Convert barrier for cleartext logging to MaD

owen-mc · owen-mc · commit 44c32c6e8504 · 2025-12-16T17:38:35.000Z
diff --git a/go/ql/lib/ext/builtin.model.yml b/go/ql/lib/ext/builtin.model.yml
@@ -1,4 +1,9 @@
 extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: barrierModel
+    data:
+      - ["", "error", False, "Error", "", "", "ReturnValue", "go/clear-text-logging", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/ext/fmt.model.yml b/go/ql/lib/ext/fmt.model.yml
@@ -6,6 +6,11 @@ extensions:
       - ["fmt", "", False, "Print", "", "", "Argument[0]", "log-injection", "manual"]
       - ["fmt", "", False, "Printf",  "", "", "Argument[0..1]", "log-injection", "manual"]
       - ["fmt", "", False, "Println", "", "", "Argument[0]", "log-injection", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: barrierModel
+    data:
+      - ["fmt", "Stringer", False, "String", "", "", "ReturnValue", "go/clear-text-logging", "manual"]
   - addsTo:
       pack: codeql/go-all
       extensible: summaryModel
diff --git a/go/ql/lib/semmle/go/security/CleartextLogging.qll b/go/ql/lib/semmle/go/security/CleartextLogging.qll
@@ -22,15 +22,8 @@ module CleartextLogging {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) {
-      node instanceof Barrier
-      or
+      node instanceof Barrier or
       barrierNode(node, "go/clear-text-logging")
-      or
-      exists(DataFlow::CallNode call | node = call.getResult() |
-        call.getTarget() = Builtin::error().getType().getMethod("Error")
-        or
-        call.getTarget().(Method).hasQualifiedName("fmt", "Stringer", "String")
-      )
     }
 
     predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
