codeql/change-notes/1.24/analysis-go.md
2020-04-03 00:01:19 -07:00


# Improvements to Go analysis

## General improvements

* Alert suppression can now be done with single-line block comments (`/* ... */`) as well as line comments (`// ...`).
* Analysis of data flow through struct fields has been improved.
* More sources of untrusted input and more vulnerable sinks are modelled, which may lead to more results from the security queries.
* Go 1.14 standard library changes have been modelled.

## New queries

The CodeQL library for Go now contains a folder of simple "cookbook" queries that show how to access basic Go elements using the predicates defined by the standard library. They're intended to give you a starting point for your own experiments and to help you work out the best way to frame your questions in CodeQL. You can find them in the `examples/snippets` folder of the CodeQL for Go repository.

| Query | Tags | Purpose |
|---|---|---|
| Bad check of redirect URL (`go/bad-redirect-check`) | correctness, security, external/cwe/cwe-601 | Highlights checks that ensure redirect URLs start with `/` but don't reject `//` or `/\`, both of which browsers treat as protocol-relative URLs pointing at another host. Results are shown on LGTM by default. |
| Constant length comparison (`go/constant-length-comparison`) | correctness | Highlights code that checks the length of an array or slice against a constant before indexing it with a variable, suggesting a logic error. Results are shown on LGTM by default. |
| Impossible interface nil check (`go/impossible-interface-nil-check`) | correctness | Highlights code that compares an interface value that cannot be nil to nil, suggesting a logic error. Results are shown on LGTM by default. |
| Incomplete URL scheme check (`go/incomplete-url-scheme-check`) | correctness, security, external/cwe/cwe-020 | Highlights checks for `javascript:` URLs that do not take `data:` or `vbscript:` URLs into account. Results are shown on LGTM by default. |
| Potentially unsafe quoting (`go/unsafe-quoting`) | correctness, security, external/cwe/cwe-078, external/cwe/cwe-089, external/cwe/cwe-094 | Highlights code that constructs a quoted string literal from data that may itself contain quotes, allowing the data to break out of the literal. Results are shown on LGTM by default. |
| Size computation for allocation may overflow (`go/allocation-size-overflow`) | correctness, security, external/cwe/cwe-190 | Highlights code that computes the size of an allocation from the size of a potentially large object, where the multiplication may overflow. Results are shown on LGTM by default. |
| Uncontrolled data used in network request (`go/request-forgery`) | correctness, security, external/cwe/cwe-918 | Highlights code that uses uncontrolled user input to make a network request. Results are shown on LGTM by default. |
| XPath injection (`go/xml/xpath-injection`) | security, external/cwe/cwe-643 | Highlights code that uses remote input in an XPath expression. Results are shown on LGTM by default. |
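To make the first and fourth rows concrete, the following Go program shows the two string checks those queries report next to a hardened form of each. It is an added example, not code from the CodeQL repository or from the queries themselves; the function names and the sample inputs in `main` are constructed for illustration. `IsSafeRedirectNaive` is the `go/bad-redirect-check` pattern (only the leading `/` is verified), and `HasDangerousSchemeNaive` is the `go/incomplete-url-scheme-check` pattern (only `javascript:` is blocked).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// IsSafeRedirectNaive is the check go/bad-redirect-check flags. It only
// verifies that the target begins with "/", so a protocol-relative target
// such as "//evil.example" or "/\evil.example" (browsers normalise the
// backslash to a slash) passes and the user is sent off-site.
func IsSafeRedirectNaive(target string) bool {
	return strings.HasPrefix(target, "/")
}

// IsSafeRedirect accepts only same-origin paths: it rejects the "//" and
// "/\" prefixes explicitly (this also covers "///host", which browsers
// collapse) and, as a second layer, anything net/url parses with a scheme
// or host.
func IsSafeRedirect(target string) bool {
	if !strings.HasPrefix(target, "/") {
		return false
	}
	if strings.HasPrefix(target, "//") || strings.HasPrefix(target, `/\`) {
		return false
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" {
		return false
	}
	return true
}

// HasDangerousSchemeNaive is the check go/incomplete-url-scheme-check flags:
// it blocks "javascript:" but lets "data:" and "vbscript:" through, both of
// which can also run script when used as a link or frame target.
func HasDangerousSchemeNaive(href string) bool {
	return strings.HasPrefix(strings.ToLower(href), "javascript:")
}

// dangerousSchemes is the set the query expects a complete check to cover.
var dangerousSchemes = []string{"javascript:", "data:", "vbscript:"}

// HasDangerousScheme normalises case and surrounding whitespace before
// comparing, since browsers ignore both when interpreting a scheme.
func HasDangerousScheme(href string) bool {
	s := strings.ToLower(strings.TrimSpace(href))
	for _, scheme := range dangerousSchemes {
		if strings.HasPrefix(s, scheme) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs for the demonstration; not data from the change note.
	for _, t := range []string{"/account", "//evil.example", `/\evil.example`, "https://evil.example"} {
		fmt.Printf("redirect %-22q naive=%-5t fixed=%t\n", t, IsSafeRedirectNaive(t), IsSafeRedirect(t))
	}
	for _, h := range []string{"https://example.com/", "JavaScript:alert(1)", "data:text/html,<script>alert(1)</script>", "vbscript:MsgBox"} {
		fmt.Printf("scheme   %-42q naive=%-5t fixed=%t\n", h, HasDangerousSchemeNaive(h), HasDangerousScheme(h))
	}
}
```

The naive redirect check is exactly the shape the query looks for: a `HasPrefix(x, "/")` test with no accompanying rejection of `//` or `/\`. Keeping the explicit prefix rejections in front of the `url.Parse` check matters because `url.Parse` does not treat `///host` as an authority while browsers do.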

## Changes to existing queries

| Query | Expected impact | Change |
|---|---|---|
| Bitwise exclusive-or used like exponentiation (`go/mistyped-exponentiation`) | Fewer false positives | The query now identifies when the value of an xor is assigned to a variable used as a mask, and excludes such results. |
| Command built from user-controlled sources (`go/command-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases, including untrusted data that flows as arguments into shells, `sudo`, or programming-language interpreters. |
| Database query built from user-controlled sources (`go/sql-injection`) | More results | The library models used by the query have been improved, allowing it to flag more potentially problematic cases. |
| Identical operands (`go/redundant-operation`) | Fewer false positives | The query no longer flags cases where the operands have the same value but are syntactically distinct, since this is usually intentional. |
| Incomplete regular expression for hostnames (`go/incomplete-hostname-regexp`) | More results | The query now flags an unescaped dot before the TLD in a hostname regex, since an unescaped `.` matches any character and so accepts hostnames other than the intended one. |
| Open URL redirect (`go/unvalidated-url-redirection`) | Fewer false positives | The query now identifies some sources that are not attacker-controlled, and excludes results with such sources. |
| Reflected cross-site scripting (`go/reflected-xss`) | Fewer results | Untrusted input flowing into an HTTP header definition or into an `fmt.Fprintf` call with a constant prefix is no longer flagged, since in both cases it is often harmless. |
| Useless assignment to field (`go/useless-assignment-to-field`) | Fewer false positives | The query now conservatively handles fields promoted through embedded pointer types. |
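The `go/incomplete-hostname-regexp` row is easiest to see with a concrete regex. The program below is an added example, not code from the CodeQL repository: `looseOrigin` has the unescaped dot the query now reports, `strictOrigin` escapes it, and `IsTrustedOriginParsed` (with an assumed `trustedHosts` allowlist) shows the alternative of parsing the URL and comparing the hostname exactly instead of matching a regex against the raw string. The hostnames and URLs used are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// looseOrigin is the pattern go/incomplete-hostname-regexp now reports: the
// dot before the TLD is unescaped, so it matches any single character and
// the regex also accepts hosts such as "examplezcom", which anyone can register.
var looseOrigin = regexp.MustCompile(`^https?://(www\.)?example.com/`)

// strictOrigin escapes the dot, so only example.com and www.example.com match.
var strictOrigin = regexp.MustCompile(`^https?://(www\.)?example\.com/`)

// IsTrustedOriginLoose applies the flawed regex to the raw URL string.
func IsTrustedOriginLoose(rawURL string) bool { return looseOrigin.MatchString(rawURL) }

// IsTrustedOriginStrict applies the corrected regex to the raw URL string.
func IsTrustedOriginStrict(rawURL string) bool { return strictOrigin.MatchString(rawURL) }

// trustedHosts is an assumed allowlist for the parse-based check.
var trustedHosts = map[string]bool{
	"example.com":     true,
	"www.example.com": true,
}

// IsTrustedOriginParsed sidesteps regex-on-URL mistakes: it parses the URL,
// restricts the scheme, and compares the hostname exactly, so an explicit
// port or unusual formatting cannot confuse a hand-written prefix match.
func IsTrustedOriginParsed(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false
	}
	return trustedHosts[u.Hostname()]
}

func main() {
	// Constructed inputs for the demonstration; not data from the change note.
	for _, u := range []string{
		"https://example.com/login",
		"https://www.example.com/login",
		"https://examplezcom/login",
		"https://example.com.evil.example/login",
		"https://example.com:443/login",
	} {
		fmt.Printf("%-40s loose=%-5t strict=%-5t parsed=%t\n",
			u, IsTrustedOriginLoose(u), IsTrustedOriginStrict(u), IsTrustedOriginParsed(u))
	}
}
```

Note that the strict regex still rejects a legitimate URL with an explicit port, which is one reason to prefer the parse-and-compare form when the check guards something security-relevant.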