codeql: Improve unclosed resources query with better cleanup detection by AriehSchneier · Pull Request #10 · go-git/x

AriehSchneier · 2026-05-10T15:32:21Z

Summary

Significantly enhances the unclosed-resources.ql CodeQL query with precise AST-based tracking to achieve 100% precision (zero false positives) while improving leak detection coverage. Replaces conservative heuristics with exact pattern matching for all cleanup mechanisms.

Motivation

The original query used conservative fallbacks (e.g., "if any defer Close() exists in the function, assume all resources are cleaned up") which caused both false positives and false negatives. This made the query less useful for catching real leaks because developers would see false alarms and some real leaks were missed.

Changes

Query Improvements

Precise cleanup detection (replaces conservative heuristics):

Tuple assignment support - Correctly handles r, err := git.Clone(...) followed by defer func() { _ = r.Close() }()
- Uses DefineStmt.getLhs(0) to access first element of tuple assignments
Type assertion cleanup - Detects defer func() { if c, ok := st.(io.Closer); ok { c.Close() } }() patterns
- Analyzes TypeAssertExpr and SelectorExpr in defer statements
- Verifies Close() is actually called on the asserted value
Wrapper pattern exclusion - Recognizes when resources are passed to wrapper types that are properly closed
- Example: temporal := filesystem.NewStorage(...) passed to transactional.NewStorage(base, temporal) where the wrapper is closed
Type conversion support - Handles temporal := storage.Storer(filesystem.NewStorage(...)) patterns
Returned callback detection - Excludes resources closed via callback functions returned to caller
- Example: closeAll := func() error { st.Close() }; return ..., closeAll
- Verifies Close() is actually called in the callback (not just referenced)
Testing cleanup patterns - Recognizes t.Cleanup(func() { r.Close() }) and b.Cleanup() patterns
- Matches specific resource variables (not just any cleanup)
- Handles both direct Close() and type assertion patterns
Embedded field handling - Detects st.Close() even when dataflow doesn't track through embedded fields

Factory function tracking:

Detects leaks from user-defined factory functions returning Repository/Storage
Filters out factories that only create memory storage (no cleanup needed)
Uses proper target binding (not just name matching) to avoid false matches
Properly handles both direct creation functions and factory wrappers

Detection layers (in order of precision):

Direct Close() calls via dataflow analysis
defer patterns matched by exact variable name (handles tuple assignments)
Close() on same variable (handles embedded fields)
testing.TB.Cleanup() with variable tracking
Type assertion cleanup patterns with Close() verification
Wrapper ownership transfer patterns
Returned callback function analysis with Close() verification

Recent Precision Improvements (PR review fixes)

Better factory matching - Now binds to function target instead of name-only matching
Stricter cleanup verification - All cleanup predicates now verify Close() is actually called
Variable-specific tracking - Testing cleanup now tracks specific variables instead of assuming any cleanup covers all resources
Type assertion validation - Verifies the asserted value is actually closed, not just asserted

These improvements caught 2 additional real leaks that were previously missed, bringing total detection from 108 to 110 leaks.

CI Workflow Update

Sets CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_TESTS=true to include *_test.go files in CodeQL database
Without this, the Go extractor excludes test files by default, preventing detection of leaks in test code

Documentation

Updated README.md to reflect precise tracking approach
Documented all detection techniques and exclusion patterns
Clarified known limitations and scope (struct literals vs all field assignments)

Results

Testing verified against go-git main branch before and after leak fixes:

Case	Issues Detected	Status
Baseline (main with no fixes)	110 real leaks	✅ All detected
Fixed branch (all leaks resolved)	0	✅ No false positives

Key achievement: 100% precision (0 false positives) with full coverage (110 real leaks detected)

Example Patterns Detected

// ✅ DETECTED: Missing Close()
func bad() error {
    r, err := git.PlainOpen("/path/to/repo")
    if err != nil {
        return err
    }
    // Missing: defer func() { _ = r.Close() }()
    _, err = r.Head()
    return err
}

// ✅ EXCLUDED: Proper defer cleanup
func good() error {
    r, err := git.PlainOpen("/path/to/repo")
    if err != nil {
        return err
    }
    defer func() { _ = r.Close() }()
    _, err = r.Head()
    return err
}

// ✅ EXCLUDED: Factory function (caller's responsibility)
func createRepo() (*git.Repository, error) {
    return git.PlainOpen("/path/to/repo")
}

// ✅ EXCLUDED: Wrapper pattern
func goodWrapper() error {
    temporal := filesystem.NewStorage(fs, cache)
    st := transactional.NewStorage(base, temporal)
    defer st.Close()  // Closes both st and temporal
    return nil
}

// ✅ EXCLUDED: Callback ownership transfer
func goodCallback() (io.Reader, func() error, error) {
    st, _ := loader.Load(url)
    cleanup := func() error { return st.Close() }
    return reader, cleanup, nil  // Caller must call cleanup()
}

Testing

Created CodeQL databases with CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_TESTS=true for both baseline and fixed branches and verified:

Zero false positives on fixed code
All 110 known leaks detected on baseline
Correct exclusion of legitimate cleanup patterns

🤖 Generated with Claude Code

Enhance the unclosed-resources.ql query to recognize additional cleanup patterns and reduce false positives: - Add support for testing.TB.Cleanup() pattern used in test files - Handle Close() calls on variables even when dataflow doesn't track through embedded fields (e.g., st.Close() where st contains embedded storage.ObjectStorage) - Support both := (DefineStmt) and = (AssignStmt) variable assignments - Recognize factory functions returning EncodedObjectStorer interface - Exclude memory.NewStorage() which doesn't need closing Configure CI workflow and document local usage to include test files during CodeQL database creation by setting the environment variable CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_TESTS=true. Without this setting, the Go extractor excludes *_test.go files by default. The query now produces zero false positives on the fixed codebase while still catching all real resource leaks including those in test files. Results: - fix-remote-test-file-handles branch: 0 issues (previously had false positives from testing.Cleanup patterns) - unfixed main branch: 68 issues detected including all original leaks Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Enhanced the unclosed-resources CodeQL query to eliminate false positives while maintaining full leak detection coverage. Replaced conservative heuristics with precise AST-based tracking of cleanup patterns. Key improvements: - Factory function tracking: detect leaks from functions returning Repository/Storage - Tuple assignment support: r, err := git.Clone(...) patterns - Type assertion detection: defer func() { if c, ok := st.(io.Closer); ok { c.Close() } }() - Wrapper pattern exclusion: resources passed to properly-closed wrappers - Type conversion support: temporal := storage.Storer(filesystem.NewStorage(...)) - Returned callback detection: cleanup functions returned to caller - Memory-only factory filtering: exclude factories that only create memory storage Results: - Baseline (before fixes): 108 real leaks detected - Fix branch (after fixes): 0 false positives - 100% precision with full coverage The query now uses layered detection: 1. Direct Close() via dataflow 2. defer patterns matched by variable name 3. Type assertion cleanup patterns 4. testing.TB.Cleanup() patterns 5. Wrapper ownership transfer 6. Returned callback cleanup Updated documentation to reflect the new precise tracking approach. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

AriehSchneier · 2026-05-11T04:32:30Z

Note, this isn't picking up issues in the root folder, I have opened a PR to fix that here:
github/codeql#21826

Copilot

Pull request overview

Enhances the custom Go CodeQL query for detecting unclosed Repository/Storage resources by adding several new cleanup/exclusion heuristics, and updates CI/docs to include test files in the CodeQL database.

Changes:

Reworked unclosed-resources.ql to use DataFlow::CallNode and additional AST-based patterns for detecting cleanup and ownership transfer.
Updated CodeQL GitHub Actions workflow to enable extracting *_test.go files.
Updated codeql/README.md to document the expanded detection/exclusion techniques and the test-extraction configuration.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

File	Description
`codeql/queries/unclosed-resources.ql`	Major query rewrite adding new cleanup/exclusion predicates and factory/wrapper handling.
`codeql/README.md`	Documents new detection/exclusion behaviors and how to include test files.
`.github/workflows/codeql.yml`	Sets Go extractor env to include tests during CodeQL database creation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

+  exists(FuncDef factory, string name |
+    // Match function by name
+    name = call.getTarget().getName() and
+    factory.getName() = name and


+  // Exclude direct calls to memory.NewStorage (doesn't need closing)
+  not create.getTarget().hasQualifiedName("github.com/go-git/go-git/v6/storage/memory", "NewStorage") and
+  // Exclude calls to factory functions that only create memory storage
+  not factoryCallCreatesOnlyMemoryStorage(create) and


+ * Checks if there's a testing.TB.Cleanup() call with Close() in the function.
+ * This handles patterns like: t.Cleanup(func() { _ = r.Close() })
+ */
+predicate hasTestingCleanupWithClose(FuncDef f) {
+  exists(DataFlow::CallNode cleanup, FuncLit cleanupFunc, SelectorExpr sel |
+    cleanup.getTarget().getName() = "Cleanup" and
+    cleanup.asExpr().getEnclosingFunction() = f and
+    cleanupFunc = cleanup.getArgument(0).asExpr() and
+    sel.getParent+() = cleanupFunc and
+    sel.getSelector().getName() = "Close"


+    // A function literal is defined in the same function
+    callback.getEnclosingFunction() = f and
+    // The resource variable is referenced inside the function literal
+    resourceVar.getParent+() = callback and
+    resourceVar.getName() = varName and


+predicate hasDeferWithTypeAssertion(DataFlow::CallNode create, FuncDef f) {
+  exists(DeferStmt defer, TypeAssertExpr typeAssert, Ident assertedVar, Ident createVar, string varName |
+    // The defer statement is in the same function
+    defer.getEnclosingFunction() = f and
+    // There's a type assertion to io.Closer inside the defer
+    typeAssert.getParent+() = defer.getCall() and
+    typeAssert.getTypeExpr().(SelectorExpr).getSelector().getName() = "Closer" and
+    // The type assertion is on our variable


 ### Using GitHub Actions

-The queries run automatically via the CodeQL workflow on pull requests.
+The queries run automatically via the CodeQL workflow on pull requests and include test files.


+
+**What it excludes (to avoid false positives):**
+- Factory functions that return Repository/Storage to the caller
+- Resources assigned to struct fields (managed by struct lifecycle)


      - name: Initialize CodeQL
        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
        with:
          languages: go
          config: |
            paths:
              - go-git
            queries:
              - uses: ./codeql/queries/unclosed-resources.ql
+        env:
+          CODEQL_EXTRACTOR_GO_OPTION_EXTRACT_TESTS: true



Fix precision issues in cleanup detection predicates: - factoryCallCreatesOnlyMemoryStorage: Use target binding instead of name matching - hasTestingCleanupWithClose: Match specific resource variable and handle type assertions - isClosedViaReturnedCallback: Verify Close() is called and handle type assertions - hasDeferWithTypeAssertion: Verify Close() is called on asserted value Update README: - Clarify "struct fields" to "struct literals" - Fix workflow trigger description (pushes to main, not PRs) Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

AriehSchneier · 2026-05-11T14:31:43Z

Addressed PR Review Comments

Fixed all 8 review comments from Copilot:

Query Improvements

factoryCallCreatesOnlyMemoryStorage type safety - Now binds directly to call.getTarget().getFuncDecl() instead of matching by name only, preventing false matches across packages.
hasTestingCleanupWithClose precision - Now requires the specific created resource variable to be closed in the Cleanup, and handles type assertion patterns like if c, ok := r.(io.Closer); ok { c.Close() }.
isClosedViaReturnedCallback verification - Now verifies Close() is actually called in the callback (either directly or via type assertion), not just referenced.
hasDeferWithTypeAssertion verification - Now verifies Close() is called on the asserted value, not just that a type assertion exists.

Documentation Fixes

README struct fields claim - Changed "Resources assigned to struct fields" to "Resources stored in struct literals" to accurately reflect what the query checks.
README workflow triggers - Updated to correctly state the workflow runs "on pushes to main and can be manually triggered" instead of incorrectly claiming it runs on PRs.

All changes maintain 0 false positives while improving precision and avoiding incorrect exclusions.

Exclude test cases that expect errors by detecting error assertions following resource creation. This filters out legitimate test patterns like: r, err := Open(memory.NewStorage(), nil) require.Error(t, err) // Expects the call to fail Detects common error assertion methods: - Error, ErrorIs, ErrorAs, ErrorContains - testing.Fatal, testing.Fatalf Matches the error variable from tuple assignments to assertions using basic line-based ordering heuristics. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Enhance the query to handle more cleanup patterns and reduce false positives: - Add NotNil to error assertion methods for error path detection - Add dataflow-based cleanup detection for indirect patterns (e.g., resource assigned to struct field, then copied to local var for cleanup) - Support var declarations in wrapper detection (var x Type = NewStorage(...)) - Handle inline resource arguments (r := Open(NewStorage(...), ...)) These improvements address cases where resources are properly closed but the query couldn't detect the cleanup due to indirect assignments or inline argument passing. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Use getName(0) instead of getNameExpr() for ValueSpec, as getNameExpr() is not a valid method on Decls::ValueSpec in the CodeQL Go library. Also fixed the logic structure to properly group the variable name extraction cases. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Handle the pattern where a resource is assigned to a struct field, then copied to a local variable that is closed in a cleanup callback: s.Field = Create() r := s.Field t.Cleanup(func() { r.Close() }) The previous dataflow-based approach didn't work because localFlow doesn't track through struct field assignments. This adds a syntactic pattern that matches the field name from creation to cleanup. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Add detection for "getter" factory functions that return pre-existing resources rather than creating new ones. These functions don't create any storage or repository internally - they just return resources from maps, struct fields, or parameters. Example: MapLoader.Load() returns a storage from a map without creating it, so the caller of Load() is not responsible for closing it. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Add detection for cache-or-create factory functions that create resources and also register cleanup for them within the factory itself. Example: NewRepositoryFromPackfile() creates a repository and immediately registers t.Cleanup() for it before caching and returning it. The caller doesn't need to close the resource because the factory already registered cleanup. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

AriehSchneier · 2026-05-14T18:04:50Z

@pjbgf I've made some more changes after running it in the go-git (see here) can you please get Copilot to review again

Document the new detection techniques and exclusions added to the unclosed-resources query: - Error path detection for tests that expect creation to fail - Struct field cleanup patterns - Variable declaration support - Inline argument detection - Getter factory exclusion - Cache-or-create factory exclusion - Enhanced dataflow tracking for t.Cleanup() Also added examples for error path tests, cleanup callbacks, and inline wrapper patterns. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Remove checks for specific type name "Closer" which broke with: - Dot imports: import . "io" then st.(Closer) - Custom closer interfaces - Aliased imports: import iolib "io" then st.(iolib.Closer) Now accepts any type assertion followed by Close() call, making the query work with io.Closer, custom interfaces, and all import styles. Affected predicates: - hasDeferWithTypeAssertion - isClosedViaReturnedCallback Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

AriehSchneier · 2026-05-15T00:13:52Z

PS you can see the warnings from before all my fixes:
https://github.com/go-git/go-git/actions/runs/25891994253/job/76096996370?pr=2123#step:6:63
Compared to what it will be with my last few that were picked up here:
https://github.com/go-git/go-git/actions/runs/25892486684/job/76098474074?pr=2123#step:6:58

- Add PR triggers for changes to codeql/** and workflow file - Add manual build step for test files and examples - Add SARIF results display in logs (upload: never for testing) - Remove unnecessary fetch-depth: 0 from checkouts - Move permissions to job level Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

AriehSchneier · 2026-05-15T01:12:52Z

CodeQL just ran successfully on this PR against main in go-git!
In the results you can see a few actual leaks and a few false positives (will be fixed by this PR once this is merged), note the false positives are where the Close() call was not with creation and therefore CodeQL couldn't see it

I will squash all the commits once you have reviewed.

Output SARIF results using GitHub Actions annotation format so they appear in the Annotations section below the logs with clickable links. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Include file and line location in log output after each annotation so the logs show both the message and where it occurred. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

Escape special characters (%, newlines, carriage returns) in annotation messages to ensure they display correctly in GitHub Actions UI. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

GitHub Actions limits annotations to 10 per step. Update the summary notice to inform users when there are more results that can only be seen in the logs. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>

AriehSchneier force-pushed the improve-unclosed-resources-query branch from 71adbea to 48fa9d0 Compare May 10, 2026 15:37

AriehSchneier requested a review from pjbgf May 10, 2026 15:37

pjbgf requested a review from Copilot May 11, 2026 14:06

Copilot started reviewing on behalf of pjbgf May 11, 2026 14:06 View session

Copilot AI reviewed May 11, 2026

View reviewed changes

AriehSchneier added 6 commits May 15, 2026 01:18

AriehSchneier added 2 commits May 15, 2026 04:13

AriehSchneier added 4 commits May 15, 2026 11:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

codeql: Improve unclosed resources query with better cleanup detection#10

codeql: Improve unclosed resources query with better cleanup detection#10
AriehSchneier wants to merge 16 commits into
go-git:mainfrom
AriehSchneier:improve-unclosed-resources-query

AriehSchneier commented May 10, 2026 •

edited

Loading

Uh oh!

AriehSchneier commented May 11, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

AriehSchneier commented May 11, 2026

Uh oh!

AriehSchneier commented May 14, 2026

Uh oh!

AriehSchneier commented May 15, 2026

Uh oh!

AriehSchneier commented May 15, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

AriehSchneier commented May 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Motivation

Changes

Query Improvements

Recent Precision Improvements (PR review fixes)

CI Workflow Update

Documentation

Results

Example Patterns Detected

Testing

Uh oh!

AriehSchneier commented May 11, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

AriehSchneier commented May 11, 2026

Addressed PR Review Comments

Query Improvements

Documentation Fixes

Uh oh!

AriehSchneier commented May 14, 2026

Uh oh!

AriehSchneier commented May 15, 2026

Uh oh!

AriehSchneier commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

AriehSchneier commented May 10, 2026 •

edited

Loading

AriehSchneier commented May 15, 2026 •

edited

Loading