My only reservation is how this would treat a combination of a constant value and a non-constant value. I think that currently the query would report that, but it shouldn't. Luckily this is easy to change: just make ConstantStateFlowConf extend DataFlow::Configuration instead of TaintTracking::Configuration. Please also add a test case for this situation.

Yep, found that in a test run on lgtm.com

I think the best solution would be to keep the taint analysis, but only exclude cases where the constant joins a variable.

Now I just need to figure out how to write that into the query. Any suggestions? Maybe a similar situation in another query?

I think the best solution would be to keep the taint analysis, but only exclude cases where the constant joins a variable.

It seems to me like this isn't really necessary. What patterns are you hoping to catch by using taint flow? I think it might be better to include those specifically.

It seems to me like this isn't really necessary. What patterns are you hoping to catch by using taint flow? I think it might be better to include those specifically.

I was thinking about cases where a call fmt.Sprintf only uses constants, and scenarios like that.

I was thinking about cases where a call fmt.Sprintf only uses constants, and scenarios like that.

You know what? I'll leave that out. So far haven't found a single example.

How do I fix the stubbed dependencies?

@gagliardetto could you elaborate what's wrong?

This query tests depend on golang.org/x/oauth2 package.

I need to somehow add this dependency without completely revolutionizing the go.mod file of codeql-go and without using the official vendoring mechanism of go mod (need to use depstubber instead).

I'm obviously doing something wrong with those two elements, but I'm not sure what.

That's the reason why the test fails, BTW.

@gagliardetto I believe it is failing because it doesn't have a go.mod file in the test folder. I made a file of that name with the following contents and then the tests passed.

module custom-queries-go-tests/constant-oauth2-state

go 1.14

require golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d

Thank you @owen-mc !

Thanks everyone!