[sergo] Sergo Report: Registry Delta 35→36 — New httpstatuscode Linter Fresh Audit - 2026-06-28

[github-actions[bot]]

Executive Summary

Run R50 detected a registry delta (35 → 36 analyzers): a brand-new 36th linter, httpstatuscode, was registered at cmd/linters/main.go:72 and had never been audited. A fresh deep audit found a precision flaw in its HTTP-context detection: it gates on hardcoded identifier/field spellings rather than type/domain, yielding both false negatives and false positives. One high-quality issue was filed. R49's two issues were reconciled as landed-but-open.

Tool & Registry Updates

Surface	Prior	Now	Note
Serena LSP tools	23	23	stable R4–R50
Registered analyzers (grep -c Analyzer main.go)	35	36	NEW: httpstatuscode
doc.go header	30 active	30 active	drift persists (#40436), now 30-vs-36

The 36th linter was identified via the registry-delta detector (analyzer count vs cache) cross-checked against the never-referenced-in-cache set.

Strategy (50/50 split)

• Cached reuse (50%) — reconciliation + syntactic_match family lens: Applied the proven gh api sergo issues + grep CODE reconcile loop and the recurring syntactic/name-match → FP+FN pattern (cf. Linter precision: migrate the 3 remaining CI-enforced linters that match stdlib packages by identifier name to astutil.IsPkgSele [Content truncated due to length] #40243, errstringmatch coverage gap: only strings.Contains(err.Error(), ...) is flagged — HasPrefix/HasSuffix/EqualFold/Index on err.Err [Content truncated due to length] #40244, lenstringzero coverage gap: len(s) != 0 is flagged but the identical idiom len(s) > 0 (and len(s) < 1 / <= 0) escapes — relation [Content truncated due to length] #40581) as the audit lens.
• New exploration (50%) — fresh audit of the new linter: Deep-read httpstatuscode (never previously audited), validated against real production call sites in pkg/cli/.

Run targets: ≥1 evidence-backed finding on the new linter · ≤2 high-quality, non-duplicate issues · cache + registry delta recorded. All met.

Findings

Finding 1 (filed, #42004) — `httpstatuscode` context detection is spelling-gated, not type-gated

isHTTPStatusContext (pkg/linters/httpstatuscode/httpstatuscode.go:173-195) accepts exactly three spellings — identifier status / statusCode and field .StatusCode — and the two branches are inconsistent:

• Ident branch (:175-176): name-only (e.Name == "status" || e.Name == "statusCode"), no type check.
• SelectorExpr branch (:177-193): only .StatusCode, but rigorously type-resolved to an integer field (correct).

False negatives (proven in-repo):

• pkg/cli/firewall_policy.go:56,65 declare Status int (HTTP status). A direct entry.Status == 200 is not flagged because the selector branch rejects .Status; the code only lints because the author copies it into a local named status first (firewall_policy.go:236-241).
• pkg/cli/gateway_logs_timeline.go:99 declares HTTPStatus int // HTTP response status code — unmatchable.
• Other-named locals (code, httpStatus, respStatus, sc) are all missed.

False positives: any non-HTTP integer named status/statusCode in 100–599 (exit status, job-state enum, custom protocol code) is flagged with a hard-asserting HTTP message and wrong fix. Testdata compareNonHTTP (:49-54) stays silent only because its operand is named buildNumber.

Confirmed clean: httpstatuscode wires both internal/nolint (:97,152) and filecheck.IsTestFile (:149) — no nolint/test-skip parity gap (so it is not part of the #41844 cluster). Call-argument scope (e.g. w.WriteHeader(404)) is intentionally excluded by the analyzer's own doc ("used in comparisons") — not a bug.

Reconciliation — prior open issues (grepped, still open)

• nolint-suppression parity gap: 5 linters still have no (nolint/redacted) support, blocking CI enforcement #41844 = R49 #aw_sg49a1 (nolint-parity 5-linter cluster) — LANDED, OPEN.
• fmterrorfnoverbs false negative: escaped %% is treated as a real verb, missing no-verb fmt.Errorf calls #41845 = R49 #aw_sg49a2 (fmterrorfnoverbs escaped-%% FN) — LANDED, OPEN.
• Earlier syntactic holdouts (Linter precision: migrate the 3 remaining CI-enforced linters that match stdlib packages by identifier name to astutil.IsPkgSele [Content truncated due to length] #40243, Linter precision: two newest linters (fileclosenotdeferred, contextcancelnotdeferred) match stdlib packages by identifier name — [Content truncated due to length] #40435) and pattern/shape gaps (errstringmatch coverage gap: only strings.Contains(err.Error(), ...) is flagged — HasPrefix/HasSuffix/EqualFold/Index on err.Err [Content truncated due to length] #40244, jsonmarshalignoredeerror FN: bare-call json.Unmarshal(data, &v) (ExprStmt) discards the error but is never inspected — only As [Content truncated due to length] #39982, sprintferrdot precision: verb handling {s,v} is wrong in both directions — %#v false positive, %q/%x/%X false negative #40434, lenstringzero coverage gap: len(s) != 0 is flagged but the identical idiom len(s) > 0 (and len(s) < 1 / <= 0) escapes — relation [Content truncated due to length] #40581, seenmapbool: duplicate diagnostics for set-maps declared inside function literals (double AST traversal) #40733, Threshold linters: excessivefuncparams lints test files (every sibling FuncDecl linter skips them); largefunc & excessivefuncpar [Content truncated due to length] #40734) remain open.

Generated Task

1. Type-resolve httpstatuscode context detection — replace spelling allow-lists with type/domain checks: add the integer-type check to the Ident branch and widen accepted field names to Status / HTTPStatus on the selector branch; add testdata for entry.Status == 200, an HTTPStatus field, a non-HTTP status int enum (must stay silent), and an HTTP code in a non-status-named local. (Effort: small–medium, single file + testdata.)

Metrics

Metric	Value
Run	R50
Findings	5 (1 new filed, 4 reconciled)
Issues created	1 (#42004)
Duplicates skipped	0 (no prior httpstatuscode issue)
Success score	9 / 10
Cumulative runs / findings / tasks	50 / 352 / 98

Historical Context

This is the third registry delta caught by the analyzer-count detector (R46 → lenstringsplit, R47 → stringreplaceminusone, R50 → httpstatuscode). Each new linter has surfaced an audit target on first inspection. The spelling-gate flaw here is the same syntactic_match/pattern_set_too_narrow family that recurs across this linter suite — the selector branch even demonstrates the correct type-resolved approach the ident branch omits.

Recommendations & Next-Run Focus (R51)

• Recheck the R50 landing (#42004).
• Registry now 36 stable — watch for a 37th via grep -c Analyzer main.go vs 36 plus doc-omitted-minus-known (httpstatuscode now a known linter).
• doc.go drift (doc-sync: pkg/linters/doc.go says "29 active analyzers" but 30 are registered — list omits hardcodedfilepath and sprintferrdot #40436) widens to 30-vs-36 — worth a maintainer nudge.
• Continue probing never-deep-audited internals (hardcodedfilepath recheck; seenmapbool seenmapbool: duplicate diagnostics for set-maps declared inside function literals (double AST traversal) #40733; errstringmatch errstringmatch coverage gap: only strings.Contains(err.Error(), ...) is flagged — HasPrefix/HasSuffix/EqualFold/Index on err.Err [Content truncated due to length] #40244).

References:

• §28312124401

Generated by 🤖 Sergo - Serena Go Expert · 226.5 AIC · ⌖ 13.7 AIC · ⊞ 5.9K · ◷

• expires on Jun 28, 2026, 9:17 PM UTC-08:00

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #42175.