Merge pull request #20917 from owen-mc/go/enable-data-flow-consistency-checks

Go: enable data flow consistency checks

Author: owen-mc

go/Makefile

@@ -54,9 +54,9 @@ ql/lib/go.dbscheme.stats: ql/lib/go.dbscheme build/stats/src.stamp extractor
 	codeql dataset measure -o $@ build/stats/database/db-go
 
 test: all build/testdb/check-upgrade-path
-	codeql test run -j0 ql/test --search-path .. --check-diff-informed --consistency-queries ql/test/consistency --compilation-cache=$(cache) --dynamic-join-order-mode=$(rtjo) --check-databases --fail-on-trap-errors --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition
+	codeql test run -j0 ql/test --search-path .. --check-diff-informed --consistency-queries ql/consistency-queries --compilation-cache=$(cache) --dynamic-join-order-mode=$(rtjo) --check-databases --fail-on-trap-errors --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition
 #	use GOOS=linux because GOOS=darwin GOARCH=386 is no longer supported
-	env GOOS=linux GOARCH=386 codeql$(EXE) test run -j0 ql/test/query-tests/Security/CWE-681 --search-path .. --check-diff-informed --consistency-queries ql/test/consistency --compilation-cache=$(cache) --dynamic-join-order-mode=$(rtjo)
+	env GOOS=linux GOARCH=386 codeql$(EXE) test run -j0 ql/test/query-tests/Security/CWE-681 --search-path .. --check-diff-informed --consistency-queries ql/consistency-queries --compilation-cache=$(cache) --dynamic-join-order-mode=$(rtjo)
 	cd extractor; $(BAZEL) test ...
 	bash extractor-smoke-test/test.sh || (echo "Extractor smoke test FAILED"; exit 1)
 

go/ql/test/consistency/UnexpectedFrontendErrors.ql renamed to go/ql/consistency-queries/UnexpectedFrontendErrors.ql

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The query `go/unexpected-frontend-error` has been moved from the `codeql/go-queries` query  to the `codeql-go-consistency-queries` query pack.

go/ql/lib/change-notes/2025-11-26-unexpected-frontend-errors-query-moved.md

@@ -5,10 +5,25 @@
 
 private import go
 private import DataFlowImplSpecific as Impl
+private import DataFlowUtil
 private import TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
 private import semmle.go.dataflow.internal.DataFlowNodes
 
-private module Input implements InputSig<Location, Impl::GoDataFlow> { }
+private module Input implements InputSig<Location, Impl::GoDataFlow> {
+  predicate missingLocationExclude(DataFlow::Node n) {
+    n instanceof DataFlow::GlobalFunctionNode or n instanceof Private::FlowSummaryNode
+  }
+
+  predicate uniqueNodeLocationExclude(DataFlow::Node n) { missingLocationExclude(n) }
+
+  predicate localFlowIsLocalExclude(DataFlow::Node n1, DataFlow::Node n2) {
+    n1 instanceof DataFlow::FunctionNode and simpleLocalFlowStep(n1, n2, _)
+  }
+
+  predicate argHasPostUpdateExclude(DataFlow::ArgumentNode n) {
+    not DataFlow::insnHasPostUpdateNode(n.asInstruction())
+  }
+}
 
 module Consistency = MakeConsistency<Location, Impl::GoDataFlow, GoTaintTracking, Input>;

go/ql/lib/semmle/go/dataflow/internal/DataFlowImplConsistency.qll

@@ -0,0 +1,3 @@
+identityLocalStep
+| main.go:46:18:46:18 | n | Node steps to itself |
+| main.go:47:3:47:3 | c | Node steps to itself |

go/ql/test/consistency/UnexpectedFrontendErrors.expected

@@ -0,0 +1,5 @@
+reverseRead
+| timing.go:15:18:15:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| timing.go:28:18:28:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| timing.go:41:18:41:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| timing.go:53:18:53:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/example-tests/snippets/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,4 @@
+reverseRead
+| ImproperLdapAuth.go:18:18:18:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| ImproperLdapAuth.go:39:18:39:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| ImproperLdapAuth.go:64:18:64:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/experimental/CWE-203/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,3 @@
+reverseRead
+| go-jose.v3.go:16:17:16:17 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| golang-jwt-v5.go:22:17:22:17 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/experimental/CWE-287/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,10 @@
+reverseRead
+| DivideByZero.go:10:12:10:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:17:12:17:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:24:12:24:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:31:12:31:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:38:12:38:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:45:12:45:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:54:12:54:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:63:12:63:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| DivideByZero.go:72:12:72:12 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |