[Go]: Add support of github.com/jackc/pgx and related packages #481

Closed
japroc opened this issue Nov 15, 2021 · 6 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@japroc

japroc commented Nov 15, 2021

Query

Link to pull request with your CodeQL query:

Relevant PR: github/codeql-go#607

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

  • no CVEs

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.

The idea of this PR is to improve the default SqlInjection.ql query by adding the github.com/jackc/pgx module and related packages.

I basically reused the existing SqlInjection.ql query and created a custom PgxSqlInjection.ql query. The custom CodeQL module that models the pgx SQL argument is defined in the Pgx.qll file. I think that pgx support should be implemented by extending SQL::QueryString.

When this module is moved from the experimental folder to the standard library, it will automatically improve the existing SqlInjection.ql query. But for now, for a demonstration, I created a separate query which imports the experimental module and repeats the standard query. I also added a snippet for pgx usage and a qhelp.

  • [x] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.

I have made a series of queries using lgtm.com.
These are the findings:

https://lgtm.com/query/4453866281735326417/

  • Alex-Kuz/tp-database
  • averageflow/joes-warehouse
  • cauli/mulungu

https://lgtm.com/query/2344985243544414322/

  • fhirbase/fhirbase
  • flynn/flynn
  • hackfeed/remrratality
  • hasura/pgdeltastream

https://lgtm.com/query/3110488658498384350/

  • huvalk/tech-db-huvalk
  • just1689/pg-gateway
  • krok-o/krok
  • mysteriumnetwork/discovery
@japroc japroc added the All For One Submissions to the All for One, One for All bounty label Nov 15, 2021
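To illustrate the approach the submission describes (modelling the pgx query argument as a `SQL::QueryString` so that the standard taint configuration picks it up), here is an added example of what such a Pgx.qll module and wrapper query could look like. This is not the code from github/codeql-go#607; the receiver types (`Conn`, `Tx`), the method names (`Exec`, `Query`, `QueryRow`) and the position of the SQL argument (index 1, after the `context.Context` parameter of pgx v4+) are assumptions for the example.

```ql
/**
 * Pgx.qll (added example, not the PR's own module): models the SQL string
 * argument of github.com/jackc/pgx query methods as a SQL::QueryString so
 * that SqlInjection.ql reports user-controlled input reaching it.
 */
import go

module Pgx {
  /** Matches github.com/jackc/pgx and its versioned import paths (v4, v5, ...). */
  private string packagePath() { result = package("github.com/jackc/pgx", "") }

  /**
   * The SQL argument of a pgx query method call.
   * Assumption: methods Exec/Query/QueryRow on the Conn and Tx types take
   * (ctx, sql, args...), so the SQL string is argument 1.
   */
  private class PgxQueryString extends SQL::QueryString::Range {
    PgxQueryString() {
      exists(Method m, string methodName |
        m.hasQualifiedName(packagePath(), ["Conn", "Tx"], methodName) and
        methodName = ["Exec", "Query", "QueryRow"] and
        this = m.getACall().getArgument(1)
      )
    }
  }
}
```

```ql
/**
 * PgxSqlInjection.ql (added example): the standard SQL-injection query with
 * the experimental Pgx model imported, as the submission describes.
 * @kind path-problem
 * @problem.severity error
 * @id go/pgx-sql-injection
 */
import go
import semmle.go.security.SqlInjection
import DataFlow::PathGraph
import Pgx

from SqlInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
  "user-provided value"
```

Once the `Range` subclass is in the standard library instead of an experimental pack, the wrapper query becomes unnecessary because `SqlInjection.ql` already sinks on every `SQL::QueryString`.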
@JarLob
Contributor

JarLob commented Nov 16, 2021

Hi @japroc,
In order to be eligible for the bounty, your query must find at least one CVE that was not previously found by an existing query, in a released version (older releases are also permitted) of an open source project that is actually used (no demo, training, or vulnerable-on-purpose projects).

@antonio-morales
Contributor

Hi @japroc,

Any updates on this?

@japroc
Author

japroc commented Feb 17, 2022

Hi antonio-morales,

I faced some problems with writing tests, and completely forgot about that issue :)
Give me a few days. I will make one more try at writing tests on the upcoming weekends, and also try to find some CVEs. Thanks.

@JarLob
Contributor

JarLob commented Apr 11, 2022

Do you have an update?

@JarLob
Contributor

JarLob commented Aug 13, 2022

I'm closing the issue, but feel free to open it again if you have updates on it.

@JarLob JarLob closed this as completed Aug 13, 2022
@ghsecuritylab
Collaborator

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed
