Update golangci-lint from 2.7.1 to 2.11.3 (#42066)

2026-04-21 13:37:30 +00:00 · 2026-03-19 11:19:42 -05:00 · 2026-03-19 11:19:42 -05:00 · db5fb9b230
commit db5fb9b230
parent 8dfdb94885
9 changed files with 41 additions and 10 deletions
--- a/.custom-gcl.yml
+++ b/.custom-gcl.yml
@ -1,7 +1,7 @@
 # This configures how golangci-lint builds a custom build, wich is necessary to use nilaway as a plugin per https://github.com/uber-go/nilaway?tab=readme-ov-file#golangci-lint--v1570

 # This has to be >= v1.57.0 for module plugin system support.
-version: v2.7.1
+version: v2.11.3
 plugins:
  - module: "go.uber.org/nilaway"
    import: "go.uber.org/nilaway/cmd/gclplugin"
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@ -73,7 +73,7 @@ jobs:
        run: |
          # Don't forget to update
          # docs/Contributing/Testing-and-local-development.md when this version changes
-          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@a4b55ebc3471c9fbb763fd56eefede8050f99887 # v2.7.1
+          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@6008b81b81c690c046ffc3fd5bce896da715d5fd # v2.11.3
          SKIP_INCREMENTAL=1 make lint-go

      - name: Run cloner-check tool
@ -136,7 +136,7 @@ jobs:
        run: |
          # Don't forget to update
          # docs/Contributing/Testing-and-local-development.md when this version changes
-          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@a4b55ebc3471c9fbb763fd56eefede8050f99887 # v2.7.1
+          go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@6008b81b81c690c046ffc3fd5bce896da715d5fd # v2.11.3
          # custom build of golangci-lint that incorporates nilaway - see .custom-gcl.yml
          golangci-lint custom
          ./custom-gcl run -c .golangci-incremental.yml --new-from-rev=origin/${{ github.base_ref }} --timeout 15m ./...
--- a/.golangci-incremental.yml
+++ b/.golangci-incremental.yml
@ -10,9 +10,25 @@ issues:
 linters:
  default: none
  enable:
+    - gosec
    - modernize
    - nilaway
  settings:
+    gosec:
+      # Only enable rules that are too noisy on existing code but valuable for new code.
+      # Existing violations were audited during the v2.7.1 -> v2.11.3 upgrade and found
+      # to be false positives or safe patterns, but we want to catch real issues going forward.
+      includes:
+        - G101 # Potential hardcoded credentials.
+        - G115 # Integer overflow conversion.
+        - G117 # Marshaled struct field matches secret pattern.
+        - G118 # Goroutine uses context.Background/TODO while request-scoped context is available.
+        - G122 # Filesystem race in filepath.Walk/WalkDir callback.
+        - G202 # SQL string concatenation.
+        - G602 # Slice index out of range.
+        - G704 # SSRF via taint analysis.
+        - G705 # XSS via taint analysis.
+        - G706 # Log injection via taint analysis.
    custom:
      nilaway:
        type: module
--- a/.golangci.yml
+++ b/.golangci.yml
@ -177,7 +177,22 @@ linters:
        - G104 # Errors unhandled. We are using errcheck linter instead of this rule.
        - G204 # Subprocess launched with variable. Some consider this rule to be too noisy.
        - G301 # Directory permissions 0750 as opposed to standard 0755. Consider enabling stricter permission in the future.
-        - G304 # File path provided as taint input
+        - G304 # File path provided as taint input.
+        - G702 # Command injection via taint analysis (taint version of excluded G204).
+        - G703 # Path traversal via taint analysis (taint version of excluded G304).
+        # The following rules are excluded from the full lint but enabled in the incremental
+        # linter (.golangci-incremental.yml) so they only apply to new/changed code.
+        # Existing violations were audited during the v2.7.1 -> v2.11.3 upgrade.
+        - G101 # Potential hardcoded credentials.
+        - G115 # Integer overflow conversion.
+        - G117 # Marshaled struct field matches secret pattern.
+        - G118 # Goroutine uses context.Background/TODO while request-scoped context is available.
+        - G122 # Filesystem race in filepath.Walk/WalkDir callback.
+        - G202 # SQL string concatenation.
+        - G602 # Slice index out of range.
+        - G704 # SSRF via taint analysis.
+        - G705 # XSS via taint analysis.
+        - G706 # Log injection via taint analysis.
      config:
        G306: "0644"

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -8,7 +8,7 @@ repos:
  hooks:
  - id: gitleaks
 - repo: https://github.com/golangci/golangci-lint
-  rev: v2.7.1
+  rev: v2.11.3
  hooks:
  - id: golangci-lint
 - repo: https://github.com/jumanjihouse/pre-commit-hooks
--- a/docs/Contributing/getting-started/testing-and-local-development.md
+++ b/docs/Contributing/getting-started/testing-and-local-development.md
@ -73,7 +73,7 @@ Check out [`/tools/osquery` directory instructions](https://github.com/fleetdm/f
 You must install the [`golangci-lint`](https://golangci-lint.run/) command to run `make test[-go]` or `make lint[-go]`, using:

 ```sh
-go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@a4b55ebc3471c9fbb763fd56eefede8050f99887
+go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@6008b81b81c690c046ffc3fd5bce896da715d5fd
 ```

 This installs the version of `golangci-lint` used in our CI environment (currently 2.7.1). Make sure it is available in your `PATH`. To execute the basic unit and integration tests, run the following from the root of the repository:
--- a/server/service/mdm.go
+++ b/server/service/mdm.go
@ -3171,7 +3171,7 @@ func (uploadMDMAppleAPNSCertRequest) DecodeRequest(ctx context.Context, r *http.
 		}
 	}

-	if r.MultipartForm.File["certificate"] == nil || len(r.MultipartForm.File["certificate"]) == 0 {
+	if len(r.MultipartForm.File["certificate"]) == 0 {
 		return nil, &fleet.BadRequestError{
 			Message:     "certificate multipart field is required",
 			InternalErr: err,
--- a/server/service/software_installers.go
+++ b/server/service/software_installers.go
@ -299,7 +299,7 @@ func (uploadSoftwareInstallerRequest) DecodeRequest(ctx context.Context, r *http
 		}
 	}

-	if r.MultipartForm.File["software"] == nil || len(r.MultipartForm.File["software"]) == 0 {
+	if len(r.MultipartForm.File["software"]) == 0 {
 		return nil, &fleet.BadRequestError{
 			Message:     "software multipart field is required",
 			InternalErr: err,
--- a/server/service/vpp.go
+++ b/server/service/vpp.go
@ -205,7 +205,7 @@ func (uploadVPPTokenRequest) DecodeRequest(ctx context.Context, r *http.Request)
 		}
 	}

-	if r.MultipartForm.File["token"] == nil || len(r.MultipartForm.File["token"]) == 0 {
+	if len(r.MultipartForm.File["token"]) == 0 {
 		return nil, &fleet.BadRequestError{
 			Message:     "token multipart field is required",
 			InternalErr: err,
@ -272,7 +272,7 @@ func (patchVPPTokenRenewRequest) DecodeRequest(ctx context.Context, r *http.Requ
 		}
 	}

-	if r.MultipartForm.File["token"] == nil || len(r.MultipartForm.File["token"]) == 0 {
+	if len(r.MultipartForm.File["token"]) == 0 {
 		return nil, &fleet.BadRequestError{
 			Message:     "token multipart field is required",
 			InternalErr: err,