Merge pull request #21150 from github/jketema/go-1.26

Go: Update to 1.26

MODULE.bazel

@@ -254,7 +254,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.25.7")
+go_sdk.download(version = "1.26.0")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

docs/codeql/reusables/supported-versions-compilers.rst

@@ -17,7 +17,7 @@
 
    .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.slnx``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
    GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
-   Go (aka Golang), "Go up to 1.25", "Go 1.11 or more recent", ``.go``
+   Go (aka Golang), "Go up to 1.26", "Go 1.11 or more recent", ``.go``
    Java,"Java 7 to 25 [6]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [7]_",``.java``

go/actions/test/action.yml

@@ -4,7 +4,7 @@ inputs:
   go-test-version:
     description: Which Go version to use for running the tests
     required: false
-    default: "~1.25.7"
+    default: "~1.26.0"
   run-code-checks:
     description: Whether to run formatting, code and qhelp generation checks
     required: false

go/extractor/autobuilder/build-environment.go

@@ -12,7 +12,7 @@ import (
 )
 
 var minGoVersion = util.NewSemVer("1.11")
-var maxGoVersion = util.NewSemVer("1.25")
+var maxGoVersion = util.NewSemVer("1.26")
 
 type versionInfo struct {
 	goModVersion util.SemVer // The version of Go found in the go directive in the `go.mod` file.

go/extractor/go.mod

@@ -1,8 +1,8 @@
 module github.com/github/codeql-go/extractor
 
-go 1.25
+go 1.26
 
-toolchain go1.25.7
+toolchain go1.26.0
 
 // when updating this, run
 //    bazel run @rules_go//go -- mod tidy

go/ql/lib/change-notes/2026-01-20-go-version-1-26.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Go 1.26 is now supported.

go/ql/lib/ext/builtin.model.yml

@@ -11,3 +11,4 @@ extensions:
       - ["", "", False, "copy", "", "", "Argument[1].ArrayElement", "Argument[0].ArrayElement", "value", "manual"]
       - ["", "", False, "max", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
       - ["", "", False, "min", "", "", "Argument[0..1000]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "new", "", "", "Argument[0]", "ReturnValue.Dereference", "value", "manual"]

go/ql/lib/ext/bytes.model.yml

@@ -43,6 +43,7 @@ extensions:
       - ["bytes", "", False, "TrimSuffix", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["bytes", "Buffer", True, "Bytes", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
       - ["bytes", "Buffer", True, "Next", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["bytes", "Buffer", True, "Peek", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["bytes", "Buffer", True, "ReadBytes", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["bytes", "Buffer", True, "ReadString", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
       - ["bytes", "Reader", True, "Reset", "", "", "Argument[0]", "Argument[receiver]", "taint", "manual"]

go/ql/lib/ext/errors.model.yml

@@ -4,5 +4,6 @@ extensions:
       extensible: summaryModel
     data:
       - ["errors", "", False, "As", "", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["errors", "", False, "AsType", "", "", "Argument[0]", "ReturnValue[0]", "taint", "manual"]
       - ["errors", "", False, "New", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["errors", "", False, "Unwrap", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

go/ql/lib/semmle/go/dataflow/ExternalFlow.qll

@@ -153,7 +153,10 @@ module ModelValidation {
         not part = "" and
         not (part = "Argument" and pred = "sink") and
         not parseArg(part, _) and
-        not part.getName() = "Field"
+        // If the database does not contain any fields/pointer types then no
+        // FieldContent/PointerContent exists, so we spuriously think that
+        // these spec components are invalid.
+        not part.getName() = ["Field", "Dereference"]
         or
         part = input.getToken(0) and
         parseParam(part, _)
@@ -176,7 +179,10 @@ module ModelValidation {
         invalidSpecComponent(output, part) and
         not part = "" and
         not (part = ["Argument", "Parameter"] and pred = "source") and
-        not part.getName() = "Field"
+        // If the database does not contain any fields/pointer types then no
+        // FieldContent/PointerContent exists, so we spuriously think that
+        // these spec components are invalid.
+        not part.getName() = ["Field", "Dereference"]
         or
         invalidIndexComponent(output, part)
       ) and

go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/go.mod

@@ -1,5 +1,5 @@
 module semmle.go.Packages
 
-go 1.13
+go 1.26
 
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/sinks.expected

@@ -44,4 +44,6 @@ invalidModelRow
 | test.go:199:23:199:26 | arg2 | qltest |
 | test.go:199:29:199:32 | arg3 | qltest |
 | test.go:202:22:202:25 | temp | qltest |
-| test.go:206:10:206:12 | src | qltest |
+| test.go:204:10:204:17 | call to new | qltest |
+| test.go:205:10:205:18 | star expression | qltest |
+| test.go:209:10:209:12 | src | qltest |

go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected

@@ -22,4 +22,4 @@ invalidModelRow
 | test.go:187:24:187:31 | call to Src1 | qltest |
 | test.go:191:24:191:31 | call to Src1 | qltest |
 | test.go:201:10:201:28 | selection of SourceVariable | qltest |
-| test.go:205:15:205:17 | definition of src | qltest |
+| test.go:208:15:208:17 | definition of src | qltest |

go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/test.go

@@ -200,6 +200,9 @@ func simpleflow() {
 
 	temp := test.SourceVariable
 	test.SinkVariable = temp // $ hasTaintFlow="temp"
+
+	b.Sink1(new(src))  // $ hasTaintFlow="call to new"
+	b.Sink1(*new(src)) // $ hasTaintFlow="star expression"
 }
 
 func srcParam(src string, b test.B) {

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/go.mod

@@ -1,5 +1,5 @@
 module semmle.go.Packages
 
-go 1.21
+go 1.26
 
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/sinks.expected

@@ -50,4 +50,6 @@ invalidModelRow
 | test.go:206:10:206:26 | call to min | qltest |
 | test.go:207:10:207:26 | call to min | qltest |
 | test.go:210:22:210:25 | temp | qltest |
-| test.go:214:10:214:12 | src | qltest |
+| test.go:212:10:212:17 | call to new | qltest |
+| test.go:213:10:213:18 | star expression | qltest |
+| test.go:217:10:217:12 | src | qltest |

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected

@@ -22,4 +22,4 @@ invalidModelRow
 | test.go:187:24:187:31 | call to Src1 | qltest |
 | test.go:191:24:191:31 | call to Src1 | qltest |
 | test.go:209:10:209:28 | selection of SourceVariable | qltest |
-| test.go:213:15:213:17 | definition of src | qltest |
+| test.go:216:15:216:17 | definition of src | qltest |

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/test.go

@@ -208,6 +208,9 @@ func simpleflow() {
 
 	temp := test.SourceVariable
 	test.SinkVariable = temp // $ hasValueFlow="temp"
+
+	b.Sink1(new(src))
+	b.Sink1(*new(src)) // $ hasValueFlow="star expression"
 }
 
 func srcParam(src string, b test.B) {

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Builtin.go

@@ -0,0 +1,116 @@
+package main
+
+// Also tested in go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow
+// and go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow.
+
+func TaintStepTest_Append1(sourceCQL interface{}) interface{} {
+	from := sourceCQL.([]byte)
+	var intoInterface interface{}
+	intoInterface = append(from, "a string"...)
+	return intoInterface
+}
+
+func TaintStepTest_Append2(sourceCQL interface{}) interface{} {
+	from := sourceCQL.(int)
+	slice := []int{from}
+	var intoInterface []int
+	intoInterface = append(slice, 0)
+	return intoInterface[0]
+}
+
+func TaintStepTest_Append3(sourceCQL interface{}) interface{} {
+	from := sourceCQL.(string)
+	var intoInterface interface{}
+	intoInterface = append([]byte{}, from...)
+	return intoInterface
+}
+
+func TaintStepTest_Append4(sourceCQL interface{}) interface{} {
+	from := sourceCQL.(int)
+	var intoInterface []int
+	intoInterface = append([]int{}, 0, from, 1)
+	return intoInterface[0]
+}
+
+func TaintStepTest_Copy1(sourceCQL interface{}) interface{} {
+	from := sourceCQL.(string)
+	var intoInterface []byte
+	copy(intoInterface, from)
+	return intoInterface
+}
+
+func TaintStepTest_Copy2(sourceCQL interface{}) interface{} {
+	from := []int{sourceCQL.(int)}
+	var intoInterface []int
+	copy(intoInterface, from)
+	return intoInterface[0]
+}
+
+func TaintStepTest_Max(sourceCQL interface{}) interface{} {
+	from := sourceCQL.(int)
+	var intoInterface int
+	intoInterface = max(0, 1, from, 2, 3)
+	return intoInterface
+}
+
+func TaintStepTest_Min(sourceCQL interface{}) interface{} {
+	from := sourceCQL.(int)
+	var intoInterface int
+	intoInterface = min(0, 1, from, 2, 3)
+	return intoInterface
+}
+
+func TaintStepTest_New(sourceCQL interface{}) interface{} {
+	from := sourceCQL.(int)
+	var intoInterface *int
+	intoInterface = new(from)
+	return *intoInterface
+}
+
+func RunAllTaints_Builtin() {
+	{
+		source := newSource(0)
+		out := TaintStepTest_Append1(source)
+		sink(0, out)
+	}
+	{
+		source := newSource(1)
+		out := TaintStepTest_Append2(source)
+		sink(1, out)
+	}
+	{
+		source := newSource(2)
+		out := TaintStepTest_Append3(source)
+		sink(2, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_Append4(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_Copy1(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_Copy2(source)
+		sink(5, out)
+	}
+	{
+		source := newSource(3)
+		out := TaintStepTest_Max(source)
+		sink(3, out)
+	}
+	{
+		source := newSource(4)
+		out := TaintStepTest_Min(source)
+		sink(4, out)
+	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_New(source)
+		sink(5, out)
+	}
+}

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Bytes.go

@@ -349,6 +349,12 @@ func TaintStepTest_CutSuffix(sourceCQL interface{}) interface{} {
 	return result
 }
 
+func TaintStepTest_BytesBufferPeek(sourceCQL interface{}) interface{} {
+	fromBuffer := sourceCQL.(bytes.Buffer)
+	intoByte, _ := fromBuffer.Peek(128)
+	return intoByte
+}
+
 func RunAllTaints_Bytes() {
 	{
 		source := newSource(0)
@@ -625,4 +631,9 @@ func RunAllTaints_Bytes() {
 		out := TaintStepTest_Clone(source)
 		sink(54, out)
 	}
+	{
+		source := newSource(55)
+		out := TaintStepTest_BytesBufferPeek(source)
+		sink(55, out)
+	}
 }

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Errors.go

@@ -35,6 +35,13 @@ func TaintStepTest_ErrorsJoin2(sourceCQL interface{}) interface{} {
 	return intoError957
 }
 
+func TaintStepTest_ErrorsAsType(sourceCQL interface{}) interface{} {
+	fromError := sourceCQL.(error)
+	var intoInterface interface{}
+	intoInterface, _ = errors.AsType[error](fromError)
+	return intoInterface
+}
+
 func RunAllTaints_Errors() {
 	{
 		source := newSource(0)
@@ -61,4 +68,9 @@ func RunAllTaints_Errors() {
 		out := TaintStepTest_ErrorsJoin2(source)
 		sink(4, out)
 	}
+	{
+		source := newSource(5)
+		out := TaintStepTest_ErrorsAsType(source)
+		sink(5, out)
+	}
 }

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/go.mod

@@ -1,6 +1,6 @@
 module example.com/m
 
-go 1.24
+go 1.26
 
 require (
 	golang.org/x/net v0.0.0-20201010224723-4f7140c49acb