Skip to content

Commit

Permalink
Forbid some archived and vulnerable packages
Browse files Browse the repository at this point in the history
  • Loading branch information
SuperSandro2000 committed Jun 6, 2024
1 parent d02480b commit deb4c36
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 0 deletions.
9 changes: 9 additions & 0 deletions .golangci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -35,13 +35,22 @@ linters-settings:
# Report about not checking of errors in type assertions.
check-type-assertions: true
forbidigo:
analyze-types: true # required for pkg:
forbid:
# ioutil package has been deprecated: https://github.com/golang/go/issues/42026
- ^ioutil\..*$
# Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
# Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
- ^http\.DefaultServeMux$
- ^http\.Handle(?:Func)?$
# Forbid usage of old and archived square/go-jose
- pkg: ^gopkg\.in/square/go-jose\.v2$
msg: "gopk.in/square/go-jose is arcived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
- pkg: ^github.com/coreos/go-oidc$
msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"

- pkg: ^github.com/howeyc/gopass$
msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
goconst:
ignore-tests: true
min-occurrences: 5
Expand Down
9 changes: 9 additions & 0 deletions internal/golangcilint/golangci_lint.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,13 +72,22 @@ linters-settings:
{{- end }}
{{- end }}
forbidigo:
analyze-types: true # required for pkg:
forbid:
# ioutil package has been deprecated: https://github.com/golang/go/issues/42026
- ^ioutil\..*$
# Using http.DefaultServeMux is discouraged because it's a global variable that some packages silently and magically add handlers to (esp. net/http/pprof).
# Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
- ^http\.DefaultServeMux$
- ^http\.Handle(?:Func)?$
# Forbid usage of old and archived square/go-jose
- pkg: ^gopkg\.in/square/go-jose\.v2$
msg: "gopk.in/square/go-jose is arcived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
- pkg: ^github.com/coreos/go-oidc$
msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
- pkg: ^github.com/howeyc/gopass$
msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
goconst:
ignore-tests: true
min-occurrences: 5
Expand Down

0 comments on commit deb4c36

Please sign in to comment.