
houqp / Sqlvet

License: MIT
Go fearless SQL. Sqlvet performs static analysis on raw SQL queries in your Go code base.


Projects that are alternatives of or similar to Sqlvet

Goreporter
A Golang tool that does static analysis, unit testing, code review and generate code quality report.
Stars: ✭ 2,943 (+617.8%)
Mutual labels:  static-analysis, linter
Pytype
A static type analyzer for Python code
Stars: ✭ 3,545 (+764.63%)
Mutual labels:  static-analysis, linter
Wotan
Pluggable TypeScript and JavaScript linter
Stars: ✭ 271 (-33.9%)
Mutual labels:  static-analysis, linter
Go Ruleguard
Define and run pattern-based custom linting rules.
Stars: ✭ 402 (-1.95%)
Mutual labels:  static-analysis, linter
Exakat
The Exakat Engine : smart static analysis for PHP
Stars: ✭ 346 (-15.61%)
Mutual labels:  static-analysis, linter
automutate
Applies waves of mutations provided by other tools, such as linters or codemods.
Stars: ✭ 13 (-96.83%)
Mutual labels:  linter, static-analysis
Reviewdog
🐶 Automated code review tool integrated with any code analysis tools regardless of programming language
Stars: ✭ 4,541 (+1007.56%)
Mutual labels:  static-analysis, linter
pahout
A pair programming partner for writing better PHP. Pahout means PHP mahout 🐘
Stars: ✭ 43 (-89.51%)
Mutual labels:  linter, static-analysis
Pmd
An extensible multilanguage static code analyzer.
Stars: ✭ 3,667 (+794.39%)
Mutual labels:  static-analysis, linter
Dlint
Dlint is a tool for encouraging best coding practices and helping ensure we're writing secure Python code.
Stars: ✭ 320 (-21.95%)
Mutual labels:  static-analysis, linter
addlint
An example linter written with go/analysis for tutorial purposes
Stars: ✭ 49 (-88.05%)
Mutual labels:  linter, static-analysis
Go Tools
Staticcheck - The advanced Go linter
Stars: ✭ 4,317 (+952.93%)
Mutual labels:  static-analysis, linter
illuaminate
Very WIP static analysis for Lua
Stars: ✭ 21 (-94.88%)
Mutual labels:  linter, static-analysis
unimport
A linter, formatter for finding and removing unused import statements.
Stars: ✭ 119 (-70.98%)
Mutual labels:  linter, static-analysis
golintui
A simple terminal UI for Go linters
Stars: ✭ 73 (-82.2%)
Mutual labels:  linter, static-analysis
Linter
Static Analysis Compiler Plugin for Scala
Stars: ✭ 273 (-33.41%)
Mutual labels:  static-analysis, linter
codeclimate-eslint
Code Climate Engine for ESLint
Stars: ✭ 86 (-79.02%)
Mutual labels:  linter, static-analysis
static-code-analysis-plugin
A plugin to simplify Static Code Analysis on Gradle. Not restricted to, but specially useful, in Android projects, by making sure all analysis can access the SDK classes.
Stars: ✭ 36 (-91.22%)
Mutual labels:  linter, static-analysis
Pylint
It's not just a linter that annoys you!
Stars: ✭ 3,733 (+810.49%)
Mutual labels:  static-analysis, linter
Detekt
Static code analysis for Kotlin
Stars: ✭ 4,169 (+916.83%)
Mutual labels:  linter, static-analysis

Sqlvet


Sqlvet performs static analysis on raw SQL queries in your Go code base to surface potential runtime errors at build time.

Feature highlights:

  • Check for SQL syntax errors
  • Identify unsafe queries that could potentially lead to SQL injection
  • For INSERT statements, make sure the column count matches the value count
  • Validate table names
  • Validate column names

TODO:

  • Validate query function argument count and types
  • Support MySQL syntax
  • Type check value list in UPDATE query
  • Trace wrapper function call

Usage

Installation

$ go get github.com/houqp/sqlvet

Zero conf

Sqlvet should work out of the box for any Go project that uses Go modules:

$ sqlvet .
[!] No schema specified, will run without table and column validation.
Checked 10 SQL queries.
🎉 Everything is awesome!

Note: unreachable code will be skipped.

Schema validation

To enable more in-depth analysis, create a sqlvet.toml config file at the root of your project and specify the path to a database schema file:

$ cat ./sqlvet.toml
schema_path = "schema/full_schema.sql"

$ sqlvet .
Loaded DB schema from schema/full_schema.sql
        table alembic_version with 1 columns
        table incident with 13 columns
        table usr with 4 columns
Exec @ ./pkg/incident.go:75:19
        UPDATE incident SET oops = $1 WHERE id = $2

        ERROR: column `oops` is not defined in table `incident`

Checked 10 SQL queries.
Identified 1 errors.
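The table and column validation described in the feature list and in the schema-validation run above can be followed end to end in a small self-contained checker. This is an added example written for this page, not sqlvet's own code: sqlvet parses real SQL, whereas this toy uses regular expressions and only understands simple single-table INSERT, UPDATE and SELECT statements. The schema text is constructed for the example and stands in for schema/full_schema.sql, and the Schema, LoadSchema and ValidateQuery names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Schema maps a lower-cased table name to the set of its lower-cased columns.
type Schema map[string]map[string]bool

// Toy patterns for this example: only simple single-table statements are understood.
var (
	reCreate = regexp.MustCompile(`(?is)CREATE\s+TABLE\s+(\w+)\s*\((.*?)\)\s*;`)
	reInsert = regexp.MustCompile(`(?is)^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)`)
	reUpdate = regexp.MustCompile(`(?is)^\s*UPDATE\s+(\w+)\s+SET\s+(.*?)(?:\s+WHERE\s+(.*))?\s*$`)
	reSelect = regexp.MustCompile(`(?is)^\s*SELECT\s+(.*?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.*))?\s*$`)
)

// LoadSchema extracts table and column names from CREATE TABLE statements,
// skipping table-level constraints that appear inside the column list.
func LoadSchema(ddl string) Schema {
	s := Schema{}
	for _, m := range reCreate.FindAllStringSubmatch(ddl, -1) {
		cols := map[string]bool{}
		for _, def := range strings.Split(m[2], ",") {
			if fields := strings.Fields(def); len(fields) > 0 {
				name := strings.ToLower(fields[0])
				if name != "primary" && name != "unique" && name != "constraint" && name != "foreign" {
					cols[name] = true
				}
			}
		}
		s[strings.ToLower(m[1])] = cols
	}
	return s
}

// splitList splits a comma-separated SQL list and trims each item.
func splitList(list string) []string {
	var out []string
	for _, item := range strings.Split(list, ",") {
		if item = strings.TrimSpace(item); item != "" {
			out = append(out, item)
		}
	}
	return out
}

// ValidateQuery checks one statement against the schema and returns the
// problems found, worded like the sqlvet output shown above.
func ValidateQuery(s Schema, q string) []string {
	var errs []string
	check := func(table string, cols []string) {
		table = strings.ToLower(table)
		known, ok := s[table]
		if !ok {
			errs = append(errs, fmt.Sprintf("table `%s` is not defined", table))
			return
		}
		for _, c := range cols {
			if c = strings.ToLower(strings.TrimSpace(c)); c != "*" && !known[c] {
				errs = append(errs, fmt.Sprintf("column `%s` is not defined in table `%s`", c, table))
			}
		}
	}
	if m := reInsert.FindStringSubmatch(q); m != nil {
		cols, vals := splitList(m[2]), splitList(m[3])
		if len(cols) != len(vals) { // the INSERT column/value count check from the feature list
			errs = append(errs, fmt.Sprintf("INSERT has %d columns but %d values", len(cols), len(vals)))
		}
		check(m[1], cols)
	} else if m := reUpdate.FindStringSubmatch(q); m != nil {
		var cols []string
		for _, assign := range splitList(m[2]) { // "col = expr" pairs from the SET list
			cols = append(cols, strings.SplitN(assign, "=", 2)[0])
		}
		check(m[1], cols)
	} else if m := reSelect.FindStringSubmatch(q); m != nil {
		check(m[2], splitList(m[1]))
	} else {
		errs = append(errs, "unsupported statement")
	}
	return errs
}

// sampleSchema is constructed input standing in for a real schema/full_schema.sql.
const sampleSchema = `
CREATE TABLE usr (id serial PRIMARY KEY, name text NOT NULL, email text, created_at timestamp);
CREATE TABLE incident (id serial PRIMARY KEY, usr_id integer NOT NULL, status text);
`

func main() {
	s := LoadSchema(sampleSchema)
	for _, q := range []string{
		"INSERT INTO usr (name, email, created_at) VALUES ($1, $2)",
		"UPDATE incident SET oops = $1 WHERE id = $2",
		"SELECT id, name FROM user WHERE email = $1",
	} {
		fmt.Printf("%s\n  %v\n", q, ValidateQuery(s, q))
	}
}
```

Running it reports one problem per query in main: a column/value count mismatch for the INSERT, the same `oops` column error that sqlvet prints for the UPDATE above, and an unknown table `user` (the schema defines `usr`) for the SELECT. Typos in table and column names are exactly the class of mistake that otherwise only surfaces at runtime, which is why the README recommends pointing sqlvet at the real schema.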

Custom query functions and libraries

By default, sqlvet checks all calls to query functions in the database/sql, github.com/jmoiron/sqlx, github.com/jinzhu/gorm and go-gorp/gorp libraries. You can however configure it to white-list arbitrary query functions like below:

[[sqlfunc_matchers]]
  pkg_path = "github.com/mattermost/gorp"
  [[sqlfunc_matchers.rules]]
    query_arg_name = "query"
    query_arg_pos  = 0
  [[sqlfunc_matchers.rules]]
    query_arg_name = "sql"
    query_arg_pos  = 0

The above config tells sqlvet to analyze any function/method from github.com/mattermost/gorp package that has the first parameter named either query or sql.

You can also match query functions by names:

[[sqlfunc_matchers]]
  pkg_path = "github.com/jmoiron/sqlx"
  [[sqlfunc_matchers.rules]]
    func_name = "NamedExecContext"
    query_arg_pos  = 1

The above config tells sqlvet to analyze the second parameter of any function/method named NamedExecContext in github.com/jmoiron/sqlx package.

Ignore false positives

To skip a false positive, annotate the relevant line with a sqlvet: ignore comment:

func foo() {
    Db.Query(fmt.Sprintf("SELECT %s", "1")) // sqlvet: ignore
}
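To show what the unsafe-query check from the feature list, the matcher rules above (function name plus query argument position) and the sqlvet: ignore annotation amount to in practice, here is an added example written for this page with Go's go/ast package. It is not sqlvet's implementation: the Rule and Finding types, CheckSource, and the Go source it scans are all constructed for illustration. The rule it applies is the simplest useful one: the SQL argument of a matched call must be a compile-time constant string; anything assembled at runtime (concatenation with a variable, fmt.Sprintf) is reported, and a line carrying a sqlvet: ignore comment is skipped.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Rule mirrors the shape of a matcher rule from the config above: calls to a
// function or method with this name are query calls, and the argument at
// QueryArgPos carries the SQL text. (Hypothetical type, not sqlvet's.)
type Rule struct {
	FuncName    string
	QueryArgPos int
}

// DefaultRules covers database/sql style Query/Exec calls plus the
// NamedExecContext rule from the README (query text is the second argument).
var DefaultRules = []Rule{{"Query", 0}, {"Exec", 0}, {"NamedExecContext", 1}}

// Finding is one flagged call site.
type Finding struct {
	Pos    token.Position
	Func   string
	Reason string
}

// isConstString reports whether an expression is built purely from string
// literals (a literal, or literals joined with +). Anything else, such as a
// variable, concatenation with a variable or fmt.Sprintf, can carry untrusted
// input into the statement text and is reported.
func isConstString(e ast.Expr) bool {
	switch v := e.(type) {
	case *ast.BasicLit:
		return v.Kind == token.STRING
	case *ast.ParenExpr:
		return isConstString(v.X)
	case *ast.BinaryExpr:
		return v.Op == token.ADD && isConstString(v.X) && isConstString(v.Y)
	}
	return false
}

// calleeName returns the bare name of the called function or method.
func calleeName(fn ast.Expr) string {
	switch v := fn.(type) {
	case *ast.Ident:
		return v.Name
	case *ast.SelectorExpr:
		return v.Sel.Name
	}
	return ""
}

// CheckSource parses one Go file and reports every matching query call whose
// SQL argument is not a compile-time constant. A call on a line that carries a
// "sqlvet: ignore" comment is skipped, mirroring the README's escape hatch.
func CheckSource(src string, rules []Rule) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	ignored := map[int]bool{} // line numbers annotated with sqlvet: ignore
	for _, cg := range f.Comments {
		for _, c := range cg.List {
			if strings.Contains(c.Text, "sqlvet: ignore") {
				ignored[fset.Position(c.Pos()).Line] = true
			}
		}
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		name := calleeName(call.Fun)
		pos := fset.Position(call.Pos())
		for _, r := range rules {
			if r.FuncName != name || r.QueryArgPos >= len(call.Args) || ignored[pos.Line] {
				continue
			}
			if !isConstString(call.Args[r.QueryArgPos]) {
				findings = append(findings, Finding{pos, name, "SQL text is not a compile-time constant"})
			}
		}
		return true
	})
	return findings, nil
}

// sample is constructed input; it references an undefined DB type and variables
// on purpose, since this check only parses the file and never type-checks it.
const sample = `package main

import "fmt"

func queries(db DB, user string) {
	db.Query("SELECT id FROM usr WHERE name = $1", user)        // ok: constant text, bound parameter
	db.Query("SELECT id FROM usr WHERE name = '" + user + "'")  // flagged: user joined into the text
	db.Exec(fmt.Sprintf("DELETE FROM usr WHERE id = %s", user)) // flagged: formatted into the text
	db.Query(fmt.Sprintf("SELECT %s", "1")) // sqlvet: ignore
	db.NamedExecContext(ctx, "INSERT INTO usr (name) VALUES (:name)", arg) // ok: argument 1 is constant
}
`

func main() {
	findings, err := CheckSource(sample, DefaultRules)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s:%d %s: %s\n", f.Pos.Filename, f.Pos.Line, f.Func, f.Reason)
	}
}
```

Run with go run, it lists the two call sites on lines 7 and 8 of the scanned source and nothing else: the parameterised query passes, the NamedExecContext call passes because the rule points at its second argument, and the Sprintf call on line 9 is silenced by its annotation. The same constant-string rule is why the README's own ignore example needs the comment at all: fmt.Sprintf("SELECT %s", "1") is safe, but a purely syntactic check cannot tell that without tracing the arguments.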

Acknowledgements

Sqlvet was inspired by safesql and sqlc.
