ostiwe/go-toml
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Scope capability check to library only, not cmd binaries

Browse Source 
Only analyze the go-toml/v2 library package (./), not ./... which
included cmd/ binaries. The library itself only needs REFLECT and
UNANALYZED — FILES and MODIFY_SYSTEM_STATE were from the CLI tools.

https://claude.ai/code/session_01HwDXpKevFLhE5EfrR6JrBn
This commit is contained in:
Claude
2026-03-24 02:28:27 +00:00
parent 04f7e836d4
commit cad7681abe
2 changed files with 4 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
capability_baseline.txt
+1 -11
View File
@@ -1,11 +1 @@
github.com/pelletier/go-toml/v2: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/cmd/gotoml-test-decoder: CAPABILITY_FILES, CAPABILITY_MODIFY_SYSTEM_STATE, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/cmd/gotoml-test-encoder: CAPABILITY_FILES, CAPABILITY_MODIFY_SYSTEM_STATE, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/cmd/jsontoml: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/cmd/tomljson: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/cmd/tomll: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/cmd/tomltestgen: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/internal/cli: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/internal/testsuite: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/internal/tracker: CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2/ossfuzz: CAPABILITY_FILES, CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
github.com/pelletier/go-toml/v2: CAPABILITY_REFLECT, CAPABILITY_UNANALYZED
caps.sh
+3 -2
View File
@@ -21,7 +21,7 @@ FORBIDDEN_CAPS=(
)
capslock_to_baseline() {
"$CAPSLOCK" -packages=./... -output=package -granularity=package \
"$CAPSLOCK" -packages=. -output=package -granularity=package \
| jq -r 'to_entries | sort_by(.key) | .[] | .key + ": " + (.value | sort | join(", "))'
}
@@ -47,7 +47,8 @@ check() {
# Capslock may report CAPABILITY_UNSAFE_POINTER due to stdlib internals
# (e.g. reflect -> unsafe), which is a false positive. Instead of relying
# on capslock for this, we check the source directly.
unsafe_imports=$(find . -name '*.go' -not -name '*_test.go' -not -path './vendor/*' \
unsafe_imports=$(find . -name '*.go' -not -name '*_test.go' \
-not -path './vendor/*' -not -path './cmd/*' -not -path './internal/*' \
-exec grep -l '"unsafe"' {} +) || true
if [ -n "$unsafe_imports" ]; then
echo "FORBIDDEN: direct unsafe import found in:"