hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Go: Use shared modelCoverage.

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2025-12-12 11:24:39 +01:00
parent 4b2e8c0b57
commit 8564b4ea66
2 changed files with 37 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
go/ql/lib/semmle/go/dataflow/ExternalFlow.qll
View File

@@ -96,7 +96,21 @@ private import internal.FlowSummaryImpl::Private::External
private import codeql.mad.ModelValidation as SharedModelVal private import codeql.mad.ModelValidation as SharedModelVal
private import codeql.mad.static.MaD as SharedMaD private import codeql.mad.static.MaD as SharedMaD
private module MadInput implements SharedMaD::InputSig { } private module MadInput implements SharedMaD::InputSig {
string namespaceSegmentSeparator() { result = "/" }
bindingset[p]
string cleanNamespace(string p) {
exists(string noPrefix |
p = fixedVersionPrefix() + noPrefix
or
not p = fixedVersionPrefix() + any(string s) and
noPrefix = p
|
result = noPrefix.regexpReplaceAll(majorVersionSuffixRegex(), "")
)
}
}
private module MaD = SharedMaD::ModelsAsData<Extensions, MadInput>; private module MaD = SharedMaD::ModelsAsData<Extensions, MadInput>;
@@ -107,78 +121,6 @@ module FlowExtensions = Extensions;
/** Gets the prefix for a group of packages. */ /** Gets the prefix for a group of packages. */
private string groupPrefix() { result = "group:" } private string groupPrefix() { result = "group:" }
bindingset[p]
private string cleanPackage(string p) {
exists(string noPrefix |
p = fixedVersionPrefix() + noPrefix
or
not p = fixedVersionPrefix() + any(string s) and
noPrefix = p
|
result = noPrefix.regexpReplaceAll(majorVersionSuffixRegex(), "")
)
}
private predicate relevantPackage(string package) {
exists(string p | package = cleanPackage(p) |
sourceModel(p, _, _, _, _, _, _, _, _, _) or
sinkModel(p, _, _, _, _, _, _, _, _, _) or
summaryModel(p, _, _, _, _, _, _, _, _, _, _)
)
}
private predicate packageLink(string shortpkg, string longpkg) {
relevantPackage(shortpkg) and
relevantPackage(longpkg) and
longpkg.prefix(longpkg.indexOf("/")) = shortpkg
}
private predicate canonicalPackage(string package) {
relevantPackage(package) and not packageLink(_, package)
}
private predicate canonicalPkgLink(string package, string subpkg) {
canonicalPackage(package) and
(subpkg = package or packageLink(package, subpkg))
}
/**
* Holds if MaD framework coverage of `package` is `n` api endpoints of the
* kind `(kind, part)`, and `pkgs` is the number of subpackages of `package`
* which have MaD framework coverage (including `package` itself).
*/
predicate modelCoverage(string package, int pkgs, string kind, string part, int n) {
pkgs = strictcount(string subpkg | canonicalPkgLink(package, subpkg)) and
(
part = "source" and
n =
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
string ext, string output, string provenance, string x |
canonicalPkgLink(package, subpkg) and
subpkg = cleanPackage(x) and
sourceModel(x, type, subtypes, name, signature, ext, output, kind, provenance, _)
)
or
part = "sink" and
n =
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
string ext, string input, string provenance, string x |
canonicalPkgLink(package, subpkg) and
subpkg = cleanPackage(x) and
sinkModel(x, type, subtypes, name, signature, ext, input, kind, provenance, _)
)
or
part = "summary" and
n =
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
string ext, string input, string output, string provenance, string x |
canonicalPkgLink(package, subpkg) and
subpkg = cleanPackage(x) and
summaryModel(x, type, subtypes, name, signature, ext, input, output, kind, provenance, _)
)
)
}
/** Provides a query predicate to check the MaD models for validation errors. */ /** Provides a query predicate to check the MaD models for validation errors. */
module ModelValidation { module ModelValidation {
private import codeql.dataflow.internal.AccessPathSyntax as AccessPathSyntax private import codeql.dataflow.internal.AccessPathSyntax as AccessPathSyntax

35
shared/mad/codeql/mad/static/MaD.qll
View File

@@ -87,8 +87,12 @@ signature module InputSig {
none() none()
} }
/** Get the separator used between namespace segments. */ /** Gets the separator used between namespace segments. */
default string namespaceSegmentSeparator() { result = "." } default string namespaceSegmentSeparator() { result = "." }
/** Gets a cleaned-up version of the namespace for presentation in model coverage. */
bindingset[ns]
default string cleanNamespace(string ns) { result = ns }
} }
module ModelsAsData<ExtensionsSig Extensions, InputSig Input> { module ModelsAsData<ExtensionsSig Extensions, InputSig Input> {
@@ -278,9 +282,11 @@ module ModelsAsData<ExtensionsSig Extensions, InputSig Input> {
} }
private predicate relevantNamespace(string namespace) { private predicate relevantNamespace(string namespace) {
sourceModel(namespace, _, _, _, _, _, _, _, _, _) or exists(string ns | namespace = Input::cleanNamespace(ns) |
sinkModel(namespace, _, _, _, _, _, _, _, _, _) or sourceModel(ns, _, _, _, _, _, _, _, _, _) or
summaryModel(namespace, _, _, _, _, _, _, _, _, _, _) sinkModel(ns, _, _, _, _, _, _, _, _, _) or
summaryModel(ns, _, _, _, _, _, _, _, _, _, _)
)
} }
private predicate namespaceLink(string shortns, string longns) { private predicate namespaceLink(string shortns, string longns) {
@@ -309,25 +315,28 @@ module ModelsAsData<ExtensionsSig Extensions, InputSig Input> {
( (
part = "source" and part = "source" and
n = n =
strictcount(string subns, string type, boolean subtypes, string name, string signature, strictcount(string subns, string subnsClean, string type, boolean subtypes, string name,
string ext, string output, string provenance | string signature, string ext, string output, string provenance |
canonicalNamespaceLink(namespace, subns) and canonicalNamespaceLink(namespace, subnsClean) and
subnsClean = Input::cleanNamespace(subns) and
sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance, _) sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance, _)
) )
or or
part = "sink" and part = "sink" and
n = n =
strictcount(string subns, string type, boolean subtypes, string name, string signature, strictcount(string subns, string subnsClean, string type, boolean subtypes, string name,
string ext, string input, string provenance | string signature, string ext, string input, string provenance |
canonicalNamespaceLink(namespace, subns) and canonicalNamespaceLink(namespace, subnsClean) and
subnsClean = Input::cleanNamespace(subns) and
sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance, _) sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance, _)
) )
or or
part = "summary" and part = "summary" and
n = n =
strictcount(string subns, string type, boolean subtypes, string name, string signature, strictcount(string subns, string subnsClean, string type, boolean subtypes, string name,
string ext, string input, string output, string provenance | string signature, string ext, string input, string output, string provenance |
canonicalNamespaceLink(namespace, subns) and canonicalNamespaceLink(namespace, subnsClean) and
subnsClean = Input::cleanNamespace(subns) and
summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance, summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance,
_) _)
) )