dominikh / go-tools

Staticcheck - The advanced Go linter
https://staticcheck.dev
MIT License
6.18k stars 377 forks

staticcheck: detect uses of fmt.Sprintf for URL-like values #730

Open ainar-g opened 4 years ago

ainar-g commented 4 years ago

Not sure about the universality on this one, but filing just in case. Also not sure if it's more of a staticcheck or a stylecheck.

var requrl = fmt.Sprintf("http://%s/api/v1/users/%s/comments?q=%s", host, userUUID, query)

This is probably not the best way to create a URL. While the host part may be considered “acceptable”, the query part just looks like bad code to me. Best case scenario: this leads to occasional errors because of bad URLs. Worst case scenario: data leakage due to under-validated parameters.

I think that this would be much better with *url.URL, url.Values, and path.Join.
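To make the proposal concrete, here is an added example (not code from the issue or from staticcheck itself) that places the issue's Sprintf pattern beside a net/url version and sketches a purely syntactic detector for the pattern. The helper names, the host example.test, and the sample source fed to the detector are assumptions made for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"net/url"
	"strconv"
	"strings"
)

// sprintfURL is the pattern from the issue, kept for comparison. Nothing is
// escaped, so a query value containing "&x=1" injects a second parameter.
func sprintfURL(host, userUUID, query string) string {
	return fmt.Sprintf("http://%s/api/v1/users/%s/comments?q=%s", host, userUUID, query)
}

// buildCommentsURL (hypothetical helper) builds the same URL with net/url:
// the user ID becomes one escaped path segment, the query goes through url.Values.
func buildCommentsURL(host, userUUID, query string) (string, error) {
	// path.Join would silently collapse a user ID of ".." into a different
	// endpoint, so dot segments are rejected rather than cleaned.
	if userUUID == "" || userUUID == "." || userUUID == ".." {
		return "", fmt.Errorf("invalid user id %q", userUUID)
	}
	u := url.URL{
		Scheme: "http",
		Host:   host,
		// Path holds the decoded form, RawPath the encoded form; String()
		// emits RawPath as long as it decodes back to Path.
		Path:    "/api/v1/users/" + userUUID + "/comments",
		RawPath: "/api/v1/users/" + url.PathEscape(userUUID) + "/comments",
	}
	q := url.Values{}
	q.Set("q", query)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// findSprintfURLs parses Go source and returns the line numbers of fmt.Sprintf
// calls whose format string literal starts with http:// or https://.
func findSprintfURLs(filename, src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || sel.Sel.Name != "Sprintf" {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok || pkg.Name != "fmt" {
			return true
		}
		lit, ok := call.Args[0].(*ast.BasicLit)
		if !ok || lit.Kind != token.STRING {
			return true
		}
		format, err := strconv.Unquote(lit.Value)
		if err != nil {
			return true
		}
		lower := strings.ToLower(format)
		if strings.HasPrefix(lower, "http://") || strings.HasPrefix(lower, "https://") {
			lines = append(lines, fset.Position(call.Pos()).Line)
		}
		return true
	})
	return lines, nil
}

// sample is constructed input for the detector, not code from the issue.
const sample = `package p

import "fmt"

func f(host, id, q string) string {
	a := fmt.Sprintf("http://%s/api/v1/users/%s/comments?q=%s", host, id, q)
	b := fmt.Sprintf("%d items", 3)
	c := fmt.Sprintf("HTTPS://%s/login", host)
	return a + b + c
}
`

func main() {
	fmt.Println(sprintfURL("example.test", "5a8c", "needs space&x=1"))
	fmt.Println(buildCommentsURL("example.test", "5a8c", "needs space&x=1"))
	fmt.Println(findSprintfURLs("sample.go", sample))
}
```

The detector only matches the identifier `fmt` syntactically, so a renamed import or a shadowed `fmt` would escape it; a real staticcheck check would resolve the callee through type information from the analysis pass. Passing the filename in also lets a caller skip `_test.go` files if test code is to be ignored.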

seiyab commented 6 months ago

Should these be detected?

Maybe test code should be ignored.