Automodel: Improve handling of varargs and overriding in extraction queries #15554
+112
−47
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…lter out known flow steps.
…hod for which we have a model.
If an existing source/sink model specifies `subtypes=True` we should apply it to endpoints on overriding methods.
![github-advanced-security[bot]](https://web.archive.org/web/20240213201334im_/https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| exists(string package, string type, string name, string signature, string ext, string input | | ||
| sinkSpec(e, package, type, name, signature, ext, input) and | ||
| exists( | ||
| string package, string type, boolean subtypes, string name, string signature, string ext, |
Check warning
Code scanning / CodeQL
Omittable 'exists' variable Warning
| exists(string package, string type, string name, string signature, string ext, string input | | ||
| sinkSpec(e, package, type, name, signature, ext, input) and | ||
| exists( | ||
| string package, string type, boolean subtypes, string name, string signature, string ext, |
Check warning
Code scanning / CodeQL
Omittable 'exists' variable Warning
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The two fixes are conceptually independent, but both came up during a recent triage (#15486).
The first one is to do with implicit varargs arrays: the extraction queries for mining endpoint candidates aim to exclude known models, but were previously failing to properly match up implicit varargs arrays in application mode. That's because we were using the data-flow nodes of the individual arguments collected into the varargs array to represent the endpoints, but the MaD models refer to the
ImplicitVarargsArraynode. We now do the latter as well.The second one is to do with recognising existing models for method parameters and return values: if an existing model is marked as
subtypes=True, we should consider overriding methods to also be covered by that model, but previously we did not handle this correctly.Finally, the
isNeutralpredicate didn't look quite right, so I fixed that as well.I did a comparison of results on
apache/geodebefore and after this PR, and all changes seem reasonable:org.apache.http.impl.clientendpoints called out in the triage PR are gone, and similar for PrintWriter and JarOutputStreamorg.apache.http.impl.client(cf above)