
Conversation

@smowton
Contributor

@smowton smowton commented Aug 24, 2024

This PR:

Note there was a small amount of conflict resolution around the revert, due to Beego having converted other kinds of models to MaD (uneventfully) in the meantime, and conflicts surrounding the introduction of DefaultLoggerCall, which will need resolving again on reinstating these commits.

The problems leading to the reverts were:

  1. The QL models for Squirrel's SelectBuilder methods use an argument-type filter; the MaD version doesn't, meaning safely-specified "cooked" SQL is incorrectly flagged as vulnerable (new FPs).
  2. The QL models for Xorm's Session.Exec function distinguished its first parameter (a SQL string) from its second and subsequent parameters (variables for safe interpolation into the SQL string). The MaD version doesn't (it tries to, but use of varargs prevents it), meaning we get new FPs for such safe interpolation arguments.
  3. A common issue across sql-injection, log-injection and clear-text-logging sinks: all three of these widely make use of interface embedding, implementation, and compatible interfaces, but it becomes clear that there are significant differences between the method calls identified by a QL modelling pattern any(Method m | m.hasQualifiedName("mypackage", "MyType", "mymethod").getACall()), which accounts for embedding (via hasQualifiedName) and interface implementation including subinterfaces (via getACall). Some relevant MaD models simply set subtypes = false, but some that set subtypes = true still missed the subinterface case (e.g. using logrus.FieldLogger, a subinterface of the modelled logrus.Logger). This led to widespread new false negatives.

Release QA showing the full extent of the trouble can be found at https://dataexplorer.azure.com/dashboards/751779bb-c379-4cc4-8f09-0448e8c0cb39?p-tag_left=v-QA-2.18.2-2024-08-21&p-tag_right=v-QA-2.18.3-2024-08-21&p-languages=v-go&p-_build_modes=all&p-_runner_oses=all&p-_measure=v-steps%3A+e2e#5f0f4e2a-de2f-4853-b62f-be252143fd87

I now intend to create a DCA run to quickly confirm that all alert differences have been removed between codeql-cli-2.18.2 and this PR tip, except for the correct FP resolutions caused by the conversion of io/ioutil.WriteFile to MaD.
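As an added illustration (not code from this PR or from the CodeQL repository), here is a stand-alone query written with the QL modelling pattern the description contrasts with MaD: it resolves the method by qualified name, which covers embedding and interface implementations including subinterfaces, and it selects only the first argument of the call so that the variadic parameters Xorm's Session.Exec passes for safe interpolation are not reported. The import path "xorm.io/xorm" is an assumption about the package name; the type and method names come from the description.

```ql
import go

// Added example, not part of the PR. Uses the QL pattern from the description:
// Method.hasQualifiedName resolves the method through embedding, and
// Function.getACall returns calls made via the concrete type, the interface,
// or any subinterface that includes the method.
from Method m, DataFlow::CallNode call
where
  // Package path is assumed for illustration; "Session" and "Exec" are from the description.
  m.hasQualifiedName("xorm.io/xorm", "Session", "Exec") and
  call = m.getACall()
// Only argument 0 is the SQL string; arguments 1.. are bound parameters and are
// deliberately left out of the result, which is the distinction the MaD row lost to varargs.
select call.getArgument(0), "SQL string passed to Session.Exec (variadic parameters excluded)."
```

Running this alongside the corresponding MaD row on a test fixture that calls Exec directly, through an embedding struct, and through a subinterface is the quickest way to see whether the two agree on the set of call sites and on which argument is the sink.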

@smowton smowton requested a review from a team as a code owner August 24, 2024 17:08
@smowton
Contributor Author

smowton commented Aug 24, 2024

@smowton
Contributor Author

smowton commented Aug 24, 2024

That didn't work because latest semmle-code no longer works with 2.18.2 ql. New DCA: https://github.com/github/codeql-dca-main/issues/23231

Contributor

@egregius313 egregius313 left a comment


LGTM

@smowton
Contributor Author

smowton commented Aug 25, 2024

See https://github.com/github/codeql-dca-main/issues/23231 for detailed outcome of DCA -- 4 projects continue to cause trouble in DCA due to go1.23 requirement; they don't appear to cause trouble in QA. Issues otherwise resolved as expected.

@smowton smowton merged commit 92910f9 into github:codeql-cli-2.18.3 Aug 25, 2024