From 4596605deb3dc0163dd1e150e0b5c8d37628f4d1 Mon Sep 17 00:00:00 2001
From: Matthias Diester
Date: Mon, 23 Oct 2023 11:09:44 +0200
Subject: [PATCH] Fix `G402` reports with latest `gosec` version

Ref: https://github.com/securego/gosec/issues/1044#issuecomment-1764948001

Break up transport setup so that the `InsecureSkipVerify` is a single line, so that their latest changes can find the ignore statement at the exact statement level to be properly ignored.

Refactor test code to only have the test client setup once.
---
 pkg/image/options.go           | 16 ++++++------
 test/utils/v1alpha1/webhook.go | 29 +++------------------
 test/utils/v1beta1/webhook.go  | 29 +++------------------
 test/utils/webhook.go          | 46 +++++++++++++++-------------------
 4 files changed, 33 insertions(+), 87 deletions(-)

diff --git a/pkg/image/options.go b/pkg/image/options.go
index 891cb9ac89..a30a7c2e4a 100644
--- a/pkg/image/options.go
+++ b/pkg/image/options.go
@@ -52,17 +52,15 @@ func GetOptions(ctx context.Context, imageName name.Reference, insecure bool, do
 	options = append(options, remote.WithContext(ctx))
 
 	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = &tls.Config{
+		MinVersion:         tls.VersionTLS12,
+		InsecureSkipVerify: false,
+	}
 
 	if insecure {
-		// #nosec:G402 explicitly requested by user to use insecure registry
-		transport.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: true,
-		}
-	} else {
-		transport.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: false,
-			MinVersion:         tls.VersionTLS12,
-		}
+		// #nosec:G402 insecure is explicitly requested by user, make sure to skip verification and reset empty defaults
+		transport.TLSClientConfig.InsecureSkipVerify = insecure
+		transport.TLSClientConfig.MinVersion = 0
 	}
 
 	// find a Docker config.json
diff --git a/test/utils/v1alpha1/webhook.go b/test/utils/v1alpha1/webhook.go
index 731a7133ed..8d5542a0bf 100644
--- a/test/utils/v1alpha1/webhook.go
+++ b/test/utils/v1alpha1/webhook.go
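Review bot: In the `if insecure` branch, `transport.TLSClientConfig.MinVersion = 0` discards the TLS 1.2 floor that the unconditional config a few lines above just set, so the `insecure` flag now relaxes two things (certificate verification and the protocol floor) while the flag name and the `#nosec` comment describe only one. Unless registries speaking TLS 1.0/1.1 are a known requirement, keep the floor and flip only the verify flag: `transport.TLSClientConfig.InsecureSkipVerify = true`. The assignment `= insecure` sits inside a branch that is only reached when `insecure` is true, so it always writes `true`; spelling it that way states the intent and matches what the annotation excuses. To my knowledge the crypto/tls client default minimum has been TLS 1.2 since Go 1.18, so the reset is probably a no-op on current toolchains, which is one more reason not to carry a line whose effect depends on the Go version. `GetOptions` begins and continues outside this hunk.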
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/shipwright-io/build/pkg/webhook/conversion"
+	"github.com/shipwright-io/build/test/utils"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
diff --git a/test/utils/v1beta1/webhook.go b/test/utils/v1beta1/webhook.go
index 731a7133ed..8d5542a0bf 100644
--- a/test/utils/v1beta1/webhook.go
+++ b/test/utils/v1beta1/webhook.go
@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/shipwright-io/build/pkg/webhook/conversion"
+	"github.com/shipwright-io/build/test/utils"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
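Review bot: `utils.TestClient()` is now called inside the `gomega.Eventually` polling closure of `StartBuildWebhook`, so every poll constructs a fresh `http.Transport` and `http.Client`; none of them can reuse a connection, and each one's idle connections linger until its own 5 s `IdleConnTimeout` fires. Build the client once before polling, `client := utils.TestClient()` above `gomega.Eventually(`, and keep `client.Get("https://localhost:30443/health")` inside the closure. The same pattern is in the `StopBuildWebhook` hunk below, in both hunks of `test/utils/v1beta1/webhook.go`, and in both hunks of `test/utils/webhook.go`. After the client literal is removed, nothing visible in these hunks still references `crypto/tls`; if the server setup elsewhere in the file does not use it, that import has to go as well. Both enclosing functions start before their hunks.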
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
diff --git a/test/utils/webhook.go b/test/utils/webhook.go
index 731a7133ed..19f0d375ca 100644
--- a/test/utils/webhook.go
+++ b/test/utils/webhook.go
@@ -16,6 +16,24 @@ import (
 	"github.com/onsi/gomega"
 )
 
+func TestClient() *http.Client {
+	transport := &http.Transport{
+		IdleConnTimeout:       5 * time.Second,
+		ResponseHeaderTimeout: 5 * time.Second,
+		TLSHandshakeTimeout:   5 * time.Second,
+		TLSClientConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		},
+	}
+
+	// #nosec:G402 test code
+	transport.TLSClientConfig.InsecureSkipVerify = true
+
+	return &http.Client{
+		Transport: transport,
+	}
+}
+
 func StartBuildWebhook() *http.Server {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/convert", conversion.CRDConvertHandler(context.Background()))
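Review bot: `TestClient` in `test/utils/webhook.go` is exported without a doc comment, and it is exactly the kind of helper whose contract should be visible at the call site: it deliberately disables certificate verification, which anyone importing `test/utils` from another package should read before reusing it. Suggest `// TestClient returns an HTTP client for the locally started webhook server; it skips TLS certificate verification and must only be used from test code.` directly above the declaration. Separately, the transport's per-phase timeouts do not bound a whole request, so a `Timeout: 5 * time.Second` on the returned `http.Client` would stop a stalled body read from hanging the `Eventually` polls that use it. Moving the `#nosec:G402` annotation onto the single-line assignment matches what the commit description sets out to do.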
@@ -51,20 +69,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +87,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}