Merge pull request #665 from owen-mc/update-function-get-a-call

Update `Function.getACall()`

ql/lib/semmle/go/Scopes.qll

@@ -366,13 +366,14 @@ class PromotedField extends Field {
 
 /** A built-in or declared function. */
 class Function extends ValueEntity, @functionobject {
-  /** Gets a call to this function. */
+  /**
+   * Gets a call to this function.
+   *
+   * This includes calls that target this function indirectly, by calling an
+   * interface method that this function implements.
+   */
   pragma[nomagic]
-  DataFlow::CallNode getACall() {
-    this = result.getTarget()
-    or
-    this = result.getACalleeIncludingExternals().asFunction()
-  }
+  DataFlow::CallNode getACall() { this = result.getACalleeIncludingExternals().asFunction() }
 
   /** Gets the declaration of this function, if any. */
   FuncDecl getFuncDecl() { none() }

ql/lib/semmle/go/security/ExternalAPIs.qll

@@ -74,7 +74,7 @@ class ExternalAPIDataNode extends DataFlow::Node {
     // Not already modeled as a taint step
     not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and
     // Not a call to a known safe external API
-    not call = any(SafeExternalAPIFunction f).getACall()
+    not call.getTarget() instanceof SafeExternalAPIFunction
   }
 
   /** Gets the called API `Function`. */

ql/lib/semmle/go/security/InsecureRandomnessCustomizations.qll

@@ -60,7 +60,7 @@ module InsecureRandomness {
         // Some interfaces in the `crypto` package are the same as interfaces
         // elsewhere, e.g. tls.listener is the same as net.Listener
         not fn.hasQualifiedName(nonCryptoInterface(), _) and
-        this = fn.getACall().getAnArgument()
+        exists(DataFlow::CallNode call | call.getTarget() = fn and this = call.getAnArgument())
       )
     }