From 20a7856820983fb4160e77db9edca3e71c833234 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 24 Mar 2026 01:49:04 +0000 Subject: [PATCH] Simplify capability check to track names only, add docs and script Replace the full JSON baseline with a simple text file listing capability names per package. Add caps.sh script to generate and check the baseline. Document in CONTRIBUTING.md and AGENTS.md that PRs increasing capabilities are unlikely to be accepted. https://claude.ai/code/session_01HwDXpKevFLhE5EfrR6JrBn --- .github/workflows/capabilities.yml | 2 +- AGENTS.md | 11 +- CONTRIBUTING.md | 19 + capability_baseline.json | 1272 ---------------------------- capability_baseline.txt | 11 + caps.sh | 53 ++ 6 files changed, 94 insertions(+), 1274 deletions(-) delete mode 100644 capability_baseline.json create mode 100644 capability_baseline.txt create mode 100755 caps.sh
diff --git a/.github/workflows/capabilities.yml b/.github/workflows/capabilities.yml
index 57fcae4..19ad6f7 100644
--- a/.github/workflows/capabilities.yml
+++ b/.github/workflows/capabilities.yml
@@ -22,4 +22,4 @@ jobs:
 - name: Install capslock
 run: go install github.com/google/capslock/cmd/capslock@latest
 - name: Check for new capabilities
- run: capslock -packages=./... -output=compare -granularity=package capability_baseline.json
+ run: ./caps.sh check
diff --git a/AGENTS.md b/AGENTS.md
index dafe44d..f495afd 100644
--- a/AGENTS.md
+++ b/AGENTS.md
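Review bot: The `Install capslock` step just above the changed line in `.github/workflows/capabilities.yml` still uses `capslock@latest`, so the result of `./caps.sh check` depends on whichever capslock release is current when the job runs; a release that reclassifies a call or changes its output could fail the gate, or shift what it reports, without any change in this repository. Pin the analyzer to a reviewed version and bump it together with the baseline, e.g. `run: go install github.com/google/capslock/cmd/capslock@<pinned-version>` (placeholder; use the release the baseline was generated with). The gate now also lives in a script from the checkout rather than in the workflow, so `caps.sh` and `capability_baseline.txt` should get the same review protection as the workflow file; the script's hunk is outside this view, so how it handles a capslock failure or empty output cannot be judged from here.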
@@ -53,6 +53,14 @@ go-toml is a TOML library for Go. The goal is to provide an easy-to-use and effi - Commit messages must explain **why** the change is needed - Keep messages clear and informative even if details are in the PR description +### Capabilities + +go-toml tracks system-level capabilities using [capslock](https://github.com/google/capslock). The baseline is in `capability_baseline.txt` and CI enforces that it does not grow. + +- **Do not introduce new capabilities.** PRs that increase the capability set (e.g., adding network access, subprocess execution, syscalls) are unlikely to be accepted. +- If a change causes the capabilities check to fail, do not update the baseline to make it pass. Instead, rethink the approach to avoid requiring new capabilities. +- To check locally: `./caps.sh check` (requires `capslock` installed via `go install github.com/google/capslock/cmd/capslock@latest`) + ## Pull Request Checklist Before submitting: @@ -61,4 +69,5 @@ Before submitting: 2. No backward-incompatible changes (unless discussed) 3. Relevant documentation added/updated 4. No performance regression (verify with benchmarks) -5. Title is clear and understandable for changelog +5. Capabilities are not increasing (`./caps.sh check`) +6. Title is clear and understandable for changelog diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 28b88ec..65a3ff4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -180,6 +180,25 @@ description. Pull requests that lower performance will receive more scrutiny. [benchstat]: https://pkg.go.dev/golang.org/x/perf/cmd/benchstat +### Capabilities + +We use [capslock](https://github.com/google/capslock) to track what +system-level capabilities (file access, network, syscalls, etc.) each package +requires. The current baseline is in `capability_baseline.txt`. CI will fail if +a change introduces a new capability. + +**Pull requests that increase the set of capabilities are unlikely to be +accepted.** go-toml is a parsing library and should not need network access, +subprocess execution, or other capabilities beyond what it already uses. + +If you believe a new capability is genuinely needed, discuss it in an issue +first. To update the baseline after approval: + +```bash +go install github.com/google/capslock/cmd/capslock@latest +./caps.sh generate +``` + ### Style Try to look around and follow the same format and structure as the rest of the diff --git a/capability_baseline.json b/capability_baseline.json deleted file mode 100644 index fb5a589..0000000 --- a/capability_baseline.json +++ /dev/null 
@@ -1,1272 +0,0 @@ -{ - "capabilityInfo": [ - { - "packageName": "toml", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2.Marshal (*github.com/pelletier/go-toml/v2.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2.Marshal", - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "marshaler.go", - "line": "28", - "column": "19" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "marshaler.go", - "line": "191", - "column": "22" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin (*encoding/json.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder" - }, - { - "name": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin", - "site": { - "filename": "main.go", - "line": "21", - "column": "30" - }, - "package": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "name": "(*encoding/json.Encoder).Encode", - "site": { - "filename": "testsuite.go", - "line": "45", - "column": "20" - }, - "package": "encoding/json" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "stream.go", - "line": "231", - "column": "25" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "FILES", - 
"capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main github.com/pelletier/go-toml/v2/internal/testsuite.EncodeStdin (*github.com/pelletier/go-toml/v2.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder" - }, - { - "name": "github.com/pelletier/go-toml/v2/internal/testsuite.EncodeStdin", - "site": { - "filename": "main.go", - "line": "21", - "column": "30" - }, - "package": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "testsuite.go", - "line": "67", - "column": "42" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "marshaler.go", - "line": "191", - "column": "22" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/cmd/jsontoml.convert (*github.com/pelletier/go-toml/v2.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/jsontoml.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/jsontoml" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "main.go", - "line": "65", - "column": "17" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "marshaler.go", - "line": "191", - "column": "22" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/jsontoml", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "FILES", - 
"capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomljson.convert (*encoding/json.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomljson.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/tomljson" - }, - { - "name": "(*encoding/json.Encoder).Encode", - "site": { - "filename": "main.go", - "line": "62", - "column": "17" - }, - "package": "encoding/json" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "stream.go", - "line": "231", - "column": "25" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomljson", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomll.convert (*github.com/pelletier/go-toml/v2.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomll.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/tomll" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "main.go", - "line": "57", - "column": "17" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "marshaler.go", - "line": "191", - "column": "22" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomll", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomltestgen.main os.ReadFile", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomltestgen.main", - "package": "github.com/pelletier/go-toml/v2/cmd/tomltestgen" - }, - { - "name": "os.ReadFile", - "site": { - "filename": "main.go", - "line": "116", - "column": "34" - }, - "package": "os" - } - ], - 
"packageDir": "github.com/pelletier/go-toml/v2/cmd/tomltestgen", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "cli", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).run$1 (*os.File).Close", - "path": [ - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).run$1", - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "(*os.File).Close", - "site": { - "filename": "cli.go", - "line": "57", - "column": "29" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/internal/cli", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "testsuite", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin (*encoding/json.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin", - "package": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "name": "(*encoding/json.Encoder).Encode", - "site": { - "filename": "testsuite.go", - "line": "45", - "column": "20" - }, - "package": "encoding/json" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "stream.go", - "line": "231", - "column": "25" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/internal/testsuite", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "ossfuzz", - "capabilityName": "FILES", - "capability": "CAPABILITY_FILES", - "depPath": "github.com/pelletier/go-toml/v2/ossfuzz.FuzzToml github.com/pelletier/go-toml/v2.Marshal (*github.com/pelletier/go-toml/v2.Encoder).Encode (*os.File).Write", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/ossfuzz.FuzzToml", - "package": "github.com/pelletier/go-toml/v2/ossfuzz" - }, - { - "name": "github.com/pelletier/go-toml/v2.Marshal", - "site": { - 
"filename": "fuzz.go", - "line": "28", - "column": "30" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "marshaler.go", - "line": "28", - "column": "19" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*os.File).Write", - "site": { - "filename": "marshaler.go", - "line": "191", - "column": "22" - }, - "package": "os" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/ossfuzz", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "MODIFY_SYSTEM_STATE/LOGGING", - "capability": "CAPABILITY_MODIFY_SYSTEM_STATE", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main log.SetFlags", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder" - }, - { - "name": "log.SetFlags", - "site": { - "filename": "main.go", - "line": "14", - "column": "14" - }, - "package": "log" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": "MODIFY_SYSTEM_STATE/LOGGING", - "capability": "CAPABILITY_MODIFY_SYSTEM_STATE", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main log.SetFlags", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder" - }, - { - "name": "log.SetFlags", - "site": { - "filename": "main.go", - "line": "14", - "column": "14" - }, - "package": "log" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "toml", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": 
"github.com/pelletier/go-toml/v2.Unmarshal (*github.com/pelletier/go-toml/v2.decoder).FromParser errors.As", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2.Unmarshal", - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.decoder).FromParser", - "site": { - "filename": "unmarshaler.go", - "line": "25", - "column": "21" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "errors.As", - "site": { - "filename": "unmarshaler.go", - "line": "249", - "column": "14" - }, - "package": "errors" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main log.Fatal (*log.Logger).Output", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder" - }, - { - "name": "log.Fatal", - "site": { - "filename": "main.go", - "line": "23", - "column": "12" - }, - "package": "log" - }, - { - "name": "(*log.Logger).Output", - "site": { - "filename": "log.go", - "line": "412", - "column": "12" - }, - "package": "log" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main log.Fatal (*log.Logger).Output", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder" - }, - { - "name": "log.Fatal", - "site": { - "filename": "main.go", - "line": "23", - "column": "12" - }, - "package": "log" - }, - { - "name": "(*log.Logger).Output", - 
"site": { - "filename": "log.go", - "line": "412", - "column": "12" - }, - "package": "log" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/cmd/jsontoml.main (*github.com/pelletier/go-toml/v2/internal/cli.Program).Execute (*github.com/pelletier/go-toml/v2/internal/cli.Program).main errors.As", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/jsontoml.main", - "package": "github.com/pelletier/go-toml/v2/cmd/jsontoml" - }, - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).Execute", - "site": { - "filename": "main.go", - "line": "46", - "column": "11" - }, - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).main", - "site": { - "filename": "cli.go", - "line": "28", - "column": "16" - }, - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "errors.As", - "site": { - "filename": "cli.go", - "line": "35", - "column": "15" - }, - "package": "errors" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/jsontoml", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomljson.convert errors.As", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomljson.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/tomljson" - }, - { - "name": "errors.As", - "site": { - "filename": "main.go", - "line": "53", - "column": "15" - }, - "package": "errors" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomljson", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": 
"UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomll.convert (*github.com/pelletier/go-toml/v2.Decoder).Decode io.ReadAll", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomll.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/tomll" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Decoder).Decode", - "site": { - "filename": "main.go", - "line": "51", - "column": "17" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "io.ReadAll", - "site": { - "filename": "unmarshaler.go", - "line": "122", - "column": "22" - }, - "package": "io" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomll", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomltestgen.main go/format.Source go/format.parse go/parser.ParseFile go/parser.readSource io.ReadAll", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomltestgen.main", - "package": "github.com/pelletier/go-toml/v2/cmd/tomltestgen" - }, - { - "name": "go/format.Source", - "site": { - "filename": "main.go", - "line": "169", - "column": "35" - }, - "package": "go/format" - }, - { - "name": "go/format.parse", - "site": { - "filename": "format.go", - "line": "103", - "column": "42" - }, - "package": "go/format" - }, - { - "name": "go/parser.ParseFile", - "site": { - "filename": "internal.go", - "line": "30", - "column": "30" - }, - "package": "go/parser" - }, - { - "name": "go/parser.readSource", - "site": { - "filename": "interface.go", - "line": "90", - "column": "25" - }, - "package": "go/parser" - }, - { - "name": "io.ReadAll", - "site": { - "filename": "interface.go", - "line": "37", - "column": "21" - }, - "package": "io" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomltestgen", - "capabilityType": "CAPABILITY_TYPE_DIRECT" 
- }, - { - "packageName": "cli", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).Execute (*github.com/pelletier/go-toml/v2/internal/cli.Program).main errors.As", - "path": [ - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).Execute", - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).main", - "site": { - "filename": "cli.go", - "line": "28", - "column": "16" - }, - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "errors.As", - "site": { - "filename": "cli.go", - "line": "35", - "column": "15" - }, - "package": "errors" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/internal/cli", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "testsuite", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin (*github.com/pelletier/go-toml/v2.Decoder).Decode io.ReadAll", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin", - "package": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Decoder).Decode", - "site": { - "filename": "testsuite.go", - "line": "39", - "column": "44" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "io.ReadAll", - "site": { - "filename": "unmarshaler.go", - "line": "122", - "column": "22" - }, - "package": "io" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/internal/testsuite", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "tracker", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "(*github.com/pelletier/go-toml/v2/internal/tracker.SeenTracker).CheckExpression 
(*github.com/pelletier/go-toml/v2/internal/tracker.SeenTracker).checkKeyValue (*github.com/pelletier/go-toml/v2/internal/tracker.SeenTracker).checkInlineTable (*sync.Pool).Get", - "path": [ - { - "name": "(*github.com/pelletier/go-toml/v2/internal/tracker.SeenTracker).CheckExpression", - "package": "github.com/pelletier/go-toml/v2/internal/tracker" - }, - { - "name": "(*github.com/pelletier/go-toml/v2/internal/tracker.SeenTracker).checkKeyValue", - "site": { - "filename": "seen.go", - "line": "164", - "column": "25" - }, - "package": "github.com/pelletier/go-toml/v2/internal/tracker" - }, - { - "name": "(*github.com/pelletier/go-toml/v2/internal/tracker.SeenTracker).checkInlineTable", - "site": { - "filename": "seen.go", - "line": "310", - "column": "28" - }, - "package": "github.com/pelletier/go-toml/v2/internal/tracker" - }, - { - "name": "(*sync.Pool).Get", - "site": { - "filename": "seen.go", - "line": "339", - "column": "14" - }, - "package": "sync" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/internal/tracker", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "ossfuzz", - "capabilityName": "UNANALYZED", - "capability": "CAPABILITY_UNANALYZED", - "depPath": "github.com/pelletier/go-toml/v2/ossfuzz.FuzzToml github.com/pelletier/go-toml/v2.Unmarshal (*github.com/pelletier/go-toml/v2.decoder).FromParser errors.As", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/ossfuzz.FuzzToml", - "package": "github.com/pelletier/go-toml/v2/ossfuzz" - }, - { - "name": "github.com/pelletier/go-toml/v2.Unmarshal", - "site": { - "filename": "fuzz.go", - "line": "23", - "column": "23" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.decoder).FromParser", - "site": { - "filename": "unmarshaler.go", - "line": "25", - "column": "21" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "errors.As", - "site": { - "filename": "unmarshaler.go", - "line": "249", - 
"column": "14" - }, - "package": "errors" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/ossfuzz", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "toml", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2.Marshal (*github.com/pelletier/go-toml/v2.Encoder).Encode (*github.com/pelletier/go-toml/v2.Encoder).encode reflect.Zero", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2.Marshal", - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "marshaler.go", - "line": "28", - "column": "19" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).encode", - "site": { - "filename": "marshaler.go", - "line": "186", - "column": "22" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "reflect.Zero", - "site": { - "filename": "marshaler.go", - "line": "321", - "column": "42" - }, - "package": "reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "main", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin (*github.com/pelletier/go-toml/v2.Decoder).Decode (*github.com/pelletier/go-toml/v2.decoder).FromParser (reflect.Value).Set", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder" - }, - { - "name": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin", - "site": { - "filename": "main.go", - "line": "21", - "column": "30" - }, - "package": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "name": 
"(*github.com/pelletier/go-toml/v2.Decoder).Decode", - "site": { - "filename": "testsuite.go", - "line": "39", - "column": "44" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.decoder).FromParser", - "site": { - "filename": "unmarshaler.go", - "line": "136", - "column": "23" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(reflect.Value).Set", - "site": { - "filename": "unmarshaler.go", - "line": "240", - "column": "8" - }, - "package": "reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main github.com/pelletier/go-toml/v2/internal/testsuite.EncodeStdin (*github.com/pelletier/go-toml/v2.Encoder).Encode (*github.com/pelletier/go-toml/v2.Encoder).encode reflect.Zero", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder.main", - "package": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder" - }, - { - "name": "github.com/pelletier/go-toml/v2/internal/testsuite.EncodeStdin", - "site": { - "filename": "main.go", - "line": "21", - "column": "30" - }, - "package": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "testsuite.go", - "line": "67", - "column": "42" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).encode", - "site": { - "filename": "marshaler.go", - "line": "186", - "column": "22" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "reflect.Zero", - "site": { - "filename": "marshaler.go", - "line": "321", - "column": "42" - }, - "package": "reflect" - } - ], - "packageDir": 
"github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/cmd/jsontoml.convert (*github.com/pelletier/go-toml/v2.Encoder).Encode (*github.com/pelletier/go-toml/v2.Encoder).encode reflect.Zero", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/jsontoml.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/jsontoml" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "main.go", - "line": "65", - "column": "17" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).encode", - "site": { - "filename": "marshaler.go", - "line": "186", - "column": "22" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "reflect.Zero", - "site": { - "filename": "marshaler.go", - "line": "321", - "column": "42" - }, - "package": "reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/jsontoml", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomljson.convert (*github.com/pelletier/go-toml/v2.Decoder).Decode (*github.com/pelletier/go-toml/v2.decoder).FromParser (reflect.Value).Set", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomljson.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/tomljson" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Decoder).Decode", - "site": { - "filename": "main.go", - "line": "50", - "column": "17" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.decoder).FromParser", - "site": { - "filename": "unmarshaler.go", - "line": "136", - "column": "23" - }, - "package": 
"github.com/pelletier/go-toml/v2" - }, - { - "name": "(reflect.Value).Set", - "site": { - "filename": "unmarshaler.go", - "line": "240", - "column": "8" - }, - "package": "reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomljson", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomll.convert (*github.com/pelletier/go-toml/v2.Encoder).Encode (*github.com/pelletier/go-toml/v2.Encoder).encode reflect.Zero", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomll.convert", - "package": "github.com/pelletier/go-toml/v2/cmd/tomll" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "main.go", - "line": "57", - "column": "17" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).encode", - "site": { - "filename": "marshaler.go", - "line": "186", - "column": "22" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "reflect.Zero", - "site": { - "filename": "marshaler.go", - "line": "321", - "column": "42" - }, - "package": "reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomll", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "main", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/cmd/tomltestgen.main (*text/template.Template).Execute (*text/template.Template).execute", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/cmd/tomltestgen.main", - "package": "github.com/pelletier/go-toml/v2/cmd/tomltestgen" - }, - { - "name": "(*text/template.Template).Execute", - "site": { - "filename": "main.go", - "line": "165", - "column": "18" - }, - "package": "text/template" - }, - { - "name": "(*text/template.Template).execute", - "site": { - 
"filename": "exec.go", - "line": "207", - "column": "18" - }, - "package": "text/template" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/cmd/tomltestgen", - "capabilityType": "CAPABILITY_TYPE_DIRECT" - }, - { - "packageName": "cli", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).Execute (*github.com/pelletier/go-toml/v2/internal/cli.Program).main (*github.com/pelletier/go-toml/v2/internal/cli.Program).run github.com/pelletier/go-toml/v2/cmd/jsontoml.convert (*github.com/pelletier/go-toml/v2.Encoder).Encode (*github.com/pelletier/go-toml/v2.Encoder).encode reflect.Zero", - "path": [ - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).Execute", - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).main", - "site": { - "filename": "cli.go", - "line": "28", - "column": "16" - }, - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "(*github.com/pelletier/go-toml/v2/internal/cli.Program).run", - "site": { - "filename": "cli.go", - "line": "32", - "column": "14" - }, - "package": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "name": "github.com/pelletier/go-toml/v2/cmd/jsontoml.convert", - "site": { - "filename": "cli.go", - "line": "60", - "column": "13" - }, - "package": "github.com/pelletier/go-toml/v2/cmd/jsontoml" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).Encode", - "site": { - "filename": "main.go", - "line": "65", - "column": "17" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Encoder).encode", - "site": { - "filename": "marshaler.go", - "line": "186", - "column": "22" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "reflect.Zero", - "site": { - "filename": "marshaler.go", - "line": "321", - "column": "42" - }, - "package": 
"reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/internal/cli", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "testsuite", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin (*github.com/pelletier/go-toml/v2.Decoder).Decode (*github.com/pelletier/go-toml/v2.decoder).FromParser (reflect.Value).Set", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/internal/testsuite.DecodeStdin", - "package": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.Decoder).Decode", - "site": { - "filename": "testsuite.go", - "line": "39", - "column": "44" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.decoder).FromParser", - "site": { - "filename": "unmarshaler.go", - "line": "136", - "column": "23" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(reflect.Value).Set", - "site": { - "filename": "unmarshaler.go", - "line": "240", - "column": "8" - }, - "package": "reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/internal/testsuite", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - }, - { - "packageName": "ossfuzz", - "capabilityName": "REFLECT", - "capability": "CAPABILITY_REFLECT", - "depPath": "github.com/pelletier/go-toml/v2/ossfuzz.FuzzToml github.com/pelletier/go-toml/v2.Unmarshal (*github.com/pelletier/go-toml/v2.decoder).FromParser (reflect.Value).Set", - "path": [ - { - "name": "github.com/pelletier/go-toml/v2/ossfuzz.FuzzToml", - "package": "github.com/pelletier/go-toml/v2/ossfuzz" - }, - { - "name": "github.com/pelletier/go-toml/v2.Unmarshal", - "site": { - "filename": "fuzz.go", - "line": "23", - "column": "23" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(*github.com/pelletier/go-toml/v2.decoder).FromParser", - "site": { - "filename": 
"unmarshaler.go", - "line": "25", - "column": "21" - }, - "package": "github.com/pelletier/go-toml/v2" - }, - { - "name": "(reflect.Value).Set", - "site": { - "filename": "unmarshaler.go", - "line": "240", - "column": "8" - }, - "package": "reflect" - } - ], - "packageDir": "github.com/pelletier/go-toml/v2/ossfuzz", - "capabilityType": "CAPABILITY_TYPE_TRANSITIVE" - } - ], - "packageInfo": [ - { - "path": "github.com/pelletier/go-toml/v2" - }, - { - "path": "github.com/pelletier/go-toml/v2/benchmark" - }, - { - "path": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder" - }, - { - "path": "github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder" - }, - { - "path": "github.com/pelletier/go-toml/v2/cmd/jsontoml" - }, - { - "path": "github.com/pelletier/go-toml/v2/cmd/tomljson" - }, - { - "path": "github.com/pelletier/go-toml/v2/cmd/tomll" - }, - { - "path": "github.com/pelletier/go-toml/v2/cmd/tomltestgen" - }, - { - "path": "github.com/pelletier/go-toml/v2/internal/assert" - }, - { - "path": "github.com/pelletier/go-toml/v2/internal/characters" - }, - { - "path": "github.com/pelletier/go-toml/v2/internal/cli" - }, - { - "path": "github.com/pelletier/go-toml/v2/internal/imported_tests" - }, - { - "path": "github.com/pelletier/go-toml/v2/internal/testsuite" - }, - { - "path": "github.com/pelletier/go-toml/v2/internal/tracker" - }, - { - "path": "github.com/pelletier/go-toml/v2/ossfuzz" - }, - { - "path": "github.com/pelletier/go-toml/v2/unstable" - } - ] -} diff --git a/capability_baseline.txt b/capability_baseline.txt new file mode 100644 index 0000000..3fad912 --- /dev/null +++ b/capability_baseline.txt 
@@ -0,0 +1,11 @@
+github.com/pelletier/go-toml/v2: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder: CAPABILITY_FILES, CAPABILITY_MODIFY_SYSTEM_STATE, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder: CAPABILITY_FILES, CAPABILITY_MODIFY_SYSTEM_STATE, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/cmd/jsontoml: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/cmd/tomljson: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/cmd/tomll: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/cmd/tomltestgen: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/internal/cli: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/internal/testsuite: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/internal/tracker: CAPABILITY_UNANALYZED
+github.com/pelletier/go-toml/v2/ossfuzz: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
diff --git a/caps.sh b/caps.sh
new file mode 100755
index 0000000..88d31f4
--- /dev/null
+++ b/caps.sh
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+#
+# Generates or checks the capability baseline for go-toml.
+#
+# Usage:
+# ./caps.sh generate # regenerate capability_baseline.txt
+# ./caps.sh check # check that capabilities haven't grown
+#
+# Requires: go, capslock (go install github.com/google/capslock/cmd/capslock@latest)
+
+set -euo pipefail
+
+BASELINE="capability_baseline.txt"
+CAPSLOCK="${CAPSLOCK:-capslock}"
+
+generate() {
+ "$CAPSLOCK" -packages=./... -output=package -granularity=package \
+ | jq -r 'to_entries | sort_by(.key) | .[] | .key + ": " + (.value | sort | join(", "))' \
+ > "$BASELINE"
+ echo "Wrote $BASELINE"
+}
+
+check() {
+ if [ ! -f "$BASELINE" ]; then
+ echo "ERROR: $BASELINE not found. Run '$0 generate' first."
+ exit 1
+ fi
+
+ current=$(mktemp)
+ trap 'rm -f "$current"' EXIT
+
+ "$CAPSLOCK" -packages=./... -output=package -granularity=package \
+ | jq -r 'to_entries | sort_by(.key) | .[] | .key + ": " + (.value | sort | join(", "))' \
+ > "$current"
+
+ if diff -u "$BASELINE" "$current"; then
+ echo "OK: capabilities unchanged."
+ else
+ echo ""
+ echo "FAILED: capabilities have changed."
+ echo "If this is intentional, run '$0 generate' and commit the updated $BASELINE."
+ exit 1
+ fi
+}
+
+case "${1:-}" in
+ generate) generate ;;
+ check) check ;;
+ *)
+ echo "Usage: $0 {generate|check}"
+ exit 1
+ ;;
+esac
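Review bot: The failure branch of `check` prints the same advice for every difference, `If this is intentional, run '$0 generate' and commit the updated $BASELINE`, so a contributor whose change added a capability is told to regenerate the baseline, which works against the gate the header comment describes (`check that capabilities haven't grown`). Because `diff -u` also fails when a capability disappears, the message should separate the two cases, for example `echo "If capabilities were only removed, run '$0 generate' and commit $BASELINE; an added capability needs maintainer review, not a new baseline."`. Both `generate` and `check` pipe through `jq`, but the header lists only go and capslock, so the comment should read `# Requires: go, jq, capslock (go install github.com/google/capslock/cmd/capslock@latest)`. Separately, `generate` redirects straight into `$BASELINE`, so a failing capslock or jq run leaves the file truncated; writing to a temporary file and moving it into place on success would avoid that.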