stripe-archive / safesql

Static analysis tool for Golang that protects against SQL injections
MIT License

Extraneous output #12

Open briansorahan opened 7 years ago

briansorahan commented 7 years ago

Using this tool for the very first time, I was curious why the output is so verbose. Here is what I see:

Found 3 potentially unsafe SQL statements:
<LIST OF FILES WITH PROBLEMS>
Please ensure that all SQL queries you use are compile-time constants.
You should always use parameterized queries or prepared statements
instead of building queries from strings.

Do we gain anything from all the extra output or could we just output a list of problematic files? I'd be happy to open a PR if y'all think we should trim down the output.

I think the informational lines would be more appropriate in the output of safesql -h. What do you think?

melvinsh commented 6 years ago

I think saying "You're safe from SQL injection! Yay \o/" is also a really bad idea because this tool cannot guarantee that.