Update configuration

SaschaSchwarze0 · SaschaSchwarze0 · commit f92ccfdcd74e · 2025-11-21T16:31:19.000+01:00
Signed-off-by: Sascha Schwarze &lt;schwarzs@de.ibm.com&gt;
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -1,23 +1,31 @@
+version: "2"
+
 linters:
+  disable:
+    - errcheck
   enable:
-    - ineffassign
-    - revive
     - gosec
     - govet
+    - ineffassign
     - misspell
+    - revive
     - staticcheck
-  disable:
-    - errcheck
+    - unused
+
+  exclusions:
+    rules:
+      - path: test
+        linters:
+          - revive
 
-linters-settings:
-  gosec:
-    excludes:
-      - G101 # Look for hard coded credentials
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
+  settings:
+    gosec:
+      excludes:
+        - G101 # Look for hard coded credentials
+        - G305 # File traversal when extracting zip/tar archive
+        - G306 # Poor file permissions used when writing to a new file
 
-issues:
-  exclude-rules:
-    - path: test
-      linters:
-        - revive
+    revive:
+      rules:
+        - name: package-comments
+          disabled: true
diff --git a/cmd/bundle/main_test.go b/cmd/bundle/main_test.go
@@ -79,6 +79,7 @@ var _ = Describe("Bundle Loader", func() {
 	}
 
 	filecontent := func(path string) string {
+		// #nosec G304 ok in tests
 		data, err := os.ReadFile(path)
 		Expect(err).ToNot(HaveOccurred())
 		return string(data)
diff --git a/cmd/git/main.go b/cmd/git/main.go
@@ -252,6 +252,7 @@ func checkEnvironment(ctx context.Context) error {
 		if flagValues.verbose {
 			log.Printf("Debug: %s %s\n", path, check.versionArg)
 		}
+		// #nosec G204 in the default container configuration, it is impossible to inject other binaries, as such it is safe that we have no hard-coded path
 		out, err := exec.CommandContext(ctx, path, check.versionArg).CombinedOutput()
 		if err != nil {
 			log.Printf("Error: %s: %s\n", check.toolName, strings.TrimRight(string(out), "\n"))
@@ -474,13 +475,16 @@ func git(ctx context.Context, args ...string) (string, error) {
 		fmt.Sprintf("safe.directory=%s", flagValues.target),
 	}
 	fullArgs = append(fullArgs, args...)
+	// #nosec G204 arguments are well-defined by the code
 	cmd := exec.CommandContext(ctx, "git", fullArgs...)
 
 	// Print the command to be executed, but replace the URL with a safe version
 	log.Print(strings.ReplaceAll(cmd.String(), flagValues.url, displayURL))
 
 	// Make sure that the spawned process does not try to prompt for infos
-	os.Setenv("GIT_TERMINAL_PROMPT", "0")
+	if err := os.Setenv("GIT_TERMINAL_PROMPT", "0"); err != nil {
+		return "", err
+	}
 	cmd.Stdin = nil
 
 	out, err := cmd.CombinedOutput()
diff --git a/cmd/git/main_test.go b/cmd/git/main_test.go
@@ -79,6 +79,7 @@ var _ = Describe("Git Resource", func() {
 	}
 
 	var filecontent = func(path string) string {
+		// #nosec: G304 fine in tests
 		data, err := os.ReadFile(path)
 		Expect(err).ToNot(HaveOccurred())
 		return string(data)
@@ -509,6 +510,7 @@ var _ = Describe("Git Resource", func() {
 						lfsFile := filepath.Join(target, "assets", "shipwright-logo-lightbg-512.png")
 						Expect(lfsFile).To(BeAnExistingFile())
 
+						// #nosec: G304 fine in tests
 						data, err := os.ReadFile(lfsFile)
 						Expect(err).ToNot(HaveOccurred())
 						Expect(http.DetectContentType(data)).To(Equal("image/png"))
@@ -524,14 +526,14 @@ var _ = Describe("Git Resource", func() {
 				git_config_nosystem := os.Getenv("GIT_CONFIG_NOSYSTEM")
 
 				// unset all pre-existing git configurations to avoid credential helpers and authentication
-				os.Setenv("GIT_CONFIG_NOSYSTEM", "1")
-				os.Setenv("GIT_CONFIG", "/dev/null")
-				os.Setenv("GIT_CONFIG_GLOBAL", "/dev/null")
+				Expect(os.Setenv("GIT_CONFIG_NOSYSTEM", "1")).To(Succeed())
+				Expect(os.Setenv("GIT_CONFIG", "/dev/null")).To(Succeed())
+				Expect(os.Setenv("GIT_CONFIG_GLOBAL", "/dev/null")).To(Succeed())
 
 				DeferCleanup(func() {
-					os.Setenv("GIT_CONFIG_NOSYSTEM", git_config_nosystem)
-					os.Setenv("GIT_CONFIG", git_config)
-					os.Setenv("GIT_CONFIG_GLOBAL", git_global_config)
+					Expect(os.Setenv("GIT_CONFIG_NOSYSTEM", git_config_nosystem)).To(Succeed())
+					Expect(os.Setenv("GIT_CONFIG", git_config)).To(Succeed())
+					Expect(os.Setenv("GIT_CONFIG_GLOBAL", git_global_config)).To(Succeed())
 				})
 			})
 
diff --git a/cmd/image-processing/main_test.go b/cmd/image-processing/main_test.go
@@ -153,6 +153,7 @@ var _ = Describe("Image Processing Resource", Ordered, func() {
 	}
 
 	filecontent := func(path string) string {
+		// #nosec G304 ok in tests
 		data, err := os.ReadFile(path)
 		Expect(err).ToNot(HaveOccurred())
 		return string(data)
diff --git a/cmd/waiter/main_test.go b/cmd/waiter/main_test.go
@@ -31,6 +31,7 @@ var _ = BeforeSuite(func() {
 var _ = Describe("Waiter", func() {
 	// run creates a exec.Command instance using the arguments informed.
 	var run = func(args ...string) *gexec.Session {
+		// #nosec G204 necessary for the test
 		cmd := exec.Command(executable)
 		cmd.Args = append(cmd.Args, args...)
 		stdin := &bytes.Buffer{}
diff --git a/pkg/apis/build/v1beta1/build_conversion.go b/pkg/apis/build/v1beta1/build_conversion.go
@@ -36,7 +36,10 @@ func (src *Build) ConvertTo(ctx context.Context, obj *unstructured.Unstructured)
 
 	alphaBuild.ObjectMeta = src.ObjectMeta
 
-	src.Spec.ConvertTo(&alphaBuild.Spec)
+	if err := src.Spec.ConvertTo(&alphaBuild.Spec); err != nil {
+		ctxlog.Error(ctx, err, "failed to convert object")
+		return err
+	}
 
 	alphaBuild.Status = v1alpha1.BuildStatus{
 		Registered: src.Status.Registered,
@@ -57,6 +60,7 @@ func (src *Build) ConvertTo(ctx context.Context, obj *unstructured.Unstructured)
 	mapito, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&alphaBuild)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed structuring the newObject")
+		return err
 	}
 	obj.Object = mapito
 
@@ -73,6 +77,7 @@ func (src *Build) ConvertFrom(ctx context.Context, obj *unstructured.Unstructure
 	err := runtime.DefaultUnstructuredConverter.FromUnstructured(unstructured, &alphaBuild)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed unstructuring the convertedObject")
+		return err
 	}
 
 	ctxlog.Info(ctx, "converting Build from alpha to beta", "namespace", alphaBuild.Namespace, "name", alphaBuild.Name)
@@ -81,7 +86,10 @@ func (src *Build) ConvertFrom(ctx context.Context, obj *unstructured.Unstructure
 	src.TypeMeta = alphaBuild.TypeMeta
 	src.TypeMeta.APIVersion = betaGroupVersion
 
-	src.Spec.ConvertFrom(&alphaBuild.Spec)
+	if err := src.Spec.ConvertFrom(&alphaBuild.Spec); err != nil {
+		ctxlog.Error(ctx, err, "failed to convert object")
+		return err
+	}
 
 	// convert annotation-controlled features
 	if value, set := alphaBuild.Annotations[v1alpha1.AnnotationBuildRunDeletion]; set {
diff --git a/pkg/apis/build/v1beta1/buildrun_conversion.go b/pkg/apis/build/v1beta1/buildrun_conversion.go
@@ -187,13 +187,17 @@ func (src *BuildRun) ConvertTo(ctx context.Context, obj *unstructured.Unstructur
 
 	aux := &v1alpha1.BuildSpec{}
 	if src.Status.BuildSpec != nil {
-		src.Status.BuildSpec.ConvertTo(aux)
+		if err := src.Status.BuildSpec.ConvertTo(aux); err != nil {
+			ctxlog.Error(ctx, err, "failed to convert object")
+			return err
+		}
 		alphaBuildRun.Status.BuildSpec = aux
 	}
 
 	mapito, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&alphaBuildRun)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed structuring the newObject")
+		return err
 	}
 	obj.Object = mapito
 
@@ -210,6 +214,7 @@ func (src *BuildRun) ConvertFrom(ctx context.Context, obj *unstructured.Unstruct
 	err := runtime.DefaultUnstructuredConverter.FromUnstructured(unstructured, &alphaBuildRun)
 	if err != nil {
 		ctxlog.Error(ctx, err, "failed unstructuring the buildrun convertedObject")
+		return err
 	}
 
 	ctxlog.Info(ctx, "converting BuildRun from alpha to beta", "namespace", alphaBuildRun.Namespace, "name", alphaBuildRun.Name)
@@ -218,7 +223,10 @@ func (src *BuildRun) ConvertFrom(ctx context.Context, obj *unstructured.Unstruct
 	src.TypeMeta = alphaBuildRun.TypeMeta
 	src.TypeMeta.APIVersion = betaGroupVersion
 
-	src.Spec.ConvertFrom(&alphaBuildRun.Spec)
+	if err = src.Spec.ConvertFrom(ctx, &alphaBuildRun.Spec); err != nil {
+		ctxlog.Error(ctx, err, "failed to convert object")
+		return err
+	}
 
 	var sourceStatus *SourceResult
 	for _, s := range alphaBuildRun.Status.Sources {
@@ -282,19 +290,25 @@ func (src *BuildRun) ConvertFrom(ctx context.Context, obj *unstructured.Unstruct
 
 	buildBeta := Build{}
 	if alphaBuildRun.Status.BuildSpec != nil {
-		buildBeta.Spec.ConvertFrom(alphaBuildRun.Status.BuildSpec)
+		if err = buildBeta.Spec.ConvertFrom(alphaBuildRun.Status.BuildSpec); err != nil {
+			ctxlog.Error(ctx, err, "failed to convert object")
+			return err
+		}
 		src.Status.BuildSpec = &buildBeta.Spec
 	}
 
 	return nil
 }
 
-func (dest *BuildRunSpec) ConvertFrom(orig *v1alpha1.BuildRunSpec) error {
+func (dest *BuildRunSpec) ConvertFrom(ctx context.Context, orig *v1alpha1.BuildRunSpec) error {
 
 	// BuildRunSpec BuildSpec
 	if orig.BuildSpec != nil {
 		dest.Build.Spec = &BuildSpec{}
-		dest.Build.Spec.ConvertFrom(orig.BuildSpec)
+		if err := dest.Build.Spec.ConvertFrom(orig.BuildSpec); err != nil {
+			ctxlog.Error(ctx, err, "failed to convert object")
+			return err
+		}
 	}
 	if orig.BuildRef != nil {
 		dest.Build.Name = &orig.BuildRef.Name
diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go
@@ -98,6 +98,7 @@ func Pack(directory string) (io.ReadCloser, error) {
 	var split = func(path string) []string { return strings.Split(path, string(filepath.Separator)) }
 
 	var write = func(w io.Writer, path string) error {
+		// #nosec G304 names are safe, they come from the listing
 		file, err := os.Open(path)
 		if err != nil {
 			return err
@@ -127,6 +128,7 @@ func Pack(directory string) (io.ReadCloser, error) {
 	}
 
 	var patterns []gitignore.Pattern
+	// #nosec G304 names are safe
 	if file, err := os.Open(filepath.Join(directory, shpIgnoreFilename)); err == nil {
 		defer file.Close()
 
@@ -293,13 +295,14 @@ func Unpack(in io.Reader, targetPath string) (*UnpackDetails, error) {
 				return nil, err
 			}
 
+			// #nosec G304 names are safe, they come from the listing
 			file, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, fileMode(header))
 			if err != nil {
 				return nil, err
 			}
 
 			if _, err := io.Copy(file, tr); err != nil {
-				file.Close()
+				_ = file.Close()
 				return nil, err
 			}
 
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
@@ -285,7 +285,7 @@ func configWithEnvVariableOverrides(settings map[string]string, f func(config *C
 			backup[k] = nil
 		}
 
-		os.Setenv(k, v)
+		Expect(os.Setenv(k, v)).To(Succeed())
 	}
 
 	config := NewDefaultConfig()
@@ -298,9 +298,9 @@ func configWithEnvVariableOverrides(settings map[string]string, f func(config *C
 
 	for k, v := range backup {
 		if v != nil {
-			os.Setenv(k, *v)
+			Expect(os.Setenv(k, *v)).To(Succeed())
 		} else {
-			os.Unsetenv(k)
+			Expect(os.Unsetenv(k)).To(Succeed())
 		}
 	}
 }
diff --git a/pkg/image/options.go b/pkg/image/options.go
@@ -74,6 +74,7 @@ func GetOptions(ctx context.Context, imageName name.Reference, insecure bool, do
 
 	var dockerconfig *configfile.ConfigFile
 	if dockerConfigJSONPath != "" {
+		// #nosec G304 user provided by design
 		file, err := os.Open(dockerConfigJSONPath)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to open the config json: %w", err)
diff --git a/pkg/metrics/pprof.go b/pkg/metrics/pprof.go
@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-// +build pprof_enabled
+//go:build pprof_enabled
 
 package metrics
 
diff --git a/pkg/reconciler/buildrun/buildrun_test.go b/pkg/reconciler/buildrun/buildrun_test.go
@@ -91,7 +91,7 @@ var _ = Describe("Reconcile BuildRun", func() {
 
 		// ensure resources are added to the Scheme
 		// via the manager and initialize the fake Manager
-		apis.AddToScheme(scheme.Scheme)
+		Expect(apis.AddToScheme(scheme.Scheme)).To(Succeed())
 		manager = &fakes.FakeManager{}
 		manager.GetSchemeReturns(scheme.Scheme)
 
diff --git a/pkg/webhook/conversion/converter.go b/pkg/webhook/conversion/converter.go
diff --git a/test/e2e/v1alpha1/validators_test.go b/test/e2e/v1alpha1/validators_test.go
diff --git a/test/e2e/v1beta1/validators_test.go b/test/e2e/v1beta1/validators_test.go
diff --git a/test/utils/v1alpha1/controllers.go b/test/utils/v1alpha1/controllers.go
diff --git a/test/utils/v1beta1/controllers.go b/test/utils/v1beta1/controllers.go

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ var _ = Describe("Bundle Loader", func() {`
`79`	`79`	`}`
`80`	`80`
`81`	`81`	`filecontent := func(path string) string {`
	`82`	`+ // #nosec G304 ok in tests`
`82`	`83`	`data, err := os.ReadFile(path)`
`83`	`84`	`Expect(err).ToNot(HaveOccurred())`
`84`	`85`	`return string(data)`
Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,7 @@ var _ = Describe("Image Processing Resource", Ordered, func() {`
`153`	`153`	`}`
`154`	`154`
`155`	`155`	`filecontent := func(path string) string {`
	`156`	`+ // #nosec G304 ok in tests`
`156`	`157`	`data, err := os.ReadFile(path)`
`157`	`158`	`Expect(err).ToNot(HaveOccurred())`
`158`	`159`	`return string(data)`
Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,7 @@ func Pack(directory string) (io.ReadCloser, error) {`
`98`	`98`	`var split = func(path string) []string { return strings.Split(path, string(filepath.Separator)) }`
`99`	`99`
`100`	`100`	`var write = func(w io.Writer, path string) error {`
	`101`	`+ // #nosec G304 names are safe, they come from the listing`
`101`	`102`	`file, err := os.Open(path)`
`102`	`103`	`if err != nil {`
`103`	`104`	`return err`
`@@ -127,6 +128,7 @@ func Pack(directory string) (io.ReadCloser, error) {`
`127`	`128`	`}`
`128`	`129`
`129`	`130`	`var patterns []gitignore.Pattern`
	`131`	`+ // #nosec G304 names are safe`
`130`	`132`	`if file, err := os.Open(filepath.Join(directory, shpIgnoreFilename)); err == nil {`
`131`	`133`	`defer file.Close()`
`132`	`134`
`@@ -293,13 +295,14 @@ func Unpack(in io.Reader, targetPath string) (*UnpackDetails, error) {`
`293`	`295`	`return nil, err`
`294`	`296`	`}`
`295`	`297`
	`298`	`+ // #nosec G304 names are safe, they come from the listing`
`296`	`299`	`file, err := os.OpenFile(target, os.O_CREATE\|os.O_RDWR, fileMode(header))`
`297`	`300`	`if err != nil {`
`298`	`301`	`return nil, err`
`299`	`302`	`}`
`300`	`303`
`301`	`304`	`if _, err := io.Copy(file, tr); err != nil {`
`302`		`- file.Close()`
	`305`	`+ _ = file.Close()`
`303`	`306`	`return nil, err`
`304`	`307`	`}`
`305`	`308`
Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,7 @@ func configWithEnvVariableOverrides(settings map[string]string, f func(config *C`
`285`	`285`	`backup[k] = nil`
`286`	`286`	`}`
`287`	`287`
`288`		`- os.Setenv(k, v)`
	`288`	`+ Expect(os.Setenv(k, v)).To(Succeed())`
`289`	`289`	`}`
`290`	`290`
`291`	`291`	`config := NewDefaultConfig()`
`@@ -298,9 +298,9 @@ func configWithEnvVariableOverrides(settings map[string]string, f func(config *C`
`298`	`298`
`299`	`299`	`for k, v := range backup {`
`300`	`300`	`if v != nil {`
`301`		`- os.Setenv(k, *v)`
	`301`	`+ Expect(os.Setenv(k, *v)).To(Succeed())`
`302`	`302`	`} else {`
`303`		`- os.Unsetenv(k)`
	`303`	`+ Expect(os.Unsetenv(k)).To(Succeed())`
`304`	`304`	`}`
`305`	`305`	`}`
`306`	`306`	`}`