Skip to content

Go: more models for log.slog#22006

Merged
owen-mc merged 3 commits into
github:mainfrom
owen-mc:go/more-slog-models
Jun 30, 2026
Merged

Go: more models for log.slog#22006
owen-mc merged 3 commits into
github:mainfrom
owen-mc:go/more-slog-models

Conversation

@owen-mc

@owen-mc owen-mc commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Follow-on from #22004.

@owen-mc owen-mc requested a review from a team as a code owner June 18, 2026 11:13
@owen-mc owen-mc requested review from a team and Copilot June 18, 2026 11:13
@github-actions

github-actions Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

go

Generated file changes for go

  • Changes to framework-coverage-go.rst:
-    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,612,124
+    `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,625,127
-    Totals,,688,1072,1577
+    Totals,,688,1085,1580
  • Changes to framework-coverage-go.csv:
- log,40,,3,,,,40,,,,,,,,,,,,,,,,,,,3,
+ log,43,,16,,,,43,,,,,,,,,,,,,,,,,,,16,

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Not ready to approve

The updated change note is now incomplete/inaccurate relative to the expanded log/slog modeling added in this PR.

Pull request overview

This PR extends the Go standard-library log/slog modeling to cover additional APIs beyond the core logging calls, building on the earlier LoggerCall/log-injection support to improve query coverage and model validation.

Changes:

  • Add log/slog models for With/WithGroup as log-injection sinks and add summary models for Attr/Value construction/accessors.
  • Add a new frameworks/Slog library-test module to validate taint/value flows through the new models.
  • Extend the LoggerCall concept library test cases to include With/WithGroup.
File summaries
File Description
go/ql/test/library-tests/semmle/go/frameworks/Slog/test.go New Go test cases exercising slog calls, Logger methods, With/WithGroup, and Attr/Value helpers.
go/ql/test/library-tests/semmle/go/frameworks/Slog/TaintFlows.ql New inline-flow test query configuration for validating modeled sinks/summaries.
go/ql/test/library-tests/semmle/go/frameworks/Slog/TaintFlows.expected Expected output marker file for the inline-flow test.
go/ql/test/library-tests/semmle/go/frameworks/Slog/go.mod New Go module file (Go 1.21) for the Slog library test.
go/ql/test/library-tests/semmle/go/concepts/LoggerCall/slog.go Adds With/WithGroup cases to the LoggerCall library test.
go/ql/lib/ext/log.slog.model.yml Adds sink models for With/WithGroup and summary models for Attr/Value constructors/accessors.
go/ql/lib/change-notes/2026-06-17-model-log-slog.md Updates the change note text (needs adjustment to reflect the full modeled surface).

Copilot's findings

  • Files reviewed: 7/7 changed files
  • Comments generated: 1

Note

Your feedback helps us improve the quality of this feature.
Please use 👍 or 👎 to tell us whether this assessment is correct.

Comment thread go/ql/lib/change-notes/2026-06-17-model-log-slog.md Outdated
BazookaMusic
BazookaMusic previously approved these changes Jun 29, 2026

@BazookaMusic BazookaMusic left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The modelling looks good

@owen-mc

owen-mc commented Jun 30, 2026

Copy link
Copy Markdown
Contributor Author

I had to rebase to fix a merge conflict in the change note, and that dismissed reviews 😢 .

- ["log/slog", "Logger", True, "ErrorContext", "", "", "Argument[1..2]", "log-injection", "manual"]
- ["log/slog", "Logger", True, "Log", "", "", "Argument[2..3]", "log-injection", "manual"]
- ["log/slog", "Logger", True, "LogAttrs", "", "", "Argument[2..3]", "log-injection", "manual"]
# With/WithGroup add attributes that are included in every subsequent log call.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While these function names do make them unique - is there a particular reason why we don't have "Handler", "Attr" and "Value" specified as the class?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean in the signature column? Go doesn't allow overloading, so there is never any need to specify the signature. The docs say it should always be empty.

@jacknojo jacknojo Jun 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, I meant the second (the "type") column. We do have it in other entries, for example
["log/slog", "Attr", True, "String", "", "", "Argument[receiver]", "ReturnValue", "taint", "manual"]
Is this because it's related to the "receiver"?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Models with an empty string in the "type" column are for functions which are not methods on a class. (This isn't possible in java, so you might not have seen it before.)

@jacknojo jacknojo Jul 1, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, now I get it.

The entry
["log/slog", "Logger", True, "With", "", "", "Argument[0]", "log-injection", "manual"] is for this function:

func (l *Logger) With(args ...any) *Logger

The entry
["log/slog", "", False, "With", "", "", "Argument[0]", "log-injection", "manual"], which has no "type" / class, is for (a function I had not seen until now)

func With(args ...any) *Logger

Thank you.

@owen-mc owen-mc merged commit 8447b76 into github:main Jun 30, 2026
17 checks passed
@owen-mc owen-mc deleted the go/more-slog-models branch June 30, 2026 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants