diff --git a/Dockerfile b/Dockerfile index 2934a6446c..ff9fd941f8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -175,7 +175,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ PREFIX=/build /install.sh containerd FROM base AS golangci_lint -ARG GOLANGCI_LINT_VERSION=v1.23.8 +ARG GOLANGCI_LINT_VERSION=v1.44.0 RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \ diff --git a/client/client.go b/client/client.go index fa511897e0..6a8b4d4fea 100644 --- a/client/client.go +++ b/client/client.go @@ -135,9 +135,6 @@ func NewClientWithOpts(ops ...Opt) (*Client, error) { } } - if _, ok := c.client.Transport.(http.RoundTripper); !ok { - return nil, fmt.Errorf("unable to verify TLS configuration, invalid transport %v", c.client.Transport) - } if c.scheme == "" { c.scheme = "http" diff --git a/daemon/logger/awslogs/cloudwatchlogs.go b/daemon/logger/awslogs/cloudwatchlogs.go index 0ed42e6651..7406046298 100644 --- a/daemon/logger/awslogs/cloudwatchlogs.go +++ b/daemon/logger/awslogs/cloudwatchlogs.go @@ -39,7 +39,7 @@ const ( tagKey = "tag" datetimeFormatKey = "awslogs-datetime-format" multilinePatternKey = "awslogs-multiline-pattern" - credentialsEndpointKey = "awslogs-credentials-endpoint" + credentialsEndpointKey = "awslogs-credentials-endpoint" //nolint:gosec // G101: Potential hardcoded credentials forceFlushIntervalKey = "awslogs-force-flush-interval-seconds" maxBufferedEventsKey = "awslogs-max-buffered-events" logFormatKey = "awslogs-format" @@ -64,7 +64,7 @@ const ( invalidSequenceTokenCode = "InvalidSequenceTokenException" resourceNotFoundCode = "ResourceNotFoundException" - credentialsEndpoint = "http://169.254.170.2" + credentialsEndpoint = "http://169.254.170.2" //nolint:gosec // G101: Potential hardcoded credentials userAgentHeader = "User-Agent" 
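Review bot: The two `//nolint:gosec` comments added in daemon/logger/awslogs/cloudwatchlogs.go (on `credentialsEndpointKey` in the first hunk and `credentialsEndpoint` in the second) only repeat the G101 rule title and do not say why the finding is a false positive. A suppression next to a credentials-related constant is likely to be looked at again in a later audit, so the reason belongs in the comment. For the first, something like `//nolint:gosec // G101 false positive: option key name, not a secret`; for the second, `//nolint:gosec // G101 false positive: fixed link-local endpoint address, holds no credential`. Both const blocks start and end outside the hunks, so this reading rests on the neighbouring `awslogs-*` keys that are visible.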
diff --git a/hack/validate/golangci-lint.yml b/hack/validate/golangci-lint.yml
index 661a85e385..0eb7e26c3b 100644
--- a/hack/validate/golangci-lint.yml
+++ b/hack/validate/golangci-lint.yml
@@ -41,35 +41,56 @@ issues: exclude-use-default: false exclude-rules: - # These are copied from the default exclude rules, except for "ineffective break statement" - # and GoDoc checks. - # https://github.com/golangci/golangci-lint/blob/0cc87df732aaf1d5ad9ce9ca538d38d916918b36/pkg/config/config.go#L36 - - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked" + # We prefer to use an "exclude-list" so that new "default" exclusions are not + # automatically inherited. We can decide whether or not to follow upstream + # defaults when updating golang-ci-lint versions. + # Unfortunately, this means we have to copy the whole exclusion pattern, as + # (unlike the "include" option), the "exclude" option does not take exclusion + # ID's. + # + # These exclusion patterns are copied from the default excluses at: + # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104 + + # EXC0001 + - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). 
is not checked" linters: - errcheck + # EXC0003 - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this" linters: - golint - - text: "G103: Use of unsafe calls should be audited" + # EXC0006 + - text: "Use of unsafe calls should be audited" linters: - gosec - - text: "G104: Errors unhandled" + # EXC0007 + - text: "Subprocess launch(ed with variable|ing should be audited)" linters: - gosec - - text: "G204: Subprocess launch(ed with (variable|function call)|ing should be audited)" + # EXC0008 + # TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec) + - text: "(G104|G307)" linters: - gosec - - text: "(G301|G302): (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)" + # EXC0009 + - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)" linters: - gosec - - text: "G304: Potential file inclusion via variable" + # EXC0010 + - text: "Potential file inclusion via variable" linters: - gosec + + # Looks like the match in "EXC0007" above doesn't catch this one + # TODO: consider upstreaming this to golangci-lint's default exclusion rules + - text: "G204: Subprocess launched with a potential tainted input or cmd arguments" + linters: + - gosec + # Looks like the match in "EXC0009" above doesn't catch this one + # TODO: consider upstreaming this to golangci-lint's default exclusion rules - text: "G306: Expect WriteFile permissions to be 0600 or less" linters: - gosec - - text: 'G307: Deferring unsafe method "Close" on type "*os.File"' - linters: gosec # Exclude some linters from running on tests files. - path: _test\.go 
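Review bot: The EXC0008 entry `- text: "(G104|G307)"` is an unanchored pattern, so it hides every gosec issue whose text contains either ID anywhere, and it puts the still-unevaluated G307 case (per the TODO) in the same rule as G104. Since this file deliberately keeps its own copy of the exclusions, the pattern can be tightened locally, e.g. `- text: "^(G104|G307): "`. That assumes gosec messages keep the `Gxxx: ...` prefix seen in the G204 and G306 entries further down. Splitting G307 into its own entry would also let the TODO be resolved later without touching the G104 suppression.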
@@ -82,10 +103,6 @@ issues: path: "api/types/(volume|container)/" linters: - golint - # FIXME: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec) - - text: "G307: Deferring unsafe method" - linters: - - gosec # FIXME temporarily suppress these. See #39924 - text: "SA1019: .*\\.Xattrs is deprecated: Use PAXRecords instead" linters: diff --git a/integration-cli/docker_utils_test.go b/integration-cli/docker_utils_test.go index f8c8fcdca8..5ae3aa44ea 100644 --- a/integration-cli/docker_utils_test.go +++ b/integration-cli/docker_utils_test.go @@ -81,9 +81,7 @@ func inspectFieldAndUnmarshall(c *testing.T, name, field string, output interfac c.Helper() str := inspectFieldJSON(c, name, field) err := json.Unmarshal([]byte(str), output) - if c != nil { - assert.Assert(c, err == nil, "failed to unmarshal: %v", err) - } + assert.Assert(c, err == nil, "failed to unmarshal: %v", err) } // Deprecated: use cli.Inspect @@ -105,9 +103,7 @@ func inspectFieldWithError(name, field string) (string, error) { func inspectField(c *testing.T, name, field string) string { c.Helper() out, err := inspectFilter(name, fmt.Sprintf(".%s", field)) - if c != nil { - assert.NilError(c, err) - } + assert.NilError(c, err) return out } @@ -115,9 +111,7 @@ func inspectField(c *testing.T, name, field string) string { func inspectFieldJSON(c *testing.T, name, field string) string { c.Helper() out, err := inspectFilter(name, fmt.Sprintf("json .%s", field)) - if c != nil { - assert.NilError(c, err) - } + assert.NilError(c, err) return out } @@ -125,9 +119,7 @@ func inspectFieldJSON(c *testing.T, name, field string) string { func inspectFieldMap(c *testing.T, name, path, field string) string { c.Helper() out, err := inspectFilter(name, fmt.Sprintf("index .%s %q", path, field)) - if c != nil { - assert.NilError(c, err) - } + assert.NilError(c, err) return out } 
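Review bot: With the `if c != nil` guard gone, `inspectFieldAndUnmarshall` still spells its check as `assert.Assert(c, err == nil, "failed to unmarshal: %v", err)`, while the three sibling helpers in the following hunks use `assert.NilError(c, err)`. For consistency this could be `assert.NilError(c, err, "failed to unmarshal")`, since NilError reports the error value itself. Dropping the guards looks sound, because each helper calls `c.Helper()` first and a nil `c` would already have failed there.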
diff --git a/libnetwork/libnetwork_test.go b/libnetwork/libnetwork_test.go index e64f957d74..5472547246 100644 --- a/libnetwork/libnetwork_test.go +++ b/libnetwork/libnetwork_test.go @@ -1014,7 +1014,11 @@ func TestEndpointMultipleJoins(t *testing.T) { sbx1, err := controller.NewSandbox(containerID, libnetwork.OptionHostname("test"), libnetwork.OptionDomainname("docker.io"), - libnetwork.OptionExtraHost("web", "192.168.0.1")) + libnetwork.OptionExtraHost("web", "192.168.0.1"), + ) + if err != nil { + t.Fatal(err) + } defer func() { if err := sbx1.Delete(); err != nil { t.Fatal(err) @@ -1022,6 +1026,9 @@ func TestEndpointMultipleJoins(t *testing.T) { }() sbx2, err := controller.NewSandbox("c2") + if err != nil { + t.Fatal(err) + } defer func() { if err := sbx2.Delete(); err != nil { t.Fatal(err)