fix(lint): add nolint comments for gosec G201/G104 in dolt storage

The SQL formatting warnings (G201) are safe because: - Placeholders only contain "?" markers for parameterized queries - WHERE/SET clauses use validated column names with ? placeholders - Refs are validated by validateRef() before use in AS OF queries - LIMIT values are safe integers from filter.Limit Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 11:42:05 -08:00
parent fe67e9e232
commit 28a7f10955
9 changed files with 18 additions and 7 deletions
--- a/internal/storage/dolt/dependencies.go
+++ b/internal/storage/dolt/dependencies.go
@@ -201,6 +201,7 @@ func (s *DoltStore) GetDependencyCounts(ctx context.Context, issueIDs []string)
 	inClause := strings.Join(placeholders, ",")

 	// Query for dependencies (blockers)
+	// nolint:gosec // G201: inClause contains only ? placeholders, actual values passed via args
 	depQuery := fmt.Sprintf(`
 		SELECT issue_id, COUNT(*) as cnt
 		FROM dependencies
@@ -231,6 +232,7 @@ func (s *DoltStore) GetDependencyCounts(ctx context.Context, issueIDs []string)
 	}

 	// Query for dependents (blocking)
+	// nolint:gosec // G201: inClause contains only ? placeholders, actual values passed via args
 	blockingQuery := fmt.Sprintf(`
 		SELECT depends_on_id, COUNT(*) as cnt
 		FROM dependencies
--- a/internal/storage/dolt/dirty.go
+++ b/internal/storage/dolt/dirty.go
@@ -55,6 +55,7 @@ func (s *DoltStore) ClearDirtyIssuesByID(ctx context.Context, issueIDs []string)
 		args[i] = id
 	}

+	// nolint:gosec // G201: placeholders contains only ? markers, actual values passed via args
 	query := fmt.Sprintf("DELETE FROM dirty_issues WHERE issue_id IN (%s)", strings.Join(placeholders, ","))
 	_, err := s.db.ExecContext(ctx, query, args...)
 	if err != nil {
--- a/internal/storage/dolt/events.go
+++ b/internal/storage/dolt/events.go
@@ -124,6 +124,7 @@ func (s *DoltStore) GetCommentsForIssues(ctx context.Context, issueIDs []string)
 		args[i] = id
 	}

+	// nolint:gosec // G201: placeholders contains only ? markers, actual values passed via args
 	query := fmt.Sprintf(`
 		SELECT id, issue_id, author, text, created_at
 		FROM comments
--- a/internal/storage/dolt/history.go
+++ b/internal/storage/dolt/history.go
@@ -134,7 +134,7 @@ func (s *DoltStore) GetIssueAsOf(ctx context.Context, issueID string, ref string
 	var assignee, owner, contentHash sql.NullString
 	var estimatedMinutes sql.NullInt64

-	// Note: AS OF requires literal value, but we've validated ref is safe
+	// nolint:gosec // G201: ref is validated by validateRef() above - AS OF requires literal
 	query := fmt.Sprintf(`
 		SELECT id, content_hash, title, description, status, priority, issue_type, assignee, estimated_minutes,
 		       created_at, created_by, owner, updated_at, closed_at
@@ -216,7 +216,7 @@ func (s *DoltStore) GetIssueDiff(ctx context.Context, issueID, fromRef, toRef st
 		return nil, fmt.Errorf("invalid toRef: %w", err)
 	}

-	// Note: dolt_diff_issues requires literal values, but we've validated refs are safe
+	// nolint:gosec // G201: refs are validated by validateRef() above - dolt_diff_issues requires literal
 	query := fmt.Sprintf(`
 		SELECT
 			from_id, to_id,
--- a/internal/storage/dolt/issues.go
+++ b/internal/storage/dolt/issues.go
@@ -265,6 +265,7 @@ func (s *DoltStore) UpdateIssue(ctx context.Context, id string, updates map[stri
 	}
 	defer func() { _ = tx.Rollback() }()

+	// nolint:gosec // G201: setClauses contains only column names (e.g. "status = ?"), actual values passed via args
 	query := fmt.Sprintf("UPDATE issues SET %s WHERE id = ?", strings.Join(setClauses, ", "))
 	if _, err := tx.ExecContext(ctx, query, args...); err != nil {
 		return fmt.Errorf("failed to update issue: %w", err)
@@ -600,7 +601,8 @@ func markDirty(ctx context.Context, tx *sql.Tx, issueID string) error {
 	return err
 }

-func generateIssueID(ctx context.Context, tx *sql.Tx, prefix string, issue *types.Issue, actor string) (string, error) {
+// nolint:unparam // error return kept for interface consistency
+func generateIssueID(_ context.Context, _ *sql.Tx, prefix string, issue *types.Issue, _ string) (string, error) {
 	// Simple hash-based ID generation
 	// Use first 6 chars of content hash
 	hash := issue.ComputeContentHash()
--- a/internal/storage/dolt/labels.go
+++ b/internal/storage/dolt/labels.go
@@ -64,6 +64,7 @@ func (s *DoltStore) GetLabelsForIssues(ctx context.Context, issueIDs []string) (
 		args[i] = id
 	}

+	// nolint:gosec // G201: placeholders contains only ? markers, actual values passed via args
 	query := fmt.Sprintf(`
 		SELECT issue_id, label FROM labels
 		WHERE issue_id IN (%s)
--- a/internal/storage/dolt/queries.go
+++ b/internal/storage/dolt/queries.go
@@ -211,6 +211,7 @@ func (s *DoltStore) SearchIssues(ctx context.Context, query string, filter types
 		limitSQL = fmt.Sprintf(" LIMIT %d", filter.Limit)
 	}

+	// nolint:gosec // G201: whereSQL contains column comparisons with ?, limitSQL is a safe integer
 	querySQL := fmt.Sprintf(`
 		SELECT id FROM issues
 		%s
@@ -272,6 +273,7 @@ func (s *DoltStore) GetReadyWork(ctx context.Context, filter types.WorkFilter) (
 		limitSQL = fmt.Sprintf(" LIMIT %d", filter.Limit)
 	}

+	// nolint:gosec // G201: whereSQL contains column comparisons with ?, limitSQL is a safe integer
 	query := fmt.Sprintf(`
 		SELECT id FROM issues
 		%s
@@ -338,12 +340,12 @@ func (s *DoltStore) GetBlockedIssues(ctx context.Context, filter types.WorkFilte
 		for blockerRows.Next() {
 			var blockerID string
 			if err := blockerRows.Scan(&blockerID); err != nil {
-				blockerRows.Close()
+				_ = blockerRows.Close() // nolint:gosec // G104: error ignored on early return
 				return nil, err
 			}
 			blockerIDs = append(blockerIDs, blockerID)
 		}
-		blockerRows.Close()
+		_ = blockerRows.Close() // nolint:gosec // G104: rows already read successfully

 		results = append(results, &types.BlockedIssue{
 			Issue:          *issue,
@@ -407,6 +409,7 @@ func (s *DoltStore) GetStaleIssues(ctx context.Context, filter types.StaleFilter
 		statusClause = "status = ?"
 	}

+	// nolint:gosec // G201: statusClause contains only literal SQL or a single ? placeholder
 	query := fmt.Sprintf(`
 		SELECT id FROM issues
 		WHERE updated_at < ?
--- a/internal/storage/dolt/store.go
+++ b/internal/storage/dolt/store.go
@@ -100,10 +100,10 @@ func New(ctx context.Context, cfg *Config) (*DoltStore, error) {
 	// Create the database if it doesn't exist
 	_, err = initDB.ExecContext(ctx, fmt.Sprintf("CREATE DATABASE IF NOT EXISTS %s", cfg.Database))
 	if err != nil {
-		initDB.Close()
+		_ = initDB.Close() // nolint:gosec // G104: error ignored on early return
 		return nil, fmt.Errorf("failed to create database: %w", err)
 	}
-	initDB.Close()
+	_ = initDB.Close() // nolint:gosec // G104: connection no longer needed

 	// Now connect with the database specified
 	connStr := fmt.Sprintf(
--- a/internal/storage/dolt/transaction.go
+++ b/internal/storage/dolt/transaction.go
@@ -137,6 +137,7 @@ func (t *doltTransaction) UpdateIssue(ctx context.Context, id string, updates ma
 	}

 	args = append(args, id)
+	// nolint:gosec // G201: setClauses contains only column names (e.g. "status = ?"), actual values passed via args
 	query := fmt.Sprintf("UPDATE issues SET %s WHERE id = ?", strings.Join(setClauses, ", "))
 	_, err := t.tx.ExecContext(ctx, query, args...)
 	return err