stripe-archive / safesql

Static analysis tool for Golang that protects against SQL injections
MIT License
562 stars, 47 forks

Ability to override SafeSQL to prevent false positives #1

Closed rmulley closed 5 years ago

rmulley commented 9 years ago

I propose adding functionality to allow the programmer to override the analysis done by SafeSQL to help avoid false positives. Specifically, I have an offending line such as:

```go
stmt, err = dbh.Prepare(query)
```

That is actually safe, I'd like to be able to provide a comment right above the line that tells SafeSQL to ignore the error. Perhaps something similar to the build-tag syntax such as:

```go
// +safesql ignore
stmt, err = dbh.Prepare(query)
```

ian-axelrod commented 7 years ago

I am surprised that there is no way to ignore false positives, and I am astounded that this issue is unresolved after two years. I was going to integrate safesql into my CI process, but could not because it flagged safe queries as false positives and gave me no way to ignore them.

codyl-stripe commented 5 years ago

Hey @rmulley, @ian-axelrod I have just merged the ability to ignore false positives by adding the following comment:

```go
//nolint:safesql
```
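As an added example (not code from the thread or from the safesql project), the following shows the kind of false positive the thread is about and how the suppression comment fits in. The query text handed to `Prepare` is not a compile-time constant, which is what a constant-string checker objects to, but the only non-constant part is a column identifier that cannot be bound as a parameter and is therefore validated against an allowlist before it is spliced in; the status value itself is bound as `$1`. The table and column names, the `$1` placeholder style, and the placement of `//nolint:safesql` on the flagged line are assumptions for illustration; consult the project's README for the exact convention it expects.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
)

// Constructed allowlist of sort columns a caller may request (hypothetical
// names). Only these identifiers can ever reach the SQL text, so the query
// stays safe even though it is not a single string constant.
var allowedSortColumns = map[string]bool{
	"created_at": true,
	"email":      true,
	"id":         true,
}

// ErrBadSortColumn is returned when the requested column is not allowlisted.
var ErrBadSortColumn = errors.New("sort column not in allowlist")

// buildUserQuery returns SQL that selects users of one status ordered by
// sortCol. The status value is passed as a bind parameter ($1); only the
// column identifier, which cannot be parameterised, is spliced into the
// text, and only after it has passed the allowlist check.
func buildUserQuery(sortCol string) (string, error) {
	if !allowedSortColumns[sortCol] {
		return "", ErrBadSortColumn
	}
	return fmt.Sprintf("SELECT id, email FROM users WHERE status = $1 ORDER BY %s", sortCol), nil
}

// prepareUserQuery is the line a constant-string checker would flag: the
// argument to Prepare is computed at run time. Every non-constant part has
// been allowlisted above, so the finding is a false positive and the line
// is marked for the linter to skip. (Placing the comment on the flagged
// line is an assumption; the thread only gives the comment text.)
func prepareUserQuery(db *sql.DB, sortCol string) (*sql.Stmt, error) {
	q, err := buildUserQuery(sortCol)
	if err != nil {
		return nil, err
	}
	return db.Prepare(q) //nolint:safesql
}

func main() {
	// Constructed inputs: one allowlisted column and one hostile string.
	for _, col := range []string{"email", "id; DROP TABLE users"} {
		q, err := buildUserQuery(col)
		fmt.Printf("%q -> %q (err: %v)\n", col, q, err)
	}
}
```

The suppression is only justified because the allowlist bounds what can reach the query text; a suppression on a `Prepare` call whose argument is built from unchecked input would simply hide a real injection, which is why reviewers should treat each `//nolint:safesql` as something to read, not skip.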