HackBrowserData/.golangci.yml

# golangci-lint v2 configuration
# Compatible with Go 1.20
version: "2"

run:
  go: "1.20"
  timeout: "5m"
  allow-parallel-runners: true

linters:
  default: none
  enable:
    # Default tier — must-have for any Go project
    - errcheck
    - govet
    - staticcheck
    - ineffassign
    - unused

    # Bug detection
    - errorlint
    - gosec
    - sqlclosecheck
    - nilerr
    - bodyclose
    - durationcheck
    - errchkjson
    - exhaustive
    - forcetypeassert

    # Code quality
    - depguard
    - dogsled
    - dupl
    - dupword
    - errname
    - funlen
    - gocheckcompilerdirectives
    - gochecknoinits
    - goconst
    - gocritic
    - godox
    - goprintffuncname
    - lll
    - mirror
    - misspell
    - nakedret
    - predeclared
    - revive
    - testifylint
    - unconvert
    - unparam
    - usestdlibvars
    - wastedassign
    - whitespace

    # Complexity
    - gocognit
    - nestif

    # Note: copyloopvar, intrange, modernize, perfsprint require Go 1.22+
    # They will be enabled when Go version constraint is lifted.

  settings:
    depguard:
      rules:
        blocked:
          deny:
            - pkg: "github.com/pkg/errors"
              desc: Use fmt.Errorf with %w or errors stdlib instead.
            - pkg: "io/ioutil"
              desc: Deprecated since Go 1.16. Use io and os packages instead.
            - pkg: "github.com/instana/testify"
              desc: Use github.com/stretchr/testify instead.
    exhaustive:
      default-signifies-exhaustive: true
    dupl:
      threshold: 100
    funlen:
      lines: -1
      statements: 50
    goconst:
      min-len: 2
      min-occurrences: 3
      ignore-string-values:
        - "all"
        - "csv"
        - "json"
        - "https"
        - "http"
    gocritic:
      enabled-tags:
        - diagnostic
        - experimental
        - opinionated
        - performance
        - style
      disabled-checks:
        - dupImport
        - hugeParam
        - rangeValCopy  # keychainbreaker structs are large by design
        - unnamedResult # crypto functions returning (key, iv) are clear without names
        - whyNoLint
    lll:
      line-length: 140
    gocognit:
      min-complexity: 30
    nestif:
      min-complexity: 5
    godox:
      keywords:
        - FIXME
    govet:
      enable:
        - nilness
    errorlint:
      asserts: false
    gosec:
      excludes:
        - G101 # hardcoded credentials — false positives on const names
        - G115 # integer overflow on conversion — false positives on safe narrowing
        - G117 # struct field matches secret pattern — false positive on Password fields
        - G204 # exec.Command with variable — required for macOS `security` command
        - G304 # file inclusion via variable — required for dynamic browser paths
        - G703 # path traversal via taint analysis — same false-positive class as G304 (gosec 2.22+ / golangci-lint 2.11+)
        - G401 # weak crypto SHA1 — required for Chromium PBKDF2 key derivation
        - G402 # TLS MinVersion — not applicable (no TLS in this tool)
        - G405 # weak crypto DES — required for Firefox 3DES decryption
        - G501 # blocklisted import crypto/md5 — not used, keep for safety
        - G502 # blocklisted import crypto/des — required for Firefox decryption
        - G505 # blocklisted import crypto/sha1 — required for PBKDF2
    errcheck:
      check-type-assertions: true
      exclude-functions:
        - "os.Remove"
        - "os.RemoveAll"
        - "(*database/sql.DB).Close"
        - "(*database/sql.Rows).Close"
    misspell:
      locale: US
    revive:
      rules:
        - name: indent-error-flow
        - name: unexported-return
        - name: unused-parameter
          disabled: true
    staticcheck:
      checks:
        - "all"
        - "-ST1000" # package comment — not a public library
        - "-ST1003" # naming convention — allow platform-specific names

  exclusions:
    presets:
      - comments
      - std-error-handling
      - common-false-positives
      - legacy
    rules:
      - path: _test\.go
        linters:
          - dupl
          - funlen
          - gosec
          - errcheck
          - lll
      - source: "defer"
        linters:
          - errcheck
      - text: "SELECT"
        linters:
          - gosec
      - path: "cmd/hack-browser-data/main.go"
        linters:
          - lll
      - path: "crypto/keyretriever/gcoredump_darwin.go"
        linters:
          - gocognit

formatters:
  enable:
    - gofumpt
    - goimports
  settings:
    gofumpt:
      extra-rules: true
    goimports:
      local-prefixes:
        - github.com/moond4rk/hackbrowserdata