gosec: G401, G501 - Weak cryptographic primitive

azure, koji and gcp use md5 hashes. Gosec is not happy with it, so we
create exceptions for them (G401, G501).

internal/cloud/gcp/storage.go

@@ -2,6 +2,8 @@ package gcp
 
 import (
 	"context"
+	// gcp uses MD5 hashes
+	/* #nosec G501 */
 	"crypto/md5"
 	"fmt"
 	"io"
@@ -46,6 +48,8 @@ func (g *GCP) StorageObjectUpload(ctx context.Context, filename, bucket, object
 	defer imageFile.Close()
 
 	// Compute MD5 checksum of the image file for later verification
+	// gcp uses MD5 hashes
+	/* #nosec G401 */
 	imageFileHash := md5.New()
 	if _, err := io.Copy(imageFileHash, imageFile); err != nil {
 		return nil, fmt.Errorf("cannot create md5 of the image: %v", err)

internal/upload/azure/azurestorage.go

@@ -4,6 +4,8 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	// azure uses MD5 hashes
+	/* #nosec G501 */
 	"crypto/md5"
 	"errors"
 	"fmt"
@@ -88,6 +90,8 @@ func (c StorageClient) UploadPageBlob(metadata BlobMetadata, fileName string, th
 	}
 
 	// Hash the imageFile
+	// azure uses MD5 hashes
+	/* #nosec G401 */
 	imageFileHash := md5.New()
 	if _, err := io.Copy(imageFileHash, imageFile); err != nil {
 		return fmt.Errorf("cannot create md5 of the image: %v", err)

internal/upload/koji/koji.go

@@ -2,6 +2,8 @@ package koji
 
 import (
 	"bytes"
+	// koji uses MD5 hashes
+	/* #nosec G501 */
 	"crypto/md5"
 	"encoding/json"
 	"errors"
@@ -343,6 +345,8 @@ func (k *Koji) uploadChunk(chunk []byte, filepath, filename string, offset uint6
 func (k *Koji) Upload(file io.Reader, filepath, filename string) (string, uint64, error) {
 	chunk := make([]byte, 1024*1024) // upload a megabyte at a time
 	offset := uint64(0)
+	// Koji uses MD5 hashes
+	/* #nosec G401 */
 	hash := md5.New()
 	for {
 		n, err := file.Read(chunk)