Add gounqvet linter #6060
Add gounqvet linter #6060
Conversation
|
|
|
Hey, thank you for opening your first Pull Request ! |
|
In order for a pull request adding a linter to be reviewed, the linter and the PR must follow some requirements.
Pull Request Description
Linter
The Linter Tests Inside Golangci-lint
|
|
Hello, Inside golangci-lint we differentiate 2 types of analyzers:
The detectors are not allowed because of the number of false positives. My initial impression is that your analyzer is a detector, not a linter. If I'm wrong, please add a comment to explain why your analyzer is not a detector. |
ldez
added
linter: new
This comment was marked as off-topic.
This comment was marked as off-topic.
|
Please short message, and no answer from AI. I'm a human, I'm talking to humans. |
|
This is not AI - that's part of my speech on work presentation, but sorry for long read. This linter exists because my team had a critical production incident caused by Like This is the first iteration with more features planned. I'd be extremely grateful if you could consider this - we want to adopt it properly through golangci-lint rather than standalone binaries. New features will be added in the near future, as there is a need for expansion. This linter will grow |
|
gosec reports security issues, sqlclosecheck reports resource leaks. "detect" is not the right word:
Note: I don't add a linter because it's "critical" for someone, but if it's useful for the community. |
|
Yes, I agree with your opinion, but my company has a large Go community that likes this tool and many have adopted it in their projects, both work and open source, so it applies to more than just 1-2 people. I'm not trying to argue, but I would like to convey that this tool is meaningful and useful for the community, and over time and with the addition of new features, it will become quite flexible in terms of configuration. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
MirrexOne
force-pushed
the
add-gounqvet-linter
branch
from
09c96df to
bd42b77
Compare
|
No AI... but your commits are co-authored by Claude... |
AI as helper for coding, not for responses |
MirrexOne
force-pushed
the
add-gounqvet-linter
branch
from
bd42b77 to
0dc997d
Compare
|
It doesn't feel very helpful with code: https://github.com/MirrexOne/gounqvet/actions/runs/17508774320/job/49736927221 |
Yes, sure. That was redundant. Already removed it |
|
Please let me know if you have any further comments on any of the points ? |
ldez
changed the title
ldez
force-pushed
the
add-gounqvet-linter
branch
from
27136e0 to
3817c96
Compare
MirrexOne
force-pushed
the
add-gounqvet-linter
branch
from
8cde68e to
2e1ba6d
Compare
This PR adds gounqvet as a new linter to detect SELECT * usage in SQL queries
and SQL builders, encouraging explicit column selection for better performance,
maintainability, and API stability.
## Features
- **SQL String Detection**: Finds SELECT * in string literals
- **SQL Builder Support**: Works with popular builders like Squirrel, GORM
- **Smart Pattern Recognition**: Avoids false positives for COUNT(*), system queries
- **Highly Configurable**: Extensive configuration options
- **Standard Integration**: Supports //nolint:gounqvet directives
- **Zero Dependencies**: Built on go/analysis framework
## Configuration Options
```yaml
linters-settings:
gounqvet:
check-sql-builders: true # Enable SQL builder checking
ignored-functions: [] # Functions to skip
ignored-packages: [] # Packages to ignore
allowed-patterns: [] # Regex for acceptable SELECT *
ignored-file-patterns: [] # File patterns to ignore
ignored-directories: [] # Directories to ignore
```
## Why Avoid SELECT *?
- **Performance**: Reduces unnecessary network bandwidth and memory usage
- **Maintainability**: Prevents breakage when schema changes
- **Security**: Avoids exposing sensitive columns unintentionally
- **API Stability**: Prevents issues when new columns are added
## Examples
**Problematic code (detected):**
```go
query := "SELECT * FROM users"
rows := squirrel.Select("*").From("products")
```
**Good code (not flagged):**
```go
query := "SELECT id, name FROM users"
rows := squirrel.Select("id", "name").From("products")
count := "SELECT COUNT(*) FROM users" // Aggregate functions OK
```
Available since golangci-lint v1.50.0 for maximum compatibility.
Repository: https://github.com/MirrexOne/gounqvet
- Update WithSince to v2.5.0 (next minor version as required) - Add gounqvet to .golangci.next.reference.yml in alphabetical order - Include comprehensive configuration with non-default values - Place linter in correct alphabetical position in builder_linter.go - Add detailed configuration comments and descriptions All compliance requirements now met according to checklist.
- Add strconv import and usage to satisfy checklist requirement - Tests must have at least one std lib import
- Remove all ignore-related options from configuration - Remove gounqvet_test.go as requested - Fix testdata directives format (move 'want' to end of line) - Remove ignore fields from GounqvetSettings struct - Change WithLoadForGoAnalysis to LoadModeSyntax (no type info needed) - Add empty lines at end of all files - Simplify configuration to only check-sql-builders and allowed-patterns All technical feedback addressed.
MirrexOne
force-pushed
the
add-gounqvet-linter
branch
from
2e1ba6d to
50818d5
Compare
|
You don't need to rebase unless there are conflicts. Each time you rebase, I must launch the CI manually. |
Thank you for pointing that out. I will no longer rebase unnecessarily. |
|
I have some doubts about the linter name: |
I decided not to get too hung up on “select *” specifically, since there is already a need to check more than just one construct. |
|
As practice and feedback from those who already use linter in my company have shown, this is a fairly idiomatic name for Go. |
This PR adds gounqvet as a new linter to report
SELECT *usage in SQL queries and SQL builders, encouraging explicit column selection for better performance, maintainability, and API stability.Repository: https://github.com/MirrexOne/gounqvet