fix: clean up linter issues

smoyer64 · smoyer64 · commit b5394eadfc54 · 2026-02-20T16:18:41.000-05:00
diff --git a/internal/buildinfo/parse.go b/internal/buildinfo/parse.go
@@ -28,7 +28,7 @@ func Parse(info string) ([]model.BuildInfo, error) {
 		if !strings.HasPrefix(l, "\t") {
 			matches := goVersionRgx.FindStringSubmatch(l)
 			if len(matches) != 2 {
-				return nil, fmt.Errorf("unrecognised version line: %s", l)
+				return nil, fmt.Errorf("unrecognized version line: %s", l)
 			}
 			if current.Path != "" {
 				results = append(results, current)
@@ -81,7 +81,7 @@ func Parse(info string) ([]model.BuildInfo, error) {
 		case "":
 			// blank (tab prefixed) lines appear after lines relating to replace directives in Go 1.18 compiled binaries
 		default:
-			return nil, fmt.Errorf("unrecognised line: %s", l)
+			return nil, fmt.Errorf("unrecognized line: %s", l)
 		}
 	}
 	if current.Path != "" {
diff --git a/internal/buildinfo/parse_test.go b/internal/buildinfo/parse_test.go
@@ -232,9 +232,9 @@ func TestParse(t *testing.T) {
 			},
 		},
 		{
-			name:        "unrecognised line",
+			name:        "unrecognized line",
 			input:       `/tmp/lichen: invalid`,
-			expectedErr: "unrecognised version line: /tmp/lichen: invalid",
+			expectedErr: "unrecognized version line: /tmp/lichen: invalid",
 		},
 		{
 			name: "partial path line",
diff --git a/internal/license/db/gen/gen.go b/internal/license/db/gen/gen.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"log/slog"
 	"os"
 )
 
@@ -28,13 +29,22 @@ func run() error {
 	if err != nil {
 		return err
 	}
-	defer f.Close()
+	defer func() {
+		if err := f.Close(); err != nil {
+			slog.Error("failed to close binary", slog.String("reason", err.Error()))
+		}
+	}()
 
 	w, err := os.Create(os.Args[2])
 	if err != nil {
 		return err
 	}
-	defer w.Close()
+
+	defer func() {
+		if err := w.Close(); err != nil {
+			slog.Error("failed to close report", slog.String("reason", err.Error()))
+		}
+	}()
 
 	buf := &bytes.Buffer{}
 	encoder := ascii85.NewEncoder(buf)
@@ -52,7 +62,9 @@ func run() error {
 		return err
 	}
 
-	fmt.Fprintf(w, tmpl, buf.String())
+	if _, err := fmt.Fprintf(w, tmpl, buf.String()); err != nil {
+		slog.Error("failed to write report", slog.String("reason", err.Error()))
+	}
 
 	return nil
 }
diff --git a/internal/license/resolve.go b/internal/license/resolve.go
@@ -3,11 +3,13 @@ package license
 import (
 	"fmt"
 	"io/ioutil"
+	"log/slog"
 	"path/filepath"
 	"regexp"
 	"strings"
 
 	"github.com/google/licenseclassifier"
+
 	"github.com/selesy/lichen/internal/license/db"
 	"github.com/selesy/lichen/internal/model"
 )
@@ -18,9 +20,15 @@ func Resolve(modules []model.Module, threshold float64) ([]model.Module, error)
 	archiveFn := licenseclassifier.ArchiveFunc(func() ([]byte, error) {
 		f, err := db.Open()
 		if err != nil {
-			return nil, fmt.Errorf("failed to open license databse: %w", err)
+			return nil, fmt.Errorf("failed to open license database: %w", err)
 		}
-		defer f.Close()
+
+		defer func() {
+			if err := f.Close(); err != nil {
+				slog.Error("failed to close license database", slog.String("reason", err.Error()))
+			}
+		}()
+
 		return ioutil.ReadAll(f)
 	})
 
@@ -32,7 +40,7 @@ func Resolve(modules []model.Module, threshold float64) ([]model.Module, error)
 	for i, m := range modules {
 		if m.IsLocal() {
 			// there is no guarantee we are being run in a location that makes local module references resolvable.. to
-			// avoid incidental and non-obvious behaviour here, we simply don't touch such references - overrides must
+			// avoid incidental and non-obvious behavior here, we simply don't touch such references - overrides must
 			// be provided instead.
 			continue
 		}
@@ -71,6 +79,17 @@ func locateLicenses(path string) (lp []string, err error) {
 func classify(lc *licenseclassifier.License, paths []string) ([]model.License, error) {
 	licenses := make([]model.License, 0)
 	for _, p := range paths {
+		// normalize the path
+		p, err := filepath.Abs(p)
+		if err != nil {
+			return nil, err
+		}
+		// resolve symlinks to prevent directory traversal attacks
+		p, err = filepath.EvalSymlinks(p)
+		if err != nil {
+			return nil, err
+		}
+
 		content, err := ioutil.ReadFile(p)
 		if err != nil {
 			return nil, err
diff --git a/internal/model/model.go b/internal/model/model.go
@@ -27,8 +27,8 @@ type ModuleReference struct {
 }
 
 // pathRgx covers
-//  - unix paths: ".", "..", prefixed "./", prefixed "../", prefixed "/"
-//  - windows paths: ".", "..", prefixed ".\", prefixed "..\", prefixed "<drive>:\"
+//   - unix paths: ".", "..", prefixed "./", prefixed "../", prefixed "/"
+//   - windows paths: ".", "..", prefixed ".\", prefixed "..\", prefixed "<drive>:\"
 var pathRgx = regexp.MustCompile(`^(\.\.?($|/|\\)|/|[A-Za-z]:\\)`)
 
 // IsLocal returns true if the module reference points to a local path
diff --git a/internal/model/model_test.go b/internal/model/model_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+
 	"github.com/selesy/lichen/internal/model"
 )
 
diff --git a/internal/module/extract.go b/internal/module/extract.go
@@ -2,12 +2,15 @@ package module
 
 import (
 	"context"
+	"errors"
 	"fmt"
-	"io/ioutil"
+	"log/slog"
 	"os"
 	"os/exec"
+	"path/filepath"
 
 	"github.com/hashicorp/go-multierror"
+
 	"github.com/selesy/lichen/internal/buildinfo"
 	"github.com/selesy/lichen/internal/model"
 )
@@ -50,20 +53,43 @@ func goVersion(ctx context.Context, paths []string) (string, error) {
 		return "", err
 	}
 
-	tempDir, err := ioutil.TempDir("", "lichen")
+	// normalize the path
+	goBin, err = filepath.Abs(goBin)
+	if err != nil {
+		return "", err
+	}
+	// resolve symlinks to prevent directory traversal attacks
+	goBin, err = filepath.EvalSymlinks(goBin)
+	if err != nil {
+		return "", err
+	}
+
+	// Validation: Ensure we actually found a 'go' binary
+	if filepath.Base(goBin) != "go" && filepath.Base(goBin) != "go.exe" {
+		return "", errors.New("unexpected binary resolved")
+	}
+
+	tempDir, err := os.MkdirTemp("", "lichen")
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}
-	defer os.Remove(tempDir)
+	defer func() {
+		if err := os.Remove(tempDir); err != nil {
+			slog.Error("failed to remove temporary folder/files", slog.String("reason", err.Error()))
+		}
+	}()
 
 	args := []string{"version", "-m"}
 	args = append(args, paths...)
 
+	//nolint:gosec
+	// the goBin variable was sanitized above
 	cmd := exec.CommandContext(ctx, goBin, args...)
 	cmd.Dir = tempDir
 	out, err := cmd.Output()
 	if err != nil {
-		if exitErr, ok := err.(*exec.ExitError); ok {
+		exitErr := &exec.ExitError{}
+		if errors.As(err, &exitErr) {
 			return "", fmt.Errorf("error when running 'go version': %w - stderr: %s", err, exitErr.Stderr)
 		}
 		return "", fmt.Errorf("error when running 'go version': %w", err)
diff --git a/internal/module/fetch.go b/internal/module/fetch.go
@@ -7,11 +7,13 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
+	"log/slog"
 	"os"
 	"os/exec"
+	"path/filepath"
 
 	"github.com/hashicorp/go-multierror"
+
 	"github.com/selesy/lichen/internal/model"
 )
 
@@ -25,11 +27,32 @@ func Fetch(ctx context.Context, refs []model.ModuleReference) ([]model.Module, e
 		return nil, err
 	}
 
-	tempDir, err := ioutil.TempDir("", "lichen")
+	// normalize the path
+	goBin, err = filepath.Abs(goBin)
+	if err != nil {
+		return nil, err
+	}
+	// resolve symlinks to prevent directory traversal attacks
+	goBin, err = filepath.EvalSymlinks(goBin)
+	if err != nil {
+		return nil, err
+	}
+
+	// Validation: Ensure we actually found a 'go' binary
+	if filepath.Base(goBin) != "go" && filepath.Base(goBin) != "go.exe" {
+		return nil, errors.New("unexpected binary resolved")
+	}
+
+	tempDir, err := os.MkdirTemp("", "lichen")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create temp directory: %w", err)
 	}
-	defer os.Remove(tempDir)
+
+	defer func() {
+		if err := os.Remove(tempDir); err != nil {
+			slog.Error("failed to remove temporary folder/files", slog.String("reason", err.Error()))
+		}
+	}()
 
 	args := []string{"mod", "download", "-json"}
 	for _, ref := range refs {
@@ -38,6 +61,8 @@ func Fetch(ctx context.Context, refs []model.ModuleReference) ([]model.Module, e
 		}
 	}
 
+	//nolint:gosec
+	// the goBin variable was sanitized above
 	cmd := exec.CommandContext(ctx, goBin, args...)
 	cmd.Dir = tempDir
 	out, err := cmd.CombinedOutput()
diff --git a/internal/module/fetch_test.go b/internal/module/fetch_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+
 	"github.com/selesy/lichen/internal/model"
 	"github.com/selesy/lichen/internal/module"
 )
diff --git a/internal/scan/result.go b/internal/scan/result.go
@@ -31,7 +31,7 @@ func (r EvaluatedModule) ExplainDecision() string {
 	case DecisionNotAllowedLicenseNotPermitted:
 		return fmt.Sprintf("not allowed - non-permitted licenses: %v", r.NotPermitted)
 	default:
-		panic("unrecognised decision")
+		panic("unrecognized decision")
 	}
 }
 
@@ -52,6 +52,6 @@ func (d Decision) MarshalText() ([]byte, error) {
 	case DecisionNotAllowedLicenseNotPermitted:
 		return []byte("licenses-not-allowed"), nil
 	default:
-		panic("unrecognised decision")
+		panic("unrecognized decision")
 	}
 }
diff --git a/internal/scan/run.go b/internal/scan/run.go
@@ -42,7 +42,7 @@ func Run(ctx context.Context, conf Config, binPaths ...string) (Summary, error)
 	// evaluate the modules and sort by path
 	results := evaluate(conf, binaries, modules)
 	sort.Slice(results, func(i, j int) bool {
-		return results[i].Module.Path < results[j].Module.Path
+		return results[i].Path < results[j].Path
 	})
 
 	return Summary{
@@ -83,7 +83,7 @@ func applyOverrides(modules []model.Module, overrides []Override) []model.Module
 	}
 
 	for i, mod := range modules {
-		if repl, found := replacements[mod.ModuleReference.Path]; found {
+		if repl, found := replacements[mod.Path]; found {
 			// if an explicit version is configured, only apply the override if the module version matches
 			if repl.version != "" && repl.version != mod.Version {
 				continue
diff --git a/main.go b/main.go
@@ -4,17 +4,18 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"log"
+	"log/slog"
 	"os"
 	"path/filepath"
 	"text/template"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/muesli/termenv"
 	"github.com/urfave/cli/v2"
-	"github.com/selesy/lichen/internal/scan"
 	"gopkg.in/yaml.v2"
+
+	"github.com/selesy/lichen/internal/scan"
 )
 
 const tmpl = `{{range .Modules}}
@@ -92,7 +93,7 @@ func run(c *cli.Context) error {
 	var rErr error
 	for _, m := range summary.Modules {
 		if !m.Allowed() {
-			rErr = multierror.Append(rErr, fmt.Errorf("%s: %s", m.Module.ModuleReference, m.ExplainDecision()))
+			rErr = multierror.Append(rErr, fmt.Errorf("%s: %s", m.ModuleReference, m.ExplainDecision()))
 		}
 	}
 	return rErr
@@ -101,7 +102,18 @@ func run(c *cli.Context) error {
 func parseConfig(path string) (scan.Config, error) {
 	var conf scan.Config
 	if path != "" {
-		b, err := ioutil.ReadFile(path)
+		// normalize the path
+		path, err := filepath.Abs(path)
+		if err != nil {
+			return conf, err
+		}
+		// resolve symlinks to prevent directory traversal attacks
+		path, err = filepath.EvalSymlinks(path)
+		if err != nil {
+			return conf, err
+		}
+
+		b, err := os.ReadFile(path)
 		if err != nil {
 			return scan.Config{}, fmt.Errorf("failed to read file %q: %w", path, err)
 		}
@@ -125,11 +137,28 @@ func absolutePaths(paths []string) ([]string, error) {
 }
 
 func writeJSON(path string, summary scan.Summary) error {
+	// normalize the path
+	path, err := filepath.Abs(path)
+	if err != nil {
+		return err
+	}
+	// resolve symlinks to prevent directory traversal attacks
+	path, err = filepath.EvalSymlinks(path)
+	if err != nil {
+		return err
+	}
+
 	f, err := os.Create(path)
 	if err != nil {
 		return fmt.Errorf("failed to create file for json output: %w", err)
 	}
-	defer f.Close()
+
+	defer func() {
+		if err := f.Close(); err != nil {
+			slog.Error("failed to close file for json output", slog.String("reason", err.Error()))
+		}
+	}()
+
 	if err := json.NewEncoder(f).Encode(summary); err != nil {
 		return fmt.Errorf("json encode failed: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func Parse(info string) ([]model.BuildInfo, error) {`
`28`	`28`	`if !strings.HasPrefix(l, "\t") {`
`29`	`29`	`matches := goVersionRgx.FindStringSubmatch(l)`
`30`	`30`	`if len(matches) != 2 {`
`31`		`- return nil, fmt.Errorf("unrecognised version line: %s", l)`
	`31`	`+ return nil, fmt.Errorf("unrecognized version line: %s", l)`
`32`	`32`	`}`
`33`	`33`	`if current.Path != "" {`
`34`	`34`	`results = append(results, current)`
`@@ -81,7 +81,7 @@ func Parse(info string) ([]model.BuildInfo, error) {`
`81`	`81`	`case "":`
`82`	`82`	`// blank (tab prefixed) lines appear after lines relating to replace directives in Go 1.18 compiled binaries`
`83`	`83`	`default:`
`84`		`- return nil, fmt.Errorf("unrecognised line: %s", l)`
	`84`	`+ return nil, fmt.Errorf("unrecognized line: %s", l)`
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`	`if current.Path != "" {`
Original file line number	Diff line number	Diff line change
`@@ -232,9 +232,9 @@ func TestParse(t *testing.T) {`
`232`	`232`	`},`
`233`	`233`	`},`
`234`	`234`	`{`
`235`		`- name: "unrecognised line",`
	`235`	`+ name: "unrecognized line",`
`236`	`236`	input: `/tmp/lichen: invalid`,
`237`		`- expectedErr: "unrecognised version line: /tmp/lichen: invalid",`
	`237`	`+ expectedErr: "unrecognized version line: /tmp/lichen: invalid",`
`238`	`238`	`},`
`239`	`239`	`{`
`240`	`240`	`name: "partial path line",`
Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,8 @@ type ModuleReference struct {`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`// pathRgx covers`
`30`		`-// - unix paths: ".", "..", prefixed "./", prefixed "../", prefixed "/"`
`31`		`-// - windows paths: ".", "..", prefixed ".\", prefixed "..\", prefixed "<drive>:\"`
	`30`	`+// - unix paths: ".", "..", prefixed "./", prefixed "../", prefixed "/"`
	`31`	`+// - windows paths: ".", "..", prefixed ".\", prefixed "..\", prefixed "<drive>:\"`
`32`	`32`	var pathRgx = regexp.MustCompile(`^(\.\.?($\|/\|\\)\|/\|[A-Za-z]:\\)`)
`33`	`33`
`34`	`34`	`// IsLocal returns true if the module reference points to a local path`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import (`
`4`	`4`	`"testing"`
`5`	`5`
`6`	`6`	`"github.com/stretchr/testify/assert"`
	`7`	`+`
`7`	`8`	`"github.com/selesy/lichen/internal/model"`
`8`	`9`	`)`
`9`	`10`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ import (`
`5`	`5`	`"testing"`
`6`	`6`
`7`	`7`	`"github.com/stretchr/testify/assert"`
	`8`	`+`
`8`	`9`	`"github.com/selesy/lichen/internal/model"`
`9`	`10`	`"github.com/selesy/lichen/internal/module"`
`10`	`11`	`)`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func (r EvaluatedModule) ExplainDecision() string {`
`31`	`31`	`case DecisionNotAllowedLicenseNotPermitted:`
`32`	`32`	`return fmt.Sprintf("not allowed - non-permitted licenses: %v", r.NotPermitted)`
`33`	`33`	`default:`
`34`		`- panic("unrecognised decision")`
	`34`	`+ panic("unrecognized decision")`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
`@@ -52,6 +52,6 @@ func (d Decision) MarshalText() ([]byte, error) {`
`52`	`52`	`case DecisionNotAllowedLicenseNotPermitted:`
`53`	`53`	`return []byte("licenses-not-allowed"), nil`
`54`	`54`	`default:`
`55`		`- panic("unrecognised decision")`
	`55`	`+ panic("unrecognized decision")`
`56`	`56`	`}`
`57`	`57`	`}`