From deb4c3653ee7b86365d4e6685a78c8594f3209fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Thu, 6 Jun 2024 12:25:27 +0200
Subject: [PATCH] Forbid some archived and vulnerable packages

---
 .golangci.yaml | 9 +++++++++
 internal/golangcilint/golangci_lint.go | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/.golangci.yaml b/.golangci.yaml
index 99948ab..ea4ce22 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -35,6 +35,7 @@ linters-settings:
 # Report about not checking of errors in type assertions.
 check-type-assertions: true
 forbidigo:
+ analyze-types: true # required for pkg:
 forbid:
 # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
 - ^ioutil\..*$
@@ -42,6 +43,14 @@ linters-settings:
 # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
 - ^http\.DefaultServeMux$
 - ^http\.Handle(?:Func)?$
+ # Forbid usage of old and archived square/go-jose
+ - pkg: ^gopkg\.in/square/go-jose\.v2$
+ msg: "gopk.in/square/go-jose is arcived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
+ - pkg: ^github.com/coreos/go-oidc$
+ msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
+
+ - pkg: ^github.com/howeyc/gopass$
+ msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
 goconst:
 ignore-tests: true
 min-occurrences: 5
diff --git a/internal/golangcilint/golangci_lint.go b/internal/golangcilint/golangci_lint.go
index 1d35942..e30888d 100644
--- a/internal/golangcilint/golangci_lint.go
+++ b/internal/golangcilint/golangci_lint.go
@@ -72,6 +72,7 @@ linters-settings:
 {{- end }}
 {{- end }}
 forbidigo:
+ analyze-types: true # required for pkg:
 forbid:
 # ioutil package has been deprecated: https://github.com/golang/go/issues/42026
 - ^ioutil\..*$
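Review bot: The replacement hint in the new go-jose rule has two typos that every developer hitting the lint will see: `gopk.in` and `arcived` in the `msg:` line should read `msg: "gopkg.in/square/go-jose is archived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"`. The two new `pkg:` patterns for go-oidc and gopass leave `.` unescaped while the go-jose pattern escapes it; for consistency, and so `.` cannot match an arbitrary character, write `- pkg: ^github\.com/coreos/go-oidc$` and `- pkg: ^github\.com/howeyc/gopass$`. "has CVEs" gives the reader nothing to verify against; if the advisory id is known, link it in the comment above the rule the way the ioutil entry links its issue. The same text is duplicated verbatim in the internal/golangcilint/golangci_lint.go template hunk (@@ -79,6 +80,14 @@), so both copies need the same fix.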
@@ -79,6 +80,14 @@ linters-settings:
 # Applications wishing to use http.ServeMux should obtain local instances through http.NewServeMux() instead of using the global default instance.
 - ^http\.DefaultServeMux$
 - ^http\.Handle(?:Func)?$
+ # Forbid usage of old and archived square/go-jose
+ - pkg: ^gopkg\.in/square/go-jose\.v2$
+ msg: "gopk.in/square/go-jose is arcived and has CVEs. Replace it with gopkg.in/go-jose/go-jose.v2"
+ - pkg: ^github.com/coreos/go-oidc$
+ msg: "github.com/coreos/go-oidc depends on gopkg.in/square/go-jose which has CVEs. Replace it with github.com/coreos/go-oidc/v3"
+
+ - pkg: ^github.com/howeyc/gopass$
+ msg: "github.com/howeyc/gopass is archived, use golang.org/x/term instead"
 goconst:
 ignore-tests: true
 min-occurrences: 5