Add Gosec Github Action (#9332)

* add gosec security scan

* add first batch of gosec ignores

* more nosec for exec

* add filepath clean

* more nosec

* file inclusion nosec

* build

* herumi

Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>
This commit is contained in:
Raul Jordan
2021-08-15 10:24:13 -05:00
committed by GitHub
parent 1936f991eb
commit 8122da6c97
37 changed files with 86 additions and 63 deletions


@@ -8,19 +8,25 @@ import (
// UseRandNewCustomImport --
func UseRandNewCustomImport() {
// #nosec G404
source := mathRand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
randGenerator := mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
// #nosec G404
randGenerator := mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
start := uint64(randGenerator.Intn(32))
_ = start
// #nosec G404
source = mathRand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
randGenerator = mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
// #nosec G404
randGenerator = mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
}
// UseWithoutSeeCustomImport --
func UseWithoutSeeCustomImport() {
// #nosec G404
assignedIndex := mathRand.Intn(128) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
_ = assignedIndex
// #nosec G404
foobar.Shuffle(10, func(i, j int) { // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
})


@@ -8,17 +8,22 @@ import (
// UseRandNew --
func UseRandNew() {
// #nosec G404
source := rand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
randGenerator := mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
// #nosec G404
randGenerator := mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
start := uint64(randGenerator.Intn(32))
_ = start
// #nosec G404
source = rand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
randGenerator = rand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
// #nosec G404
randGenerator = rand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
}
// UseWithoutSeed --
func UseWithoutSeed() {
// #nosec G404
assignedIndex := rand.Intn(128) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
_ = assignedIndex
}


@@ -48,7 +48,7 @@ func main() {
if err != nil {
panic(fmt.Sprintf("%s does not end in an integer for the filename.", p))
}
b, err := ioutil.ReadFile(p)
b, err := ioutil.ReadFile(p) // #nosec G304
if err != nil {
panic(err)
}
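Review bot: The `// #nosec G304` appended to `ioutil.ReadFile(p)` silences the file-inclusion finding without recording why `p` is safe to open, and the same bare suppression is repeated in the `OpenAddresses`, `os.Open(expanded)`, `ioutil.ReadFile(inFile)`, `readAndDecryptKeystore` and `dataFetcher` hunks. Recent gosec releases accept a justification after the rule id, so each site should carry one, e.g. `b, err := ioutil.ReadFile(p) // #nosec G304 -- <why this path is trusted>`; in the `inFile` hunk the path is visibly `os.Args[1]`, so that justification can name the CLI argument. The commit message mentions adding `filepath.Clean`, but none of these visible hunks calls it, so a later reader cannot tell from the suppression alone whether the path was sanitized upstream; stating it in the justification closes that gap. The enclosing `main` starts before this hunk.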


@@ -155,7 +155,7 @@ func ReloadHTTP(w http.ResponseWriter, _ *http.Request) {
// OpenAddresses from text file (name:address)
func OpenAddresses(filename string) error {
file, err := os.Open(filename)
file, err := os.Open(filename) // #nosec G304
if err != nil {
return err
}


@@ -63,7 +63,7 @@ func main() {
log.Printf("Could not expand file path %s: %v", inputFile, err)
return
}
inputJSON, err := os.Open(expanded)
inputJSON, err := os.Open(expanded) // #nosec G304
if err != nil {
log.Printf("Could not open JSON file for reading: %v", err)
return


@@ -31,7 +31,7 @@ func main() {
}
inFile := os.Args[1]
in, err := ioutil.ReadFile(inFile)
in, err := ioutil.ReadFile(inFile) // #nosec G304
if err != nil {
log.Fatalf("Failed to read file %s: %v", inFile, err)
}


@@ -224,7 +224,7 @@ func encrypt(cliCtx *cli.Context) error {
// Reads the keystore file at the provided path and attempts
// to decrypt it with the specified passwords.
func readAndDecryptKeystore(fullPath, password string) error {
file, err := ioutil.ReadFile(fullPath)
file, err := ioutil.ReadFile(fullPath) // #nosec G304
if err != nil {
return errors.Wrapf(err, "could not read file at path: %s", fullPath)
}


@@ -208,7 +208,7 @@ func main() {
// dataFetcher fetches and unmarshals data from file to provided data structure.
func dataFetcher(fPath string, data fssz.Unmarshaler) error {
rawFile, err := ioutil.ReadFile(fPath)
rawFile, err := ioutil.ReadFile(fPath) // #nosec G304
if err != nil {
return err
}


@@ -50,7 +50,7 @@ func getAndSaveFile(specDocUrl, outFilePath string) error {
}()
// Download spec doc.
resp, err := http.Get(specDocUrl)
resp, err := http.Get(specDocUrl) /* #nosec G107 */
if err != nil {
return err
}
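Review bot: `http.Get(specDocUrl)` goes through `http.DefaultClient`, which has no timeout, so a stalled download can block `getAndSaveFile` without bound; prefer a client with a deadline, e.g. `client := &http.Client{Timeout: 30 * time.Second}` followed by `resp, err := client.Get(specDocUrl) // #nosec G107 -- <why this URL is trusted>` (this needs `time` imported if it is not already). The `/* #nosec G107 */` block form also differs from the `//` line form used for the other suppressions in this commit, and like them it carries no justification for why a non-constant URL is acceptable here. `getAndSaveFile` begins before this hunk, and whatever handles the response after `return err` lies outside it.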