mirror of
https://github.com/github/codeql.git
synced 2026-05-14 11:19:27 +02:00
d4ce252e7b
Read ControlFlowGraphShared.qll, lines 1 to 50 The file compiles successfully. Here's a summary of what was implemented: ControlFlowGraphShared.qll — Shared CFG library instantiation for Go, wrapped in the GoCfg module to coexist with the existing CFG during transition. Key design decisions: Ast module (implements AstSig): Callable = FuncDef with a body IfStmt — only For if-statements without init (those with init use custom steps) LoopStmt — uses characteristic predicate pattern (not direct extension) to avoid return type conflicts with BlockStmt Empty classes for: WhileStmt, DoStmt, ForStmt, ForeachStmt, ThrowStmt, TryStmt, CatchClause, Switch, Case, ConditionalExpr, NullCoalescingExpr (Go doesn't have these constructs) LogicalAndExpr = LandExpr, LogicalOrExpr = LorExpr, LogicalNotExpr = NotExpr BooleanLiteral maps to true/false identifiers skipCfg filters out type expressions, non-rvalue references, parenthesized expressions, etc. Input module (implements InputSig1 + InputSig2): Labels: Go statement labels + fallthrough Custom steps for: if-with-init, for loops, range loops, expression/type switch, case clauses, select statements, defer, go statements Abrupt completions: panic via calls/div/deref/type-assert/index/conversion, fallthrough, goto End abrupt completions: labeled statements catch breaks, goto targets Remaining work (todos 4-6): The GoCfg module is self-contained and doesn't yet replace the existing CFG. Integration with BasicBlocks.qll, IR.qll, and the public ControlFlowGraph.qll API is the next phase — which is a larger effort requiring updates to DataFlow and all downstream consumers.
Go analysis support for CodeQL
This sub-folder contains the extractor, CodeQL libraries, and queries that power Go support for CodeQL.
It contains two major components:
- an extractor, itself written in Go, that parses Go source code and converts it into a database that can be queried using CodeQL.
- static analysis libraries and queries written in CodeQL that can be used to analyze such a database to find coding mistakes or security vulnerabilities.
Usage
To analyze a Go codebase, either use the CodeQL command-line interface to create a database yourself, or download a pre-built database from GitHub.com. You can then run any of the queries contained in this repository either on the command line or using the VS Code extension.
Contributions
Contributions are welcome! Please see our contribution guidelines and our code of conduct for details on how to participate in our community.
Licensing
The code in this repository is licensed under the MIT license.