Revert "Upgrade and convert gorqlite sql-injection sinks to MaD"

This reverts commit ce0cb12.

Author: smowton

go/ql/lib/ext/github.com.rqlite.gorqlite.model.yml

@@ -81,6 +81,11 @@ module SQL {
     /** A string that might identify package `go-pg/pg/orm` or a specific version of it. */
     private string gopgorm() { result = package("github.com/go-pg/pg", "orm") }
 
+    /** A string that might identify package `github.com/rqlite/gorqlite` or `github.com/raindog308/gorqlite` or a specific version of it. */
+    private string gorqlite() {
+      result = package(["github.com/rqlite/gorqlite", "github.com/raindog308/gorqlite"], "")
+    }
+
     /** A string that might identify package `github.com/gogf/gf/database/gdb` or a specific version of it. */
     private string gogf() { result = package("github.com/gogf/gf", "database/gdb") }
 
@@ -149,6 +154,25 @@ module SQL {
       }
     }
 
+    /**
+     * A string argument to an API of `github.com/rqlite/gorqlite`, or a specific version of it, that is directly interpreted as SQL without
+     * taking syntactic structure into account.
+     */
+    private class GorqliteQueryString extends Range {
+      GorqliteQueryString() {
+        // func (conn *Connection) Query(sqlStatements []string) (results []QueryResult, err error)
+        // func (conn *Connection) QueryOne(sqlStatement string) (qr QueryResult, err error)
+        // func (conn *Connection) Queue(sqlStatements []string) (seq int64, err error)
+        // func (conn *Connection) QueueOne(sqlStatement string) (seq int64, err error)
+        // func (conn *Connection) Write(sqlStatements []string) (results []WriteResult, err error)
+        // func (conn *Connection) WriteOne(sqlStatement string) (wr WriteResult, err error)
+        exists(Method m, string name | m.hasQualifiedName(gorqlite(), "Connection", name) |
+          name = ["Query", "QueryOne", "Queue", "QueueOne", "Write", "WriteOne"] and
+          this = m.getACall().getArgument(0)
+        )
+      }
+    }
+
     /**
      * A string argument to an API of `github.com/gogf/gf/database/gdb`, or a specific version of it, that is directly interpreted as SQL without
      * taking syntactic structure into account.

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -2,4 +2,4 @@ module main
 
 go 1.18
 
-require github.com/rqlite/gorqlite v0.0.0-20240808172217-12ae7d03ef19
+require github.com/rqlite/gorqlite v0.0.0-20220528150909-c4e99ae96be6

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/QueryString.expected

@@ -0,0 +1,6 @@
+| gorqlite.go:11:13:11:16 | sqls |
+| gorqlite.go:12:13:12:16 | sqls |
+| gorqlite.go:13:13:13:16 | sqls |
+| gorqlite.go:14:16:14:18 | sql |
+| gorqlite.go:15:16:15:18 | sql |
+| gorqlite.go:16:16:16:18 | sql |

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/QueryString.ql

@@ -1,49 +1,20 @@
 package main
 
-//go:generate depstubber -vendor github.com/rqlite/gorqlite Connection,ParameterizedStatement Open
+//go:generate depstubber -vendor github.com/rqlite/gorqlite Connection Open
 
 import (
-	"context"
-
 	"github.com/rqlite/gorqlite"
 )
 
-func gorqlitetest(sql string, sqls []string, param_sql gorqlite.ParameterizedStatement, param_sqls []gorqlite.ParameterizedStatement, ctx context.Context) {
+func gorqlitetest(sql string, sqls []string) {
 	conn, _ := gorqlite.Open("dbUrl")
-
-	conn.Query(sqls) // $ querystring=sqls
-	conn.Queue(sqls) // $ querystring=sqls
-	conn.Write(sqls) // $ querystring=sqls
-
+	conn.Query(sqls)   // $ querystring=sqls
+	conn.Queue(sqls)   // $ querystring=sqls
+	conn.Write(sqls)   // $ querystring=sqls
 	conn.QueryOne(sql) // $ querystring=sql
 	conn.QueueOne(sql) // $ querystring=sql
 	conn.WriteOne(sql) // $ querystring=sql
-
-	conn.QueryParameterized(param_sqls) // $ querystring=param_sqls
-	conn.QueueParameterized(param_sqls) // $ querystring=param_sqls
-	conn.WriteParameterized(param_sqls) // $ querystring=param_sqls
-
-	conn.QueryOneParameterized(param_sql) // $ querystring=param_sql
-	conn.QueueOneParameterized(param_sql) // $ querystring=param_sql
-	conn.WriteOneParameterized(param_sql) // $ querystring=param_sql
-
-	conn.QueryContext(ctx, sqls) // $ querystring=sqls
-	conn.QueueContext(ctx, sqls) // $ querystring=sqls
-	conn.WriteContext(ctx, sqls) // $ querystring=sqls
-
-	conn.QueryOneContext(ctx, sql) // $ querystring=sql
-	conn.QueueOneContext(ctx, sql) // $ querystring=sql
-	conn.WriteOneContext(ctx, sql) // $ querystring=sql
-
-	conn.QueryParameterizedContext(ctx, param_sqls) // $ querystring=param_sqls
-	conn.QueueParameterizedContext(ctx, param_sqls) // $ querystring=param_sqls
-	conn.WriteParameterizedContext(ctx, param_sqls) // $ querystring=param_sqls
-
-	conn.QueryOneParameterizedContext(ctx, param_sql) // $ querystring=param_sql
-	conn.QueueOneParameterizedContext(ctx, param_sql) // $ querystring=param_sql
-	conn.WriteOneParameterizedContext(ctx, param_sql) // $ querystring=param_sql
 }
-
 func main() {
 	return
 }

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/go.mod

@@ -0,0 +1,4 @@
+import go
+
+from SQL::QueryString qs
+select qs

go/ql/test/library-tests/semmle/go/frameworks/SQL/gorqlite/gorqlite.expected

@@ -1,3 +1,3 @@
-# github.com/rqlite/gorqlite v0.0.0-20240808172217-12ae7d03ef19
+# github.com/rqlite/gorqlite v0.0.0-20220528150909-c4e99ae96be6
 ## explicit
 github.com/rqlite/gorqlite