Fix missing go-jose package path

Author: owen-mc

go/ql/lib/ext/github.com.go-jose.go-jose.jwt.model.yml

@@ -3,9 +3,10 @@ extensions:
       pack: codeql/go-all
       extensible: packageGrouping
     data:
-      - ["go-jose/jwt", "github.com/go-jose/go-jose/jwt"]
       - ["go-jose/jwt", "gopkg.in/square/go-jose/jwt"]
+      - ["go-jose/jwt", "gopkg.in/go-jose/go-jose/jwt"]
       - ["go-jose/jwt", "github.com/square/go-jose/jwt"]
+      - ["go-jose/jwt", "github.com/go-jose/go-jose/jwt"]
   - addsTo:
       pack: codeql/go-all
       extensible: sinkModel

go/ql/lib/ext/github.com.go-jose.go-jose.model.yml

@@ -3,9 +3,10 @@ extensions:
       pack: codeql/go-all
       extensible: packageGrouping
     data:
-      - ["go-jose", "github.com/go-jose/go-jose"]
       - ["go-jose", "gopkg.in/square/go-jose"]
+      - ["go-jose", "gopkg.in/go-jose/go-jose"]
       - ["go-jose", "github.com/square/go-jose"]
+      - ["go-jose", "github.com/go-jose/go-jose"]
   - addsTo:
       pack: codeql/go-all
       extensible: sinkModel

go/ql/lib/semmle/go/frameworks/GoJose.qll

@@ -1,6 +1,6 @@
 /**
- * Provides classes for working with the `github.com/square/go-jose`, `github.com/go-jose/go-jose`,
- * and `gopkg.in/square-go-jose.v2` packages.
+ * Provides classes for working with the `gopkg.in/square/go-jose` and `github.com/go-jose/go-jose`
+ * packages.
  */
 
 import go
@@ -22,9 +22,16 @@ private module GoJose {
       override int getTokenArgNum() { result = -1 }
     }
 
-    /** Gets the package names `gopkg.in/square/go-jose/jwt` and `github.com/go-jose/go-jose/jwt`. */
+    /**
+     * Gets the package names `gopkg.in/square/go-jose/jwt`, `gopkg.in/go-jose/go-jose/jwt`,
+     * `github.com/square/go-jose/jwt`, and `github.com/go-jose/go-jose/jwt`.
+     */
     private string goJoseJwtPackage() {
-      result = package(["gopkg.in/square/go-jose", "github.com/go-jose/go-jose"], "jwt")
+      result =
+        package([
+            "gopkg.in/square/go-jose", "gopkg.in/go-jose/go-jose", "github.com/square/go-jose",
+            "github.com/go-jose/go-jose"
+          ], "jwt")
     }
   }
 }

go/ql/lib/semmle/go/security/ExternalAPIs.qll

@@ -36,7 +36,10 @@ private class DefaultSafeExternalApiFunction extends SafeExternalApiFunction {
   DefaultSafeExternalApiFunction() {
     this instanceof BuiltinFunction or
     isDefaultSafePackage(this.getPackage()) or
-    this.hasQualifiedName(package("gopkg.in/square/go-jose", "jwt"), "ParseSigned") or
+    this.hasQualifiedName(package([
+          "gopkg.in/square/go-jose", "gopkg.in/go-jose/go-jose", "github.com/square/go-jose",
+          "github.com/go-jose/go-jose"
+        ], "jwt"), "ParseSigned") or
     this.(Method).hasQualifiedName(Gorm::packagePath(), "DB", "Update") or
     this.hasQualifiedName("crypto/hmac", "Equal") or
     this.hasQualifiedName("crypto/subtle", "ConstantTimeCompare") or

go/ql/src/experimental/frameworks/JWT.qll

@@ -172,7 +172,11 @@ class GolangJwtParseFromRequestWithClaims extends JwtParseWithKeyFunction {
  * Gets `gopkg.in/square/go-jose` and `github.com/go-jose/go-jose` jwt package
  */
 string goJoseJwtPackage() {
-  result = package(["gopkg.in/square/go-jose", "github.com/go-jose/go-jose"], "jwt")
+  result =
+    package([
+        "gopkg.in/square/go-jose", "gopkg.in/go-jose/go-jose", "github.com/square/go-jose",
+        "github.com/go-jose/go-jose"
+      ], "jwt")
 }
 
 /**