Crypto: To get unreferenced parameters as general sources for Java, I've included the caveat that if a function is called, all the calls appear to be in test files.

2025-12-16 16:53:25 +01:00 · 2025-10-15 14:20:16 -04:00
parent c6174fbb93
commit 9a6aac1300
1 changed files with 12 additions and 1 deletions
--- a/java/ql/lib/experimental/quantum/Language.qll
+++ b/java/ql/lib/experimental/quantum/Language.qll
@@ -55,7 +55,18 @@ final class DefaultRemoteFlowSource = RemoteFlowSource;

 private class GenericUnreferencedParameterSource extends Crypto::GenericUnreferencedParameterSource {
  GenericUnreferencedParameterSource() {
-    exists(Parameter p | this = p and not exists(p.getAnArgument()))
+    exists(Parameter p |
+      this = p and
+      (
+        not exists(p.getAnArgument())
+        or
+        // If all calls to a function occur in a test file, ignore those calls
+        // and consider the parameter to the function a potential source as well.
+        forall(Call testCall | testCall.getCallee() = p.getCallable() |
+          testCall.getFile().getBaseName().toUpperCase().matches("%TEST%")
+        )
+      )
+    )
  }

  override predicate flowsTo(Crypto::FlowAwareElement other) {