(fix): Fix necessary linter issues from gosec,errcheck and static che… #595

Draft
ompushkara wants to merge 1 commit into main from fix/gosec,staticcheck,errcheck-downstream

Conversation

@ompushkara

…ck (sigstore#4726)

@qodo-code-review

Review Summary by Qodo

Fix linter issues from gosec, errcheck, and staticcheck

🐞 Bug fix

Walkthroughs

Description
• Fix linter issues from gosec, errcheck, and staticcheck
• Replace deprecated swag.String with conv.Pointer function
• Handle write operation error return value properly
• Update format string to use %q for quoted output
• Reorganize go.mod dependencies for clarity
Diagram

```mermaid
flowchart LR
  A["Linter Issues"] --> B["gosec/errcheck/staticcheck"]
  B --> C["Format String Fix"]
  B --> D["Error Handling Fix"]
  B --> E["Deprecated API Fix"]
  C --> F["Updated Code"]
  D --> F
  E --> F
```

File Changes

1. cmd/conformance/main.go 🐞 Bug fix +1/-1

Fix format string quoting in error message

• Changed format string from %s to %q for proper quoting of os.Args[1]
• Addresses gosec linter warning about unquoted format strings


2. cmd/cosign/cli/generate/generate.go Error handling +2/-2

Handle write operation error properly

• Capture return value from w.Write() operation
• Return the error from w.Write() instead of nil
• Fixes errcheck linter warning about unchecked error


3. pkg/cosign/tlog.go 🐞 Bug fix +5/-5

Replace deprecated swag.String with conv.Pointer

• Replace import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv
• Replace all swag.String() calls with conv.Pointer() function
• Updates 4 occurrences in TLogUploadWithCustomHash and rekorEntry functions
• Addresses staticcheck linter warnings about deprecated API usage


4. go.mod Dependencies +2/-2

Reorganize go.mod dependencies

• Remove direct dependency on github.com/go-openapi/swag v0.25.4
• Add github.com/go-openapi/swag v0.25.4 as indirect dependency
• Update github.com/go-openapi/spec from v0.22.2 to v0.22.3
• Reorganize dependencies to reflect actual usage patterns


qodo-code-review bot commented Mar 2, 2026

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

Action required

1. go.sum missing spec v0.22.3 🐞 Bug ⛯ Reliability
Description
go.mod now requires github.com/go-openapi/spec v0.22.3, but go.sum in the PR checkout still contains
only v0.22.2 checksums. This will fail the GoReleaser hook that runs go mod tidy and requires no
diff in go.mod/go.sum.
Code

go.mod[R165-166]

+	github.com/go-openapi/spec v0.22.3 // indirect
+	github.com/go-openapi/swag v0.25.4 // indirect
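Review bot: both added require lines carry `// indirect`, yet the walkthrough above says pkg/cosign/tlog.go now imports `github.com/go-openapi/swag/conv` directly and the bump of `spec` from v0.22.2 to v0.22.3 is not mentioned in the PR title or commit message; run `go mod tidy` locally and commit go.mod and go.sum in the same change so the require block and the checksums agree (the go.sum range cited below still lists only v0.22.2), and say in the description whether the `spec` bump is deliberate or a side effect of tidying, since it changes which transitive module version the release is built against.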
Evidence
go.mod declares spec v0.22.3, but go.sum still pins spec v0.22.2 and has no v0.22.3 entry. The
release pipeline enforces go mod tidy and then asserts go.mod/go.sum are unchanged, so this
mismatch will cause failure.

go.mod[160-167]
go.sum[308-314]
.goreleaser.yml[11-15]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`go.mod` was updated to require `github.com/go-openapi/spec v0.22.3`, but the current `go.sum` in this PR checkout still contains only `v0.22.2` checksums. This will cause `.goreleaser.yml`’s pre-hook (`go mod tidy` then `git diff --exit-code go.mod go.sum`) to fail.
### Issue Context
GoReleaser enforces tidied module files:
- runs `go mod tidy`
- fails if `go.mod`/`go.sum` change afterwards
### Fix Focus Areas
- go.mod[160-167]
- go.sum[308-314]
- .goreleaser.yml[11-15]


Remediation recommended

2. GenerateCmd propagates write errors 🐞 Bug ⛯ Reliability
Description
GenerateCmd now returns the error from writing JSON to the provided io.Writer; the CLI treats any
returned error as fatal. This can turn benign stdout failures (e.g., broken pipe when output is
piped to head) into user-visible errors and non-zero exits.
Code

cmd/cosign/cli/generate/generate.go[R51-52]

+	_, err = w.Write(json)
+	return err
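Review bot: `return err` passes the raw write error straight to the CLI entrypoint, which (per the main.go reference below) exits fatally on any error, so the user sees a bare OS error with no indication of what was being written; wrap it, e.g. `return fmt.Errorf("writing output: %w", err)`, and decide explicitly whether a `syscall.EPIPE` from a reader that closed early (`cosign generate ... | head`) should map to a quiet exit rather than a failure, since the previous code silently ignored it. Minor: if this file imports `encoding/json`, a local variable named `json` shadows the package; renaming it (for example `out`) avoids that.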
Evidence
GenerateCmd now returns the result of w.Write(json). The main CLI entrypoint exits fatally on any
command error, so stdout write errors will abort the command and print an error message (behavioral
change vs ignoring write errors).

cmd/cosign/cli/generate/generate.go[47-52]
cmd/cosign/main.go[64-75]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`GenerateCmd` now returns errors from `w.Write(json)`. Because the CLI main treats any returned error as fatal, this can cause `cosign generate ... | head`-style usage to exit non-zero with a noisy error for a benign broken-pipe condition.
### Issue Context
This change is likely driven by `errcheck`, but many CLIs suppress `EPIPE` to avoid failing pipelines when the consumer intentionally closes stdout early.
### Fix Focus Areas
- cmd/cosign/cli/generate/generate.go[47-52]
- cmd/cosign/main.go[64-75]

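The second finding above recommends returning write errors without turning a closed read end into a fatal exit. The following is an added example written for this page, not cosign's code: a JSON write helper that reports every write failure (it goes a little beyond the finding by also covering a short write and a disk-full error), but maps a broken pipe to a distinct sentinel that the exit-code mapping treats as a quiet success. The names `WriteJSON`, `IsBrokenPipe`, `ExitCode` and `ErrBrokenPipe` and the two simulated writers are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"syscall"
)

// ErrBrokenPipe is the sentinel returned when the reader closed the pipe
// before the output was fully written (EPIPE). Assumed name for this example.
var ErrBrokenPipe = errors.New("output pipe closed by reader")

// IsBrokenPipe reports whether err is, or wraps, EPIPE. (*os.File).Write
// returns a *os.PathError wrapping syscall.EPIPE, which errors.Is unwraps.
func IsBrokenPipe(err error) bool {
	return errors.Is(err, syscall.EPIPE)
}

// WriteJSON marshals v and writes it to w. Instead of discarding the result
// of w.Write, it returns every failure, but distinguishes a benign broken
// pipe (ErrBrokenPipe) from genuine output errors (wrapped with context).
func WriteJSON(w io.Writer, v any) error {
	data, err := json.Marshal(v)
	if err != nil {
		return fmt.Errorf("encoding output: %w", err)
	}
	n, err := w.Write(data)
	if err != nil {
		if IsBrokenPipe(err) {
			return ErrBrokenPipe
		}
		return fmt.Errorf("writing output: %w", err)
	}
	if n != len(data) {
		// A conforming io.Writer returns an error on a short write; guard anyway.
		return io.ErrShortWrite
	}
	return nil
}

// ExitCode maps a command error to a process exit status the way a CLI main
// might: a broken pipe is a quiet success, anything else is a failure.
func ExitCode(err error) int {
	switch {
	case err == nil, errors.Is(err, ErrBrokenPipe):
		return 0
	default:
		return 1
	}
}

// epipeWriter simulates stdout whose reader has gone away; it returns the
// same error shape *os.File produces. Constructed for this example.
type epipeWriter struct{}

func (epipeWriter) Write(p []byte) (int, error) {
	return 0, &os.PathError{Op: "write", Path: "/dev/stdout", Err: syscall.EPIPE}
}

// diskFullWriter simulates a genuine output failure. Constructed for this example.
type diskFullWriter struct{}

func (diskFullWriter) Write(p []byte) (int, error) {
	return 0, &os.PathError{Op: "write", Path: "/tmp/out.json", Err: syscall.ENOSPC}
}

func main() {
	payload := map[string]any{"kind": "example", "count": 2} // constructed sample
	for _, w := range []io.Writer{os.Stdout, epipeWriter{}, diskFullWriter{}} {
		err := WriteJSON(w, payload)
		fmt.Fprintf(os.Stderr, "\nerr=%v exit=%d\n", err, ExitCode(err))
	}
}
```

One caveat worth knowing when applying this to stdout: for file descriptors 1 and 2 the Go runtime, unless the program catches SIGPIPE via os/signal, terminates the process with SIGPIPE on the first write to a broken pipe, so Write never returns EPIPE there; the EPIPE branch above is reached for other writers and for programs that do handle SIGPIPE, which is precisely the situation in which a bare `return err` would surface as a spurious fatal error.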

…ck (sigstore#4726)

Signed-off-by: ompushkara <omotilal@redhat.com>
ompushkara force-pushed the fix/gosec,staticcheck,errcheck-downstream branch from d89cc99 to c1e3825 on March 2, 2026 11:07
ompushkara marked this pull request as draft March 2, 2026 14:38
ompushkara marked this pull request as ready for review March 2, 2026 16:46
@qodo-code-review

Review Summary by Qodo

Fix linter issues from gosec, errcheck, and staticcheck
🐞 Bug fix

Walkthroughs

Description
• Fix linter issues from gosec, errcheck, and staticcheck
• Replace deprecated swag.String() with conv.Pointer()
• Handle write operation error return values properly
• Update go-openapi/spec dependency to v0.22.3
• Improve string formatting in log messages
Diagram

```mermaid
flowchart LR
  A["Linter Issues<br/>gosec, errcheck, staticcheck"] -->|"Fix string formatting"| B["cmd/conformance/main.go"]
  A -->|"Handle write errors"| C["cmd/cosign/cli/generate/generate.go"]
  A -->|"Replace deprecated API"| D["pkg/cosign/tlog.go"]
  D -->|"Update imports"| E["go.mod & go.sum"]
  E -->|"swag.String → conv.Pointer"| F["Resolved Issues"]
```

File Changes

1. cmd/conformance/main.go 🐞 Bug fix +1/-1

Fix log format specifier for string safety

• Changed log format specifier from %s to %q for safer string formatting


2. cmd/cosign/cli/generate/generate.go Error handling +2/-2

Handle write operation error properly

• Capture return value from w.Write() operation
• Return the error from write operation instead of nil


3. pkg/cosign/tlog.go 🐞 Bug fix +5/-5

Replace deprecated swag.String with conv.Pointer

• Replace import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv
• Replace all swag.String() calls with conv.Pointer() (4 occurrences)


4. go.mod Dependencies +2/-2

Update dependencies and reorganize swag imports

• Remove direct dependency on github.com/go-openapi/swag v0.25.4
• Add github.com/go-openapi/swag/conv v0.25.4 as direct dependency
• Update github.com/go-openapi/spec from v0.22.2 to v0.22.3
• Move github.com/go-openapi/swag to indirect dependencies


5. go.sum Dependencies +2/-2

Update go.sum checksums for spec upgrade

• Update hash for github.com/go-openapi/spec v0.22.3
• Maintain github.com/go-openapi/swag v0.25.4 checksums



ompushkara marked this pull request as draft March 3, 2026 10:43