Fix G402 reports with latest gosec version

Ref: securego/gosec#1044 (comment)

Break up transport setup so that the `InsecureSkipVerify` is a single line, so
that their latest changes can find the ignore statement at the exact statement
level to be properly ignored.

Refactor test code to only have the test client setup once.

pkg/image/options.go

@@ -52,17 +52,15 @@ func GetOptions(ctx context.Context, imageName name.Reference, insecure bool, do
 	options = append(options, remote.WithContext(ctx))
 
 	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = &tls.Config{
+		MinVersion:         tls.VersionTLS12,
+		InsecureSkipVerify: false,
+	}
 
 	if insecure {
-		// #nosec:G402 explicitly requested by user to use insecure registry
-		transport.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: true,
-		}
-	} else {
-		transport.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: false,
-			MinVersion:         tls.VersionTLS12,
-		}
+		// #nosec:G402 insecure is explicitly requested by user, make sure to skip verification and reset empty defaults
+		transport.TLSClientConfig.InsecureSkipVerify = insecure
+		transport.TLSClientConfig.MinVersion = 0
 	}
 
 	// find a Docker config.json

test/utils/v1alpha1/webhook.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/shipwright-io/build/pkg/webhook/conversion"
+	"github.com/shipwright-io/build/test/utils"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}

test/utils/v1beta1/webhook.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/shipwright-io/build/pkg/webhook/conversion"
+	"github.com/shipwright-io/build/test/utils"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}

test/utils/webhook.go

@@ -16,6 +16,24 @@ import (
 	"github.com/onsi/gomega"
 )
 
+func TestClient() *http.Client {
+	transport := &http.Transport{
+		IdleConnTimeout:       5 * time.Second,
+		ResponseHeaderTimeout: 5 * time.Second,
+		TLSHandshakeTimeout:   5 * time.Second,
+		TLSClientConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		},
+	}
+
+	// #nosec:G402 test code
+	transport.TLSClientConfig.InsecureSkipVerify = true
+
+	return &http.Client{
+		Transport: transport,
+	}
+}
+
 func StartBuildWebhook() *http.Server {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/convert", conversion.CRDConvertHandler(context.Background()))
@@ -51,20 +69,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +87,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}