Go: Adds sources and sinks to go/clear-text-logging

Author: atorralba

go/ql/lib/semmle/go/frameworks/stdlib/Log.qll

@@ -8,7 +8,7 @@ import go
 module Log {
   private class LogFunction extends Function {
     LogFunction() {
-      exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%"]) |
+      exists(string fn | fn.matches(["Fatal%", "Panic%", "Print%", "Output"]) |
         this.hasQualifiedName("log", fn)
         or
         this.(Method).hasQualifiedName("log", "Logger", fn)

go/ql/lib/semmle/go/security/CleartextLogging.qll

@@ -74,6 +74,8 @@ module CleartextLogging {
       )
     }
 
+    predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
     predicate isAdditionalFlowStep(DataFlow::Node src, DataFlow::Node trg) {
       // A taint propagating data-flow edge through structs: a tainted write taints the entire struct.
       exists(Write write |

go/ql/lib/semmle/go/security/SensitiveActions.qll

@@ -35,7 +35,7 @@ module HeuristicNames {
    */
   string maybePassword() {
     result = "(?is).*pass(wd|word|code|phrase)(?!.*question).*" or
-    result = "(?is).*(auth(entication|ori[sz]ation)?|api)key.*"
+    result = "(?is).*(auth(entication|ori[sz]ation)?|api|secret)key.*"
   }
 
   /**

go/ql/src/change-notes/2024-01-09-cleartext-logging-new-sources-and-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more sources and sinks to the query `go/clear-text-logging`.