mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
codeql-go merge prep: move into go/ directory
15
go/old-change-notes/1.23/analysis-go.md
Normal file
@@ -0,0 +1,15 @@
# Improvements to Go analysis
## New queries
| **Query** | **Tags** | **Purpose** |
|---------------------------------------------------------------------------|----------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| Clear-text logging of sensitive information (`go/clear-text-logging`) | security, external/cwe/cwe-312, external/cwe/cwe-315, external/cwe/cwe-359 | Highlights code that writes sensitive information to a log file, or to the console, without encryption or hashing. Results are shown on LGTM by default. |
| Open URL redirect (`go/unvalidated-url-redirection`) | security, external/cwe/cwe-601 | Highlights code that redirects to a URL that may be controlled by an attacker. Results are shown on LGTM by default. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|-----------------------------------------------------|------------------------------|-----------------------------------------------------------|
| Expression has no effect (`go/useless-expression`) | Fewer false positive results | This query no longer flags calls to empty stub functions. |
| Hard-coded credentials (`go/hardcoded-credentials`) | Fewer false positive results | This query now recognizes more placeholder credentials. |
39
go/old-change-notes/1.24/analysis-go.md
Normal file
@@ -0,0 +1,39 @@
# Improvements to Go analysis
## General improvements
* You can now suppress alerts using either single-line block comments (`/* ... */`) or line comments (`// ...`).
* Analysis of flow through fields and elements of arrays and slices has been improved, which may lead to more results from the security queries.
* Detection of test code has been improved. LGTM will not show alerts in test code by default.
* Go 1.14 library changes have been modeled.
* More sources of untrusted input as well as vulnerable sinks are modeled, which may lead to more results from the security queries.
## New queries
The CodeQL library for Go now contains a folder of simple "cookbook" queries that show how to access basic Go elements using the predicates defined by the standard library. They're intended to give you a starting point for your own experiments and to help you work out the best way to frame your questions using CodeQL. You can find them in the `examples/snippets` folder in the [CodeQL for Go repository](https://github.com/github/codeql-go/tree/main/ql/examples/snippets).
| **Query** | **Tags** | **Purpose** |
|------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Bad check of redirect URL (`go/bad-redirect-check`) | correctness, security, external/cwe/cwe-601 | Highlights checks that ensure redirect URLs start with `/` but don't check for `//` or `/\`. Results are shown on LGTM by default. |
| Constant length comparison (`go/constant-length-comparison`) | correctness | Highlights code that checks the length of an array or slice against a constant before indexing it using a variable, suggesting a logic error. Results are shown on LGTM by default. |
| Disabled TLS certificate check (`go/disabled-certificate-check`) | security, external/cwe/295 | Highlights code that disables TLS certificate checking. Results are shown on LGTM by default. |
| Impossible interface nil check (`go/impossible-interface-nil-check`) | correctness | Highlights code that compares an interface value that cannot be `nil` to `nil`, suggesting a logic error. Results are shown on LGTM by default. |
| Incomplete URL scheme check (`go/incomplete-url-scheme-check`) | correctness, security, external/cwe/cwe-020 | Highlights checks for `javascript` URLs that do not take `data` or `vbscript` URLs into account. Results are shown on LGTM by default. |
| Potentially unsafe quoting (`go/unsafe-quoting`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-089, external/cwe/cwe-094 | Highlights code that constructs a quoted string literal containing data that may itself contain quotes. Results are shown on LGTM by default. |
| Size computation for allocation may overflow (`go/allocation-size-overflow`) | correctness, security, external/cwe/cwe-190 | Highlights code that computes the size of an allocation based on the size of a potentially large object. Results are shown on LGTM by default. |
| Uncontrolled data used in network request (`go/request-forgery`) | correctness, security, external/cwe/cwe-918 | Highlights code that uses uncontrolled user input to make a request. Results are shown on LGTM by default. |
| XPath injection (`go/xml/xpath-injection`) | security, external/cwe/cwe-643 | Highlights code that uses remote input in an XPath expression. Results are shown on LGTM by default. |
## Changes to existing queries
| **Query** | **Expected impact** | **Change** |
|-------------------------------------------------------------------------------|------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Arbitrary file write during zip extraction ("zip slip") (`go/zipslip`) | Fewer false positive results | The query now excludes more cases where it is safe to use a path extractor from an archive. |
| Bitwise exclusive-or used like exponentiation (`go/mistyped-exponentiation`) | Fewer false positive results | The query now identifies when the value of an xor is assigned to a mask object, and excludes such results. |
| Command built from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including sources that flow into shells, sudo, or programming-language interpreters as arguments. |
| Database query built from user-controlled sources (`go/sql-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases. |
| Identical operands (`go/redundant-operation`) | Fewer false positive results | The query no longer flags cases where the operands have the same value but are syntactically distinct, since this is usually intentional. |
| Incomplete regular expression for hostnames (`go/incomplete-hostname-regexp`) | More results | The query now flags unescaped dots before the TLD in a hostname regex. |
| Open URL redirect (`go/unvalidated-url-redirection`) | Fewer false positive results | The query now identifies some sources that are not attacker-controlled, and excludes results with such sources. |
| Reflected cross-site scripting (`go/reflected-xss`) | Fewer results | Untrusted input flowing into an HTTP header definition or into an `fmt.Fprintf` call with a constant prefix is no longer flagged, since it is in both cases often harmless. |
| Useless assignment to field (`go/useless-assignment-to-field`) | Fewer false positive results | The query now conservatively handles fields promoted through embedded pointer types. |
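Review bot: the Tags cell for Disabled TLS certificate check (`go/disabled-certificate-check`) reads `external/cwe/295` while every other row in both tables uses the `external/cwe/cwe-NNN` form; change it to `external/cwe/cwe-295` so tag-based filtering and CWE reporting pick the row up. Separately, the cookbook paragraph links to `https://github.com/github/codeql-go/tree/main/ql/examples/snippets`; since this commit moves the Go tree into `go/` of the codeql repository, that path will go stale and should either point at the new location or be marked as historical, given these are old change notes.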
19
go/old-change-notes/1.24/extractor-go.md
Normal file
@@ -0,0 +1,19 @@
[[ condition: enterprise-only ]]

# Improvements to Go analysis

## Improvements to the autobuilder

* When Makefiles or custom build scripts are present in the codebase, the autobuilder uses them to install dependencies. The build command
to invoke can be configured via `lgtm.yml`, or by setting the environment variable `CODEQL_EXTRACTOR_GO_BUILD_COMMAND`.
* The autobuilder now attempts to automatically detect when dependencies have been vendored and use `-mod=vendor` appropriately.

## Changes to code extraction

* The extractor now supports Go 1.14.
* In resource-constrained environments, the environment variable `CODEQL_EXTRACTOR_GO_MAX_GOROUTINES` can be used to limit the
number of parallel goroutines started by the extractor, which reduces CPU and memory requirements. The default value for this
variable is 32.
* The extractor now uses buffered i/o for writing database files, which reduces the amount of time taken for extraction.
* The extractor now compresses intermediate files used for constructing databases, which reduces the amount of disk space it requires.
* The extractor now supports extracting `go.mod` files, enabling queries on dependencies and their versions.
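Review bot: the top-level heading `# Improvements to Go analysis` is identical to the heading of `1.24/analysis-go.md`, so the two notes are indistinguishable once rendered together; a heading that names the extractor (this file is `extractor-go.md`) would avoid the collision. Also `buffered i/o` should be `buffered I/O`.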
2
go/old-change-notes/2020-04-30-syscall-functions.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Command built from user-controlled sources" has been improved to recognize methods from the `syscall` library, which may lead to more alerts.
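Review bot: `syscall` is a package, not a library, and the process-spawning entry points it exposes are functions rather than methods; suggest "to recognize functions from the `syscall` package".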
2
go/old-change-notes/2020-05-01-bad-redirect-check.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Bad redirect check" (`go/bad-redirect-check`) now requires that the checked variable is actually used in a redirect as opposed to relying on a name-based heuristic. This eliminates some false positive results, and adds more true positive results.
2
go/old-change-notes/2020-05-01-macaron-model.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Basic support for the [Macaron](https://go-macaron.com/) HTTP library has been added, which may lead to more results from the security queries.
2
go/old-change-notes/2020-05-05-clear-text-logging.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Clear-text logging of sensitive information" has been improved to recognize more logging APIs, which may lead to more alerts.
3
go/old-change-notes/2020-05-05-mux-model.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* Basic support for the [Mux](https://github.com/gorilla/mux/) HTTP library has been added, which
may lead to more results from the security queries.
3
go/old-change-notes/2020-05-07-update-data-flow.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* The data-flow library has been improved, which affects and improves most security queries. In particular,
flow through functions involving nested field reads and writes is now modeled more fully.
3
go/old-change-notes/2020-05-11-reflected-xss.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* The query "Reflected cross-site scripting" has been improved to recognize more cases where the
value should be considered to be safe, which should lead to fewer false positive results.
4
go/old-change-notes/2020-05-12-tainted-path.md
Normal file
@@ -0,0 +1,4 @@
lgtm,codescanning
* The queries "Uncontrolled data used in path expression" and "Arbitrary file write during zip
extraction ("zip slip")" have been improved to recognize more file APIs, which may lead to more
alerts.
3
go/old-change-notes/2020-05-13-io-model.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* Modeling of the standard `io` library has been improved, which may lead to more results from the
security queries.
2
go/old-change-notes/2020-05-18-redundant-recover.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* A new query "Redundant call to recover" (`go/redundant-recover`) has been added. The query detects calls to `recover` that have no effect.
3
go/old-change-notes/2020-05-20-mongodb-model.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* Modeling of the `go.mongodb.org/mongo-driver/mongo` package has been added, which may lead to more
results from the security queries.
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Uncontrolled data used in network request" is now more precise, which may reduce the number of false positives.
3
go/old-change-notes/2020-05-22-websocket-model.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* Modeling of several WebSocket libraries has been added, which may lead to more results from the
security queries.
2
go/old-change-notes/2020-05-29-open-redirect.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Open URL redirect" (`go/unvalidated-url-redirection`) now recognizes values returned by method `http.Request.FormValue` as possibly user controlled, allowing it to flag more true positive results.
5
go/old-change-notes/2020-06-11-build-tracing.md
Normal file
@@ -0,0 +1,5 @@
lgtm,codescanning
* The Go extractor now supports build tracing, allowing users to supply a build command when
creating databases with the CodeQL CLI or via configuration. It currently only supports projects
that use Go modules. To opt-in, set the environment variable `CODEQL_EXTRACTOR_GO_BUILD_TRACING`
to `on`, or supply a build command.
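Review bot: `To opt-in` should be `To opt in`; the hyphenated form is the noun or adjective, and the sentence uses it as a verb.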
@@ -0,0 +1,2 @@
lgtm,codescanning
* The extractor now attempts to extract the AST of all dependencies that are related to the packages passed explicitly on the commandline, which is determined by using the module root or, if not using modules, the directory containing the source for those packages. In particular, this means if a package passed to the extractor depends on another package inside the same module, the dependency's AST will now be extracted.
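Review bot: `commandline` should be `command line`, and the first sentence is hard to parse because "which is determined by" has no clear antecedent; split it so it first says what counts as a related dependency (a package under the same module root, or under the same source directory when modules are not in use) and then states the consequence (its AST is now extracted).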
2
go/old-change-notes/2020-06-16-email-injection.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Email injection" (`go/email-injection`) has been moved out of the experimental folder. The query detects when untrusted input can be incorporated directly into an email.
@@ -0,0 +1,3 @@
lgtm,codescanning
* The query "Reflected cross-site scripting" has been improved to more correctly determine whether
an HTML mime type will be sniffed, which should lead to more accurate results.
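Review bot: `mime type` should be `MIME type`.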
2
go/old-change-notes/2020-06-19-call-graph.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Resolution of method calls through interfaces has been improved, resulting in more precise call-graph information, which in turn may eliminate false positives from the security queries.
2
go/old-change-notes/2020-06-19-cyclic-field-lookup.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* A bug has been fixed that could cause the analysis not to terminate in the presence of cycles through embedded struct fields.
@@ -0,0 +1,2 @@
lgtm,codescanning
* A bug has been fixed that could cause the incorrect analysis of control flow around switch statements.
2
go/old-change-notes/2020-06-24-clear-text-logging.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Clear-text logging of sensitive information" has been improved to recognize more sources of sensitive data, which may lead to more alerts. The query is now also more precise, which may reduce the number of false positives.
2
go/old-change-notes/2020-06-24-open-redirect.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Open URL redirect" (`go/unvalidated-url-redirection`) now recognizes more problematic fields of `URL` objects, allowing it to flag more results.
3
go/old-change-notes/2020-06-26-taint-model-tar-zip.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* Modeling of the `archive/tar` and `archive/zip` packages has been added, which may lead to more
results from the security queries.
2
go/old-change-notes/2020-06-26-taint-through-range.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Taint tracking through `range` statements has been improved, which may cause more results from the security queries.
@@ -0,0 +1,2 @@
lgtm,codescanning
* A bug has been fixed that caused the autobuilder to not work on repositories with a `file://` URL as `origin`.
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Unreachable statement" (`go/unreachable-statement`) now tolerates more unreachable return statements, which can often be required in Go following a function call that cannot return. Newly tolerated statements include `return true`, `return MyStruct{0, true}`, and any return when the return value has type `error`. This eliminates some nuisance results.
2
go/old-change-notes/2020-07-07-missing-error-check.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* New query "Missing error check" (`go/missing-error-check`) added. This checks for dangerous pointer dereferences when an accompanying error value returned from a call has not been checked.
2
go/old-change-notes/2020-07-15-insecure-tls.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Query "Insecure TLS configuration" (`go/insecure-tls`) is promoted from experimental status. This checks for use of insecure SSL/TLS versions and cipher suites.
2
go/old-change-notes/2020-07-22-ssh-host-checking.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Query "Use of insecure HostKeyCallback implementation" (`go/insecure-hostkeycallback`) is promoted from experimental status. This checks for insecurely omitting SSH host-key verification.
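Review bot: "insecurely omitting SSH host-key verification" does not tell readers which construct the query flags; naming it (for the `golang.org/x/crypto/ssh` client this is the `InsecureIgnoreHostKey` callback, or a `HostKeyCallback` that unconditionally returns `nil`) would let users confirm that a fix such as `KnownHosts` or a callback that actually compares the key clears the alert. Also format `HostKeyCallback` in the title as code, as `go/insecure-hostkeycallback` already is.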
9
go/old-change-notes/2020-07-28-library-models.md
Normal file
@@ -0,0 +1,9 @@
lgtm,codescanning
* Basic support for the [Go-restful](https://github.com/emicklei/go-restful) HTTP library has been added, which
may lead to more results from the security queries.
* Basic support for the [Gorm](https://github.com/go-gorm/gorm) ORM library has been added (specifically, its SQL statement building facilities), which
may lead to more results from the security queries.
* Basic support for the [Sqlx](https://github.com/jmoiron/sqlx) database access library has been added, which
may lead to more results from the security queries.
* Basic support for the [Json-iterator](https://github.com/json-iterator/go) JSON library has been added, which
may lead to more results from the security queries.
@@ -0,0 +1,2 @@
lgtm,codescanning
* Query "Incorrect integer conversion" (`go/incorrect-integer-conversion`) is promoted from experimental status. This checks for parsing a string to an integer and then assigning it to an integer type of a smaller bit size.
3
go/old-change-notes/2020-08-07-negative-length-check.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* Query "Redundant check for negative value" (`go/negative-length-check`) has been expanded to consider unsigned integers, along
with the return values of `len` and `cap` which it already handled. It has also been renamed to match its expanded role.
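Review bot: "It has also been renamed to match its expanded role" gives neither the previous query name nor the previous id, yet the id shown, `go/negative-length-check`, still reflects the old length-only role while the new name "Redundant check for negative value" does not; a rename note should list old and new name and id side by side so users can update suppressions, query-pack lists and dashboards.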
2
go/old-change-notes/2020-08-18-oauth2.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Use of constant `state` value in OAuth 2.0 URL" (`go/constant-oauth2-state`) has been promoted from experimental status. This checks for use of a constant state value in generating an OAuth2 redirect URL, which may open the way for a CSRF attack.
2
go/old-change-notes/2020-08-19-gin-model.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Basic support for the [Gin](https://github.com/gin-gonic/gin) HTTP library has been added (extending UntrustedFlowSource), which may lead to more results from the security queries.
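Review bot: "(extending UntrustedFlowSource)" puts an internal library class name into a user-facing note without code formatting; either drop the parenthetical, matching the Macaron and Mux entries, or write it as `UntrustedFlowSource` and say what it means for users (Gin request inputs are now treated as untrusted sources).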
2
go/old-change-notes/2020-08-27-protobufs.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Taint is now propagated across protocol buffer ("protobuf") marshalling and unmarshalling operations. This may result in more results from existing queries where the protocol buffer format is used.
@@ -0,0 +1,4 @@
lgtm,codescanning
* The query "Size computation for allocation may overflow" has been improved to recognize more
cases where the value should be considered to be safe, which should lead to fewer false
positive results.
4
go/old-change-notes/2020-09-10-gorm-model-improved.md
Normal file
@@ -0,0 +1,4 @@
lgtm,codescanning
* Support for the [GORM](https://github.com/go-gorm/gorm) ORM library (specifically, its SQL
statement building facilities) has been improved, which may lead to more results from the
security queries.
2
go/old-change-notes/2020-09-10-xss-false-positives.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Reflected cross-site scripting" (`go/reflected-xss`) now recognizes more cases of JSON marshaled data, which cannot serve as a vector for an XSS attack. This may reduce false-positive results for this query.
2
go/old-change-notes/2020-09-14-split-string-sanitizer.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Splitting a string by whitespace or a colon is now considered sanitizing by the `go/clear-text-logging` query, because this is frequently used to split a username and password or other secret.
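Review bot: treating a whitespace or colon split as a sanitizer for `go/clear-text-logging` trades false positives for false negatives: when the split is applied to a `user:password` pair and the password element is then logged, the secret still reaches the log but the query now stays silent. The note should state that trade-off explicitly, as the `go/zipslip` sanitizer note later in this commit does, so users know which logging patterns are no longer covered.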
2
go/old-change-notes/2020-09-15-chi.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the Chi web framework
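Review bot: this entry lacks a trailing period and a link or import path for the framework, unlike the Macaron, Mux and Gin entries, and it does not say which queries are affected; the same applies to the Echo, Beego and Beego ORM notes in this commit. Suggest "Added support for the Chi web framework, which may lead to more results from the security queries." with a link to the project.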
2
go/old-change-notes/2020-09-17-echo.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the Echo web framework
@@ -0,0 +1,2 @@
lgtm,codescanning
* A new query `go/suspicious-character-in-regex` has been added. The query flags uses of `\b` and `\a` in regular expressions, where a character class was likely intended.
2
go/old-change-notes/2020-09-23-stdlib.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Add/improve taint-tracking models for 63 Go standard library packages. This means that all queries that track tainted data may produce more results; these include queries scanning for cross-site scripting vulnerabilities and SQL injection vulnerabilities among others.
2
go/old-change-notes/2020-10-01-gomod-extraction.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The extractor now only extracts go.mod files belonging to extracted packages. In particular, vendored go.mod files will no longer be extracted unless the vendored package is explicitly passed to the extractor. This will remove unexpected `GoModExpr` and similar expressions seen by queries.
2
go/old-change-notes/2020-10-01-stack-trace-exposure.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* A new query `go/stack-trace-exposure` has been added. The query flags exposure of a stack trace to a remote party.
2
go/old-change-notes/2020-10-12-old-context-package.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the `golang.org/x/net/context` package, which was already supported under its modern standard-library name `context`.
3
go/old-change-notes/2020-10-12-x-net-html.md
Normal file
@@ -0,0 +1,3 @@
lgtm,codescanning
* Added partial support for the `golang.org/x/net/html` package, modeling tainted data flow from a retrieved HTML document to its attributes and other data.
* Modeled more ways of writing data to an `net/http.ResponseWriter`. This may produce more results from queries such as `go/reflected-xss` which look for data flowing to an HTTP response.
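Review bot: "an `net/http.ResponseWriter`" should be "a `net/http.ResponseWriter`".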
@@ -0,0 +1,2 @@
lgtm,codescanning
* The accuracy of the `go/allocation-size-overflow` query was improved, excluding more false-positives in which a small array could be mistaken for one of unbounded size.
2
go/old-change-notes/2020-10-14-spew.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the Spew deep pretty-printing framework. This may cause the `go/clear-text-logging` query to return more results when sensitive data is exposed using this library.
2
go/old-change-notes/2020-10-19-revel.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added basic support for the Revel web framework.
2
go/old-change-notes/2020-11-03-underscore-assigns.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Fixed a bug that meant partially-ignored parallel assignments, such as `x, _ := a, b`, could produce an incorrect control-flow graph.
2
go/old-change-notes/2020-11-04-unsafe-unzip-symlink.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* A new query `go/unsafe-unzip-symlink` has been added. The query checks for extracting symbolic links from an archive without using `filepath.EvalSymlinks`. This could lead to a file being written outside the destination directory.
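Review bot: "without using `filepath.EvalSymlinks`" names the sanitizer the query looks for but not what makes the extraction safe: `filepath.EvalSymlinks` only resolves a path, so the mitigation is to resolve the link target and then confirm the resolved path still lies within the destination directory before writing. Stating that here avoids readers adding a bare `EvalSymlinks` call just to silence the alert.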
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Suspicious characters in a regular expression" has been improved to recognize raw string literals, which should lead to fewer false positives.
2
go/old-change-notes/2020-11-11-stored-command.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* A new query "Command built from stored data" (`go/stored-command`) has been added. The query detects command executions that contain data from a database or a similar possibly user-controllable source.
2
go/old-change-notes/2020-11-11-stored-xss.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* A new query "Stored cross-site scripting" (`go/stored-xss`) has been added. The query detects HTTP request responses that contain data from a database or a similar possibly user-controllable source.
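Review bot: "HTTP request responses" should read "HTTP responses".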
2
go/old-change-notes/2020-11-12-zipslip-sanitizers.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Improved recongition of sanitizer functions for the `go/zipslip` query. This may reduce false-positives (but also perhaps false-negatives) when application code attempts to check a zip header entry does not contain an illegal path traversal attempt.
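Review bot: typo `recongition` should be `recognition`; `false-positives` and `false-negatives` are not hyphenated as nouns (compare "false positive results" in the earlier notes), and "check a zip header entry does not contain" reads better as "check that a zip entry's path does not contain".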
2
go/old-change-notes/2020-11-19-dataflow-edges.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Fixed a bug that meant data-flow through a checked typecast (e.g. `cast, ok = x.(*Type)`) could be missed.
4
go/old-change-notes/2020-11-27-external-api.md
Normal file
@@ -0,0 +1,4 @@
lgtm,codescanning
* A new query "Untrusted data passed to external API" (`go/untrusted-data-to-external-api`) has been added. The query reports external APIs that use untrusted data. This query is designed primarily to help identify which APIs may be relevant for security analysis of this application.
* A new query "Untrusted data passed to unknown external API" (`go/untrusted-data-to-unknown-external-api`) has been added. The query reports external APIs that use untrusted data and which are not already known to be safe. This query is designed primarily to help identify which APIs may be relevant for security analysis of this application.
* A new query "Frequency counts for external APIs that are used with untrusted data" (`go/count-untrusted-data-external-api`) has been added. The query reports external APIs that use untrusted data. It displays the same results as "Untrusted data passed to external API" (`go/untrusted-data-to-external-api`) but in a table.
2
go/old-change-notes/2020-11-27-guarding-functions.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Improved ability to recognise a sanitizing function (for example, `func f(s string) bool { return isClean(s) }`). This may reduce false-positives for any query employing a sanitizing test.
2
go/old-change-notes/2020-11-30-evanphx-json-patch.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Support for the [json-patch](https://github.com/evanphx/json-patch/) library has been added, which may lead to more results from the security queries.
2
go/old-change-notes/2020-12-01-fmt-errorf.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Recognised function `fmt.Errorf` to always return non-nil strings. This may reduce false-positives that depend on a function possibly returning nil.
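Review bot: the entry says `fmt.Errorf` "always return[s] non-nil strings", but `fmt.Errorf` returns an `error` value, not a string, and it is that error which is never nil; the wording should be "recognised that `fmt.Errorf` always returns a non-nil error". As written, the note misstates what the model asserts and could confuse readers checking which nil-related alerts are affected.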
2
go/old-change-notes/2020-12-08-beego.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the Beego web framework
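Review bot: the single line in this hunk has no terminating period and names no import path, unlike the other library-support entries in this commit (for example "Added support for the `github.com/elazarl/goproxy` package."); add the module path and say which queries gain models (request sources, sinks, or both), since "support for the Beego web framework" alone does not tell users what will change in their alerts.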
@@ -0,0 +1,2 @@
lgtm,codescanning
* Support for the [k8s.io/apimachinery/pkg/runtime](https://pkg.go.dev/k8s.io/apimachinery/pkg/runtime) library has been added, which may lead to more results from the security queries.
@@ -0,0 +1,2 @@
lgtm,codescanning
* The query "Clear-text logging of sensitive information" has been improved to recognize `SecretInterface` from `k8s.io/client-go/kubernetes/typed/core/v1` as a source of sensitive data, which may lead to more alerts.
2
go/old-change-notes/2020-12-14-insecure-randomness.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Query "Use of insufficient randomness as the key of a cryptographic algorithm" (`go/insecure-randomness`) is promoted from experimental status. This checks for use of an insecure random number generator in a security component.
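Review bot: the query title ("... as the key of a cryptographic algorithm") and the description ("use of an insecure random number generator in a security component") describe different scopes; if the promoted query flags weak randomness wherever it reaches any security-sensitive sink, say so, and if it only flags key material, narrow the second sentence to match. Since the query is leaving experimental status, readers also need to know which random sources are treated as insecure (for example, whether `math/rand` is the only one); naming them here avoids triage questions later.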
2
go/old-change-notes/2020-12-15-beego-orm.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the ORM subpackage of the Beego web framework
5
go/old-change-notes/2020-12-18-goproxy.md
Normal file
@@ -0,0 +1,5 @@
lgtm,codescanning
* Added support for the `github.com/elazarl/goproxy` package.
* The query "Incomplete regular expression for hostnames" has been improved to recognize some cases
when the regexp in question is guarding an HTTP error response, which will lead to fewer false
positives.
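Review bot: the second entry in this hunk is hard-wrapped into three lines mid-sentence (ending "some cases" and "fewer false"), while every other note in this commit keeps one entry per line; reflow it onto one line so tooling that treats each line as a bullet does not produce broken fragments. Also give the query id alongside the title "Incomplete regular expression for hostnames", as other notes in this commit do (for example `go/regex/missing-regexp-anchor`).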
2
go/old-change-notes/2020-12-23-regexp-anchors.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Query `go/regex/missing-regexp-anchor` now recognizes the start- and end-of-text anchors `\A` and `\z`. This reduces false-positives relating to unanchored expressions.
2
go/old-change-notes/2021-01-07-gokit-sources.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Models for gokit request sources have been added as an opt-in feature; import `semmle.go.frameworks.GoKit` in a query to enable these sources.
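Review bot: this entry tells users how to enable the gokit models but not why they are opt-in; a reader deciding whether to import `semmle.go.frameworks.GoKit` needs to know the trade-off (for example, that the sources are broad and may add false positives) and which queries the extra sources feed. One sentence on that would make the opt-in meaningful.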
2
go/old-change-notes/2021-01-08-git-as-interpreter.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added `git` as a potentially-exploitable command interpreter for the purposes of the `go/command-injection` query. Because some of its options can cause it to execute an arbitrary command, unsanitized user data can be dangerous to include in its argument list. Such cases will now be flagged as an alert.
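Review bot: the entry states that "some of its options" make `git` an interpreter but not whether the model flags any tainted argument or only arguments in positions where an option could be supplied; since unsanitized data in a fixed positional argument is a different risk from data that can begin with `-`, say which of the two the query reports so that users can judge the resulting alerts. Also, "potentially-exploitable" does not need the hyphen after an adverb ending in "-ly".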
2
go/old-change-notes/2021-01-12-model-couchbase.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for [the offical Couchbase Go SDK library](https://github.com/couchbase/gocb), v1 and v2. The `go/sql-injection` query (which also handles non-SQL databases such as Couchbase) will now identify Couchbase queries built from untrusted external input.
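Review bot: typo in this entry: "offical" should be "official". Since the entry mentions v1 and v2 in one breath, it would also help to say whether both major versions are modeled with the same query-building sinks, so that users on either version know the change applies to them.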
@@ -0,0 +1,2 @@
lgtm,codescanning
* An equality comparison with a constant value now sanitizes the other value. This was already the case in XSS queries, but it now applies in all queries involving tainted data flow. This should lead to fewer false positive results.
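Review bot: the entry does not say on which branch the sanitization applies. An equality comparison with a constant only constrains the other value on the branch where the comparison is true; if the new guard also treats the value as clean on the false branch, that is a potential source of missed results and should be stated, and if it applies only to the true branch, saying so reassures readers that taint is not dropped in the general case. Since this now affects every taint-tracking query, the scope deserves a sentence.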
@@ -0,0 +1,2 @@
lgtm,codescanning
* A function which compares a value with a list of constants now acts as a sanitizer guard. This should lead to fewer false positive results.
2
go/old-change-notes/2021-02-09-html-templates.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Improved our modeling of Go's builtin `html/template` package to understand that these templates provide context-sensitive escaping of HTML and Javascript special characters. This may reduce false-positives seen by the `go/reflected-xss` query, as well as other queries for which HTML escaping is relevant.
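Review bot: spelling and hyphenation in this entry: "builtin" should be "built-in", "Javascript" should be "JavaScript", and "false-positives" is hyphenated differently from "false positive results" in the other entries of this commit. Consider also naming which `html/template` contexts the model distinguishes (HTML body, attribute value, JavaScript string), since "context-sensitive escaping" is the whole point and a reader checking whether a particular case is covered has nothing to go on.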
@@ -0,0 +1,2 @@
lgtm,codescanning
* Improved the Go control-flow graph to exclude more edges representing panics due to comparisons when the types of the compared values indicate a panic is impossible (for example, comparing integers cannot panic). This may reduce false-positives or false-negatives for any query for which control-flow is relevant.
2
go/old-change-notes/2021-02-10-yaml.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the [gopkg.in/yaml](https://pkg.go.dev/gopkg.in/yaml.v3) package, which may lead to more results from the security queries.
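Review bot: the entry names the package as `gopkg.in/yaml` but links to the v3 documentation; `gopkg.in/yaml.v2` and `gopkg.in/yaml.v3` are distinct import paths, so state which major versions the models cover. Saying what kind of support was added (for example, `Unmarshal` as a taint step from input bytes to the decoded value) would also tell users which queries may produce the extra results.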
2
go/old-change-notes/2021-02-11-zap.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for [the Zap logging framework](https://pkg.go.dev/go.uber.org/zap). This may cause the `go/clear-text-logging` query to return more results when sensitive data is exposed using this library.
2
go/old-change-notes/2021-02-15-logrus-updated.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Modeling of the `Logrus` logging library has been improved. This may cause the `go/clear-text-logging` query to return more results when sensitive data is exposed using this library.
2
go/old-change-notes/2021-02-18-go-116.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The extractor now supports Go 1.16 and the new `io/fs` library that was introduced.
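Review bot: "the new `io/fs` library that was introduced" is redundant ("new" and "that was introduced" say the same thing); "and the `io/fs` package introduced in that release" reads better. The entry also does not say whether `io/fs` is merely extracted or also modeled (for example, as file-system sinks for path-traversal queries); that distinction matters to someone reading a change note for the security queries.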
@@ -0,0 +1,2 @@
lgtm,codescanning
* The data-flow library has been improved to represent reads and writes of promoted fields correctly, which may lead to more alerts.
2
go/old-change-notes/2021-03-16-html-tracing.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Support for extracting HTML files has been added, alongside support for Raw Revel templates.
2
go/old-change-notes/2021-03-16-nethttp-updated.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the `Transport.RoundTrip` method in `net/http`.
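Review bot: "Added support for the `Transport.RoundTrip` method" does not say what the support is: is `RoundTrip` modeled as a request-sending sink (relevant to the server-side request forgery query), as a taint step from the outgoing request to the response, or both? The other entries in this commit state the effect on alerts ("may lead to more results from ..."); this one should too.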
@@ -0,0 +1,2 @@
lgtm,codescanning
* `net/http.Request` and `mime/multipart.Part`'s models have been improved. `Request`'s error returns are no longer considered tainted, and `Part`'s methods propagate taint (for example, the `Part.FileName()` of a tainted `Part` is itself tainted). This should lead to more accurate results from any query where `Request` or `Part` methods occurred in a taint-flow path.
2
go/old-change-notes/2021-04-20-tuple-types.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Fixed a bug where data flow was not correctly computed through two-value index expressions (for example, `got, ok := myMap[someIndex]`). This may lead to extra results from any dataflow query when an index expression would form part of an important dataflow path.
2
go/old-change-notes/2021-05-06-xorm.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added support for the `xorm.io/xorm` package
2
go/old-change-notes/2021-07-28-insufficient-key-size.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Query "Use of a weak cryptographic key" (`go/insufficient-key-size`) is promoted from experimental status. This checks that any RSA keys which are generated have a size of at least 2048 bits.
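Review bot: the query title is "Use of a weak cryptographic key" but the description says the check is only that "any RSA keys which are generated have a size of at least 2048 bits"; make clear that the promoted query covers RSA key generation only (and name the generator it recognizes, for example `rsa.GenerateKey`), so users do not expect alerts for other algorithms or for keys loaded from files.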
2
go/old-change-notes/2021-08-17-go-117.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* The extractor now supports Go 1.17 features and models the changed libraries.
2
go/old-change-notes/2021-08-23-getPrimaryQlClasses.md
Normal file
@@ -0,0 +1,2 @@
lgtm,codescanning
* Added `AstNode.getPrimaryQlClasses()` predicate, which gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
@@ -0,0 +1,3 @@
lgtm,codescanning
* The query "Use of a weak cryptographic key" has been improved to recognize more cases where the
key size should be considered to be safe, which should lead to fewer false positive results.
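Review bot: the single entry in this hunk is split across two lines mid-sentence ("where the" / "key size should"), like the goproxy entry earlier in this commit, and should be one line. "More cases where the key size should be considered to be safe" is also vague for a change that removes alerts; list what is now accepted (for example, sizes held in named constants or values bounded by a preceding check), since a user whose alert disappeared needs to know why.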