@Apostlex0
Contributor

resolves #27

This PR updates the MissingMinVersionTLS query to check the project's Go version (from go.mod) and only flag TLS configurations when the default MinVersion is actually insecure, based on the Go version in use.
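As an added illustration of the go.mod-aware check the PR describes (this is my own Go code, not the project's CodeQL query), the program below reads the go directive, applies the client threshold of Go 1.18 mentioned in the discussion, and pins an explicit MinVersion as the fix. The server threshold of Go 1.22 and the names goDirective, unsetMinVersionIsInsecure and hardened are my assumptions, not something the PR states.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strconv"
	"strings"
)

// Go release that raised crypto/tls's default MinVersion from TLS 1.0 to 1.2: clients in
// Go 1.18 (the PR's "before 1.18"), servers in Go 1.22 (assumption, not stated in the PR).
var defaultRaisedIn = map[string][2]int{"client": {1, 18}, "server": {1, 22}}

// goDirective returns major/minor from the `go` line of go.mod ("go 1.21.3" -> 1, 21).
// Pre-release suffixes such as "1.22rc1" are not handled and report ok == false.
func goDirective(gomod string) (major, minor int, ok bool) {
	for _, line := range strings.Split(gomod, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == "go" {
			parts := strings.SplitN(f[1], ".", 3)
			if len(parts) < 2 {
				return 0, 0, false
			}
			maj, e1 := strconv.Atoi(parts[0])
			mn, e2 := strconv.Atoi(parts[1])
			return maj, mn, e1 == nil && e2 == nil
		}
	}
	return 0, 0, false
}

// unsetMinVersionIsInsecure reports whether a tls.Config that leaves MinVersion at
// zero falls back to TLS 1.0 for this role when built with the given Go version.
func unsetMinVersionIsInsecure(role string, major, minor int) bool {
	t, known := defaultRaisedIn[role]
	return !known || major < t[0] || (major == t[0] && minor < t[1]) // unknown role: flag it
}

// hardened pins an explicit TLS 1.2 floor (the fix the query asks for), so the
// effective minimum no longer depends on which Go toolchain built the binary.
func hardened(c *tls.Config) *tls.Config {
	if c.MinVersion == 0 {
		c.MinVersion = tls.VersionTLS12
	}
	return c
}

func main() {
	maj, mn, _ := goDirective("module example.com/demo\n\ngo 1.17\n") // constructed go.mod
	fmt.Println("go 1.17 client, MinVersion unset, insecure:", unsetMinVersionIsInsecure("client", maj, mn))
}
```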

@CLAassistant

CLAassistant commented Dec 8, 2025

CLA assistant check
All committers have signed the CLA.

@GrosQuildu
Contributor

Thanks, gonna review soon.

@mschwager
Member

Nice work! Although it looks like the tests are failing. I've also reproduced the failures locally, so I think there's still some work to be done. I just updated the testing functionality in this repo, which should make it easier to have a consistent environment both locally and CI: #30. So hopefully that helps 👍

@Apostlex0
Contributor Author

@mschwager yeah so CodeQL was giving some problems on my local setup so I couldn't properly test things on my end.
I should be able to make the necessary changes and complete this by EOD.

@mschwager
Member

Yeah, we've been fighting the tests for a while too. CodeQL makes this difficult.

One thing to consider, when upgrading our Go queries to the latest dependency versions (codeql pack upgrade go/src/ and codeql pack upgrade go/test/) I get the following test failures:

$ codeql test run go/test/
...
--- expected
+++ actual
@@ -1,10 +1,9 @@
+WARNING: type 'NamedType' has been deprecated and may be removed in future (MissingMinVersionTLS.ql:97,12-21)
+WARNING: type 'NamedType' has been deprecated and may be removed in future (MissingMinVersionTLS.ql:102,12-21)
 | MissingMinVersionTLS.go:25:14:25:25 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:25:3:25:8 | config | config |
 | MissingMinVersionTLS.go:35:14:37:3 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:35:3:35:8 | config | config |
 | MissingMinVersionTLS.go:50:13:50:24 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:50:3:50:8 | config | config |
 | MissingMinVersionTLS.go:61:13:61:24 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:61:3:61:8 | config | config |
-| MissingMinVersionTLS.go:91:12:91:23 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:110:3:110:3 | c | c |
-| MissingMinVersionTLS.go:103:12:105:2 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:118:3:118:3 | c | c |
-| MissingMinVersionTLS.go:103:12:105:2 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:149:3:149:3 | c | c |
 | MissingMinVersionTLS.go:126:23:126:62 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:126:3:126:3 | c | c |
 | MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:135:3:135:5 | tmp | tmp |
 | MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@  | MissingMinVersionTLS.go:136:3:136:3 | c | c |
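Review bot: the three rows that disappear under the upgraded packs are exactly those where the struct literal (lines 91 and 103) is reported against a variable declared on a different line (110, 118 and 149), while every surviving row pairs a literal with a variable on the same or the next line; together with the two NamedType deprecation warnings at MissingMinVersionTLS.ql:97 and :102, that points at the query's type-matching/flow step rather than the test fixture, so the packs used by go/test/ should be pinned, or the query moved off the deprecated NamedType, before a passing run on a different CLI release is taken as confirmation.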
[4/4 comp 166ms eval 668ms] FAILED(RESULT) /Users/matt/tob/codeql-queries/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.qlref

So perhaps this is related to the issues you're seeing. That is, the latest dependency versions are removing 3 expected test results. That's something we need to look into, but it could be affecting your testing too.

@Apostlex0 Apostlex0 force-pushed the go-version-aware-tls-minversion branch from 33a2d7d to 65fcd82 on December 17, 2025 15:28
@Apostlex0
Contributor Author

I ran the tests with CodeQL command-line toolchain release 2.23.8 and the tests passed without issues, though I had to make some changes to the MissingMinVersionTLS.expected to fit some necessary conditions.

❯ codeql test run go/test/
Executing 4 tests in 4 directories.
Extracting test database in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/crypto/MsgNotHashedBeforeSigVerfication.
Compiling /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/crypto/MsgNotHashedBeforeSigVerfication/MsgNotHashedBeforeSigVerfication.ql.
Found in cache: /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/crypto/MsgNotHashedBeforeSigVerfication/MsgNotHashedBeforeSigVerfication.ql (332ms).
Executing tests in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/crypto/MsgNotHashedBeforeSigVerfication.
[1/4 comp 332ms eval 1.2s] PASSED /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/crypto/MsgNotHashedBeforeSigVerfication/MsgNotHashedBeforeSigVerfication.qlref
Extracting test database in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/FilePermsFlaws.
Compiling /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/security/FilePermsFlaws/FilePermsFlaws.ql.
Found in cache: /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/security/FilePermsFlaws/FilePermsFlaws.ql (67ms).
Executing tests in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/FilePermsFlaws.
[2/4 comp 67ms eval 39ms] PASSED /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/FilePermsFlaws/FilePermsFlaws.qlref
Extracting test database in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/TrimMisuse.
Compiling /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/security/TrimMisuse/TrimMisuse.ql.
Found in cache: /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/security/TrimMisuse/TrimMisuse.ql (146ms).
Executing tests in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/TrimMisuse.
[3/4 comp 146ms eval 607ms] PASSED /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/TrimMisuse/TrimMisuse.qlref
Extracting test database in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/MissingMinVersionTLS.
Compiling /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql.
Found in cache: /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/src/security/MissingMinVersionTLS/MissingMinVersionTLS.ql (160ms).
Executing tests in /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/MissingMinVersionTLS.
[4/4 comp 160ms eval 843ms] PASSED /Users/sachinbansal/Documents/OpenSource/codeql-queries/go/test/query-tests/security/MissingMinVersionTLS/MissingMinVersionTLS.qlref
Completed in 10.7s (extract 6s comp 705ms eval 3.2s).
All 4 tests passed.

| MissingMinVersionTLS.go:135:10:135:49 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:136:3:136:3 | c | c |
| MissingMinVersionTLS.go:142:23:142:62 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:142:3:142:3 | c | c |
| MissingMinVersionTLS.go:149:23:149:62 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:149:3:149:3 | c | c |
| MissingMinVersionTLS.go:159:23:161:5 | struct literal | TLS.Config.MinVersion is never set for variable $@. | MissingMinVersionTLS.go:157:3:157:8 | client | client |
Member

It looks like the test results begin to change here. Not sure why the diff isn't displaying that correctly.

I believe some of these shifted by a single line because the // BAD for Go < 1.18 comment was added. That's fine, but it looks like there are also 3 additional findings. I think line 13, 16, and 17 are new. Is that expected?

Contributor Author

@Apostlex0 Apostlex0 Dec 18, 2025

Yeah, the one-line shifts are from the added comment, and the 3 extra findings are expected:

One new row is for the block labeled // BAD for Go < 1.18: config used for a client. After the fix in this PR we now flag client-side TLSClientConfig when go.mod allows Go < 1.18, because clients defaulted to TLS 1.0 before 1.18. The old query excluded client configs, so it didn't show up before.

The other two new rows come from the case where the same config literal flows into c and then into both TLSClientConfig: c (client) and TLSConfig: c (server); since results are emitted per (struct literal, variable) pair, we get additional findings.

Member

Okay, I think these could be considered duplicate results in some cases, but I understand why they are written the way they are in the updated query. I think this query could use a number of improvements (e.g. move to path-problem, change the lengthy where clause to class types with restrictive characteristic predicates, update to the latest go-all dependency version which currently breaks the tests, etc.), but I don't want to block this PR on those changes. So I think this is in good enough shape to move forward with the PR.

Member

@mschwager mschwager left a comment

Nice work! Thank you for improving this query, I know it takes a lot of work!

@mschwager mschwager merged commit ae97761 into trailofbits:main Dec 18, 2025
2 checks passed
@Apostlex0
Contributor Author

No problem ser!👍

Successfully merging this pull request may close these issues.

MissingMinVersionTLS inaccurate for newer Go versions