Java: Add some spurious source and sink model generation examples.

2026-04-22 23:35:14 +02:00 · 2024-06-14 13:41:29 +02:00
parent ed3f1e40db
commit 1185e28ea2
3 changed files with 45 additions and 0 deletions
--- a/java/ql/test/utils/modelgenerator/dataflow/CaptureSourceModels.ext.yml
+++ b/java/ql/test/utils/modelgenerator/dataflow/CaptureSourceModels.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - [ "p", "Sources", False, "source", "()", "", "ReturnValue", "test-source", "manual" ]
--- a/java/ql/test/utils/modelgenerator/dataflow/p/Sinks.java
+++ b/java/ql/test/utils/modelgenerator/dataflow/p/Sinks.java
@@ -64,4 +64,12 @@ public class Sinks {
  public void compoundPropgate(Sinks s) {
    s.fieldSink();
  }
+
+  // Not a new sink because a simple type is used in an intermediate step
+  // SPURIOUS-sink=p;Sinks;true;wrapSinkSimpleType;(String);;Argument[0];test-sink;df-generated
+  // neutral=p;Sinks;wrapSinkSimpleType;(String);summary;df-generated
+  public void wrapSinkSimpleType(String s) {
+    Boolean b = s == "hello";
+    sink(b);
+  }
 }
--- a/java/ql/test/utils/modelgenerator/dataflow/p/Sources.java
+++ b/java/ql/test/utils/modelgenerator/dataflow/p/Sources.java
@@ -8,6 +8,12 @@ import java.util.List;

 public class Sources {

+  // Defined as a source in the model file next to the test.
+  // neutral=p;Sources;source;();summary;df-generated
+  public String source() {
+    return "";
+  }
+
  // source=p;Sources;true;readUrl;(URL);;ReturnValue;remote;df-generated
  // sink=p;Sources;true;readUrl;(URL);;Argument[0];request-forgery;df-generated
  // neutral=p;Sources;readUrl;(URL);summary;df-generated
@@ -37,4 +43,28 @@ public class Sources {
    streams[0] = socket.accept().getInputStream();
    otherStreams.add(socket.accept().getInputStream());
  }
+
+  // Not a new source because a simple type is used in an intermediate step
+  // SPURIOUS-source=p;Sources;true;wrapSourceGetBool;();;ReturnValue;test-source;df-generated
+  // neutral=p;Sources;wrapSourceGetBool;();summary;df-generated
+  public Boolean wrapSourceGetBool() {
+    String s = source();
+    return s == "hello";
+  }
+
+  public class SourceReader {
+    @Override
+    public String toString() {
+      return source();
+    }
+  }
+
+  public class MyContainer<T> {
+    private T value;
+
+    // neutral=p;Sources$MyContainer;read;();summary;df-generated
+    public String read() {
+      return value.toString();
+    }
+  }
 }