From 3ff1512b29c8a0b4fd172ecd57be59133534f059 Mon Sep 17 00:00:00 2001 From: fullsend-code Date: Wed, 3 Jun 2026 11:27:14 +0000 Subject: [PATCH] style(#3160): use explicit 0o octal notation for file permissions Replace all old-style Go octal literals (e.g., 0644, 0755) with the explicit 0o prefix notation (0o644, 0o755) introduced in Go 1.13. The 0o prefix makes the numeric base unambiguous and prevents visual confusion with decimal numbers. This is a semantics-preserving change across 42 files covering production code, test files, acceptance tests, and benchmarks. All os.OpenFile, os.WriteFile, os.MkdirAll, os.Chmod, os.Mkdir, afero.WriteFile, and tar.Header Mode calls are updated. Note: TestWriteReport in internal/validate failed due to sandbox network restrictions (sigstore TUF CDN blocked), not related to this change. Closes #3160 --- acceptance/git/git.go | 14 +++--- acceptance/image/image.go | 2 +- acceptance/kubernetes/kind/image.go | 8 ++-- acceptance/pipeline/pipeline_definition.go | 2 +- acceptance/registry/registry.go | 2 +- acceptance/tekton/bundles.go | 2 +- acceptance/testenv/testenv.go | 2 +- benchmark/internal/registry/registry.go | 6 +-- benchmark/offliner/offliner.go | 2 +- cmd/initialize/init_policies.go | 2 +- cmd/inspect/inspect_policy_test.go | 10 ++--- cmd/test/test.go | 2 +- cmd/track/track_bundle.go | 2 +- cmd/track/track_bundle_test.go | 2 +- cmd/validate/image_test.go | 26 +++++------ cmd/validate/input_test.go | 26 +++++------ internal/applicationsnapshot/input_test.go | 10 ++--- internal/applicationsnapshot/vsa.go | 2 +- internal/documentation/documentation.go | 2 +- .../application_snapshot_image.go | 2 +- internal/evaluator/conftest_evaluator.go | 6 +-- .../conftest_evaluator_test_helpers.go | 4 +- .../conftest_evaluator_unit_core_test.go | 44 +++++++++---------- .../conftest_evaluator_unit_data_test.go | 6 +-- .../conftest_evaluator_unit_metadata_test.go | 12 ++--- internal/evaluator/opa_evaluator_test.go | 2 +- internal/input/validate_test.go | 6 +-- internal/kubernetes/client_test.go | 4 +- internal/logging/logging.go | 2 +- internal/opa/inspect_test.go | 6 +-- internal/policy/source/chooser_test.go | 2 +- internal/policy/source/git_config_test.go | 8 ++-- internal/policy/source/source.go | 6 +-- internal/policy/source/source_test.go | 14 +++--- internal/utils/helpers_test.go | 2 +- internal/utils/private_key_test.go | 4 +- internal/validate/helpers_test.go | 8 ++-- internal/validate/vsa/attest_test.go | 2 +- internal/validate/vsa/file_retriever_test.go | 8 ++-- internal/validate/vsa/storage_local.go | 6 +-- internal/validate/vsa/vsa.go | 2 +- internal/validate/vsa/vsa_test.go | 10 ++--- 42 files changed, 145 insertions(+), 145 deletions(-) diff --git a/acceptance/git/git.go b/acceptance/git/git.go index 74b9a0b59..cca2fd1c9 100644 --- a/acceptance/git/git.go +++ b/acceptance/git/git.go @@ -92,15 +92,15 @@ func startStubGitServer(ctx context.Context) (context.Context, error) { } nginxConfDir := path.Join(repositories, "conf") - if err = os.Mkdir(nginxConfDir, 0755); err != nil { + if err = os.Mkdir(nginxConfDir, 0o755); err != nil { return ctx, err } - if err = os.WriteFile(path.Join(nginxConfDir, "nginx.conf"), nginxConf, 0400); err != nil { + if err = os.WriteFile(path.Join(nginxConfDir, "nginx.conf"), nginxConf, 0o400); err != nil { return ctx, err } tlsDir := path.Join(repositories, "tls") - if err = os.Mkdir(tlsDir, 0755); err != nil { + if err = os.Mkdir(tlsDir, 0o755); err != nil { return ctx, err } @@ -114,7 +114,7 @@ func startStubGitServer(ctx context.Context) (context.Context, error) { Bytes: keyBytes, }) - if err = os.WriteFile(path.Join(tlsDir, "server.key"), keyPem, 0400); err != nil { + if err = os.WriteFile(path.Join(tlsDir, "server.key"), keyPem, 0o400); err != nil { return ctx, err } @@ -142,7 +142,7 @@ func startStubGitServer(ctx context.Context) (context.Context, error) { Bytes: cert, }) - if err = os.WriteFile(certificate, certPEM, 0400); err != nil { + if err = os.WriteFile(certificate, certPEM, 0o400); err != nil { return ctx, err } @@ -152,7 +152,7 @@ func startStubGitServer(ctx context.Context) (context.Context, error) { // Create a minimal health check repository before starting the container healthCheckDir := path.Join(repositories, "health-check.git") - if err := os.MkdirAll(healthCheckDir, 0755); err != nil { + if err := os.MkdirAll(healthCheckDir, 0o755); err != nil { return ctx, err } @@ -284,7 +284,7 @@ func createGitRepository(ctx context.Context, repositoryName string, files *godo })) } - err = os.WriteFile(dest, b, 0600) + err = os.WriteFile(dest, b, 0o600) if err != nil { return err } diff --git a/acceptance/image/image.go b/acceptance/image/image.go index f13e1cf1e..984fbc5c2 100644 --- a/acceptance/image/image.go +++ b/acceptance/image/image.go @@ -878,7 +878,7 @@ func createAndPushImageWithLayer(ctx context.Context, imageName string, files *g name := r.Cells[0].Value if err := t.WriteHeader(&tar.Header{ Name: name, - Mode: 0644, + Mode: 0o644, Size: int64(len(content)), }); err != nil { return nil, err diff --git a/acceptance/kubernetes/kind/image.go b/acceptance/kubernetes/kind/image.go index 03e53bc5b..aafd79b7a 100644 --- a/acceptance/kubernetes/kind/image.go +++ b/acceptance/kubernetes/kind/image.go @@ -68,7 +68,7 @@ func (k *kindCluster) buildCliImage(ctx context.Context) error { // Build into a directory not excluded by .dockerignore (which excludes // dist/) and not conflicting with the versioned binary from make build. buildDir := ".acceptance-build" - if err := os.MkdirAll(buildDir, 0755); err != nil { + if err := os.MkdirAll(buildDir, 0o755); err != nil { return fmt.Errorf("creating build directory: %w", err) } defer os.RemoveAll(buildDir) @@ -140,7 +140,7 @@ func (k *kindCluster) buildCliImage(ctx context.Context) error { // Write cache hash only after a successful build if cacheFile != "" { - _ = os.WriteFile(cacheFile, []byte(currentHash), 0644) // #nosec G306 + _ = os.WriteFile(cacheFile, []byte(currentHash), 0o644) // #nosec G306 } return nil @@ -323,7 +323,7 @@ func (k *kindCluster) BuildSnapshotArtifact(ctx context.Context, content string) filePath := "snapshotartifact" // #nosec G306 -- reduce-snapshot.sh needs these permissions - if err := os.WriteFile(filePath, []byte(content), 0644); err != nil { + if err := os.WriteFile(filePath, []byte(content), 0o644); err != nil { return ctx, fmt.Errorf("failed to write JSON to file: %w", err) } @@ -408,7 +408,7 @@ func copyFile(src, dst string) error { } defer in.Close() - out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0755) // #nosec G302 + out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755) // #nosec G302 if err != nil { return err } diff --git a/acceptance/pipeline/pipeline_definition.go b/acceptance/pipeline/pipeline_definition.go index cff503a5d..32e5b4092 100644 --- a/acceptance/pipeline/pipeline_definition.go +++ b/acceptance/pipeline/pipeline_definition.go @@ -24,7 +24,7 @@ import ( ) func writePipelineDefinition(ctx context.Context, name string, data string) (context.Context, error) { - err := os.WriteFile(name, []byte(data), 0600) + err := os.WriteFile(name, []byte(data), 0o600) if err != nil { return ctx, err } diff --git a/acceptance/registry/registry.go b/acceptance/registry/registry.go index 3ff7dbeab..eadfb5fad 100644 --- a/acceptance/registry/registry.go +++ b/acceptance/registry/registry.go @@ -101,7 +101,7 @@ func startStubRegistry(ctx context.Context) (context.Context, error) { { HostFilePath: "", ContainerFilePath: "/config/config.json", - FileMode: 0644, + FileMode: 0o644, Reader: strings.NewReader(zotConfig), }, }, diff --git a/acceptance/tekton/bundles.go b/acceptance/tekton/bundles.go index d88e89c8c..58770f7f8 100644 --- a/acceptance/tekton/bundles.go +++ b/acceptance/tekton/bundles.go @@ -49,7 +49,7 @@ func createTektonBundle(ctx context.Context, name string, data *godog.Table) (co writer := tar.NewWriter(&data) if err := writer.WriteHeader(&tar.Header{ Name: name, - Mode: 0600, + Mode: 0o600, Size: int64(len(content)), Typeflag: tar.TypeReg, }); err != nil { diff --git a/acceptance/testenv/testenv.go b/acceptance/testenv/testenv.go index 854898823..e2bbb7374 100644 --- a/acceptance/testenv/testenv.go +++ b/acceptance/testenv/testenv.go @@ -77,7 +77,7 @@ func Persist(ctx context.Context) (bool, error) { return true, fmt.Errorf("unable to store JSON data in .persisted file: %v", err.Error()) } - err = persister(persistedFile, b, 0644) + err = persister(persistedFile, b, 0o644) if err != nil { return true, fmt.Errorf("unable to write to %s file: %v", persistedFile, err.Error()) } diff --git a/benchmark/internal/registry/registry.go b/benchmark/internal/registry/registry.go index 22fcf9611..f210ba164 100644 --- a/benchmark/internal/registry/registry.go +++ b/benchmark/internal/registry/registry.go @@ -100,12 +100,12 @@ func Launch(data string) (suite.Closer, error) { return nil, err } - if err := os.Chmod(dir, 0755); err != nil { + if err := os.Chmod(dir, 0o755); err != nil { return closer.Close, err } certPath := path.Join(dir, "fake_quay.cer") - if err := os.WriteFile(certPath, certificate, 0600); err != nil { + if err := os.WriteFile(certPath, certificate, 0o600); err != nil { return closer.Close, err } @@ -113,7 +113,7 @@ func Launch(data string) (suite.Closer, error) { return closer.Close, err } - if err := os.WriteFile(path.Join(dir, "fake_quay.key"), key, 0600); err != nil { + if err := os.WriteFile(path.Join(dir, "fake_quay.key"), key, 0o600); err != nil { return closer.Close, err } diff --git a/benchmark/offliner/offliner.go b/benchmark/offliner/offliner.go index ffcfbd445..fee9c3216 100644 --- a/benchmark/offliner/offliner.go +++ b/benchmark/offliner/offliner.go @@ -63,7 +63,7 @@ func main() { } if _, err := os.Stat(dir); os.IsNotExist(err) { - if err := os.MkdirAll(dir, 0755); err != nil { + if err := os.MkdirAll(dir, 0o755); err != nil { fmt.Fprintln(os.Stderr, err) os.Exit(3) } diff --git a/cmd/initialize/init_policies.go b/cmd/initialize/init_policies.go index 1ae146617..fdda8e402 100644 --- a/cmd/initialize/init_policies.go +++ b/cmd/initialize/init_policies.go @@ -79,7 +79,7 @@ func initPoliciesCmd() *cobra.Command { } fs := utils.FS(ctx) workDir := destDir - err := fs.MkdirAll(workDir, 0755) + err := fs.MkdirAll(workDir, 0o755) if err != nil { log.Debug("Failed to create policy directory!") return err diff --git a/cmd/inspect/inspect_policy_test.go b/cmd/inspect/inspect_policy_test.go index aa0d7673f..b0f035559 100644 --- a/cmd/inspect/inspect_policy_test.go +++ b/cmd/inspect/inspect_policy_test.go @@ -56,10 +56,10 @@ func TestFetchSourcesFromPolicy(t *testing.T) { createDir := func(args mock.Arguments) { dir := args.String(0) - if err := fs.MkdirAll(dir, 0755); err != nil { + if err := fs.MkdirAll(dir, 0o755); err != nil { panic(err) } - if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0644); err != nil { + if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0o644); err != nil { panic(err) } } @@ -98,10 +98,10 @@ func TestFetchSources(t *testing.T) { createDir := func(args mock.Arguments) { dir := args.String(0) - if err := fs.MkdirAll(dir, 0755); err != nil { + if err := fs.MkdirAll(dir, 0o755); err != nil { panic(err) } - if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0644); err != nil { + if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0o644); err != nil { panic(err) } } @@ -144,7 +144,7 @@ func TestSourcesAndPolicyCantBeBothProvided(t *testing.T) { createDir := func(args mock.Arguments) { dir := args.String(0) - if err := fs.MkdirAll(dir, 0755); err != nil { + if err := fs.MkdirAll(dir, 0o755); err != nil { panic(err) } } diff --git a/cmd/test/test.go b/cmd/test/test.go index 63a4a6d95..61b844471 100644 --- a/cmd/test/test.go +++ b/cmd/test/test.go @@ -200,7 +200,7 @@ func NewTestCommand(ctx context.Context) *cobra.Command { if outputFilePath != "" { // Output to a file - err := os.WriteFile(outputFilePath, reportOutput, 0600) + err := os.WriteFile(outputFilePath, reportOutput, 0o600) if err != nil { return fmt.Errorf("creating output file: %w", err) } diff --git a/cmd/track/track_bundle.go b/cmd/track/track_bundle.go index ae160c2fc..da6390e6b 100644 --- a/cmd/track/track_bundle.go +++ b/cmd/track/track_bundle.go @@ -137,7 +137,7 @@ func trackBundleCmd(track trackBundleFn, pullImage pullImageFn, pushImage pushIm case strings.HasPrefix(params.output, "oci:"): err = pushImage(cmd.Context(), strings.TrimPrefix(params.output, "oci:"), out, invocation) default: - err = afero.WriteFile(fs, params.output, out, 0666) + err = afero.WriteFile(fs, params.output, out, 0o666) } if err != nil { diff --git a/cmd/track/track_bundle_test.go b/cmd/track/track_bundle_test.go index ffc134f6d..b5e4eb8e3 100644 --- a/cmd/track/track_bundle_test.go +++ b/cmd/track/track_bundle_test.go @@ -214,7 +214,7 @@ func Test_TrackBundleCommand(t *testing.T) { inputData := []byte(fmt.Sprintf(`{"file": "%s"}`, c.expectInput)) if c.expectInput != "" { - err := afero.WriteFile(fs, c.expectInput, inputData, 0777) + err := afero.WriteFile(fs, c.expectInput, inputData, 0o777) assert.NoError(t, err) } testOutput := `{"test": true}` diff --git a/cmd/validate/image_test.go b/cmd/validate/image_test.go index edfccbd88..4ef655993 100644 --- a/cmd/validate/image_test.go +++ b/cmd/validate/image_test.go @@ -585,7 +585,7 @@ spec: cmd.SetContext(ctx) - err := afero.WriteFile(fs, "/policy.yaml", []byte(c.config), 0644) + err := afero.WriteFile(fs, "/policy.yaml", []byte(c.config), 0o644) if err != nil { panic(err) } @@ -641,7 +641,7 @@ func Test_ValidateImageCommandJSONPolicyFile(t *testing.T) { - '@minimal' exclude: [] ` - err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0644) + err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0o644) if err != nil { panic(err) } @@ -701,7 +701,7 @@ func Test_ValidateImageCommandExtraData(t *testing.T) { - '@minimal' exclude: [] ` - err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0644) + err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0o644) if err != nil { panic(err) } @@ -717,7 +717,7 @@ spec: repository: quay.io/some-namespace/msd ` - err = afero.WriteFile(fs, "/value.yaml", []byte(testExtraRuleDataYAML), 0644) + err = afero.WriteFile(fs, "/value.yaml", []byte(testExtraRuleDataYAML), 0o644) if err != nil { panic(err) } @@ -784,7 +784,7 @@ func Test_ValidateImageCommandEmptyPolicyFile(t *testing.T) { cmd.SetContext(ctx) - err := afero.WriteFile(fs, "/policy.yaml", []byte(nil), 0644) + err := afero.WriteFile(fs, "/policy.yaml", []byte(nil), 0o644) if err != nil { panic(err) } @@ -875,12 +875,12 @@ func Test_ValidateImageError(t *testing.T) { - '@minimal' exclude: [] ` - err := afero.WriteFile(fs, "/policy.yaml", []byte(testPolicyJSON), 0644) + err := afero.WriteFile(fs, "/policy.yaml", []byte(testPolicyJSON), 0o644) if err != nil { panic(err) } - err = afero.WriteFile(fs, "/value.json", []byte(nil), 0644) + err = afero.WriteFile(fs, "/value.json", []byte(nil), 0o644) if err != nil { panic(err) } @@ -1450,7 +1450,7 @@ func TestValidateImageCommand_VSAUpload_Success(t *testing.T) { ctx := utils.WithFS(context.Background(), fs) // Create a test VSA signing key (real ECDSA P-256 key for testing) - err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600) + err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600) require.NoError(t, err) client := fake.FakeClient{} @@ -1510,7 +1510,7 @@ func TestValidateImageCommand_VSAUpload_NoStorageBackends(t *testing.T) { ctx := utils.WithFS(context.Background(), fs) // Create VSA signing key - err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600) + err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600) require.NoError(t, err) client := fake.FakeClient{} @@ -1654,7 +1654,7 @@ func TestValidateImageCommand_VSAFormat_DSSE(t *testing.T) { ctx := utils.WithFS(context.Background(), fs) // Create a test VSA signing key - err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600) + err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600) require.NoError(t, err) client := fake.FakeClient{} @@ -1923,7 +1923,7 @@ func TestGenerateVSAsDSSE_Errors(t *testing.T) { ctx := utils.WithFS(context.Background(), fs) // Create invalid signing key file - err := afero.WriteFile(fs, "/tmp/invalid-key.pem", []byte("invalid key content"), 0600) + err := afero.WriteFile(fs, "/tmp/invalid-key.pem", []byte("invalid key content"), 0o600) require.NoError(t, err) client := fake.FakeClient{} @@ -2003,7 +2003,7 @@ func TestGenerateVSAsDSSE_Errors(t *testing.T) { ctx := utils.WithFS(context.Background(), fs) // Create a test VSA signing key - err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600) + err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600) require.NoError(t, err) client := fake.FakeClient{} @@ -2152,7 +2152,7 @@ func TestVSAGeneration_WithOutputDir(t *testing.T) { // Create test VSA signing key if needed if tt.needsKey { - err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600) + err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600) require.NoError(t, err) } diff --git a/cmd/validate/input_test.go b/cmd/validate/input_test.go index a7dcf6aff..b9f0d0f52 100644 --- a/cmd/validate/input_test.go +++ b/cmd/validate/input_test.go @@ -68,7 +68,7 @@ func setUpValidateInputCmd(validate InputValidationFunc, fs afero.Fs) (*cobra.Co func Test_ValidateInputCmd_SuccessSingleFile(t *testing.T) { fs := afero.NewMemMapFs() // Write a dummy file to simulate input - require.NoError(t, afero.WriteFile(fs, "/input.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/input.yaml", []byte("some: data"), 0o644)) // Mock validator: returns success with no violations, one success result. outMock := &output.Output{ @@ -113,8 +113,8 @@ func Test_ValidateInputCmd_SuccessSingleFile(t *testing.T) { func Test_ValidateInputCmd_SuccessMultipleFiles(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/input1.yaml", []byte("some: data"), 0644)) - require.NoError(t, afero.WriteFile(fs, "/input2.yaml", []byte("other: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/input1.yaml", []byte("some: data"), 0o644)) + require.NoError(t, afero.WriteFile(fs, "/input2.yaml", []byte("other: data"), 0o644)) // Mock validator: always returns success. outMock := &output.Output{ @@ -166,7 +166,7 @@ func Test_ValidateInputCmd_SuccessMultipleFiles(t *testing.T) { func Test_ValidateInputCmd_Failure(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/bad.yaml", []byte("invalid"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/bad.yaml", []byte("invalid"), 0o644)) // Mock validator: returns an error cmd, _ := setUpValidateInputCmd(mockValidate(nil, errors.New("validation failed")), fs) @@ -184,7 +184,7 @@ func Test_ValidateInputCmd_Failure(t *testing.T) { func Test_ValidateInputCmd_StrictMode(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0o644)) // Mock validator: returns no error, but a violation. outMock := &output.Output{ @@ -213,7 +213,7 @@ func Test_ValidateInputCmd_StrictMode(t *testing.T) { func Test_ValidateInputCmd_NonStrictMode(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0o644)) // Mock validator: returns no error but a violation (should not cause non-zero exit in non-strict mode). outMock := &output.Output{ @@ -255,7 +255,7 @@ func Test_ValidateInputCmd_NonStrictMode(t *testing.T) { func Test_ValidateInputCmd_NoPolicyProvided(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0o644)) cmd, _ := setUpValidateInputCmd(nil, fs) cmd.SetArgs([]string{ @@ -281,7 +281,7 @@ func Test_ValidateInputCmd_NoFileProvided(t *testing.T) { func Test_ValidateInputCmd_PolicyParsingError(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0o644)) cmd, _ := setUpValidateInputCmd(nil, fs) cmd.SetArgs([]string{ @@ -298,8 +298,8 @@ func Test_ValidateInputCmd_PolicyParsingError(t *testing.T) { func Test_ValidateInputCmd_EmptyPolicyFile(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("data"), 0644)) - require.NoError(t, afero.WriteFile(fs, "/policy.yaml", []byte{}, 0644)) + require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("data"), 0o644)) + require.NoError(t, afero.WriteFile(fs, "/policy.yaml", []byte{}, 0o644)) cmd, _ := setUpValidateInputCmd(nil, fs) cmd.SetArgs([]string{ @@ -358,7 +358,7 @@ func Test_ValidateInputCmd_ShowWarningsFlag(t *testing.T) { for _, c := range cases { t.Run(c.name, func(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/file.yaml", []byte("some: data"), 0o644)) cmd, buf := setUpValidateInputCmd(warningValidator, fs) args := append(c.args, "--output", "json") // Explicitly request JSON output @@ -400,7 +400,7 @@ func Test_ValidateInputCmd_ShowWarningsFlag(t *testing.T) { func Test_ValidateInputCmd_DefaultTextOutput(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/input.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/input.yaml", []byte("some: data"), 0o644)) // Mock validator: returns success with no violations, one success result. outMock := &output.Output{ @@ -442,7 +442,7 @@ func Test_ValidateInputCmd_DefaultTextOutput(t *testing.T) { func Test_ValidateInputCmd_TextOutputWithShowSuccesses(t *testing.T) { fs := afero.NewMemMapFs() - require.NoError(t, afero.WriteFile(fs, "/input.yaml", []byte("some: data"), 0644)) + require.NoError(t, afero.WriteFile(fs, "/input.yaml", []byte("some: data"), 0o644)) // Mock validator: returns success with one success result. outMock := &output.Output{ diff --git a/internal/applicationsnapshot/input_test.go b/internal/applicationsnapshot/input_test.go index 6bf8598fd..0e001dd23 100644 --- a/internal/applicationsnapshot/input_test.go +++ b/internal/applicationsnapshot/input_test.go @@ -167,13 +167,13 @@ func Test_DetermineInputSpec(t *testing.T) { ctx = oci.WithClient(ctx, &client) if tc.input.File != "" { - if err := afero.WriteFile(fs, tc.input.File, []byte(testJson), 0400); err != nil { + if err := afero.WriteFile(fs, tc.input.File, []byte(testJson), 0o400); err != nil { panic(err) } } if tc.input.Images == "/home/list-of-images.json" { - if err := afero.WriteFile(fs, tc.input.Images, []byte(testJson), 0400); err != nil { + if err := afero.WriteFile(fs, tc.input.Images, []byte(testJson), 0o400); err != nil { panic(err) } } @@ -204,7 +204,7 @@ func TestReadSnapshotFile(t *testing.T) { fs := afero.NewMemMapFs() spec := `{"components":[{"name": "Named", "containerImage":""},{"name": "Set name", "containerImage":"registry.io/repository/image:another"}]}` - err := afero.WriteFile(fs, "/correct.json", []byte(spec), 0644) + err := afero.WriteFile(fs, "/correct.json", []byte(spec), 0o644) if err != nil { t.Fatalf("Setup failure: could not write file: %v", err) } @@ -221,7 +221,7 @@ func TestReadSnapshotFile(t *testing.T) { spec := `bad spec` specFile := "/badSpec.json" - err := afero.WriteFile(fs, specFile, []byte(spec), 0644) + err := afero.WriteFile(fs, specFile, []byte(spec), 0o644) if err != nil { t.Fatalf("Setup failure: could not write file: %v", err) } @@ -262,7 +262,7 @@ func TestReadSnapshotFile(t *testing.T) { } }` - err := afero.WriteFile(fs, "/cluster-record.json", []byte(clusterRecord), 0644) + err := afero.WriteFile(fs, "/cluster-record.json", []byte(clusterRecord), 0o644) if err != nil { t.Fatalf("Setup failure: could not write file: %v", err) } diff --git a/internal/applicationsnapshot/vsa.go b/internal/applicationsnapshot/vsa.go index a22109bf0..af818f749 100644 --- a/internal/applicationsnapshot/vsa.go +++ b/internal/applicationsnapshot/vsa.go @@ -65,7 +65,7 @@ type SnapshotPredicate struct { type SnapshotPredicateWriter struct { FS afero.Fs // defaults to afero.NewOsFs() TempDirPrefix string // defaults to "snapshot-predicate-" - FilePerm os.FileMode // defaults to 0600 + FilePerm os.FileMode // defaults to 0o600 } // NewSnapshotPredicateWriter creates a new application snapshot predicate file writer diff --git a/internal/documentation/documentation.go b/internal/documentation/documentation.go index 0324105c3..b5f8f9b05 100644 --- a/internal/documentation/documentation.go +++ b/internal/documentation/documentation.go @@ -29,7 +29,7 @@ import ( "github.com/conforma/cli/internal/documentation/asciidoc" ) -const DirectoryPermissions = 0755 +const DirectoryPermissions = 0o755 var ( man = flag.String("man", "", "Location of the generated Man files") diff --git a/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go b/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go index eaecddc05..564574b98 100644 --- a/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go +++ b/internal/evaluation_target/application_snapshot_image/application_snapshot_image.go @@ -459,7 +459,7 @@ func (a *ApplicationSnapshotImage) WriteInputFile(ctx context.Context) (string, log.Debugf("Created dir %s", inputDir) inputJSONPath := path.Join(inputDir, "input.json") - f, err := fs.OpenFile(inputJSONPath, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0644) + f, err := fs.OpenFile(inputJSONPath, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0o644) if err != nil { log.Debugf("Problem creating file in %s", inputDir) return "", nil, err diff --git a/internal/evaluator/conftest_evaluator.go b/internal/evaluator/conftest_evaluator.go index f2e434ae6..a5718b562 100644 --- a/internal/evaluator/conftest_evaluator.go +++ b/internal/evaluator/conftest_evaluator.go @@ -978,7 +978,7 @@ func createConfigJSON(ctx context.Context, dataDir string, p ConfigProvider) err } if !exists { log.Debugf("Config data dir '%s' does not exist, will create.", dataDir) - if err := fs.MkdirAll(configDataDir, 0755); err != nil { + if err := fs.MkdirAll(configDataDir, 0o755); err != nil { return err } } @@ -1027,7 +1027,7 @@ func createConfigJSON(ctx context.Context, dataDir string, p ConfigProvider) err } // write our jsonData content to the config/config.json file in the data dir log.Debugf("Writing config data to %s: %#v", configFilePath, string(configJSON)) - if err := afero.WriteFile(fs, configFilePath, configJSON, 0444); err != nil { + if err := afero.WriteFile(fs, configFilePath, configJSON, 0o444); err != nil { return err } @@ -1044,7 +1044,7 @@ func (c *conftestEvaluator) createDataDirectory(ctx context.Context) error { } if !exists { log.Debugf("Data dir '%s' does not exist, will create.", dataDir) - if err := fs.MkdirAll(dataDir, 0755); err != nil { + if err := fs.MkdirAll(dataDir, 0o755); err != nil { return err } } diff --git a/internal/evaluator/conftest_evaluator_test_helpers.go b/internal/evaluator/conftest_evaluator_test_helpers.go index 85f7f07ff..85e71b80a 100644 --- a/internal/evaluator/conftest_evaluator_test_helpers.go +++ b/internal/evaluator/conftest_evaluator_test_helpers.go @@ -133,7 +133,7 @@ func setupTestContext(r *mockTestRunner, dl *mockDownloader) context.Context { # description: This rule will always fail deny contains result if { result := "Fails always" - }`)), 0644); err != nil { + }`)), 0o644); err != nil { panic(err) } @@ -175,7 +175,7 @@ func rulesArchiveFromFS(t *testing.T, files fs.FS) (string, error) { require.NoError(t, ar.WriteHeader(&tar.Header{ Name: r.Name(), - Mode: 0644, + Mode: 0o644, Size: int64(len(bytes)), })) diff --git a/internal/evaluator/conftest_evaluator_unit_core_test.go b/internal/evaluator/conftest_evaluator_unit_core_test.go index a690b4ee4..9793ccd16 100644 --- a/internal/evaluator/conftest_evaluator_unit_core_test.go +++ b/internal/evaluator/conftest_evaluator_unit_core_test.go @@ -353,8 +353,8 @@ func TestConftestEvaluatorEvaluateNoSuccessWarningsOrFailures(t *testing.T) { func TestConftestEvaluatorEvaluate(t *testing.T) { dir := t.TempDir() - require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0755)) - require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0600)) + require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0o755)) + require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0o600)) rego, err := fs.Sub(policies, "__testdir__/simple") require.NoError(t, err) @@ -409,8 +409,8 @@ func TestConftestEvaluatorEvaluate(t *testing.T) { func TestUnconformingRule(t *testing.T) { dir := t.TempDir() - require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0755)) - require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0600)) + require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0o755)) + require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0o600)) rego, err := fs.Sub(policies, "__testdir__/unconforming") require.NoError(t, err) @@ -443,12 +443,12 @@ func TestUnconformingRule(t *testing.T) { // TestAnnotatedAndNonAnnotatedRules tests the separation of annotated and non-annotated rules func TestAnnotatedAndNonAnnotatedRules(t *testing.T) { dir := t.TempDir() - require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0755)) - require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0600)) + require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0o755)) + require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0o600)) // Create a test directory with both annotated and non-annotated rules testDir := path.Join(dir, "test_policies") - require.NoError(t, os.MkdirAll(testDir, 0755)) + require.NoError(t, os.MkdirAll(testDir, 0o755)) // Annotated rule annotatedRule := `package annotated @@ -466,7 +466,7 @@ deny contains result if { "msg": "Annotated rule failure", } }` - require.NoError(t, os.WriteFile(path.Join(testDir, "annotated.rego"), []byte(annotatedRule), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "annotated.rego"), []byte(annotatedRule), 0o600)) // Non-annotated rule nonAnnotatedRule := `package nonannotated @@ -479,7 +479,7 @@ deny contains result if { "msg": "Non-annotated rule failure", } }` - require.NoError(t, os.WriteFile(path.Join(testDir, "nonannotated.rego"), []byte(nonAnnotatedRule), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "nonannotated.rego"), []byte(nonAnnotatedRule), 0o600)) // Non-annotated rule without code in result nonAnnotatedRuleNoCode := `package noresultcode @@ -489,7 +489,7 @@ import rego.v1 deny contains result if { result := "No code in result" }` - require.NoError(t, os.WriteFile(path.Join(testDir, "noresultcode.rego"), []byte(nonAnnotatedRuleNoCode), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "noresultcode.rego"), []byte(nonAnnotatedRuleNoCode), 0o600)) // Create rules archive archivePath := path.Join(dir, "rules.tar.gz") @@ -536,12 +536,12 @@ deny contains result if { // TestRuleCollectionWithMixedRules tests rule collection logic with mixed annotated and non-annotated rules func TestRuleCollectionWithMixedRules(t *testing.T) { dir := t.TempDir() - require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0755)) - require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0600)) + require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0o755)) + require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0o600)) // Create test directory with mixed rules testDir := path.Join(dir, "mixed_policies") - require.NoError(t, os.MkdirAll(testDir, 0755)) + require.NoError(t, os.MkdirAll(testDir, 0o755)) // Annotated failing annotatedFailingRule := `package mixed @@ -559,7 +559,7 @@ deny contains result if { "msg": "Annotated rule failure", } }` - require.NoError(t, os.WriteFile(path.Join(testDir, "annotated_failing.rego"), []byte(annotatedFailingRule), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "annotated_failing.rego"), []byte(annotatedFailingRule), 0o600)) // Annotated passing annotatedPassingRule := `package mixed @@ -575,7 +575,7 @@ deny contains result if { false result := "This should not be reached" }` - require.NoError(t, os.WriteFile(path.Join(testDir, "annotated_passing.rego"), []byte(annotatedPassingRule), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "annotated_passing.rego"), []byte(annotatedPassingRule), 0o600)) // Non-annotated failing nonAnnotatedFailingRule := `package mixed @@ -588,7 +588,7 @@ deny contains result if { "msg": "Non-annotated rule failure", } }` - require.NoError(t, os.WriteFile(path.Join(testDir, "nonannotated_failing.rego"), []byte(nonAnnotatedFailingRule), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "nonannotated_failing.rego"), []byte(nonAnnotatedFailingRule), 0o600)) // Non-annotated passing nonAnnotatedPassingRule := `package mixed @@ -599,7 +599,7 @@ deny contains result if { false result := "This should not be reached" }` - require.NoError(t, os.WriteFile(path.Join(testDir, "nonannotated_passing.rego"), []byte(nonAnnotatedPassingRule), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "nonannotated_passing.rego"), []byte(nonAnnotatedPassingRule), 0o600)) // Create rules archive archivePath := path.Join(dir, "rules.tar.gz") @@ -654,12 +654,12 @@ deny contains result if { // TestFilteringWithMixedRules verifies that both annotated and non-annotated rules participate in filtering func TestFilteringWithMixedRules(t *testing.T) { dir := t.TempDir() - require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0755)) - require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0600)) + require.NoError(t, os.MkdirAll(path.Join(dir, "inputs"), 0o755)) + require.NoError(t, os.WriteFile(path.Join(dir, "inputs", "data.json"), []byte("{}"), 0o600)) // Create test directory with rules in different packages testDir := path.Join(dir, "filtering_policies") - require.NoError(t, os.MkdirAll(testDir, 0755)) + require.NoError(t, os.MkdirAll(testDir, 0o755)) // Annotated rule in package 'a' annotatedRuleA := `package a @@ -677,7 +677,7 @@ deny contains result if { "msg": "Annotated rule in package a", } }` - require.NoError(t, os.WriteFile(path.Join(testDir, "a_annotated.rego"), []byte(annotatedRuleA), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "a_annotated.rego"), []byte(annotatedRuleA), 0o600)) // Non-annotated rule in package 'b' nonAnnotatedRuleB := `package b @@ -690,7 +690,7 @@ deny contains result if { "msg": "Non-annotated rule in package b", } }` - require.NoError(t, os.WriteFile(path.Join(testDir, "b_nonannotated.rego"), []byte(nonAnnotatedRuleB), 0600)) + require.NoError(t, os.WriteFile(path.Join(testDir, "b_nonannotated.rego"), []byte(nonAnnotatedRuleB), 0o600)) // Create rules archive archivePath := path.Join(dir, "rules.tar.gz") diff --git a/internal/evaluator/conftest_evaluator_unit_data_test.go b/internal/evaluator/conftest_evaluator_unit_data_test.go index b7abed70c..b246eb43a 100644 --- a/internal/evaluator/conftest_evaluator_unit_data_test.go +++ b/internal/evaluator/conftest_evaluator_unit_data_test.go @@ -81,13 +81,13 @@ func TestPrepareDataDirs(t *testing.T) { // Create the base data directory dataDir := "/test/data" - require.NoError(t, fs.MkdirAll(dataDir, 0755)) + require.NoError(t, fs.MkdirAll(dataDir, 0o755)) // Create the test files with minimal content for _, filePath := range tt.filePaths { fullPath := filepath.Join(dataDir, filePath) - require.NoError(t, fs.MkdirAll(filepath.Dir(fullPath), 0755)) - require.NoError(t, afero.WriteFile(fs, fullPath, []byte("test"), 0644)) + require.NoError(t, fs.MkdirAll(filepath.Dir(fullPath), 0o755)) + require.NoError(t, afero.WriteFile(fs, fullPath, []byte("test"), 0o644)) } // Create evaluator instance diff --git a/internal/evaluator/conftest_evaluator_unit_metadata_test.go b/internal/evaluator/conftest_evaluator_unit_metadata_test.go index edd9fd4ac..a8f3e6989 100644 --- a/internal/evaluator/conftest_evaluator_unit_metadata_test.go +++ b/internal/evaluator/conftest_evaluator_unit_metadata_test.go @@ -259,14 +259,14 @@ warn contains result if { }` policyFile := filepath.Join(tempDir, "simple.rego") - err := os.WriteFile(policyFile, []byte(policyContent), 0600) + err := os.WriteFile(policyFile, []byte(policyContent), 0o600) require.NoError(t, err) // Create input directory structure inputDir := filepath.Join(tempDir, "inputs") - require.NoError(t, os.MkdirAll(inputDir, 0755)) + require.NoError(t, os.MkdirAll(inputDir, 0o755)) inputFile := filepath.Join(inputDir, "data.json") - err = os.WriteFile(inputFile, []byte("{}"), 0600) + err = os.WriteFile(inputFile, []byte("{}"), 0o600) require.NoError(t, err) // Create evaluator using the proper constructor @@ -339,14 +339,14 @@ warn contains result if { }` policyFile := filepath.Join(tempDir, "warn.rego") - err := os.WriteFile(policyFile, []byte(policyContent), 0600) + err := os.WriteFile(policyFile, []byte(policyContent), 0o600) require.NoError(t, err) // Create input directory structure inputDir := filepath.Join(tempDir, "inputs") - require.NoError(t, os.MkdirAll(inputDir, 0755)) + require.NoError(t, os.MkdirAll(inputDir, 0o755)) inputFile := filepath.Join(inputDir, "data.json") - err = os.WriteFile(inputFile, []byte("{}"), 0600) + err = os.WriteFile(inputFile, []byte("{}"), 0o600) require.NoError(t, err) // Create evaluator using the proper constructor diff --git a/internal/evaluator/opa_evaluator_test.go b/internal/evaluator/opa_evaluator_test.go index 278b42fd4..850ae5430 100644 --- a/internal/evaluator/opa_evaluator_test.go +++ b/internal/evaluator/opa_evaluator_test.go @@ -77,7 +77,7 @@ func TestDestroy(t *testing.T) { t.Run(tc.name, func(t *testing.T) { // Set up the environment if tc.workDir != "" { - err := fs.MkdirAll(tc.workDir, 0755) + err := fs.MkdirAll(tc.workDir, 0o755) assert.NoError(t, err, "Failed to create workDir in in-memory filesystem") } diff --git a/internal/input/validate_test.go b/internal/input/validate_test.go index 4f2e842f0..5659640ff 100644 --- a/internal/input/validate_test.go +++ b/internal/input/validate_test.go @@ -139,11 +139,11 @@ func Test_ValidatePipeline(t *testing.T) { } appFS := afero.NewMemMapFs() - errEmptyDir := appFS.MkdirAll(emptyDir, 0777) + errEmptyDir := appFS.MkdirAll(emptyDir, 0o777) assert.NoError(t, errEmptyDir) - errDir := appFS.MkdirAll(nonEmptyDir, 0777) + errDir := appFS.MkdirAll(nonEmptyDir, 0o777) assert.NoError(t, errDir) - errFile := afero.WriteFile(appFS, validFile, []byte("data"), 0777) + errFile := afero.WriteFile(appFS, validFile, []byte("data"), 0o777) assert.NoError(t, errFile) ctx := utils.WithFS(context.Background(), appFS) policy, err := policy.NewInputPolicy(ctx, "", "2023-01-01T00:00:00.00Z") diff --git a/internal/kubernetes/client_test.go b/internal/kubernetes/client_test.go index 7e5df388c..9725f77f1 100644 --- a/internal/kubernetes/client_test.go +++ b/internal/kubernetes/client_test.go @@ -134,7 +134,7 @@ func Test_FetchEnterpriseContractPolicy(t *testing.T) { } kubeconfigFile := path.Join(t.TempDir(), "KUBECONFIG") - err := os.WriteFile(kubeconfigFile, testKubeconfig, 0400) + err := os.WriteFile(kubeconfigFile, testKubeconfig, 0o400) assert.NoError(t, err) t.Setenv("KUBECONFIG", kubeconfigFile) @@ -193,7 +193,7 @@ func Test_FetchSnapshot(t *testing.T) { } kubeconfigFile := path.Join(t.TempDir(), "KUBECONFIG") - err := os.WriteFile(kubeconfigFile, testKubeconfig, 0400) + err := os.WriteFile(kubeconfigFile, testKubeconfig, 0o400) assert.NoError(t, err) t.Setenv("KUBECONFIG", kubeconfigFile) diff --git a/internal/logging/logging.go b/internal/logging/logging.go index f16f3461e..477ee726d 100644 --- a/internal/logging/logging.go +++ b/internal/logging/logging.go @@ -83,7 +83,7 @@ func InitLogging(verbose, quiet, debug, trace bool, logfile string) { } if logfile != "" { - if l, err := os.OpenFile(logfile, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600); err == nil { + if l, err := os.OpenFile(logfile, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o600); err == nil { log.SetOutput(l) } else { fmt.Fprintf(os.Stderr, "Unable to create log file %q, log lines will appear on standard error. Error was: %s\n", logfile, err.Error()) diff --git a/internal/opa/inspect_test.go b/internal/opa/inspect_test.go index 5ee0bc2c7..1eeb8beb8 100644 --- a/internal/opa/inspect_test.go +++ b/internal/opa/inspect_test.go @@ -138,8 +138,8 @@ func TestInspectDir(t *testing.T) { for path, value := range files { fullpath := filepath.Join(policiesDir, path) dir := filepath.Dir(fullpath) - require.NoError(t, fs.MkdirAll(dir, 0755)) - require.NoError(t, afero.WriteFile(fs, fullpath, []byte(value), 0660)) + require.NoError(t, fs.MkdirAll(dir, 0o755)) + require.NoError(t, afero.WriteFile(fs, fullpath, []byte(value), 0o660)) } if c.symlink { @@ -232,7 +232,7 @@ func TestCheckRules(t *testing.T) { for _, c := range cases[len(cases)-1:] { t.Run(c.name, func(t *testing.T) { tmp := t.TempDir() - require.NoError(t, os.WriteFile(path.Join(tmp, "rules.rego"), []byte(c.rego), 0600)) + require.NoError(t, os.WriteFile(path.Join(tmp, "rules.rego"), []byte(c.rego), 0o600)) _, err := InspectDir(afero.NewOsFs(), tmp) if c.err != "" { diff --git a/internal/policy/source/chooser_test.go b/internal/policy/source/chooser_test.go index 98a14899e..98335919e 100644 --- a/internal/policy/source/chooser_test.go +++ b/internal/policy/source/chooser_test.go @@ -70,7 +70,7 @@ func TestChoosePolicyFile(t *testing.T) { ctx := utils.WithFS(context.Background(), fs) for _, f := range tt.files { - err := afero.WriteFile(fs, f, []byte(""), 0644) + err := afero.WriteFile(fs, f, []byte(""), 0o644) assert.NoError(t, err) } diff --git a/internal/policy/source/git_config_test.go b/internal/policy/source/git_config_test.go index 34ba13f17..3d5bb7fd6 100644 --- a/internal/policy/source/git_config_test.go +++ b/internal/policy/source/git_config_test.go @@ -295,11 +295,11 @@ func TestGoGetterDownload(t *testing.T) { tmpDir: "/tmp/test", setupFS: func(fs afero.Fs, destDir string) error { // Create the downloaded directory structure - if err := fs.MkdirAll(destDir, 0755); err != nil { + if err := fs.MkdirAll(destDir, 0o755); err != nil { return err } // Create a policy.yaml file that choosePolicyFile can find - return afero.WriteFile(fs, path.Join(destDir, "policy.yaml"), []byte("test config"), 0644) + return afero.WriteFile(fs, path.Join(destDir, "policy.yaml"), []byte("test config"), 0o644) }, mockDownloader: func(m *mockDownloader, destDir string) { // Mock successful download @@ -313,11 +313,11 @@ func TestGoGetterDownload(t *testing.T) { src: "https://github.com/example/policy2", tmpDir: "/tmp/test2", setupFS: func(fs afero.Fs, destDir string) error { - if err := fs.MkdirAll(destDir, 0755); err != nil { + if err := fs.MkdirAll(destDir, 0o755); err != nil { return err } // Create .ec/policy.json file (higher priority) - return afero.WriteFile(fs, path.Join(destDir, ".ec/policy.json"), []byte(`{"policy": "config"}`), 0644) + return afero.WriteFile(fs, path.Join(destDir, ".ec/policy.json"), []byte(`{"policy": "config"}`), 0o644) }, mockDownloader: func(m *mockDownloader, destDir string) { m.On("Download", mock.Anything, destDir, "https://github.com/example/policy2", false). diff --git a/internal/policy/source/source.go b/internal/policy/source/source.go index 1cc83a7f7..f90f1d27d 100644 --- a/internal/policy/source/source.go +++ b/internal/policy/source/source.go @@ -134,7 +134,7 @@ func getPolicyThroughCache(ctx context.Context, s PolicySource, workDir string, } base := filepath.Dir(dest) - if err := fs.MkdirAll(base, 0755); err != nil { + if err := fs.MkdirAll(base, 0o755); err != nil { return "", nil, err } @@ -242,7 +242,7 @@ func (s inlineData) GetPolicy(ctx context.Context, workDir string, showMsg bool) dl := func(source string, dest string) (metadata.Metadata, error) { fs := utils.FS(ctx) - if err := fs.MkdirAll(dest, 0755); err != nil { + if err := fs.MkdirAll(dest, 0o755); err != nil { return nil, err } @@ -253,7 +253,7 @@ func (s inlineData) GetPolicy(ctx context.Context, workDir string, showMsg bool) Size: int64(len(dest)), } - return m, afero.WriteFile(fs, f, s.source, 0400) + return m, afero.WriteFile(fs, f, s.source, 0o400) } dest, _, err := getPolicyThroughCache(ctx, s, workDir, dl) diff --git a/internal/policy/source/source_test.go b/internal/policy/source/source_test.go index 92df12403..87af0f351 100644 --- a/internal/policy/source/source_test.go +++ b/internal/policy/source/source_test.go @@ -196,7 +196,7 @@ func TestInlineDataSource(t *testing.T) { // Verify file permissions stat, err := fs.Stat(file) require.NoError(t, err) - assert.Equal(t, os.FileMode(0400), stat.Mode().Perm()) + assert.Equal(t, os.FileMode(0o400), stat.Mode().Perm()) }) } } @@ -315,7 +315,7 @@ func TestInlineDataGetPolicy(t *testing.T) { // Verify file permissions are read-only stat, err := fs.Stat(ruleDataFile) require.NoError(t, err) - assert.Equal(t, os.FileMode(0400), stat.Mode().Perm(), "file should have read-only permissions") + assert.Equal(t, os.FileMode(0o400), stat.Mode().Perm(), "file should have read-only permissions") // Verify cache functionality - second call should return same result dest2, err2 := s.GetPolicy(ctx, tt.workDir, tt.showMsg) @@ -548,11 +548,11 @@ func TestGetPolicyThroughCache(t *testing.T) { data := []byte("hello") dl := func(source, dest string) (metadata.Metadata, error) { invocations++ - if err := fs.MkdirAll(dest, 0755); err != nil { + if err := fs.MkdirAll(dest, 0o755); err != nil { return nil, err } - return nil, afero.WriteFile(fs, filepath.Join(dest, "data.json"), data, 0400) + return nil, afero.WriteFile(fs, filepath.Join(dest, "data.json"), data, 0o400) } source := &mockPolicySource{&mock.Mock{}} @@ -614,7 +614,7 @@ func TestDownloadCacheWorkdirMismatch(t *testing.T) { // same URL downloaded to workdir1 precachedDest := uniqueDestination(tmp, "subdir", source.PolicyUrl()) - require.NoError(t, os.MkdirAll(precachedDest, 0755)) + require.NoError(t, os.MkdirAll(precachedDest, 0o755)) downloadCache.Store("policy-url", func() (string, cacheContent) { return precachedDest, cacheContent{} }) @@ -652,11 +652,11 @@ func TestConcurrentPolicyCachingRaceCondition(t *testing.T) { // This represents the first worker that successfully downloaded the policy sharedCacheDir := filepath.Join(tmp, "shared-cache") cachedPolicyPath := uniqueDestination(sharedCacheDir, "subdir", source.PolicyUrl()) - require.NoError(t, os.MkdirAll(cachedPolicyPath, 0755)) + require.NoError(t, os.MkdirAll(cachedPolicyPath, 0o755)) // Create test policy files policyFile := filepath.Join(cachedPolicyPath, "policy.rego") - require.NoError(t, os.WriteFile(policyFile, []byte("package test"), 0600)) + require.NoError(t, os.WriteFile(policyFile, []byte("package test"), 0o600)) // Pre-populate the cache with the shared policy location downloadCache.Store("policy-url", func() (string, cacheContent) { diff --git a/internal/utils/helpers_test.go b/internal/utils/helpers_test.go index 49884521d..4e59680c6 100644 --- a/internal/utils/helpers_test.go +++ b/internal/utils/helpers_test.go @@ -111,7 +111,7 @@ func TestIsFile(t *testing.T) { ctx := WithFS(context.Background(), fs) testFilePath := "/test-file.txt" - err := afero.WriteFile(fs, testFilePath, []byte("test"), 0644) + err := afero.WriteFile(fs, testFilePath, []byte("test"), 0o644) assert.NoError(t, err) isFile, err := IsFile(ctx, testFilePath) diff --git a/internal/utils/private_key_test.go b/internal/utils/private_key_test.go index c77690f9e..d8e1f130e 100644 --- a/internal/utils/private_key_test.go +++ b/internal/utils/private_key_test.go @@ -41,7 +41,7 @@ func TestPrivateKeyFromKeyRef(t *testing.T) { name: "file path", keyRef: "/path/to/key.pem", setup: func(fs afero.Fs, ctx context.Context) { - err := afero.WriteFile(fs, "/path/to/key.pem", []byte("test key content"), 0600) + err := afero.WriteFile(fs, "/path/to/key.pem", []byte("test key content"), 0o600) require.NoError(t, err) }, expectErr: false, @@ -218,7 +218,7 @@ func TestPublicKeyFromKeyRef(t *testing.T) { name: "file path", keyRef: "/path/to/public-key.pem", setup: func(fs afero.Fs, ctx context.Context) { - err := afero.WriteFile(fs, "/path/to/public-key.pem", []byte("test public key content"), 0600) + err := afero.WriteFile(fs, "/path/to/public-key.pem", []byte("test public key content"), 0o600) require.NoError(t, err) }, expectErr: false, diff --git a/internal/validate/helpers_test.go b/internal/validate/helpers_test.go index 692aaf647..5dfc4b09d 100644 --- a/internal/validate/helpers_test.go +++ b/internal/validate/helpers_test.go @@ -32,9 +32,9 @@ func TestGetPolicyConfig(t *testing.T) { fileName := "/tmp/policy.yaml" fileContent := "foo: bar" emptyFile := "/tmp/empty.yaml" - err := afero.WriteFile(fs, fileName, []byte(fileContent), 0644) + err := afero.WriteFile(fs, fileName, []byte(fileContent), 0o644) require.NoError(t, err) - err = afero.WriteFile(fs, emptyFile, []byte{}, 0644) + err = afero.WriteFile(fs, emptyFile, []byte{}, 0o644) require.NoError(t, err) tests := []struct { @@ -66,9 +66,9 @@ func TestGetPolicyConfig(t *testing.T) { func TestReadFile(t *testing.T) { fs := afero.NewMemMapFs() ctx := utils.WithFS(context.Background(), fs) - err := afero.WriteFile(fs, "/tmp/testfile.txt", []byte("hello world"), 0644) + err := afero.WriteFile(fs, "/tmp/testfile.txt", []byte("hello world"), 0o644) require.NoError(t, err) - err = afero.WriteFile(fs, "/tmp/emptyfile.txt", []byte{}, 0644) + err = afero.WriteFile(fs, "/tmp/emptyfile.txt", []byte{}, 0o644) require.NoError(t, err) tests := []struct { diff --git a/internal/validate/vsa/attest_test.go b/internal/validate/vsa/attest_test.go index 8cb72a6c6..6e16f8d81 100644 --- a/internal/validate/vsa/attest_test.go +++ b/internal/validate/vsa/attest_test.go @@ -388,7 +388,7 @@ func TestNewSigner_Comprehensive(t *testing.T) { name: "file path success", keyRef: "/path/to/key.pem", setup: func(fs afero.Fs, ctx context.Context) { - err := afero.WriteFile(fs, "/path/to/key.pem", []byte("test key content"), 0600) + err := afero.WriteFile(fs, "/path/to/key.pem", []byte("test key content"), 0o600) if err != nil { t.Fatalf("WriteFile: %v", err) } diff --git a/internal/validate/vsa/file_retriever_test.go b/internal/validate/vsa/file_retriever_test.go index 6b597b83b..a6c28a4db 100644 --- a/internal/validate/vsa/file_retriever_test.go +++ b/internal/validate/vsa/file_retriever_test.go @@ -52,11 +52,11 @@ func TestFileVSARetriever_RetrieveVSA(t *testing.T) { require.NoError(t, err) // Write to both real filesystem and memory filesystem for different tests - err = os.WriteFile(vsaPath, envelopeJSON, 0600) + err = os.WriteFile(vsaPath, envelopeJSON, 0o600) require.NoError(t, err) // Also write to memory filesystem - err = afero.WriteFile(fs, "test-vsa.json", envelopeJSON, 0600) + err = afero.WriteFile(fs, "test-vsa.json", envelopeJSON, 0o600) require.NoError(t, err) tests := []struct { @@ -278,7 +278,7 @@ func TestFileVSARetriever_RetrieveVSA_ErrorCases(t *testing.T) { // Create a test file with invalid JSON invalidJSON := []byte(`{"invalid": json}`) - err := afero.WriteFile(fs, "invalid.json", invalidJSON, 0600) + err := afero.WriteFile(fs, "invalid.json", invalidJSON, 0o600) require.NoError(t, err) // Create a test file with valid JSON but invalid DSSE structure @@ -288,7 +288,7 @@ func TestFileVSARetriever_RetrieveVSA_ErrorCases(t *testing.T) { } invalidDSSEJSON, err := json.Marshal(invalidDSSE) require.NoError(t, err) - err = afero.WriteFile(fs, "invalid-dsse.json", invalidDSSEJSON, 0600) + err = afero.WriteFile(fs, "invalid-dsse.json", invalidDSSEJSON, 0o600) require.NoError(t, err) tests := []struct { diff --git a/internal/validate/vsa/storage_local.go b/internal/validate/vsa/storage_local.go index 6fa48054f..895b07449 100644 --- a/internal/validate/vsa/storage_local.go +++ b/internal/validate/vsa/storage_local.go @@ -52,7 +52,7 @@ func NewLocalBackend(config *StorageConfig) (StorageBackend, error) { } // Ensure directory exists - if err := os.MkdirAll(basePath, 0755); err != nil { + if err := os.MkdirAll(basePath, 0o755); err != nil { return nil, fmt.Errorf("failed to create storage directory %s: %w", basePath, err) } @@ -67,7 +67,7 @@ func (l *LocalBackend) Name() string { // Upload saves the VSA envelope to a local file func (l *LocalBackend) Upload(ctx context.Context, envelopeContent []byte) error { // Create directory if it doesn't exist - if err := os.MkdirAll(l.basePath, 0755); err != nil { + if err := os.MkdirAll(l.basePath, 0o755); err != nil { return fmt.Errorf("failed to create directory %s: %w", l.basePath, err) } @@ -78,7 +78,7 @@ func (l *LocalBackend) Upload(ctx context.Context, envelopeContent []byte) error // Write to file filePath := filepath.Join(l.basePath, filename) - if err := os.WriteFile(filePath, envelopeContent, 0600); err != nil { + if err := os.WriteFile(filePath, envelopeContent, 0o600); err != nil { return fmt.Errorf("failed to write VSA envelope to %s: %w", filePath, err) } diff --git a/internal/validate/vsa/vsa.go b/internal/validate/vsa/vsa.go index cee6a591b..82dc158aa 100644 --- a/internal/validate/vsa/vsa.go +++ b/internal/validate/vsa/vsa.go @@ -326,7 +326,7 @@ func removeDuplicateStrings(slice []string) []string { type Writer struct { FS afero.Fs // defaults to the package-level FS or afero.NewOsFs() TempDirPrefix string // defaults to "vsa-" - FilePerm os.FileMode // defaults to 0600 + FilePerm os.FileMode // defaults to 0o600 } // NewWriter creates a new VSA file writer diff --git a/internal/validate/vsa/vsa_test.go b/internal/validate/vsa/vsa_test.go index 02cc92c94..32448e264 100644 --- a/internal/validate/vsa/vsa_test.go +++ b/internal/validate/vsa/vsa_test.go @@ -82,11 +82,11 @@ OURRVjNQMk9ndDFDaVFHeGg1VXhUZytGc3c9PSJ9 // Write test files vsaPath := "/test.vsa.json" data, _ := json.Marshal(pred) - err := afero.WriteFile(fs, vsaPath, data, 0600) + err := afero.WriteFile(fs, vsaPath, data, 0o600) assert.NoError(t, err) keyPath := "/test.key" - err = afero.WriteFile(fs, keyPath, []byte(testKey), 0600) + err = afero.WriteFile(fs, keyPath, []byte(testKey), 0o600) assert.NoError(t, err) // Test successful signing @@ -650,7 +650,7 @@ OURRVjNQMk9ndDFDaVFHeGg1VXhUZytGc3c9PSJ9 // Set up test filesystem fs := afero.NewMemMapFs() keyPath := "/test.key" - err := afero.WriteFile(fs, keyPath, []byte(testKey), 0600) + err := afero.WriteFile(fs, keyPath, []byte(testKey), 0o600) require.NoError(t, err) t.Run("successful signer creation", func(t *testing.T) { @@ -677,7 +677,7 @@ OURRVjNQMk9ndDFDaVFHeGg1VXhUZytGc3c9PSJ9 t.Run("invalid key content", func(t *testing.T) { ctx := context.Background() invalidKeyPath := "/invalid.key" - err := afero.WriteFile(fs, invalidKeyPath, []byte("invalid key content"), 0600) + err := afero.WriteFile(fs, invalidKeyPath, []byte("invalid key content"), 0o600) require.NoError(t, err) signer, err := NewSigner(ctx, invalidKeyPath, fs) @@ -707,7 +707,7 @@ dXdrWDBYL1phY0RUTERGaUxyc1laMWVMMmlqMGU1MVRpZmVQNTl4WXNPK1FnM1Jv OURRVjNQMk9ndDFDaVFHeGg1VXhUZytGc3c9PSJ9 -----END ENCRYPTED SIGSTORE PRIVATE KEY-----` - err := afero.WriteFile(fs, keyPath, []byte(testKey), 0600) + err := afero.WriteFile(fs, keyPath, []byte(testKey), 0o600) require.NoError(t, err) ctx := context.Background()