Merge branch 'main' into jca_signature_extensions

Nicolas Will
2025-10-06 14:50:15 +02:00
committed by GitHub
218 changed files with 3106 additions and 2157 deletions

140
Cargo.lock generated

@@ -84,9 +84,9 @@ dependencies = [
[[package]] [[package]]
name = "anyhow" name = "anyhow"
version = "1.0.99" version = "1.0.100"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100" checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
[[package]] [[package]]
name = "argfile" name = "argfile"
@@ -328,7 +328,7 @@ dependencies = [
"chalk-derive 0.103.0", "chalk-derive 0.103.0",
"chalk-ir 0.103.0", "chalk-ir 0.103.0",
"ena", "ena",
"indexmap 2.11.1", "indexmap 2.11.4",
"itertools 0.12.1", "itertools 0.12.1",
"petgraph", "petgraph",
"rustc-hash 1.1.0", "rustc-hash 1.1.0",
@@ -351,9 +351,9 @@ dependencies = [
[[package]] [[package]]
name = "clap" name = "clap"
version = "4.5.47" version = "4.5.48"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7eac00902d9d136acd712710d71823fb8ac8004ca445a89e73a41d45aa712931" checksum = "e2134bb3ea021b78629caa971416385309e0131b351b25e01dc16fb54e1b5fae"
dependencies = [ dependencies = [
"clap_builder", "clap_builder",
"clap_derive", "clap_derive",
@@ -361,9 +361,9 @@ dependencies = [
[[package]] [[package]]
name = "clap_builder" name = "clap_builder"
version = "4.5.47" version = "4.5.48"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2ad9bbf750e73b5884fb8a211a9424a1906c1e156724260fdae972f31d70e1d6" checksum = "c2ba64afa3c0a6df7fa517765e31314e983f51dda798ffba27b988194fb65dc9"
dependencies = [ dependencies = [
"anstream", "anstream",
"anstyle", "anstyle",
@@ -472,7 +472,7 @@ dependencies = [
"serde", "serde",
"serde_json", "serde_json",
"serde_with", "serde_with",
"toml 0.9.5", "toml 0.9.7",
"tracing", "tracing",
"tracing-flame", "tracing-flame",
"tracing-subscriber", "tracing-subscriber",
@@ -557,9 +557,9 @@ checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
[[package]] [[package]]
name = "darling" name = "darling"
version = "0.20.11" version = "0.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc7f46116c46ff9ab3eb1597a45688b6715c6e628b5c133e288e709a29bcb4ee" checksum = "9cdf337090841a411e2a7f3deb9187445851f91b309c0c0a29e05f74a00a48c0"
dependencies = [ dependencies = [
"darling_core", "darling_core",
"darling_macro", "darling_macro",
@@ -567,9 +567,9 @@ dependencies = [
[[package]] [[package]]
name = "darling_core" name = "darling_core"
version = "0.20.11" version = "0.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0d00b9596d185e565c2207a0b01f8bd1a135483d02d9b7b0a54b11da8d53412e" checksum = "1247195ecd7e3c85f83c8d2a366e4210d588e802133e1e355180a9870b517ea4"
dependencies = [ dependencies = [
"fnv", "fnv",
"ident_case", "ident_case",
@@ -581,9 +581,9 @@ dependencies = [
[[package]] [[package]]
name = "darling_macro" name = "darling_macro"
version = "0.20.11" version = "0.21.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fc34b93ccb385b40dc71c6fceac4b2ad23662c7eeb248cf10d529b7e055b6ead" checksum = "d38308df82d1080de0afee5d069fa14b0326a88c14f15c5ccda35b4a6c414c81"
dependencies = [ dependencies = [
"darling_core", "darling_core",
"quote", "quote",
@@ -1059,13 +1059,14 @@ dependencies = [
[[package]] [[package]]
name = "indexmap" name = "indexmap"
version = "2.11.1" version = "2.11.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "206a8042aec68fa4a62e8d3f7aa4ceb508177d9324faf261e1959e495b7a1921" checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
dependencies = [ dependencies = [
"equivalent", "equivalent",
"hashbrown 0.15.5", "hashbrown 0.15.5",
"serde", "serde",
"serde_core",
] ]
[[package]] [[package]]
@@ -1490,7 +1491,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
dependencies = [ dependencies = [
"fixedbitset", "fixedbitset",
"indexmap 2.11.1", "indexmap 2.11.4",
] ]
[[package]] [[package]]
@@ -1559,9 +1560,9 @@ dependencies = [
[[package]] [[package]]
name = "quote" name = "quote"
version = "1.0.40" version = "1.0.41"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d" checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
] ]
@@ -1666,7 +1667,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e876bb2c3e52a8d4e6684526a2d4e81f9d028b939ee4dc5dc775fe10deb44d59" checksum = "e876bb2c3e52a8d4e6684526a2d4e81f9d028b939ee4dc5dc775fe10deb44d59"
dependencies = [ dependencies = [
"dashmap", "dashmap",
"indexmap 2.11.1", "indexmap 2.11.4",
"la-arena", "la-arena",
"ra_ap_cfg", "ra_ap_cfg",
"ra_ap_intern", "ra_ap_intern",
@@ -1708,7 +1709,7 @@ checksum = "ebffdc134eccabc17209d7760cfff7fd12ed18ab6e21188c5e084b97aa38504c"
dependencies = [ dependencies = [
"arrayvec", "arrayvec",
"either", "either",
"indexmap 2.11.1", "indexmap 2.11.4",
"itertools 0.14.0", "itertools 0.14.0",
"ra_ap_base_db", "ra_ap_base_db",
"ra_ap_cfg", "ra_ap_cfg",
@@ -1738,7 +1739,7 @@ dependencies = [
"drop_bomb", "drop_bomb",
"either", "either",
"fst", "fst",
"indexmap 2.11.1", "indexmap 2.11.4",
"itertools 0.14.0", "itertools 0.14.0",
"la-arena", "la-arena",
"ra-ap-rustc_abi", "ra-ap-rustc_abi",
@@ -1807,7 +1808,7 @@ dependencies = [
"cov-mark", "cov-mark",
"either", "either",
"ena", "ena",
"indexmap 2.11.1", "indexmap 2.11.4",
"itertools 0.14.0", "itertools 0.14.0",
"la-arena", "la-arena",
"oorandom", "oorandom",
@@ -1845,7 +1846,7 @@ dependencies = [
"crossbeam-channel", "crossbeam-channel",
"either", "either",
"fst", "fst",
"indexmap 2.11.1", "indexmap 2.11.4",
"itertools 0.14.0", "itertools 0.14.0",
"line-index", "line-index",
"memchr", "memchr",
@@ -1947,7 +1948,7 @@ version = "0.0.301"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "45db9e2df587d56f0738afa89fb2c100ff7c1e9cbe49e07f6a8b62342832211b" checksum = "45db9e2df587d56f0738afa89fb2c100ff7c1e9cbe49e07f6a8b62342832211b"
dependencies = [ dependencies = [
"indexmap 2.11.1", "indexmap 2.11.4",
"ra_ap_intern", "ra_ap_intern",
"ra_ap_paths", "ra_ap_paths",
"ra_ap_span", "ra_ap_span",
@@ -2106,7 +2107,7 @@ checksum = "6c174d6b9b7a7f54687df7e00c3e75ed6f082a7943a9afb1d54f33c0c12773de"
dependencies = [ dependencies = [
"crossbeam-channel", "crossbeam-channel",
"fst", "fst",
"indexmap 2.11.1", "indexmap 2.11.4",
"nohash-hasher", "nohash-hasher",
"ra_ap_paths", "ra_ap_paths",
"ra_ap_stdx", "ra_ap_stdx",
@@ -2211,9 +2212,9 @@ dependencies = [
[[package]] [[package]]
name = "regex" name = "regex"
version = "1.11.2" version = "1.11.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23d7fd106d8c02486a8d64e778353d1cffe08ce79ac2e82f540c86d0facf6912" checksum = "8b5288124840bee7b386bc413c487869b360b2b4ec421ea56425128692f2a82c"
dependencies = [ dependencies = [
"aho-corasick", "aho-corasick",
"memchr", "memchr",
@@ -2223,9 +2224,9 @@ dependencies = [
[[package]] [[package]]
name = "regex-automata" name = "regex-automata"
version = "0.4.10" version = "0.4.11"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6b9458fa0bfeeac22b5ca447c63aaf45f28439a709ccd244698632f9aa6394d6" checksum = "833eb9ce86d40ef33cb1306d8accf7bc8ec2bfea4355cbdebb3df68b40925cad"
dependencies = [ dependencies = [
"aho-corasick", "aho-corasick",
"memchr", "memchr",
@@ -2316,7 +2317,7 @@ dependencies = [
"crossbeam-utils", "crossbeam-utils",
"hashbrown 0.15.5", "hashbrown 0.15.5",
"hashlink", "hashlink",
"indexmap 2.11.1", "indexmap 2.11.4",
"intrusive-collections", "intrusive-collections",
"papaya", "papaya",
"parking_lot", "parking_lot",
@@ -2414,10 +2415,11 @@ dependencies = [
[[package]] [[package]]
name = "serde" name = "serde"
version = "1.0.219" version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6" checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
dependencies = [ dependencies = [
"serde_core",
"serde_derive", "serde_derive",
] ]
@@ -2443,10 +2445,19 @@ dependencies = [
] ]
[[package]] [[package]]
name = "serde_derive" name = "serde_core"
version = "1.0.219" version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00" checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
"quote", "quote",
@@ -2455,15 +2466,16 @@ dependencies = [
[[package]] [[package]]
name = "serde_json" name = "serde_json"
version = "1.0.143" version = "1.0.145"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d401abef1d108fbd9cbaebc3e46611f4b1021f714a0597a71f41ee463f5f4a5a" checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
dependencies = [ dependencies = [
"indexmap 2.11.1", "indexmap 2.11.4",
"itoa", "itoa",
"memchr", "memchr",
"ryu", "ryu",
"serde", "serde",
"serde_core",
] ]
[[package]] [[package]]
@@ -2477,24 +2489,24 @@ dependencies = [
[[package]] [[package]]
name = "serde_spanned" name = "serde_spanned"
version = "1.0.0" version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40734c41988f7306bb04f0ecf60ec0f3f1caa34290e4e8ea471dcd3346483b83" checksum = "5417783452c2be558477e104686f7de5dae53dba813c28435e0e70f82d9b04ee"
dependencies = [ dependencies = [
"serde", "serde_core",
] ]
[[package]] [[package]]
name = "serde_with" name = "serde_with"
version = "3.14.0" version = "3.14.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f2c45cd61fefa9db6f254525d46e392b852e0e61d9a1fd36e5bd183450a556d5" checksum = "c522100790450cf78eeac1507263d0a350d4d5b30df0c8e1fe051a10c22b376e"
dependencies = [ dependencies = [
"base64", "base64",
"chrono", "chrono",
"hex", "hex",
"indexmap 1.9.3", "indexmap 1.9.3",
"indexmap 2.11.1", "indexmap 2.11.4",
"schemars 0.9.0", "schemars 0.9.0",
"schemars 1.0.4", "schemars 1.0.4",
"serde", "serde",
@@ -2506,9 +2518,9 @@ dependencies = [
[[package]] [[package]]
name = "serde_with_macros" name = "serde_with_macros"
version = "3.14.0" version = "3.14.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "de90945e6565ce0d9a25098082ed4ee4002e047cb59892c318d66821e14bb30f" checksum = "327ada00f7d64abaac1e55a6911e90cf665aa051b9a561c7006c157f4633135e"
dependencies = [ dependencies = [
"darling", "darling",
"proc-macro2", "proc-macro2",
@@ -2522,7 +2534,7 @@ version = "0.9.34+deprecated"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47" checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
dependencies = [ dependencies = [
"indexmap 2.11.1", "indexmap 2.11.4",
"itoa", "itoa",
"ryu", "ryu",
"serde", "serde",
@@ -2701,14 +2713,14 @@ dependencies = [
[[package]] [[package]]
name = "toml" name = "toml"
version = "0.9.5" version = "0.9.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "75129e1dc5000bfbaa9fee9d1b21f974f9fbad9daec557a521ee6e080825f6e8" checksum = "00e5e5d9bf2475ac9d4f0d9edab68cc573dc2fd644b0dba36b0c30a92dd9eaa0"
dependencies = [ dependencies = [
"indexmap 2.11.1", "indexmap 2.11.4",
"serde", "serde_core",
"serde_spanned 1.0.0", "serde_spanned 1.0.2",
"toml_datetime 0.7.0", "toml_datetime 0.7.2",
"toml_parser", "toml_parser",
"toml_writer", "toml_writer",
"winnow", "winnow",
@@ -2725,11 +2737,11 @@ dependencies = [
[[package]] [[package]]
name = "toml_datetime" name = "toml_datetime"
version = "0.7.0" version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bade1c3e902f58d73d3f294cd7f20391c1cb2fbcb643b73566bc773971df91e3" checksum = "32f1085dec27c2b6632b04c80b3bb1b4300d6495d1e129693bdda7d91e72eec1"
dependencies = [ dependencies = [
"serde", "serde_core",
] ]
[[package]] [[package]]
@@ -2738,7 +2750,7 @@ version = "0.22.27"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a" checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
dependencies = [ dependencies = [
"indexmap 2.11.1", "indexmap 2.11.4",
"serde", "serde",
"serde_spanned 0.6.9", "serde_spanned 0.6.9",
"toml_datetime 0.6.11", "toml_datetime 0.6.11",
@@ -2748,9 +2760,9 @@ dependencies = [
[[package]] [[package]]
name = "toml_parser" name = "toml_parser"
version = "1.0.2" version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b551886f449aa90d4fe2bdaa9f4a2577ad2dde302c61ecf262d80b116db95c10" checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
dependencies = [ dependencies = [
"winnow", "winnow",
] ]
@@ -2763,9 +2775,9 @@ checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
[[package]] [[package]]
name = "toml_writer" name = "toml_writer"
version = "1.0.2" version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fcc842091f2def52017664b53082ecbbeb5c7731092bad69d2c63050401dfd64" checksum = "d163a63c116ce562a22cda521fcc4d79152e7aba014456fb5eb442f6d6a10109"
[[package]] [[package]]
name = "tracing" name = "tracing"
@@ -2855,9 +2867,9 @@ dependencies = [
[[package]] [[package]]
name = "tree-sitter-embedded-template" name = "tree-sitter-embedded-template"
version = "0.23.2" version = "0.25.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "790063ef14e5b67556abc0b3be0ed863fb41d65ee791cf8c0b20eb42a1fa46af" checksum = "833d528e8fcb4e49ddb04d4d6450ddb8ac08f282a58fec94ce981c9c5dbf7e3a"
dependencies = [ dependencies = [
"cc", "cc",
"tree-sitter-language", "tree-sitter-language",


@@ -98,11 +98,11 @@ use_repo(
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r") tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
use_repo( use_repo(
tree_sitter_extractors_deps, tree_sitter_extractors_deps,
"vendor_ts__anyhow-1.0.99", "vendor_ts__anyhow-1.0.100",
"vendor_ts__argfile-0.2.1", "vendor_ts__argfile-0.2.1",
"vendor_ts__chalk-ir-0.104.0", "vendor_ts__chalk-ir-0.104.0",
"vendor_ts__chrono-0.4.42", "vendor_ts__chrono-0.4.42",
"vendor_ts__clap-4.5.47", "vendor_ts__clap-4.5.48",
"vendor_ts__dunce-1.0.5", "vendor_ts__dunce-1.0.5",
"vendor_ts__either-1.15.0", "vendor_ts__either-1.15.0",
"vendor_ts__encoding-0.2.33", "vendor_ts__encoding-0.2.33",
@@ -116,7 +116,7 @@ use_repo(
"vendor_ts__num-traits-0.2.19", "vendor_ts__num-traits-0.2.19",
"vendor_ts__num_cpus-1.17.0", "vendor_ts__num_cpus-1.17.0",
"vendor_ts__proc-macro2-1.0.101", "vendor_ts__proc-macro2-1.0.101",
"vendor_ts__quote-1.0.40", "vendor_ts__quote-1.0.41",
"vendor_ts__ra_ap_base_db-0.0.301", "vendor_ts__ra_ap_base_db-0.0.301",
"vendor_ts__ra_ap_cfg-0.0.301", "vendor_ts__ra_ap_cfg-0.0.301",
"vendor_ts__ra_ap_hir-0.0.301", "vendor_ts__ra_ap_hir-0.0.301",
@@ -135,17 +135,17 @@ use_repo(
"vendor_ts__ra_ap_vfs-0.0.301", "vendor_ts__ra_ap_vfs-0.0.301",
"vendor_ts__rand-0.9.2", "vendor_ts__rand-0.9.2",
"vendor_ts__rayon-1.11.0", "vendor_ts__rayon-1.11.0",
"vendor_ts__regex-1.11.2", "vendor_ts__regex-1.11.3",
"vendor_ts__serde-1.0.219", "vendor_ts__serde-1.0.228",
"vendor_ts__serde_json-1.0.143", "vendor_ts__serde_json-1.0.145",
"vendor_ts__serde_with-3.14.0", "vendor_ts__serde_with-3.14.1",
"vendor_ts__syn-2.0.106", "vendor_ts__syn-2.0.106",
"vendor_ts__toml-0.9.5", "vendor_ts__toml-0.9.7",
"vendor_ts__tracing-0.1.41", "vendor_ts__tracing-0.1.41",
"vendor_ts__tracing-flame-0.2.0", "vendor_ts__tracing-flame-0.2.0",
"vendor_ts__tracing-subscriber-0.3.20", "vendor_ts__tracing-subscriber-0.3.20",
"vendor_ts__tree-sitter-0.25.9", "vendor_ts__tree-sitter-0.25.9",
"vendor_ts__tree-sitter-embedded-template-0.23.2", "vendor_ts__tree-sitter-embedded-template-0.25.0",
"vendor_ts__tree-sitter-json-0.24.8", "vendor_ts__tree-sitter-json-0.24.8",
"vendor_ts__tree-sitter-ql-0.23.1", "vendor_ts__tree-sitter-ql-0.23.1",
"vendor_ts__tree-sitter-ruby-0.23.1", "vendor_ts__tree-sitter-ruby-0.23.1",


@@ -87,6 +87,7 @@ class ElementBase extends @element {
*/ */
class Element extends ElementBase { class Element extends ElementBase {
/** Gets the primary file where this element occurs. */ /** Gets the primary file where this element occurs. */
pragma[nomagic]
File getFile() { result = this.getLocation().getFile() } File getFile() { result = this.getLocation().getFile() }
/** /**


@@ -0,0 +1,5 @@
---
category: breaking
---
* The member predicate `writesField` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing a struct literal. A new member predicate `writesFieldPreUpdate` has been added for cases where this behaviour is not desired.
* The member predicate `writesElement` on `DataFlow::Write` now uses the post-update node for `base` when that is the node being updated, which is in all cases except initializing an array/slice/map literal. A new member predicate `writesElementPreUpdate` has been added for cases where this behaviour is not desired.


@@ -0,0 +1,4 @@
---
category: majorAnalysis
---
* The shape of the Go data-flow graph has changed. Previously for code like `x := def(); use1(x); use2(x)`, there would be edges from the definition of `x` to each use. Now there is an edge from the definition to the first use, then another from the first use to the second, and so on. This means that data-flow barriers work differently - flow will not reach any uses after the barrier node. Where this is not desired it may be be necessary to add an additional flow step to propagate the flow forward. Additionally, when a variable may be subject to a side-effect, such as updating an array, passing a pointer to a function that might write through it or writing to a field of a struct, there is now a dedicated post-update node representing the variable after this side-effect has taken place. Previously post-update nodes were aliases for either a variable's definition, or were equal to the pre-update node. This led to backwards steps in the data-flow graph, which could cause false positives. For example, in the previous code there would be an edge from `x` in `use2(x)` back to the definition of `x`. If we define our sources as any argument of `use2` and our sinks as any argument of `use1` then this would lead to a false positive path. Now there are distinct post-update nodes and no backwards edge to the definition, so we will not find this false positive path.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* For the query `go/unvalidated-url-redirection`, when untrusted data is assigned to the `Host` field of a `url.URL` struct, we consider the whole struct untrusted. We now also include the case when this happens during struct initialization, for example `&url.URL{Host: untrustedData}`.


@@ -0,0 +1,4 @@
---
category: deprecated
---
* The member predicate `writesComponent` on `DataFlow::Write` has been deprecated. Instead, use `writesFieldPreUpdate` and `writesElementPreUpdate`, or their new versions `writesField` and `writesElement`.


@@ -118,6 +118,8 @@ module ControlFlow {
/** Gets the left-hand side of this write. */ /** Gets the left-hand side of this write. */
IR::WriteTarget getLhs() { result = super.getLhs() } IR::WriteTarget getLhs() { result = super.getLhs() }
private predicate isInitialization() { super.isInitialization() }
/** Gets the right-hand side of this write. */ /** Gets the right-hand side of this write. */
DataFlow::Node getRhs() { super.getRhs() = result.asInstruction() } DataFlow::Node getRhs() { super.getRhs() = result.asInstruction() }
@@ -132,21 +134,45 @@ module ControlFlow {
/** /**
* Holds if this node sets the value of field `f` on `base` (or its implicit dereference) to * Holds if this node sets the value of field `f` on `base` (or its implicit dereference) to
* `rhs`. * `rhs`, where `base` represents the post-update value.
*
* For example, for the assignment `x.width = newWidth`, `base` is the post-update node of
* either the data-flow node corresponding to `x` or (if `x` is a pointer) the data-flow node
* corresponding to the implicit dereference `*x`, `f` is the field referenced by `width`, and
* `rhs` is the data-flow node corresponding to `newWidth`. If this `WriteNode` is a struct
* initialization then there is no post-update node and `base` is the struct literal being
* initialized.
*/
predicate writesField(DataFlow::Node base, Field f, DataFlow::Node rhs) {
exists(DataFlow::Node b | this.writesFieldPreUpdate(b, f, rhs) |
this.isInitialization() and base = b
or
not this.isInitialization() and
b = base.(DataFlow::PostUpdateNode).getPreUpdateNode()
)
}
/**
* Holds if this node sets the value of field `f` on `base` (or its implicit dereference) to
* `rhs`, where `base` represents the pre-update value.
* *
* For example, for the assignment `x.width = newWidth`, `base` is either the data-flow node * For example, for the assignment `x.width = newWidth`, `base` is either the data-flow node
* corresponding to `x` or (if `x` is a pointer) the data-flow node corresponding to the * corresponding to `x` or (if `x` is a pointer) the data-flow node corresponding to the
* implicit dereference `*x`, `f` is the field referenced by `width`, and `rhs` is the data-flow * implicit dereference `*x`, `f` is the field referenced by `width`, and `rhs` is the
* node corresponding to `newWidth`. * data-flow node corresponding to `newWidth`.
*/ */
predicate writesField(DataFlow::Node base, Field f, DataFlow::Node rhs) { predicate writesFieldPreUpdate(DataFlow::Node base, Field f, DataFlow::Node rhs) {
this.writesFieldInsn(base.asInstruction(), f, rhs.asInstruction())
}
private predicate writesFieldInsn(IR::Instruction base, Field f, IR::Instruction rhs) {
exists(IR::FieldTarget trg | trg = super.getLhs() | exists(IR::FieldTarget trg | trg = super.getLhs() |
( (
trg.getBase() = base.asInstruction() or trg.getBase() = base or
trg.getBase() = MkImplicitDeref(base.asExpr()) trg.getBase() = MkImplicitDeref(base.(IR::EvalInstruction).getExpr())
) and ) and
trg.getField() = f and trg.getField() = f and
super.getRhs() = rhs.asInstruction() super.getRhs() = rhs
) )
} }
@@ -154,27 +180,66 @@ module ControlFlow {
* Holds if this node sets the value of element `index` on `base` (or its implicit dereference) * Holds if this node sets the value of element `index` on `base` (or its implicit dereference)
* to `rhs`. * to `rhs`.
* *
* For example, for the assignment `xs[i] = v`, `base` is either the data-flow node * For example, for the assignment `xs[i] = v`, `base` is the post-update node of the data-flow
* corresponding to `xs` or (if `xs` is a pointer) the data-flow node corresponding to the * node corresponding to `xs` or (if `xs` is a pointer) the implicit dereference `*xs`, `index`
* implicit dereference `*xs`, `index` is the data-flow node corresponding to `i`, and `rhs` * is the data-flow node corresponding to `i`, and `rhs` is the data-flow node corresponding to
* is the data-flow node corresponding to `base`. * `base`. If this `WriteNode` corresponds to the initialization of an array/slice/map then
* there is no need for a post-update node and `base` is the array/slice/map literal being
* initialized.
*/ */
predicate writesElement(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs) { predicate writesElement(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs) {
exists(DataFlow::Node b | this.writesElementPreUpdate(b, index, rhs) |
this.isInitialization() and base = b
or
not this.isInitialization() and
b = base.(DataFlow::PostUpdateNode).getPreUpdateNode()
)
}
/**
* Holds if this node sets the value of element `index` on `base` (or its implicit dereference)
* to `rhs`.
*
* For example, for the assignment `xs[i] = v`, `base` is the post-update node of the data-flow
* node corresponding to `xs` or (if `xs` is a pointer) the implicit dereference `*xs`, `index`
* is the data-flow node corresponding to `i`, and `rhs` is the data-flow node corresponding to
* `base`. If this `WriteNode` corresponds to the initialization of an array/slice/map then
* there is no need for a post-update node and `base` is the array/slice/map literal being
* initialized.
*/
predicate writesElementPreUpdate(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs) {
this.writesElementInsn(base.asInstruction(), index.asInstruction(), rhs.asInstruction())
}
private predicate writesElementInsn(
IR::Instruction base, IR::Instruction index, IR::Instruction rhs
) {
exists(IR::ElementTarget trg | trg = super.getLhs() | exists(IR::ElementTarget trg | trg = super.getLhs() |
( (
trg.getBase() = base.asInstruction() or trg.getBase() = base or
trg.getBase() = MkImplicitDeref(base.asExpr()) trg.getBase() = MkImplicitDeref(base.(IR::EvalInstruction).getExpr())
) and ) and
trg.getIndex() = index.asInstruction() and trg.getIndex() = index and
super.getRhs() = rhs.asInstruction() super.getRhs() = rhs
) )
} }
/**
* DEPRECATED: Use the disjunct of `writesElement` and `writesField`, or `writesFieldPreUpdate`
* and `writesElementPreUpdate`, instead.
*
* Holds if this node sets any field or element of `base` (or its implicit dereference) to
* `rhs`, where `base` represents the pre-update value.
*/
deprecated predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {
this.writesElementPreUpdate(base, _, rhs) or this.writesFieldPreUpdate(base, _, rhs)
}
/** /**
* Holds if this node sets any field or element of `base` to `rhs`. * Holds if this node sets any field or element of `base` to `rhs`.
*/ */
predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) { predicate writesComponentInstruction(IR::Instruction base, IR::Instruction rhs) {
this.writesElement(base, _, rhs) or this.writesField(base, _, rhs) this.writesElementInsn(base, _, rhs) or this.writesFieldInsn(base, _, rhs)
} }
} }
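Review bot: The doc comment on `writesElementPreUpdate` is a verbatim copy of the one on `writesElement`, so it tells callers that `base` is the post-update node, while the predicate delegates straight to `writesElementInsn` on `base.asInstruction()` and therefore yields the pre-update node. It should mirror the comment on `writesFieldPreUpdate`: end the summary with "where `base` represents the pre-update value", describe `base` as the node for `xs` or the implicit dereference `*xs`, and drop the sentence about literal initialization. Both element comments also say that `rhs` is the data-flow node corresponding to `base`; for the example `xs[i] = v` that should read "corresponding to `v`". Query authors will choose between the post-update and pre-update variants from these comments, and a wrong choice presumably shows up as missing or misplaced flow steps rather than as a compile error, so the wording matters here.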


@@ -430,18 +430,25 @@ module IR {
*/ */
class WriteInstruction extends Instruction { class WriteInstruction extends Instruction {
WriteTarget lhs; WriteTarget lhs;
Boolean initialization;
WriteInstruction() { WriteInstruction() {
lhs = MkLhs(this, _) (
lhs = MkLhs(this, _)
or
lhs = MkResultWriteTarget(this)
) and
initialization = false
or or
lhs = MkLiteralElementTarget(this) lhs = MkLiteralElementTarget(this) and initialization = true
or
lhs = MkResultWriteTarget(this)
} }
/** Gets the target to which this instruction writes. */ /** Gets the target to which this instruction writes. */
WriteTarget getLhs() { result = lhs } WriteTarget getLhs() { result = lhs }
/** Holds if this instruction initializes a literal. */
predicate isInitialization() { initialization = true }
/** Gets the instruction computing the value this instruction writes. */ /** Gets the instruction computing the value this instruction writes. */
Instruction getRhs() { none() } Instruction getRhs() { none() }


@@ -166,6 +166,13 @@ class SsaDefinition extends TSsaDefinition {
) { ) {
this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
} }
/**
* Gets the first instruction that the value of this `SsaDefinition` can
* reach without passing through any other instructions, but possibly through
* phi nodes.
*/
IR::Instruction getAFirstUse() { firstUse(this, result) }
} }
/** /**
@@ -410,3 +417,12 @@ DataFlow::Node getASimilarReadNode(DataFlow::Node node) {
result = readFields.similar().getAUse() result = readFields.similar().getAUse()
) )
} }
/**
* Gets an instruction such that `pred` and `result` form an adjacent
* use-use-pair of the same`SsaSourceVariable`, that is, the value read in
* `pred` can reach `result` without passing through any other use or any SSA
* definition of the variable except for phi nodes and uncertain implicit
* updates.
*/
IR::Instruction getAnAdjacentUse(IR::Instruction pred) { adjacentUseUse(pred, result) }
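Review bot: The doc comment on `getAFirstUse` says "Gets the first instruction", but the predicate name and the mention of phi nodes suggest it can have several results, so "Gets a first use of this definition, that is, an instruction that its value can reach without passing through any other use" would describe it more accurately. In the comment on `getAnAdjacentUse` a space is missing between "same" and `SsaSourceVariable`. Both predicates only forward to `firstUse` and `adjacentUseUse`, which are defined outside these hunks, so the final wording should be checked against those definitions.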


@@ -199,6 +199,8 @@ private module Internal {
/** /**
* Holds if the `i`th node of `bb` is a use or an SSA definition of variable `v`, with * Holds if the `i`th node of `bb` is a use or an SSA definition of variable `v`, with
* `k` indicating whether it is the former or the latter. * `k` indicating whether it is the former or the latter.
*
* Note this includes phi nodes, whereas `ref` above only includes explicit writes and captures.
*/ */
private predicate ssaRef(ReachableBasicBlock bb, int i, SsaSourceVariable v, RefKind k) { private predicate ssaRef(ReachableBasicBlock bb, int i, SsaSourceVariable v, RefKind k) {
useAt(bb, i, v) and k = ReadRef() useAt(bb, i, v) and k = ReadRef()
@@ -290,6 +292,172 @@ private module Internal {
or or
rewindReads(bb, i, v) = 1 and result = getDefReachingEndOf(bb.getImmediateDominator(), v) rewindReads(bb, i, v) = 1 and result = getDefReachingEndOf(bb.getImmediateDominator(), v)
} }
private module AdjacentUsesImpl {
/** Holds if `v` is defined or used in `b`. */
private predicate varOccursInBlock(SsaSourceVariable v, ReachableBasicBlock b) {
ssaRef(b, _, v, _)
}
/** Holds if `v` occurs in `b` or one of `b`'s transitive successors. */
private predicate blockPrecedesVar(SsaSourceVariable v, ReachableBasicBlock b) {
varOccursInBlock(v, b)
or
exists(getDefReachingEndOf(b, v))
}
/**
* Holds if `v` occurs in `b1` and `b2` is one of `b1`'s successors.
*
* Factored out of `varBlockReaches` to force join order compared to the larger
* set `blockPrecedesVar(v, b2)`.
*/
pragma[noinline]
private predicate varBlockReachesBaseCand(
SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2
) {
varOccursInBlock(v, b1) and
b2 = b1.getASuccessor()
}
/**
* Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and
* in `b2` or one of its transitive successors but not in any block on the path
* between `b1` and `b2`. Unlike `varBlockReaches` this may include blocks `b2`
* where `v` is dead.
*
* Factored out of `varBlockReaches` to force join order compared to the larger
* set `blockPrecedesVar(v, b2)`.
*/
pragma[noinline]
private predicate varBlockReachesRecCand(
SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock mid, ReachableBasicBlock b2
) {
varBlockReaches(v, b1, mid) and
not varOccursInBlock(v, mid) and
b2 = mid.getASuccessor()
}
/**
* Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and
* in `b2` or one of its transitive successors but not in any block on the path
* between `b1` and `b2`.
*/
private predicate varBlockReaches(
SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2
) {
varBlockReachesBaseCand(v, b1, b2) and
blockPrecedesVar(v, b2)
or
varBlockReachesRecCand(v, b1, _, b2) and
blockPrecedesVar(v, b2)
}
/**
* Holds if `b2` is a transitive successor of `b1` and `v` occurs in `b1` and
* `b2` but not in any block on the path between `b1` and `b2`.
*/
private predicate varBlockStep(
SsaSourceVariable v, ReachableBasicBlock b1, ReachableBasicBlock b2
) {
varBlockReaches(v, b1, b2) and
varOccursInBlock(v, b2)
}
/**
* Gets the maximum rank among all SSA references to `v` in basic block `bb`.
*/
private int maxSsaRefRank(ReachableBasicBlock bb, SsaSourceVariable v) {
result = max(ssaRefRank(bb, _, v, _))
}
/**
* Holds if `v` occurs at index `i1` in `b1` and at index `i2` in `b2` and
* there is a path between them without any occurrence of `v`.
*/
pragma[nomagic]
predicate adjacentVarRefs(
SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2
) {
exists(int rankix |
b1 = b2 and
ssaRefRank(b1, i1, v, _) = rankix and
ssaRefRank(b2, i2, v, _) = rankix + 1
)
or
maxSsaRefRank(b1, v) = ssaRefRank(b1, i1, v, _) and
varBlockStep(v, b1, b2) and
ssaRefRank(b2, i2, v, _) = 1
}
predicate variableUse(SsaSourceVariable v, IR::Instruction use, ReachableBasicBlock bb, int i) {
bb.getNode(i) = use and
exists(SsaVariable sv |
sv.getSourceVariable() = v and
use = sv.getAUse()
)
}
}
private import AdjacentUsesImpl
/**
* Holds if the value defined at `def` can reach `use` without passing through
* any other uses, but possibly through phi nodes.
*/
cached
predicate firstUse(SsaDefinition def, IR::Instruction use) {
exists(SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 |
adjacentVarRefs(v, b1, i1, b2, i2) and
def.definesAt(b1, i1, v) and
variableUse(v, use, b2, i2)
)
or
exists(
SsaSourceVariable v, SsaPhiNode redef, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2,
int i2
|
adjacentVarRefs(v, b1, i1, b2, i2) and
def.definesAt(b1, i1, v) and
redef.definesAt(b2, i2, v) and
firstUse(redef, use)
)
}
/**
* Holds if `use1` and `use2` form an adjacent use-use-pair of the same SSA
* variable, that is, the value read in `use1` can reach `use2` without passing
* through any other use or any SSA definition of the variable.
*/
cached
predicate adjacentUseUseSameVar(IR::Instruction use1, IR::Instruction use2) {
exists(SsaSourceVariable v, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2, int i2 |
adjacentVarRefs(v, b1, i1, b2, i2) and
variableUse(v, use1, b1, i1) and
variableUse(v, use2, b2, i2)
)
}
/**
* Holds if `use1` and `use2` form an adjacent use-use-pair of the same
* `SsaSourceVariable`, that is, the value read in `use1` can reach `use2`
* without passing through any other use or any SSA definition of the variable
* except for phi nodes and uncertain implicit updates.
*/
cached
predicate adjacentUseUse(IR::Instruction use1, IR::Instruction use2) {
adjacentUseUseSameVar(use1, use2)
or
exists(
SsaSourceVariable v, SsaPhiNode def, ReachableBasicBlock b1, int i1, ReachableBasicBlock b2,
int i2
|
adjacentVarRefs(v, b1, i1, b2, i2) and
variableUse(v, use1, b1, i1) and
def.definesAt(b2, i2, v) and
firstUse(def, use2)
)
}
} }
import Internal import Internal
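Review bot: `variableUse` is the only predicate in the new `AdjacentUsesImpl` module without a QLDoc comment, and it is not `private`, so `firstUse`, `adjacentUseUseSameVar` and `adjacentUseUse` all depend on its exact meaning. I would add `/** Holds if `use` is the `i`th node of `bb` and is a use of an SSA variable whose source variable is `v`. */` above it. `adjacentVarRefs` is also left non-private; if both are only meant to be reached through the `private import`, a short note in the module saying so would help.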


@@ -22,7 +22,7 @@ predicate containerStoreStep(Node node1, Node node2, Content c) {
t instanceof SliceType t instanceof SliceType
) and ) and
( (
exists(Write w | w.writesElement(node2.(PostUpdateNode).getPreUpdateNode(), _, node1)) exists(Write w | w.writesElement(node2, _, node1))
or or
node1 = node2.(ImplicitVarargsSlice).getCallNode().getAnImplicitVarargsArgument() node1 = node2.(ImplicitVarargsSlice).getCallNode().getAnImplicitVarargsArgument()
or or
@@ -36,17 +36,19 @@ predicate containerStoreStep(Node node1, Node node2, Content c) {
) )
or or
c instanceof CollectionContent and c instanceof CollectionContent and
exists(SendStmt send | exists(SendStmt send, Node channelExprNode |
send.getChannel() = node2.(ExprNode).asExpr() and send.getValue() = node1.(ExprNode).asExpr() send.getChannel() = channelExprNode.(ExprNode).asExpr() and
node2.(PostUpdateNode).getPreUpdateNode() = channelExprNode and
send.getValue() = node1.(ExprNode).asExpr()
) )
or or
c instanceof MapKeyContent and c instanceof MapKeyContent and
t instanceof MapType and t instanceof MapType and
exists(Write w | w.writesElement(node2.(PostUpdateNode).getPreUpdateNode(), node1, _)) exists(Write w | w.writesElement(node2, node1, _))
or or
c instanceof MapValueContent and c instanceof MapValueContent and
t instanceof MapType and t instanceof MapType and
exists(Write w | w.writesElement(node2.(PostUpdateNode).getPreUpdateNode(), _, node1)) exists(Write w | w.writesElement(node2, _, node1))
) )
} }
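Review bot: The three `Write w` branches of `containerStoreStep` now bind `node2` directly, while the `SendStmt` branch still spells out `node2.(PostUpdateNode).getPreUpdateNode() = channelExprNode`, so the predicate no longer shows that every branch targets a post-update node. Presumably `writesElement` now binds the post-update node of the base, as the sibling `writesElementPreUpdate` used elsewhere in this commit suggests, but that definition is not visible here. A comment on the first branch such as `// writesElement binds the post-update node of the base; the send case below has to ask for it explicitly` would keep the asymmetry from being misread. The predicate's body starts outside the hunk.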


@@ -12,7 +12,8 @@ private newtype TNode =
MkGlobalFunctionNode(Function f) or MkGlobalFunctionNode(Function f) or
MkImplicitVarargsSlice(CallExpr c) { c.hasImplicitVarargs() } or MkImplicitVarargsSlice(CallExpr c) { c.hasImplicitVarargs() } or
MkSliceElementNode(SliceExpr se) or MkSliceElementNode(SliceExpr se) or
MkFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) MkFlowSummaryNode(FlowSummaryImpl::Private::SummaryNode sn) or
MkDefaultPostUpdateNode(IR::Instruction insn) { insnHasPostUpdateNode(insn) }
/** Nodes intended for only use inside the data-flow libraries. */ /** Nodes intended for only use inside the data-flow libraries. */
module Private { module Private {
@@ -760,18 +761,27 @@ module Public {
predicate isReceiverOf(MethodDecl m) { parm.isReceiverOf(m) } predicate isReceiverOf(MethodDecl m) { parm.isReceiverOf(m) }
} }
private Node getADirectlyWrittenNode() { private IR::Instruction getADirectlyWrittenInsn() {
exists(Write w | w.writesComponent(result, _)) or exists(Write w | w.writesComponentInstruction(result, _))
result = DataFlow::exprNode(any(SendStmt s).getChannel())
}
private DataFlow::Node getAccessPathPredecessor(DataFlow::Node node) {
result = node.(PointerDereferenceNode).getOperand()
or or
result = node.(ComponentReadNode).getBase() result = IR::evalExprInstruction(any(SendStmt s).getChannel())
} }
private Node getAWrittenNode() { result = getAccessPathPredecessor*(getADirectlyWrittenNode()) } private IR::Instruction getAccessPathPredecessorInsn(IR::Instruction insn) {
exists(Expr e1, Expr e2 |
insn = IR::evalExprInstruction(e1) and result = IR::evalExprInstruction(e2)
|
e2 = e1.(DerefExpr).getOperand() or e2 = e1.(StarExpr).getBase()
)
or
exists(Expr e | insn = IR::implicitDerefInstruction(e) and result = IR::evalExprInstruction(e))
or
result = insn.(IR::ComponentReadInstruction).getBase()
}
private IR::Instruction getAWrittenInsn() {
result = getAccessPathPredecessorInsn*(getADirectlyWrittenInsn())
}
/** /**
* Holds if `tp` is a type that may (directly or indirectly) reference a memory location. * Holds if `tp` is a type that may (directly or indirectly) reference a memory location.
@@ -807,31 +817,51 @@ module Public {
abstract Node getPreUpdateNode(); abstract Node getPreUpdateNode();
} }
private class DefaultPostUpdateNode extends PostUpdateNode { /** Holds if the node corresponding to `insn` has a post-update node. */
predicate insnHasPostUpdateNode(IR::Instruction insn) {
exists(Expr e | insn.(IR::EvalInstruction).getExpr() = e |
e instanceof AddressExpr or
e = any(AddressExpr ae).getOperand() or
e = any(StarExpr ae).getBase() or
e = any(DerefExpr ae).getOperand() or
e = any(IR::EvalImplicitDerefInstruction eidi).getOperand()
)
or
exists(CallExpr ce |
ce.getArgument(0).getType() instanceof TupleType and
insn = IR::extractTupleElement(IR::evalExprInstruction(ce.getArgument(0)), _)
or
not ce.getArgument(0).getType() instanceof TupleType and
insn = IR::evalExprInstruction(ce.getAnArgument())
or
// Receiver of a method call
exists(IR::MethodReadInstruction mri |
ce.getTarget() instanceof Method and
mri = IR::evalExprInstruction(ce.getCalleeExpr()) and
insn = mri.getReceiver()
)
) and
mutableType(insn.getResultType())
or
insn = getAWrittenInsn()
}
private class DefaultPostUpdateNode extends PostUpdateNode, MkDefaultPostUpdateNode {
Node preupd; Node preupd;
DefaultPostUpdateNode() { DefaultPostUpdateNode() { this = MkDefaultPostUpdateNode(preupd.asInstruction()) }
(
preupd instanceof AddressOperationNode
or
preupd = any(AddressOperationNode addr).getOperand()
or
preupd = any(PointerDereferenceNode deref).getOperand()
or
preupd = getAWrittenNode()
or
preupd = any(ArgumentNode arg).getACorrespondingSyntacticArgument() and
mutableType(preupd.getType())
) and
(
preupd = this.(SsaNode).getAUse()
or
preupd = this and
not basicLocalFlowStep(_, this)
)
}
override Node getPreUpdateNode() { result = preupd } override Node getPreUpdateNode() { result = preupd }
override ControlFlow::Root getRoot() { result = preupd.getRoot() }
override Type getType() { result = preupd.getType() }
override string getNodeKind() { result = "post-update node" }
override string toString() { result = preupd.toString() + " [postupdate]" }
override Location getLocation() { result = preupd.getLocation() }
} }
/** /**
@@ -866,7 +896,7 @@ module Public {
int getPosition() { result = i } int getPosition() { result = i }
/** /**
* Gets a data-flow node for a syntactic argument corresponding this this * Gets a data-flow node for a syntactic argument corresponding to this
* argument. If this argument is not an implicit varargs slice then this * argument. If this argument is not an implicit varargs slice then this
* will just be the argument itself. If this argument is an implicit * will just be the argument itself. If this argument is an implicit
* varargs slice then this will be a data-flow node that for an argument * varargs slice then this will be a data-flow node that for an argument
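Review bot: In `insnHasPostUpdateNode` the `mutableType(insn.getResultType())` conjunct applies only to the `exists(CallExpr ce | …)` disjunct, because `and` binds tighter than `or`, and that is easy to misread in a three-way disjunction. Wrapping that disjunct in parentheses, or adding `// only arguments and receivers are restricted to mutable types`, would make the intent explicit. The predicate is also declared without `private` inside `module Public`, so it appears to become part of the public surface. If it is exposed only so the `MkDefaultPostUpdateNode` branch of `TNode` can reference it, its QLDoc should say so.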


@@ -65,23 +65,30 @@ predicate basicLocalFlowStep(Node nodeFrom, Node nodeTo) {
else nodeTo.asInstruction() = evalAssert else nodeTo.asInstruction() = evalAssert
) )
or or
// Instruction -> SSA // Instruction -> SSA defn
exists(IR::Instruction pred, SsaExplicitDefinition succ | exists(IR::Instruction pred, SsaExplicitDefinition succ |
succ.getRhs() = pred and succ.getRhs() = pred and
nodeFrom = instructionNode(pred) and (
nodeTo = ssaNode(succ) nodeFrom = instructionNode(pred) or
nodeFrom.(PostUpdateNode).getPreUpdateNode() = instructionNode(pred)
) and
nodeTo = ssaNode(succ.getVariable())
) )
or or
// SSA -> SSA // SSA defn -> first SSA use
exists(SsaDefinition pred, SsaPseudoDefinition succ | succ.getAnInput() = pred | exists(SsaDefinition pred, IR::Instruction succ | succ = pred.getAFirstUse() |
nodeFrom = ssaNode(pred) and (pred instanceof SsaExplicitDefinition or pred instanceof SsaVariableCapture) and
nodeTo = ssaNode(succ) nodeFrom = ssaNode(pred.getVariable()) and
nodeTo = instructionNode(succ)
) )
or or
// SSA -> Instruction // SSA use -> successive SSA use
exists(SsaDefinition pred, IR::Instruction succ | // Note this case includes Phi node traversal
succ = pred.getVariable().getAUse() and exists(IR::Instruction pred, IR::Instruction succ | succ = getAnAdjacentUse(pred) |
nodeFrom = ssaNode(pred) and (
nodeFrom = instructionNode(pred) or
nodeFrom.(PostUpdateNode).getPreUpdateNode() = instructionNode(pred)
) and
nodeTo = instructionNode(succ) nodeTo = instructionNode(succ)
) )
or or
@@ -96,6 +103,10 @@ private Field getASparselyUsedChannelTypedField() {
count(result.getARead()) = 2 count(result.getARead()) = 2
} }
bindingset[v]
pragma[inline_late]
private predicate isValueEntityRead(ValueEntity v, Node n) { n = v.getARead() }
/** /**
* Holds if data can flow from `node1` to `node2` in a way that loses the * Holds if data can flow from `node1` to `node2` in a way that loses the
* calling context. For example, this would happen with flow through a * calling context. For example, this would happen with flow through a
@@ -110,14 +121,22 @@ predicate jumpStep(Node n1, Node n2) {
or or
n1.(DataFlow::PostUpdateNode).getPreUpdateNode() = v.getARead() n1.(DataFlow::PostUpdateNode).getPreUpdateNode() = v.getARead()
) and ) and
n2 = v.getARead() isValueEntityRead(v, n2)
) )
or or
exists(SsaDefinition pred, SsaDefinition succ | exists(SsaExplicitDefinition def, SsaVariableCapture succ |
succ.(SsaVariableCapture).getSourceVariable() = pred.(SsaExplicitDefinition).getSourceVariable() succ.getSourceVariable() = def.getSourceVariable() and
|
n1 = ssaNode(pred) and
n2 = ssaNode(succ) n2 = ssaNode(succ)
|
not exists(def.getAFirstUse()) and n1 = ssaNode(def)
or
exists(IR::Instruction lastUse |
lastUse = getAnAdjacentUse*(def.getAFirstUse()) and
not exists(getAnAdjacentUse(lastUse))
|
n1 = instructionNode(lastUse) or
n1.(DataFlow::PostUpdateNode).getPreUpdateNode() = instructionNode(lastUse)
)
) )
or or
// If a channel-typed field is referenced exactly once in the context of // If a channel-typed field is referenced exactly once in the context of
@@ -145,15 +164,17 @@ predicate jumpStep(Node n1, Node n2) {
*/ */
predicate storeStep(Node node1, ContentSet cs, Node node2) { predicate storeStep(Node node1, ContentSet cs, Node node2) {
exists(Content c | cs.asOneContent() = c | exists(Content c | cs.asOneContent() = c |
// a write `(*p).f = rhs` is modeled as two store steps: `rhs` is flows into field `f` of `(*p)`, // a write `(*p).f = rhs` is modeled as two store steps: `rhs` is flows into field `f` of the
// which in turn flows into the pointer content of `p` // post-update node of `(*p)`, which in turn flows into the pointer content of the post-update
// node of `p`
exists(Write w, Field f, DataFlow::Node base, DataFlow::Node rhs | w.writesField(base, f, rhs) | exists(Write w, Field f, DataFlow::Node base, DataFlow::Node rhs | w.writesField(base, f, rhs) |
node1 = rhs and node1 = rhs and
node2.(PostUpdateNode).getPreUpdateNode() = base and node2 = base and
c = any(DataFlow::FieldContent fc | fc.getField() = f) c = any(DataFlow::FieldContent fc | fc.getField() = f)
or or
node1 = base and node1 = base and
node2.(PostUpdateNode).getPreUpdateNode() = node1.(PointerDereferenceNode).getOperand() and node2.(PostUpdateNode).getPreUpdateNode() =
node1.(PostUpdateNode).getPreUpdateNode().(PointerDereferenceNode).getOperand() and
c = any(DataFlow::PointerContent pc | pc.getPointerType() = node2.getType()) c = any(DataFlow::PointerContent pc | pc.getPointerType() = node2.getType())
) )
or or
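Review bot: In the rewritten capture case of `jumpStep`, `lastUse` must have no adjacent use (`not exists(getAnAdjacentUse(lastUse))`), and `getAnAdjacentUse` is documented as traversing phi nodes. If a use inside a loop can reach itself through a loop-header phi, the definition would have first uses but no use without a successor. Then neither disjunct yields a step into the `SsaVariableCapture`, and flow into closures is dropped silently. I can't confirm this from the hunk alone; a test with a captured variable that is conditionally reassigned and read inside a loop would settle it. The previous form linked every explicit definition to the capture, so the risk is missed results rather than extra noise, and `jumpStep` continues outside the hunk.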


@@ -442,7 +442,7 @@ module SourceSinkInterpretationInput implements
f = e.asFieldEntity() f = e.asFieldEntity()
| |
c = "" and c = "" and
fw.writesField(base, f, node.asNode()) and fw.writesFieldPreUpdate(base, f, node.asNode()) and
pragma[only_bind_into](e) = getElementWithQualifier(f, base) pragma[only_bind_into](e) = getElementWithQualifier(f, base)
) )
or or


@@ -83,23 +83,25 @@ class AdditionalTaintStep extends Unit {
abstract predicate step(DataFlow::Node node1, DataFlow::Node node2); abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
} }
/** private predicate localAdditionalForwardTaintStep(
* Holds if the additional step from `pred` to `succ` should be included in all DataFlow::Node pred, DataFlow::Node succ, string model
* global taint flow configurations. ) {
*/ exists(DataFlow::Node pred2 |
predicate localAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ, string model) { pred2 = pred
( or
referenceStep(pred, succ) or pred2 = pred.(DataFlow::PostUpdateNode).getPreUpdateNode()
elementWriteStep(pred, succ) or |
fieldReadStep(pred, succ) or referenceStep(pred2, succ) or
elementStep(pred, succ) or elementWriteStep(pred2, succ) or
tupleStep(pred, succ) or fieldReadStep(pred2, succ) or
stringConcatStep(pred, succ) or elementStep(pred2, succ) or
sliceStep(pred, succ) tupleStep(pred2, succ) or
stringConcatStep(pred2, succ) or
sliceStep(pred2, succ)
) and ) and
model = "" model = ""
or or
any(FunctionModel fm).taintStep(pred, succ) and model = "FunctionModel" any(FunctionModel fm).forwardTaintStep(pred, succ) and model = "FunctionModel"
or or
any(AdditionalTaintStep a).step(pred, succ) and model = "AdditionalTaintStep" any(AdditionalTaintStep a).step(pred, succ) and model = "AdditionalTaintStep"
or or
@@ -107,6 +109,43 @@ predicate localAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ, str
.getSummaryNode(), succ.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, model) .getSummaryNode(), succ.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, model)
} }
/**
* This is a helper predicate for `localAdditionalBackwardTaintStep`. It mixes
* local data flow with local forward taint steps. It should only ever be used
* via its transitive closure, which gives local forward taint flow, that is
* with backward steps excluded.
*/
private predicate partialLocalForwardTaintFlow(DataFlow::Node pred, DataFlow::Node succ) {
DataFlow::localFlow(pred, succ) or
localAdditionalForwardTaintStep(pred, succ, _) or
// Simple flow through library code is included in the exposed local
// step relation, even though flow is technically inter-procedural
FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(pred, succ, _)
}
/**
* Holds if taint flows backwards from `pred` to `succ` via a function model.
*/
private predicate localAdditionalBackwardTaintStep(
DataFlow::Node pred, DataFlow::Node succ, string model
) {
// backward step through function model
exists(FunctionModel m, DataFlow::Node resultNode |
m.backwardTaintStep(resultNode, succ) and
partialLocalForwardTaintFlow+(resultNode, pred.(DataFlow::PostUpdateNode).getPreUpdateNode())
) and
model = "FunctionModel"
}
/**
* Holds if the additional step from `pred` to `succ` should be included in all
* global taint flow configurations.
*/
predicate localAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ, string model) {
localAdditionalForwardTaintStep(pred, succ, model) or
localAdditionalBackwardTaintStep(pred, succ, model)
}
/** /**
* Holds if taint flows from `pred` to `succ` via a reference or dereference. * Holds if taint flows from `pred` to `succ` via a reference or dereference.
* *
@@ -140,7 +179,7 @@ predicate referenceStep(DataFlow::Node pred, DataFlow::Node succ) {
* `succ`. * `succ`.
*/ */
predicate elementWriteStep(DataFlow::Node pred, DataFlow::Node succ) { predicate elementWriteStep(DataFlow::Node pred, DataFlow::Node succ) {
any(DataFlow::Write w).writesElement(succ.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, pred) any(DataFlow::Write w).writesElement(succ, _, pred)
or or
FlowSummaryImpl::Private::Steps::summaryStoreStep(pred.(DataFlowPrivate::FlowSummaryNode) FlowSummaryImpl::Private::Steps::summaryStoreStep(pred.(DataFlowPrivate::FlowSummaryNode)
.getSummaryNode(), any(DataFlow::ArrayContent ac).asContentSet(), .getSummaryNode(), any(DataFlow::ArrayContent ac).asContentSet(),
@@ -195,23 +234,36 @@ abstract class FunctionModel extends Function {
abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output); abstract predicate hasTaintFlow(FunctionInput input, FunctionOutput output);
/** Gets an input node for this model for the call `c`. */ /** Gets an input node for this model for the call `c`. */
DataFlow::Node getAnInputNode(DataFlow::CallNode c) { this.taintStepForCall(result, _, c) } DataFlow::Node getAnInputNode(DataFlow::CallNode c) { this.taintStepForCall(result, _, c, _) }
/** Gets an output node for this model for the call `c`. */ /** Gets an output node for this model for the call `c`. */
DataFlow::Node getAnOutputNode(DataFlow::CallNode c) { this.taintStepForCall(_, result, c) } DataFlow::Node getAnOutputNode(DataFlow::CallNode c) { this.taintStepForCall(_, result, c, _) }
/** Holds if this function model causes taint to flow from `pred` to `succ` for the call `c`. */ /** Holds if this function model causes taint to flow from `pred` to `succ` for the call `c`. */
predicate taintStepForCall(DataFlow::Node pred, DataFlow::Node succ, DataFlow::CallNode c) { predicate taintStepForCall(
DataFlow::Node pred, DataFlow::Node succ, DataFlow::CallNode c, Boolean forward
) {
c = this.getACall() and c = this.getACall() and
exists(FunctionInput inp, FunctionOutput outp | this.hasTaintFlow(inp, outp) | exists(FunctionInput inp, FunctionOutput outp | this.hasTaintFlow(inp, outp) |
pred = pragma[only_bind_out](inp).getNode(c) and pred = pragma[only_bind_out](inp).getNode(c) and
succ = pragma[only_bind_out](outp).getNode(c) succ = pragma[only_bind_out](outp).getNode(c) and
if inp.isResult() or inp.isResult(_) then forward = false else forward = true
) )
} }
/** Holds if this function model causes taint to flow from `pred` to `succ`. */ /** Holds if this function model causes taint to flow from `pred` to `succ`. */
predicate taintStep(DataFlow::Node pred, DataFlow::Node succ) { predicate taintStep(DataFlow::Node pred, DataFlow::Node succ) {
this.taintStepForCall(pred, succ, _) this.taintStepForCall(pred, succ, _, _)
}
/** Holds if this function model causes taint to flow forward from `pred` to `succ`. */
predicate forwardTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
this.taintStepForCall(pred, succ, _, true)
}
/** Holds if this function model causes taint to flow backwards from `pred` to `succ`. */
predicate backwardTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
this.taintStepForCall(pred, succ, _, false)
} }
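Review bot: `taintStepForCall` gains a fourth parameter `forward`, but its QLDoc is unchanged and the three-argument form disappears from a public member of the abstract class `FunctionModel`. I would extend the comment to `/** Holds if this function model causes taint to flow from `pred` to `succ` for the call `c`. `forward` is false when the input is a result of the call, and true otherwise. */`. Queries outside this repository that call or override the three-argument predicate will stop compiling, so consider keeping a deprecated overload that delegates with `_`. Separately, `localAdditionalBackwardTaintStep` takes `partialLocalForwardTaintFlow+` over all local flow without any caching or join hint, which may be worth a performance check on a large database.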
} }


@@ -26,9 +26,14 @@ module EmailData {
private class SmtpData extends Range { private class SmtpData extends Range {
SmtpData() { SmtpData() {
// func (c *Client) Data() (io.WriteCloser, error) // func (c *Client) Data() (io.WriteCloser, error)
exists(Method data | exists(Method data, DataFlow::Node n |
data.hasQualifiedName("net/smtp", "Client", "Data") and data.hasQualifiedName("net/smtp", "Client", "Data") and
this.(DataFlow::SsaNode).getInit() = data.getACall().getResult(0) // Deal with cases like
// w, _ := s.Data()
// io.WriteString(w, source()) // $ Alert
// w.Write(source()) // $ Alert
DataFlow::localFlow(data.getACall().getResult(0), n) and
this.(DataFlow::PostUpdateNode).getPreUpdateNode() = n
) )
or or
// func SendMail(addr string, a Auth, from string, to []string, msg []byte) error // func SendMail(addr string, a Auth, from string, to []string, msg []byte) error


@@ -27,7 +27,7 @@ module GinCors {
AllowCredentialsWrite() { AllowCredentialsWrite() {
exists(Field f, Write w | exists(Field f, Write w |
f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and f.hasQualifiedName(packagePath(), "Config", "AllowCredentials") and
w.writesField(base, f, this) and w.writesFieldPreUpdate(base, f, this) and
this.getType() instanceof BoolType this.getType() instanceof BoolType
) )
} }
@@ -61,7 +61,7 @@ module GinCors {
AllowOriginsWrite() { AllowOriginsWrite() {
exists(Field f, Write w | exists(Field f, Write w |
f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and f.hasQualifiedName(packagePath(), "Config", "AllowOrigins") and
w.writesField(base, f, this) and w.writesFieldPreUpdate(base, f, this) and
this.asExpr() instanceof SliceLit this.asExpr() instanceof SliceLit
) )
} }
@@ -95,7 +95,7 @@ module GinCors {
AllowAllOriginsWrite() { AllowAllOriginsWrite() {
exists(Field f, Write w | exists(Field f, Write w |
f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and f.hasQualifiedName(packagePath(), "Config", "AllowAllOrigins") and
w.writesField(base, f, this) and w.writesFieldPreUpdate(base, f, this) and
this.getType() instanceof BoolType this.getType() instanceof BoolType
) )
} }
@@ -109,14 +109,9 @@ module GinCors {
* Get config variable holding header values * Get config variable holding header values
*/ */
override GinConfig getConfig() { override GinConfig getConfig() {
exists(GinConfig gc | result.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() =
( base.asInstruction() or
gc.getV().getBaseVariable().getDefinition().(SsaExplicitDefinition).getRhs() = result.getV().getAUse() = base
base.asInstruction() or
gc.getV().getAUse() = base
) and
result = gc
)
} }
} }


@@ -38,9 +38,8 @@ module NoSql {
*/ */
predicate isAdditionalMongoTaintStep(DataFlow::Node pred, DataFlow::Node succ) { predicate isAdditionalMongoTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
// Taint an entry if the `Value` is tainted // Taint an entry if the `Value` is tainted
exists(Write w, DataFlow::Node base, Field f | w.writesField(base, f, pred) | exists(Write w, Field f | w.writesField(succ, f, pred) |
base = succ.(DataFlow::PostUpdateNode).getPreUpdateNode() and succ.getType().hasQualifiedName(package("go.mongodb.org/mongo-driver", "bson/primitive"), "E") and
base.getType().hasQualifiedName(package("go.mongodb.org/mongo-driver", "bson/primitive"), "E") and
f.getName() = "Value" f.getName() = "Value"
) )
} }


@@ -64,11 +64,10 @@ module Protobuf {
*/ */
private class MarshalStateStep extends TaintTracking::AdditionalTaintStep { private class MarshalStateStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) { override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::PostUpdateNode marshalInput, DataFlow::CallNode marshalStateCall | exists(DataFlow::Node marshalInput, DataFlow::CallNode marshalStateCall |
marshalStateCall = marshalStateMethod().getACall() and marshalStateCall = marshalStateMethod().getACall() and
// pred -> marshalInput.Message // pred -> marshalInput.Message
any(DataFlow::Write w) any(DataFlow::Write w).writesField(marshalInput, inputMessageField(), pred) and
.writesField(marshalInput.getPreUpdateNode(), inputMessageField(), pred) and
// marshalInput -> marshalStateCall // marshalInput -> marshalStateCall
marshalStateCall.getArgument(0) = globalValueNumber(marshalInput).getANode() and marshalStateCall.getArgument(0) = globalValueNumber(marshalInput).getANode() and
// marshalStateCall -> succ // marshalStateCall -> succ
@@ -142,10 +141,10 @@ module Protobuf {
private class WriteMessageFieldStep extends TaintTracking::AdditionalTaintStep { private class WriteMessageFieldStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node pred, DataFlow::Node succ) { override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
[succ.getType(), succ.getType().getPointerType()] instanceof MessageType and [succ.getType(), succ.getType().getPointerType()] instanceof MessageType and
exists(DataFlow::ReadNode base | exists(DataFlow::Write w, DataFlow::ReadNode base |
succ.(DataFlow::PostUpdateNode).getPreUpdateNode() = getUnderlyingNode(base) w.writesElementPreUpdate(base, _, pred) or w.writesFieldPreUpdate(base, _, pred)
| |
any(DataFlow::Write w).writesComponent(base, pred) succ.(DataFlow::PostUpdateNode).getPreUpdateNode() = getUnderlyingNode(base)
) )
} }
} }
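Review bot: In `MarshalStateStep`, `marshalInput` is now whatever `writesField` binds as the base, and it is still passed to `globalValueNumber(marshalInput)`. If `writesField` yields the new synthetic post-update node, as the other call sites in this commit suggest, this conjunct only holds when value numbering is defined for those nodes, which the page does not show. Otherwise the step silently never fires. Binding the pre-update node would avoid the dependency: `any(DataFlow::Write w).writesFieldPreUpdate(marshalInput, inputMessageField(), pred) and`. A regression test covering this step would show which reading is correct.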


@@ -54,7 +54,7 @@ module RsCors {
AllowCredentialsWrite() { AllowCredentialsWrite() {
exists(Field f, Write w | exists(Field f, Write w |
f.hasQualifiedName(packagePath(), "Options", "AllowCredentials") and f.hasQualifiedName(packagePath(), "Options", "AllowCredentials") and
w.writesField(base, f, this) and w.writesFieldPreUpdate(base, f, this) and
this.getType() instanceof BoolType this.getType() instanceof BoolType
) )
} }
@@ -82,7 +82,7 @@ module RsCors {
AllowOriginsWrite() { AllowOriginsWrite() {
exists(Field f, Write w | exists(Field f, Write w |
f.hasQualifiedName(packagePath(), "Options", "AllowedOrigins") and f.hasQualifiedName(packagePath(), "Options", "AllowedOrigins") and
w.writesField(base, f, this) and w.writesFieldPreUpdate(base, f, this) and
this.asExpr() instanceof SliceLit this.asExpr() instanceof SliceLit
) )
} }
@@ -113,7 +113,7 @@ module RsCors {
AllowAllOriginsWrite() { AllowAllOriginsWrite() {
exists(Field f, Write w | exists(Field f, Write w |
f.hasQualifiedName(packagePath(), "Options", "AllowAllOrigins") and f.hasQualifiedName(packagePath(), "Options", "AllowAllOrigins") and
w.writesField(base, f, this) and w.writesFieldPreUpdate(base, f, this) and
this.getType() instanceof BoolType this.getType() instanceof BoolType
) )
} }


@@ -52,7 +52,7 @@ module NetHttp {
MapWrite() { MapWrite() {
this.getType().hasQualifiedName("net/http", "Header") and this.getType().hasQualifiedName("net/http", "Header") and
any(Write write).writesElement(this, index, rhs) any(Write write).writesElementPreUpdate(this, index, rhs)
} }
override DataFlow::Node getName() { result = index } override DataFlow::Node getName() { result = index }


@@ -32,7 +32,10 @@ module AllocationSizeOverflow {
/** /**
* A data-flow node that is an operand to an operation that may overflow. * A data-flow node that is an operand to an operation that may overflow.
*/ */
abstract class OverflowProneOperand extends DataFlow::Node { } abstract class OverflowProneOperand extends DataFlow::Node {
/** Gets the operation that may overflow that `this` is an operand of. */
abstract DataFlow::Node getOverflowProneOperation();
}
/** /**
* A data-flow node that represents the size argument of an allocation, such as the `n` in * A data-flow node that represents the size argument of an allocation, such as the `n` in
@@ -91,8 +94,7 @@ module AllocationSizeOverflow {
AllocationSize allocsz; AllocationSize allocsz;
DefaultSink() { DefaultSink() {
this instanceof OverflowProneOperand and localStep*(this.(OverflowProneOperand).getOverflowProneOperation(), allocsz) and
localStep*(this, allocsz) and
not allocsz instanceof AllocationSizeCheckBarrier not allocsz instanceof AllocationSizeCheckBarrier
} }
@@ -134,15 +136,18 @@ module AllocationSizeOverflow {
/** An operand of an arithmetic expression that could cause overflow. */ /** An operand of an arithmetic expression that could cause overflow. */
private class DefaultOverflowProneOperand extends OverflowProneOperand { private class DefaultOverflowProneOperand extends OverflowProneOperand {
OperatorExpr parent;
DefaultOverflowProneOperand() { DefaultOverflowProneOperand() {
exists(OperatorExpr parent | isOverflowProne(parent) | isOverflowProne(parent) and
this.asExpr() = parent.getAnOperand() and this.asExpr() = parent.getAnOperand() and
// only consider outermost operands to avoid double reporting // only consider outermost operands to avoid double reporting
not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() | not exists(OperatorExpr grandparent | parent = grandparent.getAnOperand().stripParens() |
isOverflowProne(grandparent) isOverflowProne(grandparent)
)
) )
} }
override DataFlow::Node getOverflowProneOperation() { result.asExpr() = parent }
} }
/** /**
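Review bot: `OverflowProneOperand` is an extension point, and `DefaultSink` now starts from `getOverflowProneOperation()` instead of from the operand itself. A custom subclass written against the old empty class will therefore contribute no sinks until it implements the new abstract member. I would state this in the class QLDoc, e.g. `* Subclasses must implement `getOverflowProneOperation`; operands without one are ignored by the default sink.`, and mention it in a change note. It would also help to say in the QLDoc of `getOverflowProneOperation` that the result is the node for the enclosing arithmetic expression, which is what `DefaultOverflowProneOperand` returns via `result.asExpr() = parent`.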


@@ -35,9 +35,7 @@ module CleartextLogging {
predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) { predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
// A taint propagating data-flow edge through structs: a tainted write taints the entire struct. // A taint propagating data-flow edge through structs: a tainted write taints the entire struct.
exists(Write write | exists(Write write | write.writesField(trg, _, src))
write.writesField(trg.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, src)
)
or or
// taint steps that do not include flow through fields. Field reads would produce FPs due to // taint steps that do not include flow through fields. Field reads would produce FPs due to
// the additional taint step above that taints whole structs from individual field writes. // the additional taint step above that taints whole structs from individual field writes.
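Review bot: The comment on the struct-taint step still says only that a tainted write taints the entire struct, while the call appears to have changed from passing the pre-update node of `trg` to passing `trg` itself. A reader cannot tell from this that `trg` is now expected to be the post-update node of the written base (this assumes `writesField` now binds the post-update node, which this page does not show). A comment such as `// trg is the post-update node of the struct being written to` would make that explicit. The same gap applies to the later sections that now call `w.writesField(succ, f, pred)` or `w.writesField(node2, f, node1)` for Host, RedirectURL and session-option writes; only the SafeUrlFlow hunk states it. `isAdditionalFlowStep` continues past the end of the hunk.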


@@ -55,6 +55,8 @@ module CleartextLogging {
| |
this.asExpr().(Ident).getName() = name this.asExpr().(Ident).getName() = name
or or
this.(DataFlow::SsaNode).getSourceVariable().getName() = name
or
this.(DataFlow::FieldReadNode).getFieldName() = name this.(DataFlow::FieldReadNode).getFieldName() = name
or or
this.(DataFlow::CallNode).getCalleeName() = name this.(DataFlow::CallNode).getCalleeName() = name
@@ -143,7 +145,7 @@ module CleartextLogging {
not this instanceof NonCleartextPassword and not this instanceof NonCleartextPassword and
name.regexpMatch(maybePassword()) and name.regexpMatch(maybePassword()) and
( (
this.asExpr().(Ident).getName() = name this.(DataFlow::SsaNode).getSourceVariable().getName() = name
or or
exists(DataFlow::FieldReadNode fn | exists(DataFlow::FieldReadNode fn |
fn = this and fn = this and
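Review bot: The two hunks of this file treat identifier matches differently: the first keeps `this.asExpr().(Ident).getName() = name` and adds the `DataFlow::SsaNode` alternative beside it, while the second appears to replace the identifier match with the SSA one (the rendering has lost the +/- markers, so this is read from the left/right print order). If that reading is right, a password-named identifier with no SSA definition, presumably a package-level variable for example, would no longer be a source for the cleartext-logging query. Keeping both alternatives, `this.asExpr().(Ident).getName() = name or this.(DataFlow::SsaNode).getSourceVariable().getName() = name`, or a comment saying why the identifier form is dropped here, would settle it. The enclosing characteristic predicate starts and ends outside the hunk.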


@@ -84,6 +84,28 @@ module CommandInjection {
} }
predicate observeDiffInformedIncrementalMode() { any() } predicate observeDiffInformedIncrementalMode() { any() }
// Hack: with use-use flow, we might have x (use at line 1) -> x (use at line 2),
// x (use at line 1) -> array at line 1 and x (use at line 2) -> array at line 2,
// in the context
//
// array1 := {"--", x}
// array2 := {x, "--"}
//
// We want to taint array2 but not array1, which suggests excluding the edge x (use 1) -> array1
// However isSanitizer only allows us to remove nodes (isSanitizerIn/Out permit removing all outgoing
// or incoming edges); we can't remove an individual edge, so instead we supply extra edges connecting
// the definition with the next use.
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(
ArgumentArrayWithDoubleDash array, DataFlow::InstructionNode sanitized,
DataFlow::SsaNode defn
|
sanitized = array.getASanitizedElement() and sanitized = defn.getAUse()
|
pred = defn and succ = sanitized.getASuccessor()
)
}
} }
/** /**
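Review bot: The added `isAdditionalFlowStep` starts its bypass edge only at the SSA definition (`pred = defn`), so taint that joins the variable later than its definition, for instance at the post-update node of an earlier use, presumably still has to pass through the sanitized array element and is lost for the uses after it. That would be a missed command-injection result rather than a false alarm, so it deserves either a test for that shape or a sentence in the comment naming it as a known gap. The comment is also labelled `Hack:`, although the reasoning is specific enough to stand as QLDoc on the predicate describing the extra definition-to-next-use edge.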


@@ -290,13 +290,17 @@ private predicate integerTypeBound(IntegerType it, int bitSize, int architecture
* the type assertion succeeded. If it is not checked then there will be a * the type assertion succeeded. If it is not checked then there will be a
* run-time panic if the type assertion fails, so we can assume it succeeded. * run-time panic if the type assertion fails, so we can assume it succeeded.
*/ */
class TypeAssertionCheck extends DataFlow::ExprNode, FlowStateTransformer { class TypeAssertionCheck extends DataFlow::InstructionNode, FlowStateTransformer {
IntegerType it; IntegerType it;
TypeAssertionCheck() { TypeAssertionCheck() {
exists(TypeAssertExpr tae | exists(IR::Instruction evalAssert, TypeAssertExpr assert |
this = DataFlow::exprNode(tae.getExpr()) and it = assert.getTypeExpr().getType().getUnderlyingType() and
it = tae.getTypeExpr().getType().getUnderlyingType() evalAssert = IR::evalExprInstruction(assert)
|
if exists(IR::extractTupleElement(evalAssert, _))
then this.asInstruction() = IR::extractTupleElement(evalAssert, 0)
else this.asInstruction() = evalAssert
) )
} }
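Review bot: The new constructor has no comment explaining its `if exists(IR::extractTupleElement(evalAssert, _))` branch, and the class QLDoc, which starts above the hunk, speaks only of checked and unchecked assertions. A line such as `// two-result form: the asserted value is element 0 of the result tuple; otherwise it is the assertion instruction itself` above the `if` would tell the reader which instruction the node stands for in each case. That reading of the two branches is taken from the code shown here and should be confirmed against the IR library.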


@@ -35,7 +35,15 @@ module LogInjection {
/** An argument to a logging mechanism. */ /** An argument to a logging mechanism. */
class LoggerSink extends Sink { class LoggerSink extends Sink {
LoggerSink() { this = any(LoggerCall log).getAValueFormattedMessageComponent() } LoggerSink() {
exists(LoggerCall call |
this = call.getAValueFormattedMessageComponent() and
// exclude arguments to `call` which have a safe format argument, which
// aren't caught by SafeFormatArgumentSanitizer as that sanitizes the
// result of the call.
not safeFormatArgument(this, call)
)
}
} }
/** /**
@@ -47,6 +55,22 @@ module LogInjection {
ReplaceSanitizer() { this.getReplacedString() = ["\r", "\n"] } ReplaceSanitizer() { this.getReplacedString() = ["\r", "\n"] }
} }
/**
* Holds if `arg` is an argument to `call` that is formatted using the `%q`
* directive. This formatting directive replaces newline characters with
* escape sequences, so `arg` would not be a sink for log injection.
*/
private predicate safeFormatArgument(
DataFlow::Node arg, StringOps::Formatting::StringFormatCall call
) {
exists(string safeDirective |
// Mark "%q" formats as safe, but not "%#q", which would preserve newline characters.
safeDirective.regexpMatch("%[^%#]*q")
|
arg = call.getOperand(_, safeDirective)
)
}
/** /**
* An argument that is formatted using the `%q` directive, considered as a sanitizer * An argument that is formatted using the `%q` directive, considered as a sanitizer
* for log injection. * for log injection.
@@ -55,10 +79,8 @@ module LogInjection {
*/ */
private class SafeFormatArgumentSanitizer extends Sanitizer { private class SafeFormatArgumentSanitizer extends Sanitizer {
SafeFormatArgumentSanitizer() { SafeFormatArgumentSanitizer() {
exists(StringOps::Formatting::StringFormatCall call, string safeDirective | exists(StringOps::Formatting::StringFormatCall call | safeFormatArgument(_, call) |
this = call.getOperand(_, safeDirective) and this = call.getAResult()
// Mark "%q" formats as safe, but not "%#q", which would preserve newline characters.
safeDirective.regexpMatch("%[^%#]*q")
) )
} }
} }
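Review bot: `SafeFormatArgumentSanitizer` now marks every result of a format call as sanitized as soon as any one operand of that call uses `%q`, because the constructor tests `safeFormatArgument(_, call)` with a wildcard and then takes `call.getAResult()`. A call that mixes directives, for example a format string `"%q %s"`, would have its whole result treated as safe although the `%s` operand can still carry newline characters, so log-injection results through that call are dropped. Requiring every operand to be safe closes this: `forex(DataFlow::Node arg | arg = call.getOperand(_, _) | safeFormatArgument(arg, call))` in place of `safeFormatArgument(_, call)`. The class QLDoc still describes "an argument that is formatted using the `%q` directive", which no longer matches a class whose members are call results.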


@@ -33,8 +33,8 @@ module OpenUrlRedirect {
any(AdditionalStep s).hasTaintStep(pred, succ) any(AdditionalStep s).hasTaintStep(pred, succ)
or or
// propagate to a URL when its host is assigned to // propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") | exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, pred) and succ = v.getAUse() w.writesField(succ, f, pred)
) )
or or
// propagate out of most URL fields, but not `ForceQuery` and `Scheme` // propagate out of most URL fields, but not `ForceQuery` and `Scheme`
@@ -48,8 +48,10 @@ module OpenUrlRedirect {
predicate isBarrierOut(DataFlow::Node node) { predicate isBarrierOut(DataFlow::Node node) {
// block propagation of this unsafe value when its host is overwritten // block propagation of this unsafe value when its host is overwritten
exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") | exists(Write w, Field f, DataFlow::Node base |
w.writesField(node.getASuccessor(), f, _) f.hasQualifiedName("net/url", "URL", "Host") and
w.writesField(base, f, _) and
base.(DataFlow::PostUpdateNode).getPreUpdateNode() = node
) )
or or
hostnameSanitizingPrefixEdge(node, _) hostnameSanitizingPrefixEdge(node, _)
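Review bot: `isBarrierOut` spells out the pre-update lookup by hand (`w.writesField(base, f, _) and base.(DataFlow::PostUpdateNode).getPreUpdateNode() = node`), while the SafeUrlFlow section of this same commit expresses what looks like the same condition as `w.writesFieldPreUpdate(node, f, _)`. If the two are equivalent, using `writesFieldPreUpdate` here removes the extra `base` variable and keeps the Host-overwrite barriers of the two queries in step. The comment above it could also say, as SafeUrlFlow does, that it is the pre-update node that is blocked. Both predicates continue outside their hunks.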


@@ -75,25 +75,18 @@ module OpenUrlRedirect {
} }
} }
bindingset[var, w]
pragma[inline_late]
private predicate useIsDominated(SsaWithFields var, Write w, DataFlow::ReadNode sanitizedRead) {
w.dominatesNode(sanitizedRead.asInstruction()) and
sanitizedRead = var.getAUse()
}
/** /**
* An access to a variable that is preceded by an assignment to its `Path` field. * An assignment of a safe value to the field `Path`, considered as a barrier for sanitizing
* untrusted URLs.
* *
* This is overapproximate; this will currently remove flow through all `Url.Path` assignments * This is overapproximate; this will currently remove flow through all `Url.Path` assignments
* which contain a substring that could sanitize data. * which contain a substring that could sanitize data.
*/ */
class PathAssignmentBarrier extends Barrier, Read { class PathAssignmentBarrier extends Barrier {
PathAssignmentBarrier() { PathAssignmentBarrier() {
exists(Write w, SsaWithFields var | exists(Write w, DataFlow::Node rhs |
hasHostnameSanitizingSubstring(w.getRhs()) and hasHostnameSanitizingSubstring(rhs) and
w.writesField(var.getAUse(), any(Field f | f.getName() = "Path"), _) and w.writesFieldPreUpdate(this, any(Field f | f.getName() = "Path"), rhs)
useIsDominated(var, w, this)
) )
} }
} }
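Review bot: `PathAssignmentBarrier` matches the written field by name only, `any(Field f | f.getName() = "Path")`, so a write to a field called `Path` on any struct type makes its base a barrier, whereas the Host steps elsewhere in this commit use `f.hasQualifiedName("net/url", "URL", "Host")`. The QLDoc already admits the class is overapproximate, but now that the barrier is the pre-update node of the write rather than a dominated read, an unrelated `Path` write could remove open-redirect flow through that value. Consider `f.hasQualifiedName("net/url", "URL", "Path")`, or state in the QLDoc that other types are intended. The rewritten QLDoc also calls the class "an assignment", while the member node is the base passed to `writesFieldPreUpdate`.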


@@ -27,8 +27,8 @@ module RequestForgery {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
// propagate to a URL when its host is assigned to // propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") | exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, pred) and succ = v.getAUse() w.writesField(succ, f, pred)
) )
} }


@@ -22,18 +22,21 @@ module SafeUrlFlow {
predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// propagate to a URL when its host is assigned to // propagate taint to the post-update node of a URL when its host is
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") | // assigned to
w.writesField(v.getAUse(), f, node1) and node2 = v.getAUse() exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(node2, f, node1)
) )
} }
predicate isBarrierOut(DataFlow::Node node) { predicate isBarrierOut(DataFlow::Node node) {
// block propagation of this safe value when its host is overwritten // block propagation of this safe value when its host is overwritten
exists(Write w, DataFlow::Node b, Field f | exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
f.hasQualifiedName("net/url", "URL", "Host") and // We sanitize the pre-update node to block flow from previous value.
b = node.getASuccessor() and // This fits in with the additional flow step above propagating taint
w.writesField(b, f, _) // from the value written to the Host field to the post-update node of
// the URL.
w.writesFieldPreUpdate(node, f, _)
) )
or or
node instanceof SanitizerEdge node instanceof SanitizerEdge


@@ -73,6 +73,16 @@ predicate checksValue(IR::Instruction instruction, DataFlow::SsaNode value) {
) )
} }
// Now that we have use-use flow, phi nodes aren't directly involved in the flow graph. TODO: change this?
DataFlow::SsaNode phiDefinedFrom(DataFlow::SsaNode node) {
result.getDefinition().(SsaPseudoDefinition).getAnInput() = node.getDefinition().getVariable()
}
DataFlow::SsaNode definedFrom(DataFlow::SsaNode node) {
DataFlow::localFlow(node, result) or
result = phiDefinedFrom*(node)
}
/** /**
* Matches if `call` is a function returning (`ptr`, `err`) where `ptr` may be nil, and neither * Matches if `call` is a function returning (`ptr`, `err`) where `ptr` may be nil, and neither
* `ptr` not `err` has been checked for validity as of `node`. * `ptr` not `err` has been checked for validity as of `node`.
@@ -99,7 +109,7 @@ predicate returnUncheckedAtNode(
// localFlow is used to permit checks via either an SSA phi node or ordinary assignment. // localFlow is used to permit checks via either an SSA phi node or ordinary assignment.
returnUncheckedAtNode(call, node.getAPredecessor(), ptr, err) and returnUncheckedAtNode(call, node.getAPredecessor(), ptr, err) and
not exists(DataFlow::SsaNode checked | not exists(DataFlow::SsaNode checked |
DataFlow::localFlow(ptr, checked) or DataFlow::localFlow(err, checked) checked = definedFrom(ptr) or checked = definedFrom(err)
| |
checksValue(node, checked) checksValue(node, checked)
) )
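Review bot: The comment kept above the changed condition still reads "localFlow is used to permit checks via either an SSA phi node or ordinary assignment", but the condition now calls `definedFrom`, and the new predicates `phiDefinedFrom` and `definedFrom` have no QLDoc and are not `private`. Updating that comment and adding QLDoc such as `/** Gets an SSA node that receives the value of node through local flow or a chain of phi nodes. */` would keep the nil-check logic readable. `definedFrom` also accepts either local flow or a phi chain starting at `node`, never one followed by the other, so a check on a value that is first copied and then merged at a phi may not be recognised; if that is intended, the TODO comment is the place to say so. `returnUncheckedAtNode` starts and ends outside the hunk.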


@@ -70,8 +70,8 @@ predicate unhandledCall(DataFlow::CallNode call) {
*/ */
predicate isWritableFileHandle(DataFlow::Node source, DataFlow::CallNode call) { predicate isWritableFileHandle(DataFlow::Node source, DataFlow::CallNode call) {
exists(OpenFileFun f, DataFlow::Node flags, QualifiedName flag | exists(OpenFileFun f, DataFlow::Node flags, QualifiedName flag |
// check that the source is a result of the call // check that the source is the first result of the call
source = call.getAResult() and source = call.getResult(0) and
// find a call to the os.OpenFile function // find a call to the os.OpenFile function
f.getACall() = call and f.getACall() = call and
// get the flags expression used for opening the file // get the flags expression used for opening the file


@@ -89,7 +89,7 @@ Type getTypeEmbeddedViaPointer(Type t) {
from Write w, LocalVariable v, Field f from Write w, LocalVariable v, Field f
where where
// `w` writes `f` on `v` // `w` writes `f` on `v`
w.writesField(v.getARead(), f, _) and w.writesFieldPreUpdate(v.getARead(), f, _) and
// but `f` is never read on `v` // but `f` is never read on `v`
not exists(Read r | r.readsField(v.getARead(), f)) and not exists(Read r | r.readsField(v.getARead(), f)) and
// exclude pointer-typed `v`; there may be reads through an alias // exclude pointer-typed `v`; there may be reads through an alias


@@ -35,7 +35,9 @@ predicate flowsToInterfaceNilCheck(DataFlow::Node nd) {
*/ */
predicate nonNilWrapper(DataFlow::Node nd) { predicate nonNilWrapper(DataFlow::Node nd) {
flowsToInterfaceNilCheck(nd) and flowsToInterfaceNilCheck(nd) and
forex(DataFlow::Node pred | pred = nd.getAPredecessor() | forex(DataFlow::Node pred |
pred = nd.getAPredecessor() and not pred instanceof DataFlow::PostUpdateNode
|
exists(Type predtp | predtp = pred.getType().getUnderlyingType() | exists(Type predtp | predtp = pred.getType().getUnderlyingType() |
not predtp instanceof InterfaceType and not predtp instanceof InterfaceType and
not predtp instanceof NilLiteralType and not predtp instanceof NilLiteralType and
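Review bot: The `forex` range now excludes `DataFlow::PostUpdateNode` predecessors without a comment saying why, and the QLDoc for `nonNilWrapper` lies above the hunk. A line such as `// skip post-update predecessors; only nodes that supply a new value are inspected` would record the intent, if that is the intent. Because `forex` also requires at least one predecessor in range, a node whose predecessors are all post-update nodes no longer satisfies `nonNilWrapper`; a test for that case would show whether this is wanted.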


@@ -34,7 +34,7 @@ predicate becomesPartOf(DataFlow::Node part, DataFlow::Node whole) {
or or
whole.(DataFlow::AddressOperationNode).getOperand() = part whole.(DataFlow::AddressOperationNode).getOperand() = part
or or
exists(Write w | w.writesField(whole.(DataFlow::PostUpdateNode).getPreUpdateNode(), _, part)) exists(Write w | w.writesField(whole, _, part))
} }
/** /**


@@ -98,8 +98,8 @@ predicate hostCheckReachesSink(Flow::PathNode sink) {
Flow::flowPath(source, otherSink) and Flow::flowPath(source, otherSink) and
Config::writeIsSink(sink.getNode(), sinkWrite) and Config::writeIsSink(sink.getNode(), sinkWrite) and
Config::writeIsSink(otherSink.getNode(), otherSinkWrite) and Config::writeIsSink(otherSink.getNode(), otherSinkWrite) and
sinkWrite.writesField(sinkAccessPath.getAUse(), _, sink.getNode()) and sinkWrite.writesFieldPreUpdate(sinkAccessPath.getAUse(), _, sink.getNode()) and
otherSinkWrite.writesField(otherSinkAccessPath.getAUse(), _, otherSink.getNode()) and otherSinkWrite.writesFieldPreUpdate(otherSinkAccessPath.getAUse(), _, otherSink.getNode()) and
otherSinkAccessPath = sinkAccessPath.similar() otherSinkAccessPath = sinkAccessPath.similar()
) )
) )


@@ -65,7 +65,7 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig {
*/ */
additional predicate isSink(DataFlow::Node sink, Field fld, DataFlow::Node base, Write fieldWrite) { additional predicate isSink(DataFlow::Node sink, Field fld, DataFlow::Node base, Write fieldWrite) {
fld.hasQualifiedName("crypto/tls", "Config", ["MinVersion", "MaxVersion"]) and fld.hasQualifiedName("crypto/tls", "Config", ["MinVersion", "MaxVersion"]) and
fieldWrite.writesField(base, fld, sink) fieldWrite.writesFieldPreUpdate(base, fld, sink)
} }
predicate isSource(DataFlow::Node source) { intIsSource(source, _) } predicate isSource(DataFlow::Node source) { intIsSource(source, _) }
@@ -190,7 +190,7 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig {
*/ */
additional predicate isSink(DataFlow::Node sink, Field fld, DataFlow::Node base, Write fieldWrite) { additional predicate isSink(DataFlow::Node sink, Field fld, DataFlow::Node base, Write fieldWrite) {
fld.hasQualifiedName("crypto/tls", "Config", "CipherSuites") and fld.hasQualifiedName("crypto/tls", "Config", "CipherSuites") and
fieldWrite.writesField(base, fld, sink) fieldWrite.writesFieldPreUpdate(base, fld, sink)
} }
predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) } predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }


@@ -61,7 +61,7 @@ predicate isUrlTaintingConfigStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(Write w, Field f | exists(Write w, Field f |
f.hasQualifiedName(package("golang.org/x/oauth2", ""), "Config", "RedirectURL") f.hasQualifiedName(package("golang.org/x/oauth2", ""), "Config", "RedirectURL")
| |
w.writesField(succ.(DataFlow::PostUpdateNode).getPreUpdateNode(), f, pred) w.writesField(succ, f, pred)
) )
} }


@@ -18,7 +18,8 @@ import semmle.go.security.IncorrectIntegerConversionLib
import Flow::PathGraph import Flow::PathGraph
from from
Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call, DataFlow::Node sinkConverted Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call,
DataFlow::TypeCastNode sinkConverted
where where
Flow::flowPath(source, sink) and Flow::flowPath(source, sink) and
call.getResult(0) = source.getNode() and call.getResult(0) = source.getNode() and


@@ -28,7 +28,7 @@ private class GorillaSessionOptionsField extends Field {
private DataFlow::Node getValueForFieldWrite(StructLit sl, string field) { private DataFlow::Node getValueForFieldWrite(StructLit sl, string field) {
exists(Write w, DataFlow::Node base, Field f | exists(Write w, DataFlow::Node base, Field f |
f.getName() = field and f.getName() = field and
w.writesField(base, f, result) and w.writesFieldPreUpdate(base, f, result) and
( (
sl = base.asExpr() sl = base.asExpr()
or or
@@ -209,10 +209,7 @@ private module GorillaSessionOptionsTrackingConfig implements DataFlow::ConfigSi
predicate isSink(DataFlow::Node sink) { sink instanceof GorillaSessionSaveSink } predicate isSink(DataFlow::Node sink) { sink instanceof GorillaSessionSaveSink }
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(GorillaSessionOptionsField f, DataFlow::Write w, DataFlow::Node base | exists(GorillaSessionOptionsField f, DataFlow::Write w | w.writesField(succ, f, pred))
w.writesField(base, f, pred) and
succ = base
)
} }
} }
@@ -236,10 +233,7 @@ private module BoolToGorillaSessionOptionsTrackingConfig implements DataFlow::Co
sl = succ.asExpr() sl = succ.asExpr()
) )
or or
exists(GorillaSessionOptionsField f, DataFlow::Write w, DataFlow::Node base | exists(GorillaSessionOptionsField f, DataFlow::Write w | w.writesField(succ, f, pred))
w.writesField(base, f, pred) and
succ = base
)
} }
} }


@@ -22,8 +22,8 @@ module ServerSideRequestForgery {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// propagate to a URL when its host is assigned to // propagate to a URL when its host is assigned to
exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") | exists(Write w, Field f | f.hasQualifiedName("net/url", "URL", "Host") |
w.writesField(v.getAUse(), f, node1) and node2 = v.getAUse() w.writesField(node2, f, node1)
) )
} }


@@ -5,3 +5,4 @@
| main.go:18:12:18:14 | argument corresponding to req | | main.go:18:12:18:14 | argument corresponding to req |
| main.go:18:12:18:14 | definition of req | | main.go:18:12:18:14 | definition of req |
| main.go:20:5:20:7 | req | | main.go:20:5:20:7 | req |
| main.go:20:5:20:7 | req [postupdate] |


@@ -1,90 +1,54 @@
edges edges
| CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | | | CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | CookieWithoutHttpOnly.go:15:21:15:21 | c | provenance | | | CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | CookieWithoutHttpOnly.go:15:21:15:21 | c | provenance | |
| CookieWithoutHttpOnly.go:12:10:12:18 | "session" | CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:12:10:12:18 | "session" | CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:15:20:15:21 | &... | CookieWithoutHttpOnly.go:15:21:15:21 | c | provenance | |
| CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | | | CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | CookieWithoutHttpOnly.go:15:21:15:21 | c | provenance | |
| CookieWithoutHttpOnly.go:15:21:15:21 | c | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | | | CookieWithoutHttpOnly.go:15:21:15:21 | c | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:15:21:15:21 | c | CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:15:21:15:21 | c | CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | | | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | | | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | | | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | |
| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | | | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | |
| CookieWithoutHttpOnly.go:20:13:20:21 | "session" | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:20:13:20:21 | "session" | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:22:13:22:17 | false | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:22:13:22:17 | false | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | | | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | | | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance | |
| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | | | CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | | | CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | | | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | | | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | | | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | |
| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | | | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | |
| CookieWithoutHttpOnly.go:29:13:29:21 | "session" | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:29:13:29:21 | "session" | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:31:13:31:16 | true | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:31:13:31:16 | true | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | | | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | | | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance | |
| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | | | CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | | | CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | | | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | | | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | | | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | |
| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | | | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | |
| CookieWithoutHttpOnly.go:38:10:38:18 | "session" | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:38:10:38:18 | "session" | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:41:15:41:18 | true | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:41:15:41:18 | true | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | | | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | | | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance | |
| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | | | CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | | | CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | | | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | | | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | | | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | |
| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | | | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | |
| CookieWithoutHttpOnly.go:47:10:47:18 | "session" | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:47:10:47:18 | "session" | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:50:15:50:19 | false | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:50:15:50:19 | false | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | | | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | | | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance | |
| CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | | | CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | | | CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | provenance | |
@@ -93,20 +57,12 @@ edges
| CookieWithoutHttpOnly.go:55:9:55:13 | false | CookieWithoutHttpOnly.go:59:13:59:15 | val | provenance | | | CookieWithoutHttpOnly.go:55:9:55:13 | false | CookieWithoutHttpOnly.go:59:13:59:15 | val | provenance | |
| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | | | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | | | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | | | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | |
| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | | | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | |
| CookieWithoutHttpOnly.go:57:13:57:21 | "session" | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:57:13:57:21 | "session" | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:59:13:59:15 | val | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:59:13:59:15 | val | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | | | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | | | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance | |
| CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | | | CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | | | CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | provenance | |
@@ -115,20 +71,12 @@ edges
| CookieWithoutHttpOnly.go:65:9:65:12 | true | CookieWithoutHttpOnly.go:69:13:69:15 | val | provenance | | | CookieWithoutHttpOnly.go:65:9:65:12 | true | CookieWithoutHttpOnly.go:69:13:69:15 | val | provenance | |
| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | | | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | | | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | | | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | |
| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | | | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | |
| CookieWithoutHttpOnly.go:67:13:67:21 | "session" | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:67:13:67:21 | "session" | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:69:13:69:15 | val | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:69:13:69:15 | val | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | | | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | | | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance | |
| CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | | | CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | | | CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | provenance | |
@@ -137,20 +85,12 @@ edges
| CookieWithoutHttpOnly.go:75:9:75:12 | true | CookieWithoutHttpOnly.go:80:15:80:17 | val | provenance | | | CookieWithoutHttpOnly.go:75:9:75:12 | true | CookieWithoutHttpOnly.go:80:15:80:17 | val | provenance | |
| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | | | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | | | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | | | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | |
| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | | | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | |
| CookieWithoutHttpOnly.go:77:10:77:18 | "session" | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:77:10:77:18 | "session" | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:80:15:80:17 | val | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:80:15:80:17 | val | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | | | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | | | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance | |
| CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | | | CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | | | CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | provenance | |
@@ -159,51 +99,31 @@ edges
| CookieWithoutHttpOnly.go:85:9:85:13 | false | CookieWithoutHttpOnly.go:90:15:90:17 | val | provenance | | | CookieWithoutHttpOnly.go:85:9:85:13 | false | CookieWithoutHttpOnly.go:90:15:90:17 | val | provenance | |
| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | | | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | | | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | | | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | |
| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | | | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | |
| CookieWithoutHttpOnly.go:87:10:87:18 | "session" | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:87:10:87:18 | "session" | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:90:15:90:17 | val | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:90:15:90:17 | val | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | | | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | | | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance | |
| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | | | CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | | | CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | | | CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | CookieWithoutHttpOnly.go:100:21:100:21 | c | provenance | | | CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | CookieWithoutHttpOnly.go:100:21:100:21 | c | provenance | |
| CookieWithoutHttpOnly.go:99:15:99:19 | false | CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:99:15:99:19 | false | CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:100:20:100:21 | &... | CookieWithoutHttpOnly.go:100:21:100:21 | c | provenance | |
| CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | | | CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | CookieWithoutHttpOnly.go:100:21:100:21 | c | provenance | |
| CookieWithoutHttpOnly.go:100:21:100:21 | c | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | | | CookieWithoutHttpOnly.go:100:21:100:21 | c | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:100:21:100:21 | c | CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:100:21:100:21 | c | CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | provenance | |
| CookieWithoutHttpOnly.go:104:10:104:18 | "session" | CookieWithoutHttpOnly.go:106:10:106:13 | name | provenance | | | CookieWithoutHttpOnly.go:104:10:104:18 | "session" | CookieWithoutHttpOnly.go:106:10:106:13 | name | provenance | |
| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | | | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | | | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | | | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | |
| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | | | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | |
| CookieWithoutHttpOnly.go:106:10:106:13 | name | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:106:10:106:13 | name | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:109:15:109:19 | false | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:109:15:109:19 | false | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | | | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | | | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance | |
| CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | | | CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | | | CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | provenance | |
@@ -211,20 +131,12 @@ edges
| CookieWithoutHttpOnly.go:114:13:114:24 | "login_name" | CookieWithoutHttpOnly.go:116:10:116:16 | session | provenance | | | CookieWithoutHttpOnly.go:114:13:114:24 | "login_name" | CookieWithoutHttpOnly.go:116:10:116:16 | session | provenance | |
| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | | | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | | | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | | | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | |
| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | | | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | |
| CookieWithoutHttpOnly.go:116:10:116:16 | session | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:116:10:116:16 | session | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:119:15:119:19 | false | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:119:15:119:19 | false | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | | | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | | | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance | |
| CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | | | CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | | | CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance | |
| CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | provenance | | | CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | provenance | |
@@ -235,233 +147,83 @@ edges
| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | | | CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | |
| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | | | CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | |
| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | | | CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | |
| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | |
| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | | | CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | |
| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | |
| CookieWithoutHttpOnly.go:126:2:126:43 | ... := ...[0] | CookieWithoutHttpOnly.go:129:2:129:8 | session | provenance | | | CookieWithoutHttpOnly.go:126:2:126:43 | ... := ...[0] | CookieWithoutHttpOnly.go:129:2:129:8 | session | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:126:2:126:43 | ... := ...[0] | provenance | Config | | CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:126:2:126:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | |
| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | |
| CookieWithoutHttpOnly.go:133:2:133:9 | definition of httpOnly | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | provenance | | | CookieWithoutHttpOnly.go:133:2:133:9 | definition of httpOnly | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:133:14:133:18 | false | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | provenance | | | CookieWithoutHttpOnly.go:133:14:133:18 | false | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | | | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | provenance | Config | | CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | provenance | |
| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance | | | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance | | | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:147:2:147:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | | | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | provenance | Config | | CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | | | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | | | CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | | | CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | |
| CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | |
| CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:147:2:147:8 | session [pointer] | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | session | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | CookieWithoutHttpOnly.go:149:20:151:2 | &... | provenance | | | CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | CookieWithoutHttpOnly.go:149:20:151:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:157:2:157:9 | definition of httpOnly | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance | | | CookieWithoutHttpOnly.go:157:2:157:9 | definition of httpOnly | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:157:14:157:17 | true | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance | | | CookieWithoutHttpOnly.go:157:14:157:17 | true | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | provenance | Config | | CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | provenance | |
| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance | | | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance | | | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:169:56:169:63 | argument corresponding to httpOnly | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | provenance | | | CookieWithoutHttpOnly.go:169:56:169:63 | argument corresponding to httpOnly | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | provenance | | | CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | provenance | Config | | CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance | |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | Config |
| CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session | provenance | Config |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | provenance | |
| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance | | | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance | | | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance | |
| CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | provenance | Config | | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | provenance | Config |
| CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | CookieWithoutHttpOnly.go:191:19:191:25 | session | provenance | | | CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | CookieWithoutHttpOnly.go:191:19:191:25 | session | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | provenance | Config | | CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | |
| CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | CookieWithoutHttpOnly.go:202:19:202:25 | session | provenance | | | CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | CookieWithoutHttpOnly.go:202:19:202:25 | session | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | provenance | Config | | CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | provenance | Config |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:191:2:191:6 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance | |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | CookieWithoutHttpOnly.go:202:2:202:6 | store | provenance | |
nodes nodes
| CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | semmle.label | struct literal | | CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | semmle.label | struct literal |
| CookieWithoutHttpOnly.go:12:10:12:18 | "session" | semmle.label | "session" | | CookieWithoutHttpOnly.go:12:10:12:18 | "session" | semmle.label | "session" |
| CookieWithoutHttpOnly.go:15:20:15:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:15:20:15:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:15:20:15:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:15:21:15:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:15:21:15:21 | c | semmle.label | c |
| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | semmle.label | struct literal | | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | semmle.label | struct literal |
@@ -470,8 +232,6 @@ nodes
| CookieWithoutHttpOnly.go:22:13:22:17 | false | semmle.label | false | | CookieWithoutHttpOnly.go:22:13:22:17 | false | semmle.label | false |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:24:21:24:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:24:21:24:21 | c | semmle.label | c |
@@ -482,8 +242,6 @@ nodes
| CookieWithoutHttpOnly.go:31:13:31:16 | true | semmle.label | true | | CookieWithoutHttpOnly.go:31:13:31:16 | true | semmle.label | true |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:33:21:33:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:33:21:33:21 | c | semmle.label | c |
@@ -494,8 +252,6 @@ nodes
| CookieWithoutHttpOnly.go:41:15:41:18 | true | semmle.label | true | | CookieWithoutHttpOnly.go:41:15:41:18 | true | semmle.label | true |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:42:21:42:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:42:21:42:21 | c | semmle.label | c |
@@ -506,8 +262,6 @@ nodes
| CookieWithoutHttpOnly.go:50:15:50:19 | false | semmle.label | false | | CookieWithoutHttpOnly.go:50:15:50:19 | false | semmle.label | false |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:51:21:51:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:51:21:51:21 | c | semmle.label | c |
@@ -520,8 +274,6 @@ nodes
| CookieWithoutHttpOnly.go:59:13:59:15 | val | semmle.label | val | | CookieWithoutHttpOnly.go:59:13:59:15 | val | semmle.label | val |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:61:21:61:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:61:21:61:21 | c | semmle.label | c |
@@ -534,8 +286,6 @@ nodes
| CookieWithoutHttpOnly.go:69:13:69:15 | val | semmle.label | val | | CookieWithoutHttpOnly.go:69:13:69:15 | val | semmle.label | val |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:71:21:71:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:71:21:71:21 | c | semmle.label | c |
@@ -548,8 +298,6 @@ nodes
| CookieWithoutHttpOnly.go:80:15:80:17 | val | semmle.label | val | | CookieWithoutHttpOnly.go:80:15:80:17 | val | semmle.label | val |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:81:21:81:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:81:21:81:21 | c | semmle.label | c |
@@ -562,8 +310,6 @@ nodes
| CookieWithoutHttpOnly.go:90:15:90:17 | val | semmle.label | val | | CookieWithoutHttpOnly.go:90:15:90:17 | val | semmle.label | val |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:91:21:91:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:91:21:91:21 | c | semmle.label | c |
@@ -571,7 +317,6 @@ nodes
| CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | semmle.label | struct literal | | CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | semmle.label | struct literal |
| CookieWithoutHttpOnly.go:99:15:99:19 | false | semmle.label | false | | CookieWithoutHttpOnly.go:99:15:99:19 | false | semmle.label | false |
| CookieWithoutHttpOnly.go:100:20:100:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:100:20:100:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:100:20:100:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:100:21:100:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:100:21:100:21 | c | semmle.label | c |
| CookieWithoutHttpOnly.go:104:10:104:18 | "session" | semmle.label | "session" | | CookieWithoutHttpOnly.go:104:10:104:18 | "session" | semmle.label | "session" |
@@ -581,8 +326,6 @@ nodes
| CookieWithoutHttpOnly.go:109:15:109:19 | false | semmle.label | false | | CookieWithoutHttpOnly.go:109:15:109:19 | false | semmle.label | false |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:110:21:110:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:110:21:110:21 | c | semmle.label | c |
@@ -594,8 +337,6 @@ nodes
| CookieWithoutHttpOnly.go:119:15:119:19 | false | semmle.label | false | | CookieWithoutHttpOnly.go:119:15:119:19 | false | semmle.label | false |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | semmle.label | &... [pointer] | | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | semmle.label | &... [pointer] |
| CookieWithoutHttpOnly.go:120:21:120:21 | c | semmle.label | c | | CookieWithoutHttpOnly.go:120:21:120:21 | c | semmle.label | c |
@@ -606,20 +347,14 @@ nodes
| CookieWithoutHttpOnly.go:129:2:129:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:129:2:129:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:133:2:133:9 | definition of httpOnly | semmle.label | definition of httpOnly | | CookieWithoutHttpOnly.go:133:2:133:9 | definition of httpOnly | semmle.label | definition of httpOnly |
| CookieWithoutHttpOnly.go:133:14:133:18 | false | semmle.label | false | | CookieWithoutHttpOnly.go:133:14:133:18 | false | semmle.label | false |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | semmle.label | definition of session [pointer] |
| CookieWithoutHttpOnly.go:134:2:134:8 | definition of session [pointer] | semmle.label | definition of session [pointer] |
| CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | semmle.label | ... := ...[0] | | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:134:16:134:20 | store | semmle.label | store | | CookieWithoutHttpOnly.go:134:16:134:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:135:2:135:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | semmle.label | session [pointer] | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:135:2:135:8 | session [pointer] | semmle.label | session [pointer] | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:137:2:137:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | semmle.label | session [pointer] |
| CookieWithoutHttpOnly.go:137:2:137:8 | session [pointer] | semmle.label | session [pointer] |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:137:20:140:2 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:137:20:140:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | semmle.label | struct literal | | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | semmle.label | struct literal |
@@ -628,34 +363,25 @@ nodes
| CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:146:2:146:8 | definition of session [pointer] | semmle.label | definition of session [pointer] |
| CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | semmle.label | ... := ...[0] | | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:146:16:146:20 | store | semmle.label | store | | CookieWithoutHttpOnly.go:146:16:146:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:147:2:147:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:147:2:147:8 | session [pointer] | semmle.label | session [pointer] | | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:149:2:149:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:149:2:149:8 | session [pointer] | semmle.label | session [pointer] |
| CookieWithoutHttpOnly.go:149:20:151:2 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:149:20:151:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | semmle.label | struct literal | | CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | semmle.label | struct literal |
| CookieWithoutHttpOnly.go:153:2:153:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:153:2:153:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:153:2:153:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:153:2:153:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:157:2:157:9 | definition of httpOnly | semmle.label | definition of httpOnly | | CookieWithoutHttpOnly.go:157:2:157:9 | definition of httpOnly | semmle.label | definition of httpOnly |
| CookieWithoutHttpOnly.go:157:14:157:17 | true | semmle.label | true | | CookieWithoutHttpOnly.go:157:14:157:17 | true | semmle.label | true |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | semmle.label | definition of session [pointer] |
| CookieWithoutHttpOnly.go:158:2:158:8 | definition of session [pointer] | semmle.label | definition of session [pointer] |
| CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | semmle.label | ... := ...[0] | | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:158:16:158:20 | store | semmle.label | store | | CookieWithoutHttpOnly.go:158:16:158:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:159:2:159:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | semmle.label | session [pointer] | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:159:2:159:8 | session [pointer] | semmle.label | session [pointer] | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:161:2:161:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | semmle.label | session [pointer] |
| CookieWithoutHttpOnly.go:161:2:161:8 | session [pointer] | semmle.label | session [pointer] |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:161:20:164:2 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:161:20:164:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | semmle.label | struct literal | | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | semmle.label | struct literal |
@@ -666,20 +392,14 @@ nodes
| CookieWithoutHttpOnly.go:166:2:166:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:166:2:166:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:169:56:169:63 | argument corresponding to httpOnly | semmle.label | argument corresponding to httpOnly | | CookieWithoutHttpOnly.go:169:56:169:63 | argument corresponding to httpOnly | semmle.label | argument corresponding to httpOnly |
| CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | semmle.label | definition of httpOnly | | CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | semmle.label | definition of httpOnly |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | semmle.label | definition of session [pointer] |
| CookieWithoutHttpOnly.go:170:2:170:8 | definition of session [pointer] | semmle.label | definition of session [pointer] |
| CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | semmle.label | ... := ...[0] | | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:170:16:170:20 | store | semmle.label | store | | CookieWithoutHttpOnly.go:170:16:170:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:171:2:171:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | semmle.label | session [pointer] | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:171:2:171:8 | session [pointer] | semmle.label | session [pointer] | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | semmle.label | session [postupdate] |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference | semmle.label | implicit dereference | | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:173:2:173:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | semmle.label | session [pointer] |
| CookieWithoutHttpOnly.go:173:2:173:8 | session [pointer] | semmle.label | session [pointer] |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:173:20:176:2 | &... | semmle.label | &... | | CookieWithoutHttpOnly.go:173:20:176:2 | &... | semmle.label | &... |
| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | semmle.label | struct literal | | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | semmle.label | struct literal |
@@ -690,11 +410,9 @@ nodes
| CookieWithoutHttpOnly.go:178:2:178:8 | session | semmle.label | session | | CookieWithoutHttpOnly.go:178:2:178:8 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | semmle.label | ... := ...[0] | | CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:183:16:183:20 | store | semmle.label | store | | CookieWithoutHttpOnly.go:183:16:183:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:191:2:191:6 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:191:19:191:25 | session | semmle.label | session | | CookieWithoutHttpOnly.go:191:19:191:25 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | semmle.label | ... := ...[0] | | CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| CookieWithoutHttpOnly.go:195:16:195:20 | store | semmle.label | store | | CookieWithoutHttpOnly.go:195:16:195:20 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:202:2:202:6 | store | semmle.label | store |
| CookieWithoutHttpOnly.go:202:19:202:25 | session | semmle.label | session | | CookieWithoutHttpOnly.go:202:19:202:25 | session | semmle.label | session |
| CookieWithoutHttpOnly.go:214:66:214:70 | false | semmle.label | false | | CookieWithoutHttpOnly.go:214:66:214:70 | false | semmle.label | false |
subpaths subpaths


@@ -1,16 +1,12 @@
edges edges
| go-jose.v3.go:13:14:13:34 | type conversion | go-jose.v3.go:24:32:24:37 | JwtKey | provenance | | | go-jose.v3.go:13:14:13:34 | type conversion | go-jose.v3.go:24:32:24:37 | JwtKey | provenance | |
| go-jose.v3.go:13:14:13:34 | type conversion | go-jose.v3.go:24:32:24:37 | JwtKey | provenance | |
| go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:13:14:13:34 | type conversion | provenance | | | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:13:14:13:34 | type conversion | provenance | |
| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:24:32:24:37 | JwtKey | provenance | |
| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:24:32:24:37 | JwtKey | provenance | |
| golang-jwt-v5.go:19:15:19:35 | type conversion | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | provenance | | | golang-jwt-v5.go:19:15:19:35 | type conversion | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | provenance | |
| golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:19:15:19:35 | type conversion | provenance | | | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:19:15:19:35 | type conversion | provenance | |
nodes nodes
| go-jose.v3.go:13:14:13:34 | type conversion | semmle.label | type conversion | | go-jose.v3.go:13:14:13:34 | type conversion | semmle.label | type conversion |
| go-jose.v3.go:13:21:13:33 | "AllYourBase" | semmle.label | "AllYourBase" | | go-jose.v3.go:13:21:13:33 | "AllYourBase" | semmle.label | "AllYourBase" |
| go-jose.v3.go:24:32:24:37 | JwtKey | semmle.label | JwtKey | | go-jose.v3.go:24:32:24:37 | JwtKey | semmle.label | JwtKey |
| go-jose.v3.go:24:32:24:37 | JwtKey | semmle.label | JwtKey |
| golang-jwt-v5.go:19:15:19:35 | type conversion | semmle.label | type conversion | | golang-jwt-v5.go:19:15:19:35 | type conversion | semmle.label | type conversion |
| golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" | | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" |
| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 | | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 |


@@ -68,9 +68,9 @@ edges
| test.go:91:15:91:26 | selection of Body | test.go:555:19:555:22 | definition of file | provenance | Src:MaD:1 | | test.go:91:15:91:26 | selection of Body | test.go:555:19:555:22 | definition of file | provenance | Src:MaD:1 |
| test.go:93:5:93:16 | selection of Body | test.go:580:9:580:12 | definition of file | provenance | Src:MaD:1 | | test.go:93:5:93:16 | selection of Body | test.go:580:9:580:12 | definition of file | provenance | Src:MaD:1 |
| test.go:128:20:128:27 | definition of filename | test.go:130:33:130:40 | filename | provenance | | | test.go:128:20:128:27 | definition of filename | test.go:130:33:130:40 | filename | provenance | |
| test.go:128:20:128:27 | definition of filename | test.go:143:51:143:58 | filename | provenance | |
| test.go:130:2:130:41 | ... := ...[0] | test.go:132:12:132:12 | f | provenance | | | test.go:130:2:130:41 | ... := ...[0] | test.go:132:12:132:12 | f | provenance | |
| test.go:130:33:130:40 | filename | test.go:130:2:130:41 | ... := ...[0] | provenance | Config | | test.go:130:33:130:40 | filename | test.go:130:2:130:41 | ... := ...[0] | provenance | Config |
| test.go:130:33:130:40 | filename | test.go:143:51:143:58 | filename | provenance | |
| test.go:132:3:132:19 | ... := ...[0] | test.go:134:37:134:38 | rc | provenance | | | test.go:132:3:132:19 | ... := ...[0] | test.go:134:37:134:38 | rc | provenance | |
| test.go:132:12:132:12 | f | test.go:132:3:132:19 | ... := ...[0] | provenance | MaD:4 | | test.go:132:12:132:12 | f | test.go:132:3:132:19 | ... := ...[0] | provenance | MaD:4 |
| test.go:143:2:143:59 | ... := ...[0] | test.go:145:12:145:12 | f | provenance | | | test.go:143:2:143:59 | ... := ...[0] | test.go:145:12:145:12 | f | provenance | |


@@ -7,17 +7,14 @@ edges
| Dsn.go:28:11:28:110 | call to Sprintf | Dsn.go:29:29:29:33 | dbDSN | provenance | | | Dsn.go:28:11:28:110 | call to Sprintf | Dsn.go:29:29:29:33 | dbDSN | provenance | |
| Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | []type{args} [array] | provenance | | | Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | []type{args} [array] | provenance | |
| Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | call to Sprintf | provenance | FunctionModel | | Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | call to Sprintf | provenance | FunctionModel |
| Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:63:9:63:11 | cfg [pointer] | provenance | | | Dsn.go:63:9:63:11 | cfg [postupdate] [pointer] | Dsn.go:67:102:67:104 | cfg [pointer] | provenance | |
| Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:67:102:67:104 | cfg [pointer] | provenance | | | Dsn.go:63:9:63:11 | implicit dereference [postupdate] | Dsn.go:63:9:63:11 | cfg [postupdate] [pointer] | provenance | |
| Dsn.go:63:9:63:11 | cfg [pointer] | Dsn.go:63:9:63:11 | implicit dereference | provenance | | | Dsn.go:63:9:63:11 | implicit dereference [postupdate] | Dsn.go:67:102:67:108 | selection of dsn | provenance | |
| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:62:2:62:4 | definition of cfg [pointer] | provenance | |
| Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn | provenance | |
| Dsn.go:63:19:63:25 | selection of Args | Dsn.go:63:19:63:29 | slice expression | provenance | Src:MaD:1 | | Dsn.go:63:19:63:25 | selection of Args | Dsn.go:63:19:63:29 | slice expression | provenance | Src:MaD:1 |
| Dsn.go:63:19:63:29 | slice expression | Dsn.go:63:9:63:11 | implicit dereference | provenance | FunctionModel | | Dsn.go:63:19:63:29 | slice expression | Dsn.go:63:9:63:11 | implicit dereference [postupdate] | provenance | FunctionModel |
| Dsn.go:67:11:67:109 | []type{args} [array] | Dsn.go:67:11:67:109 | call to Sprintf | provenance | MaD:2 | | Dsn.go:67:11:67:109 | []type{args} [array] | Dsn.go:67:11:67:109 | call to Sprintf | provenance | MaD:2 |
| Dsn.go:67:11:67:109 | call to Sprintf | Dsn.go:68:29:68:33 | dbDSN | provenance | | | Dsn.go:67:11:67:109 | call to Sprintf | Dsn.go:68:29:68:33 | dbDSN | provenance | |
| Dsn.go:67:102:67:104 | cfg [pointer] | Dsn.go:67:102:67:104 | implicit dereference | provenance | | | Dsn.go:67:102:67:104 | cfg [pointer] | Dsn.go:67:102:67:104 | implicit dereference | provenance | |
| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:63:9:63:11 | implicit dereference | provenance | |
| Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn | provenance | | | Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn | provenance | |
| Dsn.go:67:102:67:108 | selection of dsn | Dsn.go:67:11:67:109 | []type{args} [array] | provenance | | | Dsn.go:67:102:67:108 | selection of dsn | Dsn.go:67:11:67:109 | []type{args} [array] | provenance | |
| Dsn.go:67:102:67:108 | selection of dsn | Dsn.go:67:11:67:109 | call to Sprintf | provenance | FunctionModel | | Dsn.go:67:102:67:108 | selection of dsn | Dsn.go:67:11:67:109 | call to Sprintf | provenance | FunctionModel |
@@ -30,9 +27,8 @@ nodes
| Dsn.go:28:11:28:110 | call to Sprintf | semmle.label | call to Sprintf | | Dsn.go:28:11:28:110 | call to Sprintf | semmle.label | call to Sprintf |
| Dsn.go:28:102:28:109 | index expression | semmle.label | index expression | | Dsn.go:28:102:28:109 | index expression | semmle.label | index expression |
| Dsn.go:29:29:29:33 | dbDSN | semmle.label | dbDSN | | Dsn.go:29:29:29:33 | dbDSN | semmle.label | dbDSN |
| Dsn.go:62:2:62:4 | definition of cfg [pointer] | semmle.label | definition of cfg [pointer] | | Dsn.go:63:9:63:11 | cfg [postupdate] [pointer] | semmle.label | cfg [postupdate] [pointer] |
| Dsn.go:63:9:63:11 | cfg [pointer] | semmle.label | cfg [pointer] | | Dsn.go:63:9:63:11 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| Dsn.go:63:9:63:11 | implicit dereference | semmle.label | implicit dereference |
| Dsn.go:63:19:63:25 | selection of Args | semmle.label | selection of Args | | Dsn.go:63:19:63:25 | selection of Args | semmle.label | selection of Args |
| Dsn.go:63:19:63:29 | slice expression | semmle.label | slice expression | | Dsn.go:63:19:63:29 | slice expression | semmle.label | slice expression |
| Dsn.go:67:11:67:109 | []type{args} [array] | semmle.label | []type{args} [array] | | Dsn.go:67:11:67:109 | []type{args} [array] | semmle.label | []type{args} [array] |


@@ -1,12 +1,13 @@
#select #select
| builtin.go:22:12:22:63 | call to Get | builtin.go:19:12:19:34 | call to FormValue | builtin.go:22:21:22:62 | ...+... | The URL of this request depends on a user-provided value. | | builtin.go:23:12:23:63 | call to Get | builtin.go:20:12:20:34 | call to FormValue | builtin.go:23:21:23:62 | ...+... | The URL of this request depends on a user-provided value. |
| builtin.go:88:12:88:53 | call to Dial | builtin.go:83:21:83:31 | call to Referer | builtin.go:88:27:88:40 | untrustedInput | The URL of this request depends on a user-provided value. | | builtin.go:89:12:89:53 | call to Dial | builtin.go:84:21:84:31 | call to Referer | builtin.go:89:27:89:40 | untrustedInput | The URL of this request depends on a user-provided value. |
| builtin.go:102:13:102:40 | call to DialConfig | builtin.go:97:21:97:31 | call to Referer | builtin.go:101:36:101:49 | untrustedInput | The URL of this request depends on a user-provided value. | | builtin.go:103:13:103:40 | call to DialConfig | builtin.go:98:21:98:31 | call to Referer | builtin.go:102:36:102:49 | untrustedInput | The URL of this request depends on a user-provided value. |
| builtin.go:114:3:114:39 | call to Dial | builtin.go:111:21:111:31 | call to Referer | builtin.go:114:15:114:28 | untrustedInput | The URL of this request depends on a user-provided value. | | builtin.go:115:3:115:39 | call to Dial | builtin.go:112:21:112:31 | call to Referer | builtin.go:115:15:115:28 | untrustedInput | The URL of this request depends on a user-provided value. |
| builtin.go:132:3:132:62 | call to DialContext | builtin.go:129:21:129:31 | call to Referer | builtin.go:132:38:132:51 | untrustedInput | The URL of this request depends on a user-provided value. | | builtin.go:133:3:133:62 | call to DialContext | builtin.go:130:21:130:31 | call to Referer | builtin.go:133:38:133:51 | untrustedInput | The URL of this request depends on a user-provided value. |
| new-tests.go:31:2:31:58 | call to Get | new-tests.go:26:26:26:30 | &... | new-tests.go:31:11:31:57 | call to Sprintf | The URL of this request depends on a user-provided value. | | builtin.go:156:12:156:33 | call to Get | builtin.go:151:16:151:36 | call to FormValue | builtin.go:156:21:156:32 | call to String | The URL of this request depends on a user-provided value. |
| new-tests.go:32:2:32:58 | call to Get | new-tests.go:26:26:26:30 | &... | new-tests.go:32:11:32:57 | call to Sprintf | The URL of this request depends on a user-provided value. | | new-tests.go:31:2:31:58 | call to Get | new-tests.go:26:26:26:30 | &... [postupdate] | new-tests.go:31:11:31:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:35:3:35:59 | call to Get | new-tests.go:26:26:26:30 | &... | new-tests.go:35:12:35:58 | call to Sprintf | The URL of this request depends on a user-provided value. | | new-tests.go:32:2:32:58 | call to Get | new-tests.go:26:26:26:30 | &... [postupdate] | new-tests.go:32:11:32:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:35:3:35:59 | call to Get | new-tests.go:26:26:26:30 | &... [postupdate] | new-tests.go:35:12:35:58 | call to Sprintf | The URL of this request depends on a user-provided value. |
| new-tests.go:47:2:47:47 | call to Get | new-tests.go:39:18:39:30 | call to Param | new-tests.go:47:11:47:46 | ...+... | The URL of this request depends on a user-provided value. | | new-tests.go:47:2:47:47 | call to Get | new-tests.go:39:18:39:30 | call to Param | new-tests.go:47:11:47:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:50:2:50:47 | call to Get | new-tests.go:49:18:49:30 | call to Query | new-tests.go:50:11:50:46 | ...+... | The URL of this request depends on a user-provided value. | | new-tests.go:50:2:50:47 | call to Get | new-tests.go:49:18:49:30 | call to Query | new-tests.go:50:11:50:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:68:2:68:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body | new-tests.go:68:11:68:57 | call to Sprintf | The URL of this request depends on a user-provided value. | | new-tests.go:68:2:68:58 | call to Get | new-tests.go:62:31:62:38 | selection of Body | new-tests.go:68:11:68:57 | call to Sprintf | The URL of this request depends on a user-provided value. |
@@ -17,14 +18,20 @@
| new-tests.go:88:2:88:47 | call to Get | new-tests.go:86:10:86:20 | call to Vars | new-tests.go:88:11:88:46 | ...+... | The URL of this request depends on a user-provided value. | | new-tests.go:88:2:88:47 | call to Get | new-tests.go:86:10:86:20 | call to Vars | new-tests.go:88:11:88:46 | ...+... | The URL of this request depends on a user-provided value. |
| new-tests.go:96:2:96:47 | call to Get | new-tests.go:95:18:95:45 | call to URLParam | new-tests.go:96:11:96:46 | ...+... | The URL of this request depends on a user-provided value. | | new-tests.go:96:2:96:47 | call to Get | new-tests.go:95:18:95:45 | call to URLParam | new-tests.go:96:11:96:46 | ...+... | The URL of this request depends on a user-provided value. |
edges edges
| builtin.go:19:12:19:34 | call to FormValue | builtin.go:22:21:22:62 | ...+... | provenance | Src:MaD:7 | | builtin.go:20:12:20:34 | call to FormValue | builtin.go:23:21:23:62 | ...+... | provenance | Src:MaD:7 |
| builtin.go:83:21:83:31 | call to Referer | builtin.go:88:27:88:40 | untrustedInput | provenance | Src:MaD:8 | | builtin.go:84:21:84:31 | call to Referer | builtin.go:89:27:89:40 | untrustedInput | provenance | Src:MaD:8 |
| builtin.go:97:21:97:31 | call to Referer | builtin.go:101:36:101:49 | untrustedInput | provenance | Src:MaD:8 | | builtin.go:98:21:98:31 | call to Referer | builtin.go:102:36:102:49 | untrustedInput | provenance | Src:MaD:8 |
| builtin.go:111:21:111:31 | call to Referer | builtin.go:114:15:114:28 | untrustedInput | provenance | Src:MaD:8 | | builtin.go:112:21:112:31 | call to Referer | builtin.go:115:15:115:28 | untrustedInput | provenance | Src:MaD:8 |
| builtin.go:129:21:129:31 | call to Referer | builtin.go:132:38:132:51 | untrustedInput | provenance | Src:MaD:8 | | builtin.go:130:21:130:31 | call to Referer | builtin.go:133:38:133:51 | untrustedInput | provenance | Src:MaD:8 |
| new-tests.go:26:26:26:30 | &... | new-tests.go:31:48:31:56 | selection of word | provenance | Src:MaD:3 | | builtin.go:151:16:151:36 | call to FormValue | builtin.go:154:13:154:22 | unsafehost | provenance | Src:MaD:7 |
| new-tests.go:26:26:26:30 | &... | new-tests.go:32:48:32:56 | selection of safe | provenance | Src:MaD:3 | | builtin.go:154:2:154:4 | implicit dereference [postupdate] | builtin.go:154:2:154:4 | url [postupdate] | provenance | |
| new-tests.go:26:26:26:30 | &... | new-tests.go:35:49:35:57 | selection of word | provenance | Src:MaD:3 | | builtin.go:154:2:154:4 | url [postupdate] | builtin.go:156:21:156:23 | url | provenance | |
| builtin.go:154:13:154:22 | unsafehost | builtin.go:154:2:154:4 | implicit dereference [postupdate] | provenance | Config |
| builtin.go:154:13:154:22 | unsafehost | builtin.go:154:2:154:4 | url [postupdate] | provenance | Config |
| builtin.go:156:21:156:23 | url | builtin.go:156:21:156:32 | call to String | provenance | MaD:12 |
| new-tests.go:26:26:26:30 | &... [postupdate] | new-tests.go:31:48:31:56 | selection of word | provenance | Src:MaD:3 |
| new-tests.go:26:26:26:30 | &... [postupdate] | new-tests.go:32:48:32:56 | selection of safe | provenance | Src:MaD:3 |
| new-tests.go:26:26:26:30 | &... [postupdate] | new-tests.go:35:49:35:57 | selection of word | provenance | Src:MaD:3 |
| new-tests.go:31:11:31:57 | []type{args} [array] | new-tests.go:31:11:31:57 | call to Sprintf | provenance | MaD:11 | | new-tests.go:31:11:31:57 | []type{args} [array] | new-tests.go:31:11:31:57 | call to Sprintf | provenance | MaD:11 |
| new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | []type{args} [array] | provenance | | | new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | []type{args} [array] | provenance | |
| new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | call to Sprintf | provenance | FunctionModel | | new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | call to Sprintf | provenance | FunctionModel |
@@ -37,11 +44,11 @@ edges
| new-tests.go:39:18:39:30 | call to Param | new-tests.go:47:11:47:46 | ...+... | provenance | Src:MaD:1 | | new-tests.go:39:18:39:30 | call to Param | new-tests.go:47:11:47:46 | ...+... | provenance | Src:MaD:1 |
| new-tests.go:49:18:49:30 | call to Query | new-tests.go:50:11:50:46 | ...+... | provenance | Src:MaD:2 | | new-tests.go:49:18:49:30 | call to Query | new-tests.go:50:11:50:46 | ...+... | provenance | Src:MaD:2 |
| new-tests.go:62:2:62:39 | ... := ...[0] | new-tests.go:63:17:63:23 | reqBody | provenance | | | new-tests.go:62:2:62:39 | ... := ...[0] | new-tests.go:63:17:63:23 | reqBody | provenance | |
| new-tests.go:62:31:62:38 | selection of Body | new-tests.go:62:2:62:39 | ... := ...[0] | provenance | Src:MaD:6 MaD:12 | | new-tests.go:62:31:62:38 | selection of Body | new-tests.go:62:2:62:39 | ... := ...[0] | provenance | Src:MaD:6 MaD:13 |
| new-tests.go:63:17:63:23 | reqBody | new-tests.go:63:26:63:30 | &... | provenance | MaD:10 | | new-tests.go:63:17:63:23 | reqBody | new-tests.go:63:26:63:30 | &... [postupdate] | provenance | MaD:10 |
| new-tests.go:63:26:63:30 | &... | new-tests.go:68:48:68:56 | selection of word | provenance | | | new-tests.go:63:26:63:30 | &... [postupdate] | new-tests.go:68:48:68:56 | selection of word | provenance | |
| new-tests.go:63:26:63:30 | &... | new-tests.go:69:48:69:56 | selection of safe | provenance | | | new-tests.go:63:26:63:30 | &... [postupdate] | new-tests.go:69:48:69:56 | selection of safe | provenance | |
| new-tests.go:63:26:63:30 | &... | new-tests.go:74:49:74:57 | selection of word | provenance | | | new-tests.go:63:26:63:30 | &... [postupdate] | new-tests.go:74:49:74:57 | selection of word | provenance | |
| new-tests.go:68:11:68:57 | []type{args} [array] | new-tests.go:68:11:68:57 | call to Sprintf | provenance | MaD:11 | | new-tests.go:68:11:68:57 | []type{args} [array] | new-tests.go:68:11:68:57 | call to Sprintf | provenance | MaD:11 |
| new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | []type{args} [array] | provenance | | | new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | []type{args} [array] | provenance | |
| new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | call to Sprintf | provenance | FunctionModel | | new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | call to Sprintf | provenance | FunctionModel |
@@ -51,12 +58,12 @@ edges
| new-tests.go:74:12:74:58 | []type{args} [array] | new-tests.go:74:12:74:58 | call to Sprintf | provenance | MaD:11 | | new-tests.go:74:12:74:58 | []type{args} [array] | new-tests.go:74:12:74:58 | call to Sprintf | provenance | MaD:11 |
| new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | []type{args} [array] | provenance | | | new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | []type{args} [array] | provenance | |
| new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | call to Sprintf | provenance | FunctionModel | | new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | call to Sprintf | provenance | FunctionModel |
| new-tests.go:78:18:78:24 | selection of URL | new-tests.go:78:18:78:32 | call to Query | provenance | Src:MaD:9 MaD:13 | | new-tests.go:78:18:78:24 | selection of URL | new-tests.go:78:18:78:32 | call to Query | provenance | Src:MaD:9 MaD:14 |
| new-tests.go:78:18:78:32 | call to Query | new-tests.go:78:18:78:46 | call to Get | provenance | MaD:14 | | new-tests.go:78:18:78:32 | call to Query | new-tests.go:78:18:78:46 | call to Get | provenance | MaD:15 |
| new-tests.go:78:18:78:46 | call to Get | new-tests.go:79:11:79:46 | ...+... | provenance | | | new-tests.go:78:18:78:46 | call to Get | new-tests.go:79:11:79:46 | ...+... | provenance | |
| new-tests.go:81:18:81:67 | call to TrimPrefix | new-tests.go:82:11:82:46 | ...+... | provenance | | | new-tests.go:81:18:81:67 | call to TrimPrefix | new-tests.go:82:11:82:46 | ...+... | provenance | |
| new-tests.go:81:37:81:43 | selection of URL | new-tests.go:81:37:81:48 | selection of Path | provenance | Src:MaD:9 | | new-tests.go:81:37:81:43 | selection of URL | new-tests.go:81:37:81:48 | selection of Path | provenance | Src:MaD:9 |
| new-tests.go:81:37:81:48 | selection of Path | new-tests.go:81:18:81:67 | call to TrimPrefix | provenance | MaD:15 | | new-tests.go:81:37:81:48 | selection of Path | new-tests.go:81:18:81:67 | call to TrimPrefix | provenance | MaD:16 |
| new-tests.go:86:10:86:20 | call to Vars | new-tests.go:88:11:88:46 | ...+... | provenance | Src:MaD:5 | | new-tests.go:86:10:86:20 | call to Vars | new-tests.go:88:11:88:46 | ...+... | provenance | Src:MaD:5 |
| new-tests.go:95:18:95:45 | call to URLParam | new-tests.go:96:11:96:46 | ...+... | provenance | Src:MaD:4 | | new-tests.go:95:18:95:45 | call to URLParam | new-tests.go:96:11:96:46 | ...+... | provenance | Src:MaD:4 |
models models
@@ -71,22 +78,29 @@ models
| 9 | Source: net/http; Request; true; URL; ; ; ; remote; manual | | 9 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
| 10 | Summary: encoding/json; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual | | 10 | Summary: encoding/json; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual |
| 11 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual | | 11 | Summary: fmt; ; false; Sprintf; ; ; Argument[1].ArrayElement; ReturnValue; taint; manual |
| 12 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | | 12 | Summary: fmt; Stringer; true; String; ; ; Argument[receiver]; ReturnValue; taint; manual |
| 13 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual | | 13 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
| 14 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | | 14 | Summary: net/url; URL; true; Query; ; ; Argument[receiver]; ReturnValue; taint; manual |
| 15 | Summary: strings; ; false; TrimPrefix; ; ; Argument[0]; ReturnValue; taint; manual | | 15 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
| 16 | Summary: strings; ; false; TrimPrefix; ; ; Argument[0]; ReturnValue; taint; manual |
nodes nodes
| builtin.go:19:12:19:34 | call to FormValue | semmle.label | call to FormValue | | builtin.go:20:12:20:34 | call to FormValue | semmle.label | call to FormValue |
| builtin.go:22:21:22:62 | ...+... | semmle.label | ...+... | | builtin.go:23:21:23:62 | ...+... | semmle.label | ...+... |
| builtin.go:83:21:83:31 | call to Referer | semmle.label | call to Referer | | builtin.go:84:21:84:31 | call to Referer | semmle.label | call to Referer |
| builtin.go:88:27:88:40 | untrustedInput | semmle.label | untrustedInput | | builtin.go:89:27:89:40 | untrustedInput | semmle.label | untrustedInput |
| builtin.go:97:21:97:31 | call to Referer | semmle.label | call to Referer | | builtin.go:98:21:98:31 | call to Referer | semmle.label | call to Referer |
| builtin.go:101:36:101:49 | untrustedInput | semmle.label | untrustedInput | | builtin.go:102:36:102:49 | untrustedInput | semmle.label | untrustedInput |
| builtin.go:111:21:111:31 | call to Referer | semmle.label | call to Referer | | builtin.go:112:21:112:31 | call to Referer | semmle.label | call to Referer |
| builtin.go:114:15:114:28 | untrustedInput | semmle.label | untrustedInput | | builtin.go:115:15:115:28 | untrustedInput | semmle.label | untrustedInput |
| builtin.go:129:21:129:31 | call to Referer | semmle.label | call to Referer | | builtin.go:130:21:130:31 | call to Referer | semmle.label | call to Referer |
| builtin.go:132:38:132:51 | untrustedInput | semmle.label | untrustedInput | | builtin.go:133:38:133:51 | untrustedInput | semmle.label | untrustedInput |
| new-tests.go:26:26:26:30 | &... | semmle.label | &... | | builtin.go:151:16:151:36 | call to FormValue | semmle.label | call to FormValue |
| builtin.go:154:2:154:4 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| builtin.go:154:2:154:4 | url [postupdate] | semmle.label | url [postupdate] |
| builtin.go:154:13:154:22 | unsafehost | semmle.label | unsafehost |
| builtin.go:156:21:156:23 | url | semmle.label | url |
| builtin.go:156:21:156:32 | call to String | semmle.label | call to String |
| new-tests.go:26:26:26:30 | &... [postupdate] | semmle.label | &... [postupdate] |
| new-tests.go:31:11:31:57 | []type{args} [array] | semmle.label | []type{args} [array] | | new-tests.go:31:11:31:57 | []type{args} [array] | semmle.label | []type{args} [array] |
| new-tests.go:31:11:31:57 | call to Sprintf | semmle.label | call to Sprintf | | new-tests.go:31:11:31:57 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:31:48:31:56 | selection of word | semmle.label | selection of word | | new-tests.go:31:48:31:56 | selection of word | semmle.label | selection of word |
@@ -103,7 +117,7 @@ nodes
| new-tests.go:62:2:62:39 | ... := ...[0] | semmle.label | ... := ...[0] | | new-tests.go:62:2:62:39 | ... := ...[0] | semmle.label | ... := ...[0] |
| new-tests.go:62:31:62:38 | selection of Body | semmle.label | selection of Body | | new-tests.go:62:31:62:38 | selection of Body | semmle.label | selection of Body |
| new-tests.go:63:17:63:23 | reqBody | semmle.label | reqBody | | new-tests.go:63:17:63:23 | reqBody | semmle.label | reqBody |
| new-tests.go:63:26:63:30 | &... | semmle.label | &... | | new-tests.go:63:26:63:30 | &... [postupdate] | semmle.label | &... [postupdate] |
| new-tests.go:68:11:68:57 | []type{args} [array] | semmle.label | []type{args} [array] | | new-tests.go:68:11:68:57 | []type{args} [array] | semmle.label | []type{args} [array] |
| new-tests.go:68:11:68:57 | call to Sprintf | semmle.label | call to Sprintf | | new-tests.go:68:11:68:57 | call to Sprintf | semmle.label | call to Sprintf |
| new-tests.go:68:48:68:56 | selection of word | semmle.label | selection of word | | new-tests.go:68:48:68:56 | selection of word | semmle.label | selection of word |


@@ -1,2 +1,4 @@
query: experimental/CWE-918/SSRF.ql query: experimental/CWE-918/SSRF.ql
postprocess: utils/test/PrettyPrintModels.ql postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql


@@ -8,6 +8,7 @@ import (
"fmt" "fmt"
"log" "log"
"net/http" "net/http"
"net/url"
"regexp" "regexp"
"strings" "strings"
@@ -16,10 +17,10 @@ import (
) )
func handler(w http.ResponseWriter, req *http.Request) { func handler(w http.ResponseWriter, req *http.Request) {
target := req.FormValue("target") target := req.FormValue("target") // $ Source
// BAD: `target` is controlled by the attacker // BAD: `target` is controlled by the attacker
_, err := http.Get("https://" + target + ".example.com/data/") _, err := http.Get("https://" + target + ".example.com/data/") // $ Alert
if err != nil { if err != nil {
// error handling // error handling
} }
@@ -80,12 +81,12 @@ func test() {
// x net websocket dial bad // x net websocket dial bad
http.HandleFunc("/ex2", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/ex2", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() untrustedInput := r.Referer() // $ Source
origin := "http://localhost/" origin := "http://localhost/"
// bad as input is directly passed to dial function // bad as input is directly passed to dial function
ws, _ := websocket.Dial(untrustedInput, "", origin) // SSRF ws, _ := websocket.Dial(untrustedInput, "", origin) // $ Alert
var msg = make([]byte, 512) var msg = make([]byte, 512)
var n int var n int
n, _ = ws.Read(msg) n, _ = ws.Read(msg)
@@ -94,12 +95,12 @@ func test() {
// x net websocket dialConfig bad // x net websocket dialConfig bad
http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() untrustedInput := r.Referer() // $ Source
origin := "http://localhost/" origin := "http://localhost/"
// bad as input is directly used // bad as input is directly used
config, _ := websocket.NewConfig(untrustedInput, origin) // SSRF config, _ := websocket.NewConfig(untrustedInput, origin) // $ Sink
ws2, _ := websocket.DialConfig(config) ws2, _ := websocket.DialConfig(config) // $ Alert
var msg = make([]byte, 512) var msg = make([]byte, 512)
var n int var n int
n, _ = ws2.Read(msg) n, _ = ws2.Read(msg)
@@ -108,10 +109,10 @@ func test() {
// gorilla websocket Dialer.Dial bad // gorilla websocket Dialer.Dial bad
http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() untrustedInput := r.Referer() // $ Source
dialer := gorilla.Dialer{} dialer := gorilla.Dialer{}
dialer.Dial(untrustedInput, r.Header) //SSRF dialer.Dial(untrustedInput, r.Header) // $ Alert
}) })
// gorilla websocket Dialer.Dial good // gorilla websocket Dialer.Dial good
@@ -126,10 +127,10 @@ func test() {
// gorilla websocket Dialer.DialContext bad // gorilla websocket Dialer.DialContext bad
http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) { http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() untrustedInput := r.Referer() // $ Source
dialer := gorilla.Dialer{} dialer := gorilla.Dialer{}
dialer.DialContext(context.TODO(), untrustedInput, r.Header) //SSRF dialer.DialContext(context.TODO(), untrustedInput, r.Header) // $ Alert
}) })
// gorilla websocket Dialer.DialContext good // gorilla websocket Dialer.DialContext good
@@ -145,3 +146,16 @@ func test() {
log.Println(http.ListenAndServe(":80", nil)) log.Println(http.ListenAndServe(":80", nil))
} }
func handler2(w http.ResponseWriter, req *http.Request) {
unsafehost := req.FormValue("host") // $ Source
url, _ := url.Parse("http://example.com/data")
url.Host = unsafehost
// BAD: `target` is controlled by the attacker
_, err := http.Get(url.String()) // $ Alert
if err != nil {
// error handling
}
// process request response
}


@@ -23,20 +23,20 @@ func HandlerGin(c *gin.Context) {
safe string `binding:"alphanum"` safe string `binding:"alphanum"`
} }
err := c.ShouldBindJSON(&body) err := c.ShouldBindJSON(&body) // $ Source
http.Get(fmt.Sprintf("http://example.com/%d", body.integer)) // OK http.Get(fmt.Sprintf("http://example.com/%d", body.integer)) // OK
http.Get(fmt.Sprintf("http://example.com/%v", body.float)) // OK http.Get(fmt.Sprintf("http://example.com/%v", body.float)) // OK
http.Get(fmt.Sprintf("http://example.com/%v", body.boolean)) // OK http.Get(fmt.Sprintf("http://example.com/%v", body.boolean)) // OK
http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // SSRF http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // $ Alert
http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // SSRF http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // $ Alert
if err == nil { if err == nil {
http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // SSRF http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // $ Alert
http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // OK http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // OK
} }
taintedParam := c.Param("id") taintedParam := c.Param("id") // $ Source
validate := validator.New() validate := validator.New()
err = validate.Var(taintedParam, "alpha") err = validate.Var(taintedParam, "alpha")
@@ -44,10 +44,10 @@ func HandlerGin(c *gin.Context) {
http.Get("http://example.com/" + taintedParam) // OK http.Get("http://example.com/" + taintedParam) // OK
} }
http.Get("http://example.com/" + taintedParam) //SSRF http.Get("http://example.com/" + taintedParam) // $ Alert
taintedQuery := c.Query("id") taintedQuery := c.Query("id") // $ Source
http.Get("http://example.com/" + taintedQuery) //SSRF http.Get("http://example.com/" + taintedQuery) // $ Alert
} }
func HandlerHttp(req *http.Request) { func HandlerHttp(req *http.Request) {
@@ -59,41 +59,41 @@ func HandlerHttp(req *http.Request) {
word string word string
safe string `validate:"alphanum"` safe string `validate:"alphanum"`
} }
reqBody, _ := ioutil.ReadAll(req.Body) reqBody, _ := ioutil.ReadAll(req.Body) // $ Source
json.Unmarshal(reqBody, &body) json.Unmarshal(reqBody, &body)
http.Get(fmt.Sprintf("http://example.com/%d", body.integer)) // OK http.Get(fmt.Sprintf("http://example.com/%d", body.integer)) // OK
http.Get(fmt.Sprintf("http://example.com/%v", body.float)) // OK http.Get(fmt.Sprintf("http://example.com/%v", body.float)) // OK
http.Get(fmt.Sprintf("http://example.com/%v", body.boolean)) // OK http.Get(fmt.Sprintf("http://example.com/%v", body.boolean)) // OK
http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // SSRF http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // $ Alert
http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // SSRF http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // $ Alert
validate := validator.New() validate := validator.New()
err := validate.Struct(body) err := validate.Struct(body)
if err == nil { if err == nil {
http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // SSRF http.Get(fmt.Sprintf("http://example.com/%s", body.word)) // $ Alert
http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // OK http.Get(fmt.Sprintf("http://example.com/%s", body.safe)) // OK
} }
taintedQuery := req.URL.Query().Get("param1") taintedQuery := req.URL.Query().Get("param1") // $ Source
http.Get("http://example.com/" + taintedQuery) // SSRF http.Get("http://example.com/" + taintedQuery) // $ Alert
taintedParam := strings.TrimPrefix(req.URL.Path, "/example-path/") taintedParam := strings.TrimPrefix(req.URL.Path, "/example-path/") // $ Source
http.Get("http://example.com/" + taintedParam) // SSRF http.Get("http://example.com/" + taintedParam) // $ Alert
} }
func HandlerMux(r *http.Request) { func HandlerMux(r *http.Request) {
vars := mux.Vars(r) vars := mux.Vars(r) // $ Source
taintedParam := vars["id"] taintedParam := vars["id"]
http.Get("http://example.com/" + taintedParam) // SSRF http.Get("http://example.com/" + taintedParam) // $ Alert
numericID, _ := strconv.Atoi(taintedParam) numericID, _ := strconv.Atoi(taintedParam)
http.Get(fmt.Sprintf("http://example.com/%d", numericID)) // OK http.Get(fmt.Sprintf("http://example.com/%d", numericID)) // OK
} }
func HandlerChi(r *http.Request) { func HandlerChi(r *http.Request) {
taintedParam := chi.URLParam(r, "articleID") taintedParam := chi.URLParam(r, "articleID") // $ Source
http.Get("http://example.com/" + taintedParam) // SSRF http.Get("http://example.com/" + taintedParam) // $ Alert
b, _ := strconv.ParseBool(taintedParam) b, _ := strconv.ParseBool(taintedParam)
http.Get(fmt.Sprintf("http://example.com/%t", b)) // OK http.Get(fmt.Sprintf("http://example.com/%t", b)) // OK
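Review bot: The `// $ Alert` expectations on `body.safe` that sit before the validation result is checked (the `%s` call just above `if err == nil` in HandlerGin, and the one before `validate.Struct(body)` in HandlerHttp) look contradictory next to the `// OK` on the same field a few lines later, and the new markers no longer hint at why. The `alphanum` tag only constrains the value once binding or validation has returned a nil error, so a trailing explanation would keep the test readable, for example `// $ Alert // validation result not checked yet, alphanum tag gives no guarantee here`. The page already uses this trailing-comment form on the old `MISSING: hasTaintFlow` line, so it should not disturb the expectation parsing. HandlerGin begins before this hunk and HandlerChi continues past its end, so this is based only on the visible lines.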


@@ -1,22 +1,14 @@
invalidModelRow invalidModelRow
edges edges
| test.go:9:9:9:11 | selection of c [collection] | test.go:9:7:9:11 | <-... | provenance | | | test.go:9:9:9:11 | selection of c [collection] | test.go:9:7:9:11 | <-... | provenance | |
| test.go:13:16:13:16 | definition of s [pointer, c, collection] | test.go:16:2:16:2 | s [pointer, c, collection] | provenance | |
| test.go:15:10:15:17 | call to source | test.go:16:9:16:12 | data | provenance | | | test.go:15:10:15:17 | call to source | test.go:16:9:16:12 | data | provenance | |
| test.go:16:2:16:2 | implicit dereference [c, collection] | test.go:13:16:13:16 | definition of s [pointer, c, collection] | provenance | | | test.go:16:2:16:4 | selection of c [postupdate] [collection] | test.go:9:9:9:11 | selection of c [collection] | provenance | |
| test.go:16:2:16:2 | implicit dereference [c, collection] | test.go:16:2:16:4 | selection of c [collection] | provenance | | | test.go:16:9:16:12 | data | test.go:16:2:16:4 | selection of c [postupdate] [collection] | provenance | |
| test.go:16:2:16:2 | s [pointer, c, collection] | test.go:16:2:16:2 | implicit dereference [c, collection] | provenance | |
| test.go:16:2:16:4 | selection of c [collection] | test.go:9:9:9:11 | selection of c [collection] | provenance | |
| test.go:16:2:16:4 | selection of c [collection] | test.go:16:2:16:2 | implicit dereference [c, collection] | provenance | |
| test.go:16:9:16:12 | data | test.go:16:2:16:4 | selection of c [collection] | provenance | |
nodes nodes
| test.go:9:7:9:11 | <-... | semmle.label | <-... | | test.go:9:7:9:11 | <-... | semmle.label | <-... |
| test.go:9:9:9:11 | selection of c [collection] | semmle.label | selection of c [collection] | | test.go:9:9:9:11 | selection of c [collection] | semmle.label | selection of c [collection] |
| test.go:13:16:13:16 | definition of s [pointer, c, collection] | semmle.label | definition of s [pointer, c, collection] |
| test.go:15:10:15:17 | call to source | semmle.label | call to source | | test.go:15:10:15:17 | call to source | semmle.label | call to source |
| test.go:16:2:16:2 | implicit dereference [c, collection] | semmle.label | implicit dereference [c, collection] | | test.go:16:2:16:4 | selection of c [postupdate] [collection] | semmle.label | selection of c [postupdate] [collection] |
| test.go:16:2:16:2 | s [pointer, c, collection] | semmle.label | s [pointer, c, collection] |
| test.go:16:2:16:4 | selection of c [collection] | semmle.label | selection of c [collection] |
| test.go:16:9:16:12 | data | semmle.label | data | | test.go:16:9:16:12 | data | semmle.label | data |
subpaths subpaths
#select #select


@@ -4,27 +4,27 @@ models
| 3 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual | | 3 | Summary: io; Reader; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
| 4 | Summary: os; File; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual | | 4 | Summary: os; File; true; Read; ; ; Argument[receiver]; Argument[0]; taint; manual |
edges edges
| Builtin.go:6:2:6:2 | definition of b | Builtin.go:8:9:8:17 | type conversion | provenance | | | Builtin.go:7:2:7:15 | selection of Body | Builtin.go:7:22:7:22 | b [postupdate] | provenance | Src:MaD:1 MaD:2 |
| Builtin.go:7:2:7:15 | selection of Body | Builtin.go:6:2:6:2 | definition of b | provenance | Src:MaD:1 MaD:2 | | Builtin.go:7:2:7:15 | selection of Body | Builtin.go:7:22:7:22 | b [postupdate] | provenance | Src:MaD:1 MaD:3 |
| Builtin.go:7:2:7:15 | selection of Body | Builtin.go:6:2:6:2 | definition of b | provenance | Src:MaD:1 MaD:3 | | Builtin.go:7:2:7:15 | selection of Body | Builtin.go:7:22:7:22 | b [postupdate] | provenance | Src:MaD:1 MaD:4 |
| Builtin.go:7:2:7:15 | selection of Body | Builtin.go:6:2:6:2 | definition of b | provenance | Src:MaD:1 MaD:4 | | Builtin.go:7:22:7:22 | b [postupdate] | Builtin.go:8:9:8:17 | type conversion | provenance | |
| Builtin.go:12:2:12:2 | definition of b | Builtin.go:17:9:17:17 | type conversion | provenance | | | Builtin.go:13:2:13:15 | selection of Body | Builtin.go:13:22:13:22 | b [postupdate] | provenance | Src:MaD:1 MaD:2 |
| Builtin.go:13:2:13:15 | selection of Body | Builtin.go:12:2:12:2 | definition of b | provenance | Src:MaD:1 MaD:2 | | Builtin.go:13:2:13:15 | selection of Body | Builtin.go:13:22:13:22 | b [postupdate] | provenance | Src:MaD:1 MaD:3 |
| Builtin.go:13:2:13:15 | selection of Body | Builtin.go:12:2:12:2 | definition of b | provenance | Src:MaD:1 MaD:3 | | Builtin.go:13:2:13:15 | selection of Body | Builtin.go:13:22:13:22 | b [postupdate] | provenance | Src:MaD:1 MaD:4 |
| Builtin.go:13:2:13:15 | selection of Body | Builtin.go:12:2:12:2 | definition of b | provenance | Src:MaD:1 MaD:4 | | Builtin.go:13:22:13:22 | b [postupdate] | Builtin.go:17:9:17:17 | type conversion | provenance | |
| Builtin.go:21:2:21:2 | definition of b | Builtin.go:24:10:24:18 | type conversion | provenance | | | Builtin.go:22:2:22:15 | selection of Body | Builtin.go:22:22:22:22 | b [postupdate] | provenance | Src:MaD:1 MaD:2 |
| Builtin.go:22:2:22:15 | selection of Body | Builtin.go:21:2:21:2 | definition of b | provenance | Src:MaD:1 MaD:2 | | Builtin.go:22:2:22:15 | selection of Body | Builtin.go:22:22:22:22 | b [postupdate] | provenance | Src:MaD:1 MaD:3 |
| Builtin.go:22:2:22:15 | selection of Body | Builtin.go:21:2:21:2 | definition of b | provenance | Src:MaD:1 MaD:3 | | Builtin.go:22:2:22:15 | selection of Body | Builtin.go:22:22:22:22 | b [postupdate] | provenance | Src:MaD:1 MaD:4 |
| Builtin.go:22:2:22:15 | selection of Body | Builtin.go:21:2:21:2 | definition of b | provenance | Src:MaD:1 MaD:4 | | Builtin.go:22:22:22:22 | b [postupdate] | Builtin.go:24:10:24:18 | type conversion | provenance | |
nodes nodes
| Builtin.go:6:2:6:2 | definition of b | semmle.label | definition of b |
| Builtin.go:7:2:7:15 | selection of Body | semmle.label | selection of Body | | Builtin.go:7:2:7:15 | selection of Body | semmle.label | selection of Body |
| Builtin.go:7:22:7:22 | b [postupdate] | semmle.label | b [postupdate] |
| Builtin.go:8:9:8:17 | type conversion | semmle.label | type conversion | | Builtin.go:8:9:8:17 | type conversion | semmle.label | type conversion |
| Builtin.go:12:2:12:2 | definition of b | semmle.label | definition of b |
| Builtin.go:13:2:13:15 | selection of Body | semmle.label | selection of Body | | Builtin.go:13:2:13:15 | selection of Body | semmle.label | selection of Body |
| Builtin.go:13:22:13:22 | b [postupdate] | semmle.label | b [postupdate] |
| Builtin.go:17:9:17:17 | type conversion | semmle.label | type conversion | | Builtin.go:17:9:17:17 | type conversion | semmle.label | type conversion |
| Builtin.go:21:2:21:2 | definition of b | semmle.label | definition of b |
| Builtin.go:22:2:22:15 | selection of Body | semmle.label | selection of Body | | Builtin.go:22:2:22:15 | selection of Body | semmle.label | selection of Body |
| Builtin.go:22:22:22:22 | b [postupdate] | semmle.label | b [postupdate] |
| Builtin.go:24:10:24:18 | type conversion | semmle.label | type conversion | | Builtin.go:24:10:24:18 | type conversion | semmle.label | type conversion |
subpaths subpaths
#select #select


@@ -1,6 +1,5 @@
invalidModelRow invalidModelRow
#select #select
| test.go:10:6:10:8 | definition of arg | qltest-arg |
| test.go:39:8:39:15 | call to Src1 | qltest | | test.go:39:8:39:15 | call to Src1 | qltest |
| test.go:40:8:40:15 | call to Src2 | qltest | | test.go:40:8:40:15 | call to Src2 | qltest |
| test.go:40:8:40:15 | call to Src2 | qltest-w-subtypes | | test.go:40:8:40:15 | call to Src2 | qltest-w-subtypes |
@@ -8,6 +7,7 @@ invalidModelRow
| test.go:42:2:42:21 | ... = ...[0] | qltest | | test.go:42:2:42:21 | ... = ...[0] | qltest |
| test.go:42:2:42:21 | ... = ...[1] | qltest-w-subtypes | | test.go:42:2:42:21 | ... = ...[1] | qltest-w-subtypes |
| test.go:43:2:43:22 | ... = ...[1] | qltest-w-subtypes | | test.go:43:2:43:22 | ... = ...[1] | qltest-w-subtypes |
| test.go:44:11:44:13 | arg [postupdate] | qltest-arg |
| test.go:59:9:59:16 | call to Src1 | qltest | | test.go:59:9:59:16 | call to Src1 | qltest |
| test.go:102:46:102:53 | call to Src1 | qltest | | test.go:102:46:102:53 | call to Src1 | qltest |
| test.go:112:35:112:42 | call to Src1 | qltest | | test.go:112:35:112:42 | call to Src1 | qltest |


@@ -2,18 +2,18 @@ invalidModelRow
#select #select
| test.go:17:23:17:25 | arg | test.go:17:10:17:26 | call to StepArgRes | | test.go:17:23:17:25 | arg | test.go:17:10:17:26 | call to StepArgRes |
| test.go:18:27:18:29 | arg | test.go:18:2:18:30 | ... = ...[1] | | test.go:18:27:18:29 | arg | test.go:18:2:18:30 | ... = ...[1] |
| test.go:19:15:19:17 | arg | test.go:11:6:11:9 | definition of arg1 | | test.go:19:15:19:17 | arg | test.go:19:20:19:23 | arg1 [postupdate] |
| test.go:21:16:21:18 | arg | test.go:13:6:13:6 | definition of t | | test.go:21:16:21:18 | arg | test.go:21:2:21:2 | t [postupdate] |
| test.go:22:10:22:10 | t | test.go:22:10:22:24 | call to StepQualRes | | test.go:22:10:22:10 | t | test.go:22:10:22:24 | call to StepQualRes |
| test.go:23:2:23:2 | t | test.go:10:6:10:8 | definition of arg | | test.go:23:2:23:2 | t | test.go:23:16:23:18 | arg [postupdate] |
| test.go:24:32:24:34 | arg | test.go:24:10:24:35 | call to StepArgResNoQual | | test.go:24:32:24:34 | arg | test.go:24:10:24:35 | call to StepArgResNoQual |
| test.go:61:25:61:27 | src | test.go:61:12:61:28 | call to StepArgRes | | test.go:61:25:61:27 | src | test.go:61:12:61:28 | call to StepArgRes |
| test.go:64:29:64:31 | src | test.go:64:2:64:32 | ... := ...[1] | | test.go:64:29:64:31 | src | test.go:64:2:64:32 | ... := ...[1] |
| test.go:68:15:68:17 | src | test.go:67:6:67:11 | definition of taint3 | | test.go:68:15:68:17 | src | test.go:68:20:68:25 | taint3 [postupdate] |
| test.go:76:21:76:23 | src | test.go:75:6:75:11 | definition of taint4 | | test.go:76:21:76:23 | src | test.go:76:2:76:7 | taint4 [postupdate] |
| test.go:79:13:79:25 | type assertion | test.go:79:12:79:40 | call to StepQualRes | | test.go:79:13:79:25 | type assertion | test.go:79:12:79:40 | call to StepQualRes |
| test.go:83:3:83:15 | type assertion | test.go:82:6:82:11 | definition of taint6 | | test.go:83:3:83:15 | type assertion | test.go:83:30:83:35 | taint6 [postupdate] |
| test.go:86:34:86:36 | src | test.go:86:12:86:37 | call to StepArgResNoQual | | test.go:86:34:86:36 | src | test.go:86:12:86:37 | call to StepArgResNoQual |
| test.go:149:10:149:27 | []type{args} | test.go:149:10:149:27 | call to append | | test.go:149:10:149:27 | []type{args} | test.go:149:10:149:27 | call to append |
| test.go:149:17:149:21 | slice | test.go:149:10:149:27 | call to append | | test.go:149:17:149:21 | slice | test.go:149:10:149:27 | call to append |
| test.go:155:15:155:20 | slice1 | test.go:154:2:154:7 | definition of slice2 | | test.go:155:15:155:20 | slice1 | test.go:155:7:155:12 | slice2 [postupdate] |


@@ -158,7 +158,7 @@ func simpleflow() {
ch := make(chan string) ch := make(chan string)
ch <- a.Src1().(string) ch <- a.Src1().(string)
taint16 := test.StepArgCollectionContentRes(ch) taint16 := test.StepArgCollectionContentRes(ch)
b.Sink1(taint16) // $ MISSING: hasTaintFlow="taint16" // currently fails due to lack of post-update nodes after send statements b.Sink1(taint16) // $ hasTaintFlow="taint16"
c1 := test.C{""} c1 := test.C{""}
c1.Set(a.Src1().(string)) c1.Set(a.Src1().(string))


@@ -1,6 +1,5 @@
invalidModelRow invalidModelRow
#select #select
| test.go:10:6:10:8 | definition of arg | qltest-arg |
| test.go:39:8:39:15 | call to Src1 | qltest | | test.go:39:8:39:15 | call to Src1 | qltest |
| test.go:40:8:40:15 | call to Src2 | qltest | | test.go:40:8:40:15 | call to Src2 | qltest |
| test.go:40:8:40:15 | call to Src2 | qltest-w-subtypes | | test.go:40:8:40:15 | call to Src2 | qltest-w-subtypes |
@@ -8,6 +7,7 @@ invalidModelRow
| test.go:42:2:42:21 | ... = ...[0] | qltest | | test.go:42:2:42:21 | ... = ...[0] | qltest |
| test.go:42:2:42:21 | ... = ...[1] | qltest-w-subtypes | | test.go:42:2:42:21 | ... = ...[1] | qltest-w-subtypes |
| test.go:43:2:43:22 | ... = ...[1] | qltest-w-subtypes | | test.go:43:2:43:22 | ... = ...[1] | qltest-w-subtypes |
| test.go:44:11:44:13 | arg [postupdate] | qltest-arg |
| test.go:59:9:59:16 | call to Src1 | qltest | | test.go:59:9:59:16 | call to Src1 | qltest |
| test.go:102:46:102:53 | call to Src1 | qltest | | test.go:102:46:102:53 | call to Src1 | qltest |
| test.go:112:35:112:42 | call to Src1 | qltest | | test.go:112:35:112:42 | call to Src1 | qltest |


@@ -2,17 +2,17 @@ invalidModelRow
#select #select
| test.go:17:23:17:25 | arg | test.go:17:10:17:26 | call to StepArgRes | | test.go:17:23:17:25 | arg | test.go:17:10:17:26 | call to StepArgRes |
| test.go:18:27:18:29 | arg | test.go:18:2:18:30 | ... = ...[1] | | test.go:18:27:18:29 | arg | test.go:18:2:18:30 | ... = ...[1] |
| test.go:19:15:19:17 | arg | test.go:11:6:11:9 | definition of arg1 | | test.go:19:15:19:17 | arg | test.go:19:20:19:23 | arg1 [postupdate] |
| test.go:21:16:21:18 | arg | test.go:13:6:13:6 | definition of t | | test.go:21:16:21:18 | arg | test.go:21:2:21:2 | t [postupdate] |
| test.go:22:10:22:10 | t | test.go:22:10:22:24 | call to StepQualRes | | test.go:22:10:22:10 | t | test.go:22:10:22:24 | call to StepQualRes |
| test.go:23:2:23:2 | t | test.go:10:6:10:8 | definition of arg | | test.go:23:2:23:2 | t | test.go:23:16:23:18 | arg [postupdate] |
| test.go:24:32:24:34 | arg | test.go:24:10:24:35 | call to StepArgResNoQual | | test.go:24:32:24:34 | arg | test.go:24:10:24:35 | call to StepArgResNoQual |
| test.go:61:25:61:27 | src | test.go:61:12:61:28 | call to StepArgRes | | test.go:61:25:61:27 | src | test.go:61:12:61:28 | call to StepArgRes |
| test.go:64:29:64:31 | src | test.go:64:2:64:32 | ... := ...[1] | | test.go:64:29:64:31 | src | test.go:64:2:64:32 | ... := ...[1] |
| test.go:68:15:68:17 | src | test.go:67:6:67:11 | definition of taint3 | | test.go:68:15:68:17 | src | test.go:68:20:68:25 | taint3 [postupdate] |
| test.go:76:21:76:23 | src | test.go:75:6:75:11 | definition of taint4 | | test.go:76:21:76:23 | src | test.go:76:2:76:7 | taint4 [postupdate] |
| test.go:79:13:79:25 | type assertion | test.go:79:12:79:40 | call to StepQualRes | | test.go:79:13:79:25 | type assertion | test.go:79:12:79:40 | call to StepQualRes |
| test.go:83:3:83:15 | type assertion | test.go:82:6:82:11 | definition of taint6 | | test.go:83:3:83:15 | type assertion | test.go:83:30:83:35 | taint6 [postupdate] |
| test.go:86:34:86:36 | src | test.go:86:12:86:37 | call to StepArgResNoQual | | test.go:86:34:86:36 | src | test.go:86:12:86:37 | call to StepArgResNoQual |
| test.go:202:14:202:19 | srcInt | test.go:202:10:202:26 | call to max | | test.go:202:14:202:19 | srcInt | test.go:202:10:202:26 | call to max |
| test.go:202:22:202:22 | 0 | test.go:202:10:202:26 | call to max | | test.go:202:22:202:22 | 0 | test.go:202:10:202:26 | call to max |


@@ -158,7 +158,7 @@ func simpleflow() {
ch := make(chan string) ch := make(chan string)
ch <- a.Src1().(string) ch <- a.Src1().(string)
taint16 := test.StepArgCollectionContentRes(ch) taint16 := test.StepArgCollectionContentRes(ch)
b.Sink1(taint16) // $ MISSING: hasValueFlow="taint16" // currently fails due to lack of post-update nodes after send statements b.Sink1(taint16) // $ hasValueFlow="taint16"
c1 := test.C{""} c1 := test.C{""}
c1.Set(a.Src1().(string)) c1.Set(a.Src1().(string))


@@ -49,21 +49,21 @@
| main.go:3:6:3:10 | function test1 | main.go:34:2:34:6 | test1 | | main.go:3:6:3:10 | function test1 | main.go:34:2:34:6 | test1 |
| main.go:3:12:3:12 | argument corresponding to x | main.go:3:12:3:12 | definition of x | | main.go:3:12:3:12 | argument corresponding to x | main.go:3:12:3:12 | definition of x |
| main.go:3:12:3:12 | definition of x | main.go:5:5:5:5 | x | | main.go:3:12:3:12 | definition of x | main.go:5:5:5:5 | x |
| main.go:3:12:3:12 | definition of x | main.go:6:7:6:7 | x |
| main.go:3:12:3:12 | definition of x | main.go:8:8:8:8 | x |
| main.go:3:12:3:12 | definition of x | main.go:10:7:10:7 | x |
| main.go:3:12:3:12 | definition of x | main.go:10:22:10:22 | x |
| main.go:3:19:3:20 | argument corresponding to fn | main.go:3:19:3:20 | definition of fn | | main.go:3:19:3:20 | argument corresponding to fn | main.go:3:19:3:20 | definition of fn |
| main.go:3:19:3:20 | definition of fn | main.go:10:24:10:25 | fn | | main.go:3:19:3:20 | definition of fn | main.go:10:24:10:25 | fn |
| main.go:6:3:6:3 | definition of y | main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | | main.go:5:5:5:5 | x | main.go:6:7:6:7 | x |
| main.go:5:5:5:5 | x | main.go:8:8:8:8 | x |
| main.go:6:3:6:3 | definition of y | main.go:10:12:10:12 | y |
| main.go:6:7:6:7 | x | main.go:6:3:6:3 | definition of y | | main.go:6:7:6:7 | x | main.go:6:3:6:3 | definition of y |
| main.go:8:3:8:3 | definition of y | main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | | main.go:6:7:6:7 | x | main.go:10:7:10:7 | x |
| main.go:8:3:8:3 | definition of y | main.go:10:12:10:12 | y |
| main.go:8:7:8:8 | -... | main.go:8:3:8:3 | definition of y | | main.go:8:7:8:8 | -... | main.go:8:3:8:3 | definition of y |
| main.go:8:8:8:8 | x | main.go:10:7:10:7 | x |
| main.go:10:2:10:2 | definition of z | main.go:11:14:11:14 | z | | main.go:10:2:10:2 | definition of z | main.go:11:14:11:14 | z |
| main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | main.go:10:12:10:12 | y | | main.go:10:7:10:7 | x | main.go:10:22:10:22 | x |
| main.go:10:2:10:2 | y = phi(def@6:3, def@8:3) | main.go:10:17:10:17 | y |
| main.go:10:7:10:12 | ...<=... | main.go:10:7:10:27 | ...&&... | | main.go:10:7:10:12 | ...<=... | main.go:10:7:10:27 | ...&&... |
| main.go:10:7:10:27 | ...&&... | main.go:10:2:10:2 | definition of z | | main.go:10:7:10:27 | ...&&... | main.go:10:2:10:2 | definition of z |
| main.go:10:12:10:12 | y | main.go:10:17:10:17 | y |
| main.go:10:17:10:27 | ...>=... | main.go:10:7:10:27 | ...&&... | | main.go:10:17:10:27 | ...>=... | main.go:10:7:10:27 | ...&&... |
| main.go:11:14:11:14 | z | main.go:11:9:11:15 | type conversion | | main.go:11:14:11:14 | z | main.go:11:9:11:15 | type conversion |
| main.go:14:6:14:10 | function test2 | main.go:34:8:34:12 | test2 | | main.go:14:6:14:10 | function test2 | main.go:34:8:34:12 | test2 |
@@ -84,50 +84,54 @@
| main.go:26:5:26:6 | definition of ok | main.go:27:5:27:6 | ok | | main.go:26:5:26:6 | definition of ok | main.go:27:5:27:6 | ok |
| main.go:26:11:26:11 | x | main.go:26:2:26:17 | ... := ...[0] | | main.go:26:11:26:11 | x | main.go:26:2:26:17 | ... := ...[0] |
| main.go:38:2:38:2 | definition of s | main.go:39:15:39:15 | s | | main.go:38:2:38:2 | definition of s | main.go:39:15:39:15 | s |
| main.go:38:2:38:2 | definition of s | main.go:40:15:40:15 | s |
| main.go:38:2:38:2 | definition of s | main.go:42:7:42:7 | s |
| main.go:38:7:38:20 | slice literal | main.go:38:2:38:2 | definition of s | | main.go:38:7:38:20 | slice literal | main.go:38:2:38:2 | definition of s |
| main.go:38:7:38:20 | slice literal [postupdate] | main.go:38:2:38:2 | definition of s |
| main.go:39:2:39:3 | definition of s1 | main.go:40:18:40:19 | s1 | | main.go:39:2:39:3 | definition of s1 | main.go:40:18:40:19 | s1 |
| main.go:39:8:39:25 | call to append | main.go:39:2:39:3 | definition of s1 | | main.go:39:8:39:25 | call to append | main.go:39:2:39:3 | definition of s1 |
| main.go:39:15:39:15 | s | main.go:40:15:40:15 | s |
| main.go:39:15:39:15 | s [postupdate] | main.go:40:15:40:15 | s |
| main.go:40:2:40:3 | definition of s2 | main.go:43:9:43:10 | s2 | | main.go:40:2:40:3 | definition of s2 | main.go:43:9:43:10 | s2 |
| main.go:40:8:40:23 | call to append | main.go:40:2:40:3 | definition of s2 | | main.go:40:8:40:23 | call to append | main.go:40:2:40:3 | definition of s2 |
| main.go:40:15:40:15 | s | main.go:42:7:42:7 | s |
| main.go:40:15:40:15 | s [postupdate] | main.go:42:7:42:7 | s |
| main.go:41:2:41:3 | definition of s4 | main.go:42:10:42:11 | s4 | | main.go:41:2:41:3 | definition of s4 | main.go:42:10:42:11 | s4 |
| main.go:41:8:41:21 | call to make | main.go:41:2:41:3 | definition of s4 | | main.go:41:8:41:21 | call to make | main.go:41:2:41:3 | definition of s4 |
| main.go:46:13:46:14 | argument corresponding to xs | main.go:46:13:46:14 | definition of xs | | main.go:46:13:46:14 | argument corresponding to xs | main.go:46:13:46:14 | definition of xs |
| main.go:46:13:46:14 | definition of xs | main.go:47:20:47:21 | xs | | main.go:46:13:46:14 | definition of xs | main.go:47:20:47:21 | xs |
| main.go:46:24:46:27 | definition of keys | main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | | main.go:46:24:46:27 | definition of keys | main.go:46:24:46:27 | implicit read of keys |
| main.go:46:24:46:27 | definition of keys | main.go:49:3:49:6 | keys |
| main.go:46:24:46:27 | zero value for keys | main.go:46:24:46:27 | definition of keys | | main.go:46:24:46:27 | zero value for keys | main.go:46:24:46:27 | definition of keys |
| main.go:46:34:46:37 | definition of vals | main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | | main.go:46:34:46:37 | definition of vals | main.go:46:34:46:37 | implicit read of vals |
| main.go:46:34:46:37 | definition of vals | main.go:48:3:48:6 | vals |
| main.go:46:34:46:37 | zero value for vals | main.go:46:34:46:37 | definition of vals | | main.go:46:34:46:37 | zero value for vals | main.go:46:34:46:37 | definition of vals |
| main.go:47:2:50:2 | range statement[0] | main.go:47:6:47:6 | definition of k | | main.go:47:2:50:2 | range statement[0] | main.go:47:6:47:6 | definition of k |
| main.go:47:2:50:2 | range statement[1] | main.go:47:9:47:9 | definition of v | | main.go:47:2:50:2 | range statement[1] | main.go:47:9:47:9 | definition of v |
| main.go:47:6:47:6 | definition of k | main.go:49:11:49:11 | k | | main.go:47:6:47:6 | definition of k | main.go:49:11:49:11 | k |
| main.go:47:9:47:9 | definition of v | main.go:48:11:48:11 | v | | main.go:47:9:47:9 | definition of v | main.go:48:11:48:11 | v |
| main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | main.go:46:24:46:27 | implicit read of keys | | main.go:48:3:48:6 | definition of vals | main.go:46:34:46:37 | implicit read of vals |
| main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | main.go:49:3:49:6 | keys | | main.go:48:3:48:6 | definition of vals | main.go:48:3:48:6 | vals |
| main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | main.go:46:34:46:37 | implicit read of vals |
| main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) | main.go:48:3:48:6 | vals |
| main.go:48:3:48:6 | definition of vals | main.go:47:20:47:21 | vals = phi(def@46:34, def@48:3) |
| main.go:48:3:48:11 | ... += ... | main.go:48:3:48:6 | definition of vals | | main.go:48:3:48:11 | ... += ... | main.go:48:3:48:6 | definition of vals |
| main.go:49:3:49:6 | definition of keys | main.go:47:20:47:21 | keys = phi(def@46:24, def@49:3) | | main.go:49:3:49:6 | definition of keys | main.go:46:24:46:27 | implicit read of keys |
| main.go:49:3:49:6 | definition of keys | main.go:49:3:49:6 | keys |
| main.go:49:3:49:11 | ... += ... | main.go:49:3:49:6 | definition of keys | | main.go:49:3:49:11 | ... += ... | main.go:49:3:49:6 | definition of keys |
| main.go:55:6:55:7 | definition of ch | main.go:56:2:56:3 | ch | | main.go:55:6:55:7 | definition of ch | main.go:56:2:56:3 | ch |
| main.go:55:6:55:7 | definition of ch | main.go:57:4:57:5 | ch |
| main.go:55:6:55:7 | zero value for ch | main.go:55:6:55:7 | definition of ch | | main.go:55:6:55:7 | zero value for ch | main.go:55:6:55:7 | definition of ch |
| main.go:56:2:56:3 | ch | main.go:57:4:57:5 | ch |
| main.go:56:2:56:3 | ch [postupdate] | main.go:57:4:57:5 | ch |
| main.go:61:2:61:2 | definition of x | main.go:64:11:64:11 | x | | main.go:61:2:61:2 | definition of x | main.go:64:11:64:11 | x |
| main.go:61:2:61:2 | definition of x | main.go:65:11:65:11 | x |
| main.go:61:7:61:7 | 1 | main.go:61:2:61:2 | definition of x | | main.go:61:7:61:7 | 1 | main.go:61:2:61:2 | definition of x |
| main.go:62:2:62:2 | definition of y | main.go:64:14:64:14 | y | | main.go:62:2:62:2 | definition of y | main.go:64:14:64:14 | y |
| main.go:62:2:62:2 | definition of y | main.go:65:14:65:14 | y |
| main.go:62:7:62:7 | 2 | main.go:62:2:62:2 | definition of y | | main.go:62:7:62:7 | 2 | main.go:62:2:62:2 | definition of y |
| main.go:63:2:63:2 | definition of z | main.go:64:17:64:17 | z | | main.go:63:2:63:2 | definition of z | main.go:64:17:64:17 | z |
| main.go:63:2:63:2 | definition of z | main.go:65:17:65:17 | z |
| main.go:63:7:63:7 | 3 | main.go:63:2:63:2 | definition of z | | main.go:63:7:63:7 | 3 | main.go:63:2:63:2 | definition of z |
| main.go:64:2:64:2 | definition of a | main.go:66:9:66:9 | a | | main.go:64:2:64:2 | definition of a | main.go:66:9:66:9 | a |
| main.go:64:7:64:18 | call to min | main.go:64:2:64:2 | definition of a | | main.go:64:7:64:18 | call to min | main.go:64:2:64:2 | definition of a |
| main.go:64:11:64:11 | x | main.go:64:7:64:18 | call to min | | main.go:64:11:64:11 | x | main.go:64:7:64:18 | call to min |
| main.go:64:11:64:11 | x | main.go:65:11:65:11 | x |
| main.go:64:14:64:14 | y | main.go:64:7:64:18 | call to min | | main.go:64:14:64:14 | y | main.go:64:7:64:18 | call to min |
| main.go:64:14:64:14 | y | main.go:65:14:65:14 | y |
| main.go:64:17:64:17 | z | main.go:64:7:64:18 | call to min | | main.go:64:17:64:17 | z | main.go:64:7:64:18 | call to min |
| main.go:64:17:64:17 | z | main.go:65:17:65:17 | z |
| main.go:65:2:65:2 | definition of b | main.go:66:12:66:12 | b | | main.go:65:2:65:2 | definition of b | main.go:66:12:66:12 | b |
| main.go:65:7:65:18 | call to max | main.go:65:2:65:2 | definition of b | | main.go:65:7:65:18 | call to max | main.go:65:2:65:2 | definition of b |
| main.go:65:11:65:11 | x | main.go:65:7:65:18 | call to max | | main.go:65:11:65:11 | x | main.go:65:7:65:18 | call to max |
@@ -135,62 +139,71 @@
| main.go:65:17:65:17 | z | main.go:65:7:65:18 | call to max | | main.go:65:17:65:17 | z | main.go:65:7:65:18 | call to max |
| strings.go:8:12:8:12 | argument corresponding to s | strings.go:8:12:8:12 | definition of s | | strings.go:8:12:8:12 | argument corresponding to s | strings.go:8:12:8:12 | definition of s |
| strings.go:8:12:8:12 | definition of s | strings.go:9:24:9:24 | s | | strings.go:8:12:8:12 | definition of s | strings.go:9:24:9:24 | s |
| strings.go:8:12:8:12 | definition of s | strings.go:10:27:10:27 | s |
| strings.go:9:2:9:3 | definition of s2 | strings.go:11:20:11:21 | s2 | | strings.go:9:2:9:3 | definition of s2 | strings.go:11:20:11:21 | s2 |
| strings.go:9:2:9:3 | definition of s2 | strings.go:11:48:11:49 | s2 |
| strings.go:9:8:9:38 | call to Replace | strings.go:9:2:9:3 | definition of s2 | | strings.go:9:8:9:38 | call to Replace | strings.go:9:2:9:3 | definition of s2 |
| strings.go:9:24:9:24 | s | strings.go:10:27:10:27 | s |
| strings.go:10:2:10:3 | definition of s3 | strings.go:11:24:11:25 | s3 | | strings.go:10:2:10:3 | definition of s3 | strings.go:11:24:11:25 | s3 |
| strings.go:10:2:10:3 | definition of s3 | strings.go:11:67:11:68 | s3 |
| strings.go:10:8:10:42 | call to ReplaceAll | strings.go:10:2:10:3 | definition of s3 | | strings.go:10:8:10:42 | call to ReplaceAll | strings.go:10:2:10:3 | definition of s3 |
| strings.go:11:20:11:21 | s2 | strings.go:11:48:11:49 | s2 |
| strings.go:11:24:11:25 | s3 | strings.go:11:67:11:68 | s3 |
| url.go:8:12:8:12 | argument corresponding to b | url.go:8:12:8:12 | definition of b | | url.go:8:12:8:12 | argument corresponding to b | url.go:8:12:8:12 | definition of b |
| url.go:8:12:8:12 | definition of b | url.go:11:5:11:5 | b | | url.go:8:12:8:12 | definition of b | url.go:11:5:11:5 | b |
| url.go:8:20:8:20 | argument corresponding to s | url.go:8:20:8:20 | definition of s | | url.go:8:20:8:20 | argument corresponding to s | url.go:8:20:8:20 | definition of s |
| url.go:8:20:8:20 | definition of s | url.go:12:46:12:46 | s | | url.go:8:20:8:20 | definition of s | url.go:12:46:12:46 | s |
| url.go:8:20:8:20 | definition of s | url.go:14:48:14:48 | s | | url.go:8:20:8:20 | definition of s | url.go:14:48:14:48 | s |
| url.go:12:3:12:5 | definition of res | url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | | url.go:12:3:12:5 | definition of res | url.go:19:9:19:11 | res |
| url.go:12:3:12:48 | ... = ...[0] | url.go:12:3:12:5 | definition of res | | url.go:12:3:12:48 | ... = ...[0] | url.go:12:3:12:5 | definition of res |
| url.go:12:3:12:48 | ... = ...[1] | url.go:12:8:12:10 | definition of err | | url.go:12:3:12:48 | ... = ...[1] | url.go:12:8:12:10 | definition of err |
| url.go:12:8:12:10 | definition of err | url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | | url.go:12:8:12:10 | definition of err | url.go:16:5:16:7 | err |
| url.go:14:3:14:5 | definition of res | url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | | url.go:14:3:14:5 | definition of res | url.go:19:9:19:11 | res |
| url.go:14:3:14:50 | ... = ...[0] | url.go:14:3:14:5 | definition of res | | url.go:14:3:14:50 | ... = ...[0] | url.go:14:3:14:5 | definition of res |
| url.go:14:3:14:50 | ... = ...[1] | url.go:14:8:14:10 | definition of err | | url.go:14:3:14:50 | ... = ...[1] | url.go:14:8:14:10 | definition of err |
| url.go:14:8:14:10 | definition of err | url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | | url.go:14:8:14:10 | definition of err | url.go:16:5:16:7 | err |
| url.go:16:5:16:7 | err = phi(def@12:8, def@14:8) | url.go:16:5:16:7 | err |
| url.go:16:5:16:7 | res = phi(def@12:3, def@14:3) | url.go:19:9:19:11 | res |
| url.go:22:12:22:12 | argument corresponding to i | url.go:22:12:22:12 | definition of i | | url.go:22:12:22:12 | argument corresponding to i | url.go:22:12:22:12 | definition of i |
| url.go:22:12:22:12 | definition of i | url.go:24:5:24:5 | i | | url.go:22:12:22:12 | definition of i | url.go:24:5:24:5 | i |
| url.go:22:19:22:19 | argument corresponding to s | url.go:22:19:22:19 | definition of s | | url.go:22:19:22:19 | argument corresponding to s | url.go:22:19:22:19 | definition of s |
| url.go:22:19:22:19 | definition of s | url.go:23:20:23:20 | s | | url.go:22:19:22:19 | definition of s | url.go:23:20:23:20 | s |
| url.go:22:19:22:19 | definition of s | url.go:27:29:27:29 | s |
| url.go:23:2:23:2 | definition of u | url.go:25:10:25:10 | u | | url.go:23:2:23:2 | definition of u | url.go:25:10:25:10 | u |
| url.go:23:2:23:21 | ... := ...[0] | url.go:23:2:23:2 | definition of u | | url.go:23:2:23:21 | ... := ...[0] | url.go:23:2:23:2 | definition of u |
| url.go:23:20:23:20 | s | url.go:27:29:27:29 | s |
| url.go:27:2:27:2 | definition of u | url.go:28:14:28:14 | u | | url.go:27:2:27:2 | definition of u | url.go:28:14:28:14 | u |
| url.go:27:2:27:2 | definition of u | url.go:29:14:29:14 | u |
| url.go:27:2:27:2 | definition of u | url.go:30:11:30:11 | u |
| url.go:27:2:27:2 | definition of u | url.go:32:9:32:9 | u |
| url.go:27:2:27:30 | ... = ...[0] | url.go:27:2:27:2 | definition of u | | url.go:27:2:27:30 | ... = ...[0] | url.go:27:2:27:2 | definition of u |
| url.go:28:14:28:14 | u | url.go:29:14:29:14 | u |
| url.go:28:14:28:14 | u [postupdate] | url.go:29:14:29:14 | u |
| url.go:29:14:29:14 | u | url.go:30:11:30:11 | u |
| url.go:29:14:29:14 | u [postupdate] | url.go:30:11:30:11 | u |
| url.go:30:2:30:3 | definition of bs | url.go:31:14:31:15 | bs | | url.go:30:2:30:3 | definition of bs | url.go:31:14:31:15 | bs |
| url.go:30:2:30:27 | ... := ...[0] | url.go:30:2:30:3 | definition of bs | | url.go:30:2:30:27 | ... := ...[0] | url.go:30:2:30:3 | definition of bs |
| url.go:30:11:30:11 | u | url.go:32:9:32:9 | u |
| url.go:30:11:30:11 | u [postupdate] | url.go:32:9:32:9 | u |
| url.go:32:2:32:2 | definition of u | url.go:33:14:33:14 | u | | url.go:32:2:32:2 | definition of u | url.go:33:14:33:14 | u |
| url.go:32:2:32:2 | definition of u | url.go:34:14:34:14 | u |
| url.go:32:2:32:2 | definition of u | url.go:35:14:35:14 | u |
| url.go:32:2:32:2 | definition of u | url.go:36:6:36:6 | u |
| url.go:32:2:32:2 | definition of u | url.go:36:25:36:25 | u |
| url.go:32:2:32:23 | ... = ...[0] | url.go:32:2:32:2 | definition of u | | url.go:32:2:32:23 | ... = ...[0] | url.go:32:2:32:2 | definition of u |
| url.go:33:14:33:14 | u | url.go:34:14:34:14 | u |
| url.go:33:14:33:14 | u [postupdate] | url.go:34:14:34:14 | u |
| url.go:34:14:34:14 | u | url.go:35:14:35:14 | u |
| url.go:34:14:34:14 | u [postupdate] | url.go:35:14:35:14 | u |
| url.go:35:14:35:14 | u | url.go:36:6:36:6 | u |
| url.go:35:14:35:14 | u [postupdate] | url.go:36:6:36:6 | u |
| url.go:36:2:36:2 | definition of u | url.go:37:9:37:9 | u | | url.go:36:2:36:2 | definition of u | url.go:37:9:37:9 | u |
| url.go:36:6:36:6 | u | url.go:36:25:36:25 | u |
| url.go:36:6:36:6 | u [postupdate] | url.go:36:25:36:25 | u |
| url.go:36:6:36:26 | call to ResolveReference | url.go:36:2:36:2 | definition of u | | url.go:36:6:36:26 | call to ResolveReference | url.go:36:2:36:2 | definition of u |
| url.go:42:2:42:3 | definition of ui | url.go:43:11:43:12 | ui | | url.go:42:2:42:3 | definition of ui | url.go:43:11:43:12 | ui |
| url.go:42:2:42:3 | definition of ui | url.go:45:14:45:15 | ui |
| url.go:42:2:42:3 | definition of ui | url.go:46:9:46:10 | ui |
| url.go:42:7:42:38 | call to UserPassword | url.go:42:2:42:3 | definition of ui | | url.go:42:7:42:38 | call to UserPassword | url.go:42:2:42:3 | definition of ui |
| url.go:43:2:43:3 | definition of pw | url.go:44:14:44:15 | pw | | url.go:43:2:43:3 | definition of pw | url.go:44:14:44:15 | pw |
| url.go:43:2:43:23 | ... := ...[0] | url.go:43:2:43:3 | definition of pw | | url.go:43:2:43:23 | ... := ...[0] | url.go:43:2:43:3 | definition of pw |
| url.go:43:11:43:12 | ui | url.go:45:14:45:15 | ui |
| url.go:43:11:43:12 | ui [postupdate] | url.go:45:14:45:15 | ui |
| url.go:45:14:45:15 | ui | url.go:46:9:46:10 | ui |
| url.go:45:14:45:15 | ui [postupdate] | url.go:46:9:46:10 | ui |
| url.go:49:12:49:12 | argument corresponding to q | url.go:49:12:49:12 | definition of q | | url.go:49:12:49:12 | argument corresponding to q | url.go:49:12:49:12 | definition of q |
| url.go:49:12:49:12 | definition of q | url.go:50:25:50:25 | q | | url.go:49:12:49:12 | definition of q | url.go:50:25:50:25 | q |
| url.go:50:2:50:2 | definition of v | url.go:51:14:51:14 | v | | url.go:50:2:50:2 | definition of v | url.go:51:14:51:14 | v |
| url.go:50:2:50:2 | definition of v | url.go:52:14:52:14 | v |
| url.go:50:2:50:2 | definition of v | url.go:53:9:53:9 | v |
| url.go:50:2:50:26 | ... := ...[0] | url.go:50:2:50:2 | definition of v | | url.go:50:2:50:26 | ... := ...[0] | url.go:50:2:50:2 | definition of v |
| url.go:51:14:51:14 | v | url.go:52:14:52:14 | v |
| url.go:51:14:51:14 | v [postupdate] | url.go:52:14:52:14 | v |
| url.go:52:14:52:14 | v | url.go:53:9:53:9 | v |
| url.go:52:14:52:14 | v [postupdate] | url.go:53:9:53:9 | v |
| url.go:56:12:56:12 | argument corresponding to q | url.go:56:12:56:12 | definition of q | | url.go:56:12:56:12 | argument corresponding to q | url.go:56:12:56:12 | definition of q |
| url.go:56:12:56:12 | definition of q | url.go:57:29:57:29 | q | | url.go:56:12:56:12 | definition of q | url.go:57:29:57:29 | q |
| url.go:57:2:57:8 | definition of joined1 | url.go:58:38:58:44 | joined1 | | url.go:57:2:57:8 | definition of joined1 | url.go:58:38:58:44 | joined1 |


@@ -7,7 +7,7 @@
| main.go:39:15:39:15 | s | main.go:39:8:39:25 | call to append | | main.go:39:15:39:15 | s | main.go:39:8:39:25 | call to append |
| main.go:40:15:40:15 | s | main.go:40:8:40:23 | call to append | | main.go:40:15:40:15 | s | main.go:40:8:40:23 | call to append |
| main.go:40:18:40:19 | s1 | main.go:40:8:40:23 | call to append | | main.go:40:18:40:19 | s1 | main.go:40:8:40:23 | call to append |
| main.go:42:10:42:11 | s4 | main.go:38:2:38:2 | definition of s | | main.go:42:10:42:11 | s4 | main.go:42:7:42:7 | s [postupdate] |
| main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[0] | | main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[0] |
| main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[1] | | main.go:47:20:47:21 | next key-value pair in range | main.go:47:2:50:2 | range statement[1] |
| main.go:47:20:47:21 | xs | main.go:47:2:50:2 | range statement[1] | | main.go:47:20:47:21 | xs | main.go:47:2:50:2 | range statement[1] |


@@ -1,3 +1,3 @@
| file://:0:0:0:0 | NewEncoder | tst2.go:10:9:10:26 | call to NewEncoder | tst2.go:9:6:9:6 | definition of w | | file://:0:0:0:0 | NewEncoder | tst2.go:10:9:10:26 | call to NewEncoder | tst2.go:10:25:10:25 | w [postupdate] |
| file://:0:0:0:0 | ReadFrom | tst.go:10:23:10:28 | reader | tst.go:9:2:9:12 | definition of bytesBuffer | | file://:0:0:0:0 | ReadFrom | tst.go:10:23:10:28 | reader | tst.go:10:2:10:12 | bytesBuffer [postupdate] |
| file://:0:0:0:0 | Reset | reset.go:12:15:12:20 | source | reset.go:11:6:11:11 | definition of reader | | file://:0:0:0:0 | Reset | reset.go:12:15:12:20 | source | reset.go:12:2:12:7 | reader [postupdate] |


@@ -1,13 +1,13 @@
| parameter 0 | reset.go:12:2:12:21 | call to Reset | reset.go:9:2:9:7 | definition of source | | parameter 0 | reset.go:12:2:12:21 | call to Reset | reset.go:12:15:12:20 | source [postupdate] |
| parameter 0 | tst2.go:10:9:10:26 | call to NewEncoder | tst2.go:9:6:9:6 | definition of w | | parameter 0 | tst2.go:10:9:10:26 | call to NewEncoder | tst2.go:10:25:10:25 | w [postupdate] |
| parameter 0 | tst2.go:10:9:10:39 | call to Encode | tst2.go:8:12:8:15 | definition of data | | parameter 0 | tst2.go:10:9:10:39 | call to Encode | tst2.go:10:35:10:38 | data [postupdate] |
| parameter 0 | tst.go:10:2:10:29 | call to ReadFrom | tst.go:8:12:8:17 | definition of reader | | parameter 0 | tst.go:10:2:10:29 | call to ReadFrom | tst.go:10:23:10:28 | reader [postupdate] |
| parameter 0 | tst.go:16:2:16:12 | call to test5 | tst.go:15:12:15:12 | definition of x | | parameter 0 | tst.go:16:2:16:12 | call to test5 | tst.go:16:8:16:8 | x [postupdate] |
| parameter 1 | tst.go:16:2:16:12 | call to test5 | tst.go:15:15:15:15 | definition of y | | parameter 1 | tst.go:16:2:16:12 | call to test5 | tst.go:16:11:16:11 | y [postupdate] |
| receiver | main.go:53:14:53:21 | call to bump | main.go:52:2:52:2 | definition of c | | receiver | main.go:53:14:53:21 | call to bump | main.go:53:14:53:14 | c [postupdate] |
| receiver | reset.go:12:2:12:21 | call to Reset | reset.go:11:6:11:11 | definition of reader | | receiver | reset.go:12:2:12:21 | call to Reset | reset.go:12:2:12:7 | reader [postupdate] |
| receiver | tst2.go:10:9:10:39 | call to Encode | tst2.go:10:9:10:26 | call to NewEncoder | | receiver | tst2.go:10:9:10:39 | call to Encode | tst2.go:10:9:10:26 | call to NewEncoder [postupdate] |
| receiver | tst.go:10:2:10:29 | call to ReadFrom | tst.go:9:2:9:12 | definition of bytesBuffer | | receiver | tst.go:10:2:10:29 | call to ReadFrom | tst.go:10:2:10:12 | bytesBuffer [postupdate] |
| result | main.go:51:2:51:14 | call to op | main.go:51:2:51:14 | call to op | | result | main.go:51:2:51:14 | call to op | main.go:51:2:51:14 | call to op |
| result | main.go:53:2:53:22 | call to op2 | main.go:53:2:53:22 | call to op2 | | result | main.go:53:2:53:22 | call to op2 | main.go:53:2:53:22 | call to op2 |
| result | main.go:53:14:53:21 | call to bump | main.go:53:14:53:21 | call to bump | | result | main.go:53:14:53:21 | call to bump | main.go:53:14:53:21 | call to bump |


@@ -1,26 +1,26 @@
| file://:0:0:0:0 | [summary] to write: Argument[0] in copy | file://:0:0:0:0 | [summary param] 0 in copy | | file://:0:0:0:0 | [summary param] 0 in copy | file://:0:0:0:0 | [summary] to write: Argument[0] in copy |
| test.go:22:2:22:2 | definition of a | test.go:23:2:23:2 | a | | test.go:23:2:23:2 | a | test.go:23:2:23:2 | a [postupdate] |
| test.go:22:2:22:2 | definition of a | test.go:24:2:24:2 | a | | test.go:23:11:23:14 | &... | test.go:23:11:23:14 | &... [postupdate] |
| test.go:22:2:22:2 | definition of a | test.go:25:2:25:2 | a | | test.go:23:12:23:14 | selection of b | test.go:23:12:23:14 | selection of b [postupdate] |
| test.go:22:2:22:2 | definition of a | test.go:26:2:26:2 | a | | test.go:24:2:24:2 | a | test.go:24:2:24:2 | a [postupdate] |
| test.go:22:2:22:2 | definition of a | test.go:29:6:29:6 | a | | test.go:24:2:24:5 | selection of bs | test.go:24:2:24:5 | selection of bs [postupdate] |
| test.go:22:2:22:2 | definition of a | test.go:30:7:30:7 | a | | test.go:24:2:24:8 | index expression | test.go:24:2:24:8 | index expression [postupdate] |
| test.go:22:2:22:2 | definition of a | test.go:35:4:35:4 | a | | test.go:24:17:24:20 | &... | test.go:24:17:24:20 | &... [postupdate] |
| test.go:22:2:22:2 | definition of a | test.go:36:5:36:5 | a | | test.go:24:18:24:20 | struct literal | test.go:24:18:24:20 | struct literal [postupdate] |
| test.go:23:11:23:14 | &... | test.go:23:11:23:14 | &... | | test.go:25:2:25:2 | a | test.go:25:2:25:2 | a [postupdate] |
| test.go:23:12:23:14 | selection of b | test.go:23:12:23:14 | selection of b | | test.go:25:2:25:5 | selection of bs | test.go:25:2:25:5 | selection of bs [postupdate] |
| test.go:24:2:24:5 | selection of bs | test.go:24:2:24:5 | selection of bs | | test.go:25:2:25:8 | index expression | test.go:25:2:25:8 | index expression [postupdate] |
| test.go:24:2:24:8 | index expression | test.go:24:2:24:8 | index expression | | test.go:25:2:25:13 | implicit dereference | test.go:25:2:25:13 | implicit dereference [postupdate] |
| test.go:24:17:24:20 | &... | test.go:24:17:24:20 | &... | | test.go:25:2:25:13 | selection of cptr | test.go:25:2:25:13 | selection of cptr [postupdate] |
| test.go:24:18:24:20 | struct literal | test.go:24:18:24:20 | struct literal | | test.go:26:2:26:2 | a | test.go:26:2:26:2 | a [postupdate] |
| test.go:25:2:25:5 | selection of bs | test.go:25:2:25:5 | selection of bs | | test.go:26:2:26:7 | implicit dereference | test.go:26:2:26:7 | implicit dereference [postupdate] |
| test.go:25:2:25:8 | index expression | test.go:25:2:25:8 | index expression | | test.go:26:2:26:7 | selection of bptr | test.go:26:2:26:7 | selection of bptr [postupdate] |
| test.go:25:2:25:13 | implicit dereference | test.go:25:2:25:13 | implicit dereference | | test.go:26:2:26:12 | implicit dereference | test.go:26:2:26:12 | implicit dereference [postupdate] |
| test.go:25:2:25:13 | selection of cptr | test.go:25:2:25:13 | selection of cptr | | test.go:26:2:26:12 | selection of cptr | test.go:26:2:26:12 | selection of cptr [postupdate] |
| test.go:26:2:26:7 | implicit dereference | test.go:26:2:26:7 | implicit dereference | | test.go:28:7:28:10 | struct literal | test.go:28:7:28:10 | struct literal [postupdate] |
| test.go:26:2:26:7 | selection of bptr | test.go:26:2:26:7 | selection of bptr | | test.go:29:2:29:2 | c | test.go:29:2:29:2 | c [postupdate] |
| test.go:26:2:26:12 | implicit dereference | test.go:26:2:26:12 | implicit dereference | | test.go:29:6:29:6 | a | test.go:29:6:29:6 | a [postupdate] |
| test.go:26:2:26:12 | selection of cptr | test.go:26:2:26:12 | selection of cptr | | test.go:30:2:30:2 | c | test.go:30:2:30:2 | c [postupdate] |
| test.go:28:2:28:2 | definition of c | test.go:29:2:29:2 | c | | test.go:30:7:30:7 | a | test.go:30:7:30:7 | a [postupdate] |
| test.go:28:2:28:2 | definition of c | test.go:30:2:30:2 | c | | test.go:35:4:35:4 | a | test.go:35:4:35:4 | a [postupdate] |
| test.go:28:7:28:10 | struct literal | test.go:28:7:28:10 | struct literal | | test.go:36:5:36:5 | a | test.go:36:5:36:5 | a [postupdate] |


@@ -1,4 +1,4 @@
import go import go
from DataFlow::PostUpdateNode pun from DataFlow::PostUpdateNode pun
select pun, pun.getPreUpdateNode() select pun.getPreUpdateNode(), pun
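Review bot: The reordered `select` has no comment saying which column is which, so a reader of the result table has to infer that the pre-update node now comes first and the post-update node second. In the expected table that appears to belong to this query, most new rows end in a `[postupdate]` label, but the `copy` summary pair on its first row carries no such label, so the column order is the only cue there. I would add a line above the `select` such as `// Columns: pre-update node, then the post-update node for the same expression`. Post-update nodes are how data flow is reported out of mutated arguments and receivers, so a misread column in this table could hide a real regression in a later review.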


@@ -79,106 +79,136 @@
| main.go:7:6:7:9 | function sink | main.go:149:2:149:5 | sink | | main.go:7:6:7:9 | function sink | main.go:149:2:149:5 | sink |
| main.go:7:6:7:9 | function sink | main.go:150:2:150:5 | sink | | main.go:7:6:7:9 | function sink | main.go:150:2:150:5 | sink |
| main.go:22:2:22:6 | definition of outer | main.go:25:7:25:11 | outer | | main.go:22:2:22:6 | definition of outer | main.go:25:7:25:11 | outer |
| main.go:22:2:22:6 | definition of outer | main.go:26:7:26:11 | outer |
| main.go:22:2:22:6 | definition of outer | main.go:27:7:27:11 | outer |
| main.go:22:2:22:6 | definition of outer | main.go:28:7:28:11 | outer |
| main.go:22:11:24:2 | struct literal | main.go:22:2:22:6 | definition of outer | | main.go:22:11:24:2 | struct literal | main.go:22:2:22:6 | definition of outer |
| main.go:22:11:24:2 | struct literal [postupdate] | main.go:22:2:22:6 | definition of outer |
| main.go:25:7:25:11 | outer | main.go:26:7:26:11 | outer |
| main.go:26:7:26:11 | outer | main.go:27:7:27:11 | outer |
| main.go:27:7:27:11 | outer | main.go:28:7:28:11 | outer |
| main.go:30:2:30:7 | definition of outerp | main.go:33:7:33:12 | outerp | | main.go:30:2:30:7 | definition of outerp | main.go:33:7:33:12 | outerp |
| main.go:30:2:30:7 | definition of outerp | main.go:34:7:34:12 | outerp |
| main.go:30:2:30:7 | definition of outerp | main.go:35:7:35:12 | outerp |
| main.go:30:2:30:7 | definition of outerp | main.go:36:7:36:12 | outerp |
| main.go:30:12:32:2 | &... | main.go:30:2:30:7 | definition of outerp | | main.go:30:12:32:2 | &... | main.go:30:2:30:7 | definition of outerp |
| main.go:30:12:32:2 | &... [postupdate] | main.go:30:2:30:7 | definition of outerp |
| main.go:33:7:33:12 | outerp | main.go:34:7:34:12 | outerp |
| main.go:33:7:33:12 | outerp [postupdate] | main.go:34:7:34:12 | outerp |
| main.go:34:7:34:12 | outerp | main.go:35:7:35:12 | outerp |
| main.go:34:7:34:12 | outerp [postupdate] | main.go:35:7:35:12 | outerp |
| main.go:35:7:35:12 | outerp | main.go:36:7:36:12 | outerp |
| main.go:35:7:35:12 | outerp [postupdate] | main.go:36:7:36:12 | outerp |
| main.go:40:2:40:6 | definition of outer | main.go:41:7:41:11 | outer | | main.go:40:2:40:6 | definition of outer | main.go:41:7:41:11 | outer |
| main.go:40:2:40:6 | definition of outer | main.go:42:7:42:11 | outer |
| main.go:40:2:40:6 | definition of outer | main.go:43:7:43:11 | outer |
| main.go:40:2:40:6 | definition of outer | main.go:44:7:44:11 | outer |
| main.go:40:11:40:40 | struct literal | main.go:40:2:40:6 | definition of outer | | main.go:40:11:40:40 | struct literal | main.go:40:2:40:6 | definition of outer |
| main.go:40:11:40:40 | struct literal [postupdate] | main.go:40:2:40:6 | definition of outer |
| main.go:41:7:41:11 | outer | main.go:42:7:42:11 | outer |
| main.go:42:7:42:11 | outer | main.go:43:7:43:11 | outer |
| main.go:43:7:43:11 | outer | main.go:44:7:44:11 | outer |
| main.go:46:2:46:7 | definition of outerp | main.go:47:7:47:12 | outerp | | main.go:46:2:46:7 | definition of outerp | main.go:47:7:47:12 | outerp |
| main.go:46:2:46:7 | definition of outerp | main.go:48:7:48:12 | outerp |
| main.go:46:2:46:7 | definition of outerp | main.go:49:7:49:12 | outerp |
| main.go:46:2:46:7 | definition of outerp | main.go:50:7:50:12 | outerp |
| main.go:46:12:46:42 | &... | main.go:46:2:46:7 | definition of outerp | | main.go:46:12:46:42 | &... | main.go:46:2:46:7 | definition of outerp |
| main.go:46:12:46:42 | &... [postupdate] | main.go:46:2:46:7 | definition of outerp |
| main.go:47:7:47:12 | outerp | main.go:48:7:48:12 | outerp |
| main.go:47:7:47:12 | outerp [postupdate] | main.go:48:7:48:12 | outerp |
| main.go:48:7:48:12 | outerp | main.go:49:7:49:12 | outerp |
| main.go:48:7:48:12 | outerp [postupdate] | main.go:49:7:49:12 | outerp |
| main.go:49:7:49:12 | outerp | main.go:50:7:50:12 | outerp |
| main.go:49:7:49:12 | outerp [postupdate] | main.go:50:7:50:12 | outerp |
| main.go:54:2:54:6 | definition of inner | main.go:55:19:55:23 | inner | | main.go:54:2:54:6 | definition of inner | main.go:55:19:55:23 | inner |
| main.go:54:11:54:25 | struct literal | main.go:54:2:54:6 | definition of inner | | main.go:54:11:54:25 | struct literal | main.go:54:2:54:6 | definition of inner |
| main.go:54:11:54:25 | struct literal [postupdate] | main.go:54:2:54:6 | definition of inner |
| main.go:55:2:55:7 | definition of middle | main.go:56:17:56:22 | middle | | main.go:55:2:55:7 | definition of middle | main.go:56:17:56:22 | middle |
| main.go:55:12:55:24 | struct literal | main.go:55:2:55:7 | definition of middle | | main.go:55:12:55:24 | struct literal | main.go:55:2:55:7 | definition of middle |
| main.go:55:12:55:24 | struct literal [postupdate] | main.go:55:2:55:7 | definition of middle |
| main.go:56:2:56:6 | definition of outer | main.go:57:7:57:11 | outer | | main.go:56:2:56:6 | definition of outer | main.go:57:7:57:11 | outer |
| main.go:56:2:56:6 | definition of outer | main.go:58:7:58:11 | outer |
| main.go:56:2:56:6 | definition of outer | main.go:59:7:59:11 | outer |
| main.go:56:2:56:6 | definition of outer | main.go:60:7:60:11 | outer |
| main.go:56:11:56:23 | struct literal | main.go:56:2:56:6 | definition of outer | | main.go:56:11:56:23 | struct literal | main.go:56:2:56:6 | definition of outer |
| main.go:56:11:56:23 | struct literal [postupdate] | main.go:56:2:56:6 | definition of outer |
| main.go:57:7:57:11 | outer | main.go:58:7:58:11 | outer |
| main.go:58:7:58:11 | outer | main.go:59:7:59:11 | outer |
| main.go:59:7:59:11 | outer | main.go:60:7:60:11 | outer |
| main.go:62:2:62:7 | definition of innerp | main.go:63:20:63:25 | innerp | | main.go:62:2:62:7 | definition of innerp | main.go:63:20:63:25 | innerp |
| main.go:62:12:62:26 | struct literal | main.go:62:2:62:7 | definition of innerp | | main.go:62:12:62:26 | struct literal | main.go:62:2:62:7 | definition of innerp |
| main.go:62:12:62:26 | struct literal [postupdate] | main.go:62:2:62:7 | definition of innerp |
| main.go:63:2:63:8 | definition of middlep | main.go:64:18:64:24 | middlep | | main.go:63:2:63:8 | definition of middlep | main.go:64:18:64:24 | middlep |
| main.go:63:13:63:26 | struct literal | main.go:63:2:63:8 | definition of middlep | | main.go:63:13:63:26 | struct literal | main.go:63:2:63:8 | definition of middlep |
| main.go:63:13:63:26 | struct literal [postupdate] | main.go:63:2:63:8 | definition of middlep |
| main.go:64:2:64:7 | definition of outerp | main.go:65:7:65:12 | outerp | | main.go:64:2:64:7 | definition of outerp | main.go:65:7:65:12 | outerp |
| main.go:64:2:64:7 | definition of outerp | main.go:66:7:66:12 | outerp |
| main.go:64:2:64:7 | definition of outerp | main.go:67:7:67:12 | outerp |
| main.go:64:2:64:7 | definition of outerp | main.go:68:7:68:12 | outerp |
| main.go:64:12:64:25 | struct literal | main.go:64:2:64:7 | definition of outerp | | main.go:64:12:64:25 | struct literal | main.go:64:2:64:7 | definition of outerp |
| main.go:64:12:64:25 | struct literal [postupdate] | main.go:64:2:64:7 | definition of outerp |
| main.go:65:7:65:12 | outerp | main.go:66:7:66:12 | outerp |
| main.go:66:7:66:12 | outerp | main.go:67:7:67:12 | outerp |
| main.go:67:7:67:12 | outerp | main.go:68:7:68:12 | outerp |
| main.go:72:2:72:6 | definition of inner | main.go:73:26:73:30 | inner | | main.go:72:2:72:6 | definition of inner | main.go:73:26:73:30 | inner |
| main.go:72:11:72:25 | struct literal | main.go:72:2:72:6 | definition of inner | | main.go:72:11:72:25 | struct literal | main.go:72:2:72:6 | definition of inner |
| main.go:72:11:72:25 | struct literal [postupdate] | main.go:72:2:72:6 | definition of inner |
| main.go:73:2:73:7 | definition of middle | main.go:74:25:74:30 | middle | | main.go:73:2:73:7 | definition of middle | main.go:74:25:74:30 | middle |
| main.go:73:12:73:31 | struct literal | main.go:73:2:73:7 | definition of middle | | main.go:73:12:73:31 | struct literal | main.go:73:2:73:7 | definition of middle |
| main.go:73:12:73:31 | struct literal [postupdate] | main.go:73:2:73:7 | definition of middle |
| main.go:74:2:74:6 | definition of outer | main.go:75:7:75:11 | outer | | main.go:74:2:74:6 | definition of outer | main.go:75:7:75:11 | outer |
| main.go:74:2:74:6 | definition of outer | main.go:76:7:76:11 | outer |
| main.go:74:2:74:6 | definition of outer | main.go:77:7:77:11 | outer |
| main.go:74:2:74:6 | definition of outer | main.go:78:7:78:11 | outer |
| main.go:74:11:74:31 | struct literal | main.go:74:2:74:6 | definition of outer | | main.go:74:11:74:31 | struct literal | main.go:74:2:74:6 | definition of outer |
| main.go:74:11:74:31 | struct literal [postupdate] | main.go:74:2:74:6 | definition of outer |
| main.go:75:7:75:11 | outer | main.go:76:7:76:11 | outer |
| main.go:76:7:76:11 | outer | main.go:77:7:77:11 | outer |
| main.go:77:7:77:11 | outer | main.go:78:7:78:11 | outer |
| main.go:80:2:80:7 | definition of innerp | main.go:81:27:81:32 | innerp | | main.go:80:2:80:7 | definition of innerp | main.go:81:27:81:32 | innerp |
| main.go:80:12:80:26 | struct literal | main.go:80:2:80:7 | definition of innerp | | main.go:80:12:80:26 | struct literal | main.go:80:2:80:7 | definition of innerp |
| main.go:80:12:80:26 | struct literal [postupdate] | main.go:80:2:80:7 | definition of innerp |
| main.go:81:2:81:8 | definition of middlep | main.go:82:26:82:32 | middlep | | main.go:81:2:81:8 | definition of middlep | main.go:82:26:82:32 | middlep |
| main.go:81:13:81:33 | struct literal | main.go:81:2:81:8 | definition of middlep | | main.go:81:13:81:33 | struct literal | main.go:81:2:81:8 | definition of middlep |
| main.go:81:13:81:33 | struct literal [postupdate] | main.go:81:2:81:8 | definition of middlep |
| main.go:82:2:82:7 | definition of outerp | main.go:83:7:83:12 | outerp | | main.go:82:2:82:7 | definition of outerp | main.go:83:7:83:12 | outerp |
| main.go:82:2:82:7 | definition of outerp | main.go:84:7:84:12 | outerp |
| main.go:82:2:82:7 | definition of outerp | main.go:85:7:85:12 | outerp |
| main.go:82:2:82:7 | definition of outerp | main.go:86:7:86:12 | outerp |
| main.go:82:12:82:33 | struct literal | main.go:82:2:82:7 | definition of outerp | | main.go:82:12:82:33 | struct literal | main.go:82:2:82:7 | definition of outerp |
| main.go:82:12:82:33 | struct literal [postupdate] | main.go:82:2:82:7 | definition of outerp |
| main.go:83:7:83:12 | outerp | main.go:84:7:84:12 | outerp |
| main.go:84:7:84:12 | outerp | main.go:85:7:85:12 | outerp |
| main.go:85:7:85:12 | outerp | main.go:86:7:86:12 | outerp |
| main.go:90:6:90:10 | definition of outer | main.go:91:2:91:6 | outer | | main.go:90:6:90:10 | definition of outer | main.go:91:2:91:6 | outer |
| main.go:90:6:90:10 | definition of outer | main.go:92:7:92:11 | outer |
| main.go:90:6:90:10 | definition of outer | main.go:93:7:93:11 | outer |
| main.go:90:6:90:10 | definition of outer | main.go:94:7:94:11 | outer |
| main.go:90:6:90:10 | definition of outer | main.go:95:7:95:11 | outer |
| main.go:90:6:90:10 | zero value for outer | main.go:90:6:90:10 | definition of outer | | main.go:90:6:90:10 | zero value for outer | main.go:90:6:90:10 | definition of outer |
| main.go:91:2:91:6 | outer | main.go:92:7:92:11 | outer |
| main.go:91:2:91:6 | outer [postupdate] | main.go:92:7:92:11 | outer |
| main.go:92:7:92:11 | outer | main.go:93:7:93:11 | outer |
| main.go:93:7:93:11 | outer | main.go:94:7:94:11 | outer |
| main.go:94:7:94:11 | outer | main.go:95:7:95:11 | outer |
| main.go:97:6:97:11 | definition of outerp | main.go:98:2:98:7 | outerp | | main.go:97:6:97:11 | definition of outerp | main.go:98:2:98:7 | outerp |
| main.go:97:6:97:11 | definition of outerp | main.go:99:7:99:12 | outerp |
| main.go:97:6:97:11 | definition of outerp | main.go:100:7:100:12 | outerp |
| main.go:97:6:97:11 | definition of outerp | main.go:101:7:101:12 | outerp |
| main.go:97:6:97:11 | definition of outerp | main.go:102:7:102:12 | outerp |
| main.go:97:6:97:11 | zero value for outerp | main.go:97:6:97:11 | definition of outerp | | main.go:97:6:97:11 | zero value for outerp | main.go:97:6:97:11 | definition of outerp |
| main.go:98:2:98:7 | outerp | main.go:99:7:99:12 | outerp |
| main.go:98:2:98:7 | outerp [postupdate] | main.go:99:7:99:12 | outerp |
| main.go:99:7:99:12 | outerp | main.go:100:7:100:12 | outerp |
| main.go:100:7:100:12 | outerp | main.go:101:7:101:12 | outerp |
| main.go:101:7:101:12 | outerp | main.go:102:7:102:12 | outerp |
| main.go:106:6:106:10 | definition of outer | main.go:107:2:107:6 | outer | | main.go:106:6:106:10 | definition of outer | main.go:107:2:107:6 | outer |
| main.go:106:6:106:10 | definition of outer | main.go:108:7:108:11 | outer |
| main.go:106:6:106:10 | definition of outer | main.go:109:7:109:11 | outer |
| main.go:106:6:106:10 | definition of outer | main.go:110:7:110:11 | outer |
| main.go:106:6:106:10 | definition of outer | main.go:111:7:111:11 | outer |
| main.go:106:6:106:10 | zero value for outer | main.go:106:6:106:10 | definition of outer | | main.go:106:6:106:10 | zero value for outer | main.go:106:6:106:10 | definition of outer |
| main.go:107:2:107:6 | outer | main.go:108:7:108:11 | outer |
| main.go:107:2:107:6 | outer [postupdate] | main.go:108:7:108:11 | outer |
| main.go:108:7:108:11 | outer | main.go:109:7:109:11 | outer |
| main.go:109:7:109:11 | outer | main.go:110:7:110:11 | outer |
| main.go:110:7:110:11 | outer | main.go:111:7:111:11 | outer |
| main.go:113:6:113:11 | definition of outerp | main.go:114:2:114:7 | outerp | | main.go:113:6:113:11 | definition of outerp | main.go:114:2:114:7 | outerp |
| main.go:113:6:113:11 | definition of outerp | main.go:115:7:115:12 | outerp |
| main.go:113:6:113:11 | definition of outerp | main.go:116:7:116:12 | outerp |
| main.go:113:6:113:11 | definition of outerp | main.go:117:7:117:12 | outerp |
| main.go:113:6:113:11 | definition of outerp | main.go:118:7:118:12 | outerp |
| main.go:113:6:113:11 | zero value for outerp | main.go:113:6:113:11 | definition of outerp | | main.go:113:6:113:11 | zero value for outerp | main.go:113:6:113:11 | definition of outerp |
| main.go:114:2:114:7 | outerp | main.go:115:7:115:12 | outerp |
| main.go:114:2:114:7 | outerp [postupdate] | main.go:115:7:115:12 | outerp |
| main.go:115:7:115:12 | outerp | main.go:116:7:116:12 | outerp |
| main.go:116:7:116:12 | outerp | main.go:117:7:117:12 | outerp |
| main.go:117:7:117:12 | outerp | main.go:118:7:118:12 | outerp |
| main.go:122:6:122:10 | definition of outer | main.go:123:2:123:6 | outer | | main.go:122:6:122:10 | definition of outer | main.go:123:2:123:6 | outer |
| main.go:122:6:122:10 | definition of outer | main.go:124:7:124:11 | outer |
| main.go:122:6:122:10 | definition of outer | main.go:125:7:125:11 | outer |
| main.go:122:6:122:10 | definition of outer | main.go:126:7:126:11 | outer |
| main.go:122:6:122:10 | definition of outer | main.go:127:7:127:11 | outer |
| main.go:122:6:122:10 | zero value for outer | main.go:122:6:122:10 | definition of outer | | main.go:122:6:122:10 | zero value for outer | main.go:122:6:122:10 | definition of outer |
| main.go:123:2:123:6 | outer | main.go:124:7:124:11 | outer |
| main.go:123:2:123:6 | outer [postupdate] | main.go:124:7:124:11 | outer |
| main.go:124:7:124:11 | outer | main.go:125:7:125:11 | outer |
| main.go:125:7:125:11 | outer | main.go:126:7:126:11 | outer |
| main.go:126:7:126:11 | outer | main.go:127:7:127:11 | outer |
| main.go:129:6:129:11 | definition of outerp | main.go:130:2:130:7 | outerp | | main.go:129:6:129:11 | definition of outerp | main.go:130:2:130:7 | outerp |
| main.go:129:6:129:11 | definition of outerp | main.go:131:7:131:12 | outerp |
| main.go:129:6:129:11 | definition of outerp | main.go:132:7:132:12 | outerp |
| main.go:129:6:129:11 | definition of outerp | main.go:133:7:133:12 | outerp |
| main.go:129:6:129:11 | definition of outerp | main.go:134:7:134:12 | outerp |
| main.go:129:6:129:11 | zero value for outerp | main.go:129:6:129:11 | definition of outerp | | main.go:129:6:129:11 | zero value for outerp | main.go:129:6:129:11 | definition of outerp |
| main.go:130:2:130:7 | outerp | main.go:131:7:131:12 | outerp |
| main.go:130:2:130:7 | outerp [postupdate] | main.go:131:7:131:12 | outerp |
| main.go:131:7:131:12 | outerp | main.go:132:7:132:12 | outerp |
| main.go:132:7:132:12 | outerp | main.go:133:7:133:12 | outerp |
| main.go:133:7:133:12 | outerp | main.go:134:7:134:12 | outerp |
| main.go:138:6:138:10 | definition of outer | main.go:139:2:139:6 | outer | | main.go:138:6:138:10 | definition of outer | main.go:139:2:139:6 | outer |
| main.go:138:6:138:10 | definition of outer | main.go:140:7:140:11 | outer |
| main.go:138:6:138:10 | definition of outer | main.go:141:7:141:11 | outer |
| main.go:138:6:138:10 | definition of outer | main.go:142:7:142:11 | outer |
| main.go:138:6:138:10 | definition of outer | main.go:143:7:143:11 | outer |
| main.go:138:6:138:10 | zero value for outer | main.go:138:6:138:10 | definition of outer | | main.go:138:6:138:10 | zero value for outer | main.go:138:6:138:10 | definition of outer |
| main.go:139:2:139:6 | outer | main.go:140:7:140:11 | outer |
| main.go:139:2:139:6 | outer [postupdate] | main.go:140:7:140:11 | outer |
| main.go:140:7:140:11 | outer | main.go:141:7:141:11 | outer |
| main.go:141:7:141:11 | outer | main.go:142:7:142:11 | outer |
| main.go:142:7:142:11 | outer | main.go:143:7:143:11 | outer |
| main.go:145:6:145:11 | definition of outerp | main.go:146:2:146:7 | outerp | | main.go:145:6:145:11 | definition of outerp | main.go:146:2:146:7 | outerp |
| main.go:145:6:145:11 | definition of outerp | main.go:147:7:147:12 | outerp |
| main.go:145:6:145:11 | definition of outerp | main.go:148:7:148:12 | outerp |
| main.go:145:6:145:11 | definition of outerp | main.go:149:7:149:12 | outerp |
| main.go:145:6:145:11 | definition of outerp | main.go:150:7:150:12 | outerp |
| main.go:145:6:145:11 | zero value for outerp | main.go:145:6:145:11 | definition of outerp | | main.go:145:6:145:11 | zero value for outerp | main.go:145:6:145:11 | definition of outerp |
| main.go:146:2:146:7 | outerp | main.go:147:7:147:12 | outerp |
| main.go:146:2:146:7 | outerp [postupdate] | main.go:147:7:147:12 | outerp |
| main.go:147:7:147:12 | outerp | main.go:148:7:148:12 | outerp |
| main.go:148:7:148:12 | outerp | main.go:149:7:149:12 | outerp |
| main.go:149:7:149:12 | outerp | main.go:150:7:150:12 | outerp |


@@ -1,3 +1,3 @@
| tst.go:19:2:19:6 | assignment to element | tst.go:19:2:19:3 | xs | tst.go:19:5:19:5 | 0 | tst.go:19:10:19:14 | index expression | | tst.go:19:2:19:6 | assignment to element | tst.go:19:2:19:3 | xs [postupdate] | tst.go:19:5:19:5 | 0 | tst.go:19:10:19:14 | index expression |
| tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | implicit dereference | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression | | tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | implicit dereference [postupdate] | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression |
| tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | ps | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression | | tst.go:20:2:20:6 | assignment to element | tst.go:20:2:20:3 | ps [postupdate] | tst.go:20:5:20:5 | 0 | tst.go:20:10:20:14 | index expression |


@@ -1,3 +1,3 @@
| tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | implicit dereference | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... | | tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | implicit dereference [postupdate] | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... |
| tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | t | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... | | tst.go:8:2:8:4 | assignment to field f | tst.go:8:2:8:2 | t [postupdate] | tst.go:4:2:4:2 | f | tst.go:8:8:8:14 | ...+... |
| tst.go:17:2:17:4 | assignment to field f | tst.go:17:2:17:2 | x | tst.go:4:2:4:2 | f | tst.go:17:8:17:14 | ...+... | | tst.go:17:2:17:4 | assignment to field f | tst.go:17:2:17:2 | x [postupdate] | tst.go:4:2:4:2 | f | tst.go:17:8:17:14 | ...+... |


@@ -30,9 +30,9 @@ func gogf_Core(g gdb.Core) {
g.GetStruct(&v7, "SELECT user from users") // $ source g.GetStruct(&v7, "SELECT user from users") // $ source
sink(v7) // $ hasTaintFlow="v7" sink(v7) // $ hasTaintFlow="v7"
var v8 []User // $ source var v8 []User
g.GetStructs(v8, "SELECT user from users") g.GetStructs(v8, "SELECT user from users") // $ source
sink(v8) // $ hasTaintFlow="v8" sink(v8) // $ hasTaintFlow="v8"
v9, _ := g.GetValue("SELECT user from users") // $ source v9, _ := g.GetValue("SELECT user from users") // $ source
sink(v9) // $ hasTaintFlow="v9" sink(v9) // $ hasTaintFlow="v9"
@@ -132,9 +132,9 @@ func gogf_TX(g gdb.TX) {
g.GetStruct(&v4, "SELECT user from users") // $ source g.GetStruct(&v4, "SELECT user from users") // $ source
sink(v4) // $ hasTaintFlow="v4" sink(v4) // $ hasTaintFlow="v4"
var v5 []User // $ source var v5 []User
g.GetStructs(v5, "SELECT user from users") g.GetStructs(v5, "SELECT user from users") // $ source
sink(v5) // $ hasTaintFlow="v5" sink(v5) // $ hasTaintFlow="v5"
v6, _ := g.GetValue("SELECT user from users") // $ source v6, _ := g.GetValue("SELECT user from users") // $ source
sink(v6) // $ hasTaintFlow="v6" sink(v6) // $ hasTaintFlow="v6"
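Review bot: `g.GetStructs(v8, "SELECT user from users")` passes the slice `v8` by value, while the neighbouring `g.GetStruct(&v7, ...)` passes a pointer; the same pattern appears with `v5` in the `gogf_TX` hunk. With `// $ source` now on the call line, the test expects taint to be written back through an argument that the callee presumably cannot populate when it receives a nil slice by value, so the expectation may pin the model's behaviour rather than the library's. If the API expects a pointer to the slice (worth confirming against the gdb signature), the calls would read `g.GetStructs(&v8, "SELECT user from users") // $ source` and `g.GetStructs(&v5, "SELECT user from users") // $ source`. Both function bodies continue outside the hunks.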


@@ -1,5 +1,40 @@
edges edges
| test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:155:17:155:24 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:156:14:156:21 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:157:18:157:25 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:158:14:158:21 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:159:13:159:20 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:160:22:160:29 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:161:15:161:22 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:162:14:162:21 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:163:13:163:20 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:164:16:164:23 | password | provenance | |
| test.go:153:17:153:24 | definition of password | test.go:165:13:165:20 | password | provenance | Sink:MaD:380 |
| test.go:153:17:153:24 | definition of password | test.go:166:16:166:23 | password | provenance | Sink:MaD:381 |
| test.go:153:17:153:24 | definition of password | test.go:167:13:167:20 | password | provenance | Sink:MaD:382 |
| test.go:153:17:153:24 | definition of password | test.go:168:17:168:24 | password | provenance | Sink:MaD:383 |
| test.go:153:17:153:24 | definition of password | test.go:169:13:169:20 | password | provenance | Sink:MaD:384 |
| test.go:153:17:153:24 | definition of password | test.go:170:12:170:19 | password | provenance | Sink:MaD:385 |
| test.go:153:17:153:24 | definition of password | test.go:171:21:171:28 | password | provenance | Sink:MaD:386 |
| test.go:153:17:153:24 | definition of password | test.go:172:14:172:21 | password | provenance | Sink:MaD:387 |
| test.go:153:17:153:24 | definition of password | test.go:173:13:173:20 | password | provenance | Sink:MaD:388 |
| test.go:153:17:153:24 | definition of password | test.go:174:12:174:19 | password | provenance | Sink:MaD:389 |
| test.go:153:17:153:24 | definition of password | test.go:175:15:175:22 | password | provenance | Sink:MaD:390 |
| test.go:153:17:153:24 | definition of password | test.go:176:15:176:22 | password | provenance | Sink:MaD:391 |
| test.go:153:17:153:24 | definition of password | test.go:177:18:177:25 | password | provenance | Sink:MaD:392 |
| test.go:153:17:153:24 | definition of password | test.go:178:15:178:22 | password | provenance | Sink:MaD:393 |
| test.go:153:17:153:24 | definition of password | test.go:179:19:179:26 | password | provenance | Sink:MaD:394 |
| test.go:153:17:153:24 | definition of password | test.go:180:15:180:22 | password | provenance | Sink:MaD:395 |
| test.go:153:17:153:24 | definition of password | test.go:181:14:181:21 | password | provenance | Sink:MaD:396 |
| test.go:153:17:153:24 | definition of password | test.go:182:23:182:30 | password | provenance | Sink:MaD:397 |
| test.go:153:17:153:24 | definition of password | test.go:183:16:183:23 | password | provenance | Sink:MaD:398 |
| test.go:153:17:153:24 | definition of password | test.go:184:15:184:22 | password | provenance | Sink:MaD:399 |
| test.go:153:17:153:24 | definition of password | test.go:185:14:185:21 | password | provenance | Sink:MaD:400 |
| test.go:153:17:153:24 | definition of password | test.go:186:17:186:24 | password | provenance | Sink:MaD:401 |
| test.go:153:17:153:24 | definition of password | test.go:187:16:187:23 | password | provenance | |
nodes nodes
| test.go:153:17:153:24 | definition of password | semmle.label | definition of password |
| test.go:154:14:154:21 | password | semmle.label | password | | test.go:154:14:154:21 | password | semmle.label | password |
| test.go:155:17:155:24 | password | semmle.label | password | | test.go:155:17:155:24 | password | semmle.label | password |
| test.go:156:14:156:21 | password | semmle.label | password | | test.go:156:14:156:21 | password | semmle.label | password |
@@ -36,37 +71,37 @@ nodes
| test.go:187:16:187:23 | password | semmle.label | password | | test.go:187:16:187:23 | password | semmle.label | password |
subpaths subpaths
#select #select
| test.go:154:14:154:21 | password | test.go:154:14:154:21 | password | test.go:154:14:154:21 | password | $@ flows to a logging call. | test.go:154:14:154:21 | password | Sensitive data returned by an access to password | | test.go:154:14:154:21 | password | test.go:153:17:153:24 | definition of password | test.go:154:14:154:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:155:17:155:24 | password | test.go:155:17:155:24 | password | test.go:155:17:155:24 | password | $@ flows to a logging call. | test.go:155:17:155:24 | password | Sensitive data returned by an access to password | | test.go:155:17:155:24 | password | test.go:153:17:153:24 | definition of password | test.go:155:17:155:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | test.go:156:14:156:21 | password | $@ flows to a logging call. | test.go:156:14:156:21 | password | Sensitive data returned by an access to password | | test.go:156:14:156:21 | password | test.go:153:17:153:24 | definition of password | test.go:156:14:156:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:157:18:157:25 | password | test.go:157:18:157:25 | password | test.go:157:18:157:25 | password | $@ flows to a logging call. | test.go:157:18:157:25 | password | Sensitive data returned by an access to password | | test.go:157:18:157:25 | password | test.go:153:17:153:24 | definition of password | test.go:157:18:157:25 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:158:14:158:21 | password | test.go:158:14:158:21 | password | test.go:158:14:158:21 | password | $@ flows to a logging call. | test.go:158:14:158:21 | password | Sensitive data returned by an access to password | | test.go:158:14:158:21 | password | test.go:153:17:153:24 | definition of password | test.go:158:14:158:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | test.go:159:13:159:20 | password | $@ flows to a logging call. | test.go:159:13:159:20 | password | Sensitive data returned by an access to password | | test.go:159:13:159:20 | password | test.go:153:17:153:24 | definition of password | test.go:159:13:159:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:160:22:160:29 | password | test.go:160:22:160:29 | password | test.go:160:22:160:29 | password | $@ flows to a logging call. | test.go:160:22:160:29 | password | Sensitive data returned by an access to password | | test.go:160:22:160:29 | password | test.go:153:17:153:24 | definition of password | test.go:160:22:160:29 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:161:15:161:22 | password | test.go:161:15:161:22 | password | test.go:161:15:161:22 | password | $@ flows to a logging call. | test.go:161:15:161:22 | password | Sensitive data returned by an access to password | | test.go:161:15:161:22 | password | test.go:153:17:153:24 | definition of password | test.go:161:15:161:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:162:14:162:21 | password | test.go:162:14:162:21 | password | test.go:162:14:162:21 | password | $@ flows to a logging call. | test.go:162:14:162:21 | password | Sensitive data returned by an access to password | | test.go:162:14:162:21 | password | test.go:153:17:153:24 | definition of password | test.go:162:14:162:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | test.go:163:13:163:20 | password | $@ flows to a logging call. | test.go:163:13:163:20 | password | Sensitive data returned by an access to password | | test.go:163:13:163:20 | password | test.go:153:17:153:24 | definition of password | test.go:163:13:163:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:164:16:164:23 | password | test.go:164:16:164:23 | password | test.go:164:16:164:23 | password | $@ flows to a logging call. | test.go:164:16:164:23 | password | Sensitive data returned by an access to password | | test.go:164:16:164:23 | password | test.go:153:17:153:24 | definition of password | test.go:164:16:164:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:165:13:165:20 | password | test.go:165:13:165:20 | password | test.go:165:13:165:20 | password | $@ flows to a logging call. | test.go:165:13:165:20 | password | Sensitive data returned by an access to password | | test.go:165:13:165:20 | password | test.go:153:17:153:24 | definition of password | test.go:165:13:165:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:166:16:166:23 | password | test.go:166:16:166:23 | password | test.go:166:16:166:23 | password | $@ flows to a logging call. | test.go:166:16:166:23 | password | Sensitive data returned by an access to password | | test.go:166:16:166:23 | password | test.go:153:17:153:24 | definition of password | test.go:166:16:166:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | test.go:167:13:167:20 | password | $@ flows to a logging call. | test.go:167:13:167:20 | password | Sensitive data returned by an access to password | | test.go:167:13:167:20 | password | test.go:153:17:153:24 | definition of password | test.go:167:13:167:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:168:17:168:24 | password | test.go:168:17:168:24 | password | test.go:168:17:168:24 | password | $@ flows to a logging call. | test.go:168:17:168:24 | password | Sensitive data returned by an access to password | | test.go:168:17:168:24 | password | test.go:153:17:153:24 | definition of password | test.go:168:17:168:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:169:13:169:20 | password | test.go:169:13:169:20 | password | test.go:169:13:169:20 | password | $@ flows to a logging call. | test.go:169:13:169:20 | password | Sensitive data returned by an access to password | | test.go:169:13:169:20 | password | test.go:153:17:153:24 | definition of password | test.go:169:13:169:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:170:12:170:19 | password | test.go:170:12:170:19 | password | test.go:170:12:170:19 | password | $@ flows to a logging call. | test.go:170:12:170:19 | password | Sensitive data returned by an access to password | | test.go:170:12:170:19 | password | test.go:153:17:153:24 | definition of password | test.go:170:12:170:19 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:171:21:171:28 | password | test.go:171:21:171:28 | password | test.go:171:21:171:28 | password | $@ flows to a logging call. | test.go:171:21:171:28 | password | Sensitive data returned by an access to password | | test.go:171:21:171:28 | password | test.go:153:17:153:24 | definition of password | test.go:171:21:171:28 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:172:14:172:21 | password | test.go:172:14:172:21 | password | test.go:172:14:172:21 | password | $@ flows to a logging call. | test.go:172:14:172:21 | password | Sensitive data returned by an access to password | | test.go:172:14:172:21 | password | test.go:153:17:153:24 | definition of password | test.go:172:14:172:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:173:13:173:20 | password | test.go:173:13:173:20 | password | test.go:173:13:173:20 | password | $@ flows to a logging call. | test.go:173:13:173:20 | password | Sensitive data returned by an access to password | | test.go:173:13:173:20 | password | test.go:153:17:153:24 | definition of password | test.go:173:13:173:20 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:174:12:174:19 | password | test.go:174:12:174:19 | password | test.go:174:12:174:19 | password | $@ flows to a logging call. | test.go:174:12:174:19 | password | Sensitive data returned by an access to password | | test.go:174:12:174:19 | password | test.go:153:17:153:24 | definition of password | test.go:174:12:174:19 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:175:15:175:22 | password | test.go:175:15:175:22 | password | test.go:175:15:175:22 | password | $@ flows to a logging call. | test.go:175:15:175:22 | password | Sensitive data returned by an access to password | | test.go:175:15:175:22 | password | test.go:153:17:153:24 | definition of password | test.go:175:15:175:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:176:15:176:22 | password | test.go:176:15:176:22 | password | test.go:176:15:176:22 | password | $@ flows to a logging call. | test.go:176:15:176:22 | password | Sensitive data returned by an access to password | | test.go:176:15:176:22 | password | test.go:153:17:153:24 | definition of password | test.go:176:15:176:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:177:18:177:25 | password | test.go:177:18:177:25 | password | test.go:177:18:177:25 | password | $@ flows to a logging call. | test.go:177:18:177:25 | password | Sensitive data returned by an access to password | | test.go:177:18:177:25 | password | test.go:153:17:153:24 | definition of password | test.go:177:18:177:25 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | test.go:178:15:178:22 | password | $@ flows to a logging call. | test.go:178:15:178:22 | password | Sensitive data returned by an access to password | | test.go:178:15:178:22 | password | test.go:153:17:153:24 | definition of password | test.go:178:15:178:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:179:19:179:26 | password | test.go:179:19:179:26 | password | test.go:179:19:179:26 | password | $@ flows to a logging call. | test.go:179:19:179:26 | password | Sensitive data returned by an access to password | | test.go:179:19:179:26 | password | test.go:153:17:153:24 | definition of password | test.go:179:19:179:26 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:180:15:180:22 | password | test.go:180:15:180:22 | password | test.go:180:15:180:22 | password | $@ flows to a logging call. | test.go:180:15:180:22 | password | Sensitive data returned by an access to password | | test.go:180:15:180:22 | password | test.go:153:17:153:24 | definition of password | test.go:180:15:180:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:181:14:181:21 | password | test.go:181:14:181:21 | password | test.go:181:14:181:21 | password | $@ flows to a logging call. | test.go:181:14:181:21 | password | Sensitive data returned by an access to password | | test.go:181:14:181:21 | password | test.go:153:17:153:24 | definition of password | test.go:181:14:181:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:182:23:182:30 | password | test.go:182:23:182:30 | password | test.go:182:23:182:30 | password | $@ flows to a logging call. | test.go:182:23:182:30 | password | Sensitive data returned by an access to password | | test.go:182:23:182:30 | password | test.go:153:17:153:24 | definition of password | test.go:182:23:182:30 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:183:16:183:23 | password | test.go:183:16:183:23 | password | test.go:183:16:183:23 | password | $@ flows to a logging call. | test.go:183:16:183:23 | password | Sensitive data returned by an access to password | | test.go:183:16:183:23 | password | test.go:153:17:153:24 | definition of password | test.go:183:16:183:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:184:15:184:22 | password | test.go:184:15:184:22 | password | test.go:184:15:184:22 | password | $@ flows to a logging call. | test.go:184:15:184:22 | password | Sensitive data returned by an access to password | | test.go:184:15:184:22 | password | test.go:153:17:153:24 | definition of password | test.go:184:15:184:22 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:185:14:185:21 | password | test.go:185:14:185:21 | password | test.go:185:14:185:21 | password | $@ flows to a logging call. | test.go:185:14:185:21 | password | Sensitive data returned by an access to password | | test.go:185:14:185:21 | password | test.go:153:17:153:24 | definition of password | test.go:185:14:185:21 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:186:17:186:24 | password | test.go:186:17:186:24 | password | test.go:186:17:186:24 | password | $@ flows to a logging call. | test.go:186:17:186:24 | password | Sensitive data returned by an access to password | | test.go:186:17:186:24 | password | test.go:153:17:153:24 | definition of password | test.go:186:17:186:24 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |
| test.go:187:16:187:23 | password | test.go:187:16:187:23 | password | test.go:187:16:187:23 | password | $@ flows to a logging call. | test.go:187:16:187:23 | password | Sensitive data returned by an access to password | | test.go:187:16:187:23 | password | test.go:153:17:153:24 | definition of password | test.go:187:16:187:23 | password | $@ flows to a logging call. | test.go:153:17:153:24 | definition of password | Sensitive data returned by an access to password |


@@ -1,7 +1,7 @@
#select #select
| test.go:35:13:35:30 | type conversion | test.go:33:6:33:10 | definition of bound | test.go:35:13:35:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:33:6:33:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:35:13:35:30 | type conversion | test.go:34:13:34:17 | bound [postupdate] | test.go:35:13:35:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:34:13:34:17 | bound [postupdate] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:36:13:36:27 | type conversion | test.go:33:6:33:10 | definition of bound | test.go:36:13:36:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:33:6:33:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:36:13:36:27 | type conversion | test.go:34:13:34:17 | bound [postupdate] | test.go:36:13:36:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:34:13:34:17 | bound [postupdate] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:37:13:37:29 | type conversion | test.go:33:6:33:10 | definition of bound | test.go:37:13:37:29 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:33:6:33:10 | definition of bound | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:37:13:37:29 | type conversion | test.go:34:13:34:17 | bound [postupdate] | test.go:37:13:37:29 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:34:13:34:17 | bound [postupdate] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:42:13:42:43 | type conversion | test.go:42:20:42:42 | call to Cookie | test.go:42:13:42:43 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:42:20:42:42 | call to Cookie | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:42:13:42:43 | type conversion | test.go:42:20:42:42 | call to Cookie | test.go:42:13:42:43 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:42:20:42:42 | call to Cookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:47:13:47:52 | type conversion | test.go:47:20:47:31 | call to Data | test.go:47:13:47:52 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:47:20:47:31 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:47:13:47:52 | type conversion | test.go:47:20:47:31 | call to Data | test.go:47:13:47:52 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:47:20:47:31 | call to Data | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:52:13:52:53 | type conversion | test.go:52:20:52:43 | call to GetData | test.go:52:13:52:53 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:52:20:52:43 | call to GetData | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:52:13:52:53 | type conversion | test.go:52:20:52:43 | call to GetData | test.go:52:13:52:53 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:52:20:52:43 | call to GetData | user-provided value | test.go:0:0:0:0 | test.go | |
@@ -30,7 +30,7 @@
| test.go:232:14:232:22 | type conversion | test.go:231:7:231:28 | call to GetString | test.go:232:14:232:22 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:231:7:231:28 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:232:14:232:22 | type conversion | test.go:231:7:231:28 | call to GetString | test.go:232:14:232:22 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:231:7:231:28 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:235:14:235:26 | type conversion | test.go:234:8:234:35 | call to GetStrings | test.go:235:14:235:26 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:234:8:234:35 | call to GetStrings | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:235:14:235:26 | type conversion | test.go:234:8:234:35 | call to GetStrings | test.go:235:14:235:26 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:234:8:234:35 | call to GetStrings | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:238:14:238:27 | type conversion | test.go:237:9:237:17 | call to Input | test.go:238:14:238:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:237:9:237:17 | call to Input | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:238:14:238:27 | type conversion | test.go:237:9:237:17 | call to Input | test.go:238:14:238:27 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:237:9:237:17 | call to Input | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:242:14:242:30 | type conversion | test.go:240:6:240:8 | definition of str | test.go:242:14:242:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:240:6:240:8 | definition of str | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:242:14:242:30 | type conversion | test.go:241:14:241:16 | str [postupdate] | test.go:242:14:242:30 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:241:14:241:16 | str [postupdate] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:249:21:249:29 | untrusted | test.go:246:15:246:36 | call to GetString | test.go:249:21:249:29 | untrusted | Cross-site scripting vulnerability due to $@. | test.go:246:15:246:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:249:21:249:29 | untrusted | test.go:246:15:246:36 | call to GetString | test.go:249:21:249:29 | untrusted | Cross-site scripting vulnerability due to $@. | test.go:246:15:246:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:259:16:259:45 | type conversion | test.go:259:23:259:44 | call to GetCookie | test.go:259:16:259:45 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:259:23:259:44 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:259:16:259:45 | type conversion | test.go:259:23:259:44 | call to GetCookie | test.go:259:16:259:45 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:259:23:259:44 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:264:16:264:37 | call to GetCookie | test.go:264:16:264:37 | call to GetCookie | test.go:264:16:264:37 | call to GetCookie | Cross-site scripting vulnerability due to $@. | test.go:264:16:264:37 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:264:16:264:37 | call to GetCookie | test.go:264:16:264:37 | call to GetCookie | test.go:264:16:264:37 | call to GetCookie | Cross-site scripting vulnerability due to $@. | test.go:264:16:264:37 | call to GetCookie | user-provided value | test.go:0:0:0:0 | test.go | |
@@ -53,9 +53,9 @@
| test.go:311:21:311:48 | type assertion | test.go:309:15:309:36 | call to GetString | test.go:311:21:311:48 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:309:15:309:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:311:21:311:48 | type assertion | test.go:309:15:309:36 | call to GetString | test.go:311:21:311:48 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:309:15:309:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:312:21:312:52 | type assertion | test.go:309:15:309:36 | call to GetString | test.go:312:21:312:52 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:309:15:309:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:312:21:312:52 | type assertion | test.go:309:15:309:36 | call to GetString | test.go:312:21:312:52 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:309:15:309:36 | call to GetString | user-provided value | test.go:0:0:0:0 | test.go | |
edges edges
| test.go:33:6:33:10 | definition of bound | test.go:35:13:35:30 | type conversion | provenance | Src:MaD:1 | | test.go:34:13:34:17 | bound [postupdate] | test.go:35:13:35:30 | type conversion | provenance | Src:MaD:1 |
| test.go:33:6:33:10 | definition of bound | test.go:36:13:36:27 | type conversion | provenance | Src:MaD:1 | | test.go:34:13:34:17 | bound [postupdate] | test.go:36:13:36:27 | type conversion | provenance | Src:MaD:1 |
| test.go:33:6:33:10 | definition of bound | test.go:37:13:37:29 | type conversion | provenance | Src:MaD:1 | | test.go:34:13:34:17 | bound [postupdate] | test.go:37:13:37:29 | type conversion | provenance | Src:MaD:1 |
| test.go:42:20:42:42 | call to Cookie | test.go:42:13:42:43 | type conversion | provenance | Src:MaD:2 | | test.go:42:20:42:42 | call to Cookie | test.go:42:13:42:43 | type conversion | provenance | Src:MaD:2 |
| test.go:47:20:47:31 | call to Data | test.go:47:13:47:52 | type conversion | provenance | Src:MaD:3 | | test.go:47:20:47:31 | call to Data | test.go:47:13:47:52 | type conversion | provenance | Src:MaD:3 |
| test.go:52:20:52:43 | call to GetData | test.go:52:13:52:53 | type conversion | provenance | Src:MaD:4 | | test.go:52:20:52:43 | call to GetData | test.go:52:13:52:53 | type conversion | provenance | Src:MaD:4 |
@@ -87,8 +87,8 @@ edges
| test.go:204:36:204:53 | type assertion | test.go:204:21:204:54 | call to Str2html | provenance | MaD:39 | | test.go:204:36:204:53 | type assertion | test.go:204:21:204:54 | call to Str2html | provenance | MaD:39 |
| test.go:205:21:205:58 | call to Substr | test.go:205:14:205:59 | type conversion | provenance | | | test.go:205:21:205:58 | call to Substr | test.go:205:14:205:59 | type conversion | provenance | |
| test.go:205:34:205:51 | type assertion | test.go:205:21:205:58 | call to Substr | provenance | MaD:40 | | test.go:205:34:205:51 | type assertion | test.go:205:21:205:58 | call to Substr | provenance | MaD:40 |
| test.go:207:6:207:6 | definition of s | test.go:209:14:209:28 | type conversion | provenance | | | test.go:208:18:208:33 | selection of Form | test.go:208:36:208:36 | s [postupdate] | provenance | Src:MaD:21 MaD:38 |
| test.go:208:18:208:33 | selection of Form | test.go:207:6:207:6 | definition of s | provenance | Src:MaD:21 MaD:38 | | test.go:208:36:208:36 | s [postupdate] | test.go:209:14:209:28 | type conversion | provenance | |
| test.go:223:2:223:34 | ... := ...[0] | test.go:225:31:225:31 | f | provenance | Src:MaD:15 | | test.go:223:2:223:34 | ... := ...[0] | test.go:225:31:225:31 | f | provenance | Src:MaD:15 |
| test.go:223:2:223:34 | ... := ...[1] | test.go:224:14:224:32 | type conversion | provenance | Src:MaD:15 | | test.go:223:2:223:34 | ... := ...[1] | test.go:224:14:224:32 | type conversion | provenance | Src:MaD:15 |
| test.go:225:2:225:32 | ... := ...[0] | test.go:226:14:226:20 | content | provenance | | | test.go:225:2:225:32 | ... := ...[0] | test.go:226:14:226:20 | content | provenance | |
@@ -97,7 +97,7 @@ edges
| test.go:231:7:231:28 | call to GetString | test.go:232:14:232:22 | type conversion | provenance | Src:MaD:17 | | test.go:231:7:231:28 | call to GetString | test.go:232:14:232:22 | type conversion | provenance | Src:MaD:17 |
| test.go:234:8:234:35 | call to GetStrings | test.go:235:14:235:26 | type conversion | provenance | Src:MaD:18 | | test.go:234:8:234:35 | call to GetStrings | test.go:235:14:235:26 | type conversion | provenance | Src:MaD:18 |
| test.go:237:9:237:17 | call to Input | test.go:238:14:238:27 | type conversion | provenance | Src:MaD:19 | | test.go:237:9:237:17 | call to Input | test.go:238:14:238:27 | type conversion | provenance | Src:MaD:19 |
| test.go:240:6:240:8 | definition of str | test.go:242:14:242:30 | type conversion | provenance | Src:MaD:20 | | test.go:241:14:241:16 | str [postupdate] | test.go:242:14:242:30 | type conversion | provenance | Src:MaD:20 |
| test.go:246:15:246:36 | call to GetString | test.go:249:21:249:29 | untrusted | provenance | Src:MaD:17 | | test.go:246:15:246:36 | call to GetString | test.go:249:21:249:29 | untrusted | provenance | Src:MaD:17 |
| test.go:259:23:259:44 | call to GetCookie | test.go:259:16:259:45 | type conversion | provenance | Src:MaD:14 | | test.go:259:23:259:44 | call to GetCookie | test.go:259:16:259:45 | type conversion | provenance | Src:MaD:14 |
| test.go:270:62:270:83 | call to GetCookie | test.go:270:55:270:84 | type conversion | provenance | Src:MaD:14 | | test.go:270:62:270:83 | call to GetCookie | test.go:270:55:270:84 | type conversion | provenance | Src:MaD:14 |
@@ -116,8 +116,8 @@ edges
| test.go:275:2:275:40 | ... := ...[0] | test.go:301:39:301:50 | genericFiles | provenance | Src:MaD:16 | | test.go:275:2:275:40 | ... := ...[0] | test.go:301:39:301:50 | genericFiles | provenance | Src:MaD:16 |
| test.go:275:2:275:40 | ... := ...[0] | test.go:302:40:302:51 | genericFiles | provenance | Src:MaD:16 | | test.go:275:2:275:40 | ... := ...[0] | test.go:302:40:302:51 | genericFiles | provenance | Src:MaD:16 |
| test.go:275:2:275:40 | ... := ...[0] | test.go:303:39:303:50 | genericFiles | provenance | Src:MaD:16 | | test.go:275:2:275:40 | ... := ...[0] | test.go:303:39:303:50 | genericFiles | provenance | Src:MaD:16 |
| test.go:276:2:276:13 | definition of genericFiles [array] | test.go:297:51:297:62 | genericFiles [array] | provenance | | | test.go:278:3:278:14 | genericFiles [postupdate] [array] | test.go:297:51:297:62 | genericFiles [array] | provenance | |
| test.go:278:21:278:28 | index expression | test.go:276:2:276:13 | definition of genericFiles [array] | provenance | | | test.go:278:21:278:28 | index expression | test.go:278:3:278:14 | genericFiles [postupdate] [array] | provenance | |
| test.go:283:44:283:60 | selection of Filename | test.go:283:21:283:61 | call to GetDisplayString | provenance | FunctionModel | | test.go:283:44:283:60 | selection of Filename | test.go:283:21:283:61 | call to GetDisplayString | provenance | FunctionModel |
| test.go:284:21:284:53 | call to SliceChunk | test.go:284:21:284:92 | selection of Filename | provenance | | | test.go:284:21:284:53 | call to SliceChunk | test.go:284:21:284:92 | selection of Filename | provenance | |
| test.go:284:38:284:49 | genericFiles | test.go:284:21:284:53 | call to SliceChunk | provenance | MaD:22 | | test.go:284:38:284:49 | genericFiles | test.go:284:21:284:53 | call to SliceChunk | provenance | MaD:22 |
@@ -146,10 +146,10 @@ edges
| test.go:302:40:302:51 | genericFiles | test.go:302:21:302:52 | call to SliceShuffle | provenance | MaD:30 | | test.go:302:40:302:51 | genericFiles | test.go:302:21:302:52 | call to SliceShuffle | provenance | MaD:30 |
| test.go:303:21:303:51 | call to SliceUnique | test.go:303:21:303:87 | selection of Filename | provenance | | | test.go:303:21:303:51 | call to SliceUnique | test.go:303:21:303:87 | selection of Filename | provenance | |
| test.go:303:39:303:50 | genericFiles | test.go:303:21:303:51 | call to SliceUnique | provenance | MaD:31 | | test.go:303:39:303:50 | genericFiles | test.go:303:21:303:51 | call to SliceUnique | provenance | MaD:31 |
| test.go:308:2:308:5 | definition of bMap | test.go:311:21:311:24 | bMap | provenance | |
| test.go:308:2:308:5 | definition of bMap | test.go:312:21:312:24 | bMap | provenance | |
| test.go:309:15:309:36 | call to GetString | test.go:310:22:310:30 | untrusted | provenance | Src:MaD:17 | | test.go:309:15:309:36 | call to GetString | test.go:310:22:310:30 | untrusted | provenance | Src:MaD:17 |
| test.go:310:22:310:30 | untrusted | test.go:308:2:308:5 | definition of bMap | provenance | MaD:34 | | test.go:310:2:310:5 | bMap [postupdate] | test.go:311:21:311:24 | bMap | provenance | |
| test.go:310:2:310:5 | bMap [postupdate] | test.go:312:21:312:24 | bMap | provenance | |
| test.go:310:22:310:30 | untrusted | test.go:310:2:310:5 | bMap [postupdate] | provenance | MaD:34 |
| test.go:311:21:311:24 | bMap | test.go:311:21:311:39 | call to Get | provenance | MaD:32 | | test.go:311:21:311:24 | bMap | test.go:311:21:311:39 | call to Get | provenance | MaD:32 |
| test.go:311:21:311:39 | call to Get | test.go:311:21:311:48 | type assertion | provenance | | | test.go:311:21:311:39 | call to Get | test.go:311:21:311:48 | type assertion | provenance | |
| test.go:312:21:312:24 | bMap | test.go:312:21:312:32 | call to Items | provenance | MaD:33 | | test.go:312:21:312:24 | bMap | test.go:312:21:312:32 | call to Items | provenance | MaD:33 |
@@ -197,7 +197,7 @@ models
| 40 | Summary: group:beego; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual | | 40 | Summary: group:beego; ; false; Substr; ; ; Argument[0]; ReturnValue; taint; manual |
| 41 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | | 41 | Summary: io/ioutil; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
nodes nodes
| test.go:33:6:33:10 | definition of bound | semmle.label | definition of bound | | test.go:34:13:34:17 | bound [postupdate] | semmle.label | bound [postupdate] |
| test.go:35:13:35:30 | type conversion | semmle.label | type conversion | | test.go:35:13:35:30 | type conversion | semmle.label | type conversion |
| test.go:36:13:36:27 | type conversion | semmle.label | type conversion | | test.go:36:13:36:27 | type conversion | semmle.label | type conversion |
| test.go:37:13:37:29 | type conversion | semmle.label | type conversion | | test.go:37:13:37:29 | type conversion | semmle.label | type conversion |
@@ -249,8 +249,8 @@ nodes
| test.go:205:14:205:59 | type conversion | semmle.label | type conversion | | test.go:205:14:205:59 | type conversion | semmle.label | type conversion |
| test.go:205:21:205:58 | call to Substr | semmle.label | call to Substr | | test.go:205:21:205:58 | call to Substr | semmle.label | call to Substr |
| test.go:205:34:205:51 | type assertion | semmle.label | type assertion | | test.go:205:34:205:51 | type assertion | semmle.label | type assertion |
| test.go:207:6:207:6 | definition of s | semmle.label | definition of s |
| test.go:208:18:208:33 | selection of Form | semmle.label | selection of Form | | test.go:208:18:208:33 | selection of Form | semmle.label | selection of Form |
| test.go:208:36:208:36 | s [postupdate] | semmle.label | s [postupdate] |
| test.go:209:14:209:28 | type conversion | semmle.label | type conversion | | test.go:209:14:209:28 | type conversion | semmle.label | type conversion |
| test.go:223:2:223:34 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:223:2:223:34 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:223:2:223:34 | ... := ...[1] | semmle.label | ... := ...[1] | | test.go:223:2:223:34 | ... := ...[1] | semmle.label | ... := ...[1] |
@@ -266,7 +266,7 @@ nodes
| test.go:235:14:235:26 | type conversion | semmle.label | type conversion | | test.go:235:14:235:26 | type conversion | semmle.label | type conversion |
| test.go:237:9:237:17 | call to Input | semmle.label | call to Input | | test.go:237:9:237:17 | call to Input | semmle.label | call to Input |
| test.go:238:14:238:27 | type conversion | semmle.label | type conversion | | test.go:238:14:238:27 | type conversion | semmle.label | type conversion |
| test.go:240:6:240:8 | definition of str | semmle.label | definition of str | | test.go:241:14:241:16 | str [postupdate] | semmle.label | str [postupdate] |
| test.go:242:14:242:30 | type conversion | semmle.label | type conversion | | test.go:242:14:242:30 | type conversion | semmle.label | type conversion |
| test.go:246:15:246:36 | call to GetString | semmle.label | call to GetString | | test.go:246:15:246:36 | call to GetString | semmle.label | call to GetString |
| test.go:249:21:249:29 | untrusted | semmle.label | untrusted | | test.go:249:21:249:29 | untrusted | semmle.label | untrusted |
@@ -277,7 +277,7 @@ nodes
| test.go:270:55:270:84 | type conversion | semmle.label | type conversion | | test.go:270:55:270:84 | type conversion | semmle.label | type conversion |
| test.go:270:62:270:83 | call to GetCookie | semmle.label | call to GetCookie | | test.go:270:62:270:83 | call to GetCookie | semmle.label | call to GetCookie |
| test.go:275:2:275:40 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:275:2:275:40 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:276:2:276:13 | definition of genericFiles [array] | semmle.label | definition of genericFiles [array] | | test.go:278:3:278:14 | genericFiles [postupdate] [array] | semmle.label | genericFiles [postupdate] [array] |
| test.go:278:21:278:28 | index expression | semmle.label | index expression | | test.go:278:21:278:28 | index expression | semmle.label | index expression |
| test.go:283:21:283:61 | call to GetDisplayString | semmle.label | call to GetDisplayString | | test.go:283:21:283:61 | call to GetDisplayString | semmle.label | call to GetDisplayString |
| test.go:283:44:283:60 | selection of Filename | semmle.label | selection of Filename | | test.go:283:44:283:60 | selection of Filename | semmle.label | selection of Filename |
@@ -321,8 +321,8 @@ nodes
| test.go:303:21:303:51 | call to SliceUnique | semmle.label | call to SliceUnique | | test.go:303:21:303:51 | call to SliceUnique | semmle.label | call to SliceUnique |
| test.go:303:21:303:87 | selection of Filename | semmle.label | selection of Filename | | test.go:303:21:303:87 | selection of Filename | semmle.label | selection of Filename |
| test.go:303:39:303:50 | genericFiles | semmle.label | genericFiles | | test.go:303:39:303:50 | genericFiles | semmle.label | genericFiles |
| test.go:308:2:308:5 | definition of bMap | semmle.label | definition of bMap |
| test.go:309:15:309:36 | call to GetString | semmle.label | call to GetString | | test.go:309:15:309:36 | call to GetString | semmle.label | call to GetString |
| test.go:310:2:310:5 | bMap [postupdate] | semmle.label | bMap [postupdate] |
| test.go:310:22:310:30 | untrusted | semmle.label | untrusted | | test.go:310:22:310:30 | untrusted | semmle.label | untrusted |
| test.go:311:21:311:24 | bMap | semmle.label | bMap | | test.go:311:21:311:24 | bMap | semmle.label | bMap |
| test.go:311:21:311:39 | call to Get | semmle.label | call to Get | | test.go:311:21:311:39 | call to Get | semmle.label | call to Get |


@@ -10,8 +10,8 @@ edges
| test.go:215:15:215:26 | call to Data | test.go:216:18:216:26 | untrusted | provenance | Src:MaD:6 Sink:MaD:2 | | test.go:215:15:215:26 | call to Data | test.go:216:18:216:26 | untrusted | provenance | Src:MaD:6 Sink:MaD:2 |
| test.go:215:15:215:26 | call to Data | test.go:217:10:217:18 | untrusted | provenance | Src:MaD:6 Sink:MaD:5 | | test.go:215:15:215:26 | call to Data | test.go:217:10:217:18 | untrusted | provenance | Src:MaD:6 Sink:MaD:5 |
| test.go:215:15:215:26 | call to Data | test.go:218:35:218:43 | untrusted | provenance | Src:MaD:6 Sink:MaD:3 | | test.go:215:15:215:26 | call to Data | test.go:218:35:218:43 | untrusted | provenance | Src:MaD:6 Sink:MaD:3 |
| test.go:324:17:324:37 | selection of RequestBody | test.go:324:40:324:43 | &... | provenance | Src:MaD:7 MaD:8 | | test.go:324:17:324:37 | selection of RequestBody | test.go:324:40:324:43 | &... [postupdate] | provenance | Src:MaD:7 MaD:8 |
| test.go:324:40:324:43 | &... | test.go:326:35:326:43 | untrusted | provenance | Sink:MaD:3 | | test.go:324:40:324:43 | &... [postupdate] | test.go:326:35:326:43 | untrusted | provenance | Sink:MaD:3 |
| test.go:332:15:332:26 | call to Data | test.go:334:23:334:31 | untrusted | provenance | Src:MaD:6 Sink:MaD:1 | | test.go:332:15:332:26 | call to Data | test.go:334:23:334:31 | untrusted | provenance | Src:MaD:6 Sink:MaD:1 |
| test.go:340:15:340:26 | call to Data | test.go:342:53:342:61 | untrusted | provenance | Src:MaD:6 Sink:MaD:4 | | test.go:340:15:340:26 | call to Data | test.go:342:53:342:61 | untrusted | provenance | Src:MaD:6 Sink:MaD:4 |
| test.go:340:15:340:26 | call to Data | test.go:344:23:344:31 | untrusted | provenance | Src:MaD:6 Sink:MaD:1 | | test.go:340:15:340:26 | call to Data | test.go:344:23:344:31 | untrusted | provenance | Src:MaD:6 Sink:MaD:1 |
@@ -30,7 +30,7 @@ nodes
| test.go:217:10:217:18 | untrusted | semmle.label | untrusted | | test.go:217:10:217:18 | untrusted | semmle.label | untrusted |
| test.go:218:35:218:43 | untrusted | semmle.label | untrusted | | test.go:218:35:218:43 | untrusted | semmle.label | untrusted |
| test.go:324:17:324:37 | selection of RequestBody | semmle.label | selection of RequestBody | | test.go:324:17:324:37 | selection of RequestBody | semmle.label | selection of RequestBody |
| test.go:324:40:324:43 | &... | semmle.label | &... | | test.go:324:40:324:43 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:326:35:326:43 | untrusted | semmle.label | untrusted | | test.go:326:35:326:43 | untrusted | semmle.label | untrusted |
| test.go:332:15:332:26 | call to Data | semmle.label | call to Data | | test.go:332:15:332:26 | call to Data | semmle.label | call to Data |
| test.go:334:23:334:31 | untrusted | semmle.label | untrusted | | test.go:334:23:334:31 | untrusted | semmle.label | untrusted |


@@ -1,8 +1,8 @@
#select #select
| test.go:81:13:81:29 | type conversion | test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... | stored value | | test.go:81:13:81:29 | type conversion | test.go:80:13:80:16 | &... [postupdate] | test.go:81:13:81:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... [postupdate] | stored value |
| test.go:82:13:82:43 | type conversion | test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... | stored value | | test.go:82:13:82:43 | type conversion | test.go:80:13:80:16 | &... [postupdate] | test.go:82:13:82:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:80:13:80:16 | &... [postupdate] | stored value |
| test.go:86:13:86:30 | type conversion | test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:85:22:85:26 | &... | stored value | | test.go:86:13:86:30 | type conversion | test.go:85:22:85:26 | &... [postupdate] | test.go:86:13:86:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:85:22:85:26 | &... [postupdate] | stored value |
| test.go:90:13:90:30 | type conversion | test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:89:21:89:25 | &... | stored value | | test.go:90:13:90:30 | type conversion | test.go:89:21:89:25 | &... [postupdate] | test.go:90:13:90:30 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:89:21:89:25 | &... [postupdate] | stored value |
| test.go:95:13:95:37 | type conversion | test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:95:20:95:36 | call to Value | stored value | | test.go:95:13:95:37 | type conversion | test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:95:20:95:36 | call to Value | stored value |
| test.go:96:13:96:49 | type conversion | test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:96:20:96:39 | call to RawValue | stored value | | test.go:96:13:96:49 | type conversion | test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:96:20:96:39 | call to RawValue | stored value |
| test.go:97:13:97:38 | type conversion | test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:97:20:97:37 | call to String | stored value | | test.go:97:13:97:38 | type conversion | test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:97:20:97:37 | call to String | stored value |
@@ -12,25 +12,25 @@
| test.go:101:13:101:38 | type conversion | test.go:101:20:101:37 | call to Value | test.go:101:13:101:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:101:20:101:37 | call to Value | stored value | | test.go:101:13:101:38 | type conversion | test.go:101:20:101:37 | call to Value | test.go:101:13:101:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:101:20:101:37 | call to Value | stored value |
| test.go:102:13:102:50 | type conversion | test.go:102:20:102:40 | call to RawValue | test.go:102:13:102:50 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:102:20:102:40 | call to RawValue | stored value | | test.go:102:13:102:50 | type conversion | test.go:102:20:102:40 | call to RawValue | test.go:102:13:102:50 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:102:20:102:40 | call to RawValue | stored value |
| test.go:103:13:103:39 | type conversion | test.go:103:20:103:38 | call to String | test.go:103:13:103:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:103:20:103:38 | call to String | stored value | | test.go:103:13:103:39 | type conversion | test.go:103:20:103:38 | call to String | test.go:103:13:103:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:103:20:103:38 | call to String | stored value |
| test.go:110:13:110:33 | type conversion | test.go:109:9:109:13 | &... | test.go:110:13:110:33 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:109:9:109:13 | &... | stored value | | test.go:110:13:110:33 | type conversion | test.go:109:9:109:13 | &... [postupdate] | test.go:110:13:110:33 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:109:9:109:13 | &... [postupdate] | stored value |
| test.go:114:13:114:29 | type conversion | test.go:113:9:113:12 | &... | test.go:114:13:114:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:113:9:113:12 | &... | stored value | | test.go:114:13:114:29 | type conversion | test.go:113:9:113:12 | &... [postupdate] | test.go:114:13:114:29 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:113:9:113:12 | &... [postupdate] | stored value |
| test.go:118:13:118:48 | type conversion | test.go:117:12:117:19 | &... | test.go:118:13:118:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:117:12:117:19 | &... | stored value | | test.go:118:13:118:48 | type conversion | test.go:117:12:117:19 | &... [postupdate] | test.go:118:13:118:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:117:12:117:19 | &... [postupdate] | stored value |
| test.go:122:13:122:43 | type conversion | test.go:121:16:121:24 | &... | test.go:122:13:122:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:121:16:121:24 | &... | stored value | | test.go:122:13:122:43 | type conversion | test.go:121:16:121:24 | &... [postupdate] | test.go:122:13:122:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:121:16:121:24 | &... [postupdate] | stored value |
| test.go:126:13:126:39 | type conversion | test.go:125:16:125:23 | &... | test.go:126:13:126:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:125:16:125:23 | &... | stored value | | test.go:126:13:126:39 | type conversion | test.go:125:16:125:23 | &... [postupdate] | test.go:126:13:126:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:125:16:125:23 | &... [postupdate] | stored value |
| test.go:130:13:130:47 | type conversion | test.go:129:15:129:24 | &... | test.go:130:13:130:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:129:15:129:24 | &... | stored value | | test.go:130:13:130:47 | type conversion | test.go:129:15:129:24 | &... [postupdate] | test.go:130:13:130:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:129:15:129:24 | &... [postupdate] | stored value |
| test.go:134:13:134:38 | type conversion | test.go:133:18:133:30 | &... | test.go:134:13:134:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:133:18:133:30 | &... | stored value | | test.go:134:13:134:38 | type conversion | test.go:133:18:133:30 | &... [postupdate] | test.go:134:13:134:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:133:18:133:30 | &... [postupdate] | stored value |
| test.go:141:13:141:48 | type conversion | test.go:140:12:140:19 | &... | test.go:141:13:141:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:140:12:140:19 | &... | stored value | | test.go:141:13:141:48 | type conversion | test.go:140:12:140:19 | &... [postupdate] | test.go:141:13:141:48 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:140:12:140:19 | &... [postupdate] | stored value |
| test.go:145:13:145:43 | type conversion | test.go:144:16:144:24 | &... | test.go:145:13:145:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:144:16:144:24 | &... | stored value | | test.go:145:13:145:43 | type conversion | test.go:144:16:144:24 | &... [postupdate] | test.go:145:13:145:43 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:144:16:144:24 | &... [postupdate] | stored value |
| test.go:149:13:149:39 | type conversion | test.go:148:16:148:23 | &... | test.go:149:13:149:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:148:16:148:23 | &... | stored value | | test.go:149:13:149:39 | type conversion | test.go:148:16:148:23 | &... [postupdate] | test.go:149:13:149:39 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:148:16:148:23 | &... [postupdate] | stored value |
| test.go:153:13:153:47 | type conversion | test.go:152:15:152:24 | &... | test.go:153:13:153:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:152:15:152:24 | &... | stored value | | test.go:153:13:153:47 | type conversion | test.go:152:15:152:24 | &... [postupdate] | test.go:153:13:153:47 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:152:15:152:24 | &... [postupdate] | stored value |
| test.go:157:13:157:38 | type conversion | test.go:156:18:156:30 | &... | test.go:157:13:157:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:156:18:156:30 | &... | stored value | | test.go:157:13:157:38 | type conversion | test.go:156:18:156:30 | &... [postupdate] | test.go:157:13:157:38 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:156:18:156:30 | &... [postupdate] | stored value |
| test.go:161:13:161:28 | type conversion | test.go:160:14:160:22 | &... | test.go:161:13:161:28 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:160:14:160:22 | &... | stored value | | test.go:161:13:161:28 | type conversion | test.go:160:14:160:22 | &... [postupdate] | test.go:161:13:161:28 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:160:14:160:22 | &... [postupdate] | stored value |
| test.go:165:13:165:32 | type conversion | test.go:164:15:164:24 | &... | test.go:165:13:165:32 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:164:15:164:24 | &... | stored value | | test.go:165:13:165:32 | type conversion | test.go:164:15:164:24 | &... [postupdate] | test.go:165:13:165:32 | type conversion | Stored cross-site scripting vulnerability due to $@. | test.go:164:15:164:24 | &... [postupdate] | stored value |
edges edges
| test.go:80:13:80:16 | &... | test.go:81:13:81:29 | type conversion | provenance | Src:MaD:1 | | test.go:80:13:80:16 | &... [postupdate] | test.go:81:13:81:29 | type conversion | provenance | Src:MaD:1 |
| test.go:80:13:80:16 | &... | test.go:82:13:82:43 | type conversion | provenance | Src:MaD:1 | | test.go:80:13:80:16 | &... [postupdate] | test.go:82:13:82:43 | type conversion | provenance | Src:MaD:1 |
| test.go:85:22:85:26 | &... | test.go:86:13:86:30 | type conversion | provenance | Src:MaD:2 | | test.go:85:22:85:26 | &... [postupdate] | test.go:86:13:86:30 | type conversion | provenance | Src:MaD:2 |
| test.go:89:21:89:25 | &... | test.go:90:13:90:30 | type conversion | provenance | Src:MaD:3 | | test.go:89:21:89:25 | &... [postupdate] | test.go:90:13:90:30 | type conversion | provenance | Src:MaD:3 |
| test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | provenance | | | test.go:95:20:95:36 | call to Value | test.go:95:13:95:37 | type conversion | provenance | |
| test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | provenance | | | test.go:96:20:96:39 | call to RawValue | test.go:96:13:96:49 | type conversion | provenance | |
| test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | provenance | | | test.go:97:20:97:37 | call to String | test.go:97:13:97:38 | type conversion | provenance | |
@@ -40,31 +40,31 @@ edges
| test.go:101:20:101:37 | call to Value | test.go:101:13:101:38 | type conversion | provenance | | | test.go:101:20:101:37 | call to Value | test.go:101:13:101:38 | type conversion | provenance | |
| test.go:102:20:102:40 | call to RawValue | test.go:102:13:102:50 | type conversion | provenance | | | test.go:102:20:102:40 | call to RawValue | test.go:102:13:102:50 | type conversion | provenance | |
| test.go:103:20:103:38 | call to String | test.go:103:13:103:39 | type conversion | provenance | | | test.go:103:20:103:38 | call to String | test.go:103:13:103:39 | type conversion | provenance | |
| test.go:109:9:109:13 | &... | test.go:110:13:110:33 | type conversion | provenance | | | test.go:109:9:109:13 | &... [postupdate] | test.go:110:13:110:33 | type conversion | provenance | |
| test.go:113:9:113:12 | &... | test.go:114:13:114:29 | type conversion | provenance | | | test.go:113:9:113:12 | &... [postupdate] | test.go:114:13:114:29 | type conversion | provenance | |
| test.go:117:12:117:19 | &... | test.go:118:13:118:48 | type conversion | provenance | | | test.go:117:12:117:19 | &... [postupdate] | test.go:118:13:118:48 | type conversion | provenance | |
| test.go:121:16:121:24 | &... | test.go:122:13:122:43 | type conversion | provenance | | | test.go:121:16:121:24 | &... [postupdate] | test.go:122:13:122:43 | type conversion | provenance | |
| test.go:125:16:125:23 | &... | test.go:126:13:126:39 | type conversion | provenance | | | test.go:125:16:125:23 | &... [postupdate] | test.go:126:13:126:39 | type conversion | provenance | |
| test.go:129:15:129:24 | &... | test.go:130:13:130:47 | type conversion | provenance | | | test.go:129:15:129:24 | &... [postupdate] | test.go:130:13:130:47 | type conversion | provenance | |
| test.go:133:18:133:30 | &... | test.go:134:13:134:38 | type conversion | provenance | | | test.go:133:18:133:30 | &... [postupdate] | test.go:134:13:134:38 | type conversion | provenance | |
| test.go:140:12:140:19 | &... | test.go:141:13:141:48 | type conversion | provenance | | | test.go:140:12:140:19 | &... [postupdate] | test.go:141:13:141:48 | type conversion | provenance | |
| test.go:144:16:144:24 | &... | test.go:145:13:145:43 | type conversion | provenance | | | test.go:144:16:144:24 | &... [postupdate] | test.go:145:13:145:43 | type conversion | provenance | |
| test.go:148:16:148:23 | &... | test.go:149:13:149:39 | type conversion | provenance | | | test.go:148:16:148:23 | &... [postupdate] | test.go:149:13:149:39 | type conversion | provenance | |
| test.go:152:15:152:24 | &... | test.go:153:13:153:47 | type conversion | provenance | | | test.go:152:15:152:24 | &... [postupdate] | test.go:153:13:153:47 | type conversion | provenance | |
| test.go:156:18:156:30 | &... | test.go:157:13:157:38 | type conversion | provenance | | | test.go:156:18:156:30 | &... [postupdate] | test.go:157:13:157:38 | type conversion | provenance | |
| test.go:160:14:160:22 | &... | test.go:161:13:161:28 | type conversion | provenance | | | test.go:160:14:160:22 | &... [postupdate] | test.go:161:13:161:28 | type conversion | provenance | |
| test.go:164:15:164:24 | &... | test.go:165:13:165:32 | type conversion | provenance | | | test.go:164:15:164:24 | &... [postupdate] | test.go:165:13:165:32 | type conversion | provenance | |
models models
| 1 | Source: group:beego-orm; Ormer; true; Read; ; ; Argument[0]; database; manual | | 1 | Source: group:beego-orm; Ormer; true; Read; ; ; Argument[0]; database; manual |
| 2 | Source: group:beego-orm; Ormer; true; ReadForUpdate; ; ; Argument[0]; database; manual | | 2 | Source: group:beego-orm; Ormer; true; ReadForUpdate; ; ; Argument[0]; database; manual |
| 3 | Source: group:beego-orm; Ormer; true; ReadOrCreate; ; ; Argument[0]; database; manual | | 3 | Source: group:beego-orm; Ormer; true; ReadOrCreate; ; ; Argument[0]; database; manual |
nodes nodes
| test.go:80:13:80:16 | &... | semmle.label | &... | | test.go:80:13:80:16 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:81:13:81:29 | type conversion | semmle.label | type conversion | | test.go:81:13:81:29 | type conversion | semmle.label | type conversion |
| test.go:82:13:82:43 | type conversion | semmle.label | type conversion | | test.go:82:13:82:43 | type conversion | semmle.label | type conversion |
| test.go:85:22:85:26 | &... | semmle.label | &... | | test.go:85:22:85:26 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:86:13:86:30 | type conversion | semmle.label | type conversion | | test.go:86:13:86:30 | type conversion | semmle.label | type conversion |
| test.go:89:21:89:25 | &... | semmle.label | &... | | test.go:89:21:89:25 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:90:13:90:30 | type conversion | semmle.label | type conversion | | test.go:90:13:90:30 | type conversion | semmle.label | type conversion |
| test.go:95:13:95:37 | type conversion | semmle.label | type conversion | | test.go:95:13:95:37 | type conversion | semmle.label | type conversion |
| test.go:95:20:95:36 | call to Value | semmle.label | call to Value | | test.go:95:20:95:36 | call to Value | semmle.label | call to Value |
@@ -84,32 +84,32 @@ nodes
| test.go:102:20:102:40 | call to RawValue | semmle.label | call to RawValue | | test.go:102:20:102:40 | call to RawValue | semmle.label | call to RawValue |
| test.go:103:13:103:39 | type conversion | semmle.label | type conversion | | test.go:103:13:103:39 | type conversion | semmle.label | type conversion |
| test.go:103:20:103:38 | call to String | semmle.label | call to String | | test.go:103:20:103:38 | call to String | semmle.label | call to String |
| test.go:109:9:109:13 | &... | semmle.label | &... | | test.go:109:9:109:13 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:110:13:110:33 | type conversion | semmle.label | type conversion | | test.go:110:13:110:33 | type conversion | semmle.label | type conversion |
| test.go:113:9:113:12 | &... | semmle.label | &... | | test.go:113:9:113:12 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:114:13:114:29 | type conversion | semmle.label | type conversion | | test.go:114:13:114:29 | type conversion | semmle.label | type conversion |
| test.go:117:12:117:19 | &... | semmle.label | &... | | test.go:117:12:117:19 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:118:13:118:48 | type conversion | semmle.label | type conversion | | test.go:118:13:118:48 | type conversion | semmle.label | type conversion |
| test.go:121:16:121:24 | &... | semmle.label | &... | | test.go:121:16:121:24 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:122:13:122:43 | type conversion | semmle.label | type conversion | | test.go:122:13:122:43 | type conversion | semmle.label | type conversion |
| test.go:125:16:125:23 | &... | semmle.label | &... | | test.go:125:16:125:23 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:126:13:126:39 | type conversion | semmle.label | type conversion | | test.go:126:13:126:39 | type conversion | semmle.label | type conversion |
| test.go:129:15:129:24 | &... | semmle.label | &... | | test.go:129:15:129:24 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:130:13:130:47 | type conversion | semmle.label | type conversion | | test.go:130:13:130:47 | type conversion | semmle.label | type conversion |
| test.go:133:18:133:30 | &... | semmle.label | &... | | test.go:133:18:133:30 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:134:13:134:38 | type conversion | semmle.label | type conversion | | test.go:134:13:134:38 | type conversion | semmle.label | type conversion |
| test.go:140:12:140:19 | &... | semmle.label | &... | | test.go:140:12:140:19 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:141:13:141:48 | type conversion | semmle.label | type conversion | | test.go:141:13:141:48 | type conversion | semmle.label | type conversion |
| test.go:144:16:144:24 | &... | semmle.label | &... | | test.go:144:16:144:24 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:145:13:145:43 | type conversion | semmle.label | type conversion | | test.go:145:13:145:43 | type conversion | semmle.label | type conversion |
| test.go:148:16:148:23 | &... | semmle.label | &... | | test.go:148:16:148:23 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:149:13:149:39 | type conversion | semmle.label | type conversion | | test.go:149:13:149:39 | type conversion | semmle.label | type conversion |
| test.go:152:15:152:24 | &... | semmle.label | &... | | test.go:152:15:152:24 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:153:13:153:47 | type conversion | semmle.label | type conversion | | test.go:153:13:153:47 | type conversion | semmle.label | type conversion |
| test.go:156:18:156:30 | &... | semmle.label | &... | | test.go:156:18:156:30 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:157:13:157:38 | type conversion | semmle.label | type conversion | | test.go:157:13:157:38 | type conversion | semmle.label | type conversion |
| test.go:160:14:160:22 | &... | semmle.label | &... | | test.go:160:14:160:22 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:161:13:161:28 | type conversion | semmle.label | type conversion | | test.go:161:13:161:28 | type conversion | semmle.label | type conversion |
| test.go:164:15:164:24 | &... | semmle.label | &... | | test.go:164:15:164:24 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:165:13:165:32 | type conversion | semmle.label | type conversion | | test.go:165:13:165:32 | type conversion | semmle.label | type conversion |
subpaths subpaths


@@ -1,14 +1,15 @@
#select #select
| test.go:173:20:173:24 | param | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | This path to an untrusted URL redirection depends on a $@. | test.go:172:11:172:32 | call to Param | user-provided value | | test.go:173:20:173:24 | param | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | This path to an untrusted URL redirection depends on a $@. | test.go:172:11:172:32 | call to Param | user-provided value |
| test.go:182:20:182:28 | ...+... | test.go:178:11:178:32 | call to Param | test.go:182:20:182:28 | ...+... | This path to an untrusted URL redirection depends on a $@. | test.go:178:11:178:32 | call to Param | user-provided value | | test.go:185:20:185:29 | ...+... | test.go:178:11:178:32 | call to Param | test.go:185:20:185:29 | ...+... | This path to an untrusted URL redirection depends on a $@. | test.go:178:11:178:32 | call to Param | user-provided value |
edges edges
| test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | provenance | Src:MaD:2 Sink:MaD:1 | | test.go:172:11:172:32 | call to Param | test.go:173:20:173:24 | param | provenance | Src:MaD:2 Sink:MaD:1 |
| test.go:178:11:178:32 | call to Param | test.go:182:24:182:28 | param | provenance | Src:MaD:2 | | test.go:178:11:178:32 | call to Param | test.go:185:24:185:29 | param2 | provenance | Src:MaD:2 |
| test.go:182:24:182:28 | param | test.go:182:20:182:28 | ...+... | provenance | Config Sink:MaD:1 | | test.go:185:24:185:29 | param2 | test.go:185:20:185:29 | ...+... | provenance | Config Sink:MaD:1 |
| test.go:190:9:190:26 | star expression | test.go:190:10:190:26 | selection of URL | provenance | Config | | test.go:193:9:193:26 | star expression | test.go:193:10:193:26 | selection of URL [postupdate] | provenance | Config |
| test.go:190:9:190:26 | star expression | test.go:193:21:193:23 | url | provenance | | | test.go:193:9:193:26 | star expression | test.go:196:21:196:23 | url | provenance | |
| test.go:190:10:190:26 | selection of URL | test.go:190:9:190:26 | star expression | provenance | Src:MaD:3 Config | | test.go:193:10:193:26 | selection of URL | test.go:193:9:193:26 | star expression | provenance | Src:MaD:3 Config |
| test.go:193:21:193:23 | url | test.go:193:21:193:32 | call to String | provenance | Config Sink:MaD:1 | | test.go:193:10:193:26 | selection of URL [postupdate] | test.go:193:9:193:26 | star expression | provenance | Config |
| test.go:196:21:196:23 | url | test.go:196:21:196:32 | call to String | provenance | Config Sink:MaD:1 |
models models
| 1 | Sink: github.com/labstack/echo; Context; true; Redirect; ; ; Argument[1]; url-redirection; manual | | 1 | Sink: github.com/labstack/echo; Context; true; Redirect; ; ; Argument[1]; url-redirection; manual |
| 2 | Source: github.com/labstack/echo; Context; true; Param; ; ; ReturnValue[0]; remote; manual | | 2 | Source: github.com/labstack/echo; Context; true; Param; ; ; ReturnValue[0]; remote; manual |
@@ -17,10 +18,11 @@ nodes
| test.go:172:11:172:32 | call to Param | semmle.label | call to Param | | test.go:172:11:172:32 | call to Param | semmle.label | call to Param |
| test.go:173:20:173:24 | param | semmle.label | param | | test.go:173:20:173:24 | param | semmle.label | param |
| test.go:178:11:178:32 | call to Param | semmle.label | call to Param | | test.go:178:11:178:32 | call to Param | semmle.label | call to Param |
| test.go:182:20:182:28 | ...+... | semmle.label | ...+... | | test.go:185:20:185:29 | ...+... | semmle.label | ...+... |
| test.go:182:24:182:28 | param | semmle.label | param | | test.go:185:24:185:29 | param2 | semmle.label | param2 |
| test.go:190:9:190:26 | star expression | semmle.label | star expression | | test.go:193:9:193:26 | star expression | semmle.label | star expression |
| test.go:190:10:190:26 | selection of URL | semmle.label | selection of URL | | test.go:193:10:193:26 | selection of URL | semmle.label | selection of URL |
| test.go:193:21:193:23 | url | semmle.label | url | | test.go:193:10:193:26 | selection of URL [postupdate] | semmle.label | selection of URL [postupdate] |
| test.go:193:21:193:32 | call to String | semmle.label | call to String | | test.go:196:21:196:23 | url | semmle.label | url |
| test.go:196:21:196:32 | call to String | semmle.label | call to String |
subpaths subpaths


@@ -11,7 +11,7 @@
| test.go:77:20:77:25 | buffer | test.go:72:2:72:31 | ... := ...[0] | test.go:77:20:77:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:72:2:72:31 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:77:20:77:25 | buffer | test.go:72:2:72:31 | ... := ...[0] | test.go:77:20:77:25 | buffer | Cross-site scripting vulnerability due to $@. | test.go:72:2:72:31 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:83:16:83:24 | selection of Value | test.go:82:2:82:32 | ... := ...[0] | test.go:83:16:83:24 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:82:2:82:32 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:83:16:83:24 | selection of Value | test.go:82:2:82:32 | ... := ...[0] | test.go:83:16:83:24 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:82:2:82:32 | ... := ...[0] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:89:16:89:31 | selection of Value | test.go:88:13:88:25 | call to Cookies | test.go:89:16:89:31 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:88:13:88:25 | call to Cookies | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:89:16:89:31 | selection of Value | test.go:88:13:88:25 | call to Cookies | test.go:89:16:89:31 | selection of Value | Cross-site scripting vulnerability due to $@. | test.go:88:13:88:25 | call to Cookies | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:100:16:100:21 | selection of s | test.go:99:11:99:15 | &... | test.go:100:16:100:21 | selection of s | Cross-site scripting vulnerability due to $@. | test.go:99:11:99:15 | &... | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:100:16:100:21 | selection of s | test.go:99:11:99:15 | &... [postupdate] | test.go:100:16:100:21 | selection of s | Cross-site scripting vulnerability due to $@. | test.go:99:11:99:15 | &... [postupdate] | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:114:16:114:42 | type assertion | test.go:113:21:113:42 | call to Param | test.go:114:16:114:42 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:113:21:113:42 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:114:16:114:42 | type assertion | test.go:113:21:113:42 | call to Param | test.go:114:16:114:42 | type assertion | Cross-site scripting vulnerability due to $@. | test.go:113:21:113:42 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:125:16:125:20 | param | test.go:124:11:124:32 | call to Param | test.go:125:16:125:20 | param | Cross-site scripting vulnerability due to $@. | test.go:124:11:124:32 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:125:16:125:20 | param | test.go:124:11:124:32 | call to Param | test.go:125:16:125:20 | param | Cross-site scripting vulnerability due to $@. | test.go:124:11:124:32 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | |
| test.go:131:20:131:32 | type conversion | test.go:130:11:130:32 | call to Param | test.go:131:20:131:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:130:11:130:32 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | | | test.go:131:20:131:32 | type conversion | test.go:130:11:130:32 | call to Param | test.go:131:20:131:32 | type conversion | Cross-site scripting vulnerability due to $@. | test.go:130:11:130:32 | call to Param | user-provided value | test.go:0:0:0:0 | test.go | |
@@ -29,23 +29,23 @@ edges
| test.go:57:2:57:46 | ... := ...[0] | test.go:58:13:58:22 | fileHeader | provenance | Src:MaD:4 | | test.go:57:2:57:46 | ... := ...[0] | test.go:58:13:58:22 | fileHeader | provenance | Src:MaD:4 |
| test.go:58:2:58:29 | ... := ...[0] | test.go:60:2:60:5 | file | provenance | | | test.go:58:2:58:29 | ... := ...[0] | test.go:60:2:60:5 | file | provenance | |
| test.go:58:13:58:22 | fileHeader | test.go:58:2:58:29 | ... := ...[0] | provenance | MaD:17 | | test.go:58:13:58:22 | fileHeader | test.go:58:2:58:29 | ... := ...[0] | provenance | MaD:17 |
| test.go:59:2:59:7 | definition of buffer | test.go:61:20:61:25 | buffer | provenance | | | test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:15 |
| test.go:60:2:60:5 | file | test.go:59:2:59:7 | definition of buffer | provenance | MaD:15 | | test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:16 |
| test.go:60:2:60:5 | file | test.go:59:2:59:7 | definition of buffer | provenance | MaD:16 | | test.go:60:2:60:5 | file | test.go:60:12:60:17 | buffer [postupdate] | provenance | MaD:18 |
| test.go:60:2:60:5 | file | test.go:59:2:59:7 | definition of buffer | provenance | MaD:18 | | test.go:60:12:60:17 | buffer [postupdate] | test.go:61:20:61:25 | buffer | provenance | |
| test.go:66:2:66:31 | ... := ...[0] | test.go:67:16:67:41 | index expression | provenance | Src:MaD:7 | | test.go:66:2:66:31 | ... := ...[0] | test.go:67:16:67:41 | index expression | provenance | Src:MaD:7 |
| test.go:72:2:72:31 | ... := ...[0] | test.go:74:13:74:22 | fileHeader | provenance | Src:MaD:7 | | test.go:72:2:72:31 | ... := ...[0] | test.go:74:13:74:22 | fileHeader | provenance | Src:MaD:7 |
| test.go:74:2:74:29 | ... := ...[0] | test.go:76:2:76:5 | file | provenance | | | test.go:74:2:74:29 | ... := ...[0] | test.go:76:2:76:5 | file | provenance | |
| test.go:74:13:74:22 | fileHeader | test.go:74:2:74:29 | ... := ...[0] | provenance | MaD:17 | | test.go:74:13:74:22 | fileHeader | test.go:74:2:74:29 | ... := ...[0] | provenance | MaD:17 |
| test.go:75:2:75:7 | definition of buffer | test.go:77:20:77:25 | buffer | provenance | | | test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:15 |
| test.go:76:2:76:5 | file | test.go:75:2:75:7 | definition of buffer | provenance | MaD:15 | | test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:16 |
| test.go:76:2:76:5 | file | test.go:75:2:75:7 | definition of buffer | provenance | MaD:16 | | test.go:76:2:76:5 | file | test.go:76:12:76:17 | buffer [postupdate] | provenance | MaD:18 |
| test.go:76:2:76:5 | file | test.go:75:2:75:7 | definition of buffer | provenance | MaD:18 | | test.go:76:12:76:17 | buffer [postupdate] | test.go:77:20:77:25 | buffer | provenance | |
| test.go:82:2:82:32 | ... := ...[0] | test.go:83:16:83:24 | selection of Value | provenance | Src:MaD:2 | | test.go:82:2:82:32 | ... := ...[0] | test.go:83:16:83:24 | selection of Value | provenance | Src:MaD:2 |
| test.go:88:13:88:25 | call to Cookies | test.go:89:16:89:31 | selection of Value | provenance | Src:MaD:3 | | test.go:88:13:88:25 | call to Cookies | test.go:89:16:89:31 | selection of Value | provenance | Src:MaD:3 |
| test.go:99:11:99:15 | &... | test.go:100:16:100:21 | selection of s | provenance | Src:MaD:1 | | test.go:99:11:99:15 | &... [postupdate] | test.go:100:16:100:21 | selection of s | provenance | Src:MaD:1 |
| test.go:112:17:112:19 | definition of ctx | test.go:114:16:114:18 | ctx | provenance | | | test.go:113:2:113:4 | ctx [postupdate] | test.go:114:16:114:18 | ctx | provenance | |
| test.go:113:21:113:42 | call to Param | test.go:112:17:112:19 | definition of ctx | provenance | Src:MaD:8 MaD:14 | | test.go:113:21:113:42 | call to Param | test.go:113:2:113:4 | ctx [postupdate] | provenance | Src:MaD:8 MaD:14 |
| test.go:114:16:114:18 | ctx | test.go:114:16:114:33 | call to Get | provenance | MaD:13 | | test.go:114:16:114:18 | ctx | test.go:114:16:114:33 | call to Get | provenance | MaD:13 |
| test.go:114:16:114:33 | call to Get | test.go:114:16:114:42 | type assertion | provenance | | | test.go:114:16:114:33 | call to Get | test.go:114:16:114:42 | type assertion | provenance | |
| test.go:124:11:124:32 | call to Param | test.go:125:16:125:20 | param | provenance | Src:MaD:8 | | test.go:124:11:124:32 | call to Param | test.go:125:16:125:20 | param | provenance | Src:MaD:8 |
@@ -93,24 +93,24 @@ nodes
| test.go:57:2:57:46 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:57:2:57:46 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:58:2:58:29 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:58:2:58:29 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:58:13:58:22 | fileHeader | semmle.label | fileHeader | | test.go:58:13:58:22 | fileHeader | semmle.label | fileHeader |
| test.go:59:2:59:7 | definition of buffer | semmle.label | definition of buffer |
| test.go:60:2:60:5 | file | semmle.label | file | | test.go:60:2:60:5 | file | semmle.label | file |
| test.go:60:12:60:17 | buffer [postupdate] | semmle.label | buffer [postupdate] |
| test.go:61:20:61:25 | buffer | semmle.label | buffer | | test.go:61:20:61:25 | buffer | semmle.label | buffer |
| test.go:66:2:66:31 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:66:2:66:31 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:67:16:67:41 | index expression | semmle.label | index expression | | test.go:67:16:67:41 | index expression | semmle.label | index expression |
| test.go:72:2:72:31 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:72:2:72:31 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:74:2:74:29 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:74:2:74:29 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:74:13:74:22 | fileHeader | semmle.label | fileHeader | | test.go:74:13:74:22 | fileHeader | semmle.label | fileHeader |
| test.go:75:2:75:7 | definition of buffer | semmle.label | definition of buffer |
| test.go:76:2:76:5 | file | semmle.label | file | | test.go:76:2:76:5 | file | semmle.label | file |
| test.go:76:12:76:17 | buffer [postupdate] | semmle.label | buffer [postupdate] |
| test.go:77:20:77:25 | buffer | semmle.label | buffer | | test.go:77:20:77:25 | buffer | semmle.label | buffer |
| test.go:82:2:82:32 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:82:2:82:32 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:83:16:83:24 | selection of Value | semmle.label | selection of Value | | test.go:83:16:83:24 | selection of Value | semmle.label | selection of Value |
| test.go:88:13:88:25 | call to Cookies | semmle.label | call to Cookies | | test.go:88:13:88:25 | call to Cookies | semmle.label | call to Cookies |
| test.go:89:16:89:31 | selection of Value | semmle.label | selection of Value | | test.go:89:16:89:31 | selection of Value | semmle.label | selection of Value |
| test.go:99:11:99:15 | &... | semmle.label | &... | | test.go:99:11:99:15 | &... [postupdate] | semmle.label | &... [postupdate] |
| test.go:100:16:100:21 | selection of s | semmle.label | selection of s | | test.go:100:16:100:21 | selection of s | semmle.label | selection of s |
| test.go:112:17:112:19 | definition of ctx | semmle.label | definition of ctx | | test.go:113:2:113:4 | ctx [postupdate] | semmle.label | ctx [postupdate] |
| test.go:113:21:113:42 | call to Param | semmle.label | call to Param | | test.go:113:21:113:42 | call to Param | semmle.label | call to Param |
| test.go:114:16:114:18 | ctx | semmle.label | ctx | | test.go:114:16:114:18 | ctx | semmle.label | ctx |
| test.go:114:16:114:33 | call to Get | semmle.label | call to Get | | test.go:114:16:114:33 | call to Get | semmle.label | call to Get |


@@ -1,16 +1,16 @@
#select #select
| test.go:222:17:222:24 | filepath | test.go:221:15:221:38 | call to QueryParam | test.go:222:17:222:24 | filepath | This path depends on a $@. | test.go:221:15:221:38 | call to QueryParam | user-provided value | | test.go:225:17:225:24 | filepath | test.go:224:15:224:38 | call to QueryParam | test.go:225:17:225:24 | filepath | This path depends on a $@. | test.go:224:15:224:38 | call to QueryParam | user-provided value |
| test.go:226:23:226:30 | filepath | test.go:225:15:225:38 | call to QueryParam | test.go:226:23:226:30 | filepath | This path depends on a $@. | test.go:225:15:225:38 | call to QueryParam | user-provided value | | test.go:229:23:229:30 | filepath | test.go:228:15:228:38 | call to QueryParam | test.go:229:23:229:30 | filepath | This path depends on a $@. | test.go:228:15:228:38 | call to QueryParam | user-provided value |
edges edges
| test.go:221:15:221:38 | call to QueryParam | test.go:222:17:222:24 | filepath | provenance | Src:MaD:3 Sink:MaD:2 | | test.go:224:15:224:38 | call to QueryParam | test.go:225:17:225:24 | filepath | provenance | Src:MaD:3 Sink:MaD:2 |
| test.go:225:15:225:38 | call to QueryParam | test.go:226:23:226:30 | filepath | provenance | Src:MaD:3 Sink:MaD:1 | | test.go:228:15:228:38 | call to QueryParam | test.go:229:23:229:30 | filepath | provenance | Src:MaD:3 Sink:MaD:1 |
models models
| 1 | Sink: github.com/labstack/echo; Context; true; Attachment; ; ; Argument[0]; path-injection; manual | | 1 | Sink: github.com/labstack/echo; Context; true; Attachment; ; ; Argument[0]; path-injection; manual |
| 2 | Sink: github.com/labstack/echo; Context; true; File; ; ; Argument[0]; path-injection; manual | | 2 | Sink: github.com/labstack/echo; Context; true; File; ; ; Argument[0]; path-injection; manual |
| 3 | Source: github.com/labstack/echo; Context; true; QueryParam; ; ; ReturnValue[0]; remote; manual | | 3 | Source: github.com/labstack/echo; Context; true; QueryParam; ; ; ReturnValue[0]; remote; manual |
nodes nodes
| test.go:221:15:221:38 | call to QueryParam | semmle.label | call to QueryParam | | test.go:224:15:224:38 | call to QueryParam | semmle.label | call to QueryParam |
| test.go:222:17:222:24 | filepath | semmle.label | filepath | | test.go:225:17:225:24 | filepath | semmle.label | filepath |
| test.go:225:15:225:38 | call to QueryParam | semmle.label | call to QueryParam | | test.go:228:15:228:38 | call to QueryParam | semmle.label | call to QueryParam |
| test.go:226:23:226:30 | filepath | semmle.label | filepath | | test.go:229:23:229:30 | filepath | semmle.label | filepath |
subpaths subpaths


@@ -176,12 +176,15 @@ func testRedirect(ctx echo.Context) error {
func testLocalRedirects(ctx echo.Context) error { func testLocalRedirects(ctx echo.Context) error {
param := ctx.Param("someParam") param := ctx.Param("someParam")
param2 := param
param3 := param
// Gratuitous copy because sanitization of uses propagates to subsequent uses
// GOOD: local redirects are unproblematic // GOOD: local redirects are unproblematic
ctx.Redirect(301, "/local"+param) ctx.Redirect(301, "/local"+param)
// BAD: this could be a non-local redirect // BAD: this could be a non-local redirect
ctx.Redirect(301, "/"+param) ctx.Redirect(301, "/"+param2)
// GOOD: localhost redirects are unproblematic // GOOD: localhost redirects are unproblematic
ctx.Redirect(301, "//localhost/"+param) ctx.Redirect(301, "//localhost/"+param3)
return nil return nil
} }
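Review bot: The added comment `// Gratuitous copy because sanitization of uses propagates to subsequent uses` sits below `param3 := param` and does not name the use that does the sanitizing, so it is hard to see why `param2` and `param3` exist. I would move it above the two copies and spell out the cause, for example `// Copy param once per case: the "/local"+param use below is treated as sanitizing and would otherwise also clear the later uses of param.` (this reading is inferred from the changed expectations, where the alert moves to the `"/"+param2` line). The BAD case could also say why it is still reported, e.g. `// BAD: param2 may itself begin with "/", so the result can be a non-local redirect`. testLocalRedirects lies wholly inside this hunk.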


@@ -1,5 +1,5 @@
| mail.go:15:73:15:94 | type conversion | | mail.go:15:73:15:94 | type conversion |
| mail.go:18:19:18:23 | definition of write | | mail.go:20:17:20:21 | write [postupdate] |
| mail.go:26:49:26:52 | text | | mail.go:26:49:26:52 | text |
| mail.go:26:76:26:79 | text | | mail.go:26:76:26:79 | text |
| mail.go:27:20:27:23 | text | | mail.go:27:20:27:23 | text |


@@ -9,28 +9,28 @@ edges
| jsoniter.go:23:20:23:38 | call to getUntrustedBytes | jsoniter.go:31:21:31:34 | untrustedInput | provenance | | | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | jsoniter.go:31:21:31:34 | untrustedInput | provenance | |
| jsoniter.go:24:21:24:40 | call to getUntrustedString | jsoniter.go:35:27:35:41 | untrustedString | provenance | | | jsoniter.go:24:21:24:40 | call to getUntrustedString | jsoniter.go:35:27:35:41 | untrustedString | provenance | |
| jsoniter.go:24:21:24:40 | call to getUntrustedString | jsoniter.go:39:31:39:45 | untrustedString | provenance | | | jsoniter.go:24:21:24:40 | call to getUntrustedString | jsoniter.go:39:31:39:45 | untrustedString | provenance | |
| jsoniter.go:27:17:27:30 | untrustedInput | jsoniter.go:27:33:27:37 | &... | provenance | MaD:4 | | jsoniter.go:27:17:27:30 | untrustedInput | jsoniter.go:27:33:27:37 | &... [postupdate] | provenance | MaD:4 |
| jsoniter.go:27:33:27:37 | &... | jsoniter.go:28:15:28:24 | selection of field | provenance | Sink:MaD:1 | | jsoniter.go:27:33:27:37 | &... [postupdate] | jsoniter.go:28:15:28:24 | selection of field | provenance | Sink:MaD:1 |
| jsoniter.go:31:21:31:34 | untrustedInput | jsoniter.go:31:37:31:42 | &... | provenance | MaD:2 | | jsoniter.go:31:21:31:34 | untrustedInput | jsoniter.go:31:37:31:42 | &... [postupdate] | provenance | MaD:2 |
| jsoniter.go:31:37:31:42 | &... | jsoniter.go:32:15:32:25 | selection of field | provenance | Sink:MaD:1 | | jsoniter.go:31:37:31:42 | &... [postupdate] | jsoniter.go:32:15:32:25 | selection of field | provenance | Sink:MaD:1 |
| jsoniter.go:35:27:35:41 | untrustedString | jsoniter.go:35:44:35:49 | &... | provenance | MaD:5 | | jsoniter.go:35:27:35:41 | untrustedString | jsoniter.go:35:44:35:49 | &... [postupdate] | provenance | MaD:5 |
| jsoniter.go:35:44:35:49 | &... | jsoniter.go:36:15:36:25 | selection of field | provenance | Sink:MaD:1 | | jsoniter.go:35:44:35:49 | &... [postupdate] | jsoniter.go:36:15:36:25 | selection of field | provenance | Sink:MaD:1 |
| jsoniter.go:39:31:39:45 | untrustedString | jsoniter.go:39:48:39:53 | &... | provenance | MaD:3 | | jsoniter.go:39:31:39:45 | untrustedString | jsoniter.go:39:48:39:53 | &... [postupdate] | provenance | MaD:3 |
| jsoniter.go:39:48:39:53 | &... | jsoniter.go:40:15:40:25 | selection of field | provenance | Sink:MaD:1 | | jsoniter.go:39:48:39:53 | &... [postupdate] | jsoniter.go:40:15:40:25 | selection of field | provenance | Sink:MaD:1 |
nodes nodes
| jsoniter.go:23:20:23:38 | call to getUntrustedBytes | semmle.label | call to getUntrustedBytes | | jsoniter.go:23:20:23:38 | call to getUntrustedBytes | semmle.label | call to getUntrustedBytes |
| jsoniter.go:24:21:24:40 | call to getUntrustedString | semmle.label | call to getUntrustedString | | jsoniter.go:24:21:24:40 | call to getUntrustedString | semmle.label | call to getUntrustedString |
| jsoniter.go:27:17:27:30 | untrustedInput | semmle.label | untrustedInput | | jsoniter.go:27:17:27:30 | untrustedInput | semmle.label | untrustedInput |
| jsoniter.go:27:33:27:37 | &... | semmle.label | &... | | jsoniter.go:27:33:27:37 | &... [postupdate] | semmle.label | &... [postupdate] |
| jsoniter.go:28:15:28:24 | selection of field | semmle.label | selection of field | | jsoniter.go:28:15:28:24 | selection of field | semmle.label | selection of field |
| jsoniter.go:31:21:31:34 | untrustedInput | semmle.label | untrustedInput | | jsoniter.go:31:21:31:34 | untrustedInput | semmle.label | untrustedInput |
| jsoniter.go:31:37:31:42 | &... | semmle.label | &... | | jsoniter.go:31:37:31:42 | &... [postupdate] | semmle.label | &... [postupdate] |
| jsoniter.go:32:15:32:25 | selection of field | semmle.label | selection of field | | jsoniter.go:32:15:32:25 | selection of field | semmle.label | selection of field |
| jsoniter.go:35:27:35:41 | untrustedString | semmle.label | untrustedString | | jsoniter.go:35:27:35:41 | untrustedString | semmle.label | untrustedString |
| jsoniter.go:35:44:35:49 | &... | semmle.label | &... | | jsoniter.go:35:44:35:49 | &... [postupdate] | semmle.label | &... [postupdate] |
| jsoniter.go:36:15:36:25 | selection of field | semmle.label | selection of field | | jsoniter.go:36:15:36:25 | selection of field | semmle.label | selection of field |
| jsoniter.go:39:31:39:45 | untrustedString | semmle.label | untrustedString | | jsoniter.go:39:31:39:45 | untrustedString | semmle.label | untrustedString |
| jsoniter.go:39:48:39:53 | &... | semmle.label | &... | | jsoniter.go:39:48:39:53 | &... [postupdate] | semmle.label | &... [postupdate] |
| jsoniter.go:40:15:40:25 | selection of field | semmle.label | selection of field | | jsoniter.go:40:15:40:25 | selection of field | semmle.label | selection of field |
subpaths subpaths
invalidModelRow invalidModelRow


@@ -169,10 +169,10 @@ func fasthttpServer() {
fmt.Println(body1, body2, body3, body4) fmt.Println(body1, body2, body3, body4)
requestCtx.Request.BodyStream() // $ RemoteFlowSource="call to BodyStream" requestCtx.Request.BodyStream() // $ RemoteFlowSource="call to BodyStream"
requestCtx.Request.ReadBody(&bufio.Reader{}, 100, 1000) // $ RemoteFlowSource="&..." requestCtx.Request.ReadBody(&bufio.Reader{}, 100, 1000) // $ RemoteFlowSource="&..." RemoteFlowSource="&... [postupdate]"
requestCtx.Request.ReadLimitBody(&bufio.Reader{}, 100) // $ RemoteFlowSource="&..." requestCtx.Request.ReadLimitBody(&bufio.Reader{}, 100) // $ RemoteFlowSource="&..." RemoteFlowSource="&... [postupdate]"
requestCtx.Request.ContinueReadBodyStream(&bufio.Reader{}, 100, true) // $ RemoteFlowSource="&..." requestCtx.Request.ContinueReadBodyStream(&bufio.Reader{}, 100, true) // $ RemoteFlowSource="&..." RemoteFlowSource="&... [postupdate]"
requestCtx.Request.ContinueReadBody(&bufio.Reader{}, 100) // $ RemoteFlowSource="&..." requestCtx.Request.ContinueReadBody(&bufio.Reader{}, 100) // $ RemoteFlowSource="&..." RemoteFlowSource="&... [postupdate]"
// Response methods // Response methods
// Xss Sinks Related method // Xss Sinks Related method
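Review bot: The four body-reading calls (`ReadBody`, `ReadLimitBody`, `ContinueReadBodyStream`, `ContinueReadBody`) now expect both `RemoteFlowSource="&..."` and `RemoteFlowSource="&... [postupdate]"`, whereas the other expected outputs on this page replace the `&...` source with the `[postupdate]` node. If the pre-call argument node is still reported as a source, this looks like a leftover: only the value after the call can hold request data, and two sources per argument may duplicate alert paths. Either drop the old expectation once the model targets the post-update node only, or add a comment such as `// both the argument and its post-update node are currently sources` so the duplication is visibly intentional. `fasthttpServer` begins and continues outside this hunk.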


@@ -31,39 +31,39 @@
| Gin.go:158:10:158:19 | selection of Params | | Gin.go:158:10:158:19 | selection of Params |
| Gin.go:162:13:162:22 | selection of Params | | Gin.go:162:13:162:22 | selection of Params |
| Gin.go:168:12:168:21 | selection of Params | | Gin.go:168:12:168:21 | selection of Params |
| Gin.go:178:16:178:22 | &... | | Gin.go:178:16:178:22 | &... [postupdate] |
| Gin.go:182:7:182:19 | definition of personPointer | | Gin.go:183:16:183:28 | personPointer [postupdate] |
| Gin.go:188:15:188:21 | &... | | Gin.go:188:15:188:21 | &... [postupdate] |
| Gin.go:192:7:192:19 | definition of personPointer | | Gin.go:193:15:193:27 | personPointer [postupdate] |
| Gin.go:198:16:198:22 | &... | | Gin.go:198:16:198:22 | &... [postupdate] |
| Gin.go:202:7:202:19 | definition of personPointer | | Gin.go:203:16:203:28 | personPointer [postupdate] |
| Gin.go:208:15:208:21 | &... | | Gin.go:208:15:208:21 | &... [postupdate] |
| Gin.go:212:7:212:19 | definition of personPointer | | Gin.go:213:15:213:27 | personPointer [postupdate] |
| Gin.go:218:17:218:23 | &... | | Gin.go:218:17:218:23 | &... [postupdate] |
| Gin.go:222:7:222:19 | definition of personPointer | | Gin.go:223:17:223:29 | personPointer [postupdate] |
| Gin.go:228:20:228:26 | &... | | Gin.go:228:20:228:26 | &... [postupdate] |
| Gin.go:232:7:232:19 | definition of personPointer | | Gin.go:233:20:233:32 | personPointer [postupdate] |
| Gin.go:238:16:238:22 | &... | | Gin.go:238:16:238:22 | &... [postupdate] |
| Gin.go:242:7:242:19 | definition of personPointer | | Gin.go:243:16:243:28 | personPointer [postupdate] |
| Gin.go:248:12:248:18 | &... | | Gin.go:248:12:248:18 | &... [postupdate] |
| Gin.go:252:7:252:19 | definition of personPointer | | Gin.go:253:12:253:24 | personPointer [postupdate] |
| Gin.go:258:18:258:24 | &... | | Gin.go:258:18:258:24 | &... [postupdate] |
| Gin.go:262:7:262:19 | definition of personPointer | | Gin.go:263:18:263:30 | personPointer [postupdate] |
| Gin.go:268:26:268:32 | &... | | Gin.go:268:26:268:32 | &... [postupdate] |
| Gin.go:272:7:272:19 | definition of personPointer | | Gin.go:273:26:273:38 | personPointer [postupdate] |
| Gin.go:278:22:278:28 | &... | | Gin.go:278:22:278:28 | &... [postupdate] |
| Gin.go:282:7:282:19 | definition of personPointer | | Gin.go:283:22:283:34 | personPointer [postupdate] |
| Gin.go:288:23:288:29 | &... | | Gin.go:288:23:288:29 | &... [postupdate] |
| Gin.go:292:7:292:19 | definition of personPointer | | Gin.go:293:23:293:35 | personPointer [postupdate] |
| Gin.go:298:21:298:27 | &... | | Gin.go:298:21:298:27 | &... [postupdate] |
| Gin.go:302:7:302:19 | definition of personPointer | | Gin.go:303:21:303:33 | personPointer [postupdate] |
| Gin.go:308:22:308:28 | &... | | Gin.go:308:22:308:28 | &... [postupdate] |
| Gin.go:312:7:312:19 | definition of personPointer | | Gin.go:313:22:313:34 | personPointer [postupdate] |
| Gin.go:318:21:318:27 | &... | | Gin.go:318:21:318:27 | &... [postupdate] |
| Gin.go:322:7:322:19 | definition of personPointer | | Gin.go:323:21:323:33 | personPointer [postupdate] |
| Gin.go:328:22:328:28 | &... | | Gin.go:328:22:328:28 | &... [postupdate] |
| Gin.go:332:7:332:19 | definition of personPointer | | Gin.go:333:22:333:34 | personPointer [postupdate] |
| Gin.go:338:18:338:24 | &... | | Gin.go:338:18:338:24 | &... [postupdate] |
| Gin.go:342:7:342:19 | definition of personPointer | | Gin.go:343:18:343:30 | personPointer [postupdate] |
| Gin.go:348:24:348:30 | &... | | Gin.go:348:24:348:30 | &... [postupdate] |
| Gin.go:352:7:352:19 | definition of personPointer | | Gin.go:353:24:353:36 | personPointer [postupdate] |


@@ -1,26 +1,8 @@
edges edges
| main.go:18:46:18:48 | definition of req | main.go:18:46:18:48 | definition of req [Return] | provenance | |
| main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | provenance | | | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | provenance | |
| main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | provenance | |
| main.go:18:46:18:48 | definition of req [Return] | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in [Return] | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:86:37:86:38 | in | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | proto/Hello.pb.micro.go:86:37:86:38 | in | provenance | |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in [Return] | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | main.go:18:46:18:48 | definition of req | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | main.go:18:46:18:48 | definition of req | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
| proto/Hello.pb.micro.go:86:37:86:38 | in | proto/Hello.pb.micro.go:85:53:85:54 | definition of in | provenance | |
nodes nodes
| main.go:18:46:18:48 | definition of req | semmle.label | definition of req | | main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
| main.go:18:46:18:48 | definition of req | semmle.label | definition of req |
| main.go:18:46:18:48 | definition of req [Return] | semmle.label | definition of req [Return] |
| main.go:21:28:21:31 | name | semmle.label | name | | main.go:21:28:21:31 | name | semmle.label | name |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | semmle.label | definition of in |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in | semmle.label | definition of in |
| proto/Hello.pb.micro.go:85:53:85:54 | definition of in [Return] | semmle.label | definition of in [Return] |
| proto/Hello.pb.micro.go:86:37:86:38 | in | semmle.label | in |
| proto/Hello.pb.micro.go:86:37:86:38 | in | semmle.label | in |
subpaths subpaths
#select #select
| main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value | | main.go:21:28:21:31 | name | main.go:18:46:18:48 | definition of req | main.go:21:28:21:31 | name | This log entry depends on a $@. | main.go:18:46:18:48 | definition of req | user-provided value |


@@ -8,11 +8,11 @@ edges
| gorestful.go:15:15:15:44 | call to QueryParameters | gorestful.go:15:15:15:47 | index expression | provenance | Src:MaD:4 Sink:MaD:1 | | gorestful.go:15:15:15:44 | call to QueryParameters | gorestful.go:15:15:15:47 | index expression | provenance | Src:MaD:4 Sink:MaD:1 |
| gorestful.go:17:2:17:39 | ... := ...[0] | gorestful.go:18:15:18:17 | val | provenance | Src:MaD:2 Sink:MaD:1 | | gorestful.go:17:2:17:39 | ... := ...[0] | gorestful.go:18:15:18:17 | val | provenance | Src:MaD:2 Sink:MaD:1 |
| gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression | provenance | Src:MaD:3 Sink:MaD:1 | | gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression | provenance | Src:MaD:3 Sink:MaD:1 |
| gorestful.go:23:21:23:24 | &... | gorestful.go:24:15:24:21 | selection of cmd | provenance | Src:MaD:5 Sink:MaD:1 | | gorestful.go:23:21:23:24 | &... [postupdate] | gorestful.go:24:15:24:21 | selection of cmd | provenance | Src:MaD:5 Sink:MaD:1 |
| gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression | provenance | Src:MaD:4 Sink:MaD:1 | | gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression | provenance | Src:MaD:4 Sink:MaD:1 |
| gorestful_v2.go:17:2:17:39 | ... := ...[0] | gorestful_v2.go:18:15:18:17 | val | provenance | Src:MaD:2 Sink:MaD:1 | | gorestful_v2.go:17:2:17:39 | ... := ...[0] | gorestful_v2.go:18:15:18:17 | val | provenance | Src:MaD:2 Sink:MaD:1 |
| gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression | provenance | Src:MaD:3 Sink:MaD:1 | | gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression | provenance | Src:MaD:3 Sink:MaD:1 |
| gorestful_v2.go:23:21:23:24 | &... | gorestful_v2.go:24:15:24:21 | selection of cmd | provenance | Src:MaD:5 Sink:MaD:1 | | gorestful_v2.go:23:21:23:24 | &... [postupdate] | gorestful_v2.go:24:15:24:21 | selection of cmd | provenance | Src:MaD:5 Sink:MaD:1 |
nodes nodes
| gorestful.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters | | gorestful.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters |
| gorestful.go:15:15:15:47 | index expression | semmle.label | index expression | | gorestful.go:15:15:15:47 | index expression | semmle.label | index expression |
@@ -23,7 +23,7 @@ nodes
| gorestful.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter | | gorestful.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter |
| gorestful.go:21:15:21:38 | call to PathParameters | semmle.label | call to PathParameters | | gorestful.go:21:15:21:38 | call to PathParameters | semmle.label | call to PathParameters |
| gorestful.go:21:15:21:45 | index expression | semmle.label | index expression | | gorestful.go:21:15:21:45 | index expression | semmle.label | index expression |
| gorestful.go:23:21:23:24 | &... | semmle.label | &... | | gorestful.go:23:21:23:24 | &... [postupdate] | semmle.label | &... [postupdate] |
| gorestful.go:24:15:24:21 | selection of cmd | semmle.label | selection of cmd | | gorestful.go:24:15:24:21 | selection of cmd | semmle.label | selection of cmd |
| gorestful_v2.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters | | gorestful_v2.go:15:15:15:44 | call to QueryParameters | semmle.label | call to QueryParameters |
| gorestful_v2.go:15:15:15:47 | index expression | semmle.label | index expression | | gorestful_v2.go:15:15:15:47 | index expression | semmle.label | index expression |
@@ -34,7 +34,7 @@ nodes
| gorestful_v2.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter | | gorestful_v2.go:20:15:20:42 | call to PathParameter | semmle.label | call to PathParameter |
| gorestful_v2.go:21:15:21:38 | call to PathParameters | semmle.label | call to PathParameters | | gorestful_v2.go:21:15:21:38 | call to PathParameters | semmle.label | call to PathParameters |
| gorestful_v2.go:21:15:21:45 | index expression | semmle.label | index expression | | gorestful_v2.go:21:15:21:45 | index expression | semmle.label | index expression |
| gorestful_v2.go:23:21:23:24 | &... | semmle.label | &... | | gorestful_v2.go:23:21:23:24 | &... [postupdate] | semmle.label | &... [postupdate] |
| gorestful_v2.go:24:15:24:21 | selection of cmd | semmle.label | selection of cmd | | gorestful_v2.go:24:15:24:21 | selection of cmd | semmle.label | selection of cmd |
subpaths subpaths
invalidModelRow invalidModelRow
@@ -45,11 +45,11 @@ invalidModelRow
| gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:19:15:19:44 | call to HeaderParameter | a user-provided value | | gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | gorestful.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful.go:19:15:19:44 | call to HeaderParameter | a user-provided value |
| gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful.go:20:15:20:42 | call to PathParameter | a user-provided value | | gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | gorestful.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful.go:20:15:20:42 | call to PathParameter | a user-provided value |
| gorestful.go:21:15:21:45 | index expression | gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression | This command depends on $@. | gorestful.go:21:15:21:38 | call to PathParameters | a user-provided value | | gorestful.go:21:15:21:45 | index expression | gorestful.go:21:15:21:38 | call to PathParameters | gorestful.go:21:15:21:45 | index expression | This command depends on $@. | gorestful.go:21:15:21:38 | call to PathParameters | a user-provided value |
| gorestful.go:24:15:24:21 | selection of cmd | gorestful.go:23:21:23:24 | &... | gorestful.go:24:15:24:21 | selection of cmd | This command depends on $@. | gorestful.go:23:21:23:24 | &... | a user-provided value | | gorestful.go:24:15:24:21 | selection of cmd | gorestful.go:23:21:23:24 | &... [postupdate] | gorestful.go:24:15:24:21 | selection of cmd | This command depends on $@. | gorestful.go:23:21:23:24 | &... [postupdate] | a user-provided value |
| gorestful_v2.go:15:15:15:47 | index expression | gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression | This command depends on $@. | gorestful_v2.go:15:15:15:44 | call to QueryParameters | a user-provided value | | gorestful_v2.go:15:15:15:47 | index expression | gorestful_v2.go:15:15:15:44 | call to QueryParameters | gorestful_v2.go:15:15:15:47 | index expression | This command depends on $@. | gorestful_v2.go:15:15:15:44 | call to QueryParameters | a user-provided value |
| gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:16:15:16:43 | call to QueryParameter | a user-provided value | | gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | gorestful_v2.go:16:15:16:43 | call to QueryParameter | This command depends on $@. | gorestful_v2.go:16:15:16:43 | call to QueryParameter | a user-provided value |
| gorestful_v2.go:18:15:18:17 | val | gorestful_v2.go:17:2:17:39 | ... := ...[0] | gorestful_v2.go:18:15:18:17 | val | This command depends on $@. | gorestful_v2.go:17:2:17:39 | ... := ...[0] | a user-provided value | | gorestful_v2.go:18:15:18:17 | val | gorestful_v2.go:17:2:17:39 | ... := ...[0] | gorestful_v2.go:18:15:18:17 | val | This command depends on $@. | gorestful_v2.go:17:2:17:39 | ... := ...[0] | a user-provided value |
| gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | a user-provided value | | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | This command depends on $@. | gorestful_v2.go:19:15:19:44 | call to HeaderParameter | a user-provided value |
| gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:20:15:20:42 | call to PathParameter | a user-provided value | | gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | gorestful_v2.go:20:15:20:42 | call to PathParameter | This command depends on $@. | gorestful_v2.go:20:15:20:42 | call to PathParameter | a user-provided value |
| gorestful_v2.go:21:15:21:45 | index expression | gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression | This command depends on $@. | gorestful_v2.go:21:15:21:38 | call to PathParameters | a user-provided value | | gorestful_v2.go:21:15:21:45 | index expression | gorestful_v2.go:21:15:21:38 | call to PathParameters | gorestful_v2.go:21:15:21:45 | index expression | This command depends on $@. | gorestful_v2.go:21:15:21:38 | call to PathParameters | a user-provided value |
| gorestful_v2.go:24:15:24:21 | selection of cmd | gorestful_v2.go:23:21:23:24 | &... | gorestful_v2.go:24:15:24:21 | selection of cmd | This command depends on $@. | gorestful_v2.go:23:21:23:24 | &... | a user-provided value | | gorestful_v2.go:24:15:24:21 | selection of cmd | gorestful_v2.go:23:21:23:24 | &... [postupdate] | gorestful_v2.go:24:15:24:21 | selection of cmd | This command depends on $@. | gorestful_v2.go:23:21:23:24 | &... [postupdate] | a user-provided value |


@@ -1,10 +1,11 @@
#select #select
| EndToEnd.go:94:20:94:49 | call to Get | EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:49 | call to Get | This path to an untrusted URL redirection depends on a $@. | EndToEnd.go:94:20:94:27 | selection of Params | user-provided value | | EndToEnd.go:94:20:94:49 | call to Get | EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:49 | call to Get | This path to an untrusted URL redirection depends on a $@. | EndToEnd.go:94:20:94:27 | selection of Params | user-provided value |
edges edges
| EndToEnd.go:94:20:94:27 | implicit dereference | EndToEnd.go:94:20:94:27 | selection of Params | provenance | Config | | EndToEnd.go:94:20:94:27 | implicit dereference | EndToEnd.go:94:20:94:27 | selection of Params [postupdate] | provenance | Config |
| EndToEnd.go:94:20:94:27 | implicit dereference | EndToEnd.go:94:20:94:32 | selection of Form | provenance | Config | | EndToEnd.go:94:20:94:27 | implicit dereference | EndToEnd.go:94:20:94:32 | selection of Form | provenance | Config |
| EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:27 | implicit dereference | provenance | Src:MaD:2 Config | | EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:27 | implicit dereference | provenance | Src:MaD:2 Config |
| EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:32 | selection of Form | provenance | Src:MaD:2 Config | | EndToEnd.go:94:20:94:27 | selection of Params | EndToEnd.go:94:20:94:32 | selection of Form | provenance | Src:MaD:2 Config |
| EndToEnd.go:94:20:94:27 | selection of Params [postupdate] | EndToEnd.go:94:20:94:27 | implicit dereference | provenance | Config |
| EndToEnd.go:94:20:94:32 | selection of Form | EndToEnd.go:94:20:94:49 | call to Get | provenance | Config Sink:MaD:1 | | EndToEnd.go:94:20:94:32 | selection of Form | EndToEnd.go:94:20:94:49 | call to Get | provenance | Config Sink:MaD:1 |
models models
| 1 | Sink: group:revel; Controller; true; Redirect; ; ; Argument[0]; url-redirection; manual | | 1 | Sink: group:revel; Controller; true; Redirect; ; ; Argument[0]; url-redirection; manual |
@@ -12,6 +13,7 @@ models
nodes nodes
| EndToEnd.go:94:20:94:27 | implicit dereference | semmle.label | implicit dereference | | EndToEnd.go:94:20:94:27 | implicit dereference | semmle.label | implicit dereference |
| EndToEnd.go:94:20:94:27 | selection of Params | semmle.label | selection of Params | | EndToEnd.go:94:20:94:27 | selection of Params | semmle.label | selection of Params |
| EndToEnd.go:94:20:94:27 | selection of Params [postupdate] | semmle.label | selection of Params [postupdate] |
| EndToEnd.go:94:20:94:32 | selection of Form | semmle.label | selection of Form | | EndToEnd.go:94:20:94:32 | selection of Form | semmle.label | selection of Form |
| EndToEnd.go:94:20:94:49 | call to Get | semmle.label | call to Get | | EndToEnd.go:94:20:94:49 | call to Get | semmle.label | call to Get |
subpaths subpaths


@@ -5,10 +5,10 @@
| examples/booking/app/init.go:36:44:36:53 | selection of Path | examples/booking/app/init.go:36:44:36:48 | selection of URL | examples/booking/app/init.go:36:44:36:53 | selection of Path | Cross-site scripting vulnerability due to $@. | examples/booking/app/init.go:36:44:36:48 | selection of URL | user-provided value | examples/booking/app/init.go:0:0:0:0 | examples/booking/app/init.go | | | examples/booking/app/init.go:36:44:36:53 | selection of Path | examples/booking/app/init.go:36:44:36:48 | selection of URL | examples/booking/app/init.go:36:44:36:53 | selection of Path | Cross-site scripting vulnerability due to $@. | examples/booking/app/init.go:36:44:36:48 | selection of URL | user-provided value | examples/booking/app/init.go:0:0:0:0 | examples/booking/app/init.go | |
| examples/booking/app/init.go:40:49:40:58 | selection of Path | examples/booking/app/init.go:40:49:40:53 | selection of URL | examples/booking/app/init.go:40:49:40:58 | selection of Path | Cross-site scripting vulnerability due to $@. | examples/booking/app/init.go:40:49:40:53 | selection of URL | user-provided value | examples/booking/app/init.go:0:0:0:0 | examples/booking/app/init.go | | | examples/booking/app/init.go:40:49:40:58 | selection of Path | examples/booking/app/init.go:40:49:40:53 | selection of URL | examples/booking/app/init.go:40:49:40:58 | selection of Path | Cross-site scripting vulnerability due to $@. | examples/booking/app/init.go:40:49:40:53 | selection of URL | user-provided value | examples/booking/app/init.go:0:0:0:0 | examples/booking/app/init.go | |
edges edges
| EndToEnd.go:35:2:35:4 | definition of buf | EndToEnd.go:37:24:37:26 | buf | provenance | | | EndToEnd.go:36:2:36:4 | buf [postupdate] | EndToEnd.go:37:24:37:26 | buf | provenance | |
| EndToEnd.go:36:18:36:25 | selection of Params | EndToEnd.go:36:18:36:30 | selection of Form | provenance | Src:MaD:1 | | EndToEnd.go:36:18:36:25 | selection of Params | EndToEnd.go:36:18:36:30 | selection of Form | provenance | Src:MaD:1 |
| EndToEnd.go:36:18:36:30 | selection of Form | EndToEnd.go:36:18:36:47 | call to Get | provenance | MaD:4 | | EndToEnd.go:36:18:36:30 | selection of Form | EndToEnd.go:36:18:36:47 | call to Get | provenance | MaD:4 |
| EndToEnd.go:36:18:36:47 | call to Get | EndToEnd.go:35:2:35:4 | definition of buf | provenance | MaD:3 | | EndToEnd.go:36:18:36:47 | call to Get | EndToEnd.go:36:2:36:4 | buf [postupdate] | provenance | MaD:3 |
| EndToEnd.go:69:22:69:29 | selection of Params | EndToEnd.go:69:22:69:34 | selection of Form | provenance | Src:MaD:1 | | EndToEnd.go:69:22:69:29 | selection of Params | EndToEnd.go:69:22:69:34 | selection of Form | provenance | Src:MaD:1 |
| EndToEnd.go:69:22:69:34 | selection of Form | EndToEnd.go:69:22:69:51 | call to Get | provenance | MaD:4 | | EndToEnd.go:69:22:69:34 | selection of Form | EndToEnd.go:69:22:69:51 | call to Get | provenance | MaD:4 |
| Revel.go:70:22:70:29 | selection of Params | Revel.go:70:22:70:35 | selection of Query | provenance | Src:MaD:1 | | Revel.go:70:22:70:29 | selection of Params | Revel.go:70:22:70:35 | selection of Query | provenance | Src:MaD:1 |
@@ -20,7 +20,7 @@ models
| 3 | Summary: io; StringWriter; true; WriteString; ; ; Argument[0]; Argument[receiver]; taint; manual | | 3 | Summary: io; StringWriter; true; WriteString; ; ; Argument[0]; Argument[receiver]; taint; manual |
| 4 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual | | 4 | Summary: net/url; Values; true; Get; ; ; Argument[receiver]; ReturnValue; taint; manual |
nodes nodes
| EndToEnd.go:35:2:35:4 | definition of buf | semmle.label | definition of buf | | EndToEnd.go:36:2:36:4 | buf [postupdate] | semmle.label | buf [postupdate] |
| EndToEnd.go:36:18:36:25 | selection of Params | semmle.label | selection of Params | | EndToEnd.go:36:18:36:25 | selection of Params | semmle.label | selection of Params |
| EndToEnd.go:36:18:36:30 | selection of Form | semmle.label | selection of Form | | EndToEnd.go:36:18:36:30 | selection of Form | semmle.label | selection of Form |
| EndToEnd.go:36:18:36:47 | call to Get | semmle.label | call to Get | | EndToEnd.go:36:18:36:47 | call to Get | semmle.label | call to Get |


@@ -8,64 +8,76 @@ invalidModelRow
| crypto.go:11:18:11:57 | call to Open | crypto.go:11:2:11:57 | ... := ...[1] | | crypto.go:11:18:11:57 | call to Open | crypto.go:11:2:11:57 | ... := ...[1] |
| crypto.go:11:42:11:51 | ciphertext | crypto.go:11:2:11:57 | ... := ...[0] | | crypto.go:11:42:11:51 | ciphertext | crypto.go:11:2:11:57 | ... := ...[0] |
| io.go:14:31:14:43 | "some string" | io.go:14:13:14:44 | call to NewReader | | io.go:14:31:14:43 | "some string" | io.go:14:13:14:44 | call to NewReader |
| io.go:16:3:16:3 | definition of w | io.go:16:23:16:27 | &... | | io.go:16:23:16:27 | &... | io.go:16:24:16:27 | buf1 [postupdate] |
| io.go:16:3:16:3 | definition of w | io.go:16:30:16:34 | &... | | io.go:16:23:16:27 | &... [postupdate] | io.go:16:24:16:27 | buf1 [postupdate] |
| io.go:16:23:16:27 | &... | io.go:15:7:15:10 | definition of buf1 |
| io.go:16:24:16:27 | buf1 | io.go:16:23:16:27 | &... | | io.go:16:24:16:27 | buf1 | io.go:16:23:16:27 | &... |
| io.go:16:30:16:34 | &... | io.go:15:13:15:16 | definition of buf2 | | io.go:16:24:16:27 | buf1 [postupdate] | io.go:16:23:16:27 | &... |
| io.go:16:30:16:34 | &... | io.go:16:31:16:34 | buf2 [postupdate] |
| io.go:16:30:16:34 | &... [postupdate] | io.go:16:31:16:34 | buf2 [postupdate] |
| io.go:16:31:16:34 | buf2 | io.go:16:30:16:34 | &... | | io.go:16:31:16:34 | buf2 | io.go:16:30:16:34 | &... |
| io.go:18:14:18:19 | reader | io.go:16:3:16:3 | definition of w | | io.go:16:31:16:34 | buf2 [postupdate] | io.go:16:30:16:34 | &... |
| io.go:18:11:18:11 | w [postupdate] | io.go:16:23:16:27 | &... [postupdate] |
| io.go:18:11:18:11 | w [postupdate] | io.go:16:30:16:34 | &... [postupdate] |
| io.go:18:14:18:19 | reader | io.go:18:11:18:11 | w [postupdate] |
| io.go:22:31:22:43 | "some string" | io.go:22:13:22:44 | call to NewReader | | io.go:22:31:22:43 | "some string" | io.go:22:13:22:44 | call to NewReader |
| io.go:25:19:25:23 | &... | io.go:23:7:23:10 | definition of buf1 | | io.go:25:19:25:23 | &... | io.go:25:20:25:23 | buf1 [postupdate] |
| io.go:25:19:25:23 | &... [postupdate] | io.go:25:20:25:23 | buf1 [postupdate] |
| io.go:25:20:25:23 | buf1 | io.go:25:19:25:23 | &... | | io.go:25:20:25:23 | buf1 | io.go:25:19:25:23 | &... |
| io.go:27:21:27:26 | reader | io.go:25:3:25:4 | definition of w2 | | io.go:25:20:25:23 | buf1 [postupdate] | io.go:25:19:25:23 | &... |
| io.go:27:21:27:26 | reader | io.go:27:17:27:18 | w2 [postupdate] |
| io.go:31:31:31:43 | "some string" | io.go:31:13:31:44 | call to NewReader | | io.go:31:31:31:43 | "some string" | io.go:31:13:31:44 | call to NewReader |
| io.go:33:19:33:23 | &... | io.go:32:7:32:10 | definition of buf1 | | io.go:33:19:33:23 | &... | io.go:33:20:33:23 | buf1 [postupdate] |
| io.go:33:19:33:23 | &... [postupdate] | io.go:33:20:33:23 | buf1 [postupdate] |
| io.go:33:20:33:23 | buf1 | io.go:33:19:33:23 | &... | | io.go:33:20:33:23 | buf1 | io.go:33:19:33:23 | &... |
| io.go:35:16:35:21 | reader | io.go:33:3:33:4 | definition of w2 | | io.go:33:20:33:23 | buf1 [postupdate] | io.go:33:19:33:23 | &... |
| io.go:39:6:39:6 | definition of w | io.go:39:3:39:19 | ... := ...[0] | | io.go:35:16:35:21 | reader | io.go:35:12:35:13 | w2 [postupdate] |
| io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[0] | | io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[0] |
| io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[1] | | io.go:39:11:39:19 | call to Pipe | io.go:39:3:39:19 | ... := ...[1] |
| io.go:40:17:40:31 | "some string\\n" | io.go:39:6:39:6 | definition of w | | io.go:40:14:40:14 | w [postupdate] | io.go:39:3:39:19 | ... := ...[0] |
| io.go:43:16:43:16 | r | io.go:42:3:42:5 | definition of buf | | io.go:40:17:40:31 | "some string\\n" | io.go:40:14:40:14 | w [postupdate] |
| io.go:43:16:43:16 | r | io.go:43:3:43:5 | buf [postupdate] |
| io.go:44:13:44:15 | buf | io.go:44:13:44:24 | call to String | | io.go:44:13:44:15 | buf | io.go:44:13:44:24 | call to String |
| io.go:48:31:48:43 | "some string" | io.go:48:13:48:44 | call to NewReader | | io.go:48:31:48:43 | "some string" | io.go:48:13:48:44 | call to NewReader |
| io.go:50:18:50:23 | reader | io.go:49:3:49:5 | definition of buf | | io.go:50:18:50:23 | reader | io.go:50:26:50:28 | buf [postupdate] |
| io.go:54:31:54:43 | "some string" | io.go:54:13:54:44 | call to NewReader | | io.go:54:31:54:43 | "some string" | io.go:54:13:54:44 | call to NewReader |
| io.go:56:15:56:20 | reader | io.go:55:3:55:5 | definition of buf | | io.go:56:15:56:20 | reader | io.go:56:23:56:25 | buf [postupdate] |
| io.go:61:18:61:21 | &... | io.go:60:7:60:9 | definition of buf | | io.go:61:18:61:21 | &... | io.go:61:19:61:21 | buf [postupdate] |
| io.go:61:18:61:21 | &... [postupdate] | io.go:61:19:61:21 | buf [postupdate] |
| io.go:61:19:61:21 | buf | io.go:61:18:61:21 | &... | | io.go:61:19:61:21 | buf | io.go:61:18:61:21 | &... |
| io.go:62:21:62:26 | "test" | io.go:61:3:61:3 | definition of w | | io.go:61:19:61:21 | buf [postupdate] | io.go:61:18:61:21 | &... |
| io.go:62:21:62:26 | "test" | io.go:62:18:62:18 | w [postupdate] |
| io.go:65:31:65:43 | "some string" | io.go:65:13:65:44 | call to NewReader | | io.go:65:31:65:43 | "some string" | io.go:65:13:65:44 | call to NewReader |
| io.go:67:3:67:8 | reader | io.go:66:3:66:5 | definition of buf | | io.go:67:3:67:8 | reader | io.go:67:15:67:17 | buf [postupdate] |
| io.go:70:31:70:43 | "some string" | io.go:70:13:70:44 | call to NewReader | | io.go:70:31:70:43 | "some string" | io.go:70:13:70:44 | call to NewReader |
| io.go:72:3:72:8 | reader | io.go:71:3:71:5 | definition of buf | | io.go:72:3:72:8 | reader | io.go:72:17:72:19 | buf [postupdate] |
| io.go:76:31:76:43 | "some string" | io.go:76:13:76:44 | call to NewReader | | io.go:76:31:76:43 | "some string" | io.go:76:13:76:44 | call to NewReader |
| io.go:77:24:77:29 | reader | io.go:77:9:77:33 | call to LimitReader | | io.go:77:24:77:29 | reader | io.go:77:9:77:33 | call to LimitReader |
| io.go:78:22:78:23 | lr | io.go:78:11:78:19 | selection of Stdout | | io.go:78:22:78:23 | lr | io.go:78:11:78:19 | selection of Stdout [postupdate] |
| io.go:82:27:82:36 | "reader1 " | io.go:82:9:82:37 | call to NewReader | | io.go:82:27:82:36 | "reader1 " | io.go:82:9:82:37 | call to NewReader |
| io.go:83:27:83:36 | "reader2 " | io.go:83:9:83:37 | call to NewReader | | io.go:83:27:83:36 | "reader2 " | io.go:83:9:83:37 | call to NewReader |
| io.go:84:27:84:35 | "reader3" | io.go:84:9:84:36 | call to NewReader | | io.go:84:27:84:35 | "reader3" | io.go:84:9:84:36 | call to NewReader |
| io.go:85:23:85:24 | r1 | io.go:85:8:85:33 | call to MultiReader | | io.go:85:23:85:24 | r1 | io.go:85:8:85:33 | call to MultiReader |
| io.go:85:27:85:28 | r2 | io.go:85:8:85:33 | call to MultiReader | | io.go:85:27:85:28 | r2 | io.go:85:8:85:33 | call to MultiReader |
| io.go:85:31:85:32 | r3 | io.go:85:8:85:33 | call to MultiReader | | io.go:85:31:85:32 | r3 | io.go:85:8:85:33 | call to MultiReader |
| io.go:86:22:86:22 | r | io.go:86:11:86:19 | selection of Stdout | | io.go:86:22:86:22 | r | io.go:86:11:86:19 | selection of Stdout [postupdate] |
| io.go:89:26:89:38 | "some string" | io.go:89:8:89:39 | call to NewReader | | io.go:89:26:89:38 | "some string" | io.go:89:8:89:39 | call to NewReader |
| io.go:91:23:91:23 | r | io.go:91:10:91:30 | call to TeeReader | | io.go:91:23:91:23 | r | io.go:91:10:91:30 | call to TeeReader |
| io.go:91:23:91:23 | r | io.go:91:26:91:29 | &... | | io.go:91:23:91:23 | r | io.go:91:26:91:29 | &... [postupdate] |
| io.go:91:26:91:29 | &... | io.go:90:7:90:9 | definition of buf | | io.go:91:26:91:29 | &... | io.go:91:27:91:29 | buf [postupdate] |
| io.go:91:26:91:29 | &... [postupdate] | io.go:91:27:91:29 | buf [postupdate] |
| io.go:91:27:91:29 | buf | io.go:91:26:91:29 | &... | | io.go:91:27:91:29 | buf | io.go:91:26:91:29 | &... |
| io.go:93:22:93:24 | tee | io.go:93:11:93:19 | selection of Stdout | | io.go:91:27:91:29 | buf [postupdate] | io.go:91:26:91:29 | &... |
| io.go:93:22:93:24 | tee | io.go:93:11:93:19 | selection of Stdout [postupdate] |
| io.go:96:26:96:38 | "some string" | io.go:96:8:96:39 | call to NewReader | | io.go:96:26:96:38 | "some string" | io.go:96:8:96:39 | call to NewReader |
| io.go:97:28:97:28 | r | io.go:97:8:97:36 | call to NewSectionReader | | io.go:97:28:97:28 | r | io.go:97:8:97:36 | call to NewSectionReader |
| io.go:98:22:98:22 | s | io.go:98:11:98:19 | selection of Stdout | | io.go:98:22:98:22 | s | io.go:98:11:98:19 | selection of Stdout [postupdate] |
| io.go:101:26:101:38 | "some string" | io.go:101:8:101:39 | call to NewReader | | io.go:101:26:101:38 | "some string" | io.go:101:8:101:39 | call to NewReader |
| io.go:102:3:102:3 | r | io.go:102:13:102:21 | selection of Stdout | | io.go:102:3:102:3 | r | io.go:102:13:102:21 | selection of Stdout [postupdate] |
| io.go:108:30:108:42 | "some string" | io.go:108:12:108:43 | call to NewReader | | io.go:108:30:108:42 | "some string" | io.go:108:12:108:43 | call to NewReader |
| io.go:109:12:109:33 | call to ReadAll | io.go:109:2:109:33 | ... := ...[0] | | io.go:109:12:109:33 | call to ReadAll | io.go:109:2:109:33 | ... := ...[0] |
| io.go:109:12:109:33 | call to ReadAll | io.go:109:2:109:33 | ... := ...[1] | | io.go:109:12:109:33 | call to ReadAll | io.go:109:2:109:33 | ... := ...[1] |
| io.go:109:27:109:32 | reader | io.go:109:2:109:33 | ... := ...[0] | | io.go:109:27:109:32 | reader | io.go:109:2:109:33 | ... := ...[0] |
| io.go:110:18:110:20 | buf | io.go:110:2:110:10 | selection of Stdout | | io.go:110:18:110:20 | buf | io.go:110:2:110:10 | selection of Stdout [postupdate] |
| main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[0] | | main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[0] |
| main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[1] | | main.go:11:12:11:26 | call to Marshal | main.go:11:2:11:26 | ... := ...[1] |
| main.go:11:25:11:25 | v | main.go:11:2:11:26 | ... := ...[0] | | main.go:11:25:11:25 | v | main.go:11:2:11:26 | ... := ...[0] |
@@ -84,11 +96,13 @@ invalidModelRow
| main.go:23:25:23:31 | decoded | main.go:23:9:23:48 | slice literal | | main.go:23:25:23:31 | decoded | main.go:23:9:23:48 | slice literal |
| main.go:23:34:23:36 | err | main.go:23:9:23:48 | slice literal | | main.go:23:34:23:36 | err | main.go:23:9:23:48 | slice literal |
| main.go:23:39:23:47 | reEncoded | main.go:23:9:23:48 | slice literal | | main.go:23:39:23:47 | reEncoded | main.go:23:9:23:48 | slice literal |
| main.go:28:2:28:4 | implicit dereference | main.go:26:15:26:17 | definition of req | | main.go:28:2:28:4 | implicit dereference | main.go:28:2:28:4 | req [postupdate] |
| main.go:28:2:28:4 | implicit dereference | main.go:28:2:28:9 | selection of Body | | main.go:28:2:28:4 | implicit dereference | main.go:28:2:28:9 | selection of Body |
| main.go:28:2:28:4 | req | main.go:28:2:28:4 | implicit dereference | | main.go:28:2:28:4 | req | main.go:28:2:28:4 | implicit dereference |
| main.go:28:2:28:9 | selection of Body | main.go:27:2:27:2 | definition of b | | main.go:28:2:28:4 | req [postupdate] | main.go:28:2:28:4 | implicit dereference |
| main.go:34:2:34:4 | implicit dereference | main.go:32:16:32:18 | definition of req | | main.go:28:2:28:9 | selection of Body | main.go:28:16:28:16 | b [postupdate] |
| main.go:34:2:34:4 | implicit dereference | main.go:34:2:34:4 | req [postupdate] |
| main.go:34:2:34:4 | implicit dereference | main.go:34:2:34:9 | selection of Body | | main.go:34:2:34:4 | implicit dereference | main.go:34:2:34:9 | selection of Body |
| main.go:34:2:34:4 | req | main.go:34:2:34:4 | implicit dereference | | main.go:34:2:34:4 | req | main.go:34:2:34:4 | implicit dereference |
| main.go:34:2:34:9 | selection of Body | main.go:33:2:33:2 | definition of b | | main.go:34:2:34:4 | req [postupdate] | main.go:34:2:34:4 | implicit dereference |
| main.go:34:2:34:9 | selection of Body | main.go:34:16:34:16 | b [postupdate] |


@@ -3,42 +3,28 @@
| server/main.go:30:38:30:48 | selection of Text | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | The $@ of this request depends on a $@. | server/main.go:30:38:30:48 | selection of Text | URL | server/main.go:19:56:19:61 | definition of params | user-provided value | | server/main.go:30:38:30:48 | selection of Text | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | The $@ of this request depends on a $@. | server/main.go:30:38:30:48 | selection of Text | URL | server/main.go:19:56:19:61 | definition of params | user-provided value |
edges edges
| client/main.go:16:35:16:78 | &... | server/main.go:19:56:19:61 | definition of params | provenance | | | client/main.go:16:35:16:78 | &... | server/main.go:19:56:19:61 | definition of params | provenance | |
| rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | rpc/notes/service.twirp.go:477:44:477:51 | typedReq | provenance | | | client/main.go:16:35:16:78 | &... [postupdate] | client/main.go:16:35:16:78 | &... | provenance | |
| rpc/notes/service.twirp.go:477:44:477:51 | typedReq | server/main.go:19:56:19:61 | definition of params | provenance | |
| rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | rpc/notes/service.twirp.go:495:35:495:44 | reqContent | provenance | |
| rpc/notes/service.twirp.go:495:35:495:44 | reqContent | server/main.go:19:56:19:61 | definition of params | provenance | |
| rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | rpc/notes/service.twirp.go:544:27:544:29 | buf | provenance | | | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | rpc/notes/service.twirp.go:544:27:544:29 | buf | provenance | |
| rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | provenance | Src:MaD:1 MaD:3 | | rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | provenance | Src:MaD:1 MaD:3 |
| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | | | rpc/notes/service.twirp.go:544:27:544:29 | buf | rpc/notes/service.twirp.go:544:32:544:41 | reqContent [postupdate] | provenance | MaD:2 |
| rpc/notes/service.twirp.go:544:27:544:29 | buf | rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | provenance | MaD:2 | | rpc/notes/service.twirp.go:544:32:544:41 | reqContent [postupdate] | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | |
| rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | rpc/notes/service.twirp.go:558:44:558:51 | typedReq | provenance | |
| rpc/notes/service.twirp.go:558:44:558:51 | typedReq | server/main.go:19:56:19:61 | definition of params | provenance | |
| rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | provenance | | | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | provenance | |
| rpc/notes/service.twirp.go:576:35:576:44 | reqContent | server/main.go:19:56:19:61 | definition of params | provenance | | | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | server/main.go:19:56:19:61 | definition of params | provenance | |
| server/main.go:19:56:19:61 | definition of params | server/main.go:19:56:19:61 | definition of params [Return] | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:19:56:19:61 | definition of params [Return] | provenance | |
| server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | |
| server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | | | server/main.go:19:56:19:61 | definition of params | server/main.go:30:38:30:48 | selection of Text | provenance | |
| server/main.go:19:56:19:61 | definition of params [Return] | client/main.go:16:35:16:78 | &... | provenance | | | server/main.go:19:56:19:61 | definition of params [Return] | client/main.go:16:35:16:78 | &... [postupdate] | provenance | |
| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | provenance | |
| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | provenance | |
| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | provenance | |
| server/main.go:19:56:19:61 | definition of params [Return] | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | provenance | |
models models
| 1 | Source: net/http; Request; true; Body; ; ; ; remote; manual | | 1 | Source: net/http; Request; true; Body; ; ; ; remote; manual |
| 2 | Summary: google.golang.org/protobuf/proto; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual | | 2 | Summary: google.golang.org/protobuf/proto; ; false; Unmarshal; ; ; Argument[0]; Argument[1]; taint; manual |
| 3 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual | | 3 | Summary: io; ; false; ReadAll; ; ; Argument[0]; ReturnValue[0]; taint; manual |
nodes nodes
| client/main.go:16:35:16:78 | &... | semmle.label | &... | | client/main.go:16:35:16:78 | &... | semmle.label | &... |
| rpc/notes/service.twirp.go:473:6:473:13 | definition of typedReq | semmle.label | definition of typedReq | | client/main.go:16:35:16:78 | &... [postupdate] | semmle.label | &... [postupdate] |
| rpc/notes/service.twirp.go:477:44:477:51 | typedReq | semmle.label | typedReq |
| rpc/notes/service.twirp.go:493:2:496:2 | capture variable reqContent | semmle.label | capture variable reqContent |
| rpc/notes/service.twirp.go:495:35:495:44 | reqContent | semmle.label | reqContent |
| rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | semmle.label | ... := ...[0] | | rpc/notes/service.twirp.go:538:2:538:33 | ... := ...[0] | semmle.label | ... := ...[0] |
| rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | semmle.label | selection of Body | | rpc/notes/service.twirp.go:538:25:538:32 | selection of Body | semmle.label | selection of Body |
| rpc/notes/service.twirp.go:543:2:543:11 | definition of reqContent | semmle.label | definition of reqContent |
| rpc/notes/service.twirp.go:544:27:544:29 | buf | semmle.label | buf | | rpc/notes/service.twirp.go:544:27:544:29 | buf | semmle.label | buf |
| rpc/notes/service.twirp.go:554:6:554:13 | definition of typedReq | semmle.label | definition of typedReq | | rpc/notes/service.twirp.go:544:32:544:41 | reqContent [postupdate] | semmle.label | reqContent [postupdate] |
| rpc/notes/service.twirp.go:558:44:558:51 | typedReq | semmle.label | typedReq |
| rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | semmle.label | capture variable reqContent | | rpc/notes/service.twirp.go:574:2:577:2 | capture variable reqContent | semmle.label | capture variable reqContent |
| rpc/notes/service.twirp.go:576:35:576:44 | reqContent | semmle.label | reqContent | | rpc/notes/service.twirp.go:576:35:576:44 | reqContent | semmle.label | reqContent |
| server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params | | server/main.go:19:56:19:61 | definition of params | semmle.label | definition of params |


@@ -1,8 +1,8 @@
| WebSocketReadWrite.go:31:7:31:10 | definition of xnet | | WebSocketReadWrite.go:32:11:32:14 | xnet [postupdate] |
| WebSocketReadWrite.go:35:3:35:7 | definition of xnet2 | | WebSocketReadWrite.go:36:21:36:25 | xnet2 [postupdate] |
| WebSocketReadWrite.go:41:3:41:40 | ... := ...[1] | | WebSocketReadWrite.go:41:3:41:40 | ... := ...[1] |
| WebSocketReadWrite.go:44:3:44:48 | ... := ...[1] | | WebSocketReadWrite.go:44:3:44:48 | ... := ...[1] |
| WebSocketReadWrite.go:51:7:51:16 | definition of gorillaMsg | | WebSocketReadWrite.go:52:26:52:35 | gorillaMsg [postupdate] |
| WebSocketReadWrite.go:55:3:55:10 | definition of gorilla2 | | WebSocketReadWrite.go:56:17:56:24 | gorilla2 [postupdate] |
| WebSocketReadWrite.go:61:3:61:38 | ... := ...[1] | | WebSocketReadWrite.go:61:3:61:38 | ... := ...[1] |
| WebSocketReadWrite.go:67:3:67:36 | ... := ...[0] | | WebSocketReadWrite.go:67:3:67:36 | ... := ...[0] |


@@ -1,9 +1,9 @@
| WebSocketReadWrite.go:27:9:27:16 | selection of Header | | WebSocketReadWrite.go:27:9:27:16 | selection of Header |
| WebSocketReadWrite.go:31:7:31:10 | definition of xnet | | WebSocketReadWrite.go:32:11:32:14 | xnet [postupdate] |
| WebSocketReadWrite.go:35:3:35:7 | definition of xnet2 | | WebSocketReadWrite.go:36:21:36:25 | xnet2 [postupdate] |
| WebSocketReadWrite.go:41:3:41:40 | ... := ...[1] | | WebSocketReadWrite.go:41:3:41:40 | ... := ...[1] |
| WebSocketReadWrite.go:44:3:44:48 | ... := ...[1] | | WebSocketReadWrite.go:44:3:44:48 | ... := ...[1] |
| WebSocketReadWrite.go:51:7:51:16 | definition of gorillaMsg | | WebSocketReadWrite.go:52:26:52:35 | gorillaMsg [postupdate] |
| WebSocketReadWrite.go:55:3:55:10 | definition of gorilla2 | | WebSocketReadWrite.go:56:17:56:24 | gorilla2 [postupdate] |
| WebSocketReadWrite.go:61:3:61:38 | ... := ...[1] | | WebSocketReadWrite.go:61:3:61:38 | ... := ...[1] |
| WebSocketReadWrite.go:67:3:67:36 | ... := ...[0] | | WebSocketReadWrite.go:67:3:67:36 | ... := ...[0] |


@@ -44,28 +44,20 @@ edges
| test.go:39:23:39:77 | call to NewTokenizerFragment | test.go:40:15:40:31 | tokenizerFragment | provenance | | | test.go:39:23:39:77 | call to NewTokenizerFragment | test.go:40:15:40:31 | tokenizerFragment | provenance | |
| test.go:39:49:39:60 | selection of Body | test.go:39:23:39:77 | call to NewTokenizerFragment | provenance | Src:MaD:1 MaD:4 | | test.go:39:49:39:60 | selection of Body | test.go:39:23:39:77 | call to NewTokenizerFragment | provenance | Src:MaD:1 MaD:4 |
| test.go:40:15:40:31 | tokenizerFragment | test.go:40:15:40:42 | call to Buffered | provenance | MaD:12 | | test.go:40:15:40:31 | tokenizerFragment | test.go:40:15:40:42 | call to Buffered | provenance | MaD:12 |
| test.go:42:6:42:14 | definition of cleanNode | test.go:45:22:45:31 | &... | provenance | |
| test.go:42:6:42:14 | definition of cleanNode | test.go:45:22:45:31 | &... | provenance | |
| test.go:42:6:42:14 | definition of cleanNode | test.go:45:23:45:31 | cleanNode | provenance | |
| test.go:43:2:43:43 | ... := ...[0] | test.go:44:24:44:34 | taintedNode | provenance | | | test.go:43:2:43:43 | ... := ...[0] | test.go:44:24:44:34 | taintedNode | provenance | |
| test.go:43:31:43:42 | selection of Body | test.go:43:2:43:43 | ... := ...[0] | provenance | Src:MaD:1 MaD:5 | | test.go:43:31:43:42 | selection of Body | test.go:43:2:43:43 | ... := ...[0] | provenance | Src:MaD:1 MaD:5 |
| test.go:44:24:44:34 | taintedNode | test.go:42:6:42:14 | definition of cleanNode | provenance | MaD:10 | | test.go:44:2:44:10 | cleanNode [postupdate] | test.go:45:22:45:31 | &... | provenance | |
| test.go:45:22:45:31 | &... | test.go:45:23:45:31 | cleanNode | provenance | | | test.go:44:2:44:10 | cleanNode [postupdate] | test.go:45:23:45:31 | cleanNode | provenance | |
| test.go:44:24:44:34 | taintedNode | test.go:44:2:44:10 | cleanNode [postupdate] | provenance | MaD:10 |
| test.go:45:22:45:31 | &... [pointer] | test.go:45:22:45:31 | &... | provenance | | | test.go:45:22:45:31 | &... [pointer] | test.go:45:22:45:31 | &... | provenance | |
| test.go:45:22:45:31 | &... [pointer] | test.go:45:22:45:31 | &... | provenance | |
| test.go:45:22:45:31 | &... [pointer] | test.go:45:23:45:31 | cleanNode | provenance | |
| test.go:45:23:45:31 | cleanNode | test.go:45:22:45:31 | &... | provenance | | | test.go:45:23:45:31 | cleanNode | test.go:45:22:45:31 | &... | provenance | |
| test.go:45:23:45:31 | cleanNode | test.go:45:22:45:31 | &... [pointer] | provenance | | | test.go:45:23:45:31 | cleanNode | test.go:45:22:45:31 | &... [pointer] | provenance | |
| test.go:47:6:47:15 | definition of cleanNode2 | test.go:50:22:50:32 | &... | provenance | |
| test.go:47:6:47:15 | definition of cleanNode2 | test.go:50:22:50:32 | &... | provenance | |
| test.go:47:6:47:15 | definition of cleanNode2 | test.go:50:23:50:32 | cleanNode2 | provenance | |
| test.go:48:2:48:44 | ... := ...[0] | test.go:49:26:49:37 | taintedNode2 | provenance | | | test.go:48:2:48:44 | ... := ...[0] | test.go:49:26:49:37 | taintedNode2 | provenance | |
| test.go:48:32:48:43 | selection of Body | test.go:48:2:48:44 | ... := ...[0] | provenance | Src:MaD:1 MaD:5 | | test.go:48:32:48:43 | selection of Body | test.go:48:2:48:44 | ... := ...[0] | provenance | Src:MaD:1 MaD:5 |
| test.go:49:26:49:37 | taintedNode2 | test.go:47:6:47:15 | definition of cleanNode2 | provenance | MaD:11 | | test.go:49:2:49:11 | cleanNode2 [postupdate] | test.go:50:22:50:32 | &... | provenance | |
| test.go:50:22:50:32 | &... | test.go:50:23:50:32 | cleanNode2 | provenance | | | test.go:49:2:49:11 | cleanNode2 [postupdate] | test.go:50:23:50:32 | cleanNode2 | provenance | |
| test.go:49:26:49:37 | taintedNode2 | test.go:49:2:49:11 | cleanNode2 [postupdate] | provenance | MaD:11 |
| test.go:50:22:50:32 | &... [pointer] | test.go:50:22:50:32 | &... | provenance | | | test.go:50:22:50:32 | &... [pointer] | test.go:50:22:50:32 | &... | provenance | |
| test.go:50:22:50:32 | &... [pointer] | test.go:50:22:50:32 | &... | provenance | |
| test.go:50:22:50:32 | &... [pointer] | test.go:50:23:50:32 | cleanNode2 | provenance | |
| test.go:50:23:50:32 | cleanNode2 | test.go:50:22:50:32 | &... | provenance | | | test.go:50:23:50:32 | cleanNode2 | test.go:50:22:50:32 | &... | provenance | |
| test.go:50:23:50:32 | cleanNode2 | test.go:50:22:50:32 | &... [pointer] | provenance | | | test.go:50:23:50:32 | cleanNode2 | test.go:50:22:50:32 | &... [pointer] | provenance | |
models models
@@ -125,20 +117,18 @@ nodes
| test.go:39:49:39:60 | selection of Body | semmle.label | selection of Body | | test.go:39:49:39:60 | selection of Body | semmle.label | selection of Body |
| test.go:40:15:40:31 | tokenizerFragment | semmle.label | tokenizerFragment | | test.go:40:15:40:31 | tokenizerFragment | semmle.label | tokenizerFragment |
| test.go:40:15:40:42 | call to Buffered | semmle.label | call to Buffered | | test.go:40:15:40:42 | call to Buffered | semmle.label | call to Buffered |
| test.go:42:6:42:14 | definition of cleanNode | semmle.label | definition of cleanNode |
| test.go:43:2:43:43 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:43:2:43:43 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:43:31:43:42 | selection of Body | semmle.label | selection of Body | | test.go:43:31:43:42 | selection of Body | semmle.label | selection of Body |
| test.go:44:2:44:10 | cleanNode [postupdate] | semmle.label | cleanNode [postupdate] |
| test.go:44:24:44:34 | taintedNode | semmle.label | taintedNode | | test.go:44:24:44:34 | taintedNode | semmle.label | taintedNode |
| test.go:45:22:45:31 | &... | semmle.label | &... | | test.go:45:22:45:31 | &... | semmle.label | &... |
| test.go:45:22:45:31 | &... | semmle.label | &... |
| test.go:45:22:45:31 | &... [pointer] | semmle.label | &... [pointer] | | test.go:45:22:45:31 | &... [pointer] | semmle.label | &... [pointer] |
| test.go:45:23:45:31 | cleanNode | semmle.label | cleanNode | | test.go:45:23:45:31 | cleanNode | semmle.label | cleanNode |
| test.go:47:6:47:15 | definition of cleanNode2 | semmle.label | definition of cleanNode2 |
| test.go:48:2:48:44 | ... := ...[0] | semmle.label | ... := ...[0] | | test.go:48:2:48:44 | ... := ...[0] | semmle.label | ... := ...[0] |
| test.go:48:32:48:43 | selection of Body | semmle.label | selection of Body | | test.go:48:32:48:43 | selection of Body | semmle.label | selection of Body |
| test.go:49:2:49:11 | cleanNode2 [postupdate] | semmle.label | cleanNode2 [postupdate] |
| test.go:49:26:49:37 | taintedNode2 | semmle.label | taintedNode2 | | test.go:49:26:49:37 | taintedNode2 | semmle.label | taintedNode2 |
| test.go:50:22:50:32 | &... | semmle.label | &... | | test.go:50:22:50:32 | &... | semmle.label | &... |
| test.go:50:22:50:32 | &... | semmle.label | &... |
| test.go:50:22:50:32 | &... [pointer] | semmle.label | &... [pointer] | | test.go:50:22:50:32 | &... [pointer] | semmle.label | &... [pointer] |
| test.go:50:23:50:32 | cleanNode2 | semmle.label | cleanNode2 | | test.go:50:23:50:32 | cleanNode2 | semmle.label | cleanNode2 |
subpaths subpaths


@@ -13,30 +13,30 @@ func main() {
var inb []byte var inb []byte
out, _ = yaml1.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" out, _ = yaml1.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]"
yaml1.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" yaml1.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> out [postupdate]" ttfnmodelstep="inb -> out [postupdate]"
out, _ = yaml2.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" out, _ = yaml2.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]"
yaml2.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" yaml2.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> out [postupdate]" ttfnmodelstep="inb -> out [postupdate]"
yaml2.UnmarshalStrict(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" yaml2.UnmarshalStrict(inb, out) // $ unmarshaler="yaml: inb -> out [postupdate]" ttfnmodelstep="inb -> out [postupdate]"
var r io.Reader var r io.Reader
d := yaml2.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder" d := yaml2.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder"
d.Decode(out) // $ ttfnmodelstep="d -> definition of out" d.Decode(out) // $ ttfnmodelstep="d -> out [postupdate]"
var w io.Writer var w io.Writer
e := yaml2.NewEncoder(w) // $ ttfnmodelstep="definition of e -> definition of w" e := yaml2.NewEncoder(w) // $ ttfnmodelstep="definition of e -> w [postupdate]"
e.Encode(in) // $ ttfnmodelstep="in -> definition of e" e.Encode(in) // $ ttfnmodelstep="in -> e [postupdate]"
out, _ = yaml3.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]" out, _ = yaml3.Marshal(in) // $ marshaler="yaml: in -> ... = ...[0]" ttfnmodelstep="in -> ... = ...[0]"
yaml3.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> definition of out" ttfnmodelstep="inb -> definition of out" yaml3.Unmarshal(inb, out) // $ unmarshaler="yaml: inb -> out [postupdate]" ttfnmodelstep="inb -> out [postupdate]"
d1 := yaml3.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder" d1 := yaml3.NewDecoder(r) // $ ttfnmodelstep="r -> call to NewDecoder"
d1.Decode(out) // $ ttfnmodelstep="d1 -> definition of out" d1.Decode(out) // $ ttfnmodelstep="d1 -> out [postupdate]"
e1 := yaml3.NewEncoder(w) // $ ttfnmodelstep="definition of e1 -> definition of w" e1 := yaml3.NewEncoder(w) // $ ttfnmodelstep="definition of e1 -> w [postupdate]"
e1.Encode(in) // $ ttfnmodelstep="in -> definition of e1" e1.Encode(in) // $ ttfnmodelstep="in -> e1 [postupdate]"
var n1 yaml3.Node var n1 yaml3.Node
n1.Decode(out) // $ ttfnmodelstep="n1 -> definition of out" n1.Decode(out) // $ ttfnmodelstep="n1 -> out [postupdate]"
n1.Encode(in) // $ ttfnmodelstep="in -> definition of n1" n1.Encode(in) // $ ttfnmodelstep="in -> n1 [postupdate]"
} }
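Review bot: The two encoder expectations no longer meet at a shared node: `e.Encode(in)` now ends at `e [postupdate]`, while the `yaml2.NewEncoder(w)` step still starts at `definition of e` (the same holds for `e1` with yaml3). Before this change both annotations named `definition of e`, so the chain in -> e -> w could be read straight off the file; now it depends on the data-flow library linking the post-update node back to the constructor result, which these per-step annotations do not check. I would add a comment above the encoder lines, `// in -> w relies on flow from e [postupdate] back to the NewEncoder result`, and, if no end-to-end test covers it, an expectation for the full path, since a lost link here would presumably hide tainted data written through an encoder. `main` starts before this hunk, so the earlier declarations are not visible.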


@@ -17,17 +17,18 @@
| SafeUrlFlow.go:74:70:74:85 | call to String | SafeUrlFlow.go:54:13:54:19 | selection of URL | SafeUrlFlow.go:74:70:74:85 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:54:13:54:19 | selection of URL | here | | SafeUrlFlow.go:74:70:74:85 | call to String | SafeUrlFlow.go:54:13:54:19 | selection of URL | SafeUrlFlow.go:74:70:74:85 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:54:13:54:19 | selection of URL | here |
| SafeUrlFlow.go:78:40:78:55 | call to String | SafeUrlFlow.go:54:13:54:19 | selection of URL | SafeUrlFlow.go:78:40:78:55 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:54:13:54:19 | selection of URL | here | | SafeUrlFlow.go:78:40:78:55 | call to String | SafeUrlFlow.go:54:13:54:19 | selection of URL | SafeUrlFlow.go:78:40:78:55 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:54:13:54:19 | selection of URL | here |
| SafeUrlFlow.go:89:24:89:41 | call to String | SafeUrlFlow.go:84:14:84:21 | selection of Host | SafeUrlFlow.go:89:24:89:41 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:84:14:84:21 | selection of Host | here | | SafeUrlFlow.go:89:24:89:41 | call to String | SafeUrlFlow.go:84:14:84:21 | selection of Host | SafeUrlFlow.go:89:24:89:41 | call to String | A safe URL flows here from $@. | SafeUrlFlow.go:84:14:84:21 | selection of Host | here |
| SafeUrlFlow.go:109:11:109:23 | reconstructed | SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:109:11:109:23 | reconstructed | A safe URL flows here from $@. | SafeUrlFlow.go:100:13:100:19 | selection of URL | here | | SafeUrlFlow.go:105:11:105:23 | reconstructed | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:105:11:105:23 | reconstructed | A safe URL flows here from $@. | SafeUrlFlow.go:96:13:96:19 | selection of URL | here |
| SafeUrlFlow.go:112:24:112:50 | ...+... | SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:112:24:112:50 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:100:13:100:19 | selection of URL | here | | SafeUrlFlow.go:108:24:108:50 | ...+... | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:108:24:108:50 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:96:13:96:19 | selection of URL | here |
| SafeUrlFlow.go:113:29:113:58 | ...+... | SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:113:29:113:58 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:100:13:100:19 | selection of URL | here | | SafeUrlFlow.go:109:29:109:58 | ...+... | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:109:29:109:58 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:96:13:96:19 | selection of URL | here |
| SafeUrlFlow.go:114:12:114:42 | ...+... | SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:114:12:114:42 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:100:13:100:19 | selection of URL | here | | SafeUrlFlow.go:110:12:110:42 | ...+... | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:110:12:110:42 | ...+... | A safe URL flows here from $@. | SafeUrlFlow.go:96:13:96:19 | selection of URL | here |
| SafeUrlFlow.go:115:12:115:25 | safeOpaquePart | SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:115:12:115:25 | safeOpaquePart | A safe URL flows here from $@. | SafeUrlFlow.go:100:13:100:19 | selection of URL | here | | SafeUrlFlow.go:111:12:111:25 | safeOpaquePart | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:111:12:111:25 | safeOpaquePart | A safe URL flows here from $@. | SafeUrlFlow.go:96:13:96:19 | selection of URL | here |
edges edges
| SafeUrlFlow.go:10:14:10:21 | selection of Host | SafeUrlFlow.go:11:24:11:50 | ...+... | provenance | Sink:MaD:1 | | SafeUrlFlow.go:10:14:10:21 | selection of Host | SafeUrlFlow.go:11:24:11:50 | ...+... | provenance | Sink:MaD:1 |
| SafeUrlFlow.go:10:14:10:21 | selection of Host | SafeUrlFlow.go:17:19:17:26 | safeHost | provenance | | | SafeUrlFlow.go:10:14:10:21 | selection of Host | SafeUrlFlow.go:17:19:17:26 | safeHost | provenance | |
| SafeUrlFlow.go:13:13:13:19 | selection of URL | SafeUrlFlow.go:14:29:14:35 | safeURL | provenance | Src:MaD:2 | | SafeUrlFlow.go:13:13:13:19 | selection of URL | SafeUrlFlow.go:14:29:14:35 | safeURL | provenance | Src:MaD:2 |
| SafeUrlFlow.go:14:29:14:35 | safeURL | SafeUrlFlow.go:14:29:14:44 | call to String | provenance | MaD:3 | | SafeUrlFlow.go:14:29:14:35 | safeURL | SafeUrlFlow.go:14:29:14:44 | call to String | provenance | MaD:3 |
| SafeUrlFlow.go:17:19:17:26 | safeHost | SafeUrlFlow.go:18:11:18:19 | targetURL | provenance | Config | | SafeUrlFlow.go:17:2:17:10 | targetURL [postupdate] | SafeUrlFlow.go:18:11:18:19 | targetURL | provenance | |
| SafeUrlFlow.go:17:19:17:26 | safeHost | SafeUrlFlow.go:17:2:17:10 | targetURL [postupdate] | provenance | Config |
| SafeUrlFlow.go:18:11:18:19 | targetURL | SafeUrlFlow.go:18:11:18:28 | call to String | provenance | MaD:3 | | SafeUrlFlow.go:18:11:18:19 | targetURL | SafeUrlFlow.go:18:11:18:28 | call to String | provenance | MaD:3 |
| SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:45:24:45:61 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 | | SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:45:24:45:61 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
| SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:46:29:46:55 | ...+... | provenance | Src:MaD:2 | | SafeUrlFlow.go:37:13:37:19 | selection of URL | SafeUrlFlow.go:46:29:46:55 | ...+... | provenance | Src:MaD:2 |
@@ -55,13 +56,16 @@ edges
| SafeUrlFlow.go:74:70:74:76 | safeURL | SafeUrlFlow.go:74:70:74:85 | call to String | provenance | MaD:3 | | SafeUrlFlow.go:74:70:74:76 | safeURL | SafeUrlFlow.go:74:70:74:85 | call to String | provenance | MaD:3 |
| SafeUrlFlow.go:78:40:78:46 | safeURL | SafeUrlFlow.go:78:40:78:55 | call to String | provenance | MaD:3 | | SafeUrlFlow.go:78:40:78:46 | safeURL | SafeUrlFlow.go:78:40:78:55 | call to String | provenance | MaD:3 |
| SafeUrlFlow.go:84:14:84:21 | selection of Host | SafeUrlFlow.go:87:19:87:26 | safeHost | provenance | | | SafeUrlFlow.go:84:14:84:21 | selection of Host | SafeUrlFlow.go:87:19:87:26 | safeHost | provenance | |
| SafeUrlFlow.go:87:19:87:26 | safeHost | SafeUrlFlow.go:89:24:89:32 | targetURL | provenance | Config | | SafeUrlFlow.go:87:2:87:10 | implicit dereference [postupdate] | SafeUrlFlow.go:87:2:87:10 | targetURL [postupdate] | provenance | |
| SafeUrlFlow.go:87:2:87:10 | targetURL [postupdate] | SafeUrlFlow.go:89:24:89:32 | targetURL | provenance | |
| SafeUrlFlow.go:87:19:87:26 | safeHost | SafeUrlFlow.go:87:2:87:10 | implicit dereference [postupdate] | provenance | Config |
| SafeUrlFlow.go:87:19:87:26 | safeHost | SafeUrlFlow.go:87:2:87:10 | targetURL [postupdate] | provenance | Config |
| SafeUrlFlow.go:89:24:89:32 | targetURL | SafeUrlFlow.go:89:24:89:41 | call to String | provenance | MaD:3 Sink:MaD:1 | | SafeUrlFlow.go:89:24:89:32 | targetURL | SafeUrlFlow.go:89:24:89:41 | call to String | provenance | MaD:3 Sink:MaD:1 |
| SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:109:11:109:23 | reconstructed | provenance | Src:MaD:2 | | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:105:11:105:23 | reconstructed | provenance | Src:MaD:2 |
| SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:112:24:112:50 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 | | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:108:24:108:50 | ...+... | provenance | Src:MaD:2 Sink:MaD:1 |
| SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:113:29:113:58 | ...+... | provenance | Src:MaD:2 | | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:109:29:109:58 | ...+... | provenance | Src:MaD:2 |
| SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:114:12:114:42 | ...+... | provenance | Src:MaD:2 | | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:110:12:110:42 | ...+... | provenance | Src:MaD:2 |
| SafeUrlFlow.go:100:13:100:19 | selection of URL | SafeUrlFlow.go:115:12:115:25 | safeOpaquePart | provenance | Src:MaD:2 | | SafeUrlFlow.go:96:13:96:19 | selection of URL | SafeUrlFlow.go:111:12:111:25 | safeOpaquePart | provenance | Src:MaD:2 |
models models
| 1 | Sink: net/http; ; false; Redirect; ; ; Argument[2]; url-redirection[0]; manual | | 1 | Sink: net/http; ; false; Redirect; ; ; Argument[2]; url-redirection[0]; manual |
| 2 | Source: net/http; Request; true; URL; ; ; ; remote; manual | | 2 | Source: net/http; Request; true; URL; ; ; ; remote; manual |
@@ -72,6 +76,7 @@ nodes
| SafeUrlFlow.go:13:13:13:19 | selection of URL | semmle.label | selection of URL | | SafeUrlFlow.go:13:13:13:19 | selection of URL | semmle.label | selection of URL |
| SafeUrlFlow.go:14:29:14:35 | safeURL | semmle.label | safeURL | | SafeUrlFlow.go:14:29:14:35 | safeURL | semmle.label | safeURL |
| SafeUrlFlow.go:14:29:14:44 | call to String | semmle.label | call to String | | SafeUrlFlow.go:14:29:14:44 | call to String | semmle.label | call to String |
| SafeUrlFlow.go:17:2:17:10 | targetURL [postupdate] | semmle.label | targetURL [postupdate] |
| SafeUrlFlow.go:17:19:17:26 | safeHost | semmle.label | safeHost | | SafeUrlFlow.go:17:19:17:26 | safeHost | semmle.label | safeHost |
| SafeUrlFlow.go:18:11:18:19 | targetURL | semmle.label | targetURL | | SafeUrlFlow.go:18:11:18:19 | targetURL | semmle.label | targetURL |
| SafeUrlFlow.go:18:11:18:28 | call to String | semmle.label | call to String | | SafeUrlFlow.go:18:11:18:28 | call to String | semmle.label | call to String |
@@ -103,13 +108,15 @@ nodes
| SafeUrlFlow.go:78:40:78:46 | safeURL | semmle.label | safeURL | | SafeUrlFlow.go:78:40:78:46 | safeURL | semmle.label | safeURL |
| SafeUrlFlow.go:78:40:78:55 | call to String | semmle.label | call to String | | SafeUrlFlow.go:78:40:78:55 | call to String | semmle.label | call to String |
| SafeUrlFlow.go:84:14:84:21 | selection of Host | semmle.label | selection of Host | | SafeUrlFlow.go:84:14:84:21 | selection of Host | semmle.label | selection of Host |
| SafeUrlFlow.go:87:2:87:10 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
| SafeUrlFlow.go:87:2:87:10 | targetURL [postupdate] | semmle.label | targetURL [postupdate] |
| SafeUrlFlow.go:87:19:87:26 | safeHost | semmle.label | safeHost | | SafeUrlFlow.go:87:19:87:26 | safeHost | semmle.label | safeHost |
| SafeUrlFlow.go:89:24:89:32 | targetURL | semmle.label | targetURL | | SafeUrlFlow.go:89:24:89:32 | targetURL | semmle.label | targetURL |
| SafeUrlFlow.go:89:24:89:41 | call to String | semmle.label | call to String | | SafeUrlFlow.go:89:24:89:41 | call to String | semmle.label | call to String |
| SafeUrlFlow.go:100:13:100:19 | selection of URL | semmle.label | selection of URL | | SafeUrlFlow.go:96:13:96:19 | selection of URL | semmle.label | selection of URL |
| SafeUrlFlow.go:109:11:109:23 | reconstructed | semmle.label | reconstructed | | SafeUrlFlow.go:105:11:105:23 | reconstructed | semmle.label | reconstructed |
| SafeUrlFlow.go:112:24:112:50 | ...+... | semmle.label | ...+... | | SafeUrlFlow.go:108:24:108:50 | ...+... | semmle.label | ...+... |
| SafeUrlFlow.go:113:29:113:58 | ...+... | semmle.label | ...+... | | SafeUrlFlow.go:109:29:109:58 | ...+... | semmle.label | ...+... |
| SafeUrlFlow.go:114:12:114:42 | ...+... | semmle.label | ...+... | | SafeUrlFlow.go:110:12:110:42 | ...+... | semmle.label | ...+... |
| SafeUrlFlow.go:115:12:115:25 | safeOpaquePart | semmle.label | safeOpaquePart | | SafeUrlFlow.go:111:12:111:25 | safeOpaquePart | semmle.label | safeOpaquePart |
subpaths subpaths


@@ -87,13 +87,9 @@ func testHostFieldAssignmentFlow(w http.ResponseWriter, req *http.Request) {
targetURL.Host = safeHost // URL is safe if Host is safe targetURL.Host = safeHost // URL is safe if Host is safe
http.Redirect(w, req, targetURL.String(), http.StatusFound) // $ Alert http.Redirect(w, req, targetURL.String(), http.StatusFound) // $ Alert
}
func testHostFieldOverwritten(w http.ResponseWriter, req *http.Request) { targetURL.Host = "something.else.com" // targetURL is not guaranteed to be safe now that Host is overwritten
safeURL := req.URL http.Get(targetURL.String())
safeURL.Host = "something.else.com" // safeURL is not guaranteed to be safe now that Host is overwritten
http.Get(safeURL.String()) // not guaranteed to be safe
} }
func testFieldAccess(w http.ResponseWriter, req *http.Request) { func testFieldAccess(w http.ResponseWriter, req *http.Request) {
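Review bot: The relocated `http.Get(targetURL.String())` call no longer says what the test expects. The removed version ended with `// not guaranteed to be safe`, and without it a reader cannot tell whether the missing `// $ Alert` is deliberate. I would keep the intent on the line, for example `http.Get(targetURL.String()) // not guaranteed to be safe: Host was overwritten, no alert expected`. The removed `testHostFieldOverwritten` overwrote `Host` on a value taken straight from `req.URL`, whereas the new lines overwrite it on `targetURL`, which is constructed above the hunk. If `targetURL` does not originate from `req.URL`, the case of a request-derived URL losing its safe status is no longer covered, and keeping the old function alongside the new lines would retain it.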


@@ -6,8 +6,8 @@ edges
| TaintedPath.go:15:18:15:22 | selection of URL | TaintedPath.go:15:18:15:30 | call to Query | provenance | Src:MaD:2 MaD:3 | | TaintedPath.go:15:18:15:22 | selection of URL | TaintedPath.go:15:18:15:30 | call to Query | provenance | Src:MaD:2 MaD:3 |
| TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:18:29:18:40 | tainted_path | provenance | Sink:MaD:1 | | TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:18:29:18:40 | tainted_path | provenance | Sink:MaD:1 |
| TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:22:57:22:68 | tainted_path | provenance | | | TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:22:57:22:68 | tainted_path | provenance | |
| TaintedPath.go:15:18:15:30 | call to Query | TaintedPath.go:74:39:74:56 | ...+... | provenance | |
| TaintedPath.go:22:57:22:68 | tainted_path | TaintedPath.go:22:28:22:69 | call to Join | provenance | FunctionModel Sink:MaD:1 | | TaintedPath.go:22:57:22:68 | tainted_path | TaintedPath.go:22:28:22:69 | call to Join | provenance | FunctionModel Sink:MaD:1 |
| TaintedPath.go:22:57:22:68 | tainted_path | TaintedPath.go:74:39:74:56 | ...+... | provenance | |
| TaintedPath.go:74:39:74:56 | ...+... | TaintedPath.go:74:28:74:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 | | TaintedPath.go:74:39:74:56 | ...+... | TaintedPath.go:74:28:74:57 | call to Clean | provenance | MaD:4 Sink:MaD:1 |
models models
| 1 | Sink: io/ioutil; ; false; ReadFile; ; ; Argument[0]; path-injection; manual | | 1 | Sink: io/ioutil; ; false; ReadFile; ; ; Argument[0]; path-injection; manual |


@@ -48,14 +48,14 @@ edges
| GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:17:36:17:42 | tainted | provenance | | | GitSubcommands.go:11:13:11:27 | call to Query | GitSubcommands.go:17:36:17:42 | tainted | provenance | |
| GitSubcommands.go:33:13:33:19 | selection of URL | GitSubcommands.go:33:13:33:27 | call to Query | provenance | Src:MaD:2 MaD:7 | | GitSubcommands.go:33:13:33:19 | selection of URL | GitSubcommands.go:33:13:33:27 | call to Query | provenance | Src:MaD:2 MaD:7 |
| GitSubcommands.go:33:13:33:27 | call to Query | GitSubcommands.go:38:32:38:38 | tainted | provenance | | | GitSubcommands.go:33:13:33:27 | call to Query | GitSubcommands.go:38:32:38:38 | tainted | provenance | |
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance | |
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | |
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | Config |
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | Config |
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | Config |
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | Config |
| SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:9:13:9:27 | call to Query | provenance | Src:MaD:2 MaD:7 | | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | SanitizingDoubleDash.go:9:13:9:27 | call to Query | provenance | Src:MaD:2 MaD:7 |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:13:25:13:31 | tainted | provenance | | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:14:23:14:33 | slice expression | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:39:31:39:37 | tainted | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:52:24:52:30 | tainted | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:68:31:68:37 | tainted | provenance | |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | SanitizingDoubleDash.go:80:23:80:29 | tainted | provenance | |
| SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:13:25:13:31 | tainted | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | provenance | | | SanitizingDoubleDash.go:13:25:13:31 | tainted | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | provenance | |
| SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | SanitizingDoubleDash.go:14:23:14:33 | slice element node | provenance | | | SanitizingDoubleDash.go:14:23:14:30 | arrayLit [array] | SanitizingDoubleDash.go:14:23:14:33 | slice element node | provenance | |
@@ -67,6 +67,7 @@ edges
| SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | provenance | | | SanitizingDoubleDash.go:39:31:39:37 | tainted | SanitizingDoubleDash.go:39:14:39:44 | []type{args} [array] | provenance | |
| SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | | | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | SanitizingDoubleDash.go:53:21:53:28 | arrayLit [array] | provenance | |
| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | provenance | | | SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:52:15:52:31 | slice literal [array] | provenance | |
| SanitizingDoubleDash.go:52:24:52:30 | tainted | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | provenance | |
| SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | | | SanitizingDoubleDash.go:53:14:53:35 | call to append [array] | SanitizingDoubleDash.go:54:23:54:30 | arrayLit | provenance | |
| SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:4 | | SanitizingDoubleDash.go:53:21:53:28 | arrayLit | SanitizingDoubleDash.go:53:14:53:35 | call to append | provenance | MaD:4 |
@@ -180,6 +181,7 @@ nodes
| GitSubcommands.go:33:13:33:19 | selection of URL | semmle.label | selection of URL | | GitSubcommands.go:33:13:33:19 | selection of URL | semmle.label | selection of URL |
| GitSubcommands.go:33:13:33:27 | call to Query | semmle.label | call to Query | | GitSubcommands.go:33:13:33:27 | call to Query | semmle.label | call to Query |
| GitSubcommands.go:38:32:38:38 | tainted | semmle.label | tainted | | GitSubcommands.go:38:32:38:38 | tainted | semmle.label | tainted |
| SanitizingDoubleDash.go:9:2:9:8 | definition of tainted | semmle.label | definition of tainted |
| SanitizingDoubleDash.go:9:13:9:19 | selection of URL | semmle.label | selection of URL | | SanitizingDoubleDash.go:9:13:9:19 | selection of URL | semmle.label | selection of URL |
| SanitizingDoubleDash.go:9:13:9:27 | call to Query | semmle.label | call to Query | | SanitizingDoubleDash.go:9:13:9:27 | call to Query | semmle.label | call to Query |
| SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | semmle.label | array literal [array] | | SanitizingDoubleDash.go:13:15:13:32 | array literal [array] | semmle.label | array literal [array] |


@@ -93,62 +93,62 @@ func testDoubleDashIrrelevant(req *http.Request) {
{ {
arrayLit := [1]string{tainted} arrayLit := [1]string{tainted}
exec.Command("sudo", arrayLit[:]...) exec.Command("sudo", arrayLit[:]...) // BAD
} }
{ {
arrayLit := [2]string{"--", tainted} arrayLit := [2]string{"--", tainted}
exec.Command("sudo", arrayLit[:]...) exec.Command("sudo", arrayLit[:]...) // BAD
} }
{ {
arrayLit := []string{"--", tainted} arrayLit := []string{"--", tainted}
exec.Command("sudo", arrayLit...) exec.Command("sudo", arrayLit...) // BAD
} }
{ {
arrayLit := []string{} arrayLit := []string{}
arrayLit = append(arrayLit, "--", tainted) arrayLit = append(arrayLit, "--", tainted)
exec.Command("sudo", arrayLit...) exec.Command("sudo", arrayLit...) // BAD
} }
{ {
arrayLit := []string{} arrayLit := []string{}
arrayLit = append(arrayLit, tainted, "--") arrayLit = append(arrayLit, tainted, "--")
exec.Command("sudo", arrayLit...) exec.Command("sudo", arrayLit...) // BAD
} }
{ {
arrayLit := []string{"--"} arrayLit := []string{"--"}
arrayLit = append(arrayLit, tainted) arrayLit = append(arrayLit, tainted)
exec.Command("sudo", arrayLit...) exec.Command("sudo", arrayLit...) // BAD
} }
{ {
arrayLit := []string{tainted} arrayLit := []string{tainted}
arrayLit = append(arrayLit, "--") arrayLit = append(arrayLit, "--")
exec.Command("sudo", arrayLit...) exec.Command("sudo", arrayLit...) // BAD
} }
{ {
arrayLit := []string{"--"} arrayLit := []string{"--"}
arrayLit = append(arrayLit, "something else") arrayLit = append(arrayLit, "something else")
arrayLit = append(arrayLit, tainted) arrayLit = append(arrayLit, tainted)
exec.Command("sudo", arrayLit...) exec.Command("sudo", arrayLit...) // BAD
} }
{ {
arrayLit := []string{"something else"} arrayLit := []string{"something else"}
arrayLit = append(arrayLit, tainted) arrayLit = append(arrayLit, tainted)
arrayLit = append(arrayLit, "--") arrayLit = append(arrayLit, "--")
exec.Command("sudo", arrayLit...) exec.Command("sudo", arrayLit...) // BAD
} }
{ {
exec.Command("sudo", "--", tainted) exec.Command("sudo", "--", tainted) // BAD
} }
{ {
exec.Command("sudo", tainted, "--") exec.Command("sudo", tainted, "--") // BAD
} }
} }
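Review bot: The `// BAD` markers added to each `exec.Command("sudo", ...)` call are free-text comments, so nothing ties them to the query output. SafeUrlFlow.go in this same commit marks its expected result with `// $ Alert`. If this test directory is run with inline expectations (not visible from here), using that form on these lines would make a missed or spurious result fail at the line itself rather than only in the .expected diff. It would also help to say once why the double dash does not sanitize here, for example `// sudo treats the first argument after "--" as the command to run, so "--" does not stop tainted from being executed`. `testDoubleDashIrrelevant` begins before the hunk, so that comment would sit at the top of the function, outside the lines shown.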


@@ -2,14 +2,14 @@
| StoredCommand.go:14:22:14:28 | cmdName | StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:14:22:14:28 | cmdName | This command depends on a $@. | StoredCommand.go:11:2:11:27 | ... := ...[0] | stored value | | StoredCommand.go:14:22:14:28 | cmdName | StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:14:22:14:28 | cmdName | This command depends on a $@. | StoredCommand.go:11:2:11:27 | ... := ...[0] | stored value |
edges edges
| StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:13:2:13:5 | rows | provenance | Src:MaD:2 | | StoredCommand.go:11:2:11:27 | ... := ...[0] | StoredCommand.go:13:2:13:5 | rows | provenance | Src:MaD:2 |
| StoredCommand.go:13:2:13:5 | rows | StoredCommand.go:13:12:13:19 | &... | provenance | FunctionModel | | StoredCommand.go:13:2:13:5 | rows | StoredCommand.go:13:12:13:19 | &... [postupdate] | provenance | FunctionModel |
| StoredCommand.go:13:12:13:19 | &... | StoredCommand.go:14:22:14:28 | cmdName | provenance | Sink:MaD:1 | | StoredCommand.go:13:12:13:19 | &... [postupdate] | StoredCommand.go:14:22:14:28 | cmdName | provenance | Sink:MaD:1 |
models models
| 1 | Sink: os/exec; ; false; Command; ; ; Argument[0]; command-injection; manual | | 1 | Sink: os/exec; ; false; Command; ; ; Argument[0]; command-injection; manual |
| 2 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual | | 2 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
nodes nodes
| StoredCommand.go:11:2:11:27 | ... := ...[0] | semmle.label | ... := ...[0] | | StoredCommand.go:11:2:11:27 | ... := ...[0] | semmle.label | ... := ...[0] |
| StoredCommand.go:13:2:13:5 | rows | semmle.label | rows | | StoredCommand.go:13:2:13:5 | rows | semmle.label | rows |
| StoredCommand.go:13:12:13:19 | &... | semmle.label | &... | | StoredCommand.go:13:12:13:19 | &... [postupdate] | semmle.label | &... [postupdate] |
| StoredCommand.go:14:22:14:28 | cmdName | semmle.label | cmdName | | StoredCommand.go:14:22:14:28 | cmdName | semmle.label | cmdName |
subpaths subpaths


@@ -13,11 +13,11 @@
| reflectedxsstest.go:54:11:54:21 | type conversion | reflectedxsstest.go:51:14:51:18 | selection of URL | reflectedxsstest.go:54:11:54:21 | type conversion | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:51:14:51:18 | selection of URL | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | | | reflectedxsstest.go:54:11:54:21 | type conversion | reflectedxsstest.go:51:14:51:18 | selection of URL | reflectedxsstest.go:54:11:54:21 | type conversion | Cross-site scripting vulnerability due to $@. | reflectedxsstest.go:51:14:51:18 | selection of URL | user-provided value | reflectedxsstest.go:0:0:0:0 | reflectedxsstest.go | |
| tst.go:18:12:18:39 | type conversion | tst.go:14:15:14:20 | selection of Form | tst.go:18:12:18:39 | type conversion | Cross-site scripting vulnerability due to $@. | tst.go:14:15:14:20 | selection of Form | user-provided value | tst.go:0:0:0:0 | tst.go | | | tst.go:18:12:18:39 | type conversion | tst.go:14:15:14:20 | selection of Form | tst.go:18:12:18:39 | type conversion | Cross-site scripting vulnerability due to $@. | tst.go:14:15:14:20 | selection of Form | user-provided value | tst.go:0:0:0:0 | tst.go | |
| tst.go:53:12:53:26 | type conversion | tst.go:48:14:48:19 | selection of Form | tst.go:53:12:53:26 | type conversion | Cross-site scripting vulnerability due to $@. | tst.go:48:14:48:19 | selection of Form | user-provided value | tst.go:0:0:0:0 | tst.go | | | tst.go:53:12:53:26 | type conversion | tst.go:48:14:48:19 | selection of Form | tst.go:53:12:53:26 | type conversion | Cross-site scripting vulnerability due to $@. | tst.go:48:14:48:19 | selection of Form | user-provided value | tst.go:0:0:0:0 | tst.go | |
| websocketXss.go:32:24:32:27 | xnet | websocketXss.go:30:7:30:10 | definition of xnet | websocketXss.go:32:24:32:27 | xnet | Cross-site scripting vulnerability due to $@. | websocketXss.go:30:7:30:10 | definition of xnet | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | | | websocketXss.go:32:24:32:27 | xnet | websocketXss.go:31:11:31:14 | xnet [postupdate] | websocketXss.go:32:24:32:27 | xnet | Cross-site scripting vulnerability due to $@. | websocketXss.go:31:11:31:14 | xnet [postupdate] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
| websocketXss.go:36:24:36:28 | xnet2 | websocketXss.go:34:3:34:7 | definition of xnet2 | websocketXss.go:36:24:36:28 | xnet2 | Cross-site scripting vulnerability due to $@. | websocketXss.go:34:3:34:7 | definition of xnet2 | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | | | websocketXss.go:36:24:36:28 | xnet2 | websocketXss.go:35:21:35:25 | xnet2 [postupdate] | websocketXss.go:36:24:36:28 | xnet2 | Cross-site scripting vulnerability due to $@. | websocketXss.go:35:21:35:25 | xnet2 [postupdate] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
| websocketXss.go:41:24:41:29 | nhooyr | websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | Cross-site scripting vulnerability due to $@. | websocketXss.go:40:3:40:40 | ... := ...[1] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | | | websocketXss.go:41:24:41:29 | nhooyr | websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | Cross-site scripting vulnerability due to $@. | websocketXss.go:40:3:40:40 | ... := ...[1] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
| websocketXss.go:48:24:48:33 | gorillaMsg | websocketXss.go:46:7:46:16 | definition of gorillaMsg | websocketXss.go:48:24:48:33 | gorillaMsg | Cross-site scripting vulnerability due to $@. | websocketXss.go:46:7:46:16 | definition of gorillaMsg | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | | | websocketXss.go:48:24:48:33 | gorillaMsg | websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | websocketXss.go:48:24:48:33 | gorillaMsg | Cross-site scripting vulnerability due to $@. | websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
| websocketXss.go:52:24:52:31 | gorilla2 | websocketXss.go:50:3:50:10 | definition of gorilla2 | websocketXss.go:52:24:52:31 | gorilla2 | Cross-site scripting vulnerability due to $@. | websocketXss.go:50:3:50:10 | definition of gorilla2 | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | | | websocketXss.go:52:24:52:31 | gorilla2 | websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | websocketXss.go:52:24:52:31 | gorilla2 | Cross-site scripting vulnerability due to $@. | websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
| websocketXss.go:55:24:55:31 | gorilla3 | websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | Cross-site scripting vulnerability due to $@. | websocketXss.go:54:3:54:38 | ... := ...[1] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | | | websocketXss.go:55:24:55:31 | gorilla3 | websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | Cross-site scripting vulnerability due to $@. | websocketXss.go:54:3:54:38 | ... := ...[1] | user-provided value | websocketXss.go:0:0:0:0 | websocketXss.go | |
edges edges
| ReflectedXss.go:11:15:11:20 | selection of Form | ReflectedXss.go:11:15:11:36 | call to Get | provenance | Src:MaD:6 MaD:18 | | ReflectedXss.go:11:15:11:20 | selection of Form | ReflectedXss.go:11:15:11:36 | call to Get | provenance | Src:MaD:6 MaD:18 |
@@ -48,8 +48,8 @@ edges
| reflectedxsstest.go:39:16:39:21 | reader | reflectedxsstest.go:39:2:39:32 | ... := ...[0] | provenance | MaD:16 | | reflectedxsstest.go:39:16:39:21 | reader | reflectedxsstest.go:39:2:39:32 | ... := ...[0] | provenance | MaD:16 |
| reflectedxsstest.go:40:14:40:17 | part | reflectedxsstest.go:40:14:40:28 | call to FileName | provenance | MaD:15 | | reflectedxsstest.go:40:14:40:17 | part | reflectedxsstest.go:40:14:40:28 | call to FileName | provenance | MaD:15 |
| reflectedxsstest.go:40:14:40:28 | call to FileName | reflectedxsstest.go:44:46:44:53 | partName | provenance | | | reflectedxsstest.go:40:14:40:28 | call to FileName | reflectedxsstest.go:44:46:44:53 | partName | provenance | |
| reflectedxsstest.go:41:2:41:10 | definition of byteSlice | reflectedxsstest.go:45:10:45:18 | byteSlice | provenance | | | reflectedxsstest.go:42:2:42:5 | part | reflectedxsstest.go:42:12:42:20 | byteSlice [postupdate] | provenance | MaD:14 |
| reflectedxsstest.go:42:2:42:5 | part | reflectedxsstest.go:41:2:41:10 | definition of byteSlice | provenance | MaD:14 | | reflectedxsstest.go:42:12:42:20 | byteSlice [postupdate] | reflectedxsstest.go:45:10:45:18 | byteSlice | provenance | |
| reflectedxsstest.go:44:17:44:54 | []type{args} [array] | reflectedxsstest.go:44:17:44:54 | call to Sprintf | provenance | MaD:12 | | reflectedxsstest.go:44:17:44:54 | []type{args} [array] | reflectedxsstest.go:44:17:44:54 | call to Sprintf | provenance | MaD:12 |
| reflectedxsstest.go:44:17:44:54 | call to Sprintf | reflectedxsstest.go:44:10:44:55 | type conversion | provenance | | | reflectedxsstest.go:44:17:44:54 | call to Sprintf | reflectedxsstest.go:44:10:44:55 | type conversion | provenance | |
| reflectedxsstest.go:44:46:44:53 | partName | reflectedxsstest.go:44:17:44:54 | []type{args} [array] | provenance | | | reflectedxsstest.go:44:46:44:53 | partName | reflectedxsstest.go:44:17:44:54 | []type{args} [array] | provenance | |
@@ -62,11 +62,11 @@ edges
| tst.go:18:32:18:32 | a | tst.go:18:19:18:38 | call to Join | provenance | MaD:19 | | tst.go:18:32:18:32 | a | tst.go:18:19:18:38 | call to Join | provenance | MaD:19 |
| tst.go:48:14:48:19 | selection of Form | tst.go:48:14:48:34 | call to Get | provenance | Src:MaD:6 MaD:18 | | tst.go:48:14:48:19 | selection of Form | tst.go:48:14:48:34 | call to Get | provenance | Src:MaD:6 MaD:18 |
| tst.go:48:14:48:34 | call to Get | tst.go:53:12:53:26 | type conversion | provenance | | | tst.go:48:14:48:34 | call to Get | tst.go:53:12:53:26 | type conversion | provenance | |
| websocketXss.go:30:7:30:10 | definition of xnet | websocketXss.go:32:24:32:27 | xnet | provenance | Src:MaD:5 | | websocketXss.go:31:11:31:14 | xnet [postupdate] | websocketXss.go:32:24:32:27 | xnet | provenance | Src:MaD:5 |
| websocketXss.go:34:3:34:7 | definition of xnet2 | websocketXss.go:36:24:36:28 | xnet2 | provenance | Src:MaD:4 | | websocketXss.go:35:21:35:25 | xnet2 [postupdate] | websocketXss.go:36:24:36:28 | xnet2 | provenance | Src:MaD:4 |
| websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:11 | | websocketXss.go:40:3:40:40 | ... := ...[1] | websocketXss.go:41:24:41:29 | nhooyr | provenance | Src:MaD:11 |
| websocketXss.go:46:7:46:16 | definition of gorillaMsg | websocketXss.go:48:24:48:33 | gorillaMsg | provenance | Src:MaD:1 | | websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | websocketXss.go:48:24:48:33 | gorillaMsg | provenance | Src:MaD:1 |
| websocketXss.go:50:3:50:10 | definition of gorilla2 | websocketXss.go:52:24:52:31 | gorilla2 | provenance | Src:MaD:2 | | websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | websocketXss.go:52:24:52:31 | gorilla2 | provenance | Src:MaD:2 |
| websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | provenance | Src:MaD:3 | | websocketXss.go:54:3:54:38 | ... := ...[1] | websocketXss.go:55:24:55:31 | gorilla3 | provenance | Src:MaD:3 |
models models
| 1 | Source: github.com/gorilla/websocket; ; false; ReadJSON; ; ; Argument[1]; remote; manual | | 1 | Source: github.com/gorilla/websocket; ; false; ReadJSON; ; ; Argument[1]; remote; manual |
@@ -123,8 +123,8 @@ nodes
| reflectedxsstest.go:39:16:39:21 | reader | semmle.label | reader | | reflectedxsstest.go:39:16:39:21 | reader | semmle.label | reader |
| reflectedxsstest.go:40:14:40:17 | part | semmle.label | part | | reflectedxsstest.go:40:14:40:17 | part | semmle.label | part |
| reflectedxsstest.go:40:14:40:28 | call to FileName | semmle.label | call to FileName | | reflectedxsstest.go:40:14:40:28 | call to FileName | semmle.label | call to FileName |
| reflectedxsstest.go:41:2:41:10 | definition of byteSlice | semmle.label | definition of byteSlice |
| reflectedxsstest.go:42:2:42:5 | part | semmle.label | part | | reflectedxsstest.go:42:2:42:5 | part | semmle.label | part |
| reflectedxsstest.go:42:12:42:20 | byteSlice [postupdate] | semmle.label | byteSlice [postupdate] |
| reflectedxsstest.go:44:10:44:55 | type conversion | semmle.label | type conversion | | reflectedxsstest.go:44:10:44:55 | type conversion | semmle.label | type conversion |
| reflectedxsstest.go:44:17:44:54 | []type{args} [array] | semmle.label | []type{args} [array] | | reflectedxsstest.go:44:17:44:54 | []type{args} [array] | semmle.label | []type{args} [array] |
| reflectedxsstest.go:44:17:44:54 | call to Sprintf | semmle.label | call to Sprintf | | reflectedxsstest.go:44:17:44:54 | call to Sprintf | semmle.label | call to Sprintf |
@@ -141,16 +141,25 @@ nodes
| tst.go:48:14:48:19 | selection of Form | semmle.label | selection of Form | | tst.go:48:14:48:19 | selection of Form | semmle.label | selection of Form |
| tst.go:48:14:48:34 | call to Get | semmle.label | call to Get | | tst.go:48:14:48:34 | call to Get | semmle.label | call to Get |
| tst.go:53:12:53:26 | type conversion | semmle.label | type conversion | | tst.go:53:12:53:26 | type conversion | semmle.label | type conversion |
| websocketXss.go:30:7:30:10 | definition of xnet | semmle.label | definition of xnet | | websocketXss.go:31:11:31:14 | xnet [postupdate] | semmle.label | xnet [postupdate] |
| websocketXss.go:32:24:32:27 | xnet | semmle.label | xnet | | websocketXss.go:32:24:32:27 | xnet | semmle.label | xnet |
| websocketXss.go:34:3:34:7 | definition of xnet2 | semmle.label | definition of xnet2 | | websocketXss.go:35:21:35:25 | xnet2 [postupdate] | semmle.label | xnet2 [postupdate] |
| websocketXss.go:36:24:36:28 | xnet2 | semmle.label | xnet2 | | websocketXss.go:36:24:36:28 | xnet2 | semmle.label | xnet2 |
| websocketXss.go:40:3:40:40 | ... := ...[1] | semmle.label | ... := ...[1] | | websocketXss.go:40:3:40:40 | ... := ...[1] | semmle.label | ... := ...[1] |
| websocketXss.go:41:24:41:29 | nhooyr | semmle.label | nhooyr | | websocketXss.go:41:24:41:29 | nhooyr | semmle.label | nhooyr |
| websocketXss.go:46:7:46:16 | definition of gorillaMsg | semmle.label | definition of gorillaMsg | | websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | semmle.label | gorillaMsg [postupdate] |
| websocketXss.go:48:24:48:33 | gorillaMsg | semmle.label | gorillaMsg | | websocketXss.go:48:24:48:33 | gorillaMsg | semmle.label | gorillaMsg |
| websocketXss.go:50:3:50:10 | definition of gorilla2 | semmle.label | definition of gorilla2 | | websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | semmle.label | gorilla2 [postupdate] |
| websocketXss.go:52:24:52:31 | gorilla2 | semmle.label | gorilla2 | | websocketXss.go:52:24:52:31 | gorilla2 | semmle.label | gorilla2 |
| websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] | | websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
| websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 | | websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
subpaths subpaths
testFailures
| websocketXss.go:30:32:30:60 | comment | Missing result: Source[go/reflected-xss] |
| websocketXss.go:31:11:31:14 | xnet [postupdate] | Unexpected result: Source |
| websocketXss.go:34:30:34:58 | comment | Missing result: Source[go/reflected-xss] |
| websocketXss.go:35:21:35:25 | xnet2 [postupdate] | Unexpected result: Source |
| websocketXss.go:46:38:46:66 | comment | Missing result: Source[go/reflected-xss] |
| websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | Unexpected result: Source |
| websocketXss.go:50:33:50:61 | comment | Missing result: Source[go/reflected-xss] |
| websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | Unexpected result: Source |


@@ -3,15 +3,15 @@
| stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | definition of path | stored value | | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | definition of path | stored value |
edges edges
| stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1 | | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1 |
| stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... | provenance | FunctionModel | | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel |
| stored.go:25:29:25:33 | &... | stored.go:30:22:30:25 | name | provenance | | | stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance | |
| stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | provenance | | | stored.go:59:30:59:33 | definition of path | stored.go:61:22:61:25 | path | provenance | |
models models
| 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual | | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
nodes nodes
| stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] | | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
| stored.go:25:14:25:17 | rows | semmle.label | rows | | stored.go:25:14:25:17 | rows | semmle.label | rows |
| stored.go:25:29:25:33 | &... | semmle.label | &... | | stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] |
| stored.go:30:22:30:25 | name | semmle.label | name | | stored.go:30:22:30:25 | name | semmle.label | name |
| stored.go:59:30:59:33 | definition of path | semmle.label | definition of path | | stored.go:59:30:59:33 | definition of path | semmle.label | definition of path |
| stored.go:61:22:61:25 | path | semmle.label | path | | stored.go:61:22:61:25 | path | semmle.label | path |
