Go: Adds sources and sinks to go/clear-text-logging

[atorralba]

Handles log.Output as a logging sink, and secretkey (case insensitive) as a potentially sensitive variable name. It also adds a barrier-in for sources to go/clear-text-logging, so that overlapping paths are removed.

This adds coverage for CVE-2023-46742.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. A recent commit removed the previously reported differences.

[owen-mc]

Note that, because of this line, any argument is considered a message component (and hence a sink to two queries), including calldepth int.

[atorralba]

You're right. I had to follow a slightly more complicated approach and introduce a new class instead of modifying the existing one to take this into account. See cf94554.

[owen-mc]

One downside of the way you've done it is that there are now lots more instances of the LogCall class. An approach we've used elsewhere is to add a field containing the index of the first message component, and then getAMessageComponent by getSyntacticArgument(i) where i >= this index. This code is a good example.

[atorralba]

Good point. What about now?

[owen-mc]

Ideally you would update the tests to cover the new source, new sink and new barrier

[atorralba]

I added a bunch of missing tests, not only for my new sink. The new barrier is hard to test because it only affects sources, but the test expectations only care about sinks currently (although we lose a few edges in certain test cases, so that may count as a test?). Also, it felt slightly overkill to test all the possible variations of SensitiveActions::HeuristicNames::maybePassword since that apparently isn't tested anywhere else. And just adding a test for the new secretKey without all the rest seemed off as well, but I can still do it if you want.

[owen-mc]

I was actually thinking you could put Output as part of LogFunction and have firstPrintedArg be a field on that, with a getter I suppose, and use the getter in LogCall. Then you don't need a new class just for Output.

[owen-mc]

You should also model (and test) the top-level version.

[atorralba]

I was actually thinking you could put Output as part of LogFunction and have firstPrintedArg be a field on that, with a getter I suppose, and use the getter in LogCall. Then you don't need a new class just for Output.

It seemed weird to reference an *Arg in a Function, where we should be talking about parameters instead, but I guess that is more in line with the other example you gave. Also I completely missed the top level of Output, so I thought it would be too much work to create a base abstract class that LogFunction and LogOutput would need to extend so that they shared the getter. But since there's a top level as well it's easier to combine them into one class.

Anyway, done in 5e8c63c.

[owen-mc]

Looks good. Thanks for improving the tests.