I am on
❯ go version
go version go1.26.1 darwin/arm64
❯ golangci-lint --version
golangci-lint has version 2.11.3 built with go1.26.1 from v2.11.3 on 1970-01-01T00:00:00Z
and those find quite a bit more linter warnings than the current version does:
❯ make lint
🔍 Linting code...
golangci-lint run --allow-parallel-runners
cmd/fence/main.go:269:22: G115: integer overflow conversion uintptr -> int (gosec)
term.IsTerminal(int(os.Stdin.Fd())) &&
^
cmd/fence/main.go:270:22: G115: integer overflow conversion uintptr -> int (gosec)
term.IsTerminal(int(os.Stdout.Fd()))
^
cmd/fence/main.go:278:30: G115: integer overflow conversion uintptr -> int (gosec)
isTTY := term.IsTerminal(int(os.Stdin.Fd()))
^
internal/proxy/http.go:129:36: G704: SSRF via taint analysis (gosec)
targetConn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", host, port), 10*time.Second)
^
internal/proxy/http.go:198:34: G704: SSRF via taint analysis (gosec)
proxyReq, err := http.NewRequest(r.Method, r.RequestURI, r.Body)
^
internal/proxy/http.go:221:24: G704: SSRF via taint analysis (gosec)
resp, err := client.Do(proxyReq)
^
internal/sandbox/benchmark_test.go:338:9: G204: Subprocess launched with variable (gosec)
cmd := exec.CommandContext(ctx, shell, "-c", command)
^
internal/sandbox/integration_test.go:248:9: G204: Subprocess launched with variable (gosec)
cmd := exec.CommandContext(ctx, shell, "-c", command)
^
internal/sandbox/runtime_exec_deny.go:428:22: G703: Path traversal via taint analysis (gosec)
info, err := os.Stat(path)
^
internal/sandbox/runtime_exec_deny_test.go:302:3: G101: Potential hardcoded credentials (gosec)
{token: "/shared/bin/dd", accept: "dd"},
^
internal/sandbox/shell_select.go:56:23: G703: Path traversal via taint analysis (gosec)
info, err := os.Stat(envShell)
^
internal/sandbox/linux_stub.go:36:14: ST1005: error strings should not be capitalized (staticcheck)
return nil, fmt.Errorf("Linux bridge not available on this platform")
^
internal/sandbox/linux_stub.go:52:13: ST1005: error strings should not be capitalized (staticcheck)
return "", fmt.Errorf("Linux sandbox not available on this platform")
^
internal/sandbox/linux_stub.go:57:13: ST1005: error strings should not be capitalized (staticcheck)
return "", fmt.Errorf("Linux sandbox not available on this platform")
^
internal/sandbox/macos.go:353:2: QF1012: Use fmt.Fprintf(...) instead of WriteString(fmt.Sprintf(...)) (staticcheck)
profile.WriteString(fmt.Sprintf("(deny default (with message %q))\n\n", logTag))
^
internal/sandbox/macos.go:354:2: QF1012: Use fmt.Fprintf(...) instead of WriteString(fmt.Sprintf(...)) (staticcheck)
profile.WriteString(fmt.Sprintf("; LogTag: %s\n\n", logTag))
^
internal/sandbox/macos.go:505:4: QF1012: Use fmt.Fprintf(...) instead of WriteString(fmt.Sprintf(...)) (staticcheck)
profile.WriteString(fmt.Sprintf(" (literal %s)\n", escapePath(execPath)))
^
17 issues:
* gosec: 11
* staticcheck: 6
make: *** [Makefile:73: lint] Error 1
Is there any downside to upgrading to a later go version? Most of these seem easily fixable.