gosec G101 false positive
Summary
gosec throws a false positive when using SQL functions with placeholders
Offending line:
e_USER_PASSWD := `UPDATE users set password=sha2(?, 256) where id=?`
Steps to reproduce the behavior
Create a file containing the previous line and run gosec
gosec version
GitLab Gosec analyzer v2.16.2
Go version (output of 'go version')
1.15.7
Operating system / Environment
Linux on a container. Image reference: registry.gitlab.com/gitlab-org/security-products/analyzers/gosec:2
Expected behavior
Recognizing the function and placeholders as not being a password
Actual behavior
Issues a warning because it seems to recognize the function as a password.
Looking into this, I can see that the reason it issues a warning is because the entropyPerChar for UPDATE users set password=sha2(?, 256) where id=? slightly exceeds the threshold of 3.0. SQL statements use a mix of uppercase and lowercase letters so that makes the entropy higher.
Possible quick fixes are 1) to slightly increase the entropy threshold, or 2) to add exceptions to the entropy calculation for SQL reserved words, or somehow check whether the string is an SQL statement.
This can be fixed by tweaking the entropy and the custom patterns of the rule G101.
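The entropy argument above, as an added illustration that is not part of the issue and not gosec's code. It assumes plain Shannon entropy as a stand-in for gosec's own per-character estimator (the issue does not say which estimator gosec uses, so the absolute values differ from the number the reporter observed; only the 3.0 threshold comes from the report). `looksLikeSQL`, `wouldFlag`, `perCharThreshold`, the keyword lists and the sample token are hypothetical names and values chosen for this example.

```go
// Added illustration of the per-character entropy heuristic behind the G101
// report and of the "recognize SQL statements" quick fix proposed above.
// Not gosec's code: Shannon entropy stands in for gosec's estimator
// (assumption), and looksLikeSQL is a hypothetical heuristic.
package main

import (
	"fmt"
	"math"
	"strings"
)

// perCharThreshold mirrors the 3.0 bits-per-character threshold named in the report.
const perCharThreshold = 3.0

// sqlStmt is the statement from the offending line in the report.
const sqlStmt = "UPDATE users set password=sha2(?, 256) where id=?"

// entropyPerChar returns the Shannon entropy of s in bits per character
// (assumption: a stand-in for gosec's own per-character estimate).
func entropyPerChar(s string) float64 {
	counts := make(map[rune]int)
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	if n == 0 {
		return 0
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// Hypothetical keyword sets for the SQL check: a statement must start with a
// leading keyword and contain at least one clause keyword after it.
var sqlLeadingKeywords = map[string]bool{
	"SELECT": true, "INSERT": true, "UPDATE": true, "DELETE": true,
	"CREATE": true, "ALTER": true, "DROP": true, "WITH": true,
}

var sqlClauseKeywords = map[string]bool{
	"FROM": true, "WHERE": true, "SET": true, "INTO": true,
	"VALUES": true, "TABLE": true, "JOIN": true,
}

// looksLikeSQL is the hypothetical "is this an SQL statement" exception from
// quick fix 2 in the report. Matching is case-insensitive because SQL
// keywords are commonly written in either case.
func looksLikeSQL(s string) bool {
	fields := strings.Fields(s)
	if len(fields) < 2 || !sqlLeadingKeywords[strings.ToUpper(fields[0])] {
		return false
	}
	for _, f := range fields[1:] {
		if sqlClauseKeywords[strings.ToUpper(f)] {
			return true
		}
	}
	return false
}

// wouldFlag models the proposed rule: a high per-character entropy still
// triggers, unless the string is recognizably an SQL statement.
func wouldFlag(s string) bool {
	return entropyPerChar(s) >= perCharThreshold && !looksLikeSQL(s)
}

func main() {
	// Constructed inputs: the reported statement, the same statement in all
	// lower case (shows how mixed case raises the entropy), and a random-looking
	// token that a credentials rule should still catch.
	for _, s := range []string{sqlStmt, strings.ToLower(sqlStmt), "p8Z!qL3xV9mT2rK7"} {
		fmt.Printf("%-52q entropy/char=%.2f sql=%-5t flag=%t\n",
			s, entropyPerChar(s), looksLikeSQL(s), wouldFlag(s))
	}
}
```

Run with `go run`. Lowercasing the keywords drops the per-character entropy of the statement by about 0.3 bits, which is the mixed-case effect the report describes; under this estimator both forms sit well above 3.0, so the threshold alone cannot separate them from a random token, while the keyword check suppresses the statement and still flags the token.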