Merge branch 'master' into rc/1.24

Author: Max Schaefer

.devcontainer/devcontainer.json

@@ -0,0 +1,11 @@
+{
+    "extensions": [
+        "github.vscode-codeql",
+        "slevesque.vscode-zipexplorer"
+    ],
+    "settings": {
+        "codeQL.experimentalBqrsParsing": true,
+        "codeQL.experimentalFeatures": true,
+        "codeQL.runningQueries.debug": true
+    }
+}

.github/workflows/codeqltest.yml

@@ -20,7 +20,7 @@ jobs:
         echo "Done"
         cd $HOME
         echo "Downloading CodeQL CLI..."
-        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.0.3/codeql.zip -L -o codeql.zip
+        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.1.1/codeql.zip -L -o codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
         unzip -q codeql.zip
@@ -53,7 +53,7 @@ jobs:
         echo "Done"
         cd $HOME
         echo "Downloading CodeQL CLI..."
-        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.0.3/codeql.zip -L -o codeql.zip
+        curl https://github.com/github/codeql-cli-binaries/releases/download/v2.1.1/codeql.zip -L -o codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
         unzip -q codeql.zip
@@ -86,10 +86,10 @@ jobs:
         echo "Done"
         cd "$HOME"
         echo "Downloading CodeQL CLI..."
-        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.0.3/codeql.zip -OutFile codeql.zip
+        Invoke-WebRequest -Uri https://github.com/github/codeql-cli-binaries/releases/download/v2.1.1/codeql.zip -OutFile codeql.zip
         echo "Done"
         echo "Unpacking CodeQL CLI..."
-        unzip -q codeql.zip
+        Expand-Archive codeql.zip -DestinationPath $HOME
         rm -fo codeql.zip
         echo "Done"
 

.gitignore

@@ -22,3 +22,4 @@ tools/linux64
 tools/osx64
 tools/win64
 tools/tokenizer.jar
+main

Makefile

@@ -18,7 +18,7 @@ CODEQL_TOOLS = $(addprefix codeql-tools/,autobuild.cmd autobuild.sh index.cmd in
 
 EXTRACTOR_PACK_OUT = build/codeql-extractor-go
 
-BINARIES = go-extractor go-tokenizer go-autobuilder go-bootstrap
+BINARIES = go-extractor go-tokenizer go-autobuilder go-bootstrap go-gen-dbscheme
 
 .PHONY: tools tools-codeql tools-codeql-full clean \
 	tools-linux64 tools-osx64 tools-win64
@@ -81,8 +81,8 @@ tools/net/sourceforge/pmd/cpd/GoLanguage.class: extractor/net/sourceforge/pmd/cp
 	rm tools/net/sourceforge/pmd/cpd/TokenEntry.class
 	rm tools/net/sourceforge/pmd/cpd/Tokenizer.class
 
-ql/src/go.dbscheme: tools/$(CODEQL_PLATFORM)/go-extractor$(EXE)
-	env TRAP_FOLDER=/tmp $< --dbscheme $@
+ql/src/go.dbscheme: tools/$(CODEQL_PLATFORM)/go-gen-dbscheme$(EXE)
+	$< $@
 
 build/stats/src.stamp:
 	mkdir -p $(@D)/src
@@ -109,3 +109,10 @@ build/testdb/go.dbscheme: upgrades/initial/go.dbscheme
 	rm -rf build/testdb
 	echo >build/empty.trap
 	codeql dataset import -S upgrades/initial/go.dbscheme build/testdb build/empty.trap
+
+.PHONY: sync-dataflow-libraries
+sync-dataflow-libraries:
+	for f in DataFlowImpl.qll DataFlowImplCommon.qll tainttracking1/TaintTrackingImpl.qll;\
+	do\
+		curl -s -o ./ql/src/semmle/go/dataflow/internal/$$f https://raw.githubusercontent.com/github/codeql/master/java/ql/src/semmle/code/java/dataflow/internal/$$f;\
+	done

README.md

@@ -12,6 +12,9 @@ It contains two major components:
 
 The goal of this project is to provide comprehensive static analysis support for Go in CodeQL.
 
+For the queries and libraries that power CodeQL support for other languages, visit [the CodeQL
+repository](https://github.com/github/codeql).
+
 ## Installation
 
 Simply clone this repository. There are no external dependencies.
@@ -21,9 +24,10 @@ Code workspace.
 
 ## Usage
 
-To analyze a Go codebase, either use the CodeQL command-line interface to create a database
-yourself, or download a pre-built database from LGTM.com. You can then run any of the queries
-contained in this repository either on the command line or using the VS Code extension.
+To analyze a Go codebase, either use the [CodeQL command-line
+interface](https://help.semmle.com/codeql/codeql-cli.html) to create a database yourself, or
+download a pre-built database from [LGTM.com](https://lgtm.com/). You can then run any of the
+queries contained in this repository either on the command line or using the VS Code extension.
 
 Note that the [lgtm.com](https://github.com/github/codeql-go/tree/lgtm.com) branch of this
 repository corresponds to the version of the queries that is currently deployed on LGTM.com.

change-notes/2020-05-01-bad-redirect-check.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Bad redirect check" (`go/bad-redirect-check`) now requires that the checked variable is actually used in a redirect as opposed to relying on a name-based heuristic. This eliminates some false positive results, and adds more true positive results.

change-notes/2020-05-01-macaron-model.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Basic support for the [Macaron](https://go-macaron.com/) HTTP library has been added, which may lead to more results from the security queries.

change-notes/2020-05-05-clear-text-logging.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Clear-text logging of sensitive information" has been improved to recognize more logging APIs, which may lead to more alerts.

change-notes/2020-05-05-mux-model.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Basic support for the [Mux](https://github.com/gorilla/mux/) HTTP library has been added, which
+  may lead to more results from the security queries.

change-notes/2020-05-07-update-data-flow.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The data-flow library has been improved, which affects and improves most security queries. In particular,
+  flow through functions involving nested field reads and writes is now modeled more fully.