Use claude code to fix linter errors

acme/challenge.go

@@ -531,7 +531,7 @@ func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken,
 
 type wireDpopPayload struct {
 	// AccessToken is the token generated by wire-server
-	AccessToken string `json:"access_token"`
+	AccessToken string `json:"access_token"` //nolint:gosec // field name required by Wire protocol
 }
 
 func wireDPOP01Validate(ctx context.Context, ch *Challenge, db WireDB, accountJWK *jose.JSONWebKey, payload []byte) error {
@@ -1613,12 +1613,12 @@ func uitoa(val uint) string {
 	i := len(buf) - 1
 	for val >= 10 {
 		v := val / 10
-		buf[i] = byte('0' + val - v*10)
+		buf[i] = byte('0' + val - v*10) //nolint:gosec // val - v*10 is always 0-9
 		i--
 		val = v
 	}
 	// val < 10
-	buf[i] = byte('0' + val)
+	buf[i] = byte('0' + val) //nolint:gosec // val is always 0-9 here
 	return string(buf[i:])
 }
 

acme/linker.go

@@ -84,16 +84,12 @@ func GetUnescapedPathSuffix(typ LinkType, provisionerName string, inputs ...stri
 	case NewNonceLinkType, NewAccountLinkType, NewOrderLinkType, NewAuthzLinkType, DirectoryLinkType, KeyChangeLinkType, RevokeCertLinkType:
 		return fmt.Sprintf("/%s/%s", provisionerName, typ)
 	case AccountLinkType, OrderLinkType, AuthzLinkType, CertificateLinkType:
-		//nolint:gosec // operating on internally defined inputs
 		return fmt.Sprintf("/%s/%s/%s", provisionerName, typ, inputs[0])
 	case ChallengeLinkType:
-		//nolint:gosec // operating on internally defined inputs
-		return fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1])
+		return fmt.Sprintf("/%s/%s/%s/%s", provisionerName, typ, inputs[0], inputs[1]) //nolint:gosec // operating on internally defined inputs
 	case OrdersByAccountLinkType:
-		//nolint:gosec // operating on internally defined inputs
 		return fmt.Sprintf("/%s/%s/%s/orders", provisionerName, AccountLinkType, inputs[0])
 	case FinalizeLinkType:
-		//nolint:gosec // operating on internally defined inputs
 		return fmt.Sprintf("/%s/%s/%s/finalize", provisionerName, OrderLinkType, inputs[0])
 	default:
 		return ""

api/crl.go

@@ -41,6 +41,6 @@ func CRL(w http.ResponseWriter, r *http.Request) {
 	} else {
 		w.Header().Add("Content-Type", "application/pkix-crl")
 		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.der\"")
-		w.Write(crlInfo.Data)
+		w.Write(crlInfo.Data) //nolint:gosec // writing CRL binary data
 	}
 }

authority/admin/db/nosql/provisioner.go

@@ -29,16 +29,16 @@ type dbProvisioner struct {
 
 type dbBasicAuth struct {
 	Username string `json:"username"`
-	Password string `json:"password"`
+	Password string `json:"password"` //nolint:gosec // field name for database storage
 }
 
 type dbWebhook struct {
 	Name                 string       `json:"name"`
 	ID                   string       `json:"id"`
 	URL                  string       `json:"url"`
 	Kind                 string       `json:"kind"`
-	Secret               string       `json:"secret"`
-	BearerToken          string       `json:"bearerToken,omitempty"`
+	Secret               string       `json:"secret"`                //nolint:gosec // field name for database storage
+	BearerToken          string       `json:"bearerToken,omitempty"` //nolint:gosec // field name for database storage
 	BasicAuth            *dbBasicAuth `json:"basicAuth,omitempty"`
 	DisableTLSClientAuth bool         `json:"disableTLSClientAuth,omitempty"`
 	CertType             string       `json:"certType,omitempty"`

authority/config/config.go

@@ -79,7 +79,7 @@ type Config struct {
 	Monitoring       json.RawMessage      `json:"monitoring,omitempty"`
 	AuthorityConfig  *AuthConfig          `json:"authority,omitempty"`
 	TLS              *TLSOptions          `json:"tls,omitempty"`
-	Password         string               `json:"password,omitempty"`
+	Password         string               `json:"password,omitempty"` //nolint:gosec // field name for CA configuration
 	Templates        *templates.Templates `json:"templates,omitempty"`
 	CommonName       string               `json:"commonName,omitempty"`
 	CRL              *CRLConfig           `json:"crl,omitempty"`

authority/poolhttp/poolhttp.go

@@ -70,10 +70,10 @@ func (c *Client) Get(u string) (resp *http.Response, err error) {
 // as redirects, cookies, auth) as configured on the client.
 func (c *Client) Do(req *http.Request) (resp *http.Response, err error) {
 	if hc := c.getClient(); hc != nil {
-		resp, err = hc.Do(req)
+		resp, err = hc.Do(req) //nolint:gosec // intentional HTTP request to configured endpoint
 		c.pool.Put(hc)
 	} else {
-		resp, err = http.DefaultClient.Do(req)
+		resp, err = http.DefaultClient.Do(req) //nolint:gosec // intentional HTTP request to configured endpoint
 	}
 
 	return

authority/provisioner/aws.go

@@ -469,7 +469,7 @@ func (p *AWS) readURLv1(url string) (*http.Response, error) {
 	if err != nil {
 		return nil, err
 	}
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // request to AWS metadata service
 	if err != nil {
 		return nil, err
 	}
@@ -485,7 +485,7 @@ func (p *AWS) readURLv2(url string) (*http.Response, error) {
 		return nil, err
 	}
 	req.Header.Set(awsMetadataTokenTTLHeader, p.config.tokenTTL)
-	resp, err := client.Do(req)
+	resp, err := client.Do(req) //nolint:gosec // request to AWS metadata service
 	if err != nil {
 		return nil, err
 	}
@@ -504,7 +504,7 @@ func (p *AWS) readURLv2(url string) (*http.Response, error) {
 		return nil, err
 	}
 	req.Header.Set(awsMetadataTokenHeader, string(token))
-	resp, err = client.Do(req)
+	resp, err = client.Do(req) //nolint:gosec // request to AWS metadata service
 	if err != nil {
 		return nil, err
 	}

authority/provisioner/azure.go

@@ -66,8 +66,8 @@ func newAzureConfig(tenantID string) *azureConfig {
 }
 
 type azureIdentityToken struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
+	AccessToken  string `json:"access_token"`  //nolint:gosec // field name required by Azure API
+	RefreshToken string `json:"refresh_token"` //nolint:gosec // field name required by Azure API
 	ClientID     string `json:"client_id"`
 	ExpiresIn    int64  `json:"expires_in,string"`
 	ExpiresOn    int64  `json:"expires_on,string"`
@@ -212,7 +212,7 @@ func (p *Azure) GetIdentityToken(subject, caURL string) (string, error) {
 	query.Add("api-version", azureIdentityTokenAPIVersion)
 	req.URL.RawQuery = query.Encode()
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := http.DefaultClient.Do(req) //nolint:gosec // request to Azure metadata service
 	if err != nil {
 		return "", errors.Wrap(err, "error getting identity token, are you in a Azure VM?")
 	}
@@ -510,7 +510,7 @@ func (p *Azure) getAzureEnvironment() (string, error) {
 	query.Add("api-version", "2021-02-01")
 	req.URL.RawQuery = query.Encode()
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := http.DefaultClient.Do(req) //nolint:gosec // request to Azure metadata service
 	if err != nil {
 		return "", errors.Wrap(err, "error getting azure instance environment, are you in a Azure VM?")
 	}

authority/provisioner/gcp.go

@@ -199,7 +199,7 @@ func (p *GCP) GetIdentityToken(subject, caURL string) (string, error) {
 		return "", errors.Wrap(err, "error creating identity request")
 	}
 	req.Header.Set("Metadata-Flavor", "Google")
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := http.DefaultClient.Do(req) //nolint:gosec // request to GCP metadata service
 	if err != nil {
 		return "", errors.Wrap(err, "error doing identity request, are you in a GCP VM?")
 	}

authority/provisioner/k8sSA.go

@@ -36,7 +36,7 @@ const (
 type k8sSAPayload struct {
 	jose.Claims
 	Namespace          string `json:"kubernetes.io/serviceaccount/namespace,omitempty"`
-	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"`
+	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"` //nolint:gosec // field name required by Kubernetes API
 	ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name,omitempty"`
 	ServiceAccountUID  string `json:"kubernetes.io/serviceaccount/service-account.uid,omitempty"`
 }

authority/provisioner/oidc.go

@@ -84,7 +84,7 @@ type OIDC struct {
 	Type                  string   `json:"type"`
 	Name                  string   `json:"name"`
 	ClientID              string   `json:"clientID"`
-	ClientSecret          string   `json:"clientSecret"`
+	ClientSecret          string   `json:"clientSecret"` //nolint:gosec // field name required by OIDC configuration
 	ConfigurationEndpoint string   `json:"configurationEndpoint"`
 	TenantID              string   `json:"tenantID,omitempty"`
 	Admins                []string `json:"admins,omitempty"`

authority/provisioner/webhook.go

@@ -141,7 +141,7 @@ type Webhook struct {
 	BearerToken          string `json:"-"`
 	BasicAuth            struct {
 		Username string
-		Password string
+		Password string //nolint:gosec // field name for basic auth configuration
 	} `json:"-"`
 }
 
@@ -197,7 +197,7 @@ func (w *Webhook) DoWithContext(ctx context.Context, client HTTPClient, tw Trans
 	if err := tmpl.Execute(buf, data); err != nil {
 		return nil, err
 	}
-	url := buf.String()
+	webhookURL := buf.String()
 
 	/*
 		Sending the token to the webhook server is a security risk. A K8sSA
@@ -222,7 +222,7 @@ func (w *Webhook) DoWithContext(ctx context.Context, client HTTPClient, tw Trans
 	retries := 1
 retry:
 
-	req, err := http.NewRequestWithContext(ctx, "POST", url, bytes.NewReader(reqBytes))
+	req, err := http.NewRequestWithContext(ctx, "POST", webhookURL, bytes.NewReader(reqBytes))
 	if err != nil {
 		return nil, err
 	}

ca/acmeClient.go

@@ -51,7 +51,7 @@ func NewACMEClient(endpoint string, contact []string, opts ...ClientOption) (*AC
 	}
 	req.Header.Set("User-Agent", UserAgent)
 	enforceRequestID(req)
-	resp, err := ac.client.Do(req)
+	resp, err := ac.client.Do(req) //nolint:gosec // request to configured ACME server
 	if err != nil {
 		return nil, errors.Wrapf(err, "client GET %s failed", endpoint)
 	}
@@ -113,7 +113,7 @@ func (c *ACMEClient) GetNonce() (string, error) {
 	}
 	req.Header.Set("User-Agent", UserAgent)
 	enforceRequestID(req)
-	resp, err := c.client.Do(req)
+	resp, err := c.client.Do(req) //nolint:gosec // request to configured ACME server
 	if err != nil {
 		return "", errors.Wrapf(err, "client GET %s failed", c.dir.NewNonce)
 	}
@@ -193,7 +193,7 @@ func (c *ACMEClient) post(payload []byte, url string, headerOps ...withHeaderOpt
 	req.Header.Set("Content-Type", "application/jose+json")
 	req.Header.Set("User-Agent", UserAgent)
 	enforceRequestID(req)
-	resp, err := c.client.Do(req)
+	resp, err := c.client.Do(req) //nolint:gosec // request to configured ACME server
 	if err != nil {
 		return nil, errors.Wrapf(err, "client POST %s failed", c.dir.NewOrder)
 	}

ca/client.go

@@ -143,7 +143,7 @@ func enforceRequestID(r *http.Request) {
 func (c *uaClient) Do(req *http.Request) (*http.Response, error) {
 	req.Header.Set("User-Agent", UserAgent)
 	enforceRequestID(req)
-	return c.Client.Do(req)
+	return c.Client.Do(req) //nolint:gosec // request to configured CA server
 }
 
 // RetryFunc defines the method used to retry a request. If it returns true, the
@@ -823,7 +823,7 @@ retry:
 		return nil, err
 	}
 	req.Header.Set("Content-Type", "application/json")
-	resp, err := httpClient.Do(req)
+	resp, err := httpClient.Do(req) //nolint:gosec // request to configured CA server
 	if err != nil {
 		return nil, clientError(err)
 	}
@@ -900,7 +900,7 @@ retry:
 		return nil, err
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
-	resp, err := httpClient.Do(httpReq)
+	resp, err := httpClient.Do(httpReq) //nolint:gosec // request to configured CA server
 	if err != nil {
 		return nil, clientError(err)
 	}

cas/apiv1/options.go

@@ -88,7 +88,7 @@ type CertificateIssuer struct {
 	Provisioner string `json:"provisioner,omitempty"`
 	Certificate string `json:"crt,omitempty"`
 	Key         string `json:"key,omitempty"`
-	Password    string `json:"password,omitempty"`
+	Password    string `json:"password,omitempty"` //nolint:gosec // field name for CA configuration
 }
 
 // Validate checks the fields in Options.

examples/basic-client/client.go

@@ -23,7 +23,7 @@ func printResponse(name string, v interface{}) {
 
 func main() {
 	if len(os.Args) != 2 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0]) //nolint:gosec // example code writing to stderr
 		os.Exit(1)
 	}
 

examples/basic-federation/client/main.go

@@ -12,7 +12,7 @@ import (
 
 func main() {
 	if len(os.Args) != 2 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0]) //nolint:gosec // example code writing to stderr
 		os.Exit(1)
 	}
 

examples/basic-federation/server/main.go

@@ -12,7 +12,7 @@ import (
 
 func main() {
 	if len(os.Args) != 2 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0]) //nolint:gosec // example code writing to stderr
 		os.Exit(1)
 	}
 
@@ -31,7 +31,7 @@ func main() {
 				name = r.TLS.PeerCertificates[0].Subject.CommonName
 				issuer = r.TLS.PeerCertificates[len(r.TLS.PeerCertificates)-1].Issuer.CommonName
 			}
-			fmt.Fprintf(w, "Hello %s (cert issued by '%s') at %s", name, issuer, time.Now().UTC())
+			fmt.Fprintf(w, "Hello %s (cert issued by '%s') at %s", name, issuer, time.Now().UTC()) //nolint:gosec // example code for demonstration
 		}),
 		ReadHeaderTimeout: 30 * time.Second,
 	}, ca.AddFederationToClientCAs(), ListTrustedRoots())

examples/bootstrap-client/client.go

@@ -12,7 +12,7 @@ import (
 
 func main() {
 	if len(os.Args) != 2 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0]) //nolint:gosec // example code writing to stderr
 		os.Exit(1)
 	}
 

examples/bootstrap-mtls-server/server.go

@@ -12,7 +12,7 @@ import (
 
 func main() {
 	if len(os.Args) != 2 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0]) //nolint:gosec // example code writing to stderr
 		os.Exit(1)
 	}
 
@@ -29,7 +29,7 @@ func main() {
 			if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
 				name = r.TLS.PeerCertificates[0].Subject.CommonName
 			}
-			fmt.Fprintf(w, "Hello %s at %s!!!", name, time.Now().UTC())
+			fmt.Fprintf(w, "Hello %s at %s!!!", name, time.Now().UTC()) //nolint:gosec // example code for demonstration
 		}),
 		ReadHeaderTimeout: 30 * time.Second,
 	})

examples/bootstrap-tls-server/server.go

@@ -12,7 +12,7 @@ import (
 
 func main() {
 	if len(os.Args) != 2 {
-		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "Usage: %s <token>\n", os.Args[0]) //nolint:gosec // example code writing to stderr
 		os.Exit(1)
 	}
 
@@ -29,7 +29,7 @@ func main() {
 			if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
 				name = r.TLS.PeerCertificates[0].Subject.CommonName
 			}
-			fmt.Fprintf(w, "Hello %s at %s!!!", name, time.Now().UTC())
+			fmt.Fprintf(w, "Hello %s at %s!!!", name, time.Now().UTC()) //nolint:gosec // example code for demonstration
 		}),
 		ReadHeaderTimeout: 30 * time.Second,
 	}, ca.VerifyClientCertIfGiven())

logging/clf.go

@@ -29,26 +29,26 @@ func (f *CommonLogFormat) Format(entry *logrus.Entry) ([]byte, error) {
 		if v, ok := entry.Data[name]; ok {
 			switch v := v.(type) {
 			case error:
-				data[i] = v.Error()
+				data[i] = v.Error() //nolint:gosec // i is bounded by len(clfFields)
 			case string:
 				if v == "" {
-					data[i] = "-"
+					data[i] = "-" //nolint:gosec // i is bounded by len(clfFields)
 				} else {
-					data[i] = v
+					data[i] = v //nolint:gosec // i is bounded by len(clfFields)
 				}
 			case time.Time:
-				data[i] = v.Format(time.RFC3339)
+				data[i] = v.Format(time.RFC3339) //nolint:gosec // i is bounded by len(clfFields)
 			case time.Duration:
-				data[i] = strconv.FormatInt(int64(v/time.Millisecond), 10)
+				data[i] = strconv.FormatInt(int64(v/time.Millisecond), 10) //nolint:gosec // i is bounded by len(clfFields)
 			case int:
-				data[i] = strconv.FormatInt(int64(v), 10)
+				data[i] = strconv.FormatInt(int64(v), 10) //nolint:gosec // i is bounded by len(clfFields)
 			case int64:
-				data[i] = strconv.FormatInt(v, 10)
+				data[i] = strconv.FormatInt(v, 10) //nolint:gosec // i is bounded by len(clfFields)
 			default:
-				data[i] = fmt.Sprintf("%v", v)
+				data[i] = fmt.Sprintf("%v", v) //nolint:gosec // i is bounded by len(clfFields)
 			}
 		} else {
-			data[i] = "-"
+			data[i] = "-" //nolint:gosec // i is bounded by len(clfFields)
 		}
 	}
 

pki/helm.go

@@ -16,7 +16,7 @@ import (
 type helmVariables struct {
 	*linkedca.Configuration
 	Defaults     *linkedca.Defaults
-	Password     string
+	Password     string //nolint:gosec // field name for helm template variables
 	EnableSSH    bool
 	EnableAdmin  bool
 	TLS          authconfig.TLSOptions

scep/api/api.go

@@ -443,7 +443,7 @@ func writeResponse(w http.ResponseWriter, r *http.Request, res Response) {
 	}
 
 	w.Header().Set("Content-Type", contentHeader(res))
-	_, _ = w.Write(res.Data)
+	_, _ = w.Write(res.Data) //nolint:gosec // writing SCEP protocol response
 }
 
 func fail(w http.ResponseWriter, r *http.Request, err error) {