Merge pull request #748 from github/revert-682-patch-1

Revert #682

ql/lib/semmle/go/frameworks/SQL.qll

@@ -92,14 +92,11 @@ module SQL {
             // first argument to `squirrel.Expr`
             fn.hasQualifiedName(sq, "Expr")
             or
-            // first argument `pred`, `sql`, `from` to most methods of one of the `*Builder` classes
+            // first argument to the `Prefix`, `Suffix` or `Where` method of one of the `*Builder` classes
             exists(string builder | builder.matches("%Builder") |
-              fn.(Method)
-                  .hasQualifiedName(sq, builder,
-                    [
-                      "Prefix", "Column", "From", "JoinClause", "Join", "LeftJoin", "RightJoin",
-                      "InnerJoin", "CrossJoin", "Where", "Having", "OrderByClause", "Suffix"
-                    ])
+              fn.(Method).hasQualifiedName(sq, builder, "Prefix") or
+              fn.(Method).hasQualifiedName(sq, builder, "Suffix") or
+              fn.(Method).hasQualifiedName(sq, builder, "Where")
             )
           ) and
           this = fn.getACall().getArgument(0) and

ql/test/library-tests/semmle/go/frameworks/SQL/go.mod

@@ -3,7 +3,7 @@ module semmle.go.frameworks.SQL
 go 1.13
 
 require (
-	github.com/Masterminds/squirrel v1.5.2
+	github.com/Masterminds/squirrel v1.1.0
 	github.com/go-pg/pg v8.0.6+incompatible
 	github.com/go-pg/pg/v9 v9.1.3
 	github.com/go-sql-driver/mysql v1.6.0 // indirect

ql/test/library-tests/semmle/go/frameworks/SQL/main.go

@@ -43,18 +43,8 @@ func test(db *sql.DB, ctx context.Context) {
 }
 
 func squirrelTest(querypart string) {
-	squirrel.Select("*").From("users").Prefix(querypart)               // $ querystring=querypart
-	squirrel.Select("*").From("users").Column(querypart)               // $ querystring=querypart
-	squirrel.Select("*").From("users").From(querypart)                 // $ querystring=querypart
-	squirrel.Select("*").From("users").JoinClause(querypart)           // $ querystring=querypart
-	squirrel.Select("*").From("users").Join(querypart)                 // $ querystring=querypart
-	squirrel.Select("*").From("users").LeftJoin(querypart)             // $ querystring=querypart
-	squirrel.Select("*").From("users").RightJoin(querypart)            // $ querystring=querypart
-	squirrel.Select("*").From("users").InnerJoin(querypart)            // $ querystring=querypart
 	squirrel.Select("*").From("users").Where(squirrel.Expr(querypart)) // $ querystring=querypart
 	squirrel.Select("*").From("users").Where(querypart)                // $ querystring=querypart
-	squirrel.Select("*").From("users").Having(querypart)               // $ querystring=querypart
-	squirrel.Select("*").From("users").OrderByClause(querypart)        // $ querystring=querypart
 	squirrel.Select("*").From("users").Suffix(querypart)               // $ querystring=querypart
 }
 

ql/test/query-tests/Security/CWE-089/go.mod

@@ -3,6 +3,6 @@ module Security.CWE-089
 go 1.14
 
 require (
-	github.com/Masterminds/squirrel v1.5.2
+	github.com/Masterminds/squirrel v1.1.0
 	go.mongodb.org/mongo-driver v1.3.3
 )

ql/test/query-tests/Security/CWE-089/vendor/modules.txt

@@ -1,4 +1,4 @@
-# github.com/Masterminds/squirrel v1.5.2
+# github.com/Masterminds/squirrel v1.1.0
 ## explicit
 github.com/Masterminds/squirrel
 # go.mongodb.org/mongo-driver v1.3.3