hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #19718 from geoffw0/taintreach

Browse Source 
Rust: Adjust the taint reach metric for better stability.
This commit is contained in:
Geoffrey White
2025-06-11 17:51:50 +01:00
committed by GitHub
parent 31770edc26 e64d083fc1
commit bd21a03fc3
2 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rust/ql/src/queries/summary/Stats.qll
View File

@@ -189,6 +189,8 @@ predicate taintStats(string key, int value) {
or
key = "Taint reach - nodes tainted" and value = getTaintedNodesCount()
or
key = "Taint reach - total non-summary nodes" and value = getTotalNodesCount()
or
key = "Taint reach - per million nodes" and value = getTaintReach().floor()
or
key = "Taint sinks - query sinks" and value = getQuerySinksCount()

21
rust/ql/src/queries/summary/TaintReach.qll
View File

@@ -7,6 +7,7 @@ import rust
private import codeql.rust.Concepts
private import codeql.rust.dataflow.DataFlow
private import codeql.rust.dataflow.TaintTracking
private import codeql.rust.dataflow.internal.Node
/**
* A taint configuration for taint reach (flow to any node from any modeled source).
@@ -21,11 +22,27 @@ private module TaintReachFlow = TaintTracking::Global<TaintReachConfig>;
/**
* Gets the total number of data flow nodes that taint reaches (from any source).
*
* We don't include flow summary nodes, as their number is unstable (varies when models
* are added).
*/
int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) }
int getTaintedNodesCount() {
result = count(DataFlow::Node n | TaintReachFlow::flowTo(n) and not n instanceof FlowSummaryNode)
}
/**
* Gets the total number of data flow nodes.
*
* We don't include flow summary nodes, as their number is unstable (varies when models
* are added).
*/
int getTotalNodesCount() { result = count(DataFlow::Node n | not n instanceof FlowSummaryNode) }
/**
* Gets the proportion of data flow nodes that taint reaches (from any source),
* expressed as a count per million nodes.
*
* We don't include flow summary nodes, as their number is unstable (varies when models
* are added).
*/
float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) }
float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / getTotalNodesCount() }