Merge pull request #9256 from michaelnebel/csharp/test-ranking

C#: Rank summaries and source code in dataflow callables.
2026-04-28 18:25:24 +02:00 · 2022-05-23 10:29:52 +02:00
parent f2218944f6 f141336f64
commit c82ab6813f
3 changed files with 27 additions and 4 deletions
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -83,13 +83,26 @@ newtype TReturnKind =
    )
  }

+/**
+ * Holds if the summary for `c` should be used for dataflow analysis.
+ */
+predicate useFlowSummary(FlowSummary::SummarizedCallable c) {
+  not c.fromSource()
+  or
+  c.fromSource() and not c.isAutoGenerated()
+}
+
 private module Cached {
+  /**
+   * The following heuristic is used to rank when to use source code or when to use summaries for DataFlowCallables.
+   * 1. Use hand written summaries.
+   * 2. Use source code.
+   * 3. Use auto generated summaries.
+   */
  cached
  newtype TDataFlowCallable =
-    TDotNetCallable(DotNet::Callable c) {
-      c.isUnboundDeclaration() and not c instanceof FlowSummary::SummarizedCallable
-    } or
-    TSummarizedCallable(FlowSummary::SummarizedCallable c)
+    TDotNetCallable(DotNet::Callable c) { c.isUnboundDeclaration() and not useFlowSummary(c) } or
+    TSummarizedCallable(FlowSummary::SummarizedCallable c) { useFlowSummary(c) }

  cached
  newtype TDataFlowCall =
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -743,9 +743,11 @@ private module Cached {
      FlowSummaryImpl::Public::SummarizedCallable c,
      FlowSummaryImpl::Private::SummaryNodeState state
    ) {
+      useFlowSummary(c) and
      FlowSummaryImpl::Private::summaryNodeRange(c, state)
    } or
    TSummaryParameterNode(FlowSummaryImpl::Public::SummarizedCallable c, ParameterPosition pos) {
+      useFlowSummary(c) and
      FlowSummaryImpl::Private::summaryParameterNodeRange(c, pos)
    } or
    TParamsArgumentNode(ControlFlow::Node callCfn) {
--- a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ql
+++ b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ql
@@ -53,6 +53,14 @@ class Conf extends TaintTracking::Configuration {
  }
 }

+/**
+ * Simulate that methods with summaries are not included in the source code.
+ * This is relevant for dataflow analysis using summaries tagged as generated.
+ */
+private class MyMethod extends Method {
+  override predicate fromSource() { none() }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, Conf conf
 where conf.hasFlowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()