Java: Avoid low-confidence dispatch to InputStream methods

Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.
2025-12-22 19:56:32 +01:00 · 2023-07-19 11:30:44 +02:00
parent 8a46ff344a
commit 2dbbcc2413
2 changed files with 3 additions and 0 deletions
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -116,6 +116,7 @@ extensions:
      - ["java.io", "File", "isDirectory", "()", "summary", "manual"]
      - ["java.io", "File", "mkdirs", "()", "summary", "manual"]
      - ["java.io", "FileInputStream", "FileInputStream", "(File)", "summary", "manual"]
+      - ["java.io", "InputStream", "read", "()", "summary", "manual"]
      - ["java.io", "InputStream", "close", "()", "summary", "manual"]
      - ["java.io", "OutputStream", "flush", "()", "summary", "manual"]
      # The below APIs have numeric flow and are currently being stored as neutral models.
--- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -102,6 +102,8 @@ private module Dispatch {
    or
    t instanceof Interface and not t.fromSource()
    or
+    t.hasQualifiedName("java.io", "InputStream")
+    or
    t.hasQualifiedName("java.io", "Serializable")
    or
    t.hasQualifiedName("java.lang", "Iterable")