
Gosec does not detect G204 if user input is from a function parameter #1174

Open
BinaryFissionGames opened this issue Jul 22, 2024 · 0 comments


BinaryFissionGames commented Jul 22, 2024

Summary

When using exec.Command with user defined input, I expect G204 (Subprocess launched with variable) to trigger. However, if that user defined input is used directly from a function parameter, it does not trigger G204.

Steps to reproduce the behavior

See this Go program:

package main

import (
	"os"
	"os/exec"
)

func main() {
	execCommand(os.Args[0])
}

func execCommand(command string) {
	cmd := exec.Command("bash", "-c", command)
	err := cmd.Run()
	if err != nil {
		panic(err)
	}
}

I'd expect this to trigger G204; however, gosec reports no issues.

If I make a small change and assign the command string to a new variable, however, gosec properly detects the issue:

package main

import (
	"os"
	"os/exec"
)

func main() {
	execCommand(os.Args[0])
}

func execCommand(command string) {
	cmdStr := command
	cmd := exec.Command("bash", "-c", cmdStr)
	err := cmd.Run()
	if err != nil {
		panic(err)
	}
}

This DOES trigger G204, as expected.

gosec version

v2.20.0

Go version (output of 'go version')

go version go1.21.9 darwin/arm64

Operating system / Environment

macOS Sonoma 14.5

Expected behavior

Expected G204 to trigger

Actual behavior

G204 does not trigger
