chore: cleanup golangci-lint and cspell findings (#7548)

weikanglim · web-flow · commit a67ac9e9aa8d · 2026-04-07T12:05:52.000-07:00
Small non-behavioral change fixes to address remaining golangci-lint and cspell findings - Anchor local-template `.gitignore` reads to the template root so nested `.gitignore` files can't escape the local template tree during initialization. - Update `internal/vsrpc/server.go` to derive per-call cancelable contexts from `childCtx`, which preserves the tracing span from `tracing.Start` for Call requests instead of dropping it. - Add targeted `gosec` suppressions where the flagged values are already trusted, managed by azd, or owned by a later callback (local FastAPI detection, Darwin process inspection, spinner/server cancellation callbacks, and managed output paths). - Promote repo-specific spellings into the shared cspell dictionaries, keep compatibility names as file-scoped overrides, and reword the remaining comment-only spellcheck hits. Fixes #7426
diff --git a/cli/azd/.vscode/cspell-azd-dictionary.txt b/cli/azd/.vscode/cspell-azd-dictionary.txt
@@ -15,6 +15,8 @@ Errorf
 Frontends
 GOARCH
 GOCOVERDIR
+GOTOOLCHAIN
+GOWORK
 Ghostty
 LASTEXITCODE
 MCPJSON
@@ -110,6 +112,7 @@ containerapps
 containerd
 containerizable
 contoso
+covdata
 createdby
 csharpapp
 csharpapptest
@@ -153,6 +156,7 @@ go-imath
 godotenv
 gofmt
 golangci
+googleapis
 gosec
 goterm
 gotest
@@ -199,6 +203,7 @@ mysqladmin
 mysqlclient
 mysqldb
 nazd
+ndjson
 nobanner
 nodeapp
 nolint
diff --git a/cli/azd/.vscode/cspell.yaml b/cli/azd/.vscode/cspell.yaml
@@ -134,6 +134,10 @@ overrides:
   - filename: cmd/mcp.go
     words:
       - internalcmd
+  - filename: cmd/extension.go
+    words:
+      - compatResult
+      - compatCopy
   - filename: pkg/azdext/config_helper.go
     words:
       - myext
@@ -367,10 +371,6 @@ overrides:
   - filename: pkg/infra/provisioning/bicep/local_preflight.go
     words:
       - actioned
-  - filename: docs/code-coverage-guide.md
-    words:
-      - covdata
-      - GOWORK
 ignorePaths:
   - "**/*_test.go"
   - "**/mock*.go"
diff --git a/cli/azd/internal/appdetect/python.go b/cli/azd/internal/appdetect/python.go
@@ -142,6 +142,7 @@ func PyFastApiLaunch(projectPath string) (string, error) {
 		}
 
 		if strings.HasSuffix(path, "main.py") || strings.HasSuffix(path, "app.py") {
+			//nolint:gosec // G122: local project contents are trusted for FastAPI detection.
 			f, err := os.Open(path)
 			if err != nil {
 				return err
diff --git a/cli/azd/internal/repository/initializer.go b/cli/azd/internal/repository/initializer.go
@@ -224,11 +224,23 @@ func (i *Initializer) copyLocalTemplate(source, destination string) error {
 	}
 	var matchers []gitignoreMatcher
 
+	sourceRoot, err := os.OpenRoot(source)
+	if err != nil {
+		return fmt.Errorf("opening local template root: %w", err)
+	}
+	defer sourceRoot.Close()
+
 	_ = filepath.WalkDir(source, func(path string, d fs.DirEntry, err error) error {
 		if err != nil || d.IsDir() || d.Name() != ".gitignore" {
 			return err
 		}
-		data, readErr := os.ReadFile(path)
+
+		rel, relErr := filepath.Rel(source, path)
+		if relErr != nil {
+			return relErr
+		}
+
+		data, readErr := sourceRoot.ReadFile(rel)
 		if readErr != nil {
 			return nil // skip unreadable gitignore files
 		}
diff --git a/cli/azd/internal/runcontext/agentdetect/detect_process_darwin.go b/cli/azd/internal/runcontext/agentdetect/detect_process_darwin.go
@@ -18,10 +18,12 @@ import (
 func getParentProcessInfoWithPPID(pid int) (parentProcessInfo, int, error) {
 	info := parentProcessInfo{}
 	parentPid := 0
+	pidArg := strconv.Itoa(pid)
 
 	// Use ps to get process info and parent PID
 	// -o comm= gives just the command name, -o ppid= gives parent PID
-	cmd := exec.Command("ps", "-p", fmt.Sprintf("%d", pid), "-o", "comm=,ppid=")
+	//nolint:gosec // G204: pidArg is derived from an integer process ID, not shell input.
+	cmd := exec.Command("ps", "-p", pidArg, "-o", "comm=,ppid=")
 	output, err := cmd.Output()
 	if err != nil {
 		return info, 0, fmt.Errorf("failed to get process info: %w", err)
@@ -37,7 +39,8 @@ func getParentProcessInfoWithPPID(pid int) (parentProcessInfo, int, error) {
 	}
 
 	// Get the full command path
-	cmd = exec.Command("ps", "-p", fmt.Sprintf("%d", pid), "-o", "args=")
+	//nolint:gosec // G204: pidArg is derived from an integer process ID, not shell input.
+	cmd = exec.Command("ps", "-p", pidArg, "-o", "args=")
 	output, err = cmd.Output()
 	if err == nil {
 		cmdLine := strings.TrimSpace(string(output))
@@ -52,7 +55,8 @@ func getParentProcessInfoWithPPID(pid int) (parentProcessInfo, int, error) {
 
 	// If we couldn't get the executable from args, try lsof
 	if info.Executable == "" {
-		cmd = exec.Command("lsof", "-p", fmt.Sprintf("%d", pid), "-Fn")
+		//nolint:gosec // G204: pidArg is derived from an integer process ID, not shell input.
+		cmd = exec.Command("lsof", "-p", pidArg, "-Fn")
 		output, err = cmd.Output()
 		if err == nil {
 			// Parse lsof output - lines starting with 'n' contain file names
diff --git a/cli/azd/internal/vsrpc/server.go b/cli/azd/internal/vsrpc/server.go
@@ -90,7 +90,8 @@ func (s *Server) Serve(l net.Listener) error {
 	}
 
 	// Run upload periodically in the background while the server is running.
-	ctx, cancel := context.WithCancel(context.Background()) //nolint:gosec // G118: cancel stored in s.cancelTelemetryUpload
+	//nolint:gosec // G118: cancel is stored on the server and invoked later by StopAsync.
+	ctx, cancel := context.WithCancel(context.Background())
 	ts := telemetry.GetTelemetrySystem()
 	backgroundTelemetry := func() {
 		ticker := time.NewTicker(5 * time.Second)
@@ -213,9 +214,9 @@ func serveRpc(w http.ResponseWriter, r *http.Request, handlers map[string]Handle
 			call, isCall := req.(*jsonrpc2.Call)
 			if isCall {
 				span.SetAttributes(fields.JsonRpcId.String(fmt.Sprint(call.ID())))
-				//nolint:gosec // G118: cancel stored in cancelers map and called on completion
-				ctx, cancel := context.WithCancel(ctx)
-				childCtx = ctx
+				var cancel context.CancelFunc
+				//nolint:gosec // G118: cancel is stored in cancelers and invoked later by request cancellation handling.
+				childCtx, cancel = context.WithCancel(childCtx)
 				cancelersMu.Lock()
 				cancelers[call.ID()] = cancel
 				cancelersMu.Unlock()
diff --git a/cli/azd/pkg/azdext/atomicfile.go b/cli/azd/pkg/azdext/atomicfile.go
@@ -20,7 +20,7 @@ import (
 // WriteFileAtomic writes data to the named file atomically. It writes to a
 // temporary file in the same directory as path and renames it into place. This
 // ensures that readers never see a partially-written file and that the
-// operation is crash-safe on filesystems that support atomic rename (ext4,
+// operation is crash-safe on file systems that support atomic rename (ext4,
 // APFS, NTFS).
 //
 // Platform behavior:
diff --git a/cli/azd/pkg/azdext/azd_client.go b/cli/azd/pkg/azdext/azd_client.go
@@ -44,7 +44,7 @@ func WithAddress(address string) AzdClientOption {
 		if isLocalhostAddress(address) {
 			opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))
 		} else {
-			// For non-localhost connections, require TLS to prevent MITM attacks
+			// For non-localhost connections, require TLS to prevent man-in-the-middle attacks.
 			opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(nil)))
 		}
 
diff --git a/cli/azd/pkg/azdext/process_darwin.go b/cli/azd/pkg/azdext/process_darwin.go
@@ -27,9 +27,11 @@ func isProcessRunningOS(pid int) bool {
 // getProcessInfoOS retrieves process info on macOS using ps(1).
 func getProcessInfoOS(pid int) ProcessInfo {
 	info := ProcessInfo{PID: pid}
+	pidArg := strconv.Itoa(pid)
 
 	// Use ps to get process name and executable path.
-	cmd := exec.Command("ps", "-p", strconv.Itoa(pid), "-o", "comm=")
+	//nolint:gosec // G204: pidArg is derived from an integer process ID, not shell input.
+	cmd := exec.Command("ps", "-p", pidArg, "-o", "comm=")
 	output, err := cmd.Output()
 	if err != nil {
 		return info // Process does not exist or is inaccessible.
@@ -39,7 +41,8 @@ func getProcessInfoOS(pid int) ProcessInfo {
 	info.Running = true
 
 	// Get full command path.
-	cmd = exec.Command("ps", "-p", strconv.Itoa(pid), "-o", "args=")
+	//nolint:gosec // G204: pidArg is derived from an integer process ID, not shell input.
+	cmd = exec.Command("ps", "-p", pidArg, "-o", "args=")
 	output, err = cmd.Output()
 	if err == nil {
 		args := strings.TrimSpace(string(output))
diff --git a/cli/azd/pkg/infra/provisioning/terraform/terraform_provider.go b/cli/azd/pkg/infra/provisioning/terraform/terraform_provider.go
@@ -748,7 +748,7 @@ func (t *TerraformProvider) createInputParametersFile(
 	}
 
 	log.Printf("Writing parameters file to: %s", inputFilePath)
-	//nolint:gosec // G703: path derived from infra config, not user input
+	//nolint:gosec // G703: inputFilePath is derived from azd's managed .azure environment directory.
 	err = os.WriteFile(inputFilePath, []byte(replaced), 0600)
 	if err != nil {
 		return fmt.Errorf("writing parameter file: %w", err)
diff --git a/cli/azd/pkg/tools/dotnet/dotnet.go b/cli/azd/pkg/tools/dotnet/dotnet.go
@@ -163,7 +163,8 @@ func (cli *Cli) PublishAppHostManifest(
 			)
 		}
 
-		return os.WriteFile(manifestPath, m, osutil.PermissionFile) //nolint:gosec // G703: path from known project structure
+		//nolint:gosec // G703: manifestPath is the azd-managed output path for the generated manifest.
+		return os.WriteFile(manifestPath, m, osutil.PermissionFile)
 	}
 
 	// For single-file apphost, we need to use the .cs file directly
diff --git a/cli/azd/pkg/ux/spinner.go b/cli/azd/pkg/ux/spinner.go
@@ -75,17 +75,18 @@ func (s *Spinner) Start(ctx context.Context) error {
 		s.canvas = NewCanvas(s).WithWriter(s.options.Writer)
 	}
 
-	// Use a context to determine when to stop the spinner
-	cancelCtx, cancel := context.WithCancel(ctx) //nolint:gosec // G118: cancel stored in s.cancel and called in Stop()
-	s.cancel = cancel
-
 	s.clear = false
 	s.cursor.HideCursor()
 
 	if err := s.canvas.Run(); err != nil {
 		return err
 	}
 
+	// Use a context to determine when to stop the spinner updates.
+	//nolint:gosec // G118: s.cancel is stored and invoked later by Stop.
+	cancelCtx, cancel := context.WithCancel(ctx)
+	s.cancel = cancel
+
 	// Periodic update goroutine
 	go func(ctx context.Context) {
 		for {

Original file line number	Diff line number	Diff line change
`@@ -142,6 +142,7 @@ func PyFastApiLaunch(projectPath string) (string, error) {`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`if strings.HasSuffix(path, "main.py") \|\| strings.HasSuffix(path, "app.py") {`
	`145`	`+ //nolint:gosec // G122: local project contents are trusted for FastAPI detection.`
`145`	`146`	`f, err := os.Open(path)`
`146`	`147`	`if err != nil {`
`147`	`148`	`return err`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ func WithAddress(address string) AzdClientOption {`
`44`	`44`	`if isLocalhostAddress(address) {`
`45`	`45`	`opts = append(opts, grpc.WithTransportCredentials(insecure.NewCredentials()))`
`46`	`46`	`} else {`
`47`		`- // For non-localhost connections, require TLS to prevent MITM attacks`
	`47`	`+ // For non-localhost connections, require TLS to prevent man-in-the-middle attacks.`
`48`	`48`	`opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(nil)))`
`49`	`49`	`}`
`50`	`50`
Original file line number	Diff line number	Diff line change
`@@ -748,7 +748,7 @@ func (t *TerraformProvider) createInputParametersFile(`
`748`	`748`	`}`
`749`	`749`
`750`	`750`	`log.Printf("Writing parameters file to: %s", inputFilePath)`
`751`		`- //nolint:gosec // G703: path derived from infra config, not user input`
	`751`	`+ //nolint:gosec // G703: inputFilePath is derived from azd's managed .azure environment directory.`
`752`	`752`	`err = os.WriteFile(inputFilePath, []byte(replaced), 0600)`
`753`	`753`	`if err != nil {`
`754`	`754`	`return fmt.Errorf("writing parameter file: %w", err)`