Merge pull request #43195 from thaJeztah/update_golangci_lint

Dockerfile: update golangci-lint v1.44.0

Dockerfile

@@ -175,7 +175,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
         PREFIX=/build /install.sh containerd
 
 FROM base AS golangci_lint
-ARG GOLANGCI_LINT_VERSION=v1.23.8
+ARG GOLANGCI_LINT_VERSION=v1.44.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
         GOBIN=/build/ GO111MODULE=on go install "github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINT_VERSION}" \

client/client.go

@@ -135,9 +135,6 @@ func NewClientWithOpts(ops ...Opt) (*Client, error) {
 		}
 	}
 
-	if _, ok := c.client.Transport.(http.RoundTripper); !ok {
-		return nil, fmt.Errorf("unable to verify TLS configuration, invalid transport %v", c.client.Transport)
-	}
 	if c.scheme == "" {
 		c.scheme = "http"
 

daemon/logger/awslogs/cloudwatchlogs.go

@@ -39,7 +39,7 @@ const (
 	tagKey                 = "tag"
 	datetimeFormatKey      = "awslogs-datetime-format"
 	multilinePatternKey    = "awslogs-multiline-pattern"
-	credentialsEndpointKey = "awslogs-credentials-endpoint"
+	credentialsEndpointKey = "awslogs-credentials-endpoint" //nolint:gosec // G101: Potential hardcoded credentials
 	forceFlushIntervalKey  = "awslogs-force-flush-interval-seconds"
 	maxBufferedEventsKey   = "awslogs-max-buffered-events"
 	logFormatKey           = "awslogs-format"
@@ -64,7 +64,7 @@ const (
 	invalidSequenceTokenCode  = "InvalidSequenceTokenException"
 	resourceNotFoundCode      = "ResourceNotFoundException"
 
-	credentialsEndpoint = "http://169.254.170.2"
+	credentialsEndpoint = "http://169.254.170.2" //nolint:gosec // G101: Potential hardcoded credentials
 
 	userAgentHeader = "User-Agent"
 

hack/validate/golangci-lint.yml

@@ -41,35 +41,56 @@ issues:
   exclude-use-default: false
 
   exclude-rules:
-    # These are copied from the default exclude rules, except for "ineffective break statement"
+    # We prefer to use an "exclude-list" so that new "default" exclusions are not
-    # and GoDoc checks.
+    # automatically inherited. We can decide whether or not to follow upstream
-    # https://github.com/golangci/golangci-lint/blob/0cc87df732aaf1d5ad9ce9ca538d38d916918b36/pkg/config/config.go#L36
+    # defaults when updating golang-ci-lint versions.
-    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*printf?|os\\.(Un)?Setenv). is not checked"
+    # Unfortunately, this means we have to copy the whole exclusion pattern, as
+    # (unlike the "include" option), the "exclude" option does not take exclusion
+    # ID's.
+    #
+    # These exclusion patterns are copied from the default excluses at:
+    # https://github.com/golangci/golangci-lint/blob/v1.44.0/pkg/config/issues.go#L10-L104
+
+    # EXC0001
+    - text: "Error return value of .((os\\.)?std(out|err)\\..*|.*Close|.*Flush|os\\.Remove(All)?|.*print(f|ln)?|os\\.(Un)?Setenv). is not checked"
       linters:
         - errcheck
+    # EXC0003
     - text: "func name will be used as test\\.Test.* by other packages, and that stutters; consider calling this"
       linters:
         - golint
-    - text: "G103: Use of unsafe calls should be audited"
+    # EXC0006
+    - text: "Use of unsafe calls should be audited"
       linters:
         - gosec
-    - text: "G104: Errors unhandled"
+    # EXC0007
+    - text: "Subprocess launch(ed with variable|ing should be audited)"
       linters:
         - gosec
-    - text: "G204: Subprocess launch(ed with (variable|function call)|ing should be audited)"
+    # EXC0008
+    # TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
+    - text: "(G104|G307)"
       linters:
         - gosec
-    - text: "(G301|G302): (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
+    # EXC0009
+    - text: "(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)"
       linters:
         - gosec
-    - text: "G304: Potential file inclusion via variable"
+    # EXC0010
+    - text: "Potential file inclusion via variable"
       linters:
         - gosec
+
+    # Looks like the match in "EXC0007" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
+    - text: "G204: Subprocess launched with a potential tainted input or cmd arguments"
+      linters:
+        - gosec
+    # Looks like the match in "EXC0009" above doesn't catch this one
+    # TODO: consider upstreaming this to golangci-lint's default exclusion rules
     - text: "G306: Expect WriteFile permissions to be 0600 or less"
       linters:
         - gosec
-    - text: 'G307: Deferring unsafe method "Close" on type "*os.File"'
-      linters: gosec
 
     # Exclude some linters from running on tests files.
     - path: _test\.go
@@ -82,10 +103,6 @@ issues:
       path: "api/types/(volume|container)/"
       linters:
         - golint
-    # FIXME: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close" (gosec)
-    - text: "G307: Deferring unsafe method"
-      linters:
-        - gosec
     # FIXME temporarily suppress these. See #39924
     - text: "SA1019: .*\\.Xattrs is deprecated: Use PAXRecords instead"
       linters:

integration-cli/docker_utils_test.go

@@ -81,9 +81,7 @@ func inspectFieldAndUnmarshall(c *testing.T, name, field string, output interfac
 	c.Helper()
 	str := inspectFieldJSON(c, name, field)
 	err := json.Unmarshal([]byte(str), output)
-	if c != nil {
+	assert.Assert(c, err == nil, "failed to unmarshal: %v", err)
-		assert.Assert(c, err == nil, "failed to unmarshal: %v", err)
-	}
 }
 
 // Deprecated: use cli.Inspect
@@ -105,9 +103,7 @@ func inspectFieldWithError(name, field string) (string, error) {
 func inspectField(c *testing.T, name, field string) string {
 	c.Helper()
 	out, err := inspectFilter(name, fmt.Sprintf(".%s", field))
-	if c != nil {
+	assert.NilError(c, err)
-		assert.NilError(c, err)
-	}
 	return out
 }
 
@@ -115,9 +111,7 @@ func inspectField(c *testing.T, name, field string) string {
 func inspectFieldJSON(c *testing.T, name, field string) string {
 	c.Helper()
 	out, err := inspectFilter(name, fmt.Sprintf("json .%s", field))
-	if c != nil {
+	assert.NilError(c, err)
-		assert.NilError(c, err)
-	}
 	return out
 }
 
@@ -125,9 +119,7 @@ func inspectFieldJSON(c *testing.T, name, field string) string {
 func inspectFieldMap(c *testing.T, name, path, field string) string {
 	c.Helper()
 	out, err := inspectFilter(name, fmt.Sprintf("index .%s %q", path, field))
-	if c != nil {
+	assert.NilError(c, err)
-		assert.NilError(c, err)
-	}
 	return out
 }
 

libnetwork/libnetwork_test.go

@@ -1014,7 +1014,11 @@ func TestEndpointMultipleJoins(t *testing.T) {
 	sbx1, err := controller.NewSandbox(containerID,
 		libnetwork.OptionHostname("test"),
 		libnetwork.OptionDomainname("docker.io"),
-		libnetwork.OptionExtraHost("web", "192.168.0.1"))
+		libnetwork.OptionExtraHost("web", "192.168.0.1"),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
 	defer func() {
 		if err := sbx1.Delete(); err != nil {
 			t.Fatal(err)
@@ -1022,6 +1026,9 @@ func TestEndpointMultipleJoins(t *testing.T) {
 	}()
 
 	sbx2, err := controller.NewSandbox("c2")
+	if err != nil {
+		t.Fatal(err)
+	}
 	defer func() {
 		if err := sbx2.Delete(); err != nil {
 			t.Fatal(err)