G204: False positive when variable is a value from a hard-coded locally-scoped map

### Summary

The linter reports a variable executing a shell command when the variable is hard-coded and not changed.

### Steps to reproduce the behavior

```go
// first element of each slice is the hard-coded command
osCommand := map[string][]string{
	"darwin":  {"open"},
	"freebsd": {"xdg-open"},
	"linux":   {"xdg-open"},
	"netbsd":  {"xdg-open"},
	"openbsd": {"xdg-open"},
	"windows": {"cmd", "/c", "start"},
}

// (probably irrelevant detail, but keeping it here just in case)
if runtime.GOOS == "windows" {
	// escape characters not allowed by cmd
	url = strings.ReplaceAll(url, "&", `^&`)
}

// read from the map -- no mutations
all := osCommand[runtime.GOOS]

// extract the command from the args -- again, no mutations
exe := all[0]
args := all[1:]

// false positive here
cmd := exec.Command(exe, append(args, url)...)

// it also fires if it's just exec.Command(exe)
```

### gosec version

v2.20

### Go version (output of 'go version')

go version go1.22.6 linux/amd64

### Operating system / Environment

See above

### Expected behavior

The command does not rely on external input in any way, so there should be no lint warning.

### Actual behavior

G204 fires.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

G204: False positive when variable is a value from a hard-coded locally-scoped map #1199

Summary

Steps to reproduce the behavior

gosec version

Go version (output of 'go version')

Operating system / Environment

Expected behavior

Actual behavior

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development