Create a dataflow instance specifically for the Serializability library

Otherwise because this dataflow instance populates AdditionalTaintStep there is an ever-present danger that a user will stumble into creating a recursive configuration, or at least that by using DataFlow5::Configuration for any other purpose they will needlessly recalculate the Serializability dataflow results.
2026-05-02 20:25:13 +02:00 · 2021-07-02 14:48:46 +01:00
parent f83f950be6
commit 75310a6609
5 changed files with 4495 additions and 4 deletions
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -6,6 +6,7 @@
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowForSerializability.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowForSerializability.qll
@@ -0,0 +1,10 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+
+import java
+
+module DataFlowForSerializability {
+  import semmle.code.java.dataflow.internal.DataFlowImplForSerializability
+}
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll
--- a/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
+++ b/java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
@@ -1,7 +1,7 @@
 import java
 import semmle.code.java.Serializability
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow5
+import semmle.code.java.dataflow.internal.DataFlowForSerializability

 /** The method `parseAs` in `com.google.api.client.http.HttpResponse`. */
 private class ParseAsMethod extends Method {
@@ -11,7 +11,7 @@ private class ParseAsMethod extends Method {
  }
 }

-private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configuration {
+private class TypeLiteralToParseAsFlowConfiguration extends DataFlowForSerializability::Configuration {
  TypeLiteralToParseAsFlowConfiguration() {
    this = "GoogleHttpClientApi::TypeLiteralToParseAsFlowConfiguration"
  }
--- a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -7,7 +7,7 @@ import java
 import semmle.code.java.Serializability
 import semmle.code.java.Reflection
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow5
+import semmle.code.java.dataflow.internal.DataFlowForSerializability
 import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.ExternalFlow

@@ -85,7 +85,7 @@ private class FieldReferencedJacksonSerializableType extends JacksonSerializable
 /** A type whose values may be deserialized by the Jackson JSON framework. */
 abstract class JacksonDeserializableType extends Type { }

-private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlow5::Configuration {
+private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlowForSerializability::Configuration {
  TypeLiteralToJacksonDatabindFlowConfiguration() {
    this = "TypeLiteralToJacksonDatabindFlowConfiguration"
  }