Merge pull request #9553 from michaelnebel/csharp/narrowtelemetry

C#/Java: Only display 1k most relevant results for ExternalApi telemetry queries.
2026-04-26 17:25:19 +02:00 · 2022-06-22 07:35:56 +02:00
parent 9fe238f20c dc02a6e1a7
commit 2b892bc000
12 changed files with 136 additions and 24 deletions
--- a/csharp/ql/src/Telemetry/ExternalApi.qll
+++ b/csharp/ql/src/Telemetry/ExternalApi.qll
@@ -107,3 +107,36 @@ class ExternalApi extends DotNet::Callable {
  /** Holds if this API is supported by existing CodeQL libraries, that is, it is either a recognized source or sink or has a flow summary. */
  predicate isSupported() { this.hasSummary() or this.isSource() or this.isSink() }
 }
+
+/**
+ * Gets the limit for the number of results produced by a telemetry query.
+ */
+int resultLimit() { result = 1000 }
+
+/**
+ * Holds if the relevant usage count of `api` is `usages`.
+ */
+signature predicate relevantUsagesSig(ExternalApi api, int usages);
+
+/**
+ * Given a predicate to count relevant API usages, this module provides a predicate
+ * for restricting the number or returned results based on a certain limit.
+ */
+module Results<relevantUsagesSig/2 getRelevantUsages> {
+  private int getOrder(ExternalApi api) {
+    api =
+      rank[result](ExternalApi a, int usages |
+        getRelevantUsages(a, usages)
+      |
+        a order by usages desc, a.getInfo()
+      )
+  }
+
+  /**
+   * Holds if `api` is being used `usages` times and if it is
+   * in the top results (guarded by resultLimit).
+   */
+  predicate restrict(ExternalApi api, int usages) {
+    getRelevantUsages(api, usages) and getOrder(api) <= resultLimit()
+  }
+}
--- a/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
+++ b/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
@@ -10,12 +10,23 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-from int usages, string info
-where
+private predicate getRelevantUsages(string info, int usages) {
  usages =
    strictcount(DispatchCall c, ExternalApi api |
      c = api.getACall() and
      api.getInfoPrefix() = info and
      not api.isUninteresting()
    )
+}
+
+private int getOrder(string info) {
+  info =
+    rank[result](string i, int usages | getRelevantUsages(i, usages) | i order by usages desc, i)
+}
+
+from ExternalApi api, string info, int usages
+where
+  info = api.getInfoPrefix() and
+  getRelevantUsages(info, usages) and
+  getOrder(info) <= resultLimit()
 select info, usages order by usages desc
--- a/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
@@ -10,9 +10,12 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-from ExternalApi api, int usages
-where
+private predicate getRelevantUsages(ExternalApi api, int usages) {
  not api.isUninteresting() and
  api.isSink() and
  usages = strictcount(DispatchCall c | c = api.getACall())
+}
+
+from ExternalApi api, int usages
+where Results<getRelevantUsages/2>::restrict(api, usages)
 select api.getInfo() as info, usages order by usages desc
--- a/csharp/ql/src/Telemetry/SupportedExternalSources.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalSources.ql
@@ -10,9 +10,12 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-from ExternalApi api, int usages
-where
+private predicate getRelevantUsages(ExternalApi api, int usages) {
  not api.isUninteresting() and
  api.isSource() and
  usages = strictcount(DispatchCall c | c = api.getACall())
+}
+
+from ExternalApi api, int usages
+where Results<getRelevantUsages/2>::restrict(api, usages)
 select api.getInfo() as info, usages order by usages desc
--- a/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
@@ -10,9 +10,12 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-from ExternalApi api, int usages
-where
+private predicate getRelevantUsages(ExternalApi api, int usages) {
  not api.isUninteresting() and
  api.hasSummary() and
  usages = strictcount(DispatchCall c | c = api.getACall())
+}
+
+from ExternalApi api, int usages
+where Results<getRelevantUsages/2>::restrict(api, usages)
 select api.getInfo() as info, usages order by usages desc
--- a/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
+++ b/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
@@ -10,9 +10,12 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-from ExternalApi api, int usages
-where
+private predicate getRelevantUsages(ExternalApi api, int usages) {
  not api.isUninteresting() and
  not api.isSupported() and
  usages = strictcount(DispatchCall c | c = api.getACall())
+}
+
+from ExternalApi api, int usages
+where Results<getRelevantUsages/2>::restrict(api, usages)
 select api.getInfo() as info, usages order by usages desc