The batch_ops.go file uses fmt.Sprintf to build SQL queries with IN clause expansion, same pattern as dependencies.go. The placeholders are parameterized (?) making this safe, but gosec G201 flags it. Add batch_ops.go to the existing G201 exclusion path regex. This fixes CI lint failures affecting multiple open PRs. Co-authored-by: Charles P. Cross <cpdata@users.noreply.github.com>
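# golangci-lint configuration (v2 schema).
# Only the linters listed under `enable` run. The exclusion rules further down
# suppress specific findings by file path and message text; each one widens
# what can merge without a lint failure, so keep the patterns as narrow as possible.
version: "2"

run:
  timeout: 5m
  # Test files (_test.go) are left out of the analysis.
  tests: false

linters:
  default: 'none'
  enable:
    - errcheck
    - gosec
    - misspell
    - unconvert
    - unparam

  settings:
    errcheck:
      # Unchecked errors from these calls are not reported anywhere in the repo.
      # Close on a file that was written to, and Remove/RemoveAll/MkdirAll, can
      # fail in ways that matter (lost writes, leftover files); check the error
      # explicitly wherever the result is relied upon.
      # NOTE(review): errcheck documents package-level functions as `pkg.Func`
      # (e.g. `os.Remove`); confirm the parenthesised `(os).X` / `(fmt).X`
      # entries actually match.
      exclude-functions:
        - (*database/sql.DB).Close
        - (*database/sql.Rows).Close
        - (*database/sql.Tx).Rollback
        - (*database/sql.Stmt).Close
        - (*database/sql.Conn).Close
        - (*os.File).Close
        - (os).RemoveAll
        - (os).Remove
        - (os).Setenv
        - (os).Unsetenv
        - (os).Chdir
        - (os).MkdirAll
        - (fmt).Sscanf
    misspell:
      locale: US

  exclusions:
    rules:
      # G304: File inclusion via variable in tests is safe (test data)
      # NOTE(review): run.tests is false above, so rules scoped to _test.go may
      # never fire; confirm whether they are still needed.
      - path: '_test\.go'
        linters:
          - gosec
        text: "G304"
      # G306: File permissions 0644 in tests are acceptable (test fixtures)
      - path: '_test\.go'
        linters:
          - gosec
        text: "G306"
      # G304: Safe file reads from known JSONL and error paths
      # The rule is file-wide: a new read of a caller-supplied path added to
      # one of these files is suppressed as well and needs manual review.
      - path: 'cmd/bd/autoflush\.go|internal/beads/beads\.go|internal/daemon/discovery\.go|internal/daemonrunner/sync\.go|internal/syncbranch/worktree\.go'
        linters:
          - gosec
        text: "G304"
      # G302/G301: Permissions 0700 (G302) and 0750 (G301) are acceptable.
      # No path filter, so this rule applies to every file in the repo.
      - linters:
          - gosec
        text: "G302.*0700|G301.*0750"
      # G306: JSONL files and error logs need 0644 for debugging/sharing
      # 0644 is world-readable; nothing secret should be written by these files.
      - path: 'cmd/bd/autoflush\.go|cmd/bd/daemon\.go|cmd/bd/daemon_sync_branch\.go|internal/daemon/registry\.go|internal/daemonrunner/daemon\.go|internal/git/worktree\.go'
        linters:
          - gosec
        text: "G306"
      # G306: Git hooks must be executable (0700)
      - path: 'cmd/bd/init\.go'
        linters:
          - gosec
        text: "G306.*0700"
      # G204: Safe subprocess launches with validated arguments
      # File-wide suppression: gosec will not flag a new subprocess call added
      # to any of these files, so argument validation there is enforced by
      # review only. Prefer a line-level `#nosec G204` with a justification
      # for new call sites instead of growing this list.
      - path: 'cmd/bd/daemon_autostart\.go|cmd/bd/daemon_sync_branch\.go|cmd/bd/doctor\.go|cmd/bd/doctor/fix/sync_branch\.go|cmd/bd/jira\.go|cmd/bd/migrate_sync\.go|cmd/bd/show\.go|cmd/bd/sync\.go|internal/git/worktree\.go|internal/syncbranch/worktree\.go'
        linters:
          - gosec
        text: 'G204'
      # G104: Deferred file closes - errors are non-critical
      - path: 'cmd/bd/show\.go'
        linters:
          - gosec
        text: "G104.*Close"
      # G115: Safe integer conversions in backoff calculations
      - path: 'cmd/bd/daemon_autostart\.go'
        linters:
          - gosec
        text: "G115"
      # G201: SQL with fmt.Sprintf using placeholders (IN clause expansion)
      # Safe only while fmt.Sprintf inserts nothing but the generated `?`
      # placeholders and every value is passed as a bound argument. The
      # suppression covers both files entirely: a later Sprintf that formats a
      # value or identifier into SQL here will not be reported, so changes to
      # query construction in these files need manual review.
      - path: 'internal/storage/sqlite/(dependencies|batch_ops)\.go'
        linters:
          - gosec
        text: "G201"
      # errcheck: Ignore unchecked errors in test files for common cleanup patterns
      - path: '_test\.go'
        linters:
          - errcheck
        text: "Error return value of .*(Close|Rollback|RemoveAll|Setenv|Unsetenv|Chdir|MkdirAll|Remove|Write|SetReadDeadline|SetDeadline|Start|Stop).* is not checked"

      # unparam: Placeholder functions that may return errors in future implementation
      - path: 'cmd/bd/jira\.go'
        linters:
          - unparam
        text: 'reimportConflicts|resolveConflictsByTimestamp'

issues:
  uniq-by-line: true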