In https://github.com/github/codeql/pull/8641, `localFlowExit` was
changed to use `Stage2::readStepCand` instead of `read`, which means
that the big-step relation is broken up less. This causes test result
changes. Nothing is lost from the `select` clause, but some results may
have fewer paths, and fewer nodes and edges are output in the test
results.
In the `subpaths` section, the last node is now printed without its type
if it is the sink of the path.
This comes from the commit "Dataflow: Bugfix: include subpaths ending at
a sink. " in https://github.com/github/codeql/pull/7526
This query already treats structs differently to usual: it includes field -> whole struct taint steps, but explicitly excludes struct -> field steps. This means that a logging framework sinking an entire struct with a tainted field yields an alert, but we don't get FPs caused by writing field `x` but then reading field `y`.
However, protobuf messages have a special treatment, with taint usually associated with the whole struct and getter methods propagating that taint out. Suppressing these getter method steps specifically for the cleartext-logging query mirrors its treatment of structs in general and avoids this sort of field-mismatch FP.
On the downside we will miss same-field propagation like `m.field = password; Log(m.GetField())` if we don't have source code for the implementation of `m`. However this is hopefully unusual since the typical use of protobufs is to serialize and deserialize, rather than using the struct as a general-purpose datastructure.
As of go 1.19 it will try to format markdown nicely, but in both these cases the formatting isn't supposed to be interpreted this way, so indent it to make it a preformatted block.
I overlooked the fact that this has a WriteInstruction, which wasn't bound in the channel-write case, but somehow the evaluator discarded the implied cartesian product until last night's performance evaluation.
Rather than try to cram channel writes into WriteInstruction, just handle them as their own beast.
