fix gosec issues

pkg/controller/provider/openstack/designateclient.go

@@ -81,7 +81,9 @@ func createDesignateServiceClient(logger logger.LogContext, clientAuthConfig *cl
 		return nil, err
 	}
 
-	tlscfg := &tls.Config{}
+	tlscfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
 
 	if clientAuthConfig.CACert != "" {
 		caCertPool := x509.NewCertPool()

pkg/controller/provider/powerdns/handler.go

@@ -73,7 +73,7 @@ func newHttpClient(insecureSkipVerify bool, trustedCaCert string) *http.Client {
 
 	if insecureSkipVerify {
 		httpClient.Transport = &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec G402 -- InsecureSkipVerify is used to allow insecure connections
 		}
 	}
 

pkg/controller/provider/remote/handler.go

@@ -121,6 +121,7 @@ func (h *Handler) loadTLSCredentials(serverCA_PEM, clientCert_PEM, clientKey_PEM
 
 	// Create the credentials and return it
 	config := &tls.Config{
+		MinVersion:   tls.VersionTLS12,
 		Certificates: []tls.Certificate{clientCert},
 	}
 
@@ -138,7 +139,7 @@ func (h *Handler) loadTLSCredentials(serverCA_PEM, clientCert_PEM, clientKey_PEM
 func (h *Handler) Release() {
 	h.cache.Release()
 	if h.connection != nil {
-		h.connection.Close()
+		_ = h.connection.Close()
 	}
 }
 

pkg/dns/provider/state_entry.go

@@ -244,7 +244,7 @@ func (this *state) HandleUpdateEntry(logger logger.LogContext, op string, object
 	old := this.entries[object.ObjectName()]
 	if old != nil {
 		if !old.lock.TryLockSpinning(10 * time.Millisecond) {
-			millis := time.Millisecond * time.Duration(3000+rand.Int31n(3000))
+			millis := time.Millisecond * time.Duration(3000+rand.Int31n(3000)) // #nosec G404  -- not used for cryptographic purposes
 			return reconcile.RescheduleAfter(logger, millis)
 		}
 		defer old.lock.Unlock()

pkg/server/remote/embed/dynamictransportcreds.go

@@ -65,6 +65,7 @@ func (d *dynamicTransportCredentials) updateTLS(secret *corev1.Secret) {
 
 func (d *dynamicTransportCredentials) createTLS(secret *corev1.Secret) (credentials.TransportCredentials, bool) {
 	config := &tls.Config{
+		MinVersion:   tls.VersionTLS12,
 		Certificates: []tls.Certificate{},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		ClientCAs:    d.certPool,

test/functional/config/config.go

@@ -104,7 +104,7 @@ func InitConfig() *Config {
 }
 
 func LoadConfig(filename string) (*Config, error) {
-	f, err := os.Open(filename)
+	f, err := os.Open(filename) // #nosec G304 -- only used during tests to read test configuration
 	if err != nil {
 		return nil, err
 	}
@@ -175,7 +175,7 @@ func (p *ProviderConfig) TTLValue() int {
 
 func (p *ProviderConfig) CreateTempManifest(basePath, testName string, manifestTemplate *template.Template) (string, error) {
 	filename := fmt.Sprintf("%s/tmp-%s-%s.yaml", basePath, p.Name, testName)
-	f, err := os.Create(filename)
+	f, err := os.Create(filename) // #nosec G304 -- only used during tests to write to a temp file
 	if err != nil {
 		return "", err
 	}

test/functional/config/utils.go

@@ -228,7 +228,7 @@ func (u *TestUtils) AwaitLookupTXT(dnsname string, expected ...string) {
 func RandStringBytes(n int) string {
 	b := make([]byte, n)
 	for i := range b {
-		b[i] = letterBytes[rand.Intn(len(letterBytes))]
+		b[i] = letterBytes[rand.Intn(len(letterBytes))] // #nosec G404  -- not used for cryptographic purposes
 	}
 	return string(b)
 }

test/integration/testenv.go

@@ -171,7 +171,7 @@ func (te *TestEnv) ApplyCRDs(dir string) error {
 
 // readDocuments reads documents from file.
 func readDocuments(fp string) ([][]byte, error) {
-	b, err := os.ReadFile(fp)
+	b, err := os.ReadFile(fp) // #nosec G304 -- only used during tests to read test configuration
 	if err != nil {
 		return nil, err
 	}