From 3d5fce5c4474a2163e4da0bd14a9aa99c1fcf06e Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Fri, 6 Jun 2025 10:19:49 -0700 Subject: [PATCH] Junie: write golangci-lint config. --- .golangci.yml | 233 ++++++++++++++++++++++++++++++++++++++++++++++++++ README.org | 8 ++ 2 files changed, 241 insertions(+) create mode 100644 .golangci.yml diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 0000000..c1416b5 --- /dev/null +++ b/.golangci.yml 
@@ -0,0 +1,233 @@ +# MCIAS golangci-lint configuration +# This is a strict configuration focused on security and code quality +# +# Usage: +# - Run all linters: golangci-lint run +# - Run specific linter: golangci-lint run --disable-all --enable=gosec +# - Run with specific configuration: golangci-lint run -c .golangci.yml +# +# This configuration enables a comprehensive set of linters to ensure: +# 1. Security best practices (gosec, errcheck, etc.) +# 2. Code quality and maintainability (gofmt, goimports, etc.) +# 3. Performance considerations (prealloc, etc.) +# 4. Error handling correctness (errcheck, errorlint, etc.) +# +# For more information about golangci-lint, visit: https://golangci-lint.run/ + +run: + # Timeout for running linters, default is 1m + timeout: 5m + # Include test files + tests: true + # Go version to use for analysis + go: "1.18" + +# Output configuration +output: + # Format: colored-line-number|line-number|json|tab|checkstyle|code-climate|junit-xml|github-actions + formats: + - format: colored-line-number + # Print lines of code with issue + print-issued-lines: true + # Print linter name in the end of issue text + print-linter-name: true + +# All available linters +linters: + enable-all: false + disable-all: true + enable: + # Default linters + - errcheck # Detect unchecked errors + - gosimple # Simplify code + - govet # Examine Go source code and reports suspicious constructs + - ineffassign # Detect ineffectual assignments + - staticcheck # Go static analysis + - typecheck # Like the front-end of a Go compiler + - unused # Check for unused constants, variables, functions and types + + # Additional linters for security and code quality + - asciicheck # Check that your code does not contain non-ASCII identifiers + - bodyclose # Checks whether HTTP response body is closed successfully + - cyclop # Check function and package cyclomatic complexity + - dupl # Code clone detection + - durationcheck # Check for two durations multiplied together + 
- errorlint # Find code that will cause problems with the error wrapping scheme + - exhaustive # Check exhaustiveness of enum switch statements + - copyloopvar # Check for pointers to enclosing loop variables (replaces exportloopref) + - forbidigo # Forbids identifiers + - funlen # Tool for detection of long functions + - gochecknoinits # Check that no init functions are present + - goconst # Find repeated strings that could be replaced by a constant + - gocritic # Provides diagnostics that check for bugs, performance and style issues + - gocyclo # Calculate cyclomatic complexities of functions + - godot # Check if comments end in a period + - gofmt # Check whether code was gofmt-ed + - goimports # Check imports are formatted according to goimports + - mnd # Detect magic numbers (replaces gomnd) + - gosec # Inspects source code for security problems + - misspell # Find commonly misspelled English words + - nakedret # Find naked returns + - nestif # Reports deeply nested if statements + - noctx # Find sending HTTP request without context.Context + - nolintlint # Reports ill-formed or insufficient nolint directives + - prealloc # Find slice declarations that could potentially be preallocated + - predeclared # Find code that shadows predeclared identifiers + - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go + - sqlclosecheck # Checks that sql.Rows and sql.Stmt are closed + - stylecheck # Stylecheck is a replacement for golint + - thelper # Detect golang test helpers without t.Helper() call + - tparallel # Detects inappropriate usage of t.Parallel() + - unconvert # Remove unnecessary type conversions + - unparam # Find unused function parameters + - wastedassign # Find wasted assignment statements + - whitespace # Tool for detection of leading and trailing whitespace + +# Linter settings +linters-settings: + errcheck: + # Report about not checking of errors in type assertions: `a := b.(MyStruct)`. 
+ check-type-assertions: true + # Report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`. + check-blank: true + + funlen: + # Checks the number of lines in a function. + lines: 100 + # Checks the number of statements in a function. + statements: 50 + + gocyclo: + # Minimal code complexity to report. + min-complexity: 15 + + cyclop: + # The maximal code complexity to report. + max-complexity: 15 + # The maximal average package complexity. + package-average: 10.0 + + mnd: + # List of enabled checks, see https://github.com/tommy-muehle/go-mnd/#checks for description. + checks: + - argument + - case + - condition + - operation + - return + - assign + + forbidigo: + # Forbid the following identifiers + forbid: + - ^print$ + - ^println$ + # Exclude godoc examples from forbidigo checks + exclude_godoc_examples: true + + govet: + # Enable all analyzers. + enable-all: true + # Disable specific analyzers. + disable: + - fieldalignment # Too strict for now + # Settings per analyzer. + settings: + shadow: + # Whether to be strict about shadowing; can be noisy. + strict: true + + revive: + # Maximum number of open files at the same time. + max-open-files: 2048 + # Minimal confidence for issues, default is 0.8. + confidence: 0.8 + # Enable all available rules. + enable-all-rules: true + # Disabled rules. + rules: + - name: line-length-limit + disabled: true + + staticcheck: + # https://staticcheck.io/docs/options#checks + checks: ["all"] + + stylecheck: + # https://staticcheck.io/docs/options#checks + checks: ["all"] + + gosec: + # To select a subset of rules to run. 
+ # Available rules: https://github.com/securego/gosec#available-rules + includes: + - G101 # Look for hard coded credentials + - G102 # Bind to all interfaces + - G103 # Audit the use of unsafe block + - G104 # Audit errors not checked + - G106 # Audit the use of ssh.InsecureIgnoreHostKey + - G107 # Url provided to HTTP request as taint input + - G108 # Profiling endpoint automatically exposed + - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32 + - G110 # Potential DoS vulnerability via decompression bomb + - G111 # Potential directory traversal + - G112 # Potential slowloris attack + - G113 # Usage of Rat.SetString in math/big + - G114 # Use of net/http serve function that has no support for setting timeouts + - G201 # SQL query construction using format string + - G202 # SQL query construction using string concatenation + - G203 # Use of unescaped data in HTML templates + - G204 # Audit use of command execution + - G301 # Poor file permissions used when creating a directory + - G302 # Poor file permissions used when creation of file + - G303 # Creating tempfile using a predictable path + - G304 # File path provided as taint input + - G305 # File traversal when extracting zip/tar archive + - G306 # Poor file permissions used when writing to a file + - G307 # Deferring a method which returns an error + - G401 # Detect the usage of weak crypto algorithms + - G402 # Look for bad TLS connection settings + - G403 # Ensure minimum RSA key length of 2048 bits + - G404 # Insecure random number source (rand) + - G501 # Import blocklist: crypto/md5 + - G502 # Import blocklist: crypto/des + - G503 # Import blocklist: crypto/rc4 + - G504 # Import blocklist: net/http/cgi + - G505 # Import blocklist: crypto/sha1 + - G601 # Implicit memory aliasing of items from a range statement + - G602 # Slice access out of bounds + +# Issues configuration +issues: + # Maximum count of issues with the same text. 
+ max-same-issues: 3 + + # Maximum issues count per one linter. + max-issues-per-linter: 50 + + # Fix found issues (if it's supported by the linter). + fix: false + + # Exclude some directories from linting + exclude-dirs: + - vendor + + # Exclude some files from linting + exclude-files: + - ".*\\.pb\\.go$" + - ".*\\.gen\\.go$" + + # Exclude specific linting rules for specific files + exclude-rules: + # Exclude some linters from running on tests files. + - path: _test\.go + linters: + - gocyclo + - errcheck + - dupl + - gosec + - funlen + - thelper # Many test helpers don't need t.Helper() + - noctx # Context is often not needed in tests + - cyclop # Test functions can be more complex + - nestif # Test functions often have nested if statements diff --git a/README.org b/README.org index 7174aa1..55abafc 100644 --- a/README.org +++ b/README.org @@ -118,5 +118,13 @@ - Run tests: =go test ./...= - Run linter: =golangci-lint run= + - Run specific linter: =golangci-lint run --disable-all --enable=gosec= + + The project uses a strict golangci-lint configuration defined in =.golangci.yml=. + This configuration includes a comprehensive set of linters focused on: + - Security best practices + - Code quality and maintainability + - Performance considerations + - Error handling correctness See the [[file:docs/installation.org][Installation and Usage Guide]] for more details.
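Review bot: The `issues` section caps output with `max-same-issues: 3` and `max-issues-per-linter: 50`, so on a codebase with more than 50 gosec or errcheck findings the remainder are silently dropped and a run can look clean when it is not, which undercuts the "strict, security-focused" intent stated in the header; set both to `0` (unlimited) so the lint only passes when the code actually is clean. The `gosec.includes` allowlist has a similar effect over time: only the listed rule IDs run, so any rule added in a newer gosec release (for example the integer-overflow-on-conversion check, if the pinned version ships it) is skipped without any warning — prefer an `excludes:` list naming the rules you deliberately reject, and note that `G307` appears to have been retired upstream, so verify each listed ID against the gosec version CI installs. `run.go: "1.18"` also looks inconsistent with enabling `copyloopvar`, whose diagnostics assume Go 1.22 per-iteration loop variables; match `go` to the module's go.mod (or omit it so golangci-lint reads go.mod) before relying on that linter. Finally, the file uses the v1 layout (`linters-settings`, `issues.exclude-rules`, no top-level `version:`), and if CI pins golangci-lint v2 it will refuse this config, so the expected major version should be stated in the header comment, e.g. `# Requires golangci-lint v1.57+ (v1 config schema); not compatible with v2 without migration.`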