Merge pull request #12645 from aschackmull/dataflow/renaming

Dataflow: Rename Make to Global and hasFlow to flow

python/ql/lib/change-notes/2023-03-23-dataflow-renaming.md

@@ -0,0 +1,6 @@
+---
+category: deprecated
+---
+* The recently introduced new data flow and taint tracking APIs have had a
+  number of module and predicate renamings. The old APIs remain in place for
+  now.

python/ql/lib/semmle/python/dataflow/new/internal/DataFlow.qll

@@ -2,7 +2,7 @@
  * Provides an implementation of global (interprocedural) data flow. This file
  * re-exports the local (intraprocedural) data flow analysis from
  * `DataFlowImplSpecific::Public` and adds a global analysis, mainly exposed
- * through the `Make` and `MakeWithState` modules.
+ * through the `Global` and `GlobalWithState` modules.
  */
 
 private import DataFlowImplCommon
@@ -73,10 +73,10 @@ signature module ConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -166,10 +166,10 @@ signature module StateConfigSig {
    */
   default FlowFeature getAFeature() { none() }
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   default predicate sourceGrouping(Node source, string sourceGroup) { none() }
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   default predicate sinkGrouping(Node sink, string sinkGroup) { none() }
 
   /**
@@ -182,15 +182,15 @@ signature module StateConfigSig {
 }
 
 /**
- * Gets the exploration limit for `hasPartialFlow` and `hasPartialFlowRev`
+ * Gets the exploration limit for `partialFlow` and `partialFlowRev`
  * measured in approximate number of interprocedural steps.
  */
 signature int explorationLimitSig();
 
 /**
- * The output of a data flow computation.
+ * The output of a global data flow computation.
  */
-signature module DataFlowSig {
+signature module GlobalFlowSig {
   /**
    * A `Node` augmented with a call context (except for sinks) and an access path.
    * Only those `PathNode`s that are reachable from a source, and which can reach a sink, are generated.
@@ -203,28 +203,28 @@ signature module DataFlowSig {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink);
+  predicate flowPath(PathNode source, PathNode sink);
 
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink);
+  predicate flow(Node source, Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink);
+  predicate flowTo(Node sink);
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink);
+  predicate flowToExpr(DataFlowExpr sink);
 }
 
 /**
  * Constructs a standard data flow computation.
  */
-module Make<ConfigSig Config> implements DataFlowSig {
+module Global<ConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import DefaultState<Config>
     import Config
@@ -233,10 +233,15 @@ module Make<ConfigSig Config> implements DataFlowSig {
   import Impl<C>
 }
 
+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<ConfigSig Config> implements GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
  * Constructs a data flow computation using flow state.
  */
-module MakeWithState<StateConfigSig Config> implements DataFlowSig {
+module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
   private module C implements FullStateConfigSig {
     import Config
   }
@@ -244,6 +249,11 @@ module MakeWithState<StateConfigSig Config> implements DataFlowSig {
   import Impl<C>
 }
 
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<StateConfigSig Config> implements GlobalFlowSig {
+  import GlobalWithState<Config>
+}
+
 signature class PathNodeSig {
   /** Gets a textual representation of this element. */
   string toString();

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll

@@ -91,10 +91,10 @@ signature module FullStateConfigSig {
    */
   FlowFeature getAFeature();
 
-  /** Holds if sources should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sources should be grouped in the result of `flowPath`. */
   predicate sourceGrouping(Node source, string sourceGroup);
 
-  /** Holds if sinks should be grouped in the result of `hasFlowPath`. */
+  /** Holds if sinks should be grouped in the result of `flowPath`. */
   predicate sinkGrouping(Node sink, string sinkGroup);
 
   /**
@@ -3629,7 +3629,7 @@ module Impl<FullStateConfigSig Config> {
    * The corresponding paths are generated from the end-points and the graph
    * included in the module `PathGraph`.
    */
-  predicate hasFlowPath(PathNode source, PathNode sink) {
+  predicate flowPath(PathNode source, PathNode sink) {
     exists(PathNodeImpl flowsource, PathNodeImpl flowsink |
       source = flowsource and sink = flowsink
     |
@@ -3639,6 +3639,9 @@ module Impl<FullStateConfigSig Config> {
     )
   }
 
+  /** DEPRECATED: Use `flowPath` instead. */
+  deprecated predicate hasFlowPath = flowPath/2;
+
   private predicate flowsTo(PathNodeImpl flowsource, PathNodeSink flowsink, Node source, Node sink) {
     flowsource.isSource() and
     flowsource.getNodeEx().asNode() = source and
@@ -3649,17 +3652,26 @@ module Impl<FullStateConfigSig Config> {
   /**
    * Holds if data can flow from `source` to `sink`.
    */
-  predicate hasFlow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+  predicate flow(Node source, Node sink) { flowsTo(_, _, source, sink) }
+
+  /** DEPRECATED: Use `flow` instead. */
+  deprecated predicate hasFlow = flow/2;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+  predicate flowTo(Node sink) { sink = any(PathNodeSink n).getNodeEx().asNode() }
+
+  /** DEPRECATED: Use `flowTo` instead. */
+  deprecated predicate hasFlowTo = flowTo/1;
 
   /**
    * Holds if data can flow from some source to `sink`.
    */
-  predicate hasFlowToExpr(DataFlowExpr sink) { hasFlowTo(exprNode(sink)) }
+  predicate flowToExpr(DataFlowExpr sink) { flowTo(exprNode(sink)) }
+
+  /** DEPRECATED: Use `flowToExpr` instead. */
+  deprecated predicate hasFlowToExpr = flowToExpr/1;
 
   private predicate finalStats(
     boolean fwd, int nodes, int fields, int conscand, int states, int tuples
@@ -4570,7 +4582,7 @@ module Impl<FullStateConfigSig Config> {
      *
      * To use this in a `path-problem` query, import the module `PartialPathGraph`.
      */
-    predicate hasPartialFlow(PartialPathNode source, PartialPathNode node, int dist) {
+    predicate partialFlow(PartialPathNode source, PartialPathNode node, int dist) {
       partialFlow(source, node) and
       dist = node.getSourceDistance()
     }
@@ -4590,7 +4602,7 @@ module Impl<FullStateConfigSig Config> {
      * Note that reverse flow has slightly lower precision than the corresponding
      * forward flow, as reverse flow disregards type pruning among other features.
      */
-    predicate hasPartialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
+    predicate partialFlowRev(PartialPathNode node, PartialPathNode sink, int dist) {
       revPartialFlow(node, sink) and
       dist = node.getSinkDistance()
     }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplForRegExp.qll

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Make` and `MakeWithState` instead.
+ * DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.
@@ -388,7 +388,7 @@ private predicate hasFlow(Node source, Node sink, Configuration config) {
 }
 
 private predicate hasFlowPath(PathNode source, PathNode sink, Configuration config) {
-  hasFlowPath(source, sink) and source.getConfiguration() = config
+  flowPath(source, sink) and source.getConfiguration() = config
 }
 
 private predicate hasFlowTo(Node sink, Configuration config) { hasFlow(_, sink, config) }

python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTracking.qll

@@ -35,7 +35,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
 /**
  * Constructs a standard taint tracking computation.
  */
-module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
+module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
   private module Config0 implements DataFlowInternal::FullStateConfigSig {
     import DataFlowInternal::DefaultState<Config>
     import Config
@@ -48,10 +48,15 @@ module Make<DataFlow::ConfigSig Config> implements DataFlow::DataFlowSig {
   import DataFlowInternal::Impl<C>
 }
 
+/** DEPRECATED: Use `Global` instead. */
+deprecated module Make<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import Global<Config>
+}
+
 /**
  * Constructs a taint tracking computation using flow state.
  */
-module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataFlowSig {
+module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
   private module Config0 implements DataFlowInternal::FullStateConfigSig {
     import Config
   }
@@ -62,3 +67,8 @@ module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::DataF
 
   import DataFlowInternal::Impl<C>
 }
+
+/** DEPRECATED: Use `GlobalWithState` instead. */
+deprecated module MakeWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
+  import GlobalWithState<Config>
+}

python/ql/src/Security/CWE-327/FluentApiModel.qll

@@ -112,7 +112,7 @@ module InsecureContextConfiguration2 implements DataFlow::StateConfigSig {
   }
 }
 
-private module InsecureContextFlow = DataFlow::MakeWithState<InsecureContextConfiguration2>;
+private module InsecureContextFlow = DataFlow::GlobalWithState<InsecureContextConfiguration2>;
 
 /**
  * Holds if `conectionCreation` marks the creation of a connection based on the contex
@@ -127,7 +127,7 @@ predicate unsafe_connection_creation_with_context(
 ) {
   // Connection created from a context allowing `insecure_version`.
   exists(InsecureContextFlow::PathNode src, InsecureContextFlow::PathNode sink |
-    InsecureContextFlow::hasFlowPath(src, sink) and
+    InsecureContextFlow::flowPath(src, sink) and
     src.getNode() = contextOrigin and
     sink.getNode() = connectionCreation and
     sink.getState().allowsInsecureVersion(insecure_version) and