ci(gosec): suppress G117 and G704 false positives

Signed-off-by: DCjanus <[email protected]>

Author: DCjanus

alter_user_scram_credentials_request.go

@@ -28,7 +28,7 @@ type AlterUserScramCredentialsUpsert struct {
 
 	// This field is never transmitted over the wire
 	// @see: https://tools.ietf.org/html/rfc5802
-	Password []byte
+	Password []byte // #nosec G117 -- SCRAM API requires this exported field name; value is not marshaled or logged.
 }
 
 func (r *AlterUserScramCredentialsRequest) encode(pe packetEncoder) error {

config.go

@@ -95,7 +95,7 @@ type Config struct {
 			// SASL/PLAIN or SASL/SCRAM authentication
 			User string
 			// Password for SASL/PLAIN authentication
-			Password string
+			Password string // #nosec G117 -- public SASL config schema; callers set this credential explicitly.
 			// authz id used for SASL/SCRAM authentication
 			SCRAMAuthzID string
 			// SCRAMClientGeneratorFunc is a generator of a user provided implementation of a SCRAM

gssapi_kerberos.go

@@ -37,7 +37,7 @@ type GSSAPIConfig struct {
 	KerberosConfigPath string
 	ServiceName        string
 	Username           string
-	Password           string
+	Password           string // #nosec G117 -- required by GSSAPI auth config and intentionally user-provided.
 	Realm              string
 	DisablePAFXFAST    bool
 	BuildSpn           BuildSpnFunc

internal/toxiproxy/client.go

@@ -55,7 +55,7 @@ func (c *Client) Proxy(name string) (*Proxy, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed to make proxy request: %w", err)
 	}
-	resp, err := c.httpClient.Do(req)
+	resp, err := c.httpClient.Do(req) // #nosec G704 -- toxiproxy endpoint is controlled test infrastructure.
 	if err != nil {
 		return nil, fmt.Errorf("failed to http get proxy: %w", err)
 	}
@@ -80,7 +80,7 @@ func (c *Client) ResetState() error {
 	if err != nil {
 		return fmt.Errorf("failed to make reset request: %w", err)
 	}
-	resp, err := c.httpClient.Do(req)
+	resp, err := c.httpClient.Do(req) // #nosec G704 -- toxiproxy endpoint is controlled test infrastructure.
 	if err != nil {
 		return fmt.Errorf("failed to http post reset: %w", err)
 	}

internal/toxiproxy/proxy.go

@@ -44,7 +44,7 @@ func (p *Proxy) AddToxic(
 		return nil, fmt.Errorf("failed to make post toxic request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
-	resp, err := c.httpClient.Do(req)
+	resp, err := c.httpClient.Do(req) // #nosec G704 -- toxiproxy endpoint is controlled test infrastructure.
 	if err != nil {
 		return nil, fmt.Errorf("failed to http post toxic: %w", err)
 	}
@@ -83,7 +83,7 @@ func (p *Proxy) Save() (*Proxy, error) {
 		return nil, fmt.Errorf("failed to make post proxy request: %w", err)
 	}
 	req.Header.Set("Content-Type", "application/json")
-	resp, err := c.httpClient.Do(req)
+	resp, err := c.httpClient.Do(req) // #nosec G704 -- toxiproxy endpoint is controlled test infrastructure.
 	if err != nil {
 		return nil, fmt.Errorf("failed to http post proxy: %w", err)
 	}
@@ -98,7 +98,7 @@ func (p *Proxy) Save() (*Proxy, error) {
 			return nil, fmt.Errorf("failed to make post proxy request: %w", err)
 		}
 		req.Header.Set("Content-Type", "application/json")
-		resp, err = c.httpClient.Do(req)
+		resp, err = c.httpClient.Do(req) // #nosec G704 -- toxiproxy endpoint is controlled test infrastructure.
 		if err != nil {
 			return nil, fmt.Errorf("failed to http post proxy: %w", err)
 		}