Fixes and doc updates

2025-12-16 16:53:25 +01:00 · 2025-11-06 16:55:49 +00:00
parent 8d544e5b15
commit 2b1cd846b3
5 changed files with 8 additions and 7 deletions
--- a/go/ql/lib/go.qll
+++ b/go/ql/lib/go.qll
@@ -41,6 +41,7 @@ import semmle.go.frameworks.ElazarlGoproxy
 import semmle.go.frameworks.Email
 import semmle.go.frameworks.Encoding
 import semmle.go.frameworks.Fasthttp
+import semmle.go.frameworks.Gin
 import semmle.go.frameworks.GinCors
 import semmle.go.frameworks.Glog
 import semmle.go.frameworks.GoJose
--- a/go/ql/lib/semmle/go/concepts/HTTP.qll
+++ b/go/ql/lib/semmle/go/concepts/HTTP.qll
@@ -381,7 +381,7 @@ module Http {
    predicate guardedBy(DataFlow::Node check) { super.guardedBy(check) }
  }

-  /** Provides a class for modelling HTTP response cookie writes. */
+  /** Provides a class for modeling HTTP response cookie writes. */
  module CookieWrite {
    /**
     * An write of an HTTP Cookie to an HTTP response.
@@ -424,7 +424,7 @@ module Http {
    DataFlow::Node getHttpOnly() { result = super.getHttpOnly() }
  }

-  /** Provides a class for modelling the options of an HTTP cookie. */
+  /** Provides a class for modeling the options of an HTTP cookie. */
  module CookieOptions {
    /**
     * An HTTP Cookie object.
--- a/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/NetHttp.qll
@@ -294,7 +294,7 @@ module NetHttp {
    override DataFlow::Node getAPathArgument() { result = this.getArgument(2) }
  }

-  class CookieWrite extends Http::CookieWrite::Range, DataFlow::CallNode {
+  private class CookieWrite extends Http::CookieWrite::Range, DataFlow::CallNode {
    CookieWrite() { this.getTarget().hasQualifiedName(package("net/http", ""), "SetCookie") }

    override DataFlow::Node getName() { result = this.getArgument(1) }
@@ -306,7 +306,7 @@ module NetHttp {
    override DataFlow::Node getHttpOnly() { result = this.getArgument(1) }
  }

-  class CookieFieldWrite extends Http::CookieOptions::Range {
+  private class CookieFieldWrite extends Http::CookieOptions::Range {
    Write w;
    Field f;
    DataFlow::Node written;
--- a/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/go/ql/src/Security/CWE-1004/CookieWithoutHttpOnly.ql
@@ -7,6 +7,7 @@
 * @kind path-problem
 * @problem.severity warning
 * @precision high
+ * @security-severity 5.0
 * @id go/cookie-httponly-not-set
 * @tags security
 *       external/cwe/cwe-1004
@@ -14,7 +15,6 @@

 import go
 import semmle.go.security.SecureCookies
-import semmle.go.concepts.HTTP
 import SensitiveCookieNameFlow::PathGraph

 from
--- a/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql
+++ b/go/ql/src/Security/CWE-614/CookieWithoutSecure.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @problem.severity warning
 * @precision high
+ * @security-severity 5.0
 * @id go/cookie-secure-not-set
 * @tags security
 *       external/cwe/cwe-1004
@@ -11,8 +12,7 @@

 import go
 import semmle.go.security.SecureCookies
-import semmle.go.concepts.HTTP

 from Http::CookieWrite cw
 where isInsecureCookie(cw)
-select cw, "Cookie does not set Secure attribute to true"
+select cw, "Cookie does not set Secure attribute to true."