Description of the false positive
The warning is "Clear-text logging of sensitive information", but what is actually logged is the type of the variable which holds the information and not the information itself.
CodeQL correctly determines that a variable potentially holding a piece of sensitive information is referenced in a log.Fatalf() call, but it misses the fact that the reference is processed using a %T format specifier which will result in the log receiving the type of the data and not the value of the data:
apiKeyPair, ok := apiKeyPairAny.([]any)
if !ok {
	log.Fatalf("Error reading Cloudability API keypair, expected an array, found %T",
		apiKeyPairAny)
}
Possible workaround
I'm hoping that the following will suffice to work around the problem, but it's ugly and really shouldn't be necessary!
log.Fatalf("Error reading Cloudability API keypair, expected an array, found %v",
	reflect.TypeOf(apiKeyPairAny).String())
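To make the distinction concrete, the following is an added Go example (not code from this issue, from the reporter's project, or from CodeQL) that renders the same log message three ways: with %T as in the original code, with the reflect-based workaround, and with %v over the value itself, which is the genuine leak the query is meant to catch. The Cloudability key string is a constructed placeholder, and msgPrefix, typeName and leaksSecret are names chosen here for the example. It also covers one edge the workaround as posted does not: reflect.TypeOf(nil) returns a nil reflect.Type and calling String() on it panics, whereas %T prints "<nil>", so typeName guards that case to keep the two forms equivalent.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Constructed placeholder for a Cloudability API keypair that was decoded
// from config as a bare string instead of the expected []any.
const sampleSecret = "ck_0123456789abcdef:cs_fedcba9876543210"

const msgPrefix = "Error reading Cloudability API keypair, expected an array, found "

// formatTypeOnly renders the message the way the issue's original code does:
// %T substitutes the dynamic type of v, never its contents.
func formatTypeOnly(v any) string {
	return fmt.Sprintf(msgPrefix+"%T", v)
}

// typeName is a nil-safe version of the reflect-based workaround from the
// issue. reflect.TypeOf(nil) is a nil reflect.Type, and String() on it
// panics, while %T prints "<nil>"; the guard keeps both forms equivalent.
func typeName(v any) string {
	if t := reflect.TypeOf(v); t != nil {
		return t.String()
	}
	return "<nil>"
}

// formatWorkaround renders the message with %v over the type name, which is
// what the issue proposes to silence the CodeQL alert.
func formatWorkaround(v any) string {
	return fmt.Sprintf(msgPrefix+"%v", typeName(v))
}

// formatValue is what a genuine clear-text leak looks like: %v over the
// value itself. This is the pattern the CodeQL query is meant to catch.
func formatValue(v any) string {
	return fmt.Sprintf(msgPrefix+"%v", v)
}

// leaksSecret reports whether a rendered log line contains the secret.
func leaksSecret(msg, secret string) bool {
	return strings.Contains(msg, secret)
}

func main() {
	// Three shapes the mistyped config value might take: a string, a map
	// wrapping the string, and nil (the case that panics the raw workaround).
	for _, v := range []any{sampleSecret, map[string]any{"key": sampleSecret}, nil} {
		fmt.Printf("%%T:        %s\n", formatTypeOnly(v))
		fmt.Printf("reflect:   %s\n", formatWorkaround(v))
		fmt.Printf("%%v leaks:  %t\n\n", leaksSecret(formatValue(v), sampleSecret))
	}
}
```

Running it shows that the %T and reflect forms produce byte-identical messages containing only a type name such as "string" or "map[string]interface {}", and that the secret only appears in the log line when the value itself is passed to %v.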
Thanks for reporting this and thank you as well for sharing a workaround. That does look like a false positive to me. I'll see what it would take to get this fixed, and we will track this issue in any case. However, fixing false positives isn't a current product priority, so I cannot commit to how long it will take.