semgrep-rules
False positive pattern in loop pointer rule
This pattern seems incorrect:
```yaml
- pattern: |
    for _, $VALUE := range $SOURCE {
      <... $ANYTHING(..., <... $VALUE ...>, ...) ...>
    }
```
This triggers a semgrep warning:
```go
input := []string{"a", "b", "c"}
output := []string{}
for _, val := range input {
	output = append(output, val)
}
```
There is no pointer involved here.
Go Playground example here.
Semgrep Playground example:
Hey! Thanks for filing this issue :)
I don't think Semgrep can do that kind of type analysis over contents of a collection in Go right now. I filed an issue to the engine team https://github.com/returntocorp/semgrep/issues/8117, so hopefully this should be fixed soon!
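The difference the report points at, as an added Go example that is not part of the issue or of the semgrep-rules repository: appending the loop value stores a copy, while appending the loop variable's address stores the same pointer on every iteration. The function names are hypothetical, and `val` is declared outside the loop in the pointer case so the aliasing reproduces on any Go version (since Go 1.22 a loop variable declared with `:=` is new on each iteration).

```go
package main

import "fmt"

// copyValues mirrors the loop from the issue: append receives a copy of
// each string, so nothing refers back to the loop variable.
func copyValues(input []string) []string {
	output := []string{}
	for _, val := range input {
		output = append(output, val)
	}
	return output
}

// exportPointers is the case a loop-pointer rule is aimed at: the address
// of the loop variable leaves the loop. Assumption for this example: val is
// declared once, outside the loop, so every Go version shares one variable.
func exportPointers(input []string) []*string {
	var val string
	ptrs := []*string{}
	for _, val = range input {
		ptrs = append(ptrs, &val)
	}
	return ptrs
}

// deref reads the strings behind the pointers after the loop has finished.
func deref(ptrs []*string) []string {
	out := make([]string, 0, len(ptrs))
	for _, p := range ptrs {
		out = append(out, *p)
	}
	return out
}

func main() {
	input := []string{"a", "b", "c"} // constructed sample, same values as the issue
	fmt.Println(copyValues(input))            // values are independent copies
	fmt.Println(deref(exportPointers(input))) // every pointer sees the last element
}
```

A rule that matches any call taking `$VALUE` as an argument cannot tell these two functions apart, which is why the value-only loop is reported.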