Fix govet non-constant error format string issues

hslatman · hslatman · commit f1092e103a9e · 2025-09-09T01:38:33.000+02:00
diff --git a/acme/api/revoke.go b/acme/api/revoke.go
@@ -180,7 +180,7 @@ func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRe
 func wrapRevokeErr(err error) *acme.Error {
 	t := err.Error()
 	if strings.Contains(t, "is already revoked") {
-		return acme.NewError(acme.ErrorAlreadyRevokedType, t)
+		return acme.NewError(acme.ErrorAlreadyRevokedType, "%s", t)
 	}
 	return acme.WrapErrorISE(err, "error when revoking certificate")
 }
@@ -190,9 +190,9 @@ func wrapRevokeErr(err error) *acme.Error {
 func wrapUnauthorizedError(cert *x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) *acme.Error {
 	var acmeErr *acme.Error
 	if err == nil {
-		acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)
+		acmeErr = acme.NewError(acme.ErrorUnauthorizedType, "%s", msg)
 	} else {
-		acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)
+		acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, "%s", msg)
 	}
 	acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403
 
diff --git a/acme/order.go b/acme/order.go
@@ -309,7 +309,7 @@ func (o *Order) Finalize(ctx context.Context, db DB, csr *x509.CertificateReques
 		// Add subproblem for webhook errors, others can be added later.
 		var webhookErr *webhook.Error
 		if errors.As(err, &webhookErr) {
-			acmeError := NewDetailedError(ErrorUnauthorizedType, webhookErr.Error())
+			acmeError := NewDetailedError(ErrorUnauthorizedType, "%s", webhookErr.Error())
 			acmeError.AddSubproblems(Subproblem{
 				Type:   fmt.Sprintf("urn:smallstep:acme:error:%s", webhookErr.Code),
 				Detail: webhookErr.Message,
diff --git a/authority/admin/api/webhook.go b/authority/admin/api/webhook.go
@@ -202,7 +202,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 	}
 	if !found {
 		msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
-		err := admin.NewError(admin.ErrorNotFoundType, msg)
+		err := admin.NewError(admin.ErrorNotFoundType, "%s", msg)
 		render.Error(w, r, err)
 		return
 	}
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
@@ -250,7 +250,7 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	// Use options in the token.
 	if opts.CertType != "" {
 		if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
-			return nil, errs.BadRequestErr(err, err.Error())
+			return nil, errs.BadRequestErr(err, "%s", err.Error())
 		}
 	}
 	if opts.KeyID != "" {
diff --git a/authority/provisioner/ssh_test.go b/authority/provisioner/ssh_test.go
@@ -93,7 +93,7 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
 		var templErr *sshutil.TemplateError
 		if errors.As(err, &templErr) {
 			return nil, errs.NewErr(http.StatusBadRequest, templErr,
-				errs.WithMessage(templErr.Error()),
+				errs.WithMessage("%s", templErr.Error()),
 				errs.WithKeyVal("signOptions", signOpts),
 			)
 		}
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
@@ -302,7 +302,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 	// Use options in the token.
 	if opts.CertType != "" {
 		if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
-			return nil, errs.BadRequestErr(err, err.Error())
+			return nil, errs.BadRequestErr(err, "%s", err.Error())
 		}
 	}
 	if opts.KeyID != "" {
diff --git a/authority/ssh.go b/authority/ssh.go
@@ -215,7 +215,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 	for _, v := range keyValidators {
 		if err := v.Valid(key); err != nil {
 			return nil, nil, errs.ApplyOptions(
-				errs.ForbiddenErr(err, err.Error()),
+				errs.ForbiddenErr(err, "%s", err.Error()),
 				errs.WithKeyVal("signOptions", signOpts),
 			)
 		}
@@ -232,7 +232,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 	// Call enriching webhooks
 	if err := a.callEnrichingWebhooksSSH(ctx, prov, webhookCtl, cr); err != nil {
 		return nil, prov, errs.ApplyOptions(
-			errs.ForbiddenErr(err, err.Error()),
+			errs.ForbiddenErr(err, "%s", err.Error()),
 			errs.WithKeyVal("signOptions", signOpts),
 		)
 	}
@@ -244,7 +244,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 		switch {
 		case errors.As(err, &te):
 			return nil, prov, errs.ApplyOptions(
-				errs.BadRequestErr(err, err.Error()),
+				errs.BadRequestErr(err, "%s", err.Error()),
 				errs.WithKeyVal("signOptions", signOpts),
 			)
 		case strings.HasPrefix(err.Error(), "error unmarshaling certificate"):
@@ -264,7 +264,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 	// Use SignSSHOptions to modify the certificate validity. It will be later
 	// checked or set if not defined.
 	if err := opts.ModifyValidity(certTpl); err != nil {
-		return nil, prov, errs.BadRequestErr(err, err.Error())
+		return nil, prov, errs.BadRequestErr(err, "%s", err.Error())
 	}
 
 	// Use provisioner modifiers.
diff --git a/authority/tls.go b/authority/tls.go
@@ -197,7 +197,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
 
 	if err := a.callEnrichingWebhooksX509(ctx, prov, webhookCtl, attData, csr); err != nil {
 		return nil, prov, errs.ApplyOptions(
-			errs.ForbiddenErr(err, err.Error()),
+			errs.ForbiddenErr(err, "%s", err.Error()),
 			errs.WithKeyVal("csr", csr),
 			errs.WithKeyVal("signOptions", signOpts),
 		)
@@ -209,7 +209,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
 		switch {
 		case errors.As(err, &te):
 			return nil, prov, errs.ApplyOptions(
-				errs.BadRequestErr(err, err.Error()),
+				errs.BadRequestErr(err, "%s", err.Error()),
 				errs.WithKeyVal("csr", csr),
 				errs.WithKeyVal("signOptions", signOpts),
 			)

Original file line number	Diff line number	Diff line change
`@@ -180,7 +180,7 @@ func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRe`
`180`	`180`	`func wrapRevokeErr(err error) *acme.Error {`
`181`	`181`	`t := err.Error()`
`182`	`182`	`if strings.Contains(t, "is already revoked") {`
`183`		`- return acme.NewError(acme.ErrorAlreadyRevokedType, t)`
	`183`	`+ return acme.NewError(acme.ErrorAlreadyRevokedType, "%s", t)`
`184`	`184`	`}`
`185`	`185`	`return acme.WrapErrorISE(err, "error when revoking certificate")`
`186`	`186`	`}`
`@@ -190,9 +190,9 @@ func wrapRevokeErr(err error) *acme.Error {`
`190`	`190`	`func wrapUnauthorizedError(cert x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) acme.Error {`
`191`	`191`	`var acmeErr *acme.Error`
`192`	`192`	`if err == nil {`
`193`		`- acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)`
	`193`	`+ acmeErr = acme.NewError(acme.ErrorUnauthorizedType, "%s", msg)`
`194`	`194`	`} else {`
`195`		`- acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)`
	`195`	`+ acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, "%s", msg)`
`196`	`196`	`}`
`197`	`197`	`acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403`
`198`	`198`
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter`
`202`	`202`	`}`
`203`	`203`	`if !found {`
`204`	`204`	`msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)`
`205`		`- err := admin.NewError(admin.ErrorNotFoundType, msg)`
	`205`	`+ err := admin.NewError(admin.ErrorNotFoundType, "%s", msg)`
`206`	`206`	`render.Error(w, r, err)`
`207`	`207`	`return`
`208`	`208`	`}`
Original file line number	Diff line number	Diff line change
`@@ -250,7 +250,7 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e`
`250`	`250`	`// Use options in the token.`
`251`	`251`	`if opts.CertType != "" {`
`252`	`252`	`if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {`
`253`		`- return nil, errs.BadRequestErr(err, err.Error())`
	`253`	`+ return nil, errs.BadRequestErr(err, "%s", err.Error())`
`254`	`254`	`}`
`255`	`255`	`}`
`256`	`256`	`if opts.KeyID != "" {`
Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si`
`93`	`93`	`var templErr *sshutil.TemplateError`
`94`	`94`	`if errors.As(err, &templErr) {`
`95`	`95`	`return nil, errs.NewErr(http.StatusBadRequest, templErr,`
`96`		`- errs.WithMessage(templErr.Error()),`
	`96`	`+ errs.WithMessage("%s", templErr.Error()),`
`97`	`97`	`errs.WithKeyVal("signOptions", signOpts),`
`98`	`98`	`)`
`99`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -302,7 +302,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e`
`302`	`302`	`// Use options in the token.`
`303`	`303`	`if opts.CertType != "" {`
`304`	`304`	`if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {`
`305`		`- return nil, errs.BadRequestErr(err, err.Error())`
	`305`	`+ return nil, errs.BadRequestErr(err, "%s", err.Error())`
`306`	`306`	`}`
`307`	`307`	`}`
`308`	`308`	`if opts.KeyID != "" {`
Original file line number	Diff line number	Diff line change
`@@ -215,7 +215,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi`
`215`	`215`	`for _, v := range keyValidators {`
`216`	`216`	`if err := v.Valid(key); err != nil {`
`217`	`217`	`return nil, nil, errs.ApplyOptions(`
`218`		`- errs.ForbiddenErr(err, err.Error()),`
	`218`	`+ errs.ForbiddenErr(err, "%s", err.Error()),`
`219`	`219`	`errs.WithKeyVal("signOptions", signOpts),`
`220`	`220`	`)`
`221`	`221`	`}`
`@@ -232,7 +232,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi`
`232`	`232`	`// Call enriching webhooks`
`233`	`233`	`if err := a.callEnrichingWebhooksSSH(ctx, prov, webhookCtl, cr); err != nil {`
`234`	`234`	`return nil, prov, errs.ApplyOptions(`
`235`		`- errs.ForbiddenErr(err, err.Error()),`
	`235`	`+ errs.ForbiddenErr(err, "%s", err.Error()),`
`236`	`236`	`errs.WithKeyVal("signOptions", signOpts),`
`237`	`237`	`)`
`238`	`238`	`}`
`@@ -244,7 +244,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi`
`244`	`244`	`switch {`
`245`	`245`	`case errors.As(err, &te):`
`246`	`246`	`return nil, prov, errs.ApplyOptions(`
`247`		`- errs.BadRequestErr(err, err.Error()),`
	`247`	`+ errs.BadRequestErr(err, "%s", err.Error()),`
`248`	`248`	`errs.WithKeyVal("signOptions", signOpts),`
`249`	`249`	`)`
`250`	`250`	`case strings.HasPrefix(err.Error(), "error unmarshaling certificate"):`
`@@ -264,7 +264,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi`
`264`	`264`	`// Use SignSSHOptions to modify the certificate validity. It will be later`
`265`	`265`	`// checked or set if not defined.`
`266`	`266`	`if err := opts.ModifyValidity(certTpl); err != nil {`
`267`		`- return nil, prov, errs.BadRequestErr(err, err.Error())`
	`267`	`+ return nil, prov, errs.BadRequestErr(err, "%s", err.Error())`
`268`	`268`	`}`
`269`	`269`
`270`	`270`	`// Use provisioner modifiers.`