Merge pull request #12118 from michaelnebel/telemetry/performancefix

C#/Java: Materialize sink/source/summary predicates to avoid bad join order.
2025-12-28 22:56:32 +01:00 · 2023-02-09 09:39:38 +01:00
parent f2904ca29b f6a02310d3
commit 3e2bf23bfe
2 changed files with 30 additions and 20 deletions
--- a/csharp/ql/src/Telemetry/ExternalApi.qll
+++ b/csharp/ql/src/Telemetry/ExternalApi.qll
@@ -11,17 +11,19 @@ private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlow
 private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 private import semmle.code.csharp.security.dataflow.flowsources.Remote

+pragma[nomagic]
+private predicate isTestNamespace(Namespace ns) {
+  ns.getFullName()
+      .matches([
+          "NUnit.Framework%", "Xunit%", "Microsoft.VisualStudio.TestTools.UnitTesting%", "Moq%"
+        ])
+}
+
 /**
 * A test library.
 */
 class TestLibrary extends RefType {
-  TestLibrary() {
-    this.getNamespace()
-        .getFullName()
-        .matches([
-            "NUnit.Framework%", "Xunit%", "Microsoft.VisualStudio.TestTools.UnitTesting%", "Moq%"
-          ])
-  }
+  TestLibrary() { isTestNamespace(this.getNamespace()) }
 }

 /** Holds if the given callable is not worth supporting. */
@@ -85,6 +87,7 @@ class ExternalApi extends DotNet::Callable {
  }

  /** Holds if this API has a supported summary. */
+  pragma[nomagic]
  predicate hasSummary() {
    this instanceof SummarizedCallable
    or
@@ -92,11 +95,13 @@ class ExternalApi extends DotNet::Callable {
  }

  /** Holds if this API is a known source. */
+  pragma[nomagic]
  predicate isSource() {
    this.getAnOutput() instanceof RemoteFlowSource or sourceNode(this.getAnOutput(), _)
  }

  /** Holds if this API is a known sink. */
+  pragma[nomagic]
  predicate isSink() { sinkNode(this.getAnInput(), _) }

  /** Holds if this API is supported by existing CodeQL libraries, that is, it is either a recognized source or sink or has a flow summary. */
--- a/java/ql/src/Telemetry/ExternalApi.qll
+++ b/java/ql/src/Telemetry/ExternalApi.qll
@@ -8,23 +8,25 @@ private import semmle.code.java.dataflow.FlowSummary
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
 private import semmle.code.java.dataflow.TaintTracking

+pragma[nomagic]
+private predicate isTestPackage(Package p) {
+  p.getName()
+      .matches([
+          "org.junit%", "junit.%", "org.mockito%", "org.assertj%",
+          "com.github.tomakehurst.wiremock%", "org.hamcrest%", "org.springframework.test.%",
+          "org.springframework.mock.%", "org.springframework.boot.test.%", "reactor.test%",
+          "org.xmlunit%", "org.testcontainers.%", "org.opentest4j%", "org.mockserver%",
+          "org.powermock%", "org.skyscreamer.jsonassert%", "org.rnorth.visibleassertions",
+          "org.openqa.selenium%", "com.gargoylesoftware.htmlunit%", "org.jboss.arquillian.testng%",
+          "org.testng%"
+        ])
+}
+
 /**
 * A test library.
 */
 private class TestLibrary extends RefType {
-  TestLibrary() {
-    this.getPackage()
-        .getName()
-        .matches([
-            "org.junit%", "junit.%", "org.mockito%", "org.assertj%",
-            "com.github.tomakehurst.wiremock%", "org.hamcrest%", "org.springframework.test.%",
-            "org.springframework.mock.%", "org.springframework.boot.test.%", "reactor.test%",
-            "org.xmlunit%", "org.testcontainers.%", "org.opentest4j%", "org.mockserver%",
-            "org.powermock%", "org.skyscreamer.jsonassert%", "org.rnorth.visibleassertions",
-            "org.openqa.selenium%", "com.gargoylesoftware.htmlunit%",
-            "org.jboss.arquillian.testng%", "org.testng%"
-          ])
-  }
+  TestLibrary() { isTestPackage(this.getPackage()) }
 }

 private string containerAsJar(Container container) {
@@ -74,16 +76,19 @@ class ExternalApi extends Callable {
  }

  /** Holds if this API has a supported summary. */
+  pragma[nomagic]
  predicate hasSummary() {
    this = any(SummarizedCallable sc).asCallable() or
    TaintTracking::localAdditionalTaintStep(this.getAnInput(), _)
  }

+  pragma[nomagic]
  predicate isSource() {
    this.getAnOutput() instanceof RemoteFlowSource or sourceNode(this.getAnOutput(), _)
  }

  /** Holds if this API is a known sink. */
+  pragma[nomagic]
  predicate isSink() { sinkNode(this.getAnInput(), _) }

  /** Holds if this API is supported by existing CodeQL libraries, that is, it is either a recognized source or sink or has a flow summary. */