# Sql0

> [!CAUTION]
> sql0 is currently not ready for use.

Sql0, pronounced "sql-zero", is a fork of the unmaintained SqlVet. It performs static analysis on the raw SQL queries in your Go code base to surface potential runtime errors at build time.
Feature highlights:

- Check for SQL syntax errors
- Identify unsafe queries that could potentially lead to SQL injection
- For INSERT statements, make sure the column count matches the value count
- Validate table names
- Validate column names
- golangci-lint support (read more)
- analysis.Analyzer integration (read more)
- Validate query function argument count and types
- Support MySQL syntax
- Type-check value lists in UPDATE queries
- Trace wrapper function calls

Supported OS:

- Linux
- Windows
- WSL (Windows)
- MacOS
## Usage

### Installation

Go versions below 1.18:

```sh
go get github.com/kunalsin9h/sql0
```

Go 1.18 or later:

```sh
go install github.com/kunalsin9h/sql0@latest
```
### Zero conf

Sql0 should work out of the box for any Go project using Go modules:

```
$ sql0 .
[!] No schema specified, will run without table and column validation.
Checked 10 SQL queries.
🎉 Everything is awesome!
```

Note: unreachable code will be skipped.
### Schema validation

To enable more in-depth analysis, create a `sql0.toml` config file at the root of your project and specify the path to a database schema file:

```
$ cat ./sql0.toml
schema_path = "schema/full_schema.sql"

$ sql0 .
Loaded DB schema from schema/full_schema.sql
table alembic_version with 1 columns
table incident with 13 columns
table usr with 4 columns

Exec @ ./pkg/incident.go:75:19
UPDATE incident SET oops = $1 WHERE id = $2
ERROR: column `oops` is not defined in table `incident`

Checked 10 SQL queries.
Identified 1 errors.
```
### Custom query functions and libraries

By default, sql0 checks all calls to query functions in the `database/sql`, `github.com/jmoiron/sqlx`, `github.com/jinzhu/gorm` and `go-gorp/gorp` libraries. You can, however, configure it to white-list arbitrary query functions like below:

```toml
[[sqlfunc_matchers]]
pkg_path = "github.com/mattermost/gorp"

[[sqlfunc_matchers.rules]]
query_arg_name = "query"
query_arg_pos = 0

[[sqlfunc_matchers.rules]]
query_arg_name = "sql"
query_arg_pos = 0
```

The above config tells sql0 to analyze any function/method from the `github.com/mattermost/gorp` package whose first parameter is named either `query` or `sql`.
You can also match query functions by name:

```toml
[[sqlfunc_matchers]]
pkg_path = "github.com/jmoiron/sqlx"

[[sqlfunc_matchers.rules]]
func_name = "NamedExecContext"
query_arg_pos = 1
```

The above config tells sql0 to analyze the second parameter of any function/method named `NamedExecContext` in the `github.com/jmoiron/sqlx` package.
### Ignore false positives

To skip a false positive, annotate the relevant line with a `sql0: ignore` comment:

```go
func foo() {
	Db.Query(fmt.Sprintf("SELECT %s", "1")) // sql0: ignore
}
```
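As an added example (not part of sql0 or SqlVet) of the unsafe-query check listed under the feature highlights and of the `sql0: ignore` annotation described above, here is a small `go/ast` pass that flags query calls whose SQL argument is not a compile-time string. The `Rule` type is a simplified stand-in for one `[[sqlfunc_matchers.rules]]` entry: it matches by function name and argument position only, because `pkg_path` and `query_arg_name` matching need type information this example does not load. `DefaultRules`, `ScanSource` and the embedded `sampleSrc` file are constructed for the example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Rule is a simplified stand-in for one [[sqlfunc_matchers.rules]] entry.
// Assumption: only func_name and query_arg_pos are modelled; pkg_path and
// query_arg_name need type information that a parse-only pass does not have.
type Rule struct {
	FuncName    string // name of the query function, e.g. "Query" or "NamedExecContext"
	QueryArgPos int    // zero-based position of the argument holding the SQL text
}

// DefaultRules approximates the database/sql methods checked out of the box (constructed).
var DefaultRules = []Rule{
	{FuncName: "Query", QueryArgPos: 0},
	{FuncName: "QueryRow", QueryArgPos: 0},
	{FuncName: "Exec", QueryArgPos: 0},
}

// Finding is one query call whose SQL text is not known at compile time.
type Finding struct {
	Pos    token.Position
	Reason string
}

// isConstString reports whether e is a string literal or a concatenation of string literals.
func isConstString(e ast.Expr) bool {
	switch v := e.(type) {
	case *ast.BasicLit:
		return v.Kind == token.STRING
	case *ast.ParenExpr:
		return isConstString(v.X)
	case *ast.BinaryExpr:
		return v.Op == token.ADD && isConstString(v.X) && isConstString(v.Y)
	}
	return false
}

// calleeName returns the bare function or method name of a call expression.
func calleeName(call *ast.CallExpr) string {
	switch fn := call.Fun.(type) {
	case *ast.Ident:
		return fn.Name
	case *ast.SelectorExpr:
		return fn.Sel.Name
	}
	return ""
}

// describe names the shape of a dynamic SQL argument for the report.
func describe(e ast.Expr) string {
	switch e.(type) {
	case *ast.CallExpr:
		return "SQL text comes from a function call"
	case *ast.BinaryExpr:
		return "SQL text is built by string concatenation"
	}
	return "SQL text is a non-constant expression"
}

// ScanSource parses one Go file and reports every rule-matched call whose SQL
// argument is built at runtime, skipping calls on lines carrying "sql0: ignore".
func ScanSource(src string, rules []Rule) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	// Collect the line numbers that carry the ignore annotation.
	ignored := map[int]bool{}
	for _, group := range file.Comments {
		for _, c := range group.List {
			if strings.Contains(c.Text, "sql0: ignore") {
				ignored[fset.Position(c.Pos()).Line] = true
			}
		}
	}
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		name := calleeName(call)
		for _, r := range rules {
			if r.FuncName != name || r.QueryArgPos >= len(call.Args) {
				continue
			}
			arg := call.Args[r.QueryArgPos]
			pos := fset.Position(call.Pos())
			if !isConstString(arg) && !ignored[pos.Line] {
				findings = append(findings, Finding{Pos: pos, Reason: describe(arg)})
			}
			break // at most one finding per call
		}
		return true
	})
	return findings, nil
}

// sampleSrc is a constructed Go file mixing parameterized queries with the patterns to flag.
const sampleSrc = `package demo

import (
	"database/sql"
	"fmt"
)

func lookup(db *sql.DB, name string) {
	db.Query("SELECT id FROM usr WHERE name = $1", name)
	db.Query("SELECT id FROM usr WHERE name = '" + name + "'")
	db.Exec(fmt.Sprintf("DELETE FROM usr WHERE id = %d", 7))
	db.Query(fmt.Sprintf("SELECT %s", "1")) // sql0: ignore
	db.QueryRow("SELECT 1")
}
`

func main() {
	findings, err := ScanSource(sampleSrc, DefaultRules)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d: %s\n", f.Pos.Filename, f.Pos.Line, f.Reason)
	}
}
```

Running it reports the concatenated query on line 10 and the `Sprintf`-built query on line 11 of the sample, while the parameterized queries pass and the annotated call on line 12 is skipped. A real checker such as sql0 goes further by resolving the callee's package and parameter names through type information, which is what the `pkg_path` and `query_arg_name` settings above rely on.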
## Acknowledgements

Sql0 was inspired by safesql and sqlc.