feat: Go third-party QueryType classes + GORM SQLi & Gin SSRF rules

[shivasurya]

Summary

• Adds 15 new QueryType classes in python-sdk/codepathfinder/go_rule.py for popular Go frameworks: GORM, Gin, Echo, Fiber, gRPC, pgx, sqlx, go-redis, MongoDB, golang-jwt, Gorilla Mux, Resty, Chi, Viper, YAML v3
• Adds two example security rules demonstrating type-constrained detection:
  • rules/golang/gorm_sqli_taint.py — GORM SQL injection (CWE-89) with Gin/Echo/net-http sources
  • rules/golang/gin_ssrf.py — SSRF (CWE-918) via Resty HTTP client with Gin/net-http sources
• Adds 27 tests in test_go_thirdparty_querytypes.py covering FQN correctness, multi-FQN types, MethodMatcher IR output, negative matching, and a no-duplicate-FQN invariant

Why

Rule authors can now write type-constrained matchers like GoGormDB.method("Raw", "Exec") instead of fragile calls("*Raw"). This eliminates false positives from unrelated Raw() calls on non-GORM types, and enables cross-framework taint tracking:

flows(
    from_sources=[GoGinContext.method("Query")],
    to_sinks=[GoGormDB.method("Raw")],
)

Dependencies

Stacked on PR-03 (shiva/pr-03-golang-thirdparty): package-level var resolution + StdlibLoader embed fix.

Test plan

• cd python-sdk && python3 -m pytest tests/test_go_thirdparty_querytypes.py -v — 27 new tests pass
• cd python-sdk && python3 -m pytest tests/ -v — 408 total tests, zero regressions
• python3 -c "from codepathfinder.go_rule import GoGormDB, GoGinContext" — imports work
• CI green on all checks

🤖 Generated with Claude Code

[safedep]

SafeDep Report Summary

No dependency changes detected. Nothing to scan.

View complete scan results →

_{This report is generated by SafeDep Github App}

[github-actions]

Code Pathfinder Security Scan

No security issues detected.

Metric	Value
Files Scanned	4
Rules	205

---

_{Powered by Code Pathfinder}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.24%. Comparing base (81346a6) to head (19785a8).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #644   +/-   ##
=======================================
  Coverage   84.24%   84.24%           
=======================================
  Files         162      162           
  Lines       23358    23358           
=======================================
  Hits        19677    19677           
  Misses       2941     2941           
  Partials      740      740           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[shivasurya]

• feat(cache): delta-based incremental SQLite analysis cache for Go #649
• feat: GoThirdPartyCombinedLoader — CDN-first + local fallback routing #648
• feat: CDN registry generator for Go third-party packages #647
• feat: GoThirdPartyRegistryRemote CDN loader with manifest-first lazy loading #646
• feat: Go resolution statistics in resolution-report command #645
• feat: Go third-party QueryType classes + GORM SQLi & Gin SSRF rules #644 👈 (View in Graphite)
• feat(go): package-level var Source 3 + StdlibLoader embed resolution #643
• feat(go): eager scope creation + parameter-aware RHS inference #642
• feat(go): third-party type resolution from vendor/GOMODCACHE #641
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[shivasurya]

Merge activity

• Apr 7, 8:35 PM UTC: A user started a stack merge that includes this pull request via Graphite.
• Apr 7, 8:41 PM UTC: Graphite rebased this pull request as part of a merge.
• Apr 7, 8:41 PM UTC: @shivasurya merged this pull request with Graphite.