https://github.com/houqp/sqlvet
Go fearless SQL. Sqlvet performs static analysis on raw SQL queries in your Go code base.
- Host: GitHub
- URL: https://github.com/houqp/sqlvet
- Owner: houqp
- License: mit
- Created: 2019-12-18T00:14:36.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2024-09-17T06:16:33.000Z (4 months ago)
- Last Synced: 2025-01-11T10:06:49.898Z (12 days ago)
- Topics: golang, linter, security, sql, static-analysis
- Language: Go
- Homepage:
- Size: 114 KB
- Stars: 492
- Watchers: 9
- Forks: 25
- Open Issues: 9
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# Sqlvet
[![goreportcard](https://goreportcard.com/badge/github.com/houqp/sqlvet)](https://goreportcard.com/report/github.com/houqp/sqlvet)
[![codecov](https://codecov.io/gh/houqp/sqlvet/branch/master/graphs/badge.svg?branch=master)](https://codecov.io/gh/houqp/sqlvet)
[![build-status](https://github.com/houqp/sqlvet/workflows/build/badge.svg)](https://github.com/houqp/sqlvet/actions)

Sqlvet performs static analysis on raw SQL queries in your Go code base to
surface potential runtime errors at build time.

Feature highlights:

* Check for SQL syntax errors
* Identify unsafe queries that could potentially lead to SQL injections
* For INSERT statements, make sure column count matches value count
* Validate table names
* Validate column names

TODO:

* Validate query function argument count and types
* Support MySQL syntax
* Type check value list in UPDATE query
* Trace wrapper function call

## Usage
### Installation
Go earlier than 1.18:
```sh
$ go get github.com/houqp/sqlvet
```

Go 1.18 or later:
```sh
$ go install github.com/houqp/sqlvet@latest
```

### Zero conf
Sqlvet should work out of the box for any Go project using Go modules:
```
$ sqlvet .
[!] No schema specified, will run without table and column validation.
Checked 10 SQL queries.
🎉 Everything is awesome!
```

Note: unreachable code will be skipped.
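
To illustrate the unsafe-query check from the feature highlights, the following added example (not code from sqlvet or its README) contrasts a query built with `fmt.Sprintf` against a constant query with a placeholder. The `recorder` type and the `title` column are assumptions made so it runs without a database.

```go
package main

import "fmt"

// recorder is a stand-in for a database handle (hypothetical, so the example
// runs offline): it keeps the SQL text and bound arguments it was given.
type recorder struct {
	sql  string
	args []any
}

func (r *recorder) Query(query string, args ...any) { r.sql, r.args = query, args }

// findUnsafe formats caller input into the SQL text, so the statement is only
// known at run time and cannot be validated ahead of time.
// The `title` column is an assumption for this example.
func findUnsafe(db *recorder, title string) {
	db.Query(fmt.Sprintf("SELECT id FROM incident WHERE title = '%s'", title))
}

// findSafe sends a constant statement; input travels only as the $1 argument.
func findSafe(db *recorder, title string) {
	db.Query("SELECT id FROM incident WHERE title = $1", title)
}

// sameStatement reports whether two different inputs yield identical SQL text.
func sameStatement(find func(*recorder, string), a, b string) bool {
	var ra, rb recorder
	find(&ra, a)
	find(&rb, b)
	return ra.sql == rb.sql
}

func main() {
	// Constructed inputs: a plain value and one carrying SQL syntax.
	plain, crafted := "outage", "x' OR '1'='1"
	for name, find := range map[string]func(*recorder, string){
		"Sprintf": findUnsafe, "placeholder": findSafe,
	} {
		var r recorder
		find(&r, crafted)
		fmt.Printf("%-11s fixed=%v\n  sql:  %s\n  args: %q\n",
			name, sameStatement(find, plain, crafted), r.sql, r.args)
	}
}
```

Only the placeholder form keeps the statement text constant, which is what lets a build-time tool check its syntax, tables and columns.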
### Schema validation
To enable more in-depth analysis, create a `sqlvet.toml` config file at the
root of your project and specify the path to a database schema file:

```
$ cat ./sqlvet.toml
schema_path = "schema/full_schema.sql"

$ sqlvet .
Loaded DB schema from schema/full_schema.sql
table alembic_version with 1 columns
table incident with 13 columns
table usr with 4 columns
Exec @ ./pkg/incident.go:75:19
UPDATE incident SET oops = $1 WHERE id = $2
ERROR: column `oops` is not defined in table `incident`
Checked 10 SQL queries.
Identified 1 errors.
```

### Custom query functions and libraries
By default, sqlvet checks all calls to query functions in the `database/sql`,
`github.com/jmoiron/sqlx`, `github.com/jinzhu/gorm` and `go-gorp/gorp`
libraries. You can, however, configure it to white-list arbitrary query
functions as shown below:

```toml
[[sqlfunc_matchers]]
pkg_path = "github.com/mattermost/gorp"
[[sqlfunc_matchers.rules]]
query_arg_name = "query"
query_arg_pos = 0
[[sqlfunc_matchers.rules]]
query_arg_name = "sql"
query_arg_pos = 0
```

The above config tells sqlvet to analyze any function/method from the
`github.com/mattermost/gorp` package whose first parameter is named either
`query` or `sql`.

You can also match query functions by name:
```toml
[[sqlfunc_matchers]]
pkg_path = "github.com/jmoiron/sqlx"
[[sqlfunc_matchers.rules]]
func_name = "NamedExecContext"
query_arg_pos = 1
```

The above config tells sqlvet to analyze the second parameter of any
function/method named `NamedExecContext` in the `github.com/jmoiron/sqlx` package.

### Ignore false positives
To skip a false positive, annotate the relevant line with a `sqlvet: ignore`
comment:

```go
func foo() {
	Db.Query(fmt.Sprintf("SELECT %s", "1")) // sqlvet: ignore
}
```

## Acknowledgements
Sqlvet was inspired by [safesql](https://github.com/stripe/safesql) and
[sqlc](https://github.com/kyleconroy/sqlc).