From bbc5216f87d133f848abdf66d45c2164b6abf14f Mon Sep 17 00:00:00 2001
From: Bob Callaway <bcallaway@google.com>
Date: Mon, 7 Oct 2024 08:47:54 -0400
Subject: [PATCH] fix lint errors

Signed-off-by: Bob Callaway <bcallaway@google.com>
---
 cmd/api-docs/main.go     |  2 +-
 pkg/tuf/repo.go          | 10 ++++++++--
 pkg/webhook/validator.go |  2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/cmd/api-docs/main.go b/cmd/api-docs/main.go
index 2eefb7e79..6264777f5 100644
--- a/cmd/api-docs/main.go
+++ b/cmd/api-docs/main.go
@@ -165,7 +165,7 @@ func astFrom(filePath string) *doc.Package {
 	}
 
 	m[filePath] = f
-	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:errcheck
+	apkg, _ := ast.NewPackage(fset, m, nil, nil) //nolint:staticcheck
 
 	return doc.New(apkg, "", 0)
 }
diff --git a/pkg/tuf/repo.go b/pkg/tuf/repo.go
index 6fb029642..0b31c49d3 100644
--- a/pkg/tuf/repo.go
+++ b/pkg/tuf/repo.go
@@ -129,7 +129,10 @@ func Uncompress(src io.Reader, dst string) error {
 			}
 		// Write out files
 		case tar.TypeReg:
-			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return errors.New("invalid mode value in tar header")
+			}
+			fileToWrite, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode)) //nolint:gosec // disable G115
 			if err != nil {
 				return err
 			}
@@ -213,9 +216,12 @@ func UncompressMemFS(src io.Reader, stripPrefix string) (fs.FS, error) {
 			if err != nil && err != io.EOF {
 				return nil, fmt.Errorf("reading file %s : %w", header.Name, err)
 			}
+			if header.Mode < 0 && int64(uint32(header.Mode)) != header.Mode { //nolint:gosec // disable G115
+				return nil, errors.New("invalid mode value in tar header")
+			}
 			testFS[target] = &fstest.MapFile{
 				Data:    data,
-				Mode:    os.FileMode(header.Mode),
+				Mode:    os.FileMode(header.Mode), //nolint:gosec // disable G115
 				ModTime: header.ModTime,
 			}
 		}
diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go
index 02a46b6c3..73cd6999d 100644
--- a/pkg/webhook/validator.go
+++ b/pkg/webhook/validator.go
@@ -517,7 +517,7 @@ func ValidatePolicy(ctx context.Context, namespace string, ref name.Reference, c
 			switch {
 			case authority.Static != nil:
 				if authority.Static.Action == "fail" {
-					result.err = cosign.NewVerificationError("disallowed by static policy: " + authority.Static.Message)
+					result.err = cosign.NewVerificationError("disallowed by static policy: %s", authority.Static.Message)
 					results <- result
 					return
 				}