Add gosec to SAST analysis

.golangci.yml

@@ -24,6 +24,7 @@ linters:
     - durationcheck
     - exportloopref
     - whitespace
+    - gosec
 
     # - structcheck # lots of false positives
     # - errcheck #lot of false positives

api/accounts/accounts_test.go

@@ -527,7 +527,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -540,7 +540,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 }
 
 func httpGet(t *testing.T, url string) ([]byte, int) {
-	res, err := http.Get(url)
+	res, err := http.Get(url) // nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}

api/blocks/blocks_test.go

@@ -237,7 +237,7 @@ func checkExpandedBlock(t *testing.T, expBl *block.Block, actBl *blocks.JSONExpa
 }
 
 func httpGet(t *testing.T, url string) ([]byte, int) {
-	res, err := http.Get(url)
+	res, err := http.Get(url) // nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}

api/debug/debug_test.go

@@ -509,7 +509,7 @@ func httpPostAndCheckResponseStatus(t *testing.T, url string, obj interface{}, r
 	if err != nil {
 		t.Fatal(err)
 	}
-	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}

api/events/events_test.go

@@ -160,7 +160,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}

api/node/node_test.go

@@ -56,7 +56,7 @@ func initCommServer(t *testing.T) {
 }
 
 func httpGet(t *testing.T, url string) []byte {
-	res, err := http.Get(url)
+	res, err := http.Get(url) // nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}

api/transactions/transactions_test.go

@@ -258,7 +258,7 @@ func httpPostAndCheckResponseStatus(t *testing.T, url string, obj interface{}, r
 	if err != nil {
 		t.Fatal(err)
 	}
-	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint: gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -364,7 +364,7 @@ func checkMatchingTx(t *testing.T, expectedTx *tx.Transaction, actualTx *transac
 }
 
 func httpGetAndCheckResponseStatus(t *testing.T, url string, responseStatusCode int) []byte {
-	res, err := http.Get(url)
+	res, err := http.Get(url) // nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}

api/transfers/transfers_test.go

@@ -170,7 +170,7 @@ func httpPost(t *testing.T, url string, body interface{}) ([]byte, int) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data))
+	res, err := http.Post(url, "application/x-www-form-urlencoded", bytes.NewReader(data)) // nolint: gosec
 	if err != nil {
 		t.Fatal(err)
 	}

block/header_test.go

@@ -63,7 +63,7 @@ func TestHeader_BetterThan(t *testing.T) {
 
 func TestHeaderEncoding(t *testing.T) {
 	var sig [65]byte
-	rand.Read(sig[:])
+	rand.Read(sig[:]) // nolint:gosec
 
 	block := new(Builder).Build().WithSignature(sig[:])
 	h := block.Header()
@@ -86,8 +86,8 @@ func TestHeaderEncoding(t *testing.T) {
 
 	var proof [81]byte
 	var alpha [32]byte
-	rand.Read(proof[:])
-	rand.Read(alpha[:])
+	rand.Read(proof[:]) // nolint:gosec
+	rand.Read(alpha[:]) // nolint:gosec
 
 	complex, err := NewComplexSignature(sig[:], proof[:])
 	if err != nil {
@@ -110,7 +110,7 @@ func TestHeaderEncoding(t *testing.T) {
 // type extension struct{Alpha []byte}
 func TestEncodingBadExtension(t *testing.T) {
 	var sig [65]byte
-	rand.Read(sig[:])
+	rand.Read(sig[:]) // nolint:gosec
 
 	block := new(Builder).Build().WithSignature(sig[:])
 	h := block.Header()
@@ -157,8 +157,8 @@ func TestEncodingBadExtension(t *testing.T) {
 func TestEncodingExtension(t *testing.T) {
 	var sig [ComplexSigSize]byte
 	var alpha [32]byte
-	rand.Read(sig[:])
-	rand.Read(alpha[:])
+	rand.Read(sig[:])   // nolint:gosec
+	rand.Read(alpha[:]) // nolint:gosec
 
 	block := new(Builder).Alpha(alpha[:]).Build().WithSignature(sig[:])
 	h := block.Header()

cache/prio_cache_test.go

@@ -46,9 +46,9 @@ func TestPrioCache(t *testing.T) {
 
 	for i := 0; i < 100; i++ {
 		e := kvp{
-			rand.Int(),
-			rand.Int(),
-			rand.Float64()}
+			rand.Int(),     // nolint: gosec
+			rand.Int(),     // nolint:gosec
+			rand.Float64()} // nolint:gosec
 		kvps = append(kvps, e)
 		c.Set(e.k, e.v, e.p)
 	}

cache/rnd_cache.go

@@ -106,7 +106,7 @@ func (rc *RandCache) Pick() *Entry {
 	if len(rc.s) == 0 {
 		return nil
 	}
-	ent := rc.s[rand.Intn(len(rc.s))]
+	ent := rc.s[rand.Intn(len(rc.s))] // nolint:gosec
 	cpy := ent.Entry
 	return &cpy
 }
@@ -141,6 +141,6 @@ func (rc *RandCache) randDrop() {
 	if len(rc.s) == 0 {
 		return
 	}
-	ent := rc.s[rand.Intn(len(rc.s))]
+	ent := rc.s[rand.Intn(len(rc.s))] // nolint:gosec
 	rc.remove(ent.Key)
 }

cmd/thor/node/tx_stash_test.go

@@ -20,7 +20,7 @@ import (
 )
 
 func newTx() *tx.Transaction {
-	tx := new(tx.Builder).Nonce(rand.Uint64()).Build()
+	tx := new(tx.Builder).Nonce(rand.Uint64()).Build() // nolint:gosec
 	sig, _ := crypto.Sign(tx.SigningHash().Bytes(), genesis.DevAccounts()[0].PrivateKey)
 	return tx.WithSignature(sig)
 }

cmd/thor/solo/solo.go

@@ -263,7 +263,7 @@ func (s *Solo) newTx(clauses []*tx.Clause, from genesis.DevAccount) (*tx.Transac
 
 	newTx := builder.BlockRef(tx.NewBlockRef(0)).
 		Expiration(math.MaxUint32).
-		Nonce(rand.Uint64()).
+		Nonce(rand.Uint64()). // nolint:gosec
 		DependsOn(nil).
 		Gas(1_000_000).
 		Build()

cmd/thor/utils.go

@@ -488,7 +488,7 @@ func startAPIServer(ctx *cli.Context, handler http.Handler, genesisID thor.Bytes
 	handler = handleXGenesisID(handler, genesisID)
 	handler = handleXThorestVersion(handler)
 	handler = requestBodyLimit(handler)
-	srv := &http.Server{Handler: handler}
+	srv := &http.Server{Handler: handler, ReadHeaderTimeout: time.Second, ReadTimeout: 5 * time.Second}
 	var goes co.Goes
 	goes.Go(func() {
 		srv.Serve(listener)

comm/peer.go

@@ -84,7 +84,7 @@ func (p *Peer) UpdateHead(id thor.Bytes32, totalScore uint64) {
 // MarkTransaction marks a transaction to known.
 func (p *Peer) MarkTransaction(hash thor.Bytes32) {
 	// that's 10~100 block intervals
-	expiration := mclock.AbsTime(time.Second * time.Duration(thor.BlockInterval*uint64(rand.Intn(91)+10)))
+	expiration := mclock.AbsTime(time.Second * time.Duration(thor.BlockInterval*uint64(rand.Intn(91)+10))) // nolint:gosec
 
 	deadline := mclock.Now() + expiration
 	p.knownTxs.Add(hash, deadline)

p2psrv/rpc/rpc.go

@@ -158,7 +158,7 @@ func (r *RPC) prepareCall(msgCode uint64, onResult func(*p2p.Msg) error) uint32
 	r.lock.Lock()
 	defer r.lock.Unlock()
 	for {
-		id := rand.Uint32()
+		id := rand.Uint32() // nolint:gosec
 		if id == 0 {
 			// 0 id is taken by Notify
 			continue

runtime/statedb/statedb_test.go

@@ -134,7 +134,7 @@ func newTestAction(addr common.Address, r *rand.Rand) testAction {
 		nameargs = append(nameargs, addr.Hex())
 	}
 	for _, i := range action.args {
-		action.args[i] = rand.Int63n(100)
+		action.args[i] = rand.Int63n(100) // nolint:gosec
 		nameargs = append(nameargs, fmt.Sprint(action.args[i]))
 	}
 	action.name += strings.Join(nameargs, ", ")

state/cached_object_test.go

@@ -41,7 +41,7 @@ func TestCachedObject(t *testing.T) {
 	assert.Nil(t, err)
 
 	code := make([]byte, 100)
-	rand.Read(code)
+	rand.Read(code) // nolint:gosec
 
 	codeHash := thor.Keccak256(code).Bytes()
 	db.NewStore(codeStoreName).Put(codeHash, code)

test/datagen/numbers.go

@@ -10,9 +10,9 @@ import (
 )
 
 func RandInt() int {
-	return mathrand.Int()
+	return mathrand.Int() // nolint:gosec
 }
 
 func RandIntN(n int) int {
-	return mathrand.Intn(n)
+	return mathrand.Intn(n) // nolint:gosec
 }

thor/hash_test.go

@@ -18,7 +18,7 @@ import (
 
 func BenchmarkHash(b *testing.B) {
 	data := make([]byte, 10)
-	rand.New(rand.NewSource(1)).Read(data)
+	rand.New(rand.NewSource(1)).Read(data) // nolint:gosec
 
 	b.Run("keccak", func(b *testing.B) {
 		type keccakState interface {
@@ -44,7 +44,7 @@ func BenchmarkHash(b *testing.B) {
 
 func BenchmarkBlake2b(b *testing.B) {
 	data := make([]byte, 100)
-	rand.New(rand.NewSource(1)).Read(data)
+	rand.New(rand.NewSource(1)).Read(data) // nolint:gosec
 	b.Run("Blake2b", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
 			thor.Blake2b(data).Bytes()

trie/iterator_test.go

@@ -331,7 +331,7 @@ func TestIteratorContinueAfterError(t *testing.T) {
 		// because that one is already loaded.
 		var rkey []byte
 		for {
-			if rkey = keys[rand.Intn(len(keys))]; !bytes.Equal(rkey, tr.Hash().Bytes()) {
+			if rkey = keys[rand.Intn(len(keys))]; !bytes.Equal(rkey, tr.Hash().Bytes()) { // nolint:gosec
 				break
 			}
 		}

trie/proof_test.go

@@ -79,7 +79,7 @@ func TestVerifyBadProof(t *testing.T) {
 			t.Fatal("zero length proof")
 		}
 		keys := proofs.Keys()
-		key := keys[mrand.Intn(len(keys))]
+		key := keys[mrand.Intn(len(keys))] // nolint:gosec
 		node, _ := proofs.Get(key)
 		proofs.Delete(key)
 		mutateByte(node)
@@ -92,8 +92,8 @@ func TestVerifyBadProof(t *testing.T) {
 
 // mutateByte changes one byte in b.
 func mutateByte(b []byte) {
-	for r := mrand.Intn(len(b)); ; {
-		new := byte(mrand.Intn(255))
+	for r := mrand.Intn(len(b)); ; { // nolint:gosec
+		new := byte(mrand.Intn(255)) // nolint:gosec
 		if new != b[r] {
 			b[r] = new
 			break

trie/trie_test.go

@@ -546,7 +546,7 @@ func benchUpdate(b *testing.B, e binary.ByteOrder) *Trie {
 // insert into the trie before measuring the hashing.
 func BenchmarkHash(b *testing.B) {
 	// Make the random benchmark deterministic
-	random := rand.New(rand.NewSource(0))
+	random := rand.New(rand.NewSource(0)) // nolint:gosec
 
 	// Create a realistic account trie to hash
 	addresses := make([][20]byte, b.N)

tx/block_ref_test.go

@@ -21,7 +21,7 @@ func TestBlockRef(t *testing.T) {
 	assert.Equal(t, tx.BlockRef{0, 0, 0, 0xff, 0, 0, 0, 0}, tx.NewBlockRef(0xff))
 
 	var bid thor.Bytes32
-	rand.Read(bid[:])
+	rand.Read(bid[:]) // nolint:gosec
 
 	br := tx.NewBlockRefFromID(bid)
 	assert.Equal(t, bid[:8], br[:])

tx/reserved_test.go

@@ -25,7 +25,7 @@ func TestReservedEncoding(t *testing.T) {
 	}
 
 	for i, c := range cases {
-		data, err := rlp.EncodeToBytes(&c.input)
+		data, err := rlp.EncodeToBytes(&c.input) // nolint:gosec
 		assert.Nil(t, err, "case #%v", i)
 		assert.Equal(t, c.expected, data, "case #%v", i)
 	}

txpool/blocklist_test.go

@@ -26,7 +26,7 @@ func SetupTempFile(t *testing.T, dummyData string) string {
 	}
 	testFilePath := tempFile.Name()
 
-	err = os.WriteFile(testFilePath, []byte(dummyData), 0644)
+	err = os.WriteFile(testFilePath, []byte(dummyData), 0644) // nolint: gosec
 	if err != nil {
 		t.Fatalf("Failed to write to temp file: %s", err)
 	}

txpool/tx_object_test.go

@@ -42,7 +42,7 @@ func newTx(chainTag byte, clauses []*tx.Clause, gas uint64, blockRef tx.BlockRef
 
 	tx := builder.BlockRef(blockRef).
 		Expiration(expiration).
-		Nonce(rand.Uint64()).
+		Nonce(rand.Uint64()). // nolint:gosec
 		DependsOn(dependsOn).
 		Features(features).
 		Gas(gas).Build()
@@ -61,7 +61,7 @@ func newDelegatedTx(chainTag byte, clauses []*tx.Clause, gas uint64, blockRef tx
 
 	tx := builder.BlockRef(blockRef).
 		Expiration(expiration).
-		Nonce(rand.Uint64()).
+		Nonce(rand.Uint64()). // nolint:gosec
 		DependsOn(dependsOn).
 		Features(features).
 		Gas(gas).Build()

txpool/tx_pool.go

@@ -181,7 +181,7 @@ func (p *TxPool) fetchBlocklistLoop() {
 
 	for {
 		// delay 1~2 min
-		delay := time.Second * time.Duration(rand.Int()%60+60)
+		delay := time.Second * time.Duration(rand.Int()%60+60) // nolint:gosec
 		select {
 		case <-p.ctx.Done():
 			return