Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Go: database local source models #17905

Open
wants to merge 31 commits into
base: main
Choose a base branch
from
+281 −0
Open

Go: database local source models #17905

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
5dac5a4
Model database/sql and database/sql/driver sources
egregius313 Oct 16, 2024
bce95a0
couchbase models
egregius313 Oct 16, 2024
d806d93
Model github.com/gogf/gf/database/gdb
egregius313 Oct 23, 2024
0e02ce0
Model github.com/masterminds/squirrel
egregius313 Oct 23, 2024
4458fc3
Model github.com/rqlite/gorqlite
egregius313 Oct 23, 2024
686d994
Model github.com/uptrace/bun
egregius313 Oct 23, 2024
9628dca
Fix issues in models
egregius313 Oct 23, 2024
f02aea7
Fix models
egregius313 Nov 4, 2024
3c00954
beego/orm stub
egregius313 Jan 8, 2025
e2413e6
couchbase stub
egregius313 Jan 8, 2025
d9911f7
gogf stub
egregius313 Jan 8, 2025
72f1d2f
Shared test file
egregius313 Jan 8, 2025
1882809
Change note
egregius313 Nov 4, 2024
e1168cb
Fix test results
egregius313 Nov 25, 2024
408e5e6
Add `SearchResults::Hits`
egregius313 Dec 3, 2024
c2f6802
gogf model suggestions
egregius313 Dec 13, 2024
14923dc
Add `.ArrayElement` modifier to `Row` and `Rows` model
egregius313 Jan 3, 2025
5cef61e
`database/sql` models order
egregius313 Jan 3, 2025
6a98936
Update beego orm stub
egregius313 Jan 9, 2025
0c25765
Remove stdlib, gorm, and sqlx tests from test.go
egregius313 Jan 10, 2025
e8b7975
beego tests
egregius313 Jan 10, 2025
e2c66d2
Add missing models
egregius313 Jan 15, 2025
a963b4b
Fix model ordering in couchbase models
egregius313 Jan 15, 2025
6754914
Sort model ordering
egregius313 Feb 20, 2025
bc51b55
Remove already-merged packages from change note
egregius313 Feb 21, 2025
360223d
Move model to TaintTracking::FunctionModel
egregius313 Feb 26, 2025
de2692a
Add QueryResult::Slice
egregius313 Feb 26, 2025
76f7578
Add kanikanema path
egregius313 Feb 26, 2025
4ef3d31
Functionally rename file by merging files
egregius313 Feb 26, 2025
d29ccb0
Remove old test
egregius313 Feb 27, 2025
15f5055
Remove gorqlite from change notes
egregius313 Feb 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions go/ql/lib/change-notes/2025-02-21-database-local-source-models.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
category: minorAnalysis
---
* Local source models for APIs reading from databases have been added for the following libraries and ORMs:
- `github.com/couchbase/gocb`
- `github.com/gogf/gf/database/gdb`
- `github.com/mastermind/squirrel`
- `github.com/uptrace/bun`
56 changes: 56 additions & 0 deletions go/ql/lib/ext/github.com.couchbase.gocb.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,32 @@ extensions:
- ["gocb2", "github.com/couchbase/gocb/v2"]
- ["gocb2", "gopkg.in/couchbase/gocb.v2"]
- ["gocb2", "github.com/couchbaselabs/gocb/v2"]
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["group:gocb1", "Cluster", True, "ExecuteAnalyticsQuery", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb1", "Cluster", True, "ExecuteN1qlQuery", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb1", "Cluster", True, "ExecuteSearchQuery", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Cluster", True, "AnalyticsQuery", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Cluster", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Scope", True, "AnalyticsQuery", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Scope", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "Get", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "GetAndLock", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "GetAndTouch", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "GetAnyReplica", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "LookupIn", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "LookupInAllReplicas", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "LookupInAnyReplica", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "Collection", True, "Scan", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "TransactionAttemptContext", True, "Get", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "TransactionAttemptContext", True, "GetReplicaFromPreferredServerGroup", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "TransactionAttemptContext", True, "Insert", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "TransactionAttemptContext", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "TransactionAttemptContext", True, "Replace", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "ViewIndexManager", True, "GetAllDesignDocuments", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:gocb2", "ViewIndexManager", True, "GetDesignDocument", "", "", "ReturnValue[0]", "database", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sinkModel
Expand All @@ -27,6 +53,9 @@ extensions:
data:
- ["group:gocb1", "", False, "NewAnalyticsQuery", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "", False, "NewN1qlQuery", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "AnalyticsResults", True, "One", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb1", "AnalyticsResults", True, "Next", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb1", "AnalyticsResults", True, "NextBytes", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "AnalyticsQuery", True, "ContextId", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "AnalyticsQuery", True, "Deferred", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "AnalyticsQuery", True, "Pretty", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
Expand All @@ -43,3 +72,30 @@ extensions:
- ["group:gocb1", "N1qlQuery", True, "ReadOnly", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "N1qlQuery", True, "ScanCap", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "N1qlQuery", True, "Timeout", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "QueryResults", True, "One", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb1", "QueryResults", True, "Next", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb1", "QueryResults", True, "NextBytes", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb1", "SearchResults", True, "Hits", "", "", "Argument[receiver]", "ReturnValue.ArrayElement", "taint", "manual"]
- ["group:gocb2", "AnalyticsResult", True, "One", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "AnalyticsResult", True, "Raw", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "AnalyticsResult", True, "Row", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "AnalyticsResultRaw", True, "NextBytes", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "GetResult", True, "Content", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "LookupInResult", True, "ContentAt", "", "", "Argument[receiver]", "Argument[1]", "taint", "manual"]
- ["group:gocb2", "LookupInAllReplicasResult", True, "Next", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "MutateInResult", True, "ContentAt", "", "", "Argument[receiver]", "Argument[1]", "taint", "manual"]
- ["group:gocb2", "QueryResult", True, "One", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "QueryResult", True, "Raw", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "QueryResult", True, "Row", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "QueryResultRaw", True, "NextBytes", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "ScanResult", True, "Next", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "ScanResultItem", True, "Content", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "SearchResult", True, "Raw", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "SearchResult", True, "Row", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "SearchResultRaw", True, "NextBytes", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "TransactionGetResult", True, "Content", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "TransactionQueryResult", True, "One", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "TransactionQueryResult", True, "Row", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["group:gocb2", "ViewResult", True, "Raw", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "ViewResult", True, "Row", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["group:gocb2", "ViewResultRaw", True, "NextBytes", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
51 changes: 51 additions & 0 deletions go/ql/lib/ext/github.com.gogf.gf.database.gdb.model.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,3 +55,54 @@ extensions:
- ["github.com/gogf/gf/database/gdb", "Tx", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
- ["github.com/gogf/gf/database/gdb", "Tx", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
- ["github.com/gogf/gf/database/gdb", "Tx", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
# These models are for v1. Some of them hold for v2, but we should model v2 properly.
- ["github.com/gogf/gf/database/gdb", "DB", True, "DoExec", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "DoGetAll", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "DoQuery", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "GetAll", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "GetOne", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "GetValue", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "Raw", "", "", "ReturnValue[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "GetScan", "", "", "Argument[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "GetStruct", "", "", "Argument[0]", "database", "manual"]
- ["github.com/gogf/gf/database/gdb", "DB", True, "GetStructs", "", "", "Argument[0]", "database", "manual"]
Comment on lines +63 to +73
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you should copy these for Core, and maybe TX too.

- ["github.com/gogf/gf/database/gdb", "Model", True, "Raw", "", "", "ReturnValue[0]", "database", "manual"]
- addsTo:
pack: codeql/go-all
extensible: summaryModel
data:
- ["github.com/gogf/gf/database/gdb", "Model", True, "All", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Model", True, "Array", "", "", "Argument[receiver]", "ReturnValue[0].ArrayElement", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Model", True, "FindAll", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Model", True, "FindArray", "", "", "Argument[receiver]", "ReturnValue[0].ArrayElement", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Model", True, "FindOne", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Model", True, "FindValue", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Model", True, "FindScan", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Model", True, "One", "", "", "Argument[receiver]", "ReturnValue[0]", "taint", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also want models for methods Scan, ScanList, Select, Struct and Structs on Model.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, most of these methods on Model return a Model, which we aren't modelling at the moment. It would mean a huge number of models though. But without that, the examples they give, like db.Model("user").Where("id", 1).Scan(&user) , won't get the taint tracked through it properly. I'm not sure what to do here, to be honest.

- ["github.com/gogf/gf/database/gdb", "Record", True, "GMap", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Record", True, "Interface", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Record", True, "Json", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Record", True, "Map", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Record", True, "Struct", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Record", True, "Xml", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "Array", "", "", "Argument[receiver]", "ReturnValue.ArrayElement", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "Chunk", "", "", "Argument[receiver]", "ReturnValue.ArrayElement", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "Interface", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "Json", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "List", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyInt", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyStr", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyUint", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyValue", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "RecordKeyInt", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "RecordKeyStr", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "RecordKeyUint", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "RecordKeyValue", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "ScanList", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "Structs", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
- ["github.com/gogf/gf/database/gdb", "Result", True, "Xml", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
17 changes: 17 additions & 0 deletions go/ql/lib/ext/github.com.mastermind.squirrel.model.yml
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also needs models for QueryContextWith, QueryWith, QueryRowContextWith, QueryRowWith, Row.Scan (it seems to override the inherited Scan method from embedding RowScanner), *Builder.Query (different method signature to QueryRower.Query, unfortunately), *Builder.QueryContext, *Builder.QueryRow, *Builder.QueryRowContext, *Builder.Scan, *Builder.ScanContext. (Do we care about all the Builders? Delete? I guess safest to model them all...)

Original file line number Diff line number Diff line change
Expand Up @@ -49,3 +49,20 @@ extensions:
- ["group:squirrel", "UpdateBuilder", True, "Suffix", "", "", "Argument[0]", "sql-injection", "manual"]
- ["group:squirrel", "UpdateBuilder", True, "Table", "", "", "Argument[0]", "sql-injection", "manual"]
# UpdateBuilder.Where has to be modeled in QL to avoid FPs when a non-string argument is used
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["group:squirrel", "QueryRower", True, "QueryRow", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:squirrel", "QueryRowerContext", True, "QueryRowContext", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:squirrel", "Queryer", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:squirrel", "QueryerContext", True, "QueryContext", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:squirrel", "StdSql", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:squirrel", "StdSql", True, "QueryRow", "", "", "ReturnValue", "database", "manual"]
- ["group:squirrel", "StdSqlCtx", True, "QueryContext", "", "", "ReturnValue[0]", "database", "manual"]
- ["group:squirrel", "StdSqlCtx", True, "QueryRowContext", "", "", "ReturnValue", "database", "manual"]
- addsTo:
pack: codeql/go-all
extensible: summaryModel
data:
- ["group:squirrel", "RowScanner", True, "Scan", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I remember correctly, this model won't work because dataflow out of a variadic parameter doesn't work currently. It can be modeled in QL using TaintTracking::FunctionModel.

22 changes: 22 additions & 0 deletions go/ql/lib/ext/github.com.uptrace.bun.model.yml
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The last example here shows that we need to model Exec as well (in QL). And this part of the docs.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These docs make me think we need source models for DB.Query* and summary models for DB.ScanRow and DB.ScanRows.

Original file line number Diff line number Diff line change
@@ -1,4 +1,26 @@
extensions:
- addsTo:
pack: codeql/go-all
extensible: sourceModel
data:
- ["github.com/uptrace/bun", "AddColumnQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "CreateIndexQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "CreateTableQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "DeleteQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "DropIndexQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "DropTableQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "InsertQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "MergeQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "SelectQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "TruncateQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "UpdateQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "DeleteQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "InsertQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "MergeQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "RawQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "SelectQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "TruncateQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"]
- ["github.com/uptrace/bun", "UpdateQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"]
- addsTo:
pack: codeql/go-all
extensible: sinkModel
Expand Down
39 changes: 39 additions & 0 deletions go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
package test

import (
"context"
"fmt"

gocb "github.com/couchbase/gocb/v2"
"github.com/gogf/gf/database/gdb"
"github.com/rqlite/gorqlite"
"go.mongodb.org/mongo-driver/mongo"
)

func gogf(g gdb.DB) {
u1, err := g.GetOne("SELECT user from users") // $source

if err != nil {
return
}

fmt.Println(u1)
}

func couchbase(coll *gocb.Collection) {
type User struct {
Name string
}

var user User

result, err := coll.Get("documentID", nil) // $source

if err != nil {
return
}

result.Content(&user)

fmt.Println(user)
}
27 changes: 27 additions & 0 deletions ...semmle/go/dataflow/flowsources/local/database/vendor/github.com/couchbase/gocb/v2/stub.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading