1 files changed, 253 insertions, 0 deletions

diff --git a/nogo.yaml b/nogo.yaml
new file mode 100644
index 000000000..5c1737f59
--- /dev/null
+++ b/nogo.yaml
@@ -0,0 +1,253 @@
+groups:
+  # We define three basic groups: generated (all generated files),
+  # external (all files outside the repository), and internal (all
+  # files within the local repository). We can't enforce many style
+  # checks on generated and external code, so enable those cases
+  # selectively for analyzers below.
+  - name: generated
+    regex: "^(bazel-genfiles|bazel-out|bazel-bin)/"
+    default: true
+  - name: external
+    regex: "^external/"
+    default: false
+  - name: internal
+    regex: ".*"
+    default: true
+global:
+  generated:
+    suppress:
+      # Suppress the basic style checks for
+      # generated code, but keep the analysis
+      # that are required for quality & security.
+      - "should not use ALL_CAPS in Go names"
+      - "should not use underscores"
+      - "comment on exported"
+      - "methods on the same type should have the same receiver name"
+      - "at least one file in a package"
+      - "package comment should be of the form"
+      # Generated code may have dead code paths.
+      - "identical build constraints"
+      - "no value of type"
+      - "is never used"
+      # go_embed_data rules generate unicode literals.
+      - "string literal contains the Unicode format character"
+      - "string literal contains the Unicode control character"
+      - "string literal contains Unicode control characters"
+      - "string literal contains Unicode format and control characters"
+      # Some external code will generate protov1
+      # implementations. These should be ignored.
+      - "proto.* is deprecated"
+      - "xxx_messageInfo_.*"
+      - "receiver name should be a reflection of its identity"
+      # Generated gRPC code is not compliant either.
+      - "error strings should not be capitalized"
+      - "grpc.Errorf is deprecated"
+      # Generated proto code does not always follow capitalization conventions.
+      - "(field|method|struct|type) .* should be .*"
+      # Generated proto code sometimes duplicates imports with aliases.
+      - "duplicate import"
+  internal:
+    suppress:
+      # We use ALL_CAPS for system definitions,
+      # which are common enough in the code base
+      # that we shouldn't annotate exceptions.
+      #
+      # Same story for underscores.
+      - "should not use ALL_CAPS in Go names"
+      - "should not use underscores in Go names"
+    exclude:
+      # A variety of staticcheck and stylecheck
+      # rules apply here. These should be fixed
+      # and removed from here, and the global
+      # rules should be used sparingly.
+      - pkg/abi/linux/fuse.go:22
+      - pkg/abi/linux/fuse.go:25
+      - pkg/abi/linux/socket.go:113
+      - pkg/abi/linux/tty.go:73
+      - pkg/cpuid/cpuid_x86.go:675
+      - pkg/gohacks/gohacks_unsafe.go:33
+      - pkg/log/json.go:30
+      - pkg/log/log.go:359
+      - pkg/metric/metric_test.go:20
+      - pkg/p9/p9test/client_test.go:687
+      - pkg/p9/transport_test.go:196
+      - pkg/pool/pool.go:15
+      - pkg/refs/refcounter.go:510
+      - pkg/refs/refcounter_test.go:169
+      - pkg/refs_vfs2/refs.go:16
+      - pkg/safemem/block_unsafe.go:89
+      - pkg/seccomp/seccomp.go:82
+      - pkg/segment/test/set_functions.go:15
+      - pkg/sentry/arch/signal.go:166
+      - pkg/sentry/arch/signal.go:171
+      - pkg/sentry/control/pprof.go:196
+      - pkg/sentry/devices/memdev/full.go:58
+      - pkg/sentry/devices/memdev/null.go:59
+      - pkg/sentry/devices/memdev/random.go:68
+      - pkg/sentry/devices/memdev/zero.go:86
+      - pkg/sentry/fdimport/fdimport.go:15
+      - pkg/sentry/fs/attr.go:257
+      - pkg/sentry/fsbridge/fs.go:116
+      - pkg/sentry/fsbridge/vfs.go:124
+      - pkg/sentry/fsbridge/vfs.go:70
+      - pkg/sentry/fs/copy_up.go:365
+      - pkg/sentry/fs/copy_up_test.go:65
+      - pkg/sentry/fs/dev/net_tun.go:161
+      - pkg/sentry/fs/dev/net_tun.go:63
+      - pkg/sentry/fs/dev/null.go:97
+      - pkg/sentry/fs/dirent_cache.go:64
+      - pkg/sentry/fs/fdpipe/pipe_opener_test.go:366
+      - pkg/sentry/fs/file_overlay.go:327
+      - pkg/sentry/fs/file_overlay.go:524
+      - pkg/sentry/fs/filetest/filetest.go:55
+      - pkg/sentry/fs/filetest/filetest.go:60
+      - pkg/sentry/fs/fs.go:77
+      - pkg/sentry/fs/fsutil/file.go:290
+      - pkg/sentry/fs/fsutil/file.go:346
+      - pkg/sentry/fs/fsutil/host_file_mapper.go:105
+      - pkg/sentry/fs/fsutil/inode_cached.go:676
+      - pkg/sentry/fs/fsutil/inode_cached.go:772
+      - pkg/sentry/fs/gofer/attr.go:120
+      - pkg/sentry/fs/gofer/fifo.go:33
+      - pkg/sentry/fs/gofer/inode.go:410
+      - pkg/sentry/fsimpl/ext/disklayout/superblock_64.go:97
+      - pkg/sentry/fsimpl/ext/disklayout/superblock_old.go:92
+      - pkg/sentry/fsimpl/ext/disklayout/block_group_32.go:44
+      - pkg/sentry/fsimpl/ext/disklayout/inode_new.go:91
+      - pkg/sentry/fsimpl/ext/disklayout/inode_old.go:93
+      - pkg/sentry/fsimpl/ext/disklayout/superblock_32.go:66
+      - pkg/sentry/fsimpl/ext/disklayout/block_group_64.go:53
+      - pkg/sentry/fsimpl/fuse/request_response.go:71
+      - pkg/sentry/fsimpl/signalfd/signalfd.go:15
+      - pkg/sentry/memmap/memmap.go:103
+      - pkg/sentry/memmap/memmap.go:163
+      - pkg/sentry/mm/aio_context.go:208
+      - pkg/sentry/mm/pma.go:683
+      - pkg/sentry/usage/cpu.go:42
+      - pkg/shim/runsc/runsc.go:16
+      - pkg/shim/runsc/utils.go:16
+      - pkg/shim/v1/proc/deleted_state.go:16
+      - pkg/shim/v1/proc/exec.go:16
+      - pkg/shim/v1/proc/exec_state.go:16
+      - pkg/shim/v1/proc/init.go:16
+      - pkg/shim/v1/proc/init_state.go:16
+      - pkg/shim/v1/proc/io.go:16
+      - pkg/shim/v1/proc/process.go:16
+      - pkg/shim/v1/proc/types.go:16
+      - pkg/shim/v1/proc/utils.go:16
+      - pkg/shim/v1/shim/api.go:16
+      - pkg/shim/v1/shim/platform.go:16
+      - pkg/shim/v1/shim/service.go:16
+      - pkg/shim/v1/utils/annotations.go:15
+      - pkg/shim/v1/utils/utils.go:15
+      - pkg/shim/v1/utils/volumes.go:15
+      - pkg/shim/v2/api.go:16
+      - pkg/shim/v2/epoll.go:18
+      - pkg/shim/v2/options/options.go:15
+      - pkg/shim/v2/options/options.go:24
+      - pkg/shim/v2/options/options.go:26
+      - pkg/shim/v2/runtimeoptions/runtimeoptions.go:16
+      - pkg/shim/v2/runtimeoptions/runtimeoptions_cri.go # Generated: exempt all.
+      - pkg/shim/v2/runtimeoptions/runtimeoptions_test.go:22
+      - pkg/shim/v2/service.go:15
+      - pkg/shim/v2/service_linux.go:18
+      - pkg/state/tests/integer_test.go:23
+      - pkg/state/tests/integer_test.go:28
+      - pkg/sync/rwmutex_test.go:105
+      - pkg/syserr/host_linux.go:35
+      - pkg/usermem/addr.go:34
+      - pkg/usermem/usermem.go:171
+      - pkg/usermem/usermem.go:170
+      - runsc/boot/compat.go:56
+      - test/cmd/test_app/fds.go:171
+      - test/iptables/filter_output.go:251
+      - test/packetimpact/testbench/connections.go:77
+      - tools/bigquery/bigquery.go:106
+      - tools/checkescape/test1/test1.go:108
+      - tools/checkescape/test1/test1.go:122
+      - tools/checkescape/test1/test1.go:137
+      - tools/checkescape/test1/test1.go:151
+      - tools/checkescape/test1/test1.go:170
+      - tools/checkescape/test1/test1.go:39
+      - tools/checkescape/test1/test1.go:45
+      - tools/checkescape/test1/test1.go:50
+      - tools/checkescape/test1/test1.go:64
+      - tools/checkescape/test1/test1.go:80
+      - tools/checkescape/test1/test1.go:94
+analyzers:
+  asmdecl:
+    external: # Enabled.
+  assign:
+    external:
+      exclude:
+        - gazelle/walk/walk.go
+  atomic:
+    external: # Enabled.
+  bools:
+    external: # Enabled.
+  buildtag:
+    external: # Enabled.
+  cgocall:
+    external: # Enabled.
+  shadow: # Disable for now.
+    generated:
+      exclude: [".*"]
+    internal:
+      exclude: [".*"]
+  composites: # Disable for now.
+    generated:
+      exclude: [".*"]
+    internal:
+      exclude: [".*"]
+  errorsas:
+    external: # Enabled.
+  httpresponse:
+    external: # Enabled.
+  loopclosure:
+    external: # Enabled.
+  nilfunc:
+    external: # Enabled.
+  nilness:
+    internal:
+      exclude:
+        - pkg/sentry/platform/kvm/kvm_test.go # Intentional.
+        - tools/bigquery/bigquery.go          # False positive.
+  printf:
+    external: # Enabled.
+  shift:
+    external: # Enabled.
+  stringintconv:
+    external:
+      exclude:
+        - ".*protobuf/.*.go"              # Bad conversions.
+        - ".*flate/huffman_bit_writer.go" # Bad conversion.
+        # Runtime internal violations.
+        - ".*reflect/value.go"
+        - ".*encoding/xml/xml.go"
+        - ".*runtime/pprof/internal/profile/proto.go"
+        - ".*fmt/scan.go"
+        - ".*go/types/conversions.go"
+        - ".*golang.org/x/net/dns/dnsmessage/message.go"
+  tests:
+    external: # Enabled.
+  unmarshal:
+    external: # Enabled.
+  unreachable:
+    external: # Enabled.
+  unsafeptr:
+    internal:
+      exclude:
+        - ".*_test.go"                                             # Exclude tests.
+        - "pkg/flipcall/.*_unsafe.go"                              # Special case.
+        - pkg/gohacks/gohacks_unsafe.go                            # Special case.
+        - pkg/sentry/fs/fsutil/host_file_mapper_unsafe.go          # Special case.
+        - pkg/sentry/platform/kvm/bluepill_unsafe.go               # Special case.
+        - pkg/sentry/platform/kvm/machine_unsafe.go                # Special case.
+        - pkg/sentry/platform/ring0/pagetables/allocator_unsafe.go # Special case.
+        - pkg/sentry/platform/safecopy/safecopy_unsafe.go          # Special case.
+        - pkg/sentry/vfs/mount_unsafe.go                           # Special case.
+        - pkg/state/decode_unsafe.go                               # Special case.
+  unusedresult:
+    external: # Enabled.
+  checkescape:
+    external: # Enabled.