fix: ruleguard and semgrep scans and fixes (#3364)
run semgrep-go ruleguard and semgrep scans

https://github.com/dgryski/semgrep-go

Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
caarlos0 committed Sep 11, 2022
1 parent 2244bba commit 8cb4eb16543a77709d33f13517bd2d6ddb7f886c
Showing 17 changed files with 37 additions and 39 deletions.
@@ -15,15 +15,11 @@ permissions:

jobs:
govulncheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
- uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v3
with:
go-version: '1.19'
cache: true
- run: go install golang.org/x/vuln/cmd/govulncheck@latest
- run: govulncheck ./...
uses: caarlos0/meta/.github/workflows/govulncheck.yml@main
semgrep:
uses: caarlos0/meta/.github/workflows/semgrep.yml@main
ruleguard:
uses: caarlos0/meta/.github/workflows/ruleguard.yml@main
goreleaser-check-pkgs:
runs-on: ubuntu-latest
env:
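Review bot: The three reusable workflows added here are referenced at the mutable ref `@main` (`caarlos0/meta/.github/workflows/govulncheck.yml@main`, and likewise the semgrep and ruleguard ones), whereas the steps this hunk removes pinned each action to a full commit SHA. Whatever is pushed to that branch then runs in this repository's CI without any change being reviewed here. Pinning to a commit keeps the earlier guarantee, e.g. `uses: caarlos0/meta/.github/workflows/govulncheck.yml@<commit-sha> # main` (placeholder, not a real SHA). The `goreleaser-check-pkgs` job continues outside the hunk.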
@@ -1,6 +1,8 @@
package cmd

import (
"errors"
"io/fs"
"os"

"github.com/caarlos0/log"
@@ -22,7 +24,7 @@ func loadConfig(path string) (config.Project, error) {
"goreleaser.yaml",
} {
proj, err := config.Load(f)
if err != nil && os.IsNotExist(err) {
if err != nil && errors.Is(err, fs.ErrNotExist) {
continue
}
return proj, err
@@ -496,7 +496,7 @@ func TestBuild(t *testing.T) {
},
})

modTimes := map[time.Time]bool{}
modTimes := map[int64]bool{}
for _, bin := range ctx.Artifacts.List() {
if bin.Type != artifact.Binary {
continue
@@ -506,7 +506,7 @@ func TestBuild(t *testing.T) {
require.NoError(t, err)

// make this a suitable map key, per docs: https://golang.org/pkg/time/#Time
modTime := fi.ModTime().UTC().Round(0)
modTime := fi.ModTime().UTC().Round(0).Unix()

if modTimes[modTime] {
t.Fatal("duplicate modified time found, times should be different by default")
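Review bot: `.Unix()` reduces the modification time to whole seconds, so two binaries written within the same second now map to the same key and trigger `duplicate modified time found` even though their timestamps differ. If the aim is only a comparable map key, `modTime := fi.ModTime().UnixNano()` keeps the full resolution. The `.UTC().Round(0)` calls and the comment about a suitable map key are no longer needed once the key is an integer. The body of TestBuild continues outside both hunks.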
@@ -27,9 +27,9 @@ type MockCall struct {
ExitCode int `json:"exit_code"`
}

func (m *MockData) MarshalJSON() ([]byte, error) {
func (m MockData) MarshalJSON() ([]byte, error) {
type t MockData
return json.Marshal((*t)(m))
return json.Marshal((t)(m))
}

func (m *MockData) UnmarshalJSON(b []byte) error {
@@ -2,6 +2,7 @@ package gio

import (
"bytes"
"io"
"sync"
"testing"

@@ -18,7 +19,7 @@ func TestSafe(t *testing.T) {
wg.Add(chars)
for i := 0; i < chars; i++ {
go func() {
s, err := w.Write([]byte("a"))
s, err := io.WriteString(w, "a")
require.Equal(t, 1, s)
require.NoError(t, err)
wg.Done()
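Review bot: `require.Equal` and `require.NoError` are called inside the spawned goroutine, where a failure invokes `t.FailNow` off the test goroutine and exits before `wg.Done()` runs, so a failed write would most likely leave the wait group unreleased instead of failing cleanly. While this line is being touched, make `defer wg.Done()` the first statement of the closure and report with a non-fatal check such as `if err != nil || s != 1 { t.Errorf("write: n=%d err=%v", s, err) }`. The matching wait on `wg` is outside the hunk.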
@@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"net/url"
"path"
"strings"

"github.com/caarlos0/log"
@@ -68,7 +69,7 @@ func ExtractRepoFromURL(rawurl string) (config.Repo, error) {
}
repo := config.Repo{
RawURL: rawurl,
Owner: strings.Join(ss[:len(ss)-1], "/"),
Owner: path.Join(ss[:len(ss)-1]...),
Name: ss[len(ss)-1],
}
log.WithField("owner", repo.Owner).WithField("name", repo.Name).Debugf("parsed url")
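Review bot: `path.Join(ss[:len(ss)-1]...)` is not a drop-in replacement for `strings.Join(ss[:len(ss)-1], "/")`: it passes the result through `path.Clean`, so empty segments are dropped and `.`/`..` segments are resolved. `Owner` can therefore differ from what `RawURL` actually contains, and that value is derived from a caller-supplied URL. If normalisation is not intended, keep the `strings.Join` form and suppress the lint rule on that line; if it is intended, add test cases with empty and `..` segments to pin the behaviour. How `ss` is produced is outside the hunk.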
@@ -2,6 +2,7 @@ package logext

import (
"bytes"
"io"
"os"
"strconv"
"testing"
@@ -24,7 +25,7 @@ func TestWriter(t *testing.T) {
})
var b bytes.Buffer
log.Log = log.New(&b)
l, err := NewWriter(log.Fields{"foo": "bar"}, out).Write([]byte("foo\nbar\n"))
l, err := io.WriteString(NewWriter(log.Fields{"foo": "bar"}, out), "foo\nbar\n")
require.NoError(t, err)
require.Equal(t, 8, l)
require.Empty(t, b.String())
@@ -41,7 +42,7 @@ func TestWriter(t *testing.T) {
var b bytes.Buffer
log.Log = log.New(&b)
log.SetLevel(log.DebugLevel)
l, err := NewWriter(log.Fields{"foo": "bar"}, out).Write([]byte("foo\nbar\n"))
l, err := io.WriteString(NewWriter(log.Fields{"foo": "bar"}, out), "foo\nbar\n")
require.NoError(t, err)
require.Equal(t, 8, l)
golden.RequireEqualTxt(t, b.Bytes())
@@ -6,6 +6,7 @@ package archive
import (
"errors"
"fmt"
"io/fs"
"os"
"path/filepath"
"strings"
@@ -150,7 +151,7 @@ func doCreate(ctx *context.Context, arch config.Archive, binaries []*artifact.Ar
lock.Unlock()
return err
}
if _, err = os.Stat(archivePath); !os.IsNotExist(err) {
if _, err = os.Stat(archivePath); !errors.Is(err, fs.ErrNotExist) {
lock.Unlock()
return fmt.Errorf("archive named %s already exists. Check your archive name template", archivePath)
}
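Review bot: The condition `!errors.Is(err, fs.ErrNotExist)` is also true when `os.Stat` fails for another reason (permission denied, for example), and that case is reported as `archive named %s already exists`, which hides the real error. Handling `err == nil` and "other error" separately keeps the message accurate. The check and the later creation of the archive are separate steps; the creation call is outside the hunk, so whether it opens the file exclusively cannot be confirmed from here.

```go
// … unchanged: preceding error return …
_, err = os.Stat(archivePath)
if err == nil {
	lock.Unlock()
	return fmt.Errorf("archive named %s already exists. Check your archive name template", archivePath)
}
if !errors.Is(err, fs.ErrNotExist) {
	lock.Unlock()
	return fmt.Errorf("checking archive path %s: %w", archivePath, err)
}
```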
@@ -5,6 +5,7 @@ import (
"bytes"
"errors"
"fmt"
"io"
"os"
"path/filepath"
"sort"
@@ -471,7 +472,7 @@ func keyPath(key string) (string, error) {
key += "\n"
}

if _, err := f.Write([]byte(key)); err != nil {
if _, err := io.WriteString(f, key); err != nil {
return "", fmt.Errorf("failed to store private key: %w", err)
}
if err := f.Close(); err != nil {
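Review bot: When `io.WriteString(f, key)` fails, the function returns without closing `f` or removing the file, so a partially written private key can be left on disk with its handle still open. Assuming `f` is an `*os.File`, add `_ = f.Close()` and `_ = os.Remove(f.Name())` before the `return "", fmt.Errorf("failed to store private key: %w", err)`. The creation of `f` is outside the hunk; it is worth confirming the file is created with owner-only permissions and removed once the key has been used.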
@@ -116,10 +116,7 @@ func doUpload(ctx *context.Context, conf config.Blob) error {
fullpath := fullpath
g.Go(func() error {
uploadFile := path.Join(folder, name)

err := uploadData(ctx, conf, up, fullpath, uploadFile, bucketURL)

return err
return uploadData(ctx, conf, up, fullpath, uploadFile, bucketURL)
})
}

@@ -132,11 +129,10 @@ func uploadData(ctx *context.Context, conf config.Blob, up uploader, dataFile, u
return err
}

err = up.Upload(ctx, uploadFile, data)
if err != nil {
if err := up.Upload(ctx, uploadFile, data); err != nil {
return handleError(err, bucketURL)
}
return err
return nil
}

// errorContains check if error contains specific string.
@@ -6,6 +6,7 @@ import (
"bufio"
"errors"
"fmt"
"io/fs"
"os"
"strings"

@@ -146,7 +147,7 @@ func loadEnv(env, path string) (string, error) {
return "", err
}
f, err := os.Open(path) // #nosec
if os.IsNotExist(err) {
if errors.Is(err, fs.ErrNotExist) {
return "", nil
}
if err != nil {
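Review bot: The bare `// #nosec` on `os.Open(path)` silences every gosec rule on that line and records no reason for accepting the finding. Narrow it to the rule in question and add a justification, e.g. `f, err := os.Open(path) // #nosec G304 -- path comes from the project configuration`, adjusting the reason to whatever actually holds. `path` is a parameter of loadEnv and its origin is outside the hunk, so confirm where it is validated before keeping the suppression.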
@@ -2,6 +2,7 @@ package linkedin

import (
"fmt"
"io"
"net/http"
"net/http/httptest"
"testing"
@@ -56,12 +57,12 @@ func TestCreateLinkedInClient(t *testing.T) {

func TestClient_Share(t *testing.T) {
server := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
_, _ = rw.Write([]byte(`
_, _ = io.WriteString(rw, `
{
"id": "foo",
"activity": "123456789"
}
`))
`)
}))
defer server.Close()

@@ -5,7 +5,6 @@ import (
"io"
"net/http"
"net/http/httptest"
"os"
"testing"

"github.com/stretchr/testify/require"
@@ -92,8 +91,7 @@ func TestPostWebhook(t *testing.T) {
ctx.ReleaseURL = "https://github.com/honk/honk/releases/tag/v1.0.0"
ctx.Git.URL = "https://github.com/honk/honk"

os.Setenv("MATTERMOST_WEBHOOK", ts.URL)
defer os.Unsetenv("MATTERMOST_WEBHOOK")
t.Setenv("MATTERMOST_WEBHOOK", ts.URL)

require.NoError(t, Pipe{}.Default(ctx))
require.NoError(t, Pipe{}.Announce(ctx))
@@ -3,6 +3,7 @@ package release
import (
"errors"
"fmt"
"io/fs"
"os"
"time"

@@ -121,7 +122,7 @@ func doPublish(ctx *context.Context, client client.Client) error {
}

for name, path := range extraFiles {
if _, err := os.Stat(path); os.IsNotExist(err) {
if _, err := os.Stat(path); errors.Is(err, fs.ErrNotExist) {
return fmt.Errorf("failed to upload %s: %w", name, err)
}
ctx.Artifacts.Add(&artifact.Artifact{
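Review bot: Only `fs.ErrNotExist` stops the publish in this loop; any other `os.Stat` failure, such as a permission error, falls through and the path is still added as an artifact, only to fail later with a less direct message. Using `if _, err := os.Stat(path); err != nil {` reports every failure through the existing `failed to upload %s: %w` error. The loop body continues outside the hunk.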
@@ -7,7 +7,6 @@ import (
"io"
"net/http"
"net/http/httptest"
"os"
"testing"

"github.com/google/uuid"
@@ -180,8 +179,7 @@ func TestAnnounceBasicAuthWebhook(t *testing.T) {
},
},
})
os.Setenv("BASIC_AUTH_HEADER_VALUE", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass"))))
defer os.Unsetenv("BASIC_AUTH_HEADER_VALUE")
t.Setenv("BASIC_AUTH_HEADER_VALUE", fmt.Sprintf("Basic %s", base64.StdEncoding.EncodeToString([]byte("user:pass"))))
require.NoError(t, Pipe{}.Announce(ctx))
}

@@ -84,7 +84,7 @@ func fakeGit(args ...string) (string, error) {
"-c", "log.showSignature=false",
}
allArgs = append(allArgs, args...)
return git.Run(context.TODO(), allArgs...)
return git.Run(context.Background(), allArgs...)
}

// GitCheckoutBranch allows us to change the active branch that we're using.
@@ -126,7 +126,7 @@ func New(config config.Project) *Context {

// NewWithTimeout new context with the given timeout.
func NewWithTimeout(config config.Project, timeout time.Duration) (*Context, stdctx.CancelFunc) {
ctx, cancel := stdctx.WithTimeout(stdctx.Background(), timeout)
ctx, cancel := stdctx.WithTimeout(stdctx.Background(), timeout) // nosem
return Wrap(ctx, config), cancel
}
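Review bot: The trailing `// nosem` on the `stdctx.WithTimeout` line suppresses every semgrep rule there and does not record which finding was accepted or why. Name the rule so that unrelated findings on the line still surface, e.g. `// nosemgrep: <rule-id>` (placeholder for the rule that fired). A comment line above it should state that `cancel` is returned to the caller, which is presumably the reason the finding is a false positive.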
