Merge pull request #112 from deepfence/tomasz/linters

[lint] Add golangci-lint automation + fix existing issues

.github/workflows/golang-linter.yaml

@@ -0,0 +1,28 @@
+name: golangci-lint
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  lint:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+          fetch-depth: "0"
+      - uses: actions/setup-go@v4
+        with:
+          go-version: '1.21'
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: v1.55
+          only-new-issues: true

.golangci.yml

@@ -0,0 +1,11 @@
+linters:
+  enable:
+  - stylecheck
+  - gocritic
+  # - dupl
+  - durationcheck
+  # - goconst
+  - gofmt
+  - goimports
+  # - misspell
+  # - nestif

core/config.go

@@ -109,6 +109,9 @@ func ParseConfig(options *Options) (*Config, error) {
 // Helps e.g. with Drone where workdir is different than shhgit dir
 func getDefaultConfig() (*Config, error) {
 	ex, err := os.Executable()
+	if err != nil {
+		return nil, fmt.Errorf("os.Executable: %w", err)
+	}
 	dir := filepath.Dir(ex)
 	config, err := loadConfigFile(dir)
 	if err != nil {
@@ -119,17 +122,12 @@ func getDefaultConfig() (*Config, error) {
 }
 
 func loadConfigFile(configPath string) (*Config, error) {
-	var (
-		config *Config = &Config{}
-		data   []byte
-		err    error
-	)
-
 	fstat, err := os.Stat(configPath)
 	if err != nil {
 		return nil, err
 	}
 
+	var data []byte
 	if fstat.IsDir() {
 		data, err = os.ReadFile(path.Join(configPath, "config.yaml"))
 	} else {
@@ -139,6 +137,7 @@ func loadConfigFile(configPath string) (*Config, error) {
 		return nil, err
 	}
 
+	config := &Config{}
 	err = yaml.Unmarshal(data, config)
 	if err != nil {
 		return nil, err

core/match.go

@@ -95,7 +95,7 @@ func ContainsBlacklistedString(input []byte) bool {
 }
 
 //// GetMatchingFiles Return the list of all applicable files inside the given directory for scanning
-//func GetMatchingFiles(dir string, baseDir string) (*bytes.Buffer, *bytes.Buffer, error) {
+// func GetMatchingFiles(dir string, baseDir string) (*bytes.Buffer, *bytes.Buffer, error) {
 //	findCmd := "find " + dir
 //	for _, skippableExt := range session.Config.BlacklistedExtensions {
 //		findCmd += " -not -name \"*" + skippableExt + "\""
@@ -116,7 +116,7 @@ func ContainsBlacklistedString(input []byte) bool {
 
 // UpdateDirsPermissionsRW Update permissions for dirs in container images, so that they can be properly deleted
 func UpdateDirsPermissionsRW(dir string) {
-	filepath.WalkDir(dir, func(path string, f os.DirEntry, err error) error {
+	_ = filepath.WalkDir(dir, func(path string, f os.DirEntry, err error) error {
 		if f.IsDir() {
 			err := os.Chmod(path, 0700)
 			if err != nil {

core/options.go

@@ -9,7 +9,7 @@ import (
 const (
 	TempDirSuffix          = "SecretScanning"
 	ExtractedImageFilesDir = "ExtractedFiles"
-	JsonOutput             = "json"
+	JSONOutput             = "json"
 	TableOutput            = "table"
 )
 
@@ -26,12 +26,12 @@ type Options struct {
 	MultipleMatch     *bool
 	MaxMultiMatch     *uint
 	MaxSecrets        *uint
-	ContainerId       *string
+	ContainerID       *string
 	ContainerNS       *string
 	WorkersPerScan    *int
 	InactiveThreshold *int
 	OutFormat         *string
-	ConsoleUrl        *string
+	ConsoleURL        *string
 	ConsolePort       *int
 	DeepfenceKey      *string
 	FailOnCount       *int
@@ -71,12 +71,12 @@ func ParseOptions() (*Options, error) {
 		MultipleMatch:     flag.Bool("multi-match", false, "Output multiple matches of same pattern in one file. By default, only one match of a pattern is output for a file for better performance"),
 		MaxMultiMatch:     flag.Uint("max-multi-match", 3, "Maximum number of matches of same pattern in one file. This is used only when multi-match option is enabled."),
 		MaxSecrets:        flag.Uint("max-secrets", 1000, "Maximum number of secrets to find in one container image or file system."),
-		ContainerId:       flag.String("container-id", "", "Id of existing container ID"),
+		ContainerID:       flag.String("container-id", "", "Id of existing container ID"),
 		ContainerNS:       flag.String("container-ns", "", "Namespace of existing container to scan, empty for docker runtime"),
 		WorkersPerScan:    flag.Int("workers-per-scan", 1, "Number of concurrent workers per scan"),
 		InactiveThreshold: flag.Int("inactive-threshold", 600, "Threshold for Inactive scan in seconds"),
 		OutFormat:         flag.String("output", TableOutput, "Output format: json or table"),
-		ConsoleUrl:        flag.String("console-url", "", "Deepfence Management Console URL"),
+		ConsoleURL:        flag.String("console-url", "", "Deepfence Management Console URL"),
 		ConsolePort:       flag.Int("console-port", 443, "Deepfence Management Console Port"),
 		DeepfenceKey:      flag.String("deepfence-key", "", "Deepfence key for auth"),
 		FailOnCount:       flag.Int("fail-on-count", -1, "Exit with status 1 if number of secrets found is >= this value (Default: -1)"),

core/session.go

@@ -2,12 +2,10 @@ package core
 
 import (
 	"context"
-	"math/rand"
 	"os"
 	"runtime"
 	"strings"
 	"sync"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 )
@@ -27,7 +25,6 @@ var (
 )
 
 func (s *Session) Start() {
-	rand.Seed(time.Now().Unix())
 	s.InitThreads()
 }
 
@@ -60,13 +57,13 @@ func GetSession() *Session {
 		nameSeperator := "-"
 		var blacklistedPaths []string
 		for _, blacklistedPath := range session.Config.BlacklistedPaths {
-			blacklistedPaths = append(blacklistedPaths, strings.Replace(blacklistedPath, "{sep}", pathSeparator, -1))
+			blacklistedPaths = append(blacklistedPaths, strings.ReplaceAll(blacklistedPath, "{sep}", pathSeparator))
 		}
 		session.Config.BlacklistedPaths = blacklistedPaths
 		var excludePaths []string
 		for _, excludePath := range session.Config.ExcludePaths {
-			excludePaths = append(excludePaths, strings.Replace(excludePath, "{sep}", pathSeparator, -1))
-			excludePaths = append(excludePaths, strings.Replace(excludePath, "{name_sep}", nameSeperator, -1))
+			excludePaths = append(excludePaths, strings.ReplaceAll(excludePath, "{sep}", pathSeparator))
+			excludePaths = append(excludePaths, strings.ReplaceAll(excludePath, "{name_sep}", nameSeperator))
 
 		}
 		session.Config.ExcludePaths = excludePaths

core/util.go

@@ -29,7 +29,7 @@ func CreateRecursiveDir(completePath string) error {
 		return err
 	} else if err != nil {
 		log.Errorf("createRecursiveDir %q: %s. Deleting temp dir", completePath, err)
-		DeleteTmpDir(completePath)
+		_ = DeleteTmpDir(completePath)
 		return err
 	}
 
@@ -42,6 +42,7 @@ func CreateRecursiveDir(completePath string) error {
 // @returns
 // string - Sanitized string which can used as part of filename
 func getSanitizedString(imageName string) string {
+	//nolint:gocritic
 	reg, err := regexp.Compile("[^A-Za-z0-9]+")
 	if err != nil {
 		return "error"
@@ -58,12 +59,12 @@ func getSanitizedString(imageName string) string {
 // Error - Errors if any. Otherwise, returns nil
 func GetTmpDir(imageName string) (string, error) {
 
-	var scanId string = "df_" + getSanitizedString(imageName)
+	scanID := "df_" + getSanitizedString(imageName)
 
 	dir := *session.Options.TempDirectory
-	tempPath := filepath.Join(dir, "Deepfence", TempDirSuffix, scanId)
+	tempPath := filepath.Join(dir, "Deepfence", TempDirSuffix, scanID)
 
-	//if runtime.GOOS == "windows" {
+	// if runtime.GOOS == "windows" {
 	//	tempPath = dir + "\temp\Deepfence\SecretScanning\df_" + scanId
 	//}
 

main.go

@@ -58,15 +58,15 @@ var session = core.GetSession()
 // image - Name of the container image to scan (e.g. "alpine:3.5")
 // @returns
 // Error, if any. Otherwise, returns nil
-func findSecretsInImage(image string) (*output.JsonImageSecretsOutput, error) {
+func findSecretsInImage(image string) (*output.JSONImageSecretsOutput, error) {
 
 	res, err := scan.ExtractAndScanImage(image)
 	if err != nil {
 		return nil, err
 	}
-	jsonImageSecretsOutput := output.JsonImageSecretsOutput{ImageName: image}
+	jsonImageSecretsOutput := output.JSONImageSecretsOutput{ImageName: image}
 	jsonImageSecretsOutput.SetTime()
-	jsonImageSecretsOutput.SetImageId(res.ImageId)
+	jsonImageSecretsOutput.SetImageID(res.ImageId)
 	jsonImageSecretsOutput.SetSecrets(res.Secrets)
 
 	return &jsonImageSecretsOutput, nil
@@ -77,7 +77,7 @@ func findSecretsInImage(image string) (*output.JsonImageSecretsOutput, error) {
 // dir - Complete path of the directory to be scanned
 // @returns
 // Error, if any. Otherwise, returns nil
-func findSecretsInDir(dir string) (*output.JsonDirSecretsOutput, error) {
+func findSecretsInDir(dir string) (*output.JSONDirSecretsOutput, error) {
 	var isFirstSecret bool = true
 
 	secrets, err := scan.ScanSecretsInDir("", "", dir, &isFirstSecret, nil)
@@ -86,7 +86,7 @@ func findSecretsInDir(dir string) (*output.JsonDirSecretsOutput, error) {
 		return nil, err
 	}
 
-	jsonDirSecretsOutput := output.JsonDirSecretsOutput{DirName: *session.Options.Local}
+	jsonDirSecretsOutput := output.JSONDirSecretsOutput{DirName: *session.Options.Local}
 	jsonDirSecretsOutput.SetTime()
 	jsonDirSecretsOutput.SetSecrets(secrets)
 
@@ -98,22 +98,22 @@ func findSecretsInDir(dir string) (*output.JsonDirSecretsOutput, error) {
 // containerId - Id of the container to scan (e.g. "0fdasf989i0")
 // @returns
 // Error, if any. Otherwise, returns nil
-func findSecretsInContainer(containerId string, containerNS string) (*output.JsonImageSecretsOutput, error) {
+func findSecretsInContainer(containerId string, containerNS string) (*output.JSONImageSecretsOutput, error) {
 
 	res, err := scan.ExtractAndScanContainer(containerId, containerNS, nil)
 	if err != nil {
 		return nil, err
 	}
-	jsonImageSecretsOutput := output.JsonImageSecretsOutput{ContainerId: containerId}
+	jsonImageSecretsOutput := output.JSONImageSecretsOutput{ContainerID: containerId}
 	jsonImageSecretsOutput.SetTime()
-	jsonImageSecretsOutput.SetImageId(res.ContainerId)
+	jsonImageSecretsOutput.SetImageID(res.ContainerId)
 	jsonImageSecretsOutput.SetSecrets(res.Secrets)
 
 	return &jsonImageSecretsOutput, nil
 }
 
 type SecretsWriter interface {
-	WriteJson() error
+	WriteJSON() error
 	WriteTable() error
 	GetSecrets() []output.SecretFound
 }
@@ -146,11 +146,11 @@ func runOnce(format string) {
 	}
 
 	// Scan existing container for secrets
-	if len(*session.Options.ContainerId) > 0 {
+	if len(*session.Options.ContainerID) > 0 {
 		node_type = "container_image"
-		node_id = *session.Options.ContainerId
-		log.Debugf("Scanning container %s for secrets...", *session.Options.ContainerId)
-		result, err = findSecretsInContainer(*session.Options.ContainerId, *session.Options.ContainerNS)
+		node_id = *session.Options.ContainerID
+		log.Debugf("Scanning container %s for secrets...", *session.Options.ContainerID)
+		result, err = findSecretsInContainer(*session.Options.ContainerID, *session.Options.ContainerNS)
 		if err != nil {
 			log.Fatal("main: error while scanning container: %s", err)
 		}
@@ -161,17 +161,17 @@ func runOnce(format string) {
 		return
 	}
 
-	if len(*core.GetSession().Options.ConsoleUrl) != 0 && len(*core.GetSession().Options.DeepfenceKey) != 0 {
+	if len(*core.GetSession().Options.ConsoleURL) != 0 && len(*core.GetSession().Options.DeepfenceKey) != 0 {
 		pub, err := output.NewPublisher(
-			*core.GetSession().Options.ConsoleUrl,
+			*core.GetSession().Options.ConsoleURL,
 			strconv.Itoa(*core.GetSession().Options.ConsolePort),
 			*core.GetSession().Options.DeepfenceKey,
 		)
 		if err != nil {
 			log.Error(err.Error())
 		}
 
-		pub.SendReport(output.GetHostname(), *session.Options.ImageName, *session.Options.ContainerId, node_type)
+		pub.SendReport(output.GetHostname(), *session.Options.ImageName, *session.Options.ContainerID, node_type)
 		scanId := pub.StartScan(node_id, node_type)
 		if len(scanId) == 0 {
 			scanId = fmt.Sprintf("%s-%d", node_id, time.Now().UnixMilli())
@@ -183,8 +183,8 @@ func runOnce(format string) {
 	counts := output.CountBySeverity(result.GetSecrets())
 	log.Infof("result severity counts: %+v", counts)
 
-	if format == core.JsonOutput {
-		err = result.WriteJson()
+	if format == core.JSONOutput {
+		err = result.WriteJSON()
 		if err != nil {
 			log.Fatal("main: error while writing secrets: %s", err)
 		}