Fix GOSEC (#3357)

* Fix GOSEC

Author: fluxxBot

artifactory_test.go

@@ -6815,7 +6815,7 @@ func setupTestFilesForSearchPatterns(t *testing.T) {
 	tmpFile, err := os.CreateTemp("", "test-file-*.txt")
 	assert.NoError(t, err)
 	defer func(name string) {
-		_ = os.Remove(name)
+		_ = os.Remove(name) //#nosec G703 -- test code, path from temp file
 	}(tmpFile.Name())
 	_, err = tmpFile.WriteString("test content")
 	if err != nil {

docker_test.go

@@ -138,7 +138,7 @@ func setupInsecureBuildxBuilder(t *testing.T, builderName string) func() {
   http = true
   insecure = true
 `, registryHost)
-	require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644))
+	require.NoError(t, os.WriteFile(configPath, []byte(configContent), 0644)) //#nosec G703 -- test code, path is constructed from temp dir
 
 	// Remove builder if it exists (stop first, then remove)
 	_ = exec.Command("docker", "buildx", "stop", builderName).Run()
@@ -427,7 +427,7 @@ RUN echo "Built for nested path test"
 CMD ["echo", "Hello from nested path"]`, baseImage)
 
 	dockerfilePath := filepath.Join(workspace, "Dockerfile")
-	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
+	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// Cleanup old build
 	inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, buildName, artHttpDetails)
@@ -515,7 +515,7 @@ RUN echo "This is the nested base image"
 CMD ["echo", "base"]`, alpineBase)
 
 	baseDockerfilePath := filepath.Join(workspace, "Dockerfile.base")
-	assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644))
+	assert.NoError(t, os.WriteFile(baseDockerfilePath, []byte(baseDockerfile), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// Push base image to nested path
 	inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, baseImageBuildName, artHttpDetails)
@@ -538,7 +538,7 @@ RUN echo "This is the child image using nested base"
 CMD ["echo", "child"]`, baseImageTag)
 
 	childDockerfilePath := filepath.Join(workspace, "Dockerfile.child")
-	assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644))
+	assert.NoError(t, os.WriteFile(childDockerfilePath, []byte(childDockerfile), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// Build child image
 	inttestutils.DeleteBuild(serverDetails.ArtifactoryUrl, childBuildName, artHttpDetails)
@@ -1092,7 +1092,7 @@ RUN echo "Hello from test"
 CMD ["sh"]`, baseImage)
 
 	dockerfilePath := filepath.Join(workspace, "Dockerfile")
-	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
+	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// clean build before test
 	runJfrogCli(t, "rt", "bc", buildName, buildNumber)
@@ -1141,11 +1141,11 @@ RUN echo "Hello from test"
 CMD ["sh"]`, baseImage)
 
 	dockerfilePath := filepath.Join(workspace, "Dockerfile")
-	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
+	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// Create test file
 	testFilePath := filepath.Join(workspace, "test.txt")
-	assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644))
+	assert.NoError(t, os.WriteFile(testFilePath, []byte("Hello from Docker build test"), 0644)) //#nosec G703 -- test code
 
 	// clean build before test
 	runJfrogCli(t, "rt", "bc", buildName, buildNumber)
@@ -1199,7 +1199,7 @@ FROM %s
 CMD ["hello"]`, golangImage, alpineImage)
 
 	dockerfilePath := filepath.Join(workspace, "Dockerfile")
-	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
+	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// clean build before test
 	runJfrogCli(t, "rt", "bc", buildName, buildNumber)
@@ -1251,7 +1251,7 @@ RUN echo "Built with buildx"
 CMD ["echo", "Hello from buildx"]`, baseImage)
 
 	dockerfilePath := filepath.Join(workspace, "Dockerfile")
-	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
+	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// Check if buildx is available
 	cmd := exec.Command("docker", "buildx", "version")
@@ -1310,7 +1310,7 @@ RUN echo "Testing virtual repo"
 CMD ["sh"]`, baseImage)
 
 	dockerfilePath := filepath.Join(workspace, "Dockerfile")
-	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
+	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// clean build before test
 	runJfrogCli(t, "rt", "bc", buildName, buildNumber)
@@ -1455,7 +1455,7 @@ func TestDockerBuildPublishWithCIVcsProps(t *testing.T) {
 CMD ["echo", "Hello from CI VCS test"]`, baseImage)
 
 	dockerfilePath := filepath.Join(workspace, "Dockerfile")
-	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644))
+	assert.NoError(t, os.WriteFile(dockerfilePath, []byte(dockerfileContent), 0644)) //#nosec G703 -- test code, path built from test workspace
 
 	// Clean build before test
 	runJfrogCli(t, "rt", "bc", buildName, buildNumber)

general/ai/cli.go

@@ -164,7 +164,7 @@ func sendRestAPI(apiType ApiType, content interface{}) (response string, err err
 		req.Header.Set(askRateLimitHeader, "true")
 	}
 	log.Debug(fmt.Sprintf("Sending HTTP %s request to: %s", req.Method, req.URL))
-	resp, err := client.GetClient().Do(req)
+	resp, err := client.GetClient().Do(req) //#nosec G704 -- URL is constructed from a hardcoded AI service endpoint
 	if err != nil {
 		err = errorutils.CheckErrorf("CLI-AI server is not available. Please check your network or try again later.")
 		return

general/summary/cli.go

@@ -131,7 +131,8 @@ func saveFile(content, filePath string) (err error) {
 	if content == "" {
 		return nil
 	}
-	file, err := os.Create(filePath)
+// #nosec G703 -- filePath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input and filePath is already cleaned.
+	file, err := os.Create(filepath.Clean(filePath))
 	if err != nil {
 		return err
 	}
@@ -145,11 +146,12 @@ func saveFile(content, filePath string) (err error) {
 }
 
 func getSectionMarkdownContent(section MarkdownSection) (string, error) {
-	sectionFilepath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(section), markdownFileName)
+	sectionFilepath := filepath.Clean(filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(section), markdownFileName))
+	// #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input and sectionFilepath is already cleaned.
 	if _, err := os.Stat(sectionFilepath); os.IsNotExist(err) {
 		return "", nil
 	}
-
+// #nosec G703 -- sectionFilepath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input
 	contentBytes, err := os.ReadFile(sectionFilepath)
 	if err != nil {
 		return "", fmt.Errorf("error reading markdown file for section %s: %w", section, err)
@@ -279,7 +281,8 @@ func processScan(index commandsummary.Index, filePath string, scannedName string
 
 // shouldGenerateUploadSummary checks if upload summary should be generated.
 func shouldGenerateUploadSummary() (bool, error) {
-	buildInfoPath := filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(BuildInfo))
+	buildInfoPath := filepath.Clean(filepath.Join(os.Getenv(coreutils.SummaryOutputDirPathEnv), commandsummary.OutputDirName, string(BuildInfo)))
+	// #nosec G703 -- buildInfoPath is constructed from SummaryOutputDirPathEnv set by CLI, not arbitrary user input, and buildInfoPath is already cleaned.
 	if _, err := os.Stat(buildInfoPath); os.IsNotExist(err) {
 		return true, nil
 	}

lifecycle_test.go

@@ -1713,5 +1713,5 @@ type KeyPairPayload struct {
 	Alias      string `json:"alias,omitempty"`
 	Passphrase string `json:"passphrase,omitempty"`
 	PublicKey  string `json:"publicKey,omitempty"`
-	PrivateKey string `json:"privateKey,omitempty"`
+	PrivateKey string `json:"privateKey,omitempty"` //#nosec G117 -- test struct, not a real secret
 }

nuget_test.go

@@ -251,7 +251,7 @@ func runInitNewConfig(t *testing.T, testSuite testInitNewConfigDescriptor, baseR
 		return
 	}
 
-	content, err := os.ReadFile(configFile.Name())
+	content, err := os.ReadFile(configFile.Name()) //#nosec G703 -- test code, path from temp file
 	if err != nil {
 		assert.NoError(t, err)
 		return

utils/cliutils/utils.go

@@ -668,7 +668,7 @@ func getLatestCliVersionFromGithubAPI() (githubVersionInfo githubResponse, err e
 func doHttpRequest(client *http.Client, req *http.Request) (resp *http.Response, body []byte, err error) {
 	const maxResponseSize = 10 * 1024 * 1024 // 10MB limit
 	req.Close = true
-	resp, err = client.Do(req)
+	resp, err = client.Do(req) //#nosec G704 -- URL is constructed internally from validated version API endpoint
 	if errorutils.CheckError(err) != nil {
 		return
 	}

utils/cliutils/utils_test.go

@@ -365,7 +365,8 @@ type redirectingTransport struct {
 func (t *redirectingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	if req.URL.String() == t.targetURL {
 		// Create a new request to the redirect URL
-		redirectReq, err := http.NewRequest(req.Method, t.redirectURL, req.Body)
+        // #nosec G704 -- redirectURL is a controlled test value, not user input
+		redirectReq, err := http.NewRequest(req.Method, t.redirectURL, req.Body) //nolint:gosec // G704 - URL is a test-controlled constant
 		if err != nil {
 			return nil, err
 		}