input validation 2

.circleci/config.yml

@@ -168,7 +168,7 @@ jobs:
 
   format-go:
     docker:
-      - image: cimg/go:1.22.12
+      - image: cimg/go:1.23.4
     steps:
       - run:
           name: Install gofumpt
@@ -186,7 +186,7 @@ jobs:
   # Build types and cosmwam package without cgo
   wasmvm_no_cgo:
     docker:
-      - image: cimg/go:1.22.12
+      - image: cimg/go:1.23.4
     steps:
       - checkout
       - run:
@@ -205,7 +205,7 @@ jobs:
   # Build types and cosmwasm with libwasmvm linking disabled
   nolink_libwasmvm:
     docker:
-      - image: cimg/go:1.22.12
+      - image: cimg/go:1.23.4
     steps:
       - checkout
       - run:
@@ -223,7 +223,7 @@ jobs:
 
   tidy-go:
     docker:
-      - image: cimg/go:1.22.12
+      - image: cimg/go:1.23.4
     steps:
       - checkout
       - run:
@@ -241,7 +241,7 @@ jobs:
 
   format-scripts:
     docker:
-      - image: cimg/go:1.22.12
+      - image: cimg/go:1.23.4
     steps:
       - run:
           name: Install shfmt
@@ -299,7 +299,7 @@ jobs:
   # Test the Go project and run benchmarks
   wasmvm_test:
     docker:
-      - image: cimg/go:1.22.12
+      - image: cimg/go:1.23.4
     environment:
       GORACE: "halt_on_error=1"
       BUILD_VERSION: $(echo ${CIRCLE_SHA1} | cut -c 1-10)

.cursor/rules/wasmvm-description.mdc

@@ -0,0 +1,6 @@
+---
+description: 
+globs: 
+alwaysApply: true
+---
+this project is written in both go and rust.  Please make sure to frequently check both golangci-lint and cargo clippy.

.github/workflows/cargo-audit.yml

@@ -0,0 +1,38 @@
+name: Cargo Audit
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - ".github/workflows/cargo-audit.yml"
+  pull_request:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - ".github/workflows/cargo-audit.yml"
+  schedule:
+    - cron: "0 0 * * 0" # Run weekly on Sundays at midnight
+
+jobs:
+  cargo-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run cargo audit
+        working-directory: ./libwasmvm
+        run: cargo audit
+        continue-on-error: ${{ github.event_name == 'schedule' }} # Don't fail scheduled runs
+
+      - name: Run cargo audit with ignore unmaintained
+        working-directory: ./libwasmvm
+        run: cargo audit --ignore RUSTSEC-2024-0436 --ignore RUSTSEC-2024-0370
+        # These are the unmaintained crates we're already tracking in deny.toml

.github/workflows/cargo-deny.yml

@@ -0,0 +1,35 @@
+name: Cargo Deny
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - "**/deny.toml"
+      - ".github/workflows/cargo-deny.yml"
+  pull_request:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - "**/deny.toml"
+      - ".github/workflows/cargo-deny.yml"
+
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans
+          - licenses
+          - sources
+    steps:
+      - uses: actions/checkout@v3
+      - uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          command: check ${{ matrix.checks }}
+          arguments: --all-features --exclude-dev
+          rust-version: stable
+          manifest-path: libwasmvm/Cargo.toml

.github/workflows/lint-go.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23.4"
+          go-version: "1.24"
           cache: false
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v7

.golangci.yml

@@ -2,25 +2,95 @@ version: "2"
 
 run:
   tests: true
+  timeout: 5m
 
 linters:
   # Enable specific linters
   # https://golangci-lint.run/usage/linters/#enabled-by-default
   enable:
-    - misspell
-    - testifylint
-    - thelper
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+    - copyloopvar # Detect copy loops
+    - errcheck # Detect unchecked errors
+    - govet # Reports suspicious constructs
+    - ineffassign # Detect unused assignments
+    - staticcheck # Go static analysis
+    - unused # Detect unused constants, variables, functions and types
+
+    # Additional recommended linters
+    - gocritic # A more opinionated linter
+    - gosec # Security checker
+    - misspell # Find commonly misspelled words
+    - revive # a metalinter with more checks
+    - maintidx
+    - bodyclose # Check HTTP response bodies are closed
+    - goconst # Find repeated strings that could be constants
+    - gocyclo # Check function complexity
+    - gocognit # Check cognitive complexity
+    - whitespace # Check trailing whitespace
+    - thelper # Detect test helpers not using t.Helper()
+    - usetesting # Detect incorrect usage of testing package
+    - tparallel # Detect incorrect usage of t.Parallel()
+
+  settings:
+    gocritic:
+      enabled-tags:
+        - diagnostic
+        - style
+        - performance
+      disabled-checks:
+        - dupSubExpr
+        - paramTypeCombine
+        - dupImport
+        - hugeParam
+        - rangeValCopy
+        - ptrToRefParam
+
+    gocyclo:
+      min-complexity: 15
+    gocognit:
+      min-complexity: 20
+    dupl:
+      threshold: 100
+    goconst:
+      min-len: 3
+      min-occurrences: 3
+    revive:
+      enable-all-rules: true
+
+      rules:
+        # https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md#var-naming
+        - name: var-naming
+          severity: warning
+          disabled: true
+          exclude: [""]
+          arguments:
+            - ["ID"] # AllowList
+            - ["VM"] # DenyList
+            - - upperCaseConst: true # Extra parameter (upperCaseConst|skipPackageNameChecks)
+        - name: line-length-limit
+          severity: warning
+          disabled: true
+          exclude: [""]
+          arguments: [80]
+        - name: add-constant
+          disabled: true
+        - name: exported
+          disabled: true
+        - name: function-length
+          disabled: true
+        - name: nested-structs
+          disabled: true
+        - name: flag-parameter
+          disabled: true
+        - name: max-public-structs
+          disabled: false
+          severity: warning
+          arguments: [100]
+
+
+
+
+
+
 
 issues:
   max-issues-per-linter: 0
@@ -46,12 +116,7 @@ formatters:
         - dot # Dot section: contains all dot imports. This section is not present unless explicitly enabled.
         - alias # Alias section: contains all alias imports. This section is not present unless explicitly enabled.
         - localmodule # Local module section: contains all local packages. This section is not present unless explicitly enabled.
-      # Enable custom order of sections.
-      # If `true`, make the section order the same as the order of `sections`.
-      # Default: false
       custom-order: true
-      # Drops lexical ordering for custom sections.
-      # Default: false
       no-lex-order: true
   exclusions:
     # Skip generated files.