SSH host checking: Expand definition of a host-key checking function to include calls with multiple return types

For example, https://godoc.org/golang.org/x/crypto/ssh/knownhosts#New returns a host-key checker and an error value, and we previously didn't consider the first return value a candidate checker function.

Author: smowton

ql/src/Security/CWE-322/InsecureHostKeyCallback.ql

@@ -31,8 +31,9 @@ class HostKeyCallbackFunc extends DataFlow::Node {
     (
       this instanceof DataFlow::FunctionNode
       or
-      this instanceof DataFlow::CallNode and
-      not exists(this.(DataFlow::CallNode).getACallee().getBody())
+      exists(DataFlow::CallNode call | not exists(call.getACallee().getBody()) |
+        this = call.getAResult()
+      )
     )
   }
 }
@@ -41,7 +42,7 @@ class HostKeyCallbackFunc extends DataFlow::Node {
 class InsecureHostKeyCallbackFunc extends HostKeyCallbackFunc {
   InsecureHostKeyCallbackFunc() {
     // Either a call to InsecureIgnoreHostKey(), which we know returns an insecure callback.
-    this = any(InsecureIgnoreHostKey f).getACall()
+    this = any(InsecureIgnoreHostKey f).getACall().getAResult()
     or
     // Or a callback function in the source code (named or anonymous) that always returns nil.
     forex(DataFlow::ResultNode returnValue |