diff --git a/internal/sqlutil/sqlutil_test.go b/internal/sqlutil/sqlutil_test.go
index c40757893e..aba5f3631d 100644
--- a/internal/sqlutil/sqlutil_test.go
+++ b/internal/sqlutil/sqlutil_test.go
@@ -218,5 +218,5 @@ func assertNoError(t *testing.T, err error, msg string) {
 	if err == nil {
 		return
 	}
-	t.Fatalf(msg)
+	t.Fatalf("%s", msg)
 }
diff --git a/roomserver/acls/acls_test.go b/roomserver/acls/acls_test.go
index 09920308c5..1b4fc36eb3 100644
--- a/roomserver/acls/acls_test.go
+++ b/roomserver/acls/acls_test.go
@@ -29,11 +29,11 @@ func TestOpenACLsWithBlacklist(t *testing.T) {
 	roomID := "!test:test.com"
 	allowRegex, err := compileACLRegex("*")
 	if err != nil {
-		t.Fatalf(err.Error())
+		t.Fatalf("%s", err.Error())
 	}
 	denyRegex, err := compileACLRegex("foo.com")
 	if err != nil {
-		t.Fatalf(err.Error())
+		t.Fatalf("%s", err.Error())
 	}
 
 	acls := ServerACLs{
@@ -72,7 +72,7 @@ func TestDefaultACLsWithWhitelist(t *testing.T) {
 	roomID := "!test:test.com"
 	allowRegex, err := compileACLRegex("foo.com")
 	if err != nil {
-		t.Fatalf(err.Error())
+		t.Fatalf("%s", err.Error())
 	}
 
 	acls := ServerACLs{
diff --git a/userapi/internal/key_api.go b/userapi/internal/key_api.go
index 422898c70a..81127481ec 100644
--- a/userapi/internal/key_api.go
+++ b/userapi/internal/key_api.go
@@ -196,7 +196,7 @@ func (a *UserInternalAPI) QueryDeviceMessages(ctx context.Context, req *api.Quer
 		if m.StreamID > maxStreamID {
 			maxStreamID = m.StreamID
 		}
-		if m.KeyJSON == nil || len(m.KeyJSON) == 0 {
+		if len(m.KeyJSON) == 0 {
 			continue
 		}
 		result = append(result, m)