add individual per-security-query counting queries

2026-04-29 18:55:14 +02:00 · 2022-05-12 13:58:10 +01:00
parent 728ccafe2b
commit 33964383d7
6 changed files with 132 additions and 0 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountCodeInjection.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountCodeInjection.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `CodeInjection` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.CodeInjectionQuery as CodeInjection
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(CodeInjection::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(CodeInjection::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountNosqlInjection.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountNosqlInjection.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `NosqlInection` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(NosqlInjection::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(NosqlInjection::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountSqlInjection.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountSqlInjection.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `SqlInection` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(SqlInjection::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(SqlInjection::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountTaintedPath.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountTaintedPath.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `TaintedPath` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.TaintedPathQuery as TaintedPath
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(TaintedPath::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(TaintedPath::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXss.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXss.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `DomBasedXss` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(DomBasedXss::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(DomBasedXss::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXssThroughDom.ql
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXssThroughDom.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `XssThroughDom` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.XssThroughDomQuery as XssThroughDom
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(XssThroughDom::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(XssThroughDom::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks