
enable gosec #147

Merged
merged 8 commits into from
Oct 3, 2022

Conversation

kim-tsao
Contributor

Signed-off-by: Kim Tsao ktsao@redhat.com

What does this PR do?:

  • enables gosec in GitHub Actions; we will not fail if there are scan findings
  • adds a rule to the Makefile
  • cleans up other rules in the Makefile

Which issue(s) this PR fixes:

devfile/api#937

PR acceptance criteria:

Testing and documentation do not need to be complete in order for this PR to be approved. We just need to ensure tracking issues are opened.

  • Open new test/doc issues under the devfile/api repo
  • Check each criterion if:
  • There is a separate tracking issue. Add the issue link under the criteria
    or
  • test/doc updates are made as part of this PR
  • If unchecked, explain why it's not needed

How to test changes / Special notes to the reviewer:


codecov-commenter commented Sep 21, 2022

Codecov Report

Base: 58.23% // Head: 58.20% // Decreases project coverage by -0.02% ⚠️

Coverage data is based on head (0aaa518) compared to base (4c7c5dc).
Patch coverage: 42.85% of modified lines in pull request are covered.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #147      +/-   ##
==========================================
- Coverage   58.23%   58.20%   -0.03%     
==========================================
  Files          35       35              
  Lines        3963     3965       +2     
==========================================
  Hits         2308     2308              
- Misses       1516     1518       +2     
  Partials      139      139              
Impacted Files                                Coverage Δ
pkg/devfile/parser/configurables.go           0.00%  <0.00%>   (ø)
pkg/devfile/parser/parse.go                   53.88% <0.00%>   (-0.18%) ⬇️
pkg/util/util.go                              39.47% <28.57%>  (ø)
pkg/devfile/parser/data/v2/containers.go      80.31% <100.00%> (ø)


@@ -38,7 +38,7 @@
fmt.Printf("Writing to file: %s\n", filePath)
fileContent := fmt.Sprintf("package %s\n\n// %s\nconst %s = `%s\n`\n", packageVersion, schemaURL, jsonSchemaVersion, newSchema)

if err := ioutil.WriteFile(filePath, []byte(fileContent), 0755); err != nil {
if err := ioutil.WriteFile(filePath, []byte(fileContent), 0644); err != nil {
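Review bot: dropping from 0755 to 0644 is the right direction for a generated Go source file (the executable bit served no purpose), but the gosec check on this line expects 0600 or less, so `ioutil.WriteFile(filePath, []byte(fileContent), 0644)` will remain a scan finding on every run. If 0644 is the accepted default for this file, annotate the line with a `// #nosec` comment and a one-line justification so the accepted risk is recorded next to the code instead of being re-triaged each time the workflow runs. Separately, `ioutil.WriteFile` has been deprecated in favour of `os.WriteFile` since Go 1.16; switching would be a small cleanup while this line is being touched.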

Check failure

Code scanning / gosec

Expect WriteFile permissions to be 0600 or less
Member

Does this not fail the GitHub CI @kim-tsao?

Contributor Author

The only place this seems to get called is from main.go, which is called from the updateAPI.sh script (run locally) to sync the api dependency.

@kim-tsao
Contributor Author

Handled all gosec findings by either fixing them or annotating them with nosec. Some details of the fixes include:

  • Following the guideline for G304 to clean user-provided file paths in order to avoid path traversal
  • Updating the permissions to 0644 if the JSON schema is updated and replaced. This is not a security concern, since it's part of a script that's run outside core code to update the API dependency, so I restricted the level of permissions based on our current defaults. This will not eliminate the finding, since it expects 0600, but I think 0644 is appropriate for our needs
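A worked illustration of the G304 fix described in the comment above, added here as an example and not code from the devfile library. The function names are hypothetical, and the base-directory containment check goes beyond the plain path cleaning the PR mentions, because filepath.Clean on its own normalises ".." segments but does not stop a path from leaving the intended directory.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideBase = errors.New("path escapes base directory")

// readDevfileUnsafe (hypothetical) is the pattern gosec G304 flags: the caller's
// path goes straight to os.ReadFile, so "../../etc/passwd" style input is honoured.
func readDevfileUnsafe(userPath string) ([]byte, error) {
	return os.ReadFile(userPath) // G304: file inclusion via variable
}

// SafeJoin (hypothetical) cleans a user-provided path and rejects anything resolving
// outside base. filepath.Clean alone only normalises ".."; the filepath.Rel check confines.
func SafeJoin(base, userPath string) (string, error) {
	cleanBase := filepath.Clean(base)
	full := filepath.Clean(filepath.Join(cleanBase, userPath))
	rel, err := filepath.Rel(cleanBase, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// readDevfileSafe reads only files under base; only the confined path reaches os.ReadFile.
func readDevfileSafe(base, userPath string) ([]byte, error) {
	p, err := SafeJoin(base, userPath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p) // #nosec G304 -- path confined to base by SafeJoin
}

func main() {
	base, _ := os.MkdirTemp("", "devfile")
	defer os.RemoveAll(base)
	// Constructed sample devfile, written with the 0600 mode gosec expects.
	_ = os.WriteFile(filepath.Join(base, "devfile.yaml"), []byte("schemaVersion: 2.2.0\n"), 0600)
	for _, p := range []string{"devfile.yaml", "../../etc/passwd"} {
		_, err := readDevfileSafe(base, p)
		fmt.Printf("%s -> err=%v\n", p, err)
	}
}
```

Note that an absolute user path such as "/etc/passwd" is treated as relative to base by filepath.Join, so it is confined rather than rejected.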

@kim-tsao kim-tsao marked this pull request as ready for review September 23, 2022 20:01
@kim-tsao kim-tsao requested review from yangcao77, johnmcollier and maysunfaisal and removed request for elsony and maysunfaisal September 23, 2022 20:01
@openshift-ci

openshift-ci bot commented Oct 3, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kim-tsao, maysunfaisal

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kim-tsao,maysunfaisal]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kim-tsao kim-tsao merged commit 8b432ca into devfile:main Oct 3, 2022