{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.22.4","notifications":[{"id":"go/baseline/expected-extracted-files","name":"go/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"go/demo/sink","name":"go/demo/sink","shortDescription":{"text":"Sink identification"},"fullDescription":{"text":"Sink identification"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"description":"Sink identification","id":"go/demo/sink","kind":"problem","name":"Sink identification","problem.severity":"warning\n\n Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.\n Uses AST/semantic matching via resolved call target and argument position."}}]},"extensions":[{"name":"hohnlab/codeql-dataflow-sql-injection-go","semanticVersion":"0.0.1","locations":[{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/go-all","semanticVersion":"4.3.3+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/","description":{"text":"The QL pack root 
directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.30+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"go/baseline/expected-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform.","markdown":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform."},"level":"none","timeUtc":"2025-09-05T06:02:18.354356304Z","descriptor":{"id":"cli/platform","index":1},"properties":{"attributes":{"arch":"amd64","name":"Linux","version":"6.15.9-201.fc42.x86_64"},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}],"results":[{"ruleId":"go/demo/sink","ruleIndex":0,"rule":{"id":"go/demo/sink","index":0},"message":{"text":"Sink: 3rd argument to 
exec.Command"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":36,"startColumn":52,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"effc8e85b7721feb:1","primaryLocationStartColumnFingerprint":"47"}}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0"}}]}