puppetlabs / puppet-lint

Check that your Puppet manifests conform to the style guide
https://puppetlabs.github.io/puppet-lint/
MIT License

False positive in check_unsafe_interpolations #145

Closed ekohl closed 1 year ago

ekohl commented 1 year ago

The newly added check_unsafe_interpolations gives false positives. If command is present, the title doesn't need to be validated. An example: https://github.com/voxpupuli/puppet-trusted_ca/blob/8f9ccc04a12ed3608131d9cb4d80d9d9ecffb380/manifests/ca.pp#L74-L81

Or simplified, this is being flagged as unsafe, but I don't see any problem with it:

exec { "validate ${filename}":
  command => ['openssl', 'x509', '-in', "${install_path}/${_name}", '-noout'],
}

Originally posted by @ekohl in https://github.com/puppetlabs/puppet-lint/issues/142#issuecomment-1694652627

parkr commented 1 year ago

I have a bunch of examples of this in my code. I always use command (which this has helped turn into arrays!) but I can't figure out a way to get the resource titles to pass check_unsafe_interpolations. I tried removing the interpolation, but every Exec must be unique and I use the pathname for that (since it varies by app). Example:

# For each hostname, generate ssl dhparam file
$ssl_dhparam_path = "${nginx::conf_dir}/ssl/${hostname}_dhparam.pem"

exec { "generate ${ssl_dhparam_path}": # FAILS check_unsafe_interpolations (false positive), but must be unique
    # PASSES check_unsafe_interpolations
    command   => ['/usr/bin/openssl', 'dhparam', '-dsaparam', '-out', $ssl_dhparam_path, 4096], 
    ...
}

/cc @GSPatton @david22swan
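
The rule the two comments above describe, sketched as an added Ruby example (not puppet-lint's code and not written by either poster): command is the exec namevar, so the title is only executed when command is absent, and an array command passes each element as a separate argument. The regex-based parsing, the verdict names and the sample manifest are assumptions constructed for illustration.

```ruby
# Added illustration, not puppet-lint's implementation. Regex heuristic only:
# assumes no comments or nested resources inside the exec body.
DQ     = /"(?:[^"\\]|\\.)*"/   # double-quoted Puppet string (interpolates)
SQ     = /'(?:[^'\\]|\\.)*'/   # single-quoted Puppet string (no interpolation)
INTERP = /\$\{?[\w:]/          # "$var" or "${var}"
EXEC   = /\bexec\s*\{\s*(?<title>#{DQ}|#{SQ})\s*:(?<body>(?:#{DQ}|#{SQ}|[^}"'])*)\}/m
CMD    = /\bcommand\s*=>\s*(\[.*?\]|#{DQ}|#{SQ}|\$[\w:]+)/m

# Returns [[title, verdict], ...] for every exec resource found.
#   :ok             nothing interpolated into a string that gets executed
#   :unsafe_title   no command given, so the interpolated title is the command
#   :unsafe_command command is a single interpolated string
#   :review         command is a bare variable; its type is not visible here
def classify_execs(manifest)
  interp = ->(s) { s.start_with?('"') && s.match?(INTERP) }
  manifest.scan(EXEC).map do |title, body|
    cmd = body[CMD, 1]
    verdict =
      if cmd.nil?                 then interp.(title) ? :unsafe_title : :ok
      elsif cmd.start_with?('[')  then :ok      # array form: title is only a label
      elsif cmd.start_with?('$')  then :review
      else interp.(cmd) ? :unsafe_command : :ok
      end
    [title[1..-2], verdict]
  end
end

# Constructed sample modelled on the snippets in this thread.
SAMPLE = <<~'PP'
  exec { "validate ${filename}":
    command => ['openssl', 'x509', '-in', "${install_path}/${_name}", '-noout'],
  }
  exec { "generate ${ssl_dhparam_path}":
    command => "/usr/bin/openssl dhparam -out ${ssl_dhparam_path} 4096",
  }
  exec { "/usr/bin/touch ${marker}":
    refreshonly => true,
  }
PP

classify_execs(SAMPLE).each { |title, verdict| puts format('%-16s %s', verdict, title) }
```

Only the third resource has its title executed; the first is the shape reported as a false positive in this issue.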

pmcmaw commented 1 year ago

Hey! :-) Closing as we have reverted the check, apologies for any inconvenience caused.