From 5b09d35668cbbfc9325bc12429e5dc4854677d92 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 11 Mar 2021 11:53:02 +0000 Subject: [PATCH 1/3] Add missing QLDoc for public declarations --- .../WeakCryptoAlgorithmCustomizations.qll | 5 +++++ ql/src/semmle/go/Expr.qll | 1 + ql/src/semmle/go/frameworks/Beego.qll | 4 ++++ ql/src/semmle/go/frameworks/BeegoOrm.qll | 4 ++++ ql/src/semmle/go/frameworks/GoRestfulHttp.qll | 4 ++++ ql/src/semmle/go/frameworks/SQL.qll | 3 +++ .../go/frameworks/SystemCommandExecutors.qll | 4 ++++ ql/src/semmle/go/frameworks/WebSocket.qll | 15 +++++++++++++++ ql/src/semmle/go/frameworks/XPath.qll | 3 +++ ql/src/semmle/go/security/CommandInjection.qll | 7 ++++++- .../InsecureRandomnessCustomizations.qll | 16 ++++++++++++++-- 11 files changed, 63 insertions(+), 3 deletions(-) diff --git a/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll b/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll index 81bd15a92f3..7348d8afb8c 100644 --- a/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll +++ b/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll @@ -8,6 +8,11 @@ import go private import semmle.go.security.SensitiveActions private import CryptoLibraries +/** + * Provides default sources, sinks and sanitizers for reasoning about + * sensitive information in weak cryptographic algorithms, + * as well as extension points for adding your own. + */ module WeakCryptoAlgorithm { /** * A data flow source for sensitive information in weak cryptographic algorithms. diff --git a/ql/src/semmle/go/Expr.qll b/ql/src/semmle/go/Expr.qll index a2bc9b21cba..3d2cf956c11 100644 --- a/ql/src/semmle/go/Expr.qll +++ b/ql/src/semmle/go/Expr.qll 
@@ -344,6 +344,7 @@ class RuneLit = CharLit; class StringLit extends @stringlit, BasicLit { override string getAPrimaryQlClass() { result = "StringLit" } + /** Holds if this string literal is a raw string literal. */ predicate isRaw() { this.getText().matches("`%`") } } diff --git a/ql/src/semmle/go/frameworks/Beego.qll b/ql/src/semmle/go/frameworks/Beego.qll index a893da684ed..74fbdc842dd 100644 --- a/ql/src/semmle/go/frameworks/Beego.qll +++ b/ql/src/semmle/go/frameworks/Beego.qll @@ -7,6 +7,10 @@ import go import semmle.go.security.Xss private import semmle.go.security.SafeUrlFlowCustomizations +/** + * Provides classes for working with untrusted flow sources, sinks and taint propagators + * from the [Beego](`github.com/beego/beego`) package. + */ module Beego { /** Gets the module path `github.com/astaxie/beego` or `github.com/beego/beego`. */ bindingset[result] diff --git a/ql/src/semmle/go/frameworks/BeegoOrm.qll b/ql/src/semmle/go/frameworks/BeegoOrm.qll index c6410bd117d..61eb17cc13f 100644 --- a/ql/src/semmle/go/frameworks/BeegoOrm.qll +++ b/ql/src/semmle/go/frameworks/BeegoOrm.qll @@ -6,6 +6,10 @@ import go private import semmle.go.security.StoredXssCustomizations +/** + * Provides classes for working with untrusted flow sources, sinks and taint propagators + * from the [Beego ORM](`github.com/astaxie/beego/orm`) subpackage. + */ module BeegoOrm { /** Gets the package name `github.com/astaxie/beego/orm`. */ bindingset[result] diff --git a/ql/src/semmle/go/frameworks/GoRestfulHttp.qll b/ql/src/semmle/go/frameworks/GoRestfulHttp.qll index 05ad3095376..2b102d534cb 100644 --- a/ql/src/semmle/go/frameworks/GoRestfulHttp.qll +++ b/ql/src/semmle/go/frameworks/GoRestfulHttp.qll @@ -1,3 +1,7 @@ +/** + * Provides models of the [go-restful library](https://github.com/emicklei/go-restful). + */ + import go /** diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll index 191f833d45d..b2558ead930 100644 
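Review bot: The module QLDoc added in `Beego.qll` puts a backticked import path where the URL of a Markdown link belongs, so it will not render as a link. The comment added to `BeegoOrm.qll` in the next hunk has the same form. It also names only `github.com/beego/beego`, while the `modulePath()` comment directly below it accepts `github.com/astaxie/beego` as well. I would use a plain form such as ``from the Beego package (`github.com/astaxie/beego` or `github.com/beego/beego`).`` and do the same in `BeegoOrm.qll`. Both module bodies continue outside their hunks.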
--- a/ql/src/semmle/go/frameworks/SQL.qll +++ b/ql/src/semmle/go/frameworks/SQL.qll @@ -217,6 +217,9 @@ module SQL { } } +/** + * Provides classes for working with the [GORM](https://gorm.io/) package. + */ module Gorm { /** Gets the package name for Gorm. */ bindingset[result] diff --git a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll index af121ae151d..59038ba3657 100644 --- a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll +++ b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll @@ -77,6 +77,10 @@ private class GoShCommandExecution extends SystemCommandExecution::Range, DataFl override DataFlow::Node getCommandName() { result = this.getArgument(0) } } +/** + * Provides classes for working with the + * [golang.org/x/crypto/ssh](https://pkg.go.dev/golang.org/x/crypto/ssh) package. + */ module CryptoSsh { /** Gets the package path `golang.org/x/crypto/ssh`. */ bindingset[result] diff --git a/ql/src/semmle/go/frameworks/WebSocket.qll b/ql/src/semmle/go/frameworks/WebSocket.qll index 02ab3940210..060d83e5fd5 100644 --- a/ql/src/semmle/go/frameworks/WebSocket.qll +++ b/ql/src/semmle/go/frameworks/WebSocket.qll 
@@ -298,24 +298,39 @@ module WebSocketReader { } } +/** + * Provides classes for working with the [Gorilla WebSocket](https://github.com/gorilla/websocket) + * package. + */ module GorillaWebsocket { /** Gets the package name `github.com/gorilla/websocket`. */ bindingset[result] string packagePath() { result = package("github.com/gorilla", "websocket") } } +/** + * Provides classes for working with the + * [golang.org/x/net/websocket](https://pkg.go.dev/golang.org/x/net/websocket) package. + */ module GolangOrgXNetWebsocket { /** Gets the package name `golang.org/x/net/websocket`. */ bindingset[result] string packagePath() { result = package("golang.org/x/net", "websocket") } } +/** + * Provides classes for working with the [nhooyr.io/websocket](http://nhooyr.io/websocket) + * package. + */ module NhooyrWebSocket { /** Gets the package name `nhooyr.io/websocket/`. */ bindingset[result] string packagePath() { result = package("nhooyr.io/websocket", "") } } +/** + * Provides classes for working with the [ws](https://github.com/gobwas/ws) package. + */ module GobwasWs { /** Gets the package name `github.com/gobwas/ws`. */ bindingset[result] diff --git a/ql/src/semmle/go/frameworks/XPath.qll b/ql/src/semmle/go/frameworks/XPath.qll index 70651c9ae75..a216feb7025 100644 --- a/ql/src/semmle/go/frameworks/XPath.qll +++ b/ql/src/semmle/go/frameworks/XPath.qll @@ -189,6 +189,9 @@ module XPath { } } +/** + * Provides classes for working with the [xmlpath](https://gopkg.in/xmlpath.v2) package. + */ module XmlPath { /** Gets the package name `github.com/go-xmlpath/xmlpath` or `gopkg.in/xmlpath`. */ bindingset[result] diff --git a/ql/src/semmle/go/security/CommandInjection.qll b/ql/src/semmle/go/security/CommandInjection.qll index 13963a2c546..6f36760b3b4 100644 --- a/ql/src/semmle/go/security/CommandInjection.qll +++ b/ql/src/semmle/go/security/CommandInjection.qll 
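Review bot: The QLDoc added for `NhooyrWebSocket` links to `http://nhooyr.io/websocket`, the only plain-HTTP link among the four comments added in this hunk. Use `https://` there so the reference matches the other three and does not send readers over an unauthenticated connection.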
@@ -17,7 +17,8 @@ module CommandInjection { import CommandInjectionCustomizations::CommandInjection /** - * A taint-tracking configuration for reasoning about command-injection vulnerabilities. + * A taint-tracking configuration for reasoning about command-injection vulnerabilities + * with sinks which are not sanitized by `--`. */ class Configuration extends TaintTracking::Configuration { Configuration() { this = "CommandInjection" } @@ -77,6 +78,10 @@ module CommandInjection { } } + /** + * A taint-tracking configuration for reasoning about command-injection vulnerabilities + * with sinks which are sanitized by `--`. + */ class DoubleDashSanitizingConfiguration extends TaintTracking::Configuration { DoubleDashSanitizingConfiguration() { this = "CommandInjectionWithDoubleDashSanitizer" } diff --git a/ql/src/semmle/go/security/InsecureRandomnessCustomizations.qll b/ql/src/semmle/go/security/InsecureRandomnessCustomizations.qll index 57abb3aa185..db8ff731fbc 100644 --- a/ql/src/semmle/go/security/InsecureRandomnessCustomizations.qll +++ b/ql/src/semmle/go/security/InsecureRandomnessCustomizations.qll @@ -5,6 +5,10 @@ import go +/** + * Provides default sources, sinks and sanitizers for reasoning about random values that are + * not cryptographically secure, as well as extension points for adding your own. + */ module InsecureRandomness { /** * A data flow source for insufficient random sources @@ -32,6 +36,10 @@ module InsecureRandomness { InsecureRandomSource() { this.getTarget().getPackage().getPath() = "math/rand" } } + /** + * Gets an interface outside of the `crypto` package which is the same as an + * interface in the `crypto` package. + */ string nonCryptoInterface() { result = ["io.Writer", "io.Reader", "sync.Mutex", "net.Listener"] } /** 
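Review bot: Both QLDoc comments added in `CommandInjection.qll` distinguish the two configurations only by whether the sinks are "sanitized by `--`", and neither says what that means. A reader has to find the sink definitions to tell the configurations apart. I would spell it out once on `Configuration`, for example ``with sinks for which a preceding `--` argument does not stop the tainted value from being interpreted as an option``, and mirror it on `DoubleDashSanitizingConfiguration`. That wording is inferred from the names alone; the predicates that select the sinks lie outside both hunks, so check it against them.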
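Review bot: The QLDoc added for `nonCryptoInterface()` in `InsecureRandomnessCustomizations.qll` calls every result an interface, but the list on the next line includes `sync.Mutex`, which is a struct type in Go. The predicate yields qualified type names that the sink in the following hunk passes to `hasQualifiedName`, so a more accurate comment would be ``Gets the qualified name of a type outside the `crypto` packages whose methods are also reachable through types inside them.`` The exact wording should be confirmed against how the sink uses the result.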
@@ -47,8 +55,11 @@ module InsecureRandomness { pkg.regexpMatch("crypto/.*") and not pkg = getAHashPkg() and not (pkg = "crypto/rand" and name = "Read") and - not (pkg = "crypto/cipher" and name = ["Read", "Write"]) and // crypto/cipher APIs for reading/writing encrypted streams - not fn.hasQualifiedName(nonCryptoInterface(), _) and // some interfaces in crypto are the same as interfaces elsewhere, e.g. tls.listener is the same as net.Listener + // `crypto/cipher` APIs for reading/writing encrypted streams + not (pkg = "crypto/cipher" and name = ["Read", "Write"]) and + // Some interfaces in the `crypto` package are the same as interfaces + // elsewhere, e.g. tls.listener is the same as net.Listener + not fn.hasQualifiedName(nonCryptoInterface(), _) and this = fn.getACall().getAnArgument() ) } @@ -71,6 +82,7 @@ module InsecureRandomness { override string getKind() { result = "a password-related function" } } + /** Gets a package that implements hash algorithms. */ bindingset[result] private string getAHashPkg() { result.regexpMatch("crypto/(md5|sha(1|256|512)|rand)") } From 426a65b981faffbeeb7f7b462e271ad92e5db707 Mon Sep 17 00:00:00 2001 From: Sauyon Lee Date: Fri, 5 Mar 2021 03:40:59 -0800 Subject: [PATCH 2/3] Restrict 'package' to real package paths --- ql/src/semmle/go/Packages.qll | 5 +++-- .../library-tests/semmle/go/Packages/main.go | 2 ++ .../semmle/go/Packages/package.ql | 22 +++++++++---------- .../github.com/nonexistent/test/stub.go | 1 + .../github.com/nonexistent/v2/test/stub.go | 1 + 5 files changed, 18 insertions(+), 13 deletions(-) create mode 100644 ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/test/stub.go create mode 100644 ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/v2/test/stub.go diff --git a/ql/src/semmle/go/Packages.qll b/ql/src/semmle/go/Packages.qll index 0b134110ae1..bc51911da27 100644 --- a/ql/src/semmle/go/Packages.qll +++ b/ql/src/semmle/go/Packages.qll 
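Review bot: The QLDoc added to `getAHashPkg()` says it gets a package that implements hash algorithms, but the pattern on the line below it, `crypto/(md5|sha(1|256|512)|rand)`, also matches `crypto/rand`, which is a random-number source. Because the sink in the previous hunk already has `not pkg = getAHashPkg()`, every `crypto/rand` function is excluded there, so the separate `not (pkg = "crypto/rand" and name = "Read")` conjunct appears to be redundant. Either document the predicate as ``Gets a package that implements hash algorithms, or `crypto/rand`.`` or drop `rand` from the pattern so the explicit `Read` exclusion decides what counts as a sink. The second option changes which weak-random flows into `crypto/rand` are reported, so it needs a test. The enclosing class begins outside both hunks.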
@@ -32,9 +32,10 @@ class Package extends @package { * For example, `package("github.com/go-pg/pg", "types")` gets an import path that can * refer to `"github.com/go-pg/pg/types"`, but also to `"github.com/go-pg/pg/v10/types"`. */ -bindingset[result, mod, path] +bindingset[mod, path] string package(string mod, string path) { // "\Q" and "\E" start and end a quoted section of a regular expression. Anything like "." or "*" that // "*" that comes between them is not interpreted as it would normally be in a regular expression. - result.regexpMatch("\\Q" + mod + "\\E([/.]v[^/]+)?($|/)\\Q" + path + "\\E") + result.regexpMatch("\\Q" + mod + "\\E([/.]v[^/]+)?($|/)\\Q" + path + "\\E") and + result = any(Package p).getPath() } diff --git a/ql/test/library-tests/semmle/go/Packages/main.go b/ql/test/library-tests/semmle/go/Packages/main.go index 77f2609a533..cd3014221d4 100644 --- a/ql/test/library-tests/semmle/go/Packages/main.go +++ b/ql/test/library-tests/semmle/go/Packages/main.go @@ -4,6 +4,8 @@ import ( "fmt" "github.com/nonexistent-test-pkg" + "github.com/nonexistent/test" + test2 "github.com/nonexistent/v2/test" ) func main() { diff --git a/ql/test/library-tests/semmle/go/Packages/package.ql b/ql/test/library-tests/semmle/go/Packages/package.ql index ff083b52aa7..41ee771ecdf 100644 --- a/ql/test/library-tests/semmle/go/Packages/package.ql +++ b/ql/test/library-tests/semmle/go/Packages/package.ql 
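Review bot: The QLDoc for `package` still describes it as giving any import path that can refer to the module, but with the added `result = any(Package p).getPath()` it only holds for paths of packages present in the database. State that in the comment, for example `The result is restricted to the paths of packages that exist in the database being analyzed.` Otherwise a framework model built on `package(...)` can silently match nothing; the vendored stubs this patch adds to the test suggest that happens when the library's package is not extracted. The context comment also carries a duplicated fragment, `that // "*" that`, which could be cleaned up in the same edit. The doc comment begins outside the hunk.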
@@ -3,16 +3,16 @@ import go from string path where ( - path = "PackageName/v2/test" or // OK - path = "PackageName/test" or // OK - path = "PackageName//v//test" or // NOT OK - path = "PackageName//v/test" or // NOT OK - path = "PackageName/v//test" or // NOT OK - path = "PackageName/v/asd/v2/test" or // NOT OK - path = "PackageName/v/test" or // NOT OK - path = "PackageName//v2//test" or // NOT OK - path = "PackageName//v2/test" or // NOT OK - path = "PackageName/v2//test" // NOT OK + path = "github.com/nonexistent/v2/test" or // OK + path = "github.com/nonexistent/test" or // OK + path = "github.com/nonexistent//v//test" or // NOT OK + path = "github.com/nonexistent//v/test" or // NOT OK + path = "github.com/nonexistent/v//test" or // NOT OK + path = "github.com/nonexistent/v/asd/v2/test" or // NOT OK + path = "github.com/nonexistent/v/test" or // NOT OK + path = "github.com/nonexistent//v2//test" or // NOT OK + path = "github.com/nonexistent//v2/test" or // NOT OK + path = "github.com/nonexistent/v2//test" // NOT OK ) and - path = package("PackageName", "test") + path = package("github.com/nonexistent", "test") select path diff --git a/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/test/stub.go b/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/test/stub.go new file mode 100644 index 00000000000..56e54040790 --- /dev/null +++ b/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/test/stub.go @@ -0,0 +1 @@ +package test diff --git a/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/v2/test/stub.go b/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/v2/test/stub.go new file mode 100644 index 00000000000..56e54040790 --- /dev/null +++ b/ql/test/library-tests/semmle/go/Packages/vendor/github.com/nonexistent/v2/test/stub.go @@ -0,0 +1 @@ +package test From bcee55c402ba585b037905f7b0cca0dcba857580 Mon Sep 17 00:00:00 2001 
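Review bot: The eight `// NOT OK` candidates in `package.ql` no longer test the regular expression, because `package` is now restricted to package paths in the database. As far as this patch shows, only `github.com/nonexistent/test` and `github.com/nonexistent/v2/test` are stubbed and imported, so the other paths are rejected whether or not the pattern handles them. For the candidates that are plausible import paths, such as `github.com/nonexistent/v/test` and `github.com/nonexistent/v/asd/v2/test`, add vendored stubs and imports like the two added here. They would then exist as packages and have to be excluded by the pattern itself.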
From: Sauyon Lee Date: Fri, 5 Mar 2021 03:41:09 -0800 Subject: [PATCH 3/3] Remove now-unnecessary bindingset annotations --- ql/src/semmle/go/frameworks/Beego.qll | 5 ----- ql/src/semmle/go/frameworks/BeegoOrm.qll | 1 - ql/src/semmle/go/frameworks/Chi.qll | 1 - ql/src/semmle/go/frameworks/Couchbase.qll | 1 - ql/src/semmle/go/frameworks/Echo.qll | 1 - ql/src/semmle/go/frameworks/ElazarlGoproxy.qll | 1 - ql/src/semmle/go/frameworks/Email.qll | 1 - ql/src/semmle/go/frameworks/Encoding.qll | 1 - ql/src/semmle/go/frameworks/EvanphxJsonPatch.qll | 1 - ql/src/semmle/go/frameworks/Gin.qll | 1 - ql/src/semmle/go/frameworks/GoKit.qll | 2 -- ql/src/semmle/go/frameworks/GoRestfulHttp.qll | 1 - ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll | 1 - ql/src/semmle/go/frameworks/K8sIoApimachineryPkgRuntime.qll | 1 - ql/src/semmle/go/frameworks/K8sIoClientGo.qll | 1 - ql/src/semmle/go/frameworks/Logrus.qll | 1 - ql/src/semmle/go/frameworks/Protobuf.qll | 4 ---- ql/src/semmle/go/frameworks/Revel.qll | 1 - ql/src/semmle/go/frameworks/SQL.qll | 3 --- ql/src/semmle/go/frameworks/Spew.qll | 1 - ql/src/semmle/go/frameworks/SystemCommandExecutors.qll | 1 - ql/src/semmle/go/frameworks/Testing.qll | 1 - ql/src/semmle/go/frameworks/WebSocket.qll | 4 ---- ql/src/semmle/go/frameworks/XNetHtml.qll | 1 - ql/src/semmle/go/frameworks/XPath.qll | 1 - ql/src/semmle/go/frameworks/Yaml.qll | 1 - ql/src/semmle/go/frameworks/Zap.qll | 1 - ql/src/semmle/go/frameworks/stdlib/Context.qll | 1 - ql/test/library-tests/semmle/go/Packages/main.go | 4 ++-- ql/test/library-tests/semmle/go/Packages/package.expected | 4 ++-- 30 files changed, 4 insertions(+), 45 deletions(-) diff --git a/ql/src/semmle/go/frameworks/Beego.qll b/ql/src/semmle/go/frameworks/Beego.qll index 74fbdc842dd..bff7d27fb96 100644 --- a/ql/src/semmle/go/frameworks/Beego.qll +++ b/ql/src/semmle/go/frameworks/Beego.qll 
@@ -13,23 +13,18 @@ private import semmle.go.security.SafeUrlFlowCustomizations */ module Beego { /** Gets the module path `github.com/astaxie/beego` or `github.com/beego/beego`. */ - bindingset[result] string modulePath() { result = ["github.com/astaxie/beego", "github.com/beego/beego"] } /** Gets the path for the root package of beego. */ - bindingset[result] string packagePath() { result = package(modulePath(), "") } /** Gets the path for the context package of beego. */ - bindingset[result] string contextPackagePath() { result = package(modulePath(), "context") } /** Gets the path for the logs package of beego. */ - bindingset[result] string logsPackagePath() { result = package(modulePath(), "logs") } /** Gets the path for the utils package of beego. */ - bindingset[result] string utilsPackagePath() { result = package(modulePath(), "utils") } /** diff --git a/ql/src/semmle/go/frameworks/BeegoOrm.qll b/ql/src/semmle/go/frameworks/BeegoOrm.qll index 61eb17cc13f..657f89d59b2 100644 --- a/ql/src/semmle/go/frameworks/BeegoOrm.qll +++ b/ql/src/semmle/go/frameworks/BeegoOrm.qll @@ -12,7 +12,6 @@ private import semmle.go.security.StoredXssCustomizations */ module BeegoOrm { /** Gets the package name `github.com/astaxie/beego/orm`. */ - bindingset[result] string packagePath() { result = package("github.com/astaxie/beego", "orm") } private class DbSink extends SQL::QueryString::Range { diff --git a/ql/src/semmle/go/frameworks/Chi.qll b/ql/src/semmle/go/frameworks/Chi.qll index c50a56641ce..89f1a41d350 100644 --- a/ql/src/semmle/go/frameworks/Chi.qll +++ b/ql/src/semmle/go/frameworks/Chi.qll @@ -6,7 +6,6 @@ import go private module Chi { /** Gets the package name `github.com/go-chi/chi`. */ - bindingset[result] string packagePath() { result = package("github.com/go-chi/chi", "") } /** diff --git a/ql/src/semmle/go/frameworks/Couchbase.qll b/ql/src/semmle/go/frameworks/Couchbase.qll index 7d339c197c7..983c445d710 100644 --- a/ql/src/semmle/go/frameworks/Couchbase.qll 
+++ b/ql/src/semmle/go/frameworks/Couchbase.qll @@ -14,7 +14,6 @@ module Couchbase { * Note that v1 and v2 have different APIs, but the names are disjoint so there is no need to * distinguish between them. */ - bindingset[result] string packagePath() { result = package([ diff --git a/ql/src/semmle/go/frameworks/Echo.qll b/ql/src/semmle/go/frameworks/Echo.qll index 330868f1d68..df58b492b87 100644 --- a/ql/src/semmle/go/frameworks/Echo.qll +++ b/ql/src/semmle/go/frameworks/Echo.qll @@ -7,7 +7,6 @@ import go private module Echo { /** Gets the package name `github.com/labstack/echo`. */ - bindingset[result] private string packagePath() { result = package("github.com/labstack/echo", "") } /** diff --git a/ql/src/semmle/go/frameworks/ElazarlGoproxy.qll b/ql/src/semmle/go/frameworks/ElazarlGoproxy.qll index f6023ba12c7..0ab4e48375b 100644 --- a/ql/src/semmle/go/frameworks/ElazarlGoproxy.qll +++ b/ql/src/semmle/go/frameworks/ElazarlGoproxy.qll @@ -9,7 +9,6 @@ import go */ module ElazarlGoproxy { /** Gets the package name. */ - bindingset[result] string packagePath() { result = package("github.com/elazarl/goproxy", "") } private class NewResponse extends HTTP::HeaderWrite::Range, DataFlow::CallNode { diff --git a/ql/src/semmle/go/frameworks/Email.qll b/ql/src/semmle/go/frameworks/Email.qll index c4234ae6e20..049af5f87bf 100644 --- a/ql/src/semmle/go/frameworks/Email.qll +++ b/ql/src/semmle/go/frameworks/Email.qll @@ -44,7 +44,6 @@ module EmailData { } /** Gets the package name `github.com/sendgrid/sendgrid-go/helpers/mail`. */ - bindingset[result] private string sendgridMail() { result = package("github.com/sendgrid/sendgrid-go", "helpers/mail") } diff --git a/ql/src/semmle/go/frameworks/Encoding.qll b/ql/src/semmle/go/frameworks/Encoding.qll index ad1fabf5522..a53f36bec48 100644 --- a/ql/src/semmle/go/frameworks/Encoding.qll +++ b/ql/src/semmle/go/frameworks/Encoding.qll 
@@ -5,7 +5,6 @@ import go /** Gets the package name `github.com/json-iterator/go`. */ -bindingset[result] private string packagePath() { result = package("github.com/json-iterator/go", "") } /** A model of json-iterator's `Unmarshal` function, propagating taint from the JSON input to the decoded object. */ diff --git a/ql/src/semmle/go/frameworks/EvanphxJsonPatch.qll b/ql/src/semmle/go/frameworks/EvanphxJsonPatch.qll index 7904fea7a03..6408b3d1d4c 100644 --- a/ql/src/semmle/go/frameworks/EvanphxJsonPatch.qll +++ b/ql/src/semmle/go/frameworks/EvanphxJsonPatch.qll @@ -6,7 +6,6 @@ import go private module EvanphxJsonPatch { /** Gets the package name `github.com/evanphx/json-patch`. */ - bindingset[result] private string packagePath() { result = package("github.com/evanphx/json-patch", "") } private class MergeMergePatches extends TaintTracking::FunctionModel { diff --git a/ql/src/semmle/go/frameworks/Gin.qll b/ql/src/semmle/go/frameworks/Gin.qll index 7007177d1fe..87212868ae3 100644 --- a/ql/src/semmle/go/frameworks/Gin.qll +++ b/ql/src/semmle/go/frameworks/Gin.qll @@ -6,7 +6,6 @@ import go private module Gin { /** Gets the package name `github.com/gin-gonic/gin`. */ - bindingset[result] string packagePath() { result = package("github.com/gin-gonic/gin", "") } /** diff --git a/ql/src/semmle/go/frameworks/GoKit.qll b/ql/src/semmle/go/frameworks/GoKit.qll index 2d19e06cdbc..c501858997c 100644 --- a/ql/src/semmle/go/frameworks/GoKit.qll +++ b/ql/src/semmle/go/frameworks/GoKit.qll @@ -12,7 +12,6 @@ import go */ module GoKit { /** Gets the package name. */ - bindingset[result] string packagePath() { result = package("github.com/go-kit/kit", "") } /** @@ -21,7 +20,6 @@ module GoKit { */ module Endpoint { /** Gets the package name. */ - bindingset[result] string endpointPackagePath() { result = package("github.com/go-kit/kit", "endpoint") } // gets a function that returns an endpoint 
diff --git a/ql/src/semmle/go/frameworks/GoRestfulHttp.qll b/ql/src/semmle/go/frameworks/GoRestfulHttp.qll index 2b102d534cb..ddaf4dde544 100644 --- a/ql/src/semmle/go/frameworks/GoRestfulHttp.qll +++ b/ql/src/semmle/go/frameworks/GoRestfulHttp.qll @@ -9,7 +9,6 @@ import go */ private module GoRestfulHttp { /** Gets the package name `github.com/emicklei/go-restful`. */ - bindingset[result] string packagePath() { result = package("github.com/emicklei/go-restful", "") } /** diff --git a/ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll b/ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll index 9b4bd97c37b..7752a95f400 100644 --- a/ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll +++ b/ql/src/semmle/go/frameworks/K8sIoApiCoreV1.qll @@ -7,7 +7,6 @@ import go */ module K8sIoApiCoreV1 { /** Gets the package name `k8s.io/api/core/v1`. */ - bindingset[result] string packagePath() { result = package("k8s.io/api", "core/v1") } private class SecretDeepCopy extends TaintTracking::FunctionModel, Method { diff --git a/ql/src/semmle/go/frameworks/K8sIoApimachineryPkgRuntime.qll b/ql/src/semmle/go/frameworks/K8sIoApimachineryPkgRuntime.qll index 774322c41e2..aecc2166ffe 100644 --- a/ql/src/semmle/go/frameworks/K8sIoApimachineryPkgRuntime.qll +++ b/ql/src/semmle/go/frameworks/K8sIoApimachineryPkgRuntime.qll @@ -7,7 +7,6 @@ import go */ module K8sIoApimachineryPkgRuntime { /** Gets the package name `k8s.io/apimachinery/pkg/runtime`. */ - bindingset[result] string packagePath() { result = package("k8s.io/apimachinery", "pkg/runtime") } private class ConvertTypeToType extends TaintTracking::FunctionModel { diff --git a/ql/src/semmle/go/frameworks/K8sIoClientGo.qll b/ql/src/semmle/go/frameworks/K8sIoClientGo.qll index c4c9ca34673..c087cc26ff8 100644 --- a/ql/src/semmle/go/frameworks/K8sIoClientGo.qll +++ b/ql/src/semmle/go/frameworks/K8sIoClientGo.qll 
@@ -8,7 +8,6 @@ import go */ module K8sIoClientGo { /** Gets the package name `k8s.io/client-go/kubernetes/typed/core/v1`. */ - bindingset[result] string packagePath() { result = package("k8s.io/client-go", "kubernetes/typed/core/v1") } /** diff --git a/ql/src/semmle/go/frameworks/Logrus.qll b/ql/src/semmle/go/frameworks/Logrus.qll index d89fc9db35f..1106cb57b06 100644 --- a/ql/src/semmle/go/frameworks/Logrus.qll +++ b/ql/src/semmle/go/frameworks/Logrus.qll @@ -5,7 +5,6 @@ import go /** Provides models of commonly used functions in the `github.com/sirupsen/logrus` package. */ module Logrus { /** Gets the package name `github.com/sirupsen/logrus`. */ - bindingset[result] string packagePath() { result = package(["github.com/sirupsen/logrus", "github.com/Sirupsen/logrus"], "") } diff --git a/ql/src/semmle/go/frameworks/Protobuf.qll b/ql/src/semmle/go/frameworks/Protobuf.qll index 2a0c3bf61b9..9603b015473 100644 --- a/ql/src/semmle/go/frameworks/Protobuf.qll +++ b/ql/src/semmle/go/frameworks/Protobuf.qll @@ -5,23 +5,19 @@ import go /** Provides models of commonly used functions and types in the protobuf packages. */ module Protobuf { /** Gets the name of the modern protobuf top-level implementation package. */ - bindingset[result] string modernProtobufPackage() { result = package("google.golang.org/protobuf", "proto") } /** Gets the name of the modern protobuf implementation's `protoiface` subpackage. */ - bindingset[result] string protobufIfacePackage() { result = package("google.golang.org/protobuf", "runtime/protoiface") } /** Gets the name of the modern protobuf implementation's `protoreflect` subpackage. */ - bindingset[result] string protobufReflectPackage() { result = package("google.golang.org/protobuf", "reflect/protoreflect") } /** Gets the name of a top-level protobuf implementation package. */ - bindingset[result] string protobufPackages() { result in [package("github.com/golang/protobuf", "proto"), modernProtobufPackage()] } 
diff --git a/ql/src/semmle/go/frameworks/Revel.qll b/ql/src/semmle/go/frameworks/Revel.qll index 5081eb92e2f..1058c54c713 100644 --- a/ql/src/semmle/go/frameworks/Revel.qll +++ b/ql/src/semmle/go/frameworks/Revel.qll @@ -8,7 +8,6 @@ private import semmle.go.security.OpenUrlRedirectCustomizations /** Provides classes and methods modelling the Revel web framework. */ module Revel { /** Gets the package name `github.com/revel/revel`. */ - bindingset[result] string packagePath() { result = package(["github.com/revel", "github.com/robfig"], "revel") } private class ControllerParams extends UntrustedFlowSource::Range, DataFlow::FieldReadNode { diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll index b2558ead930..f626fe097ca 100644 --- a/ql/src/semmle/go/frameworks/SQL.qll +++ b/ql/src/semmle/go/frameworks/SQL.qll @@ -101,11 +101,9 @@ module SQL { } /** A string that might identify package `go-pg/pg` or a specific version of it. */ - bindingset[result] private string gopg() { result = package("github.com/go-pg/pg", "") } /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */ - bindingset[result] private string gopgorm() { result = package("github.com/go-pg/pg", "orm") } /** @@ -222,7 +220,6 @@ module SQL { */ module Gorm { /** Gets the package name for Gorm. */ - bindingset[result] string packagePath() { result = package(["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"], "") } diff --git a/ql/src/semmle/go/frameworks/Spew.qll b/ql/src/semmle/go/frameworks/Spew.qll index ff82bf6fc4d..30490ac6608 100644 --- a/ql/src/semmle/go/frameworks/Spew.qll +++ b/ql/src/semmle/go/frameworks/Spew.qll @@ -9,7 +9,6 @@ import go */ module Spew { /** Gets the package path `github.com/davecgh/go-spew/spew`. */ - bindingset[result] private string packagePath() { result = package("github.com/davecgh/go-spew", "spew") } private class SpewCall extends LoggerCall::Range, DataFlow::CallNode { 
diff --git a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll index 59038ba3657..b97dd48945a 100644 --- a/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll +++ b/ql/src/semmle/go/frameworks/SystemCommandExecutors.qll @@ -83,7 +83,6 @@ private class GoShCommandExecution extends SystemCommandExecution::Range, DataFl */ module CryptoSsh { /** Gets the package path `golang.org/x/crypto/ssh`. */ - bindingset[result] string packagePath() { result = package("golang.org/x/crypto", "ssh") } /** diff --git a/ql/src/semmle/go/frameworks/Testing.qll b/ql/src/semmle/go/frameworks/Testing.qll index 8dc8c8b484c..728e33f31ef 100644 --- a/ql/src/semmle/go/frameworks/Testing.qll +++ b/ql/src/semmle/go/frameworks/Testing.qll @@ -90,7 +90,6 @@ module TestFile { /** Provides classes modelling Ginkgo. */ module Ginkgo { /** Gets the package path `github.com/onsi/ginkgo`. */ - bindingset[result] string packagePath() { result = package("github.com/onsi/ginkgo", "") } /** The Ginkgo `Fail` function, which always panics. */ diff --git a/ql/src/semmle/go/frameworks/WebSocket.qll b/ql/src/semmle/go/frameworks/WebSocket.qll index 060d83e5fd5..55f36709a5c 100644 --- a/ql/src/semmle/go/frameworks/WebSocket.qll +++ b/ql/src/semmle/go/frameworks/WebSocket.qll @@ -304,7 +304,6 @@ module WebSocketReader { */ module GorillaWebsocket { /** Gets the package name `github.com/gorilla/websocket`. */ - bindingset[result] string packagePath() { result = package("github.com/gorilla", "websocket") } } @@ -314,7 +313,6 @@ module GorillaWebsocket { */ module GolangOrgXNetWebsocket { /** Gets the package name `golang.org/x/net/websocket`. */ - bindingset[result] string packagePath() { result = package("golang.org/x/net", "websocket") } } 
@@ -324,7 +322,6 @@ module GolangOrgXNetWebsocket { */ module NhooyrWebSocket { /** Gets the package name `nhooyr.io/websocket/`. */ - bindingset[result] string packagePath() { result = package("nhooyr.io/websocket", "") } } @@ -333,6 +330,5 @@ module NhooyrWebSocket { */ module GobwasWs { /** Gets the package name `github.com/gobwas/ws`. */ - bindingset[result] string packagePath() { result = package("github.com/gobwas/ws", "") } } diff --git a/ql/src/semmle/go/frameworks/XNetHtml.qll b/ql/src/semmle/go/frameworks/XNetHtml.qll index 50a7d008344..6a7c56713d6 100644 --- a/ql/src/semmle/go/frameworks/XNetHtml.qll +++ b/ql/src/semmle/go/frameworks/XNetHtml.qll @@ -12,7 +12,6 @@ import go /** Provides models of commonly used functions in the `golang.org/x/net/html` subpackage. */ module XNetHtml { /** Gets the package name `golang.org/x/net/html`. */ - bindingset[result] string packagePath() { result = package("golang.org/x/net", "html") } private class EscapeString extends HtmlEscapeFunction, TaintTracking::FunctionModel { diff --git a/ql/src/semmle/go/frameworks/XPath.qll b/ql/src/semmle/go/frameworks/XPath.qll index a216feb7025..896007f4641 100644 --- a/ql/src/semmle/go/frameworks/XPath.qll +++ b/ql/src/semmle/go/frameworks/XPath.qll @@ -194,7 +194,6 @@ module XPath { */ module XmlPath { /** Gets the package name `github.com/go-xmlpath/xmlpath` or `gopkg.in/xmlpath`. */ - bindingset[result] string packagePath() { result = package(["github.com/go-xmlpath/xmlpath", "gopkg.in/xmlpath"], "") } diff --git a/ql/src/semmle/go/frameworks/Yaml.qll b/ql/src/semmle/go/frameworks/Yaml.qll index b661021f573..583591c5e65 100644 --- a/ql/src/semmle/go/frameworks/Yaml.qll +++ b/ql/src/semmle/go/frameworks/Yaml.qll @@ -9,7 +9,6 @@ import go */ module Yaml { /** Gets a package path for the Yaml package. */ - bindingset[result] string packagePath() { result = package("gopkg.in/yaml", "") } private class MarshalFunction extends TaintTracking::FunctionModel, MarshalingFunction::Range { 
diff --git a/ql/src/semmle/go/frameworks/Zap.qll b/ql/src/semmle/go/frameworks/Zap.qll index 8a368fe64f6..27c4b6d2235 100644 --- a/ql/src/semmle/go/frameworks/Zap.qll +++ b/ql/src/semmle/go/frameworks/Zap.qll @@ -9,7 +9,6 @@ import go */ module Zap { /** Gets the package path `go.uber.org/zap`. */ - bindingset[result] private string packagePath() { result = package("go.uber.org/zap", "") } /** Gets a suffix for a method on `zap.SugaredLogger`. */ diff --git a/ql/src/semmle/go/frameworks/stdlib/Context.qll b/ql/src/semmle/go/frameworks/stdlib/Context.qll index f94c24a8529..d8e7a133726 100644 --- a/ql/src/semmle/go/frameworks/stdlib/Context.qll +++ b/ql/src/semmle/go/frameworks/stdlib/Context.qll @@ -12,7 +12,6 @@ module Context { * The two packages are identical; before Go 1.7 it was only available * under `golang.org/x`; as of Go 1.7 it is included in the standard library. */ - bindingset[result] private string packagePath() { result = ["context", package("golang.org/x/net", "context")] } private class FunctionModels extends TaintTracking::FunctionModel { diff --git a/ql/test/library-tests/semmle/go/Packages/main.go b/ql/test/library-tests/semmle/go/Packages/main.go index cd3014221d4..640439e0e92 100644 --- a/ql/test/library-tests/semmle/go/Packages/main.go +++ b/ql/test/library-tests/semmle/go/Packages/main.go @@ -4,8 +4,8 @@ import ( "fmt" "github.com/nonexistent-test-pkg" - "github.com/nonexistent/test" - test2 "github.com/nonexistent/v2/test" + _ "github.com/nonexistent/test" + _ "github.com/nonexistent/v2/test" ) func main() { diff --git a/ql/test/library-tests/semmle/go/Packages/package.expected b/ql/test/library-tests/semmle/go/Packages/package.expected index 256819c6151..8c4d8ab8e94 100644 --- a/ql/test/library-tests/semmle/go/Packages/package.expected +++ b/ql/test/library-tests/semmle/go/Packages/package.expected @@ -1,2 +1,2 @@ -| PackageName/test | -| PackageName/v2/test | +| github.com/nonexistent/test | +| github.com/nonexistent/v2/test |