fix: G704 false positive on const URL (#1551)

Author: ravisastryk

taint/taint.go

@@ -521,6 +521,12 @@ func (a *Analyzer) isTainted(v ssa.Value, fn *ssa.Function, visited map[ssa.Valu
 	}
 	visited[v] = true
 
+	// Constants are compile-time literals and can never carry attacker-controlled
+	// data. Short-circuit immediately — no taint possible.
+	if _, ok := v.(*ssa.Const); ok {
+		return false
+	}
+
 	// Trace back through SSA instructions
 	switch val := v.(type) {
 	case *ssa.Parameter:

testutils/g704_samples.go

@@ -65,4 +65,40 @@ func GetPublicIP() (string, error) {
 	return "", nil
 }
 `}, 0, gosec.NewConfig()},
+	// Constant URL string must NOT trigger G704.
+	{[]string{`
+package main
+
+import (
+	"context"
+	"net/http"
+)
+
+const url = "https://go.dev/"
+
+func main() {
+	ctx := context.Background()
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, http.NoBody)
+	if err != nil {
+		panic(err)
+	}
+	_, err = new(http.Client).Do(req)
+	if err != nil {
+		panic(err)
+	}
+}
+`}, 0, gosec.NewConfig()},
+	// Sanity check: variable URL from request still fires.
+	{[]string{`
+package main
+
+import (
+	"net/http"
+)
+
+func handler(r *http.Request) {
+	target := r.URL.Query().Get("url")
+	http.Get(target) //nolint:errcheck
+}
+`}, 1, gosec.NewConfig()},
 }