diff --git a/change-notes/1.24/analysis-go.md b/change-notes/1.24/analysis-go.md index 26ea820c8d2..4a335191f18 100644 --- a/change-notes/1.24/analysis-go.md +++ b/change-notes/1.24/analysis-go.md @@ -2,11 +2,11 @@ ## General improvements -* Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`). +* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`). * Analysis of flow through fields and elements of arrays and slices has been improved, which may lead to more results from the security queries. * Detection of test code has been improved. LGTM will not show alerts in test code by default. * Go 1.14 library changes have been modeled. -* More sources of untrusted input as well as vulnerable sinks are modelled, which may lead to more results from the security queries. +* More sources of untrusted input as well as vulnerable sinks are modeled, which may lead to more results from the security queries. ## New queries 
@@ -26,14 +26,14 @@ The CodeQL library for Go now contains a folder of simple "cookbook" queries tha ## Changes to existing queries -| **Query** | **Expected impact** | **Change** | -|-------------------------------------------------------------------------------|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Arbitrary file write during zip extraction ("zip slip") (`go/zipslip`) | Fewer false positives | The query now recognizes more cases where it is safe to use a path extractor from an archive. | -| Bitwise exclusive-or used like exponentiation (`go/mistyped-exponentiation`) | Fewer false positives | The query now identifies when the value of an xor is assigned to a mask object, and excludes such results. | -| Command built from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including sources that flow into shells, sudo, or programming-language interpreters as arguments. | -| Database query built from user-controlled sources (`go/sql-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases. | -| Identical operands (`go/redundant-operation`) | Fewer false positives | The query no longer flags cases where the operands have the same value but are syntactically distinct, since this is usually intentional. | -| Incomplete regular expression for hostnames (`go/incomplete-hostname-regexp`) | More results | The query now flags unescaped dots before the TLD in a hostname regex. | -| Open URL redirect (`go/unvalidated-url-redirection`) | Fewer false positives | The query now identifies some sources that are not attacker-controlled, and excludes results with such sources. 
| -| Reflected cross-site scripting (`go/reflected-xss`) | Fewer results | Untrusted input flowing into an HTTP header definition or into an `fmt.Fprintf` call with a constant prefix is no longer flagged, since it is in both cases often harmless. | -| Useless assignment to field (`go/useless-assignment-to-field`) | Fewer false positives | The query now conservatively handles fields promoted through embedded pointer types. | +| **Query** | **Expected impact** | **Change** | +|-------------------------------------------------------------------------------|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Arbitrary file write during zip extraction ("zip slip") (`go/zipslip`) | Fewer false positive results | The query now excludes more cases where it is safe to use a path extractor from an archive. | +| Bitwise exclusive-or used like exponentiation (`go/mistyped-exponentiation`) | Fewer false positive results | The query now identifies when the value of an xor is assigned to a mask object, and excludes such results. | +| Command built from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including sources that flow into shells, sudo, or programming-language interpreters as arguments. | +| Database query built from user-controlled sources (`go/sql-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases. | +| Identical operands (`go/redundant-operation`) | Fewer false positive results | The query no longer flags cases where the operands have the same value but are syntactically distinct, since this is usually intentional. 
| +| Incomplete regular expression for hostnames (`go/incomplete-hostname-regexp`) | More results | The query now flags unescaped dots before the TLD in a hostname regex. | +| Open URL redirect (`go/unvalidated-url-redirection`) | Fewer false positive results | The query now identifies some sources that are not attacker-controlled, and excludes results with such sources. | +| Reflected cross-site scripting (`go/reflected-xss`) | Fewer results | Untrusted input flowing into an HTTP header definition or into an `fmt.Fprintf` call with a constant prefix is no longer flagged, since it is in both cases often harmless. | +| Useless assignment to field (`go/useless-assignment-to-field`) | Fewer false positive results | The query now conservatively handles fields promoted through embedded pointer types. | diff --git a/change-notes/1.24/extractor-go.md b/change-notes/1.24/extractor-go.md index 5f3a1a02eea..c51d47a78d1 100644 --- a/change-notes/1.24/extractor-go.md +++ b/change-notes/1.24/extractor-go.md 
@@ -2,15 +2,18 @@ # Improvements to Go analysis +## Improvements to the autobuilder + +* When Makefiles or custom build scripts are present in the codebase, the autobuilder uses them to install dependencies. The build command + to invoke can be configured via `lgtm.yml`, or by setting the environment variable `CODEQL_EXTRACTOR_GO_BUILD_COMMAND`. +* The autobuilder now attempts to automatically detect when dependencies have been vendored and use `-mod=vendor` appropriately. + ## Changes to code extraction +* The extractor now supports Go 1.14. * In resource-constrained environments, the environment variable `CODEQL_EXTRACTOR_GO_MAX_GOROUTINES` can be used to limit the number of parallel goroutines started by the extractor, which reduces CPU and memory requirements. The default value for this variable is 32. -* The autobuilder now runs Makefiles or custom build scripts present in the codebase to install dependencies. The build command - to invoke can be configured via `lgtm.yml`, or by setting the environment variable `CODEQL_EXTRACTOR_GO_BUILD_COMMAND`. -* The autobuilder now attempts to automatically detect when dependencies have been vendored and use `-mod=vendor` appropriately. * The extractor now uses buffered i/o for writing database files, which reduces the amount of time taken for extraction. * The extractor now compresses intermediate files used for constructing databases, which reduces the amount of disk space it requires. -* The extractor now supports extracting go.mod files, enabling queries on dependencies and their versions. -* The extractor now supports Go 1.14. +* The extractor now supports extracting `go.mod` files, enabling queries on dependencies and their versions.
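Review bot: in the first hunk of `change-notes/1.24/analysis-go.md`, the reworded suppression bullet still says "single-line block comments (`/* ... */`)" without stating what happens to a block comment that spans more than one line; if such comments are not recognized as suppressions, say so in the same sentence ("a block comment must start and end on the same line") so users do not assume any `/* lgtm[...] */` will work. The spelling fix from "modelled" to "modeled" is correct and now matches the "Go 1.14 library changes have been modeled" bullet above it.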
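Review bot: the rewritten `go/zipslip` row in the "Changes to existing queries" table still reads "where it is safe to use a path extractor from an archive", which is hard to parse; it presumably means "where it is safe to use a path extracted from an archive", so fix that while the row is being touched. The same hunk changes every "Fewer false positives" cell to "Fewer false positive results" but leaves the `go/reflected-xss` row as "Fewer results"; if that is deliberate because the dropped header and `fmt.Fprintf` cases are only "often harmless" rather than false positives, that is a sound distinction and worth keeping, but it reads like an oversight next to the otherwise uniform column, so a reviewer will ask.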
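Review bot: in the `change-notes/1.24/extractor-go.md` hunk, the new autobuilder bullet replaces "The autobuilder now runs Makefiles or custom build scripts present in the codebase" with "uses them to install dependencies", which hides the security-relevant fact that scripts checked into the repository are executed during extraction. Keep the verb "runs" (for example: "the autobuilder runs them to install dependencies") so a reader evaluating what code executes in the analysis environment is not misled, and keep the following sentence about overriding the command via `lgtm.yml` or `CODEQL_EXTRACTOR_GO_BUILD_COMMAND` attached to it, since that is the opt-out. Moving the two autobuilder bullets into their own "Improvements to the autobuilder" section and backticking `go.mod` are fine; the reordering of "The extractor now supports Go 1.14" to the top of "Changes to code extraction" matches the "Go 1.14 library changes have been modeled" note in `analysis-go.md`.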