From 58100fec9f62549426e3ec10d99a49ea1fb8a07f Mon Sep 17 00:00:00 2001 From: "anchore-actions-token-generator[bot]" <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 15:05:50 -0400 Subject: [PATCH] chore(deps): update tools to latest versions (#3205) * chore(deps): update tools to latest versions Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: disable gosec(G115) A change to the rule gosec(G115) made a large amount of FP for gosec appear when updating to the latest golang-ci linter. https://github.com/securego/gosec/issues/1185 https://github.com/securego/gosec/pull/1149 We're going to ignore this rule for the time being while waiting for gosec to get updates so that bound checking and example snippets of `valid` code is added for this rule Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> --- .binny.yaml | 10 +++++----- .golangci.yaml | 3 +++ internal/file/zip_read_closer.go | 4 ++-- syft/file/cataloger/executable/elf.go | 2 +- syft/format/syftjson/to_syft_model.go | 2 +- syft/pkg/cataloger/debian/parse_dpkg_db.go | 2 +- .../cataloger/java/graalvm_native_image_cataloger.go | 6 +++--- syft/pkg/cataloger/php/parse_pecl_serialized.go | 4 ++-- syft/pkg/cataloger/redhat/parse_rpm_archive.go | 4 ++-- 9 files changed, 20 insertions(+), 17 deletions(-) diff --git a/.binny.yaml b/.binny.yaml index cab909d29..7d30d69c5 100644 --- a/.binny.yaml +++ b/.binny.yaml @@ -26,7 +26,7 @@ tools: # used for linting - name: golangci-lint version: - want: v1.60.3 + want: v1.61.0 method: github-release with: repo: golangci/golangci-lint 
@@ -58,7 +58,7 @@ tools: # used to release all artifacts - name: goreleaser version: - want: v2.2.0 + want: v2.3.0 method: github-release with: repo: goreleaser/goreleaser @@ -103,7 +103,7 @@ tools: # used for running all local and CI tasks - name: task version: - want: v3.38.0 + want: v3.39.0 method: github-release with: repo: go-task/task @@ -111,7 +111,7 @@ tools: # used for triggering a release - name: gh version: - want: v2.55.0 + want: v2.56.0 method: github-release with: repo: cli/cli @@ -130,4 +130,4 @@ tools: want: v4.44.3 method: github-release with: - repo: mikefarah/yq \ No newline at end of file + repo: mikefarah/yq diff --git a/.golangci.yaml b/.golangci.yaml index 3ea4697ae..3fefa111c 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -57,6 +57,9 @@ linters-settings: settings: ruleguard: rules: "test/rules/rules.go" + gosec: + excludes: + - G115 output: uniq-by-line: false run: diff --git a/internal/file/zip_read_closer.go b/internal/file/zip_read_closer.go index 5f82a2127..4c0f523e7 100644 --- a/internal/file/zip_read_closer.go +++ b/internal/file/zip_read_closer.go @@ -56,7 +56,7 @@ func OpenZip(filepath string) (*ZipReadCloser, error) { if offset > math.MaxInt64 { return nil, fmt.Errorf("archive start offset too large: %v", offset) } - offset64 := int64(offset) //nolint:gosec // lint bug, checked above: https://github.com/securego/gosec/issues/1187 + offset64 := int64(offset) size := fi.Size() - offset64 @@ -183,7 +183,7 @@ func findDirectory64End(r io.ReaderAt, directoryEndOffset int64) (int64, error) if b.uint32() != 1 { // total number of disks return -1, nil // the file is not a valid zip64-file } - return int64(p), nil //nolint:gosec + return int64(p), nil } // readDirectory64End reads the zip64 directory end and updates the diff --git a/syft/file/cataloger/executable/elf.go b/syft/file/cataloger/executable/elf.go index 9c6ad6151..dec6abd34 100644 --- a/syft/file/cataloger/executable/elf.go +++ b/syft/file/cataloger/executable/elf.go 
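Review bot: Excluding G115 module-wide silences gosec's integer-overflow-conversion check everywhere, not just at the false-positive sites, and the same patch removes every per-site `//nolint:gosec` marker, so narrowing conversions that were previously individually justified (zip_read_closer.go, parse_dpkg_db.go, the PE reader) now get no coverage at all. These catalogers parse attacker-supplied archives and binaries, so a blanket exclude is a weaker posture than the existing `//nolint:gosec // reason` pattern the file-level hunks are deleting. If the exclusion must stay until the upstream fix lands, record the intent and a removal trigger next to it so it does not become permanent, e.g. `- G115 # TODO: drop once securego/gosec#1185 (bound-check recognition) is released`.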
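Review bot: `return int64(p), nil` converts a value read from the archive to int64 with no range check, while the `offset` conversion earlier in the same file is guarded by `if offset > math.MaxInt64`. If `p` is the uint64 record offset parsed above this hunk (its declaration is outside the hunk), a crafted zip64 locator with the top bit set produces a negative offset here and the caller is left to notice before handing it to ReadAt. Reuse the function's existing "not a valid zip64 file" convention before the return: `if p > math.MaxInt64 { return -1, nil }`. findDirectory64End starts above the hunk.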
@@ -175,7 +175,7 @@ func hasElfDynTag(f *elf.File, tag elf.DynTag) bool { t = elf.DynTag(f.ByteOrder.Uint32(d[0:4])) d = d[8:] case elf.ELFCLASS64: - t = elf.DynTag(f.ByteOrder.Uint64(d[0:8])) //nolint:gosec + t = elf.DynTag(f.ByteOrder.Uint64(d[0:8])) d = d[16:] } if t == tag { diff --git a/syft/format/syftjson/to_syft_model.go b/syft/format/syftjson/to_syft_model.go index 289e91fda..b2b1916e2 100644 --- a/syft/format/syftjson/to_syft_model.go +++ b/syft/format/syftjson/to_syft_model.go @@ -146,7 +146,7 @@ func safeFileModeConvert(val int) (fs.FileMode, error) { if err != nil { return 0, err } - return os.FileMode(mode), nil //nolint:gosec + return os.FileMode(mode), nil } func toSyftLicenses(m []model.License) (p []pkg.License) { diff --git a/syft/pkg/cataloger/debian/parse_dpkg_db.go b/syft/pkg/cataloger/debian/parse_dpkg_db.go index 87428d608..077e5bef9 100644 --- a/syft/pkg/cataloger/debian/parse_dpkg_db.go +++ b/syft/pkg/cataloger/debian/parse_dpkg_db.go @@ -230,7 +230,7 @@ func handleNewKeyValue(line string) (key string, val interface{}, err error) { if err != nil { return "", nil, fmt.Errorf("bad installed-size value=%q: %w", val, err) } - return key, int(s), nil //nolint:gosec + return key, int(s), nil default: return key, val, nil } diff --git a/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go b/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go index 5dd74a654..add09a458 100644 --- a/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go +++ b/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go 
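Review bot: `return os.FileMode(mode), nil` narrows `mode` to the 32-bit `FileMode`; whether that can truncate depends on the bitSize given to the strconv parse above the hunk, which is not visible here. If it parses with bitSize 64, a mode above 0xFFFFFFFF in an untrusted SBOM document is silently masked instead of being rejected, whereas parsing with bitSize 32 makes strconv return the range error this function already propagates. Minor: the signature returns `fs.FileMode` but the body constructs `os.FileMode`; they are the same type, but `fs.FileMode(mode)` would match the declared return type. safeFileModeConvert starts above the hunk.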
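Review bot: `return key, int(s), nil` narrows the parsed Installed-Size to `int`, which is 32 bits on 32-bit GOARCH; if `s` comes from a 64-bit `strconv.ParseInt` (the parse is above the hunk), an oversized value in a crafted dpkg status file wraps silently instead of hitting the `bad installed-size value` error path. Let strconv do the bound check at the platform width, e.g. `strconv.ParseInt(v, 10, strconv.IntSize)`, or compare `s` against `math.MaxInt`/`math.MinInt` before converting. handleNewKeyValue starts before the hunk.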
@@ -268,7 +268,7 @@ func newPE(filename string, r io.ReaderAt) (nativeImage, error) { } exportSymbolsOffset := uint64(exportSymbolsDataDirectory.VirtualAddress) exports := make([]byte, exportSymbolsDataDirectory.Size) - _, err = r.ReadAt(exports, int64(exportSymbolsOffset)) //nolint:gosec + _, err = r.ReadAt(exports, int64(exportSymbolsOffset)) if err != nil { return fileError(filename, fmt.Errorf("could not read the exported symbols data directory: %w", err)) } @@ -412,7 +412,7 @@ func (ni nativeImagePE) fetchExportAttribute(i int) (uint32, error) { func (ni nativeImagePE) fetchExportFunctionPointer(functionsBase uint32, i uint32) (uint32, error) { var pointer uint32 - n := uint32(len(ni.exports)) //nolint:gosec + n := uint32(len(ni.exports)) sz := uint32(unsafe.Sizeof(ni.t.functionPointer)) j := functionsBase + i*sz if j+sz >= n { @@ -457,7 +457,7 @@ func (ni nativeImagePE) fetchSbomSymbols(content *exportContentPE) { sbomBytes := []byte(nativeImageSbomSymbol + "\x00") sbomLengthBytes := []byte(nativeImageSbomLengthSymbol + "\x00") svmVersionInfoBytes := []byte(nativeImageSbomVersionSymbol + "\x00") - n := uint32(len(ni.exports)) //nolint:gosec + n := uint32(len(ni.exports)) // Find SBOM, SBOM Length, and SVM Version Symbol for i := uint32(0); i < content.numberOfNames; i++ { diff --git a/syft/pkg/cataloger/php/parse_pecl_serialized.go b/syft/pkg/cataloger/php/parse_pecl_serialized.go index 84c5c4c3b..7f48f2096 100644 --- a/syft/pkg/cataloger/php/parse_pecl_serialized.go +++ b/syft/pkg/cataloger/php/parse_pecl_serialized.go 
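Review bot: `exports := make([]byte, exportSymbolsDataDirectory.Size)` sizes an allocation directly from a 32-bit field of the untrusted PE header, so a crafted native image can request up to 4 GiB before `ReadAt` ever fails and a single bad file can OOM the scanner. Bound it before allocating, e.g. compare `exportSymbolsDataDirectory.Size` (and the offset plus size) against the reader's length when `r` exposes one, and `return fileError(filename, fmt.Errorf("export directory does not fit in file"))` otherwise. The `int64(exportSymbolsOffset)` conversion itself is fine since the source is a uint32 widened two lines earlier, so dropping the nolint there is justified. newPE starts above the hunk.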
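Review bot: The guard `if j+sz >= n` at the end of the hunk is evaluated in uint32, and both `functionsBase` and `i` originate from the export table of the scanned binary, so `functionsBase + i*sz` and `j+sz` can wrap; a wrapped `j+sz` that lands below `n` passes the check while `j` itself is beyond `ni.exports`, which would panic on the slice that follows outside the hunk. Do the arithmetic in a wider type instead of narrowing the length, keeping the existing `>=`: `j := uint64(functionsBase) + uint64(i)*uint64(sz)` and `if j+uint64(sz) >= uint64(len(ni.exports)) { return 0, fmt.Errorf("export function pointer out of range") }`, which also removes the `n := uint32(len(ni.exports))` conversion that prompted the nolint. fetchExportFunctionPointer's body continues past the hunk.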
@@ -60,10 +60,10 @@ func readStruct(metadata any, fields ...string) string { if len(fields) > 0 { value, ok := metadata.(map[any]any) if !ok { - log.Tracef("unable to read '%s' from: %v", fields[0], metadata) //nolint:gosec + log.Tracef("unable to read '%s' from: %v", fields[0], metadata) return "" } - return readStruct(value[fields[0]], fields[1:]...) //nolint:gosec + return readStruct(value[fields[0]], fields[1:]...) } value, ok := metadata.(string) if !ok { diff --git a/syft/pkg/cataloger/redhat/parse_rpm_archive.go b/syft/pkg/cataloger/redhat/parse_rpm_archive.go index e7d4b2287..8c4b395a7 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_archive.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_archive.go @@ -88,12 +88,12 @@ func mapFiles(files []rpmutils.FileInfo, digestAlgorithm string) []pkg.RpmFileRe } out = append(out, pkg.RpmFileRecord{ Path: f.Name(), - Mode: pkg.RpmFileMode(f.Mode()), //nolint:gosec + Mode: pkg.RpmFileMode(f.Mode()), Size: int(f.Size()), Digest: digest, UserName: f.UserName(), GroupName: f.GroupName(), - Flags: rpmdb.FileFlags(f.Flags()).String(), //nolint:gosec + Flags: rpmdb.FileFlags(f.Flags()).String(), }) } return out