Skip to content

Go: reinstate models-as-data sink conversions with fixes#17494

Merged
owen-mc merged 30 commits intogithub:mainfrom
owen-mc:go/reinstate-mad-with-fixes
Nov 20, 2024
Merged

Go: reinstate models-as-data sink conversions with fixes#17494
owen-mc merged 30 commits intogithub:mainfrom
owen-mc:go/reinstate-mad-with-fixes

Conversation

@owen-mc
Copy link
Copy Markdown
Contributor

@owen-mc owen-mc commented Sep 17, 2024
edited
Loading

The first 14 commits are reinstating commits that were reverted in #17296. Then there are some commits fixing things: reverting some models back to QL and adding some models-as-data models for logrus.FieldLogger. Then there are some commits adding tests that would have caught the problems in the first place. Finally, there are some commits adding a heuristic for logger calls to replace results that we now miss because we have converted all logging models to MaD (because QL models normally use Method.getACall(), which is too broad and matches any interface method which the modeled method implements).

@github-actions github-actions bot added the Go label Sep 17, 2024
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Sep 17, 2024
edited
Loading

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

go

Generated file changes for go

  • Changes to framework-coverage-go.rst:
-    `Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",,36,
+    `Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",,36,16
-    `Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,,18,
+    `Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,,18,8
-    `Glog <https://github.com/golang/glog>`_,"``github.com/golang/glog*``, ``gopkg.in/glog*``, ``k8s.io/klog*``",,,
+    `Glog <https://github.com/golang/glog>`_,"``github.com/golang/glog*``, ``gopkg.in/glog*``, ``k8s.io/klog*``",,,270
-    `Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,
+    `Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,9
-    `Logrus <https://github.com/sirupsen/logrus>`_,"``github.com/Sirupsen/logrus*``, ``github.com/sirupsen/logrus*``",,,
+    `Logrus <https://github.com/sirupsen/logrus>`_,"``github.com/Sirupsen/logrus*``, ``github.com/sirupsen/logrus*``",,,290
-    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",33,587,51
+    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",33,587,104
-    `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",63,63,21
+    `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",63,63,213
-    `goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,
+    `goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
-    `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,
+    `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
-    Others,"``github.com/caarlos0/env``, ``github.com/gobuffalo/envy``, ``github.com/hashicorp/go-envparse``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``",23,2,
+    Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``xorm.io/xorm``",23,2,391
-    Totals,,307,911,268
+    Totals,,307,911,1532
  • Changes to framework-coverage-go.csv:
- package,sink,source,summary,sink:command-injection,sink:credentials-key,sink:jwt,sink:path-injection,sink:regex-use[0],sink:regex-use[1],sink:regex-use[c],sink:request-forgery,sink:request-forgery[TCP Addr + Port],sink:url-redirection,sink:url-redirection[0],sink:url-redirection[receiver],sink:xpath-injection,source:environment,source:file,source:remote,source:stdin,summary:taint,summary:value
+ package,sink,source,summary,sink:command-injection,sink:credentials-key,sink:jwt,sink:log-injection,sink:nosql-injection,sink:path-injection,sink:regex-use[0],sink:regex-use[1],sink:regex-use[c],sink:request-forgery,sink:request-forgery[TCP Addr + Port],sink:sql-injection,sink:url-redirection,sink:url-redirection[0],sink:url-redirection[receiver],sink:xpath-injection,source:environment,source:file,source:remote,source:stdin,summary:taint,summary:value
- ,,,8,,,,,,,,,,,,,,,,,,3,5
+ ,,,8,,,,,,,,,,,,,,,,,,,,,3,5
- archive/tar,,,5,,,,,,,,,,,,,,,,,,5,
+ archive/tar,,,5,,,,,,,,,,,,,,,,,,,,,5,
- archive/zip,,,6,,,,,,,,,,,,,,,,,,6,
+ archive/zip,,,6,,,,,,,,,,,,,,,,,,,,,6,
- bufio,,,17,,,,,,,,,,,,,,,,,,17,
+ bufio,,,17,,,,,,,,,,,,,,,,,,,,,17,
- bytes,,,43,,,,,,,,,,,,,,,,,,43,
+ bytes,,,43,,,,,,,,,,,,,,,,,,,,,43,
- clevergo.tech/clevergo,1,,,,,,,,,,,,,,1,,,,,,,
+ clevergo.tech/clevergo,1,,,,,,,,,,,,,,,,,1,,,,,,,
- compress/bzip2,,,1,,,,,,,,,,,,,,,,,,1,
+ compress/bzip2,,,1,,,,,,,,,,,,,,,,,,,,,1,
- compress/flate,,,4,,,,,,,,,,,,,,,,,,4,
+ compress/flate,,,4,,,,,,,,,,,,,,,,,,,,,4,
- compress/gzip,,,3,,,,,,,,,,,,,,,,,,3,
+ compress/gzip,,,3,,,,,,,,,,,,,,,,,,,,,3,
- compress/lzw,,,1,,,,,,,,,,,,,,,,,,1,
+ compress/lzw,,,1,,,,,,,,,,,,,,,,,,,,,1,
- compress/zlib,,,4,,,,,,,,,,,,,,,,,,4,
+ compress/zlib,,,4,,,,,,,,,,,,,,,,,,,,,4,
- container/heap,,,5,,,,,,,,,,,,,,,,,,5,
+ container/heap,,,5,,,,,,,,,,,,,,,,,,,,,5,
- container/list,,,20,,,,,,,,,,,,,,,,,,20,
+ container/list,,,20,,,,,,,,,,,,,,,,,,,,,20,
- container/ring,,,5,,,,,,,,,,,,,,,,,,5,
+ container/ring,,,5,,,,,,,,,,,,,,,,,,,,,5,
- context,,,5,,,,,,,,,,,,,,,,,,5,
+ context,,,5,,,,,,,,,,,,,,,,,,,,,5,
- crypto,,,10,,,,,,,,,,,,,,,,,,10,
+ crypto,,,10,,,,,,,,,,,,,,,,,,,,,10,
- database/sql,,,11,,,,,,,,,,,,,,,,,,11,
+ database/sql,30,,11,,,,,,,,,,,,30,,,,,,,,,11,
- encoding,,,77,,,,,,,,,,,,,,,,,,77,
+ encoding,,,77,,,,,,,,,,,,,,,,,,,,,77,
- errors,,,3,,,,,,,,,,,,,,,,,,3,
+ errors,,,3,,,,,,,,,,,,,,,,,,,,,3,
- expvar,,,6,,,,,,,,,,,,,,,,,,6,
+ expvar,,,6,,,,,,,,,,,,,,,,,,,,,6,
- fmt,,,16,,,,,,,,,,,,,,,,,,16,
+ fmt,3,,16,,,,3,,,,,,,,,,,,,,,,,16,
- github.com/ChrisTrenkamp/goxpath,3,,,,,,,,,,,,,,,3,,,,,,
+ github.com/ChrisTrenkamp/goxpath,3,,,,,,,,,,,,,,,,,,3,,,,,,
+ github.com/Masterminds/squirrel,32,,,,,,,,,,,,,,32,,,,,,,,,,
+ github.com/Sirupsen/logrus,145,,,,,,145,,,,,,,,,,,,,,,,,,
- github.com/antchfx/htmlquery,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/antchfx/htmlquery,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/antchfx/jsonquery,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/antchfx/jsonquery,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/antchfx/xmlquery,8,,,,,,,,,,,,,,,8,,,,,,
+ github.com/antchfx/xmlquery,8,,,,,,,,,,,,,,,,,,8,,,,,,
- github.com/antchfx/xpath,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/antchfx/xpath,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/appleboy/gin-jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/appleboy/gin-jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
- github.com/astaxie/beego,7,21,21,,,,5,,,,,,2,,,,,,21,,21,
+ github.com/astaxie/beego,71,21,21,,,,34,,5,,,,,,30,2,,,,,,21,,21,
- github.com/beego/beego,14,42,42,,,,10,,,,,,4,,,,,,42,,42,
+ github.com/beego/beego,142,42,42,,,,68,,10,,,,,,60,4,,,,,,42,,42,
- github.com/caarlos0/env,,5,2,,,,,,,,,,,,,,5,,,,1,1
+ github.com/caarlos0/env,,5,2,,,,,,,,,,,,,,,,,5,,,,1,1
- github.com/clevergo/clevergo,1,,,,,,,,,,,,,,1,,,,,,,
+ github.com/clevergo/clevergo,1,,,,,,,,,,,,,,,,,1,,,,,,,
- github.com/codeskyblue/go-sh,4,,,4,,,,,,,,,,,,,,,,,,
+ github.com/codeskyblue/go-sh,4,,,4,,,,,,,,,,,,,,,,,,,,,
- github.com/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+ github.com/couchbase/gocb,8,,18,,,,,8,,,,,,,,,,,,,,,,18,
- github.com/couchbaselabs/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+ github.com/couchbaselabs/gocb,8,,18,,,,,8,,,,,,,,,,,,,,,,18,
- github.com/crankycoder/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/crankycoder/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/cristalhq/jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/cristalhq/jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
+ github.com/davecgh/go-spew/spew,9,,,,,,9,,,,,,,,,,,,,,,,,,
- github.com/dgrijalva/jwt-go,3,,9,,2,1,,,,,,,,,,,,,,,9,
+ github.com/dgrijalva/jwt-go,3,,9,,2,1,,,,,,,,,,,,,,,,,,9,
- github.com/elazarl/goproxy,,2,2,,,,,,,,,,,,,,,,2,,2,
+ github.com/elazarl/goproxy,2,2,2,,,,2,,,,,,,,,,,,,,,2,,2,
- github.com/emicklei/go-restful,,7,,,,,,,,,,,,,,,,,7,,,
+ github.com/emicklei/go-restful,,7,,,,,,,,,,,,,,,,,,,,7,,,
- github.com/evanphx/json-patch,,,12,,,,,,,,,,,,,,,,,,12,
+ github.com/evanphx/json-patch,,,12,,,,,,,,,,,,,,,,,,,,,12,
- github.com/form3tech-oss/jwt-go,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/form3tech-oss/jwt-go,2,,,,2,,,,,,,,,,,,,,,,,,,,
- github.com/gin-gonic/gin,3,46,2,,,,3,,,,,,,,,,,,46,,2,
+ github.com/gin-gonic/gin,3,46,2,,,,,,3,,,,,,,,,,,,,46,,2,
- github.com/go-chi/chi,,3,,,,,,,,,,,,,,,,,3,,,
+ github.com/go-chi/chi,,3,,,,,,,,,,,,,,,,,,,,3,,,
- github.com/go-chi/jwtauth,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/go-chi/jwtauth,1,,,,1,,,,,,,,,,,,,,,,,,,,
+ github.com/go-gorm/gorm,13,,,,,,,,,,,,,,13,,,,,,,,,,
- github.com/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ github.com/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
- github.com/go-kit/kit/auth/jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/go-kit/kit/auth/jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
- github.com/go-pg/pg/orm,,,6,,,,,,,,,,,,,,,,,,6,
+ github.com/go-pg/pg/orm,,,6,,,,,,,,,,,,,,,,,,,,,6,
- github.com/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
+ github.com/go-xorm/xorm,34,,,,,,,,,,,,,,34,,,,,,,,,,
- github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,7,,,,,
+ github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,,,,7,,,,,
- github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,2,,,
+ github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,,,,2,,,
- github.com/gofiber/fiber,5,,,,,,4,,,,,,,,1,,,,,,,
+ github.com/gofiber/fiber,5,,,,,,,,4,,,,,,,,,1,,,,,,,
- github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
+ github.com/gogf/gf/database/gdb,51,,,,,,,,,,,,,,51,,,,,,,,,,
- github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,,11,
+ github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,,,,,11,
+ github.com/golang/glog,90,,,,,,90,,,,,,,,,,,,,,,,,,
- github.com/golang/protobuf/proto,,,4,,,,,,,,,,,,,,,,,,4,
+ github.com/golang/protobuf/proto,,,4,,,,,,,,,,,,,,,,,,,,,4,
- github.com/gorilla/mux,,1,,,,,,,,,,,,,,,,,1,,,
+ github.com/gorilla/mux,,1,,,,,,,,,,,,,,,,,,,,1,,,
- github.com/gorilla/websocket,,3,,,,,,,,,,,,,,,,,3,,,
+ github.com/gorilla/websocket,,3,,,,,,,,,,,,,,,,,,,,3,,,
- github.com/hashicorp/go-envparse,,1,,,,,,,,,,,,,,,1,,,,,
+ github.com/hashicorp/go-envparse,,1,,,,,,,,,,,,,,,,,,1,,,,,
- github.com/jbowtie/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/jbowtie/gokogiri/xml,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/jbowtie/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,,
+ github.com/jbowtie/gokogiri/xpath,1,,,,,,,,,,,,,,,,,,1,,,,,,
+ github.com/jinzhu/gorm,13,,,,,,,,,,,,,,13,,,,,,,,,,
+ github.com/jmoiron/sqlx,12,,,,,,,,,,,,,,12,,,,,,,,,,
- github.com/joho/godotenv,,4,,,,,,,,,,,,,,,4,,,,,
+ github.com/joho/godotenv,,4,,,,,,,,,,,,,,,,,,4,,,,,
- github.com/json-iterator/go,,,4,,,,,,,,,,,,,,,,,,4,
+ github.com/json-iterator/go,,,4,,,,,,,,,,,,,,,,,,,,,4,
- github.com/kataras/iris/context,6,,,,,,6,,,,,,,,,,,,,,,
+ github.com/kataras/iris/context,6,,,,,,,,6,,,,,,,,,,,,,,,,
- github.com/kataras/iris/middleware/jwt,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/kataras/iris/middleware/jwt,2,,,,2,,,,,,,,,,,,,,,,,,,,
- github.com/kataras/iris/server/web/context,6,,,,,,6,,,,,,,,,,,,,,,
+ github.com/kataras/iris/server/web/context,6,,,,,,,,6,,,,,,,,,,,,,,,,
- github.com/kataras/jwt,5,,,,5,,,,,,,,,,,,,,,,,
+ github.com/kataras/jwt,5,,,,5,,,,,,,,,,,,,,,,,,,,
- github.com/kelseyhightower/envconfig,,6,,,,,,,,,,,,,,,6,,,,,
+ github.com/kelseyhightower/envconfig,,6,,,,,,,,,,,,,,,,,,6,,,,,
- github.com/labstack/echo,3,12,2,,,,2,,,,,,1,,,,,,12,,2,
+ github.com/labstack/echo,3,12,2,,,,,,2,,,,,,,1,,,,,,12,,2,
+ github.com/lann/squirrel,32,,,,,,,,,,,,,,32,,,,,,,,,,
- github.com/lestrrat-go/jwx,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/lestrrat-go/jwx,2,,,,2,,,,,,,,,,,,,,,,,,,,
- github.com/lestrrat-go/libxml2/parser,3,,,,,,,,,,,,,,,3,,,,,,
+ github.com/lestrrat-go/libxml2/parser,3,,,,,,,,,,,,,,,,,,3,,,,,,
- github.com/lestrrat/go-jwx/jwk,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/lestrrat/go-jwx/jwk,1,,,,1,,,,,,,,,,,,,,,,,,,,
- github.com/masterzen/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/masterzen/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/moovweb/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/moovweb/gokogiri/xml,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/moovweb/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,,
+ github.com/moovweb/gokogiri/xpath,1,,,,,,,,,,,,,,,,,,1,,,,,,
- github.com/ory/fosite/token/jwt,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/ory/fosite/token/jwt,2,,,,2,,,,,,,,,,,,,,,,,,,,
+ github.com/raindog308/gorqlite,24,,,,,,,,,,,,,,24,,,,,,,,,,
- github.com/revel/revel,2,23,10,,,,1,,,,,,1,,,,,,23,,10,
+ github.com/revel/revel,2,23,10,,,,,,1,,,,,,,1,,,,,,23,,10,
- github.com/robfig/revel,2,23,10,,,,1,,,,,,1,,,,,,23,,10,
+ github.com/robfig/revel,2,23,10,,,,,,1,,,,,,,1,,,,,,23,,10,
+ github.com/rqlite/gorqlite,24,,,,,,,,,,,,,,24,,,,,,,,,,
- github.com/santhosh-tekuri/xpathparser,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/santhosh-tekuri/xpathparser,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,1,
+ github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,,,,1,
+ github.com/sirupsen/logrus,145,,,,,,145,,,,,,,,,,,,,,,,,,
- github.com/spf13/afero,34,,,,,,34,,,,,,,,,,,,,,,
+ github.com/spf13/afero,34,,,,,,,,34,,,,,,,,,,,,,,,,
- github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
+ github.com/uptrace/bun,63,,,,,,,,,,,,,,63,,,,,,,,,,
- github.com/valyala/fasthttp,35,50,5,,,,8,,,,17,8,2,,,,,,50,,5,
+ github.com/valyala/fasthttp,35,50,5,,,,,,8,,,,17,8,,2,,,,,,50,,5,
+ go.mongodb.org/mongo-driver/mongo,14,,,,,,,14,,,,,,,,,,,,,,,,,
- go.uber.org/zap,,,11,,,,,,,,,,,,,,,,,,11,
+ go.uber.org/zap,33,,11,,,,33,,,,,,,,,,,,,,,,,11,
- golang.org/x/crypto/ssh,4,,,4,,,,,,,,,,,,,,,,,,
+ golang.org/x/crypto/ssh,4,,,4,,,,,,,,,,,,,,,,,,,,,
- golang.org/x/net/context,,,5,,,,,,,,,,,,,,,,,,5,
+ golang.org/x/net/context,,,5,,,,,,,,,,,,,,,,,,,,,5,
- golang.org/x/net/html,,,16,,,,,,,,,,,,,,,,,,16,
+ golang.org/x/net/html,,,16,,,,,,,,,,,,,,,,,,,,,16,
- golang.org/x/net/websocket,,2,,,,,,,,,,,,,,,,,2,,,
+ golang.org/x/net/websocket,,2,,,,,,,,,,,,,,,,,,,,2,,,
- google.golang.org/protobuf/internal/encoding/text,,,1,,,,,,,,,,,,,,,,,,1,
+ google.golang.org/protobuf/internal/encoding/text,,,1,,,,,,,,,,,,,,,,,,,,,1,
- google.golang.org/protobuf/internal/impl,,,2,,,,,,,,,,,,,,,,,,2,
+ google.golang.org/protobuf/internal/impl,,,2,,,,,,,,,,,,,,,,,,,,,2,
- google.golang.org/protobuf/proto,,,8,,,,,,,,,,,,,,,,,,8,
+ google.golang.org/protobuf/proto,,,8,,,,,,,,,,,,,,,,,,,,,8,
- google.golang.org/protobuf/reflect/protoreflect,,,1,,,,,,,,,,,,,,,,,,1,
+ google.golang.org/protobuf/reflect/protoreflect,,,1,,,,,,,,,,,,,,,,,,,,,1,
+ gopkg.in/Masterminds/squirrel,32,,,,,,,,,,,,,,32,,,,,,,,,,
- gopkg.in/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+ gopkg.in/couchbase/gocb,8,,18,,,,,8,,,,,,,,,,,,,,,,18,
+ gopkg.in/glog,90,,,,,,90,,,,,,,,,,,,,,,,,,
- gopkg.in/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ gopkg.in/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
- gopkg.in/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ gopkg.in/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- gopkg.in/macaron,1,12,1,,,,,,,,,,,,1,,,,12,,1,
+ gopkg.in/macaron,1,12,1,,,,,,,,,,,,,,,1,,,,12,,1,
- gopkg.in/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ gopkg.in/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
- gopkg.in/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ gopkg.in/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- gopkg.in/yaml,,,9,,,,,,,,,,,,,,,,,,9,
+ gopkg.in/yaml,,,9,,,,,,,,,,,,,,,,,,,,,9,
+ gorm.io/gorm,13,,,,,,,,,,,,,,13,,,,,,,,,,
- html,,,8,,,,,,,,,,,,,,,,,,8,
+ html,,,8,,,,,,,,,,,,,,,,,,,,,8,
- io,5,4,34,,,,5,,,,,,,,,,,4,,,34,
+ io,5,4,34,,,,,,5,,,,,,,,,,,,4,,,34,
- k8s.io/api/core,,,10,,,,,,,,,,,,,,,,,,10,
+ k8s.io/api/core,,,10,,,,,,,,,,,,,,,,,,,,,10,
- k8s.io/apimachinery/pkg/runtime,,,47,,,,,,,,,,,,,,,,,,47,
+ k8s.io/apimachinery/pkg/runtime,,,47,,,,,,,,,,,,,,,,,,,,,47,
+ k8s.io/klog,90,,,,,,90,,,,,,,,,,,,,,,,,,
- launchpad.net/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ launchpad.net/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- log,,,3,,,,,,,,,,,,,,,,,,3,
+ log,20,,3,,,,20,,,,,,,,,,,,,,,,,3,
- math/big,,,1,,,,,,,,,,,,,,,,,,1,
+ math/big,,,1,,,,,,,,,,,,,,,,,,,,,1,
- mime,,,14,,,,,,,,,,,,,,,,,,14,
+ mime,,,14,,,,,,,,,,,,,,,,,,,,,14,
- net,2,16,100,,,,1,,,,,,,1,,,,,16,,100,
+ net,2,16,100,,,,,,1,,,,,,,,1,,,,,16,,100,
- nhooyr.io/websocket,,2,,,,,,,,,,,,,,,,,2,,,
+ nhooyr.io/websocket,,2,,,,,,,,,,,,,,,,,,,,2,,,
- os,29,11,6,3,,,26,,,,,,,,,,7,3,,1,6,
+ os,29,11,6,3,,,,,26,,,,,,,,,,,7,3,,1,6,
- path,,,18,,,,,,,,,,,,,,,,,,18,
+ path,,,18,,,,,,,,,,,,,,,,,,,,,18,
- reflect,,,37,,,,,,,,,,,,,,,,,,37,
+ reflect,,,37,,,,,,,,,,,,,,,,,,,,,37,
- regexp,10,,20,,,,,3,3,4,,,,,,,,,,,20,
+ regexp,10,,20,,,,,,,3,3,4,,,,,,,,,,,,20,
- sort,,,1,,,,,,,,,,,,,,,,,,1,
+ sort,,,1,,,,,,,,,,,,,,,,,,,,,1,
- strconv,,,9,,,,,,,,,,,,,,,,,,9,
+ strconv,,,9,,,,,,,,,,,,,,,,,,,,,9,
- strings,,,34,,,,,,,,,,,,,,,,,,34,
+ strings,,,34,,,,,,,,,,,,,,,,,,,,,34,
- sync,,,34,,,,,,,,,,,,,,,,,,34,
+ sync,,,34,,,,,,,,,,,,,,,,,,,,,34,
- syscall,5,2,8,5,,,,,,,,,,,,,2,,,,8,
+ syscall,5,2,8,5,,,,,,,,,,,,,,,,2,,,,8,
- text/scanner,,,3,,,,,,,,,,,,,,,,,,3,
+ text/scanner,,,3,,,,,,,,,,,,,,,,,,,,,3,
- text/tabwriter,,,1,,,,,,,,,,,,,,,,,,1,
+ text/tabwriter,,,1,,,,,,,,,,,,,,,,,,,,,1,
- text/template,,,6,,,,,,,,,,,,,,,,,,6,
+ text/template,,,6,,,,,,,,,,,,,,,,,,,,,6,
+ xorm.io/xorm,34,,,,,,,,,,,,,,34,,,,,,,,,,

@owen-mc owen-mc force-pushed the go/reinstate-mad-with-fixes branch 3 times, most recently from 23bb353 to e0f6acc Compare September 19, 2024 16:02
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 19, 2024
View reviewed changes
owen-mc and others added 24 commits November 19, 2024 11:13
@owen-mc
Convert squirrel sql-injection sinks to MaD (non-existent methods rem…
924467b 
…oved)

Various non-existent methods were modeled, and I couldn't find any
evidence that they used to exist. They aren't in the stubs or tests. I
have removed them.
@owen-mc
Upgrade and convert gorqlite sql-injection sinks to MaD
1315a1e
@owen-mc
Convert gogf/gf sql-injection sinks to MaD
d9d3e74
@owen-mc
Convert sqlx sql-injection sinks to MaD
fb050e8
@owen-mc
Convert Gorm sql-injection sinks to MaD
1ab50fc
@owen-mc
Convert Xorm sql-injection sinks to MaD
1c305aa
@owen-mc
Convert Bun sql-injection sinks to MaD
2282a81
@owen-mc
Convert Beego orm sql-injection sinks to MaD
4cca6cf
@owen-mc
Convert database/sql sql-injection sinks to MaD
e4eef67
@owen-mc
Convert database/sql/driver sql-injection sinks to MaD
b4c84be
@owen-mc
Convert mongodb nosql-injection sinks to MaD
fbaad09
@owen-mc
Convert gocb nosql-injection sinks to MaD
85c7e8c
@owen-mc
Convert logging sinks to use MaD
35cbc16
@owen-mc @egregius313
Fix typo in package path
a0729fc 
Co-authored-by: Edward Minnix III <egregius313@github.com>
@owen-mc
Model some squirrel methods in QL
25cd4d4 
We need to put a restriction on the type of the argument.
@owen-mc
Model some Xorm methods in QL
d37c816
@owen-mc
Model logrus.FieldLogger using models-as-data
8cbab0c
@owen-mc
Add tests for squirrel.Eq
5a0cd2e
@owen-mc
Add tests for Xorm first argument of varargs slice
cc62db7
@owen-mc
Add tests for logrus.FieldLogger
791313f
@owen-mc
Make Logrus log injection tests more comprehensive
bc78426
@owen-mc
Set Subtypes column correctly
81907bc 
We set it to False when it has no meaning and True otherwise.
@owen-mc
Update test expectations
874dc83
@owen-mc
Fix typo in unrelated QLDoc
9fc0dc5
@owen-mc owen-mc force-pushed the go/reinstate-mad-with-fixes branch from e0f6acc to 307fdc0 Compare November 19, 2024 11:42
@owen-mc owen-mc marked this pull request as ready for review November 20, 2024 00:01
@owen-mc owen-mc requested a review from a team as a code owner November 20, 2024 00:01
@owen-mc
Copy link
Copy Markdown
Contributor Author

owen-mc commented Nov 20, 2024

I put the change note in the src folder because it changes query output, but now I think about it I'm actually changing the library, so it should go into the lib folder, shouldn't it?

@owen-mc owen-mc requested a review from a team as a code owner November 20, 2024 13:52
@github-actions github-actions bot added the C# label Nov 20, 2024
michaelnebel
michaelnebel reviewed Nov 20, 2024
View reviewed changes
csharp/ql/campaigns/Solorigate/lib/change-notes/2024-11-20-heuristic-logging-sinks.md
---
category: minorAnalysis
---
* A call to a method whose name starts with "Debug", "Error", "Fatal", "Info", "Log", "Output", "Panic", "Print", "Trace", "Warn" or "With" defined on an interface whose name ends in "logger" or "Logger" is now considered a LoggerCall. In particular, it is a sink for `go/clear-text-logging` and `go/log-injection`. This may lead to some more alerts in those queries.
Copy link
Copy Markdown
Contributor

@michaelnebel michaelnebel Nov 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this the right location for the change note?

Copy link
Copy Markdown
Contributor Author

@owen-mc owen-mc Nov 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For some reason VS code is always trying to recommend this directory for change notes, and I finally fell for it 🤦🏻 .

@owen-mc
Copy link
Copy Markdown
Contributor Author

owen-mc commented Nov 20, 2024

I've now looked through the QA results from ~5,000 repos. We get a lot of extra results for log injection (~1,500) and cleartext logging (~300). I sampled them and they all seem to be valid results from us adding a heuristic for local logger interfaces. I looked in detail at all the repos where we lost results. (We lost ~40 results in total.) Some were because they are calling logger functions using a variable, which isn't currently supported. I shouldn't be too hard but there may be a performance penalty. I will file a follow-up issue to look into that. I also found a bug in my recent work to fix models-as-data inheritance, which I will fix as a follow-up. There are also a handful of lost alerts because we were previously matching something we hadn't actually modeled because of the known issue where Function.getACall() (which is routinely used in QL models) also matches calls to an interface method which the function implements. This means that we are accidentally matching some libraries that we haven't modeled, just because they have similarities with libraries that we have modelled.

Overall I think these results are very good, and the handful of lost alerts shouldn't stop this PR from being merged.

@smowton
Copy link
Copy Markdown
Contributor

smowton commented Nov 20, 2024

Change note needs moving as @michaelnebel notes; then happy to merge per that description.

@github-actions github-actions bot removed the C# label Nov 20, 2024
smowton
smowton approved these changes Nov 20, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@smowton smowton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks plausible

@owen-mc owen-mc merged commit 9aede5f into github:main Nov 20, 2024
@owen-mc owen-mc deleted the go/reinstate-mad-with-fixes branch November 20, 2024 14:50
@owen-mc owen-mc mentioned this pull request Nov 27, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelnebel michaelnebel michaelnebel left review comments

@smowton smowton smowton approved these changes

Assignees

No one assigned

Labels

documentation Go

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@owen-mc @smowton @michaelnebel @github-advanced-security