johno/beads
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: suppress gosec lint warnings for file operations

Browse Source 
All file reads/writes are from controlled paths (.beads/, .git/, or git root).
Add #nosec comments to suppress G304 and G204 warnings.

- cmd/bd/doctor.go:664 - ReadFile from .beads/config.yaml
- cmd/bd/main.go:645 - ReadFile from .beads/{issues,beads}.jsonl
- cmd/bd/doctor/fix/database_config.go:166 - ReadFile from git root .gitattributes
- cmd/bd/doctor/fix/untracked.go:61 - exec Command with whitelisted JSONL files
This commit is contained in:
matt wilkie
2025-11-29 00:44:23 -07:00
parent f134a3d658
commit dee16db0c0
6 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/bd/doctor.go
View File

@@ -661,6 +661,7 @@ func checkDatabaseVersion(path string) doctorCheck {
// Check config.yaml for no-db: true
configPath := filepath.Join(beadsDir, "config.yaml")
isNoDbMode := false
// #nosec G304 -- configPath is constructed from beadsDir which is in .beads/
if configData, err := os.ReadFile(configPath); err == nil {
// Simple check for no-db: true in config.yaml
isNoDbMode = strings.Contains(string(configData), "no-db: true")

1
cmd/bd/doctor/fix/database_config.go
View File

@@ -163,6 +163,7 @@ func LegacyJSONLConfig(path string) error {
// Update .gitattributes if it references beads.jsonl
gitattrsPath := filepath.Join(path, ".gitattributes")
// #nosec G304 -- gitattrsPath is constructed from path which is the git root
if content, err := os.ReadFile(gitattrsPath); err == nil {
if strings.Contains(string(content), ".beads/beads.jsonl") {
newContent := strings.ReplaceAll(string(content), ".beads/beads.jsonl", ".beads/issues.jsonl")

1
cmd/bd/doctor/fix/untracked.go
View File

@@ -58,6 +58,7 @@ func UntrackedJSONL(path string) error {
continue
}
// #nosec G204 -- file is validated against a whitelist of JSONL files
addCmd := exec.Command("git", "add", file)
addCmd.Dir = path
if err := addCmd.Run(); err != nil {

1
cmd/bd/main.go
View File

@@ -642,6 +642,7 @@ func handleFreshCloneError(err error, beadsDir string) bool {
if info, statErr := os.Stat(candidate); statErr == nil && !info.IsDir() {
jsonlPath = candidate
// Count lines (approximately = issue count)
// #nosec G304 -- candidate is constructed from beadsDir which is .beads/
if data, readErr := os.ReadFile(candidate); readErr == nil {
for _, line := range strings.Split(string(data), "\n") {
if strings.TrimSpace(line) != "" {