testing: address G115 integer overflow conversion warnings and re-enable linter

Each G115 (gosec) integer overflow conversion has been evaluated and
annotated with an inline //nolint:gosec comment explaining why the
conversion is safe:

- opts/swarmopts/port.go: port numbers are in [0, 65535], within uint32
- cli/command/service/logs.go: replica count is far below math.MaxInt
- cli/compose/convert/service.go: healthcheck retries and restart policy
  MaximumRetryCount are small, non-negative values
- cli/command/container/cp.go: len() is always non-negative
- cli/command/container/opts.go: ioMaxBandwidth is validated non-negative
- cli/command/container/stats_helpers.go: time diff between reads is positive
- cli/command/image/tree.go: terminal width fits well within int range
- cli/command/service/progress/progress.go: replica/running/job counts
  are far below math.MaxInt; mappedSlot is a positive slot number

Remove the global G115 exclusion from .golangci.yml now that all cases
have been individually addressed.

Fixes #5584

Author: abhay1999

.golangci.yml

@@ -109,7 +109,6 @@ linters:
     gosec:
       excludes:
         - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
-        - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
         - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
         - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
 

cli/command/container/cp.go

@@ -108,7 +108,7 @@ func copyProgress(ctx context.Context, dst io.Writer, header string, total *int6
 				}
 
 				// Write to the buffer first to avoid flickering and context switching
-				fmt.Fprint(buf, aec.Column(uint(len(header)+1)))
+				fmt.Fprint(buf, aec.Column(uint(len(header)+1))) //nolint:gosec // G115: len() is always non-negative, safe to convert to uint
 				fmt.Fprint(buf, aec.EraseLine(aec.EraseModes.Tail))
 				fmt.Fprint(buf, progressHumanSize(n))
 

cli/command/container/opts.go

@@ -635,7 +635,7 @@ func parse(flags *pflag.FlagSet, copts *containerOptions, serverOS string) (*con
 		BlkioDeviceReadIOps:  copts.deviceReadIOps.GetList(),
 		BlkioDeviceWriteIOps: copts.deviceWriteIOps.GetList(),
 		IOMaximumIOps:        copts.ioMaxIOps,
-		IOMaximumBandwidth:   uint64(copts.ioMaxBandwidth),
+		IOMaximumBandwidth:   uint64(copts.ioMaxBandwidth), //nolint:gosec // G115: ioMaxBandwidth is validated to be non-negative
 		Ulimits:              copts.ulimits.GetList(),
 		DeviceCgroupRules:    copts.deviceCgroupRules.GetSlice(),
 		Devices:              deviceMappings,

cli/command/container/stats_helpers.go

@@ -185,7 +185,7 @@ func calculateCPUPercentUnix(previousCPU container.CPUStats, curCPUStats contain
 
 func calculateCPUPercentWindows(v *container.StatsResponse) float64 {
 	// Max number of 100ns intervals between the previous time read and now
-	possIntervals := uint64(v.Read.Sub(v.PreRead).Nanoseconds()) // Start with number of ns intervals
+	possIntervals := uint64(v.Read.Sub(v.PreRead).Nanoseconds()) //nolint:gosec // G115: time difference between CPU stat reads is always positive
 	possIntervals /= 100                                         // Convert to number of 100ns intervals
 	possIntervals *= uint64(v.NumProcs)                          // Multiply by the number of processors
 

cli/command/image/tree.go

@@ -349,7 +349,7 @@ func printImageTree(outs command.Streams, view treeView) {
 // available for image names and removes any columns that would be too narrow
 // to display their content.
 func adjustColumns(width uint, columns []imgColumn, images []topImage) []imgColumn {
-	nameWidth := int(width)
+	nameWidth := int(width) //nolint:gosec // G115: terminal width is a small value well within int range
 	if nameWidth > 0 {
 		for idx, h := range columns {
 			if h.Width == 0 {

cli/command/service/logs.go

@@ -127,7 +127,7 @@ func runLogs(ctx context.Context, dockerCli command.Cli, opts *logsOptions) erro
 		if service.Service.Spec.Mode.Replicated != nil && service.Service.Spec.Mode.Replicated.Replicas != nil {
 			// if replicas are initialized, figure out if we need to pad them
 			replicas := *service.Service.Spec.Mode.Replicated.Replicas
-			maxLength = getMaxLength(int(replicas))
+			maxLength = getMaxLength(int(replicas)) //nolint:gosec // G115: replica count is far below math.MaxInt in practice
 		}
 
 		// we can't prettify tty logs. tell the user that this is the case.

cli/command/service/progress/progress.go

@@ -301,7 +301,7 @@ func (u *replicatedProgressUpdater) update(service swarm.Service, tasks []swarm.
 		u.slotMap = make(map[int]int)
 
 		// Draw progress bars in order
-		writeOverallProgress(u.progressOut, 0, int(replicas), rollback)
+		writeOverallProgress(u.progressOut, 0, int(replicas), rollback) //nolint:gosec // G115: replica count is far below math.MaxInt in practice
 
 		if replicas <= maxProgressBars {
 			for i := uint64(1); i <= replicas; i++ {
@@ -340,7 +340,7 @@ func (u *replicatedProgressUpdater) update(service swarm.Service, tasks []swarm.
 	}
 
 	if !u.done {
-		writeOverallProgress(u.progressOut, int(running), int(replicas), rollback)
+		writeOverallProgress(u.progressOut, int(running), int(replicas), rollback) //nolint:gosec // G115: running/replica counts are far below math.MaxInt in practice
 
 		if running == replicas {
 			u.done = true
@@ -383,7 +383,7 @@ func (*replicatedProgressUpdater) tasksBySlot(tasks []swarm.Task, activeNodes ma
 }
 
 func (u *replicatedProgressUpdater) writeTaskProgress(task swarm.Task, mappedSlot int, replicas uint64) {
-	if u.done || replicas > maxProgressBars || uint64(mappedSlot) > replicas {
+	if u.done || replicas > maxProgressBars || uint64(mappedSlot) > replicas { //nolint:gosec // G115: mappedSlot is a positive task slot number, safe to convert to uint64
 		return
 	}
 
@@ -572,8 +572,8 @@ type replicatedJobProgressUpdater struct {
 }
 
 func newReplicatedJobProgressUpdater(service swarm.Service, progressOut progress.Output) *replicatedJobProgressUpdater {
-	concurrent := int(*service.Spec.Mode.ReplicatedJob.MaxConcurrent)
-	total := int(*service.Spec.Mode.ReplicatedJob.TotalCompletions)
+	concurrent := int(*service.Spec.Mode.ReplicatedJob.MaxConcurrent)    //nolint:gosec // G115: job concurrency count is far below math.MaxInt in practice
+	total := int(*service.Spec.Mode.ReplicatedJob.TotalCompletions) //nolint:gosec // G115: job total completions count is far below math.MaxInt in practice
 
 	return &replicatedJobProgressUpdater{
 		progressOut:    progressOut,

cli/compose/convert/service.go

@@ -460,7 +460,7 @@ func convertHealthcheck(healthcheck *composetypes.HealthCheckConfig) (*container
 		startInterval = time.Duration(*healthcheck.StartInterval)
 	}
 	if healthcheck.Retries != nil {
-		retries = int(*healthcheck.Retries)
+		retries = int(*healthcheck.Retries) //nolint:gosec // G115: healthcheck retry count is a small value, safe to convert
 	}
 	return &container.HealthConfig{
 		Test:          healthcheck.Test,
@@ -487,7 +487,7 @@ func convertRestartPolicy(restart string, source *composetypes.RestartPolicy) (*
 				Condition: swarm.RestartPolicyConditionAny,
 			}, nil
 		case policy.IsOnFailure():
-			attempts := uint64(policy.MaximumRetryCount)
+			attempts := uint64(policy.MaximumRetryCount) //nolint:gosec // G115: MaximumRetryCount is a non-negative value, safe to convert
 			return &swarm.RestartPolicy{
 				Condition:   swarm.RestartPolicyConditionOnFailure,
 				MaxAttempts: &attempts,

opts/swarmopts/port.go

@@ -80,7 +80,7 @@ func (p *PortOpt) Set(value string) error {
 					return fmt.Errorf("invalid target port (%s): value must be an integer: %w", val, err)
 				}
 
-				pConfig.TargetPort = uint32(tPort)
+				pConfig.TargetPort = uint32(tPort) //nolint:gosec // G115: port numbers are in range [0, 65535], within uint32 bounds
 			case portOptPublishedPort:
 				pPort, err := strconv.ParseUint(val, 10, 16)
 				if err != nil {
@@ -91,7 +91,7 @@ func (p *PortOpt) Set(value string) error {
 					return fmt.Errorf("invalid published port (%s): value must be an integer: %w", val, err)
 				}
 
-				pConfig.PublishedPort = uint32(pPort)
+				pConfig.PublishedPort = uint32(pPort) //nolint:gosec // G115: port numbers are in range [0, 65535], within uint32 bounds
 			default:
 				return fmt.Errorf("invalid field key: %s", key)
 			}
@@ -176,8 +176,8 @@ func ConvertPortToPortConfig(
 			ports = append(ports, swarm.PortConfig{
 				// TODO Name: ?
 				Protocol:      portProto.Proto(),
-				TargetPort:    uint32(portProto.Num()),
-				PublishedPort: uint32(p.Num()),
+				TargetPort:    uint32(portProto.Num()),    //nolint:gosec // G115: port numbers are in range [0, 65535], within uint32 bounds
+				PublishedPort: uint32(p.Num()), //nolint:gosec // G115: port numbers are in range [0, 65535], within uint32 bounds
 				PublishMode:   swarm.PortConfigPublishModeIngress,
 			})
 		}