Add test for Sqlx

ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/go.mod

@@ -0,0 +1,7 @@
+module gormtest
+
+go 1.14
+
+require (
+	github.com/jmoiron/sqlx v1.2.0
+)

ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.expected

@@ -0,0 +1,12 @@
+| sqlx.go:15:17:15:25 | untrusted |
+| sqlx.go:16:14:16:22 | untrusted |
+| sqlx.go:17:14:17:22 | untrusted |
+| sqlx.go:18:12:18:20 | untrusted |
+| sqlx.go:19:15:19:23 | untrusted |
+| sqlx.go:20:16:20:24 | untrusted |
+| sqlx.go:23:17:23:25 | untrusted |
+| sqlx.go:24:14:24:22 | untrusted |
+| sqlx.go:25:14:25:22 | untrusted |
+| sqlx.go:26:12:26:20 | untrusted |
+| sqlx.go:27:15:27:23 | untrusted |
+| sqlx.go:28:16:28:24 | untrusted |

ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.go

@@ -0,0 +1,30 @@
+package sqlxtest
+
+import (
+	"github.com/jmoiron/sqlx"
+)
+
+func getUntrustedString() string {
+	return "trouble"
+}
+
+func main() {
+
+	db := sqlx.DB{}
+	untrusted := getUntrustedString()
+	db.Select(nil, untrusted)
+	db.Get(nil, untrusted)
+	db.MustExec(untrusted)
+	db.Queryx(untrusted)
+	db.NamedExec(untrusted, nil)
+	db.NamedQuery(untrusted, nil)
+
+	tx := sqlx.Tx{}
+	tx.Select(nil, untrusted)
+	tx.Get(nil, untrusted)
+	tx.MustExec(untrusted)
+	tx.Queryx(untrusted)
+	tx.NamedExec(untrusted, nil)
+	tx.NamedQuery(untrusted, nil)
+
+}

ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/sqlx.ql

@@ -0,0 +1,4 @@
+import go
+
+from SQL::QueryString qs
+select qs

ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/github.com/jmoiron/sqlx/stub.go

@@ -0,0 +1,581 @@
+// Code generated by depstubber. DO NOT EDIT.
+// This is a simple stub for github.com/jmoiron/sqlx, strictly for use in testing.
+
+// See the LICENSE file for information about the licensing of the original library.
+// Source: github.com/jmoiron/sqlx (exports: DB,Tx; functions: )
+
+// Package sqlx is a stub of github.com/jmoiron/sqlx, generated by depstubber.
+package sqlx
+
+import (
+	context "context"
+	sql "database/sql"
+	driver "database/sql/driver"
+	time "time"
+)
+
+type DB struct {
+	DB     *sql.DB
+	Mapper interface{}
+}
+
+func (_ DB) Begin() (*sql.Tx, error) {
+	return nil, nil
+}
+
+func (_ DB) BeginTx(_ context.Context, _ *sql.TxOptions) (*sql.Tx, error) {
+	return nil, nil
+}
+
+func (_ DB) Close() error {
+	return nil
+}
+
+func (_ DB) Conn(_ context.Context) (*sql.Conn, error) {
+	return nil, nil
+}
+
+func (_ DB) Driver() driver.Driver {
+	return nil
+}
+
+func (_ DB) Exec(_ string, _ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ DB) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ DB) Ping() error {
+	return nil
+}
+
+func (_ DB) PingContext(_ context.Context) error {
+	return nil
+}
+
+func (_ DB) Prepare(_ string) (*sql.Stmt, error) {
+	return nil, nil
+}
+
+func (_ DB) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) {
+	return nil, nil
+}
+
+func (_ DB) Query(_ string, _ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ DB) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ DB) QueryRow(_ string, _ ...interface{}) *sql.Row {
+	return nil
+}
+
+func (_ DB) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row {
+	return nil
+}
+
+func (_ DB) SetConnMaxLifetime(_ time.Duration) {}
+
+func (_ DB) SetMaxIdleConns(_ int) {}
+
+func (_ DB) SetMaxOpenConns(_ int) {}
+
+func (_ DB) Stats() sql.DBStats {
+	return sql.DBStats{}
+}
+
+func (_ *DB) BeginTxx(_ context.Context, _ *sql.TxOptions) (*Tx, error) {
+	return nil, nil
+}
+
+func (_ *DB) Beginx() (*Tx, error) {
+	return nil, nil
+}
+
+func (_ *DB) BindNamed(_ string, _ interface{}) (string, []interface{}, error) {
+	return "", nil, nil
+}
+
+func (_ *DB) DriverName() string {
+	return ""
+}
+
+func (_ *DB) Get(_ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *DB) GetContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *DB) MapperFunc(_ func(string) string) {}
+
+func (_ *DB) MustBegin() *Tx {
+	return nil
+}
+
+func (_ *DB) MustBeginTx(_ context.Context, _ *sql.TxOptions) *Tx {
+	return nil
+}
+
+func (_ *DB) MustExec(_ string, _ ...interface{}) sql.Result {
+	return nil
+}
+
+func (_ *DB) MustExecContext(_ context.Context, _ string, _ ...interface{}) sql.Result {
+	return nil
+}
+
+func (_ *DB) NamedExec(_ string, _ interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *DB) NamedExecContext(_ context.Context, _ string, _ interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *DB) NamedQuery(_ string, _ interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *DB) NamedQueryContext(_ context.Context, _ string, _ interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *DB) PrepareNamed(_ string) (*NamedStmt, error) {
+	return nil, nil
+}
+
+func (_ *DB) PrepareNamedContext(_ context.Context, _ string) (*NamedStmt, error) {
+	return nil, nil
+}
+
+func (_ *DB) Preparex(_ string) (*Stmt, error) {
+	return nil, nil
+}
+
+func (_ *DB) PreparexContext(_ context.Context, _ string) (*Stmt, error) {
+	return nil, nil
+}
+
+func (_ *DB) QueryRowx(_ string, _ ...interface{}) *Row {
+	return nil
+}
+
+func (_ *DB) QueryRowxContext(_ context.Context, _ string, _ ...interface{}) *Row {
+	return nil
+}
+
+func (_ *DB) Queryx(_ string, _ ...interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *DB) QueryxContext(_ context.Context, _ string, _ ...interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *DB) Rebind(_ string) string {
+	return ""
+}
+
+func (_ *DB) Select(_ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *DB) SelectContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *DB) Unsafe() *DB {
+	return nil
+}
+
+type NamedStmt struct {
+	Params      []string
+	QueryString string
+	Stmt        *Stmt
+}
+
+func (_ *NamedStmt) Close() error {
+	return nil
+}
+
+func (_ *NamedStmt) Exec(_ interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *NamedStmt) ExecContext(_ context.Context, _ interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *NamedStmt) Get(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *NamedStmt) GetContext(_ context.Context, _ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *NamedStmt) MustExec(_ interface{}) sql.Result {
+	return nil
+}
+
+func (_ *NamedStmt) MustExecContext(_ context.Context, _ interface{}) sql.Result {
+	return nil
+}
+
+func (_ *NamedStmt) Query(_ interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ *NamedStmt) QueryContext(_ context.Context, _ interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ *NamedStmt) QueryRow(_ interface{}) *Row {
+	return nil
+}
+
+func (_ *NamedStmt) QueryRowContext(_ context.Context, _ interface{}) *Row {
+	return nil
+}
+
+func (_ *NamedStmt) QueryRowx(_ interface{}) *Row {
+	return nil
+}
+
+func (_ *NamedStmt) QueryRowxContext(_ context.Context, _ interface{}) *Row {
+	return nil
+}
+
+func (_ *NamedStmt) Queryx(_ interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *NamedStmt) QueryxContext(_ context.Context, _ interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *NamedStmt) Select(_ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *NamedStmt) SelectContext(_ context.Context, _ interface{}, _ interface{}) error {
+	return nil
+}
+
+func (_ *NamedStmt) Unsafe() *NamedStmt {
+	return nil
+}
+
+type Row struct {
+	Mapper interface{}
+}
+
+func (_ *Row) ColumnTypes() ([]*sql.ColumnType, error) {
+	return nil, nil
+}
+
+func (_ *Row) Columns() ([]string, error) {
+	return nil, nil
+}
+
+func (_ *Row) Err() error {
+	return nil
+}
+
+func (_ *Row) MapScan(_ map[string]interface{}) error {
+	return nil
+}
+
+func (_ *Row) Scan(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *Row) SliceScan() ([]interface{}, error) {
+	return nil, nil
+}
+
+func (_ *Row) StructScan(_ interface{}) error {
+	return nil
+}
+
+type Rows struct {
+	Rows   *sql.Rows
+	Mapper interface{}
+}
+
+func (_ Rows) Close() error {
+	return nil
+}
+
+func (_ Rows) ColumnTypes() ([]*sql.ColumnType, error) {
+	return nil, nil
+}
+
+func (_ Rows) Columns() ([]string, error) {
+	return nil, nil
+}
+
+func (_ Rows) Err() error {
+	return nil
+}
+
+func (_ Rows) Next() bool {
+	return false
+}
+
+func (_ Rows) NextResultSet() bool {
+	return false
+}
+
+func (_ Rows) Scan(_ ...interface{}) error {
+	return nil
+}
+
+func (_ *Rows) MapScan(_ map[string]interface{}) error {
+	return nil
+}
+
+func (_ *Rows) SliceScan() ([]interface{}, error) {
+	return nil, nil
+}
+
+func (_ *Rows) StructScan(_ interface{}) error {
+	return nil
+}
+
+type Stmt struct {
+	Stmt   *sql.Stmt
+	Mapper interface{}
+}
+
+func (_ Stmt) Close() error {
+	return nil
+}
+
+func (_ Stmt) Exec(_ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ Stmt) ExecContext(_ context.Context, _ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ Stmt) Query(_ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ Stmt) QueryContext(_ context.Context, _ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ Stmt) QueryRow(_ ...interface{}) *sql.Row {
+	return nil
+}
+
+func (_ Stmt) QueryRowContext(_ context.Context, _ ...interface{}) *sql.Row {
+	return nil
+}
+
+func (_ *Stmt) Get(_ interface{}, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Stmt) GetContext(_ context.Context, _ interface{}, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Stmt) MustExec(_ ...interface{}) sql.Result {
+	return nil
+}
+
+func (_ *Stmt) MustExecContext(_ context.Context, _ ...interface{}) sql.Result {
+	return nil
+}
+
+func (_ *Stmt) QueryRowx(_ ...interface{}) *Row {
+	return nil
+}
+
+func (_ *Stmt) QueryRowxContext(_ context.Context, _ ...interface{}) *Row {
+	return nil
+}
+
+func (_ *Stmt) Queryx(_ ...interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *Stmt) QueryxContext(_ context.Context, _ ...interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *Stmt) Select(_ interface{}, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Stmt) SelectContext(_ context.Context, _ interface{}, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Stmt) Unsafe() *Stmt {
+	return nil
+}
+
+type Tx struct {
+	Tx     *sql.Tx
+	Mapper interface{}
+}
+
+func (_ Tx) Commit() error {
+	return nil
+}
+
+func (_ Tx) Exec(_ string, _ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ Tx) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ Tx) Prepare(_ string) (*sql.Stmt, error) {
+	return nil, nil
+}
+
+func (_ Tx) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) {
+	return nil, nil
+}
+
+func (_ Tx) Query(_ string, _ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ Tx) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) {
+	return nil, nil
+}
+
+func (_ Tx) QueryRow(_ string, _ ...interface{}) *sql.Row {
+	return nil
+}
+
+func (_ Tx) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row {
+	return nil
+}
+
+func (_ Tx) Rollback() error {
+	return nil
+}
+
+func (_ Tx) Stmt(_ *sql.Stmt) *sql.Stmt {
+	return nil
+}
+
+func (_ Tx) StmtContext(_ context.Context, _ *sql.Stmt) *sql.Stmt {
+	return nil
+}
+
+func (_ *Tx) BindNamed(_ string, _ interface{}) (string, []interface{}, error) {
+	return "", nil, nil
+}
+
+func (_ *Tx) DriverName() string {
+	return ""
+}
+
+func (_ *Tx) Get(_ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Tx) GetContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Tx) MustExec(_ string, _ ...interface{}) sql.Result {
+	return nil
+}
+
+func (_ *Tx) MustExecContext(_ context.Context, _ string, _ ...interface{}) sql.Result {
+	return nil
+}
+
+func (_ *Tx) NamedExec(_ string, _ interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *Tx) NamedExecContext(_ context.Context, _ string, _ interface{}) (sql.Result, error) {
+	return nil, nil
+}
+
+func (_ *Tx) NamedQuery(_ string, _ interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *Tx) NamedStmt(_ *NamedStmt) *NamedStmt {
+	return nil
+}
+
+func (_ *Tx) NamedStmtContext(_ context.Context, _ *NamedStmt) *NamedStmt {
+	return nil
+}
+
+func (_ *Tx) PrepareNamed(_ string) (*NamedStmt, error) {
+	return nil, nil
+}
+
+func (_ *Tx) PrepareNamedContext(_ context.Context, _ string) (*NamedStmt, error) {
+	return nil, nil
+}
+
+func (_ *Tx) Preparex(_ string) (*Stmt, error) {
+	return nil, nil
+}
+
+func (_ *Tx) PreparexContext(_ context.Context, _ string) (*Stmt, error) {
+	return nil, nil
+}
+
+func (_ *Tx) QueryRowx(_ string, _ ...interface{}) *Row {
+	return nil
+}
+
+func (_ *Tx) QueryRowxContext(_ context.Context, _ string, _ ...interface{}) *Row {
+	return nil
+}
+
+func (_ *Tx) Queryx(_ string, _ ...interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *Tx) QueryxContext(_ context.Context, _ string, _ ...interface{}) (*Rows, error) {
+	return nil, nil
+}
+
+func (_ *Tx) Rebind(_ string) string {
+	return ""
+}
+
+func (_ *Tx) Select(_ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Tx) SelectContext(_ context.Context, _ interface{}, _ string, _ ...interface{}) error {
+	return nil
+}
+
+func (_ *Tx) Stmtx(_ interface{}) *Stmt {
+	return nil
+}
+
+func (_ *Tx) StmtxContext(_ context.Context, _ interface{}) *Stmt {
+	return nil
+}
+
+func (_ *Tx) Unsafe() *Tx {
+	return nil
+}

ql/test/library-tests/semmle/go/frameworks/SQL/Sqlx/vendor/modules.txt

@@ -0,0 +1,3 @@
+# github.com/jmoiron/sqlx v1.2.0
+## explicit
+github.com/jmoiron/sqlx