Merge pull request #371 from wneessen/dependabot/github_actions/codecov/codecov-action-5.0.1

Bump codecov/codecov-action from 4.6.0 to 5.0.1

.github/workflows/ci.yml

@@ -59,7 +59,7 @@ jobs:
                 go test -race -shuffle=on --coverprofile=coverage.coverprofile --covermode=atomic ./...
             - name: Upload coverage to Codecov
               if: success()
-              uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+              uses: codecov/codecov-action@3b1354a6c45db9f1008891f4eafc1a7e94ce1d18 # v5.0.1
               with:
                   token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
     lint:

.github/workflows/codeql-analysis.yml

@@ -54,7 +54,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
+      uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -65,7 +65,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
+      uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -79,4 +79,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
+      uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4

.github/workflows/scorecards.yml

@@ -75,6 +75,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           sarif_file: results.sarif

.golangci.toml

@@ -9,4 +9,66 @@ exclude-dirs = ["examples"]
 
 [linters]
 enable = ["stylecheck", "whitespace", "containedctx", "contextcheck", "decorder",
-    "errname", "errorlint", "gofmt", "gofumpt"]
+    "errname", "errorlint", "gofmt", "gofumpt", "gosec"]
+
+[issues]
+
+## An overflow is impossible here
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "random.go"
+text = "G115:"
+
+## These are tests which intentionally do not need any TLS settings
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "client_test.go"
+text = "G402:"
+
+## These are tests which intentionally do not need any TLS settings
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "smtp/smtp_test.go"
+text = "G402:"
+
+## We do not dictate a TLS minimum version in the smtp package. go-mail
+## itself does set sane defaults
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "smtp/smtp.go"
+text = "G402:"
+
+## The chance that we write +2 million tests is very low, I think we can
+## ignore this for the time being
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "client_test.go"
+text = "G109:"
+
+## The chance that we write +2 million tests is very low, I think we can
+## ignore this for the time being
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "smtp/smtp_test.go"
+text = "G109:"
+
+## We inform the user about the deprecated status of CRAM-MD5 and suggest
+## to use SCRAM-SHA instead
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "smtp/auth_cram_md5.go"
+text = "G501:"
+
+## Yes, SHA1 is weak, but in the context of SCRAM it is still considered
+## secure for specific applications. The user is information about this
+## in the documentation
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "smtp/auth_scram.go"
+text = "G505:"
+
+## Test code for SCRAM-SHA1. Can be ignored.
+[[issues.exclude-rules]]
+linters = ["gosec"]
+path = "smtp/smtp_test.go"
+text = "G505:"