From 3987d8d374164e34a4d33ba8f8efb634b2cff851 Mon Sep 17 00:00:00 2001 From: tiferet Date: Tue, 3 Jan 2023 15:37:23 -0800 Subject: [PATCH] Small update to SafeExternalApiMethodCharacteristic --- .../adaptivethreatmodeling/EndpointCharacteristics.qll | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll index 0c87663ddff..355b94027d8 100644 --- a/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll +++ b/java/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll @@ -320,8 +320,9 @@ private class IsSanitizerCharacteristic extends NotASinkCharacteristic { } /** - * An EndpointFilterCharacteristic that indicates that an endpoint is a sanitizer for some sink type. A sanitizer can - * never be a sink. + * An EndpointFilterCharacteristic that indicates that an endpoint is an argument to a safe external API method. + * + * Based on java/ql/lib/semmle/code/java/security/ExternalAPIs.qll. * * TODO: Is this correct? */ @@ -330,7 +331,7 @@ private class SafeExternalApiMethodCharacteristic extends NotASinkCharacteristic override predicate appliesToEndpoint(DataFlow::Node n) { exists(Expr::Call call | - n.asExpr() = call.getArgument(_) and + n.asExpr() = call.getAnArgument() and call.getCallee() instanceof ExternalAPIs::SafeExternalApiMethod ) }
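Review bot: The `TODO: Is this correct?` line survives the rewritten doc comment in the first hunk, and the second hunk still equates "argument to a `SafeExternalApiMethod`" with "not a sink", which is a stronger claim than ExternalAPIs.qll makes: as far as I recall, `SafeExternalApiMethod` there is an abstract, user-extensible class listing methods whose arguments are not worth reporting as unmodeled external API calls, and its default members include purely name-based matches (e.g. any `size`/`length`/`compareTo`), so the "safe" verdict is about report noise, not about the argument being unable to reach a dangerous operation. Because it is an extension point, any project-local subclass added to quiet the external-API query will also silently drop those call arguments from sink classification in this characteristic, which is easy to miss. I would replace the TODO with ` * "Safe" here is the ExternalAPIs.qll notion (not worth reporting as an unmodeled external API call), not a guarantee that` / ` * the argument cannot be a sink; SafeExternalApiMethod is an abstract extension point, so project-specific subclasses apply here too.` and, if the characteristic is meant to be conservative, consider whether it should be a weaker hint rather than a hard `NotASinkCharacteristic`. The enclosing class `SafeExternalApiMethodCharacteristic` starts between the two hunks, outside the shown lines.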