fix a test mistake, add comments for JWT extension points

am0o0 · am0o0 · commit 7d73808d6038 · 2023-10-06T13:31:09.000+02:00
diff --git a/go/ql/src/experimental/frameworks/JWT.qll b/go/ql/src/experimental/frameworks/JWT.qll
@@ -1,7 +1,7 @@
 import go
 
 /**
- * A abstract class which responsible for parsing a JWT token
+ * A abstract class which responsible for parsing a JWT token.
  */
 abstract class JwtParseBase extends Function {
   /**
@@ -23,7 +23,9 @@ abstract class JwtParseBase extends Function {
 }
 
 /**
- * A abstract class which responsible for parsing a JWT token which the key parameter is a function type
+ * A abstract class which responsible for parsing a JWT token which the key parameter is a function type.
+ *
+ * Extends this class for Jwt parsing methods that accepts a function type as key.
  */
 abstract class JwtParseWithKeyFunction extends JwtParseBase {
   /**
@@ -38,7 +40,9 @@ abstract class JwtParseWithKeyFunction extends JwtParseBase {
 }
 
 /**
- * A abstract class which responsible for parsing a JWT token which the key parameter can be a string or byte type
+ * A abstract class which responsible for parsing a JWT token which the key parameter can be a string or byte type.
+ *
+ * Extends this class for Jwt parsing methods that accepts a non-function type as key.
  */
 abstract class JwtParse extends JwtParseBase {
   /**
@@ -54,6 +58,8 @@ abstract class JwtParse extends JwtParseBase {
 
 /**
  * A abstract class which responsible for parsing a JWT without verifying it
+ *
+ * Extends this class for Jwt parsing methods that don't verify JWT signature
  */
 abstract class JwtUnverifiedParse extends JwtParseBase { }
 
diff --git a/go/ql/test/experimental/CWE-347/ParseJWTWithoutVerification.expected b/go/ql/test/experimental/CWE-347/ParseJWTWithoutVerification.expected
@@ -4,8 +4,8 @@ edges
 | go-jose.v3.go:25:16:25:47 | call to Get | go-jose.v3.go:26:15:26:25 | signedToken |
 | go-jose.v3.go:26:15:26:25 | signedToken | go-jose.v3.go:29:19:29:29 | definition of signedToken |
 | go-jose.v3.go:29:19:29:29 | definition of signedToken | go-jose.v3.go:31:37:31:47 | signedToken |
-| go-jose.v3.go:31:21:31:48 | call to ParseSigned | go-jose.v3.go:33:12:33:23 | DecodedToken |
-| go-jose.v3.go:31:37:31:47 | signedToken | go-jose.v3.go:31:21:31:48 | call to ParseSigned |
+| go-jose.v3.go:31:2:31:48 | ... := ...[0] | go-jose.v3.go:33:12:33:23 | DecodedToken |
+| go-jose.v3.go:31:37:31:47 | signedToken | go-jose.v3.go:31:2:31:48 | ... := ...[0] |
 | golang-jwt-v5.go:28:16:28:20 | selection of URL | golang-jwt-v5.go:28:16:28:28 | call to Query |
 | golang-jwt-v5.go:28:16:28:28 | call to Query | golang-jwt-v5.go:28:16:28:47 | call to Get |
 | golang-jwt-v5.go:28:16:28:47 | call to Get | golang-jwt-v5.go:29:25:29:35 | signedToken |
@@ -17,7 +17,7 @@ nodes
 | go-jose.v3.go:25:16:25:47 | call to Get | semmle.label | call to Get |
 | go-jose.v3.go:26:15:26:25 | signedToken | semmle.label | signedToken |
 | go-jose.v3.go:29:19:29:29 | definition of signedToken | semmle.label | definition of signedToken |
-| go-jose.v3.go:31:21:31:48 | call to ParseSigned | semmle.label | call to ParseSigned |
+| go-jose.v3.go:31:2:31:48 | ... := ...[0] | semmle.label | ... := ...[0] |
 | go-jose.v3.go:31:37:31:47 | signedToken | semmle.label | signedToken |
 | go-jose.v3.go:33:12:33:23 | DecodedToken | semmle.label | DecodedToken |
 | golang-jwt-v5.go:28:16:28:20 | selection of URL | semmle.label | selection of URL |
