False positives in gorm-hardcoded-secret and gorm-empty-password #3316
Open
Description
Describe the bug
Both rules gorm-empty-password and gorm-hardcoded-secret produce false positives when the password comes from a variable and is not actually hardcoded in the source code.
I couldn't find these rules in the semgrep-rules repository (maybe because they are "pro" rules?), so I'm not sure this is the right place to open a bug. If it isn't, let me know.
To Reproduce
Run the rules against this snippet of code and notice that both produce a finding.
```go
package db // package name assumed; the issue shows only the function

import (
	"gorm.io/driver/postgres"
	"gorm.io/gorm" // needed for gorm.Config and gorm.Open; omitted in the original snippet
	"gorm.io/gorm/schema"
	// plus the project's own config package (*config.Configuration), whose import path is not shown in the issue
)

// InitDatabase builds the DSN from configuration values, not from string literals.
func InitDatabase(configuration *config.Configuration) (*gorm.DB, error) {
	gormConfig := gorm.Config{
		PrepareStmt: true,
	}
	return gorm.Open(postgres.New(postgres.Config{
		DSN: "host=" + configuration.Database.DBAddr +
			" port=" + configuration.Database.DBPort +
			" dbname=" + configuration.Database.DBName +
			" user=" + configuration.Database.DBUser +
			" password=" + configuration.Database.DBPass +
			" sslmode=" + configuration.Database.DBType,
	}), &gormConfig)
}
```
Expected behavior
Do not report findings.
Priority
How important is this to you?
- P0: blocking me from making progress
- P1: this will block me in the near future
- P2: annoying but not blocking me
Additional Context
N/A
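An added example (not part of the issue or of the semgrep rules) that makes the distinction the report asks for concrete: `passwordLiteralInSource` is a deliberately coarse, text-level check that tells a `password=` keyword followed by literal characters (hardcoded, should be flagged) apart from one followed by the closing quote of the string (value spliced in from a variable, as in the issue's snippet). `BuildDSN` shows the same configuration-driven DSN assembled with libpq quoting, so a password containing a space or quote cannot terminate the value early. The `DBConfig` struct, the `issueSnippet`/`hardcodedSnippet` constants and the placeholder password are all constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// DBConfig mirrors the fields the issue's configuration.Database exposes.
// Constructed for this example; the issue does not show the real struct.
type DBConfig struct {
	DBAddr, DBPort, DBName, DBUser, DBPass, DBType string
}

// quoteDSNValue quotes a value for the libpq keyword=value format: an empty
// value, or one containing spaces, single quotes or backslashes, is wrapped in
// single quotes with backslash and single quote escaped by a backslash.
func quoteDSNValue(v string) string {
	if v != "" && !strings.ContainsAny(v, " '\\") {
		return v
	}
	r := strings.NewReplacer(`\`, `\\`, `'`, `\'`)
	return "'" + r.Replace(v) + "'"
}

// BuildDSN assembles the same DSN the issue's InitDatabase builds by plain
// concatenation, but quotes every value so a password such as "p@ss word"
// stays a single value instead of introducing a new keyword.
func BuildDSN(c DBConfig) string {
	pairs := []struct{ k, v string }{
		{"host", c.DBAddr}, {"port", c.DBPort}, {"dbname", c.DBName},
		{"user", c.DBUser}, {"password", c.DBPass}, {"sslmode", c.DBType},
	}
	parts := make([]string, 0, len(pairs))
	for _, p := range pairs {
		parts = append(parts, p.k+"="+quoteDSNValue(p.v))
	}
	return strings.Join(parts, " ")
}

// issueSnippet is the DSN expression from the issue: the password value is a
// variable, so a secret-detection rule should not report it.
const issueSnippet = `DSN: "host=" + configuration.Database.DBAddr +
	" port=" + configuration.Database.DBPort +
	" password=" + configuration.Database.DBPass +
	" sslmode=" + configuration.Database.DBType,`

// hardcodedSnippet is the shape that should be reported: the password is a
// literal inside the source (constructed placeholder, not a real secret).
const hardcodedSnippet = `DSN: "host=localhost port=5432 dbname=app user=app password=PLACEHOLDER_NOT_A_REAL_SECRET sslmode=disable",`

// passwordLiteralInSource reports whether, on any line of Go source, the text
// "password=" is followed by literal characters rather than by the closing
// double quote of the string (which means the value comes from an expression).
// It is a text heuristic for illustration, not an AST-aware rule.
func passwordLiteralInSource(goSource string) bool {
	for _, line := range strings.Split(goSource, "\n") {
		idx := strings.Index(line, "password=")
		if idx < 0 {
			continue
		}
		rest := line[idx+len("password="):]
		if rest != "" && rest[0] != '"' {
			return true
		}
	}
	return false
}

func main() {
	cfg := DBConfig{"db.internal", "5432", "app", "app", "p@ss word", "require"}
	fmt.Println(BuildDSN(cfg))
	fmt.Println("issue snippet hardcoded?     ", passwordLiteralInSource(issueSnippet))
	fmt.Println("hardcoded snippet hardcoded? ", passwordLiteralInSource(hardcodedSnippet))
}
```

The heuristic only shows where the two cases diverge syntactically; a real rule has to reason over the AST (string literal versus identifier or selector on the right of the `+`), which is exactly what the reported rules appear not to do for the concatenated form.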