Today, we launched support for the Go language on LGTM.com, and you can now write and run QL queries to analyze your Go projects. This feature is currently in beta, and is only available for a limited number of projects, such as rclone, terraform, and docker/distribution.
To see the Go projects currently available on LGTM, use this search.
What is QL?
QL treats code as data, allowing you to write custom queries to explore your code, and eradicate all variants of security vulnerabilities before they even become a problem. QL ships with extensive libraries to perform control-flow, data-flow, taint-tracking analysis, and explore known threat models, without having to worry about low-level language concepts and compiler specifics.
In the example below, we detect a common error where a variable
v, defined outside a loop, is bound in a closure inside the loop that is run in a goroutine. This will often cause the closures to be run with the value of
v after the loop has finished, as the goroutines will likely not run until after the loop.
import go from LoopStmt loop, Variable var, FuncLit func, GoStmt go where // var is defined outside the loop not var.getScope().getOuterScope*() = loop.getScope() and // var is incremented or decremented inside the loop exists(IncDecStmt stmt | stmt.getExpr() = var.getAUse() and stmt.getParent*() = loop.getBody()) and // the go statement calls the closure func, inside the loop go.getParent+() = loop.getBody() and go.getCall().getCalleeExpr() = func and // var is used by the closure func var.getAUse().getParent+() = func.getBody() select go, "Variable " + var.getName() + ", updated in a loop, is used in the closure passed to this go statement in the same loop, which will be executed with only the variable's last value."
You can visit our documentation for more information about the analysis of the Go language, and more specifically:
Send us some feedback
Keep in mind that Go analysis is still in beta. During this phase we'd appreciate your feedback, comments and suggestions: you can leave a message on our forum. Thank you!
We will be adding more projects in the days and weeks to come, and later this year, it will be possible for you to add your very own Go projects. Until then, let us know if you have any project that you would like to see on LGTM.com.
To learn about our vision for the future, join Semmle's CEO Oege de Moor and Semmle’s CSO Fermín Serna, on October 3rd, for a webinar "Incorporating community-powered security into the developer workflow".