address code review feedback

Author: Alvaro Muñoz

go/ql/lib/semmle/go/frameworks/SQL.qll

@@ -294,46 +294,41 @@ module Xorm {
  * Provides classes for working with the [Bun](https://bun.uptrace.dev/) package.
  */
 module Bun {
-  /** Gets the package name for Bun. */
-  string packagePath() { result = package("github.com/uptrace/bun", "") }
+  /** Gets the package name for Bun package. */
+  private string packagePath() { result = package("github.com/uptrace/bun", "") }
 
   /** A model for sinks of Bun. */
   private class BunSink extends SQL::QueryString::Range {
     BunSink() {
-      exists(Function f, int arg |
-        f.(Method)
-            .hasQualifiedName(packagePath(), ["DB", "Conn"],
-              ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"]) and
+      exists(Function f, string m, int arg | this = f.getACall().getArgument(arg) |
+        f.hasQualifiedName(packagePath(), m) and
+        m = "NewRawQuery" and
         arg = 1
-        or
-        f.(Method)
-            .hasQualifiedName(packagePath(), ["DB", "Conn"],
-              ["Exec", "NewRaw", "Prepare", "Query", "QueryRow", "Raw"]) and
-        arg = 0
-        or
-        exists(string tp, string m | f.(Method).hasQualifiedName(packagePath(), tp, m) |
+      )
+      or
+      exists(Method f, string tp, string m, int arg | this = f.getACall().getArgument(arg) |
+        f.hasQualifiedName(packagePath(), tp, m) and
+        (
+          tp = ["DB", "Conn"] and
+          m = ["ExecContext", "PrepareContext", "QueryContext", "QueryRowContext"] and
+          arg = 1
+          or
+          tp = ["DB", "Conn"] and
+          m = ["Exec", "NewRaw", "Prepare", "Query", "QueryRow", "Raw"] and
+          arg = 0
+          or
           tp.matches("%Query") and
           m =
             [
               "ColumnExpr", "DistinctOn", "For", "GroupExpr", "Having", "ModelTableExpr",
-              "OrderExpr", "TableExpr", "Where", "WhereIn", "WhereInMulti", "WhereOr"
+              "OrderExpr", "TableExpr", "Where", "WhereOr"
             ] and
           arg = 0
           or
-          tp.matches("%Query") and
-          m = ["FormatQuery", "With", "WithRecursive"] and
-          arg = 1
-          or
           tp = "RawQuery" and
           m = "NewRaw" and
           arg = 0
-          or
-          tp = "RawQuery" and
-          m = "NewRawQuery" and
-          arg = 1
         )
-      |
-        this = f.getACall().getArgument(arg)
       )
     }
   }

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.expected

@@ -1,16 +1,17 @@
-| bun.go:27:10:27:18 | untrusted | github.com/uptrace/bun | DB | Exec |
-| bun.go:28:22:28:30 | untrusted | github.com/uptrace/bun | DB | ExecContext |
-| bun.go:29:26:29:34 | untrusted | github.com/uptrace/bun | DB | QueryRowContext |
-| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | SelectQuery | ColumnExpr |
-| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | countQuery | ColumnExpr |
-| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | selectExistsQuery | ColumnExpr |
-| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | selectQueryBuilder | ColumnExpr |
-| bun.go:30:28:30:36 | untrusted | github.com/uptrace/bun | whereExistsQuery | ColumnExpr |
-| bun.go:31:12:31:20 | untrusted | github.com/uptrace/bun | DB | NewRaw |
-| bun.go:32:23:32:31 | untrusted | github.com/uptrace/bun | DB | QueryContext |
-| bun.go:33:26:33:34 | untrusted | github.com/uptrace/bun | DB | QueryRowContext |
-| bun.go:34:14:34:22 | untrusted | github.com/uptrace/bun | DB | QueryRow |
-| bun.go:35:9:35:17 | untrusted | github.com/uptrace/bun | DB | Raw |
-| bun.go:36:11:36:19 | untrusted | github.com/uptrace/bun | DB | Query |
-| bun.go:37:13:37:21 | untrusted | github.com/uptrace/bun | DB | Prepare |
-| bun.go:38:25:38:33 | untrusted | github.com/uptrace/bun | DB | PrepareContext |
+| bun.go:26:10:26:18 | untrusted | github.com/uptrace/bun.DB | Exec |
+| bun.go:27:22:27:30 | untrusted | github.com/uptrace/bun.DB | ExecContext |
+| bun.go:28:26:28:34 | untrusted | github.com/uptrace/bun.DB | QueryRowContext |
+| bun.go:29:28:29:36 | untrusted | github.com/uptrace/bun.SelectQuery | ColumnExpr |
+| bun.go:29:28:29:36 | untrusted | github.com/uptrace/bun.countQuery | ColumnExpr |
+| bun.go:29:28:29:36 | untrusted | github.com/uptrace/bun.selectExistsQuery | ColumnExpr |
+| bun.go:29:28:29:36 | untrusted | github.com/uptrace/bun.selectQueryBuilder | ColumnExpr |
+| bun.go:29:28:29:36 | untrusted | github.com/uptrace/bun.whereExistsQuery | ColumnExpr |
+| bun.go:30:12:30:20 | untrusted | github.com/uptrace/bun.DB | NewRaw |
+| bun.go:31:23:31:31 | untrusted | github.com/uptrace/bun.DB | QueryContext |
+| bun.go:32:26:32:34 | untrusted | github.com/uptrace/bun.DB | QueryRowContext |
+| bun.go:33:14:33:22 | untrusted | github.com/uptrace/bun.DB | QueryRow |
+| bun.go:34:9:34:17 | untrusted | github.com/uptrace/bun.DB | Raw |
+| bun.go:35:11:35:19 | untrusted | github.com/uptrace/bun.DB | Query |
+| bun.go:36:13:36:21 | untrusted | github.com/uptrace/bun.DB | Prepare |
+| bun.go:37:25:37:33 | untrusted | github.com/uptrace/bun.DB | PrepareContext |
+| bun.go:38:22:38:30 | untrusted | github.com/uptrace/bun | NewRawQuery |

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.go

@@ -7,7 +7,6 @@ import (
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bun/dialect/sqlitedialect"
 	"github.com/uptrace/bun/driver/sqliteshim"
-	"github.com/uptrace/bun/extra/bundebug"
 )
 
 func getUntrustedString() string {
@@ -36,4 +35,5 @@ func main() {
 	db.Query(untrusted)
 	db.Prepare(untrusted)
 	db.PrepareContext(ctx, untrusted)
+	bun.NewRawQuery(db, untrusted)
 }

go/ql/test/library-tests/semmle/go/frameworks/SQL/bun/bun.ql

@@ -1,5 +1,7 @@
 import go
 
-from SQL::QueryString qs, Method meth, string a, string b, string c
-where meth.hasQualifiedName(a, b, c) and qs = meth.getACall().getSyntacticArgument(_)
-select qs, a, b, c
+from SQL::QueryString qs, Function func, string a, string b
+where
+  func.hasQualifiedName(a, b) and
+  qs = func.getACall().getSyntacticArgument(_)
+select qs, a, b