chore(lint): suppress known gosec false positives

Add config-level exclusions for G117 (secret-named struct fields),
G101 in test files, G702/G704 in magefile, and goheader in plugins.
Add inline #nosec comments for specific G703/G704 false positives
in export, dump/restore, migration, and avatar code.
This commit is contained in:
kolaente 2026-03-23 16:23:15 +01:00
parent 595002bf96
commit 2053426062
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
5 changed files with 19 additions and 5 deletions


@ -152,6 +152,20 @@ linters:
- err113
path: magefile.go
text: 'do not define dynamic errors, use wrapped static errors instead:'
- linters:
- gosec
text: 'G117:' # Struct fields named Password/Secret/AccessToken are intentional data model fields
- linters:
- gosec
text: 'G101:'
path: (pkg/webtests/|pkg/e2etests/|_test\.go) # Test fixtures with bcrypt hashes, not real credentials
- linters:
- gosec
text: 'G70[24]:'
path: magefile.go # Build tooling, not user-facing code
- linters:
- goheader
path: plugins/
paths:
- third_party$
- builtin$
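Review bot: The `text: 'G117:'` exclusion carries no `path:`, so it silences G117 for every package rather than only the data-model structs its trailing comment describes; a Password or Secret field added later in, for example, a request or log struct will not be reported. Scoping it like the neighbouring G101 and G70[24] entries, `path: <path of the data-model packages>`, keeps the suppression tied to the justification given. The G101 `path:` pattern is unanchored, which is what `_test\.go` needs, but it also matches any path that merely contains `pkg/webtests/` or `pkg/e2etests/`; a leading `^` on those two alternatives avoids surprises if similarly named directories appear elsewhere.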


@ -81,7 +81,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) {
dumpWriter.Close()
dumpFile.Close()
exported, err := os.Open(tmpFilename)
exported, err := os.Open(tmpFilename) // #nosec G703 -- tmpFilename is generated internally, not from user input
if err != nil {
return err
}
@ -107,7 +107,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) {
}
// Remove the old file
err = os.Remove(exported.Name())
err = os.Remove(exported.Name()) // #nosec G703 -- path from internally created temp file
if err != nil {
return err
}
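Review bot: The justification on the `os.Open(tmpFilename)` line says tmpFilename is generated internally, but tmpFilename is built outside this hunk, so a reader cannot confirm from here that no caller-influenced value (a username, an export id taken from a request) ends up in the path; if one does, the `#nosec G703` hides exactly the finding the rule exists for. The most useful form of the comment names the producing call, as the dump/restore hunk does with `os.CreateTemp`, e.g. `// #nosec G703 -- tmpFilename comes from <creating call>, no user-controlled component`. The second hunk's `os.Remove(exported.Name())` derives from the same file and should carry the same wording. ExportUserData begins before the first hunk and continues past the second.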


@ -247,7 +247,7 @@ func restoreFile(id int64, zipFile *zip.File) error {
}
defer func() {
_ = tmpFile.Close()
_ = os.Remove(tmpFile.Name())
_ = os.Remove(tmpFile.Name()) // #nosec G703 -- path from os.CreateTemp, not user input
}()
// Limit copy size to prevent decompression bombs


@ -187,7 +187,7 @@ func makeAuthenticatedGetRequest(token, urlPart string, v interface{}) error {
}
req.Header.Set("Authorization", "Bearer "+token)
resp, err := (&http.Client{}).Do(req)
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is constructed from a hardcoded API prefix
if err != nil {
return err
}
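Review bot: The `#nosec G704` justification on the `Do(req)` line states the URL is built from a hardcoded API prefix, yet the signature shows the remainder comes from the `urlPart` parameter and the place where the URL is assembled is outside the hunk; the suppression is only sound if every caller passes a fixed path fragment that cannot alter the scheme or host. A cheap check that keeps the comment honest is to parse the joined URL once and return an error unless its `Host` equals the hardcoded host, or alternatively to state in the comment that all call sites pass constant literals. The DownloadImage hunk below suppresses G704 with `URL comes from OIDC provider picture claim`, where the origin is an external party; that suppression should be backed by a scheme/host allowlist (https only, no loopback or private address ranges) applied before the request, or the comment should say where that validation already happens. Separately, the touched line still uses `&http.Client{}` with no `Timeout`, so a stalled peer blocks the migration indefinitely; `&http.Client{Timeout: <duration>}` or a context deadline on `req` is worth adding while the line is being edited.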


@ -101,7 +101,7 @@ func DownloadImage(url string) ([]byte, error) {
return nil, fmt.Errorf("failed to create HTTP request: %w", err)
}
resp, err := (&http.Client{}).Do(req)
resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL comes from OIDC provider picture claim
if err != nil {
return nil, fmt.Errorf("failed to download image: %w", err)
}