C++: Implement YML extension models.

cpp/ql/lib/ext/empty.model.yml

@@ -0,0 +1,15 @@
+extensions:
+  # Make sure that the extensible model predicates have at least one definition
+  # to avoid errors about undefined extensionals.
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: []
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: []
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: []

cpp/ql/lib/qlpack.yml

@@ -14,4 +14,6 @@ dependencies:
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
   codeql/xml: ${workspace}
+dataExtensions:
+  - ext/*.model.yml
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -78,6 +78,7 @@ private import internal.FlowSummaryImpl
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private
 private import internal.FlowSummaryImpl::Private::External
+private import internal.ExternalFlowExtensions as Extensions
 private import codeql.mad.ModelValidation as SharedModelVal
 private import codeql.util.Unit
 
@@ -138,6 +139,9 @@ predicate sourceModel(
     row.splitAt(";", 7) = kind
   ) and
   provenance = "manual"
+  or
+  Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance,
+    _)
 }
 
 /** Holds if a sink model exists for the given parameters. */
@@ -158,6 +162,8 @@ predicate sinkModel(
     row.splitAt(";", 7) = kind
   ) and
   provenance = "manual"
+  or
+  Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance, _)
 }
 
 /** Holds if a summary model exists for the given parameters. */
@@ -179,6 +185,9 @@ predicate summaryModel(
     row.splitAt(";", 8) = kind
   ) and
   provenance = "manual"
+  or
+  Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+    provenance, _)
 }
 
 private predicate relevantNamespace(string namespace) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -0,0 +1,27 @@
+/**
+ * This module provides extensible predicates for defining MaD models.
+ */
+
+/**
+ * Holds if an external source model exists for the given parameters.
+ */
+extensible predicate sourceModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if an external sink model exists for the given parameters.
+ */
+extensible predicate sinkModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string kind, string provenance, QlBuiltins::ExtensionId madId
+);
+
+/**
+ * Holds if an external summary model exists for the given parameters.
+ */
+extensible predicate summaryModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
+);

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "ymlSource", "", "", "ReturnValue", "local", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "ymlSink", "", "", "Argument[0]", "test-sink", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "ymlStep", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -0,0 +1,3 @@
+| test.cpp:9:10:9:10 | 0 | test-sink |
+| test.cpp:11:10:11:10 | x | test-sink |
+| test.cpp:15:10:15:10 | y | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sinks.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "ymlSink", "", "", "Argument[0]", "test-sink", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -0,0 +1 @@
+| test.cpp:7:10:7:18 | call to ymlSource | local |

cpp/ql/test/library-tests/dataflow/external-models/sources.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "ymlSource", "", "", "ReturnValue", "local", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/steps.expected

@@ -0,0 +1 @@
+| test.cpp:13:18:13:18 | x | test.cpp:13:10:13:16 | call to ymlStep |

cpp/ql/test/library-tests/dataflow/external-models/steps.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "ymlStep", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -8,9 +8,9 @@ void test() {
 
 	ymlSink(0);
 
-	ymlSink(x); // $ MISSING: ir
+	ymlSink(x); // $ ir
 
 	int y = ymlStep(x);
 
-	ymlSink(y); // $ MISSING: ir
+	ymlSink(y); // $ ir
 }