Go: Do not track taint into a sync.Map via the key of a key-value pair

[owen-mc]

There is no way of reading the keys stored in the sync.Map back.

[Copilot]

PR Overview

This pull request updates the taint tracking rules for Go’s sync.Map by no longer tracking taint through the key of a key-value pair, and it removes tests that validate key-based taint propagation.

• Updated change note documenting the new behavior.
• Modified sync.Map model configuration to track only the value argument for LoadOrStore, Store, and Swap.
• Removed tests that previously witnessed taint flow from sync.Map keys.

Reviewed Changes

File	Description
go/ql/lib/change-notes/2025-03-04-improve-models-for-sync-map.md	Added change note explaining the updated taint behavior for sync.Map.
go/ql/lib/ext/sync.model.yml	Adjusted taint tracking configuration to ignore the key by switching from tracking both key and receiver to tracking only the value argument.
go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go	Removed tests that expected key-based taint flow for sync.Map.

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (2)

go/ql/lib/ext/sync.model.yml:9

• Verify that switching the taint propagation from "Argument[0..1]" to "Argument[1]" for LoadOrStore aligns with the intended behavior, ensuring that no necessary taint information is lost.

      - ["sync", "Map", True, "LoadOrStore", "", "", "Argument[1]", "Argument[receiver]", "taint", "manual"]

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Sync.go:16

• [nitpick] Since tests related to key-based taint propagation have been removed, consider adding or updating tests to validate that taint only flows through the value side of sync.Map operations.

func TaintStepTest_SyncMapLoadOrStore_B1I0O0(sourceCQL interface{}) interface{} {

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more

[mbg]

There is no way of reading the keys stored in the sync.Map back.

https://pkg.go.dev/sync#Map.Range seems to allow reading all the keys in a sync.Map, so I think we should probably continue tracking which keys are tainted.

[owen-mc]

Hmm. But we don't model Range in any way, so we wouldn't track taint flow through it anyway. In the future we might, but we can always switch to synthetic fields for key and value when that happens.