This repository was archived by the owner on Jan 5, 2023. It is now read-only.

Expand Taint-Tracking to include 67 std-lib packages (with tests) #167

Closed
wants to merge 34 commits into from

Contributor

@gagliardetto gagliardetto commented Jun 9, 2020

Summary

The Taint-Tracking Classes

  • For each std lib package, there is one file that contains the module and classes dedicated to the taint-tracking for that package.
  • Right now, the CodeQL classes are in their most human-friendly form (very easily readable); if performance requires it, they can be compressed (ugly-fied) in some very efficient ways.

The Golang Test Code

  • For each taint-tracking class, there is a simulation of that scenario in a Golang function.
  • I wrote a custom testing query to simplify my life and be able to visually inspect the results in VS Code thanks to the CodeQL extension that highlights taint-tracking elements.

TODO

The Standard Library (from list available at https://godoc.org/-/go; see also https://golang.org/pkg/)

Go version: go version go1.14.1 linux/amd64

NOTE: ignored all internal and vendor packages.

Each item in the list is a package on its own; those that have a [x] are the ones that have been tracked and have tests.

  • archive/tar
  • archive/zip
  • bufio
  • builtin
  • bytes
  • cmd/api
  • cmd/asm
  • cmd/buildid
  • cmd/cgo
  • cmd/compile
  • cmd/cover
  • cmd/dist
  • cmd/doc
  • cmd/fix
  • cmd/go
  • cmd/gofmt
  • cmd/link
  • cmd/nm
  • cmd/objdump
  • cmd/pack
  • cmd/pprof
  • cmd/test2json
  • cmd/trace
  • cmd/vet
  • compress/bzip2
  • compress/flate
  • compress/gzip
  • compress/lzw
  • compress/zlib
  • container/heap
  • container/list
  • container/ring
  • context
  • crypto
  • crypto/aes
  • crypto/cipher
  • crypto/des
  • crypto/dsa
  • crypto/ecdsa
  • crypto/ed25519
  • crypto/elliptic
  • crypto/hmac
  • crypto/md5
  • crypto/rand
  • crypto/rc4
  • crypto/rsa
  • crypto/sha1
  • crypto/sha256
  • crypto/sha512
  • crypto/subtle
  • crypto/tls
  • crypto/x509
  • crypto/x509/pkix
  • database/sql
  • database/sql/driver
  • debug/dwarf
  • debug/elf
  • debug/gosym
  • debug/macho
  • debug/pe
  • debug/plan9obj
  • encoding
  • encoding/ascii85
  • encoding/asn1
  • encoding/base32
  • encoding/base64
  • encoding/binary
  • encoding/csv
  • encoding/gob
  • encoding/hex
  • encoding/json
  • encoding/pem
  • encoding/xml
  • errors
  • expvar
  • flag
  • fmt
  • go/ast
  • go/build
  • go/constant
  • go/doc
  • go/format
  • go/importer
  • go/parser
  • go/printer
  • go/scanner
  • go/token
  • go/types
  • hash
  • hash/adler32
  • hash/crc32
  • hash/crc64
  • hash/fnv
  • hash/maphash
  • html
  • html/template
  • image
  • image/color
  • image/color/palette
  • image/draw
  • image/gif
  • image/jpeg
  • image/png
  • index/suffixarray
  • io
  • io/ioutil
  • log
  • log/syslog
  • math
  • math/big
  • math/bits
  • math/cmplx
  • math/rand
  • mime
  • mime/multipart
  • mime/quotedprintable
  • net
  • net/http
  • net/http/cgi
  • net/http/cookiejar
  • net/http/fcgi
  • net/http/httptest
  • net/http/httptrace
  • net/http/httputil
  • net/http/pprof
  • net/mail
  • net/rpc
  • net/rpc/jsonrpc
  • net/smtp
  • net/textproto
  • net/url
  • os
  • os/exec
  • os/signal
  • os/user
  • path
  • path/filepath
  • plugin
  • reflect
  • regexp
  • regexp/syntax
  • runtime
  • runtime/cgo
  • runtime/debug
  • runtime/pprof
  • runtime/race
  • runtime/trace
  • sort
  • strconv
  • strings
  • sync
  • sync/atomic
  • syscall
  • syscall/js
  • testing
  • testing/iotest
  • testing/quick
  • text/scanner
  • text/tabwriter
  • text/template
  • text/template/parse
  • time
  • unicode
  • unicode/utf16
  • unicode/utf8
  • unsafe
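
An added illustration, not code from this pull request: two Go functions of the kind the summary calls a "simulation" of a taint-tracking scenario, one for `bufio` and one for `archive/tar`, each carrying an input through std-lib calls to a returned value that a taint model has to connect. The function names and the marker string are hypothetical, and the equality check only confirms at run time that the data really flows.

```go
package main

import (
	"archive/tar"
	"bufio"
	"bytes"
	"fmt"
	"io"
	"strings"
)

// Constructed marker standing in for untrusted input.
const tainted = "TAINTED-INPUT"

// Parameter -> result (bufio.NewReader), then receiver -> result (ReadString).
func flowBufio(src string) (string, error) {
	r := bufio.NewReader(strings.NewReader(src + "\n"))
	line, err := r.ReadString('\n')
	return strings.TrimSuffix(line, "\n"), err
}

// Parameter -> receiver (tar.Writer.Write stores the bytes in the archive),
// then receiver -> result when the entry is read back through tar.Reader.
func flowTar(src string) (string, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: "f", Mode: 0600, Size: int64(len(src))}
	if err := tw.WriteHeader(hdr); err != nil {
		return "", err
	}
	if _, err := tw.Write([]byte(src)); err != nil {
		return "", err
	}
	if err := tw.Close(); err != nil {
		return "", err
	}
	tr := tar.NewReader(&buf)
	if _, err := tr.Next(); err != nil {
		return "", err
	}
	out, err := io.ReadAll(tr)
	return string(out), err
}

func main() {
	a, _ := flowBufio(tainted)
	b, _ := flowTar(tainted)
	fmt.Println(a == tainted, b == tainted)
}
```
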

@max-schaefer
Contributor

Wow, thanks very much for tackling this very ambitious project! We'll hold off on reviewing for now, let us know when it's ready.

@max-schaefer
Contributor

Looks good, thanks!

@sauyon sauyon removed their assignment Jul 11, 2020
@max-schaefer max-schaefer changed the base branch from master to main August 10, 2020 15:58
@gagliardetto
Contributor Author

All PRs merged. Closing.
