Go: Semgrep mistakes import's PackageName with a local variable
GrosQuildu opened this issue · comments
Describe the bug
If a local variable has the same name as an imported package, Semgrep mistakes the two. Please see the example issue below.
To Reproduce
https://semgrep.dev/playground/s/j203Y
```go
package main

import (
	testalias "fmt"
)

func main() {
	_, fmt := testalias.Println("Hello, 世界")
	if fmt != nil {
		testalias.Println(fmt)
	}
}
```
```yaml
rules:
  - id: python-fstring
    languages:
      - go
    severity: ERROR
    message: Potential `$FOO` nil dereference when `$BAR` is called
    patterns:
      - pattern: |
          $FOO.$BAR(...)
          ...
          if $FOO != nil { ... }
```
Expected behavior
I would expect no matches - `testalias.Println` is called, but a completely independent `fmt` variable is checked against nil.
With other name collisions Semgrep behaves as expected. See example here: https://semgrep.dev/playground/s/10e4w
```go
package main

import "fmt"

var x = 1

func main() {
	fmt.Println(x)
	x := 2
	fmt.Println(x, "x")
}
```
```yaml
rules:
  - id: python-fstring
    languages:
      - go
    severity: ERROR
    message: Matched $X
    patterns:
      - pattern: |
          fmt.Println($X)
          $X := ...
```
No matches. Semgrep figured out that the first `$X` in `Println` is different from the newly created variable.
What is the priority of the bug to you?
- P0: blocking your adoption of Semgrep or workflow
- P1: important to fix or quite annoying
- P2: regular bug that should get fixed
Use case
This bug causes a false positive with the Trail of Bits nil-check-after-call rule.
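As an added example (not part of this issue, and not Semgrep's or Trail of Bits' code), the following program shows what the Go type checker itself makes of the first snippet above: it resolves `testalias` in `testalias.Println` to an imported package name and the `fmt` in `if fmt != nil` to the local `error` variable, which is exactly the distinction the rule needs to avoid the false positive. To keep it runnable offline, the real `fmt` package is replaced by a constructed stub importer that declares only `Println` with fmt's signature; `IssueSnippet`, `IdentKinds` and `stubImporter` are names chosen here.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"sort"
)

// IssueSnippet is the program from the bug report, embedded as a string so the
// example is self-contained.
const IssueSnippet = `package main

import (
	testalias "fmt"
)

func main() {
	_, fmt := testalias.Println("Hello, 世界")
	if fmt != nil {
		testalias.Println(fmt)
	}
}
`

// stubImporter is a constructed stand-in for the real "fmt" package so that
// type checking works offline. It declares only Println with fmt's signature:
// func Println(a ...any) (n int, err error).
type stubImporter struct{}

func (stubImporter) Import(path string) (*types.Package, error) {
	if path != "fmt" {
		return nil, fmt.Errorf("stub importer: unknown package %q", path)
	}
	pkg := types.NewPackage("fmt", "fmt")
	anyT := types.Universe.Lookup("any").Type()
	errT := types.Universe.Lookup("error").Type()
	params := types.NewTuple(types.NewVar(token.NoPos, pkg, "a", types.NewSlice(anyT)))
	results := types.NewTuple(
		types.NewVar(token.NoPos, pkg, "n", types.Typ[types.Int]),
		types.NewVar(token.NoPos, pkg, "err", errT),
	)
	sig := types.NewSignatureType(nil, nil, nil, params, results, true)
	pkg.Scope().Insert(types.NewFunc(token.NoPos, pkg, "Println", sig))
	pkg.MarkComplete()
	return pkg, nil
}

// IdentKinds type-checks src and reports, for each identifier use that resolves
// to an imported package name or to a variable, which of the two it is.
// Keys are "name@line"; values are "package" or "variable". Definition sites
// (the fmt in `_, fmt := ...`) are not uses and therefore do not appear.
func IdentKinds(src string) (map[string]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "main.go", src, 0)
	if err != nil {
		return nil, err
	}
	info := &types.Info{Uses: map[*ast.Ident]types.Object{}}
	conf := types.Config{Importer: stubImporter{}}
	if _, err := conf.Check("main", fset, []*ast.File{file}, info); err != nil {
		return nil, err
	}
	kinds := map[string]string{}
	for id, obj := range info.Uses {
		key := fmt.Sprintf("%s@%d", id.Name, fset.Position(id.Pos()).Line)
		switch obj.(type) {
		case *types.PkgName:
			kinds[key] = "package"
		case *types.Var:
			kinds[key] = "variable"
		}
	}
	return kinds, nil
}

func main() {
	kinds, err := IdentKinds(IssueSnippet)
	if err != nil {
		panic(err)
	}
	keys := make([]string, 0, len(kinds))
	for k := range kinds {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-14s %s\n", k, kinds[k])
	}
}
```

Running it lists `testalias@8` and `testalias@10` as `package` and `fmt@9` and `fmt@10` as `variable`; a matcher that consults this resolution (rather than the bare identifier text) would not bind `$FOO` to both `testalias` and `fmt` in the rule above.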