Merge pull request github#14547 from owen-mc/go/enable-data-flow-consistency-checks

owen-mc · web-flow · commit 27646ce97184 · 2023-10-25T11:15:44.000+01:00
Go: make data flow consistency checks available (and fix some)
diff --git a/go/ql/consistency-queries/DataFlowConsistency.ql b/go/ql/consistency-queries/DataFlowConsistency.ql
@@ -0,0 +1 @@
+import semmle.go.dataflow.internal.DataFlowImplConsistency::Consistency
diff --git a/go/ql/consistency-queries/qlpack.yml b/go/ql/consistency-queries/qlpack.yml
@@ -0,0 +1,9 @@
+name: codeql-go-consistency-queries
+version: 0.0.0
+groups:
+  - go
+  - queries
+extractor: go
+dependencies:
+  codeql/go-all: ${workspace}
+warnOnImplicitThis: true
diff --git a/go/ql/lib/change-notes/2023-10-20-enclosing-callable-for-external-files.md b/go/ql/lib/change-notes/2023-10-20-enclosing-callable-for-external-files.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing `Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplConsistency.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplConsistency.qll
@@ -0,0 +1,13 @@
+/**
+ * Provides consistency queries for checking invariants in the language-specific
+ * data-flow classes and predicates.
+ */
+
+private import go
+private import DataFlowImplSpecific
+private import TaintTrackingImplSpecific
+private import codeql.dataflow.internal.DataFlowImplConsistency
+
+private module Input implements InputSig<GoDataFlow> { }
+
+module Consistency = MakeConsistency<GoDataFlow, GoTaintTracking, Input>;
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
@@ -21,9 +21,14 @@ module Private {
   DataFlowCallable nodeGetEnclosingCallable(Node n) {
     result.asCallable() = n.getEnclosingCallable()
     or
-    (n = MkInstructionNode(_) or n = MkSsaNode(_) or n = MkGlobalFunctionNode(_)) and
+    not n instanceof FlowSummaryNode and
     not exists(n.getEnclosingCallable()) and
-    result.asFileScope() = n.getFile()
+    (
+      result.asFileScope() = n.getFile()
+      or
+      not exists(n.getFile()) and
+      result.isExternalFileScope()
+    )
     or
     result.asSummarizedCallable() = n.(FlowSummaryNode).getSummarizedCallable()
   }
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowPrivate.qll
@@ -256,6 +256,7 @@ class DataFlowLocation = Location;
 private newtype TDataFlowCallable =
   TCallable(Callable c) or
   TFileScope(File f) or
+  TExternalFileScope() or
   TSummarizedCallable(FlowSummary::SummarizedCallable c)
 
 class DataFlowCallable extends TDataFlowCallable {
@@ -269,6 +270,11 @@ class DataFlowCallable extends TDataFlowCallable {
    */
   File asFileScope() { this = TFileScope(result) }
 
+  /**
+   * Holds if this `DataFlowCallable` is an external file scope.
+   */
+  predicate isExternalFileScope() { this = TExternalFileScope() }
+
   /**
    * Gets the `SummarizedCallable` corresponding to this `DataFlowCallable`, if any.
    */

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+import semmle.go.dataflow.internal.DataFlowImplConsistency::Consistency`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing `Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.