fix: simplify NOSONAR comment format for SonarCloud

leifj · leifj · commit 741d4958a396 · 2026-02-24T12:58:03.000+01:00
diff --git a/pkg/didcomm/crypto/jwe.go b/pkg/didcomm/crypto/jwe.go
@@ -491,7 +491,7 @@ func encryptA256CBCHS512(plaintext, cek, aad []byte) (ciphertext, tag, iv []byte
 
 	ciphertext = make([]byte, len(padded))
 	//nolint:gosec // RFC 7518 A256CBC-HS512 requires CBC mode - this is authenticated encryption with HMAC-SHA-512
-	mode := cipher.NewCBCEncrypter(block, iv) //NOSONAR go:S5542
+	mode := cipher.NewCBCEncrypter(block, iv) //NOSONAR
 	mode.CryptBlocks(ciphertext, padded)
 
 	// Compute HMAC-SHA-512 tag
@@ -634,7 +634,7 @@ func wrapKeyAES(cek, wrappingKey []byte) ([]byte, error) {
 			copy(b[:8], a)
 			copy(b[8:], r[i])
 			//nolint:gosec // RFC 3394 AES Key Wrap - this is a key-wrapping primitive with integrity check
-			block.Encrypt(b, b) //NOSONAR go:S5542
+			block.Encrypt(b, b) //NOSONAR
 
 			// A = MSB(64, B) ^ t where t = (n*j)+i
 			t := uint64(n*j + i)
@@ -945,7 +945,7 @@ func decryptA256CBCHS512(ctx context.Context, msg *EncryptedMessage, header *JWE
 	}
 
 	//nolint:gosec // RFC 7518 A256CBC-HS512 - HMAC authentication verified above before decryption
-	mode := cipher.NewCBCDecrypter(block, iv) //NOSONAR go:S5542
+	mode := cipher.NewCBCDecrypter(block, iv) //NOSONAR
 	plaintext := make([]byte, len(ciphertext))
 	mode.CryptBlocks(plaintext, ciphertext)
 
@@ -1125,7 +1125,7 @@ func unwrapKeyAES(wrappedKey, wrappingKey []byte) ([]byte, error) {
 			copy(b[:8], a)
 			copy(b[8:], r[i])
 			//nolint:gosec // RFC 3394 AES Key Unwrap - integrity check validates after unwrap
-			block.Decrypt(b, b) //NOSONAR go:S5542
+			block.Decrypt(b, b) //NOSONAR
 
 			// A = MSB(64, B)
 			copy(a, b[:8])
diff --git a/pkg/pki/keymaterial_signer.go b/pkg/pki/keymaterial_signer.go
@@ -73,7 +73,7 @@ func (s *KeyMaterialSigner) SignDigest(ctx context.Context, digest []byte) ([]by
 		// widely used in JWT RS256/RS384/RS512. It's distinct from RSA-PKCS1v15 encryption
 		// which has known vulnerabilities. The signature scheme is secure.
 		hash := getHashForAlgorithm(s.km.SigningMethod.Alg())
-		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec // NOSONAR go:S5542 - This is signature, not encryption
+		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec //NOSONAR
 	default:
 		return nil, fmt.Errorf("unsupported key type: %T", s.km.PrivateKey)
 	}
diff --git a/pkg/pki/software.go b/pkg/pki/software.go
@@ -79,7 +79,7 @@ func (s *SoftwareSigner) SignDigest(ctx context.Context, digest []byte) ([]byte,
 		// widely used in JWT RS256/RS384/RS512. It's distinct from RSA-PKCS1v15 encryption
 		// which has known vulnerabilities. The signature scheme is secure.
 		hash := getHashForAlgorithm(s.algorithm)
-		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec // NOSONAR go:S5542 - This is signature, not encryption
+		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec //NOSONAR
 	case *ecdsa.PrivateKey:
 		// Sign the digest directly using ECDSA
 		r, sigS, err := ecdsa.Sign(rand.Reader, key, digest)

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ func (s *KeyMaterialSigner) SignDigest(ctx context.Context, digest []byte) ([]by`
`73`	`73`	`// widely used in JWT RS256/RS384/RS512. It's distinct from RSA-PKCS1v15 encryption`
`74`	`74`	`// which has known vulnerabilities. The signature scheme is secure.`
`75`	`75`	`hash := getHashForAlgorithm(s.km.SigningMethod.Alg())`
`76`		`- return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec // NOSONAR go:S5542 - This is signature, not encryption`
	`76`	`+ return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec //NOSONAR`
`77`	`77`	`default:`
`78`	`78`	`return nil, fmt.Errorf("unsupported key type: %T", s.km.PrivateKey)`
`79`	`79`	`}`