Update dependencies, Go version and address CVEs (#1474)

* Update dependencies, Go version and address CVEs

Signed-off-by: Anton Troshin <[email protected]>

* update golangci-lint version and list of disabled linters form dapr/dapr

Signed-off-by: Anton Troshin <[email protected]>

* adjust golangci-lint settings and fix lint issues

Signed-off-by: Anton Troshin <[email protected]>

* fix test

Signed-off-by: Anton Troshin <[email protected]>

---------

Signed-off-by: Anton Troshin <[email protected]>

Author: antontroshin

.github/workflows/dapr_cli.yaml

@@ -29,7 +29,7 @@ jobs:
     name: Build ${{ matrix.target_os }}_${{ matrix.target_arch }} binaries
     runs-on: ${{ matrix.os }}
     env:
-      GOLANG_CI_LINT_VER: v1.55.2
+      GOLANG_CI_LINT_VER: v1.61.0
       GOOS: ${{ matrix.target_os }}
       GOARCH: ${{ matrix.target_arch }}
       GOPROXY: https://proxy.golang.org

.golangci.yml

@@ -4,7 +4,7 @@ run:
   concurrency: 4
 
   # timeout for analysis, e.g. 30s, 5m, default is 1m
-  deadline: 10m
+  timeout: 10m
 
   # exit code when at least one issue was found, default is 1
   issues-exit-code: 1
@@ -16,28 +16,22 @@ run:
   #build-tags:
   #  - mytag
 
+issues:
   # which dirs to skip: they won't be analyzed;
   # can use regexp here: generated.*, regexp is applied on full path;
   # default value is empty list, but next dirs are always skipped independently
   # from this option's value:
   # third_party$, testdata$, examples$, Godeps$, builtin$
-  skip-dirs:
+  exclude-dirs:
     - ^pkg.*client.*clientset.*versioned.*
     - ^pkg.*client.*informers.*externalversions.*
     - pkg.*mod.*k8s.io.*
 
-  # which files to skip: they will be analyzed, but issues from them
-  # won't be reported. Default value is empty list, but there is
-  # no need to include all autogenerated files, we confidently recognize
-  # autogenerated files. If it's not please let us know.
-  skip-files: []
-  #  - ".*\\.my\\.go$"
-  #  - lib/bad.go
-
 # output configuration options
 output:
   # colored-line-number|line-number|json|tab|checkstyle, default is "colored-line-number"
-  format: tab
+  formats: 
+  - format: tab
 
   # print lines of code with issue, default is true
   print-issued-lines: true
@@ -71,9 +65,6 @@ linters-settings:
     statements: 40
 
   govet:
-    # report about shadowed variables
-    check-shadowing: true
-
     # settings per analyzer
     settings:
       printf: # analyzer name, run `go tool vet help` to see all analyzers
@@ -82,13 +73,18 @@ linters-settings:
           - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf
           - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf
           - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf
+          - github.com/dapr/cli/pkg/print.FailureStatusEvent
+          - github.com/dapr/cli/pkg/print.SuccessStatusEvent
+          - github.com/dapr/cli/pkg/print.WarningStatusEvent
+          - github.com/dapr/cli/pkg/print.InfoStatusEvent
+          - github.com/dapr/cli/pkg/print.StatusEvent
+          - github.com/dapr/cli/pkg/print.Spinner
 
     # enable or disable analyzers by name
     enable:
       - atomicalign
-    enable-all: false
-    disable:
       - shadow
+    enable-all: false
     disable-all: false
   revive:
     # linting errors below this confidence will be ignored, default is 0.8
@@ -106,9 +102,6 @@ linters-settings:
   gocognit:
     # minimal code complexity to report, 30 by default (but we recommend 10-20)
     min-complexity: 10
-  maligned:
-    # print struct with more effective memory layout or not, false by default
-    suggest-new: true
   dupl:
     # tokens count to trigger issue, 150 by default
     threshold: 100
@@ -141,7 +134,7 @@ linters-settings:
     # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
     # if it's called for subdir of a project it can't find funcs usages. All text editor integrations
     # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
+    exported-fields-are-used: false
   unparam:
     # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
     # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
@@ -216,12 +209,17 @@ linters-settings:
     # Allow case blocks to end with a whitespace.
     # Allow declarations (var) to be cuddled.
     allow-cuddle-declarations: false
+  testifylint:
+    disable:
+      - require-error
+      
 
 linters:
   fast: false
   enable-all: true
   disable:
     # TODO Enforce the below linters later
+    - musttag
     - dupl
     - errcheck
     - funlen
@@ -230,39 +228,48 @@ linters:
     - gocyclo
     - gocognit
     - godox
-    - interfacer
     - lll
-    - maligned
-    - scopelint
     - unparam
     - wsl
     - gomnd
     - testpackage
     - nestif
-    - goerr113
     - nlreturn
     - exhaustive
-    - gci
-    - noctx
-    - exhaustivestruct
     - exhaustruct
-    - gomoddirectives
-    - paralleltest
+    - noctx
+    - gci
     - tparallel
-    - wastedassign
-    - cyclop
-    - forbidigo
-    - tagliatelle
-    - thelper
+    - paralleltest
     - wrapcheck
+    - tagliatelle
+    - ireturn
+    - errchkjson
+    - contextcheck
+    - gomoddirectives
+    - godot
+    - cyclop
     - varnamelen
+    - errorlint
     - forcetypeassert
-    - ireturn
-    - golint
-    - nosnakecase
+    - maintidx
+    - nilnil
+    - predeclared
+    - tenv
+    - thelper
+    - wastedassign
+    - containedctx
+    - gosimple
+    - nonamedreturns
+    - asasalint
+    - rowserrcheck
+    - sqlclosecheck
+    - inamedparam
     - tagalign
-    - varcheck
-    - deadcode
-    - structcheck
-    - ifshort
-    - testifylint
+    - mnd
+    - canonicalheader
+    - exportloopref
+    - execinquery
+    - err113
+    - fatcontext
+    - forbidigo

cmd/dashboard.go

@@ -182,7 +182,7 @@ dapr dashboard -k -p 0
 			// url for dashboard after port forwarding.
 			webURL := fmt.Sprintf("http://%s", net.JoinHostPort(dashboardHost, fmt.Sprint(portForward.LocalPort))) //nolint: perfsprint
 
-			print.InfoStatusEvent(os.Stdout, fmt.Sprintf("Dapr dashboard found in namespace:\t%s", foundNamespace))
+			print.InfoStatusEvent(os.Stdout, "Dapr dashboard found in namespace:\t"+foundNamespace)
 			print.InfoStatusEvent(os.Stdout, fmt.Sprintf("Dapr dashboard available at:\t%s\n", webURL))
 
 			err = browser.OpenURL(webURL)

cmd/mtls.go

@@ -67,7 +67,7 @@ dapr mtls export -o ./certs
 		}
 
 		dir, _ := filepath.Abs(exportPath)
-		print.SuccessStatusEvent(os.Stdout, fmt.Sprintf("Trust certs successfully exported to %s", dir))
+		print.SuccessStatusEvent(os.Stdout, "Trust certs successfully exported to "+dir)
 	},
 	PostRun: func(cmd *cobra.Command, args []string) {
 		kubernetes.CheckForCertExpiry()

cmd/renew_certificate.go

@@ -103,7 +103,7 @@ dapr mtls renew-cert -k --valid-until <no of days> --restart
 					print.InfoStatusEvent(os.Stdout, "Using password file to generate root certificate")
 					err = kubernetes.RenewCertificate(kubernetes.RenewCertificateParams{
 						RootPrivateKeyFilePath: privateKey,
-						ValidUntil:             time.Hour * time.Duration(validUntil*24),
+						ValidUntil:             time.Hour * time.Duration(validUntil*24), //nolint:gosec
 						Timeout:                timeout,
 						ImageVariant:           imageVariant,
 					})
@@ -113,7 +113,7 @@ dapr mtls renew-cert -k --valid-until <no of days> --restart
 				} else {
 					print.InfoStatusEvent(os.Stdout, "generating fresh certificates")
 					err = kubernetes.RenewCertificate(kubernetes.RenewCertificateParams{
-						ValidUntil:   time.Hour * time.Duration(validUntil*24),
+						ValidUntil:   time.Hour * time.Duration(validUntil*24), //nolint:gosec
 						Timeout:      timeout,
 						ImageVariant: imageVariant,
 					})
@@ -129,7 +129,7 @@ dapr mtls renew-cert -k --valid-until <no of days> --restart
 				logErrorAndExit(err)
 			}
 			print.SuccessStatusEvent(os.Stdout,
-				fmt.Sprintf("Certificate rotation is successful! Your new certicate is valid through %s", expiry.Format(time.RFC1123)))
+				"Certificate rotation is successful! Your new certicate is valid through "+expiry.Format(time.RFC1123))
 
 			if restartDaprServices {
 				restartControlPlaneService()

cmd/run.go

@@ -319,14 +319,14 @@ dapr run --run-file /path/to/directory -k
 
 			stdErrPipe, pipeErr := output.AppCMD.StderrPipe()
 			if pipeErr != nil {
-				print.FailureStatusEvent(os.Stderr, fmt.Sprintf("Error creating stderr for App: %s", err.Error()))
+				print.FailureStatusEvent(os.Stderr, "Error creating stderr for App: "+err.Error())
 				appRunning <- false
 				return
 			}
 
 			stdOutPipe, pipeErr := output.AppCMD.StdoutPipe()
 			if pipeErr != nil {
-				print.FailureStatusEvent(os.Stderr, fmt.Sprintf("Error creating stdout for App: %s", err.Error()))
+				print.FailureStatusEvent(os.Stderr, "Error creating stdout for App: "+err.Error())
 				appRunning <- false
 				return
 			}
@@ -335,13 +335,13 @@ dapr run --run-file /path/to/directory -k
 			outScanner := bufio.NewScanner(stdOutPipe)
 			go func() {
 				for errScanner.Scan() {
-					fmt.Println(print.Blue(fmt.Sprintf("== APP == %s", errScanner.Text())))
+					fmt.Println(print.Blue("== APP == " + errScanner.Text()))
 				}
 			}()
 
 			go func() {
 				for outScanner.Scan() {
-					fmt.Println(print.Blue(fmt.Sprintf("== APP == %s", outScanner.Text())))
+					fmt.Println(print.Blue("== APP == " + outScanner.Text()))
 				}
 			}()
 
@@ -395,7 +395,7 @@ dapr run --run-file /path/to/directory -k
 			}
 
 			appCommand := strings.Join(args, " ")
-			print.InfoStatusEvent(os.Stdout, fmt.Sprintf("Updating metadata for app command: %s", appCommand))
+			print.InfoStatusEvent(os.Stdout, "Updating metadata for app command: "+appCommand)
 			err = metadata.Put(output.DaprHTTPPort, "appCommand", appCommand, output.AppID, unixDomainSocket)
 			if err != nil {
 				print.WarningStatusEvent(os.Stdout, "Could not update sidecar metadata for appCommand: %s", err.Error())