docs(security): Improve nolint explanations

YaCodesDevelopment · YaCodesDevelopment · commit c5aaaa8123ae · 2026-02-21T07:03:58.000+02:00
diff --git a/.golangci.yml b/.golangci.yml
@@ -73,7 +73,7 @@ linters:
     forbidigo:
       forbid:
         - pattern: "^panic\\("
-          msg: "us panic() with caution, leave a comment explaining why it's necessary"
+          msg: "use panic() with caution, leave a comment explaining why it's necessary"
         - pattern: "unsafe\\."
           msg: "use unsafe with caution, leave a comment explaining why it's necessary"
 
diff --git a/yaautoflags/yaautoflags.go b/yaautoflags/yaautoflags.go
@@ -74,7 +74,7 @@ func PackFlags[T any](instance *T) yaerrors.Error {
 				flagsField.Type().Size() * bitsInByte,
 			)
 
-			//nolint: exhaustive
+			//nolint:exhaustive // The flags field must be of an unsigned integer type, so only those types are handled
 			switch flagsField.Kind() {
 			case reflect.Uint64,
 				reflect.Uint32,
@@ -165,7 +165,7 @@ func UnpackFlags[T any](instance *T) yaerrors.Error {
 		)
 	}
 
-	//nolint: exhaustive
+	//nolint:exhaustive // The flags field must be of an unsigned integer type, so only those types are handled
 	switch flagsField.Kind() {
 	case reflect.Uint64,
 		reflect.Uint32,
diff --git a/yaerrors/yaerrors.go b/yaerrors/yaerrors.go
@@ -66,8 +66,10 @@ func FromErrorWithLog(code int, cause error, wrap string, log yalogger.Logger) E
 // It creates a new Error instance with the provided code and message.
 func FromString(code int, msg string) Error {
 	return &yaError{
-		code:      code,
-		cause:     errors.New(msg), //nolint:err113
+		code: code,
+		cause: errors.New( //nolint:err113 // This is error constructor, error is not from library, no constants here
+			msg,
+		),
 		traceback: msg,
 	}
 }
@@ -79,8 +81,10 @@ func FromStringWithLog(code int, msg string, log yalogger.Logger) Error {
 	log.Error(msg)
 
 	return &yaError{
-		code:      code,
-		cause:     errors.New(msg), //nolint:err113
+		code: code,
+		cause: errors.New( //nolint:err113 // This is error constructor, error is not from library, no constants here
+			msg,
+		),
 		traceback: msg,
 	}
 }
diff --git a/yafsm/entityfsm.go b/yafsm/entityfsm.go
@@ -54,7 +54,7 @@ func (b *EntityFSMStorage) SetState(
 //	}
 func (b *EntityFSMStorage) GetState(
 	ctx context.Context,
-) (string, stateDataMarshalled, yaerrors.Error) { //nolint: revive
+) (string, stateDataMarshalled, yaerrors.Error) { //nolint:revive,lll // Unexported type used for safe encapsulation of marshalled state data
 	return b.storage.GetState(ctx, b.uid)
 }
 
diff --git a/yafsm/fsm.go b/yafsm/fsm.go
@@ -118,7 +118,7 @@ func (b *DefaultFSMStorage[T]) SetState(
 func (b *DefaultFSMStorage[T]) GetState(
 	ctx context.Context,
 	uid string,
-) (string, stateDataMarshalled, yaerrors.Error) { //nolint: revive
+) (string, stateDataMarshalled, yaerrors.Error) { //nolint:revive,lll // Unexported type used for safe encapsulation of marshalled state data
 	data, err := b.storage.Get(ctx, uid)
 	if err != nil {
 		return b.defaultState.StateName(), "", nil
diff --git a/yahash/yahash.go b/yahash/yahash.go
@@ -80,7 +80,7 @@ type HashableType valueparser.ParsableType
 // used with `Hash`.
 //
 //   - *I* – the input type (usually `string`).
-//   - *O* – the output type **must** be `comparable` so that we can check equality
+//   - *O* – the output type **must** be `comparable` so that equality can be checked
 //     when validating.
 //
 // A hash function receives the main *data* plus zero or more *args* that are
@@ -264,7 +264,7 @@ func FNVStringToInt64(data string, args ...string) int64 {
 		hasher.Write([]byte(arg))
 	}
 
-	return int64( //nolint:gosec // We don't care about overflow here, as the result will remain deterministic
+	return int64( //nolint:gosec // It doesn't matter if it overflows here, as the result will remain deterministic
 		hasher.Sum64(),
 	)
 }
@@ -288,7 +288,7 @@ func FNVStringToInt32(data string, args ...string) int32 {
 		hasher.Write([]byte(arg))
 	}
 
-	return int32( //nolint:gosec // We don't care about overflow here, as the result will remain deterministic
+	return int32( //nolint:gosec // It doesn't matter if it overflows here, as the result will remain deterministic
 		hasher.Sum32(),
 	)
 }
diff --git a/yalocales/locales_test.go b/yalocales/locales_test.go
@@ -121,7 +121,7 @@ func TestFormattedValueWithMap(t *testing.T) {
 		t.Fatalf("format value: %v", yaErr)
 	}
 
-	//nolint: goconst
+	//nolint:goconst // Who cares about consts in tests?
 	want := "This is a Formatable Locale Replacement"
 	if got != want {
 		t.Fatalf("unexpected formatted value: got %q want %q", got, want)
diff --git a/yalogger/logrus_logger.go b/yalogger/logrus_logger.go
@@ -327,7 +327,7 @@ func (l *logrusAdapter) WithRequestID(id uint64) Logger {
 //	logger.WithRandomRequestID().Info("Generated random request ID")
 func (l *logrusAdapter) WithRandomRequestID() Logger {
 	return &logrusAdapter{
-		//nolint:gosec // We don't care about randomness quality here, as this is just for logging
+		//nolint:gosec // Randomness quality here could be neglected, as this is just for logging
 		entry: l.entry.WithField(KeyRequestID, rand.Uint64()),
 	}
 }
diff --git a/yarsa/key.go b/yarsa/key.go
@@ -10,8 +10,8 @@
 //     p and q to the top quarter of their ranges so the final modulus has the
 //     requested bit-length.
 //     - The stdlib rsa.GenerateKey is NOT guaranteed deterministic even with a
-//     deterministic io.Reader (due to internal jitter), so we implement our
-//     own prime generation.
+//     deterministic io.Reader (due to internal jitter), so custom prime generation
+//     is implemented here.
 //
 //  2. Private key parsing convenience:
 //     ParsePrivateKey(string) -> *rsa.PrivateKey
@@ -349,7 +349,7 @@ func StripCRLF(s string) string {
 
 // tryBase64URLAll attempts to decode s as URL-safe base64 in both variants:
 //   - RawURLEncoding (no '=' padding expected)
-//   - URLEncoding (padding expected; we add best-effort padding if missing)
+//   - URLEncoding (padding expected; add best-effort padding if missing)
 //
 // It returns decoded bytes or an error if neither variant works.
 func tryBase64URLAll(s string) ([]byte, yaerrors.Error) {
diff --git a/yatgbot/dispatcher.go b/yatgbot/dispatcher.go
@@ -145,7 +145,7 @@ func (r *Dispatcher) checkFilters(
 		chain = append(chain, g)
 	}
 
-	// 2) Reverse so we run filters from root -> current.
+	// 2) Reverse so filters run from root -> current.
 	for i, j := 0, len(chain)-1; i < j; i, j = i+1, j-1 {
 		chain[i], chain[j] = chain[j], chain[i]
 	}
diff --git a/yatgbot/messagequeue/messagequeue.go b/yatgbot/messagequeue/messagequeue.go
@@ -117,7 +117,7 @@ func (d *Dispatcher) AddRawJob(
 	taskCount uint,
 ) (uint64, <-chan JobResult) {
 	job := MessageJob{
-		ID:        rand.Uint64(), //nolint:gosec,lll // We don't care about randomness quality here, as this is just for generating a random job ID
+		ID:        rand.Uint64(), //nolint:gosec,lll // `Randomness quality doesn't matter`, as this is just for generating a random job ID
 		Priority:  priority,
 		Request:   request,
 		ResultCh:  make(chan JobResult, 1),
@@ -188,7 +188,7 @@ func (d *Dispatcher) AddForwardMessagesJob(
 
 	req.RandomID = make([]int64, len(req.ID))
 	for i := range req.RandomID {
-		req.RandomID[i] = rand.Int63() //nolint:gosec,lll // We don't care about randomness quality here, as this is just for generating random IDs for forwarding messages
+		req.RandomID[i] = rand.Int63() //nolint:gosec,lll // Randomness quality doesn't matter, as this is just for generating random IDs for forwarding messages
 	}
 
 	return d.AddRawJob(req, priority, uint(len(req.RandomID)))
@@ -233,7 +233,7 @@ func (d *Dispatcher) AddSendMessageJob(
 	}
 
 	if req.RandomID == 0 {
-		req.RandomID = rand.Int63() //nolint:gosec,lll // We don't care about randomness quality here, as this is just for generating a random ID for sending a message
+		req.RandomID = rand.Int63() //nolint:gosec,lll // Randomness quality doesn't matter, as this is just for generating a random ID for sending a message
 	}
 
 	return d.AddRawJob(req, priority, SingleMessage)
@@ -282,7 +282,7 @@ func (d *Dispatcher) AddSendMultiMediaJob(
 	}
 
 	for i := range req.MultiMedia {
-		req.MultiMedia[i].RandomID = rand.Int63() //nolint:gosec,lll // We don't care about randomness quality here, as this is just for generating random IDs for sending media
+		req.MultiMedia[i].RandomID = rand.Int63() //nolint:gosec,lll // Randomness quality doesn't matter, as this is just for generating random IDs for sending media
 	}
 
 	return d.AddRawJob(req, priority, uint(len(req.MultiMedia)))
@@ -328,7 +328,7 @@ func (d *Dispatcher) AddSendMediaJob(
 	}
 
 	if req.RandomID == 0 {
-		req.RandomID = rand.Int63() //nolint:gosec,lll // We don't care about randomness quality here, as this is just for generating a random ID for sending a message
+		req.RandomID = rand.Int63() //nolint:gosec,lll // Randomness quality doesn't matter, as this is just for generating a random ID for sending a message
 	}
 
 	return d.AddRawJob(req, priority, SingleMessage)
diff --git a/yatgbot/updates.go b/yatgbot/updates.go
@@ -347,7 +347,7 @@ func wrapAsync[T tg.UpdateClass](
 
 	return func(ctx context.Context, e tg.Entities, upd T) error {
 		go func() {
-			_ = h( //nolint:errcheck,lll // We cannot do anything about the error here, as we are running asynchronously and the handler is responsible for its own error handling and logging.
+			_ = h( //nolint:errcheck,lll // It isn't really possible to do anything about the error here, as it is run asynchronously and the handler is responsible for its own error handling and logging.
 				ctx,
 				e,
 				upd,
diff --git a/yatgclient/heplers.go b/yatgclient/heplers.go
@@ -123,7 +123,7 @@ func (c *Client) UploadFile(
 ) (tg.MessageMediaClass, yaerrors.Error) {
 	var chunkID int
 
-	randID := rand.Int63() //nolint:gosec,lll // We don't care about randomness quality here, as this is just for generating a random file ID for uploading
+	randID := rand.Int63() //nolint:gosec,lll // Randomness quality doesn't matter, as this is just for generating a random file ID for uploading
 
 	buf := make([]byte, c.chunkSize)
 	for {
diff --git a/yatgclient/mtprotoproxy.go b/yatgclient/mtprotoproxy.go
@@ -19,7 +19,7 @@ import (
 type MTProto struct {
 	Host   string
 	Port   uint16
-	Secret string //nolint:gosec
+	Secret string //nolint:gosec // This struct is for parsing proxy config, so it has what it parses
 }
 
 // NewMTProtoWithParseURL is a helper that allocates MTProto and calls ParseURL.
diff --git a/yatgclient/socks5proxy.go b/yatgclient/socks5proxy.go
@@ -19,7 +19,7 @@ type SOCKS5 struct {
 	Host     string
 	Port     uint16
 	Username *string
-	Password *string //nolint:gosec
+	Password *string //nolint:gosec // This struct is for parsing proxy config, so it has what it parses
 }
 
 // NewSOCKS5WithParseURL parses a socks5:// URL into a SOCKS5 struct(socks5://username:password@host:port)
diff --git a/yatgmessageencoding/helpers.go b/yatgmessageencoding/helpers.go
@@ -19,7 +19,9 @@ func getUTF16LECUSize(s string) uint32 {
 }
 
 func getUTF8Size(s string) uint32 {
-	return uint32(len(s)) //nolint:gosec
+	return uint32( //nolint:gosec // Overflow is not a concern here as input string is expected to be reasonably sized
+		len(s),
+	)
 }
 
 func getMultiSize(s string) multiSize {
diff --git a/yatgmessageencoding/markdown.go b/yatgmessageencoding/markdown.go
@@ -105,7 +105,7 @@ charIter:
 			}
 
 			if _, ok := allURLLikeDelimiters[possiblyDelimiter]; ok {
-				//nolint:exhaustive
+				//nolint:exhaustive // Only URL-like delimiters are checked in this block
 				switch possiblyDelimiter {
 				case linkStartDelim:
 					if URLLike.linkOrEmoji.startPosition == maxMultiSize {
diff --git a/yatgstorage/yatgstorage.go b/yatgstorage/yatgstorage.go
@@ -121,8 +121,8 @@ type IStorage interface {
 
 // Storage is the production implementation backed by a yacache.Cache[*redis.Client].
 //
-// It embeds a telegram.UpdateHandler (your own dispatcher) so we can inject a
-// middle layer that persists access‑hashes before letting updates propagate.
+// It embeds a telegram.UpdateHandler (your own dispatcher) so a middle layer
+// that persists access‑hashes before letting updates propagate can be injected.
 // The zero value is **not** valid – use NewStorage.
 //
 // Example:

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ func PackFlags[T any](instance *T) yaerrors.Error {`
`74`	`74`	`flagsField.Type().Size() * bitsInByte,`
`75`	`75`	`)`
`76`	`76`
`77`		`- //nolint: exhaustive`
	`77`	`+ //nolint:exhaustive // The flags field must be of an unsigned integer type, so only those types are handled`
`78`	`78`	`switch flagsField.Kind() {`
`79`	`79`	`case reflect.Uint64,`
`80`	`80`	`reflect.Uint32,`
`@@ -165,7 +165,7 @@ func UnpackFlags[T any](instance *T) yaerrors.Error {`
`165`	`165`	`)`
`166`	`166`	`}`
`167`	`167`
`168`		`- //nolint: exhaustive`
	`168`	`+ //nolint:exhaustive // The flags field must be of an unsigned integer type, so only those types are handled`
`169`	`169`	`switch flagsField.Kind() {`
`170`	`170`	`case reflect.Uint64,`
`171`	`171`	`reflect.Uint32,`
Original file line number	Diff line number	Diff line change
`@@ -66,8 +66,10 @@ func FromErrorWithLog(code int, cause error, wrap string, log yalogger.Logger) E`
`66`	`66`	`// It creates a new Error instance with the provided code and message.`
`67`	`67`	`func FromString(code int, msg string) Error {`
`68`	`68`	`return &yaError{`
`69`		`- code: code,`
`70`		`- cause: errors.New(msg), //nolint:err113`
	`69`	`+ code: code,`
	`70`	`+ cause: errors.New( //nolint:err113 // This is error constructor, error is not from library, no constants here`
	`71`	`+ msg,`
	`72`	`+ ),`
`71`	`73`	`traceback: msg,`
`72`	`74`	`}`
`73`	`75`	`}`
`@@ -79,8 +81,10 @@ func FromStringWithLog(code int, msg string, log yalogger.Logger) Error {`
`79`	`81`	`log.Error(msg)`
`80`	`82`
`81`	`83`	`return &yaError{`
`82`		`- code: code,`
`83`		`- cause: errors.New(msg), //nolint:err113`
	`84`	`+ code: code,`
	`85`	`+ cause: errors.New( //nolint:err113 // This is error constructor, error is not from library, no constants here`
	`86`	`+ msg,`
	`87`	`+ ),`
`84`	`88`	`traceback: msg,`
`85`	`89`	`}`
`86`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ func (b *EntityFSMStorage) SetState(`
`54`	`54`	`// }`
`55`	`55`	`func (b *EntityFSMStorage) GetState(`
`56`	`56`	`ctx context.Context,`
`57`		`-) (string, stateDataMarshalled, yaerrors.Error) { //nolint: revive`
	`57`	`+) (string, stateDataMarshalled, yaerrors.Error) { //nolint:revive,lll // Unexported type used for safe encapsulation of marshalled state data`
`58`	`58`	`return b.storage.GetState(ctx, b.uid)`
`59`	`59`	`}`
`60`	`60`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ type HashableType valueparser.ParsableType`
`80`	`80`	// used with `Hash`.
`81`	`81`	`//`
`82`	`82`	// - I – the input type (usually `string`).
`83`		-// - O – the output type must be `comparable` so that we can check equality
	`83`	+// - O – the output type must be `comparable` so that equality can be checked
`84`	`84`	`// when validating.`
`85`	`85`	`//`
`86`	`86`	`// A hash function receives the main data plus zero or more args that are`
`@@ -264,7 +264,7 @@ func FNVStringToInt64(data string, args ...string) int64 {`
`264`	`264`	`hasher.Write([]byte(arg))`
`265`	`265`	`}`
`266`	`266`
`267`		`- return int64( //nolint:gosec // We don't care about overflow here, as the result will remain deterministic`
	`267`	`+ return int64( //nolint:gosec // It doesn't matter if it overflows here, as the result will remain deterministic`
`268`	`268`	`hasher.Sum64(),`
`269`	`269`	`)`
`270`	`270`	`}`
`@@ -288,7 +288,7 @@ func FNVStringToInt32(data string, args ...string) int32 {`
`288`	`288`	`hasher.Write([]byte(arg))`
`289`	`289`	`}`
`290`	`290`
`291`		`- return int32( //nolint:gosec // We don't care about overflow here, as the result will remain deterministic`
	`291`	`+ return int32( //nolint:gosec // It doesn't matter if it overflows here, as the result will remain deterministic`
`292`	`292`	`hasher.Sum32(),`
`293`	`293`	`)`
`294`	`294`	`}`
Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ func TestFormattedValueWithMap(t *testing.T) {`
`121`	`121`	`t.Fatalf("format value: %v", yaErr)`
`122`	`122`	`}`
`123`	`123`
`124`		`- //nolint: goconst`
	`124`	`+ //nolint:goconst // Who cares about consts in tests?`
`125`	`125`	`want := "This is a Formatable Locale Replacement"`
`126`	`126`	`if got != want {`
`127`	`127`	`t.Fatalf("unexpected formatted value: got %q want %q", got, want)`
Original file line number	Diff line number	Diff line change
`@@ -327,7 +327,7 @@ func (l *logrusAdapter) WithRequestID(id uint64) Logger {`
`327`	`327`	`// logger.WithRandomRequestID().Info("Generated random request ID")`
`328`	`328`	`func (l *logrusAdapter) WithRandomRequestID() Logger {`
`329`	`329`	`return &logrusAdapter{`
`330`		`- //nolint:gosec // We don't care about randomness quality here, as this is just for logging`
	`330`	`+ //nolint:gosec // Randomness quality here could be neglected, as this is just for logging`
`331`	`331`	`entry: l.entry.WithField(KeyRequestID, rand.Uint64()),`
`332`	`332`	`}`
`333`	`333`	`}`
Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ func (r *Dispatcher) checkFilters(`
`145`	`145`	`chain = append(chain, g)`
`146`	`146`	`}`
`147`	`147`
`148`		`- // 2) Reverse so we run filters from root -> current.`
	`148`	`+ // 2) Reverse so filters run from root -> current.`
`149`	`149`	`for i, j := 0, len(chain)-1; i < j; i, j = i+1, j-1 {`
`150`	`150`	`chain[i], chain[j] = chain[j], chain[i]`
`151`	`151`	`}`