Go: Model log/slog as a logging sink #22004
The standard-library structured logger `log/slog` (Go 1.21+) was not modeled, so `go/log-injection` and `go/clear-text-logging` were blind to any code that logs through it. Model its logging functions and `*slog.Logger` methods — `Debug`, `Info`, `Warn`, `Error`, their `Context` variants, and `Log`/`LogAttrs` — as `log-injection` sinks (the kind that feeds `LoggerCall`, powering both queries). Adds `log/slog` cases to the `LoggerCall` library test. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Adds CodeQL Go sink modeling for the standard-library log/slog (Go 1.21+) so that go/log-injection and go/clear-text-logging can recognize slog logging calls via LoggerCall, and extends the corresponding library test coverage.
Changes:
- Added `sinkModel` entries for `log/slog` package-level functions and `*slog.Logger` methods (including `Context` variants and `Log`/`LogAttrs`).
- Added `log/slog` call sites to the `LoggerCall` library test suite.
- Bumped the test module’s Go version to 1.21 to enable `log/slog`.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/slog.go | Adds slog call sites with inline expectations for LoggerCall. |
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go | Introduces key constant and invokes slogTest(). |
| go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod | Updates Go version to 1.21 for log/slog availability. |
| go/ql/lib/ext/log.slog.model.yml | Adds log/slog sink models for log-injection. |
| go/ql/lib/change-notes/2026-06-17-model-log-slog.md | Documents the new log/slog models in change notes. |
Copilot review on github#22004: the Log/LogAttrs test cases didn't pass any variadic args/attrs, so the Argument[..3] portion of the sink range was untested. Pass an ...any arg to slog.Log/Logger.Log and a slog.Attr to slog.LogAttrs/Logger.LogAttrs, with inline expectations asserting they're captured as logged components. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
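The call shapes named in the PR description and in the follow-up commit, as an added example that is not part of the PR or the CodeQL repository: a recording handler shows that the message, the variadic `...any` args and a `slog.Attr` all reach the logging backend unchanged. `captureHandler` and `LoggedComponents` are hypothetical names and the input string is constructed.

```go
package main

import (
	"context"
	"fmt"
	"log/slog"
)

// captureHandler is a hypothetical slog.Handler that records every message
// and attribute value it is handed, i.e. the components a logger call emits.
type captureHandler struct{ seen *[]string }

func (h captureHandler) Enabled(context.Context, slog.Level) bool { return true }
func (h captureHandler) WithAttrs([]slog.Attr) slog.Handler      { return h }
func (h captureHandler) WithGroup(string) slog.Handler           { return h }
func (h captureHandler) Handle(_ context.Context, r slog.Record) error {
	*h.seen = append(*h.seen, r.Message)
	r.Attrs(func(a slog.Attr) bool {
		*h.seen = append(*h.seen, a.Value.String())
		return true
	})
	return nil
}

// LoggedComponents passes one untrusted value through the slog call shapes
// the PR models and returns everything the handler received, in order.
// Escaping (if any) is left to the handler; the calls do none themselves.
func LoggedComponents(untrusted string) []string {
	var seen []string
	l := slog.New(captureHandler{&seen})
	ctx := context.Background()

	l.Info(untrusted)                             // message position
	l.Warn("login failed", "user", untrusted)     // variadic ...any args
	l.ErrorContext(ctx, "lookup", "q", untrusted) // Context variant
	l.Log(ctx, slog.LevelInfo, "audit", "who", untrusted)
	l.LogAttrs(ctx, slog.LevelInfo, "audit", slog.String("who", untrusted))
	return seen
}

func main() {
	// Constructed input containing a line break and a forged-looking record.
	for _, c := range LoggedComponents("alice\nlevel=INFO msg=forged") {
		fmt.Printf("%q\n", c)
	}
}
```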
⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.
Differences in coverage: go
Generated file changes for go
- `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,612,104
+ `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``, ``weak``",52,612,124
- Totals,,688,1072,1557
+ Totals,,688,1072,1577
- log,20,,3,,,,20,,,,,,,,,,,,,,,,,,,3,
+ log,40,,3,,,,40,,,,,,,,,,,,,,,,,,,3, |
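Review bot: the `log` row count goes from 20 to 40 and the `Standard library` row from 104 to 124 (Totals 1557 to 1577), a delta of exactly 20, so it is worth confirming that this equals the number of `sinkModel` rows added for `log/slog`. The description lists ten names (`Debug`, `Info`, `Warn`, `Error`, their four `Context` variants, `Log`, `LogAttrs`) as both package-level functions and `*slog.Logger` methods, which would account for 20; a different delta would point to a duplicated or missing row. The package list in the `Standard library` row is unchanged because `log/*` already covers `log/slog`, so only the counts are expected to move.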
330e904 into github:main, Jun 18, 2026
Hi Sauyon. Long time, no see! Thanks for this contribution. I've been meaning to get around to it since we skipped it 😬. There are a few extra things that could be modeled (