hohn/codeql-info
1
0
Fork 0
mirror of https://github.com/hohn/codeql-info.git synced 2025-12-16 20:53:04 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
codeql-info/ql/docs/language/learn-ql/build.html-5f4acb8/codeql-language-guides/extensible-predicates.html
Michael Hohn e52393de06 Build class-based dataflow documentation
2023-11-20 11:57:03 -08:00

362 lines
35 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Extensible predicates and their interaction with data extensions &#8212; CodeQL</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/alabaster.css?v=93459777" />
<script src="../_static/documentation_options.js?v=5929fcd5"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="icon" href="../_static/favicon.ico"/>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<title>CodeQL docs</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="../_static/custom.css" type="text/css" />
<link rel="stylesheet" href="../_static/primer.css" type="text/css" />
</head><body>
<header class="Header">
<div class="Header-item--full">
<a href="https://codeql.github.com/docs" class="Header-link f2 d-flex flex-items-center">
<!-- <%= octicon "mark-github", class: "mr-2", height: 32 %> -->
<svg height="32" class="octicon octicon-mark-github mr-2" viewBox="0 0 16 16" version="1.1" width="32"
aria-hidden="true">
<path fill-rule="evenodd"
d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z">
</path>
</svg>
<span class="hide-sm">CodeQL documentation</span>
</a>
</div>
<div class="Header-item hide-sm hide-md">
<script src="https://addsearch.com/js/?key=93b4d287e2fc079a4089412b669785d5&categories=!0xhelp.semmle.com,0xcodeql.github.com,1xdocs,1xcodeql-standard-libraries,1xcodeql-query-help"></script>
</div>
<div class="Header-item">
<details class="dropdown details-reset details-overlay d-inline-block">
<summary class="btn bg-gray-dark text-white border" aria-haspopup="true">
CodeQL resources
<div class="dropdown-caret"></div>
</summary>
<ul class="dropdown-menu dropdown-menu-se dropdown-menu-dark">
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-overview">CodeQL overview</a></li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL tools
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-for-visual-studio-code">CodeQL for VS Code</a>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-cli">CodeQL CLI</a>
</li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL guides
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/writing-codeql-queries">Writing CodeQL queries</a></li>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-language-guides">CodeQL language guides</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Reference docs
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/ql-language-reference/">QL language
reference</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-standard-libraries">CodeQL
standard-libraries</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-query-help">CodeQL
query help</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Source files
</div>
<li><a class="dropdown-item" href="https://github.com/github/codeql">CodeQL repository</a>
</ul>
</details>
</div>
</header>
<main class="bg-gray-light clearfix">
<nav class="SideNav position-sticky top-0 col-lg-3 col-md-3 float-left p-4 hide-sm hide-md overflow-y-auto">
<ul>
<li class="toctree-l1"><a class="reference internal" href="../codeql-overview/index.html">CodeQL overview</a></li>
<li class="toctree-l1"><a class="reference internal" href="../codeql-for-visual-studio-code/index.html">CodeQL for Visual Studio Code</a></li>
<li class="toctree-l1"><a class="reference internal" href="../codeql-cli/index.html">CodeQL CLI</a></li>
<li class="toctree-l1"><a class="reference internal" href="../writing-codeql-queries/index.html">Writing CodeQL queries</a></li>
<li class="toctree-l1"><a class="reference internal" href="index.html">CodeQL language guides</a></li>
<li class="toctree-l1"><a class="reference internal" href="../ql-language-reference/index.html">QL language reference</a></li>
</ul>
</nav>
<div class="body col-sm-12 col-md-9 col-lg-9 float-left border-left">
<div class="hide-lg hide-xl px-4 pt-4">
<div class="related" role="navigation" aria-label="related navigation">
<ul>
<li class="nav-item nav-item-0"><a href="../contents.html">CodeQL</a> &#187;</li>
</ul>
</div>
</div>
<article class="p-4 col-lg-10 col-md-10 col-sm-12">
<section id="extensible-predicates-and-their-interaction-with-data-extensions">
<h1>Extensible predicates and their interaction with data extensions<a class="headerlink" href="#extensible-predicates-and-their-interaction-with-data-extensions" title="Link to this heading"></a></h1>
<p>You can use data extensions to model the methods and callables that control dataflow in any framework or library. This is especially useful for custom frameworks or niche libraries, that are not supported by the standard CodeQL libraries.</p>
<blockquote class="pull-quote">
<div><p>Note</p>
<p>CodeQL model packs are currently in beta and subject to change. During the beta, model packs are supported only by Java/Kotlin analysis. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: <a class="reference external" href="https://github.com/github/codeql-action/releases">https://github.com/github/codeql-action/releases</a>.</p>
</div></blockquote>
<section id="about-this-article">
<h2>About this article<a class="headerlink" href="#about-this-article" title="Link to this heading"></a></h2>
<p>This reference article describes the available inputs for the extensible predicates, including access paths, kinds, and provenance.</p>
<p>Sources, sinks, summaries, and neutrals are commonly known as models. These models support several shared arguments and a few model-specific arguments. The arguments populate a series of columns for each extensible predicate.</p>
</section>
<section id="about-extensible-predicates">
<h2>About extensible predicates<a class="headerlink" href="#about-extensible-predicates" title="Link to this heading"></a></h2>
<p>At a high level, there are two main components to using data extensions. The query writer defines one or more extensible predicates in their query libraries. CLI and code scanning users who want to augment these predicates supply one or more extension files whose data gets injected into the extensible predicate during evaluation. The extension files are either stored directly in the repository where the codebase to be analyzed is hosted, or downloaded as CodeQL model packs.</p>
<p>This example of an extensible predicate for a source is taken from the core Java libraries <a class="reference external" href="https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll#L8-L11">https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll#L8-L11</a></p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>extensible predicate sourceModel(
string package, string type, boolean subtypes, string name,
string signature, string ext, string output, string kind,
string provenance
);
</pre></div>
</div>
<p>An extensible predicate is a CodeQL predicate with the following restrictions:</p>
<ul class="simple">
<li><p>It uses the <code class="docutils literal notranslate"><span class="pre">extensible</span></code> keyword.</p></li>
<li><p>It has no body.</p></li>
<li><p>All predicate parameters have primitive types.</p></li>
<li><p>It is not in a module.</p></li>
</ul>
</section>
<section id="columns-shared-by-all-extensible-predicates">
<h2>Columns shared by all extensible predicates<a class="headerlink" href="#columns-shared-by-all-extensible-predicates" title="Link to this heading"></a></h2>
<p>The semantics of many of the columns of the extensible predicates are shared. The columns <code class="docutils literal notranslate"><span class="pre">package</span></code>, <code class="docutils literal notranslate"><span class="pre">type</span></code>, <code class="docutils literal notranslate"><span class="pre">subtypes</span></code>, <code class="docutils literal notranslate"><span class="pre">name</span></code>, and <code class="docutils literal notranslate"><span class="pre">signature</span></code> define which element(s) the model applies to.</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">package</span></code>: Name of the package containing the element(s) to be modeled.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">type</span></code>: Name of the type containing the element(s) to be modeled.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">subtypes</span></code>: A boolean flag indicating whether the model should also apply to all overrides of the selected element(s).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">name</span></code>: Name of the element (optional). If this is left blank, it means all elements matching the previous selection criteria.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">signature</span></code>: Type signature of the selected element (optional). If this is left blank, it means all elements matching the previous selection criteria.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ext</span></code>: Specifies additional API-graph-like edges (mostly empty) and out of scope for this document.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">provenance</span></code>: Provenance (origin) of the model definition. For more information, see “<a class="reference internal" href="#provenance"><span class="std std-ref">Provenance</span></a>.”</p></li>
</ul>
<p>The sematics for access paths are also common to all extensible predicates. For more information, see “<a class="reference internal" href="#access-paths"><span class="std std-ref">Access paths</span></a>.”</p>
</section>
<section id="sourcemodel-package-type-subtypes-name-signature-ext-output-kind-provenance">
<h2>sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)<a class="headerlink" href="#sourcemodel-package-type-subtypes-name-signature-ext-output-kind-provenance" title="Link to this heading"></a></h2>
<p>Taint source. Most taint tracking queries will use all sources added to this extensible predicate regardless of their kind.</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">output</span></code>: Access path to the source, where the possibly tainted data flows from.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">kind</span></code>: Kind of the source.</p></li>
</ul>
<p>As most sources are used by all taint tracking queries there are only a few different source kinds.
The following source kinds are supported:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">remote</span></code>: A remote source of possibly tainted data. This is the most common kind for a source. Sources of this kind are used for almost all taint tracking queries.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">contentprovider</span></code>, <code class="docutils literal notranslate"><span class="pre">android-external-storage-dir</span></code>: These kinds are also supported but usage is advanced.</p></li>
</ul>
</section>
<section id="sinkmodel-package-type-subtypes-name-signature-ext-input-kind-provenance">
<h2>sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)<a class="headerlink" href="#sinkmodel-package-type-subtypes-name-signature-ext-input-kind-provenance" title="Link to this heading"></a></h2>
<p>Taint sink. As opposed to source kinds, there are many different kinds of sinks as these tend to be more query specific.</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">input</span></code>: Access path to the sink, where we want to check if tainted data can flow into.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">kind</span></code>: Kind of the sink.</p></li>
</ul>
<p>The following sink kinds are supported:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">bean-validation</span></code>: A sink that can be used for insecure bean validation, such as in calls to <code class="docutils literal notranslate"><span class="pre">ConstraintValidatorContext.buildConstraintViolationWithTemplate</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">command-injection</span></code>: A sink that can be used to inject shell commands, such as in calls to <code class="docutils literal notranslate"><span class="pre">Runtime.exec</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">file-content-store</span></code>: A sink that can be used to control the contents of a file, such as in a <code class="docutils literal notranslate"><span class="pre">Files.write</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">fragment-injection</span></code>: A sink that can be used for Android fragment injection, such as in a <code class="docutils literal notranslate"><span class="pre">FragmentTransaction.replace</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">groovy-injection</span></code>: A sink that can be used for Groovy injection, such as in a <code class="docutils literal notranslate"><span class="pre">GroovyShell.evaluate</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">hostname-verification</span></code>: A sink that can be used for unsafe hostname verification, such as in calls to <code class="docutils literal notranslate"><span class="pre">HttpsURLConnection.setHostnameVerifier</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">html-injection</span></code>: A sink that can be used for XSS via HTML injection, such as in a <code class="docutils literal notranslate"><span class="pre">ResponseStream.write</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">information-leak</span></code>: A sink that can be used to leak information to an HTTP response, such as in calls to <code class="docutils literal notranslate"><span class="pre">HttpServletResponse.sendError</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">intent-redirection</span></code>: A sink that can be used for Android intent redirection, such as in a <code class="docutils literal notranslate"><span class="pre">Context.startActivity</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">jexl-injection</span></code>: A sink that can be used for JEXL expression injection, such as in a <code class="docutils literal notranslate"><span class="pre">JexlExpression.evaluate</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">jndi-injection</span></code>: A sink that can be used for JNDI injection, such as in a <code class="docutils literal notranslate"><span class="pre">Context.lookup</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">js-injection</span></code>: A sink that can be used for XSS via JavaScript injection, such as in a <code class="docutils literal notranslate"><span class="pre">Webview.evaluateJavaScript</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ldap-injection</span></code>: A sink that can be used for LDAP injection, such as in a <code class="docutils literal notranslate"><span class="pre">DirContext.search</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">log-injection</span></code>: A sink that can be used for log injection, such as in a <code class="docutils literal notranslate"><span class="pre">Logger.warn</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">mvel-injection</span></code>: A sink that can be used for MVEL expression injection, such as in a <code class="docutils literal notranslate"><span class="pre">MVEL.eval</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ognl-injection</span></code>: A sink that can be used for OGNL injection, such as in an <code class="docutils literal notranslate"><span class="pre">Ognl.getValue</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">path-injection</span></code>: A sink that can be used for path injection in a file system access, such as in calls to <code class="docutils literal notranslate"><span class="pre">new</span> <span class="pre">FileReader</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">pending-intents</span></code>: A sink that can be used to send an implicit and mutable <cite>PendingIntent</cite> to a third party, such as in an <code class="docutils literal notranslate"><span class="pre">Activity.setResult</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">request-forgery</span></code>: A sink that controls the URL of a request, such as in an <code class="docutils literal notranslate"><span class="pre">HttpRequest.newBuilder</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">response-splitting</span></code>: A sink that can be used for HTTP response splitting, such as in calls to <code class="docutils literal notranslate"><span class="pre">HttpServletResponse.setHeader</span></code>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">sql-injection</span></code>: A sink that can be used for SQL injection, such as in a <code class="docutils literal notranslate"><span class="pre">Statement.executeQuery</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">template-injection</span></code>: A sink that can be used for server-side template injection, such as in a <code class="docutils literal notranslate"><span class="pre">Velocity.evaluate</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">trust-boundary-violation</span></code>: A sink that can be used to cross a trust boundary, such as in a <code class="docutils literal notranslate"><span class="pre">HttpSession.setAttribute</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">url-redirection</span></code>: A sink that can be used to redirect the user to a malicious URL, such as in a <code class="docutils literal notranslate"><span class="pre">Response.temporaryRedirect</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">xpath-injection</span></code>: A sink that can be used for XPath injection, such as in a <code class="docutils literal notranslate"><span class="pre">XPath.evaluate</span></code> call.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">xslt-injection</span></code>: A sink that can be used for XSLT injection, such as in a <code class="docutils literal notranslate"><span class="pre">Transformer.transform</span></code> call.</p></li>
</ul>
</section>
<section id="summarymodel-package-type-subtypes-name-signature-ext-input-output-kind-provenance">
<h2>summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)<a class="headerlink" href="#summarymodel-package-type-subtypes-name-signature-ext-input-output-kind-provenance" title="Link to this heading"></a></h2>
<p>Flow through (summary). This extensible predicate is used to model flow through elements.</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">input</span></code>: Access path to the input of the element (where data will flow from to the output).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">output</span></code>: Access path to the output of the element (where data will flow to from the input).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">kind</span></code>: Kind of the flow through.</p></li>
</ul>
<p>The following kinds are supported:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">taint</span></code>: This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">value</span></code>: This means that the output equals the input or a copy of the input such that all of its properties are preserved.</p></li>
</ul>
</section>
<section id="neutralmodel-package-type-name-signature-kind-provenance">
<h2>neutralModel(package, type, name, signature, kind, provenance)<a class="headerlink" href="#neutralmodel-package-type-name-signature-kind-provenance" title="Link to this heading"></a></h2>
<p>This extensible predicate is not typically needed externally, but is included here for completeness.
It has limited impact on dataflow analysis.
Manual neutrals are considered high-confidence dispatch call targets and can reduce the number of dispatch call targets during dataflow analysis (a performance optimization).</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">kind</span></code>: Kind of the neutral. For neutrals the kind can be <code class="docutils literal notranslate"><span class="pre">summary</span></code>, <code class="docutils literal notranslate"><span class="pre">source</span></code>, or <code class="docutils literal notranslate"><span class="pre">sink</span></code> to indicate that the callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).</p></li>
</ul>
</section>
<section id="access-paths">
<span id="id1"></span><h2>Access paths<a class="headerlink" href="#access-paths" title="Link to this heading"></a></h2>
<p>The <code class="docutils literal notranslate"><span class="pre">input</span></code>, and <code class="docutils literal notranslate"><span class="pre">output</span></code> columns consist of a <code class="docutils literal notranslate"><span class="pre">.</span></code>-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.</p>
<p>The following components are supported:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">Argument[</span></code><cite>n</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the argument at index <cite>n</cite> (zero-indexed).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Argument[</span></code><cite>this</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the qualifier (instance parameter).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Argument[</span></code><cite>n1..n2</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the arguments in the given range (both ends included).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Parameter[</span></code><cite>n</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the parameter at index <cite>n</cite> (zero-indexed).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Parameter[</span></code><cite>n1..n2</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the parameters in the given range (both ends included).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ReturnValue</span></code> selects the return value.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Field[</span></code><cite>name</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the field with the fully qualified name <cite>name</cite>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">SyntheticField[</span></code><cite>name</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the synthetic field with name <cite>name</cite>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">SyntheticGlobal[</span></code><cite>name</cite><code class="docutils literal notranslate"><span class="pre">]</span></code> selects the synthetic global with name <cite>name</cite>.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">ArrayElement</span></code> selects the elements of an array.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Element</span></code> selects the elements of a collection-like container.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">WithoutElement</span></code> selects a collection-like container without its elements. This is for input only.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">WithElement</span></code> selects the elements of a collection-like container, but points to the container itself. This is for input only.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">MapKey</span></code> selects the element keys of a map.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">MapValue</span></code> selects the element values of a map.</p></li>
</ul>
</section>
<section id="provenance">
<span id="id2"></span><h2>Provenance<a class="headerlink" href="#provenance" title="Link to this heading"></a></h2>
<p>The <code class="docutils literal notranslate"><span class="pre">provenance</span></code> column is used to specify the provenance (origin) of the model definition and how the model was verified.
The following values are supported.</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">manual</span></code>: The model was manually created and added to the extensible predicate.</p></li>
</ul>
<p>Values can also take the form <code class="docutils literal notranslate"><span class="pre">ORIGIN-VERIFICATION</span></code>, where <code class="docutils literal notranslate"><span class="pre">ORIGIN</span></code> is one of:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">ai</span></code>: The model was generated by artificial intelligence (AI).</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">df</span></code>: The model was generated by the dataflow model generator.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">tb</span></code>: The model was generated by the type based model generator.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">hq</span></code>: The model was generated using a heuristic query.</p></li>
</ul>
<p>And <code class="docutils literal notranslate"><span class="pre">VERIFICATION</span></code> is one of:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">manual</span></code>: The model was verified by a human.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">generated</span></code>: The model was generated, but not verified by a human.</p></li>
</ul>
<p>The provenance is used to distinguish between models that are manually added (or verified) to the extensible predicate and models that are automatically generated.
Furthermore, it impacts the dataflow analysis in the following way:</p>
<ul class="simple">
<li><p>A <code class="docutils literal notranslate"><span class="pre">manual</span></code> model takes precedence over <code class="docutils literal notranslate"><span class="pre">generated</span></code> models. If a <code class="docutils literal notranslate"><span class="pre">manual</span></code> model exists for an element then all <code class="docutils literal notranslate"><span class="pre">generated</span></code> models are ignored.</p></li>
<li><p>A <code class="docutils literal notranslate"><span class="pre">generated</span></code> model is ignored during analysis, if the source code of the element it is modeling is available.</p></li>
</ul>
<p>That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available.</p>
</section>
</section>
</article>
<!-- GitHub footer, with links to terms and privacy statement -->
<div class="px-3 px-md-6 f6 py-4 d-sm-flex flex-justify-between flex-row-reverse flex-items-center border-top">
<ul class="list-style-none d-flex flex-items-center mb-3 mb-sm-0 lh-condensed-ultra">
<li class="mr-3">
<a href="https://twitter.com/github" title="GitHub on Twitter" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 273.5 222.3" class="d-block" height="18">
<path
d="M273.5 26.3a109.77 109.77 0 0 1-32.2 8.8 56.07 56.07 0 0 0 24.7-31 113.39 113.39 0 0 1-35.7 13.6 56.1 56.1 0 0 0-97 38.4 54 54 0 0 0 1.5 12.8A159.68 159.68 0 0 1 19.1 10.3a56.12 56.12 0 0 0 17.4 74.9 56.06 56.06 0 0 1-25.4-7v.7a56.11 56.11 0 0 0 45 55 55.65 55.65 0 0 1-14.8 2 62.39 62.39 0 0 1-10.6-1 56.24 56.24 0 0 0 52.4 39 112.87 112.87 0 0 1-69.7 24 119 119 0 0 1-13.4-.8 158.83 158.83 0 0 0 86 25.2c103.2 0 159.6-85.5 159.6-159.6 0-2.4-.1-4.9-.2-7.3a114.25 114.25 0 0 0 28.1-29.1"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3">
<a href="https://www.facebook.com/GitHub" title="GitHub on Facebook" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 15.3 15.4" class="d-block" height="18">
<path
d="M14.5 0H.8a.88.88 0 0 0-.8.9v13.6a.88.88 0 0 0 .8.9h7.3v-6h-2V7.1h2V5.4a2.87 2.87 0 0 1 2.5-3.1h.5a10.87 10.87 0 0 1 1.8.1v2.1h-1.3c-1 0-1.1.5-1.1 1.1v1.5h2.3l-.3 2.3h-2v5.9h3.9a.88.88 0 0 0 .9-.8V.8a.86.86 0 0 0-.8-.8z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3">
<a href="https://www.youtube.com/github" title="GitHub on YouTube" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.17 13.6" class="d-block" height="16">
<path
d="M18.77 2.13A2.4 2.4 0 0 0 17.09.42C15.59 0 9.58 0 9.58 0a57.55 57.55 0 0 0-7.5.4A2.49 2.49 0 0 0 .39 2.13 26.27 26.27 0 0 0 0 6.8a26.15 26.15 0 0 0 .39 4.67 2.43 2.43 0 0 0 1.69 1.71c1.52.42 7.5.42 7.5.42a57.69 57.69 0 0 0 7.51-.4 2.4 2.4 0 0 0 1.68-1.71 25.63 25.63 0 0 0 .4-4.67 24 24 0 0 0-.4-4.69zM7.67 9.71V3.89l5 2.91z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3 flex-self-start">
<a href="https://www.linkedin.com/company/github" title="GitHub on Linkedin" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19 18" class="d-block" height="18">
<path
d="M3.94 2A2 2 0 1 1 2 0a2 2 0 0 1 1.94 2zM4 5.48H0V18h4zm6.32 0H6.34V18h3.94v-6.57c0-3.66 4.77-4 4.77 0V18H19v-7.93c0-6.17-7.06-5.94-8.72-2.91z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li>
<a href="https://github.com/github" title="GitHub's organization" style="color: #959da5;">
<svg version="1.1" width="20" height="20" viewBox="0 0 16 16" class="octicon octicon-mark-github"
aria-hidden="true">
<path fill-rule="evenodd"
d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z">
</path>
</svg>
</a>
</li>
</ul>
<ul class="list-style-none d-flex text-gray">
<li class="mr-3">&copy;
<script type="text/javascript">document.write(new Date().getFullYear());</script> GitHub, Inc.</li>
<li class="mr-3"><a
href="https://docs.github.com/github/site-policy/github-terms-of-service"
class="link-gray">Terms </a></li>
<li><a href="https://docs.github.com/github/site-policy/github-privacy-statement"
class="link-gray">Privacy </a></li>
</ul>
</div>
</div>
</main>
<script type="text/javascript">
$(document).ready(function () {
$(".toggle > *").hide();
$(".toggle .name").show();
$(".toggle .name").click(function () {
$(this).parent().children().not(".name").toggle(400);
$(this).parent().children(".name").toggleClass("open");
})
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink