
Fix gosec complaints in libnetwork

These were purposefully ignored before but this goes ahead and "fixes"
most of them.
Note that none of the things gosec flagged are problematic, just
quieting the linter here.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Brian Goff преди 4 години
родител
ревизия
116f200737

+ 1 - 1
libnetwork/cmd/diagnostic/main.go

@@ -117,7 +117,7 @@ func fetchNodePeers(ip string, port int, network string) map[string]string {
 		path = fmt.Sprintf(clusterPeers, ip, port)
 	}
 
-	resp, err := http.Get(path) // nolint:gosec
+	resp, err := http.Get(path) //nolint:gosec // G107: Potential HTTP request made with variable url
 	if err != nil {
 		logrus.WithError(err).Fatalf("Failed fetching path")
 	}
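Review bot: The suppression comment on `http.Get(path)` repeats gosec's G107 message but does not record why a variable URL is acceptable here, which is what the next reader of a `nolint` needs. If `ip` and `port` come only from the operator's command line, as a diagnostic client suggests, say so: `//nolint:gosec // G107: URL is built from operator-supplied ip/port, not from remote input`. Separately, `http.Get` goes through `http.DefaultClient`, which has no timeout, so an unresponsive node could hang the tool; a client with an explicit `Timeout` would avoid that. The body of fetchNodePeers starts and continues outside the hunk.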

+ 2 - 1
libnetwork/drivers/bridge/setup_verify.go

@@ -39,8 +39,9 @@ func setupVerifyAndReconcile(config *networkConfiguration, i *bridgeInterface) e
 
 	// Release any residual IPv6 address that might be there because of older daemon instances
 	for _, addrv6 := range addrsv6 {
+		addrv6 := addrv6
 		if addrv6.IP.IsGlobalUnicast() && !types.CompareIPNet(addrv6.IPNet, i.bridgeIPv6) {
-			if err := i.nlh.AddrDel(i.Link, &addrv6); err != nil { // nolint:gosec
+			if err := i.nlh.AddrDel(i.Link, &addrv6); err != nil {
 				logrus.Warnf("Failed to remove residual IPv6 address %s from bridge: %v", addrv6.IPNet, err)
 			}
 		}
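Review bot: The added `addrv6 := addrv6` carries no comment, so it reads as a redundant shadow and is easy to delete in a later cleanup, which would bring the gosec finding back. A short trailer such as `addrv6 := addrv6 // per-iteration copy; &addrv6 is passed to AddrDel (gosec G601)` records the intent. The same applies to `sp := sp` and `sa := sa` in drivers/overlay/encryption.go and to `pEntry := pEntry` in drivers/overlay/peerdb.go. The loop and the enclosing function both continue outside the hunk.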

+ 4 - 2
libnetwork/drivers/overlay/encryption.go

@@ -628,8 +628,9 @@ func clearEncryptionStates() {
 		logrus.Warnf("Failed to retrieve SA list for cleanup: %v", err)
 	}
 	for _, sp := range spList {
+		sp := sp
 		if sp.Mark != nil && sp.Mark.Value == spMark.Value {
-			if err := nlh.XfrmPolicyDel(&sp); err != nil { // nolint:gosec
+			if err := nlh.XfrmPolicyDel(&sp); err != nil {
 				logrus.Warnf("Failed to delete stale SP %s: %v", sp, err)
 				continue
 			}
@@ -637,8 +638,9 @@ func clearEncryptionStates() {
 		}
 	}
 	for _, sa := range saList {
+		sa := sa
 		if sa.Reqid == r {
-			if err := nlh.XfrmStateDel(&sa); err != nil { // nolint:gosec
+			if err := nlh.XfrmStateDel(&sa); err != nil {
 				logrus.Warnf("Failed to delete stale SA %s: %v", sa, err)
 				continue
 			}

+ 2 - 1
libnetwork/drivers/overlay/peerdb.go

@@ -131,10 +131,11 @@ func (d *driver) peerDbNetworkWalk(nid string, f func(*peerKey, *peerEntry) bool
 
 	for pKeyStr, pEntry := range mp {
 		var pKey peerKey
+		pEntry := pEntry
 		if _, err := fmt.Sscan(pKeyStr, &pKey); err != nil {
 			logrus.Warnf("Peer key scan on network %s failed: %v", nid, err)
 		}
-		if f(&pKey, &pEntry) { // nolint:gosec
+		if f(&pKey, &pEntry) {
 			return nil
 		}
 	}
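Review bot: When `fmt.Sscan(pKeyStr, &pKey)` fails, the loop only logs a warning and still calls `f(&pKey, &pEntry)` with a zero or partially filled `pKey`, so the walker callback can act on a peer key that was never parsed. Unless callers rely on seeing every map entry, add `continue` after the `logrus.Warnf` call. The new `pEntry := pEntry` would also read better directly above the `f(...)` call that takes its address, rather than between the `pKey` declaration and the scan. The function starts and ends outside the hunk.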

+ 2 - 1
libnetwork/endpoint_info.go

@@ -448,7 +448,8 @@ func (epj *endpointJoinInfo) UnmarshalJSON(b []byte) error {
 	}
 	var StaticRoutes []*types.StaticRoute
 	for _, r := range tStaticRoute {
-		StaticRoutes = append(StaticRoutes, &r) // nolint:gosec
+		r := r
+		StaticRoutes = append(StaticRoutes, &r)
 	}
 	epj.StaticRoutes = StaticRoutes
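Review bot: Unlike the other loop-variable copies in this commit, the pointer taken in this loop is retained: before `r := r`, every element appended to `StaticRoutes` was the address of the single range variable (per-loop semantics before Go 1.22), so all entries would end up pointing at the last decoded route. That makes this hunk a behaviour fix rather than linter quieting, which the commit description does not reflect. A comment such as `r := r // each entry needs its own copy; the pointer is stored in StaticRoutes` and a test that unmarshals two distinct static routes would keep it from regressing. UnmarshalJSON starts and ends outside the hunk.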
 

+ 1 - 1
libnetwork/networkdb/cluster.go

@@ -244,7 +244,7 @@ func (nDB *NetworkDB) clusterLeave() error {
 
 func (nDB *NetworkDB) triggerFunc(stagger time.Duration, C <-chan time.Time, f func()) {
 	// Use a random stagger to avoid synchronizing
-	randStagger := time.Duration(uint64(rnd.Int63()) % uint64(stagger)) // nolint:gosec
+	randStagger := time.Duration(uint64(rnd.Int63()) % uint64(stagger)) //nolint:gosec // gosec complains about the use of rand here. It should be fine.
 	select {
 	case <-time.After(randStagger):
 	case <-nDB.ctx.Done():
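Review bot: `uint64(rnd.Int63()) % uint64(stagger)` panics with an integer divide by zero when `stagger` is 0, and a negative `stagger` converts to a very large modulus; nothing visible in triggerFunc guards against either. If any caller can pass a configurable interval, compute the jitter only when `stagger > 0` and otherwise leave `randStagger` at zero. The suppression text "It should be fine" would also be more useful as a reason, e.g. `//nolint:gosec // G404: scheduling jitter only, not security-sensitive`. The function continues past the end of the hunk.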

+ 1 - 1
libnetwork/resolver.go

@@ -214,7 +214,7 @@ func setCommonFlags(msg *dns.Msg) {
 
 func shuffleAddr(addr []net.IP) []net.IP {
 	for i := len(addr) - 1; i > 0; i-- {
-		r := rand.Intn(i + 1) // nolint:gosec
+		r := rand.Intn(i + 1) // nolint:gosec // gosec complains about the use of rand here. It should be fine.
 		addr[i], addr[r] = addr[r], addr[i]
 	}
 	return addr
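Review bot: The new comment on `rand.Intn(i + 1)` still uses `// nolint:gosec` with a space, while the other directives touched by this commit move to the machine-readable `//nolint:gosec` form; make this one consistent. The reason text can also state why math/rand is acceptable here: the shuffle only varies the order of the returned addresses and is not a security decision. For example: `//nolint:gosec // G404: address-order shuffle, no cryptographic randomness needed`.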

+ 1 - 1
libnetwork/resolver_unix.go

@@ -49,7 +49,7 @@ func reexecSetupResolver() {
 		logrus.Errorf("failed get network namespace %q: %v", os.Args[1], err)
 		os.Exit(2)
 	}
-	defer f.Close() // nolint:gosec
+	defer f.Close() //nolint:gosec
 
 	nsFD := f.Fd()
 	if err = netns.Set(netns.NsHandle(nsFD)); err != nil {
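Review bot: `defer f.Close() //nolint:gosec` is left as a bare suppression with no rule or reason, unlike the other directives this commit annotates. If `f` is a namespace handle opened only to obtain its descriptor, as the `netns.Set(netns.NsHandle(nsFD))` call suggests, something like `//nolint:gosec // Close error on a read-only netns handle is not actionable` would do; confirm how `f` is opened, since that line is outside the hunk. The same bare form is left on `defer f.Close()` in writePortsToFile in service_linux.go.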

+ 1 - 1
libnetwork/sandbox_dns_unix.go

@@ -322,7 +322,7 @@ func (sb *sandbox) updateDNS(ipv6Enabled bool) error {
 	if err != nil {
 		return err
 	}
-	err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) // nolint:gosec
+	err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) //nolint:gosec // gosec complains about perms here, which must be 0644 in this case
 	if err != nil {
 		return err
 	}

+ 2 - 2
libnetwork/service_linux.go

@@ -378,7 +378,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 		}
 
 		path := filepath.Join("/proc/sys/net/ipv4/conf", oifName, "route_localnet")
-		if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { // nolint:gosec
+		if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { //nolint:gosec // gosec complains about perms here, which must be 0644 in this case
 			return fmt.Errorf("could not write to %s: %v", path, err)
 		}
 
@@ -542,7 +542,7 @@ func writePortsToFile(ports []*PortConfig) (string, error) {
 	if err != nil {
 		return "", err
 	}
-	defer f.Close() // nolint:gosec
+	defer f.Close() //nolint:gosec
 
 	buf, _ := proto.Marshal(&EndpointRecord{
 		IngressPorts: ports,
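Review bot: In writePortsToFile, `buf, _ := proto.Marshal(...)` discards the marshal error, and the deferred `f.Close()` discards the close error on a file this function presumably writes, so a failed encode or flush could return a path to an empty or truncated file with a nil error. Return the marshal error (`buf, err := proto.Marshal(...)` followed by `if err != nil { return "", err }`) and, if the write goes through `f`, check `Close` explicitly instead of deferring it unchecked. In the programIngress hunk, the reason "perms here, which must be 0644" does not fit a `/proc/sys` entry: the mode passed to `ioutil.WriteFile` only applies when the file is created, and the comment should say that instead. Both functions continue outside their hunks.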