all: fix printf(var) mistakes detected by latest printf checker

This includes testdata files that incorrectly formatted "%40l".

For golang/go#69267.

Change-Id: Ibd22b65c89382b386452f0a5b442bb94a4c03c22
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/610955
Reviewed-by: Ian Lance Taylor <iant@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

all_test.go

@@ -113,7 +113,7 @@ func TestLintReports(t *testing.T) {
 			}
 			lints := lint(r)
 			if len(lints) > 0 {
-				t.Errorf(strings.Join(lints, "\n"))
+				t.Error(strings.Join(lints, "\n"))
 			}
 			duplicates := make(map[string][]string)
 			for _, alias := range r.Aliases() {

internal/cve5/cveclient.go

@@ -7,6 +7,7 @@ package cve5
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -496,5 +497,5 @@ func extractError(resp *http.Response) error {
 		errMsg = fmt.Sprintf("%s\n  %s: %s", errMsg, detail.InstancePath, detail.Message)
 	}
 
-	return fmt.Errorf(errMsg)
+	return errors.New(errMsg)
 }

internal/cve5/testdata/cve/TestToReport/CVE-2021-27919.txtar

@@ -24,8 +24,8 @@ notes:
     - lint: 'modules[0] "std": packages[0] "archive/zip": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'references: must contain at least one fix'
     - lint: 'references: must contain at least one report'
-    - lint: 'references[0] "https://lists.fedoraproject.org/archives/list/package-announce%!l(MISSING)ists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/": "https://lists.fedoraproject.org/archives/list/package-announce%!l(MISSING)ists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/": advisory reference must not be set for first-party issues'
-    - lint: 'references[1] "https://lists.fedoraproject.org/archives/list/package-announce%!l(MISSING)ists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/": "https://lists.fedoraproject.org/archives/list/package-announce%!l(MISSING)ists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/": advisory reference must not be set for first-party issues'
+    - lint: 'references[0] "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MU47VKTNXX33ZDLTI2ORRUY3KLJKU6G/": advisory reference must not be set for first-party issues'
+    - lint: 'references[1] "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HM7U5JNS5WU66Q3S26PFIU2ITB2ATTQ4/": advisory reference must not be set for first-party issues'
     - lint: 'references[2] "https://nvd.nist.gov/vuln/detail/CVE-2021-27919": "https://nvd.nist.gov/vuln/detail/CVE-2021-27919": advisory reference must not be set for first-party issues'
     - lint: 'references[3] "https://security.gentoo.org/glsa/202208-02": "https://security.gentoo.org/glsa/202208-02": advisory reference must not be set for first-party issues'
 source:

internal/cve5/testdata/cve/TestToReport/CVE-2021-3115.txtar

@@ -25,7 +25,7 @@ notes:
     - lint: 'modules[0] "cmd": packages[0] "cmd/go": at least one of vulnerable_at and skip_fix must be set'
     - lint: 'references: must contain at least one fix'
     - lint: 'references: must contain at least one report'
-    - lint: 'references[0] "https://lists.fedoraproject.org/archives/list/package-announce%!l(MISSING)ists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/": "https://lists.fedoraproject.org/archives/list/package-announce%!l(MISSING)ists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/": advisory reference must not be set for first-party issues'
+    - lint: 'references[0] "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YWAYJGXWC232SG3UR3TR574E6BP3OSQQ/": advisory reference must not be set for first-party issues'
     - lint: 'references[1] "https://nvd.nist.gov/vuln/detail/CVE-2021-3115": "https://nvd.nist.gov/vuln/detail/CVE-2021-3115": advisory reference must not be set for first-party issues'
     - lint: 'references[2] "https://security.gentoo.org/glsa/202208-02": "https://security.gentoo.org/glsa/202208-02": advisory reference must not be set for first-party issues'
     - lint: 'references[3] "https://blog.go.dev/path-security": "https://blog.go.dev/path-security": web reference must match regex "https://groups.google.com/g/golang-(announce|dev|nuts)/c/([^/]+)"'

internal/report/lint.go

@@ -481,7 +481,7 @@ func (r *Report) LintAsNotes(pc *proxy.Client) bool {
 	if lints := r.Lint(pc); len(lints) > 0 {
 		slices.Sort(lints)
 		for _, lint := range lints {
-			r.AddNote(NoteTypeLint, lint)
+			r.AddNote(NoteTypeLint, "%s", lint)
 		}
 		return true
 	}

internal/worker/server.go

@@ -153,7 +153,7 @@ func (s *Server) serveError(ctx context.Context, w http.ResponseWriter, _ *http.
 		serr = &serverError{status: http.StatusInternalServerError, err: err}
 	}
 	if serr.status == http.StatusInternalServerError {
-		log.Errorf(ctx, serr.err.Error())
+		log.Errorf(ctx, "%s", serr.err.Error())
 	} else {
 		log.Errorf(ctx, "returning %d (%s) for error %v", serr.status, http.StatusText(serr.status), err)
 	}