diff --git a/cmd/gosec/main.go b/cmd/gosec/main.go
index 330280d..7372a78 100644
--- a/cmd/gosec/main.go
+++ b/cmd/gosec/main.go
@@ -364,7 +364,7 @@ func main() {
 if err != nil {
 logger.Fatal(err)
 }
- // get a bug
+
 ruleList := loadRules(includeRules, excludeRules)
 if len(ruleList.Rules) == 0 {
 logger.Fatal("No rules are configured")
diff --git a/rules/sql.go b/rules/sql.go
index 8a5b638..844eaf5 100644
--- a/rules/sql.go
+++ b/rules/sql.go
@@ -282,7 +282,7 @@ func NewSQLStrFormat(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
 noIssueQuoted: gosec.NewCallList(),
 sqlStatement: sqlStatement{
 patterns: []*regexp.Regexp{
- regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE) "),
+ regexp.MustCompile("(?i)(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)( |\n|\r|\t)"),
 regexp.MustCompile("%[^bdoxXfFp]"),
 },
 MetaData: gosec.MetaData{
diff --git a/testutils/source.go b/testutils/source.go
index 717fab5..106d8a2 100644
--- a/testutils/source.go
+++ b/testutils/source.go
@@ -1168,7 +1168,28 @@ import (
 
 func main(){
 fmt.Sprintln()
-}`}, 0, gosec.NewConfig()},
+}`}, 0, gosec.NewConfig()}, {[]string{`
+// Format string with \n\r
+package main
+
+import (
+ "database/sql"
+ "fmt"
+ "os"
+)
+
+func main(){
+ db, err := sql.Open("sqlite3", ":memory:")
+ if err != nil {
+ panic(err)
+ }
+ q := fmt.Sprintf("SELECT * FROM foo where\n name = '%s'", os.Args[1])
+ rows, err := db.Query(q)
+ if err != nil {
+ panic(err)
+ }
+ defer rows.Close()
+}`}, 1, gosec.NewConfig()},
 }
 
 // SampleCodeG202 - SQL query string building via string concatenation
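Review bot: The new alternation `( |\n|\r|\t)` on the rules/sql.go line is a hand-rolled whitespace class spelled with Go escape sequences, so the regexp receives raw newline/CR/tab bytes and still does not match a form feed; the RE2 class `\s` in a raw-string literal expresses the same intent more clearly and covers that case too. The keyword group also still has no left boundary, so a keyword that merely ends a longer word (`ELSEWHERE `, `ANYWHERE `) satisfies this pattern just as it did before; if sqlStatement requires every pattern to match, that is a false-positive source the change leaves in place. Both points are addressed by changing the line to a raw string holding `(?i)\b(SELECT|DELETE|INSERT|UPDATE|INTO|FROM|WHERE)\s`. NewSQLStrFormat starts and ends outside the hunk.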
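Review bot: The new fixture's header comment `// Format string with \n\r` promises a carriage return, but the only separator the sample exercises is the `\n` inside the `fmt.Sprintf` argument, so the `\r` and `\t` alternatives added to the rule in rules/sql.go have no coverage from this test data. Either shorten the comment to `// Format string with \n` or add sibling entries whose query contains `where\r` and `where\t`, each with the same expected issue count of 1. The slice literal this entry extends begins outside the hunk.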