Closed
Description
Summary
It seems that gosec (at least the latest version) only works with the standard sql package?
Steps to reproduce the behavior
By changing the code from the documentation to

```go
package main

import (
	"database/sql"

	"github.com/jmoiron/sqlx"
	// Assumed driver import so that sql.Open("sqlite3", ...) resolves; the
	// original snippet omitted it.
	_ "github.com/mattn/go-sqlite3"
)

var staticQuery = "SELECT * FROM foo WHERE age < "

func main() {
	db, err := sql.Open("sqlite3", ":memory:")
	if err != nil {
		panic(err)
	}
	// Wrap the database/sql handle in sqlx and issue the query through it.
	xdb := sqlx.NewDb(db, "sqlite3")
	var gender string = "M"
	// Deliberate string concatenation, kept as in the report: this is the
	// pattern gosec is expected to flag.
	rows, err := xdb.Query("SELECT * FROM foo WHERE gender = " + gender)
	if err != nil {
		panic(err)
	}
	defer rows.Close()
}
```
the summary returns

```
Summary:
Gosec : 2.21.4
Nosec : 0
Issues : 0
```

while when running the same Query against the db handle directly, it returns

```
Summary:
Gosec : 2.21.4
Nosec : 0
Issues : 1
```
gosec version
2.21.4
Go version (output of 'go version')
go version go1.23.1 darwin/arm64
Operating system / Environment
MacOS 14.6.1
Expected behavior
Gosec to find sql query issues when using libraries like sqlx or pgx for interacting with various dbs.
Actual behavior
Gosec reporting no issues when using libraries outside of the std lib sql pkg.
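To illustrate the receiver-agnostic check this report asks for, here is an added example (not gosec's own code): a minimal go/ast pass that flags Query-like method calls whose first argument is built with `+`, whether the receiver is a database/sql handle, an sqlx handle or anything else. The sample source and the method-name list are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
)

// Constructed sample: the sqlx call from the report next to its parameterized form.
const sample = `package main
func f(xdb interface{ Query(string, ...interface{}) error }, gender string) {
	xdb.Query("SELECT * FROM foo WHERE gender = " + gender)
	xdb.Query("SELECT * FROM foo WHERE gender = ?", gender)
}`

// Method names treated as query entry points (constructed list covering
// database/sql and common sqlx helpers); the receiver type is ignored.
var queryMethods = map[string]bool{
	"Query": true, "QueryRow": true, "Exec": true,
	"Queryx": true, "QueryRowx": true, "Get": true, "Select": true,
}

// findConcatQueries returns the source lines of query-method calls whose
// first argument is a string concatenation, the pattern gosec should report.
func findConcatQueries(src string) ([]int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var lines []int
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok || len(call.Args) == 0 {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || !queryMethods[sel.Sel.Name] {
			return true
		}
		// Only a top-level "a + b" first argument is flagged here; a real
		// analyzer would also follow variables that hold a concatenated query.
		if bin, ok := call.Args[0].(*ast.BinaryExpr); ok && bin.Op == token.ADD {
			lines = append(lines, fset.Position(call.Pos()).Line)
		}
		return true
	})
	return lines, nil
}

func main() {
	lines, err := findConcatQueries(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("concatenated query at lines:", lines) // prints [3]
}
```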