Rust: Add taint reach to rust/summary/summary-statistics.

This commit is contained in:
Geoffrey White
2025-01-14 17:57:16 +00:00
parent 7904ed965b
commit 72c62ac192
3 changed files with 38 additions and 0 deletions


@@ -12,6 +12,7 @@ import codeql.rust.security.SensitiveData
import codeql.rust.security.WeakSensitiveDataHashingExtensions
import codeql.rust.Diagnostics
import Stats
import TaintReach
from string key, int value
where
@@ -59,6 +60,10 @@ where
or
key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
or
key = "Taint reach - nodes tainted" and value = getTaintedNodesCount()
or
key = "Taint reach - per million nodes" and value = getTaintReach().floor()
or
key = "Sensitive data" and value = count(SensitiveData d)
or
key = "Taint sinks - query sinks" and value = getQuerySinksCount()
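Review bot: The two new rows make summary-statistics evaluate `TaintReachFlow` — a global taint-tracking configuration whose `isSink` is `any()`, i.e. every `DataFlow::Node` is a sink — on every run of the summary query, which is likely to be the most expensive disjunct in this `where` clause on a large database; a one-line comment above the `Taint reach - nodes tainted` key, e.g. `// Taint reach runs a global taint-tracking config with every node as a sink; expect it to dominate query time.`, would keep that from surprising anyone using the summary as a quick health check. `getTaintReach().floor()` truncates, so a reach below one per million is reported as 0 even when `nodes tainted` is non-zero; if that is intended it is worth saying so in the key or a comment. The `from … where` disjunction this hunk extends begins before and continues after the hunk.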


@@ -0,0 +1,31 @@
/**
* Taint reach computation. Taint reach is the proportion of all dataflow nodes that can be reached
* via taint flow from any active thread model source. It's usually expressed per million nodes.
*/
import rust
private import codeql.rust.Concepts
private import codeql.rust.dataflow.DataFlow
private import codeql.rust.dataflow.TaintTracking
/**
* A taint configuration for taint reach (flow to any node from any modelled source).
*/
private module TaintReachConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }
predicate isSink(DataFlow::Node node) { any() }
}
private module TaintReachFlow = TaintTracking::Global<TaintReachConfig>;
/**
* Gets the total number of dataflow nodes that taint reaches (from any source).
*/
int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) }
/**
* Gets the proportion of dataflow nodes that taint reaches (from any source),
* expressed as a count per million nodes.
*/
float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) }
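Review bot: `getTaintReach()` divides by `count(DataFlow::Node n)`, so on a database with no dataflow nodes the quotient has no value (QL division by zero yields no result rather than an error, as far as I recall) and the per-million row in the summary silently disappears while `getTaintedNodesCount()` still reports 0; a guard such as `float getTaintReach() { if exists(DataFlow::Node n) then result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) else result = 0.0 }` keeps the two statistics consistent. The module doc comment says "active thread model source" where `ActiveThreatModelSource` is meant — `threat`. Since `isSink` is `any()`, `flowTo(n)` presumably also holds for every source node itself (zero-length flow), so the `getTaintedNodesCount` doc should say the count includes the sources, e.g. `* Gets the total number of dataflow nodes that taint reaches, including the source nodes themselves.`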


@@ -15,6 +15,8 @@
| Macro calls - total | 9 |
| Macro calls - unresolved | 1 |
| Sensitive data | 0 |
| Taint reach - nodes tainted | 0 |
| Taint reach - per million nodes | 0 |
| Taint sinks - cryptographic operations | 0 |
| Taint sinks - query sinks | 0 |
| Taint sources - active | 0 |