Fixed the -- completely -- broken Sink query

2025-12-15 18:03:03 +01:00 · 2025-09-04 23:32:50 -07:00
parent 28c40f9af3
commit 3b932164e5
5 changed files with 21 additions and 14 deletions
--- a/README.org
+++ b/README.org
@@ -17,7 +17,8 @@
    go mod tidy 2>/dev/null || true

    # Create the CodeQL database (Go extractor auto-detected)
-    codeql database create db --language=go --source-root .
+    codeql database create db.4b6900 --language=go --command=./build.sh 
+
  #+end_src

  If you already have a database, you can skip creation and reuse it.
@@ -32,7 +33,7 @@
    codeql pack install

    # Run both queries in this directory against the database
-    codeql database analyze db . \
+    codeql database analyze db.4b6900 . \
           --format=sarifv2.1.0 \
           --output=results.sarif
  #+end_src
@@ -41,7 +42,10 @@

  #+begin_src shell
    codeql database analyze db SourceGetUserInfo.ql --format=text
-    codeql database analyze db SinkExecCommandThirdArg.ql --format=text
+    codeql database analyze db.4b6900 \
+           SinkExecCommandThirdArg.ql \
+           --format=sarifv2.1.0 \
+           --output=SinkExecCommandThirdArg.sarif
  #+end_src

 * Notes
--- a/SinkExecCommandThirdArg.ql
+++ b/SinkExecCommandThirdArg.ql
@@ -1,16 +1,21 @@
 /**
- * Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.
- * Uses AST/semantic matching via resolved call target and argument position.
- */
+* @name Sink identification 
+* @description Sink identification 
+* @kind problem
+* @id go/demo/sink
+* @problem.severity warning
+
+* Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.
+* Uses AST/semantic matching via resolved call target and argument position.
+*/

 import go

 /** A sink expression corresponding to the 3rd argument to exec.Command. */
 predicate isSink(Expr e) {
-  exists(Call c, Function f |
-    f = c.getTarget() and
-    f.getName() = "Command" and
-    f.getDeclaringPackage().getName() = "exec" and
+  exists(CallExpr c |
+    c.getCalleeName() = "Command" 
+    and
    e = c.getArgument(2)
  )
 }
--- a/SinkExecCommandThirdArg.sarif
+++ b/SinkExecCommandThirdArg.sarif
@@ -0,0 +1 @@
+{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.22.4","notifications":[{"id":"go/baseline/expected-extracted-files","name":"go/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"go/demo/sink","name":"go/demo/sink","shortDescription":{"text":"Sink identification"},"fullDescription":{"text":"Sink identification"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"description":"Sink identification","id":"go/demo/sink","kind":"problem","name":"Sink identification","problem.severity":"warning\n\n Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.\n Uses AST/semantic matching via resolved call target and argument position."}}]},"extensions":[{"name":"hohnlab/codeql-dataflow-sql-injection-go","semanticVersion":"0.0.1","locations":[{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/go-all","semanticVersion":"4.3.3+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.30+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"go/baseline/expected-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform.","markdown":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform."},"level":"none","timeUtc":"2025-09-05T06:02:18.354356304Z","descriptor":{"id":"cli/platform","index":1},"properties":{"attributes":{"arch":"amd64","name":"Linux","version":"6.15.9-201.fc42.x86_64"},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}],"results":[{"ruleId":"go/demo/sink","ruleIndex":0,"rule":{"id":"go/demo/sink","index":0},"message":{"text":"Sink: 3rd argument to exec.Command"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":36,"startColumn":52,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"effc8e85b7721feb:1","primaryLocationStartColumnFingerprint":"47"}}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0"}}]}
--- a/db.4b6900.codeql-2.22.zip
+++ b/db.4b6900.codeql-2.22.zip
--- a/qlpack.yml
+++ b/qlpack.yml
@@ -2,7 +2,7 @@ name: hohnlab/codeql-dataflow-sql-injection-go
 version: 0.0.1
 extractor: go
 dependencies:
-  codeql/go: "*"
+  codeql/go-all: "*"
 queries:
  - SourceGetUserInfo.ql
  - SinkExecCommandThirdArg.ql
				`@@ -0,0 +1 @@`
				{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.22.4","notifications":[{"id":"go/baseline/expected-extracted-files","name":"go/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"go/demo/sink","name":"go/demo/sink","shortDescription":{"text":"Sink identification"},"fullDescription":{"text":"Sink identification"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"description":"Sink identification","id":"go/demo/sink","kind":"problem","name":"Sink identification","problem.severity":"warning\n\n Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.\n Uses AST/semantic matching via resolved call target and argument position."}}]},"extensions":[{"name":"hohnlab/codeql-dataflow-sql-injection-go","semanticVersion":"0.0.1","locations":[{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/go-all","semanticVersion":"4.3.3+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.30+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"go/baseline/expected-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform.","markdown":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform."},"level":"none","timeUtc":"2025-09-05T06:02:18.354356304Z","descriptor":{"id":"cli/platform","index":1},"properties":{"attributes":{"arch":"amd64","name":"Linux","version":"6.15.9-201.fc42.x86_64"},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}],"results":[{"ruleId":"go/demo/sink","ruleIndex":0,"rule":{"id":"go/demo/sink","index":0},"message":{"text":"Sink: 3rd argument to exec.Command"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":36,"startColumn":52,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"effc8e85b7721feb:1","primaryLocationStartColumnFingerprint":"47"}}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0"}}]}