chore: fix dependabot alerts (#4048)

* chore: fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: fix dependabot alerts

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: fix golangci-lint findings from CI

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: fix golangci-lint gosec warnings

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: update code to use slices package and address gosec linting issues

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* build: fix makefile target

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: update tests to use context in HTTP requests and add gosec annotations

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: update tests to use context in HTTP requests

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: update tests to use context in HTTP requests

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: update tests to use context in HTTP requests

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: update tests to use context in HTTP requests

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: bump zui version

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: update test helpers and improve security settings in tests

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

* chore: add gosec linting directive for test path construction

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

---------

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>

pkg/storage/gc/gc_test.go

@@ -2200,7 +2200,7 @@ func TestGarbageCollectAndRetentionNoMetaDB(t *testing.T) {
 
 							continue
 						}
-						So(repo, ShouldEqual, expectedRepos[i])
+						So(repo, ShouldEqual, expectedRepos[i]) //nolint:gosec // guarded by i < len(expectedRepos)
 
 						processedRepos[repo] = struct{}{}
 

pkg/storage/gcs/gcs_test.go

@@ -135,8 +135,14 @@ func newHTTPSProxyServer(target string) (*httpsProxyServer, error) {
 			targetURL += "?" + r.URL.RawQuery
 		}
 
-		// Create request to target
-		req, err := http.NewRequestWithContext(r.Context(), r.Method, targetURL, r.Body)
+		// Create request to target.
+		//nolint:gosec // proxy target is local test server
+		req, err := http.NewRequestWithContext(
+			r.Context(),
+			r.Method,
+			targetURL,
+			r.Body,
+		)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 
@@ -154,7 +160,7 @@ func newHTTPSProxyServer(target string) (*httpsProxyServer, error) {
 
 		// Make request
 		client := &http.Client{Timeout: 30 * time.Second}
-		resp, err := client.Do(req)
+		resp, err := client.Do(req) //nolint:gosec // request is sent to local test server
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusBadGateway)
 
@@ -204,12 +210,9 @@ func newHTTPSProxyServer(target string) (*httpsProxyServer, error) {
 }
 
 func (p *httpsProxyServer) Start() {
-	p.wg.Add(1) //nolint:modernize // standard sync.WaitGroup usage
-
-	go func() {
-		defer p.wg.Done()
+	p.wg.Go(func() {
 		_ = p.server.Serve(p.listener)
-	}()
+	})
 }
 
 func (p *httpsProxyServer) Stop() {
@@ -377,7 +380,13 @@ func createObjectsStore(rootDir string, cacheDir string, dedupe bool) (
 
 	url := strings.TrimSuffix(endpoint, "/") + "/storage/v1/b?project=test-project"
 	body := fmt.Sprintf(`{"name": "%s"}`, bucket)
-	req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, url, strings.NewReader(body))
+	//nolint:gosec // URL points to gcsmock endpoint in tests
+	req, err := http.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost,
+		url,
+		strings.NewReader(body),
+	)
 	if err != nil {
 		return nil, nil, err
 	}

pkg/storage/s3/s3_test.go

@@ -1202,12 +1202,20 @@ func TestS3Dedupe(t *testing.T) {
 		Convey("Check backward compatibility - switch dedupe to false", func() {
 			/* copy cache to the new storage with dedupe false (doing this because we
 			already have a cache object holding the lock on cache db file) */
-			input, err := os.ReadFile(path.Join(tdir, storageConstants.BoltdbName+storageConstants.DBExtensionName))
+			//nolint:gosec // test path is tempdir-scoped
+			input, err := os.ReadFile(path.Join(
+				tdir,
+				storageConstants.BoltdbName+storageConstants.DBExtensionName,
+			))
 			So(err, ShouldBeNil)
 
 			tdir = t.TempDir()
 
-			err = os.WriteFile(path.Join(tdir, storageConstants.BoltdbName+storageConstants.DBExtensionName), input, 0o600)
+			//nolint:gosec // test path is tempdir-scoped
+			err = os.WriteFile(path.Join(
+				tdir,
+				storageConstants.BoltdbName+storageConstants.DBExtensionName,
+			), input, 0o600)
 			So(err, ShouldBeNil)
 
 			storeDriver, imgStore, _ := createObjectsStore(testDir, tdir, false)
@@ -3626,7 +3634,11 @@ func TestS3DedupeErr(t *testing.T) {
 
 		tdir = t.TempDir()
 
-		err = os.WriteFile(path.Join(tdir, storageConstants.BoltdbName+storageConstants.DBExtensionName), input, 0o600)
+		//nolint:gosec // test path is tempdir-scoped
+		err = os.WriteFile(path.Join(
+			tdir,
+			storageConstants.BoltdbName+storageConstants.DBExtensionName,
+		), input, 0o600)
 		So(err, ShouldBeNil)
 
 		imgStore = createMockStorage(testDir, tdir, true, &mocks.StorageDriverMock{
@@ -3674,7 +3686,11 @@ func TestS3DedupeErr(t *testing.T) {
 
 		tdir = t.TempDir()
 
-		err = os.WriteFile(path.Join(tdir, storageConstants.BoltdbName+storageConstants.DBExtensionName), input, 0o600)
+		//nolint:gosec // test path is tempdir-scoped
+		err = os.WriteFile(path.Join(
+			tdir,
+			storageConstants.BoltdbName+storageConstants.DBExtensionName,
+		), input, 0o600)
 		So(err, ShouldBeNil)
 
 		imgStore = createMockStorage(testDir, tdir, true, &mocks.StorageDriverMock{