
Fix false positives for SQL string concatenation with constants from another file (#247)

* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.
Delon Wong Her Laang
2018-09-28 15:46:59 +08:00
committed by Cosmin Cojocar
parent 5f98926a7b
commit d3f1980e7a
5 changed files with 115 additions and 66 deletions


@@ -51,10 +51,17 @@ func (s *sqlStrConcat) ID() string {
}
// see if we can figure out what it is
func (s *sqlStrConcat) checkObject(n *ast.Ident) bool {
func (s *sqlStrConcat) checkObject(n *ast.Ident, c *gosec.Context) bool {
if n.Obj != nil {
return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
}
// Try to resolve unresolved identifiers using other files in same package
for _, file := range c.PkgFiles {
if node, ok := file.Scope.Objects[n.String()]; ok {
return node.Kind != ast.Var && node.Kind != ast.Fun
}
}
return false
}
@@ -69,7 +76,7 @@ func (s *sqlStrConcat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error)
if _, ok := node.Y.(*ast.BasicLit); ok {
return nil, nil // string cat OK
}
if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {
if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second, c) {
return nil, nil
}
return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil
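Review bot: In the new `checkObject` (first hunk), both returns are written as a deny-list — `n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun` and the same on `node.Kind` — so any other object kind, including `ast.Bad` (the zero value, produced for broken declarations) and `ast.Pkg`/`ast.Typ`, is treated as a safe string operand and suppresses the SQL-concatenation finding. Since the commit message describes the intent as "resolves to a literal", the positive form `return n.Obj.Kind == ast.Con` and `return node.Kind == ast.Con` states that intent directly and cannot silently whitelist a new kind; if the wider set is deliberate, a comment saying which kinds are meant to pass would help the next reader. The cross-file fallback only consults `file.Scope.Objects`, i.e. package-level declarations, which seems to be what is wanted here, but a brief comment to that effect on the `for _, file := range c.PkgFiles` loop would make the limitation explicit. `Match` begins outside the second hunk, so the handling of `node.X` is not visible in this review.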