Fix G402 reports with latest gosec version

Ref: securego/gosec#1044 (comment)

Break up transport setup so that the `InsecureSkipVerify` is a single line, so
that their latest changes can find the ignore statement at the exact statement
level to be properly ignored.

Refactor test code to only have the test client setup once.

pkg/image/options.go

@@ -52,18 +52,10 @@ func GetOptions(ctx context.Context, imageName name.Reference, insecure bool, do
 	options = append(options, remote.WithContext(ctx))
 
 	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = &tls.Config{MinVersion: tls.VersionTLS12}
 
-	if insecure {
-		// #nosec:G402 explicitly requested by user to use insecure registry
-		transport.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: true,
-		}
-	} else {
-		transport.TLSClientConfig = &tls.Config{
-			InsecureSkipVerify: false,
-			MinVersion:         tls.VersionTLS12,
-		}
-	}
+	// #nosec:G402 explicitly requested by user to potentially use insecure registry if set
+	transport.TLSClientConfig.InsecureSkipVerify = insecure
 
 	// find a Docker config.json
 	if dockerConfigJSONPath != "" {

test/utils/v1alpha1/webhook.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/shipwright-io/build/pkg/webhook/conversion"
+	"github.com/shipwright-io/build/test/utils"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}

test/utils/v1beta1/webhook.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"github.com/shipwright-io/build/pkg/webhook/conversion"
+	"github.com/shipwright-io/build/test/utils"
 
 	"github.com/onsi/ginkgo/v2"
 	"github.com/onsi/gomega"
@@ -51,20 +52,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +70,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := utils.TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}

test/utils/webhook.go

@@ -16,6 +16,24 @@ import (
 	"github.com/onsi/gomega"
 )
 
+func TestClient() *http.Client {
+	transport := &http.Transport{
+		IdleConnTimeout:       5 * time.Second,
+		ResponseHeaderTimeout: 5 * time.Second,
+		TLSHandshakeTimeout:   5 * time.Second,
+		TLSClientConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		},
+	}
+
+	// #nosec:G402 test code
+	transport.TLSClientConfig.InsecureSkipVerify = true
+
+	return &http.Client{
+		Transport: transport,
+	}
+}
+
 func StartBuildWebhook() *http.Server {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/convert", conversion.CRDConvertHandler(context.Background()))
@@ -51,20 +69,8 @@ func StartBuildWebhook() *http.Server {
 		}
 	}()
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}
@@ -81,20 +87,8 @@ func StopBuildWebhook(webhookServer *http.Server) {
 	err := webhookServer.Close()
 	gomega.Expect(err).ToNot(gomega.HaveOccurred())
 
-	client := &http.Client{
-		Transport: &http.Transport{
-			IdleConnTimeout:       5 * time.Second,
-			ResponseHeaderTimeout: 5 * time.Second,
-			// #nosec:G402 test code
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
-			TLSHandshakeTimeout: 5 * time.Second,
-		},
-	}
-
 	gomega.Eventually(func() int {
-		r, err := client.Get("https://localhost:30443/health")
+		r, err := TestClient().Get("https://localhost:30443/health")
 		if err != nil {
 			return 0
 		}