Skip to content

Fix gosec lints from golangci-lint v2.10.1#465

Merged
oschwald merged 2 commits intomainfrom
wstorey/eng-4203-lints-from-new-golangci-lint-are-fixed-in-githubcom-repos
Feb 18, 2026
Merged

Fix gosec lints from golangci-lint v2.10.1#465
oschwald merged 2 commits intomainfrom
wstorey/eng-4203-lints-from-new-golangci-lint-are-fixed-in-githubcom-repos

Conversation

@horgh
Copy link
Copy Markdown
Contributor

@horgh horgh commented Feb 17, 2026

Summary

  • Add nolint directives for new gosec taint analysis false positives (G101, G703, G704, G706)
  • These are false positives in a CLI tool where user-provided input (URLs, file paths, proxy credentials in tests) is used by design

Test plan

  • golangci-lint run ./... passes with 0 issues

🤖 Generated with Claude Code

@horgh @claude
Fix gosec lints from golangci-lint v2.10.1
1e59ccf 
Add nolint directives for taint analysis false positives (G101, G703,
G704, G706) in a CLI tool where user-provided input is used by design.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gemini-code-assist
Copy link
Copy Markdown

gemini-code-assist bot commented Feb 17, 2026

Summary of Changes

Hello @horgh, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses new gosec taint analysis warnings that appeared after updating to golangci-lint v2.10.1. The changes involve strategically placing nolint directives in the code to silence these warnings, which were identified as false positives. These instances typically involve the processing of user-supplied data like URLs, file paths, or proxy credentials, which are inherent to the CLI tool's functionality and are handled securely despite the linter's flags.

Highlights

  • Linter Fixes: Added nolint directives to suppress new gosec taint analysis false positives introduced by golangci-lint v2.10.1.
  • False Positive Handling: Specifically addressed false positives related to G101, G703, G704, and G706, which were triggered by the intended use of user-provided input in a CLI tool context.
  • Linting Status: Ensured that golangci-lint run ./... now passes with zero issues, maintaining a clean linting state.
Changelog
  • client/download.go
    • Added //nolint:gosec directive to an httpClient.Do call, indicating the URL is from a known configuration.
  • client/metadata.go
    • Added //nolint:gosec directive to an httpClient.Do call, indicating the URL is from a known configuration.
  • cmd/geoipupdate/args.go
    • Added //nolint:gosec directive to a log.Printf call, clarifying that the program name is being logged.
  • internal/geoipupdate/config.go
    • Added //nolint:gosec directives to os.ReadFile calls, noting that the paths originate from environment variables.
  • internal/geoipupdate/config_test.go
    • Added //nolint:gosec directives to test data definitions, acknowledging the use of sensitive-looking test data.
  • internal/geoipupdate/database/local_file_writer.go
    • Added //nolint:gosec directives to os.Remove and os.Rename calls, confirming that the paths are derived from os.CreateTemp.
Activity
  • The pull request author confirmed that golangci-lint run ./... passes with 0 issues after these changes.
  • The pull request was generated with the assistance of Claude Code.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions
Copy link
Copy Markdown

github-actions bot commented Feb 17, 2026
edited
Loading

Modver result

This report was generated by Modver,
a Go package and command that helps you obey semantic versioning rules in your Go module.

This PR does not require a change in your module’s version number.
(You might still consider bumping the patchlevel anyway.)

gemini-code-assist[bot]
gemini-code-assist bot reviewed Feb 17, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request addresses several gosec linting issues by adding nolint directives. The justifications for disabling these checks seem reasonable, as this is a command-line tool where user-provided input is expected. I've found a couple of minor issues with the comments accompanying the nolint directives in internal/geoipupdate/database/local_file_writer.go, where the explanation for the path's origin is inaccurate. I've left suggestions to correct them for better code clarity and future maintenance.

internal/geoipupdate/database/local_file_writer.go Outdated
}

err := os.Remove(w.file.Name())
err := os.Remove(w.file.Name()) //nolint:gosec // path from os.CreateTemp
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The comment for this nolint:gosec directive is inaccurate. It states the path is from os.CreateTemp, but the file path is actually constructed from configuration values (database directory and edition ID). Correcting this comment will improve clarity for future security reviews and maintenance.

Suggested change
err := os.Remove(w.file.Name()) //nolint:gosec // path from os.CreateTemp
err := os.Remove(w.file.Name()) //nolint:gosec // path is constructed from config values

Copy link
Copy Markdown
Member

@oschwald oschwald Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gemini appears to be right. I don't even see any os.CreateTemp uses in this repo!

internal/geoipupdate/database/local_file_writer.go Outdated
return fmt.Errorf("closing temporary file: %w", err)
}
if err := os.Rename(w.file.Name(), name); err != nil {
if err := os.Rename(w.file.Name(), name); err != nil { //nolint:gosec // path from os.CreateTemp
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The comment for this nolint:gosec directive is inaccurate. It states the path is from os.CreateTemp, but the file path is actually constructed from configuration values. For better code clarity and to aid future security analysis, this comment should be updated to reflect the true origin of the path.

Suggested change
if err := os.Rename(w.file.Name(), name); err != nil { //nolint:gosec // path from os.CreateTemp
if err := os.Rename(w.file.Name(), name); err != nil { //nolint:gosec // path is constructed from config values

oschwald
oschwald requested changes Feb 17, 2026
View reviewed changes
internal/geoipupdate/database/local_file_writer.go Outdated
}

err := os.Remove(w.file.Name())
err := os.Remove(w.file.Name()) //nolint:gosec // path from os.CreateTemp
Copy link
Copy Markdown
Member

@oschwald oschwald Feb 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gemini appears to be right. I don't even see any os.CreateTemp uses in this repo!

@horgh @claude
Fix inaccurate nolint comments in local_file_writer.go
a492e8a 
The comments incorrectly stated the paths came from os.CreateTemp
when they are actually constructed from config values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@horgh horgh force-pushed the wstorey/eng-4203-lints-from-new-golangci-lint-are-fixed-in-githubcom-repos branch from 55eef16 to a492e8a Compare February 17, 2026 21:04
@oschwald oschwald merged commit 5eca6df into main Feb 18, 2026
21 checks passed
@oschwald oschwald deleted the wstorey/eng-4203-lints-from-new-golangci-lint-are-fixed-in-githubcom-repos branch February 18, 2026 15:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oschwald oschwald oschwald approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@horgh @oschwald