mirror of
https://github.com/opencontainers/runc.git
synced 2025-12-24 11:50:58 +08:00
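# golangci-lint configuration (v2 schema).
# Nesting restored from the flattened page listing; keys, values and patterns
# are unchanged.
version: "2"

run:
  # Analyze with the seccomp build tag set so that files guarded by it are
  # linted as well.
  build-tags:
    - seccomp

formatters:
  enable:
    - gofumpt
  settings:
    gofumpt:
      # Turn on gofumpt's optional, stricter formatting rules.
      extra-rules: true

linters:
  # Linters enabled in addition to the golangci-lint defaults.
  enable:
    - errorlint
    - forbidigo
    - nolintlint
    - unconvert
    - unparam
  settings:
    govet:
      enable:
        - nilness
    staticcheck:
      # Run every staticcheck check except the ones negated below.
      checks:
        - all
        - -ST1000 # https://staticcheck.dev/docs/checks/#ST1000 Incorrect or missing package comment.
        - -ST1003 # https://staticcheck.dev/docs/checks/#ST1003 Poorly chosen identifier.
        - -ST1005 # https://staticcheck.dev/docs/checks/#ST1005 Incorrectly formatted error string.
        - -QF1008 # https://staticcheck.dev/docs/checks/#QF1008 Omit embedded fields from selector expression.
    forbidigo:
      forbid:
        # os.Create implies O_TRUNC without O_CREAT|O_EXCL, so a file that
        # already exists at the target path is truncated instead of the call
        # failing. That can lead to attacks even more severe than
        # CVE-2024-45310: ones where existing host files are wiped. Always
        # use O_EXCL or otherwise ensure we are not going to be tricked into
        # overwriting host files.
        #
        # NOTE(review): this pattern matches os.Create only. os.WriteFile and
        # os.OpenFile with O_TRUNC truncate in the same way and are not
        # covered by it, so those call sites still need the same scrutiny.
        - pattern: ^os\.Create$
          pkg: ^os$
        # The os.Is* error checking functions predate errors.Is. Therefore,
        # they only support errors returned by the os package and subtly fail
        # to deal with other wrapped error types.
        # New code should use errors.Is(err, error-type) instead.
        - pattern: ^os\.Is(Exist|NotExist|Permission|Timeout)$
          pkg: ^os$
      # Match on resolved type information rather than on the literal source
      # text, so a renamed import of os is still caught. The pkg filters
      # above depend on this being enabled.
      analyze-types: true
  exclusions:
    rules:
      # forbidigo lints are only relevant for main code; files ending in
      # _test.go are exempt.
      - path: '(.+)_test\.go'
        linters:
          - forbidigo
    # Built-in golangci-lint exclusion preset for routine error-handling
    # findings.
    presets:
      - std-error-handling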