Make taint tracking tests use InlineFlowTest

go/ql/test/experimental/frameworks/CleverGo/TaintTracking.go

@@ -17,7 +17,7 @@ func TaintTracking_ClevergoTechClevergoV052() {
 		{
 			fromString598 := source().(string)
 			intoString631 := clevergo.CleanPath(fromString598)
-			sink(intoString631) // $ taintSink
+			sink(intoString631) // $ hasTaintFlow="intoString631"
 		}
 	}
 	// Taint-tracking through method calls.
@@ -30,13 +30,13 @@ func TaintTracking_ClevergoTechClevergoV052() {
 					fromString165 := source().(string)
 					var mediumObjCQL clevergo.Application
 					intoURL150, _ := mediumObjCQL.RouteURL(fromString165, "")
-					sink(intoURL150) // $ taintSink
+					sink(intoURL150) // $ hasTaintFlow="intoURL150"
 				}
 				{
 					fromString340 := source().(string)
 					var mediumObjCQL clevergo.Application
 					intoURL471, _ := mediumObjCQL.RouteURL("", fromString340)
-					sink(intoURL471) // $ taintSink
+					sink(intoURL471) // $ hasTaintFlow="intoURL471"
 				}
 			}
 		}
@@ -46,7 +46,7 @@ func TaintTracking_ClevergoTechClevergoV052() {
 			{
 				fromContext290 := source().(clevergo.Context)
 				intoContext758 := fromContext290.Context()
-				sink(intoContext758) // $ taintSink
+				sink(intoContext758) // $ hasTaintFlow="intoContext758"
 			}
 		}
 		// Taint-tracking through method calls on clevergo.tech/clevergo.Params.
@@ -55,7 +55,7 @@ func TaintTracking_ClevergoTechClevergoV052() {
 			{
 				fromParams396 := source().(clevergo.Params)
 				intoString707 := fromParams396.String("")
-				sink(intoString707) // $ taintSink untrustedFlowSource
+				sink(intoString707) // $ hasTaintFlow="intoString707" untrustedFlowSource
 			}
 		}
 	}
@@ -69,7 +69,7 @@ func TaintTracking_ClevergoTechClevergoV052() {
 				var intoInterface718 interface{}
 				var mediumObjCQL clevergo.Decoder
 				mediumObjCQL.Decode(fromRequest912, intoInterface718)
-				sink(intoInterface718) // $ taintSink untrustedFlowSource
+				sink(intoInterface718) // $ hasTaintFlow="intoInterface718" untrustedFlowSource
 			}
 		}
 		// Taint-tracking through method calls on clevergo.tech/clevergo.Renderer interface.
@@ -80,7 +80,7 @@ func TaintTracking_ClevergoTechClevergoV052() {
 				var intoWriter633 io.Writer
 				var mediumObjCQL clevergo.Renderer
 				mediumObjCQL.Render(intoWriter633, "", fromInterface972, nil)
-				sink(intoWriter633) // $ taintSink
+				sink(intoWriter633) // $ hasTaintFlow="intoWriter633"
 			}
 		}
 	}

go/ql/test/experimental/frameworks/CleverGo/TaintTracking.ql

@@ -1,31 +1,4 @@
 import go
-import TestUtilities.InlineExpectationsTest
 import experimental.frameworks.CleverGo
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "test-configuration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(Function fn | fn.hasQualifiedName(_, "source") | source = fn.getACall().getResult())
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
-  }
-}
-
-module TaintTrackingTest implements TestSig {
-  string getARelevantTag() { result = "taintSink" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "taintSink" and
-    exists(DataFlow::Node sink | any(Configuration c).hasFlow(_, sink) |
-      element = sink.toString() and
-      value = "" and
-      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
-    )
-  }
-}
-
-import MakeTest<TaintTrackingTest>
+import TestUtilities.InlineFlowTest
+import DefaultFlowTest

go/ql/test/experimental/frameworks/Fiber/TaintTracking.go

@@ -15,7 +15,7 @@ func TaintTracking_GithubComGofiberFiberV1146() {
 		{
 			fromString656 := source().(string)
 			intoError414 := fiber.NewError(0, fromString656)
-			sink(intoError414) // $ taintSink
+			sink(intoError414) // $ hasTaintFlow="intoError414"
 		}
 	}
 }
@@ -28,79 +28,79 @@ func TaintTracking_GithubComGofiberUtilsV0010() {
 		{
 			fromString989 := source().(string)
 			intoByte982 := utils.GetBytes(fromString989)
-			sink(intoByte982) // $ taintSink
+			sink(intoByte982) // $ hasTaintFlow="intoByte982"
 		}
 		// func GetString(b []byte) string
 		{
 			fromByte417 := source().([]byte)
 			intoString584 := utils.GetString(fromByte417)
-			sink(intoString584) // $ taintSink
+			sink(intoString584) // $ hasTaintFlow="intoString584"
 		}
 		// func ImmutableString(s string) string
 		{
 			fromString991 := source().(string)
 			intoString881 := utils.ImmutableString(fromString991)
-			sink(intoString881) // $ taintSink
+			sink(intoString881) // $ hasTaintFlow="intoString881"
 		}
 		// func ToLower(b string) string
 		{
 			fromString494 := source().(string)
 			intoString873 := utils.ToLower(fromString494)
-			sink(intoString873) // $ taintSink
+			sink(intoString873) // $ hasTaintFlow="intoString873"
 		}
 		// func ToLowerBytes(b []byte) []byte
 		{
 			fromByte599 := source().([]byte)
 			intoByte409 := utils.ToLowerBytes(fromByte599)
-			sink(intoByte409) // $ taintSink
+			sink(intoByte409) // $ hasTaintFlow="intoByte409"
 		}
 		// func ToUpper(b string) string
 		{
 			fromString246 := source().(string)
 			intoString898 := utils.ToUpper(fromString246)
-			sink(intoString898) // $ taintSink
+			sink(intoString898) // $ hasTaintFlow="intoString898"
 		}
 		// func ToUpperBytes(b []byte) []byte
 		{
 			fromByte598 := source().([]byte)
 			intoByte631 := utils.ToUpperBytes(fromByte598)
-			sink(intoByte631) // $ taintSink
+			sink(intoByte631) // $ hasTaintFlow="intoByte631"
 		}
 		// func Trim(s string, cutset byte) string
 		{
 			fromString165 := source().(string)
 			intoString150 := utils.Trim(fromString165, 0)
-			sink(intoString150) // $ taintSink
+			sink(intoString150) // $ hasTaintFlow="intoString150"
 		}
 		// func TrimBytes(b []byte, cutset byte) []byte
 		{
 			fromByte340 := source().([]byte)
 			intoByte471 := utils.TrimBytes(fromByte340, 0)
-			sink(intoByte471) // $ taintSink
+			sink(intoByte471) // $ hasTaintFlow="intoByte471"
 		}
 		// func TrimLeft(s string, cutset byte) string
 		{
 			fromString290 := source().(string)
 			intoString758 := utils.TrimLeft(fromString290, 0)
-			sink(intoString758) // $ taintSink
+			sink(intoString758) // $ hasTaintFlow="intoString758"
 		}
 		// func TrimLeftBytes(b []byte, cutset byte) []byte
 		{
 			fromByte396 := source().([]byte)
 			intoByte707 := utils.TrimLeftBytes(fromByte396, 0)
-			sink(intoByte707) // $ taintSink
+			sink(intoByte707) // $ hasTaintFlow="intoByte707"
 		}
 		// func TrimRight(s string, cutset byte) string
 		{
 			fromString912 := source().(string)
 			intoString718 := utils.TrimRight(fromString912, 0)
-			sink(intoString718) // $ taintSink
+			sink(intoString718) // $ hasTaintFlow="intoString718"
 		}
 		// func TrimRightBytes(b []byte, cutset byte) []byte
 		{
 			fromByte972 := source().([]byte)
 			intoByte633 := utils.TrimRightBytes(fromByte972, 0)
-			sink(intoByte633) // $ taintSink
+			sink(intoByte633) // $ hasTaintFlow="intoByte633"
 		}
 	}
 }

go/ql/test/experimental/frameworks/Fiber/TaintTracking.ql

@@ -1,31 +1,4 @@
 import go
-import TestUtilities.InlineExpectationsTest
 import experimental.frameworks.Fiber
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "test-configuration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    exists(Function fn | fn.hasQualifiedName(_, "source") | source = fn.getACall().getResult())
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
-  }
-}
-
-module TaintTrackingTest implements TestSig {
-  string getARelevantTag() { result = "taintSink" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "taintSink" and
-    exists(DataFlow::Node sink | any(Configuration c).hasFlow(_, sink) |
-      element = sink.toString() and
-      value = "" and
-      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
-    )
-  }
-}
-
-import MakeTest<TaintTrackingTest>
+import TestUtilities.InlineFlowTest
+import DefaultFlowTest

go/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.go

@@ -138,14 +138,14 @@ func main() {
 		if switchStatementReturningTrueOnlyWhenConstant(s) {
 			sink(s)
 		} else {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		}
 	}
 
 	{
 		s := source()
 		if switchStatementReturningFalseOnlyWhenConstant("", s) {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		} else {
 			sink(s)
 		}
@@ -157,7 +157,7 @@ func main() {
 		if err != nil {
 			sink(s)
 		} else {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		}
 	}
 
@@ -166,7 +166,7 @@ func main() {
 		if switchStatementReturningNilOnlyWhenConstant(s) == nil {
 			sink(s)
 		} else {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		}
 	}
 
@@ -175,25 +175,25 @@ func main() {
 		if multipleSwitchStatementReturningTrueOnlyWhenConstant(s, getRandomString()) {
 			sink(s)
 		} else {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		}
 	}
 
 	{
 		s := source()
 		if switchStatementWithoutUsefulInfo(s) {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		} else {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		}
 	}
 
 	{
 		s := source()
 		if switchStatementOverRandomString(s) {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		} else {
-			sink(s) // $ dataflow=s
+			sink(s) // $ hasTaintFlow="s"
 		}
 	}
 

go/ql/test/library-tests/semmle/go/dataflow/ListOfConstantsSanitizerGuards/test.ql

@@ -1,30 +1,3 @@
 import go
-import TestUtilities.InlineExpectationsTest
-
-class TestConfig extends TaintTracking::Configuration {
-  TestConfig() { this = "test config" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.(DataFlow::CallNode).getTarget().getName() = "source"
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(DataFlow::CallNode c | c.getTarget().getName() = "sink").getAnArgument()
-  }
-}
-
-module DataFlowTest implements TestSig {
-  string getARelevantTag() { result = "dataflow" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "dataflow" and
-    exists(DataFlow::Node sink | any(TestConfig c).hasFlow(_, sink) |
-      element = sink.toString() and
-      value = sink.toString() and
-      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
-    )
-  }
-}
-
-import MakeTest<DataFlowTest>
+import TestUtilities.InlineFlowTest
+import TaintFlowTest<DefaultFlowConfig>

go/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/TaintFlows.ql

@@ -1,33 +1,20 @@
 import go
-import TestUtilities.InlineExpectationsTest
+import TestUtilities.InlineFlowTest
 
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "test-configuration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source =
-      any(DataFlow::CallNode c | c.getCalleeName() in ["getTaintedByteArray", "getTaintedPatch"])
-          .getResult(0)
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink =
-      any(DataFlow::CallNode c | c.getCalleeName() in ["sinkByteArray", "sinkPatch"]).getArgument(0)
-  }
-}
-
-module TaintFlowTest implements TestSig {
-  string getARelevantTag() { result = "taintflow" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "taintflow" and
-    exists(DataFlow::Node sink | any(Configuration c).hasFlow(_, sink) |
-      element = sink.toString() and
-      value = "" and
-      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(Function fn | fn.hasQualifiedName(_, ["getTaintedByteArray", "getTaintedPatch"]) |
+      source = fn.getACall().getResult()
     )
   }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Function fn | fn.hasQualifiedName(_, ["sinkByteArray", "sinkPatch"]) |
+      sink = fn.getACall().getAnArgument()
+    )
+  }
+
+  int fieldFlowBranchLimit() { result = 1000 }
 }
 
-import MakeTest<TaintFlowTest>
+import TaintFlowTest<Config>

go/ql/test/library-tests/semmle/go/frameworks/EvanphxJsonPatch/main.go

@@ -5,7 +5,7 @@ package main
 import patch "github.com/evanphx/json-patch/v5"
 
 func getTaintedByteArray() []byte {
-	return make([]byte, 1, 1)
+	return make([]byte, 1)
 }
 
 func getTaintedPatch() patch.Patch {
@@ -20,59 +20,59 @@ func sinkPatch(patch.Patch) {
 }
 
 func main() {
-	untaintedByteArray := make([]byte, 1, 1)
+	untaintedByteArray := make([]byte, 1)
 	var untaintedPatch patch.Patch
 
 	// func MergeMergePatches(patch1Data, patch2Data []byte) ([]byte, error)
 	b1, _ := patch.MergeMergePatches(getTaintedByteArray(), untaintedByteArray)
-	sinkByteArray(b1) // $ taintflow
+	sinkByteArray(b1) // $ hasTaintFlow="b1"
 
 	b2, _ := patch.MergeMergePatches(untaintedByteArray, getTaintedByteArray())
-	sinkByteArray(b2) // $ taintflow
+	sinkByteArray(b2) // $ hasTaintFlow="b2"
 
 	// func MergePatch(docData, patchData []byte) ([]byte, error)
 	b3, _ := patch.MergePatch(getTaintedByteArray(), untaintedByteArray)
-	sinkByteArray(b3) // $ taintflow
+	sinkByteArray(b3) // $ hasTaintFlow="b3"
 
 	b4, _ := patch.MergePatch(untaintedByteArray, getTaintedByteArray())
-	sinkByteArray(b4) // $ taintflow
+	sinkByteArray(b4) // $ hasTaintFlow="b4"
 
 	// func CreateMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error)
 	b5, _ := patch.CreateMergePatch(getTaintedByteArray(), untaintedByteArray)
-	sinkByteArray(b5) // $ taintflow
+	sinkByteArray(b5) // $ hasTaintFlow="b5"
 
 	b6, _ := patch.CreateMergePatch(untaintedByteArray, getTaintedByteArray())
-	sinkByteArray(b6) // $ taintflow
+	sinkByteArray(b6) // $ hasTaintFlow="b6"
 
 	// func DecodePatch(buf []byte) (Patch, error)
 	p7, _ := patch.DecodePatch(getTaintedByteArray())
-	sinkPatch(p7) // $ taintflow
+	sinkPatch(p7) // $ hasTaintFlow="p7"
 
 	// func (p Patch) Apply(doc []byte) ([]byte, error)
 	b8, _ := untaintedPatch.Apply(getTaintedByteArray())
-	sinkByteArray(b8) // $ taintflow
+	sinkByteArray(b8) // $ hasTaintFlow="b8"
 
 	b9, _ := getTaintedPatch().Apply(untaintedByteArray)
-	sinkByteArray(b9) // $ taintflow
+	sinkByteArray(b9) // $ hasTaintFlow="b9"
 
 	// func (p Patch) ApplyIndent(doc []byte, indent string) ([]byte, error)
 	b10, _ := untaintedPatch.ApplyIndent(getTaintedByteArray(), "  ")
-	sinkByteArray(b10) // $ taintflow
+	sinkByteArray(b10) // $ hasTaintFlow="b10"
 
 	b11, _ := getTaintedPatch().ApplyIndent(untaintedByteArray, "  ")
-	sinkByteArray(b11) // $ taintflow
+	sinkByteArray(b11) // $ hasTaintFlow="b11"
 
 	// func (p Patch) ApplyWithOptions(doc []byte, options *ApplyOptions) ([]byte, error)
 	b12, _ := untaintedPatch.ApplyWithOptions(getTaintedByteArray(), nil)
-	sinkByteArray(b12) // $ taintflow
+	sinkByteArray(b12) // $ hasTaintFlow="b12"
 
 	b13, _ := getTaintedPatch().ApplyWithOptions(untaintedByteArray, nil)
-	sinkByteArray(b13) // $ taintflow
+	sinkByteArray(b13) // $ hasTaintFlow="b13"
 
 	// func (p Patch) ApplyIndentWithOptions(doc []byte, indent string, options *ApplyOptions) ([]byte, error)
 	b14, _ := untaintedPatch.ApplyIndentWithOptions(getTaintedByteArray(), "  ", nil)
-	sinkByteArray(b14) // $ taintflow
+	sinkByteArray(b14) // $ hasTaintFlow="b14"
 
 	b15, _ := getTaintedPatch().ApplyIndentWithOptions(untaintedByteArray, "  ", nil)
-	sinkByteArray(b15) // $ taintflow
+	sinkByteArray(b15) // $ hasTaintFlow="b15"
 }

go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/TaintFlowsInline.ql

@@ -1,39 +1,3 @@
 import go
-import TestUtilities.InlineExpectationsTest
-
-class SourceFunction extends Function {
-  SourceFunction() { this.getName() = "source" }
-}
-
-class SinkFunction extends Function {
-  SinkFunction() { this.getName() = "sink" }
-}
-
-class TestConfig extends TaintTracking::Configuration {
-  TestConfig() { this = "testconfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source = any(SourceFunction f).getACall().getResult(0)
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(SinkFunction f).getACall().getArgument(0)
-  }
-}
-
-module K8sIoApiCoreV1Test implements TestSig {
-  string getARelevantTag() { result = "KsIoApiCoreV" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(TestConfig config, DataFlow::PathNode sink |
-      config.hasFlowPath(_, sink) and
-      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-      element = sink.toString() and
-      value = "" and
-      tag = "KsIoApiCoreV"
-    )
-  }
-}
-
-import MakeTest<K8sIoApiCoreV1Test>
+import TestUtilities.InlineFlowTest
+import DefaultFlowTest

go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/main.go

@@ -9,86 +9,88 @@ import (
 //go:generate depstubber -vendor k8s.io/apimachinery/pkg/runtime ProtobufMarshaller,ProtobufReverseMarshaller
 
 func source() interface{} {
-	return make([]byte, 1, 1)
+	return make([]byte, 1)
 }
 
-func sink(...interface{}) {
+func sink(interface{}) {
 }
 
 func main() {
 
 	{
 		// func (in *Secret) DeepCopy() *Secret
-		sink(source().(*corev1.Secret).DeepCopy()) // $ KsIoApiCoreV
+		sink(source().(*corev1.Secret).DeepCopy()) // $ hasTaintFlow="call to DeepCopy"
 	}
 	{
 		// func (in *Secret) DeepCopyInto(out *Secret)
 		var out *corev1.Secret
 		source().(*corev1.Secret).DeepCopyInto(out)
-		sink(out) // $ KsIoApiCoreV
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func (in *Secret) DeepCopyObject() runtime.Object
-		sink(source().(*corev1.Secret).DeepCopyObject()) // $ KsIoApiCoreV
+		sink(source().(*corev1.Secret).DeepCopyObject()) // $ hasTaintFlow="call to DeepCopyObject"
 	}
 	{
 		// func (m *Secret) Marshal() (dAtA []byte, err error)
-		sink(source().(*corev1.Secret).Marshal()) // $ KsIoApiCoreV
+		out, _ := source().(*corev1.Secret).Marshal()
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func (m *Secret) MarshalTo(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*corev1.Secret).MarshalTo(dAtA)
-		sink(dAtA) // $ KsIoApiCoreV
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *Secret) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*corev1.Secret).MarshalToSizedBuffer(dAtA)
-		sink(dAtA) // $ KsIoApiCoreV
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *Secret) Unmarshal(dAtA []byte) error
 		var dAtA []byte
 		source().(*corev1.Secret).Unmarshal(dAtA)
-		sink(dAtA) // $ KsIoApiCoreV
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 
 	{
 		// func (in *SecretList) DeepCopy() *SecretList
-		sink(source().(*corev1.SecretList).DeepCopy()) // $ KsIoApiCoreV
+		sink(source().(*corev1.SecretList).DeepCopy()) // $ hasTaintFlow="call to DeepCopy"
 	}
 	{
 		// func (in *SecretList) DeepCopyInto(out *SecretList)
 		var out *corev1.SecretList
 		source().(*corev1.SecretList).DeepCopyInto(out)
-		sink(out) // $ KsIoApiCoreV
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func (in *SecretList) DeepCopyObject() runtime.Object
-		sink(source().(*corev1.SecretList).DeepCopyObject()) // $ KsIoApiCoreV
+		sink(source().(*corev1.SecretList).DeepCopyObject()) // $ hasTaintFlow="call to DeepCopyObject"
 	}
 	{
 		// func (m *SecretList) Marshal() (dAtA []byte, err error)
-		sink(source().(*corev1.SecretList).Marshal()) // $ KsIoApiCoreV
+		out, _ := source().(*corev1.SecretList).Marshal()
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func (m *SecretList) MarshalTo(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*corev1.SecretList).MarshalTo(dAtA)
-		sink(dAtA) // $ KsIoApiCoreV
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *SecretList) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*corev1.SecretList).MarshalToSizedBuffer(dAtA)
-		sink(dAtA) // $ KsIoApiCoreV
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *SecretList) Unmarshal(dAtA []byte) error
 		var dAtA []byte
 		source().(*corev1.SecretList).Unmarshal(dAtA)
-		sink(dAtA) // $ KsIoApiCoreV
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 }
 

go/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/TaintFlowsInline.ql

@@ -1,39 +1,3 @@
 import go
-import TestUtilities.InlineExpectationsTest
-
-class SourceFunction extends Function {
-  SourceFunction() { this.getName() = "source" }
-}
-
-class SinkFunction extends Function {
-  SinkFunction() { this.getName() = "sink" }
-}
-
-class TestConfig extends TaintTracking::Configuration {
-  TestConfig() { this = "testconfig" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source = any(SourceFunction f).getACall().getAResult()
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(SinkFunction f).getACall().getAnArgument()
-  }
-}
-
-module K8sIoApimachineryPkgRuntimeTest implements TestSig {
-  string getARelevantTag() { result = "KsIoApimachineryPkgRuntime" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(TestConfig config, DataFlow::PathNode sink |
-      config.hasFlowPath(_, sink) and
-      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
-      element = sink.toString() and
-      value = "" and
-      tag = "KsIoApimachineryPkgRuntime"
-    )
-  }
-}
-
-import MakeTest<K8sIoApimachineryPkgRuntimeTest>
+import TestUtilities.InlineFlowTest
+import DefaultFlowTest

go/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/main.go

@@ -31,93 +31,93 @@ func main() {
 		// func Convert_Slice_string_To_Pointer_int64(in *[]string, out **int64, s conversion.Scope) error
 		var out **int64
 		runtime.Convert_Slice_string_To_Pointer_int64(source().(*[]string), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func Convert_Slice_string_To_int(in *[]string, out *int, s conversion.Scope) error
 		var out *int
 		runtime.Convert_Slice_string_To_int(source().(*[]string), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func Convert_Slice_string_To_int64(in *[]string, out *int64, s conversion.Scope) error
 		var out *int64
 		runtime.Convert_Slice_string_To_int64(source().(*[]string), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func Convert_Slice_string_To_string(in *[]string, out *string, s conversion.Scope) error
 		var out *string
 		runtime.Convert_Slice_string_To_string(source().(*[]string), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func Convert_runtime_Object_To_runtime_RawExtension(in *Object, out *RawExtension, s conversion.Scope) error
 		var out *runtime.RawExtension
 		runtime.Convert_runtime_Object_To_runtime_RawExtension(source().(*runtime.Object), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func Convert_runtime_RawExtension_To_runtime_Object(in *RawExtension, out *Object, s conversion.Scope) error
 		var out *runtime.Object
 		runtime.Convert_runtime_RawExtension_To_runtime_Object(source().(*runtime.RawExtension), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func Convert_string_To_Pointer_int64(in *string, out **int64, s conversion.Scope) error
 		var out **int64
 		runtime.Convert_string_To_Pointer_int64(source().(*string), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func Convert_string_To_int64(in *string, out *int64, s conversion.Scope) error
 		var out *int64
 		runtime.Convert_string_To_int64(source().(*string), out, s)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func DecodeInto(d Decoder, data []byte, into Object) error
 		var o runtime.Object
 		runtime.DecodeInto(decoder, source().([]byte), o)
-		sink(o) // $ KsIoApimachineryPkgRuntime
+		sink(o) // $ hasTaintFlow="o"
 	}
 	{
 		// func DeepCopyJSON(x map[string]interface{}) map[string]interface{}
-		sink(runtime.DeepCopyJSON(source().(map[string]interface{}))) // $ KsIoApimachineryPkgRuntime
+		sink(runtime.DeepCopyJSON(source().(map[string]interface{}))) // $ hasTaintFlow="call to DeepCopyJSON"
 	}
 	{
 		// func DeepCopyJSONValue(x interface{}) interface{}
-		sink(runtime.DeepCopyJSONValue(source().(map[string]interface{}))) // $ KsIoApimachineryPkgRuntime
+		sink(runtime.DeepCopyJSONValue(source().(map[string]interface{}))) // $ hasTaintFlow="call to DeepCopyJSONValue"
 	}
 	{
 		// func Encode(e Encoder, obj Object) ([]byte, error)
 		x, _ := runtime.Encode(encoder, source().(runtime.Object))
-		sink(x) // $ KsIoApimachineryPkgRuntime
+		sink(x) // $ hasTaintFlow="x"
 	}
 	{
 		// func EncodeOrDie(e Encoder, obj Object) string
-		sink(runtime.EncodeOrDie(encoder, source().(runtime.Object))) // $ KsIoApimachineryPkgRuntime
+		sink(runtime.EncodeOrDie(encoder, source().(runtime.Object))) // $ hasTaintFlow="call to EncodeOrDie"
 	}
 	{
 		// func Field(v reflect.Value, fieldName string, dest interface{}) error
 		var fieldName string
 		var dest interface{}
 		runtime.Field(source().(reflect.Value), fieldName, dest)
-		sink(dest) // $ KsIoApimachineryPkgRuntime
+		sink(dest) // $ hasTaintFlow="dest"
 	}
 	{
 		// func FieldPtr(v reflect.Value, fieldName string, dest interface{}) error
 		var fieldName string
 		var dest interface{}
 		runtime.FieldPtr(source().(reflect.Value), fieldName, dest)
-		sink(dest) // $ KsIoApimachineryPkgRuntime
+		sink(dest) // $ hasTaintFlow="dest"
 	}
 	{
 		// func SetField(src interface{}, v reflect.Value, fieldName string) error
 		var v reflect.Value
 		var fieldName string
 		runtime.SetField(source(), v, fieldName)
-		sink(v) // $ KsIoApimachineryPkgRuntime
+		sink(v) // $ hasTaintFlow="v"
 	}
 	{
 		//    CacheEncode(id Identifier, encode func(Object, io.Writer) error, w io.Writer) error
@@ -125,19 +125,19 @@ func main() {
 		var encode func(runtime.Object, io.Writer) error
 		var w io.Writer
 		source().(myCacheableObject).CacheEncode(id, encode, w)
-		sink(w) // $ KsIoApimachineryPkgRuntime
+		sink(w) // $ hasTaintFlow="w"
 	}
 	{
 		//    GetObject() Object
-		sink(source().(myCacheableObject).GetObject()) // $ KsIoApimachineryPkgRuntime
+		sink(source().(myCacheableObject).GetObject()) // $ hasTaintFlow="call to GetObject"
 	}
 	{
 		// Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error)
 		var defaults *schema.GroupVersionKind
 		var into runtime.Object
 		x, _, _ := decoder.Decode(source().([]byte), defaults, into)
-		sink(x)    // $ KsIoApimachineryPkgRuntime
-		sink(into) // $ KsIoApimachineryPkgRuntime
+		sink(x)    // $ hasTaintFlow="x"
+		sink(into) // $ hasTaintFlow="into"
 	}
 	{
 		// Decode(data []byte, defaults *schema.GroupVersionKind, into Object) (Object, *schema.GroupVersionKind, error)
@@ -145,47 +145,47 @@ func main() {
 		var into runtime.Object
 		var withoutVersionDecoder runtime.WithoutVersionDecoder
 		x, _, _ := withoutVersionDecoder.Decode(source().([]byte), defaults, into)
-		sink(x)    // $ KsIoApimachineryPkgRuntime
-		sink(into) // $ KsIoApimachineryPkgRuntime
+		sink(x)    // $ hasTaintFlow="x"
+		sink(into) // $ hasTaintFlow="into"
 	}
 	{
 		// Encode(obj Object, w io.Writer) error
 		var w io.Writer
 		encoder.Encode(source().(runtime.Object), w)
-		sink(w) // $ KsIoApimachineryPkgRuntime
+		sink(w) // $ hasTaintFlow="w"
 	}
 	{
 		// Encode(obj Object, w io.Writer) error
 		var w io.Writer
 		var withVersionEncoder runtime.WithVersionEncoder
 		withVersionEncoder.Encode(source().(runtime.Object), w)
-		sink(w) // $ KsIoApimachineryPkgRuntime
+		sink(w) // $ hasTaintFlow="w"
 	}
 	{
 		var framer myFramer
 
 		// NewFrameReader(r io.ReadCloser) io.ReadCloser
-		sink(framer.NewFrameReader(source().(io.ReadCloser))) // $ KsIoApimachineryPkgRuntime
+		sink(framer.NewFrameReader(source().(io.ReadCloser))) // $ hasTaintFlow="call to NewFrameReader"
 
 		// NewFrameWriter(w io.Writer) io.Writer
-		sink(framer.NewFrameWriter(source().(io.Writer))) // $ KsIoApimachineryPkgRuntime
+		sink(framer.NewFrameWriter(source().(io.Writer))) // $ hasTaintFlow="call to NewFrameWriter"
 	}
 	{
 		// DeepCopyObject() Object
-		sink(source().(runtime.Object).DeepCopyObject()) // $ KsIoApimachineryPkgRuntime
+		sink(source().(runtime.Object).DeepCopyObject()) // $ hasTaintFlow="call to DeepCopyObject"
 	}
 	{
 		// func Decode(d Decoder, data []byte) (Object, error)
 		o, _ := runtime.Decode(decoder, source().([]byte))
-		sink(o) // $ KsIoApimachineryPkgRuntime
+		sink(o) // $ hasTaintFlow="o"
 	}
 	{
 		// func NewEncodable(e Encoder, obj Object, versions ...schema.GroupVersion) Object
-		sink(runtime.NewEncodable(encoder, source().(runtime.Object))) // $ KsIoApimachineryPkgRuntime
+		sink(runtime.NewEncodable(encoder, source().(runtime.Object))) // $ hasTaintFlow="call to NewEncodable"
 	}
 	{
 		// func NewEncodableList(e Encoder, objects []Object, versions ...schema.GroupVersion) []Object
-		sink(runtime.NewEncodableList(encoder, source().([]runtime.Object))) // $ KsIoApimachineryPkgRuntime
+		sink(runtime.NewEncodableList(encoder, source().([]runtime.Object))) // $ hasTaintFlow="call to NewEncodableList"
 	}
 	{
 		// func UseOrCreateObject(t ObjectTyper, c ObjectCreater, gvk schema.GroupVersionKind, obj Object) (Object, error)
@@ -193,7 +193,7 @@ func main() {
 		var c runtime.ObjectCreater
 		var gvk schema.GroupVersionKind
 		o, _ := runtime.UseOrCreateObject(t, c, gvk, source().(runtime.Object))
-		sink(o) // $ KsIoApimachineryPkgRuntime
+		sink(o) // $ hasTaintFlow="o"
 	}
 	{
 		var objectConverter myObjectConverter
@@ -201,12 +201,12 @@ func main() {
 		//    Convert(in, out, context interface{}) error
 		var out, context interface{}
 		objectConverter.Convert(source(), out, context)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 
 		//    ConvertToVersion(in Object, gv GroupVersioner) (out Object, err error)
 		var gv runtime.GroupVersioner
 		o, _ := objectConverter.ConvertToVersion(source().(runtime.Object), gv)
-		sink(o) // $ KsIoApimachineryPkgRuntime
+		sink(o) // $ hasTaintFlow="o"
 	}
 	{
 		var parameterCodec myParameterCodec
@@ -215,110 +215,110 @@ func main() {
 		var gv schema.GroupVersion
 		var into runtime.Object
 		parameterCodec.DecodeParameters(source().(url.Values), gv, into)
-		sink(into) // $ KsIoApimachineryPkgRuntime
+		sink(into) // $ hasTaintFlow="into"
 
 		//    EncodeParameters(obj Object, to schema.GroupVersion) (url.Values, error)
 		urlValues, _ := parameterCodec.EncodeParameters(source().(runtime.Object), gv)
-		sink(urlValues) // $ KsIoApimachineryPkgRuntime
+		sink(urlValues) // $ hasTaintFlow="urlValues"
 	}
 	{
 		//    MarshalTo(data []byte) (int, error)
 		var data []byte
 		source().(myProtobufMarshaller).MarshalTo(data)
-		sink(data) // $ KsIoApimachineryPkgRuntime
+		sink(data) // $ hasTaintFlow="data"
 	}
 	{
 		//    MarshalToSizedBuffer(data []byte) (int, error)
 		var data []byte
 		source().(myProtobufReverseMarshaller).MarshalToSizedBuffer(data)
-		sink(data) // $ KsIoApimachineryPkgRuntime
+		sink(data) // $ hasTaintFlow="data"
 	}
 	{
 		// func (in *RawExtension) DeepCopy() *RawExtension
-		sink(source().(*runtime.RawExtension).DeepCopy()) // $ KsIoApimachineryPkgRuntime
+		sink(source().(*runtime.RawExtension).DeepCopy()) // $ hasTaintFlow="call to DeepCopy"
 	}
 	{
 		// func (in *RawExtension) DeepCopyInto(out *RawExtension)
 		var out *runtime.RawExtension
 		source().(*runtime.RawExtension).DeepCopyInto(out)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func (m *RawExtension) Marshal() (dAtA []byte, err error)
 		dAtA, _ := source().(*runtime.RawExtension).Marshal()
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *RawExtension) MarshalTo(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*runtime.RawExtension).MarshalTo(dAtA)
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *RawExtension) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*runtime.RawExtension).MarshalToSizedBuffer(dAtA)
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *RawExtension) Unmarshal(dAtA []byte) error
 		var dAtA []byte
 		source().(*runtime.RawExtension).Unmarshal(dAtA)
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (in *Unknown) DeepCopy() *Unknown
-		sink(source().(*runtime.Unknown).DeepCopy()) // $ KsIoApimachineryPkgRuntime
+		sink(source().(*runtime.Unknown).DeepCopy()) // $ hasTaintFlow="call to DeepCopy"
 	}
 	{
 		// func (in *Unknown) DeepCopyObject() Object
-		sink(source().(*runtime.Unknown).DeepCopyObject()) // $ KsIoApimachineryPkgRuntime
+		sink(source().(*runtime.Unknown).DeepCopyObject()) // $ hasTaintFlow="call to DeepCopyObject"
 	}
 	{
 		// func (in *Unknown) DeepCopyInto(out *Unknown)
 		var out *runtime.Unknown
 		source().(*runtime.Unknown).DeepCopyInto(out)
-		sink(out) // $ KsIoApimachineryPkgRuntime
+		sink(out) // $ hasTaintFlow="out"
 	}
 	{
 		// func (m *Unknown) Marshal() (dAtA []byte, err error)
 		dAtA, _ := source().(*runtime.Unknown).Marshal()
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *Unknown) MarshalTo(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*runtime.Unknown).MarshalTo(dAtA)
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *Unknown) MarshalToSizedBuffer(dAtA []byte) (int, error)
 		var dAtA []byte
 		source().(*runtime.Unknown).MarshalToSizedBuffer(dAtA)
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *Unknown) NestedMarshalTo(data []byte, b ProtobufMarshaller, size uint64) (int, error)
 		var dAtA []byte
 		var b myProtobufMarshaller
 		source().(*runtime.Unknown).NestedMarshalTo(dAtA, b, 1)
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		// func (m *Unknown) Unmarshal(dAtA []byte) error
 		var dAtA []byte
 		source().(*runtime.Unknown).Unmarshal(dAtA)
-		sink(dAtA) // $ KsIoApimachineryPkgRuntime
+		sink(dAtA) // $ hasTaintFlow="dAtA"
 	}
 	{
 		//    UnstructuredContent() map[string]interface{}
-		sink(source().(myUnstructured).UnstructuredContent()) // $ KsIoApimachineryPkgRuntime
+		sink(source().(myUnstructured).UnstructuredContent()) // $ hasTaintFlow="call to UnstructuredContent"
 	}
 	{
 		//    SetUnstructuredContent(map[string]interface{})
 		var unstructured myUnstructured
 		unstructured.SetUnstructuredContent(source().(map[string]interface{}))
-		sink(unstructured) // $ KsIoApimachineryPkgRuntime
+		sink(unstructured) // $ hasTaintFlow="unstructured"
 	}
 }
 

go/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.expected

@@ -1,33 +1,2 @@
-| testDeprecatedApi.go:22:22:22:41 | call to getUntrustedString | testDeprecatedApi.go:26:12:26:21 | serialized |
-| testDeprecatedApi.go:31:22:31:41 | call to getUntrustedString | testDeprecatedApi.go:37:12:37:21 | serialized |
-| testDeprecatedApi.go:41:25:41:43 | call to getUntrustedBytes | testDeprecatedApi.go:45:13:45:29 | selection of Description |
-| testDeprecatedApi.go:49:25:49:43 | call to getUntrustedBytes | testDeprecatedApi.go:53:13:53:34 | call to GetDescription |
-| testDeprecatedApi.go:58:23:58:42 | call to getUntrustedString | testDeprecatedApi.go:65:12:65:21 | serialized |
-| testDeprecatedApi.go:70:14:70:33 | call to getUntrustedString | testDeprecatedApi.go:77:12:77:21 | serialized |
-| testDeprecatedApi.go:85:24:85:43 | call to getUntrustedString | testDeprecatedApi.go:89:12:89:21 | serialized |
-| testDeprecatedApi.go:93:25:93:43 | call to getUntrustedBytes | testDeprecatedApi.go:97:13:97:31 | selection of Msg |
-| testDeprecatedApi.go:104:22:104:41 | call to getUntrustedString | testDeprecatedApi.go:105:13:105:20 | selection of Id |
-| testDeprecatedApi.go:112:22:112:41 | call to getUntrustedString | testDeprecatedApi.go:117:12:117:21 | serialized |
-| testDeprecatedApi.go:133:29:133:48 | call to getUntrustedString | testDeprecatedApi.go:137:12:137:21 | serialized |
-| testDeprecatedApi.go:143:20:143:39 | call to getUntrustedString | testDeprecatedApi.go:148:12:148:21 | serialized |
-| testDeprecatedApi.go:152:25:152:43 | call to getUntrustedBytes | testDeprecatedApi.go:157:13:157:36 | index expression |
-| testDeprecatedApi.go:161:25:161:43 | call to getUntrustedBytes | testDeprecatedApi.go:168:13:168:25 | index expression |
-| testDeprecatedApi.go:176:24:176:43 | call to getUntrustedString | testDeprecatedApi.go:180:12:180:21 | serialized |
-| testModernApi.go:11:22:11:41 | call to getUntrustedString | testModernApi.go:15:12:15:21 | serialized |
-| testModernApi.go:20:22:20:41 | call to getUntrustedString | testModernApi.go:26:12:26:21 | serialized |
-| testModernApi.go:30:25:30:43 | call to getUntrustedBytes | testModernApi.go:34:13:34:29 | selection of Description |
-| testModernApi.go:38:25:38:43 | call to getUntrustedBytes | testModernApi.go:42:13:42:34 | call to GetDescription |
-| testModernApi.go:47:23:47:42 | call to getUntrustedString | testModernApi.go:54:12:54:21 | serialized |
-| testModernApi.go:59:22:59:41 | call to getUntrustedString | testModernApi.go:64:12:64:21 | serialized |
-| testModernApi.go:71:22:71:41 | call to getUntrustedString | testModernApi.go:77:12:77:21 | serialized |
-| testModernApi.go:98:14:98:33 | call to getUntrustedString | testModernApi.go:105:12:105:21 | serialized |
-| testModernApi.go:113:24:113:43 | call to getUntrustedString | testModernApi.go:117:12:117:21 | serialized |
-| testModernApi.go:121:25:121:43 | call to getUntrustedBytes | testModernApi.go:125:13:125:31 | selection of Msg |
-| testModernApi.go:131:25:131:43 | call to getUntrustedBytes | testModernApi.go:135:13:135:29 | selection of Description |
-| testModernApi.go:142:22:142:41 | call to getUntrustedString | testModernApi.go:143:13:143:20 | selection of Id |
-| testModernApi.go:150:22:150:41 | call to getUntrustedString | testModernApi.go:155:12:155:21 | serialized |
-| testModernApi.go:190:29:190:48 | call to getUntrustedString | testModernApi.go:194:12:194:21 | serialized |
-| testModernApi.go:200:20:200:39 | call to getUntrustedString | testModernApi.go:205:12:205:21 | serialized |
-| testModernApi.go:209:25:209:43 | call to getUntrustedBytes | testModernApi.go:214:13:214:36 | index expression |
-| testModernApi.go:218:25:218:43 | call to getUntrustedBytes | testModernApi.go:225:13:225:25 | index expression |
-| testModernApi.go:233:24:233:43 | call to getUntrustedString | testModernApi.go:237:12:237:21 | serialized |
+failures
+testFailures

go/ql/test/library-tests/semmle/go/frameworks/Protobuf/TaintFlows.ql

@@ -1,27 +1,18 @@
 import go
+import TestUtilities.InlineFlowTest
 
-class UntrustedFunction extends Function {
-  UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedBytes"] }
-}
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(Function fn | fn.hasQualifiedName(_, ["getUntrustedString", "getUntrustedBytes"]) |
+      source = fn.getACall().getResult()
+    )
+  }
 
-class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
-  UntrustedSource() { this = any(UntrustedFunction f).getACall() }
-}
-
-class SinkFunction extends Function {
-  SinkFunction() { this.getName() = ["sinkString", "sinkBytes"] }
-}
-
-class TestConfig extends TaintTracking::Configuration {
-  TestConfig() { this = "testconfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(SinkFunction f).getACall().getAnArgument()
+  predicate isSink(DataFlow::Node sink) {
+    exists(Function fn | fn.hasQualifiedName(_, ["sinkString", "sinkBytes"]) |
+      sink = fn.getACall().getAnArgument()
+    )
   }
 }
 
-from TaintTracking::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select source, sink
+import TaintFlowTest<Config>

go/ql/test/library-tests/semmle/go/frameworks/Protobuf/testDeprecatedApi.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"codeql-go-tests/protobuf/protos/query"
+
 	"github.com/golang/protobuf/proto"
 )
 
@@ -23,7 +24,7 @@ func testMarshal() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testCloneThenMarshal() {
@@ -34,7 +35,7 @@ func testCloneThenMarshal() {
 
 	serialized, _ := proto.Marshal(queryClone)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testUnmarshalFieldAccess() {
@@ -42,7 +43,7 @@ func testUnmarshalFieldAccess() {
 	query := &query.Query{}
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.Description) // BAD
+	sinkString(query.Description) // $ hasTaintFlow="selection of Description"
 }
 
 func testUnmarshalGetter() {
@@ -50,7 +51,7 @@ func testUnmarshalGetter() {
 	query := &query.Query{}
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.GetDescription()) // BAD
+	sinkString(query.GetDescription()) // $ hasTaintFlow="call to GetDescription"
 }
 
 func testMergeThenMarshal() {
@@ -62,7 +63,7 @@ func testMergeThenMarshal() {
 
 	serialized, _ := proto.Marshal(query2)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testTaintedSubmessage() {
@@ -74,7 +75,7 @@ func testTaintedSubmessage() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testTaintedSubmessageInPlace() {
@@ -86,7 +87,7 @@ func testTaintedSubmessageInPlace() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testUnmarshalTaintedSubmessage() {
@@ -94,7 +95,7 @@ func testUnmarshalTaintedSubmessage() {
 	query := &query.Query{}
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.Alerts[0].Msg) // BAD
+	sinkString(query.Alerts[0].Msg) // $ hasTaintFlow="selection of Msg"
 }
 
 // This test should be ok, but is flagged because writing taint to a field of a Message
@@ -102,7 +103,7 @@ func testUnmarshalTaintedSubmessage() {
 func testFieldConflationFalsePositive() {
 	query := &query.Query{}
 	query.Description = getUntrustedString()
-	sinkString(query.Id) // OK (but incorrectly tainted)
+	sinkString(query.Id) // $ SPURIOUS: hasTaintFlow="selection of Id"
 }
 
 // This test should be ok, but it flagged because our current implementation doesn't notice
@@ -114,7 +115,7 @@ func testMessageReuseFalsePositive() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // OK (but incorrectly tainted)
+	sinkBytes(serialized) // $ SPURIOUS: hasTaintFlow="serialized"
 }
 
 // This test should be flagged, but we don't notice tainting via an alias of a field.
@@ -125,7 +126,7 @@ func testSubmessageAliasFalseNegative() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD (but not noticed by our current implementation)
+	sinkBytes(serialized) // $ MISSING: hasTaintFlow="serialized"
 }
 
 func testTaintedMapFieldWrite() {
@@ -134,7 +135,7 @@ func testTaintedMapFieldWrite() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testTaintedMapWriteWholeMap() {
@@ -145,7 +146,7 @@ func testTaintedMapWriteWholeMap() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testTaintedMapFieldRead() {
@@ -154,7 +155,7 @@ func testTaintedMapFieldRead() {
 
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.KeyValuePairs[123]) // BAD
+	sinkString(query.KeyValuePairs[123]) // $ hasTaintFlow="index expression"
 }
 
 func testTaintedMapFieldReadViaAlias() {
@@ -165,7 +166,7 @@ func testTaintedMapFieldReadViaAlias() {
 
 	alias := &query.KeyValuePairs
 
-	sinkString((*alias)[123]) // BAD
+	sinkString((*alias)[123]) // $ hasTaintFlow="index expression"
 }
 
 func testTaintedSubmessageInPlaceNonPointerBase() {
@@ -177,5 +178,5 @@ func testTaintedSubmessageInPlaceNonPointerBase() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD (but not detected by our current analysis)
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }

go/ql/test/library-tests/semmle/go/frameworks/Protobuf/testModernApi.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"codeql-go-tests/protobuf/protos/query"
+
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/runtime/protoiface"
 )
@@ -12,7 +13,7 @@ func testMarshalModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized)
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testCloneThenMarshalModern() {
@@ -23,7 +24,7 @@ func testCloneThenMarshalModern() {
 
 	serialized, _ := proto.Marshal(queryClone)
 
-	sinkBytes(serialized)
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testUnmarshalFieldAccessModern() {
@@ -31,7 +32,7 @@ func testUnmarshalFieldAccessModern() {
 	query := &query.Query{}
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.Description)
+	sinkString(query.Description) // $ hasTaintFlow="selection of Description"
 }
 
 func testUnmarshalGetterModern() {
@@ -39,7 +40,7 @@ func testUnmarshalGetterModern() {
 	query := &query.Query{}
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.GetDescription())
+	sinkString(query.GetDescription()) // $ hasTaintFlow="call to GetDescription"
 }
 
 func testMergeThenMarshalModern() {
@@ -51,7 +52,7 @@ func testMergeThenMarshalModern() {
 
 	serialized, _ := proto.Marshal(query2)
 
-	sinkBytes(serialized)
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testMarshalWithOptionsModern() {
@@ -61,7 +62,7 @@ func testMarshalWithOptionsModern() {
 	options := proto.MarshalOptions{}
 	serialized, _ := options.Marshal(query)
 
-	sinkBytes(serialized)
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 // Tests only applicable to the modern API:
@@ -74,7 +75,7 @@ func testMarshalAppend() {
 	emptyArray := []byte{}
 	serialized, _ := options.MarshalAppend(emptyArray, query)
 
-	sinkBytes(serialized)
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testMarshalState() {
@@ -102,7 +103,7 @@ func testTaintedSubmessageModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testTaintedSubmessageInPlaceModern() {
@@ -114,7 +115,7 @@ func testTaintedSubmessageInPlaceModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testUnmarshalTaintedSubmessageModern() {
@@ -122,7 +123,7 @@ func testUnmarshalTaintedSubmessageModern() {
 	query := &query.Query{}
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.Alerts[0].Msg) // BAD
+	sinkString(query.Alerts[0].Msg) // $ hasTaintFlow="selection of Msg"
 }
 
 func testUnmarshalOptions() {
@@ -132,7 +133,7 @@ func testUnmarshalOptions() {
 	query := &query.Query{}
 	options.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.Description) // BAD
+	sinkString(query.Description) // $ hasTaintFlow="selection of Description"
 }
 
 // This test should be ok, but is flagged because writing taint to a field of a Message
@@ -140,7 +141,7 @@ func testUnmarshalOptions() {
 func testFieldConflationFalsePositiveModern() {
 	query := &query.Query{}
 	query.Description = getUntrustedString()
-	sinkString(query.Id) // OK (but incorrectly tainted)
+	sinkString(query.Id) // $ SPURIOUS: hasTaintFlow="selection of Id"
 }
 
 // This test should be ok, but it flagged because our current implementation doesn't notice
@@ -152,7 +153,7 @@ func testMessageReuseFalsePositiveModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // OK (but incorrectly tainted)
+	sinkBytes(serialized) // $ SPURIOUS: hasTaintFlow="serialized"
 }
 
 // This test should be flagged, but we don't notice tainting via an alias of a field.
@@ -163,7 +164,7 @@ func testSubmessageAliasFalseNegativeModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD (but not noticed by our current implementation)
+	sinkBytes(serialized) // $ MISSING: hasTaintFlow="serialized"
 }
 
 // This test should be flagged, but we don't notice that marshalState2.Message is the
@@ -182,7 +183,7 @@ func testMarshalStateFalseNegative() {
 	marshalState2 := marshalState
 	serialized, _ := options.MarshalState(marshalState2)
 
-	sinkBytes(serialized.Buf) // BAD (but not noticed by our current implementation)
+	sinkBytes(serialized.Buf) // $ MISSING: hasTaintFlow="selection of Buf"
 }
 
 func testTaintedMapFieldWriteModern() {
@@ -191,7 +192,7 @@ func testTaintedMapFieldWriteModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testTaintedMapWriteWholeMapModern() {
@@ -202,7 +203,7 @@ func testTaintedMapWriteWholeMapModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }
 
 func testTaintedMapFieldReadModern() {
@@ -211,7 +212,7 @@ func testTaintedMapFieldReadModern() {
 
 	proto.Unmarshal(untrustedSerialized, query)
 
-	sinkString(query.KeyValuePairs[123]) // BAD
+	sinkString(query.KeyValuePairs[123]) // $ hasTaintFlow="index expression"
 }
 
 func testTaintedMapFieldReadViaAliasModern() {
@@ -222,7 +223,7 @@ func testTaintedMapFieldReadViaAliasModern() {
 
 	alias := &query.KeyValuePairs
 
-	sinkString((*alias)[123]) // BAD
+	sinkString((*alias)[123]) // $ hasTaintFlow="index expression"
 }
 
 func testTaintedSubmessageInPlaceNonPointerBaseModern() {
@@ -234,5 +235,5 @@ func testTaintedSubmessageInPlaceNonPointerBaseModern() {
 
 	serialized, _ := proto.Marshal(query)
 
-	sinkBytes(serialized) // BAD (but not detected by our current implementation)
+	sinkBytes(serialized) // $ hasTaintFlow="serialized"
 }

go/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.expected

@@ -1,17 +1,2 @@
-| test.go:26:16:26:35 | call to getUntrustedString | test.go:33:14:33:23 | sUntrusted |
-| test.go:26:16:26:35 | call to getUntrustedString | test.go:35:14:35:23 | sUntrusted |
-| test.go:26:16:26:35 | call to getUntrustedString | test.go:41:18:41:27 | sUntrusted |
-| test.go:26:16:26:35 | call to getUntrustedString | test.go:51:13:51:16 | str3 |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:30:12:30:21 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:31:13:31:22 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:32:15:32:24 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:34:17:34:26 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:36:17:36:26 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:38:16:38:25 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:39:17:39:26 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:40:19:40:28 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:42:21:42:30 | pUntrusted |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:45:13:45:16 | str1 |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:48:13:48:16 | str2 |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:54:13:54:16 | str4 |
-| test.go:28:16:28:35 | call to getUntrustedStruct | test.go:57:13:57:16 | str5 |
+failures
+testFailures

go/ql/test/library-tests/semmle/go/frameworks/Spew/TaintFlows.ql

@@ -1,28 +1,18 @@
 import go
+import TestUtilities.InlineFlowTest
 
-class UntrustedFunction extends Function {
-  UntrustedFunction() { this.getName() = ["getUntrustedString", "getUntrustedStruct"] }
-}
+module TestConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source =
+      any(Function f | f.getName() = ["getUntrustedString", "getUntrustedStruct"])
+          .getACall()
+          .getResult()
+  }
 
-class UntrustedSource extends DataFlow::Node, UntrustedFlowSource::Range {
-  UntrustedSource() { this = any(UntrustedFunction f).getACall() }
-}
-
-class SinkFunction extends Function {
-  SinkFunction() { this.getName() = "sinkString" }
-}
-
-class TestConfig extends TaintTracking::Configuration {
-  TestConfig() { this = "testconfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(SinkFunction f).getACall().getAnArgument() or
+  predicate isSink(DataFlow::Node sink) {
+    sink = any(Function f | f.getName() = "sinkString").getACall().getAnArgument() or
     sink = any(LoggerCall log).getAMessageComponent()
   }
 }
 
-from TaintTracking::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select source, sink
+import FlowTest<TestConfig, TestConfig>

go/ql/test/library-tests/semmle/go/frameworks/Spew/test.go

@@ -27,32 +27,32 @@ func testSpew(w io.Writer) {
 	p := Person{}
 	pUntrusted := getUntrustedStruct()
 
-	spew.Dump(pUntrusted)      // NOT OK
-	spew.Print(pUntrusted)     // NOT OK
-	spew.Println(pUntrusted)   // NOT OK
-	spew.Errorf(sUntrusted, p) // NOT OK
-	spew.Errorf(s, pUntrusted) // NOT OK
-	spew.Printf(sUntrusted, p) // NOT OK
-	spew.Printf(s, pUntrusted) // NOT OK
+	spew.Dump(pUntrusted)      // $ hasValueFlow="pUntrusted"
+	spew.Print(pUntrusted)     // $ hasValueFlow="pUntrusted"
+	spew.Println(pUntrusted)   // $ hasValueFlow="pUntrusted"
+	spew.Errorf(sUntrusted, p) // $ hasValueFlow="sUntrusted"
+	spew.Errorf(s, pUntrusted) // $ hasValueFlow="pUntrusted"
+	spew.Printf(sUntrusted, p) // $ hasValueFlow="sUntrusted"
+	spew.Printf(s, pUntrusted) // $ hasValueFlow="pUntrusted"
 
-	spew.Fdump(w, pUntrusted)      // NOT OK
-	spew.Fprint(w, pUntrusted)     // NOT OK
-	spew.Fprintln(w, pUntrusted)   // NOT OK
-	spew.Fprintf(w, sUntrusted, p) // NOT OK
-	spew.Fprintf(w, s, pUntrusted) // NOT OK
+	spew.Fdump(w, pUntrusted)      // $ hasValueFlow="pUntrusted"
+	spew.Fprint(w, pUntrusted)     // $ hasValueFlow="pUntrusted"
+	spew.Fprintln(w, pUntrusted)   // $ hasValueFlow="pUntrusted"
+	spew.Fprintf(w, sUntrusted, p) // $ hasValueFlow="sUntrusted"
+	spew.Fprintf(w, s, pUntrusted) // $ hasValueFlow="pUntrusted"
 
 	str1 := spew.Sdump(pUntrusted)
-	sinkString(str1) // NOT OK
+	sinkString(str1) // $ hasTaintFlow="str1"
 
 	str2 := spew.Sprint(pUntrusted)
-	sinkString(str2) // NOT OK
+	sinkString(str2) // $ hasTaintFlow="str2"
 
 	str3 := spew.Sprintf(sUntrusted, p)
-	sinkString(str3) // NOT OK
+	sinkString(str3) // $ hasTaintFlow="str3"
 
 	str4 := spew.Sprintf(s, pUntrusted)
-	sinkString(str4) // NOT OK
+	sinkString(str4) // $ hasTaintFlow="str4"
 
 	str5 := spew.Sprintln(pUntrusted)
-	sinkString(str5) // NOT OK
+	sinkString(str5) // $ hasTaintFlow="str5"
 }

go/ql/test/library-tests/semmle/go/frameworks/Zap/TaintFlows.ql

@@ -1,30 +1,12 @@
 import go
-import TestUtilities.InlineExpectationsTest
+import TestUtilities.InlineFlowTest
 
-class TestConfig extends TaintTracking::Configuration {
-  TestConfig() { this = "test config" }
-
-  override predicate isSource(DataFlow::Node source) {
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     source.(DataFlow::CallNode).getTarget().getName() = ["getUntrustedData", "getUntrustedString"]
   }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink = any(LoggerCall log).getAMessageComponent()
-  }
+  predicate isSink(DataFlow::Node sink) { sink = any(LoggerCall log).getAMessageComponent() }
 }
 
-module ZapTest implements TestSig {
-  string getARelevantTag() { result = "zap" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "zap" and
-    exists(DataFlow::Node sink | any(TestConfig c).hasFlow(_, sink) |
-      element = sink.toString() and
-      value = "\"" + sink.toString() + "\"" and
-      sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
-        location.getStartColumn(), location.getEndLine(), location.getEndColumn())
-    )
-  }
-}
-
-import MakeTest<ZapTest>
+import FlowTest<Config, Config>

go/ql/test/library-tests/semmle/go/frameworks/Zap/test.go

@@ -18,72 +18,72 @@ func getUntrustedString() string {
 
 func testZapLoggerDPanic() {
 	logger, _ := zap.NewProduction()
-	logger.DPanic(getUntrustedString()) // $ zap="call to getUntrustedString"
+	logger.DPanic(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 }
 
 func testZapLoggerFatal() {
 	logger := zap.NewExample()
-	logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $ zap="call to String"
+	logger.Fatal("msg", zap.String(getUntrustedString(), "value")) // $ hasTaintFlow="call to String"
 }
 
 func testZapLoggerPanic() {
 	logger, _ := zap.NewDevelopment()
-	logger.Panic("msg", zap.Any("key", getUntrustedData())) // $ zap="call to Any"
+	logger.Panic("msg", zap.Any("key", getUntrustedData())) // $ hasTaintFlow="call to Any"
 }
 
 func testZapLoggerDebug(core zapcore.Core, byteArray []byte) {
 	logger := zap.New(core)
-	logger.Debug(getUntrustedString())                                      // $ zap="call to getUntrustedString"
-	logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray))        // $ zap="call to Binary"
-	logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $ zap="call to ByteString"
+	logger.Debug(getUntrustedString())                                      // $ hasValueFlow="call to getUntrustedString"
+	logger.Debug("msg", zap.Binary(getUntrustedString(), byteArray))        // $ hasTaintFlow="call to Binary"
+	logger.Debug("msg", zap.ByteString("key", getUntrustedData().([]byte))) // $ hasTaintFlow="call to ByteString"
 }
 
 func testZapLoggerError(bss [][]byte) {
 	logger := zap.L()
-	logger.Error(getUntrustedString())                              // $ zap="call to getUntrustedString"
-	logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $ zap="call to ByteStrings"
-	logger.Error("msg", zap.Error(getUntrustedData().(error)))      // $ zap="call to Error"
+	logger.Error(getUntrustedString())                              // $ hasValueFlow="call to getUntrustedString"
+	logger.Error("msg", zap.ByteStrings(getUntrustedString(), bss)) // $ hasTaintFlow="call to ByteStrings"
+	logger.Error("msg", zap.Error(getUntrustedData().(error)))      // $ hasTaintFlow="call to Error"
 }
 
 func testZapLoggerInfo(logger *zap.Logger, errs []error) {
-	logger.Info(getUntrustedString())                                     // $ zap="call to getUntrustedString"
-	logger.Info("msg", zap.Errors(getUntrustedString(), errs))            // $ zap="call to Errors"
-	logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $ zap="call to NamedError"
+	logger.Info(getUntrustedString())                                     // $ hasValueFlow="call to getUntrustedString"
+	logger.Info("msg", zap.Errors(getUntrustedString(), errs))            // $ hasTaintFlow="call to Errors"
+	logger.Info("msg", zap.NamedError("key", getUntrustedData().(error))) // $ hasTaintFlow="call to NamedError"
 }
 
 func testZapLoggerWarn(logger *zap.Logger) {
-	logger.Warn(getUntrustedString())                                     // $ zap="call to getUntrustedString"
-	logger.Warn("msg", zap.Reflect(getUntrustedString(), nil))            // $ zap="call to Reflect"
-	logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string)))  // $ zap="call to Stringp"
-	logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $ zap="call to Strings"
+	logger.Warn(getUntrustedString())                                     // $ hasValueFlow="call to getUntrustedString"
+	logger.Warn("msg", zap.Reflect(getUntrustedString(), nil))            // $ hasTaintFlow="call to Reflect"
+	logger.Warn("msg", zap.Stringp("key", getUntrustedData().(*string)))  // $ hasTaintFlow="call to Stringp"
+	logger.Warn("msg", zap.Strings("key", getUntrustedData().([]string))) // $ hasTaintFlow="call to Strings"
 }
 
 func testZapLoggerNop() {
 	// We do not currently recognise that a logger made using NewNop() does not actually do any logging
 	logger := zap.NewNop()
-	logger.Debug(getUntrustedString()) // $ SPURIOUS: zap="call to getUntrustedString"
+	logger.Debug(getUntrustedString()) // $ SPURIOUS: hasValueFlow="call to getUntrustedString"
 }
 
 func testLoggerNamed(logger *zap.Logger) {
-	namedLogger := logger.Named(getUntrustedString()) // $ zap="call to getUntrustedString"
+	namedLogger := logger.Named(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 	namedLogger.Info("hello world")
 }
 
 func testLoggerWith(logger *zap.Logger) *zap.Logger {
-	logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $ zap="call to Any"
+	logger1 := logger.With(zap.Any(getUntrustedString(), nil)) // $ hasTaintFlow="call to Any"
 	logger1.Info("hello world")
-	logger2 := logger.With(zap.String("key", getUntrustedString())) // $ zap="call to String"
+	logger2 := logger.With(zap.String("key", getUntrustedString())) // $ hasTaintFlow="call to String"
 	logger2.Info("hello world")
-	logger3 := logger.With(zap.String("key", getUntrustedString())) // $ SPURIOUS: zap="call to String"
+	logger3 := logger.With(zap.String("key", getUntrustedString())) // $ SPURIOUS: hasTaintFlow="call to String"
 	return logger3
 }
 
 func getLoggerWithUntrustedField() *zap.Logger {
-	return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ zap="call to NamedError"
+	return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ hasTaintFlow="call to NamedError"
 }
 
 func getLoggerWithUntrustedFieldUnused() *zap.Logger {
-	return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ SPURIOUS: zap="call to NamedError"
+	return zap.NewExample().With(zap.NamedError("key", getUntrustedData().(error))) // $ SPURIOUS: hasTaintFlow="call to NamedError"
 }
 
 func testLoggerWithAcrossFunctionBoundary() {
@@ -91,91 +91,91 @@ func testLoggerWithAcrossFunctionBoundary() {
 }
 
 func testLoggerWithOptions(logger *zap.Logger) *zap.Logger {
-	logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $ zap="call to Fields"
+	logger1 := logger.WithOptions(zap.Fields(zap.Any(getUntrustedString(), nil))) // $ hasTaintFlow="call to Fields"
 	logger1.Info("hello world")
-	logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ zap="call to Fields"
+	logger2 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ hasTaintFlow="call to Fields"
 	logger2.Info("hello world")
-	logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ SPURIOUS: zap="call to Fields"
+	logger3 := logger.WithOptions(zap.Fields(zap.String("key", getUntrustedString()))) // $ SPURIOUS: hasTaintFlow="call to Fields"
 	return logger3
 }
 
 func testZapSugaredLoggerDPanic(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.DPanic(getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.DPanic(getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 }
 
 func testZapSugaredLoggerDPanicf(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.DPanicf(getUntrustedString()) // $ zap="call to getUntrustedString"
+	sugaredLogger.DPanicf(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 }
 
 func testZapSugaredLoggerDPanicw(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.DPanicw(getUntrustedString()) // $ zap="call to getUntrustedString"
+	sugaredLogger.DPanicw(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 }
 
 func testZapSugaredLoggerFatal(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.Fatal(getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.Fatal(getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 }
 
 func testZapSugaredLoggerFatalf(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.Fatalf(getUntrustedString()) // $ zap="call to getUntrustedString"
+	sugaredLogger.Fatalf(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 }
 
 func testZapSugaredLoggerFatalw(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.Fatalw(getUntrustedString()) // $ zap="call to getUntrustedString"
+	sugaredLogger.Fatalw(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 }
 
 func testZapSugaredLoggerPanic(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.Panic(getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.Panic(getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 }
 
 func testZapSugaredLoggerPanicf(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.Panicf(getUntrustedString()) // $ zap="call to getUntrustedString"
+	sugaredLogger.Panicf(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 }
 
 func testZapSugaredLoggerPanicw(sugaredLogger *zap.SugaredLogger) {
-	sugaredLogger.Panicw(getUntrustedString()) // $ zap="call to getUntrustedString"
+	sugaredLogger.Panicw(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 }
 
 func testZapSugaredLoggerDebug() {
 	sugaredLogger := zap.S()
-	sugaredLogger.Debug(getUntrustedData())                // $ zap="call to getUntrustedData"
-	sugaredLogger.Debugf("msg", getUntrustedData())        // $ zap="call to getUntrustedData"
-	sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.Debug(getUntrustedData())                // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Debugf("msg", getUntrustedData())        // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Debugw("msg", "key", getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 }
 
 func testZapSugaredLoggerError() {
 	logger, _ := zap.NewProduction()
 	sugaredLogger := logger.Sugar()
-	sugaredLogger.Error(getUntrustedData())                // $ zap="call to getUntrustedData"
-	sugaredLogger.Errorf("msg", getUntrustedData())        // $ zap="call to getUntrustedData"
-	sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.Error(getUntrustedData())                // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Errorf("msg", getUntrustedData())        // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Errorw("msg", "key", getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 }
 
 func testZapSugaredLoggerInfo() {
 	logger := zap.NewExample()
 	sugaredLogger := logger.Sugar()
-	sugaredLogger.Info(getUntrustedData())                // $ zap="call to getUntrustedData"
-	sugaredLogger.Infof("msg", getUntrustedData())        // $ zap="call to getUntrustedData"
-	sugaredLogger.Infow("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.Info(getUntrustedData())                // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Infof("msg", getUntrustedData())        // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Infow("msg", "key", getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 }
 
 func testZapSugaredLoggerWarn() {
 	logger, _ := zap.NewDevelopment()
 	sugaredLogger := logger.Sugar()
-	sugaredLogger.Warn(getUntrustedData())                // $ zap="call to getUntrustedData"
-	sugaredLogger.Warnf("msg", getUntrustedData())        // $ zap="call to getUntrustedData"
-	sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.Warn(getUntrustedData())                // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Warnf("msg", getUntrustedData())        // $ hasValueFlow="call to getUntrustedData"
+	sugaredLogger.Warnw("msg", "key", getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 }
 
 func testZapSugaredLoggerNamed() {
 	logger := zap.L()
 	sugaredLogger := logger.Sugar()
-	sugaredLogger.Named(getUntrustedString()) // $ zap="call to getUntrustedString"
+	sugaredLogger.Named(getUntrustedString()) // $ hasValueFlow="call to getUntrustedString"
 	sugaredLogger.Info("msg")
 }
 
 func testZapSugaredLoggerWith() {
 	logger := zap.L()
 	sugaredLogger := logger.Sugar()
-	sugaredLogger.With("key", getUntrustedData()) // $ zap="call to getUntrustedData"
+	sugaredLogger.With("key", getUntrustedData()) // $ hasValueFlow="call to getUntrustedData"
 	sugaredLogger.Info("msg")
 }