Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Go: Enable GoKit module into the default list #14276

Merged
merged 4 commits into from
Oct 15, 2023
Merged

Go: Enable GoKit module into the default list #14276

merged 4 commits into from
Oct 15, 2023

Conversation

flabbergastedbd
Copy link
Contributor

Changes

Enable GoKit framework by default in go.qll

@flabbergastedbd flabbergastedbd requested a review from a team as a code owner September 20, 2023 18:57
@github-actions github-actions bot added the Go label Sep 20, 2023
@owen-mc
Copy link
Contributor

owen-mc commented Sep 21, 2023

Is there a particular reason you think we should include it in the default list now? The reasoning behind the current situation is here.

@smowton
Copy link
Contributor

smowton commented Sep 21, 2023

Presumably when adding this in 3ed9e66 the idea must have been that it's common for gokit to be used in a scenario where "remote" data is actually coming from another microservice under our control and the data is in fact trusted. What makes you think it ought to be enabled by default?

@flabbergastedbd
Copy link
Contributor Author

Thanks for the context around why this is an opt-in and not a default. My reasoning is two fold:

  • GoKit is also used by externally exposed applications as well (an api gateway example existed since long time), as it can support different transports and serialisation including JSON over HTTP. Even if it used for inter service calls, security issues often arise due to the differing assumptions around data sanitisation across service boundaries.
  • GoKit is very similar in abstractions for when compared to GoMicro, which is included by default.

I do not have enough large enough dataset around usage types of GoKit library, but if the team strongly feels that this should remain an opt-in due to known data/usage patterns; it makes sense.

@owen-mc
Copy link
Contributor

owen-mc commented Sep 28, 2023
edited
Loading

After some internal discussion we agree with you.

Please remove the line import semmle.go.frameworks.GoKit from go/ql/test/library-tests/semmle/go/frameworks/GoKit/untrustedflowsource.ql. Then I will check that CI passes, then do a larger test on many repositories that use GoKit to check how many new alerts this will produce. If that is all fine then I will merge the PR.

@flabbergastedbd flabbergastedbd force-pushed the enable-gokit-by-default branch from 18f5b2a to 53a291a Compare October 3, 2023 10:09
@flabbergastedbd
Copy link
Contributor Author

Ping @owen-mc

@owen-mc owen-mc changed the title Enable GoKit module into the default list Go: Enable GoKit module into the default list Oct 5, 2023
owen-mc
owen-mc approved these changes Oct 15, 2023
View reviewed changes
Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for this contribution.

@owen-mc owen-mc merged commit 39bca2d into github:main Oct 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@owen-mc owen-mc owen-mc approved these changes

Assignees
No one assigned
Labels
documentation Go
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@flabbergastedbd @owen-mc @smowton