Update golangci-lint to v1.58.0

.github/workflows/ci.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
-    container: golangci/golangci-lint:v1.57.2
+    container: golangci/golangci-lint:v1.58.0
     steps:
     - uses: actions/cache@v2
       with:

.golangci.yml

@@ -82,7 +82,7 @@ linters:
     # Triggers on TODOs in the code, which is fine to put.
     - godox
     # Disabled until we implement some error types and migrate to use them.
-    - goerr113
+    - err113
     # We don't really care about sprintf performance.
     - perfsprint
     # To allow defensive approach when initializing structs.
@@ -100,6 +100,7 @@ linters:
     - asciicheck
     - bidichk
     - bodyclose
+    - canonicalheader
     - containedctx
     - contextcheck
     - cyclop
@@ -112,9 +113,9 @@ linters:
     - errchkjson
     - errname
     - errorlint
-    - execinquery
     - exhaustive
     - exportloopref
+    - fatcontext
     - forbidigo
     - forcetypeassert
     - funlen
@@ -132,21 +133,25 @@ linters:
     - gofumpt
     - goheader
     - goimports
-    - gomnd
     - gomoddirectives
     - gomodguard
     - goprintffuncname
+    - gosec
+    - gosimple
     - gosmopolitan
+    - govet
     - grouper
     - importas
     - inamedparam
     - ineffassign
     - interfacebloat
     - lll
+    - loggercheck
     - maintidx
     - makezero
     - mirror
     - misspell
+    - mnd
     - musttag
     - nakedret
     - nestif
@@ -168,6 +173,7 @@ linters:
     - sloglint
     - spancheck
     - sqlclosecheck
+    - staticcheck
     - stylecheck
     - tagalign
     - tagliatelle
@@ -178,6 +184,7 @@ linters:
     - tparallel
     - unconvert
     - unparam
+    - unused
     - usestdlibvars
     - varnamelen
     - wastedassign

Makefile

@@ -11,7 +11,7 @@ GORUN=$(GOCMD) run
 GOBUILD=$(GOCMD) build -v -ldflags $(LD_FLAGS) -trimpath
 
 CC_TEST_REPORTER_ID=6e107e510c5479f40b0ce9166a254f3f1ee0bc547b3e48281bada1a5a32bb56d
-GOLANGCI_LINT_VERSION=v1.57.2
+GOLANGCI_LINT_VERSION=v1.58.0
 BIN_PATH=$$HOME/bin
 
 GO_PACKAGES=./...

internal/utiltest/x509.go

@@ -102,10 +102,12 @@ func GeneratePKI(t *testing.T) *PKI {
 
 // generateX509Certificate generates X.509 certificate in DER format using given RSA private key.
 func generateX509Certificate(priv *rsa.PrivateKey) ([]byte, error) {
+	var serialNumberLimitBase uint = 128
+
 	// Generate serial number for X.509 certificate.
 	//
 	//nolint:gomnd // As in https://golang.org/src/crypto/tls/generate_cert.go.
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), serialNumberLimitBase)
 
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {

pkg/apiloadbalancer/api-loadbalancers_integration_test.go

@@ -20,6 +20,7 @@ func TestDeploy(t *testing.T) {
 		sshPrivateKeyPath = "/home/core/.ssh/id_rsa"
 	}
 
+	//#nosec G304 // Expected path customization.
 	key, err := os.ReadFile(sshPrivateKeyPath)
 	if err != nil {
 		t.Fatalf("Reading SSH private key shouldn't fail, got: %v", err)

pkg/etcd/member.go

@@ -233,8 +233,10 @@ func (m *member) ToHostConfiguredContainer() (*container.HostConfiguredContainer
 		},
 	}
 
+	//#nosec G101 // False positive.
 	initialClusterTokenArgument := "--initial-cluster-state=existing"
 	if m.config.NewCluster {
+		//#nosec G101 // False positive.
 		initialClusterTokenArgument = "--initial-cluster-token=etcd-cluster-2"
 	}
 

pkg/host/transport/ssh/ssh_integration_test.go

@@ -26,9 +26,11 @@ func TestPasswordAuth(t *testing.T) {
 	passwordFilePath := os.Getenv("TEST_INTEGRATION_SSH_PASSWORD_FILE")
 
 	if passwordFilePath == "" {
+		//#nosec 101 // Expected default path.
 		passwordFilePath = "/home/core/.ssh/password"
 	}
 
+	//#nosec G304 // Expected test path customization.
 	pass, err := os.ReadFile(passwordFilePath)
 	if err != nil {
 		t.Fatalf("Reading password file %q: %v", passwordFilePath, err)
@@ -100,6 +102,7 @@ func withPrivateKey(t *testing.T) transport.Interface {
 		sshPrivateKeyPath = "/home/core/.ssh/id_rsa"
 	}
 
+	//#nosec G304 // Expected test path customization.
 	key, err := os.ReadFile(sshPrivateKeyPath)
 	if err != nil {
 		t.Fatalf("Reading SSH private key from %q shouldn't fail, got: %v", sshPrivateKeyPath, err)
@@ -197,6 +200,8 @@ func prepareTestSocket(t *testing.T, socket string) net.Listener {
 	} {
 		// We may SSH into host as unprivileged user, so make sure we are allowed to access the
 		// socket file.
+		//
+		//nolint:gosec // Nosec rule does not work, this is expected test permissions.
 		if err := os.Chmod(path, 0o777); err != nil {
 			fmt.Printf("Socket chmod should succeed, got: %v\n", err)
 			t.Fail()

pkg/host/transport/ssh/ssh_test.go

@@ -2,13 +2,13 @@ package ssh
 
 import (
 	"bytes"
-	cryptorand "crypto/rand"
+	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"io"
-	"math/rand"
+	"math/big"
 	"net"
 	"os"
 	"reflect"
@@ -167,7 +167,7 @@ func newTestConfig(t *testing.T) *Config {
 func generateRSAPrivateKey(t *testing.T) string {
 	t.Helper()
 
-	privateKey, err := rsa.GenerateKey(cryptorand.Reader, 2048)
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		t.Fatalf("Generating key failed: %v", err)
 	}
@@ -187,10 +187,13 @@ const maxTestMessageLength = 1024
 func testMessage(t *testing.T) ([]byte, int) {
 	t.Helper()
 
-	rand := rand.New(rand.NewSource(time.Now().UTC().UnixNano()))
+	randLength, err := rand.Int(rand.Reader, big.NewInt(maxTestMessageLength))
+	if err != nil {
+		t.Fatalf("Generating random length: %v", err)
+	}
 
 	// We must have at least 1 byte message.
-	length := rand.Intn(maxTestMessageLength) + 1
+	length := randLength.Int64() + 1
 
 	message := make([]byte, length)
 	if _, err := rand.Read(message); err != nil {

pkg/pki/pki.go

@@ -5,7 +5,7 @@ import (
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -420,10 +420,12 @@ func (c *Certificate) decodeKeyUsage() (x509.KeyUsage, []x509.ExtKeyUsage) {
 }
 
 func (c *Certificate) generateX509Certificate(certPK *rsa.PrivateKey, caCert *Certificate) error {
+	var serialNumberLimitBase uint = 128
+
 	// Generate serial number for X.509 certificate.
 	//
 	//nolint:gomnd // As in https://golang.org/src/crypto/tls/generate_cert.go.
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), serialNumberLimitBase)
 
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
@@ -485,7 +487,7 @@ func (c *Certificate) createAndPersist(cert, caCert *x509.Certificate, certPK, c
 
 // Taken from https://play.golang.org/p/tispiUVmdm.
 func bigIntHash(n *big.Int) ([]byte, error) {
-	hash := sha1.New() // #nosec G401
+	hash := sha256.New() // #nosec G401
 
 	if _, err := hash.Write(n.Bytes()); err != nil {
 		return nil, fmt.Errorf("writing bytes to SHA1 function: %w", err)

pkg/types/privatekey_test.go

@@ -84,6 +84,7 @@ func TestParsePrivateKeyEC(t *testing.T) {
 func TestParsePrivateKeyBad(t *testing.T) {
 	t.Parallel()
 
+	//#nosec G101 // Just bad test data.
 	privateKey := `---
 bar: |
   -----BEGIN RSA PRIVATE KEY-----