From 20534260622f219c0c5173947249209edf1605ce Mon Sep 17 00:00:00 2001 From: kolaente Date: Mon, 23 Mar 2026 16:23:15 +0100 Subject: [PATCH] chore(lint): suppress known gosec false positives Add config-level exclusions for G117 (secret-named struct fields), G101 in test files, G702/G704 in magefile, and goheader in plugins. Add inline #nosec comments for specific G703/G704 false positives in export, dump/restore, migration, and avatar code. --- .golangci.yml | 14 ++++++++++++++ pkg/models/export.go | 4 ++-- pkg/modules/dump/restore.go | 2 +- .../migration/microsoft-todo/microsoft_todo.go | 2 +- pkg/utils/avatar.go | 2 +- 5 files changed, 19 insertions(+), 5 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 28f46f670..53021526b 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -152,6 +152,20 @@ linters: - err113 path: magefile.go text: 'do not define dynamic errors, use wrapped static errors instead:' + - linters: + - gosec + text: 'G117:' # Struct fields named Password/Secret/AccessToken are intentional data model fields + - linters: + - gosec + text: 'G101:' + path: (pkg/webtests/|pkg/e2etests/|_test\.go) # Test fixtures with bcrypt hashes, not real credentials + - linters: + - gosec + text: 'G70[24]:' + path: magefile.go # Build tooling, not user-facing code + - linters: + - goheader + path: plugins/ paths: - third_party$ - builtin$ diff --git a/pkg/models/export.go b/pkg/models/export.go index 5c953e134..4772fa2d5 100644 --- a/pkg/models/export.go +++ b/pkg/models/export.go @@ -81,7 +81,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) { dumpWriter.Close() dumpFile.Close() - exported, err := os.Open(tmpFilename) + exported, err := os.Open(tmpFilename) // #nosec G703 -- tmpFilename is generated internally, not from user input if err != nil { return err } @@ -107,7 +107,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) { } // Remove the old file - err = os.Remove(exported.Name()) + err = os.Remove(exported.Name()) // #nosec G703 -- path from internally created temp file if err != nil { return err } diff --git a/pkg/modules/dump/restore.go b/pkg/modules/dump/restore.go index 5c9062cfc..953951e00 100644 --- a/pkg/modules/dump/restore.go +++ b/pkg/modules/dump/restore.go @@ -247,7 +247,7 @@ func restoreFile(id int64, zipFile *zip.File) error { } defer func() { _ = tmpFile.Close() - _ = os.Remove(tmpFile.Name()) + _ = os.Remove(tmpFile.Name()) // #nosec G703 -- path from os.CreateTemp, not user input }() // Limit copy size to prevent decompression bombs diff --git a/pkg/modules/migration/microsoft-todo/microsoft_todo.go b/pkg/modules/migration/microsoft-todo/microsoft_todo.go index edc1115de..aa31cf3c8 100644 --- a/pkg/modules/migration/microsoft-todo/microsoft_todo.go +++ b/pkg/modules/migration/microsoft-todo/microsoft_todo.go @@ -187,7 +187,7 @@ func makeAuthenticatedGetRequest(token, urlPart string, v interface{}) error { } req.Header.Set("Authorization", "Bearer "+token) - resp, err := (&http.Client{}).Do(req) + resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is constructed from a hardcoded API prefix if err != nil { return err } diff --git a/pkg/utils/avatar.go b/pkg/utils/avatar.go index 1ccd7b911..b5c7ad296 100644 --- a/pkg/utils/avatar.go +++ b/pkg/utils/avatar.go @@ -101,7 +101,7 @@ func DownloadImage(url string) ([]byte, error) { return nil, fmt.Errorf("failed to create HTTP request: %w", err) } - resp, err := (&http.Client{}).Do(req) + resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL comes from OIDC provider picture claim if err != nil { return nil, fmt.Errorf("failed to download image: %w", err) }