Go: Model log/slog as a logging sink #22004
Open
sauyon wants to merge 2 commits into
The standard-library structured logger `log/slog` (Go 1.21+) was not modeled, so `go/log-injection` and `go/clear-text-logging` were blind to any code that logs through it. Model its logging functions and `*slog.Logger` methods — `Debug`, `Info`, `Warn`, `Error`, their `Context` variants, and `Log`/`LogAttrs` — as `log-injection` sinks (the kind that feeds `LoggerCall`, powering both queries). Adds `log/slog` cases to the `LoggerCall` library test. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
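What a clear-text secret looks like when it passes through four of the call shapes this description names (a level method, a `Context` variant, `Log`, `LogAttrs`), next to a redacted form. This is an added example, not code from the pull request or its test suite; `Secret` and `logLogin` are hypothetical names, the password is a constructed sample, and redaction relies on the built-in handlers resolving `slog.LogValuer`.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"log/slog"
)

// Secret is a hypothetical wrapper type. The built-in slog handlers resolve
// a LogValuer before formatting, so the underlying string is never written.
type Secret string

// LogValue implements slog.LogValuer and replaces the value in every record.
func (Secret) LogValue() slog.Value { return slog.StringValue("[REDACTED]") }

// logLogin writes one record through each of four slog call shapes and
// returns the captured handler output so the caller can inspect it.
func logLogin(password any) string {
	var buf bytes.Buffer
	logger := slog.New(slog.NewTextHandler(&buf, nil))
	ctx := context.Background()

	// Level method with alternating key/value arguments.
	logger.Info("login", "password", password)
	// Context variant of a level method.
	logger.WarnContext(ctx, "login", "password", password)
	// Log: explicit level, then variadic key/value arguments.
	logger.Log(ctx, slog.LevelError, "login", "password", password)
	// LogAttrs: explicit level, then variadic slog.Attr values.
	logger.LogAttrs(ctx, slog.LevelInfo, "login", slog.Any("password", password))
	return buf.String()
}

func main() {
	const pw = "hunter2-constructed" // constructed sample value

	fmt.Print(logLogin(pw))         // plain string: clear text in all four records
	fmt.Print(logLogin(Secret(pw))) // wrapped: redacted in all four records
}
```
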
Pull request overview
Adds CodeQL Go sink modeling for the standard-library log/slog (Go 1.21+) so that go/log-injection and go/clear-text-logging can recognize slog logging calls via LoggerCall, and extends the corresponding library test coverage.
Changes:
- Added `sinkModel` entries for `log/slog` package-level functions and `*slog.Logger` methods (including `Context` variants and `Log`/`LogAttrs`).
- Added `log/slog` call sites to the `LoggerCall` library test suite.
- Bumped the test module’s Go version to 1.21 to enable `log/slog`.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/slog.go | Adds slog call sites with inline expectations for LoggerCall. |
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go | Introduces key constant and invokes slogTest(). |
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod | Updates Go version to 1.21 for log/slog availability. |
| go/ql/lib/ext/log.slog.model.yml | Adds log/slog sink models for log-injection. |
| go/ql/lib/change-notes/2026-06-17-model-log-slog.md | Documents the new log/slog models in change notes. |
Copilot review on github#22004: the Log/LogAttrs test cases didn't pass any variadic args/attrs, so the Argument[..3] portion of the sink range was untested. Pass an ...any arg to slog.Log/Logger.Log and a slog.Attr to slog.LogAttrs/Logger.LogAttrs, with inline expectations asserting they're captured as logged components. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Differences in coverage: go
Generated file changes for go
- `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,612,104
+ `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,612,124
- Totals,,688,1072,1557
+ Totals,,688,1072,1577
- log,20,,3,,,,20,,,,,,,,,,,,,,,,,,,3,
+ log,40,,3,,,,40,,,,,,,,,,,,,,,,,,,3, |
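Review bot: on the `log` row (20 to 40), nothing in this generated table ties the 20 added sinks to test coverage, so check that slog.go carries a call site with an inline expectation for every modeled entry. The increase is consistent across the three rows (standard library 104 to 124, Totals 1557 to 1577) and equals ten package-level functions plus ten `*slog.Logger` methods if Debug, Info, Warn, Error, their Context variants, Log and LogAttrs are each counted once per form; a row in log.slog.model.yml without a matching test line would still be counted here while going unverified.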