chore: start addressing gosec warnings (#1602)

Part of ooni/probe#2722

cmd/ooniprobe/internal/nettests/run.go

@@ -131,7 +131,7 @@ func RunGroup(config RunGroupConfig) error {
 	defer dir.Close()
 	_, err = dir.Readdirnames(1)
 	if err != nil {
-		os.Remove(result.MeasurementDir)
+		_ = os.Remove(result.MeasurementDir)
 	}
 	if err = db.Finished(result); err != nil {
 		return err

internal/cmd/gardener/internal/dnsfix/dnsfix.go

@@ -46,7 +46,7 @@ func (s *Subcommand) Main() {
 
 	// walk through each entry
 	for _, entry := range entries {
-		bar.Add(1)
+		_ = bar.Add(1)
 		s.processEntry(entry)
 	}
 }

internal/cmd/gardener/internal/dnsreport/dnsreport.go

@@ -220,7 +220,7 @@ func (s *Subcommand) measureEntries(ctx context.Context, db *sql.DB, entries []*
 
 	// walk through each entry until we're interrupted by the context
 	for idx := 0; idx < len(entries) && ctx.Err() == nil; idx++ {
-		bar.Add(1)
+		_ = bar.Add(1)
 		s.measureSingleEntry(db, entries[idx])
 	}
 }

internal/cmd/gardener/internal/testlists/testlists.go

@@ -146,7 +146,7 @@ func emit(filepath string, all []*Entry, och chan<- *Entry) {
 		progressbar.OptionSetWriter(os.Stdout),
 	)
 	for _, entry := range all {
-		bar.Add(1)
+		_ = bar.Add(1)
 		och <- entry
 	}
 }

internal/cmd/ghgen/utils.go

@@ -171,7 +171,7 @@ func generateWorkflowFile(name string, jobs []Job) {
 	mustFprintf(fp, "\n")
 	mustFprintf(fp, "jobs:\n")
 	for _, job := range jobs {
-		job.Action(fp, &job)
+		job.Action(fp, &job) // #nosec G601 -- job.Action is synchronous and does not retain job
 	}
 	mustFprintf(fp, "# End of autogenerated file\n")
 }

internal/cmd/miniooni/main.go

@@ -372,7 +372,7 @@ func mainSingleIteration(logger model.Logger, experimentName string, currentOpti
 
 	sess := newSessionOrPanic(ctx, currentOptions, miniooniDir, logger)
 	defer func() {
-		sess.Close()
+		_ = sess.Close()
 		log.Infof("whole session: recv %s, sent %s",
 			humanize.SI(sess.KibiBytesReceived()*1024, "byte"),
 			humanize.SI(sess.KibiBytesSent()*1024, "byte"),

internal/cmd/oohelperd/main.go

@@ -60,7 +60,7 @@ func shutdown(srv *http.Server, wg *sync.WaitGroup) {
 	defer wg.Done()
 	ctx, cancel := context.WithTimeout(context.Background(), 45*time.Second)
 	defer cancel()
-	srv.Shutdown(ctx)
+	_ = srv.Shutdown(ctx)
 }
 
 func main() {

internal/cmd/ooporthelper/main.go

@@ -27,7 +27,7 @@ func init() {
 
 func shutdown(ctx context.Context, l net.Listener) {
 	<-ctx.Done()
-	l.Close()
+	_ = l.Close()
 }
 
 // TODO(DecFox): Add the ability of an echo service to generate some traffic

internal/cmd/tinyjafar/main.go

@@ -153,7 +153,7 @@ func mainWithArgs(writer io.Writer, sigChan <-chan os.Signal, args ...string) {
 	fset := flag.NewFlagSet("tinyjafar", flag.ExitOnError)
 	cfg.initFlags(fset)
 
-	fset.Parse(args)
+	runtimex.Try0(fset.Parse(args))
 
 	cs := newCmdSet()
 	cs.handleDropIP(cfg)

internal/engine/session.go

@@ -338,7 +338,7 @@ func (s *Session) Close() error {
 // doClose implements Close. This function is called just once.
 func (s *Session) doClose() {
 	// make sure we close open connections and persist stats to the key-value store
-	s.network.Close()
+	_ = s.network.Close()
 
 	s.resolver.CloseIdleConnections()
 	if s.tunnel != nil {

internal/enginelocate/iplookup.go

@@ -68,7 +68,7 @@ type ipLookupClient struct {
 }
 
 func makeSlice() []method {
-	r := rand.New(rand.NewSource(time.Now().UnixNano()))
+	r := rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404 -- not really important
 	ret := make([]method, len(methods))
 	perm := r.Perm(len(methods))
 	for idx, randIdx := range perm {

internal/enginelocate/stun.go

@@ -45,7 +45,7 @@ func stunIPLookup(ctx context.Context, config stunConfig) (string, error) {
 		}
 		clnt, err := newClient(conn)
 		if err != nil {
-			conn.Close()
+			_ = conn.Close()
 			return model.DefaultProbeIP, err
 		}
 		defer clnt.Close()

internal/enginenetx/bridgespolicy.go

@@ -60,7 +60,7 @@ func bridgesTacticsForDomain(domain, port string) <-chan *httpsDialerTactic {
 
 func bridgesDomainsInRandomOrder() (out []string) {
 	out = bridgesDomains()
-	r := rand.New(rand.NewSource(time.Now().UnixNano()))
+	r := rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404 -- not really important
 	r.Shuffle(len(out), func(i, j int) {
 		out[i], out[j] = out[j], out[i]
 	})

internal/enginenetx/httpsdialer.go

@@ -306,7 +306,7 @@ func httpsDialerReduceResult(connv []model.TLSConn, errorv []error) (model.TLSCo
 	switch {
 	case len(connv) >= 1:
 		for _, c := range connv[1:] {
-			c.Close()
+			_ = c.Close()
 		}
 		return connv[0], nil
 
@@ -400,7 +400,7 @@ func (hd *httpsDialer) dialTLS(
 	// handle handshake error
 	if err != nil {
 		hd.stats.OnTLSHandshakeError(ctx, tactic, err)
-		tcpConn.Close()
+		_ = tcpConn.Close()
 		return nil, err
 	}
 
@@ -412,7 +412,7 @@ func (hd *httpsDialer) dialTLS(
 	// handle verification error
 	if err != nil {
 		hd.stats.OnTLSVerifyError(tactic, err)
-		tlsConn.Close()
+		_ = tlsConn.Close()
 		return nil, err
 	}
 

internal/engineresolver/resolver.go

@@ -168,7 +168,7 @@ func (r *Resolver) lookupHost(ctx context.Context, ri *resolverinfo, hostname st
 //
 // The return value is only meaningful for testing.
 func (r *Resolver) maybeConfusion(state []*resolverinfo, seed int64) int {
-	rng := rand.New(rand.NewSource(seed))
+	rng := rand.New(rand.NewSource(seed)) // #nosec G404 -- not really important
 	const confusion = 0.3
 	if rng.Float64() >= confusion {
 		return -1

internal/engineresolver/resolvermaker.go

@@ -58,7 +58,7 @@ var allbyurl = resolverMakeInitialState()
 // see https://github.com/ooni/probe/issues/2544.
 func resolverMakeInitialState() map[string]*resolvermaker {
 	output := make(map[string]*resolvermaker)
-	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
+	rng := rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404 -- not really important
 	for _, e := range allmakers {
 		output[e.url] = e
 		if e.url != systemResolverURL {

internal/experiment/echcheck/handshake.go

@@ -68,7 +68,7 @@ var certpool = netxlite.NewMozillaCertPool()
 
 // genTLSConfig generates tls.Config from a given SNI
 func genTLSConfig(sni string) *tls.Config {
-	return &tls.Config{
+	return &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 		RootCAs:            certpool,
 		ServerName:         sni,
 		NextProtos:         []string{"h2", "http/1.1"},

internal/experiment/fbmessenger/fbmessenger.go

@@ -179,7 +179,7 @@ func (m Measurer) Run(ctx context.Context, args *model.ExperimentArgs) error {
 	for _, service := range Services {
 		inputs = append(inputs, urlgetter.MultiInput{Target: service})
 	}
-	rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
+	rnd := rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404 -- not really important
 	rnd.Shuffle(len(inputs), func(i, j int) {
 		inputs[i], inputs[j] = inputs[j], inputs[i]
 	})

internal/experiment/portfiltering/tcpconnect.go

@@ -44,6 +44,6 @@ func (m *Measurer) tcpConnect(ctx context.Context, index int64,
 	dialer := trace.NewDialerWithoutResolver(logger)
 	conn, err := dialer.DialContext(ctx, "tcp", address)
 	ol.Stop(err)
-	measurexlite.MaybeClose(conn)
+	_ = measurexlite.MaybeClose(conn)
 	return trace.FirstTCPConnectOrNil()
 }

internal/experiment/quicping/quicping.go

@@ -259,7 +259,7 @@ func (m *Measurer) Run(ctx context.Context, args *model.ExperimentArgs) error {
 
 	// set context and read timeouts
 	deadline := time.Duration(rep*2) * time.Second
-	pconn.SetDeadline(time.Now().Add(deadline))
+	_ = pconn.SetDeadline(time.Now().Add(deadline))
 	ctx, cancel := context.WithTimeout(ctx, deadline)
 	defer cancel()
 

internal/experiment/simplequicping/simplequicping.go

@@ -178,7 +178,7 @@ func (m *Measurer) quicHandshake(ctx context.Context, index int64,
 	// See https://github.com/ooni/probe/issues/2413 to understand
 	// why we're using nil to force netxlite to use the cached
 	// default Mozilla cert pool.
-	tlsConfig := &tls.Config{
+	tlsConfig := &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 		NextProtos: alpn,
 		RootCAs:    nil,
 		ServerName: sni,

internal/experiment/sniblocking/sniblocking.go

@@ -112,7 +112,7 @@ func (m *Measurer) measureone(
 	thaddr string,
 ) Subresult {
 	// slightly delay the measurement
-	gen := rand.New(rand.NewSource(time.Now().UnixNano()))
+	gen := rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404 -- not really important
 	sleeptime := time.Duration(gen.Intn(250)) * time.Millisecond
 	select {
 	case <-time.After(sleeptime):

internal/experiment/tcpping/tcpping.go

@@ -138,7 +138,7 @@ func (m *Measurer) tcpConnect(ctx context.Context, index int64,
 	ol := logx.NewOperationLogger(logger, "TCPPing #%d %s", index, address)
 	conn, err := dialer.DialContext(ctx, "tcp", address)
 	ol.Stop(err)
-	measurexlite.MaybeClose(conn)
+	_ = measurexlite.MaybeClose(conn)
 	sp := &SinglePing{
 		TCPConnect: trace.FirstTCPConnectOrNil(), // record the first connect from the buffer
 	}

internal/experiment/tlsmiddlebox/connect.go

@@ -21,7 +21,7 @@ func (m *Measurer) TCPConnect(ctx context.Context, index int64, zeroTime time.Ti
 	ol := logx.NewOperationLogger(logger, "TCPConnect #%d %s", index, address)
 	conn, err := dialer.DialContext(ctx, "tcp", address)
 	ol.Stop(err)
-	measurexlite.MaybeClose(conn)
+	_ = measurexlite.MaybeClose(conn)
 	tcpEvents := trace.TCPConnects()
 	tk.addTCPConnect(tcpEvents)
 	return err

internal/experiment/tlsmiddlebox/tracing.go

@@ -124,7 +124,7 @@ func genTLSConfig(sni string) *tls.Config {
 	// See https://github.com/ooni/probe/issues/2413 to understand
 	// why we're using nil to force netxlite to use the cached
 	// default Mozilla cert pool.
-	return &tls.Config{
+	return &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 		RootCAs:            nil,
 		ServerName:         sni,
 		NextProtos:         []string{"h2", "http/1.1"},

internal/experiment/tlsping/tlsping.go

@@ -184,7 +184,7 @@ func (m *Measurer) tlsConnectAndHandshake(ctx context.Context, index int64,
 	// See https://github.com/ooni/probe/issues/2413 to understand
 	// why we're using nil to force netxlite to use the cached
 	// default Mozilla cert pool.
-	config := &tls.Config{
+	config := &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 		NextProtos: alpn,
 		RootCAs:    nil,
 		ServerName: sni,

internal/experiment/tlstool/internal/splitter.go

@@ -58,7 +58,7 @@ func Splitter3264rand(input []byte) (output [][]byte) {
 		output = append(output, input)
 		return
 	}
-	rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
+	rnd := rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404 -- not really important
 	offset := rnd.Intn(32) + 32
 	output = append(output, input[:offset])
 	output = append(output, input[offset:])

internal/experiment/tlstool/tlstool.go

@@ -136,13 +136,13 @@ func (m Measurer) run(ctx context.Context, config runConfig) error {
 	if err != nil {
 		return err
 	}
-	conn.Close()
+	_ = conn.Close()
 	return nil
 }
 
 func (m Measurer) tlsConfig() *tls.Config {
 	if m.config.SNI != "" {
-		return &tls.Config{ServerName: m.config.SNI}
+		return &tls.Config{ServerName: m.config.SNI} // #nosec G402 - we need to use a large TLS versions range for measuring
 	}
 	return nil
 }

internal/experiment/urlgetter/configurer.go

@@ -80,7 +80,7 @@ func (c Configurer) NewConfiguration() (Configuration, error) {
 	configuration.DNSClient = dnsclient
 	configuration.HTTPConfig.BaseResolver = dnsclient
 	// configure TLS
-	configuration.HTTPConfig.TLSConfig = &tls.Config{
+	configuration.HTTPConfig.TLSConfig = &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 		NextProtos: []string{"h2", "http/1.1"},
 	}
 	if c.Config.TLSServerName != "" {

internal/experiment/urlgetter/runner.go

@@ -113,7 +113,7 @@ func (r Runner) tlsHandshake(ctx context.Context, address string) error {
 	tlsDialer := netx.NewTLSDialer(r.HTTPConfig)
 	conn, err := tlsDialer.DialTLSContext(ctx, "tcp", address)
 	if conn != nil {
-		conn.Close()
+		_ = conn.Close()
 	}
 	return err
 }
@@ -122,7 +122,7 @@ func (r Runner) tcpConnect(ctx context.Context, address string) error {
 	dialer := netx.NewDialer(r.HTTPConfig)
 	conn, err := dialer.DialContext(ctx, "tcp", address)
 	if conn != nil {
-		conn.Close()
+		_ = conn.Close()
 	}
 	return err
 }

internal/experiment/webconnectivitylte/cleartextflow.go

@@ -96,7 +96,7 @@ func (t *CleartextFlow) Start(ctx context.Context) {
 	index := t.IDGenerator.NewIDForEndpointCleartext()
 	go func() {
 		defer t.WaitGroup.Done() // synchronize with the parent
-		t.Run(ctx, index)
+		_ = t.Run(ctx, index)
 	}()
 }
 
@@ -114,7 +114,7 @@ func (t *CleartextFlow) Run(parentCtx context.Context, index int64) error {
 	sampler := throttling.NewSampler(trace)
 	defer func() {
 		t.TestKeys.AppendNetworkEvents(sampler.ExtractSamples()...)
-		sampler.Close()
+		_ = sampler.Close()
 	}()
 
 	// start the operation logger

internal/experiment/webconnectivitylte/secureflow.go

@@ -104,7 +104,7 @@ func (t *SecureFlow) Start(ctx context.Context) {
 	index := t.IDGenerator.NewIDForEndpointSecure()
 	go func() {
 		defer t.WaitGroup.Done() // synchronize with the parent
-		t.Run(ctx, index)
+		_ = t.Run(ctx, index)
 	}()
 }
 
@@ -122,7 +122,7 @@ func (t *SecureFlow) Run(parentCtx context.Context, index int64) error {
 	sampler := throttling.NewSampler(trace)
 	defer func() {
 		t.TestKeys.AppendNetworkEvents(sampler.ExtractSamples()...)
-		sampler.Close()
+		_ = sampler.Close()
 	}()
 
 	// start the operation logger
@@ -162,7 +162,7 @@ func (t *SecureFlow) Run(parentCtx context.Context, index int64) error {
 	// See https://github.com/ooni/probe/issues/2413 to understand
 	// why we're using nil to force netxlite to use the cached
 	// default Mozilla cert pool.
-	tlsConfig := &tls.Config{
+	tlsConfig := &tls.Config{ // #nosec G402 - we need to use a large TLS versions range for measuring
 		NextProtos: t.alpn(),
 		RootCAs:    nil,
 		ServerName: tlsSNI,

internal/experiment/whatsapp/whatsapp.go

@@ -162,7 +162,7 @@ func (m Measurer) Run(ctx context.Context, args *model.ExperimentArgs) error {
 		// don't care about the HTTP response code.
 		Target: WebHTTPSURL,
 	})
-	rnd := rand.New(rand.NewSource(time.Now().UnixNano()))
+	rnd := rand.New(rand.NewSource(time.Now().UnixNano())) // #nosec G404 -- not really important
 	rnd.Shuffle(len(inputs), func(i, j int) {
 		inputs[i], inputs[j] = inputs[j], inputs[i]
 	})

internal/fsx/fsx.go

@@ -29,11 +29,11 @@ func openWithFS(fs fs.FS, pathname string) (fs.File, error) {
 	}
 	info, err := file.Stat()
 	if err != nil {
-		file.Close()
+		_ = file.Close()
 		return nil, err
 	}
 	if !IsRegular(info) {
-		file.Close()
+		_ = file.Close()
 		return nil, fmt.Errorf("%w: %s", ErrNotRegularFile, pathname)
 	}
 	return file, nil