Fix false positives for SQL string concatenation with constants from another file (#247)

* Allow for SQL concatenation of nodes that resolve to literals

If node.Y resolves to a literal, it will not be considered as an issue.

* Fix typo in comment.

* Go through all files in package to resolve that identifier

* Refactor code and added comments.

* Changed checking to not var or func.

* Allow for supporting code for test cases.

* Resolve merge conflict changes.

Author: wongherlung

analyzer.go

@@ -39,6 +39,7 @@ type Context struct {
 	Comments ast.CommentMap
 	Info     *types.Info
 	Pkg      *types.Package
+	PkgFiles []*ast.File
 	Root     *ast.File
 	Config   map[string]interface{}
 	Imports  *ImportTracker
@@ -139,6 +140,7 @@ func (gosec *Analyzer) Process(buildTags []string, packagePaths ...string) error
 			gosec.context.Root = file
 			gosec.context.Info = &pkg.Info
 			gosec.context.Pkg = pkg.Pkg
+			gosec.context.PkgFiles = pkg.Files
 			gosec.context.Imports = NewImportTracker()
 			gosec.context.Imports.TrackPackages(gosec.context.Pkg.Imports()...)
 			ast.Walk(gosec, file)

resolve.go

@@ -56,7 +56,7 @@ func resolveCallExpr(n *ast.CallExpr, c *Context) bool {
 
 // TryResolve will attempt, given a subtree starting at some ATS node, to resolve
 // all values contained within to a known constant. It is used to check for any
-// unkown values in compound expressions.
+// unknown values in compound expressions.
 func TryResolve(n ast.Node, c *Context) bool {
 	switch node := n.(type) {
 	case *ast.BasicLit:

rules/rules_test.go

@@ -28,10 +28,24 @@ var _ = Describe("gosec rules", func() {
 		analyzer = gosec.NewAnalyzer(config, logger)
 		runner = func(rule string, samples []testutils.CodeSample) {
 			analyzer.LoadRules(rules.Generate(rules.NewRuleFilter(false, rule)).Builders())
+
+			supportingFiles := []string{}
+			for _, sample := range samples {
+				if sample.SupportingCode {
+					supportingFiles = append(supportingFiles, sample.Code)
+				}
+			}
+
 			for n, sample := range samples {
+				if sample.SupportingCode {
+					continue
+				}
 				analyzer.Reset()
 				pkg := testutils.NewTestPackage()
 				defer pkg.Close()
+				for n, supportingCode := range supportingFiles {
+					pkg.AddFile(fmt.Sprintf("supporting_sample_%d.go", n), supportingCode)
+				}
 				pkg.AddFile(fmt.Sprintf("sample_%d.go", n), sample.Code)
 				err := pkg.Build()
 				Expect(err).ShouldNot(HaveOccurred())

rules/sql.go

@@ -51,10 +51,17 @@ func (s *sqlStrConcat) ID() string {
 }
 
 // see if we can figure out what it is
-func (s *sqlStrConcat) checkObject(n *ast.Ident) bool {
+func (s *sqlStrConcat) checkObject(n *ast.Ident, c *gosec.Context) bool {
 	if n.Obj != nil {
 		return n.Obj.Kind != ast.Var && n.Obj.Kind != ast.Fun
 	}
+
+	// Try to resolve unresolved identifiers using other files in same package
+	for _, file := range c.PkgFiles {
+		if node, ok := file.Scope.Objects[n.String()]; ok {
+			return node.Kind != ast.Var && node.Kind != ast.Fun
+		}
+	}
 	return false
 }
 
@@ -69,7 +76,7 @@ func (s *sqlStrConcat) Match(n ast.Node, c *gosec.Context) (*gosec.Issue, error)
 				if _, ok := node.Y.(*ast.BasicLit); ok {
 					return nil, nil // string cat OK
 				}
-				if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second) {
+				if second, ok := node.Y.(*ast.Ident); ok && s.checkObject(second, c) {
 					return nil, nil
 				}
 				return gosec.NewIssue(c, n, s.ID(), s.What, s.Severity, s.Confidence), nil