update code for the golangci-lint release v.2.7.0

Remove some of the gosec type linter check exceptions. Latest version of
golanci-lint can determine the bounds of variables better and does not
raise problems.

Split the check_os_updates code into available platforms of: linux,
darwin, windows, other. Fix the linting problems that would arise due to
unused variables on different platforms.

Author: Ahmet Oeztuerk

Makefile

@@ -353,6 +353,8 @@ golangci: tools
 	# golangci combines a few static code analyzer
 	# See https://github.com/golangci/golangci-lint
 	#
+	@which golangci-lint
+	@golangci-lint version
 	@echo "  - GOOS=linux"; \
 	GOOS=linux CGO_ENABLED=0 golangci-lint run --timeout=5m pkg/... cmd/... t/...
 	@echo "  - GOOS=darwin"; \

pkg/convert/convert.go

@@ -156,7 +156,7 @@ func Int32E(raw any) (int32, error) {
 			return 0, fmt.Errorf("number to large for int32")
 		}
 
-		return int32(num), nil //nolint:gosec // false positive, MaxInt32 has been checked but it not considered by gosec (https://github.com/securego/gosec/issues/1187)
+		return int32(num), nil
 	}
 }
 

pkg/humanize/humanize.go

@@ -122,7 +122,7 @@ func NumF(num int64, precision int) string {
 		prefix = "-"
 	}
 
-	return prefix + humanizeBytes(uint64(num), 1000, []string{"", "k", "M", "G", "T", "P", "E"}, precision) //nolint:gosec // underflow checked before but not recognized by gosec
+	return prefix + humanizeBytes(uint64(num), 1000, []string{"", "k", "M", "G", "T", "P", "E"}, precision)
 }
 
 // Bytes(82854982) -> 83 MB

pkg/humanize/humanize_test.go

@@ -30,7 +30,7 @@ func TestParseBytes(t *testing.T) {
 		} else {
 			require.NoError(t, err)
 		}
-		assert.Equalf(t, int64(tst.res), int64(res), "ParseBytes: %s -> %d", tst.in, res) //nolint:gosec // no overflow, fixed range of numbers
+		assert.Equalf(t, int64(tst.res), int64(res), "ParseBytes: %s -> %d", tst.in, res)
 	}
 }
 

pkg/nrpe/nrpe.go

@@ -133,7 +133,7 @@ func BuildPacketV4(packetType, statusCode uint16, statusLine []byte) *Packet {
 	binary.BigEndian.PutUint32(packet.crc32, 0)
 	binary.BigEndian.PutUint16(packet.statusCode, statusCode)
 	binary.BigEndian.PutUint16(packet.alignment, 0)
-	binary.BigEndian.PutUint32(packet.dataLength, uint32(dataLength)) //nolint:gosec // dataLength cannot exceed NrpeV4MaxPacketDataLength which is smaller than MaxUint32
+	binary.BigEndian.PutUint32(packet.dataLength, uint32(dataLength))
 
 	copy(packet.data, statusLine)
 	packet.data[dataLength-1] = 0 // add null byte

pkg/snclient/check_os_updates.go

@@ -3,13 +3,8 @@ package snclient
 import (
 	"cmp"
 	"context"
-	_ "embed"
 	"fmt"
-	"os"
-	"regexp"
-	"runtime"
 	"slices"
-	"strings"
 
 	"github.com/consol-monitoring/snclient/pkg/convert"
 )
@@ -18,17 +13,6 @@ func init() {
 	AvailableChecks["check_os_updates"] = CheckEntry{"check_os_updates", NewCheckOSUpdates}
 }
 
-//go:embed embed/scripts/windows/check_os_updates.ps1
-var checkOSupdatesPS1 string
-
-var (
-	reAPTSecurity = regexp.MustCompile(`(Debian-Security:|Ubuntu:[^/]*/[^-]*-security)`)
-	reAPTEntry    = regexp.MustCompile(`^Inst\s+(\S+)\s+\[([^\[]+)\]\s+\((\S+)\s+(.*)\s+\[(\S+)\]\)`)
-	reYUMEntry    = regexp.MustCompile(`^(\S+)\.(\S+)\s+(\S+)\s+(\S+)`)
-	reOSXEntry    = regexp.MustCompile(`^\*\s+Label:\s+(.*)$`)
-	reOSXDetails  = regexp.MustCompile(`^Title:.*Version:\s(\S+), `)
-)
-
 type CheckOSUpdates struct {
 	snc    *Agent
 	system string
@@ -81,41 +65,10 @@ If you only want to be notified about security related updates:
 func (l *CheckOSUpdates) Check(ctx context.Context, snc *Agent, check *CheckData, _ []Argument) (*CheckResult, error) {
 	l.snc = snc
 
-	found := 0
-	ok, err := l.addAPT(ctx, check)
-	if err != nil {
-		return nil, err
-	}
-	if ok {
-		found++
-	}
-
-	ok, err = l.addYUM(ctx, check)
-	if err != nil {
-		return nil, err
-	}
-	if ok {
-		found++
-	}
-
-	ok, err = l.addOSX(ctx, check)
-	if err != nil {
-		return nil, err
-	}
-	if ok {
-		found++
-	}
+	addedOsBackendCount, osBackendAddErr := l.addOSBackends(ctx, check)
 
-	ok, err = l.addWindows(ctx, check)
-	if err != nil {
-		return nil, err
-	}
-	if ok {
-		found++
-	}
-
-	if found == 0 {
-		return nil, fmt.Errorf("no suitable package system found, supported systems are apt, yum, osx and windows")
+	if addedOsBackendCount == 0 {
+		return nil, fmt.Errorf("no suitable package system found, supported systems are apt, yum, osx and windows. found errors: %w", osBackendAddErr)
 	}
 
 	count := 0
@@ -173,250 +126,3 @@ func (l *CheckOSUpdates) Check(ctx context.Context, snc *Agent, check *CheckData
 
 	return check.Finalize()
 }
-
-// get packages from apt
-func (l *CheckOSUpdates) addAPT(ctx context.Context, check *CheckData) (bool, error) {
-	switch l.system {
-	case "auto":
-		if runtime.GOOS != "linux" {
-			return false, nil
-		}
-		_, err := os.Stat("/usr/bin/apt-get")
-		if os.IsNotExist(err) {
-			return false, nil
-		}
-	case "apt":
-	default:
-		return false, nil
-	}
-
-	if l.update {
-		output, stderr, rc, err := l.snc.execCommand(ctx, "apt-get update", DefaultCmdTimeout)
-		if err != nil {
-			return true, fmt.Errorf("apt-get update failed: %s\n%s", err.Error(), stderr)
-		}
-		if rc != 0 {
-			return true, fmt.Errorf("apt-get update failed: %s\n%s", output, stderr)
-		}
-	}
-
-	output, stderr, rc, err := l.snc.execCommand(ctx, "apt-get upgrade -o 'Debug::NoLocking=true' -s -qq", DefaultCmdTimeout)
-	if err != nil {
-		return true, fmt.Errorf("apt-get upgrade failed: %s\n%s", err.Error(), stderr)
-	}
-	if rc != 0 {
-		return true, fmt.Errorf("apt-get upgrade failed: %s\n%s", output, stderr)
-	}
-
-	l.parseAPT(output, check)
-
-	return true, nil
-}
-
-func (l *CheckOSUpdates) parseAPT(output string, check *CheckData) {
-	for line := range strings.SplitSeq(output, "\n") {
-		matches := reAPTEntry.FindStringSubmatch(line)
-		security := "0"
-		if reAPTSecurity.MatchString(line) {
-			security = "1"
-		}
-		if len(matches) < 5 {
-			continue
-		}
-		check.listData = append(check.listData, map[string]string{
-			"security":    security,
-			"package":     matches[1],
-			"version":     matches[3],
-			"old_version": matches[2],
-			"repository":  matches[4],
-			"arch":        matches[5],
-		})
-	}
-}
-
-// get packages from yum
-func (l *CheckOSUpdates) addYUM(ctx context.Context, check *CheckData) (bool, error) {
-	switch l.system {
-	case "auto":
-		if runtime.GOOS != "linux" {
-			return false, nil
-		}
-		_, err := os.Stat("/usr/bin/yum")
-		if os.IsNotExist(err) {
-			return false, nil
-		}
-	case "yum":
-	default:
-		return false, nil
-	}
-
-	yumOpts := " -C"
-	if l.update {
-		yumOpts = ""
-	}
-
-	output, stderr, exitCode, err := l.snc.execCommand(ctx, "yum check-update --security -q"+yumOpts, DefaultCmdTimeout)
-	if err != nil {
-		return true, fmt.Errorf("yum check-update failed: %s\n%s", err.Error(), stderr)
-	}
-	if exitCode != 0 && exitCode != 100 {
-		return true, fmt.Errorf("yum check-update failed: %s\n%s", output, stderr)
-	}
-	packageLookup := l.parseYUM(output, "1", check, nil)
-
-	output, stderr, exitCode, err = l.snc.execCommand(ctx, "yum check-update -q"+yumOpts, DefaultCmdTimeout)
-	if err != nil {
-		return true, fmt.Errorf("yum check-update failed: %s\n%s", err.Error(), stderr)
-	}
-	if exitCode != 0 && exitCode != 100 {
-		return true, fmt.Errorf("yum check-update failed: %s\n%s", output, stderr)
-	}
-	l.parseYUM(output, "0", check, packageLookup)
-
-	return true, nil
-}
-
-func (l *CheckOSUpdates) parseYUM(output, security string, check *CheckData, skipPackages map[string]bool) map[string]bool {
-	packages := map[string]bool{}
-	for line := range strings.SplitSeq(output, "\n") {
-		if strings.HasPrefix(line, "Obsoleting Packages") {
-			break
-		}
-		matches := reYUMEntry.FindStringSubmatch(line)
-		if len(matches) < 3 {
-			continue
-		}
-		if skipPackages[matches[1]] {
-			continue
-		}
-		packages[matches[1]] = true
-		check.listData = append(check.listData, map[string]string{
-			"security":    security,
-			"package":     matches[1],
-			"version":     matches[2],
-			"old_version": "",
-			"repository":  matches[3],
-			"arch":        matches[2],
-		})
-	}
-
-	return packages
-}
-
-// get packages from osx softwareupdate
-func (l *CheckOSUpdates) addOSX(ctx context.Context, check *CheckData) (bool, error) {
-	switch l.system {
-	case "auto":
-		if runtime.GOOS != "darwin" {
-			return false, nil
-		}
-		_, err := os.Stat("/usr/sbin/softwareupdate")
-		if os.IsNotExist(err) {
-			return false, nil
-		}
-	case "osx":
-	default:
-		return false, nil
-	}
-
-	opts := " --no-scan"
-	if l.update {
-		opts = ""
-	}
-
-	output, stderr, exitCode, err := l.snc.execCommand(ctx, "softwareupdate -l"+opts, DefaultCmdTimeout)
-	if err != nil {
-		return true, fmt.Errorf("softwareupdate failed: %s\n%s", err.Error(), stderr)
-	}
-	if exitCode != 0 {
-		return true, fmt.Errorf("softwareupdate failed: %s\n%s", output, stderr)
-	}
-
-	l.parseOSX(output, check)
-
-	return true, nil
-}
-
-func (l *CheckOSUpdates) parseOSX(output string, check *CheckData) {
-	var lastEntry map[string]string
-	for line := range strings.SplitSeq(output, "\n") {
-		if lastEntry != nil {
-			matches := reOSXDetails.FindStringSubmatch(line)
-			if len(matches) > 1 {
-				lastEntry["version"] = matches[1]
-
-				continue
-			}
-		}
-		matches := reOSXEntry.FindStringSubmatch(line)
-		if len(matches) < 2 {
-			continue
-		}
-		entry := map[string]string{
-			"security":    "0",
-			"package":     matches[1],
-			"version":     "",
-			"old_version": "",
-			"repository":  "",
-			"arch":        "",
-		}
-		check.listData = append(check.listData, entry)
-		lastEntry = entry
-	}
-}
-
-// get packages from windows powershell
-func (l *CheckOSUpdates) addWindows(ctx context.Context, check *CheckData) (bool, error) {
-	switch l.system {
-	case "auto":
-		if runtime.GOOS != "windows" {
-			return false, nil
-		}
-	case "windows":
-	default:
-		return false, nil
-	}
-
-	// https://learn.microsoft.com/en-us/windows/win32/api/wuapi/nf-wuapi-iupdatesearcher-search
-	// https://learn.microsoft.com/en-us/windows/win32/api/wuapi/nn-wuapi-iupdate
-	cmd := powerShellCmd(ctx, checkOSupdatesPS1)
-	if l.update {
-		cmd.Env = append(cmd.Env, "ONLINE_SEARCH=1")
-	}
-	output, stderr, exitCode, _, err := l.snc.runExternalCommand(ctx, cmd, DefaultCmdTimeout)
-	if err != nil {
-		return true, fmt.Errorf("getting pending updates failed: %s\n%s", err.Error(), stderr)
-	}
-	if exitCode != 0 {
-		return true, fmt.Errorf("getting pending updates failed: %s\n%s", output, stderr)
-	}
-
-	l.parseWindows(output, check)
-
-	return true, nil
-}
-
-func (l *CheckOSUpdates) parseWindows(output string, check *CheckData) {
-	var lastEntry map[string]string
-	for line := range strings.SplitSeq(output, "\n") {
-		if strings.HasPrefix(line, "Category: ") {
-			if strings.Contains(line, "Security") || strings.Contains(line, "Critical") {
-				lastEntry["security"] = "1"
-			}
-
-			continue
-		}
-		if pkg, ok := strings.CutPrefix(line, "Title: "); ok {
-			entry := map[string]string{
-				"security":    "0",
-				"package":     pkg,
-				"version":     "",
-				"old_version": "",
-				"repository":  "",
-				"arch":        "",
-			}
-			check.listData = append(check.listData, entry)
-			lastEntry = entry
-		}
-	}
-}