Commit Graph

3625 Commits

Author SHA1 Message Date
sauyon
b7ef551b52 Address review: exercise variadic args/attrs in slog Log/LogAttrs tests
Copilot review on #22004: the Log/LogAttrs test cases didn't pass any
variadic args/attrs, so the Argument[..3] portion of the sink range was
untested. Pass an ...any arg to slog.Log/Logger.Log and a slog.Attr to
slog.LogAttrs/Logger.LogAttrs, with inline expectations asserting they're
captured as logged components.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 20:27:00 -07:00
sauyon
00427d204c Go: Model log/slog as a logging sink
The standard-library structured logger `log/slog` (Go 1.21+) was not
modeled, so `go/log-injection` and `go/clear-text-logging` were blind to
any code that logs through it.

Model its logging functions and `*slog.Logger` methods — `Debug`, `Info`,
`Warn`, `Error`, their `Context` variants, and `Log`/`LogAttrs` — as
`log-injection` sinks (the kind that feeds `LoggerCall`, powering both
queries). Adds `log/slog` cases to the `LoggerCall` library test.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 20:02:29 -07:00
Owen Mansel-Chan
1154db4f86 Merge pull request #21957 from owen-mc/go/fix-result-node
Go: fix `DataFlow::ResultNode` and some related things
2026-06-17 12:20:27 +01:00
Owen Mansel-Chan
0a065c93de Update QLDoc for ResultNode 2026-06-17 11:03:23 +01:00
Owen Mansel-Chan
6161922ba4 Merge pull request #21940 from owen-mc/go/unhandled-writable-file-close
Go: Improve precision of `go/unhandled-writable-file-close`
2026-06-17 10:58:08 +01:00
dependabot[bot]
1ac079d066 Bump golang.org/x/tools
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-12 03:03:31 +00:00
Owen Mansel-Chan
b4a9689341 Convert .qlref test to inline expectations 2026-06-11 07:15:54 +02:00
Owen Mansel-Chan
6a8e20a0c8 Fix pre-existing whitespace issues in go test files 2026-06-11 07:15:09 +02:00
Owen Mansel-Chan
4c411bbcb5 Convert hand-rolled inline expectations test 2026-06-11 07:13:48 +02:00
Owen Mansel-Chan
990913519d Make comment clearer 2026-06-09 12:20:10 +02:00
Owen Mansel-Chan
e22f9fadd7 Fix mistakes in change notes
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-06-09 12:20:08 +02:00
Owen Mansel-Chan
071a0e3d7d Add change notes 2026-06-09 12:20:06 +02:00
Owen Mansel-Chan
a92349683e Deprecate FuncTypeExpr.getResultDecl()
It is unused in this library. It could easily be used incorrectly and
silently omit results when `getNumResult() > 1`.
2026-06-09 12:20:04 +02:00
Owen Mansel-Chan
8ce543bf4d Fix: getNumResult() was wrong in some cases
It was the number of result declarations, which is
different from the number of results when one
result declaration declares more than one
variable, as in `x, y int`.
2026-06-09 12:20:02 +02:00
Owen Mansel-Chan
da777a455d Improve QLDoc 2026-06-09 12:19:58 +02:00
Owen Mansel-Chan
f4f17b01c1 Fix result node and remove SPURIOUS test result 2026-06-09 12:19:56 +02:00
Owen Mansel-Chan
1c47084479 Add result node test with SPURIOUS result 2026-06-09 12:19:51 +02:00
Owen Mansel-Chan
c241049384 Add control flow test for result read steps 2026-06-09 12:19:49 +02:00
dependabot[bot]
72fcf27d1a Bump golang.org/x/mod
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/mod](https://github.com/golang/mod).


Updates `golang.org/x/mod` from 0.36.0 to 0.37.0
- [Commits](https://github.com/golang/mod/compare/v0.36.0...v0.37.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-09 03:03:37 +00:00
github-actions[bot]
5a38cbd5d5 Go: Update to 1.26.4 2026-06-08 04:30:10 +00:00
Owen Mansel-Chan
c170002fb1 Update test output 2026-06-04 13:52:05 +01:00
Owen Mansel-Chan
14e3ee2fb0 Add change note 2026-06-04 13:39:42 +01:00
Owen Mansel-Chan
50e0354911 Tidy up comments in isSink 2026-06-04 13:39:36 +01:00
Owen Mansel-Chan
101812310c Inline isCloseCall into isSink 2026-06-04 13:39:24 +01:00
Owen Mansel-Chan
c87bfd5f28 Remove redundant call to isCloseSink 2026-06-04 13:09:10 +01:00
Owen Mansel-Chan
05e21adc53 Accept test changes 2026-06-04 13:09:07 +01:00
Owen Mansel-Chan
f67d0ea961 Go: Account for deferred Close in writable-file-close query
A deferred Close runs at function exit, but the CFG splices it in at the exit node where it can be reached along paths that never execute Sync. The previous dominance check therefore produced a false positive when a statement followed the if-block that registered the defer (e.g. deferredCloseWithSync2). For deferred closes, require instead that a handled Sync post-dominates the point where the defer is registered, which guarantees Sync runs before Close on every path on which Close is registered. Non-deferred closes keep the existing dominance check.
2026-06-04 13:09:05 +01:00
Owen Mansel-Chan
5217ede621 Go: Tidy up comments in writable-file-close query
Correct the doc for unhandledCall (it also matches expression statements where the result is discarded) and remove a stale commented-out line in isWritableFileHandle.
2026-06-04 13:09:03 +01:00
Owen Mansel-Chan
59908124c1 Add test showing limits of DeferStmt in CFG
There are paths to the exit of the function which go through the defer
statement and paths which don't, so we add an optional call to the
deferred function. This causes FPs in the query as it stands.
2026-06-04 12:21:38 +01:00
Owen Mansel-Chan
d55ff83568 Merge pull request #21269 from owen-mc/go/improve-tests-for-varargs-flow
Go: improve tests for varargs flow
2026-06-03 12:39:46 +01:00
Owen Mansel-Chan
9dbe9adb00 Update tests 2026-06-02 09:34:03 +01:00
Owen Mansel-Chan
703cea2b65 Model panicking log functions better 2026-06-02 01:32:00 +01:00
Owen Mansel-Chan
e6e8e3d005 Taint doesn't flow through panicking functions 2026-06-02 01:31:44 +01:00
Owen Mansel-Chan
adc9b7714b Accept changed test output 2026-06-02 00:57:06 +01:00
Owen Mansel-Chan
e706c5f444 Improve test for non-returning fns 2026-06-02 00:56:12 +01:00
Owen Mansel-Chan
8a1e6d4f64 Add missing QLDocs 2026-06-02 00:41:48 +01:00
Owen Mansel-Chan
1a747dd8be (Trivial) Fix QLDoc grammar 2026-06-02 00:39:25 +01:00
Owen Mansel-Chan
28bb1a6870 Add change note 2026-06-02 00:16:23 +01:00
Owen Mansel-Chan
45b1253b23 Improve glog and klog tests 2026-06-02 00:16:21 +01:00
Owen Mansel-Chan
c99dab1d71 Improve glog (and klog) modelling 2026-06-02 00:16:19 +01:00
Owen Mansel-Chan
f3e3647209 Improve noretFunctions test 2026-06-02 00:16:17 +01:00
Owen Mansel-Chan
8d099cbe38 Recognize more non-returning logging functions 2026-06-02 00:15:58 +01:00
github-actions[bot]
cfb18c2477 Post-release preparation for codeql-cli-2.25.6 2026-05-29 12:04:35 +00:00
github-actions[bot]
8b6f969cdb Release preparation for version 2.25.6 2026-05-29 11:27:54 +00:00
Henry Mercer
9bc0c1b1ab Revert "Release preparation for version 2.25.6" 2026-05-29 12:13:50 +01:00
github-actions[bot]
44a914e40f Release preparation for version 2.25.6 2026-05-25 10:23:26 +00:00
github-actions[bot]
9f64000962 Post-release preparation for codeql-cli-2.25.5 2026-05-18 15:20:31 +00:00
github-actions[bot]
e38616a2ef Release preparation for version 2.25.5 2026-05-18 12:05:32 +00:00
Jeroen Ketema
76f71dd235 Merge pull request #21817 from jketema/go-version
Go: Make version parsing robust in the face of custom Go builds
2026-05-18 10:45:55 +02:00
Owen Mansel-Chan
6b65866ff4 Merge branch 'main' into fix/go-extractor-root-test-files 2026-05-11 17:18:43 +01:00