Merge pull request #19203 from owen-mc/review/egregius313/17905

 Go: Add database source models for `uptrace/bun` and `gogf/gf/database/gdb`

Author: owen-mc

go/ql/lib/change-notes/2025-03-27-database-local-source-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Local source models for APIs reading from databases have been added for `github.com/gogf/gf/database/gdb` and `github.com/uptrace/bun`.

go/ql/lib/ext/github.com.gogf.gf.database.gdb.model.yml

@@ -55,3 +55,76 @@ extensions:
       - ["github.com/gogf/gf/database/gdb", "Tx", True, "Prepare", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["github.com/gogf/gf/database/gdb", "Tx", True, "Query", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["github.com/gogf/gf/database/gdb", "Tx", True, "Raw", "", "", "Argument[0]", "sql-injection", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      # These models are for v1. Some of them hold for v2, but we should model v2 properly.
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoGetAll", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "DoQuery", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetAll", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetArray", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetOne", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetScan", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetStruct", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetStructs", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "GetValue", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Core", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoGetAll", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "DoQuery", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetAll", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetArray", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetOne", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetScan", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "GetValue", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "DB", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "All", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "Array", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "FindAll", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "FindArray", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "FindOne", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "FindScan", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "FindValue", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "One", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "Scan", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "ScanList", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "Select", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "Struct", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "Structs", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Model", True, "Value", "", "", "ReturnValue[0]", "database", "manual"]
+
+      - ["github.com/gogf/gf/database/gdb", "TX", True, "GetAll", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "TX", True, "GetOne", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "TX", True, "GetScan", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "TX", True, "GetStruct", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "TX", True, "GetStructs", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "TX", True, "GetValue", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "TX", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/gogf/gf/database/gdb", "Record", True, "GMap", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Record", True, "Interface", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Record", True, "Json", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Record", True, "Map", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Record", True, "Struct", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Record", True, "Xml", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "Array", "", "", "Argument[receiver]", "ReturnValue.ArrayElement", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "Chunk", "", "", "Argument[receiver]", "ReturnValue.ArrayElement", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "Interface", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "Json", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "List", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyInt", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyStr", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyUint", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "MapKeyValue", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "RecordKeyInt", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "RecordKeyStr", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "RecordKeyUint", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "ScanList", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "Structs", "", "", "Argument[receiver]", "Argument[0]", "taint", "manual"]
+      - ["github.com/gogf/gf/database/gdb", "Result", True, "Xml", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]

go/ql/lib/ext/github.com.uptrace.bun.model.yml

@@ -1,4 +1,21 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/uptrace/bun", "DB", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/uptrace/bun", "DB", True, "QueryRow", "", "", "ReturnValue", "database", "manual"]
+      - ["github.com/uptrace/bun", "IDB", True, "QueryContext", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/uptrace/bun", "IDB", True, "QueryRowContext", "", "", "ReturnValue", "database", "manual"]
+      # - ["github.com/uptrace/bun", "RawQuery", True, "Exec", "", "", "Argument[0]", "database", "manual"] # Implemented in QL because variadic arguments as sources aren't supported in this format yet
+      # - ["github.com/uptrace/bun", "RawQuery", True, "Scan", "", "", "Argument[0]", "database", "manual"] # Implemented in QL because variadic arguments as sources aren't supported in this format yet
+      # - ["github.com/uptrace/bun", "SelectQuery", True, "Exec", "", "", "Argument[0]", "database", "manual"] # Implemented in QL because variadic arguments as sources aren't supported in this format yet
+      - ["github.com/uptrace/bun", "SelectQuery", True, "Model", "", "", "Argument[0]", "database", "manual"]
+      - ["github.com/uptrace/bun", "SelectQuery", True, "Rows", "", "", "ReturnValue[0]", "database", "manual"]
+      # - ["github.com/uptrace/bun", "SelectQuery", True, "Scan", "", "", "Argument[1]", "database", "manual"] # Implemented in QL because variadic arguments as sources aren't supported in this format yet
+      # - ["github.com/uptrace/bun", "SelectQuery", True, "ScanAndCount", "", "", "Argument[1]", "database", "manual"] # Implemented in QL because variadic arguments as sources aren't supported in this format yet
+      - ["github.com/uptrace/bun", "Tx", True, "Query", "", "", "ReturnValue[0]", "database", "manual"]
+      - ["github.com/uptrace/bun", "Tx", True, "QueryRow", "", "", "ReturnValue", "database", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: sinkModel
@@ -66,3 +83,9 @@ extensions:
       - ["github.com/uptrace/bun", "UpdateQuery", True, "TableExpr", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["github.com/uptrace/bun", "UpdateQuery", True, "Where", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["github.com/uptrace/bun", "UpdateQuery", True, "WhereOr", "", "", "Argument[0]", "sql-injection", "manual"]
+  # - addsTo:
+  #     pack: codeql/go-all
+  #     extensible: summaryModel
+  #   data:
+      # - ["github.com/uptrace/bun", "DB", True, "ScanRow", "", "", "Argument[1]", "Argument[2].ArrayElement", "taint", "manual"] # Implemented in QL because variadic arguments as outputs aren't supported in this format yet
+      # - ["github.com/uptrace/bun", "DB", True, "ScanRows", "", "", "Argument[1]", "Argument[2].ArrayElement", "taint", "manual"] # Implemented in QL because variadic arguments as outputs aren't supported in this format yet

go/ql/lib/go.qll

@@ -32,6 +32,7 @@ import semmle.go.frameworks.Afero
 import semmle.go.frameworks.AwsLambda
 import semmle.go.frameworks.Beego
 import semmle.go.frameworks.BeegoOrm
+import semmle.go.frameworks.Bun
 import semmle.go.frameworks.RsCors
 import semmle.go.frameworks.Couchbase
 import semmle.go.frameworks.Echo

go/ql/lib/semmle/go/frameworks/Bun.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `Bun` package.
+ */
+
+import go
+
+/**
+ * Provides classes modeling security-relevant aspects of the `Bun` package.
+ */
+private module Bun {
+  private string packagePath() { result = package("github.com/uptrace/bun", "") }
+
+  private class RawQuerySources extends SourceNode {
+    RawQuerySources() {
+      // func (q *RawQuery) Exec(ctx context.Context, dest ...interface{}) (sql.Result, error)
+      // func (q *RawQuery) Scan(ctx context.Context, dest ...interface{}) error
+      exists(DataFlow::CallNode cn, int i |
+        cn.getTarget().(Method).hasQualifiedName(packagePath(), "RawQuery", ["Exec", "Scan"]) and
+        i >= 1
+      |
+        this = cn.getSyntacticArgument(i)
+      )
+    }
+
+    override string getThreatModel() { result = "database" }
+  }
+
+  private class SelectQuerySources extends SourceNode {
+    SelectQuerySources() {
+      // func (q *SelectQuery) Exec(ctx context.Context, dest ...interface{}) (res sql.Result, err error)
+      // func (q *SelectQuery) Scan(ctx context.Context, dest ...interface{}) error
+      // func (q *SelectQuery) ScanAndCount(ctx context.Context, dest ...interface{}) (int, error)
+      exists(DataFlow::CallNode cn, int i |
+        cn.getTarget()
+            .(Method)
+            .hasQualifiedName(packagePath(), "SelectQuery", ["Exec", "Scan", "ScanAndCount"]) and
+        i >= 1
+      |
+        this = cn.getSyntacticArgument(i)
+      )
+    }
+
+    override string getThreatModel() { result = "database" }
+  }
+
+  private class DBScanRows extends TaintTracking::FunctionModel, Method {
+    FunctionInput inp;
+    FunctionOutput outp;
+
+    DBScanRows() {
+      // func (db *DB) ScanRow(ctx context.Context, rows *sql.Rows, dest ...interface{}) error
+      // func (db *DB) ScanRows(ctx context.Context, rows *sql.Rows, dest ...interface{}) error
+      this.hasQualifiedName(packagePath(), "DB", ["ScanRow", "ScanRows"]) and
+      inp.isParameter(1) and
+      outp.isParameter(any(int i | i >= 2))
+    }
+
+    override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+      input = inp and output = outp
+    }
+  }
+}

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/go.mod

@@ -7,12 +7,13 @@ require (
 	github.com/beego/beego/v2 v2.3.5
 	github.com/couchbase/gocb v1.6.7
 	github.com/couchbase/gocb/v2 v2.9.4
+	github.com/gogf/gf v1.16.9
 	github.com/jmoiron/sqlx v1.4.0
 	github.com/Masterminds/squirrel v1.5.4
 	github.com/rqlite/gorqlite v0.0.0-20250128004930-114c7828b55a
+	github.com/uptrace/bun v1.2.11
 	go.mongodb.org/mongo-driver v1.17.3
 	gorm.io/gorm v1.25.12
-	github.com/nonexistent/sources v0.0.0-20250300000000-000000000000
 )
 
 require (

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/source.ext.yml

@@ -8,4 +8,4 @@ extensions:
       pack: codeql/go-all
       extensible: sourceModel
     data:
-      - ["github.com/nonexistent/sources", "", False, "Source", "", "", "ReturnValue", "database", "manual"]
+      - ["test", "", False, "Source", "", "", "ReturnValue", "database", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test.ext.yml

@@ -10,4 +10,4 @@ extensions:
       pack: codeql/go-all
       extensible: sourceModel
     data:
-      - ["github.com/nonexistent/sources", "", False, "Source", "", "", "ReturnValue", "database", "manual"]
+      - ["test", "", False, "Source", "", "", "ReturnValue", "database", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/database/test_Masterminds_squirrel.go

@@ -6,9 +6,12 @@ import (
 	"context"
 
 	"github.com/Masterminds/squirrel"
-	src "github.com/nonexistent/sources"
 )
 
+func Source[T any]() T {
+	return *new(T)
+}
+
 func test_Masterminds_squirrel_QueryRower(ctx context.Context, db squirrel.QueryRower, sqlizer squirrel.Sqlizer) {
 	scanner := db.QueryRow("") // $ source
 
@@ -136,7 +139,7 @@ func test_Masterminds_squirrel_DeleteBuilder(ctx context.Context, builder squirr
 	sink(r32) // $ hasTaintFlow="r32"
 	sink(r33) // $ hasTaintFlow="r33"
 
-	builder2 := src.Source[squirrel.DeleteBuilder]() // $ source
+	builder2 := Source[squirrel.DeleteBuilder]() // $ source
 
 	var r41, r42, r43 string
 	builder2.ScanContext(ctx, &r41, &r42, &r43)
@@ -177,7 +180,7 @@ func test_Masterminds_squirrel_InsertBuilder(ctx context.Context, builder squirr
 	sink(r42) // $ hasTaintFlow="r42"
 	sink(r43) // $ hasTaintFlow="r43"
 
-	builder2 := src.Source[squirrel.InsertBuilder]() // $ source
+	builder2 := Source[squirrel.InsertBuilder]() // $ source
 
 	var r51, r52, r53 string
 	builder2.Scan(&r51, &r52, &r53)
@@ -225,7 +228,7 @@ func test_Masterminds_squirrel_SelectBuilder(ctx context.Context, builder squirr
 	sink(r42) // $ hasTaintFlow="r42"
 	sink(r43) // $ hasTaintFlow="r43"
 
-	builder2 := src.Source[squirrel.SelectBuilder]() // $ source
+	builder2 := Source[squirrel.SelectBuilder]() // $ source
 
 	var r51, r52, r53 string
 	builder2.Scan(&r51, &r52, &r53)
@@ -273,7 +276,7 @@ func test_Masterminds_squirrel_UpdateBuilder(ctx context.Context, builder squirr
 	sink(r42) // $ hasTaintFlow="r42"
 	sink(r43) // $ hasTaintFlow="r43"
 
-	builder2 := src.Source[squirrel.UpdateBuilder]() // $ source
+	builder2 := Source[squirrel.UpdateBuilder]() // $ source
 
 	var r51, r52, r53 string
 	builder2.Scan(&r51, &r52, &r53)