You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/codeql/codeql-language-guides/customizing-library-models-for-go.rst
+47Lines changed: 47 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -148,6 +148,53 @@ The remaining values are used to define the ``access path``, the ``kind``, and t
148
148
- The eighth value ``remote`` is the kind of the source. The source kind is used to define the threat model where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources. For more information, see ":ref:`Threat models <threat-models-go>`."
149
149
- The ninth value ``manual`` is the provenance of the source, which is used to identify the origin of the source.
150
150
151
+
Example: Add flow through the ``Max`` function
152
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
153
+
154
+
This example shows how the Go query pack models flow through a function for a simple case.
155
+
This pattern covers many of the cases where we need to summarize flow through a function that is stored in a library or framework outside the repository.
156
+
157
+
.. code-block:: go
158
+
159
+
import "slices"
160
+
161
+
func ValueFlow {
162
+
a := []int{1, 2, 3}
163
+
max := slices.Max(a) // There is taint flow from `a` to `max`.
164
+
...
165
+
}
166
+
167
+
We need to add a tuple to the ``summaryModel``\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate by updating a data extension file:
Since we are adding flow through a method, we need to add tuples to the ``summaryModel`` extensible predicate.
179
+
Each tuple defines flow from one argument to the return value.
180
+
The first row defines flow from the first argument (``a`` in the example) to the return value (``max`` in the example).
181
+
182
+
The first five values identify the function to be modeled as a summary.
183
+
These are the same for both of the rows above as we are adding two summaries for the same method.
184
+
185
+
- The first value ``slices`` is the package name.
186
+
- The second value ``""`` is left blank, since the function is not a method of a type.
187
+
- The third value ``False`` is a flag that indicates whether or not the sink also applies to subtypes. This has no effect for non-method functions.
188
+
- The fourth value ``Max`` is the function name.
189
+
- The fifth value ``""`` is left blank, since specifying the signature is optional and Go does not allow multiple signature overloads for the same function.
190
+
191
+
The sixth value should be left empty and is out of scope for this documentation.
192
+
The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the summary.
193
+
194
+
- The seventh value is the access path to the input (where data flows from). ``Argument[0]`` is the access path to the first argument.
195
+
- The eighth value ``ReturnValue`` is the access path to the output (where data flows to), in this case ``ReturnValue``, which means that the input flows to the return value.
196
+
- The ninth value ``value`` is the kind of the flow. ``value`` flow indicates an entire value is moved, ``taint`` means that taint is propagated through the call.
197
+
- The tenth value ``manual`` is the provenance of the summary, which is used to identify the origin of the summary.
151
198
Example: Add flow through the ``Join`` function
152
199
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
153
200
This example shows how the Go query pack models flow through a method for a simple case.
0 commit comments