diff --git a/cmd/ooniprobe/internal/config/parser.go b/cmd/ooniprobe/internal/config/parser.go
index c0ddcf58a5..ae762484bd 100644
--- a/cmd/ooniprobe/internal/config/parser.go
+++ b/cmd/ooniprobe/internal/config/parser.go
@@ -14,7 +14,7 @@ const ConfigVersion = 1 // ReadConfig reads the configuration from the path func ReadConfig(path string) (*Config, error) {
- b, err := os.ReadFile(path)
+ b, err := os.ReadFile(path) // #nosec G304 - this is working as intended
 if err != nil { return nil, err }
diff --git a/cmd/ooniprobe/internal/utils/homedir/homedir.go b/cmd/ooniprobe/internal/utils/homedir/homedir.go
index 6ede81be0c..7e3c60a1be 100644
--- a/cmd/ooniprobe/internal/utils/homedir/homedir.go
+++ b/cmd/ooniprobe/internal/utils/homedir/homedir.go
@@ -151,7 +151,7 @@ func dirUnix() (string, error) { var stdout bytes.Buffer // If that fails, try OS specific commands
- cmd := execabs.Command("getent", "passwd", strconv.Itoa(os.Getuid()))
+ cmd := execabs.Command("getent", "passwd", strconv.Itoa(os.Getuid())) // #nosec G204 - this is fine
 cmd.Stdout = &stdout if err := cmd.Run(); err == nil { if passwd := strings.TrimSpace(stdout.String()); passwd != "" {
diff --git a/internal/cmd/e2epostprocess/main.go b/internal/cmd/e2epostprocess/main.go
index 4f857a5a98..75849af226 100644
--- a/internal/cmd/e2epostprocess/main.go
+++ b/internal/cmd/e2epostprocess/main.go
@@ -48,7 +48,7 @@ func main() { } var found int for _, file := range files {
- data, err := os.ReadFile(file)
+ data, err := os.ReadFile(file) // #nosec G304 - this is working as intended
 fatalOnError(err) measurements := bytes.Split(data, []byte("\n")) for _, measurement := range measurements {
@@ -72,7 +72,7 @@ func main() { options = append(options, *entry.Input) } log.Printf("run: go %s", strings.Join(options, " "))
- cmd := execabs.Command("go", options...)
+ cmd := execabs.Command("go", options...) // #nosec G204 - this is working as intended
 cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr err = cmd.Run() fatalOnError(err)
diff --git a/internal/cmd/gardener/internal/testlists/testlists.go b/internal/cmd/gardener/internal/testlists/testlists.go
index 2e61f59895..38baebb74b 100644
--- a/internal/cmd/gardener/internal/testlists/testlists.go
+++ b/internal/cmd/gardener/internal/testlists/testlists.go
@@ -198,7 +198,7 @@ func csvReadAndFilter(filepath string, shouldKeep func(URL string) bool) [][]str // csvWriteBack writes records back to a given file. func csvWriteBack(filename string, records [][]string) {
- filep := runtimex.Try1(os.Create(filename))
+ filep := runtimex.Try1(os.Create(filename)) // #nosec G304 - this is working as intended
 writer := csv.NewWriter(filep) runtimex.Try0(writer.WriteAll(records)) runtimex.Try0(writer.Error())
diff --git a/internal/cmd/ghgen/utils.go b/internal/cmd/ghgen/utils.go
index 39f203b1c7..67dd045a5e 100644
--- a/internal/cmd/ghgen/utils.go
+++ b/internal/cmd/ghgen/utils.go
@@ -152,7 +152,7 @@ func mustClose(c io.Closer) { func generateWorkflowFile(name string, jobs []Job) { filename := filepath.Join(".github", "workflows", name+".yml")
- fp, err := os.Create(filename)
+ fp, err := os.Create(filename) // #nosec G304 - this is working as intended
 runtimex.PanicOnError(err, "os.Create failed") defer mustClose(fp) mustFprintf(fp, "# File generated by `go run ./internal/cmd/ghgen`; DO NOT EDIT.\n")
diff --git a/internal/cmd/miniooni/consent.go b/internal/cmd/miniooni/consent.go
index 3edd8710d5..7c7e3b6d74 100644
--- a/internal/cmd/miniooni/consent.go
+++ b/internal/cmd/miniooni/consent.go
@@ -27,7 +27,7 @@ func acquireUserConsent(miniooniDir string, currentOptions *Options) { // maybeWriteConsentFile writes the consent file iff the yes argument is true func maybeWriteConsentFile(yes bool, filepath string) (err error) { if yes {
- err = os.WriteFile(filepath, []byte("\n"), 0644)
+ err = os.WriteFile(filepath, []byte("\n"), 0600)
 } return }
diff --git a/internal/cmd/miniooni/oonirun.go b/internal/cmd/miniooni/oonirun.go
index ce41e58fc9..366839badb 100644
--- a/internal/cmd/miniooni/oonirun.go
+++ b/internal/cmd/miniooni/oonirun.go
@@ -43,7 +43,7 @@ func ooniRunMain(ctx context.Context, } } for _, filename := range currentOptions.InputFilePaths {
- data, err := os.ReadFile(filename)
+ data, err := os.ReadFile(filename) // #nosec G304 - this is working as intended
 if err != nil { logger.Warnf("oonirun: reading OONI Run v2 descriptor failed: %s", err.Error()) continue
diff --git a/internal/cmd/oonireport/oonireport.go b/internal/cmd/oonireport/oonireport.go
index 37d231cb94..8aa4ae3e72 100644
--- a/internal/cmd/oonireport/oonireport.go
+++ b/internal/cmd/oonireport/oonireport.go
@@ -53,7 +53,7 @@ func fatalIfFalse(cond bool, msg string) { func readLines(path string) []string { // open measurement file
- file, err := os.Open(path)
+ file, err := os.Open(path) // #nosec G304 - this is working as intended
 runtimex.PanicOnError(err, "Open file error.") defer file.Close()
diff --git a/internal/database/actions.go b/internal/database/actions.go
index 984d25904a..2e754ca2bd 100644
--- a/internal/database/actions.go
+++ b/internal/database/actions.go
@@ -112,7 +112,7 @@ func (d *Database) GetMeasurementJSON(msmtID int64) (map[string]interface{}, err return nil, errors.New("cannot access measurement file") } measurementFilePath := measurement.DatabaseMeasurement.MeasurementFilePath.String
- b, err := os.ReadFile(measurementFilePath)
+ b, err := os.ReadFile(measurementFilePath) // #nosec G304 - this is working as intended
 if err != nil { return nil, err }
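Review bot: The `#nosec G304` rationale on the new `os.ReadFile(measurementFilePath)` line says only that it is "working as intended", which does not record why a database-sourced path is safe to open. The hunk shows the path coming from `measurement.DatabaseMeasurement.MeasurementFilePath.String`, so the trust assumption appears to be that the local measurement database is written by the probe itself; the comment should say so, e.g. `// #nosec G304 - path comes from our own local measurement database, not from remote input`. Suppressions that name the trust boundary are much easier to audit later than generic ones. GetMeasurementJSON continues outside the hunk.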
diff --git a/internal/enginenetx/httpsdialer.go b/internal/enginenetx/httpsdialer.go
index 2881bdebcd..9020d310d5 100644
--- a/internal/enginenetx/httpsdialer.go
+++ b/internal/enginenetx/httpsdialer.go
@@ -379,7 +379,7 @@ func (hd *httpsDialer) dialTLS( // create TLS configuration tlsConfig := &tls.Config{
- InsecureSkipVerify: true, // Note: we're going to verify at the end of the func!
+ InsecureSkipVerify: true, // #nosec G402 - we verify at end of func
 NextProtos: []string{"h2", "http/1.1"}, RootCAs: hd.rootCAs, ServerName: tactic.SNI,
diff --git a/internal/experiment/echcheck/handshake.go b/internal/experiment/echcheck/handshake.go
index 011966b81b..05a4e25267 100644
--- a/internal/experiment/echcheck/handshake.go
+++ b/internal/experiment/echcheck/handshake.go
@@ -72,6 +72,6 @@ func genTLSConfig(sni string) *tls.Config { RootCAs: certpool, ServerName: sni, NextProtos: []string{"h2", "http/1.1"},
- InsecureSkipVerify: true,
+ InsecureSkipVerify: true, // #nosec G402 - it's fine to skip verify in a nettest
 } }
diff --git a/internal/experiment/echcheck/utls.go b/internal/experiment/echcheck/utls.go
index 2f5d2b259e..50eb632377 100644
--- a/internal/experiment/echcheck/utls.go
+++ b/internal/experiment/echcheck/utls.go
@@ -37,7 +37,7 @@ func (t *tlsHandshakerWithExtensions) Handshake( runtimex.Assert(err == nil, "unexpected error when creating UTLSConn") if t.extensions != nil && len(t.extensions) != 0 {
- tlsConn.BuildHandshakeState()
+ runtimex.Try0(tlsConn.BuildHandshakeState())
 tlsConn.Extensions = append(tlsConn.Extensions, t.extensions...) }
diff --git a/internal/experiment/ndt7/dial.go b/internal/experiment/ndt7/dial.go
index 578facdd01..864cbaed9b 100644
--- a/internal/experiment/ndt7/dial.go
+++ b/internal/experiment/ndt7/dial.go
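Review bot: The new `#nosec G402` justification, "it's fine to skip verify in a nettest", leaves the reader guessing, and with `InsecureSkipVerify: true` crypto/tls does not consult the `RootCAs: certpool` set three lines above during the handshake, so that field only matters if a VerifyPeerCertificate/VerifyConnection callback outside this hunk performs manual validation. Either state that, e.g. `// #nosec G402 - the experiment records the handshake outcome regardless of certificate validity; RootCAs is consulted only by our manual verification`, or drop certpool if no such verification exists. The same stock wording is used in internal/experiment/tlsmiddlebox/tracing.go, where `RootCAs: nil` means only the wording point applies.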
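Review bot: `runtimex.Try0(tlsConn.BuildHandshakeState())` turns a previously ignored error into a panic inside Handshake, whose signature and return values lie outside the hunk; if the method returns an error, propagating it would fail a single handshake instead of terminating the whole run. This matches the `runtimex.Assert` two lines above, so it may be deliberate, but it is worth confirming that BuildHandshakeState can only fail on programmer error (a bad uTLS spec) and not on peer- or network-dependent state. As a style aside, the guard `t.extensions != nil && len(t.extensions) != 0` reduces to `len(t.extensions) != 0`, since `len` of a nil slice is 0.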
@@ -40,7 +40,7 @@ func (mgr dialManager) dialWithTestName(ctx context.Context, testName string) (* // See https://github.com/ooni/probe/issues/2413 to understand // why we're using nil to force netxlite to use the cached // default Mozilla cert pool.
- tlsConfig := &tls.Config{
+ tlsConfig := &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 RootCAs: nil, } dialer := websocket.Dialer{
diff --git a/internal/experiment/quicping/quic.go b/internal/experiment/quicping/quic.go
index 32d6339421..d0d2892ecf 100644
--- a/internal/experiment/quicping/quic.go
+++ b/internal/experiment/quicping/quic.go
@@ -49,7 +49,7 @@ func buildPacket() ([]byte, connectionID, connectionID) { // generate random payload minPayloadSize := 1200 - 14 - (len(destConnID) + len(srcConnID)) randomPayload := make([]byte, minPayloadSize)
- rand.Read(randomPayload)
+ _ = runtimex.Try1(rand.Read(randomPayload))
 clientSecret, _ := computeSecrets(destConnID) encrypted := encryptPayload(randomPayload, destConnID, clientSecret)
diff --git a/internal/experiment/tlsmiddlebox/tracing.go b/internal/experiment/tlsmiddlebox/tracing.go
index 110c39f586..dd55b40457 100644
--- a/internal/experiment/tlsmiddlebox/tracing.go
+++ b/internal/experiment/tlsmiddlebox/tracing.go
@@ -128,7 +128,7 @@ func genTLSConfig(sni string) *tls.Config { RootCAs: nil, ServerName: sni, NextProtos: []string{"h2", "http/1.1"},
- InsecureSkipVerify: true,
+ InsecureSkipVerify: true, // #nosec G402 - it's fine to skip verify in a nettest
 } }
diff --git a/internal/fsx/fsx.go b/internal/fsx/fsx.go
index 34304ea7fc..ff8c4d50a4 100644
--- a/internal/fsx/fsx.go
+++ b/internal/fsx/fsx.go
@@ -44,7 +44,7 @@ type filesystem struct{} // Open implements fs.FS.Open. func (filesystem) Open(pathname string) (fs.File, error) {
- return os.Open(pathname)
+ return os.Open(pathname) // #nosec G304 - this is working as intended
 } // IsRegular returns whether a file is a regular file.
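Review bot: The justification `we need to use a large TLS versions range for measuring` appears to be copied from the measurement code and does not fit this literal, which only sets `RootCAs: nil` for a websocket dial in what looks like a throughput test rather than a TLS-behaviour measurement. Adding `MinVersion: tls.VersionTLS12,` to the literal (already Go's client default since 1.18) would satisfy G402 without any suppression and document the real intent. If a wider version range is genuinely required for this dialer, the comment should say why. dialWithTestName continues outside the hunk.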
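Review bot: Discarding the byte count with `_ = runtimex.Try1(rand.Read(randomPayload))` is fine, but the very next context line `clientSecret, _ := computeSecrets(destConnID)` still drops its second return value; if that is an error, it deserves the same treatment for consistency. Which `rand` package is imported is not visible in the hunk; for padding that is subsequently encrypted, `crypto/rand` is the expected choice, and the absence of a G404 suppression suggests that is what is in use. buildPacket continues outside the hunk.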
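Review bot: The `#nosec G304` comment on `return os.Open(pathname)` should record what makes the suppression acceptable, because this is the one place in the commit where the file-inclusion rule is most meaningful: `fs.FS.Open` implementations are expected to accept only `fs.ValidPath` names (slash-separated, no leading `/`, no `..`), whereas this adapter passes any OS path straight through. A comment such as `// #nosec G304 - this adapter intentionally exposes the full OS filesystem; callers pass trusted paths` makes the deviation from the fs.FS contract explicit for the next reader.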
diff --git a/internal/legacy/measurex/measurer.go b/internal/legacy/measurex/measurer.go
index 8820f35fb4..7ef50a6a81 100644
--- a/internal/legacy/measurex/measurer.go
+++ b/internal/legacy/measurex/measurer.go
@@ -583,7 +583,7 @@ func (mx *Measurer) httpEndpointGetQUIC(ctx context.Context, // Using a nil cert pool here forces netxlite to use a cached copy of Mozilla's // CA bundle. See https://github.com/ooni/probe/issues/2413 for context. qconn, err := mx.QUICHandshakeWithDB(ctx, db, epnt.Address,
- &tls.Config{ // // #nosec G402 - we need to use a large TLS versions range for measuring
+ &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 ServerName: epnt.SNI, NextProtos: epnt.ALPN, RootCAs: nil,
diff --git a/internal/must/must.go b/internal/must/must.go
index 1ba0e9ff73..dd617ef43d 100644
--- a/internal/must/must.go
+++ b/internal/must/must.go
@@ -20,7 +20,7 @@ import ( // CreateFile is like [os.Create] but calls // [runtimex.PanicOnError] on failure. func CreateFile(name string) *File {
- fp, err := os.Create(name)
+ fp, err := os.Create(name) // #nosec G304 - this is working as intended
 runtimex.PanicOnError(err, "os.Create failed") return &File{fp} }
@@ -28,7 +28,7 @@ func CreateFile(name string) *File { // OpenFile is like [os.Open] but calls // [runtimex.PanicOnError] on failure. func OpenFile(name string) *File {
- fp, err := os.Open(name)
+ fp, err := os.Open(name) // #nosec G304 - this is working as intended
 runtimex.PanicOnError(err, "os.Open failed") return &File{fp} }
@@ -143,7 +143,7 @@ func WriteFile(filename string, content []byte, mode fs.FileMode) { // ReadFile is like [os.ReadFile] but calls // [runtimex.PanicOnError] on failure. func ReadFile(filename string) []byte {
- data, err := os.ReadFile(filename)
+ data, err := os.ReadFile(filename) // #nosec G304 - this is working as intended
 runtimex.PanicOnError(err, "os.ReadFile failed") return data }
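Review bot: Suppressing G304 inside the generic `CreateFile`, `OpenFile` and `ReadFile` wrappers (all three hunks in this file) moves the file-path trust decision to every caller, which gosec no longer inspects because the flagged call now lives behind the helper. The rationale should make that explicit instead of "working as intended", e.g. `// #nosec G304 - generic helper; callers are responsible for the provenance of name`. The `#nosec G204` added to `execabs.Command(argv.P, argv.V...)` in internal/shellx/shellx.go has the same shape and would benefit from the same wording.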
diff --git a/internal/netxlite/internal/gencertifi/main.go b/internal/netxlite/internal/gencertifi/main.go
index a7c9dae102..1218d91a3c 100644
--- a/internal/netxlite/internal/gencertifi/main.go
+++ b/internal/netxlite/internal/gencertifi/main.go
@@ -41,7 +41,7 @@ func main() { } url := os.Args[1]
- resp, err := http.Get(url)
+ resp, err := http.Get(url) // #nosec G107 -- this is working as intended
 if err != nil { log.Fatal(err) }
diff --git a/internal/netxlite/internal/generrno/main.go b/internal/netxlite/internal/generrno/main.go
index cb1fefabfd..3d23b7aeb7 100644
--- a/internal/netxlite/internal/generrno/main.go
+++ b/internal/netxlite/internal/generrno/main.go
@@ -191,7 +191,7 @@ func mapSystemToLibrary(system string) string { } func fileCreate(filename string) *os.File {
- filep, err := os.Create(filename)
+ filep, err := os.Create(filename) // #nosec G304 - this is working as intended
 if err != nil { log.Fatal(err) }
diff --git a/internal/shellx/shellx.go b/internal/shellx/shellx.go
index 08ad3a24eb..5e0c1209a8 100644
--- a/internal/shellx/shellx.go
+++ b/internal/shellx/shellx.go
@@ -128,7 +128,7 @@ func cmd(config *Config, argv *Argv, envp *Envp) *execabs.Cmd { // hence the choice to keep using x/sys/execabs everywhere. // // See for more information.
- cmd := execabs.Command(argv.P, argv.V...)
+ cmd := execabs.Command(argv.P, argv.V...) // #nosec G204 - this is working as intended
 cmd.Env = os.Environ() for _, entry := range envp.V { if config.Logger != nil {
diff --git a/internal/testingx/tlsx.go b/internal/testingx/tlsx.go
index f381c78098..fd7c8f14c8 100644
--- a/internal/testingx/tlsx.go
+++ b/internal/testingx/tlsx.go
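Review bot: `http.Get(url)` uses `http.DefaultClient`, which has no timeout, so a stalled download hangs the generator indefinitely; a client with a deadline, `client := &http.Client{Timeout: 60 * time.Second}` followed by `resp, err := client.Get(url) // #nosec G107 - URL is a CLI argument`, costs one extra line plus a `time` import. The new comment also uses `--` where every other `#nosec` rationale in this commit uses a single `-`. main continues outside the hunk.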
@@ -230,7 +230,7 @@ type tlsHandlerReset struct{} // GetCertificate implements TLSHandler. func (*tlsHandlerReset) GetCertificate(ctx context.Context, tcpConn net.Conn, chi *tls.ClientHelloInfo) (*tls.Certificate, error) { tcpMaybeResetNetConn(tcpConn)
- tcpConn.Close() // just in case to avoid the error returned here to be sent remotely as an alert
+ _ = tcpConn.Close() // just in case to avoid the error returned here to be sent remotely as an alert
 return nil, errors.New("internal error") }
diff --git a/internal/torlogs/torlogs.go b/internal/torlogs/torlogs.go
index 6cd2a2781b..99bc816729 100644
--- a/internal/torlogs/torlogs.go
+++ b/internal/torlogs/torlogs.go
@@ -49,7 +49,7 @@ func ReadBootstrapLogs(logFilePath string) ([]string, error) { if logFilePath == "" { return nil, ErrEmptyLogFilePath }
- data, err := os.ReadFile(logFilePath)
+ data, err := os.ReadFile(logFilePath) // #nosec G304 - this is working as intended
 if err != nil { return nil, fmt.Errorf("%w: %s", ErrCannotReadLogFile, err.Error()) }
diff --git a/internal/tutorial/generator/main.go b/internal/tutorial/generator/main.go
index 6ae7009e22..08bee77d3b 100644
--- a/internal/tutorial/generator/main.go
+++ b/internal/tutorial/generator/main.go
@@ -21,7 +21,7 @@ func writeString(w io.Writer, s string) { // gen1 generates a single file within a chapter. func gen1(destfile io.Writer, filepath string) {
- srcfile, err := os.Open(filepath)
+ srcfile, err := os.Open(filepath) // #nosec G304 - this is working as intended
 if err != nil { log.Fatal(err) }
@@ -67,7 +67,7 @@ func gen1(destfile io.Writer, filepath string) { // gen("./experiment/torsf/chapter01", "main.go") func gen(dirpath string, files ...string) { readme := path.Join(dirpath, "README.md")
- destfile, err := os.Create(path.Join(readme))
+ destfile, err := os.Create(path.Join(readme)) // #nosec G304 - this is working as intended
 if err != nil { log.Fatal(err) }
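Review bot: On the new line `destfile, err := os.Create(path.Join(readme))`, `path.Join` with a single argument only cleans the string, and `readme` was already built with `path.Join` on the line above, so `destfile, err := os.Create(readme) // #nosec G304 - this is working as intended` is equivalent and clearer. `path` is meant for slash-separated paths; `filepath.Join` is the OS-correct choice for filesystem paths, although the gen1 hunk above names its parameter `filepath`, which would shadow that package if it were imported. gen continues outside the hunk.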
diff --git a/internal/tutorial/netxlite/chapter08/README.md b/internal/tutorial/netxlite/chapter08/README.md
index 03fc1954b2..c0b8d27030 100644
--- a/internal/tutorial/netxlite/chapter08/README.md
+++ b/internal/tutorial/netxlite/chapter08/README.md
@@ -44,7 +44,7 @@ func main() { flag.Parse() ctx, cancel := context.WithTimeout(context.Background(), *timeout) defer cancel()
- config := &tls.Config{
+ config := &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 ServerName: *sni, NextProtos: []string{"h3"}, RootCAs: nil,
diff --git a/internal/tutorial/netxlite/chapter08/main.go b/internal/tutorial/netxlite/chapter08/main.go
index 96e3205fb3..59c0b6b020 100644
--- a/internal/tutorial/netxlite/chapter08/main.go
+++ b/internal/tutorial/netxlite/chapter08/main.go
@@ -45,7 +45,7 @@ func main() { flag.Parse() ctx, cancel := context.WithTimeout(context.Background(), *timeout) defer cancel()
- config := &tls.Config{
+ config := &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 ServerName: *sni, NextProtos: []string{"h3"}, RootCAs: nil,
diff --git a/internal/x/dsljavascript/vm.go b/internal/x/dsljavascript/vm.go
index ba63462caa..ba5e50f3db 100644
--- a/internal/x/dsljavascript/vm.go
+++ b/internal/x/dsljavascript/vm.go
@@ -137,7 +137,7 @@ func LoadExperiment(config *VMConfig, exPath string) (*VM, error) { func (vm *VM) RunScript(exPath string) error { // read the file content
- content, err := os.ReadFile(exPath)
+ content, err := os.ReadFile(exPath) // #nosec G304 - this is working as intended
 if err != nil { return err }
diff --git a/internal/x/dslvm/http.go b/internal/x/dslvm/http.go
index d74939c4cd..2f361f7ac2 100644
--- a/internal/x/dslvm/http.go
+++ b/internal/x/dslvm/http.go
@@ -138,7 +138,7 @@ func (sx *HTTPRoundTripStage[T]) roundTrip(ctx context.Context, rtx Runtime, con } func (sx *HTTPRoundTripStage[T]) newHTTPRequest(
- ctx context.Context, conn HTTPConnection, logger model.Logger) (*http.Request, error) {
+ ctx context.Context, conn HTTPConnection, _ model.Logger) (*http.Request, error) {
 // create the default HTTP request URL := &url.URL{ Scheme: conn.Scheme(),
diff --git a/internal/x/dslvm/quic.go b/internal/x/dslvm/quic.go
index ca4af5421a..bdf8bb0e33 100644
--- a/internal/x/dslvm/quic.go
+++ b/internal/x/dslvm/quic.go
@@ -169,7 +169,7 @@ func (sx *QUICHandshakeStage) handshake(ctx context.Context, rtx Runtime, endpoi func (sx *QUICHandshakeStage) newTLSConfig() *tls.Config { return &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring NextProtos: sx.NextProtos,
- InsecureSkipVerify: sx.InsecureSkipVerify,
+ InsecureSkipVerify: sx.InsecureSkipVerify, // #nosec G402 - it's fine to possibly skip verify in a nettest
 RootCAs: sx.RootCAs, ServerName: sx.ServerName, }
diff --git a/internal/x/dslvm/tls.go b/internal/x/dslvm/tls.go
index 99f4deb4f5..f41eab0f19 100644
--- a/internal/x/dslvm/tls.go
+++ b/internal/x/dslvm/tls.go
@@ -164,7 +164,7 @@ func (sx *TLSHandshakeStage) handshake(ctx context.Context, rtx Runtime, tcpConn func (sx *TLSHandshakeStage) newTLSConfig() *tls.Config { return &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring NextProtos: sx.NextProtos,
- InsecureSkipVerify: sx.InsecureSkipVerify,
+ InsecureSkipVerify: sx.InsecureSkipVerify, // #nosec G402 - it's fine to possibly skip verify in a nettest
 RootCAs: sx.RootCAs, ServerName: sx.ServerName, }