
Does not flag potential injection if entire query is user-submitted #988

Open
audunmo opened this issue Jul 21, 2023 · 1 comment


audunmo commented Jul 21, 2023

Summary

If the entire query is user-submitted, gosec doesn't flag it as a potential injection point.

Steps to reproduce the behavior

With the following code:

```go
package main

import (
	"context"
	"database/sql"
	"os"
)

func main() {
	// A sqlite3 driver must be registered (blank import) for this to run;
	// gosec only needs the file to parse, so none is imported here.
	db, err := sql.Open("sqlite3", ":memory:")
	if err != nil {
		panic(err)
	}

	_, err = db.Conn(context.Background())
	if err != nil {
		panic(err)
	}
	// The whole query text comes straight from the command line.
	_, err = db.Query(os.Args[0])
	if err != nil {
		panic(err)
	}
}
```

Run gosec and you'll get the following output:

```
Summary:
  Gosec  : dev
  Files  : 1
  Lines  : 23
  Nosec  : 0
  Issues : 0
```

gosec version

dev. Clean-installed via `go install github.com/securego/gosec/v2/cmd/gosec@latest`

Go version (output of 'go version')

```
go version go1.20.3 darwin/amd64
```

Operating system / Environment

macOS 13.3, MacBook Pro 16in, intel i9

Expected behavior

gosec should flag that this is a potential injection

Actual behavior

gosec doesn't find any issues
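A minimal AST walk that catches the pattern reported above, added here as an example that is not gosec's own rule and not code from the issue: it flags `database/sql` `Query`/`QueryRow`/`Exec` calls whose query argument is not a compile-time string constant, so a call whose entire query is user-supplied (like `db.Query(os.Args[0])`) is reported while a constant query with bound parameters is not. The `sample` source and the `FindNonConstQueries`/`isConstString` names are constructed for this example.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample modelled on the reproducer in the issue (not the page's own code).
const sample = `package main
import ("database/sql"; "os")
func main() {
	db, _ := sql.Open("sqlite3", ":memory:")
	_, _ = db.Query(os.Args[0])                          // line 5: whole query is user input
	_, _ = db.Query("SELECT 1 WHERE id = ?", os.Args[1]) // line 6: constant query, bound argument
}`

// isConstString reports whether e is a string literal or a concatenation of literals.
func isConstString(e ast.Expr) bool {
	switch v := e.(type) {
	case *ast.BasicLit:
		return v.Kind == token.STRING
	case *ast.BinaryExpr:
		return v.Op == token.ADD && isConstString(v.X) && isConstString(v.Y)
	}
	return false
}

// FindNonConstQueries returns the line numbers of Query/QueryRow/Exec calls whose
// query argument is not a string constant (hypothetical detector, not gosec's rule).
func FindNonConstQueries(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		name := ""
		if ok {
			name = sel.Sel.Name
		}
		if (name == "Query" || name == "QueryRow" || name == "Exec") && len(call.Args) > 0 && !isConstString(call.Args[0]) {
			lines = append(lines, fset.Position(call.Pos()).Line)
		}
		return true
	})
	return lines, nil
}
```

This is purely syntactic: a query built at runtime from constants and stored in a variable would also be flagged, which is the usual trade-off for a fast, no-type-information check.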


audunmo commented Jul 24, 2023

Fixing this issue will require creating a new SQL injection rule, and following the current scheme it should be numbered as G205. It's a bit awkward to add one that's so "far" down the list, when the existing rules are G201 and G202 for SQL injections.

If you're open to it @ccojocar, I'd like to merge G201 and G202, and have just a single "SQL injection" rule before attempting to fix this. I'll open up a separate issue for that, so that we can keep the conversations separate.
