Add semgrep rule to catch non-determinism in FSM

[schmichael]

See message: in rule for details.

This catches a few uses that should be cleaned up:

$ semgrep scan -c .semgrep/fsm_time.yml nomad
... 

nomad/fsm.go
     semgrep.no-time-in-fsm
        time.Now() should not be called from within the Server's FSM. Apply Raft log messages to the
        State Store must be deterministic so that each server contains exactly the same state. Since
        time drifts between nodes, it must be set before the Raft log message is applied so that all
        Raft members see the same timestamp.

        568┆ Launch:    time.Now(),


  nomad/state/state_store.go
     semgrep.no-time-in-fsm
        time.Now() should not be called from within the Server's FSM. Apply Raft log messages to the
        State Store must be deterministic so that each server contains exactly the same state. Since
        time drifts between nodes, it must be set before the Raft log message is applied so that all
        Raft members see the same timestamp.

       4450┆ status.RequireProgressBy = time.Now().Add(status.ProgressDeadline)
          ⋮┆----------------------------------------
       5866┆ iter = memdb.NewFilterIterator(iter, expiredOneTimeTokenFilter(time.Now()))
          ⋮┆----------------------------------------
       6651┆ rootKeyMeta.CreateTime = time.Now()

[lgfa29]

Minor suggestion, but LGTM as-is as well.

Currently semgrep only runs on code changes in a PR, so the existing cases would not be a problem 👍

[tgross]

I've fixed the keyring and OTT cases in #13737 and #13733

[github-actions]

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.