From b9489dd84f2d9a431fb4c06cfdd9706d976bacbb Mon Sep 17 00:00:00 2001
From: Harry Pidcock <harry.pidcock@canonical.com>
Date: Tue, 23 Jul 2024 14:23:23 +1000
Subject: [PATCH] ci: add govulncheck + backported cleanup

---
 .github/workflows/static-analysis.yml           |  7 ++-----
 acceptancetests/jujupy/client.py                | 10 +++++-----
 acceptancetests/jujupy/tests/test_status.py     |  2 +-
 acceptancetests/repository/trusty/haproxy/cm.py |  4 ++--
 acceptancetests/tests/test_jujucharm.py         |  2 +-
 scripts/find-bad-doc-comments.py                |  4 ++--
 scripts/leadershipclaimer/count-leadership.py   |  4 ++--
 tests/README.md                                 |  2 +-
 tests/suites/static_analysis/lint_go.sh         | 15 +++++++++++++--
 9 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index e13aa2d7192..269920f043a 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -49,7 +49,8 @@ jobs:
         echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
         echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
 
-        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.54.2
+        go install golang.org/x/vuln/cmd/govulncheck@latest
+        curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.59.1
         sudo curl -sSfL https://github.com/mvdan/sh/releases/download/v3.7.0/shfmt_v3.7.0_linux_$(go env GOARCH) -o /usr/bin/shfmt
         sudo chmod +x /usr/bin/shfmt
         sudo DEBIAN_FRONTEND=noninteractive apt install -y expect
@@ -58,19 +59,16 @@ jobs:
       run: go mod download
 
     - name: "Static Analysis: Copyright"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.go == 'true'
       run: |
         STATIC_ANALYSIS_JOB=test_copyright make static-analysis
       shell: bash
 
     - name: "Static Analysis: Shell Check"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.sh == 'true'
       run: |
         STATIC_ANALYSIS_JOB=test_static_analysis_shell make static-analysis
       shell: bash
 
     - name: "Static Analysis: Go Check"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.go == 'true'
       run: |
         # Explicitly set GOROOT to avoid golangci-lint/issues/3107
         export "GOROOT=$(go env GOROOT)"
@@ -78,7 +76,6 @@ jobs:
       shell: bash
 
     - name: "Static Analysis: Python Check"
-      if: steps.filter.outputs.static-analysis == 'true' || steps.filter.outputs.python == 'true'
       run: |
         STATIC_ANALYSIS_JOB=test_static_analysis_python make static-analysis
       shell: bash
diff --git a/acceptancetests/jujupy/client.py b/acceptancetests/jujupy/client.py
index bc9284fc094..66e57c17ef0 100644
--- a/acceptancetests/jujupy/client.py
+++ b/acceptancetests/jujupy/client.py
@@ -1868,7 +1868,7 @@ def backup(self):
             raise
         log.info('backup file {}'.format(output))
         backup_file_pattern = re.compile(
-            '(juju-backup-[0-9-]+\.(t|tar.)gz)'.encode('ascii'))
+            '(juju-backup-[0-9-]+\\.(t|tar.)gz)'.encode('ascii'))
         match = backup_file_pattern.search(output)
         if match is None:
             raise Exception("The backup file was not found in output: %s" %
@@ -2273,7 +2273,7 @@ def handle_openstack(self, child, cloud):
             child.expect(self.REGION_ENDPOINT_PROMPT)
             child.sendline(values['endpoint'])
             match = child.expect([
-                u"Enter another region\? \([yY]/[nN]\):",
+                u"Enter another region\\? \\([yY]/[nN]\\):",
                 u"Can't validate endpoint"
             ])
             if match == 1:
@@ -2285,7 +2285,7 @@ def handle_openstack(self, child, cloud):
 
     def handle_vsphere(self, child, cloud):
         match = child.expect([u"Enter a name for your .* cloud:",
-                              u'Enter the (vCenter address or URL|API endpoint url for the cloud \[\]):'])
+                              u'Enter the (vCenter address or URL|API endpoint url for the cloud \\[\\]):'])
         if match == 0:
             raise NameNotAccepted('Cloud name not accepted.')
         if match == 1:
@@ -2301,7 +2301,7 @@ def handle_vsphere(self, child, cloud):
                 raise InvalidEndpoint()
             child.sendline(name)
             child.expect(
-                u'Enter another (datacenter|region)\? \([yY]/[nN]\):')
+                u'Enter another (datacenter|region)\\? \\([yY]/[nN]\\):')
             if num + 1 < len(cloud['regions']):
                 child.sendline('y')
             else:
@@ -2410,7 +2410,7 @@ def register_user_interactively(client, token, controller_name):
         child.sendline(password)
         child.expect(u'Confirm password:')
         child.sendline(password)
-        child.expect(u'Enter a name for this controller( \[.*\])?:')
+        child.expect(u'Enter a name for this controller( \\[.*\\])?:')
         child.sendline(controller_name)
 
         def login_if_need(session):
diff --git a/acceptancetests/jujupy/tests/test_status.py b/acceptancetests/jujupy/tests/test_status.py
index 0c0efae7ec3..9c8bca35082 100644
--- a/acceptancetests/jujupy/tests/test_status.py
+++ b/acceptancetests/jujupy/tests/test_status.py
@@ -80,7 +80,7 @@ def test_to_exception_stuck_allocating(self):
                                      current='allocating', message='foo')
         with self.assertRaisesRegexp(
                 StuckAllocatingError,
-                "\('0', 'Stuck allocating.  Last message: foo'\)"):
+                "\\('0', 'Stuck allocating.  Last message: foo'\\)"):
             raise item.to_exception()
 
     def test_to_exception_allocating_unit(self):
diff --git a/acceptancetests/repository/trusty/haproxy/cm.py b/acceptancetests/repository/trusty/haproxy/cm.py
index f728b8608f4..72775f991f5 100644
--- a/acceptancetests/repository/trusty/haproxy/cm.py
+++ b/acceptancetests/repository/trusty/haproxy/cm.py
@@ -32,7 +32,7 @@ def get_branch_config(config_file):
             line = line.split('#')[0].strip()
             bzr_match = re.match(r'(\S+)\s+'
                                  'lp:([^;]+)'
-                                 '(?:;revno=(\d+))?', line)
+                                 '(?:;revno=(\\d+))?', line)
             if bzr_match:
                 name, branch, revno = bzr_match.group(1, 2, 3)
                 if revno is None:
@@ -42,7 +42,7 @@ def get_branch_config(config_file):
                 branches[name] = (branch, revspec)
                 continue
             dir_match = re.match(r'(\S+)\s+'
-                                 '\(directory\)', line)
+                                 '\\(directory\\)', line)
             if dir_match:
                 name = dir_match.group(1)
                 branches[name] = None
diff --git a/acceptancetests/tests/test_jujucharm.py b/acceptancetests/tests/test_jujucharm.py
index f7e9c79732f..ffc7a5e7231 100644
--- a/acceptancetests/tests/test_jujucharm.py
+++ b/acceptancetests/tests/test_jujucharm.py
@@ -118,7 +118,7 @@ def test_ensure_valid_name(self):
         self.assertIsNone(Charm.NAME_REGEX.match(charm.metadata['name']))
         self.assertRaisesRegexp(
             JujuAssertionError,
-            'Invalid Juju Charm Name, "BAD_NAME" does not match ".*"\.',
+            'Invalid Juju Charm Name, "BAD_NAME" does not match ".*"\\.',
             Charm, 'BAD_NAME', 'A charm with a checked bad name')
 
     def test_ensure_valid_name_anchoring(self):
diff --git a/scripts/find-bad-doc-comments.py b/scripts/find-bad-doc-comments.py
index 42bdee56536..196ca628459 100755
--- a/scripts/find-bad-doc-comments.py
+++ b/scripts/find-bad-doc-comments.py
@@ -31,8 +31,8 @@ def find_go_files(root):
             yield path.join(directory, filename)
 
 DOC_COMMENT_PATT = '\n\n//.+\n(//.+\n)*func.+\n'
-FIRST_WORD_PATT = '// *(\w+)'
-FUNC_NAME_PATT = 'func(?: \([^)]+\))? (\S+)\('
+FIRST_WORD_PATT = '// *(\\w+)'
+FUNC_NAME_PATT = 'func(?: \\([^)]+\\))? (\\S+)\\('
 
 def extract_doc_comments(text):
     for match in re.finditer(DOC_COMMENT_PATT, text, re.MULTILINE):
diff --git a/scripts/leadershipclaimer/count-leadership.py b/scripts/leadershipclaimer/count-leadership.py
index ddc66e425f0..c872213815b 100644
--- a/scripts/leadershipclaimer/count-leadership.py
+++ b/scripts/leadershipclaimer/count-leadership.py
@@ -13,9 +13,9 @@ def main(args):
     p.add_argument("--tick", type=float, default=1.0,
             help="seconds between printing status ticks")
     opts = p.parse_args(args)
-    actionsRE = re.compile("\s*(?P<time>\d+\.\d\d\d)s\s+(?P<action>claimed|extended|lost|connected).*in (?P<duration>[0-9m.]+s)")
+    actionsRE = re.compile("\\s*(?P<time>\\d+\\.\\d\\d\\d)s\\s+(?P<action>claimed|extended|lost|connected).*in (?P<duration>[0-9m.]+s)")
     # We don't have minutes if we have 'ms', so match 'ms' first, we might have 'm' if we have 's', so put it before s.
-    durationRE = re.compile("((?P<milliseconds>\d+)ms)?((?P<minutes>\d+)m)?((?P<seconds>\d+(\.\d+)?)s)?")
+    durationRE = re.compile("((?P<milliseconds>\\d+)ms)?((?P<minutes>\\d+)m)?((?P<seconds>\\d+(\\.\\d+)?)s)?")
     totalClaims = 0
     extendedSum = 0
     extendedCount = 0
diff --git a/tests/README.md b/tests/README.md
index 3603541dda4..e8d4c45cf68 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -58,7 +58,7 @@ sudo snap install expect
 The static analysis tests also require `golangci-lint`:
 
 ```
-go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2
+go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.1
 ```
 
 To get started, it's best to quickly look at the help command from the runner.
diff --git a/tests/suites/static_analysis/lint_go.sh b/tests/suites/static_analysis/lint_go.sh
index 059870bc032..ab9a9281c90 100644
--- a/tests/suites/static_analysis/lint_go.sh
+++ b/tests/suites/static_analysis/lint_go.sh
@@ -1,7 +1,7 @@
 run_go() {
 	VER=$(golangci-lint --version | tr -s ' ' | cut -d ' ' -f 4 | cut -d '.' -f 1,2)
-	if [[ ${VER} != "1.54" ]] && [[ ${VER} != "v1.54" ]]; then
-		(echo >&2 -e '\nError: golangci-lint version does not match 1.54. Please upgrade/downgrade to the right version.')
+	if [[ ${VER} != "1.59" ]] && [[ ${VER} != "v1.59" ]]; then
+		(echo >&2 -e '\nError: golangci-lint version does not match 1.59. Please upgrade/downgrade to the right version.')
 		exit 1
 	fi
 	OUT=$(golangci-lint run -c .github/golangci-lint.config.yaml 2>&1)
@@ -27,6 +27,10 @@ run_go_tidy() {
 	fi
 }
 
+run_govulncheck() {
+	govulncheck "github.com/juju/juju/..."
+}
+
 test_static_analysis_go() {
 	if [ "$(skip 'test_static_analysis_go')" ]; then
 		echo "==> TEST SKIPPED: static go analysis"
@@ -40,5 +44,12 @@ test_static_analysis_go() {
 
 		run_linter "run_go"
 		run_linter "run_go_tidy"
+
+		# govulncheck static analysis
+		if which govulncheck >/dev/null 2>&1; then
+			run_linter "run_govulncheck"
+		else
+			echo "govulncheck not found, govulncheck static analysis disabled"
+		fi
 	)
 }