
G204: False positive when variable is a value from a hard-coded locally-scoped map #1199

Open
mholt opened this issue Aug 29, 2024 · 0 comments


mholt commented Aug 29, 2024

Summary

The linter reports a variable executing a shell command when the variable is hard-coded and not changed.

Steps to reproduce the behavior

```go
package main

import (
	"os/exec"
	"runtime"
	"strings"
)

// openURL builds the platform's URL-opener command; gosec flags the exec.Command call below.
func openURL(url string) *exec.Cmd {
	// first element of each slice is the hard-coded command
	osCommand := map[string][]string{
		"darwin":  {"open"},
		"freebsd": {"xdg-open"},
		"linux":   {"xdg-open"},
		"netbsd":  {"xdg-open"},
		"openbsd": {"xdg-open"},
		"windows": {"cmd", "/c", "start"},
	}

	// (probably irrelevant detail, but keeping it here just in case)
	if runtime.GOOS == "windows" {
		// escape characters not allowed by cmd
		url = strings.ReplaceAll(url, "&", `^&`)
	}

	// read from the map -- no mutations
	all := osCommand[runtime.GOOS]

	// extract the command from the args -- again, no mutations
	exe := all[0]
	args := all[1:]

	// false positive here
	cmd := exec.Command(exe, append(args, url)...)

	// it also fires if it's just exec.Command(exe)
	return cmd
}
```

gosec version

v2.20

Go version (output of 'go version')

go version go1.22.6 linux/amd64

Operating system / Environment

See above

Expected behavior

The command does not rely on external input in any way, so there should be no lint warning.

Actual behavior

G204 fires.
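As an added illustration (not code from the reporter or the gosec project), the same fixed-table lookup written so that the argv provably comes only from the table, an unsupported GOOS returns an error instead of panicking on `all[0]`, and the remaining finding is suppressed on that single line with the reasoning recorded beside it. The function name `openerCommand` is hypothetical.

```go
package main

import (
	"fmt"
	"os/exec"
	"runtime"
	"strings"
)

// openers is the fixed per-platform table from the report: the first element is
// the executable, the rest are leading arguments. Nothing writes to it.
var openers = map[string][]string{
	"darwin":  {"open"},
	"freebsd": {"xdg-open"},
	"linux":   {"xdg-open"},
	"netbsd":  {"xdg-open"},
	"openbsd": {"xdg-open"},
	"windows": {"cmd", "/c", "start"},
}

// openerCommand builds (but does not run) the command that opens url on goos.
// Hypothetical helper, not from the gosec project or the issue reporter.
func openerCommand(goos, url string) (*exec.Cmd, error) {
	entry, ok := openers[goos]
	if !ok || len(entry) == 0 {
		// The original snippet indexes all[0] directly, which panics for a
		// GOOS missing from the table; return an error instead.
		return nil, fmt.Errorf("no URL opener configured for GOOS %q", goos)
	}
	// Copy so the appended url can never alias the package-level table.
	argv := append([]string(nil), entry...)
	if goos == "windows" {
		// cmd.exe treats an unescaped & as a command separator.
		url = strings.ReplaceAll(url, "&", `^&`)
	}
	argv = append(argv, url)
	// exe and args come only from the table above; the annotation records
	// that reasoning next to the one line G204 reports.
	return exec.Command(argv[0], argv[1:]...), nil // #nosec G204
}

func main() {
	cmd, err := openerCommand(runtime.GOOS, "https://example.com/?a=1&b=2")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("would run:", strings.Join(cmd.Args, " "))
}
```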
