Merge pull request #15267 from atorralba/atorralba/go/fmt-appenderorsprinter-mad

Go: Migrate AppenderOrSprinter model to models-as-data
2026-04-23 07:45:17 +02:00 · 2024-01-10 13:31:19 +01:00
parent e64ce228bb 46df5857ec
commit ca0a1dc7ae
12 changed files with 115 additions and 4 deletions
--- a/go/ql/lib/change-notes/2024-01-09-fmt-apprender-or-sprinter-deprecated.md
+++ b/go/ql/lib/change-notes/2024-01-09-fmt-apprender-or-sprinter-deprecated.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The class `Fmt::AppenderOrSprinter` of the `Fmt.qll` module has been deprecated. Use the new `Fmt::AppenderOrSprinterFunc` class instead. Its taint flow features have been migrated to models-as-data.
--- a/go/ql/lib/ext/fmt.model.yml
+++ b/go/ql/lib/ext/fmt.model.yml
@@ -8,3 +8,14 @@ extensions:
      - ["fmt", "ScanState", True, "Token", "", "", "Argument[-1]", "ReturnValue[0]", "taint", "manual"]
      - ["fmt", "State", True, "Write", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
      - ["fmt", "Stringer", True, "String", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Append", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Append", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendf", "", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendf", "", "", "Argument[2].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendln", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Appendln", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprint", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprintf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprintf", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
+      - ["fmt", "", True, "Sprintln", "", "", "Argument[0].ArrayElement", "ReturnValue", "taint", "manual"]
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Fmt.qll
@@ -7,8 +7,12 @@ import go
 // Some TaintTracking::FunctionModel subclasses remain because varargs functions don't work with Models-as-Data sumamries yet.
 /** Provides models of commonly used functions in the `fmt` package. */
 module Fmt {
-  /** The `Sprint` or `Append` functions or one of their variants. */
-  class AppenderOrSprinter extends TaintTracking::FunctionModel {
+  /**
+   * The `Sprint` or `Append` functions or one of their variants.
+   *
+   * DEPRECATED: Use AppenderOrSprinterFunc instead.
+   */
+  deprecated class AppenderOrSprinter extends TaintTracking::FunctionModel {
    AppenderOrSprinter() { this.hasQualifiedName("fmt", ["Append", "Sprint"] + ["", "f", "ln"]) }

    override predicate hasTaintFlow(FunctionInput inp, FunctionOutput outp) {
@@ -16,8 +20,15 @@ module Fmt {
    }
  }

+  /** The `Sprint` or `Append` functions or one of their variants. */
+  class AppenderOrSprinterFunc extends Function {
+    AppenderOrSprinterFunc() {
+      this.hasQualifiedName("fmt", ["Append", "Sprint"] + ["", "f", "ln"])
+    }
+  }
+
  /** The `Sprint` function or one of its variants. */
-  class Sprinter extends AppenderOrSprinter {
+  class Sprinter extends AppenderOrSprinterFunc {
    Sprinter() { this.getName().matches("Sprint%") }
  }

--- a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
+++ b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
@@ -99,7 +99,7 @@ module PrivateUrlFlowsToAuthCodeUrlCallConfig implements DataFlow::ConfigSig {
    or
    // Propagate across Sprintf and similar calls
    exists(DataFlow::CallNode cn |
-      cn.getACalleeIncludingExternals().asFunction() instanceof Fmt::AppenderOrSprinter
+      cn.getACalleeIncludingExternals().asFunction() instanceof Fmt::AppenderOrSprinterFunc
    |
      pred = cn.getASyntacticArgument() and succ = cn.getResult()
    )
--- a/go/ql/test/experimental/CWE-74/DsnInjection.expected
+++ b/go/ql/test/experimental/CWE-74/DsnInjection.expected
@@ -1,9 +1,12 @@
 edges
 | Dsn.go:47:10:47:30 | call to FormValue | Dsn.go:49:102:49:105 | name |
+| Dsn.go:49:11:49:106 | []type{args} [array] | Dsn.go:49:11:49:106 | call to Sprintf |
 | Dsn.go:49:11:49:106 | call to Sprintf | Dsn.go:50:29:50:33 | dbDSN |
+| Dsn.go:49:102:49:105 | name | Dsn.go:49:11:49:106 | []type{args} [array] |
 | Dsn.go:49:102:49:105 | name | Dsn.go:49:11:49:106 | call to Sprintf |
 nodes
 | Dsn.go:47:10:47:30 | call to FormValue | semmle.label | call to FormValue |
+| Dsn.go:49:11:49:106 | []type{args} [array] | semmle.label | []type{args} [array] |
 | Dsn.go:49:11:49:106 | call to Sprintf | semmle.label | call to Sprintf |
 | Dsn.go:49:102:49:105 | name | semmle.label | name |
 | Dsn.go:50:29:50:33 | dbDSN | semmle.label | dbDSN |
--- a/go/ql/test/experimental/CWE-74/DsnInjectionLocal.expected
+++ b/go/ql/test/experimental/CWE-74/DsnInjectionLocal.expected
@@ -1,6 +1,8 @@
 edges
 | Dsn.go:26:11:26:17 | selection of Args | Dsn.go:28:102:28:109 | index expression |
+| Dsn.go:28:11:28:110 | []type{args} [array] | Dsn.go:28:11:28:110 | call to Sprintf |
 | Dsn.go:28:11:28:110 | call to Sprintf | Dsn.go:29:29:29:33 | dbDSN |
+| Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | []type{args} [array] |
 | Dsn.go:28:102:28:109 | index expression | Dsn.go:28:11:28:110 | call to Sprintf |
 | Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:63:9:63:11 | cfg [pointer] |
 | Dsn.go:62:2:62:4 | definition of cfg [pointer] | Dsn.go:67:102:67:104 | cfg [pointer] |
@@ -10,13 +12,16 @@ edges
 | Dsn.go:63:9:63:11 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn |
 | Dsn.go:63:19:63:25 | selection of Args | Dsn.go:63:19:63:29 | slice expression |
 | Dsn.go:63:19:63:29 | slice expression | Dsn.go:63:9:63:11 | implicit dereference |
+| Dsn.go:67:11:67:109 | []type{args} [array] | Dsn.go:67:11:67:109 | call to Sprintf |
 | Dsn.go:67:11:67:109 | call to Sprintf | Dsn.go:68:29:68:33 | dbDSN |
 | Dsn.go:67:102:67:104 | cfg [pointer] | Dsn.go:67:102:67:104 | implicit dereference |
 | Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:63:9:63:11 | implicit dereference |
 | Dsn.go:67:102:67:104 | implicit dereference | Dsn.go:67:102:67:108 | selection of dsn |
+| Dsn.go:67:102:67:108 | selection of dsn | Dsn.go:67:11:67:109 | []type{args} [array] |
 | Dsn.go:67:102:67:108 | selection of dsn | Dsn.go:67:11:67:109 | call to Sprintf |
 nodes
 | Dsn.go:26:11:26:17 | selection of Args | semmle.label | selection of Args |
+| Dsn.go:28:11:28:110 | []type{args} [array] | semmle.label | []type{args} [array] |
 | Dsn.go:28:11:28:110 | call to Sprintf | semmle.label | call to Sprintf |
 | Dsn.go:28:102:28:109 | index expression | semmle.label | index expression |
 | Dsn.go:29:29:29:33 | dbDSN | semmle.label | dbDSN |
@@ -25,6 +30,7 @@ nodes
 | Dsn.go:63:9:63:11 | implicit dereference | semmle.label | implicit dereference |
 | Dsn.go:63:19:63:25 | selection of Args | semmle.label | selection of Args |
 | Dsn.go:63:19:63:29 | slice expression | semmle.label | slice expression |
+| Dsn.go:67:11:67:109 | []type{args} [array] | semmle.label | []type{args} [array] |
 | Dsn.go:67:11:67:109 | call to Sprintf | semmle.label | call to Sprintf |
 | Dsn.go:67:102:67:104 | cfg [pointer] | semmle.label | cfg [pointer] |
 | Dsn.go:67:102:67:104 | implicit dereference | semmle.label | implicit dereference |
--- a/go/ql/test/experimental/CWE-918/SSRF.expected
+++ b/go/ql/test/experimental/CWE-918/SSRF.expected
@@ -7,8 +7,14 @@ edges
 | new-tests.go:26:26:26:30 | &... | new-tests.go:31:48:31:56 | selection of word |
 | new-tests.go:26:26:26:30 | &... | new-tests.go:32:48:32:56 | selection of safe |
 | new-tests.go:26:26:26:30 | &... | new-tests.go:35:49:35:57 | selection of word |
+| new-tests.go:31:11:31:57 | []type{args} [array] | new-tests.go:31:11:31:57 | call to Sprintf |
+| new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | []type{args} [array] |
 | new-tests.go:31:48:31:56 | selection of word | new-tests.go:31:11:31:57 | call to Sprintf |
+| new-tests.go:32:11:32:57 | []type{args} [array] | new-tests.go:32:11:32:57 | call to Sprintf |
+| new-tests.go:32:48:32:56 | selection of safe | new-tests.go:32:11:32:57 | []type{args} [array] |
 | new-tests.go:32:48:32:56 | selection of safe | new-tests.go:32:11:32:57 | call to Sprintf |
+| new-tests.go:35:12:35:58 | []type{args} [array] | new-tests.go:35:12:35:58 | call to Sprintf |
+| new-tests.go:35:49:35:57 | selection of word | new-tests.go:35:12:35:58 | []type{args} [array] |
 | new-tests.go:35:49:35:57 | selection of word | new-tests.go:35:12:35:58 | call to Sprintf |
 | new-tests.go:39:18:39:30 | call to Param | new-tests.go:47:11:47:46 | ...+... |
 | new-tests.go:49:18:49:30 | call to Query | new-tests.go:50:11:50:46 | ...+... |
@@ -18,8 +24,14 @@ edges
 | new-tests.go:63:26:63:30 | &... | new-tests.go:68:48:68:56 | selection of word |
 | new-tests.go:63:26:63:30 | &... | new-tests.go:69:48:69:56 | selection of safe |
 | new-tests.go:63:26:63:30 | &... | new-tests.go:74:49:74:57 | selection of word |
+| new-tests.go:68:11:68:57 | []type{args} [array] | new-tests.go:68:11:68:57 | call to Sprintf |
+| new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | []type{args} [array] |
 | new-tests.go:68:48:68:56 | selection of word | new-tests.go:68:11:68:57 | call to Sprintf |
+| new-tests.go:69:11:69:57 | []type{args} [array] | new-tests.go:69:11:69:57 | call to Sprintf |
+| new-tests.go:69:48:69:56 | selection of safe | new-tests.go:69:11:69:57 | []type{args} [array] |
 | new-tests.go:69:48:69:56 | selection of safe | new-tests.go:69:11:69:57 | call to Sprintf |
+| new-tests.go:74:12:74:58 | []type{args} [array] | new-tests.go:74:12:74:58 | call to Sprintf |
+| new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | []type{args} [array] |
 | new-tests.go:74:49:74:57 | selection of word | new-tests.go:74:12:74:58 | call to Sprintf |
 | new-tests.go:78:18:78:24 | selection of URL | new-tests.go:78:18:78:32 | call to Query |
 | new-tests.go:78:18:78:32 | call to Query | new-tests.go:78:18:78:46 | call to Get |
@@ -41,10 +53,13 @@ nodes
 | builtin.go:129:21:129:31 | call to Referer | semmle.label | call to Referer |
 | builtin.go:132:38:132:51 | untrustedInput | semmle.label | untrustedInput |
 | new-tests.go:26:26:26:30 | &... | semmle.label | &... |
+| new-tests.go:31:11:31:57 | []type{args} [array] | semmle.label | []type{args} [array] |
 | new-tests.go:31:11:31:57 | call to Sprintf | semmle.label | call to Sprintf |
 | new-tests.go:31:48:31:56 | selection of word | semmle.label | selection of word |
+| new-tests.go:32:11:32:57 | []type{args} [array] | semmle.label | []type{args} [array] |
 | new-tests.go:32:11:32:57 | call to Sprintf | semmle.label | call to Sprintf |
 | new-tests.go:32:48:32:56 | selection of safe | semmle.label | selection of safe |
+| new-tests.go:35:12:35:58 | []type{args} [array] | semmle.label | []type{args} [array] |
 | new-tests.go:35:12:35:58 | call to Sprintf | semmle.label | call to Sprintf |
 | new-tests.go:35:49:35:57 | selection of word | semmle.label | selection of word |
 | new-tests.go:39:18:39:30 | call to Param | semmle.label | call to Param |
@@ -55,10 +70,13 @@ nodes
 | new-tests.go:62:31:62:38 | selection of Body | semmle.label | selection of Body |
 | new-tests.go:63:17:63:23 | reqBody | semmle.label | reqBody |
 | new-tests.go:63:26:63:30 | &... | semmle.label | &... |
+| new-tests.go:68:11:68:57 | []type{args} [array] | semmle.label | []type{args} [array] |
 | new-tests.go:68:11:68:57 | call to Sprintf | semmle.label | call to Sprintf |
 | new-tests.go:68:48:68:56 | selection of word | semmle.label | selection of word |
+| new-tests.go:69:11:69:57 | []type{args} [array] | semmle.label | []type{args} [array] |
 | new-tests.go:69:11:69:57 | call to Sprintf | semmle.label | call to Sprintf |
 | new-tests.go:69:48:69:56 | selection of safe | semmle.label | selection of safe |
+| new-tests.go:74:12:74:58 | []type{args} [array] | semmle.label | []type{args} [array] |
 | new-tests.go:74:12:74:58 | call to Sprintf | semmle.label | call to Sprintf |
 | new-tests.go:74:49:74:57 | selection of word | semmle.label | selection of word |
 | new-tests.go:78:18:78:24 | selection of URL | semmle.label | selection of URL |
--- a/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/FlowSteps/LocalTaintStep.expected
@@ -1,7 +1,10 @@
+| file://:0:0:0:0 | [summary param] 0 in Append | file://:0:0:0:0 | [summary] to write: ReturnValue in Append |
 | file://:0:0:0:0 | [summary param] 0 in AppendQuote | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuote |
 | file://:0:0:0:0 | [summary param] 0 in AppendQuoteToASCII | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToASCII |
 | file://:0:0:0:0 | [summary param] 0 in AppendQuoteToGraphic | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToGraphic |
 | file://:0:0:0:0 | [summary param] 0 in AppendSlice | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendSlice |
+| file://:0:0:0:0 | [summary param] 0 in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
+| file://:0:0:0:0 | [summary param] 0 in Appendln | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendln |
 | file://:0:0:0:0 | [summary param] 0 in As | file://:0:0:0:0 | [summary] to write: Argument[1] in As |
 | file://:0:0:0:0 | [summary param] 0 in Base | file://:0:0:0:0 | [summary] to write: ReturnValue in Base |
 | file://:0:0:0:0 | [summary param] 0 in BytePtrFromString | file://:0:0:0:0 | [summary] to write: ReturnValue in BytePtrFromString |
@@ -67,6 +70,7 @@
 | file://:0:0:0:0 | [summary param] 0 in SplitAfter | file://:0:0:0:0 | [summary] to write: ReturnValue in SplitAfter |
 | file://:0:0:0:0 | [summary param] 0 in SplitAfterN | file://:0:0:0:0 | [summary] to write: ReturnValue in SplitAfterN |
 | file://:0:0:0:0 | [summary param] 0 in SplitN | file://:0:0:0:0 | [summary] to write: ReturnValue in SplitN |
+| file://:0:0:0:0 | [summary param] 0 in Sprintf | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprintf |
 | file://:0:0:0:0 | [summary param] 0 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
 | file://:0:0:0:0 | [summary param] 0 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
 | file://:0:0:0:0 | [summary param] 0 in Store | file://:0:0:0:0 | [summary] to write: Argument[-1] in Store |
@@ -133,6 +137,7 @@
 | file://:0:0:0:0 | [summary param] 1 in AppendQuoteToASCII | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToASCII |
 | file://:0:0:0:0 | [summary param] 1 in AppendQuoteToGraphic | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendQuoteToGraphic |
 | file://:0:0:0:0 | [summary param] 1 in AppendSlice | file://:0:0:0:0 | [summary] to write: ReturnValue in AppendSlice |
+| file://:0:0:0:0 | [summary param] 1 in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
 | file://:0:0:0:0 | [summary param] 1 in Copy | file://:0:0:0:0 | [summary] to write: Argument[0] in Copy |
 | file://:0:0:0:0 | [summary param] 1 in Copy | file://:0:0:0:0 | [summary] to write: Argument[0] in Copy |
 | file://:0:0:0:0 | [summary param] 1 in CopyBuffer | file://:0:0:0:0 | [summary] to write: Argument[0] in CopyBuffer |
@@ -287,6 +292,12 @@
 | file://:0:0:0:0 | [summary param] -1 in WriteTo | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteTo |
 | file://:0:0:0:0 | [summary param] -1 in WriteTo | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteTo |
 | file://:0:0:0:0 | [summary param] -1 in WriteTo | file://:0:0:0:0 | [summary] to write: Argument[0] in WriteTo |
+| file://:0:0:0:0 | [summary] read: Argument[0].ArrayElement in Sprint | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprint |
+| file://:0:0:0:0 | [summary] read: Argument[0].ArrayElement in Sprintln | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprintln |
+| file://:0:0:0:0 | [summary] read: Argument[1].ArrayElement in Append | file://:0:0:0:0 | [summary] to write: ReturnValue in Append |
+| file://:0:0:0:0 | [summary] read: Argument[1].ArrayElement in Appendln | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendln |
+| file://:0:0:0:0 | [summary] read: Argument[1].ArrayElement in Sprintf | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprintf |
+| file://:0:0:0:0 | [summary] read: Argument[2].ArrayElement in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
 | main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[0] |
 | main.go:26:11:26:17 | type assertion | main.go:26:2:26:17 | ... := ...[1] |
 | main.go:38:13:38:13 | 1 | main.go:38:7:38:20 | slice literal |
--- a/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
+++ b/go/ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected
@@ -318,9 +318,14 @@
 | errors.As | file://:0:0:0:0 | [summary param] 0 in As | file://:0:0:0:0 | [summary] to write: Argument[1] in As |
 | errors.New | file://:0:0:0:0 | [summary param] 0 in New | file://:0:0:0:0 | [summary] to write: ReturnValue in New |
 | errors.Unwrap | file://:0:0:0:0 | [summary param] 0 in Unwrap | file://:0:0:0:0 | [summary] to write: ReturnValue in Unwrap |
+| fmt.Append | file://:0:0:0:0 | [summary param] 0 in Append | file://:0:0:0:0 | [summary] to write: ReturnValue in Append |
+| fmt.Appendf | file://:0:0:0:0 | [summary param] 0 in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
+| fmt.Appendf | file://:0:0:0:0 | [summary param] 1 in Appendf | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendf |
+| fmt.Appendln | file://:0:0:0:0 | [summary param] 0 in Appendln | file://:0:0:0:0 | [summary] to write: ReturnValue in Appendln |
 | fmt.GoStringer.GoString | file://:0:0:0:0 | [summary param] -1 in GoString | file://:0:0:0:0 | [summary] to write: ReturnValue in GoString |
 | fmt.ScanState.Read | file://:0:0:0:0 | [summary param] -1 in Read | file://:0:0:0:0 | [summary] to write: Argument[0] in Read |
 | fmt.ScanState.Token | file://:0:0:0:0 | [summary param] -1 in Token | file://:0:0:0:0 | [summary] to write: ReturnValue in Token |
+| fmt.Sprintf | file://:0:0:0:0 | [summary param] 0 in Sprintf | file://:0:0:0:0 | [summary] to write: ReturnValue in Sprintf |
 | fmt.State.Write | file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
 | fmt.Stringer.String | file://:0:0:0:0 | [summary param] -1 in String | file://:0:0:0:0 | [summary] to write: ReturnValue in String |
 | fmt.pp.Write | file://:0:0:0:0 | [summary param] 0 in Write | file://:0:0:0:0 | [summary] to write: Argument[-1] in Write |
--- a/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -13,9 +13,13 @@ edges
 | reflectedxsstest.go:31:2:31:44 | ... := ...[1] | reflectedxsstest.go:34:46:34:60 | selection of Filename |
 | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | reflectedxsstest.go:33:49:33:55 | content |
 | reflectedxsstest.go:32:34:32:37 | file | reflectedxsstest.go:32:2:32:38 | ... := ...[0] |
+| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | reflectedxsstest.go:33:17:33:56 | call to Sprintf |
 | reflectedxsstest.go:33:17:33:56 | call to Sprintf | reflectedxsstest.go:33:10:33:57 | type conversion |
+| reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | []type{args} [array] |
 | reflectedxsstest.go:33:49:33:55 | content | reflectedxsstest.go:33:17:33:56 | call to Sprintf |
+| reflectedxsstest.go:34:17:34:61 | []type{args} [array] | reflectedxsstest.go:34:17:34:61 | call to Sprintf |
 | reflectedxsstest.go:34:17:34:61 | call to Sprintf | reflectedxsstest.go:34:10:34:62 | type conversion |
+| reflectedxsstest.go:34:46:34:60 | selection of Filename | reflectedxsstest.go:34:17:34:61 | []type{args} [array] |
 | reflectedxsstest.go:34:46:34:60 | selection of Filename | reflectedxsstest.go:34:17:34:61 | call to Sprintf |
 | reflectedxsstest.go:38:2:38:35 | ... := ...[0] | reflectedxsstest.go:39:16:39:21 | reader |
 | reflectedxsstest.go:39:2:39:32 | ... := ...[0] | reflectedxsstest.go:40:14:40:17 | part |
@@ -25,7 +29,9 @@ edges
 | reflectedxsstest.go:40:14:40:28 | call to FileName | reflectedxsstest.go:44:46:44:53 | partName |
 | reflectedxsstest.go:41:2:41:10 | definition of byteSlice | reflectedxsstest.go:45:10:45:18 | byteSlice |
 | reflectedxsstest.go:42:2:42:5 | part | reflectedxsstest.go:41:2:41:10 | definition of byteSlice |
+| reflectedxsstest.go:44:17:44:54 | []type{args} [array] | reflectedxsstest.go:44:17:44:54 | call to Sprintf |
 | reflectedxsstest.go:44:17:44:54 | call to Sprintf | reflectedxsstest.go:44:10:44:55 | type conversion |
+| reflectedxsstest.go:44:46:44:53 | partName | reflectedxsstest.go:44:17:44:54 | []type{args} [array] |
 | reflectedxsstest.go:44:46:44:53 | partName | reflectedxsstest.go:44:17:44:54 | call to Sprintf |
 | reflectedxsstest.go:51:14:51:18 | selection of URL | reflectedxsstest.go:51:14:51:26 | call to Query |
 | reflectedxsstest.go:51:14:51:26 | call to Query | reflectedxsstest.go:54:11:54:21 | type conversion |
@@ -64,9 +70,11 @@ nodes
 | reflectedxsstest.go:32:2:32:38 | ... := ...[0] | semmle.label | ... := ...[0] |
 | reflectedxsstest.go:32:34:32:37 | file | semmle.label | file |
 | reflectedxsstest.go:33:10:33:57 | type conversion | semmle.label | type conversion |
+| reflectedxsstest.go:33:17:33:56 | []type{args} [array] | semmle.label | []type{args} [array] |
 | reflectedxsstest.go:33:17:33:56 | call to Sprintf | semmle.label | call to Sprintf |
 | reflectedxsstest.go:33:49:33:55 | content | semmle.label | content |
 | reflectedxsstest.go:34:10:34:62 | type conversion | semmle.label | type conversion |
+| reflectedxsstest.go:34:17:34:61 | []type{args} [array] | semmle.label | []type{args} [array] |
 | reflectedxsstest.go:34:17:34:61 | call to Sprintf | semmle.label | call to Sprintf |
 | reflectedxsstest.go:34:46:34:60 | selection of Filename | semmle.label | selection of Filename |
 | reflectedxsstest.go:38:2:38:35 | ... := ...[0] | semmle.label | ... := ...[0] |
@@ -77,6 +85,7 @@ nodes
 | reflectedxsstest.go:41:2:41:10 | definition of byteSlice | semmle.label | definition of byteSlice |
 | reflectedxsstest.go:42:2:42:5 | part | semmle.label | part |
 | reflectedxsstest.go:44:10:44:55 | type conversion | semmle.label | type conversion |
+| reflectedxsstest.go:44:17:44:54 | []type{args} [array] | semmle.label | []type{args} [array] |
 | reflectedxsstest.go:44:17:44:54 | call to Sprintf | semmle.label | call to Sprintf |
 | reflectedxsstest.go:44:46:44:53 | partName | semmle.label | partName |
 | reflectedxsstest.go:45:10:45:18 | byteSlice | semmle.label | byteSlice |
--- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
+++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -1,40 +1,54 @@
 edges
+| SqlInjection.go:10:7:11:30 | []type{args} [array] | SqlInjection.go:10:7:11:30 | call to Sprintf |
 | SqlInjection.go:10:7:11:30 | call to Sprintf | SqlInjection.go:12:11:12:11 | q |
 | SqlInjection.go:11:3:11:9 | selection of URL | SqlInjection.go:11:3:11:17 | call to Query |
 | SqlInjection.go:11:3:11:17 | call to Query | SqlInjection.go:11:3:11:29 | index expression |
+| SqlInjection.go:11:3:11:29 | index expression | SqlInjection.go:10:7:11:30 | []type{args} [array] |
 | SqlInjection.go:11:3:11:29 | index expression | SqlInjection.go:10:7:11:30 | call to Sprintf |
 | issue48.go:17:2:17:33 | ... := ...[0] | issue48.go:18:17:18:17 | b |
 | issue48.go:17:25:17:32 | selection of Body | issue48.go:17:2:17:33 | ... := ...[0] |
 | issue48.go:18:17:18:17 | b | issue48.go:18:20:18:39 | &... |
 | issue48.go:18:20:18:39 | &... | issue48.go:21:3:21:33 | index expression |
+| issue48.go:20:8:21:34 | []type{args} [array] | issue48.go:20:8:21:34 | call to Sprintf |
 | issue48.go:20:8:21:34 | call to Sprintf | issue48.go:22:11:22:12 | q3 |
+| issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | []type{args} [array] |
 | issue48.go:21:3:21:33 | index expression | issue48.go:20:8:21:34 | call to Sprintf |
 | issue48.go:27:2:27:34 | ... := ...[0] | issue48.go:28:17:28:18 | b2 |
 | issue48.go:27:26:27:33 | selection of Body | issue48.go:27:2:27:34 | ... := ...[0] |
 | issue48.go:28:17:28:18 | b2 | issue48.go:28:21:28:41 | &... |
 | issue48.go:28:21:28:41 | &... | issue48.go:31:3:31:31 | selection of Category |
+| issue48.go:30:8:31:32 | []type{args} [array] | issue48.go:30:8:31:32 | call to Sprintf |
 | issue48.go:30:8:31:32 | call to Sprintf | issue48.go:32:11:32:12 | q4 |
+| issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | []type{args} [array] |
 | issue48.go:31:3:31:31 | selection of Category | issue48.go:30:8:31:32 | call to Sprintf |
 | issue48.go:37:17:37:50 | type conversion | issue48.go:37:53:37:73 | &... |
 | issue48.go:37:24:37:30 | selection of URL | issue48.go:37:24:37:38 | call to Query |
 | issue48.go:37:24:37:38 | call to Query | issue48.go:37:17:37:50 | type conversion |
 | issue48.go:37:53:37:73 | &... | issue48.go:40:3:40:31 | selection of Category |
+| issue48.go:39:8:40:32 | []type{args} [array] | issue48.go:39:8:40:32 | call to Sprintf |
 | issue48.go:39:8:40:32 | call to Sprintf | issue48.go:41:11:41:12 | q5 |
+| issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | []type{args} [array] |
 | issue48.go:40:3:40:31 | selection of Category | issue48.go:39:8:40:32 | call to Sprintf |
 | main.go:11:11:11:16 | selection of Form | main.go:11:11:11:28 | index expression |
+| main.go:15:11:15:84 | []type{args} [array] | main.go:15:11:15:84 | call to Sprintf |
 | main.go:15:63:15:67 | selection of URL | main.go:15:63:15:75 | call to Query |
 | main.go:15:63:15:75 | call to Query | main.go:15:63:15:83 | index expression |
+| main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | []type{args} [array] |
 | main.go:15:63:15:83 | index expression | main.go:15:11:15:84 | call to Sprintf |
+| main.go:16:11:16:85 | []type{args} [array] | main.go:16:11:16:85 | call to Sprintf |
 | main.go:16:63:16:70 | selection of Header | main.go:16:63:16:84 | call to Get |
+| main.go:16:63:16:84 | call to Get | main.go:16:11:16:85 | []type{args} [array] |
 | main.go:16:63:16:84 | call to Get | main.go:16:11:16:85 | call to Sprintf |
 | main.go:28:17:31:2 | &... [pointer, Category] | main.go:34:3:34:13 | RequestData [pointer, Category] |
 | main.go:28:18:31:2 | struct literal [Category] | main.go:28:17:31:2 | &... [pointer, Category] |
 | main.go:30:13:30:19 | selection of URL | main.go:30:13:30:27 | call to Query |
 | main.go:30:13:30:27 | call to Query | main.go:30:13:30:39 | index expression |
 | main.go:30:13:30:39 | index expression | main.go:28:18:31:2 | struct literal [Category] |
+| main.go:33:7:34:23 | []type{args} [array] | main.go:33:7:34:23 | call to Sprintf |
 | main.go:33:7:34:23 | call to Sprintf | main.go:35:11:35:11 | q |
 | main.go:34:3:34:13 | RequestData [pointer, Category] | main.go:34:3:34:13 | implicit dereference [Category] |
 | main.go:34:3:34:13 | implicit dereference [Category] | main.go:34:3:34:22 | selection of Category |
+| main.go:34:3:34:22 | selection of Category | main.go:33:7:34:23 | []type{args} [array] |
 | main.go:34:3:34:22 | selection of Category | main.go:33:7:34:23 | call to Sprintf |
 | main.go:39:2:39:12 | definition of RequestData [pointer, Category] | main.go:40:2:40:12 | RequestData [pointer, Category] |
 | main.go:39:2:39:12 | definition of RequestData [pointer, Category] | main.go:43:3:43:13 | RequestData [pointer, Category] |
@@ -43,9 +57,11 @@ edges
 | main.go:40:25:40:31 | selection of URL | main.go:40:25:40:39 | call to Query |
 | main.go:40:25:40:39 | call to Query | main.go:40:25:40:51 | index expression |
 | main.go:40:25:40:51 | index expression | main.go:40:2:40:12 | implicit dereference [Category] |
+| main.go:42:7:43:23 | []type{args} [array] | main.go:42:7:43:23 | call to Sprintf |
 | main.go:42:7:43:23 | call to Sprintf | main.go:44:11:44:11 | q |
 | main.go:43:3:43:13 | RequestData [pointer, Category] | main.go:43:3:43:13 | implicit dereference [Category] |
 | main.go:43:3:43:13 | implicit dereference [Category] | main.go:43:3:43:22 | selection of Category |
+| main.go:43:3:43:22 | selection of Category | main.go:42:7:43:23 | []type{args} [array] |
 | main.go:43:3:43:22 | selection of Category | main.go:42:7:43:23 | call to Sprintf |
 | main.go:48:2:48:12 | definition of RequestData [pointer, Category] | main.go:49:4:49:14 | RequestData [pointer, Category] |
 | main.go:48:2:48:12 | definition of RequestData [pointer, Category] | main.go:52:3:52:13 | RequestData [pointer, Category] |
@@ -54,9 +70,11 @@ edges
 | main.go:49:28:49:34 | selection of URL | main.go:49:28:49:42 | call to Query |
 | main.go:49:28:49:42 | call to Query | main.go:49:28:49:54 | index expression |
 | main.go:49:28:49:54 | index expression | main.go:49:3:49:14 | star expression [Category] |
+| main.go:51:7:52:23 | []type{args} [array] | main.go:51:7:52:23 | call to Sprintf |
 | main.go:51:7:52:23 | call to Sprintf | main.go:53:11:53:11 | q |
 | main.go:52:3:52:13 | RequestData [pointer, Category] | main.go:52:3:52:13 | implicit dereference [Category] |
 | main.go:52:3:52:13 | implicit dereference [Category] | main.go:52:3:52:22 | selection of Category |
+| main.go:52:3:52:22 | selection of Category | main.go:51:7:52:23 | []type{args} [array] |
 | main.go:52:3:52:22 | selection of Category | main.go:51:7:52:23 | call to Sprintf |
 | main.go:57:2:57:12 | definition of RequestData [pointer, Category] | main.go:58:4:58:14 | RequestData [pointer, Category] |
 | main.go:57:2:57:12 | definition of RequestData [pointer, Category] | main.go:61:5:61:15 | RequestData [pointer, Category] |
@@ -65,7 +83,9 @@ edges
 | main.go:58:28:58:34 | selection of URL | main.go:58:28:58:42 | call to Query |
 | main.go:58:28:58:42 | call to Query | main.go:58:28:58:54 | index expression |
 | main.go:58:28:58:54 | index expression | main.go:58:3:58:14 | star expression [Category] |
+| main.go:60:7:61:26 | []type{args} [array] | main.go:60:7:61:26 | call to Sprintf |
 | main.go:60:7:61:26 | call to Sprintf | main.go:62:11:62:11 | q |
+| main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | []type{args} [array] |
 | main.go:61:3:61:25 | selection of Category | main.go:60:7:61:26 | call to Sprintf |
 | main.go:61:4:61:15 | star expression [Category] | main.go:61:3:61:25 | selection of Category |
 | main.go:61:5:61:15 | RequestData [pointer, Category] | main.go:61:4:61:15 | star expression [Category] |
@@ -88,6 +108,7 @@ edges
 | mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline |
 | mongoDB.go:50:34:50:39 | filter | mongoDB.go:50:23:50:40 | struct literal |
 nodes
+| SqlInjection.go:10:7:11:30 | []type{args} [array] | semmle.label | []type{args} [array] |
 | SqlInjection.go:10:7:11:30 | call to Sprintf | semmle.label | call to Sprintf |
 | SqlInjection.go:11:3:11:9 | selection of URL | semmle.label | selection of URL |
 | SqlInjection.go:11:3:11:17 | call to Query | semmle.label | call to Query |
@@ -97,6 +118,7 @@ nodes
 | issue48.go:17:25:17:32 | selection of Body | semmle.label | selection of Body |
 | issue48.go:18:17:18:17 | b | semmle.label | b |
 | issue48.go:18:20:18:39 | &... | semmle.label | &... |
+| issue48.go:20:8:21:34 | []type{args} [array] | semmle.label | []type{args} [array] |
 | issue48.go:20:8:21:34 | call to Sprintf | semmle.label | call to Sprintf |
 | issue48.go:21:3:21:33 | index expression | semmle.label | index expression |
 | issue48.go:22:11:22:12 | q3 | semmle.label | q3 |
@@ -104,6 +126,7 @@ nodes
 | issue48.go:27:26:27:33 | selection of Body | semmle.label | selection of Body |
 | issue48.go:28:17:28:18 | b2 | semmle.label | b2 |
 | issue48.go:28:21:28:41 | &... | semmle.label | &... |
+| issue48.go:30:8:31:32 | []type{args} [array] | semmle.label | []type{args} [array] |
 | issue48.go:30:8:31:32 | call to Sprintf | semmle.label | call to Sprintf |
 | issue48.go:31:3:31:31 | selection of Category | semmle.label | selection of Category |
 | issue48.go:32:11:32:12 | q4 | semmle.label | q4 |
@@ -111,15 +134,18 @@ nodes
 | issue48.go:37:24:37:30 | selection of URL | semmle.label | selection of URL |
 | issue48.go:37:24:37:38 | call to Query | semmle.label | call to Query |
 | issue48.go:37:53:37:73 | &... | semmle.label | &... |
+| issue48.go:39:8:40:32 | []type{args} [array] | semmle.label | []type{args} [array] |
 | issue48.go:39:8:40:32 | call to Sprintf | semmle.label | call to Sprintf |
 | issue48.go:40:3:40:31 | selection of Category | semmle.label | selection of Category |
 | issue48.go:41:11:41:12 | q5 | semmle.label | q5 |
 | main.go:11:11:11:16 | selection of Form | semmle.label | selection of Form |
 | main.go:11:11:11:28 | index expression | semmle.label | index expression |
+| main.go:15:11:15:84 | []type{args} [array] | semmle.label | []type{args} [array] |
 | main.go:15:11:15:84 | call to Sprintf | semmle.label | call to Sprintf |
 | main.go:15:63:15:67 | selection of URL | semmle.label | selection of URL |
 | main.go:15:63:15:75 | call to Query | semmle.label | call to Query |
 | main.go:15:63:15:83 | index expression | semmle.label | index expression |
+| main.go:16:11:16:85 | []type{args} [array] | semmle.label | []type{args} [array] |
 | main.go:16:11:16:85 | call to Sprintf | semmle.label | call to Sprintf |
 | main.go:16:63:16:70 | selection of Header | semmle.label | selection of Header |
 | main.go:16:63:16:84 | call to Get | semmle.label | call to Get |
@@ -128,6 +154,7 @@ nodes
 | main.go:30:13:30:19 | selection of URL | semmle.label | selection of URL |
 | main.go:30:13:30:27 | call to Query | semmle.label | call to Query |
 | main.go:30:13:30:39 | index expression | semmle.label | index expression |
+| main.go:33:7:34:23 | []type{args} [array] | semmle.label | []type{args} [array] |
 | main.go:33:7:34:23 | call to Sprintf | semmle.label | call to Sprintf |
 | main.go:34:3:34:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
 | main.go:34:3:34:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
@@ -139,6 +166,7 @@ nodes
 | main.go:40:25:40:31 | selection of URL | semmle.label | selection of URL |
 | main.go:40:25:40:39 | call to Query | semmle.label | call to Query |
 | main.go:40:25:40:51 | index expression | semmle.label | index expression |
+| main.go:42:7:43:23 | []type{args} [array] | semmle.label | []type{args} [array] |
 | main.go:42:7:43:23 | call to Sprintf | semmle.label | call to Sprintf |
 | main.go:43:3:43:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
 | main.go:43:3:43:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
@@ -150,6 +178,7 @@ nodes
 | main.go:49:28:49:34 | selection of URL | semmle.label | selection of URL |
 | main.go:49:28:49:42 | call to Query | semmle.label | call to Query |
 | main.go:49:28:49:54 | index expression | semmle.label | index expression |
+| main.go:51:7:52:23 | []type{args} [array] | semmle.label | []type{args} [array] |
 | main.go:51:7:52:23 | call to Sprintf | semmle.label | call to Sprintf |
 | main.go:52:3:52:13 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
 | main.go:52:3:52:13 | implicit dereference [Category] | semmle.label | implicit dereference [Category] |
@@ -161,6 +190,7 @@ nodes
 | main.go:58:28:58:34 | selection of URL | semmle.label | selection of URL |
 | main.go:58:28:58:42 | call to Query | semmle.label | call to Query |
 | main.go:58:28:58:54 | index expression | semmle.label | index expression |
+| main.go:60:7:61:26 | []type{args} [array] | semmle.label | []type{args} [array] |
 | main.go:60:7:61:26 | call to Sprintf | semmle.label | call to Sprintf |
 | main.go:61:3:61:25 | selection of Category | semmle.label | selection of Category |
 | main.go:61:4:61:15 | star expression [Category] | semmle.label | star expression [Category] |
--- a/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected
+++ b/go/ql/test/query-tests/Security/CWE-338/InsecureRandomness/InsecureRandomness.expected
@@ -1,7 +1,9 @@
 edges
 | sample.go:15:10:15:64 | call to Sum256 | sample.go:16:9:16:15 | slice expression |
 | sample.go:15:24:15:63 | type conversion | sample.go:15:10:15:64 | call to Sum256 |
+| sample.go:15:31:15:62 | []type{args} [array] | sample.go:15:31:15:62 | call to Sprintf |
 | sample.go:15:31:15:62 | call to Sprintf | sample.go:15:24:15:63 | type conversion |
+| sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | []type{args} [array] |
 | sample.go:15:49:15:61 | call to Uint32 | sample.go:15:31:15:62 | call to Sprintf |
 | sample.go:16:9:16:15 | slice expression | sample.go:26:25:26:30 | call to Guid |
 | sample.go:33:2:33:6 | definition of nonce | sample.go:37:25:37:29 | nonce |
@@ -12,6 +14,7 @@ nodes
 | InsecureRandomness.go:12:18:12:40 | call to Intn | semmle.label | call to Intn |
 | sample.go:15:10:15:64 | call to Sum256 | semmle.label | call to Sum256 |
 | sample.go:15:24:15:63 | type conversion | semmle.label | type conversion |
+| sample.go:15:31:15:62 | []type{args} [array] | semmle.label | []type{args} [array] |
 | sample.go:15:31:15:62 | call to Sprintf | semmle.label | call to Sprintf |
 | sample.go:15:49:15:61 | call to Uint32 | semmle.label | call to Uint32 |
 | sample.go:16:9:16:15 | slice expression | semmle.label | slice expression |