feat: add 12 new detection categories and auto-fix mode #2
Merged
Implements 8 major improvements for reducing false positives:
1. **Prepared statement detection** - Skips stmt.Exec() when using db.Prepare() pattern (idiomatic Go batch pattern)
2. **Transaction context awareness** - Lower severity for SQL in transactions since they batch at commit time
3. **Preallocation detection** - Tracks make([]T, 0, cap) to skip false positives for properly preallocated slices
4. **Bounded loop severity** - Small bounded loops (≤10 iterations) get lower severity since impact is limited
5. **Map-based optimization recognition** - Detects when nested loops use map lookups (O(1)) instead of linear search
6. **Intentional unbuffered channel detection** - Skips channels in select statements, signal patterns (done, quit, cancel), and chan struct{} (intentional synchronization)
7. **Call graph analysis** - New IndirectSQLInLoopRule detects when helper functions containing SQL are called in loops
8. **JSON encoder detection** - Recognizes json.Encoder/Decoder which cache reflection, vs json.Marshal/Unmarshal which don't
New rules added:
- indirect-sql-in-loop: Detect SQL in helper functions called from loops
- reflection-in-loop: Detect reflect.ValueOf/TypeOf in loops
- sync-pool-opportunity: Suggest sync.Pool for buffer allocations
All rules now have context-aware severity adjustment.
New detection rules:
- memory: pprof in hot paths, large struct copying, heap escape detection
- context: context.Background in handlers, missing timeouts, context leaks
- database: missing connection pool config, unlimited connections (SetMaxOpenConns(0))
- errors: fmt.Errorf in loops, error wrapping overhead
- time: time.Parse/LoadLocation/Format in loops
- interface: interface{} boxing in loops, variadic interface allocation
- http: missing MaxBytesReader, missing Body.Close, response buffering
- cache: regexp.MatchString in loops, JSON schema in loops
Enhanced existing rules:
- Expanded regex detection to catch MatchString/Match/ReplaceAll in loops
Auto-fix mode:
- New --fix flag to apply automatic fixes
- New --dry-run flag to preview fixes without applying
- New --format=diff for unified diff output
- Auto-fix support for: missing-body-close, context-leak
- Suggestion-only fixes for other rules
Benchmark suggestions:
- Detects functions with performance-sensitive patterns
- Generates benchmark scaffolding code
Total: 27 new detection rules across 12 categories
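As an added illustration of improvements 1 and 4 above (example code written for this page, not the project's own implementation): a go/ast walker that flags database/sql Exec*/Query* calls inside for/range loops, suppresses calls on a variable assigned from db.Prepare/PrepareContext, and lowers the severity when the literal loop bound, multiplied through nested loops, is at most 10. The names FindSQLInLoops, loopBound and Finding, the purely name-based matching (no type information), the assumption that counting loops start at 0, the 10-iteration threshold and the sample input are all assumptions of this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
	"strings"
)

// Finding is one database/sql round-trip (Exec*/Query*) executed inside a loop.
type Finding struct {
	Line                       int
	Receiver, Method, Severity string // Severity is "high", or "low" for nests bounded to <= smallLoopMax
}
const smallLoopMax = 10 // the PR's "<=10 iterations" threshold (value assumed here)

// loopBound returns N for `for i := 0; i < N; i++` with a literal N, else 0 (unbounded).
func loopBound(fs *ast.ForStmt) int {
	if be, ok := fs.Cond.(*ast.BinaryExpr); ok && be.Op == token.LSS {
		if lit, ok := be.Y.(*ast.BasicLit); ok && lit.Kind == token.INT {
			n, _ := strconv.Atoi(lit.Value)
			return n
		}
	}
	return 0
}

// FindSQLInLoops reports Exec*/Query* calls inside for/range loops. Calls on variables
// assigned from db.Prepare/PrepareContext are skipped (idiomatic batch pattern); nested
// literal bounds multiply, and one unbounded enclosing loop makes the whole nest unbounded.
func FindSQLInLoops(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "src.go", src, 0)
	if err != nil {
		return nil, err
	}
	prepared, out := map[string]bool{}, []Finding(nil)
	var scan func(n ast.Node, inLoop bool, bound int)
	scan = func(n ast.Node, inLoop bool, bound int) {
		ast.Inspect(n, func(c ast.Node) bool {
			switch x := c.(type) {
			case *ast.AssignStmt: // stmt, err := db.Prepare(...)
				if call, ok := x.Rhs[0].(*ast.CallExpr); ok && len(x.Rhs) == 1 {
					if sel, ok := call.Fun.(*ast.SelectorExpr); ok && strings.HasPrefix(sel.Sel.Name, "Prepare") {
						if id, ok := x.Lhs[0].(*ast.Ident); ok {
							prepared[id.Name] = true
						}
					}
				}
			case *ast.ForStmt:
				nb := loopBound(x)
				if inLoop {
					nb *= bound // becomes 0 once any enclosing loop is unbounded
				}
				scan(x.Body, true, nb)
				return false // body already scanned
			case *ast.RangeStmt:
				scan(x.Body, true, 0) // range length is unknown statically
				return false
			case *ast.CallExpr:
				sel, ok := x.Fun.(*ast.SelectorExpr)
				if !inLoop || !ok || !(strings.HasPrefix(sel.Sel.Name, "Exec") || strings.HasPrefix(sel.Sel.Name, "Query")) {
					return true
				}
				if recv, ok := sel.X.(*ast.Ident); ok && !prepared[recv.Name] {
					sev := "high"
					if bound > 0 && bound <= smallLoopMax {
						sev = "low"
					}
					out = append(out, Finding{fset.Position(x.Pos()).Line, recv.Name, sel.Sel.Name, sev})
				}
			}
			return true
		})
	}
	scan(f, false, 0)
	return out, nil
}

const sample = `package main // constructed sample input, not code from the project

func insertAll(db *sql.DB, rows []string) {
	stmt, _ := db.Prepare("INSERT INTO t(v) VALUES(?)")
	for _, r := range rows {
		stmt.Exec(r) // prepared statement: skipped
	}
	for _, r := range rows {
		db.Exec("INSERT INTO t(v) VALUES(?)", r) // high: unbounded range loop
	}
	for i := 0; i < 5; i++ {
		db.Query("SELECT 1") // low: bounded to 5 iterations
	}
}
`
func main() {
	findings, _ := FindSQLInLoops(sample) // error ignored: sample is known to parse
	fmt.Println(findings)
}
```

Matching on method names alone is what keeps this cheap, and it is also why the prepared-statement and bounded-loop checks matter: without them the stmt.Exec batch and the five-iteration loop would be reported at the same severity as the unbounded range loop.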
Summary
--fix and --dry-run flags
New Detection Categories
Auto-Fix Mode
Auto-fixable rules:
missing-body-close → defer resp.Body.Close()
context-leak → defer cancel()
Test plan
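The missing-body-close auto-fix, as an added example (written for this page, not the project's own fixer): an AST rewrite that inserts defer resp.Body.Close() for a response that is never closed in its function. The defer is placed after the if err != nil guard rather than directly after the call, because an *http.Response is nil when the call fails and deferring Body.Close before the check would panic at function exit. AddMissingBodyClose, responseVar, the name-based heuristic for which calls return a response, the restriction to statements at the top level of a function body, and the sample input are assumptions of this example.

```go
package main

import (
	"bytes"
	"fmt"
	"go/ast"
	"go/format"
	"go/parser"
	"go/token"
	"go/types"
	"strings"
)
// httpCalls: net/http call names whose first result is an *http.Response (untyped heuristic).
var httpCalls = map[string]bool{"Get": true, "Post": true, "Head": true, "PostForm": true, "Do": true}

// responseVar returns v for `v, err := x.Get(...)`-style short declarations, else "".
func responseVar(st ast.Stmt) string {
	as, ok := st.(*ast.AssignStmt)
	if !ok || as.Tok != token.DEFINE || len(as.Lhs) != 2 || len(as.Rhs) != 1 {
		return ""
	}
	id, isID := as.Lhs[0].(*ast.Ident)
	call, isCall := as.Rhs[0].(*ast.CallExpr)
	if !isID || !isCall || id.Name == "_" {
		return ""
	}
	if sel, ok := call.Fun.(*ast.SelectorExpr); ok && httpCalls[sel.Sel.Name] {
		return id.Name
	}
	return ""
}

// isErrCheck reports whether st is `if err != nil { ... }`.
func isErrCheck(st ast.Stmt) bool {
	ifs, ok := st.(*ast.IfStmt)
	return ok && types.ExprString(ifs.Cond) == "err != nil"
}

// closedBodies collects every v for which v.Body.Close() is called anywhere under n.
func closedBodies(n ast.Node) map[string]bool {
	closed := map[string]bool{}
	ast.Inspect(n, func(c ast.Node) bool {
		if call, ok := c.(*ast.CallExpr); ok {
			if s := types.ExprString(call.Fun); strings.HasSuffix(s, ".Body.Close") {
				closed[strings.TrimSuffix(s, ".Body.Close")] = true
			}
		}
		return true
	})
	return closed
}

// AddMissingBodyClose inserts `defer v.Body.Close()` for every response declared at the top
// level of a function body and never closed in that function. The defer goes after the
// `if err != nil` guard that follows the call: before it, v may be nil and Close would panic.
func AddMissingBodyClose(src string) (string, int, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "src.go", src, 0)
	if err != nil {
		return "", 0, err
	}
	fixes := 0
	for _, d := range f.Decls {
		fn, ok := d.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		closed, old, list := closedBodies(fn.Body), fn.Body.List, []ast.Stmt{}
		for i := 0; i < len(old); i++ {
			list = append(list, old[i])
			v := responseVar(old[i])
			if v == "" || closed[v] {
				continue
			}
			if i+1 < len(old) && isErrCheck(old[i+1]) {
				list, i = append(list, old[i+1]), i+1 // keep the guard before the defer
			}
			body := &ast.SelectorExpr{X: ast.NewIdent(v), Sel: ast.NewIdent("Body")}
			list = append(list, &ast.DeferStmt{Call: &ast.CallExpr{Fun: &ast.SelectorExpr{X: body, Sel: ast.NewIdent("Close")}}})
			closed[v], fixes = true, fixes+1
		}
		fn.Body.List = list
	}
	var buf bytes.Buffer
	err = format.Node(&buf, fset, f)
	return buf.String(), fixes, err
}
const sample = `package main // constructed sample input, not code from the project

func fetch(url string) (int, error) {
	resp, err := http.Get(url)
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, nil
}
`
func main() {
	out, n, _ := AddMissingBodyClose(sample) // error ignored: sample is known to parse
	fmt.Printf("%d fix(es)\n%s", n, out)
}
```

Because closedBodies is consulted before inserting, running the rewrite over already-fixed code makes no further change, which is the property a --fix mode needs so that repeated runs do not stack defers; a --dry-run style preview is the diff between the input and the returned source.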