
G107 fails if behind sanitize function, but not if manually outlined #321

Open
JAicewizard opened this issue May 26, 2019 · 1 comment

@JAicewizard

JAicewizard commented May 26, 2019

Summary

G107 fails if behind sanitize function, but not if function is manually outlined

Steps to reproduce the behavior

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
)

// Caller: the URL passes through sanitizeURL before reaching http.Get.
func fetch(url string) error {
	url, valid := sanitizeURL(url)
	if !valid {
		return errors.New("an invalid URL is provided")
	}
	resp, err := http.Get(url) // gosec reports G107 on this call
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return nil
}

// sanitizeURL rejects unparsable or host-less input and rewrites the scheme
// to https when one is present.
func sanitizeURL(URL string) (string, bool) {
	u, err := url.Parse(URL)
	if err != nil || u.Host == "" {
		return "", false
	}
	if u.Scheme != "" {
		u.Scheme = "https"
	}
	return u.String(), true
}
```

does result in G107 being thrown

```go
// Same logic with sanitizeURL inlined into the caller.
func fetchInlined(URL string) error {
	u, err := url.Parse(URL)
	if err != nil || u.Host == "" {
		return errors.New("an invalid URL is provided")
	}
	if u.Scheme != "" {
		u.Scheme = "https"
	}
	resp, err := http.Get(u.String()) // no G107 reported here
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return nil
}
```

does not throw G107

gosec version

latest(master)

Go version (output of 'go version')

1.12.4

Operating system / Environment

linux/amd64

Expected behavior

both should at least behave the same (I assume passing, since that's the inlined behavior)

Actual behavior

different behavior depending on if it is inlined

@JAicewizard JAicewizard changed the title G107 fails if behind sanitize function, but not if function i smanually outlined G107 fails if behind sanitize function, but not if manually outlined May 26, 2019
@gcmurphy
Member

I think what is happening here is G107 is trying to resolve the url variable to a known constant or basic literal. This mechanism is currently pretty basic and unable to ascertain the return value of sanitizeURL. As such it is treated as untrusted / tainted input.
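Since G107 exists to flag outbound requests whose destination is not a constant (the SSRF-style risk), the practical answer to a helper that gosec cannot see through is to make the helper itself strict enough that the finding can be reviewed and accepted. The following is an added example, not code from this issue or from the gosec project: an allowlist-based validator in Go. The `allowedHosts` map and the sample inputs are constructed for the example; `validateOutboundURL` is a hypothetical name.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist for this example; a real service
// would load it from configuration.
var allowedHosts = map[string]bool{
	"api.example.com": true,
	"cdn.example.com": true,
}

// validateOutboundURL accepts only absolute http(s) URLs whose host is on the
// allowlist and that carry no embedded credentials. It returns the normalised
// URL (upgraded to https) and whether the input was accepted.
func validateOutboundURL(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	// Relative references parse without error but have no scheme or host,
	// so an explicit scheme check is needed in addition to the error check.
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", false
	}
	// Hostname() strips any port; compare case-insensitively and exactly,
	// so "api.example.com.example.net" does not match "api.example.com".
	host := strings.ToLower(u.Hostname())
	if host == "" || !allowedHosts[host] {
		return "", false
	}
	// Reject userinfo: a URL with credentials in front of the host is hard
	// to review by eye and is never needed for these requests.
	if u.User != nil {
		return "", false
	}
	u.Scheme = "https"
	return u.String(), true
}

func main() {
	for _, raw := range []string{
		"http://api.example.com/v1?x=1",
		"https://api.example.com.example.net/",
		"api.example.com/v1",
		"https://user:pw@api.example.com/",
	} {
		clean, ok := validateOutboundURL(raw)
		fmt.Printf("%-40s accepted=%-5t -> %s\n", raw, ok, clean)
	}
}
```

As the comment above explains, G107 only resolves the argument to a constant or basic literal, so `http.Get` fed by this helper is still reported; the validator does not silence the rule, it makes the report reviewable. Once reviewed, gosec's `// #nosec G107` annotation on that call records the decision without disabling the rule elsewhere.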
