From 0b3920df624f80e10c4ef53c942668e2da7f5cd8 Mon Sep 17 00:00:00 2001
From: Ainar Garipov <a.garipov@adguard.com>
Date: Thu, 7 Sep 2023 14:10:35 +0300
Subject: [PATCH] Pull request 1997: upd-go

Squashed commit of the following:

commit 7e558500d08328b4dca4ef67160334f27c8c48d6
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Thu Sep 7 13:54:50 2023 +0300

    all: upd go, tools
---
 .github/workflows/build.yml |   2 +-
 .github/workflows/lint.yml  |   2 +-
 CHANGELOG.md                |  26 ++++---
 bamboo-specs/release.yaml   |   6 +-
 bamboo-specs/snapcraft.yaml |   6 +-
 bamboo-specs/test.yaml      |   2 +-
 internal/tools/go.mod       |  10 +--
 internal/tools/go.sum       |  18 ++---
 scripts/make/go-lint.sh     | 135 ++++++++++++++++++++----------------
 9 files changed, 114 insertions(+), 93 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index da8ca358..c9a48519 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,7 @@
 'name': 'build'
 
 'env':
-  'GO_VERSION': '1.20.7'
+  'GO_VERSION': '1.20.8'
   'NODE_VERSION': '14'
 
 'on':
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 773f0494..a3c68e6a 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,7 +1,7 @@
 'name': 'lint'
 
 'env':
-  'GO_VERSION': '1.20.7'
+  'GO_VERSION': '1.20.8'
 
 'on':
   'push':
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4ae24312..6de14190 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,12 +23,18 @@ See also the [v0.107.37 GitHub milestone][ms-v0.107.37].
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+### Security
+
+- Go version has been updated to prevent the possibility of exploiting the
+  CVE-2023-39318, CVE-2023-39319, and CVE-2023-39320 Go vulnerabilities fixed in
+  [Go 1.20.8][go-1.20.8].
+
 ### Added
 
 - AdBlock-style syntax support for ignored domains in logs and statistics
   ([#5720]).
 - [`Strict-Transport-Security`][hsts] header in the HTTP API and DNS-over-HTTPS
-  responses when HTTPS is forced ([#2998]).  See [RFC 6979][rfc6797].
+  responses when HTTPS is forced ([#2998]).  See [RFC 6797][rfc6797].
 - UI for the schedule of the service-blocking pause ([#951]).
 - IPv6 hints are now filtered in case IPv6 addresses resolving is disabled
   ([#6122]).
@@ -36,7 +42,8 @@ NOTE: Add new changes BELOW THIS COMMENT.
   ([#3701]).
 - While adding or updating blocklists, the title can now be parsed from
   `! Title:` definition of the blocklist's source ([#6020]).
-- The ability to filter DNS HTTPS records including IPv4/v6 hints ([#6053]).
+- The ability to filter DNS HTTPS records including IPv4 and IPv6 hints
+  ([#6053]).
 - Two new metrics showing total number of responses from each upstream DNS
   server and their average processing time in the Web UI ([#1453]).
 - The ability to set the port for the `pprof` debug API, see configuration
@@ -54,9 +61,9 @@ NOTE: Add new changes BELOW THIS COMMENT.
 
 In this release, the schema version has changed from 24 to 27.
 
-- Ignore rules blocking `.` in `querylog.…` and `stats.…` have been migrated to
-  AdBlock syntax (`|.^`).  To rollback this change, restore the rules  and
-  change the `schema_version` back to `26`.
+- Ignore rules blocking `.` in `querylog.ignored` and `statistics.ignored` have
+  been migrated to AdBlock syntax (`|.^`).  To rollback this change, restore the
+  rules and change the `schema_version` back to `26`.
 
 - Filtering-related settings have been moved from `dns` section of the YAML
   configuration file to the new section `filtering`:
@@ -173,8 +180,9 @@ In this release, the schema version has changed from 24 to 27.
 [#6122]: https://github.com/AdguardTeam/AdGuardHome/issues/6122
 [#6133]: https://github.com/AdguardTeam/AdGuardHome/issues/6133
 
-[hsts]:    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
-[rfc6797]: https://datatracker.ietf.org/doc/html/rfc6797
+[go-1.20.8]: https://groups.google.com/g/golang-announce/c/Fm51GRLNRvM/m/F5bwBlXMAQAJ
+[hsts]:      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+[rfc6797]:   https://datatracker.ietf.org/doc/html/rfc6797
 
 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
@@ -780,7 +788,6 @@ See also the [v0.107.26 GitHub milestone][ms-v0.107.26].
   been relaxed to meet those from [RFC 3696][rfc3696] ([#4884]).
 - Failing service installation via script on FreeBSD ([#5431]).
 
-[#1472]: https://github.com/AdguardTeam/AdGuardHome/issues/1472
 [#4884]: https://github.com/AdguardTeam/AdGuardHome/issues/4884
 [#5270]: https://github.com/AdguardTeam/AdGuardHome/issues/5270
 [#5281]: https://github.com/AdguardTeam/AdGuardHome/issues/5281
@@ -1399,7 +1406,6 @@ See also the [v0.107.10 GitHub milestone][ms-v0.107.10].
 [#4342]: https://github.com/AdguardTeam/AdGuardHome/issues/4342
 [#4358]: https://github.com/AdguardTeam/AdGuardHome/issues/4358
 [#4670]: https://github.com/AdguardTeam/AdGuardHome/issues/4670
-[#4836]: https://github.com/AdguardTeam/AdGuardHome/issues/4836
 [#4843]: https://github.com/AdguardTeam/AdGuardHome/issues/4843
 
 [ddr-draft]:    https://datatracker.ietf.org/doc/html/draft-ietf-add-ddr-08
@@ -2033,9 +2039,7 @@ In this release, the schema version has changed from 10 to 12.
 [#3558]: https://github.com/AdguardTeam/AdGuardHome/issues/3558
 [#3564]: https://github.com/AdguardTeam/AdGuardHome/issues/3564
 [#3567]: https://github.com/AdguardTeam/AdGuardHome/issues/3567
-[#3568]: https://github.com/AdguardTeam/AdGuardHome/issues/3568
 [#3579]: https://github.com/AdguardTeam/AdGuardHome/issues/3579
-[#3607]: https://github.com/AdguardTeam/AdGuardHome/issues/3607
 [#3638]: https://github.com/AdguardTeam/AdGuardHome/issues/3638
 [#3655]: https://github.com/AdguardTeam/AdGuardHome/issues/3655
 [#3707]: https://github.com/AdguardTeam/AdGuardHome/issues/3707
diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml
index d4efb97b..7ee86906 100644
--- a/bamboo-specs/release.yaml
+++ b/bamboo-specs/release.yaml
@@ -7,7 +7,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.0'
+    'dockerGo': 'adguard/golang-ubuntu:7.1'
 
 'stages':
   - 'Build frontend':
@@ -272,7 +272,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:7.1'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
   - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -287,4 +287,4 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:7.1'
diff --git a/bamboo-specs/snapcraft.yaml b/bamboo-specs/snapcraft.yaml
index 7d8c5f38..20df25bd 100644
--- a/bamboo-specs/snapcraft.yaml
+++ b/bamboo-specs/snapcraft.yaml
@@ -10,7 +10,7 @@
 # Make sure to sync any changes with the branch overrides below.
 'variables':
     'channel': 'edge'
-    'dockerGo': 'adguard/golang-ubuntu:7.0'
+    'dockerGo': 'adguard/golang-ubuntu:7.1'
     'snapcraftChannel': 'edge'
 
 'stages':
@@ -191,7 +191,7 @@
         # need to build a few of these.
         'variables':
             'channel': 'beta'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:7.1'
             'snapcraftChannel': 'beta'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
@@ -207,5 +207,5 @@
         # are the ones that actually get released.
         'variables':
             'channel': 'release'
-            'dockerGo': 'adguard/golang-ubuntu:7.0'
+            'dockerGo': 'adguard/golang-ubuntu:7.1'
             'snapcraftChannel': 'candidate'
diff --git a/bamboo-specs/test.yaml b/bamboo-specs/test.yaml
index 405e397e..33cad20c 100644
--- a/bamboo-specs/test.yaml
+++ b/bamboo-specs/test.yaml
@@ -5,7 +5,7 @@
     'key': 'AHBRTSPECS'
     'name': 'AdGuard Home - Build and run tests'
 'variables':
-    'dockerGo': 'adguard/golang-ubuntu:7.0'
+    'dockerGo': 'adguard/golang-ubuntu:7.1'
 
 'stages':
   - 'Tests':
diff --git a/internal/tools/go.mod b/internal/tools/go.mod
index eacbbbf2..5c1b3dec 100644
--- a/internal/tools/go.mod
+++ b/internal/tools/go.mod
@@ -9,8 +9,10 @@ require (
 	github.com/kisielk/errcheck v1.6.3
 	github.com/kyoh86/looppointer v0.2.1
 	github.com/securego/gosec/v2 v2.17.0
-	github.com/uudashr/gocognit v1.0.7
-	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846
+	// TODO(a.garipov): Return to latest once the release is tagged
+	// correctly.  See uudashr/gocognit#31.
+	github.com/uudashr/gocognit v1.0.8-0.20230906062305-bc9ca12659bf
+	golang.org/x/tools v0.13.0
 	golang.org/x/vuln v1.0.1
 	honnef.co/go/tools v0.4.5
 	mvdan.cc/gofumpt v0.5.0
@@ -26,9 +28,9 @@ require (
 	github.com/kyoh86/nolint v0.0.1 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20230817173708-d852ddb80c63 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.11.0 // indirect
+	golang.org/x/sys v0.12.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/internal/tools/go.sum b/internal/tools/go.sum
index b45a5f88..e3f2edd1 100644
--- a/internal/tools/go.sum
+++ b/internal/tools/go.sum
@@ -36,8 +36,8 @@ github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjR
 github.com/securego/gosec/v2 v2.17.0 h1:ZpAStTDKY39insEG9OH6kV3IkhQZPTq9a9eGOLOjcdI=
 github.com/securego/gosec/v2 v2.17.0/go.mod h1:lt+mgC91VSmriVoJLentrMkRCYs+HLTBnUFUBuhV2hc=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/uudashr/gocognit v1.0.7 h1:e9aFXgKgUJrQ5+bs61zBigmj7bFJ/5cC6HmMahVzuDo=
-github.com/uudashr/gocognit v1.0.7/go.mod h1:nAIUuVBnYU7pcninia3BHOvQkpQCeO76Uscky5BOwcY=
+github.com/uudashr/gocognit v1.0.8-0.20230906062305-bc9ca12659bf h1:LA5CHw6L5BvI0RjqvBYa9+3hXAL2rhuAJPtS5rS2a2k=
+github.com/uudashr/gocognit v1.0.8-0.20230906062305-bc9ca12659bf/go.mod h1:nAIUuVBnYU7pcninia3BHOvQkpQCeO76Uscky5BOwcY=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -49,8 +49,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
 golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
-golang.org/x/exp/typeparams v0.0.0-20230817173708-d852ddb80c63 h1:XkcpbHJE31bhdecT6qfUGtB7MCIKA8Vb9uGOyX/T364=
-golang.org/x/exp/typeparams v0.0.0-20230817173708-d852ddb80c63/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
+golang.org/x/exp/typeparams v0.0.0-20230905200255-921286631fa9 h1:j3D9DvWRpUfIyFfDPws7LoIZ2MAI1OJHdQXtTnYtN+k=
+golang.org/x/exp/typeparams v0.0.0-20230905200255-921286631fa9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
@@ -63,7 +63,7 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -79,8 +79,8 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220702020025-31831981b65f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -93,8 +93,8 @@ golang.org/x/tools v0.0.0-20201007032633-0806396f153e/go.mod h1:z6u4i615ZeAfBE4X
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
-golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 h1:Vve/L0v7CXXuxUmaMGIEK/dEeq7uiqb5qBgQrZzIE7E=
-golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/vuln v1.0.1 h1:KUas02EjQK5LTuIx1OylBQdKKZ9jeugs+HiqO5HormU=
 golang.org/x/vuln v1.0.1/go.mod h1:bb2hMwln/tqxg32BNY4CcxHWtHXuYa3SbIBmtsyjxtM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/scripts/make/go-lint.sh b/scripts/make/go-lint.sh
index f08fcd47..ae230d15 100644
--- a/scripts/make/go-lint.sh
+++ b/scripts/make/go-lint.sh
@@ -35,7 +35,7 @@ set -f -u
 go_version="$( "${GO:-go}" version )"
 readonly go_version
 
-go_min_version='go1.20.7'
+go_min_version='go1.20.8'
 go_version_msg="
 warning: your go version (${go_version}) is different from the recommended minimal one (${go_min_version}).
 if you have the version installed, please set the GO environment variable.
@@ -171,48 +171,60 @@ run_linter govulncheck ./...
 run_linter gocyclo --over 10 .
 
 # TODO(a.garipov): Enable 10 for all.
-#
-# TODO(a.garipov): Redo once https://github.com/uudashr/gocognit/issues/22 is
-# fixed.
-gocognit_paths="\
-./internal/aghnet/   20
-./internal/querylog/ 20
-./internal/dnsforward/  19
-./internal/home/        19
-./internal/aghtls/ 18
-./internal/filtering          17
-./internal/filtering/rewrite/ 17
-./internal/aghos/ 15
-./internal/dhcpd/ 15
-./internal/updater/ 12
-./internal/aghtest/ 11
-./internal/aghalg/               10
-./internal/aghchan/              10
-./internal/aghhttp/              10
-./internal/aghio/                10
-./internal/aghrenameio/          10
-./internal/arpdb/                10
-./internal/client/               10
-./internal/confmigrate/          10
-./internal/dhcpsvc               10
-./internal/filtering/hashprefix/ 10
-./internal/filtering/rulelist/   10
-./internal/filtering/safesearch/ 10
-./internal/next/                 10
-./internal/rdns/                 10
-./internal/schedule/             10
-./internal/stats/                10
-./internal/tools/                10
-./internal/version/              10
-./internal/whois/                10
-./scripts/                       10"
+run_linter gocognit --over='20'\
+	./internal/querylog/\
+	;
 
-readonly gocognit_paths
+run_linter gocognit --over='19'\
+	./internal/home/\
+	;
 
-echo "$gocognit_paths" | while read -r path max
-do
-	run_linter gocognit --over="$max" "$path"
-done
+run_linter gocognit --over='18'\
+	./internal/aghtls/\
+	;
+
+run_linter gocognit --over='15'\
+	./internal/aghos/\
+	./internal/dnsforward/\
+	./internal/filtering/\
+	;
+
+run_linter gocognit --over='14'\
+	./internal/dhcpd\
+	;
+
+run_linter gocognit --over='13'\
+	./internal/aghnet/\
+	;
+
+run_linter gocognit --over='12'\
+	./internal/updater/\
+	./internal/filtering/rewrite/\
+	;
+
+run_linter gocognit --over='10'\
+	./internal/aghalg/\
+	./internal/aghchan/\
+	./internal/aghhttp/\
+	./internal/aghio/\
+	./internal/aghrenameio/\
+	./internal/aghtest/\
+	./internal/arpdb/\
+	./internal/client/\
+	./internal/confmigrate/\
+	./internal/dhcpsvc\
+	./internal/filtering/hashprefix/\
+	./internal/filtering/rulelist/\
+	./internal/filtering/safesearch/\
+	./internal/next/\
+	./internal/rdns/\
+	./internal/schedule/\
+	./internal/stats/\
+	./internal/tools/\
+	./internal/version/\
+	./internal/whois/\
+	./scripts/\
+	;
 
 run_linter ineffassign ./...
 
@@ -232,28 +244,31 @@ run_linter -e shadow --strict ./...
 
 # TODO(a.garipov): Enable for all.
 run_linter gosec --quiet\
-	./internal/aghalg\
-	./internal/aghchan\
-	./internal/aghhttp\
-	./internal/aghio\
-	./internal/aghnet\
-	./internal/aghos\
+	./internal/aghalg/\
+	./internal/aghchan/\
+	./internal/aghhttp/\
+	./internal/aghio/\
+	./internal/aghnet/\
+	./internal/aghos/\
 	./internal/aghrenameio/\
-	./internal/aghtest\
-	./internal/client\
-	./internal/confmigrate\
-	./internal/dhcpd\
-	./internal/dhcpsvc\
-	./internal/dnsforward\
+	./internal/aghtest/\
+	./internal/arpdb/\
+	./internal/client/\
+	./internal/confmigrate/\
+	./internal/dhcpd/\
+	./internal/dhcpsvc/\
+	./internal/dnsforward/\
 	./internal/filtering/hashprefix/\
+	./internal/filtering/rewrite/\
 	./internal/filtering/rulelist/\
-	./internal/next\
-	./internal/rdns\
-	./internal/schedule\
-	./internal/stats\
-	./internal/tools\
-	./internal/version\
-	./internal/whois\
+	./internal/filtering/safesearch/\
+	./internal/next/\
+	./internal/rdns/\
+	./internal/schedule/\
+	./internal/stats/\
+	./internal/tools/\
+	./internal/version/\
+	./internal/whois/\
 	;
 
 run_linter errcheck ./...