Compare commits

...

6 commits

Author SHA1 Message Date
a4fa95f7ca
Merge pull request #371 from wneessen/dependabot/github_actions/codecov/codecov-action-5.0.1
Bump codecov/codecov-action from 4.6.0 to 5.0.1
2024-11-15 16:08:58 +01:00
266f0b36ec
Merge pull request #372 from wneessen/dependabot/github_actions/github/codeql-action-3.27.4
Bump github/codeql-action from 3.27.3 to 3.27.4
2024-11-15 16:08:37 +01:00
dependabot[bot]
1cddf5bc76
Bump github/codeql-action from 3.27.3 to 3.27.4
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.3 to 3.27.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](396bb3e453...ea9e4e3799)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-15 14:02:51 +00:00
dependabot[bot]
7210d679db
Bump codecov/codecov-action from 4.6.0 to 5.0.1
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.6.0 to 5.0.1.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](b9fd7d16f6...3b1354a6c4)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-15 14:02:43 +00:00
e8b41f4a81
Merge pull request #370 from wneessen/feature/golangci-lint-gosec
Enable gosec linter and add exclusion rules
2024-11-15 12:38:55 +01:00
6fbb88239f
Enable gosec linter and add exclusion rules
Added gosec to the list of enabled linters in `.golangci.toml`. Defined specific exclusion rules to ignore certain false positives and context-specific issues flagged by gosec, ensuring the linter does not impose on intentional code practices.
2024-11-15 12:35:15 +01:00
4 changed files with 68 additions and 6 deletions

View file

@ -59,7 +59,7 @@ jobs:
go test -race -shuffle=on --coverprofile=coverage.coverprofile --covermode=atomic ./... go test -race -shuffle=on --coverprofile=coverage.coverprofile --covermode=atomic ./...
- name: Upload coverage to Codecov - name: Upload coverage to Codecov
if: success() if: success()
uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 uses: codecov/codecov-action@3b1354a6c45db9f1008891f4eafc1a7e94ce1d18 # v5.0.1
with: with:
token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
lint: lint:

View file

@ -54,7 +54,7 @@ jobs:
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with: with:
languages: ${{ matrix.language }} languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file. # If you wish to specify custom queries, you can do so here or in a config file.
@ -65,7 +65,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl # 📚 https://git.io/JvXDl
@ -79,4 +79,4 @@ jobs:
# make release # make release
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4

View file

@ -75,6 +75,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard. # Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning" - name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
with: with:
sarif_file: results.sarif sarif_file: results.sarif

View file

@ -9,4 +9,66 @@ exclude-dirs = ["examples"]
[linters] [linters]
enable = ["stylecheck", "whitespace", "containedctx", "contextcheck", "decorder", enable = ["stylecheck", "whitespace", "containedctx", "contextcheck", "decorder",
"errname", "errorlint", "gofmt", "gofumpt"] "errname", "errorlint", "gofmt", "gofumpt", "gosec"]
[issues]
## An overflow is impossible here
[[issues.exclude-rules]]
linters = ["gosec"]
path = "random.go"
text = "G115:"
## These are tests which intentionally do not need any TLS settings
[[issues.exclude-rules]]
linters = ["gosec"]
path = "client_test.go"
text = "G402:"
## These are tests which intentionally do not need any TLS settings
[[issues.exclude-rules]]
linters = ["gosec"]
path = "smtp/smtp_test.go"
text = "G402:"
## We do not dictate a TLS minimum version in the smtp package. go-mail
## itself does set sane defaults
[[issues.exclude-rules]]
linters = ["gosec"]
path = "smtp/smtp.go"
text = "G402:"
## The chance that we write +2 million tests is very low, I think we can
## ignore this for the time being
[[issues.exclude-rules]]
linters = ["gosec"]
path = "client_test.go"
text = "G109:"
## The chance that we write +2 million tests is very low, I think we can
## ignore this for the time being
[[issues.exclude-rules]]
linters = ["gosec"]
path = "smtp/smtp_test.go"
text = "G109:"
## We inform the user about the deprecated status of CRAM-MD5 and suggest
## to use SCRAM-SHA instead
[[issues.exclude-rules]]
linters = ["gosec"]
path = "smtp/auth_cram_md5.go"
text = "G501:"
## Yes, SHA1 is weak, but in the context of SCRAM it is still considered
## secure for specific applications. The user is information about this
## in the documentation
[[issues.exclude-rules]]
linters = ["gosec"]
path = "smtp/auth_scram.go"
text = "G505:"
## Test code for SCRAM-SHA1. Can be ignored.
[[issues.exclude-rules]]
linters = ["gosec"]
path = "smtp/smtp_test.go"
text = "G505:"