Hi@rh-tguittet ! 👋🏼 Thank you for posting the question and the accompanying clear description. The CodeQL Go team has reviewed your question and will be posting a response. Since it is close to the end of the day in European time zones (where the team works), you may only receive a response with suggestions / solutions only early next week. I just wanted to acknowledge that your question is being reviewed.

I will look into why nothing appears in this case.

I don't think there is any way to force a node to appear in the path explanation, except addingoverride predicate includeHiddenNodes() { any() } to your Config (though that doesn't seem to work in this case).

I believe you are getting a different result when you useJson.Unmarshal because it is modelled with MaD. Could you use MaD to model this method instead?

Using MaD would also solve your second problem. For the output, instead of "Argument[2]" you can write "Argument[2].Field[pkg.classname.fieldname]" to indicate that the taint flows into theField f which satisfiesf.hasQualifiedName(pkg, className, fieldName). (Other options include "ArrayElement", "Element", "MapKey" and "MapValue".) It seems that none of the Go MaD models use this at the moment, but you can see examples in these two tests:one,two.

I have had an opportunity to look into this more and talk it through with some colleagues. Let me take your questions in turn.

1. Why does the path explanation jump straight fromreq in the list of parameters to the use ofsample.Spec.Foo in the call toSink?
   We used to have a problem that our path explanations were too long, and contained lots of extraneous detail. The predicatelocalFlowBigStephere is what breaks up the long list of small steps into a smaller list of big steps. One of the things that we make sure to report is when the flows goes into a call or comes out of a call. However, the way that flow is modelled forFunctionModel skips actually going into the call. You are absolutely right that this is confusing, and I will see if I can fix it.

Note that I mentioned overridingincludeHiddenNodes in your config. For Go, the only nodes which this affects relate to MaD, and they don't have locations, so they show up as the empty steps 3 and 4 in your second post. This is mainly intended as a debugging tool. My apologies for mentioning something which was not helpful.

2. Why doesjson.Unmarshal show the right thing?
   As I said above, it is because it is modelled with MaD, so the flow does actually go into a call and back out again, solocalFlowBigStep does the correct thing.

3. Why is taint step 5 not in the method call when using MaD?
   Note that taint step 2 is what you would expect, where the flow goes into the method call. This was missing from the original example. As I explained above, rather than flowing tosample as the third argument to the method call the taint actually flows to the definition whichsample is a use of, which is what step 5 shows. (I should have included the terminology, which is "post-update node".) This is due to Go's use of def-use flow, which we hope to one day replace with use-use flow, which would avoid this problem. In the meantime I will think about whether we could insert an additional node so that the path explanation makes more sense.

4. Is it possible to only taint particular fields of a struct?
   Yes, but only using MaD, notFunctionModel.

5. Why does your attempt to use MaD to taint a field work?
   I am still investigating this. To show you how to debug such a thing, let me show you how far I have got. I want to use partial flow to see where the taint is flowing to (and with what content, i.e. is it in a field or an array or something like that). Partial flow is explained in more detailhere. Unfortunately we are in the process of changing the dataflow API, so the instructions given in that blog post don't work. First I converted the dataflow configuration to use the new API:

module MyConf implements DataFlow::ConfigSig {  predicate isSource(DataFlow::Node node) { node.asParameter() instanceof MySource }  predicate isSink(DataFlow::Node node) { node instanceof CommandInjection::Sink }}module MyFlow = TaintTracking::Global<MyConf>;import MyFlow::PathGraphfrom MyFlow::PathNode source, MyFlow::PathNode sinkwhere MyFlow::flowPath(source, sink)select sink.getNode(), source, sink, "Found path"

Then I adapted it to use partial flow (I don't think there is any documentation on how to do this yet - I had to use trial-and-error):

module MyConf implements DataFlow::ConfigSig {  predicate isSource(DataFlow::Node node) { node.asParameter() instanceof MySource }  predicate isSink(DataFlow::Node node) { node instanceof CommandInjection::Sink }}module MyFlow = TaintTracking::Global<MyConf>;int myExplorationLimit() { result = 100 }import MyFlow::FlowExploration<myExplorationLimit/0>import PartialPathGraphfrom PartialPathNode source, PartialPathNode sinkwhere partialFlow(source, sink, _)select sink.getNode(), source, sink, "Found path"

The results tell me that the taint is flowing to all the right uses ofsample, with the right content (the fieldSpec), but for some reason it isn't flowing intosample.Spec (with no content).

I will update you when I have discovered the cause of the problem.

Please let me know if there is a question that I have not addressed.

The reason why the flow doesn't work is thatArgument[2] issample, which is defined to be&cachev1.Sample{}, a pointer to a struct, so it doesn't have any fields. (Go allows you to writesample.Spec instead of(*sample).Spec (orsample->Spec in C or C++), and we deal with this by inserting an implicit dereference node.) There is currently no way to specify what you want. I have madea PR to allow you to writeArgument[2].Dereference.Field[...].

I have also madea PR to address your initial point that when a flow path goes through a function modeled withFunctionModel, the steps you would expect to see are missing.