fix: suppress gosec lint warnings for file operations

All file reads/writes are from controlled paths (.beads/, .git/, or git root).
Add #nosec comments to suppress G304 and G204 warnings.

- cmd/bd/doctor.go:664 - ReadFile from .beads/config.yaml
- cmd/bd/main.go:645 - ReadFile from .beads/{issues,beads}.jsonl
- cmd/bd/doctor/fix/database_config.go:166 - ReadFile from git root .gitattributes
- cmd/bd/doctor/fix/untracked.go:61 - exec Command with whitelisted JSONL files
matt wilkie
2025-11-29 00:44:23 -07:00
parent f134a3d658
commit dee16db0c0
6 changed files with 62 additions and 0 deletions
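The issue record in this commit offers two ways out of a G304 finding: suppress it with `#nosec`, or validate the path. The following is an added example of the second option, not code from this commit or the beads project: `safeBeadsPath` and `countIssueLines` are hypothetical names, `beadsDir` and `name` are assumed inputs, and the line-counting mirrors the "approximately = issue count" loop in main.go but streams the file instead of reading it whole.

```go
package main

import (
	"bufio"
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var errOutsideBeadsDir = errors.New("path escapes the .beads directory")

// safeBeadsPath joins name onto beadsDir and checks that the cleaned result still
// lies inside beadsDir, so a caller can hand it to os.Open/ReadFile without #nosec G304.
func safeBeadsPath(beadsDir, name string) (string, error) {
	base, err := filepath.Abs(beadsDir)
	if err != nil {
		return "", err
	}
	// Join cleans ".." segments; an absolute name is treated as relative to base.
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideBeadsDir
	}
	return full, nil
}

// countIssueLines counts non-empty lines of a JSONL file under beadsDir (the
// "roughly one issue per line" estimate), streaming instead of loading the whole file.
func countIssueLines(beadsDir, name string) (int, error) {
	p, err := safeBeadsPath(beadsDir, name)
	if err != nil {
		return 0, err
	}
	f, err := os.Open(p)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // JSONL records can exceed the 64 KiB default
	n := 0
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) != "" {
			n++
		}
	}
	return n, sc.Err()
}
```

With the containment check in one place, gosec no longer needs a per-call-site suppression and a reviewer can audit the invariant instead of a comment.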


@@ -4,6 +4,7 @@
{"id":"bd-0io","title":"Sync should cleanup snapshot files after completion","description":"## Problem\n`bd sync` leaves orphaned merge artifact files (beads.base.jsonl, beads.left.jsonl) after completion, causing:\n1. Doctor warnings about 'Multiple JSONL files found'\n2. Confusion during debugging\n3. Potential stale data issues on next sync\n\n## Root Cause\n`SnapshotManager` creates these files for 3-way merge deletion tracking but `Cleanup()` is never called after sync completes (success or failure).\n\n## Fix\nCall `SnapshotManager.Cleanup()` at end of successful sync:\n\n```go\n// sync.go after successful validation\nsm := NewSnapshotManager(jsonlPath)\nsm.Cleanup()\n```\n\n## Files\n- cmd/bd/sync.go (add cleanup call)\n- cmd/bd/snapshot_manager.go (Cleanup method exists at line 188)","status":"closed","priority":1,"issue_type":"bug","created_at":"2025-11-28T17:06:20.881183-08:00","updated_at":"2025-11-28T21:53:44.37689-08:00","closed_at":"2025-11-28T21:53:44.37689-08:00"}
{"id":"bd-0v4","title":"Short tests taking 13+ minutes (performance regression)","description":"","status":"closed","priority":0,"issue_type":"bug","created_at":"2025-11-27T00:54:03.350344-08:00","updated_at":"2025-11-27T13:23:19.376658-08:00","closed_at":"2025-11-27T01:36:06.684059-08:00"}
{"id":"bd-1pj6","title":"Proposal: Custom status states via config","description":"Proposal to add 'custom status states' via `bd config`.\nUsers could define an optional issue status enum (e.g., awaiting_review, review_in_progress) in the config.\nThis would enable multi-step pipelines to process issues where each step correlates to a specific status.\n\nExamples:\n- awaiting_verification\n- awaiting_docs\n- awaiting_testing\n","status":"open","priority":3,"issue_type":"feature","created_at":"2025-11-20T18:55:48.670499-05:00","updated_at":"2025-11-20T18:55:48.670499-05:00"}
{"id":"bd-1u4","title":"Fix gosec lint warnings in doctor.go, main.go, and fix subdirectory","description":"CI lint job failing with 4 gosec warnings:\n- cmd/bd/doctor.go:664 (G304: file inclusion via variable)\n- cmd/bd/doctor/fix/database_config.go:166 (G304: file inclusion via variable) \n- cmd/bd/doctor/fix/untracked.go:61 (G204: subprocess launched with variable)\n- cmd/bd/main.go:645 (G304: file inclusion via variable)\n\nEither suppress with `// #nosec` if false positives, or refactor to validate paths properly.","status":"open","priority":2,"issue_type":"task","created_at":"2025-11-29T00:43:07.393406783-07:00","updated_at":"2025-11-29T00:43:07.393406783-07:00"}
{"id":"bd-2em","title":"Expand checkHooksQuick to verify all hook versions","description":"Currently checkHooksQuick only checks post-merge hook version. Should also check pre-commit, pre-push, and post-checkout for completeness. Keep it lightweight but catch more outdated hooks.","status":"closed","priority":2,"issue_type":"task","created_at":"2025-11-25T19:27:47.432243-08:00","updated_at":"2025-11-25T19:50:21.378464-08:00","closed_at":"2025-11-25T19:50:21.378464-08:00"}
{"id":"bd-39o","title":"Rename last_import_hash metadata key to jsonl_content_hash","description":"The metadata key 'last_import_hash' is misleading because it's updated on both import AND export (sync.go:614, import.go:320).\n\nBetter names:\n- jsonl_content_hash (more accurate)\n- last_sync_hash (clearer intent)\n\nThis is a breaking change requiring migration of existing metadata values.","status":"open","priority":2,"issue_type":"task","created_at":"2025-11-20T21:31:07.568739-05:00","updated_at":"2025-11-20T21:31:07.568739-05:00"}
{"id":"bd-3gc","title":"Audit remaining cmd/bd files for error handling consistency","description":"Extend ERROR_HANDLING_AUDIT.md to cover: daemon_sync.go, update.go, list.go, show.go, close.go, reopen.go, dep.go, label.go, comments.go, delete.go, compact.go, config.go, validate.go and other high-usage command files","status":"open","priority":3,"issue_type":"task","created_at":"2025-11-24T00:28:55.890991-08:00","updated_at":"2025-11-24T00:28:55.890991-08:00"}
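Review bot: the bd-1u4 record added in this hunk (created one minute before the commit) is left at `"status":"open"` even though this same commit applies the `// #nosec` option the record describes; either close it here or keep the tracker change out of the lint fix so the two can be reviewed separately. The record's own second option, "refactor to validate paths properly", is the one that would remove the warnings without per-line suppressions.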

_working_on_.md Normal file

@@ -0,0 +1,57 @@
I created a new worktree branch and was stopped even before getting started. Beads is not happy with this setup. I don't know why.
```
main on  main [$] via 🐹 v1.25.4
git worktree add ../fix-ci -b fix-ci
Preparing worktree (new branch 'fix-ci')
HEAD is now at 4ef5a28a bd sync: 2025-11-28 22:17:18
🔗 Importing beads issues from JSONL...
✓ Beads issues imported successfully
main on  main [$] via 🐹 v1.25.4
cd ../fix-ci/
fix-ci on  fix-ci [$] via 🐹 v1.25.4
bd doctor
Diagnostics
├ Installation: .beads/ directory found
├ Git Hooks: All recommended hooks installed
│ Installed: post-merge, pre-push, pre-commit
├ Database: Unable to read database version ✗
│ Storage: SQLite
├ Schema Compatibility: All required tables and columns present
├ Issue IDs: hash-based ✓
├ CLI Version: 0.26.0 (latest)
├ Database Files: Single database file
├ JSONL Files: Using issues.jsonl
├ JSONL Config: Using issues.jsonl
├ Database Config: Configuration matches existing files
├ Daemon Health: No daemon running (will auto-start on next command)
├ DB-JSONL Sync: Database and JSONL are in sync
├ Permissions: All permissions OK
├ Dependency Cycles: No circular dependencies detected
├ Claude Integration: Hooks installed (CLI mode)
│ Plugin not detected - install for slash commands
├ bd in PATH: 'bd' command available
├ Documentation bd prime: Documentation references match installed features
│ Files: AGENTS.md
├ Agent Documentation: Documentation found: AGENTS.md
├ Documentation: No legacy beads slash commands detected
├ Gitignore: Up to date
├ Git Merge Driver: Correctly configured
│ bd merge %A %O %A %B
├ Metadata Version Tracking: Version tracking active (version: 0.26.0)
├ Sync Branch Config: sync.branch not configured ⚠
│ Current branch: fix-ci
├ Deletions Manifest: Present (2474 entries)
└ Untracked Files: All .beads/*.jsonl files are tracked
✗ Error: Unable to read database version
Fix: Database may be corrupted. Try 'bd migrate'
⚠ Warning: sync.branch not configured
Fix: Run 'bd doctor --fix' to auto-configure to 'fix-ci', or manually: bd config set sync.branch <branch-name>
```
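Review bot: `_working_on_.md` is a personal scratch note with a pasted terminal transcript and has nothing to do with the gosec suppressions in the commit title; it belongs in an ignored local file, not in the repository. The failure it records (`bd doctor` reporting "Unable to read database version" in a freshly created worktree while every other check passes) deserves its own tracker issue rather than being buried in a lint-fix commit.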


@@ -661,6 +661,7 @@ func checkDatabaseVersion(path string) doctorCheck {
// Check config.yaml for no-db: true
configPath := filepath.Join(beadsDir, "config.yaml")
isNoDbMode := false
// #nosec G304 -- configPath is constructed from beadsDir which is in .beads/
if configData, err := os.ReadFile(configPath); err == nil {
// Simple check for no-db: true in config.yaml
isNoDbMode = strings.Contains(string(configData), "no-db: true")
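Review bot: the `#nosec G304` justification says `configPath` comes from `beadsDir` "which is in .beads/", but what decides whether G304 is a false positive is how `beadsDir` itself is derived (fixed by the tool, or taken from a flag or environment variable), and the comment does not say; state that origin in the comment, or route the read through a helper that checks the joined path stays under `.beads/` so the suppression is not needed. Separately, the `strings.Contains(string(configData), "no-db: true")` check in the context lines also matches a commented-out `# no-db: true`; decoding the YAML key would be more reliable, though that is outside this change.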


@@ -163,6 +163,7 @@ func LegacyJSONLConfig(path string) error {
// Update .gitattributes if it references beads.jsonl
gitattrsPath := filepath.Join(path, ".gitattributes")
// #nosec G304 -- gitattrsPath is constructed from path which is the git root
if content, err := os.ReadFile(gitattrsPath); err == nil {
if strings.Contains(string(content), ".beads/beads.jsonl") {
newContent := strings.ReplaceAll(string(content), ".beads/beads.jsonl", ".beads/issues.jsonl")
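Review bot: `LegacyJSONLConfig(path string)` takes `path` as a parameter, so the `#nosec G304 -- ... path which is the git root` comment asserts a caller-side invariant the function itself never checks; either verify it here (for example that `path` contains a `.git` entry) or record the invariant in the function's doc comment so the suppression is traceable to something a reader can confirm. Since the same `content` is rewritten with `strings.ReplaceAll` and presumably written back, the justification covers a read-modify-write of a repository file, which is worth saying explicitly.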


@@ -58,6 +58,7 @@ func UntrackedJSONL(path string) error {
continue
}
// #nosec G204 -- file is validated against a whitelist of JSONL files
addCmd := exec.Command("git", "add", file)
addCmd.Dir = path
if err := addCmd.Run(); err != nil {
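Review bot: the `#nosec G204` reasoning holds (arguments are passed as a slice, so no shell ever sees `file`, and the value is whitelisted), but `exec.Command("git", "add", file)` should still become `exec.Command("git", "add", "--", file)`: the `--` separator guarantees git treats the value as a pathspec rather than an option, which keeps the call safe even if the whitelist is later extended with a name that begins with `-`.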


@@ -642,6 +642,7 @@ func handleFreshCloneError(err error, beadsDir string) bool {
if info, statErr := os.Stat(candidate); statErr == nil && !info.IsDir() {
jsonlPath = candidate
// Count lines (approximately = issue count)
// #nosec G304 -- candidate is constructed from beadsDir which is .beads/
if data, readErr := os.ReadFile(candidate); readErr == nil {
for _, line := range strings.Split(string(data), "\n") {
if strings.TrimSpace(line) != "" {
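Review bot: the comment `candidate is constructed from beadsDir which is .beads/` repeats the directory but omits the stronger reason this is a false positive: per the commit message, `candidate` is one of the fixed names `issues.jsonl` or `beads.jsonl`, so the file name is not variable at all, and the `#nosec` comment should say so. Also, `os.ReadFile(candidate)` loads the whole JSONL into memory only to count non-empty lines; a `bufio.Scanner` over the opened file gives the same count without the allocation, and opening once would also remove the `os.Stat` followed by `os.ReadFile` pair.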