diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index 7cf3b937ac5..1ec501a85dd 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll @@ -10,6 +10,10 @@ * `namespace; type; subtypes; name; signature; ext; input; kind` * - Summaries: * `namespace; type; subtypes; name; signature; ext; input; output; kind` + * - Barriers: + * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `namespace; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * * The interpretation of a row is similar to API-graphs with a left-to-right * reading. @@ -86,7 +90,11 @@ * value, and * - flow from the _second_ indirection of the 0th argument to the first * indirection of the return value, etc. - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false". In the future "no-exception", "not-zero", "null", "not-null" may be + * supported. + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll index 024e9cf119d..2b4264fc432 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll @@ -11,6 +11,10 @@ * `namespace; type; subtypes; name; signature; ext; input; kind; provenance` * - Summaries: * `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance` + * - Barriers: + * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `namespace; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * - Neutrals: * `namespace; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). @@ -69,14 +73,17 @@ * - "Field[f]": Selects the contents of field `f`. * - "Property[p]": Selects the contents of property `p`. * - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false", "no-exception", "not-zero", "null", "not-null". + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a * globally applicable value-preserving step. For neutrals the kind can be `summary`, * `source` or `sink` to indicate that the neutral is neutral with respect to * flow (no summary), source (is not a source) or sink (is not a sink). - * 9. The `provenance` column is a tag to indicate the origin and verification of a model. + * 10. The `provenance` column is a tag to indicate the origin and verification of a model. * The format is {origin}-{verification} or just "manual" where the origin describes * the origin of the model and verification describes how the model has been verified. * Some examples are: diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll index e1170aeda24..3812b3df449 100644 --- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll +++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll @@ -11,6 +11,10 @@ * `package; type; subtypes; name; signature; ext; input; kind; provenance` * - Summaries: * `package; type; subtypes; name; signature; ext; input; output; kind; provenance` + * - Barriers: + * `package; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `package; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * - Neutrals: * `package; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). @@ -78,7 +82,11 @@ * - "MapValue": Selects a value in a map. * - "Dereference": Selects the value referenced by a pointer. * - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false". In the future "no-exception", "not-zero", "null", "not-null" may be + * supported. + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 1536c81aa08..45db15897f7 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -11,6 +11,10 @@ * `package; type; subtypes; name; signature; ext; input; kind; provenance` * - Summaries: * `package; type; subtypes; name; signature; ext; input; output; kind; provenance` + * - Barriers: + * `package; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `package; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * - Neutrals: * `package; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). @@ -69,14 +73,17 @@ * in the given range. The range is inclusive at both ends. * - "ReturnValue": Selects the return value of a call to the selected element. * - "Element": Selects the collection elements of the selected element. - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false", "no-exception", "not-zero", "null", "not-null". + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a * globally applicable value-preserving step. For neutrals the kind can be `summary`, * `source` or `sink` to indicate that the neutral is neutral with respect to * flow (no summary), source (is not a source) or sink (is not a sink). - * 9. The `provenance` column is a tag to indicate the origin and verification of a model. + * 10. The `provenance` column is a tag to indicate the origin and verification of a model. * The format is {origin}-{verification} or just "manual" where the origin describes * the origin of the model and verification describes how the model has been verified. * Some examples are: diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll index 60fe40e716d..34bf3267522 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll @@ -10,6 +10,10 @@ * `type, path, kind` * - Summaries: * `type, path, input, output, kind` + * - Barriers: + * `type, path, kind` + * - BarrierGuards: + * `type, path, branch, kind` * - Types: * `type1, type2, path` * @@ -42,7 +46,8 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `kind` column is a tag that can be referenced from QL to determine to + * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll index 60fe40e716d..34bf3267522 100644 --- a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll +++ b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll @@ -10,6 +10,10 @@ * `type, path, kind` * - Summaries: * `type, path, input, output, kind` + * - Barriers: + * `type, path, kind` + * - BarrierGuards: + * `type, path, branch, kind` * - Types: * `type1, type2, path` * @@ -42,7 +46,8 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `kind` column is a tag that can be referenced from QL to determine to + * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll index 60fe40e716d..34bf3267522 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll @@ -10,6 +10,10 @@ * `type, path, kind` * - Summaries: * `type, path, input, output, kind` + * - Barriers: + * `type, path, kind` + * - BarrierGuards: + * `type, path, branch, kind` * - Types: * `type1, type2, path` * @@ -42,7 +46,8 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `kind` column is a tag that can be referenced from QL to determine to + * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll index 4d28dd8de81..a21d50ed8ad 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll @@ -9,6 +9,10 @@ * `path; input; kind; provenance` * - Summaries: * `path; input; output; kind; provenance` + * - Barriers: + * `path; output; kind; provenance` + * - BarrierGuards: + * `path; input; branch; kind; provenance` * * The interpretation of a row is similar to API-graphs with a left-to-right * reading. @@ -34,12 +38,15 @@ * - `Field[i]`: the `i`th element of a tuple. * - `Reference`: the referenced value. * - `Future`: the value being computed asynchronously. - * 3. The `kind` column is a tag that can be referenced from QL to determine to + * 3. The `branch` column of barrier guard models specifies which branch of the + * guard is blocking flow. It can be "true" or "false". In the future + * "no-exception", "not-zero", "null", "not-null" may be supported. + * 4. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a * globally applicable value-preserving step. - * 4. The `provenance` column is mainly used internally, and should be set to `"manual"` for + * 5. The `provenance` column is mainly used internally, and should be set to `"manual"` for * all custom models. */