Add alternative package locations

owen-mc · owen-mc · commit 95c1f754c6a6 · 2020-09-09T14:52:26.000+01:00
diff --git a/ql/src/semmle/go/frameworks/SQL.qll b/ql/src/semmle/go/frameworks/SQL.qll
@@ -161,12 +161,13 @@ module SQL {
     }
   }
 
-  /** A model for sinks of github.com/jinzhu/gorm. */
+  /** A model for sinks of GORM. */
   private class GormSink extends SQL::QueryString::Range {
     GormSink() {
-      exists(Method meth, string name |
-        meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and
+      exists(Method meth, string package, string name |
+        meth.hasQualifiedName(package, "DB", name) and
         this = meth.getACall().getArgument(0) and
+        package in ["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"] and
         name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"]
       )
     }

Original file line number	Diff line number	Diff line change
`@@ -161,12 +161,13 @@ module SQL {`
`161`	`161`	`}`
`162`	`162`	`}`
`163`	`163`
`164`		`- /** A model for sinks of github.com/jinzhu/gorm. */`
	`164`	`+ /** A model for sinks of GORM. */`
`165`	`165`	`private class GormSink extends SQL::QueryString::Range {`
`166`	`166`	`GormSink() {`
`167`		`- exists(Method meth, string name \|`
`168`		`- meth.hasQualifiedName("github.com/jinzhu/gorm", "DB", name) and`
	`167`	`+ exists(Method meth, string package, string name \|`
	`168`	`+ meth.hasQualifiedName(package, "DB", name) and`
`169`	`169`	`this = meth.getACall().getArgument(0) and`
	`170`	`+ package in ["github.com/jinzhu/gorm", "github.com/go-gorm/gorm", "gorm.io/gorm"] and`
`170`	`171`	`name in ["Where", "Raw", "Order", "Not", "Or", "Select", "Table", "Group", "Having", "Joins"]`
`171`	`172`	`)`
`172`	`173`	`}`