Merge pull request #6216 from smowton/smowton/admin/serializability-dataflow

Create a dataflow instance specifically for the Serializability library

config/identical-files.json

@@ -6,6 +6,7 @@
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
     "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
+    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
     "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",

java/ql/src/semmle/code/java/dataflow/internal/DataFlowForSerializability.qll

@@ -0,0 +1,19 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses (for internal use only).
+ *
+ * This copy of the library is exclusively for use by `Serializability.qll` and
+ * related libraries. Configurations computed using this instance of the library
+ * are in scope whenever `java.qll` is imported, and are used to compute among
+ * other things `AdditionalTaintStep`.
+ */
+
+import java
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses (for internal use only).
+ */
+module DataFlowForSerializability {
+  import semmle.code.java.dataflow.internal.DataFlowImplForSerializability
+}

java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll

@@ -1,7 +1,7 @@
 import java
 import semmle.code.java.Serializability
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow5
+private import semmle.code.java.dataflow.internal.DataFlowForSerializability
 
 /** The method `parseAs` in `com.google.api.client.http.HttpResponse`. */
 private class ParseAsMethod extends Method {
@@ -11,7 +11,7 @@ private class ParseAsMethod extends Method {
   }
 }
 
-private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configuration {
+private class TypeLiteralToParseAsFlowConfiguration extends DataFlowForSerializability::Configuration {
   TypeLiteralToParseAsFlowConfiguration() {
     this = "GoogleHttpClientApi::TypeLiteralToParseAsFlowConfiguration"
   }

java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll

@@ -7,7 +7,7 @@ import java
 import semmle.code.java.Serializability
 import semmle.code.java.Reflection
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow5
+private import semmle.code.java.dataflow.internal.DataFlowForSerializability
 import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.ExternalFlow
 
@@ -85,7 +85,7 @@ private class FieldReferencedJacksonSerializableType extends JacksonSerializable
 /** A type whose values may be deserialized by the Jackson JSON framework. */
 abstract class JacksonDeserializableType extends Type { }
 
-private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlow5::Configuration {
+private class TypeLiteralToJacksonDatabindFlowConfiguration extends DataFlowForSerializability::Configuration {
   TypeLiteralToJacksonDatabindFlowConfiguration() {
     this = "TypeLiteralToJacksonDatabindFlowConfiguration"
   }