
CI(lint): Add gosec exclusion rules to fix lint jobs #715

Merged
bupd merged 1 commit into goharbor:main from vg006:fix/lint
Mar 3, 2026
Conversation

@vg006 vg006 commented Feb 21, 2026

Contributor

Overview

Fixes #711

This PR aims to fix the failure of the lint job in the release pipeline with updated gosec linter rules.

Problem

The lint job fails only because of issues identified by the gosec linter, which updated its policies and made its checks stricter in its latest release last week.

So it raises multiple issues, notably:

  1. G101: Look for hard coded credentials
  2. G115: Potential integer overflow when converting between integer types
  3. G117: Potential exposure of secrets in values marshaled by JSON/YAML/XML/TOML
  4. G703: Path traversal via taint analysis

Most of these issues are risk-free false positives and can be ignored; the reasons are explained below.

Solution

Note that golangci-lint is usually packaged and released with the latest versions of multiple linters and formatters every time.
Similarly, its latest version v2.10 (changelog) is packaged with the latest version of gosec (changelog), which adds a few rules including those listed above. (ref)

Also, golangci-lint doesn't provide a way to pin a particular version of a specific linter, which isn't a good thing either.

So obviously, the lint job with golangci-lint v2.10 and above will continue to fail. As the failure is only due to gosec and not golangci-lint itself, it is better to update the gosec linter rules as suggested above, rather than rolling back to or pinning a specific version of golangci-lint.

I have tested the lint job with multiple versions of golangci-lint using dagger locally, and here are the reports.

Changes

  1. The .golangci-lint.yaml file is updated with new gosec exclusion rules that skip test files (_test.go and files under the test dir), which eliminates numerous G101 and G117 issues.

```yaml
linters:
  exclusions:
    rules:
      # Drop G117 (secrets in marshaled values) reports everywhere.
      - linters:
          - gosec
        text: "G117:"
      # Do not run gosec at all on files under the test directory.
      - path: test
        linters:
          - gosec
```

  2. There are a few G703 and G115 issues, which are false positives, so they are ignored using the nosec inline rule.

```go
// #nosec <Rule> - <Justification>
```

With this configuration, there are no issues from gosec and the lint job will pass. The results of the local tests can be seen here.

Conclusion

As the failure is only due to gosec and not golangci-lint itself, it is better to update the gosec linter rules as suggested above, rather than rolling back to or pinning a specific version of golangci-lint.

cc: @bupd @NucleoFusion @qcserestipy

Signed-off-by: vg006 <devvg006@gmail.com>
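As an added illustration (not code from the Harbor CLI repository or from this PR), the Go snippet below shows what a justified inline suppression looks like for the two rule families this PR silences with `#nosec`, G115 and G703: the narrowing conversion and the path join each carry an explicit guard that the annotation's justification can point at, so a later auditor can confirm the finding really is a false positive. The helper names, the `/srv/data` base directory and the sample inputs are assumptions. The annotation uses the `-- justification` separator shown in gosec's README; check the form accepted by the gosec version bundled in your golangci-lint.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"path/filepath"
	"strings"
)

// Sentinel errors returned by the guarded helpers below.
var (
	ErrOverflow  = errors.New("value does not fit in int32")
	ErrTraversal = errors.New("path escapes the base directory")
)

// ToInt32 narrows an int64 to int32 only when the value is representable.
// gosec G115 reports the bare conversion int32(n) because it can silently
// wrap; the explicit range check is what turns a "#nosec G115" on that line
// from a blind suppression into a documented, justified one.
func ToInt32(n int64) (int32, error) {
	if n < math.MinInt32 || n > math.MaxInt32 {
		return 0, ErrOverflow
	}
	return int32(n), nil // #nosec G115 -- range checked on the line above
}

// SafeJoin resolves userPath beneath base and rejects any result that would
// land outside base. gosec G703 reports file operations whose path derives
// from tainted (user-controlled) input; this containment check is the kind
// of guard a "#nosec G703" justification should be able to point at.
func SafeJoin(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	// Join also cleans the result, so "a/../../x" is collapsed before the
	// containment check instead of being matched textually.
	joined := filepath.Join(cleanBase, userPath)
	rel, err := filepath.Rel(cleanBase, joined)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// Constructed sample inputs; the base directory is hypothetical.
	for _, n := range []int64{42, math.MaxInt32 + 1} {
		v, err := ToInt32(n)
		fmt.Printf("ToInt32(%d) -> %d, err=%v\n", n, v, err)
	}
	for _, p := range []string{"reports/2026/a.json", "../../etc/passwd", "reports/../../x"} {
		out, err := SafeJoin("/srv/data", p)
		fmt.Printf("SafeJoin(%q) -> %q, err=%v\n", p, out, err)
	}
}
```

The point of pairing the guard with the annotation is auditability: `grep -rn '#nosec'` then lists every suppression together with the check that justifies it, which is the property the reviewer below prefers over a global `-exclude`.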

codecov Bot commented Feb 21, 2026


Codecov Report

❌ Patch coverage is 0% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 7.24%. Comparing base (60ad0bd) to head (861e30e).
⚠️ Report is 99 commits behind head on main.

Files with missing lines          Patch %   Lines
cmd/harbor/root/login.go          0.00%     1 Missing ⚠️
pkg/views/context/list/view.go    0.00%     1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##             main    #715      +/-   ##
=========================================
- Coverage   10.99%   7.24%   -3.75%     
=========================================
  Files         173     260      +87     
  Lines        8671   12913    +4242     
=========================================
- Hits          953     935      -18     
- Misses       7612   11870    +4258     
- Partials      106     108       +2     


@qcserestipy qcserestipy left a comment

Collaborator


Thank you for looking into it in so much detail! LGTM. I like the inline comments for ignoring gosec issues. I think it is better than passing it generally to gosec, such as gosec -exclude=G115 ./..., because it makes it auditable where the issues are coming from.

@bupd bupd left a comment

Member


/lgtm

@bupd bupd merged commit 72ca80d into goharbor:main Mar 3, 2026
6 of 8 checks passed
@vg006 vg006 deleted the fix/lint branch March 3, 2026 14:56

Development

Successfully merging this pull request may close these issues.

Fix Lint Issues on main

3 participants