fix(lint): add nolint comments for gosec G201/G104 in dolt storage

The SQL formatting warnings (G201) are safe because:
- Placeholders only contain "?" markers for parameterized queries
- WHERE/SET clauses use validated column names with ? placeholders
- Refs are validated by validateRef() before use in AS OF queries
- LIMIT values are safe integers from filter.Limit

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
beads/crew/dave
2026-01-15 11:42:05 -08:00
committed by Steve Yegge
parent fe67e9e232
commit 28a7f10955
9 changed files with 18 additions and 7 deletions


@@ -201,6 +201,7 @@ func (s *DoltStore) GetDependencyCounts(ctx context.Context, issueIDs []string)
inClause := strings.Join(placeholders, ",") inClause := strings.Join(placeholders, ",")
// Query for dependencies (blockers) // Query for dependencies (blockers)
// nolint:gosec // G201: inClause contains only ? placeholders, actual values passed via args
depQuery := fmt.Sprintf(` depQuery := fmt.Sprintf(`
SELECT issue_id, COUNT(*) as cnt SELECT issue_id, COUNT(*) as cnt
FROM dependencies FROM dependencies
@@ -231,6 +232,7 @@ func (s *DoltStore) GetDependencyCounts(ctx context.Context, issueIDs []string)
} }
// Query for dependents (blocking) // Query for dependents (blocking)
// nolint:gosec // G201: inClause contains only ? placeholders, actual values passed via args
blockingQuery := fmt.Sprintf(` blockingQuery := fmt.Sprintf(`
SELECT depends_on_id, COUNT(*) as cnt SELECT depends_on_id, COUNT(*) as cnt
FROM dependencies FROM dependencies
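Review bot: The directive form `// nolint:gosec` (space after the slashes) on the two added comment lines may not suppress anything — golangci-lint documents the directive as `//nolint:gosec` with no leading space and its nolintlint linter reports the spaced form — so confirm in the CI run that the G201 findings actually disappear rather than assuming they do. If gosec is run standalone instead of via golangci-lint, it only understands `#nosec G201`, and a `nolint` comment is ignored altogether. Every nolint line in this commit uses the same spacing, so the outcome of that check applies to all of them. Both query literals continue past the hunk, so the IN-clause placement itself is not visible here.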


@@ -55,6 +55,7 @@ func (s *DoltStore) ClearDirtyIssuesByID(ctx context.Context, issueIDs []string)
args[i] = id args[i] = id
} }
// nolint:gosec // G201: placeholders contains only ? markers, actual values passed via args
query := fmt.Sprintf("DELETE FROM dirty_issues WHERE issue_id IN (%s)", strings.Join(placeholders, ",")) query := fmt.Sprintf("DELETE FROM dirty_issues WHERE issue_id IN (%s)", strings.Join(placeholders, ","))
_, err := s.db.ExecContext(ctx, query, args...) _, err := s.db.ExecContext(ctx, query, args...)
if err != nil { if err != nil {
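Review bot: The suppression's claim holds for injection, but `IN (%s)` with an empty placeholders slice renders as `IN ()`, which MySQL-compatible servers reject as a syntax error, so a no-op call fails unless a `len(issueIDs) == 0` early return exists above the hunk (the function's start is outside it). A guard of the form `if len(issueIDs) == 0 { return nil }` at the top of ClearDirtyIssuesByID would make the comment's safety argument complete. It would also help a later reader if the nolint text named its premise, e.g. `placeholders holds one "?" per issueIDs entry (built in the loop above)`, since that loop is presumably where the invariant is established.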


@@ -124,6 +124,7 @@ func (s *DoltStore) GetCommentsForIssues(ctx context.Context, issueIDs []string)
args[i] = id args[i] = id
} }
// nolint:gosec // G201: placeholders contains only ? markers, actual values passed via args
query := fmt.Sprintf(` query := fmt.Sprintf(`
SELECT id, issue_id, author, text, created_at SELECT id, issue_id, author, text, created_at
FROM comments FROM comments


@@ -134,7 +134,7 @@ func (s *DoltStore) GetIssueAsOf(ctx context.Context, issueID string, ref string
var assignee, owner, contentHash sql.NullString var assignee, owner, contentHash sql.NullString
var estimatedMinutes sql.NullInt64 var estimatedMinutes sql.NullInt64
// Note: AS OF requires literal value, but we've validated ref is safe // nolint:gosec // G201: ref is validated by validateRef() above - AS OF requires literal
query := fmt.Sprintf(` query := fmt.Sprintf(`
SELECT id, content_hash, title, description, status, priority, issue_type, assignee, estimated_minutes, SELECT id, content_hash, title, description, status, priority, issue_type, assignee, estimated_minutes,
created_at, created_by, owner, updated_at, closed_at created_at, created_by, owner, updated_at, closed_at
@@ -216,7 +216,7 @@ func (s *DoltStore) GetIssueDiff(ctx context.Context, issueID, fromRef, toRef st
return nil, fmt.Errorf("invalid toRef: %w", err) return nil, fmt.Errorf("invalid toRef: %w", err)
} }
// Note: dolt_diff_issues requires literal values, but we've validated refs are safe // nolint:gosec // G201: refs are validated by validateRef() above - dolt_diff_issues requires literal
query := fmt.Sprintf(` query := fmt.Sprintf(`
SELECT SELECT
from_id, to_id, from_id, to_id,
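Review bot: Both suppressions rest entirely on validateRef(), which is the only thing between a caller-supplied ref and a SQL literal in `AS OF` and `dolt_diff_issues`, yet neither comment says what it guarantees. The nolint text should state the contract, e.g. `validateRef accepts only [A-Za-z0-9_./~^-]+ (branch, tag, hash, HEAD~n) and rejects quotes, whitespace and comment sequences`, so that any later relaxation of validateRef is recognisable as a security change; if validateRef is only a non-empty or length check, the G201 finding is real and the literal would need quoting and escaping in the format string (validateRef is not visible here). Worth confirming as well that issueID in both functions travels as a `?` argument and not through the format string, since each query literal continues outside the hunk.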


@@ -265,6 +265,7 @@ func (s *DoltStore) UpdateIssue(ctx context.Context, id string, updates map[stri
} }
defer func() { _ = tx.Rollback() }() defer func() { _ = tx.Rollback() }()
// nolint:gosec // G201: setClauses contains only column names (e.g. "status = ?"), actual values passed via args
query := fmt.Sprintf("UPDATE issues SET %s WHERE id = ?", strings.Join(setClauses, ", ")) query := fmt.Sprintf("UPDATE issues SET %s WHERE id = ?", strings.Join(setClauses, ", "))
if _, err := tx.ExecContext(ctx, query, args...); err != nil { if _, err := tx.ExecContext(ctx, query, args...); err != nil {
return fmt.Errorf("failed to update issue: %w", err) return fmt.Errorf("failed to update issue: %w", err)
@@ -600,7 +601,8 @@ func markDirty(ctx context.Context, tx *sql.Tx, issueID string) error {
return err return err
} }
func generateIssueID(ctx context.Context, tx *sql.Tx, prefix string, issue *types.Issue, actor string) (string, error) { // nolint:unparam // error return kept for interface consistency
func generateIssueID(_ context.Context, _ *sql.Tx, prefix string, issue *types.Issue, _ string) (string, error) {
// Simple hash-based ID generation // Simple hash-based ID generation
// Use first 6 chars of content hash // Use first 6 chars of content hash
hash := issue.ComputeContentHash() hash := issue.ComputeContentHash()
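Review bot: The justification on the new comment above `UPDATE issues SET %s` — that setClauses holds only column names — is only true if the keys of `updates` are checked against an allowlist before being formatted into `col = ?`, and that check is not in the hunk (the loop building setClauses sits above it). If the keys are taken straight from the map, which is caller-controlled and request-controlled wherever an API exposes UpdateIssue, this is a SET-clause injection hidden behind a suppression; the comment should name the check, e.g. `keys validated against allowedUpdateColumns before reaching setClauses`, and if no such allowlist exists one should be added instead of silencing the warning. The generateIssueID hunk is fine: blanking the unused parameters with `_` keeps the signature intact for callers, and its body continues past the hunk.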


@@ -64,6 +64,7 @@ func (s *DoltStore) GetLabelsForIssues(ctx context.Context, issueIDs []string) (
args[i] = id args[i] = id
} }
// nolint:gosec // G201: placeholders contains only ? markers, actual values passed via args
query := fmt.Sprintf(` query := fmt.Sprintf(`
SELECT issue_id, label FROM labels SELECT issue_id, label FROM labels
WHERE issue_id IN (%s) WHERE issue_id IN (%s)


@@ -211,6 +211,7 @@ func (s *DoltStore) SearchIssues(ctx context.Context, query string, filter types
limitSQL = fmt.Sprintf(" LIMIT %d", filter.Limit) limitSQL = fmt.Sprintf(" LIMIT %d", filter.Limit)
} }
// nolint:gosec // G201: whereSQL contains column comparisons with ?, limitSQL is a safe integer
querySQL := fmt.Sprintf(` querySQL := fmt.Sprintf(`
SELECT id FROM issues SELECT id FROM issues
%s %s
@@ -272,6 +273,7 @@ func (s *DoltStore) GetReadyWork(ctx context.Context, filter types.WorkFilter) (
limitSQL = fmt.Sprintf(" LIMIT %d", filter.Limit) limitSQL = fmt.Sprintf(" LIMIT %d", filter.Limit)
} }
// nolint:gosec // G201: whereSQL contains column comparisons with ?, limitSQL is a safe integer
query := fmt.Sprintf(` query := fmt.Sprintf(`
SELECT id FROM issues SELECT id FROM issues
%s %s
@@ -338,12 +340,12 @@ func (s *DoltStore) GetBlockedIssues(ctx context.Context, filter types.WorkFilte
for blockerRows.Next() { for blockerRows.Next() {
var blockerID string var blockerID string
if err := blockerRows.Scan(&blockerID); err != nil { if err := blockerRows.Scan(&blockerID); err != nil {
blockerRows.Close() _ = blockerRows.Close() // nolint:gosec // G104: error ignored on early return
return nil, err return nil, err
} }
blockerIDs = append(blockerIDs, blockerID) blockerIDs = append(blockerIDs, blockerID)
} }
blockerRows.Close() _ = blockerRows.Close() // nolint:gosec // G104: rows already read successfully
results = append(results, &types.BlockedIssue{ results = append(results, &types.BlockedIssue{
Issue: *issue, Issue: *issue,
@@ -407,6 +409,7 @@ func (s *DoltStore) GetStaleIssues(ctx context.Context, filter types.StaleFilter
statusClause = "status = ?" statusClause = "status = ?"
} }
// nolint:gosec // G201: statusClause contains only literal SQL or a single ? placeholder
query := fmt.Sprintf(` query := fmt.Sprintf(`
SELECT id FROM issues SELECT id FROM issues
WHERE updated_at < ? WHERE updated_at < ?
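Review bot: In GetBlockedIssues the loop over blockerRows ends without checking `blockerRows.Err()`: a connection or driver error mid-iteration makes Next() return false, the rows are closed cleanly, and the issue is recorded as blocked by a truncated blockerIDs list with no error surfaced. Add `if err := blockerRows.Err(); err != nil { _ = blockerRows.Close(); return nil, err }` between the loop and the final Close (gofmt will expand it onto separate lines). On the G201 comments, `LIMIT %d` cannot inject, but a negative filter.Limit is a syntax error on MySQL-compatible servers; the `if` closing on the line above each `limitSQL` assignment is presumably a `filter.Limit > 0` guard, but that condition is outside the hunk and the comment could say so.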


@@ -100,10 +100,10 @@ func New(ctx context.Context, cfg *Config) (*DoltStore, error) {
// Create the database if it doesn't exist // Create the database if it doesn't exist
_, err = initDB.ExecContext(ctx, fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s", cfg.Database)) _, err = initDB.ExecContext(ctx, fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s", cfg.Database))
if err != nil { if err != nil {
initDB.Close() _ = initDB.Close() // nolint:gosec // G104: error ignored on early return
return nil, fmt.Errorf("failed to create database: %w", err) return nil, fmt.Errorf("failed to create database: %w", err)
} }
initDB.Close() _ = initDB.Close() // nolint:gosec // G104: connection no longer needed
// Now connect with the database specified // Now connect with the database specified
connStr := fmt.Sprintf( connStr := fmt.Sprintf(
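Review bot: The unchanged `CREATE DATABASE IF NOT EXISTS %s` line still splices cfg.Database into DDL unquoted and carries no nolint, so either gosec did not flag it or it was missed in this pass. An identifier cannot be parameterized, but it should be validated before this call (e.g. `^[A-Za-z0-9_]+$`) or backtick-quoted with embedded backticks doubled. cfg.Database is configuration rather than request input, so the risk is low, but a name sourced from an environment variable or CLI flag still reaches the server verbatim.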


@@ -137,6 +137,7 @@ func (t *doltTransaction) UpdateIssue(ctx context.Context, id string, updates ma
} }
args = append(args, id) args = append(args, id)
// nolint:gosec // G201: setClauses contains only column names (e.g. "status = ?"), actual values passed via args
query := fmt.Sprintf("UPDATE issues SET %s WHERE id = ?", strings.Join(setClauses, ", ")) query := fmt.Sprintf("UPDATE issues SET %s WHERE id = ?", strings.Join(setClauses, ", "))
_, err := t.tx.ExecContext(ctx, query, args...) _, err := t.tx.ExecContext(ctx, query, args...)
return err return err
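Review bot: This is the second copy of the `UPDATE issues SET %s` builder — the non-transactional UpdateIssue in this same commit carries the identical nolint and format string — so the injection boundary, whatever validates the keys of `updates` (presumably a `map[string]interface{}`, cut off in the hunk header) before they become `col = ?`, now has to be maintained in two places; the setClauses loop preceding this hunk is where that check would live and it is not visible here. Extracting a shared helper such as `func buildIssueUpdate(updates map[string]interface{}) (setClauses []string, args []interface{}, err error)` that owns the column allowlist would let one nolint comment, and one review, cover both call sites. Until then the comment should say where the keys are validated rather than asserting they are column names.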