How to query types with a specific composite type in CodeQL Go?

[cokeBeer]

I am working on defining a dataflow source for web framework Beego.
I tried this query on my project written in beego (https://github.com/cokeBeer/go-sec-code):

import go

from Type c
where  c.hasQualifiedName("go-sec-code/controllers", "CommandInjectVuln1Controller")
select c.getMethod("Get")

it turned out no results，but I do have a go-sec-code/controllers.CommandInjectVuln1Controller.Get Method
https://github.com/cokeBeer/go-sec-code/blob/main/controllers/commandInject.go#L23

I think the problem may come from that Beego.Controller is a composite type which looks like:

package controllers

import (
	"fmt"
	"go-sec-code/utils"
	"os/exec"

	beego "github.com/beego/beego/v2/server/web"
)

type CommandInjectVuln1Controller struct {
	beego.Controller
}

moreover, I've noted that there is a BeegoControllerSource in CodeQL Go standard library semmle.go.frameworks.Beego.qll.

I tried only query the souce node with vscode's help on the same project, but it turned out not found GetString() method called

How can I make a source defination that can find all Controllers that composite Beego.Controller?

[cokeBeer]

found that Beego's latest package name has became ""github.com/beego/beego/v2/server/web"

After I add the package name, I can successfully query the results by BeegoControllerSource.
May I got a PR to fix it?

[cokeBeer]

Also, the NetHttp.qll lose some fields like "Host"

which makes me lose a result

[smowton]

The guess there is that Host is often not user-controlled because the request had to somehow get routed here, whereas of course they do control other parts of the request.

Can I take it you've solved your Beego problem?

[cokeBeer]

@smowton yes, seems I don't need to query a composite struct now. What about a PR to fix the module name "github.com/beego/beego/v2/server/web"?

[smowton]

Sure, please do submit one