Associate endpoints with their potential endpoint types and check these when determining candidates.

This prevents us from associating a sink candidate with a source type and vice versa. However, this does not fix the problem of negative characteristics for sink types excluding source candidates.
2025-12-21 19:26:31 +01:00 · 2024-01-11 11:34:40 +00:00
parent a6d996b478
commit 03ca244df2
3 changed files with 31 additions and 4 deletions
--- a/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll
+++ b/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll
@@ -96,6 +96,18 @@ abstract private class ApplicationModeEndpoint extends TApplicationModeEndpoint
      else none() // if both exist, it would be a summaryModel (not yet supported)
  }

+  /**
+   * Gets a potential type of this endpoint to make sure that sources are
+   * associated with source types and sinks with sink types.
+   */
+  AutomodelEndpointTypes::EndpointType getAPotentialType() {
+    this.getExtensibleType() = "sourceModel" and
+    result instanceof AutomodelEndpointTypes::SourceType
+    or
+    this.getExtensibleType() = "sinkModel" and
+    result instanceof AutomodelEndpointTypes::SinkType
+  }
+
  abstract string toString();
 }

--- a/java/ql/automodel/src/AutomodelFrameworkModeCharacteristics.qll
+++ b/java/ql/automodel/src/AutomodelFrameworkModeCharacteristics.qll
@@ -90,6 +90,18 @@ abstract class FrameworkModeEndpoint extends TFrameworkModeEndpoint {

  abstract string getExtensibleType();

+  /**
+   * Gets a potential type of this endpoint to make sure that sources are
+   * associated with source types and sinks with sink types.
+   */
+  AutomodelEndpointTypes::EndpointType getAPotentialType() {
+    this.getExtensibleType() = "sourceModel" and
+    result instanceof AutomodelEndpointTypes::SourceType
+    or
+    this.getExtensibleType() = "sinkModel" and
+    result instanceof AutomodelEndpointTypes::SinkType
+  }
+
  string toString() { result = this.asTop().toString() }

  Location getLocation() { result = this.asTop().getLocation() }
--- a/java/ql/automodel/src/AutomodelSharedCharacteristics.qll
+++ b/java/ql/automodel/src/AutomodelSharedCharacteristics.qll
@@ -16,7 +16,9 @@ signature module CandidateSig {
   * An endpoint is a potential candidate for modeling. This will typically be bound to the language's
   * DataFlow node class, or a subtype thereof.
   */
-  class Endpoint;
+  class Endpoint {
+    EndpointType getAPotentialType();
+  }

  /**
   * A related location for an endpoint. This will typically be bound to the supertype of all AST nodes (eg., `Top`).
@@ -122,9 +124,10 @@ module SharedCharacteristics<CandidateSig Candidate> {
   *
   * A candidate is an endpoint that cannot be excluded from `endpointType` based on its characteristics.
   */
-  predicate isCandidate(Candidate::Endpoint candidateSink, Candidate::EndpointType sinkType) {
-    not sinkType instanceof Candidate::NegativeEndpointType and
-    not exists(getAnExcludingCharacteristic(candidateSink, sinkType))
+  predicate isCandidate(Candidate::Endpoint endpoint, Candidate::EndpointType endpointType) {
+    not endpointType instanceof Candidate::NegativeEndpointType and
+    endpointType = endpoint.getAPotentialType() and
+    not exists(getAnExcludingCharacteristic(endpoint, endpointType))
  }

  /**