From 04abb87fef3b9ba4c0640957a280258790a9dd59 Mon Sep 17 00:00:00 2001
From: tiferet
Date: Thu, 22 Dec 2022 15:44:48 -0800
Subject: [PATCH] Rewrite `ExtractSinkCandidatesWithFlow.ql` as a `problem` query so we can run it with `codeql database analyze` to output SARIF results.
---
 .../src/ExtractSinkCandidatesWithFlow.ql | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql b/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
index 1214cc6d002..219a7317d49 100644
--- a/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
+++ b/java/ql/experimental/adaptivethreatmodeling/src/ExtractSinkCandidatesWithFlow.ql
@@ -1,10 +1,19 @@
-/*
+/**
  * Surfaces the endpoints that pass the endpoint filters and have flow from a source for each query config, and are
- * therefore used as candidates for classifiaction with an ML model.
+ * therefore used as candidates for classification with an ML model.
  *
  * Note: This query does not actually classify the endpoints using the model.
  *
- * TODO: Produce CSV/JSON output describing these endpoints (probably just a URL for each endpoint).
+ * TODO: Produce CSV/JSON/SARIF output describing these endpoints (probably just a URL for each endpoint).
+ *
+ * @name SQL database query built from user-controlled sources (experimental)
+ * @description Building a database query from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @id java/ml-powered/sql-injection
+ * @tags experimental security
  */
 
 private import java
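Review bot: The metadata added in this hunk presents every result as a confirmed `SQL database query built from user-controlled sources` at `@problem.severity error` / `@security-severity 8.8`, while the header comment a few lines above still states that the query does not classify the endpoints with the model — it only surfaces candidates. Once this runs under `codeql database analyze`, consumers of the SARIF will see unclassified candidates rendered as high-severity SQL injection alerts; `@name` and `@description` should say so, e.g. `@name ML sink candidates with flow (experimental)` and `@description Endpoints that pass the endpoint filters and have flow from a source; not yet classified by the model.`, with the severity lowered accordingly. The `@id java/ml-powered/sql-injection` also reads like the id of the actual ML-powered SQL injection query; if that query already carries this id the two will collide in result viewers and suppression rules, so a distinct id such as `java/ml-powered/sql-injection-sink-candidates` would be safer.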
@@ -18,4 +27,4 @@ private import experimental.adaptivethreatmodeling.SqlInjectionATM as SqlInjecti
 // private import experimental.adaptivethreatmodeling.XssThroughDomATM as XssThroughDomAtm
 from DataFlow::PathNode sink
 where exists(AtmConfig::AtmConfig queryConfig | queryConfig.isSinkCandidateWithFlow(sink))
-select sink.getNode().getLocation()
+select sink.getNode(), "SQL injection sink candidate"
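Review bot: The new `select` hard-codes `"SQL injection sink candidate"` as the alert message, but the `where` clause binds `queryConfig` through an unconstrained `exists(AtmConfig::AtmConfig queryConfig | ...)`, so the alert fires for a sink candidate of any AtmConfig in scope (the commented-out XssThroughDomATM import suggests more than one is intended), and the message would then be wrong for non-SQL configs. Moving `queryConfig` into the `from` clause and deriving the message from it — or, if AtmConfig exposes no description, at least stating `"Sink candidate with flow (not classified by the model)"` — keeps the SARIF message honest about what was found. The `from`/`where`/`select` is fully inside the hunk; the imports on lines 19–26 are not, so it is unclear from here which configs actually contribute results.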