0c6c135967
This query already treats structs differently to usual: it includes field -> whole struct taint steps, but explicitly excludes struct -> field steps. This means that a logging framework sinking an entire struct with a tainted field yields an alert, but we don't get FPs caused by writing field `x` but then reading field `y`. However, protobuf messages have a special treatment, with taint usually associated with the whole struct and getter methods propagating that taint out. Suppressing these getter method steps specifically for the cleartext-logging query mirrors its treatment of structs in general and avoids this sort of field-mismatch FP. On the downside we will miss same-field propagation like `m.field = password; Log(m.GetField())` if we don't have source code for the implementation of `m`. However this is hopefully unusual since the typical use of protobufs is to serialize and deserialize, rather than using the struct as a general-purpose datastructure.
Go analysis support for CodeQL
This open-source repository contains the extractor, CodeQL libraries, and queries that power Go support in LGTM and the other CodeQL products that GitHub makes available to its customers worldwide.
It contains two major components:
- an extractor, itself written in Go, that parses Go source code and converts it into a database that can be queried using CodeQL.
- static analysis libraries and queries written in CodeQL that can be used to analyze such a database to find coding mistakes or security vulnerabilities.
The goal of this project is to provide comprehensive static analysis support for Go in CodeQL.
For the queries and libraries that power CodeQL support for other languages, visit the CodeQL repository.
Installation
Clone this repository.
Run scripts/install-deps.sh. This will ensure that the necessary external CodeQL packs are
downloaded to your machine. You will need to re-run this script whenever you pull new commits from
the repo.
If you want to use the CodeQL extension for Visual Studio Code, import this repository into your VS Code workspace.
Usage
To analyze a Go codebase, either use the CodeQL command-line interface to create a database yourself, or download a pre-built database from LGTM.com. You can then run any of the queries contained in this repository either on the command line or using the VS Code extension.
Note that the lgtm.com branch of this repository corresponds to the version of the queries that is currently deployed on LGTM.com. The main branch may contain changes that have not been deployed yet, so you may need to upgrade databases downloaded from LGTM.com before running queries on them.
Contributions
Contributions are welcome! Please see our contribution guidelines and our code of conduct for details on how to participate in our community.
Licensing
The code in this repository is licensed under the MIT license.