FP in javascript-lang-codei-taint: setTimeout(function() {
Description:
The javascript-lang-codei-taint rule is incorrectly flagging safe usage of setTimeout where a function is passed as a parameter, despite being designed to detect potentially dangerous string-based setTimeout calls.
Current Behavior: The rule is generating false positives for code patterns like:
```javascript
setTimeout(function() {
  if (winobj.closed) {
    window.location = course_url;
  }
}, 800)
```
Expected Behavior:
The rule should only detect instances where setTimeout is called with a string parameter that could be user-controlled, as these cases can lead to code injection vulnerabilities.
Rule Documentation:
The rule documentation explicitly states that passing functions as arguments to setTimeout is the recommended safe approach:
"Avoid using dangerous functions with strings: Use safe alternatives by passing functions as arguments to setTimeout()"
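To make the distinction concrete, here is an added example (not code from this issue or from the oxeye-rulez project) of the argument-shape check a taint rule needs before it ever looks at data flow: a callback first argument can never reach the implicit-eval path, a constant string literal cannot be user-controlled, and only a string built at runtime (concatenation or template) is a candidate sink; bare identifiers are left as "unknown" for data-flow analysis. The sample sources are constructed; the first one is the snippet from this issue.

```javascript
// Constructed sample sources, one timer call each; `callbackFromIssue` is the issue's snippet.
const SAMPLES = {
  callbackFromIssue: "setTimeout(function() {\n  if (winobj.closed) {\n    window.location = course_url;\n  }\n}, 800)",
  arrowCallback: "setTimeout(() => poll(), 800);",
  constantString: "setTimeout('tick()', 1000);",
  dynamicString: "setTimeout(\"go('\" + location.hash + \"')\", 100);",
  identifier: "setTimeout(handler, 0);",
};

// Extract the first call argument starting at `start`, respecting nested brackets and quotes.
function firstArgument(src, start) {
  let depth = 0, quote = null, i = start;
  for (; i < src.length; i++) {
    const c = src[i];
    if (quote) { if (c === "\\") i++; else if (c === quote) quote = null; continue; }
    if (c === "'" || c === '"' || c === "`") quote = c;
    else if ("([{".includes(c)) depth++;
    else if (")]}".includes(c)) { if (depth === 0) break; depth--; }
    else if (c === "," && depth === 0) break;
  }
  return src.slice(start, i).trim();
}

// Classify the argument shape: only string arguments are evaluated as code.
function classifyArg(arg) {
  if (/^(async\s+)?function\b/.test(arg)) return "callback";
  if (/^(\([^)]*\)|[A-Za-z_$][\w$]*)\s*=>/.test(arg)) return "callback";
  if (/^(['"])(?:\\.|(?!\1).)*\1$/.test(arg)) return "constant-string";
  if (/^`[^`]*`$/.test(arg) && !arg.includes("${")) return "constant-string";
  if (/^['"`]/.test(arg)) return "dynamic-string"; // concatenation or template literal
  return "unknown"; // identifier or expression: needs data-flow to decide
}

// Report every setTimeout/setInterval call; `flag` is what a taint rule should raise on.
function findTimerSinks(src) {
  const results = [];
  const re = /\b(setTimeout|setInterval)\s*\(/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const kind = classifyArg(firstArgument(src, m.index + m[0].length));
    results.push({ fn: m[1], kind, flag: kind === "dynamic-string" });
  }
  return results;
}
```

Running `findTimerSinks` over `SAMPLES.callbackFromIssue` yields `kind: "callback", flag: false`, which is the result the rule should produce for the snippet above.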
Impact: These false positives reduce the reliability of security scanning results and may cause unnecessary remediation efforts.
Links:
- Rule definition: https://gitlab.com/gitlab-org/security-products/oxeye/product/oxeye-rulez/-/blob/main/gitlab/rules/javascript/lang/codei/javascript-lang-codei-taint.yaml
- Example false positive: https://staging.gitlab.com/ai-evaluation/etv/eyeballvul-moodle-f968cd4/-/security/vulnerabilities/8443849/
/cc @dabeles