Go: Model os.Args as a commandargs source

go/ql/lib/change-notes/2024-12-13-os-args-model.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added a `commandargs` local source model for the `os.Args` variable.
+

go/ql/lib/semmle/go/frameworks/stdlib/Os.qll

@@ -43,4 +43,10 @@ module Os {
       input = inp and output = outp
     }
   }
+
+  private class ArgsSource extends SourceNode {
+    ArgsSource() { exists(Variable v | v.hasQualifiedName("os", "Args") | this = v.getARead()) }
+
+    override string getThreatModel() { result = "commandargs" }
+  }
 }

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/commandargs/test.expected

@@ -0,0 +1,3 @@
+testFailures
+invalidModelRow
+failures

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/commandargs/test.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["commandargs", true, 0]

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/commandargs/test.ql

@@ -0,0 +1,19 @@
+import go
+import ModelValidation
+import TestUtilities.InlineExpectationsTest
+
+module SourceTest implements TestSig {
+  string getARelevantTag() { result = "source" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(ActiveThreatModelSource s |
+      s.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
+        location.getStartColumn(), location.getEndLine(), location.getEndColumn()) and
+      element = s.toString() and
+      value = "" and
+      tag = "source"
+    )
+  }
+}
+
+import MakeTest<SourceTest>

go/ql/test/library-tests/semmle/go/dataflow/flowsources/local/commandargs/test_os.go

@@ -0,0 +1,9 @@
+package test
+
+import "os"
+
+func loopThroughCommandArgs() {
+	for _, arg := range os.Args { // $ source
+		_ = arg
+	}
+}