From 1e59ccfc907b360b45075c98480f987e03c8fe44 Mon Sep 17 00:00:00 2001
From: William Storey <wstorey@maxmind.com>
Date: Tue, 17 Feb 2026 11:15:34 -0800
Subject: [PATCH 1/2] Fix gosec lints from golangci-lint v2.10.1

Add nolint directives for taint analysis false positives (G101, G703,
G704, G706) in a CLI tool where user-provided input is used by design.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 client/download.go                                 | 2 +-
 client/metadata.go                                 | 2 +-
 cmd/geoipupdate/args.go                            | 2 +-
 internal/geoipupdate/config.go                     | 4 ++--
 internal/geoipupdate/config_test.go                | 8 ++++----
 internal/geoipupdate/database/local_file_writer.go | 4 ++--
 6 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/client/download.go b/client/download.go
index ce251b8c..f66f223e 100644
--- a/client/download.go
+++ b/client/download.go
@@ -116,7 +116,7 @@ func (c *Client) download(
 	req.Header.Add("User-Agent", "geoipupdate/"+vars.Version)
 	req.SetBasicAuth(strconv.Itoa(c.accountID), c.licenseKey)
 
-	response, err := c.httpClient.Do(req)
+	response, err := c.httpClient.Do(req) //nolint:gosec // URL is from known config
 	if err != nil {
 		return nil, time.Time{}, fmt.Errorf("performing download request: %w", err)
 	}
diff --git a/client/metadata.go b/client/metadata.go
index fb3d80b9..7ff72dbd 100644
--- a/client/metadata.go
+++ b/client/metadata.go
@@ -38,7 +38,7 @@ func (c *Client) getMetadata(
 	req.Header.Add("User-Agent", "geoipupdate/"+vars.Version)
 	req.SetBasicAuth(strconv.Itoa(c.accountID), c.licenseKey)
 
-	response, err := c.httpClient.Do(req)
+	response, err := c.httpClient.Do(req) //nolint:gosec // URL is from known config
 	if err != nil {
 		return nil, fmt.Errorf("performing metadata request: %w", err)
 	}
diff --git a/cmd/geoipupdate/args.go b/cmd/geoipupdate/args.go
index 57a97896..804dc7e6 100644
--- a/cmd/geoipupdate/args.go
+++ b/cmd/geoipupdate/args.go
@@ -77,7 +77,7 @@ func getArgs() *Args {
 }
 
 func printUsage() {
-	log.Printf("Usage: %s <arguments>\n", os.Args[0])
+	log.Printf("Usage: %s <arguments>\n", os.Args[0]) //nolint:gosec // logging program name
 	flag.PrintDefaults()
 	//nolint: revive // deep exit from main package
 	os.Exit(1)
diff --git a/internal/geoipupdate/config.go b/internal/geoipupdate/config.go
index 213e3171..a4a7803c 100644
--- a/internal/geoipupdate/config.go
+++ b/internal/geoipupdate/config.go
@@ -296,7 +296,7 @@ func setConfigFromEnv(config *Config) error {
 	if value := os.Getenv("GEOIPUPDATE_ACCOUNT_ID_FILE"); value != "" {
 		var err error
 
-		accountID, err := os.ReadFile(filepath.Clean(value))
+		accountID, err := os.ReadFile(filepath.Clean(value)) //nolint:gosec // path from env var
 		if err != nil {
 			return fmt.Errorf("failed to open GEOIPUPDATE_ACCOUNT_ID_FILE: %w", err)
 		}
@@ -333,7 +333,7 @@ func setConfigFromEnv(config *Config) error {
 	if value := os.Getenv("GEOIPUPDATE_LICENSE_KEY_FILE"); value != "" {
 		var err error
 
-		licenseKey, err := os.ReadFile(filepath.Clean(value))
+		licenseKey, err := os.ReadFile(filepath.Clean(value)) //nolint:gosec // path from env var
 		if err != nil {
 			return fmt.Errorf("failed to open GEOIPUPDATE_LICENSE_KEY_FILE: %w", err)
 		}
diff --git a/internal/geoipupdate/config_test.go b/internal/geoipupdate/config_test.go
index ddf5fe2b..d8917c64 100644
--- a/internal/geoipupdate/config_test.go
+++ b/internal/geoipupdate/config_test.go
@@ -959,11 +959,11 @@ func TestParseProxy(t *testing.T) {
 			Proxy: "ftp://127.0.0.1:8888",
 			Err:   "unsupported proxy type: ftp",
 		},
-		{
+		{ //nolint:gosec // test data
 			Proxy:  "login:password@127.0.0.1",
 			Output: "http://login:password@127.0.0.1:1080",
 		},
-		{
+		{ //nolint:gosec // test data
 			Proxy:        "login:password@127.0.0.1",
 			UserPassword: "something:else",
 			Output:       "http://login:password@127.0.0.1:1080",
@@ -978,12 +978,12 @@ func TestParseProxy(t *testing.T) {
 			UserPassword: "something:else",
 			Output:       "http://something:else@127.0.0.1:8888",
 		},
-		{
+		{ //nolint:gosec // test data
 			Proxy:        "user:password@127.0.0.1:8888",
 			UserPassword: "user2:password2",
 			Output:       "http://user:password@127.0.0.1:8888",
 		},
-		{
+		{ //nolint:gosec // test data
 			Proxy:        "http://user:password@127.0.0.1:8888",
 			UserPassword: "user2:password2",
 			Output:       "http://user:password@127.0.0.1:8888",
diff --git a/internal/geoipupdate/database/local_file_writer.go b/internal/geoipupdate/database/local_file_writer.go
index 3882485e..3faa8ec0 100644
--- a/internal/geoipupdate/database/local_file_writer.go
+++ b/internal/geoipupdate/database/local_file_writer.go
@@ -184,7 +184,7 @@ func (w *fileWriter) close() error {
 		}
 	}
 
-	err := os.Remove(w.file.Name())
+	err := os.Remove(w.file.Name()) //nolint:gosec // path from os.CreateTemp
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return fmt.Errorf("removing temporary file: %w", err)
 	}
@@ -222,7 +222,7 @@ func (w *fileWriter) syncAndRename(name string) error {
 	if err := w.file.Close(); err != nil {
 		return fmt.Errorf("closing temporary file: %w", err)
 	}
-	if err := os.Rename(w.file.Name(), name); err != nil {
+	if err := os.Rename(w.file.Name(), name); err != nil { //nolint:gosec // path from os.CreateTemp
 		return fmt.Errorf("moving database into place: %w", err)
 	}
 	return nil

From a492e8ace6a45e15a7a7b7cc41630f4ad75cceda Mon Sep 17 00:00:00 2001
From: William Storey <wstorey@maxmind.com>
Date: Tue, 17 Feb 2026 13:04:37 -0800
Subject: [PATCH 2/2] Fix inaccurate nolint comments in local_file_writer.go

The comments incorrectly stated the paths came from os.CreateTemp
when they are actually constructed from config values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/geoipupdate/database/local_file_writer.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/geoipupdate/database/local_file_writer.go b/internal/geoipupdate/database/local_file_writer.go
index 3faa8ec0..2c36614c 100644
--- a/internal/geoipupdate/database/local_file_writer.go
+++ b/internal/geoipupdate/database/local_file_writer.go
@@ -184,7 +184,7 @@ func (w *fileWriter) close() error {
 		}
 	}
 
-	err := os.Remove(w.file.Name()) //nolint:gosec // path from os.CreateTemp
+	err := os.Remove(w.file.Name()) //nolint:gosec // path from config
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return fmt.Errorf("removing temporary file: %w", err)
 	}
@@ -222,7 +222,7 @@ func (w *fileWriter) syncAndRename(name string) error {
 	if err := w.file.Close(); err != nil {
 		return fmt.Errorf("closing temporary file: %w", err)
 	}
-	if err := os.Rename(w.file.Name(), name); err != nil { //nolint:gosec // path from os.CreateTemp
+	if err := os.Rename(w.file.Name(), name); err != nil { //nolint:gosec // path from config
 		return fmt.Errorf("moving database into place: %w", err)
 	}
 	return nil