Fix IncorrectIntegerConversion for use-use flow

We were assuming that `sink` only had one successor, the TypeCastNode, but it
can now have an adjacent use as well.

Author: owen-mc

go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll

@@ -290,13 +290,17 @@ private predicate integerTypeBound(IntegerType it, int bitSize, int architecture
  * the type assertion succeeded. If it is not checked then there will be a
  * run-time panic if the type assertion fails, so we can assume it succeeded.
  */
-class TypeAssertionCheck extends DataFlow::ExprNode, FlowStateTransformer {
+class TypeAssertionCheck extends DataFlow::InstructionNode, FlowStateTransformer {
   IntegerType it;
 
   TypeAssertionCheck() {
-    exists(TypeAssertExpr tae |
-      this = DataFlow::exprNode(tae.getExpr()) and
-      it = tae.getTypeExpr().getType().getUnderlyingType()
+    exists(IR::Instruction evalAssert, TypeAssertExpr assert |
+      it = assert.getTypeExpr().getType().getUnderlyingType() and
+      evalAssert = IR::evalExprInstruction(assert)
+    |
+      if exists(IR::extractTupleElement(evalAssert, _))
+      then this.asInstruction() = IR::extractTupleElement(evalAssert, 0)
+      else this.asInstruction() = evalAssert
     )
   }
 

go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql

@@ -18,7 +18,8 @@ import semmle.go.security.IncorrectIntegerConversionLib
 import Flow::PathGraph
 
 from
-  Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call, DataFlow::Node sinkConverted
+  Flow::PathNode source, Flow::PathNode sink, DataFlow::CallNode call,
+  DataFlow::TypeCastNode sinkConverted
 where
   Flow::flowPath(source, sink) and
   call.getResult(0) = source.getNode() and