From b3d1e4cf133b2d57916f0428a25407491df19372 Mon Sep 17 00:00:00 2001 From: Achilleas Koutsou Date: Wed, 30 Jul 2025 16:27:59 +0200 Subject: [PATCH] Makefile: bump GOLANGCI_LINT_VERSION to v1.61 v1.60 seems to have some issues [1] with something in our dependency chain. Update to v1.61 and fix all new issues. New issues are all instances of potential integer overflow from int -> uint conversions. Added guards where appropriate and disabled the check when when it's not needed. [1] https://github.com/osbuild/osbuild-composer/actions/runs/16624417387/job/47037518471 --- Makefile | 2 +- cmd/osbuild-koji-tests/main_test.go | 5 +++-- cmd/osbuild-worker/jobimpl-koji-finalize.go | 14 +++++++++----- cmd/osbuild-worker/jobimpl-koji-init.go | 5 ++++- internal/cloudapi/v2/handler.go | 5 ++++- internal/cloudapi/v2/server.go | 2 +- internal/cloudapi/v2/v2_koji_test.go | 2 +- 7 files changed, 23 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index dfe120229..cecf8e496 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,7 @@ SHELL := /bin/bash # v1.56 to get golang 1.22 (1.22.0) # v1.55 to get golang 1.21 (1.21.3) # v1.53 to get golang 1.20 (1.20.5) -GOLANGCI_LINT_VERSION=v1.60 +GOLANGCI_LINT_VERSION=v1.61 GOLANGCI_LINT_CACHE_DIR=$(HOME)/.cache/golangci-lint/$(GOLANGCI_LINT_VERSION) GOLANGCI_COMPOSER_IMAGE=composer_golangci # diff --git a/cmd/osbuild-koji-tests/main_test.go b/cmd/osbuild-koji-tests/main_test.go index a88a86c57..eb27e2d1a 100644 --- a/cmd/osbuild-koji-tests/main_test.go +++ b/cmd/osbuild-koji-tests/main_test.go @@ -168,11 +168,12 @@ func TestKojiImport(t *testing.T) { RPMs: []koji.RPM{}, }, } + output := []koji.BuildOutput{ { BuildRootID: 1, Filename: filename, - FileSize: uint64(filesize), + FileSize: uint64(filesize), // nolint: gosec Arch: "noarch", ChecksumType: koji.ChecksumTypeMD5, Checksum: hash, 
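Review bot: The `// nolint: gosec` added on the `FileSize: uint64(filesize)` line in TestKojiImport mutes every gosec rule on that line, not only the integer-conversion finding this commit is about, and it records no reason. The same bare suppression appears on `build.BuildID` in the next hunk of this file, on the guarded conversions in jobimpl-koji-init.go and handler.go, and on `StartTime` in server.go and v2_koji_test.go. I would put the justification on each one, for example `//nolint:gosec // filesize is the size of a local test file, never negative` (the type and origin of `filesize` are outside the hunk, so confirm before wording it), so that a later reader can tell a reviewed conversion from a silenced warning. The form golangci-lint documents is `//nolint:gosec` with no spaces, which is also what the nolintlint linter asks for if it is ever enabled.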
@@ -190,7 +191,7 @@ func TestKojiImport(t *testing.T) { initResult, err := k.CGInitBuild(build.Name, build.Version, build.Release) require.NoError(t, err) - build.BuildID = uint64(initResult.BuildID) + build.BuildID = uint64(initResult.BuildID) // nolint: gosec importResult, err := k.CGImport(build, buildRoots, output, uploadDirectory, initResult.Token) require.NoError(t, err) diff --git a/cmd/osbuild-worker/jobimpl-koji-finalize.go b/cmd/osbuild-worker/jobimpl-koji-finalize.go index 63b93439b..bded2c32d 100644 --- a/cmd/osbuild-worker/jobimpl-koji-finalize.go +++ b/cmd/osbuild-worker/jobimpl-koji-finalize.go @@ -141,6 +141,10 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error { } for i, buildResult := range osbuildResults { + // i is a range index which never get modified, so it's safe to + // ignore the sec warning + buildRootID := uint64(i) // nolint: gosec + buildRPMs := make([]koji.RPM, 0) // collect packages from stages in build pipelines for _, plName := range buildResult.PipelineNames.Build { @@ -171,7 +175,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error { kojiTargetOptions := kojiTargetResult.Options.(*target.KojiTargetResultOptions) buildRoots = append(buildRoots, koji.BuildRoot{ - ID: uint64(i), + ID: buildRootID, Host: koji.Host{ Os: buildResult.HostOS, Arch: buildResult.Arch, @@ -224,7 +228,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error { // Image output outputs = append(outputs, koji.BuildOutput{ - BuildRootID: uint64(i), + BuildRootID: buildRootID, Filename: imageFilename, FileSize: kojiTargetOptions.Image.Size, Arch: buildResult.Arch, 
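Review bot: The comment added above `buildRootID := uint64(i)` in jobimpl-koji-finalize.go gives the wrong reason for the suppression: the conversion is safe because a range index is never negative, not because `i` is left unmodified. Assuming `osbuildResults` is a slice (its declaration is outside the hunk), I would reword it to `// i is the range index over osbuildResults, so it is never negative and converting it to uint64 cannot wrap`. Hoisting the conversion into `buildRootID` is worth keeping, since the later hunks in this file then reuse one reviewed value for `koji.BuildRoot.ID` and every `BuildOutput.BuildRootID`. Run's body starts and ends outside the hunk.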
@@ -268,7 +272,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error { manifestOutputsExtraInfo[kojiTargetOptions.OSBuildManifest.Filename] = &manifestExtraInfo outputs = append(outputs, koji.BuildOutput{ - BuildRootID: uint64(i), + BuildRootID: buildRootID, Filename: kojiTargetOptions.OSBuildManifest.Filename, FileSize: kojiTargetOptions.OSBuildManifest.Size, Arch: buildResult.Arch, @@ -286,7 +290,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error { // TODO: Remove the condition it in the future. if kojiTargetOptions.Log != nil { outputs = append(outputs, koji.BuildOutput{ - BuildRootID: uint64(i), + BuildRootID: buildRootID, Filename: kojiTargetOptions.Log.Filename, FileSize: kojiTargetOptions.Log.Size, Arch: "noarch", // log file is not architecture dependent @@ -300,7 +304,7 @@ func (impl *KojiFinalizeJobImpl) Run(job worker.Job) error { if len(kojiTargetOptions.SbomDocs) > 0 { for _, sbomDoc := range kojiTargetOptions.SbomDocs { outputs = append(outputs, koji.BuildOutput{ - BuildRootID: uint64(i), + BuildRootID: buildRootID, Filename: sbomDoc.Filename, FileSize: sbomDoc.Size, Arch: buildResult.Arch, diff --git a/cmd/osbuild-worker/jobimpl-koji-init.go b/cmd/osbuild-worker/jobimpl-koji-init.go index c022a5666..6ec7c271f 100644 --- a/cmd/osbuild-worker/jobimpl-koji-init.go +++ b/cmd/osbuild-worker/jobimpl-koji-init.go @@ -44,7 +44,10 @@ func (impl *KojiInitJobImpl) kojiInit(server, name, version, release string) (st return "", 0, err } - return buildInfo.Token, uint64(buildInfo.BuildID), nil + if buildInfo.BuildID < 0 { + return "", 0, fmt.Errorf("invalid koji init job build ID: %d", buildInfo.BuildID) + } + return buildInfo.Token, uint64(buildInfo.BuildID), nil // nolint: gosec } func (impl *KojiInitJobImpl) Run(job worker.Job) error { diff --git a/internal/cloudapi/v2/handler.go b/internal/cloudapi/v2/handler.go index 09751f778..16d8148a1 100644 --- a/internal/cloudapi/v2/handler.go +++ b/internal/cloudapi/v2/handler.go 
@@ -140,7 +140,10 @@ func (h *apiHandlers) PostCompose(ctx echo.Context) error { var id uuid.UUID if request.Koji != nil { - id, err = h.server.enqueueKojiCompose(uint64(request.Koji.TaskId), request.Koji.Server, request.Koji.Name, request.Koji.Version, request.Koji.Release, irs, channel) + if request.Koji.TaskId < 0 { + return fmt.Errorf("invalid Koji task ID: %d", request.Koji.TaskId) + } + id, err = h.server.enqueueKojiCompose(uint64(request.Koji.TaskId), request.Koji.Server, request.Koji.Name, request.Koji.Version, request.Koji.Release, irs, channel) // nolint: gosec if err != nil { return err } diff --git a/internal/cloudapi/v2/server.go b/internal/cloudapi/v2/server.go index 7250c08b0..d434328d7 100644 --- a/internal/cloudapi/v2/server.go +++ b/internal/cloudapi/v2/server.go @@ -440,7 +440,7 @@ func (s *Server) enqueueKojiCompose(taskID uint64, server, name, version, releas KojiFilenames: kojiFilenames, KojiDirectory: kojiDirectory, TaskID: taskID, - StartTime: uint64(time.Now().Unix()), + StartTime: uint64(time.Now().Unix()), // nolint: gosec }, initID, buildIDs, channel) if err != nil { return id, HTTPErrorWithInternal(ErrorEnqueueingJob, err) diff --git a/internal/cloudapi/v2/v2_koji_test.go b/internal/cloudapi/v2/v2_koji_test.go index 44b26d57f..08d45a7f4 100644 --- a/internal/cloudapi/v2/v2_koji_test.go +++ b/internal/cloudapi/v2/v2_koji_test.go @@ -611,7 +611,7 @@ func TestKojiJobTypeValidation(t *testing.T) { KojiFilenames: filenames, KojiDirectory: "koji-server-test-dir", TaskID: 0, - StartTime: uint64(time.Now().Unix()), + StartTime: uint64(time.Now().Unix()), // nolint: gosec } finalizeID, err := workers.EnqueueKojiFinalize(&finalizeJob, initID, buildJobIDs, "") require.NoError(t, err)
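Review bot: The new `request.Koji.TaskId < 0` check in PostCompose rejects client-supplied input but returns a bare `fmt.Errorf`, which bypasses the service's HTTP error types. Depending on how the echo error handler treats untyped errors (not visible here), a caller sending a negative Koji task ID probably receives an internal-server-error response rather than a 4xx validation error, and the rejection is recorded as a server fault. I would return it through the package's HTTP error helpers, the way `enqueueKojiCompose` in server.go returns `HTTPErrorWithInternal(ErrorEnqueueingJob, err)`, using whichever existing error code maps to a bad request. A handler test that posts a negative task ID and asserts the status code would pin this behaviour. PostCompose continues outside the hunk.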