hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14207 from github/felicitymay-11595-VS-code-docs

Browse Source 
Updates to the Java and VS Code docs
This commit is contained in:
Felicity Chapman
2023-09-18 18:35:58 +01:00
committed by GitHub
parent 8dd7602dff 7ed4f5b292
commit 31b0c423a4
17 changed files with 679 additions and 451 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/codeql/codeql-for-visual-studio-code/index.rst
View File

@@ -37,7 +37,10 @@ The CodeQL extension for Visual Studio Code adds rich language support for CodeQ
CodeQL queries using the Visual Studio Code extension.
- :doc:`Working with CodeQL packs in Visual Studio Code
<working-with-codeql-packs-in-visual-studio-code>`: You can view and edit CodeQL packs in Visual Studio Code.
<working-with-codeql-packs-in-visual-studio-code>`: You can view, create, and edit all types of CodeQL pack in Visual Studio Code.
- :doc:`Using the CodeQL model editor
<using-the-codeql-model-editor>`: You can view, create, and edit CodeQL model packs using a dedicated editor.
- :doc:`Customizing settings
<customizing-settings>`: You can edit the settings for the
@@ -67,6 +70,7 @@ The CodeQL extension for Visual Studio Code adds rich language support for CodeQ
running-codeql-queries-at-scale-with-mrva
testing-codeql-queries-in-visual-studio-code
working-with-codeql-packs-in-visual-studio-code
using-the-codeql-model-editor
customizing-settings
troubleshooting-codeql-for-visual-studio-code
troubleshooting-variant-analysis

2
docs/codeql/codeql-for-visual-studio-code/setting-up-codeql-in-visual-studio-code.rst
View File

@@ -74,6 +74,8 @@ To use the starter workspace:
#. In VS Code, use the **File** > **Open Workspace** option to open the ``vscode-codeql-starter.code-workspace`` file from your checkout of the workspace repository.
Remember to update the ``ql`` submodule in the starter workspace periodically to ensure that it remains compatible with newer versions of the VS Code extension and the CodeQL CLI.
.. _existing-workspace:
Updating an existing workspace for CodeQL

139
docs/codeql/codeql-for-visual-studio-code/using-the-codeql-model-editor.rst Normal file
View File

@@ -0,0 +1,139 @@
:tocdepth: 1
.. _using-the-codeql-model-editor:
Using the CodeQL model editor
=============================
.. include:: ../reusables/beta-note-model-pack-editor-vsc.rst
You can view, write, and edit CodeQL packs in Visual Studio Code using the CodeQL extension. The model editor is designed to help you model external dependencies of your codebase that are not supported by the standard CodeQL Libraries.
About the CodeQL model editor
-----------------------------
The CodeQL model editor guides you through modeling the calls to external dependencies in your application or fully modeling all the public entry and exit points in an external dependency.
When you open the model editor, it analyzes the currently selected CodeQL database and identifies where the application uses external APIs and all public methods. An external (or third party) API is any API that is not part of the CodeQL database you have selected.
The model editor has two different modes:
- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for the specific codebase.
- Dependency mode: The editor identifies all of the publicly accessible APIs in the selected CodeQL database. This view guides you through modeling each public API that the codebase makes available. When you have finished modeling the entire API, you can save the model and use it to improve the CodeQL analysis for all codebases that use the dependency.
Displaying the CodeQL model editor
----------------------------------
#. Open your CodeQL workspace in VS Code, for example, the ``vscode-codeql-starter`` workspace.
If you haven't updated the ``ql`` submodule for a while, update it from ``main`` to ensure that you have the queries used to gather data for the model editor.
#. Open the CodeQL extension and select the CodeQL database that you want to model from the "Databases" section of the left side pane.
#. Use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
#. The CodeQL model editor will open in a new tab and run a series of telemetry queries to identify APIs in the code.
#. When the queries are complete, the APIs that have been identified are shown in the editor.
Modeling the calls your codebase makes to external APIs
-------------------------------------------------------
You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is usually when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
#. Select the CodeQL database that you want to improve CodeQL coverage for.
#. Display the CodeQL model editor. By default the editor runs in application mode, so the list of external APIs used by the selected codebase is shown.
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode.png
:width: 800
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the external frameworks used by the "sofa-jraft" codebase.
#. Click to expand an external API and view the list of calls from the codebase to the external dependency.
#. Click **View** associated with an API call or method to show where it is used in your codebase.
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode-expanded.png
:width: 800
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing the calls to the "rocksdbjni" framework ready for modeling. The "View" option for the first call is highlighted with a dark orange outline.
#. When you have determined how to model the call or method, define the **Model type**.
#. The remaining fields are updated with available options:
- **Source**: choose the **Output** element to model.
- **Sink**: choose the **Input** element to model.
- **Flow summary**: choose the **Input** and **Output** elements to model.
#. Define the **Kind** of dataflow for the model.
#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
The models are stored in a series of YAML data extension files, one for each external API. For example:
.. code-block:: none
.github/codeql/extensions/sofa-jraft-java # the model pack directory
models
jmh-core.model.yml # models calls to jmh-core@1.20
rocksdbjni.model.yml # models calls to rocksdbjni@7.7.3
Modeling the public API of a codebase
-------------------------------------
You typically use this method when you want to model a framework or library that your organization uses in more than one codebase. Once you have finished creating and testing the model, you can publish the CodeQL model pack to the GitHub Container Registry for your whole organization to use.
#. Select the CodeQL database that you want to model.
#. Display the CodeQL model editor. By default the editor runs in application mode. Click **Model as dependency** to display dependency mode. The screen changes to show the public API of the framework or library.
.. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode.png
:width: 800
:alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the packages published by the "sofa-jraft" codebase.
#. Click to expand a package and view the list of available methods.
#. Click **View** associated with a method to show its definition.
.. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode-expanded.png
:width: 800
:alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing the public methods available in the "com.alipay.soft.jraft.option" package ready for modeling. The "View" option for the first method is highlighted with a dark orange outline.
#. When you have determined how to model the method, define the **Model type**.
#. The remaining fields are updated with available options:
- **Source**: choose the **Output** element to model.
- **Sink**: choose the **Input** element to model.
- **Flow summary**: choose the **Input** and **Output** elements to model.
#. Define the **Kind** of dataflow for the model.
#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
The models are stored in a series of YAML data extension files, one for each public method. For example:
.. code-block:: none
.github/codeql/extensions/sofa-jraft-java # the model pack directory
models
com.alipay.sofa.jraft.option.model.yml # models public methods in package
com.alipay.sofa.jraft.rhea.options.model.yml # models public methods in package
The editor will create a separate model file for each package that you model.
Testing CodeQL model packs
--------------------------
You can test any CodeQL model packs you create in VS Code by toggling the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
- To run queries on a CodeQL database with any model packs that are stored within the ``.github/codeql/extensions`` directory of the workspace, update your ``settings.json`` file with: ``"codeQL.runningQueries.useModelPacks": all,``
- To run queries on a CodeQL database without using model packs, update your ``settings.json`` file with: ``"codeQL.runningQueries.useModelPacks": none,``
If your model is working well, you should see a difference in the results of the two different runs. If you don't see any differences in results, you may need to introduce a known bug to verify that the model behaves as expected.
Using CodeQL model packs with code scanning
-------------------------------------------
There are two methods for using CodeQL model packs with code scanning:
#. Copy the model pack directory into the ``.github/codeql/extensions`` directory of the repository. It will automatically be used by all future code scanning analysis for the repository (default setup or advanced setup).
#. Publish the model pack to the GitHub Container Registry as a CodeQL model pack. This can be downloaded and used by advanced setup for code scanning or by the CodeQL CLI running in an external CI system.
For more information, see the following articles on the GitHub Docs site:
- Default setup of code scanning: `Extending CodeQL coverage with CodeQL model packs in default setup <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup>`__
- Advanced setup of code scanning: `Extending CodeQL coverage with CodeQL model packs <https://docs.github.com//en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs>`__
- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#using-model-packs-to-analyze-calls-to-custom-dependencies>`__

40
docs/codeql/codeql-for-visual-studio-code/working-with-codeql-packs-in-visual-studio-code.rst
View File

@@ -7,33 +7,49 @@ Working with CodeQL packs in Visual Studio Code
.. include:: ../reusables/beta-note-package-management.rst
You can view CodeQL packs and write and edit queries for them in Visual Studio Code.
You can view, write, and edit all types of CodeQL packs in Visual Studio Code using the CodeQL extension.
About CodeQL packs
------------------
CodeQL packs are used to create, share, depend on, and run CodeQL queries and libraries. You can publish your own CodeQL packs and download packs created by others. For more information, see "`About CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs>`__."
You use CodeQL packs to share your expertise in query writing, CodeQL library development, and modeling dependencies with other users. The CodeQL package management system ensures that when you publish a CodeQL pack it is ready to use, without any compilation. Anything the CodeQL pack depends on is explicitly defined within the pack. You can publish your own CodeQL packs and download packs created by others. For more information, see "`About CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/codeql-cli-reference/about-codeql-packs>`__."
Using standard CodeQL packs in Visual Studio Code
--------------------------------------------------------------
There are three types of CodeQL packs, each with a specific purpose.
- Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack.
- Model packs are used to model dependencies that are not supported by the standard CodeQL libraries. When you add a model pack to your analysis, all relevant queries also recognize the sources, sinks and flow steps of the dependencies defined in the pack.
- Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.
Using the CodeQL packs shipped with the CLI in Visual Studio Code
-----------------------------------------------------------------
To install dependencies for a CodeQL pack in your Visual Studio Code workspace, run the **CodeQL: Install Pack Dependencies** command from the Command Palette and select the packs you want to install dependencies for.
You can write and run query packs that depend on the CodeQL standard libraries, without needing to check out the standard libraries in your workspace. Instead, you can install only the dependencies required by the query packs you want to use.
Creating and editing CodeQL packs in Visual Studio Code
-------------------------------------------------------
To create a new CodeQL pack, you will need to use the CodeQL CLI from a terminal, which you can do within Visual Studio Code or outside of it with the ``codeql pack init`` command. Once you create an empty pack, you can edit the ``qlpack.yml`` file or run the ``codeql pack add`` command to add dependencies or change the name or version. For more information, see "`Creating and working with CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-and-working-with-codeql-packs>`__."
Working with CodeQL query packs
-------------------------------
One of the main benefits of working with a CodeQL query pack is that all dependencies are resolved, not just those defined within the query and standard libraries.
Creating and editing CodeQL query packs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To create a new query pack, you will need to use the CodeQL CLI from a terminal, which you can do within Visual Studio Code or outside of it with the ``codeql pack init`` command. Once you create an empty pack, you can edit the ``qlpack.yml`` file or run the ``codeql pack add`` command to add dependencies or change the name or version. For detailed information, see "`Creating and working with CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/creating-and-working-with-codeql-packs>`__."
You can create or edit queries in a CodeQL pack in Visual Studio Code as you would with any CodeQL query, using the standard code editing features such as autocomplete suggestions to find elements to use from the pack's dependencies.
You can then use the CodeQL CLI to publish your pack to share with others. For more information, see "`Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs>`__."
You can then use the CodeQL CLI to publish your pack to share with others. For detailed information, see "`Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-codeql-cli/publishing-and-using-codeql-packs>`__."
Viewing CodeQL packs and their dependencies in Visual Studio Code
-----------------------------------------------------------------
To download a CodeQL pack that someone else has created, run the **CodeQL: Download Packs** command from the Command Palette.
You can download all the core CodeQL query packs, or enter the full name of a specific pack to download. For example, to download the core queries for analyzing Java or Kotlin, enter ``codeql/java-queries``.
Viewing CodeQL query packs and their dependencies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To download a query pack that someone else has created, run the **CodeQL: Download Packs** command from the Command Palette.
You can download all the core query packs, or enter the full name of a specific pack to download. For example, to download the core queries for analyzing Java and Kotlin, enter ``codeql/java-queries``.
Whether you have downloaded a CodeQL pack or created your own, you can open the ``qlpack.yml`` file in the root of a CodeQL pack directory in Visual Studio Code and view the dependencies section to see what libraries the pack depends on.
If you want to understand a query in a CodeQL pack better, you can open the query file and view the code, using the IntelliSense code editing features of Visual Studio Code. For example, if you hover over an element from a library depended on by the pack, Visual Studio Code will resolve it so you can see documentation about the element.
To view the full definition of an element of a query, you can right-click and choose **Go to Definition**. If the library pack is present within the same Visual Studio Code workspace, this will take you to the definition within the workspace. Otherwise it will take you to the definition within your package cache, the shared location where downloaded dependencies are stored, which is in your home directory by default.
Working with CodeQL model packs
-------------------------------
The CodeQL extension for Visual Studio Code includes a dedicated editor for creating and editing model packs. For information on using the model editor, see ":ref:`Using the CodeQL model editor <using-the-codeql-model-editor>`."

3
docs/codeql/codeql-language-guides/codeql-for-java.rst
View File

@@ -25,6 +25,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
javadoc
working-with-source-locations
abstract-syntax-tree-classes-for-working-with-java-programs
customizing-library-models-for-java-and-kotlin
- :doc:`Basic query for Java code <basic-query-for-java-code>`: Learn to write and run a simple CodeQL query.
@@ -45,3 +46,5 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
- :doc:`Working with source locations <working-with-source-locations>`: You can use the location of entities within Java code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem.
- :doc:`Abstract syntax tree classes for working with Java programs <abstract-syntax-tree-classes-for-working-with-java-programs>`: CodeQL has a large selection of classes for representing the abstract syntax tree of Java programs.
- :doc:`Customizing library models for Java and Kotlin <customizing-library-models-for-java-and-kotlin>`: You can model frameworks and libraries that your code base depends on using data extensions and publish them as CodeQL model packs.

4
docs/codeql/codeql-language-guides/codeql-for-javascript.rst
View File

@@ -1,7 +1,7 @@
.. _codeql-for-javascript:
CodeQL for JavaScript
=====================
CodeQL for JavaScript and TypeScript
====================================
Experiment and learn how to write effective and efficient queries for CodeQL databases generated from JavaScript codebases.

293
docs/codeql/codeql-language-guides/customizing-library-models-for-java-and-kotlin.rst Normal file
View File

@@ -0,0 +1,293 @@
.. _customizing-library-models-for-java-and-kotlin:
Customizing library models for Java and Kotlin
==============================================
You can model the methods and callables that control data flow in any framework or library. This is especially useful for custom frameworks or niche libraries, that are not supported by the standard CodeQL libraries.
.. include:: ../reusables/kotlin-beta-note.rst
.. include:: ../reusables/beta-note-model-packs-java.rst
About this article
------------------
This article contains reference material about how to define custom models for sources, sinks and flow summaries for Java dependencies in data extension files.
The best way to create your own models is using the CodeQL model editor in the CodeQL extension for Visual Studio Code. The model editor automatically guides you through the process of defining models, displaying the properties you need to define and the options available. You can save the resulting models as data extension files in CodeQL model packs and use them without worrying about the syntax.
For more information, see ":ref:`Using the CodeQL model editor <using-the-codeql-model-editor>`."
About data extensions
---------------------
You can customize analysis by defining models (summaries, sinks, and sources) of your code's dependencies in data extension files. Each model defines the behavior of one or more elements of your library or framework, such as methods and callables. When you run dataflow analysis, these models expand the potential sources and sinks tracked by dataflow analysis and improve the precision of results.
Most of the security queries search for paths from a source of untrusted input to a sink that represents a vulnerability. This is known as taint tracking. Each source is a starting point for dataflow analysis to track tainted data and each sink is an end point.
Taint tracking queries also need to know how data can flow through elements that are not included in the source code. These are modeled as summaries. A summary model enables queries to synthesize the flow behavior through elements in dependency code that is not stored in your repository.
Syntax used to define an element in an extension file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Each model of an element is defined using a data extension where each tuple constitutes a model.
A data extension file to extend the standard Java queries included with CodeQL is a YAML file with the form:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: <name of extensible predicate>
data:
- <tuple1>
- <tuple2>
- ...
Each YAML file may contain one or more top-level extensions.
- ``addsTo`` defines the CodeQL pack name and extensible predicate that the extension is injected into.
- ``data`` defines one or more rows of tuples that are injected as values into the extensible predicate. The number of columns and their types must match the definition of the extensible predicate.
Data extensions use union semantics, which means that the tuples of all extensions for a single extensible predicate are combined, duplicates are removed, and all of the remaining tuples are queryable by referencing the extensible predicate.
Publish data extension files in a CodeQL model pack to share
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can group one or more data extention files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see "`Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack/>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
Extensible predicates used to create custom models in Java and Kotlin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The CodeQL library for Java and Kotlin analysis exposes the following extensible predicates:
- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data.
- ``sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)``. This is used to model sinks where tainted data maybe used in a way that makes the code vulnerable.
- ``summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)``. This is used to model flow through elements.
- ``neutralModel(package, type, name, signature, kind, provenance)``. This is similar to a summary model but used to model the flow of values that have only a minor impact on the dataflow analysis.
The extensible predicates are populated using the models defined in data extension files.
Examples of custom model definitions
------------------------------------
The examples in this section are taken from the standard CodeQL Java query pack published by GitHub. They demonstrate how to add tuples to extend extensible predicates that are used by the standard queries.
Example: Taint sink in the ``java.sql`` package
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This example shows how the Java query pack models the argument of the ``execute`` method as a SQL injection sink.
This is the ``execute`` method in the ``Statement`` class, which is located in the ``java.sql`` package.
.. code-block:: java
public static void taintsink(Connection conn, String query) throws SQLException {
Statement stmt = conn.createStatement();
stmt.execute(query); // The argument to this method is a SQL injection sink.
}
We need to add a tuple to the ``sinkModel``\(package, type, subtypes, name, signature, ext, input, kind, provenance) extensible predicate by updating a data extension file.
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["java.sql", "Statement", True, "execute", "(String)", "", "Argument[0]", "sql-injection", "manual"]
Since we want to add a new sink, we need to add a tuple to the ``sinkModel`` extensible predicate.
The first five values identify the callable (in this case a method) to be modeled as a sink.
- The first value ``java.sql`` is the package name.
- The second value ``Statement`` is the name of the class (type) that contains the method.
- The third value ``True`` is a flag that indicates whether or not the sink also applies to all overrides of the method.
- The fourth value ``execute`` is the method name.
- The fifth value ``(String)`` is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the sink.
- The seventh value ``Argument[0]`` is the ``access path`` to the first argument passed to the method, which means that this is the location of the sink.
- The eighth value ``sql-injection`` is the kind of the sink. The sink kind is used to define the queries where the sink is in scope. In this case - the SQL injection queries.
- The ninth value ``manual`` is the provenance of the sink, which is used to identify the origin of the sink.
Example: Taint source from the ``java.net`` package
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This example shows how the Java query pack models the return value from the ``getInputStream`` method as a ``remote`` source.
This is the ``getInputStream`` method in the ``Socket`` class, which is located in the ``java.net`` package.
.. code-block:: java
public static void tainted(Socket socket) throws IOException {
InputStream stream = socket.getInputStream(); // The return value of this method is a remote source of taint.
...
}
We need to add a tuple to the ``sourceModel``\(package, type, subtypes, name, signature, ext, output, kind, provenance) extensible predicate by updating a data extension file.
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
Since we are adding a new source, we need to add a tuple to the ``sourceModel`` extensible predicate.
The first five values identify the callable (in this case a method) to be modeled as a source.
- The first value ``java.net`` is the package name.
- The second value ``Socket`` is the name of the class (type) that contains the source.
- The third value ``False`` is a flag that indicates whether or not the source also applies to all overrides of the method.
- The fourth value ``getInputStream`` is the method name.
- The fifth value ``()`` is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the source.
- The seventh value ``ReturnValue`` is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
- The eighth value ``remote`` is the kind of the source. The source kind is used to define the queries where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources.
- The ninth value ``manual`` is the provenance of the source, which is used to identify the origin of the source.
Example: Add flow through the ``concat`` method
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This example shows how the Java query pack models flow through a method for a simple case.
This pattern covers many of the cases where we need to summarize flow through a method that is stored in a library or framework outside the repository.
.. code-block:: java
public static void taintflow(String s1, String s2) {
String t = s1.concat(s2); // There is taint flow from s1 and s2 to t.
...
}
We need to add tuples to the ``summaryModel``\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate by updating a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.lang", "String", False, "concat", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
Since we are adding flow through a method, we need to add tuples to the ``summaryModel`` extensible predicate.
Each tuple defines flow from one argument to the return value.
The first row defines flow from the qualifier (``s1`` in the example) to the return value (``t`` in the example) and the second row defines flow from the first argument (``s2`` in the example) to the return value (``t`` in the example).
The first five values identify the callable (in this case a method) to be modeled as a summary.
These are the same for both of the rows above as we are adding two summaries for the same method.
- The first value ``java.lang`` is the package name.
- The second value ``String`` is the class (type) name.
- The third value ``False`` is a flag that indicates whether or not the summary also applies to all overrides of the method.
- The fourth value ``concat`` is the method name.
- The fifth value ``(String)`` is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the summary.
- The seventh value is the access path to the input (where data flows from). ``Argument[this]`` is the access path to the qualifier (``s1`` in the example) and ``Argument[0]`` is the access path to the first argument (``s2`` in the example).
- The eighth value ``ReturnValue`` is the access path to the output (where data flows to), in this case ``ReturnValue``, which means that the input flows to the return value.
- The ninth value ``taint`` is the kind of the flow. ``taint`` means that taint is propagated through the call.
- The tenth value ``manual`` is the provenance of the summary, which is used to identify the origin of the summary.
Example: Add flow through the ``map`` method
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This example shows how the Java query pack models a more complex flow through a method.
Here we model flow through higher order methods and collection types.
.. code-block:: java
public static void taintflow(Stream<String> s) {
Stream<String> l = s.map(e -> e.concat("\n"));
...
}
We need to add tuples to the ``summaryModel``\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate by updating a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"]
Since we are adding flow through a method, we need to add tuples to the ``summaryModel`` extensible predicate.
Each tuple defines part of the flow that comprises the total flow through the ``map`` method.
The first five values identify the callable (in this case a method) to be modeled as a summary.
These are the same for both of the rows above as we are adding two summaries for the same method.
- The first value ``java.util.stream`` is the package name.
- The second value ``Stream`` is the class (type) name.
- The third value ``True`` is a flag that indicates whether or not the summary also applies to all overrides of the method.
- The fourth value ``map`` is the method name.
- The fifth value ``Function`` is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the summary definition.
- The seventh value is the access path to the ``input`` (where data flows from).
- The eighth value is the access path to the ``output`` (where data flows to).
For the first row:
- The seventh value is ``Argument[this].Element``, which is the access path to the elements of the qualifier (the elements of the stream ``s`` in the example).
- The eight value is ``Argument[0].Parameter[0]``, which is the access path to the first parameter of the ``Function`` argument of ``map`` (the lambda parameter ``e`` in the example).
For the second row:
- The seventh value is ``Argument[0].ReturnValue``, which is the access path to the return value of the ``Function`` argument of ``map`` (the return value of the lambda in the example).
- The eighth value is ``ReturnValue.Element``, which is the access path to the elements of the return value of ``map`` (the elements of the stream ``l`` in the example).
For the remaining values for both rows:
- The ninth value ``value`` is the kind of the flow. ``value`` means that the value is preserved.
- The tenth value ``manual`` is the provenance of the summary, which is used to identify the origin of the summary.
That is, the first row specifies that values can flow from the elements of the qualifier stream into the first argument of the function provided to ``map``. The second row specifies that values can flow from the return value of the function to the elements of the stream returned from ``map``.
Example: Add a ``neutral`` method
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This example shows how the Java query pack models the ``now`` method as being neutral with respect to flow.
A neutral model is used to define that there is no flow through a method.
.. code-block:: java
public static void taintflow() {
Instant t = Instant.now(); // There is no flow from now to t.
...
}
We need to add a tuple to the ``neutralModel``\(package, type, name, signature, kind, provenance) extensible predicate by updating a data extension file.
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.time", "Instant", "now", "()", "summary", "manual"]
Since we are adding a neutral model, we need to add tuples to the ``neutralModel`` extensible predicate.
The first four values identify the callable (in this case a method) to be modeled as a neutral, the fifth value is the kind, and the sixth value is the provenance (origin) of the neutral.
- The first value ``java.time`` is the package name.
- The second value ``Instant`` is the class (type) name.
- The third value ``now`` is the method name.
- The fourth value ``()`` is the method input type signature.
- The fifth value ``summary`` is the kind of the neutral.
- The sixth value ``manual`` is the provenance of the neutral.

435
docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst
View File

@@ -1,435 +0,0 @@
.. _customizing-library-models-for-java:
:orphan:
:nosearch:
Customizing Library Models for Java
===================================
.. include:: ../reusables/beta-note-customizing-library-models.rst
The Java analysis can be customized by adding library models (summaries, sinks and sources) in data extension files.
A model is a definition of a behavior of a library element, such as a method, that is used to improve the data flow analysis precision by identifying more results.
Most of the security related queries are taint tracking queries that try to find paths from a source of untrusted input to a sink that represents a vulnerability. Sources are the starting points of a taint tracking data flow analysis, and sinks are the end points of a taint tracking data flow analysis.
Furthermore, the taint tracking queries also need to know how data can flow through elements that are not included in the source code. These are named summaries: they are models of elements that allow us to synthesize the elements flow behavior without having them in the source code. This is especially helpful when using a third party (or the standard) library.
The models are defined using data extensions where each tuple constitutes a model.
A data extension file for Java is a YAML file in the form:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: <name of extensible predicate>
data:
- <tuple1>
- <tuple2>
- ...
Data extensions contribute to the extensible predicates defined in the CodeQL library. For more information on how to define data extensions and extensible predicates as well as how to wire them up, see the :ref:`data-extensions` documentation.
The CodeQL library for Java exposes the following extensible predicates:
- **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance). This is used for **source** models.
- **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance). This is used for **sink** models.
- **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance). This is used for **summary** models.
- **neutralModel**\(package, type, name, signature, kind, provenance). This is used for **neutral** models, which only have minor impact on the data flow analysis.
The extensible predicates are populated using data extensions specified in YAML files.
In the sections below, we will provide examples of how to add tuples to the different extensible predicates.
The extensible predicates are used to customize and improve the existing data flow queries, by providing sources, sinks, and flow through (summaries) for library elements.
The :ref:`reference-material` section will provide details on the *mini DSLs* that define models for each extensible predicate.
Example: Taint sink in the **java.sql** package
------------------------------------------------
In this example we will show how to model the argument of the **execute** method as a SQL injection sink.
This is the **execute** method in the **Statement** class, which is located in the **java.sql** package.
Note that this sink is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintsink(Connection conn, String query) throws SQLException {
Statement stmt = conn.createStatement();
stmt.execute(query); // The argument to this method is a SQL injection sink.
}
We need to add a tuple to the **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["java.sql", "Statement", True, "execute", "(String)", "", "Argument[0]", "sql", "manual"]
Since we are adding a new sink, we need to add a tuple to the **sinkModel** extensible predicate.
The first five values identify the callable (in this case a method) to be modeled as a sink.
- The first value **java.sql** is the package name.
- The second value **Statement** is the name of the class (type) that contains the method.
- The third value **True** is a flag that indicates whether or not the sink also applies to all overrides of the method.
- The fourth value **execute** is the method name.
- The fifth value **(String)** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the sink.
- The seventh value **Argument[0]** is the **access path** to the first argument passed to the method, which means that this is the location of the sink.
- The eighth value **sql** is the kind of the sink. The sink kind is used to define the queries where the sink is in scope. In this case - the SQL injection queries.
- The ninth value **manual** is the provenance of the sink, which is used to identify the origin of the sink.
Example: Taint source from the **java.net** package
----------------------------------------------------
In this example we show how to model the return value from the **getInputStream** method as a **remote** source.
This is the **getInputStream** method in the **Socket** class, which is located in the **java.net** package.
Note that this source is already added to the CodeQL Java analysis.
.. code-block:: java
public static void tainted(Socket socket) throws IOException {
InputStream stream = socket.getInputStream(); // The return value of this method is a remote source of taint.
...
}
We need to add a tuple to the **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["java.net", "Socket", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
Since we are adding a new source, we need to add a tuple to the **sourceModel** extensible predicate.
The first five values identify the callable (in this case a method) to be modeled as a source.
- The first value **java.net** is the package name.
- The second value **Socket** is the name of the class (type) that contains the source.
- The third value **False** is a flag that indicates whether or not the source also applies to all overrides of the method.
- The fourth value **getInputStream** is the method name.
- The fifth value **()** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the source.
- The seventh value **ReturnValue** is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
- The eighth value **remote** is the kind of the source. The source kind is used to define the queries where the source is in scope. **remote** applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses **remote** sources.
- The ninth value **manual** is the provenance of the source, which is used to identify the origin of the source.
Example: Add flow through the **concat** method
------------------------------------------------
In this example we show how to model flow through a method for a simple case.
This pattern covers many of the cases where we need to define flow through a method.
Note that the flow through the **concat** method is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintflow(String s1, String s2) {
String t = s1.concat(s2); // There is taint flow from s1 and s2 to t.
...
}
We need to add tuples to the **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.lang", "String", False, "concat", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
Reasoning:
Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
Each tuple defines flow from one argument to the return value.
The first row defines flow from the qualifier (**s1** in the example) to the return value (**t** in the example) and the second row defines flow from the first argument (**s2** in the example) to the return value (**t** in the example).
The first five values identify the callable (in this case a method) to be modeled as a summary.
These are the same for both of the rows above as we are adding two summaries for the same method.
- The first value **java.lang** is the package name.
- The second value **String** is the class (type) name.
- The third value **False** is a flag that indicates whether or not the summary also applies to all overrides of the method.
- The fourth value **concat** is the method name.
- The fifth value **(String)** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary.
- The seventh value is the access path to the input (where data flows from). **Argument[this]** is the access path to the qualifier (**s1** in the example) and **Argument[0]** is the access path to the first argument (**s2** in the example).
- The eighth value **ReturnValue** is the access path to the output (where data flows to), in this case **ReturnValue**, which means that the input flows to the return value.
- The ninth value **taint** is the kind of the flow. **taint** means that taint is propagated through the call.
- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
Example: Add flow through the **map** method
---------------------------------------------
In this example, we will see a more complex example of modeling flow through a method.
This pattern shows how to model flow through higher order methods and collection types.
Note that the flow through the **map** method is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintflow(Stream<String> s) {
Stream<String> l = s.map(e -> e.concat("\n"));
...
}
To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
- ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"]
Since we are adding flow through a method, we need to add tuples to the **summaryModel** extensible predicate.
Each tuple defines part of the flow that comprises the total flow through the **map** method.
The first five values identify the callable (in this case a method) to be modeled as a summary.
These are the same for both of the rows above as we are adding two summaries for the same method.
- The first value **java.util.stream** is the package name.
- The second value **Stream** is the class (type) name.
- The third value **True** is a flag that indicates whether or not the summary also applies to all overrides of the method.
- The fourth value **map** is the method name.
- The fifth value **Function** is the method input type signature.
The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the **access path**, the **kind**, and the **provenance** (origin) of the summary definition.
- The seventh value is the access path to the **input** (where data flows from).
- The eighth value is the access path to the **output** (where data flows to).
For the first row:
- The seventh value is **Argument[this].Element**, which is the access path to the elements of the qualifier (the elements of the stream **s** in the example).
- The eight value is **Argument[0].Parameter[0]**, which is the access path to the first parameter of the **Function** argument of **map** (the lambda parameter **e** in the example).
For the second row:
- The seventh value is **Argument[0].ReturnValue**, which is the access path to the return value of the **Function** argument of **map** (the return value of the lambda in the example).
- The eighth value is **ReturnValue.Element**, which is the access path to the elements of the return value of **map** (the elements of the stream **l** in the example).
For the remaining values for both rows:
- The ninth value **value** is the kind of the flow. **value** means that the value is preserved.
- The tenth value **manual** is the provenance of the summary, which is used to identify the origin of the summary.
That is, the first row models that there is value flow from the elements of the qualifier stream into the first argument of the function provided to **map** and the second row models that there is value flow from the return value of the function to the elements of the stream returned from **map**.
Example: Add a **neutral** method
----------------------------------
In this example we will show how to model the **now** method as being neutral with respect to flow.
A neutral model is used to define that there is no flow through a method.
Note that the neutral model for the **now** method is already added to the CodeQL Java analysis.
.. code-block:: java
public static void taintflow() {
Instant t = Instant.now(); // There is no flow from now to t.
...
}
We need to add a tuple to the **neutralModel**\(package, type, name, signature, kind, provenance) extensible predicate. To do this, add the following to a data extension file:
.. code-block:: yaml
extensions:
- addsTo:
pack: codeql/java-all
extensible: neutralModel
data:
- ["java.time", "Instant", "now", "()", "summary", "manual"]
Since we are adding a neutral model, we need to add tuples to the **neutralModel** extensible predicate.
The first four values identify the callable (in this case a method) to be modeled as a neutral, the fifth value is the kind, and the sixth value is the provenance (origin) of the neutral.
- The first value **java.time** is the package name.
- The second value **Instant** is the class (type) name.
- The third value **now** is the method name.
- The fourth value **()** is the method input type signature.
- The fifth value **summary** is the kind of the neutral.
- The sixth value **manual** is the provenance of the neutral.
.. _reference-material:
Reference material
------------------
The following sections provide reference material for extensible predicates.
This includes descriptions of each of the arguments (e.g. access paths, kinds and provenance).
Extensible predicates
---------------------
Below is a description of the columns for each extensible predicate.
Sources, sinks, summaries and neutrals are commonly known as models.
The semantics of many of the columns of the extensible predicates are shared.
The shared columns are:
- **package**: Name of the package containing the element(s) to be modeled.
- **type**: Name of the type containing the element(s) to be modeled.
- **subtypes**: A boolean flag indicating whether the model should also apply to all overrides of the selected element(s).
- **name**: Name of the element (optional). If this is left blank, it means all elements matching the previous selection criteria.
- **signature**: Type signature of the selected element (optional). If this is left blank, it means all elements matching the previous selection criteria.
- **ext**: Specifies additional API-graph-like edges (mostly empty) and out of scope for this document.
- **provenance**: Provenance (origin) of the model definition.
The columns **package**, **type**, **subtypes**, **name**, and **signature** are used to select the element(s) that the model applies to.
The :ref:`access-paths` section describes how access paths are composed.
This is the most complicated part of the extensible predicates and the **mini DSL** for access paths is shared across all extensible predicates.
sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taint source. Most taint tracking queries will use all sources added to this extensible predicate regardless of their kind.
- **output**: Access path to the source, where the possibly tainted data flows from.
- **kind**: Kind of the source.
- **provenance**: Provenance (origin) of the source definition.
As most sources are used by all taint tracking queries there are only a few different source kinds.
The following source kinds are supported:
- **remote**: A remote source of possibly tainted data. This is the most common kind for a source. Sources of this kind are used for almost all taint tracking queries.
Below is an enumeration of the remaining source kinds, but they are out of scope for this documentation:
- **contentprovider**, **android-external-storage-dir**.
sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Taint sink. As opposed to source kinds, there are many different kinds of sinks as these tend to be more query specific.
- **input**: Access path to the sink, where we want to check if tainted data can flow into.
- **kind**: Kind of the sink.
The following sink kinds are supported:
- **bean-validation**: A sink that can be used for insecure bean validation, such as in calls to **ConstraintValidatorContext.buildConstraintViolationWithTemplate**.
- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **Runtime.exec**.
- **file-content-store**: A sink that can be used to control the contents of a file, such as in a **Files.write** call.
- **fragment-injection**: A sink that can be used for Android fragment injection, such as in a **FragmentTransaction.replace** call.
- **groovy-injection**: A sink that can be used for Groovy injection, such as in a **GroovyShell.evaluate** call.
- **hostname-verification**: A sink that can be used for unsafe hostname verification, such as in calls to **HttpsURLConnection.setHostnameVerifier**.
- **html-injection**: A sink that can be used for XSS via HTML injection, such as in a **ResponseStream.write** call.
- **information-leak**: A sink that can be used to leak information to an HTTP response, such as in calls to **HttpServletResponse.sendError**.
- **intent-redirection**: A sink that can be used for Android intent redirection, such as in a **Context.startActivity** call.
- **jexl-injection**: A sink that can be used for JEXL expression injection, such as in a **JexlExpression.evaluate** call.
- **jndi-injection**: A sink that can be used for JNDI injection, such as in a **Context.lookup** call.
- **js-injection**: A sink that can be used for XSS via JavaScript injection, such as in a **Webview.evaluateJavaScript** call.
- **ldap-injection**: A sink that can be used for LDAP injection, such as in a **DirContext.search** call.
- **log-injection**: A sink that can be used for log injection, such as in a **Logger.warn** call.
- **mvel-injection**: A sink that can be used for MVEL expression injection, such as in a **MVEL.eval** call.
- **ognl-injection**: A sink that can be used for OGNL injection, such as in an **Ognl.getValue** call.
- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **new FileReader**.
- **pending-intents**: A sink that can be used to send an implicit and mutable `PendingIntent` to a third party, such as in an **Activity.setResult** call.
- **request-forgery**: A sink that controls the URL of a request, such as in an **HttpRequest.newBuilder** call.
- **response-splitting**: A sink that can be used for HTTP response splitting, such as in calls to **HttpServletResponse.setHeader**.
- **sql-injection**: A sink that can be used for SQL injection, such as in a **Statement.executeQuery** call.
- **template-injection**: A sink that can be used for server side template injection, such as in a **Velocity.evaluate** call.
- **trust-boundary-violation**: A sink that can be used to cross a trust boundary, such as in a **HttpSession.setAttribute** call.
- **url-redirection**: A sink that can be used to redirect the user to a malicious URL, such as in a **Response.temporaryRedirect** call.
- **xpath-injection**: A sink that can be used for XPath injection, such as in a **XPath.evaluate** call.
- **xslt-injection**: A sink that can be used for XSLT injection, such as in a **Transformer.transform** call.
summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Flow through (summary). This extensible predicate is used to model flow through elements.
- **input**: Access path to the input of the element (where data will flow from to the output).
- **output**: Access path to the output of the element (where data will flow to from the input).
- **kind**: Kind of the flow through.
- **provenance**: Provenance (origin) of the flow through.
The following kinds are supported:
- **taint**: This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
- **value**: This means that the output equals the input or a copy of the input such that all of its properties are preserved.
neutralModel(package, type, name, signature, kind, provenance)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This extensible predicate is not typically needed externally, but included here for completeness.
It only has minor impact on the data flow analysis.
Manual neutrals are considered high confidence dispatch call targets and can reduce the number of dispatch call targets during data flow analysis (a performance optimization).
- **kind**: Kind of the neutral. For neutrals the kind can be **summary**, **source**, or **sink** to indicate that the callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
- **provenance**: Provenance (origin) of the flow through.
.. _access-paths:
Access paths
------------
The **input**, and **output** columns consist of a **.**-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.
The following components are supported:
- **Argument[**\ `n`\ **]** selects the argument at index `n` (zero-indexed).
- **Argument[**\ `this`\ **]** selects the qualifier (instance parameter).
- **Argument[**\ `n1..n2`\ **]** selects the arguments in the given range (both ends included).
- **Parameter[**\ `n`\ **]** selects the parameter at index `n` (zero-indexed).
- **Parameter[**\ `n1..n2`\ **]** selects the parameters in the given range (both ends included).
- **ReturnValue** selects the return value.
- **Field[**\ `name`\ **]** selects the field with the fully qualified name `name`.
- **SyntheticField[**\ `name`\ **]** selects the synthetic field with name `name`.
- **SyntheticGlobal[**\ `name`\ **]** selects the synthetic global with name `name`.
- **ArrayElement** selects the elements of an array.
- **Element** selects the elements of a collection-like container.
- **WithoutElement** selects a collection-like container without its elements. This is for input only.
- **WithElement** selects the elements of a collection-like container, but points to the container itself. This is for input only.
- **MapKey** selects the element keys of a map.
- **MapValue** selects the element values of a map.
Provenance
----------
The **provenance** column is used to specify the provenance (origin) of the model definition and how the model was verified.
The following values are supported:
- **manual**: The model was manually created and added to the extensible predicate.
or values in the form **origin-verification**, where origin is one of:
- **ai**: The model was generated by AI.
- **df**: The model was generated by the dataflow model generator.
- **tb**: The model was generated by the type based model generator.
- **hq**: The model was generated using a heuristic query.
and verification is one of:
- **manual**: The model was verified by a human.
- **generated**: The model was generated, but not verified by a human.
The provenance is used to distinguish between models that are manually added (or verified) to the extensible predicate and models that are automatically generated.
Furthermore, it impacts the data flow analysis in the following way:
- A **manual** model takes precedence over **generated** models. If a **manual** model exists for an element then all **generated** models are ignored.
- A **generated** model is ignored during analysis, if the source code of the element it is modeling is available.
That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available.
.. include:: ../reusables/data-extensions.rst

183
docs/codeql/codeql-language-guides/extensible-predicates.rst Normal file
View File

@@ -0,0 +1,183 @@
.. _extensible-predicates:
:orphan:
:nosearch:
Extensible predicates and their interaction with data extensions
================================================================
You can use data extensions to model the methods and callables that control dataflow in any framework or library. This is especially useful for custom frameworks or niche libraries, that are not supported by the standard CodeQL libraries.
.. include:: ../reusables/beta-note-model-packs-java.rst
About this article
------------------
This reference article describes the available inputs for the extensible predicates, including access paths, kinds, and provenance.
Sources, sinks, summaries, and neutrals are commonly known as models. These models support several shared arguments and a few model-specific arguments. The arguments populate a series of columns for each extensible predicate.
About extensible predicates
---------------------------
At a high level, there are two main components to using data extensions. The query writer defines one or more extensible predicates in their query libraries. CLI and code scanning users who want to augment these predicates supply one or more extension files whose data gets injected into the extensible predicate during evaluation. The extension files are either stored directly in the repository where the codebase to be analyzed is hosted, or downloaded as CodeQL model packs.
This example of an extensible predicate for a source is taken from the core Java libraries https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/dataflow/ExternalFlowExtensions.qll#L8-L11
.. code-block:: ql
extensible predicate sourceModel(
string package, string type, boolean subtypes, string name,
string signature, string ext, string output, string kind,
string provenance
);
An extensible predicate is a CodeQL predicate with the following restrictions:
- It uses the ``extensible`` keyword.
- It has no body.
- All predicate parameters have primitive types.
- It is not in a module.
Columns shared by all extensible predicates
-------------------------------------------
The semantics of many of the columns of the extensible predicates are shared. The columns ``package``, ``type``, ``subtypes``, ``name``, and ``signature`` define which element(s) the model applies to.
- ``package``: Name of the package containing the element(s) to be modeled.
- ``type``: Name of the type containing the element(s) to be modeled.
- ``subtypes``: A boolean flag indicating whether the model should also apply to all overrides of the selected element(s).
- ``name``: Name of the element (optional). If this is left blank, it means all elements matching the previous selection criteria.
- ``signature``: Type signature of the selected element (optional). If this is left blank, it means all elements matching the previous selection criteria.
- ``ext``: Specifies additional API-graph-like edges (mostly empty) and out of scope for this document.
- ``provenance``: Provenance (origin) of the model definition. For more information, see ":ref:`provenance`."
The sematics for access paths are also common to all extensible predicates. For more information, see ":ref:`access-paths`."
sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
------------------------------------------------------------------------------------
Taint source. Most taint tracking queries will use all sources added to this extensible predicate regardless of their kind.
- ``output``: Access path to the source, where the possibly tainted data flows from.
- ``kind``: Kind of the source.
As most sources are used by all taint tracking queries there are only a few different source kinds.
The following source kinds are supported:
- ``remote``: A remote source of possibly tainted data. This is the most common kind for a source. Sources of this kind are used for almost all taint tracking queries.
- ``contentprovider``, ``android-external-storage-dir``: These kinds are also supported but usage is advanced.
sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
---------------------------------------------------------------------------------
Taint sink. As opposed to source kinds, there are many different kinds of sinks as these tend to be more query specific.
- ``input``: Access path to the sink, where we want to check if tainted data can flow into.
- ``kind``: Kind of the sink.
The following sink kinds are supported:
- ``bean-validation``: A sink that can be used for insecure bean validation, such as in calls to ``ConstraintValidatorContext.buildConstraintViolationWithTemplate``.
- ``command-injection``: A sink that can be used to inject shell commands, such as in calls to ``Runtime.exec``.
- ``file-content-store``: A sink that can be used to control the contents of a file, such as in a ``Files.write`` call.
- ``fragment-injection``: A sink that can be used for Android fragment injection, such as in a ``FragmentTransaction.replace`` call.
- ``groovy-injection``: A sink that can be used for Groovy injection, such as in a ``GroovyShell.evaluate`` call.
- ``hostname-verification``: A sink that can be used for unsafe hostname verification, such as in calls to ``HttpsURLConnection.setHostnameVerifier``.
- ``html-injection``: A sink that can be used for XSS via HTML injection, such as in a ``ResponseStream.write`` call.
- ``information-leak``: A sink that can be used to leak information to an HTTP response, such as in calls to ``HttpServletResponse.sendError``.
- ``intent-redirection``: A sink that can be used for Android intent redirection, such as in a ``Context.startActivity`` call.
- ``jexl-injection``: A sink that can be used for JEXL expression injection, such as in a ``JexlExpression.evaluate`` call.
- ``jndi-injection``: A sink that can be used for JNDI injection, such as in a ``Context.lookup`` call.
- ``js-injection``: A sink that can be used for XSS via JavaScript injection, such as in a ``Webview.evaluateJavaScript`` call.
- ``ldap-injection``: A sink that can be used for LDAP injection, such as in a ``DirContext.search`` call.
- ``log-injection``: A sink that can be used for log injection, such as in a ``Logger.warn`` call.
- ``mvel-injection``: A sink that can be used for MVEL expression injection, such as in a ``MVEL.eval`` call.
- ``ognl-injection``: A sink that can be used for OGNL injection, such as in an ``Ognl.getValue`` call.
- ``path-injection``: A sink that can be used for path injection in a file system access, such as in calls to ``new FileReader``.
- ``pending-intents``: A sink that can be used to send an implicit and mutable `PendingIntent` to a third party, such as in an ``Activity.setResult`` call.
- ``request-forgery``: A sink that controls the URL of a request, such as in an ``HttpRequest.newBuilder`` call.
- ``response-splitting``: A sink that can be used for HTTP response splitting, such as in calls to ``HttpServletResponse.setHeader``.
- ``sql-injection``: A sink that can be used for SQL injection, such as in a ``Statement.executeQuery`` call.
- ``template-injection``: A sink that can be used for server-side template injection, such as in a ``Velocity.evaluate`` call.
- ``trust-boundary-violation``: A sink that can be used to cross a trust boundary, such as in a ``HttpSession.setAttribute`` call.
- ``url-redirection``: A sink that can be used to redirect the user to a malicious URL, such as in a ``Response.temporaryRedirect`` call.
- ``xpath-injection``: A sink that can be used for XPath injection, such as in a ``XPath.evaluate`` call.
- ``xslt-injection``: A sink that can be used for XSLT injection, such as in a ``Transformer.transform`` call.
summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)
--------------------------------------------------------------------------------------------
Flow through (summary). This extensible predicate is used to model flow through elements.
- ``input``: Access path to the input of the element (where data will flow from to the output).
- ``output``: Access path to the output of the element (where data will flow to from the input).
- ``kind``: Kind of the flow through.
The following kinds are supported:
- ``taint``: This means the output is not necessarily equal to the input, but it was derived from the input in an unrestrictive way. An attacker who controls the input will have significant control over the output as well.
- ``value``: This means that the output equals the input or a copy of the input such that all of its properties are preserved.
neutralModel(package, type, name, signature, kind, provenance)
--------------------------------------------------------------
This extensible predicate is not typically needed externally, but is included here for completeness.
It has limited impact on dataflow analysis.
Manual neutrals are considered high-confidence dispatch call targets and can reduce the number of dispatch call targets during dataflow analysis (a performance optimization).
- ``kind``: Kind of the neutral. For neutrals the kind can be ``summary``, ``source``, or ``sink`` to indicate that the callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
.. _access-paths:
Access paths
------------
The ``input``, and ``output`` columns consist of a ``.``-separated list of components, which is evaluated from left to right, with each step selecting a new set of values derived from the previous set of values.
The following components are supported:
- ``Argument[``\ `n`\ ``]`` selects the argument at index `n` (zero-indexed).
- ``Argument[``\ `this`\ ``]`` selects the qualifier (instance parameter).
- ``Argument[``\ `n1..n2`\ ``]`` selects the arguments in the given range (both ends included).
- ``Parameter[``\ `n`\ ``]`` selects the parameter at index `n` (zero-indexed).
- ``Parameter[``\ `n1..n2`\ ``]`` selects the parameters in the given range (both ends included).
- ``ReturnValue`` selects the return value.
- ``Field[``\ `name`\ ``]`` selects the field with the fully qualified name `name`.
- ``SyntheticField[``\ `name`\ ``]`` selects the synthetic field with name `name`.
- ``SyntheticGlobal[``\ `name`\ ``]`` selects the synthetic global with name `name`.
- ``ArrayElement`` selects the elements of an array.
- ``Element`` selects the elements of a collection-like container.
- ``WithoutElement`` selects a collection-like container without its elements. This is for input only.
- ``WithElement`` selects the elements of a collection-like container, but points to the container itself. This is for input only.
- ``MapKey`` selects the element keys of a map.
- ``MapValue`` selects the element values of a map.
.. _provenance:
Provenance
----------
The ``provenance`` column is used to specify the provenance (origin) of the model definition and how the model was verified.
The following values are supported.
- ``manual``: The model was manually created and added to the extensible predicate.
Values can also take the form ``ORIGIN-VERIFICATION``, where ``ORIGIN`` is one of:
- ``ai``: The model was generated by artificial intelligence (AI).
- ``df``: The model was generated by the dataflow model generator.
- ``tb``: The model was generated by the type based model generator.
- ``hq``: The model was generated using a heuristic query.
And ``VERIFICATION`` is one of:
- ``manual``: The model was verified by a human.
- ``generated``: The model was generated, but not verified by a human.
The provenance is used to distinguish between models that are manually added (or verified) to the extensible predicate and models that are automatically generated.
Furthermore, it impacts the dataflow analysis in the following way:
- A ``manual`` model takes precedence over ``generated`` models. If a ``manual`` model exists for an element then all ``generated`` models are ignored.
- A ``generated`` model is ignored during analysis, if the source code of the element it is modeling is available.
That is, generated models are less trusted than manual models and only used if neither source code nor a manual model is available.

13
docs/codeql/codeql-overview/codeql-glossary.rst
View File

@@ -34,6 +34,19 @@ A database (or CodeQL database) is a directory containing:
- log files generated during database creation, query
execution, and other operations.
.. _codeql-packs:
CodeQL packs
------------
CodeQL packs are used to create, share, depend on, and run CodeQL queries, libraries, and models. You can publish your own CodeQL packs and download packs created by others. CodeQL query packs may contain queries, library files, query suites, and metadata. CodeQL library packs include one or more CodeQL libraries. CodeQL model packs include one or more data extension files that extend the core libraries by modeling additional libraries and frameworks (dependencies of your code base).
.. _data-extensions:
Data extensions
---------------
When you want to model the sources and sinks of a custom dependency, you can create a CodeQL library (``.qll`` file) and write queries that use it, but it's usually much simpler to create a data extension file. If you model the sources and sinks in data extension, you can use this information to expand the standard queries to cover your custom dependencies. You don't need to write any new queries.
.. _dil:
DIL

BIN
docs/codeql/images/codeql-for-visual-studio-code/model-application-mode-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 149 KiB

BIN
docs/codeql/images/codeql-for-visual-studio-code/model-application-mode.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 99 KiB

BIN
docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode-expanded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

BIN
docs/codeql/images/codeql-for-visual-studio-code/model-dependency-mode.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

5
docs/codeql/reusables/beta-note-model-pack-editor-vsc.rst Normal file
View File

@@ -0,0 +1,5 @@
.. pull-quote::
Note
The CodeQL model editor and CodeQL model packs are currently in beta and subject to change. During the beta, model packs are supported only by Java/Kotlin analysis. To use this beta functionality, install the latest version of the CodeQL extension for Visual Studio Code.

5
docs/codeql/reusables/beta-note-model-packs-java.rst Normal file
View File

@@ -0,0 +1,5 @@
.. pull-quote::
Note
CodeQL model packs are currently in beta and subject to change. During the beta, model packs are supported only by Java/Kotlin analysis. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases.

2
docs/codeql/reusables/beta-note-package-management.rst
View File

@@ -2,4 +2,4 @@
Note
The CodeQL package management functionality, including CodeQL packs, is currently available as a beta release and is subject to change. During the beta release, CodeQL packs are available only using GitHub Packages - the GitHub Container registry. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases.
The CodeQL package management functionality, including all types of CodeQL pack, is currently available as a beta release and is subject to change. During the beta release, CodeQL packs are available only using GitHub Packages - the GitHub Container registry. To use this beta functionality, install the latest version of the CodeQL CLI bundle from: https://github.com/github/codeql-action/releases.