From 01c4d5761d7af1ef77f2cd93135a8f182d87103f Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Thu, 19 Mar 2026 13:36:29 +0100
Subject: [PATCH] Fix gosec and staticcheck lint errors from proto deprecation
---
 client/internal/acl/manager.go | 1 +
 client/internal/debug/debug.go | 3 ++-
 management/internals/shared/grpc/conversion.go | 3 ++-
 management/server/peer_test.go | 1 +
 shared/netiputil/compact.go | 6 ++++--
 5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/client/internal/acl/manager.go b/client/internal/acl/manager.go
index dd6f9479a..54a97e38f 100644
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -216,6 +216,7 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 r *mgmProto.FirewallRule,
 ipsetName string,
 ) (id.RuleID, []firewall.Rule, error) {
+ //nolint:staticcheck // PeerIP used for backward compatibility with old management
 ip := net.ParseIP(r.PeerIP)
 if ip == nil {
 return "", nil, fmt.Errorf("invalid IP address, skipping firewall rule")
diff --git a/client/internal/debug/debug.go b/client/internal/debug/debug.go
index f0f399bef..b4c3a5951 100644
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -1231,8 +1231,9 @@ func anonymizeFirewallRule(rule *mgmProto.FirewallRule, anonymizer *anonymize.An
 return
 }
+ //nolint:staticcheck // PeerIP used for backward compatibility
 if addr, err := netip.ParseAddr(rule.PeerIP); err == nil {
- rule.PeerIP = anonymizer.AnonymizeIP(addr).String()
+ rule.PeerIP = anonymizer.AnonymizeIP(addr).String() //nolint:staticcheck
 }
 }
diff --git a/management/internals/shared/grpc/conversion.go b/management/internals/shared/grpc/conversion.go
index ef417d3cf..4b72e807f 100644
--- a/management/internals/shared/grpc/conversion.go
+++ b/management/internals/shared/grpc/conversion.go
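Review bot: In protoRuleToFirewallRule (client/internal/acl/manager.go) the deprecated `PeerIP` remains the only address source after this suppression, so a rule that arrives without it fails `net.ParseIP` and is skipped with an error that names neither the rule nor the rejected value. Whether a skipped rule leaves traffic allowed or blocked depends on callers outside the hunk, so the skip should at least be traceable, for example `return "", nil, fmt.Errorf("invalid peer IP %q in firewall rule, skipping", r.PeerIP)`. The directive comment would also help the next reader if it named the replacement field and the condition under which this fallback can be removed. The function body continues past the end of the hunk.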
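Review bot: In anonymizeFirewallRule (client/internal/debug/debug.go) a `PeerIP` that `netip.ParseAddr` rejects is left in the rule unchanged, so any value that is not a bare address reaches the debug bundle verbatim. An error branch that blanks or masks the field would close that gap, e.g. `} else if rule.PeerIP != "" { rule.PeerIP = "" //nolint:staticcheck`. If the proto deprecation introduced a replacement address field, it presumably needs the same anonymization; nothing after this branch handles one before the function returns, and the start of the function is outside the hunk.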
@@ -284,7 +284,8 @@ func toProtocolFirewallRules(rules []*types.FirewallRule) []*proto.FirewallRule
 fwRule := &proto.FirewallRule{
 PolicyID: []byte(rule.PolicyID),
- PeerIP: rule.PeerIP,
+ PeerIP: rule.PeerIP, //nolint:staticcheck // populated for backward compatibility
+
 Direction: getProtoDirection(rule.Direction),
 Action: getProtoAction(rule.Action),
 Protocol: getProtoProtocol(rule.Protocol),
diff --git a/management/server/peer_test.go b/management/server/peer_test.go
index b17757ffd..7f42c8c77 100644
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -1252,6 +1252,7 @@ func TestToSyncResponse(t *testing.T) {
 assert.Equal(t, int64(53), response.NetworkMap.DNSConfig.NameServerGroups[0].NameServers[0].GetPort())
 // assert network map Firewall
 assert.Equal(t, 1, len(response.NetworkMap.FirewallRules))
+ //nolint:staticcheck // testing backward-compatible field
 assert.Equal(t, "192.168.1.2", response.NetworkMap.FirewallRules[0].PeerIP)
 assert.Equal(t, proto.RuleDirection_IN, response.NetworkMap.FirewallRules[0].Direction)
 assert.Equal(t, proto.RuleAction_ACCEPT, response.NetworkMap.FirewallRules[0].Action)
diff --git a/shared/netiputil/compact.go b/shared/netiputil/compact.go
index 3e6d07ea7..c1132650f 100644
--- a/shared/netiputil/compact.go
+++ b/shared/netiputil/compact.go
@@ -36,10 +36,12 @@ func EncodePrefix(p netip.Prefix) []byte {
 func DecodePrefix(b []byte) (netip.Prefix, error) {
 switch len(b) {
 case 5:
- addr := netip.AddrFrom4([4]byte(b[:4]))
+ ip4 := [4]byte(b[:4])
+ addr := netip.AddrFrom4(ip4)
 return netip.PrefixFrom(addr, int(b[4])), nil
 case 17:
- addr := netip.AddrFrom16([16]byte(b[:16])).Unmap()
+ ip6 := [16]byte(b[:16])
+ addr := netip.AddrFrom16(ip6).Unmap()
 bits := int(b[16])
 // Clamp prefix length when unmapping v4-mapped v6 to v4
 if addr.Is4() && bits > 32 {
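Review bot: In DecodePrefix (shared/netiputil/compact.go) the 5-byte branch hands `b[4]` straight to `netip.PrefixFrom`, which for a length above 32 produces an invalid Prefix instead of failing, so the caller receives an invalid prefix together with a nil error. The 17-byte branch visibly clamps only the v4-mapped case, so the two branches treat an out-of-range length differently. As the input is an encoded byte slice that presumably arrives from another component, the length should be rejected before the prefix is built, e.g. `if b[4] > 32 { return netip.Prefix{}, fmt.Errorf("invalid IPv4 prefix length %d", b[4]) }` (using whichever error constructor the file already imports). The new `ip4`/`ip6` temporaries do not affect this, and the rest of the function lies outside the hunk.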