chore(lint): clean up linter and lint options

Signed-off-by: Tristan Colgate-McFarlane <[email protected]>
cerbos · Dec 16, 2024 · 7db1bbd · 7db1bbd
1 parent dcafa33
commit 7db1bbd
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 98 deletions.
diff --git a/.golangci.yaml b/.golangci.yaml
@@ -1,8 +1,6 @@
 ---
 run:
   timeout: 300s
-  skip-dirs:
-    - "^tools/"
   build-tags:
     - tests
 
@@ -53,7 +51,6 @@ linters:
     - gocritic
     - goimports
     - goheader
-    - gomnd
     - gomoddirectives
     - gosec
     - govet
@@ -64,7 +61,6 @@ linters:
     - nilerr
     - noctx
     - nolintlint
-    - prealloc
     - predeclared
     - promlinter
     - revive
@@ -73,14 +69,16 @@ linters:
     - tenv
     - thelper
     - tparallel
-    - unconvert
     - unparam
     - wastedassign
     - whitespace
 
 issues:
   max-same-issues: 30
 
+  exclude-dirs:
+    - "^tools/"
+
   exclude-rules:
     - path: _test\.go
       linters:

diff --git a/cmd/reimage/main.go b/cmd/reimage/main.go
@@ -35,47 +35,43 @@ import (
 type inputFn func(io.Writer, io.Reader, reimage.Updater) error
 
 type app struct {
-	Version               bool
-	MappingsOnly          bool
-	Input                 string
+	imagFinder            reimage.ImagesFinder
+	remoteTemplate        *template.Template
+	log                   *slog.Logger
+	vulnCheckIgnoreImages *regexp.Regexp
 	inputFn               inputFn
-	Ignore                string
+	static                *reimage.StaticRemapper
 	ignore                *regexp.Regexp
-	RenameIgnore          string
 	renameIgnore          *regexp.Regexp
+	WriteMappingsImg      string
+	VulnCheckIgnoreImages string
 	RenameRemotePath      string
-	RenameTemplateString  string
-	remoteTemplate        *template.Template
-	RenameForceToDigest   bool
-	Clobber               bool
-	NoCopy                bool
+	GCPKMSKey             string
+	BinAuthzAttestor      string
+	VulnCheckMethod       string
 	RulesConfigFile       string
-	imagFinder            reimage.ImagesFinder
-	DryRun                bool
+	RenameIgnore          string
+	Input                 string
 	WriteMappings         string
-	WriteMappingsImg      string
+	RenameTemplateString  string
 	StaticMappings        string
 	StaticMappingsImg     string
-	static                *reimage.StaticRemapper
-	VerifyStaticMappings  bool
-	GrafeasParent         string
+	Ignore                string
 	TrivyCommand          string
+	GrafeasParent         string
 	trivyCommand          []string
-	VulnCheckTimeout      time.Duration
-	VulnCheckMaxRetries   int
 	VulnCheckIgnoreList   []string
 	VulnCheckMaxCVSS      float64
-	VulnCheckIgnoreImages string
-	vulnCheckIgnoreImages *regexp.Regexp
-	VulnCheckMethod       string
-
-	BinAuthzAttestor string
-
-	GCPKMSKey string
-
-	Debug bool
-
-	log *slog.Logger
+	VulnCheckTimeout      time.Duration
+	VulnCheckMaxRetries   int
+	Version               bool
+	VerifyStaticMappings  bool
+	DryRun                bool
+	NoCopy                bool
+	Clobber               bool
+	RenameForceToDigest   bool
+	Debug                 bool
+	MappingsOnly          bool
 }
 
 func setup() (*app, error) {
@@ -176,10 +172,8 @@ func setup() (*app, error) {
 		if err != nil {
 			return &a, fmt.Errorf("failed parsing remote template, %w", err)
 		}
-	} else {
-		if a.StaticMappings == "" && a.StaticMappingsImg == "" {
-			log.Info("copying disabled, (remote path and remote template must be set)")
-		}
+	} else if a.StaticMappings == "" && a.StaticMappingsImg == "" {
+		log.Info("copying disabled, (remote path and remote template must be set)")
 	}
 
 	err = a.setupRulesConfigs()
@@ -253,6 +247,7 @@ func readStaticMappingsImage(src string) ([]byte, error) {
 		return nil, fmt.Errorf("could not read image layer tar file, %w", err)
 	}
 	lbs := bytes.NewBuffer([]byte{})
+	//nolint:gosec
 	_, err = io.Copy(lbs, tarrdr)
 	if err != nil {
 		return nil, fmt.Errorf("failed reading image layer tar content, %w", err)
@@ -278,13 +273,13 @@ func (a *app) readStaticMappings(confirmDigests bool) (*reimage.StaticRemapper,
 	}
 
 	if err != nil {
-		return nil, fmt.Errorf("failed reading json mappings, %v", err)
+		return nil, fmt.Errorf("failed reading json mappings, %w", err)
 	}
 
 	rimgs := map[string]reimage.QualifiedImage{}
 	err = json.Unmarshal(bs, &rimgs)
 	if err != nil {
-		return nil, fmt.Errorf("could not parse as JSON map, %v", err)
+		return nil, fmt.Errorf("could not parse as JSON map, %w", err)
 	}
 	return reimage.NewStaticRemapper(rimgs, confirmDigests)
 }
@@ -303,7 +298,7 @@ func (a *app) writeMappings(mappings map[string]reimage.QualifiedImage) (err err
 	a.log.Info("writing mappings file", "file", a.WriteMappings)
 	if a.WriteMappings != "" {
 		a.log.Info("writing mappings file", "file", a.WriteMappings)
-		err = os.WriteFile(a.WriteMappings, bs, 0644)
+		err = os.WriteFile(a.WriteMappings, bs, 0600)
 		if err != nil {
 			return fmt.Errorf("could not write file, %w", err)
 		}
@@ -478,8 +473,7 @@ func (a *app) checkVulns(ctx context.Context, imgs map[string]reimage.QualifiedI
 	wg.Wait()
 
 	for _, err := range errs {
-		switch {
-		case errors.Is(err, context.Canceled):
+		if errors.Is(err, context.Canceled) {
 			// if there are any context cancelled errors, we'll just return one
 			// directly
 			return err
@@ -581,8 +575,7 @@ func (a *app) attestImages(ctx context.Context, imgs map[string]reimage.Qualifie
 	wg.Wait()
 
 	for _, err := range errs {
-		switch {
-		case errors.Is(err, context.Canceled):
+		if errors.Is(err, context.Canceled) {
 			// if there are any context cancelled errors, we'll just return one
 			// directly
 			return err

diff --git a/grafeas.go b/grafeas.go
@@ -31,12 +31,11 @@ type GrafeasClient interface {
 // GrafeasVulnGetter checks that images have been scanned, and checks that
 // they do not contain unexpected vulnerabilities
 type GrafeasVulnGetter struct {
-	Grafeas    GrafeasClient
-	Parent     string
-	RetryMax   int           // Max attempts to retrieve vulnerability discovery results
-	RetryDelay time.Duration // Max time to wait for vulnerability discovery results
-
+	Grafeas GrafeasClient
 	Logger
+	Parent     string
+	RetryMax   int
+	RetryDelay time.Duration
 }
 
 func (vc *GrafeasVulnGetter) getDiscovery(ctx context.Context, dig name.Digest) (*grafeaspb.DiscoveryOccurrence, error) {
@@ -54,17 +53,14 @@ func (vc *GrafeasVulnGetter) getDiscovery(ctx context.Context, dig name.Digest)
 		if err != nil {
 			return nil, err
 		}
-		switch occ.GetKind() {
-		case kind:
+		if occ.GetKind() == kind {
 			return occ.GetDiscovery(), nil
 		}
 	}
 
 	return nil, ErrDiscoveryNotFound
 }
 
-var errVulnerabilitiesNotFound = errors.New("vulnerability assessment not found in response")
-
 func (vc *GrafeasVulnGetter) getVulnerabilities(ctx context.Context, dig name.Digest) ([]*grafeaspb.VulnerabilityOccurrence, error) {
 	req := &grafeaspb.ListOccurrencesRequest{
 		Parent: vc.Parent,
@@ -80,8 +76,7 @@ func (vc *GrafeasVulnGetter) getVulnerabilities(ctx context.Context, dig name.Di
 		if err != nil {
 			return nil, err
 		}
-		switch occ.GetKind() {
-		case grafeaspb.NoteKind_VULNERABILITY:
+		if occ.GetKind() == grafeaspb.NoteKind_VULNERABILITY {
 			res = append(res, occ.GetVulnerability())
 		}
 	}
@@ -122,7 +117,7 @@ func (vc *GrafeasVulnGetter) check(ctx context.Context, dig name.Digest) ([]Imag
 	return res, nil
 }
 
-// Check waits for a completed vulnerability discovery, and then check that an image
+// GetVulnerabilities waits for a completed vulnerability discovery, and then check that an image
 // has no CVEs that violate the configured policy
 func (vc *GrafeasVulnGetter) GetVulnerabilities(ctx context.Context, dig name.Digest) ([]ImageVulnerability, error) {
 	var err error
@@ -196,15 +191,13 @@ type Keyer interface {
 // GrafeasAttester implements attestation creation and checking using Grafaes
 type GrafeasAttester struct {
 	Grafeas GrafeasClient
-	Parent  string
-
 	Keys    Keyer
-	NoteRef string
-
 	Logger
+	Parent  string
+	NoteRef string
 }
 
-// Get retrieves all the Attestation occurences for the given image that use the provided
+// Get retrieves all the Attestation occurrences for the given image that use the provided
 // noteRef (or all if noteRef is "")
 func (t *GrafeasAttester) Get(ctx context.Context, dig name.Digest, noteRef string) ([]*grafeaspb.AttestationOccurrence, error) {
 	kind := grafeaspb.NoteKind_ATTESTATION
@@ -223,8 +216,7 @@ func (t *GrafeasAttester) Get(ctx context.Context, dig name.Digest, noteRef stri
 		if err != nil {
 			return nil, err
 		}
-		switch occ.GetKind() {
-		case kind:
+		if occ.GetKind() == kind {
 			if noteRef != "" && occ.NoteName != noteRef {
 				continue
 			}

diff --git a/kms.go b/kms.go
@@ -33,12 +33,11 @@ type KMSClient interface {
 // KMS uses Google Cloud KMS to sign and verify data. Only EC_SIGN_P256_SHA256  are supported
 // at this time
 type KMS struct {
-	Client KMSClient
-	Key    string
-
-	keyOnce sync.Once
+	Client  KMSClient
 	keyErr  error
 	key     *ecdsa.PublicKey
+	Key     string
+	keyOnce sync.Once
 }
 
 // Sign bs, returns the signature and key ID of the signing key
@@ -48,7 +47,6 @@ func (ks *KMS) Sign(ctx context.Context, bs []byte) ([]byte, string, error) {
 	crc32c := func(data []byte) uint32 {
 		t := crc32.MakeTable(crc32.Castagnoli)
 		return crc32.Checksum(data, t)
-
 	}
 	digestCRC32C := crc32c(digest[:])