ci: fix lint issues for golangci-lint v2.12.1#199
ci: fix lint issues for golangci-lint v2.12.1#199rawadhossain wants to merge 1 commit intokubernetes-sigs:mainfrom
Conversation
✅ Deploy Preview for node-readiness-controller canceled.
|
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rawadhossain The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
|
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @rawadhossain! |
|
Hi @rawadhossain. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
needs-ok-to-test
ajaysundark
requested review from
Karthik-K-N
and removed request for
haircommander
| - gosec | ||
| path: "test/utils/" | ||
| text: "G204" | ||
| - linters: |
There was a problem hiding this comment.
Ins't there any better way apart from excluding it?
There was a problem hiding this comment.
Hey @Karthik-K-N, thanks for reviewing the PR.
I looked into fixing this properly instead of excluding it.
- For G703
suite_test.go), usingfilepath.Cleanworks fine - no suppression needed. - For G704
(main.go), I added URL validation (scheme + host), so we’re not accepting arbitrary inputs anymore. But gosec still flags the HTTP calls. looks like its taint analysis doesn’t treat this validation as a sanitizer.
Because of that, some form of suppression is still needed for those two lines.
The tricky part is that the repo is currently using golangci-lint v2.9.0, which doesn’t include G704. So if I add inline //nolint:gosec, nolintlint flags it as unused and CI fails.
That’s why I initially went with the .golangci.yml exclusion, else the warnings can’t be resolved cleanly with the current lint setup (shared the lint output if helpful).
From here, I see two options:
- Keep the validation in code and use a scoped
.golangci.ymlexclusion just for G704 - Upgrade golangci-lint to a version that includes G704, then use inline
//nolint:gosecwith the validation in place
Happy to go with whichever direction you prefer.
There was a problem hiding this comment.
I think in near future we need to update the golang lint, so I think that would be better, wdyt?
There was a problem hiding this comment.
Yeah I think that sounds better for the long term.
I can update the lint version in CI and switch to inline suppression using //nolint:gosec. That should keep things cleaner going forward.
Let me know if you want me to go ahead with that.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
4 participants
This pr resolves the issues reported by
golangci-lint v2.12.1that block upgrading the linter version in CI.Fixes #195
Changes
G704 (SSRF) — readiness-condition-reporter/main.go
Excluded via
.golangci.yml. The endpoint comes from theCHECK_ENDPOINTenv var (deployment config), not user input.G703 (path traversal) — suite_test.go
Excluded via
.golangci.yml. This is test only code usingKUBEBUILDER_ASSETSfrom the envtest setup.prealloc — nodereadinessgaterule_webhook.go
Preallocated
allErrs(make(..., 0, 4)) to address the prealloc linter.Why config exclusions instead of
//nolintInline
//nolint:gosectriggersnolintlinterrors on v2.9.0 (since the checks don’t exist there). Using.golangci.ymlkeeps things compatible across both versions. So clean results on v2.12.1.With these fixes,
golangci-lintcan be upgraded in CI without breaking.Testing
Before:
After:
make lint(v2.9.0) andgolangci-lint run ./...(v2.12.1) are both clean.Checklist
make testpassesmake lintpasses