chore: update golangci-lint config and fix lint issues (#542)

* chore: update golangci-lint config and fix lint issues

Author: moonD4rk

.golangci.yml

@@ -10,7 +10,7 @@ run:
 linters:
   default: none
   enable:
-    # Default tier
+    # Default tier — must-have for any Go project
     - errcheck
     - govet
     - staticcheck
@@ -21,11 +21,18 @@ linters:
     - errorlint
     - gosec
     - sqlclosecheck
+    - nilerr
+    - bodyclose
+    - durationcheck
+    - errchkjson
+    - exhaustive
+    - forcetypeassert
 
     # Code quality
     - depguard
     - dogsled
     - dupl
+    - dupword
     - errname
     - funlen
     - gocheckcompilerdirectives
@@ -35,20 +42,24 @@ linters:
     - godox
     - goprintffuncname
     - lll
+    - mirror
     - misspell
     - nakedret
+    - predeclared
     - revive
     - testifylint
     - unconvert
     - unparam
     - usestdlibvars
+    - wastedassign
     - whitespace
 
     # Complexity
     - gocognit
+    - nestif
 
     # Note: copyloopvar, intrange, modernize, perfsprint require Go 1.22+
-    # They will be enabled when Go version constraint is lifted
+    # They will be enabled when Go version constraint is lifted.
 
   settings:
     depguard:
@@ -61,6 +72,8 @@ linters:
               desc: Deprecated since Go 1.16. Use io and os packages instead.
             - pkg: "github.com/instana/testify"
               desc: Use github.com/stretchr/testify instead.
+    exhaustive:
+      default-signifies-exhaustive: true
     dupl:
       threshold: 100
     funlen:
@@ -82,17 +95,15 @@ linters:
       disabled-checks:
         - dupImport
         - hugeParam
-        - rangeValCopy
-        - ifElseChain
-        - octalLiteral
+        - rangeValCopy  # keychainbreaker structs are large by design
+        - unnamedResult # crypto functions returning (key, iv) are clear without names
         - whyNoLint
-        - singleCaseSwitch
-        - exitAfterDefer
-        - commentedOutCode
     lll:
       line-length: 140
     gocognit:
       min-complexity: 30
+    nestif:
+      min-complexity: 5
     godox:
       keywords:
         - FIXME
@@ -103,17 +114,17 @@ linters:
       asserts: false
     gosec:
       excludes:
-        - G101
-        - G104
-        - G304
-        - G401
-        - G405
-        - G501
-        - G502
-        - G505
-        - G115
-        - G117
-        - G204
+        - G101 # hardcoded credentials — false positives on const names
+        - G115 # integer overflow on conversion — false positives on safe narrowing
+        - G117 # struct field matches secret pattern — false positive on Password fields
+        - G204 # exec.Command with variable — required for macOS `security` command
+        - G304 # file inclusion via variable — required for dynamic browser paths
+        - G401 # weak crypto SHA1 — required for Chromium PBKDF2 key derivation
+        - G402 # TLS MinVersion — not applicable (no TLS in this tool)
+        - G405 # weak crypto DES — required for Firefox 3DES decryption
+        - G501 # blocklisted import crypto/md5 — not used, keep for safety
+        - G502 # blocklisted import crypto/des — required for Firefox decryption
+        - G505 # blocklisted import crypto/sha1 — required for PBKDF2
     errcheck:
       check-type-assertions: true
       exclude-functions:
@@ -127,22 +138,13 @@ linters:
       rules:
         - name: indent-error-flow
         - name: unexported-return
-          disabled: true
         - name: unused-parameter
           disabled: true
-        - name: package-comments
-          disabled: true
-        - name: exported
-          disabled: true
     staticcheck:
       checks:
         - "all"
-        - "-ST1000"
-        - "-ST1003"
-        - "-ST1016"
-        - "-ST1020"
-        - "-ST1021"
-        - "-ST1022"
+        - "-ST1000" # package comment — not a public library
+        - "-ST1003" # naming convention — allow platform-specific names
 
   exclusions:
     presets:
@@ -157,55 +159,19 @@ linters:
           - funlen
           - gosec
           - errcheck
-          - testifylint
           - lll
       - source: "defer"
         linters:
           - errcheck
       - text: "SELECT"
         linters:
           - gosec
-      # Temporary: known issues in pre-refactoring code (will be removed during refactoring)
-      - text: "result 0 .* is always nil"
-        linters:
-          - unparam
-      - text: "result 0 .* is never used"
-        linters:
-          - unparam
-      - path: "browser/firefox/firefox.go"
-        text: "field .* is unused"
-        linters:
-          - unused
-      - path: "browserdata/sessionstorage/"
-        text: "is unused"
-        linters:
-          - unused
       - path: "cmd/hack-browser-data/main.go"
         linters:
           - lll
-      # Temporary: pre-refactoring code issues (all will be rewritten)
-      - path: "browserdata/"
-        linters:
-          - dupl
-          - gochecknoinits
-          - goconst
-          - lll
-      - path: "browser/firefox/"
-        linters:
-          - gocritic
-      - path: "crypto/"
-        linters:
-          - gocritic
       - path: "crypto/keyretriever/gcoredump_darwin.go"
         linters:
           - gocognit
-      # Temporary: new v2 extract files have no callers until Phase 8 wiring
-      - path: "browser/chromium/(source|decrypt|extract_.*)\\.go"
-        linters:
-          - unused
-      - path: "browser/firefox/(source|extract_.*)\\.go"
-        linters:
-          - unused
 
 formatters:
   enable:

browser/browser_test.go

@@ -21,7 +21,7 @@ func mkFile(t *testing.T, parts ...string) {
 
 func TestListBrowsers(t *testing.T) {
 	list := ListBrowsers()
-	assert.True(t, len(list) > 0)
+	assert.NotEmpty(t, list)
 	assert.True(t, sort.StringsAreSorted(list))
 }
 

browser/chromium/chromium_test.go

@@ -399,7 +399,7 @@ func TestAcquireFiles(t *testing.T) {
 	assert.Len(t, paths, len(cats))
 	for _, p := range paths {
 		_, err := os.Stat(p)
-		assert.NoError(t, err, "acquired file should exist")
+		require.NoError(t, err, "acquired file should exist")
 	}
 }
 

browser/firefox/extract_history_test.go

@@ -40,5 +40,5 @@ func TestExtractHistories_NullFields(t *testing.T) {
 	require.NoError(t, err)
 	require.Len(t, got, 1)
 	assert.Equal(t, "https://null.test", got[0].URL)
-	assert.Equal(t, "", got[0].Title)
+	assert.Empty(t, got[0].Title)
 }

crypto/asn1pbe_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 var (
@@ -74,14 +75,14 @@ var (
 func TestNewASN1PBE(t *testing.T) {
 	for _, tc := range nssPBETestCases {
 		nssRaw, err := hex.DecodeString(tc.RawHexPBE)
-		assert.Equal(t, nil, err)
+		require.NoError(t, err)
 		pbe, err := NewASN1PBE(nssRaw)
-		assert.Equal(t, nil, err)
+		require.NoError(t, err)
 		nssPBETC, ok := pbe.(nssPBE)
-		assert.Equal(t, true, ok)
+		assert.True(t, ok)
 		assert.Equal(t, nssPBETC.Encrypted, tc.Encrypted)
 		assert.Equal(t, nssPBETC.AlgoAttr.SaltAttr.EntrySalt, tc.GlobalSalt)
-		assert.Equal(t, nssPBETC.AlgoAttr.SaltAttr.Len, 20)
+		assert.Equal(t, 20, nssPBETC.AlgoAttr.SaltAttr.Len)
 		assert.Equal(t, nssPBETC.AlgoAttr.ObjectIdentifier, tc.ObjectIdentifier)
 	}
 }
@@ -108,8 +109,8 @@ func TestNssPBE_Encrypt(t *testing.T) {
 			},
 		}
 		encrypted, err := nssPBETC.Encrypt(tc.GlobalSalt, tc.Plaintext)
-		assert.Equal(t, nil, err)
-		assert.Equal(t, true, len(encrypted) > 0)
+		require.NoError(t, err)
+		assert.NotEmpty(t, encrypted)
 		assert.Equal(t, nssPBETC.Encrypted, encrypted)
 	}
 }
@@ -136,20 +137,20 @@ func TestNssPBE_Decrypt(t *testing.T) {
 			},
 		}
 		decrypted, err := nssPBETC.Decrypt(tc.GlobalSalt)
-		assert.Equal(t, nil, err)
-		assert.Equal(t, true, len(decrypted) > 0)
+		require.NoError(t, err)
+		assert.NotEmpty(t, decrypted)
 		assert.Equal(t, pbePlaintext, decrypted)
 	}
 }
 
 func TestNewASN1PBE_MetaPBE(t *testing.T) {
 	for _, tc := range metaPBETestCases {
 		metaRaw, err := hex.DecodeString(tc.RawHexPBE)
-		assert.Equal(t, nil, err)
+		require.NoError(t, err)
 		pbe, err := NewASN1PBE(metaRaw)
-		assert.Equal(t, nil, err)
+		require.NoError(t, err)
 		metaPBETC, ok := pbe.(metaPBE)
-		assert.Equal(t, true, ok)
+		assert.True(t, ok)
 		assert.Equal(t, metaPBETC.Encrypted, tc.Encrypted)
 		assert.Equal(t, metaPBETC.AlgoAttr.Data.IVData.IV, tc.IV)
 		assert.Equal(t, metaPBETC.AlgoAttr.Data.IVData.ObjectIdentifier, objWithSHA256AndAES)
@@ -193,8 +194,8 @@ func TestMetaPBE_Encrypt(t *testing.T) {
 			Encrypted: tc.Encrypted,
 		}
 		encrypted, err := metaPBETC.Encrypt(tc.GlobalSalt, tc.Plaintext)
-		assert.Equal(t, nil, err)
-		assert.Equal(t, true, len(encrypted) > 0)
+		require.NoError(t, err)
+		assert.NotEmpty(t, encrypted)
 		assert.Equal(t, metaPBETC.Encrypted, encrypted)
 	}
 }
@@ -236,20 +237,20 @@ func TestMetaPBE_Decrypt(t *testing.T) {
 			Encrypted: tc.Encrypted,
 		}
 		decrypted, err := metaPBETC.Decrypt(tc.GlobalSalt)
-		assert.Equal(t, nil, err)
-		assert.Equal(t, true, len(decrypted) > 0)
+		require.NoError(t, err)
+		assert.NotEmpty(t, decrypted)
 		assert.Equal(t, pbePlaintext, decrypted)
 	}
 }
 
 func TestNewASN1PBE_LoginPBE(t *testing.T) {
 	for _, tc := range loginPBETestCases {
 		loginRaw, err := hex.DecodeString(tc.RawHexPBE)
-		assert.Equal(t, nil, err)
+		require.NoError(t, err)
 		pbe, err := NewASN1PBE(loginRaw)
-		assert.Equal(t, nil, err)
+		require.NoError(t, err)
 		loginPBETC, ok := pbe.(loginPBE)
-		assert.Equal(t, true, ok)
+		assert.True(t, ok)
 		assert.Equal(t, loginPBETC.Encrypted, tc.Encrypted)
 		assert.Equal(t, loginPBETC.Data.IV, tc.IV)
 		assert.Equal(t, loginPBETC.Data.ObjectIdentifier, objWithMD5AndDESCBC)
@@ -270,8 +271,8 @@ func TestLoginPBE_Encrypt(t *testing.T) {
 			Encrypted: tc.Encrypted,
 		}
 		encrypted, err := loginPBETC.Encrypt(tc.GlobalSalt, plainText)
-		assert.Equal(t, nil, err)
-		assert.Equal(t, true, len(encrypted) > 0)
+		require.NoError(t, err)
+		assert.NotEmpty(t, encrypted)
 		assert.Equal(t, loginPBETC.Encrypted, encrypted)
 	}
 }
@@ -290,8 +291,8 @@ func TestLoginPBE_Decrypt(t *testing.T) {
 			Encrypted: tc.Encrypted,
 		}
 		decrypted, err := loginPBETC.Decrypt(tc.GlobalSalt)
-		assert.Equal(t, nil, err)
-		assert.Equal(t, true, len(decrypted) > 0)
+		require.NoError(t, err)
+		assert.NotEmpty(t, decrypted)
 		assert.Equal(t, pbePlaintext, decrypted)
 	}
 }