
api: add golangci-lint with gosec and fix the related warnings

evalphobia requested to merge evalphobia/commento:feature/golangci-lint into master

This MR adds golangci-lint to follow best practice. Besides the default linters, gosec is enabled.

The original warnings are below:

$ golangci-lint run ./api/ --disable-all -E deadcode -E gosimple -E gosec -E govet -E ineffassign -E staticcheck -E structcheck -E typecheck -E unused -E varcheck

comment_get.go:36: G202: SQL string concatenation (gosec)
	statement := `
		SELECT ` + commentsRowColumns + `
commenter_get.go:32: G202: SQL string concatenation (gosec)
	statement := `
		SELECT ` + commentersRowColumns + `
commenter_get.go:53: G202: SQL string concatenation (gosec)
	statement := `
		SELECT ` + commentersRowColumns + `
commenter_photo.go:35: G107: Potential HTTP request made with variable url (gosec)
	resp, err := http.Get(url)
domain_import_disqus.go:65: G107: Potential HTTP request made with variable url (gosec)
	resp, err := http.Get(url)
smtp_email_notification.go:50: G203: this method will not auto-escape HTML. Verify data is well formed. (gosec)
		Html:                 ht.HTML(html),
testing.go:93: G201: SQL string formatting (gosec)
		_, err = db.Exec(fmt.Sprintf("DELETE FROM %s;", table))
utils_html.go:28: G107: Potential HTTP request made with variable url (gosec)
	resp, err := http.Get(url)
oauth_github_callback.go:12:8: ineffectual assignment to `err` (ineffassign)
	resp, err := http.Get("https://api.github.com/user/emails?access_token=" + accessToken)
	      ^
smtp_email_notification.go:25:5: ineffectual assignment to `err` (ineffassign)
	h, err := tt.New("header").Parse(`MIME-Version: 1.0
	   ^
errors.go:22:5: `errorAlreadyUpvoted` is unused (varcheck)
var errorAlreadyUpvoted = errors.New("You have already upvoted that comment.")
    ^
errors.go:38:5: `errorGzip` is unused (varcheck)
var errorGzip = errors.New("Cannot GZip content.")
    ^
errors.go:25:5: `errorInvalidState` is unused (varcheck)
var errorInvalidState = errors.New("Invalid state value.")
    ^
errors.go:30:5: `errorInvalidEmail` is unused (varcheck)
var errorInvalidEmail = errors.New("You do not have an email registered with that account.")
    ^
errors.go:31:5: `errorForbiddenEdit` is unused (varcheck)
var errorForbiddenEdit = errors.New("You cannot edit someone else's comment.")
    ^
errors.go:13:5: `errorEmailExists` is unused (varcheck)
var errorEmailExists = errors.New("That email address is already registered. Sign in instead?")
    ^
commenter_session.go:10:6: `commenterSession` is unused (deadcode)
type commenterSession struct {
     ^
domain_import_disqus.go:36:6: `disqusPostId` is unused (deadcode)
type disqusPostId struct {
     ^
email_notification.go:5:6: `emailNotification` is unused (deadcode)
type emailNotification struct {
     ^
owner_get.go:68:6: `ownerGetByOwnerHex` is unused (deadcode)
func ownerGetByOwnerHex(ownerHex string) (owner, error) {
     ^
router_static.go:17:6: `staticPlugs` is unused (deadcode)
type staticPlugs struct {
     ^
smtp_domain_export_error.go:9:6: `domainExportErrorPlugs` is unused (deadcode)
type domainExportErrorPlugs struct {
     ^
router_static.go:118:9: S1005: should omit value from range; this loop is equivalent to `for p := range ...` (gosimple)
	for p, _ := range asset {
	       ^
forgot.go:58:2: S1021: should merge variable declaration with assignment on next line (gosimple)
	var statement string
	^
version.go:62:7: S1002: should omit comparison to bool constant, can be simplified to `!r.Success` (gosimple)
			if r.Success == false {
			   ^
oauth_github_callback.go:13:2: SA5001: should check returned error before deferring resp.Body.Close() (staticcheck)
	defer resp.Body.Close()
	^
oauth_google_callback.go:28:2: SA5001: should check returned error before deferring resp.Body.Close() (staticcheck)
	defer resp.Body.Close()
	^
version.go:41:4: SA5003: defers in this infinite loop will never run (staticcheck)
			defer resp.Body.Close()
			^
oauth_google_callback.go:27:8: SA4006: this value of `err` is never used (staticcheck)
	resp, err := http.Get("https://www.googleapis.com/oauth2/v2/userinfo?access_token=" + token.AccessToken)
	      ^
oauth_github_callback.go:47:38: SA1019: oauth2.NoContext is deprecated: Use context.Background() or context.TODO() instead.  (staticcheck)
	token, err := githubConfig.Exchange(oauth2.NoContext, code)
	                                    ^
oauth_gitlab_callback.go:21:38: SA1019: oauth2.NoContext is deprecated: Use context.Background() or context.TODO() instead.  (staticcheck)
	token, err := gitlabConfig.Exchange(oauth2.NoContext, code)
	                                    ^
oauth_google_callback.go:21:38: SA1019: oauth2.NoContext is deprecated: Use context.Background() or context.TODO() instead.  (staticcheck)
	token, err := googleConfig.Exchange(oauth2.NoContext, code)
