From 5f60e096bd143017dd2f8afdb5f0d3648bd645d1 Mon Sep 17 00:00:00 2001
From: chainchad <96362174+chainchad@users.noreply.github.com>
Date: Sat, 23 Nov 2024 20:37:57 -0500
Subject: [PATCH] Ignore gosec lint for execs

---
 .../internal/updater/module_operator.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/tools/gomod-required-updater/internal/updater/module_operator.go b/tools/gomod-required-updater/internal/updater/module_operator.go
index 4f59b2f5a5b..ca57b5e8f8d 100644
--- a/tools/gomod-required-updater/internal/updater/module_operator.go
+++ b/tools/gomod-required-updater/internal/updater/module_operator.go
@@ -71,7 +71,10 @@ func (m *moduleOperator) GetGitInfo(remote, branch string) (string, time.Time, e
 ctx, cancel := context.WithTimeout(context.Background(), gitTimeout)
 defer cancel()
- // Get latest SHA
+ // Safe to use remote/branch after validateGitInput ensures they match:
+ // - remote: ^[a-zA-Z0-9][-a-zA-Z0-9_.]*$
+ // - branch: ^[a-zA-Z0-9][-a-zA-Z0-9/_]*$
+ //nolint:gosec // Inputs are validated by regex patterns above
 cmd := exec.CommandContext(ctx, "git", "ls-remote", remote, "refs/heads/"+branch)
 out, err := cmd.Output()
 if err != nil {
@@ -85,7 +88,7 @@ func (m *moduleOperator) GetGitInfo(remote, branch string) (string, time.Time, e
 return "", time.Time{}, fmt.Errorf("%w: empty SHA from git ls-remote", ErrModOperation)
 }
- // Get commit timestamp
+ //nolint:gosec // SHA is obtained from git ls-remote output above
 cmd = exec.CommandContext(ctx, "git", "show", "-s", "--format=%cI", sha)
 out, err = cmd.Output()
 if err != nil {
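Review bot: The first `//nolint:gosec` rests its justification on validateGitInput, but nothing in this hunk shows GetGitInfo calling that validator before the `git ls-remote` exec, and the method body starts above the hunk. The comment also copies both regexes by value, and a copy like that drifts silently when the validator's patterns change. Naming the validator and the property it guarantees is sturdier, for example `//nolint:gosec // remote and branch are checked by validateGitInput, which requires an alphanumeric first character (no leading '-')`. If the check runs in a caller rather than in this method, the comment should say which one, or the call should move here so the suppression and its precondition stay together.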
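Review bot: The second `//nolint:gosec` treats `sha` as trusted because it was parsed from `git ls-remote` output, but that output originates at the remote, and the only check visible in this hunk is the empty-string test. Where a value came from is not a validation of its shape. A format check before the `git show` call would let the suppression stand on its own, e.g. `if !shaPattern.MatchString(sha) { return "", time.Time{}, fmt.Errorf("%w: malformed SHA from git ls-remote", ErrModOperation) }`, with a new package-level `shaPattern` compiled once from `^[0-9a-f]{40}$` (also allowing 64 hex digits if SHA-256 repositories are in scope). The parsing of `out` lies between the two hunks and is not shown, so this may already be covered there.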