False positives in gorm-hardcoded-secret and gorm-empty-password #3316

Open
1 of 3 tasks
lfama opened this issue Mar 4, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@lfama
Contributor

lfama commented Mar 4, 2024

Describe the bug
Both rules gorm-empty-password and gorm-hardcoded-secret produce false positives when the password comes from a variable and is not actually hardcoded in the source code.

I couldn't find these rules in the semgrep-rules repository (maybe because they are "pro" rules?), so I'm not sure this is the right place to open a bug. If not, let me know.

To Reproduce
Run the rules against this snippet of code and notice that both produce a finding.

import (
	"gorm.io/driver/postgres"
	"gorm.io/gorm"
)

// config is the reporter's own package (its import path is not shown in the
// issue); it supplies the Database.* connection fields read below.
func InitDatabase(configuration *config.Configuration) (*gorm.DB, error) {
	gormConfig := gorm.Config{
		PrepareStmt: true,
	}

	// The DSN is assembled from configuration fields at runtime; the password
	// never appears as a literal in the source, yet both rules report it.
	return gorm.Open(postgres.New(postgres.Config{
		DSN: "host=" + configuration.Database.DBAddr +
			" port=" + configuration.Database.DBPort +
			" dbname=" + configuration.Database.DBName +
			" user=" + configuration.Database.DBUser +
			" password=" + configuration.Database.DBPass +
			" sslmode=" + configuration.Database.DBType,
	}), &gormConfig)
}

Expected behavior
Do not report findings.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me

Additional Context
N/A

@lfama lfama added the bug Something isn't working label Mar 4, 2024
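One way a rule can avoid this class of false positive, shown here as an added illustration rather than one of Semgrep's own rules: require the DSN argument to be a string literal before applying the password check, so a DSN concatenated from configuration fields, as in the snippet above, yields no finding. The rule id, message and regex are assumptions; the `postgres.New`/`postgres.Open` call shapes are the gorm postgres driver's real entry points.

```yaml
rules:
  - id: example-gorm-dsn-literal-password   # hypothetical id, not a registry rule
    languages: [go]
    severity: WARNING
    message: >-
      A password is embedded in a gorm DSN string literal. Load it from
      configuration or the environment instead of hardcoding it.
    patterns:
      # Match the DSN handed to the gorm postgres driver in either form
      - pattern-either:
          - pattern: postgres.New(postgres.Config{..., DSN: $DSN, ...})
          - pattern: postgres.Open($DSN)
      # Only a plain string literal can be a hardcoded secret. A `+`
      # concatenation of config fields (the reporter's case) binds $DSN to a
      # binary expression, which fails this check, so no finding is produced.
      - metavariable-pattern:
          metavariable: $DSN
          pattern: '"..."'
      # Within the literal, require a non-empty password value; a bare
      # `password=` is left for a separate empty-password rule to report.
      - metavariable-regex:
          metavariable: $DSN
          regex: (?i).*\bpassword=[^\s"]+.*
```

Running this rule over the reporter's snippet produces nothing, while a call such as `postgres.Open("host=db user=app password=hunter2")` (constructed here as a test input) is reported.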