codeql
Go: reinstate models-as-data sink conversions with fixes
The first 14 commits are reinstating commits that were reverted in https://github.com/github/codeql/pull/17296. Then there are some commits fixing things: reverting some models back to QL and adding some models-as-data models for logrus.FieldLogger. Then there are some commits adding tests that would have caught the problems in the first place.
:warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Generated file changes for go
- Changes to framework-coverage-go.rst:
- `Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",,36,
+ `Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",,36,16
- `Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,,18,
+ `Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,,18,8
- `Glog <https://github.com/golang/glog>`_,"``github.com/golang/glog*``, ``gopkg.in/glog*``, ``k8s.io/klog*``",,,
+ `Glog <https://github.com/golang/glog>`_,"``github.com/golang/glog*``, ``gopkg.in/glog*``, ``k8s.io/klog*``",,,270
- `Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,
+ `Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,9
- `Logrus <https://github.com/sirupsen/logrus>`_,"``github.com/Sirupsen/logrus*``, ``github.com/sirupsen/logrus*``",,,
+ `Logrus <https://github.com/sirupsen/logrus>`_,"``github.com/Sirupsen/logrus*``, ``github.com/sirupsen/logrus*``",,,290
- `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",33,587,51
+ `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",33,587,104
- `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",63,63,21
+ `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",63,63,213
- `goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,
+ `goproxy <https://github.com/elazarl/goproxy>`_,``github.com/elazarl/goproxy*``,2,2,2
- `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,
+ `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
- Others,"``github.com/caarlos0/env``, ``github.com/gobuffalo/envy``, ``github.com/hashicorp/go-envparse``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``",23,2,
+ Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``xorm.io/xorm``",23,2,391
- Totals,,307,911,268
+ Totals,,307,911,1532
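Review bot: the Totals row jumping from 268 to 1532 sinks is fully explained by the per-framework deltas in this block, so nothing is being double-counted at the report level: gocb +16, unofficial Couchbase client +8, Glog +270, Go-spew +9, Logrus +290, Standard library +53 (51 to 104), beego +192 (21 to 213), goproxy +2, zap +33 and Others +391 add up to exactly 1264. Worth noting for anyone reading the coverage report that the new SQL/NoSQL client models (squirrel, gorm, xorm, sqlx, gorqlite, bun, mongo-driver, gdb) all land in the `Others` row rather than getting named rows of their own, so the 391 there is where to look for the database sinks.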
- Changes to framework-coverage-go.csv:
- package,sink,source,summary,sink:command-injection,sink:credentials-key,sink:jwt,sink:path-injection,sink:regex-use[0],sink:regex-use[1],sink:regex-use[c],sink:request-forgery,sink:request-forgery[TCP Addr + Port],sink:url-redirection,sink:url-redirection[0],sink:url-redirection[receiver],sink:xpath-injection,source:environment,source:file,source:remote,source:stdin,summary:taint,summary:value
+ package,sink,source,summary,sink:command-injection,sink:credentials-key,sink:jwt,sink:log-injection,sink:nosql-injection,sink:path-injection,sink:regex-use[0],sink:regex-use[1],sink:regex-use[c],sink:request-forgery,sink:request-forgery[TCP Addr + Port],sink:sql-injection,sink:url-redirection,sink:url-redirection[0],sink:url-redirection[receiver],sink:xpath-injection,source:environment,source:file,source:remote,source:stdin,summary:taint,summary:value
- ,,,8,,,,,,,,,,,,,,,,,,3,5
+ ,,,8,,,,,,,,,,,,,,,,,,,,,3,5
- archive/tar,,,5,,,,,,,,,,,,,,,,,,5,
+ archive/tar,,,5,,,,,,,,,,,,,,,,,,,,,5,
- archive/zip,,,6,,,,,,,,,,,,,,,,,,6,
+ archive/zip,,,6,,,,,,,,,,,,,,,,,,,,,6,
- bufio,,,17,,,,,,,,,,,,,,,,,,17,
+ bufio,,,17,,,,,,,,,,,,,,,,,,,,,17,
- bytes,,,43,,,,,,,,,,,,,,,,,,43,
+ bytes,,,43,,,,,,,,,,,,,,,,,,,,,43,
- clevergo.tech/clevergo,1,,,,,,,,,,,,,,1,,,,,,,
+ clevergo.tech/clevergo,1,,,,,,,,,,,,,,,,,1,,,,,,,
- compress/bzip2,,,1,,,,,,,,,,,,,,,,,,1,
+ compress/bzip2,,,1,,,,,,,,,,,,,,,,,,,,,1,
- compress/flate,,,4,,,,,,,,,,,,,,,,,,4,
+ compress/flate,,,4,,,,,,,,,,,,,,,,,,,,,4,
- compress/gzip,,,3,,,,,,,,,,,,,,,,,,3,
+ compress/gzip,,,3,,,,,,,,,,,,,,,,,,,,,3,
- compress/lzw,,,1,,,,,,,,,,,,,,,,,,1,
+ compress/lzw,,,1,,,,,,,,,,,,,,,,,,,,,1,
- compress/zlib,,,4,,,,,,,,,,,,,,,,,,4,
+ compress/zlib,,,4,,,,,,,,,,,,,,,,,,,,,4,
- container/heap,,,5,,,,,,,,,,,,,,,,,,5,
+ container/heap,,,5,,,,,,,,,,,,,,,,,,,,,5,
- container/list,,,20,,,,,,,,,,,,,,,,,,20,
+ container/list,,,20,,,,,,,,,,,,,,,,,,,,,20,
- container/ring,,,5,,,,,,,,,,,,,,,,,,5,
+ container/ring,,,5,,,,,,,,,,,,,,,,,,,,,5,
- context,,,5,,,,,,,,,,,,,,,,,,5,
+ context,,,5,,,,,,,,,,,,,,,,,,,,,5,
- crypto,,,10,,,,,,,,,,,,,,,,,,10,
+ crypto,,,10,,,,,,,,,,,,,,,,,,,,,10,
- database/sql,,,11,,,,,,,,,,,,,,,,,,11,
+ database/sql,30,,11,,,,,,,,,,,,30,,,,,,,,,11,
- encoding,,,77,,,,,,,,,,,,,,,,,,77,
+ encoding,,,77,,,,,,,,,,,,,,,,,,,,,77,
- errors,,,3,,,,,,,,,,,,,,,,,,3,
+ errors,,,3,,,,,,,,,,,,,,,,,,,,,3,
- expvar,,,6,,,,,,,,,,,,,,,,,,6,
+ expvar,,,6,,,,,,,,,,,,,,,,,,,,,6,
- fmt,,,16,,,,,,,,,,,,,,,,,,16,
+ fmt,3,,16,,,,3,,,,,,,,,,,,,,,,,16,
- github.com/ChrisTrenkamp/goxpath,3,,,,,,,,,,,,,,,3,,,,,,
+ github.com/ChrisTrenkamp/goxpath,3,,,,,,,,,,,,,,,,,,3,,,,,,
+ github.com/Masterminds/squirrel,32,,,,,,,,,,,,,,32,,,,,,,,,,
+ github.com/Sirupsen/logrus,145,,,,,,145,,,,,,,,,,,,,,,,,,
- github.com/antchfx/htmlquery,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/antchfx/htmlquery,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/antchfx/jsonquery,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/antchfx/jsonquery,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/antchfx/xmlquery,8,,,,,,,,,,,,,,,8,,,,,,
+ github.com/antchfx/xmlquery,8,,,,,,,,,,,,,,,,,,8,,,,,,
- github.com/antchfx/xpath,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/antchfx/xpath,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/appleboy/gin-jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/appleboy/gin-jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
- github.com/astaxie/beego,7,21,21,,,,5,,,,,,2,,,,,,21,,21,
+ github.com/astaxie/beego,71,21,21,,,,34,,5,,,,,,30,2,,,,,,21,,21,
- github.com/beego/beego,14,42,42,,,,10,,,,,,4,,,,,,42,,42,
+ github.com/beego/beego,142,42,42,,,,68,,10,,,,,,60,4,,,,,,42,,42,
- github.com/caarlos0/env,,5,2,,,,,,,,,,,,,,5,,,,1,1
+ github.com/caarlos0/env,,5,2,,,,,,,,,,,,,,,,,5,,,,1,1
- github.com/clevergo/clevergo,1,,,,,,,,,,,,,,1,,,,,,,
+ github.com/clevergo/clevergo,1,,,,,,,,,,,,,,,,,1,,,,,,,
- github.com/codeskyblue/go-sh,4,,,4,,,,,,,,,,,,,,,,,,
+ github.com/codeskyblue/go-sh,4,,,4,,,,,,,,,,,,,,,,,,,,,
- github.com/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+ github.com/couchbase/gocb,8,,18,,,,,8,,,,,,,,,,,,,,,,18,
- github.com/couchbaselabs/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+ github.com/couchbaselabs/gocb,8,,18,,,,,8,,,,,,,,,,,,,,,,18,
- github.com/crankycoder/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/crankycoder/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/cristalhq/jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/cristalhq/jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
+ github.com/davecgh/go-spew/spew,9,,,,,,9,,,,,,,,,,,,,,,,,,
- github.com/dgrijalva/jwt-go,3,,9,,2,1,,,,,,,,,,,,,,,9,
+ github.com/dgrijalva/jwt-go,3,,9,,2,1,,,,,,,,,,,,,,,,,,9,
- github.com/elazarl/goproxy,,2,2,,,,,,,,,,,,,,,,2,,2,
+ github.com/elazarl/goproxy,2,2,2,,,,2,,,,,,,,,,,,,,,2,,2,
- github.com/emicklei/go-restful,,7,,,,,,,,,,,,,,,,,7,,,
+ github.com/emicklei/go-restful,,7,,,,,,,,,,,,,,,,,,,,7,,,
- github.com/evanphx/json-patch,,,12,,,,,,,,,,,,,,,,,,12,
+ github.com/evanphx/json-patch,,,12,,,,,,,,,,,,,,,,,,,,,12,
- github.com/form3tech-oss/jwt-go,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/form3tech-oss/jwt-go,2,,,,2,,,,,,,,,,,,,,,,,,,,
- github.com/gin-gonic/gin,3,46,2,,,,3,,,,,,,,,,,,46,,2,
+ github.com/gin-gonic/gin,3,46,2,,,,,,3,,,,,,,,,,,,,46,,2,
- github.com/go-chi/chi,,3,,,,,,,,,,,,,,,,,3,,,
+ github.com/go-chi/chi,,3,,,,,,,,,,,,,,,,,,,,3,,,
- github.com/go-chi/jwtauth,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/go-chi/jwtauth,1,,,,1,,,,,,,,,,,,,,,,,,,,
+ github.com/go-gorm/gorm,13,,,,,,,,,,,,,,13,,,,,,,,,,
- github.com/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ github.com/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
- github.com/go-kit/kit/auth/jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/go-kit/kit/auth/jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
- github.com/go-pg/pg/orm,,,6,,,,,,,,,,,,,,,,,,6,
+ github.com/go-pg/pg/orm,,,6,,,,,,,,,,,,,,,,,,,,,6,
- github.com/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
+ github.com/go-xorm/xorm,34,,,,,,,,,,,,,,34,,,,,,,,,,
- github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,7,,,,,
+ github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,,,,7,,,,,
- github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,2,,,
+ github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,,,,2,,,
- github.com/gofiber/fiber,5,,,,,,4,,,,,,,,1,,,,,,,
+ github.com/gofiber/fiber,5,,,,,,,,4,,,,,,,,,1,,,,,,,
- github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,
+ github.com/gogf/gf/database/gdb,51,,,,,,,,,,,,,,51,,,,,,,,,,
- github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,,11,
+ github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,,,,,11,
+ github.com/golang/glog,90,,,,,,90,,,,,,,,,,,,,,,,,,
- github.com/golang/protobuf/proto,,,4,,,,,,,,,,,,,,,,,,4,
+ github.com/golang/protobuf/proto,,,4,,,,,,,,,,,,,,,,,,,,,4,
- github.com/gorilla/mux,,1,,,,,,,,,,,,,,,,,1,,,
+ github.com/gorilla/mux,,1,,,,,,,,,,,,,,,,,,,,1,,,
- github.com/gorilla/websocket,,3,,,,,,,,,,,,,,,,,3,,,
+ github.com/gorilla/websocket,,3,,,,,,,,,,,,,,,,,,,,3,,,
- github.com/hashicorp/go-envparse,,1,,,,,,,,,,,,,,,1,,,,,
+ github.com/hashicorp/go-envparse,,1,,,,,,,,,,,,,,,,,,1,,,,,
- github.com/jbowtie/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/jbowtie/gokogiri/xml,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/jbowtie/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,,
+ github.com/jbowtie/gokogiri/xpath,1,,,,,,,,,,,,,,,,,,1,,,,,,
+ github.com/jinzhu/gorm,13,,,,,,,,,,,,,,13,,,,,,,,,,
+ github.com/jmoiron/sqlx,12,,,,,,,,,,,,,,12,,,,,,,,,,
- github.com/joho/godotenv,,4,,,,,,,,,,,,,,,4,,,,,
+ github.com/joho/godotenv,,4,,,,,,,,,,,,,,,,,,4,,,,,
- github.com/json-iterator/go,,,4,,,,,,,,,,,,,,,,,,4,
+ github.com/json-iterator/go,,,4,,,,,,,,,,,,,,,,,,,,,4,
- github.com/kataras/iris/context,6,,,,,,6,,,,,,,,,,,,,,,
+ github.com/kataras/iris/context,6,,,,,,,,6,,,,,,,,,,,,,,,,
- github.com/kataras/iris/middleware/jwt,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/kataras/iris/middleware/jwt,2,,,,2,,,,,,,,,,,,,,,,,,,,
- github.com/kataras/iris/server/web/context,6,,,,,,6,,,,,,,,,,,,,,,
+ github.com/kataras/iris/server/web/context,6,,,,,,,,6,,,,,,,,,,,,,,,,
- github.com/kataras/jwt,5,,,,5,,,,,,,,,,,,,,,,,
+ github.com/kataras/jwt,5,,,,5,,,,,,,,,,,,,,,,,,,,
- github.com/kelseyhightower/envconfig,,6,,,,,,,,,,,,,,,6,,,,,
+ github.com/kelseyhightower/envconfig,,6,,,,,,,,,,,,,,,,,,6,,,,,
- github.com/labstack/echo,3,12,2,,,,2,,,,,,1,,,,,,12,,2,
+ github.com/labstack/echo,3,12,2,,,,,,2,,,,,,,1,,,,,,12,,2,
+ github.com/lann/squirrel,32,,,,,,,,,,,,,,32,,,,,,,,,,
- github.com/lestrrat-go/jwx,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/lestrrat-go/jwx,2,,,,2,,,,,,,,,,,,,,,,,,,,
- github.com/lestrrat-go/libxml2/parser,3,,,,,,,,,,,,,,,3,,,,,,
+ github.com/lestrrat-go/libxml2/parser,3,,,,,,,,,,,,,,,,,,3,,,,,,
- github.com/lestrrat/go-jwx/jwk,1,,,,1,,,,,,,,,,,,,,,,,
+ github.com/lestrrat/go-jwx/jwk,1,,,,1,,,,,,,,,,,,,,,,,,,,
- github.com/masterzen/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/masterzen/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/moovweb/gokogiri/xml,4,,,,,,,,,,,,,,,4,,,,,,
+ github.com/moovweb/gokogiri/xml,4,,,,,,,,,,,,,,,,,,4,,,,,,
- github.com/moovweb/gokogiri/xpath,1,,,,,,,,,,,,,,,1,,,,,,
+ github.com/moovweb/gokogiri/xpath,1,,,,,,,,,,,,,,,,,,1,,,,,,
- github.com/ory/fosite/token/jwt,2,,,,2,,,,,,,,,,,,,,,,,
+ github.com/ory/fosite/token/jwt,2,,,,2,,,,,,,,,,,,,,,,,,,,
+ github.com/raindog308/gorqlite,24,,,,,,,,,,,,,,24,,,,,,,,,,
- github.com/revel/revel,2,23,10,,,,1,,,,,,1,,,,,,23,,10,
+ github.com/revel/revel,2,23,10,,,,,,1,,,,,,,1,,,,,,23,,10,
- github.com/robfig/revel,2,23,10,,,,1,,,,,,1,,,,,,23,,10,
+ github.com/robfig/revel,2,23,10,,,,,,1,,,,,,,1,,,,,,23,,10,
+ github.com/rqlite/gorqlite,24,,,,,,,,,,,,,,24,,,,,,,,,,
- github.com/santhosh-tekuri/xpathparser,2,,,,,,,,,,,,,,,2,,,,,,
+ github.com/santhosh-tekuri/xpathparser,2,,,,,,,,,,,,,,,,,,2,,,,,,
- github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,1,
+ github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,,,,1,
+ github.com/sirupsen/logrus,145,,,,,,145,,,,,,,,,,,,,,,,,,
- github.com/spf13/afero,34,,,,,,34,,,,,,,,,,,,,,,
+ github.com/spf13/afero,34,,,,,,,,34,,,,,,,,,,,,,,,,
- github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
+ github.com/uptrace/bun,63,,,,,,,,,,,,,,63,,,,,,,,,,
- github.com/valyala/fasthttp,35,50,5,,,,8,,,,17,8,2,,,,,,50,,5,
+ github.com/valyala/fasthttp,35,50,5,,,,,,8,,,,17,8,,2,,,,,,50,,5,
+ go.mongodb.org/mongo-driver/mongo,14,,,,,,,14,,,,,,,,,,,,,,,,,
- go.uber.org/zap,,,11,,,,,,,,,,,,,,,,,,11,
+ go.uber.org/zap,33,,11,,,,33,,,,,,,,,,,,,,,,,11,
- golang.org/x/crypto/ssh,4,,,4,,,,,,,,,,,,,,,,,,
+ golang.org/x/crypto/ssh,4,,,4,,,,,,,,,,,,,,,,,,,,,
- golang.org/x/net/context,,,5,,,,,,,,,,,,,,,,,,5,
+ golang.org/x/net/context,,,5,,,,,,,,,,,,,,,,,,,,,5,
- golang.org/x/net/html,,,16,,,,,,,,,,,,,,,,,,16,
+ golang.org/x/net/html,,,16,,,,,,,,,,,,,,,,,,,,,16,
- golang.org/x/net/websocket,,2,,,,,,,,,,,,,,,,,2,,,
+ golang.org/x/net/websocket,,2,,,,,,,,,,,,,,,,,,,,2,,,
- google.golang.org/protobuf/internal/encoding/text,,,1,,,,,,,,,,,,,,,,,,1,
+ google.golang.org/protobuf/internal/encoding/text,,,1,,,,,,,,,,,,,,,,,,,,,1,
- google.golang.org/protobuf/internal/impl,,,2,,,,,,,,,,,,,,,,,,2,
+ google.golang.org/protobuf/internal/impl,,,2,,,,,,,,,,,,,,,,,,,,,2,
- google.golang.org/protobuf/proto,,,8,,,,,,,,,,,,,,,,,,8,
+ google.golang.org/protobuf/proto,,,8,,,,,,,,,,,,,,,,,,,,,8,
- google.golang.org/protobuf/reflect/protoreflect,,,1,,,,,,,,,,,,,,,,,,1,
+ google.golang.org/protobuf/reflect/protoreflect,,,1,,,,,,,,,,,,,,,,,,,,,1,
+ gopkg.in/Masterminds/squirrel,32,,,,,,,,,,,,,,32,,,,,,,,,,
- gopkg.in/couchbase/gocb,,,18,,,,,,,,,,,,,,,,,,18,
+ gopkg.in/couchbase/gocb,8,,18,,,,,8,,,,,,,,,,,,,,,,18,
+ gopkg.in/glog,90,,,,,,90,,,,,,,,,,,,,,,,,,
- gopkg.in/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ gopkg.in/go-jose/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
- gopkg.in/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ gopkg.in/go-xmlpath/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- gopkg.in/macaron,1,12,1,,,,,,,,,,,,1,,,,12,,1,
+ gopkg.in/macaron,1,12,1,,,,,,,,,,,,,,,1,,,,12,,1,
- gopkg.in/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,4,
+ gopkg.in/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,4,
- gopkg.in/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ gopkg.in/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- gopkg.in/yaml,,,9,,,,,,,,,,,,,,,,,,9,
+ gopkg.in/yaml,,,9,,,,,,,,,,,,,,,,,,,,,9,
+ gorm.io/gorm,13,,,,,,,,,,,,,,13,,,,,,,,,,
- html,,,8,,,,,,,,,,,,,,,,,,8,
+ html,,,8,,,,,,,,,,,,,,,,,,,,,8,
- io,5,4,34,,,,5,,,,,,,,,,,4,,,34,
+ io,5,4,34,,,,,,5,,,,,,,,,,,,4,,,34,
- k8s.io/api/core,,,10,,,,,,,,,,,,,,,,,,10,
+ k8s.io/api/core,,,10,,,,,,,,,,,,,,,,,,,,,10,
- k8s.io/apimachinery/pkg/runtime,,,47,,,,,,,,,,,,,,,,,,47,
+ k8s.io/apimachinery/pkg/runtime,,,47,,,,,,,,,,,,,,,,,,,,,47,
+ k8s.io/klog,90,,,,,,90,,,,,,,,,,,,,,,,,,
- launchpad.net/xmlpath,2,,,,,,,,,,,,,,,2,,,,,,
+ launchpad.net/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,
- log,,,3,,,,,,,,,,,,,,,,,,3,
+ log,20,,3,,,,20,,,,,,,,,,,,,,,,,3,
- math/big,,,1,,,,,,,,,,,,,,,,,,1,
+ math/big,,,1,,,,,,,,,,,,,,,,,,,,,1,
- mime,,,14,,,,,,,,,,,,,,,,,,14,
+ mime,,,14,,,,,,,,,,,,,,,,,,,,,14,
- net,2,16,100,,,,1,,,,,,,1,,,,,16,,100,
+ net,2,16,100,,,,,,1,,,,,,,,1,,,,,16,,100,
- nhooyr.io/websocket,,2,,,,,,,,,,,,,,,,,2,,,
+ nhooyr.io/websocket,,2,,,,,,,,,,,,,,,,,,,,2,,,
- os,29,11,6,3,,,26,,,,,,,,,,7,3,,1,6,
+ os,29,11,6,3,,,,,26,,,,,,,,,,,7,3,,1,6,
- path,,,18,,,,,,,,,,,,,,,,,,18,
+ path,,,18,,,,,,,,,,,,,,,,,,,,,18,
- reflect,,,37,,,,,,,,,,,,,,,,,,37,
+ reflect,,,37,,,,,,,,,,,,,,,,,,,,,37,
- regexp,10,,20,,,,,3,3,4,,,,,,,,,,,20,
+ regexp,10,,20,,,,,,,3,3,4,,,,,,,,,,,,20,
- sort,,,1,,,,,,,,,,,,,,,,,,1,
+ sort,,,1,,,,,,,,,,,,,,,,,,,,,1,
- strconv,,,9,,,,,,,,,,,,,,,,,,9,
+ strconv,,,9,,,,,,,,,,,,,,,,,,,,,9,
- strings,,,34,,,,,,,,,,,,,,,,,,34,
+ strings,,,34,,,,,,,,,,,,,,,,,,,,,34,
- sync,,,34,,,,,,,,,,,,,,,,,,34,
+ sync,,,34,,,,,,,,,,,,,,,,,,,,,34,
- syscall,5,2,8,5,,,,,,,,,,,,,2,,,,8,
+ syscall,5,2,8,5,,,,,,,,,,,,,,,,2,,,,8,
- text/scanner,,,3,,,,,,,,,,,,,,,,,,3,
+ text/scanner,,,3,,,,,,,,,,,,,,,,,,,,,3,
- text/tabwriter,,,1,,,,,,,,,,,,,,,,,,1,
+ text/tabwriter,,,1,,,,,,,,,,,,,,,,,,,,,1,
- text/template,,,6,,,,,,,,,,,,,,,,,,6,
+ text/template,,,6,,,,,,,,,,,,,,,,,,,,,6,
+ xorm.io/xorm,34,,,,,,,,,,,,,,34,,,,,,,,,,
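Review bot: the per-package counts in this file are per import path, not per distinct model, which is what turns 145 logrus models into the 290 shown in the `.rst` summary (`github.com/Sirupsen/logrus` and `github.com/sirupsen/logrus` each list 145 under `sink:log-injection`), 90 glog models into 270 (`github.com/golang/glog`, `gopkg.in/glog`, `k8s.io/klog` at 90 each), 32 squirrel models into 96, 13 gorm models into 39, 34 xorm models into 68 and 24 gorqlite models into 48. That is consistent with how the existing rows already behave (for example `github.com/revel/revel` and `github.com/robfig/revel` both list the same 2/23/10), so it is not a defect in this PR, but the headline numbers in the summary table scale with the number of aliases a library has rather than with modelling effort; a short remark to that effect next to the coverage tables would stop readers from over-interpreting them. The three new columns (`sink:log-injection`, `sink:nosql-injection`, `sink:sql-injection`) and the column shift in every pre-existing row look correct: each unchanged row keeps its old values in the same named columns, only padded with the three new empty fields.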
I put the change note in the src folder because it changes query output, but now that I think about it, I'm actually changing the library, so it should go into the lib folder, shouldn't it?
I've now looked through the QA results from ~5,000 repos. We get a lot of extra results for log injection (~1,500) and cleartext logging (~300). I sampled them and they all seem to be valid results from us adding a heuristic for local logger interfaces. I looked in detail at all the repos where we lost results. (We lost ~40 results in total.) Some were because they are calling logger functions using a variable, which isn't currently supported. It shouldn't be too hard, but there may be a performance penalty. I will file a follow-up issue to look into that. I also found a bug in my recent work to fix models-as-data inheritance, which I will fix as a follow-up. There are also a handful of lost alerts because we were previously matching something we hadn't actually modeled because of the known issue where Function.getACall() (which is routinely used in QL models) also matches calls to an interface method which the function implements. This means that we are accidentally matching some libraries that we haven't modeled, just because they have similarities with libraries that we have modeled.
Overall I think these results are very good, and the handful of lost alerts shouldn't stop this PR from being merged.
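The QA comment above distinguishes three ways application code can reach a logging sink: a direct method call on a concrete logger, a call through a logger interface (the "local logger interfaces" the new heuristic covers, of which logrus.FieldLogger is one instance), and a call through a function variable (the shape the comment says the models do not yet match). The Go program below is an added illustration written for this page, not code from the PR or from the CodeQL project. It uses only the standard library: the `FieldLogger` interface in it is a constructed stand-in with a single `Infof` method, not the real logrus type, and `stdLogger`, `capture` and `sanitizeForLog` are names chosen here. It shows that all three call shapes let a newline in untrusted input forge a second log entry, and that escaping CR/LF before the call closes the hole regardless of which shape is used.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"strings"
)

// FieldLogger is a constructed stand-in for the shape of a logger interface
// such as logrus.FieldLogger; it is NOT the real logrus type and only carries
// the one method this example needs.
type FieldLogger interface {
	Infof(format string, args ...interface{})
}

// stdLogger adapts the standard-library *log.Logger to FieldLogger so the
// interface call path can be exercised without an external dependency.
type stdLogger struct{ l *log.Logger }

func (s stdLogger) Infof(format string, args ...interface{}) { s.l.Printf(format, args...) }

// Three ways application code can reach the same logging sink: a direct method
// call on a concrete logger, a call through an interface value, and a call
// through a function variable (the shape the PR thread says is not yet matched).
func logDirect(l *log.Logger, user string) { l.Printf("login attempt for %s", user) }

func logViaInterface(l FieldLogger, user string) { l.Infof("login attempt for %s", user) }

func logViaVariable(logf func(string, ...interface{}), user string) {
	logf("login attempt for %s", user)
}

// sanitizeForLog escapes CR and LF so an attacker-controlled value cannot
// terminate the current line and forge a second, fake log entry.
func sanitizeForLog(s string) string {
	return strings.NewReplacer("\r", `\r`, "\n", `\n`).Replace(s)
}

// capture runs fn against a logger that writes to memory and returns the
// lines it emitted; one line means one entry, two lines means a forged one.
func capture(fn func(*log.Logger)) []string {
	var buf bytes.Buffer
	l := log.New(&buf, "", 0) // no timestamp/prefix, so output is deterministic
	fn(l)
	return strings.Split(strings.TrimRight(buf.String(), "\n"), "\n")
}

func main() {
	// Constructed untrusted input: a username that embeds a newline followed
	// by text shaped like a second, legitimate-looking log entry.
	untrusted := "alice\nlogin attempt for admin"
	for name, fn := range map[string]func(*log.Logger){
		"direct":    func(l *log.Logger) { logDirect(l, untrusted) },
		"interface": func(l *log.Logger) { logViaInterface(stdLogger{l}, untrusted) },
		"variable":  func(l *log.Logger) { logViaVariable(l.Printf, untrusted) },
		"sanitized": func(l *log.Logger) { logDirect(l, sanitizeForLog(untrusted)) },
	} {
		fmt.Printf("%-9s -> %d line(s)\n", name, len(capture(fn)))
	}
}
```

The three unsanitized shapes each emit two lines from one call, which is the behaviour a log-injection sink model has to flag; the function-variable case is the one a call-based model misses, since there is no syntactic call on the logger's method, only on `logf`. The sanitized call emits one line, so the fix belongs at the data, not at the call shape.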
Change note needs moving as @michaelnebel notes; then happy to merge per that description.