Introduce golangci-lint and fix findings

First, the same GitHub Action used in the icinga-go-library was added to
the Go workflow.

Then, the findings were addressed. In general, these were mostly missing
return check - when being unused anyway -, potential overflows for
integer type conversions, and SHA1 warnings.

If applicable, the code was slightly modified to perform the necessary
checks. Sometimes the linter has detected the checks. Sometimes not and
a linter comment was added.

.github/workflows/go.yml

@@ -38,6 +38,14 @@ jobs:
         with:
           install-go: false
 
+      - uses: golangci/golangci-lint-action@v6
+        with:
+          version: latest
+          only-new-issues: true
+
+          # Enable the gosec linter w/o having to create a .golangci.yml config
+          args: -E gosec
+
   vet:
     runs-on: ubuntu-latest
     steps:

cmd/icingadb-migrate/convert.go

@@ -299,7 +299,7 @@ func convertDowntimeRows(
 			Author:             row.AuthorName,
 			Comment:            row.CommentData,
 			IsFlexible:         types.Bool{Bool: row.IsFixed == 0, Valid: true},
-			FlexibleDuration:   uint64(row.Duration) * 1000,
+			FlexibleDuration:   uint64(row.Duration) * 1000, // #nosec G115 -- flexible_duration is unsigned in Icinga DB's schema
 			ScheduledStartTime: scheduledStart,
 			ScheduledEndTime:   scheduledEnd,
 			StartTime:          startTime,

cmd/icingadb-migrate/main.go

@@ -2,7 +2,7 @@ package main
 
 import (
 	"context"
-	"crypto/sha1"
+	"crypto/sha1" // #nosec G505 -- cryptographic weak SHA1
 	"database/sql"
 	_ "embed"
 	"encoding/hex"

cmd/icingadb-migrate/misc.go

@@ -2,7 +2,7 @@ package main
 
 import (
 	"context"
-	"crypto/sha1"
+	"crypto/sha1" // #nosec G505 -- cryptographic weak SHA1
 	"github.com/icinga/icinga-go-library/database"
 	"github.com/icinga/icinga-go-library/objectpacker"
 	"github.com/icinga/icinga-go-library/types"
@@ -54,7 +54,7 @@ var objectTypes = map[uint8]string{1: "host", 2: "service"}
 
 // hashAny combines objectpacker.PackAny and SHA1 hashing.
 func hashAny(in interface{}) []byte {
-	hash := sha1.New()
+	hash := sha1.New() // #nosec G401 -- cryptographic weak SHA1
 	if err := objectpacker.PackAny(in, hash); err != nil {
 		panic(err)
 	}

cmd/icingadb/main.go

@@ -50,15 +50,15 @@ func run() int {
 	_ = sdnotify.Ready()
 
 	logger := logs.GetLogger()
-	defer logger.Sync()
+	defer func() { _ = logger.Sync() }()
 
 	logger.Infof("Starting Icinga DB daemon (%s)", internal.Version.Version)
 
 	db, err := cmd.Database(logs.GetChildLogger("database"))
 	if err != nil {
 		logger.Fatalf("%+v", errors.Wrap(err, "can't create database connection pool from config"))
 	}
-	defer db.Close()
+	defer func() { _ = db.Close() }()
 	{
 		logger.Infof("Connecting to database at '%s'", db.GetAddr())
 		err := db.Ping()
@@ -112,7 +112,7 @@ func run() int {
 		if err != nil {
 			logger.Fatalf("%+v", errors.Wrap(err, "can't create database connection pool from config"))
 		}
-		defer db.Close()
+		defer func() { _ = db.Close() }()
 		ha = icingadb.NewHA(ctx, db, heartbeat, logs.GetChildLogger("high-availability"))
 
 		telemetryLogger := logs.GetChildLogger("telemetry")
@@ -125,7 +125,7 @@ func run() int {
 		// Give up after 3s, not 5m (default) not to hang for 5m if DB is down.
 		ctx, cancelCtx := context.WithTimeout(context.Background(), 3*time.Second)
 
-		ha.Close(ctx)
+		_ = ha.Close(ctx)
 		cancelCtx()
 	}()
 	s := icingadb.NewSync(db, rc, logs.GetChildLogger("config-sync"))

pkg/icingadb/cleanup.go

@@ -32,7 +32,7 @@ func (stmt *CleanupStmt) CleanupOlderThan(
 	defer db.Log(ctx, q, &counter).Stop()
 
 	for {
-		var rowsDeleted int64
+		var rowsDeleted uint64
 
 		err := retry.WithBackoff(
 			ctx,
@@ -45,7 +45,8 @@ func (stmt *CleanupStmt) CleanupOlderThan(
 					return database.CantPerformQuery(err, q)
 				}
 
-				rowsDeleted, err = rs.RowsAffected()
+				i, err := rs.RowsAffected()
+				rowsDeleted = uint64(i) // #nosec G115 -- negative amount of rows should not be possible
 
 				return err
 			},
@@ -57,15 +58,15 @@ func (stmt *CleanupStmt) CleanupOlderThan(
 			return 0, err
 		}
 
-		counter.Add(uint64(rowsDeleted))
+		counter.Add(rowsDeleted)
 
 		for _, onSuccess := range onSuccess {
 			if err := onSuccess(ctx, make([]struct{}, rowsDeleted)); err != nil {
 				return 0, err
 			}
 		}
 
-		if rowsDeleted < int64(count) {
+		if rowsDeleted < count {
 			break
 		}
 	}

pkg/icingadb/delta_test.go

@@ -232,19 +232,21 @@ func benchmarkDelta(b *testing.B, numEntities int) {
 		return e
 	}
 	for i := 0; i < numEntities; i++ {
+		i := uint64(i) // #nosec G115 -- for loop iterates only over positive numbers
+
 		// each iteration writes exactly one entity to each channel
 		var eActual, eDesired database.Entity
 		switch i % 3 {
 		case 0: // distinct IDs
-			eActual = makeEndpoint(1, uint64(i), uint64(i))
-			eDesired = makeEndpoint(2, uint64(i), uint64(i))
+			eActual = makeEndpoint(1, i, i)
+			eDesired = makeEndpoint(2, i, i)
 		case 1: // same ID, same checksum
-			e := makeEndpoint(3, uint64(i), uint64(i))
+			e := makeEndpoint(3, i, i)
 			eActual = e
 			eDesired = e
 		case 2: // same ID, different checksum
-			eActual = makeEndpoint(4, uint64(i), uint64(i))
-			eDesired = makeEndpoint(4, uint64(i), uint64(i+1))
+			eActual = makeEndpoint(4, i, i)
+			eDesired = makeEndpoint(4, i, i+1)
 		}
 		for _, ch := range chActual {
 			ch <- eActual

pkg/icingadb/history/retention.go

@@ -11,6 +11,7 @@ import (
 	"github.com/icinga/icingadb/pkg/icingaredis/telemetry"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
+	"math"
 	"time"
 )
 
@@ -180,9 +181,14 @@ func (r *Retention) Start(ctx context.Context) error {
 			zap.Uint64("retention-days", days),
 		)
 
+		if days > -math.MinInt {
+			r.logger.Errorf("Skipping history retention for category %s as days number %d is too big", stmt.Category, -days)
+			continue
+		}
+
 		stmt := stmt
 		periodic.Start(ctx, r.interval, func(tick periodic.Tick) {
-			olderThan := tick.Time.AddDate(0, 0, -int(days))
+			olderThan := tick.Time.AddDate(0, 0, -int(days)) // #nosec G115 -- overflow check above
 
 			r.logger.Debugf("Cleaning up historical data for category %s from table %s older than %s",
 				stmt.Category, stmt.Table, olderThan)

pkg/icingadb/types/comment_type.go

@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"github.com/icinga/icinga-go-library/types"
 	"github.com/pkg/errors"
+	"math"
 	"strconv"
 )
 
@@ -36,13 +37,11 @@ func (ct *CommentType) UnmarshalText(text []byte) error {
 	if err != nil {
 		return types.CantParseUint64(err, s)
 	}
-
-	c := CommentType(i)
-	if uint64(c) != i {
-		// Truncated due to above cast, obviously too high
+	if i > math.MaxUint8 {
 		return badCommentType(s)
 	}
 
+	c := CommentType(i)
 	if _, ok := commentTypes[c]; !ok {
 		return badCommentType(s)
 	}

pkg/icingadb/types/notification_type.go

@@ -5,6 +5,7 @@ import (
 	"encoding"
 	"github.com/icinga/icinga-go-library/types"
 	"github.com/pkg/errors"
+	"math"
 	"strconv"
 )
 
@@ -19,13 +20,11 @@ func (nt *NotificationType) UnmarshalText(text []byte) error {
 	if err != nil {
 		return types.CantParseUint64(err, s)
 	}
-
-	n := NotificationType(i)
-	if uint64(n) != i {
-		// Truncated due to above cast, obviously too high
+	if i > math.MaxUint16 {
 		return badNotificationType(s)
 	}
 
+	n := NotificationType(i)
 	if _, ok := notificationTypes[n]; !ok {
 		return badNotificationType(s)
 	}