Background
While auditing the shared call-stack machinery on feat/callstack-ast-detach, we confirmed that Go does not support cross-file resolution, on two independent axes:
-
No hook-based cross-scope resolution. GoDetectionEngine only calls handler.addCallToCallStack(...) — it never calls addHookToHookRepository(...). Only the Java and Python engines register hooks. As a result, a crypto asset reached only through a wrapper function (in the same file or another file) is not resolved for Go. Concretely, given:
// CrossFileHookWrapper.go
func HashIt(data []byte) [16]byte { return md5.Sum(data) }
// CrossFileHookCaller.go
func RunHash() [16]byte { return HashIt([]byte("data")) }
the MD5 usage inside HashIt is not surfaced at the HashIt(...) call site.
-
Single-file test harness. GoVerifier (org.sonar.go.testing.GoVerifier) parses exactly one source via SingleFileVerifier (one parse of foo.go). There is no multi-file scan entry point, so even once resolution exists it cannot be verified end-to-end without harness work.
This is a functional gap versus Java (which resolves cross-file via sonar.java.binaries). Python has the same gap on axis 1 but is tracked separately.
Objective
Enable scan-level cross-file resolution for Go so crypto assets reached through wrapper functions across file boundaries are detected and reported in the CBOM, matching Java behaviour.
Proposed approach
Testing strategy
Acceptance criteria
References
- Guard test + fixtures added in commit
d39f087d (branch feat/callstack-ast-detach).
- Shared machinery:
engine/src/main/java/com/ibm/engine/callstack/CallStackAgent.java (onNewHookSubscription, bucketsToScan), engine/src/main/java/com/ibm/engine/language/go/GoDetectionEngine.java.
Background
While auditing the shared call-stack machinery on
feat/callstack-ast-detach, we confirmed that Go does not support cross-file resolution, on two independent axes:No hook-based cross-scope resolution.
GoDetectionEngineonly callshandler.addCallToCallStack(...)— it never callsaddHookToHookRepository(...). Only the Java and Python engines register hooks. As a result, a crypto asset reached only through a wrapper function (in the same file or another file) is not resolved for Go. Concretely, given:the MD5 usage inside
HashItis not surfaced at theHashIt(...)call site.Single-file test harness.
GoVerifier(org.sonar.go.testing.GoVerifier) parses exactly one source viaSingleFileVerifier(oneparseoffoo.go). There is no multi-file scan entry point, so even once resolution exists it cannot be verified end-to-end without harness work.This is a functional gap versus Java (which resolves cross-file via
sonar.java.binaries). Python has the same gap on axis 1 but is tracked separately.Objective
Enable scan-level cross-file resolution for Go so crypto assets reached through wrapper functions across file boundaries are detected and reported in the CBOM, matching Java behaviour.
Proposed approach
GoDetectionEngine(mirrorJavaDetectionEngine/PythonDetectionEngine:MethodInvocationHookWithParameterResolvement/WithReturnResolvement/EnumHookas applicable) so wrapper-parameter resolution flows through the sharedHookRepository+CallStackAgent.getKeyFormT(record time, viacreateForHookContext()) aligns with the matcher-lookup key so the sharedbucketsToScannarrowing does not silently drop Go detections.GoVerifierwith a multi-file entry point (e.g.verify(List<String>, check)) that analyzes several sources in one scan sharing the sameHandler/ call stack.Testing strategy
@Disabledguardgo/src/test/java/com/ibm/plugin/rules/detection/crossfile/CrossFileHookDetachTest.java(fixturesCrossFileHookCaller.go/CrossFileHookWrapper.goalready committed) — it must resolve the wrapped MD5 across the file boundary.ResolveValuesWithHooksTest) to cover axis 1 independently of the harness change.Acceptance criteria
CrossFileHookDetachTestis enabled (no@Disabled) and passes.References
d39f087d(branchfeat/callstack-ast-detach).engine/src/main/java/com/ibm/engine/callstack/CallStackAgent.java(onNewHookSubscription,bucketsToScan),engine/src/main/java/com/ibm/engine/language/go/GoDetectionEngine.java.