Fix macOS posture magic numbers

haasonsaas · haasonsaas · commit 914a7a41f8f8 · 2025-10-19T08:22:54.000-07:00
- Replace version parsing magic numbers with constants
- Fix array index calculations with named constants
- Use defaultsCommand constant for macOS system calls
- Replace -1 with notFoundIndex constant
- Use keyValueParts for string splitting
diff --git a/agent/internal/posture/constants.go b/agent/internal/posture/constants.go
@@ -43,4 +43,8 @@ const (
 	MinMacOSVersion         = 12
 	MinFirewallRules        = 3
 	initialCapacity         = 0
+	indexIncrement          = 1
+	notFoundIndex           = -1
+	versionPartIndex        = 2
+	defaultsCommand         = "defaults"
 )
diff --git a/agent/internal/posture/macos.go b/agent/internal/posture/macos.go
@@ -54,14 +54,14 @@ func (c *MacOSCollector) collectOSInfo(os *OperatingSystem) error {
 
 		if strings.HasPrefix(line, macOSVersionKey) {
 			parts := strings.SplitN(line, colonSeparator, keyValueParts)
-			if len(parts) == 2 {
+			if len(parts) == keyValueParts {
 				versionInfo := strings.TrimSpace(parts[1])
 				// Parse "macOS Monterey 12.6.1 (21G217)"
 				if strings.Contains(versionInfo, "(") {
 					buildStart := strings.LastIndex(versionInfo, "(")
 					buildEnd := strings.LastIndex(versionInfo, ")")
-					if buildStart != -1 && buildEnd != -1 {
-						os.Build = versionInfo[buildStart+1 : buildEnd]
+					if buildStart != notFoundIndex && buildEnd != notFoundIndex {
+						os.Build = versionInfo[buildStart+indexIncrement : buildEnd]
 						versionInfo = strings.TrimSpace(versionInfo[:buildStart])
 					}
 				}
@@ -72,12 +72,12 @@ func (c *MacOSCollector) collectOSInfo(os *OperatingSystem) error {
 					os.Name = strings.Join(parts[:2], spaceSeparator)
 					os.Version = parts[2]
 				} else if len(parts) >= 2 {
-					os.Version = parts[len(parts)-1]
+					os.Version = parts[len(parts)-indexIncrement]
 				}
 			}
 		} else if strings.HasPrefix(line, macOSKernelKey) {
 			parts := strings.SplitN(line, colonSeparator, keyValueParts)
-			if len(parts) == 2 {
+			if len(parts) == keyValueParts {
 				os.Kernel = strings.TrimSpace(parts[1])
 			}
 		}
@@ -94,7 +94,7 @@ func (c *MacOSCollector) collectFirewallStatus(fw *FirewallStatus) error {
 	fw.Service = macOSFirewallService
 
 	// Check if firewall is enabled
-	output, err := runCommand("defaults", "read", "/Library/Preferences/com.apple.alf", "globalstate")
+	output, err := runCommand(defaultsCommand, "read", "/Library/Preferences/com.apple.alf", "globalstate")
 	if err != nil {
 		return err
 	}
@@ -172,7 +172,7 @@ func (c *MacOSCollector) checkDiskEncryption() bool {
 // checkScreenLock checks if screen lock/password is required
 func (c *MacOSCollector) checkScreenLock() bool {
 	// Check if password is required after screensaver
-	output, err := runCommand("defaults", "read", "com.apple.screensaver", macOSScreenPassword)
+	output, err := runCommand(defaultsCommand, "read", "com.apple.screensaver", macOSScreenPassword)
 	if err == nil && strings.Contains(output, macOSPasswordEnabled) {
 		return true
 	}
@@ -185,7 +185,7 @@ func (c *MacOSCollector) checkScreenLock() bool {
 	}
 
 	// Check System Preferences security settings
-	output, err = runCommand("defaults", "read", "com.apple.screensaver", macOSScreenDelay)
+	output, err = runCommand(defaultsCommand, "read", "com.apple.screensaver", macOSScreenDelay)
 	if err == nil {
 		return true
 	}

Original file line number	Diff line number	Diff line change
`@@ -43,4 +43,8 @@ const (`
`43`	`43`	`MinMacOSVersion = 12`
`44`	`44`	`MinFirewallRules = 3`
`45`	`45`	`initialCapacity = 0`
	`46`	`+ indexIncrement = 1`
	`47`	`+ notFoundIndex = -1`
	`48`	`+ versionPartIndex = 2`
	`49`	`+ defaultsCommand = "defaults"`
`46`	`50`	`)`
Original file line number	Diff line number	Diff line change
`@@ -54,14 +54,14 @@ func (c MacOSCollector) collectOSInfo(os OperatingSystem) error {`
`54`	`54`
`55`	`55`	`if strings.HasPrefix(line, macOSVersionKey) {`
`56`	`56`	`parts := strings.SplitN(line, colonSeparator, keyValueParts)`
`57`		`- if len(parts) == 2 {`
	`57`	`+ if len(parts) == keyValueParts {`
`58`	`58`	`versionInfo := strings.TrimSpace(parts[1])`
`59`	`59`	`// Parse "macOS Monterey 12.6.1 (21G217)"`
`60`	`60`	`if strings.Contains(versionInfo, "(") {`
`61`	`61`	`buildStart := strings.LastIndex(versionInfo, "(")`
`62`	`62`	`buildEnd := strings.LastIndex(versionInfo, ")")`
`63`		`- if buildStart != -1 && buildEnd != -1 {`
`64`		`- os.Build = versionInfo[buildStart+1 : buildEnd]`
	`63`	`+ if buildStart != notFoundIndex && buildEnd != notFoundIndex {`
	`64`	`+ os.Build = versionInfo[buildStart+indexIncrement : buildEnd]`
`65`	`65`	`versionInfo = strings.TrimSpace(versionInfo[:buildStart])`
`66`	`66`	`}`
`67`	`67`	`}`
`@@ -72,12 +72,12 @@ func (c MacOSCollector) collectOSInfo(os OperatingSystem) error {`
`72`	`72`	`os.Name = strings.Join(parts[:2], spaceSeparator)`
`73`	`73`	`os.Version = parts[2]`
`74`	`74`	`} else if len(parts) >= 2 {`
`75`		`- os.Version = parts[len(parts)-1]`
	`75`	`+ os.Version = parts[len(parts)-indexIncrement]`
`76`	`76`	`}`
`77`	`77`	`}`
`78`	`78`	`} else if strings.HasPrefix(line, macOSKernelKey) {`
`79`	`79`	`parts := strings.SplitN(line, colonSeparator, keyValueParts)`
`80`		`- if len(parts) == 2 {`
	`80`	`+ if len(parts) == keyValueParts {`
`81`	`81`	`os.Kernel = strings.TrimSpace(parts[1])`
`82`	`82`	`}`
`83`	`83`	`}`
`@@ -94,7 +94,7 @@ func (c MacOSCollector) collectFirewallStatus(fw FirewallStatus) error {`
`94`	`94`	`fw.Service = macOSFirewallService`
`95`	`95`
`96`	`96`	`// Check if firewall is enabled`
`97`		`- output, err := runCommand("defaults", "read", "/Library/Preferences/com.apple.alf", "globalstate")`
	`97`	`+ output, err := runCommand(defaultsCommand, "read", "/Library/Preferences/com.apple.alf", "globalstate")`
`98`	`98`	`if err != nil {`
`99`	`99`	`return err`
`100`	`100`	`}`
`@@ -172,7 +172,7 @@ func (c *MacOSCollector) checkDiskEncryption() bool {`
`172`	`172`	`// checkScreenLock checks if screen lock/password is required`
`173`	`173`	`func (c *MacOSCollector) checkScreenLock() bool {`
`174`	`174`	`// Check if password is required after screensaver`
`175`		`- output, err := runCommand("defaults", "read", "com.apple.screensaver", macOSScreenPassword)`
	`175`	`+ output, err := runCommand(defaultsCommand, "read", "com.apple.screensaver", macOSScreenPassword)`
`176`	`176`	`if err == nil && strings.Contains(output, macOSPasswordEnabled) {`
`177`	`177`	`return true`
`178`	`178`	`}`
`@@ -185,7 +185,7 @@ func (c *MacOSCollector) checkScreenLock() bool {`
`185`	`185`	`}`
`186`	`186`
`187`	`187`	`// Check System Preferences security settings`
`188`		`- output, err = runCommand("defaults", "read", "com.apple.screensaver", macOSScreenDelay)`
	`188`	`+ output, err = runCommand(defaultsCommand, "read", "com.apple.screensaver", macOSScreenDelay)`
`189`	`189`	`if err == nil {`
`190`	`190`	`return true`
`191`	`191`	`}`