From adc3ce827447486e44b4f08a781aa065fb3fb422 Mon Sep 17 00:00:00 2001
From: Max Schaefer
Date: Fri, 22 May 2020 10:09:07 +0100
Subject: [PATCH] Extend documentation for `package` and use it in two more places.

The predicate now works with an empty package path. The way this is implemented is perhaps slightly non-obvious: the `($|/)\\Q" + path + "\\E"` part of the regular expression either matches the end of the string (and `path` must then be empty), or a slash followed by `path` (which may or may not be empty). We do allow non-canonical import paths ending in `/`, which the compiler rejects. We could disallow that by putting a `(?!$)` assertion after the `/`, but that seems overkill.
---
 ql/src/semmle/go/Packages.qll | 9 ++++++---
 ql/src/semmle/go/frameworks/SQL.qll | 4 ++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/ql/src/semmle/go/Packages.qll b/ql/src/semmle/go/Packages.qll
index 2187bcf47c2..a88cc2a7368 100644
--- a/ql/src/semmle/go/Packages.qll
+++ b/ql/src/semmle/go/Packages.qll
@@ -26,10 +26,13 @@ class Package extends @package {
 }
 
 /**
- * Gets the Go import string that may identify a package in module `mod` with the given path,
- * possibly modulo semantic import versioning.
+ * Gets an import path that identifies a package in module `mod` with the given path,
+ * possibly modulo [semantic import versioning](https://github.com/golang/go/wiki/Modules#semantic-import-versioning).
+ *
+ * For example, `package("github.com/go-pg/pg", "types")` gets an import path that can
+ * refer to `"github.com/go-pg/pg/types"`, but also to `"github.com/go-pg/pg/v10/types"`.
 */
 bindingset[result, mod, path]
 string package(string mod, string path) {
- result.regexpMatch("\\Q" + mod + "\\E([/.]v[^/]+)?/\\Q" + path + "\\E")
+ result.regexpMatch("\\Q" + mod + "\\E([/.]v[^/]+)?($|/)\\Q" + path + "\\E")
 }
diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll
index a0b22c0cada..1244e5cc778 100644
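Review bot: The optional version segment `([/.]v[^/]+)?` on the changed `result.regexpMatch` line accepts any path component that begins with `v`, not only a major version, so `package("github.com/go-pg/pg", "")` also matches `github.com/go-pg/pg/vendor` or `github.com/go-pg/pg/vfs`, and with path `"types"` it matches `github.com/go-pg/pg/vendor/types`; the new `gopg()` and `gopgorm()` in SQL.qll inherit this (the inline regexps they replace appear to have had the same looseness). Semantic import versioning only uses numeric major versions, so `result.regexpMatch("\\Q" + mod + "\\E([/.]v[0-9]+)?($|/)\\Q" + path + "\\E")` would keep the documented contract without dropping real matches, unless non-numeric suffixes are tolerated on purpose. The trailing-slash tolerance explained in the commit message is not visible to readers of the doc comment; consider adding a line such as ` * Import paths with a trailing slash (for example "github.com/go-pg/pg/") are accepted as well, even though the Go compiler rejects them.`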
--- a/ql/src/semmle/go/frameworks/SQL.qll
+++ b/ql/src/semmle/go/frameworks/SQL.qll
@@ -76,11 +76,11 @@ module SQL {
 /** A string that might identify package `go-pg/pg` or a specific version of it. */
 bindingset[result]
- private string gopg() { result.regexpMatch("github.com/go-pg/pg(/v[^/]+)?") }
+ private string gopg() { result = package("github.com/go-pg/pg", "") }
 
 /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */
 bindingset[result]
- private string gopgorm() { result.regexpMatch("github.com/go-pg/pg(/v[^/]+)?/orm") }
+ private string gopgorm() { result = package("github.com/go-pg/pg", "orm") }
 
 /**
 * A string argument to an API of `go-pg/pg` that is directly interpreted as SQL without