Remove experimental query

2025-12-16 16:53:25 +01:00 · 2025-11-10 09:33:09 +00:00
parent fa30041498
commit 536e885f18
16 changed files with 2 additions and 1874 deletions
--- a/go/ql/src/experimental/CWE-1004/AuthCookie.qll
+++ b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -1,245 +0,0 @@
-import go
-
-private class NetHttpCookieType extends Type {
-  NetHttpCookieType() { this.hasQualifiedName(package("net/http", ""), "Cookie") }
-}
-
-private class GinContextSetCookieMethod extends Method {
-  GinContextSetCookieMethod() {
-    this.hasQualifiedName(package("github.com/gin-gonic/gin", ""), "Context", "SetCookie")
-  }
-}
-
-private class GorillaSessionOptionsField extends Field {
-  GorillaSessionOptionsField() {
-    this.hasQualifiedName(package("github.com/gorilla/sessions", ""), "Session", "Options")
-  }
-}
-
-/**
- * A simplistic points-to alternative: given a struct creation and a field name, get the values that field can be assigned.
- *
- * Assumptions:
- *    - we don't reassign the variable that the creation is stored in
- *    - we always access the creation through the same variable it is initially assigned to
- *
- * This should cover most typical patterns...
- */
-private DataFlow::Node getValueForFieldWrite(StructLit sl, string field) {
-  exists(Write w, DataFlow::Node base, Field f |
-    f.getName() = field and
-    w.writesFieldPreUpdate(base, f, result) and
-    (
-      sl = base.asExpr()
-      or
-      base.asExpr() instanceof VariableName and
-      base.getAPredecessor*().asExpr() = sl
-    )
-  )
-}
-
-/**
- * Holds if the expression or its value has a sensitive name
- */
-private predicate isAuthVariable(Expr expr) {
-  exists(string val |
-    (
-      val = expr.getStringValue() or
-      val = expr.(Name).getTarget().getName()
-    ) and
-    val.regexpMatch("(?i).*(session|login|token|user|auth|credential).*") and
-    not val.regexpMatch("(?i).*(xsrf|csrf|forgery).*")
-  )
-}
-
-/**
- * A cookie passed as the second parameter to `net/http.SetCookie`.
- */
-private class SetCookieSink extends DataFlow::Node {
-  SetCookieSink() {
-    exists(DataFlow::CallNode cn |
-      cn.getTarget().hasQualifiedName(package("net/http", ""), "SetCookie") and
-      this = cn.getArgument(1)
-    )
-  }
-}
-
-private module NameToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof SetCookieSink }
-
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(StructLit sl |
-      sl.getType() instanceof NetHttpCookieType and
-      getValueForFieldWrite(sl, "Name") = pred and
-      sl = succ.asExpr()
-    )
-  }
-}
-
-/** Tracks taint flow from sensitive names to `net/http.SetCookie`. */
-module NameToNetHttpCookieTrackingFlow = TaintTracking::Global<NameToNetHttpCookieTrackingConfig>;
-
-private module BoolToNetHttpCookieTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.getType().getUnderlyingType() instanceof BoolType
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof SetCookieSink }
-
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(StructLit sl |
-      sl.getType() instanceof NetHttpCookieType and
-      getValueForFieldWrite(sl, "HttpOnly") = pred and
-      sl = succ.asExpr()
-    )
-  }
-}
-
-/**
- * Tracks taint flow from a `bool` assigned to `HttpOnly` to
- * `net/http.SetCookie`.
- */
-module BoolToNetHttpCookieTrackingFlow = TaintTracking::Global<BoolToNetHttpCookieTrackingConfig>;
-
-private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.getBoolValue() = false }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(DataFlow::MethodCallNode mcn |
-      mcn.getTarget() instanceof GinContextSetCookieMethod and
-      mcn.getArgument(6) = sink and
-      exists(DataFlow::Node nameArg |
-        NameToGinSetCookieTrackingFlow::flowTo(nameArg) and
-        mcn.getArgument(0) = nameArg
-      )
-    )
-  }
-
-  predicate observeDiffInformedIncrementalMode() {
-    any() // Merged with other flows in CookieWithoutHttpOnly.ql
-  }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
-}
-
-/**
- * Tracks data flow from `HttpOnly` set to `false` to
- * `gin-gonic/gin.Context.SetCookie`.
- */
-module BoolToGinSetCookieTrackingFlow = DataFlow::Global<BoolToGinSetCookieTrackingConfig>;
-
-private module NameToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(DataFlow::MethodCallNode mcn |
-      mcn.getTarget() instanceof GinContextSetCookieMethod and
-      mcn.getArgument(0) = sink
-    )
-  }
-}
-
-/**
- * Tracks taint flow from sensitive names to `gin-gonic/gin.Context.SetCookie`.
- */
-private module NameToGinSetCookieTrackingFlow = DataFlow::Global<NameToGinSetCookieTrackingConfig>;
-
-/**
- * The receiver of `gorilla/sessions.Session.Save` call.
- */
-private class GorillaSessionSaveSink extends DataFlow::Node {
-  GorillaSessionSaveSink() {
-    exists(DataFlow::MethodCallNode mcn |
-      this = mcn.getReceiver() and
-      mcn.getTarget()
-          .hasQualifiedName(package("github.com/gorilla/sessions", ""), "Session", "Save")
-    )
-  }
-}
-
-private class GorillaStoreSaveSink extends DataFlow::Node {
-  GorillaStoreSaveSink() {
-    exists(DataFlow::MethodCallNode mcn |
-      this = mcn.getArgument(2) and
-      mcn.getTarget()
-          .hasQualifiedName(package("github.com/gorilla/sessions", ""), "CookieStore", "Save")
-    )
-  }
-}
-
-private module GorillaCookieStoreSaveTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source
-        .(DataFlow::CallNode)
-        .getTarget()
-        .hasQualifiedName(package("github.com/gorilla/sessions", ""), "NewCookieStore")
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink instanceof GorillaSessionSaveSink or
-    sink instanceof GorillaStoreSaveSink
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::MethodCallNode cn |
-      cn.getTarget()
-          .hasQualifiedName(package("github.com/gorilla/sessions", ""), "CookieStore", "Get") and
-      pred = cn.getReceiver() and
-      succ = cn.getResult(0)
-    )
-  }
-}
-
-/**
- * Tracks data flow from gorilla cookie store creation to
- * `gorilla/sessions.Session.Save`.
- */
-module GorillaCookieStoreSaveTrackingFlow = DataFlow::Global<GorillaCookieStoreSaveTrackingConfig>;
-
-private module GorillaSessionOptionsTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    exists(StructLit sl |
-      sl.getType().hasQualifiedName(package("github.com/gorilla/sessions", ""), "Options") and
-      source.asExpr() = sl
-    )
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof GorillaSessionSaveSink }
-
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(GorillaSessionOptionsField f, DataFlow::Write w | w.writesField(succ, f, pred))
-  }
-}
-
-/**
- * Tracks taint flow from session options to
- * `gorilla/sessions.Session.Save`.
- */
-module GorillaSessionOptionsTrackingFlow =
-  TaintTracking::Global<GorillaSessionOptionsTrackingConfig>;
-
-private module BoolToGorillaSessionOptionsTrackingConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.getType().getUnderlyingType() instanceof BoolType
-  }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof GorillaSessionSaveSink }
-
-  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(StructLit sl |
-      getValueForFieldWrite(sl, "HttpOnly") = pred and
-      sl = succ.asExpr()
-    )
-    or
-    exists(GorillaSessionOptionsField f, DataFlow::Write w | w.writesField(succ, f, pred))
-  }
-}
-
-/**
- * Tracks taint flow from a `bool` assigned to `HttpOnly` to
- * `gorilla/sessions.Session.Save`.
- */
-module BoolToGorillaSessionOptionsTrackingFlow =
-  TaintTracking::Global<BoolToGorillaSessionOptionsTrackingConfig>;
--- a/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.qhelp
+++ b/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.qhelp
@@ -1,42 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-Cookies without <code>HttpOnly</code> attribute are accessible to JavaScript running in the same origin. In case of
-Cross-Site Scripting (XSS) vulnerability the cookie can be stolen by malicious script.
-</p>
-</overview>
-
-<recommendation>
-<p>
-Protect sensitive cookies, such as related to authentication, by setting <code>HttpOnly</code> to <code>true</code> to make
-them not accessible to JavaScript.
-</p>
-</recommendation>
-
-<example>
-
-<p>
-In the following example the default <code>HttpOnly</code> value is <code>false</code>.
-</p>
-
-<sample src="CookieWithoutHttpOnlyBad.go" />
-
-<p>
-In the example below <code>HttpOnly</code> is set to <code>true</code>.
-</p>
-
-<sample src="CookieWithoutHttpOnlyGood.go" />
-
-</example>
-
-<references>
-
-<li><a href="https://golang.org/pkg/net/http/#Cookie">type Cookie,</a></li>
-<li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a> Header,</li>
-
-</references>
-</qhelp>
--- a/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
+++ b/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql
@@ -1,99 +0,0 @@
-/**
- * @name 'HttpOnly' attribute is not set to true
- * @description Omitting the 'HttpOnly' attribute for security sensitive data allows
- *              malicious JavaScript to steal it in case of XSS vulnerability. Always set
- *              'HttpOnly' to 'true' to authentication related cookie to make it
- *              not accessible by JavaScript.
- * @kind path-problem
- * @problem.severity warning
- * @precision high
- * @id go/cookie-httponly-not-set
- * @tags security
- *       experimental
- *       external/cwe/cwe-1004
- */
-
-import go
-import AuthCookie
-
-module NetHttpCookieTrackingFlow =
-  DataFlow::MergePathGraph<NameToNetHttpCookieTrackingFlow::PathNode,
-    BoolToNetHttpCookieTrackingFlow::PathNode, NameToNetHttpCookieTrackingFlow::PathGraph,
-    BoolToNetHttpCookieTrackingFlow::PathGraph>;
-
-module GorillaTrackingFlow =
-  DataFlow::MergePathGraph3<GorillaCookieStoreSaveTrackingFlow::PathNode,
-    GorillaSessionOptionsTrackingFlow::PathNode, BoolToGorillaSessionOptionsTrackingFlow::PathNode,
-    GorillaCookieStoreSaveTrackingFlow::PathGraph, GorillaSessionOptionsTrackingFlow::PathGraph,
-    BoolToGorillaSessionOptionsTrackingFlow::PathGraph>;
-
-module MergedFlow =
-  DataFlow::MergePathGraph3<NetHttpCookieTrackingFlow::PathNode,
-    BoolToGinSetCookieTrackingFlow::PathNode, GorillaTrackingFlow::PathNode,
-    NetHttpCookieTrackingFlow::PathGraph, BoolToGinSetCookieTrackingFlow::PathGraph,
-    GorillaTrackingFlow::PathGraph>;
-
-import MergedFlow::PathGraph
-
-/** Holds if `HttpOnly` of `net/http.SetCookie` is set to `false` or not set (default value is used). */
-predicate isNetHttpCookieFlow(
-  NetHttpCookieTrackingFlow::PathNode source, NetHttpCookieTrackingFlow::PathNode sink
-) {
-  exists(
-    NameToNetHttpCookieTrackingFlow::PathNode sensitiveName,
-    NameToNetHttpCookieTrackingFlow::PathNode setCookieSink
-  |
-    NameToNetHttpCookieTrackingFlow::flowPath(sensitiveName, setCookieSink) and
-    (
-      not BoolToNetHttpCookieTrackingFlow::flowTo(sink.getNode()) and
-      source.asPathNode1() = sensitiveName and
-      sink.asPathNode1() = setCookieSink
-      or
-      BoolToNetHttpCookieTrackingFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
-      source.getNode().getBoolValue() = false and
-      setCookieSink.getNode() = sink.getNode()
-    )
-  )
-}
-
-/**
- * Holds if there is gorilla cookie store creation to `Save` path and
- * `HttpOnly` is set to `false` or not set (default value is used).
- */
-predicate isGorillaSessionsCookieFlow(
-  GorillaTrackingFlow::PathNode source, GorillaTrackingFlow::PathNode sink
-) {
-  exists(
-    GorillaCookieStoreSaveTrackingFlow::PathNode cookieStoreCreate,
-    GorillaCookieStoreSaveTrackingFlow::PathNode sessionSave
-  |
-    GorillaCookieStoreSaveTrackingFlow::flowPath(cookieStoreCreate, sessionSave) and
-    (
-      not GorillaSessionOptionsTrackingFlow::flowTo(sink.getNode()) and
-      source.asPathNode1() = cookieStoreCreate and
-      sink.asPathNode1() = sessionSave
-      or
-      exists(GorillaTrackingFlow::PathNode options, GorillaTrackingFlow::PathNode sessionSave2 |
-        GorillaSessionOptionsTrackingFlow::flowPath(options.asPathNode2(),
-          sessionSave2.asPathNode2()) and
-        (
-          not BoolToGorillaSessionOptionsTrackingFlow::flowTo(sink.getNode()) and
-          sink = sessionSave2 and
-          source = options and
-          sessionSave.getNode() = sessionSave2.getNode()
-          or
-          BoolToGorillaSessionOptionsTrackingFlow::flowPath(source.asPathNode3(), sink.asPathNode3()) and
-          source.getNode().getBoolValue() = false and
-          sink.getNode() = sessionSave.getNode()
-        )
-      )
-    )
-  )
-}
-
-from MergedFlow::PathNode source, MergedFlow::PathNode sink
-where
-  isNetHttpCookieFlow(source.asPathNode1(), sink.asPathNode1()) or
-  BoolToGinSetCookieTrackingFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) or
-  isGorillaSessionsCookieFlow(source.asPathNode3(), sink.asPathNode3())
-select sink.getNode(), source, sink, "Cookie attribute 'HttpOnly' is not set to true."
--- a/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnlyBad.go
+++ b/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnlyBad.go
@@ -1,17 +0,0 @@
-package main
-
-import (
-	"net/http"
-)
-
-func handler(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:  "session",
-		Value: "secret",
-	}
-	http.SetCookie(w, &c)
-}
-
-func main() {
-	http.HandleFunc("/", handler)
-}
--- a/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnlyGood.go
+++ b/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnlyGood.go
@@ -1,18 +0,0 @@
-package main
-
-import (
-	"net/http"
-)
-
-func handler(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:     "session",
-		Value:    "secret",
-		HttpOnly: true,
-	}
-	http.SetCookie(w, &c)
-}
-
-func main() {
-	http.HandleFunc("/", handler)
-}
--- a/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected
+++ b/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.expected
@@ -1,432 +0,0 @@
-edges
-| CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | CookieWithoutHttpOnly.go:15:21:15:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:12:10:12:18 | "session" | CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:15:21:15:21 | c | CookieWithoutHttpOnly.go:15:20:15:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:15:21:15:21 | c | CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | CookieWithoutHttpOnly.go:24:21:24:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:20:13:20:21 | "session" | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:22:13:22:17 | false | CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:24:21:24:21 | c | CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | CookieWithoutHttpOnly.go:33:21:33:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:29:13:29:21 | "session" | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:31:13:31:16 | true | CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:33:21:33:21 | c | CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | CookieWithoutHttpOnly.go:42:21:42:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:38:10:38:18 | "session" | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:41:15:41:18 | true | CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:42:21:42:21 | c | CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | CookieWithoutHttpOnly.go:51:21:51:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:47:10:47:18 | "session" | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:50:15:50:19 | false | CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:51:21:51:21 | c | CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:55:2:55:4 | definition of val | CookieWithoutHttpOnly.go:59:13:59:15 | val | provenance |  |
-| CookieWithoutHttpOnly.go:55:9:55:13 | false | CookieWithoutHttpOnly.go:59:13:59:15 | val | provenance |  |
-| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | CookieWithoutHttpOnly.go:61:21:61:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:57:13:57:21 | "session" | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:59:13:59:15 | val | CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:61:21:61:21 | c | CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:65:2:65:4 | definition of val | CookieWithoutHttpOnly.go:69:13:69:15 | val | provenance |  |
-| CookieWithoutHttpOnly.go:65:9:65:12 | true | CookieWithoutHttpOnly.go:69:13:69:15 | val | provenance |  |
-| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | CookieWithoutHttpOnly.go:71:21:71:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:67:13:67:21 | "session" | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:69:13:69:15 | val | CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:71:21:71:21 | c | CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:75:2:75:4 | definition of val | CookieWithoutHttpOnly.go:80:15:80:17 | val | provenance |  |
-| CookieWithoutHttpOnly.go:75:9:75:12 | true | CookieWithoutHttpOnly.go:80:15:80:17 | val | provenance |  |
-| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | CookieWithoutHttpOnly.go:81:21:81:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:77:10:77:18 | "session" | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:80:15:80:17 | val | CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:81:21:81:21 | c | CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:85:2:85:4 | definition of val | CookieWithoutHttpOnly.go:90:15:90:17 | val | provenance |  |
-| CookieWithoutHttpOnly.go:85:9:85:13 | false | CookieWithoutHttpOnly.go:90:15:90:17 | val | provenance |  |
-| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | CookieWithoutHttpOnly.go:91:21:91:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:87:10:87:18 | "session" | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:90:15:90:17 | val | CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:91:21:91:21 | c | CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | CookieWithoutHttpOnly.go:100:21:100:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:99:15:99:19 | false | CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:100:21:100:21 | c | CookieWithoutHttpOnly.go:100:20:100:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:100:21:100:21 | c | CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:104:10:104:18 | "session" | CookieWithoutHttpOnly.go:106:10:106:13 | name | provenance |  |
-| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | CookieWithoutHttpOnly.go:110:21:110:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:106:10:106:13 | name | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:109:15:109:19 | false | CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:110:21:110:21 | c | CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:114:13:114:24 | "login_name" | CookieWithoutHttpOnly.go:116:10:116:16 | session | provenance |  |
-| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | CookieWithoutHttpOnly.go:120:21:120:21 | c | provenance |  |
-| CookieWithoutHttpOnly.go:116:10:116:16 | session | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:119:15:119:19 | false | CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:120:21:120:21 | c | CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:126:16:126:20 | store | provenance |  |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:134:16:134:20 | store | provenance |  |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:146:16:146:20 | store | provenance |  |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:158:16:158:20 | store | provenance |  |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:170:16:170:20 | store | provenance |  |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:183:16:183:20 | store | provenance |  |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:195:16:195:20 | store | provenance |  |
-| CookieWithoutHttpOnly.go:126:2:126:43 | ... := ...[0] | CookieWithoutHttpOnly.go:129:2:129:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:126:16:126:20 | store | CookieWithoutHttpOnly.go:126:2:126:43 | ... := ...[0] | provenance | Config |
-| CookieWithoutHttpOnly.go:133:2:133:9 | definition of httpOnly | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | provenance |  |
-| CookieWithoutHttpOnly.go:133:14:133:18 | false | CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | provenance |  |
-| CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:134:16:134:20 | store | CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | provenance | Config |
-| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance |  |
-| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance |  |
-| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:142:2:142:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:137:20:140:2 | &... | CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | CookieWithoutHttpOnly.go:137:20:140:2 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:146:16:146:20 | store | CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | provenance | Config |
-| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | provenance |  |
-| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:153:2:153:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:149:20:151:2 | &... | CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | CookieWithoutHttpOnly.go:149:20:151:2 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:157:2:157:9 | definition of httpOnly | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance |  |
-| CookieWithoutHttpOnly.go:157:14:157:17 | true | CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | provenance |  |
-| CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:158:16:158:20 | store | CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | provenance | Config |
-| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance |  |
-| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance |  |
-| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:166:2:166:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:161:20:164:2 | &... | CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | CookieWithoutHttpOnly.go:161:20:164:2 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:169:56:169:63 | argument corresponding to httpOnly | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | provenance |  |
-| CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | provenance |  |
-| CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:170:16:170:20 | store | CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | provenance | Config |
-| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance |  |
-| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance |  |
-| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | provenance |  |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | CookieWithoutHttpOnly.go:178:2:178:8 | session | provenance |  |
-| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:173:20:176:2 | &... | CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | provenance | Config |
-| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | CookieWithoutHttpOnly.go:173:20:176:2 | &... | provenance |  |
-| CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | provenance | Config |
-| CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | CookieWithoutHttpOnly.go:191:19:191:25 | session | provenance |  |
-| CookieWithoutHttpOnly.go:183:16:183:20 | store | CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | provenance | Config |
-| CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | CookieWithoutHttpOnly.go:202:19:202:25 | session | provenance |  |
-| CookieWithoutHttpOnly.go:195:16:195:20 | store | CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | provenance | Config |
-nodes
-| CookieWithoutHttpOnly.go:11:7:14:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:12:10:12:18 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:15:20:15:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:15:20:15:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:15:21:15:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:19:7:23:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:20:13:20:21 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:22:13:22:17 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:24:20:24:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:24:20:24:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:24:21:24:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:24:21:24:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:28:7:32:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:29:13:29:21 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:31:13:31:16 | true | semmle.label | true |
-| CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:33:20:33:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:33:20:33:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:33:21:33:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:33:21:33:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:37:7:40:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:38:10:38:18 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:41:15:41:18 | true | semmle.label | true |
-| CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:42:20:42:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:42:20:42:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:42:21:42:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:42:21:42:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:46:7:49:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:47:10:47:18 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:50:15:50:19 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:51:20:51:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:51:20:51:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:51:21:51:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:51:21:51:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:55:2:55:4 | definition of val | semmle.label | definition of val |
-| CookieWithoutHttpOnly.go:55:9:55:13 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:56:7:60:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:57:13:57:21 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:59:13:59:15 | val | semmle.label | val |
-| CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:61:20:61:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:61:20:61:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:61:21:61:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:61:21:61:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:65:2:65:4 | definition of val | semmle.label | definition of val |
-| CookieWithoutHttpOnly.go:65:9:65:12 | true | semmle.label | true |
-| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:66:7:70:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:67:13:67:21 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:69:13:69:15 | val | semmle.label | val |
-| CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:71:20:71:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:71:20:71:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:71:21:71:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:71:21:71:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:75:2:75:4 | definition of val | semmle.label | definition of val |
-| CookieWithoutHttpOnly.go:75:9:75:12 | true | semmle.label | true |
-| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:76:7:79:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:77:10:77:18 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:80:15:80:17 | val | semmle.label | val |
-| CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:81:20:81:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:81:20:81:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:81:21:81:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:81:21:81:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:85:2:85:4 | definition of val | semmle.label | definition of val |
-| CookieWithoutHttpOnly.go:85:9:85:13 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:86:7:89:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:87:10:87:18 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:90:15:90:17 | val | semmle.label | val |
-| CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:91:20:91:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:91:20:91:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:91:21:91:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:91:21:91:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:95:7:98:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:99:15:99:19 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:100:20:100:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:100:20:100:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:100:21:100:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:104:10:104:18 | "session" | semmle.label | "session" |
-| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:105:7:108:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:106:10:106:13 | name | semmle.label | name |
-| CookieWithoutHttpOnly.go:109:15:109:19 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:110:20:110:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:110:20:110:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:110:21:110:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:110:21:110:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:114:13:114:24 | "login_name" | semmle.label | "login_name" |
-| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:115:7:118:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:116:10:116:16 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:119:15:119:19 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:120:20:120:21 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:120:20:120:21 | &... [pointer] | semmle.label | &... [pointer] |
-| CookieWithoutHttpOnly.go:120:21:120:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:120:21:120:21 | c | semmle.label | c |
-| CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | semmle.label | call to NewCookieStore |
-| CookieWithoutHttpOnly.go:126:2:126:43 | ... := ...[0] | semmle.label | ... := ...[0] |
-| CookieWithoutHttpOnly.go:126:16:126:20 | store | semmle.label | store |
-| CookieWithoutHttpOnly.go:129:2:129:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:133:2:133:9 | definition of httpOnly | semmle.label | definition of httpOnly |
-| CookieWithoutHttpOnly.go:133:14:133:18 | false | semmle.label | false |
-| CookieWithoutHttpOnly.go:134:2:134:43 | ... := ...[0] | semmle.label | ... := ...[0] |
-| CookieWithoutHttpOnly.go:134:16:134:20 | store | semmle.label | store |
-| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
-| CookieWithoutHttpOnly.go:137:2:137:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | semmle.label | session [postupdate] |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] | semmle.label | session [postupdate] |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
-| CookieWithoutHttpOnly.go:137:2:137:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
-| CookieWithoutHttpOnly.go:137:20:140:2 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:137:20:140:2 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:137:21:140:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:139:13:139:20 | httpOnly | semmle.label | httpOnly |
-| CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:142:2:142:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:146:2:146:43 | ... := ...[0] | semmle.label | ... := ...[0] |
-| CookieWithoutHttpOnly.go:146:16:146:20 | store | semmle.label | store |
-| CookieWithoutHttpOnly.go:149:2:149:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
-| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] | semmle.label | session [postupdate] |
-| CookieWithoutHttpOnly.go:149:2:149:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
-| CookieWithoutHttpOnly.go:149:20:151:2 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:153:2:153:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:153:2:153:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:157:2:157:9 | definition of httpOnly | semmle.label | definition of httpOnly |
-| CookieWithoutHttpOnly.go:157:14:157:17 | true | semmle.label | true |
-| CookieWithoutHttpOnly.go:158:2:158:43 | ... := ...[0] | semmle.label | ... := ...[0] |
-| CookieWithoutHttpOnly.go:158:16:158:20 | store | semmle.label | store |
-| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
-| CookieWithoutHttpOnly.go:161:2:161:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | semmle.label | session [postupdate] |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] | semmle.label | session [postupdate] |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
-| CookieWithoutHttpOnly.go:161:2:161:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
-| CookieWithoutHttpOnly.go:161:20:164:2 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:161:20:164:2 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:161:21:164:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:163:13:163:20 | httpOnly | semmle.label | httpOnly |
-| CookieWithoutHttpOnly.go:166:2:166:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:166:2:166:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:166:2:166:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:169:56:169:63 | argument corresponding to httpOnly | semmle.label | argument corresponding to httpOnly |
-| CookieWithoutHttpOnly.go:169:56:169:63 | definition of httpOnly | semmle.label | definition of httpOnly |
-| CookieWithoutHttpOnly.go:170:2:170:43 | ... := ...[0] | semmle.label | ... := ...[0] |
-| CookieWithoutHttpOnly.go:170:16:170:20 | store | semmle.label | store |
-| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
-| CookieWithoutHttpOnly.go:173:2:173:8 | implicit dereference [postupdate] | semmle.label | implicit dereference [postupdate] |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | semmle.label | session [postupdate] |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] | semmle.label | session [postupdate] |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
-| CookieWithoutHttpOnly.go:173:2:173:8 | session [postupdate] [pointer] | semmle.label | session [postupdate] [pointer] |
-| CookieWithoutHttpOnly.go:173:20:176:2 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:173:20:176:2 | &... | semmle.label | &... |
-| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:173:21:176:2 | struct literal | semmle.label | struct literal |
-| CookieWithoutHttpOnly.go:175:13:175:20 | httpOnly | semmle.label | httpOnly |
-| CookieWithoutHttpOnly.go:178:2:178:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:178:2:178:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:178:2:178:8 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:183:2:183:43 | ... := ...[0] | semmle.label | ... := ...[0] |
-| CookieWithoutHttpOnly.go:183:16:183:20 | store | semmle.label | store |
-| CookieWithoutHttpOnly.go:191:19:191:25 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:195:2:195:43 | ... := ...[0] | semmle.label | ... := ...[0] |
-| CookieWithoutHttpOnly.go:195:16:195:20 | store | semmle.label | store |
-| CookieWithoutHttpOnly.go:202:19:202:25 | session | semmle.label | session |
-| CookieWithoutHttpOnly.go:214:66:214:70 | false | semmle.label | false |
-subpaths
-#select
-| CookieWithoutHttpOnly.go:15:20:15:21 | &... | CookieWithoutHttpOnly.go:12:10:12:18 | "session" | CookieWithoutHttpOnly.go:15:20:15:21 | &... | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:24:20:24:21 | &... | CookieWithoutHttpOnly.go:22:13:22:17 | false | CookieWithoutHttpOnly.go:24:20:24:21 | &... | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:51:20:51:21 | &... | CookieWithoutHttpOnly.go:50:15:50:19 | false | CookieWithoutHttpOnly.go:51:20:51:21 | &... | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:61:20:61:21 | &... | CookieWithoutHttpOnly.go:55:9:55:13 | false | CookieWithoutHttpOnly.go:61:20:61:21 | &... | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:91:20:91:21 | &... | CookieWithoutHttpOnly.go:85:9:85:13 | false | CookieWithoutHttpOnly.go:91:20:91:21 | &... | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:110:20:110:21 | &... | CookieWithoutHttpOnly.go:109:15:109:19 | false | CookieWithoutHttpOnly.go:110:20:110:21 | &... | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:120:20:120:21 | &... | CookieWithoutHttpOnly.go:119:15:119:19 | false | CookieWithoutHttpOnly.go:120:20:120:21 | &... | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:129:2:129:8 | session | CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:129:2:129:8 | session | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:142:2:142:8 | session | CookieWithoutHttpOnly.go:133:14:133:18 | false | CookieWithoutHttpOnly.go:142:2:142:8 | session | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:153:2:153:8 | session | CookieWithoutHttpOnly.go:149:21:151:2 | struct literal | CookieWithoutHttpOnly.go:153:2:153:8 | session | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:191:19:191:25 | session | CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:191:19:191:25 | session | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:202:19:202:25 | session | CookieWithoutHttpOnly.go:123:13:123:49 | call to NewCookieStore | CookieWithoutHttpOnly.go:202:19:202:25 | session | Cookie attribute 'HttpOnly' is not set to true. |
-| CookieWithoutHttpOnly.go:214:66:214:70 | false | CookieWithoutHttpOnly.go:214:66:214:70 | false | CookieWithoutHttpOnly.go:214:66:214:70 | false | Cookie attribute 'HttpOnly' is not set to true. |
--- a/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.go
+++ b/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.go
@@ -1,219 +0,0 @@
-package main
-
-import (
-	"net/http"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gorilla/sessions"
-)
-
-func handler1(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:  "session",
-		Value: "secret",
-	}
-	http.SetCookie(w, &c) // BAD: HttpOnly set to false by default
-}
-
-func handler2(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:     "session",
-		Value:    "secret",
-		HttpOnly: false,
-	}
-	http.SetCookie(w, &c) // BAD: HttpOnly explicitly set to false
-}
-
-func handler3(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:     "session",
-		Value:    "secret",
-		HttpOnly: true,
-	}
-	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
-}
-
-func handler4(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:  "session",
-		Value: "secret",
-	}
-	c.HttpOnly = true
-	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
-}
-
-func handler5(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:  "session",
-		Value: "secret",
-	}
-	c.HttpOnly = false
-	http.SetCookie(w, &c) // BAD: HttpOnly explicitly set to false
-}
-
-func handler6(w http.ResponseWriter, r *http.Request) {
-	val := false
-	c := http.Cookie{
-		Name:     "session",
-		Value:    "secret",
-		HttpOnly: val,
-	}
-	http.SetCookie(w, &c) // BAD: HttpOnly explicitly set to false
-}
-
-func handler7(w http.ResponseWriter, r *http.Request) {
-	val := true
-	c := http.Cookie{
-		Name:     "session",
-		Value:    "secret",
-		HttpOnly: val,
-	}
-	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
-}
-
-func handler8(w http.ResponseWriter, r *http.Request) {
-	val := true
-	c := http.Cookie{
-		Name:  "session",
-		Value: "secret",
-	}
-	c.HttpOnly = val
-	http.SetCookie(w, &c) // GOOD: HttpOnly explicitly set to true
-}
-
-func handler9(w http.ResponseWriter, r *http.Request) {
-	val := false
-	c := http.Cookie{
-		Name:  "session",
-		Value: "secret",
-	}
-	c.HttpOnly = val
-	http.SetCookie(w, &c) // BAD: HttpOnly explicitly set to false
-}
-
-func handler10(w http.ResponseWriter, r *http.Request) {
-	c := http.Cookie{
-		Name:  "consent",
-		Value: "1",
-	}
-	c.HttpOnly = false
-	http.SetCookie(w, &c) // GOOD: Name is not auth related
-}
-
-func handler11(w http.ResponseWriter, r *http.Request) {
-	name := "session"
-	c := http.Cookie{
-		Name:  name,
-		Value: "secret",
-	}
-	c.HttpOnly = false
-	http.SetCookie(w, &c) // BAD: auth related name
-}
-
-func handler12(w http.ResponseWriter, r *http.Request) {
-	session := "login_name"
-	c := http.Cookie{
-		Name:  session,
-		Value: "secret",
-	}
-	c.HttpOnly = false
-	http.SetCookie(w, &c) // BAD: auth related name
-}
-
-var store = sessions.NewCookieStore([]byte("aa"))
-
-func handler13(w http.ResponseWriter, r *http.Request) {
-	session, _ := store.Get(r, "session-name")
-	session.Values["foo"] = "secret"
-
-	session.Save(r, w) // BAD: Default options are set (false)
-}
-
-func handler14(w http.ResponseWriter, r *http.Request) {
-	httpOnly := false
-	session, _ := store.Get(r, "session-name")
-	session.Values["foo"] = "secret"
-
-	session.Options = &sessions.Options{
-		MaxAge:   -1,
-		HttpOnly: httpOnly,
-	}
-
-	session.Save(r, w) // BAD: Explicitly set to false
-}
-
-func handler15(w http.ResponseWriter, r *http.Request) {
-	session, _ := store.Get(r, "session-name")
-	session.Values["foo"] = "secret"
-
-	session.Options = &sessions.Options{
-		MaxAge: -1,
-	}
-
-	session.Save(r, w) // BAD: default (false) is used
-}
-
-func handler16(w http.ResponseWriter, r *http.Request) {
-	httpOnly := true
-	session, _ := store.Get(r, "session-name")
-	session.Values["foo"] = "secret"
-
-	session.Options = &sessions.Options{
-		MaxAge:   -1,
-		HttpOnly: httpOnly,
-	}
-
-	session.Save(r, w) // GOOD: value is true
-}
-
-func handler17(w http.ResponseWriter, r *http.Request, httpOnly bool) {
-	session, _ := store.Get(r, "session-name")
-	session.Values["foo"] = "secret"
-
-	session.Options = &sessions.Options{
-		MaxAge:   -1,
-		HttpOnly: httpOnly,
-	}
-
-	session.Save(r, w) // GOOD: value is unknown
-}
-
-func handler18(w http.ResponseWriter, r *http.Request) {
-	httpOnly := false
-	session, _ := store.Get(r, "session-name")
-	session.Values["foo"] = "secret"
-
-	session.Options = &sessions.Options{
-		MaxAge:   -1,
-		HttpOnly: httpOnly,
-	}
-
-	store.Save(r, w, session) // BAD: Explicitly set to false
-}
-
-func handler19(w http.ResponseWriter, r *http.Request) {
-	session, _ := store.Get(r, "session-name")
-	session.Values["foo"] = "secret"
-
-	session.Options = &sessions.Options{
-		MaxAge: -1,
-	}
-
-	store.Save(r, w, session) // BAD: default (false) is used
-}
-
-func main() {
-
-	router := gin.Default()
-
-	router.GET("/cookie", func(c *gin.Context) {
-
-		_, err := c.Cookie("session")
-
-		if err != nil {
-			c.SetCookie("session", "test", 3600, "/", "localhost", false, false) // BAD: httpOnly set to false
-		}
-	})
-
-	router.Run()
-}
--- a/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.qlref
+++ b/go/ql/test/experimental/CWE-1004/CookieWithoutHttpOnly.qlref
@@ -1 +0,0 @@
-experimental/CWE-1004/CookieWithoutHttpOnly.ql
--- a/go/ql/test/experimental/CWE-1004/go.mod
+++ b/go/ql/test/experimental/CWE-1004/go.mod
@@ -1,8 +0,0 @@
-module example.com/m
-
-go 1.14
-
-require (
-    github.com/gin-gonic/gin v1.7.1
-    github.com/gorilla/sessions v1.2.1
-    )
--- a/go/ql/test/experimental/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE
+++ b/go/ql/test/experimental/CWE-1004/vendor/github.com/gin-gonic/gin/LICENSE
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2014 Manuel Martínez-Almeida
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
--- a/go/ql/test/experimental/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go
+++ b/go/ql/test/experimental/CWE-1004/vendor/github.com/gin-gonic/gin/binding/stub.go
@@ -1,12 +0,0 @@
-// Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/gin-gonic/gin/binding, strictly for use in testing.
-
-// See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/gin-gonic/gin/binding (exports: ; functions: YAML)
-
-// Package binding is a stub of github.com/gin-gonic/gin/binding, generated by depstubber.
-package binding
-
-import ()
-
-var YAML interface{} = nil
--- a/go/ql/test/experimental/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go
+++ b/go/ql/test/experimental/CWE-1004/vendor/github.com/gin-gonic/gin/stub.go
@@ -1,677 +0,0 @@
-// Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/gin-gonic/gin, strictly for use in testing.
-
-// See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/gin-gonic/gin (exports: Context; functions: Default)
-
-// Package gin is a stub of github.com/gin-gonic/gin, generated by depstubber.
-package gin
-
-import (
-	bufio "bufio"
-	template "html/template"
-	io "io"
-	multipart "mime/multipart"
-	net "net"
-	http "net/http"
-	time "time"
-)
-
-type Context struct {
-	Request  *http.Request
-	Writer   ResponseWriter
-	Params   Params
-	Keys     map[string]interface{}
-	Errors   interface{}
-	Accepted []string
-}
-
-func (_ *Context) Abort() {}
-
-func (_ *Context) AbortWithError(_ int, _ error) *Error {
-	return nil
-}
-
-func (_ *Context) AbortWithStatus(_ int) {}
-
-func (_ *Context) AbortWithStatusJSON(_ int, _ interface{}) {}
-
-func (_ *Context) AsciiJSON(_ int, _ interface{}) {}
-
-func (_ *Context) Bind(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) BindHeader(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) BindJSON(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) BindQuery(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) BindUri(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) BindWith(_ interface{}, _ interface{}) error {
-	return nil
-}
-
-func (_ *Context) BindXML(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) BindYAML(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ClientIP() string {
-	return ""
-}
-
-func (_ *Context) ContentType() string {
-	return ""
-}
-
-func (_ *Context) Cookie(_ string) (string, error) {
-	return "", nil
-}
-
-func (_ *Context) Copy() *Context {
-	return nil
-}
-
-func (_ *Context) Data(_ int, _ string, _ []byte) {}
-
-func (_ *Context) DataFromReader(_ int, _ int64, _ string, _ io.Reader, _ map[string]string) {}
-
-func (_ *Context) Deadline() (time.Time, bool) {
-	return time.Time{}, false
-}
-
-func (_ *Context) DefaultPostForm(_ string, _ string) string {
-	return ""
-}
-
-func (_ *Context) DefaultQuery(_ string, _ string) string {
-	return ""
-}
-
-func (_ *Context) Done() <-chan struct{} {
-	return nil
-}
-
-func (_ *Context) Err() error {
-	return nil
-}
-
-func (_ *Context) Error(_ error) *Error {
-	return nil
-}
-
-func (_ *Context) File(_ string) {}
-
-func (_ *Context) FileAttachment(_ string, _ string) {}
-
-func (_ *Context) FileFromFS(_ string, _ http.FileSystem) {}
-
-func (_ *Context) FormFile(_ string) (*multipart.FileHeader, error) {
-	return nil, nil
-}
-
-func (_ *Context) FullPath() string {
-	return ""
-}
-
-func (_ *Context) Get(_ string) (interface{}, bool) {
-	return nil, false
-}
-
-func (_ *Context) GetBool(_ string) bool {
-	return false
-}
-
-func (_ *Context) GetDuration(_ string) time.Duration {
-	return 0
-}
-
-func (_ *Context) GetFloat64(_ string) float64 {
-	return 0
-}
-
-func (_ *Context) GetHeader(_ string) string {
-	return ""
-}
-
-func (_ *Context) GetInt(_ string) int {
-	return 0
-}
-
-func (_ *Context) GetInt64(_ string) int64 {
-	return 0
-}
-
-func (_ *Context) GetPostForm(_ string) (string, bool) {
-	return "", false
-}
-
-func (_ *Context) GetPostFormArray(_ string) ([]string, bool) {
-	return nil, false
-}
-
-func (_ *Context) GetPostFormMap(_ string) (map[string]string, bool) {
-	return nil, false
-}
-
-func (_ *Context) GetQuery(_ string) (string, bool) {
-	return "", false
-}
-
-func (_ *Context) GetQueryArray(_ string) ([]string, bool) {
-	return nil, false
-}
-
-func (_ *Context) GetQueryMap(_ string) (map[string]string, bool) {
-	return nil, false
-}
-
-func (_ *Context) GetRawData() ([]byte, error) {
-	return nil, nil
-}
-
-func (_ *Context) GetString(_ string) string {
-	return ""
-}
-
-func (_ *Context) GetStringMap(_ string) map[string]interface{} {
-	return nil
-}
-
-func (_ *Context) GetStringMapString(_ string) map[string]string {
-	return nil
-}
-
-func (_ *Context) GetStringMapStringSlice(_ string) map[string][]string {
-	return nil
-}
-
-func (_ *Context) GetStringSlice(_ string) []string {
-	return nil
-}
-
-func (_ *Context) GetTime(_ string) time.Time {
-	return time.Time{}
-}
-
-func (_ *Context) GetUint(_ string) uint {
-	return 0
-}
-
-func (_ *Context) GetUint64(_ string) uint64 {
-	return 0
-}
-
-func (_ *Context) HTML(_ int, _ string, _ interface{}) {}
-
-func (_ *Context) Handler() HandlerFunc {
-	return nil
-}
-
-func (_ *Context) HandlerName() string {
-	return ""
-}
-
-func (_ *Context) HandlerNames() []string {
-	return nil
-}
-
-func (_ *Context) Header(_ string, _ string) {}
-
-func (_ *Context) IndentedJSON(_ int, _ interface{}) {}
-
-func (_ *Context) IsAborted() bool {
-	return false
-}
-
-func (_ *Context) IsWebsocket() bool {
-	return false
-}
-
-func (_ *Context) JSON(_ int, _ interface{}) {}
-
-func (_ *Context) JSONP(_ int, _ interface{}) {}
-
-func (_ *Context) MultipartForm() (*multipart.Form, error) {
-	return nil, nil
-}
-
-func (_ *Context) MustBindWith(_ interface{}, _ interface{}) error {
-	return nil
-}
-
-func (_ *Context) MustGet(_ string) interface{} {
-	return nil
-}
-
-func (_ *Context) Negotiate(_ int, _ Negotiate) {}
-
-func (_ *Context) NegotiateFormat(_ ...string) string {
-	return ""
-}
-
-func (_ *Context) Next() {}
-
-func (_ *Context) Param(_ string) string {
-	return ""
-}
-
-func (_ *Context) PostForm(_ string) string {
-	return ""
-}
-
-func (_ *Context) PostFormArray(_ string) []string {
-	return nil
-}
-
-func (_ *Context) PostFormMap(_ string) map[string]string {
-	return nil
-}
-
-func (_ *Context) ProtoBuf(_ int, _ interface{}) {}
-
-func (_ *Context) PureJSON(_ int, _ interface{}) {}
-
-func (_ *Context) Query(_ string) string {
-	return ""
-}
-
-func (_ *Context) QueryArray(_ string) []string {
-	return nil
-}
-
-func (_ *Context) QueryMap(_ string) map[string]string {
-	return nil
-}
-
-func (_ *Context) Redirect(_ int, _ string) {}
-
-func (_ *Context) RemoteIP() (net.IP, bool) {
-	return nil, false
-}
-
-func (_ *Context) Render(_ int, _ interface{}) {}
-
-func (_ *Context) SSEvent(_ string, _ interface{}) {}
-
-func (_ *Context) SaveUploadedFile(_ *multipart.FileHeader, _ string) error {
-	return nil
-}
-
-func (_ *Context) SecureJSON(_ int, _ interface{}) {}
-
-func (_ *Context) Set(_ string, _ interface{}) {}
-
-func (_ *Context) SetAccepted(_ ...string) {}
-
-func (_ *Context) SetCookie(_ string, _ string, _ int, _ string, _ string, _ bool, _ bool) {}
-
-func (_ *Context) SetSameSite(_ http.SameSite) {}
-
-func (_ *Context) ShouldBind(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindBodyWith(_ interface{}, _ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindHeader(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindJSON(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindQuery(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindUri(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindWith(_ interface{}, _ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindXML(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) ShouldBindYAML(_ interface{}) error {
-	return nil
-}
-
-func (_ *Context) Status(_ int) {}
-
-func (_ *Context) Stream(_ func(io.Writer) bool) bool {
-	return false
-}
-
-func (_ *Context) String(_ int, _ string, _ ...interface{}) {}
-
-func (_ *Context) Value(_ interface{}) interface{} {
-	return nil
-}
-
-func (_ *Context) XML(_ int, _ interface{}) {}
-
-func (_ *Context) YAML(_ int, _ interface{}) {}
-
-func Default() *Engine {
-	return nil
-}
-
-type Engine struct {
-	RouterGroup            RouterGroup
-	RedirectTrailingSlash  bool
-	RedirectFixedPath      bool
-	HandleMethodNotAllowed bool
-	ForwardedByClientIP    bool
-	RemoteIPHeaders        []string
-	TrustedProxies         []string
-	AppEngine              bool
-	UseRawPath             bool
-	UnescapePathValues     bool
-	MaxMultipartMemory     int64
-	RemoveExtraSlash       bool
-	HTMLRender             interface{}
-	FuncMap                template.FuncMap
-}
-
-func (_ *Engine) Any(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) BasePath() string {
-	return ""
-}
-
-func (_ *Engine) DELETE(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) Delims(_ string, _ string) *Engine {
-	return nil
-}
-
-func (_ *Engine) GET(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) Group(_ string, _ ...HandlerFunc) *RouterGroup {
-	return nil
-}
-
-func (_ *Engine) HEAD(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) HandleContext(_ *Context) {}
-
-func (_ *Engine) LoadHTMLFiles(_ ...string) {}
-
-func (_ *Engine) LoadHTMLGlob(_ string) {}
-
-func (_ *Engine) NoMethod(_ ...HandlerFunc) {}
-
-func (_ *Engine) NoRoute(_ ...HandlerFunc) {}
-
-func (_ *Engine) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) PATCH(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) POST(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) PUT(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *Engine) Routes() RoutesInfo {
-	return nil
-}
-
-func (_ *Engine) Run(_ ...string) error {
-	return nil
-}
-
-func (_ *Engine) RunFd(_ int) error {
-	return nil
-}
-
-func (_ *Engine) RunListener(_ net.Listener) error {
-	return nil
-}
-
-func (_ *Engine) RunTLS(_ string, _ string, _ string) error {
-	return nil
-}
-
-func (_ *Engine) RunUnix(_ string) error {
-	return nil
-}
-
-func (_ *Engine) SecureJsonPrefix(_ string) *Engine {
-	return nil
-}
-
-func (_ *Engine) ServeHTTP(_ http.ResponseWriter, _ *http.Request) {}
-
-func (_ *Engine) SetFuncMap(_ template.FuncMap) {}
-
-func (_ *Engine) SetHTMLTemplate(_ *template.Template) {}
-
-func (_ *Engine) Static(_ string, _ string) IRoutes {
-	return nil
-}
-
-func (_ *Engine) StaticFS(_ string, _ http.FileSystem) IRoutes {
-	return nil
-}
-
-func (_ *Engine) StaticFile(_ string, _ string) IRoutes {
-	return nil
-}
-
-func (_ *Engine) Use(_ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-type Error struct {
-	Err  error
-	Type ErrorType
-	Meta interface{}
-}
-
-func (_ Error) Error() string {
-	return ""
-}
-
-func (_ *Error) IsType(_ ErrorType) bool {
-	return false
-}
-
-func (_ *Error) JSON() interface{} {
-	return nil
-}
-
-func (_ *Error) MarshalJSON() ([]byte, error) {
-	return nil, nil
-}
-
-func (_ *Error) SetMeta(_ interface{}) *Error {
-	return nil
-}
-
-func (_ *Error) SetType(_ ErrorType) *Error {
-	return nil
-}
-
-func (_ *Error) Unwrap() error {
-	return nil
-}
-
-type ErrorType uint64
-
-type HandlerFunc func(*Context)
-
-type HandlersChain []HandlerFunc
-
-func (_ HandlersChain) Last() HandlerFunc {
-	return nil
-}
-
-type IRoutes interface {
-	Any(_ string, _ ...HandlerFunc) IRoutes
-	DELETE(_ string, _ ...HandlerFunc) IRoutes
-	GET(_ string, _ ...HandlerFunc) IRoutes
-	HEAD(_ string, _ ...HandlerFunc) IRoutes
-	Handle(_ string, _ string, _ ...HandlerFunc) IRoutes
-	OPTIONS(_ string, _ ...HandlerFunc) IRoutes
-	PATCH(_ string, _ ...HandlerFunc) IRoutes
-	POST(_ string, _ ...HandlerFunc) IRoutes
-	PUT(_ string, _ ...HandlerFunc) IRoutes
-	Static(_ string, _ string) IRoutes
-	StaticFS(_ string, _ http.FileSystem) IRoutes
-	StaticFile(_ string, _ string) IRoutes
-	Use(_ ...HandlerFunc) IRoutes
-}
-
-type Negotiate struct {
-	Offered  []string
-	HTMLName string
-	HTMLData interface{}
-	JSONData interface{}
-	XMLData  interface{}
-	YAMLData interface{}
-	Data     interface{}
-}
-
-type Param struct {
-	Key   string
-	Value string
-}
-
-type Params []Param
-
-func (_ Params) ByName(_ string) string {
-	return ""
-}
-
-func (_ Params) Get(_ string) (string, bool) {
-	return "", false
-}
-
-type ResponseWriter interface {
-	CloseNotify() <-chan bool
-	Flush()
-	Header() http.Header
-	Hijack() (net.Conn, *bufio.ReadWriter, error)
-	Pusher() http.Pusher
-	Size() int
-	Status() int
-	Write(_ []byte) (int, error)
-	WriteHeader(_ int)
-	WriteHeaderNow()
-	WriteString(_ string) (int, error)
-	Written() bool
-}
-
-type RouteInfo struct {
-	Method      string
-	Path        string
-	Handler     string
-	HandlerFunc HandlerFunc
-}
-
-type RouterGroup struct {
-	Handlers HandlersChain
-}
-
-func (_ *RouterGroup) Any(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) BasePath() string {
-	return ""
-}
-
-func (_ *RouterGroup) DELETE(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) GET(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) Group(_ string, _ ...HandlerFunc) *RouterGroup {
-	return nil
-}
-
-func (_ *RouterGroup) HEAD(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) Handle(_ string, _ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) OPTIONS(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) PATCH(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) POST(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) PUT(_ string, _ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) Static(_ string, _ string) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) StaticFS(_ string, _ http.FileSystem) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) StaticFile(_ string, _ string) IRoutes {
-	return nil
-}
-
-func (_ *RouterGroup) Use(_ ...HandlerFunc) IRoutes {
-	return nil
-}
-
-type RoutesInfo []RouteInfo
--- a/go/ql/test/experimental/CWE-1004/vendor/github.com/gorilla/sessions/stub.go
+++ b/go/ql/test/experimental/CWE-1004/vendor/github.com/gorilla/sessions/stub.go
@@ -1,75 +0,0 @@
-// Code generated by depstubber. DO NOT EDIT.
-// This is a simple stub for github.com/gorilla/sessions, strictly for use in testing.
-
-// See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/gorilla/sessions (exports: CookieStore; functions: NewCookieStore)
-
-// Package sessions is a stub of github.com/gorilla/sessions, generated by depstubber.
-package sessions
-
-import (
-	http "net/http"
-)
-
-type CookieStore struct {
-	Codecs  []interface{}
-	Options *Options
-}
-
-func (_ *CookieStore) Get(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) MaxAge(_ int) {}
-
-func (_ *CookieStore) New(_ *http.Request, _ string) (*Session, error) {
-	return nil, nil
-}
-
-func (_ *CookieStore) Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error {
-	return nil
-}
-
-func NewCookieStore(_ ...[]byte) *CookieStore {
-	return nil
-}
-
-type Options struct {
-	Path     string
-	Domain   string
-	MaxAge   int
-	Secure   bool
-	HttpOnly bool
-	SameSite http.SameSite
-}
-
-type Session struct {
-	ID      string
-	Values  map[interface{}]interface{}
-	Options *Options
-	IsNew   bool
-}
-
-func (_ *Session) AddFlash(_ interface{}, _ ...string) {}
-
-func (_ *Session) Flashes(_ ...string) []interface{} {
-	return nil
-}
-
-func (_ *Session) Name() string {
-	return ""
-}
-
-func (_ *Session) Save(_ *http.Request, _ http.ResponseWriter) error {
-	return nil
-}
-
-func (_ *Session) Store() Store {
-	return nil
-}
-
-type Store interface {
-	Get(_ *http.Request, _ string) (*Session, error)
-	New(_ *http.Request, _ string) (*Session, error)
-	Save(_ *http.Request, _ http.ResponseWriter, _ *Session) error
-}
--- a/go/ql/test/experimental/CWE-1004/vendor/modules.txt
+++ b/go/ql/test/experimental/CWE-1004/vendor/modules.txt
@@ -1,6 +0,0 @@
-# github.com/gin-gonic/gin v1.7.1
-## explicit
-github.com/gin-gonic/gin
-# github.com/gorilla/sessions v1.2.1
-## explicit
-github.com/gorilla/sessions
--- a/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref
+++ b/go/ql/test/query-tests/Security/CWE-1004/CookieWithoutHttpOnly.qlref
@@ -1,2 +1,2 @@
-query: security/CWE-1004/CookieWithoutHttpOnly.ql
+query: Security/CWE-1004/CookieWithoutHttpOnly.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref
+++ b/go/ql/test/query-tests/Security/CWE-614/CookieWithoutSecure.qlref
@@ -1,2 +1,2 @@
-query: security/CWE-614/CookieWithoutSecure.ql
+query: Security/CWE-614/CookieWithoutSecure.ql
 postprocess: utils/test/InlineExpectationsTestQuery.ql
				`@@ -1 +0,0 @@`
				`experimental/CWE-1004/CookieWithoutHttpOnly.ql`