Do not use golangci action for better reproducibility (use make lint-go) (#6175)

* Do not use golangci action for better reproducibility

* Add fix to trigger build

* Fix all reported issues

* fix more lint errors

* Add missing import

* Remove unused method

* Remove change not necessary

.github/workflows/golangci-lint.yml

@@ -18,19 +18,19 @@ jobs:
   golangci:
     permissions:
       contents: read  # for actions/checkout to fetch code
-      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
+      pull-requests: read  # for actions/checkout to fetch pull requests
     name: lint
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+
       - uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923
         with:
           go-version: '1.17'
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          # Required: the version of golangci-lint is required and must be
-          # specified without patch version: we always use the latest patch
-          # version.
-          version: v1.42
-          args: --timeout 10m
+
+      - name: Run go lint
+        run: |
+          # The following packages are needed to build Fleet Desktop on Ubuntu.
+          sudo apt install -y gcc libgtk-3-dev libayatana-appindicator3-dev
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.46.2
+          make lint-go

.github/workflows/test-packaging.yml

@@ -30,6 +30,7 @@ jobs:
 
     steps:
     - name: Install Docker
+      timeout-minutes: 60
       if: matrix.os == 'macos-latest'
       # From https://github.com/docker/for-mac/issues/2359#issuecomment-943131345
       run: |

.golangci.yml

@@ -32,7 +32,7 @@ linters-settings:
       - ruleguard
     settings:
       ruleguard:
-        rules: "tools/ci/rules.go"
+        rules: "./tools/ci/rules.go"
 
   gofmt:
     # simplify code: gofmt with `-s` option, true by default

Makefile

@@ -122,7 +122,7 @@ lint-js:
 	yarn lint
 
 lint-go:
-	golangci-lint run --skip-dirs ./node_modules
+	golangci-lint run --skip-dirs ./node_modules --timeout 10m
 
 lint: lint-go lint-js
 

cmd/osquery-perf/agent.go

@@ -755,7 +755,6 @@ func main() {
 		tmpl, err := template.ParseFS(templatesFS, t)
 		if err != nil {
 			log.Fatal("parse templates: ", err)
-			continue
 		}
 		tmpls = append(tmpls, tmpl)
 	}

go.mod

@@ -244,6 +244,7 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.21 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rogpeppe/go-internal v1.8.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect

go.sum

@@ -1470,6 +1470,8 @@ github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1
 github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/quasilyte/go-ruleguard/dsl v0.3.21 h1:vNkC6fC6qMLzCOGbnIHOd5ixUGgTbp3Z4fGnUgULlDA=
+github.com/quasilyte/go-ruleguard/dsl v0.3.21/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ=
 github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=

orbit/pkg/execuser/execuser_linux.go

@@ -1,6 +1,7 @@
 package execuser
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"os/exec"
@@ -69,7 +70,7 @@ func getLoginUID() (*user, error) {
 	usernames := parseUsersOutput(string(out))
 	username := usernames[0]
 	if username == "" {
-		return nil, fmt.Errorf("no user session found")
+		return nil, errors.New("no user session found")
 	}
 	out, err = exec.Command("id", "-u", username).CombinedOutput()
 	if err != nil {

orbit/pkg/update/runner_test.go

@@ -34,6 +34,7 @@ func TestNewRunner(t *testing.T) {
 	r, err := NewRunner(u, runnerOpts)
 	require.NoError(t, err)
 	execPath, err := u.ExecutableLocalPath("osqueryd")
+	require.NoError(t, err)
 	require.NoFileExists(t, execPath)
 
 	// r.UpdateAction should download osqueryd.

server/datastore/mysql/software_test.go

@@ -1254,6 +1254,7 @@ func testHostsBySoftwareIDs(t *testing.T, ds *Datastore) {
 	insertVulnSoftwareForTest(t, ds)
 
 	allSoftware, err := ds.ListSoftware(ctx, fleet.SoftwareListOptions{})
+	require.NoError(t, err)
 
 	var chrome3 fleet.Software
 	var barRpm fleet.Software
@@ -1530,6 +1531,7 @@ func testInsertVulnerabilities(t *testing.T, ds *Datastore) {
 		require.Equal(t, 0, int(n))
 
 		storedVulns, err := ds.ListSoftwareVulnerabilities(ctx, []uint{host.ID})
+		require.NoError(t, err)
 
 		occurrence := make(map[string]int)
 		for _, v := range storedVulns[host.ID] {

server/service/base_client.go

@@ -96,7 +96,8 @@ func newBaseClient(addr string, insecureSkipVerify bool, rootCA, urlPrefix strin
 	}
 
 	httpClient := fleethttp.NewClient(fleethttp.WithTLSClientConfig(&tls.Config{
-		InsecureSkipVerify: insecureSkipVerify,
+		// Ignoring "G402: TLS InsecureSkipVerify set true", needed for development/testing.
+		InsecureSkipVerify: insecureSkipVerify, //nolint:gosec
 		RootCAs:            rootCAPool,
 	}))
 

server/service/hosts_test.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"testing"
 	"time"
@@ -469,7 +470,7 @@ func TestEmptyTeamOSVersions(t *testing.T) {
 			return &fleet.OSVersions{CountsUpdatedAt: time.Now(), OSVersions: testVersions}, nil
 		}
 		if *teamID == 4 {
-			return nil, fmt.Errorf("some unknown error")
+			return nil, errors.New("some unknown error")
 		}
 
 		return nil, notFoundError{}

server/service/labels_test.go

@@ -167,13 +167,8 @@ func testLabelsListLabels(t *testing.T, ds *mysql.Datastore) {
 	labels, err := svc.ListLabels(test.UserContext(test.UserAdmin), fleet.ListOptions{Page: 0, PerPage: 1000})
 	require.NoError(t, err)
 	require.Len(t, labels, 7)
-}
 
-func testLabelsSummary(t *testing.T, ds *mysql.Datastore) {
-	svc := newTestService(t, ds, nil, nil)
-	require.NoError(t, ds.MigrateData(context.Background()))
-
-	labels, err := svc.LabelsSummary(test.UserContext(test.UserAdmin))
+	labelsSummary, err := svc.LabelsSummary(test.UserContext(test.UserAdmin))
 	require.NoError(t, err)
-	require.Len(t, labels, 7)
+	require.Len(t, labelsSummary, 7)
 }

server/vulnerabilities/oval/analyzer_test.go

@@ -43,7 +43,8 @@ func withTestFixture(
 		defer dstF.Close()
 
 		r := bzip2.NewReader(srcF)
-		_, err = io.Copy(dstF, r)
+		// ignoring "G110: Potential DoS vulnerability via decompression bomb", as this is test code.
+		_, err = io.Copy(dstF, r) //nolint:gosec
 		require.NoError(t, err)
 	}
 

server/vulnerabilities/oval/mappers.go

@@ -1,6 +1,7 @@
 package oval
 
 import (
+	"errors"
 	"fmt"
 	"strconv"
 	"strings"
@@ -78,7 +79,7 @@ func mapPackageState(sta oval_input.DpkgStateXML) ([]oval_parsed.ObjectStateEvrS
 		sta.Arch != nil ||
 		sta.Epoch != nil ||
 		sta.Version != nil {
-		return nil, fmt.Errorf("only evr state definitions are supported")
+		return nil, errors.New("only evr state definitions are supported")
 	}
 
 	if sta.Evr != nil {

server/vulnerabilities/sync.go

@@ -14,14 +14,14 @@ import (
 	"strings"
 	"time"
 
-	"github.com/go-kit/kit/log/level"
-	"github.com/go-kit/kit/log"
 	"github.com/facebookincubator/nvdtools/cvefeed"
 	feednvd "github.com/facebookincubator/nvdtools/cvefeed/nvd"
 	"github.com/fleetdm/fleet/v4/pkg/download"
 	"github.com/fleetdm/fleet/v4/pkg/fleethttp"
 	"github.com/fleetdm/fleet/v4/server/fleet"
 	"github.com/fleetdm/fleet/v4/server/ptr"
+	"github.com/go-kit/kit/log"
+	"github.com/go-kit/kit/log/level"
 )
 
 // Sync downloads all the vulnerability data sources.
@@ -47,8 +47,10 @@ func Sync(vulnPath string, cpeDatabaseURL string) error {
 	return nil
 }
 
-const epssFeedsURL = "https://epss.cyentia.com"
-const epssFilename = "epss_scores-current.csv.gz"
+const (
+	epssFeedsURL = "https://epss.cyentia.com"
+	epssFilename = "epss_scores-current.csv.gz"
+)
 
 // DownloadEPSSFeed downloads the EPSS scores feed.
 func DownloadEPSSFeed(vulnPath string, client *http.Client) error {
@@ -119,8 +121,10 @@ func parseEPSSScoresFile(path string) ([]epssScore, error) {
 	return epssScores, nil
 }
 
-const cisaKnownExploitsURL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
-const cisaKnownExploitsFilename = "known_exploited_vulnerabilities.json"
+const (
+	cisaKnownExploitsURL      = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
+	cisaKnownExploitsFilename = "known_exploited_vulnerabilities.json"
+)
 
 // knownExploitedVulnerabilitiesCatalog represents the CISA Catalog of Known Exploited Vulnerabilities.
 type knownExploitedVulnerabilitiesCatalog struct {
@@ -189,7 +193,7 @@ func LoadCVEMeta(logger log.Logger, vulnPath string, ds fleet.Datastore) error {
 			schema := vuln.Schema()
 
 			meta := fleet.CVEMeta{
-				CVE:       cve,
+				CVE: cve,
 			}
 
 			if schema.Impact.BaseMetricV3 != nil {
@@ -197,7 +201,7 @@ func LoadCVEMeta(logger log.Logger, vulnPath string, ds fleet.Datastore) error {
 			}
 
 			if published, err := time.Parse(publishedDateFmt, schema.PublishedDate); err != nil {
-				level.Error(logger). Log("msg", "failed to parse published data", "cve", cve, "published_date", schema.PublishedDate, "err", err)
+				level.Error(logger).Log("msg", "failed to parse published data", "cve", cve, "published_date", schema.PublishedDate, "err", err)
 			} else {
 				meta.Published = &published
 			}