Adopt static code analysis with security verification

[jpkrohling]

Adopt a static code analysis that can also verify common security problems. One possible candidate is https://github.com/alecthomas/gometalinter .

This is part of #404 .

[jpkrohling]

gometalinter provides too much feedback. It would probably be better to focus first on a tool that does only security analysis, like Gas:

$ gas -exclude=G104 ./...
.
.
.
Summary:
   Files: 264
   Lines: 32020
   Nosec: 0
  Issues: 8

Of the 8 issues, 4 are related to the hotrod example, three are G304 (which seem OK at a first glance), and one is G103, related to a test utilility.

G104 is "Errors unhandled", and happens in 154 places.

[jpkrohling]

Could someone please assign this to me?

[yurishkuro]

@jpkrohling the ticket #455 mentioned that it's part of this ticket, but there is no checklist here. Do we just go by the tickets in the milestone, or is there something else? I'm just trying to get the full picture, what's outstanding for completion.

[jpkrohling]

The milestone is accurate. We actually need only #456 to get a "passing" state and I'm expecting @PikBot to help us on that.

The status can be seen by clicking on the badge on the main readme file, or here:
https://bestpractices.coreinfrastructure.org/en/projects/1273