Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91

Update golangci-lint to v2.4.0 (#33251)

Browse source 
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #33250

Waived most new failures. Planning to come back and fix some of them in
subsequent PRs.
This commit is contained in:
Victor Lyuboslavsky 2025-09-22 13:17:11 -05:00 committed by GitHub
parent 353b8d0374
commit e872f9a984
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
32 changed files with 375 additions and 244 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/golangci-lint.yml vendored
View file

@ -67,7 +67,7 @@ jobs:
# Don't forget to update
# docs/Contributing/Testing-and-local-development.md when this
# version changes
go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14162043f908949f1b363d061dc9ba713c0 # v1.64.8
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@43d03392d7dc3746fa776dbddd66dfcccff70651 # v2.4.0
make lint-go
- name: Run cloner-check tool

519
.golangci.yml
View file

@ -1,216 +1,335 @@
version: "2"
formatters:
enable:
- gofmt
settings:
gofmt:
# simplify code: gofmt with `-s` option, true by default
simplify: false
exclusions:
paths:
- server/fleet/agent_options_generated.go # generated file
issues:
max-issues-per-linter: 0 # show all issues
max-same-issues: 0 # show all issues
linters:
disable-all: true
default: none
enable:
- depguard
- gosec
- gocritic
- gofmt
- govet
- ineffassign
- revive
- rowserrcheck
- sqlclosecheck
- typecheck
- unconvert
- unused
- errcheck
- gosimple
- staticcheck
settings:
depguard:
rules:
main:
deny:
- pkg: github.com/pkg/errors
desc: "use ctxerr if a context.Context is available or stdlib errors.New / fmt.Errorf with the %w verb"
linters-settings:
depguard:
errcheck:
check-type-assertions: false
check-blank: false
disable-default-exclusions: false
exclude-functions:
# Logging
- "(github.com/go-kit/log.Logger).Log"
# fmt package
- fmt.Fprint
- fmt.Fprintf
- fmt.Fprintln
- fmt.Print
- fmt.Printf
- fmt.Println
# Close methods
- "(io.Closer).Close"
- "(io.ReadCloser).Close"
- "(io.WriteCloser).Close"
- "(net.Conn).Close"
- "(net.Listener).Close"
- "(*database/sql.Rows).Close"
- "(*database/sql.DB).Close"
- "(*database/sql.Stmt).Close"
- "(*database/sql.Tx).Close"
- "(*database/sql.Tx).Rollback"
- "(*os.File).Close"
# OS operations
- os.Remove
- os.RemoveAll
- os.Setenv
- os.Unsetenv
- os.Chdir
- os.Mkdir
- os.MkdirAll
- os.Rename
# Writers and flushers
- "(*bufio.Writer).Flush"
- "(*bufio.ReadWriter).Flush"
- "(*archive/tar.Writer).Close"
- "(*archive/zip.Writer).Close"
- "(*archive/zip.ReadCloser).Close"
- "(*compress/gzip.Writer).Close"
- "(*compress/gzip.Reader).Close"
- "(*mime/multipart.Writer).Close"
# HTTP and network
- "(*net.TCPConn).Close"
- "(*net.UDPConn).Close"
- "(*net.UnixConn).Close"
- "(*net.TCPListener).Close"
- "(*net/http.Client).CloseIdleConnections"
- "(*crypto/tls.Conn).Close"
# Redis
- "(github.com/gomodule/redigo/redis.Conn).Close"
- "(*github.com/gomodule/redigo/redis.Pool).Close"
- "(*github.com/redis/go-redis/v9.ClusterClient).Close"
- "(*github.com/fleetdm/fleet/v4/server/datastore/redis.Pool).Close"
- "(*github.com/mna/redisc.Cluster).Close"
# WebSockets
- "(*github.com/gorilla/websocket.Conn).Close"
- "(*github.com/igm/sockjs-go/v3/sockjs.session).Close"
# Test helpers and Fleet-specific
- "(*github.com/fleetdm/fleet/v4/server/datastore/mysql.Datastore).Close"
- "(*github.com/DATA-DOG/go-sqlmock.Sqlmock).ExpectClose"
# Additional project-specific types
- "(*github.com/fleetdm/fleet/v4/pkg/file.TemporaryFile).Close"
- "(*github.com/fleetdm/fleet/v4/server/fleet.TempFileReader).Close"
- "(*github.com/fleetdm/fleet/v4/server/service.Session).Close"
- "(github.com/fleetdm/fleet/v4/server/fleet.RedisPool).Close"
- "(*github.com/go-redis/redis/v8.ClusterClient).Close"
- "(*go.etcd.io/bbolt.DB).Close"
- "(*github.com/boltdb/bolt.DB).Close"
- "(*net/smtp.Client).Close"
- "(*cloud.google.com/go/pubsub.Client).Close"
- "(*github.com/saferwall/pe.File).Close"
- "(*github.com/sassoftware/relic/v8/lib/comdoc.ComDoc).Close"
# Unix/syscall operations
- "golang.org/x/sys/unix.Close"
# Additional writers and iterators
- "(*go/printer.Config).Fprint"
- "go/printer.Fprint"
- "(*github.com/fleetdm/fleet/v4/server/vulnerabilities/macoffice.OfficeReleasesIterator).Close"
- "(*github.com/fleetdm/fleet/v4/server/vulnerabilities/nvd.CPEIterator).Close"
- "(github.com/fleetdm/fleet/v4/server/fleet.SoftwareIterator).Close"
- "(*github.com/gosuri/uilive.Writer).Flush"
# Security hardware interface
- "(github.com/fleetdm/fleet/v4/ee/orbit/pkg/securehw.SecureHW).Close"
- "(github.com/fleetdm/fleet/v4/ee/orbit/pkg/securehw.Key).Close"
# Containerd
- "(*github.com/containerd/containerd.Client).Close"
# Windows-specific
- "(golang.org/x/sys/windows.Token).Close"
- "(golang.org/x/sys/windows/registry.Key).Close"
# Color package
- "(*github.com/fatih/color.Color).Fprint"
- "(*github.com/fatih/color.Color).Fprintf"
- "(*github.com/fatih/color.Color).Fprintln"
- "(*github.com/fatih/color.Color).Print"
- "(*github.com/fatih/color.Color).Printf"
- "(*github.com/fatih/color.Color).Println"
gosec:
excludes:
- G104 # Errors unhandled. We are using errcheck linter instead of this rule.
- G204 # Subprocess launched with variable. Some consider this rule to be too noisy.
- G301 # Directory permissions 0750 as opposed to standard 0755. Consider enabling stricter permission in the future.
- G304 # File path provided as taint input
config:
G306: "0644"
gocritic:
enabled-checks:
- ruleguard
settings:
ruleguard:
rules: "${base-path}/tools/ci/rules.go"
failOn: all
revive:
severity: "warning"
confidence: 0.8
rules:
- name: dot-imports
- name: error-return
- name: var-declaration
- name: range
- name: receiver-naming
- name: time-naming
- name: indent-error-flow
- name: errorf
- name: empty-block
- name: superfluous-else
- name: unreachable-code
- name: redefines-builtin-id
staticcheck:
checks:
- "all"
- "-SA9003" # Empty body in an if or else branch.
- "-ST1000" # Incorrect or missing package comment.
- "-ST1003" # Poorly chosen identifier.
- "-ST1016" # Use consistent method receiver names.
- "-ST1020" # The documentation of an exported function should start with the function's name.
- "-ST1021" # The documentation of an exported type should start with type's name.
- "-ST1022" # The documentation of an exported variable or constant should start with variable's name.
- "-ST1023" # Redundant type in variable declaration.
- "-SA1019" # Using a deprecated function, variable, constant or field.
- "-ST1005" # Incorrectly formatted error string.
- "-ST1012" # Poorly chosen name for error variable.
- "-ST1019" # Importing the same package multiple times. TODO: Fix this.
- "-QF1001" # Apply De Morgan's law. TODO: Autofix these QFs (quick-fixes) in a follow-up PR.
- "-QF1002" # Convert untagged switch to tagged switch.
- "-QF1003" # Convert if/else-if chain to tagged switch.
- "-QF1008" # Omit embedded fields from selector expression.
- "-QF1009" # Use time.Time.Equal instead of == operator
- "-QF1011" # Omit redundant type from variable declaration.
- "-QF1012" # Use 'fmt.Fprintf(x, ...)' instead of 'x.Write(fmt.Sprintf(...))'.
exclusions:
generated: strict
# Before excluding files from gosec linter - an issue must be created and referenced in a comment.
rules:
main:
deny:
- pkg: github.com/pkg/errors
desc: "use ctxerr if a context.Context is available or stdlib errors.New / fmt.Errorf with the %w verb"
errcheck:
check-type-assertions: false
check-blank: false
disable-default-exclusions: false
exclude-functions:
- "(github.com/go-kit/log.Logger).Log"
- fmt:.*
gosec:
config:
G306: "0644"
gocritic:
enabled-checks:
- ruleguard
settings:
ruleguard:
rules: "${configDir}/tools/ci/rules.go"
failOn: all
gofmt:
# simplify code: gofmt with `-s` option, true by default
simplify: false
revive:
ignoreGeneratedHeader: false
severity: "warning"
confidence: 0.8
errorCode: 0
warningCode: 0
rules:
- name: dot-imports
- name: error-return
- name: var-declaration
- name: package-comments
- name: range
- name: receiver-naming
- name: time-naming
- name: indent-error-flow
- name: errorf
- name: empty-block
- name: superfluous-else
- name: unreachable-code
- name: redefines-builtin-id
staticcheck:
checks: ["all", "-SA9003", "-ST1000", "-ST1003", "-ST1016", "-ST1020", "-ST1021", "-ST1022", "-ST1023", "-SA1019"]
# Before excluding files from gosec linter - an issue must be created and referenced in a comment.
issues:
max-issues-per-linter: 0 # show all issues
max-same-issues: 0 # show all issues
exclude-rules:
- path: server/datastore/mysql/migrations/[^/]+/[^/]+\.go
linters:
- depguard
# cmd gosec exclusions https://github.com/fleetdm/fleet/issues/4451
- path: cmd/osquery-perf/agent.go
linters:
- gosec
- path: cmd/fleet/serve.go
linters:
- gosec
- path: cmd/fleetctl/fleetctl/api.go
linters:
- gosec
- path: cmd/fleetctl/fleetctl/get.go
linters:
- gosec
- path: cmd/fleetctl/fleetctl/preview.go
linters:
- gosec
# Orbit gosec exclusions https://github.com/fleetdm/fleet/issues/4452
- path: orbit/pkg/update/update.go
linters:
- gosec
- path: orbit/pkg/packaging/wix/wix.go
linters:
- gosec
- path: orbit/pkg/packaging/macos.go
linters:
- gosec
- path: orbit/pkg/packaging/windows.go
linters:
- gosec
- path: orbit/pkg/packaging/packaging.go
linters:
- gosec
# insecure proxy is insecure by design
- path: orbit/pkg/insecure/proxy.go
linters:
- gosec
# pkg gosec exclusions https://github.com/fleetdm/fleet/issues/4453
# Test file which triggers many TLS warnings by design
- path: pkg/fleethttp/fleethttp_test.go
linters:
- gosec
- path: pkg/certificate/certificate.go
linters:
- gosec
- path: pkg/download/download.go
linters:
- gosec
# server gosec exclusions https://github.com/fleetdm/fleet/issues/4455
- path: server/mail/mail.go
linters:
- gosec
- path: server/datastore/mysql/migrations/tables/20201011162341_CleanupSoftDeletedColumns.go
linters:
- gosec
- path: server/service/redis_policy_set/redis_policy_set_test.go
linters:
- gosec
- path: server/sso/settings.go
linters:
- gosec
- path: server/datastore/mysql/hosts.go
linters:
- gosec
- path: server/datastore/mysql/hosts_test.go
linters:
- gosec
- path: server/datastore/mysql/mysql_test.go
linters:
- gosec
- path: server/service/client_live_query.go
linters:
- gosec
- path: server/service/invites.go
linters:
- gosec
- path: server/service/service_appconfig.go
linters:
- gosec
- path: server/service/service_users.go
linters:
- gosec
- path: server/datastore/mysql/migrations/tables/20201011162341_CleanupSoftDeletedColumns.go
linters:
- gosec
- path: server/datastore/mysql/aggregated_stats_test.go
linters:
- gosec
- path: server/fleet/app.go
linters:
- gosec
- path: server/service/async/async_policy.go
linters:
- gosec
- path: server/logging/kinesis.go
linters:
- gosec
- path: server/logging/kinesis_test.go
linters:
- gosec
- path: server/config/config.go
linters:
- gosec
- path: server/datastore/redis/ratelimit_store.go
linters:
- gosec
- path: server/datastore/mysql/testing_utils.go
linters:
- gosec
- path: server/datastore/mysql/packs_test.go
linters:
- gosec
- path: server/service/appconfig.go
linters:
- gosec
- path: server/service/client.go
linters:
- gosec
- path: server/service/users.go
linters:
- gosec
- path: server/service/appconfig_test.go
linters:
- gosec
- path: server/service/service_campaign_test.go
linters:
- gosec
- path: server/datastore/mysql/software_test.go
linters:
- gosec
# tools gosec exclusions https://github.com/fleetdm/fleet/issues/4456
- path: tools/dbutils/schema_generator.go
linters:
- gosec
- path: server/datastore/mysql/migrations/[^/]+/[^/]+\.go
linters:
- depguard
# cmd gosec exclusions https://github.com/fleetdm/fleet/issues/4451
- path: cmd/osquery-perf/agent.go
linters:
- gosec
- path: cmd/fleet/serve.go
linters:
- gosec
- path: cmd/fleetctl/fleetctl/api.go
linters:
- gosec
- path: cmd/fleetctl/fleetctl/get.go
linters:
- gosec
- path: cmd/fleetctl/fleetctl/preview.go
linters:
- gosec
# Orbit gosec exclusions https://github.com/fleetdm/fleet/issues/4452
- path: orbit/pkg/update/update.go
linters:
- gosec
- path: orbit/pkg/packaging/wix/wix.go
linters:
- gosec
- path: orbit/pkg/packaging/macos.go
linters:
- gosec
- path: orbit/pkg/packaging/windows.go
linters:
- gosec
- path: orbit/pkg/packaging/packaging.go
linters:
- gosec
# insecure proxy is insecure by design
- path: orbit/pkg/insecure/proxy.go
linters:
- gosec
# pkg gosec exclusions https://github.com/fleetdm/fleet/issues/4453
# Test file which triggers many TLS warnings by design
- path: pkg/fleethttp/fleethttp_test.go
linters:
- gosec
- path: pkg/certificate/certificate.go
linters:
- gosec
- path: pkg/download/download.go
linters:
- gosec
# server gosec exclusions https://github.com/fleetdm/fleet/issues/4455
- path: server/mail/mail.go
linters:
- gosec
- path: server/datastore/mysql/migrations/tables/20201011162341_CleanupSoftDeletedColumns.go
linters:
- gosec
- path: server/service/redis_policy_set/redis_policy_set_test.go
linters:
- gosec
- path: server/sso/settings.go
linters:
- gosec
- path: server/datastore/mysql/hosts.go
linters:
- gosec
- path: server/datastore/mysql/hosts_test.go
linters:
- gosec
- path: server/datastore/mysql/mysql_test.go
linters:
- gosec
- path: server/service/client_live_query.go
linters:
- gosec
- path: server/service/invites.go
linters:
- gosec
- path: server/service/service_appconfig.go
linters:
- gosec
- path: server/service/service_users.go
linters:
- gosec
- path: server/datastore/mysql/migrations/tables/20201011162341_CleanupSoftDeletedColumns.go
linters:
- gosec
- path: server/datastore/mysql/aggregated_stats_test.go
linters:
- gosec
- path: server/fleet/app.go
linters:
- gosec
- path: server/service/async/async_policy.go
linters:
- gosec
- path: server/logging/kinesis.go
linters:
- gosec
- path: server/logging/kinesis_test.go
linters:
- gosec
- path: server/config/config.go
linters:
- gosec
- path: server/datastore/redis/ratelimit_store.go
linters:
- gosec
- path: server/datastore/mysql/testing_utils.go
linters:
- gosec
- path: server/datastore/mysql/packs_test.go
linters:
- gosec
- path: server/service/appconfig.go
linters:
- gosec
- path: server/service/client.go
linters:
- gosec
- path: server/service/users.go
linters:
- gosec
- path: server/service/appconfig_test.go
linters:
- gosec
- path: server/service/service_campaign_test.go
linters:
- gosec
- path: server/datastore/mysql/software_test.go
linters:
- gosec
# tools gosec exclusions https://github.com/fleetdm/fleet/issues/4456
- path: tools/dbutils/schema_generator.go
linters:
- gosec

2
Makefile
View file

@ -210,7 +210,7 @@ lint-js:
.help-short--lint-go:
@echo "Run the Go linters"
lint-go:
golangci-lint run --exclude-dirs ./node_modules --timeout 15m
golangci-lint run --timeout 15m
.help-short--lint:
@echo "Run linters"

10
go.mod
View file

@ -353,3 +353,13 @@ tool (
github.com/kevinburke/go-bindata
github.com/quasilyte/go-ruleguard/dsl
)
ignore (
./articles
./assets
./docs
./frontend
./handbook
./it-and-security
./node_modules
)

2
orbit/cmd/desktop/desktop.go
View file

@ -646,7 +646,7 @@ func setupStderr() {
return
}
stderrFile, err := os.OpenFile(filepath.Join(dir, "Fleet", "fleet-desktop.err"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o666)
stderrFile, err := os.OpenFile(filepath.Join(dir, "Fleet", "fleet-desktop.err"), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o666) // nolint:gosec // G302
if err != nil {
log.Error().Err(err).Msg("create file to redirect stderr")
return

2
orbit/pkg/augeas/augeas_unix.go
View file

@ -33,7 +33,7 @@ func CopyLenses(installPath string) (string, error) {
if err != nil {
return "", err
}
dest, err := os.OpenFile(filepath.Join(outPath, entry.Name()), os.O_CREATE|os.O_WRONLY, 0o644)
dest, err := os.OpenFile(filepath.Join(outPath, entry.Name()), os.O_CREATE|os.O_WRONLY, 0o644) // nolint:gosec // G302
if err != nil {
return "", err
}

1
orbit/pkg/execuser/execuser_windows.go
View file

@ -1,3 +1,4 @@
// nolint:gosec,G103,govet,unsafeptr // Reason: unsafe required for Windows API calls.
package execuser
// NOTE: The following was copied from

1
orbit/pkg/keystore/keystore_darwin.go
View file

@ -1,5 +1,6 @@
//go:build darwin && cgo
// nolint:govet,unsafeptr // Reason: audited unsafe.Pointer usage required for C APIs
package keystore
/*

2
orbit/pkg/scripts/exec_nonwindows.go
View file

@ -29,7 +29,7 @@ func ExecCmd(ctx context.Context, scriptPath string, env []string) (output []byt
cmd := exec.CommandContext(ctx, "/bin/sh", scriptPath)
if directExecute {
err = os.Chmod(scriptPath, 0o700)
err = os.Chmod(scriptPath, 0o700) // nolint:gosec // G302
if err != nil {
return nil, -1, ctxerr.Wrapf(ctx, err, "marking script as executable %s", scriptPath)
}

2
orbit/pkg/scripts/exec_nonwindows_test.go
View file

@ -102,7 +102,7 @@ func writeTestScript(content string) (string, error) {
return "", err
}
err = os.Chmod(tmpfile.Name(), 0o700)
err = os.Chmod(tmpfile.Name(), 0o700) // nolint:gosec // G302
if err != nil {
return "", err
}

4
orbit/pkg/table/find_cmd/find_cmd_darwin_test.go
View file

@ -94,12 +94,12 @@ func TestGenerate(t *testing.T) {
require.NoError(t, err)
err = f.Close()
require.NoError(t, err)
err = os.Chmod(filepath.Join(testDir, "foo.txt"), os.ModePerm)
err = os.Chmod(filepath.Join(testDir, "foo.txt"), os.ModePerm) // nolint:gosec // G302
require.NoError(t, err)
require.NoError(t, err)
err = os.Mkdir(filepath.Join(testDir, "zoo"), os.ModePerm)
require.NoError(t, err)
err = os.Chmod(filepath.Join(testDir, "zoo"), os.ModePerm)
err = os.Chmod(filepath.Join(testDir, "zoo"), os.ModePerm) // nolint:gosec // G302
require.NoError(t, err)
// Test directory with a few entries.

2
orbit/pkg/table/firmwarepasswd/firmwarepasswd.go
View file

@ -93,7 +93,7 @@ func (t *Table) runFirmwarepasswd(ctx context.Context, subcommand string, output
}
defer os.RemoveAll(dir)
if err := os.Chmod(dir, 0o755); err != nil {
if err := os.Chmod(dir, 0o755); err != nil { // nolint:gosec // G302
return fmt.Errorf("chmod: %w", err)
}

4
orbit/pkg/table/mdm/mdm_windows.go
View file

@ -1,6 +1,6 @@
//go:build windows
// +build windows
// nolint:gosec,G103 // Reason: unsafe required for Windows API calls.
package mdmbridge
import (
@ -10,7 +10,6 @@ import (
"encoding/xml"
"errors"
"fmt"
"github.com/scjalliance/comshim"
"io"
"os"
"strings"
@ -22,6 +21,7 @@ import (
"github.com/hillu/go-ntdll"
"github.com/osquery/osquery-go/plugin/table"
"github.com/rs/zerolog/log"
"github.com/scjalliance/comshim"
"golang.org/x/sys/windows"
"golang.org/x/sys/windows/registry"
)

1
orbit/pkg/update/execwinapi_windows.go
View file

@ -1,5 +1,6 @@
//go:build windows
// nolint:gosec,G103 // Reason: unsafe required for Windows API calls.
package update
import (

2
orbit/pkg/update/filestore/filestore_test.go
View file

@ -27,7 +27,7 @@ func TestFileStore(t *testing.T) {
t.Parallel()
tmpDir := t.TempDir()
require.NoError(t, os.Chmod(tmpDir, 0700))
require.NoError(t, os.Chmod(tmpDir, 0700)) // nolint:gosec // G302
store, err := New(filepath.Join(tmpDir, "metadata.json"))
require.NoError(t, err)

2
orbit/pkg/update/flag_runner_test.go
View file

@ -72,7 +72,7 @@ func TestWriteFlagFile(t *testing.T) {
func touchFile(t *testing.T, name string) {
t.Helper()
file, err := os.OpenFile(name, os.O_RDONLY|os.O_CREATE, 0o644)
file, err := os.OpenFile(name, os.O_RDONLY|os.O_CREATE, 0o644) // nolint:gosec // G302
require.NoError(t, err)
require.NoError(t, file.Close())
}

2
pkg/file/management_test.go
View file

@ -72,7 +72,7 @@ func assertGoldenMatches(t *testing.T, goldenFile string, actual string, update
goldenPath := filepath.Join("testdata", goldenFile+".golden")
f, err := os.OpenFile(goldenPath, os.O_RDWR|os.O_CREATE, 0o644)
f, err := os.OpenFile(goldenPath, os.O_RDWR|os.O_CREATE, 0o644) // nolint:gosec // G302
require.NoError(t, err)
defer f.Close()

2
server/fleet/datastore.go
View file

@ -209,7 +209,7 @@ type Datastore interface {
// based on its host vitals criteria.
UpdateLabelMembershipByHostCriteria(ctx context.Context, hvl HostVitalsLabel) (*Label, error)
NewLabel(ctx context.Context, Label *Label, opts ...OptionalArg) (*Label, error)
NewLabel(ctx context.Context, label *Label, opts ...OptionalArg) (*Label, error)
// SaveLabel updates the label and returns the label and an array of host IDs
// members of this label, or an error.
SaveLabel(ctx context.Context, label *Label, teamFilter TeamFilter) (*Label, []uint, error)

2
server/logging/filesystem.go
View file

@ -148,5 +148,5 @@ func (l *rawLogWriter) Close() error {
}
func openFile(path string) (*os.File, error) {
return os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o644)
return os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o644) // nolint:gosec // G302
}

2
server/logging/filesystem_test.go
View file

@ -18,7 +18,7 @@ import (
func TestFilesystemLogger(t *testing.T) {
ctx := context.Background()
tempPath := t.TempDir()
require.NoError(t, os.Chmod(tempPath, 0o755))
require.NoError(t, os.Chmod(tempPath, 0o755)) // nolint:gosec // G302
fileName := filepath.Join(tempPath, "filesystemLogWriter")
lgr, err := NewFilesystemLogWriter(fileName, log.NewNopLogger(), false, false, 500, 28, 3)
require.Nil(t, err)

4
server/mdm/android/datastore.go
View file

@ -17,12 +17,12 @@ func MySQLTables() []string {
type Datastore interface {
CreateEnterprise(ctx context.Context, userID uint) (uint, error)
GetEnterpriseByID(ctx context.Context, ID uint) (*EnterpriseDetails, error)
GetEnterpriseByID(ctx context.Context, id uint) (*EnterpriseDetails, error)
GetEnterpriseBySignupToken(ctx context.Context, signupToken string) (*EnterpriseDetails, error)
GetEnterprise(ctx context.Context) (*Enterprise, error)
UpdateEnterprise(ctx context.Context, enterprise *EnterpriseDetails) error
DeleteAllEnterprises(ctx context.Context) error
DeleteOtherEnterprises(ctx context.Context, ID uint) error
DeleteOtherEnterprises(ctx context.Context, id uint) error
CreateDeviceTx(ctx context.Context, tx sqlx.ExtContext, device *Device) (*Device, error)
UpdateDeviceTx(ctx context.Context, tx sqlx.ExtContext, device *Device) error

2
server/mdm/nanodep/cmd/deptokens/main.go
View file

@ -50,7 +50,7 @@ func main() {
var jsonBytes []byte
jsonBytes, err = decryptTokens(*flTokens, *flCert, *flKey, *flPassword)
if err == nil {
os.Stdout.Write(jsonBytes)
_, _ = os.Stdout.Write(jsonBytes)
}
}
if err != nil {

2
server/mdm/nanomdm/storage/file/certauth.go
View file

@ -55,7 +55,7 @@ func (s *FileStorage) IsCertHashAssociated(r *mdm.Request, hash string) (bool, e
}
func (s *FileStorage) AssociateCertHash(r *mdm.Request, hash string, _ time.Time) error {
f, err := os.OpenFile(
f, err := os.OpenFile( // nolint:gosec // G302
path.Join(s.path, CertAuthAssociationsFilename),
os.O_APPEND|os.O_CREATE|os.O_WRONLY,
0644,

2
server/mdm/scep/cmd/scepclient/cert.go
View file

@ -29,7 +29,7 @@ func pemCert(derBytes []byte) []byte {
}
func loadOrSign(path string, priv *rsa.PrivateKey, csr *x509.CertificateRequest) (*x509.Certificate, error) {
file, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
file, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666) // nolint:gosec // G302
if err != nil {
if os.IsExist(err) {
return loadPEMCertFromFile(path)

2
server/mdm/scep/cmd/scepclient/csr.go
View file

@ -23,7 +23,7 @@ type csrOptions struct {
}
func loadOrMakeCSR(path string, opts *csrOptions) (*x509.CertificateRequest, error) {
file, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0o666)
file, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0o666) // nolint:gosec // G302
if err != nil {
if os.IsExist(err) {
return loadCSRfromFile(path)

2
server/mdm/scep/cmd/scepclient/key.go
View file

@ -25,7 +25,7 @@ func newRSAKey(bits int) (*rsa.PrivateKey, error) {
// load key if it exists or create a new one
func loadOrMakeKey(path string, rsaBits int) (*rsa.PrivateKey, error) {
file, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
file, err := os.OpenFile(path, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666) // nolint:gosec // G302
if err != nil {
if os.IsExist(err) {
return loadKeyFromFile(path)

3
server/mdm/scep/depot/file/depot.go
View file

@ -22,7 +22,8 @@ import (
// NewFileDepot returns a new cert depot.
func NewFileDepot(path string) (*fileDepot, error) {
f, err := os.OpenFile(fmt.Sprintf("%s/index.txt", path),
f, err := os.OpenFile( // nolint:gosec // G302
fmt.Sprintf("%s/index.txt", path),
os.O_RDONLY|os.O_CREATE, 0o666)
if err != nil {
return nil, err

18
server/mock/datastore_mock.go
View file

@ -151,7 +151,7 @@ type UpdateLabelMembershipByHostIDsFunc func(ctx context.Context, labelID uint,
type UpdateLabelMembershipByHostCriteriaFunc func(ctx context.Context, hvl fleet.HostVitalsLabel) (*fleet.Label, error)
type NewLabelFunc func(ctx context.Context, Label *fleet.Label, opts ...fleet.OptionalArg) (*fleet.Label, error)
type NewLabelFunc func(ctx context.Context, label *fleet.Label, opts ...fleet.OptionalArg) (*fleet.Label, error)
type SaveLabelFunc func(ctx context.Context, label *fleet.Label, teamFilter fleet.TeamFilter) (*fleet.Label, []uint, error)
@ -1415,7 +1415,7 @@ type ExpandEmbeddedSecretsAndUpdatedAtFunc func(ctx context.Context, document st
type CreateEnterpriseFunc func(ctx context.Context, userID uint) (uint, error)
type GetEnterpriseByIDFunc func(ctx context.Context, ID uint) (*android.EnterpriseDetails, error)
type GetEnterpriseByIDFunc func(ctx context.Context, id uint) (*android.EnterpriseDetails, error)
type GetEnterpriseBySignupTokenFunc func(ctx context.Context, signupToken string) (*android.EnterpriseDetails, error)
@ -1425,7 +1425,7 @@ type UpdateEnterpriseFunc func(ctx context.Context, enterprise *android.Enterpri
type DeleteAllEnterprisesFunc func(ctx context.Context) error
type DeleteOtherEnterprisesFunc func(ctx context.Context, ID uint) error
type DeleteOtherEnterprisesFunc func(ctx context.Context, id uint) error
type CreateDeviceTxFunc func(ctx context.Context, tx sqlx.ExtContext, device *android.Device) (*android.Device, error)
@ -4280,11 +4280,11 @@ func (s *DataStore) UpdateLabelMembershipByHostCriteria(ctx context.Context, hvl
return s.UpdateLabelMembershipByHostCriteriaFunc(ctx, hvl)
}
func (s *DataStore) NewLabel(ctx context.Context, Label *fleet.Label, opts ...fleet.OptionalArg) (*fleet.Label, error) {
func (s *DataStore) NewLabel(ctx context.Context, label *fleet.Label, opts ...fleet.OptionalArg) (*fleet.Label, error) {
s.mu.Lock()
s.NewLabelFuncInvoked = true
s.mu.Unlock()
return s.NewLabelFunc(ctx, Label, opts...)
return s.NewLabelFunc(ctx, label, opts...)
}
func (s *DataStore) SaveLabel(ctx context.Context, label *fleet.Label, teamFilter fleet.TeamFilter) (*fleet.Label, []uint, error) {
@ -8704,11 +8704,11 @@ func (s *DataStore) CreateEnterprise(ctx context.Context, userID uint) (uint, er
return s.CreateEnterpriseFunc(ctx, userID)
}
func (s *DataStore) GetEnterpriseByID(ctx context.Context, ID uint) (*android.EnterpriseDetails, error) {
func (s *DataStore) GetEnterpriseByID(ctx context.Context, id uint) (*android.EnterpriseDetails, error) {
s.mu.Lock()
s.GetEnterpriseByIDFuncInvoked = true
s.mu.Unlock()
return s.GetEnterpriseByIDFunc(ctx, ID)
return s.GetEnterpriseByIDFunc(ctx, id)
}
func (s *DataStore) GetEnterpriseBySignupToken(ctx context.Context, signupToken string) (*android.EnterpriseDetails, error) {
@ -8739,11 +8739,11 @@ func (s *DataStore) DeleteAllEnterprises(ctx context.Context) error {
return s.DeleteAllEnterprisesFunc(ctx)
}
func (s *DataStore) DeleteOtherEnterprises(ctx context.Context, ID uint) error {
func (s *DataStore) DeleteOtherEnterprises(ctx context.Context, id uint) error {
s.mu.Lock()
s.DeleteOtherEnterprisesFuncInvoked = true
s.mu.Unlock()
return s.DeleteOtherEnterprisesFunc(ctx, ID)
return s.DeleteOtherEnterprisesFunc(ctx, id)
}
func (s *DataStore) CreateDeviceTx(ctx context.Context, tx sqlx.ExtContext, device *android.Device) (*android.Device, error) {

7
server/service/apple_mdm.go
View file

@ -4927,6 +4927,7 @@ func preprocessProfileContents(
}
}
initialFleetVarLoop:
for fleetVar := range fleetVars {
switch {
case fleetVar == string(fleet.FleetVarNDESSCEPChallenge) || fleetVar == string(fleet.FleetVarNDESSCEPProxyURL):
@ -4936,7 +4937,7 @@ func preprocessProfileContents(
}
if !configured {
valid = false
break
break initialFleetVarLoop
}
case fleetVar == string(fleet.FleetVarHostEndUserEmailIDP) || fleetVar == string(fleet.FleetVarHostHardwareSerial) ||
@ -4961,7 +4962,7 @@ func preprocessProfileContents(
}
if !configured {
valid = false
break
break initialFleetVarLoop
}
case strings.HasPrefix(fleetVar, string(fleet.FleetVarCustomSCEPChallengePrefix)) || strings.HasPrefix(fleetVar, string(fleet.FleetVarCustomSCEPProxyURLPrefix)):
@ -4981,7 +4982,7 @@ func preprocessProfileContents(
}
if !configured {
valid = false
break
break initialFleetVarLoop
}
default:

5
server/service/integration_mdm_test.go
View file

@ -11119,10 +11119,7 @@ func (s *integrationMDMTestSuite) TestAPNsPushWithNotNow() {
// Flush any existing profiles.
cmd, err := macDevice.Idle()
require.NoError(t, err)
for {
if cmd == nil {
break
}
for cmd != nil {
t.Logf("Received: %s %s", cmd.CommandUUID, cmd.Command.RequestType)
cmd, err = macDevice.Acknowledge(cmd.CommandUUID)
require.NoError(t, err)

2
tools/mdm/windows/programmatic-enrollment/main.go
View file

@ -1,6 +1,6 @@
//go:build windows
// +build windows
// nolint:gosec,G103 // Reason: unsafe required for Windows API calls.
package main
import (

4
tools/osquery-agent-options/main.go
View file

@ -198,7 +198,7 @@ func main() {
}
outputFilePath := os.Args[1]
outputFile, err := os.OpenFile(outputFilePath, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0o644)
outputFile, err := os.OpenFile(outputFilePath, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0o644) // nolint:gosec // G302
if err != nil {
log.Fatalf("open output file %q: %s", outputFilePath, err)
}
@ -237,7 +237,7 @@ func sanitizeArchivePath(d, t string) (string, error) {
// extractTagGz extracts the contents of the provided tar.gz file.
func extractTarGz(path string) error {
tarGzFile, err := os.OpenFile(path, os.O_RDONLY, 0o755)
tarGzFile, err := os.Open(path)
if err != nil {
return fmt.Errorf("open %q: %w", path, err)
}