Refactor Revocation checking

java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql

@@ -13,8 +13,8 @@
 
 import java
 import RevocationCheckingLib
-import DataFlow::PathGraph
+import DisabledRevocationCheckingFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, DisabledRevocationCheckingConfig config
+from DisabledRevocationCheckingFlow::PathNode source, DisabledRevocationCheckingFlow::PathNode sink
-where config.hasFlowPath(source, sink)
+where DisabledRevocationCheckingFlow::flowPath(source, sink)
 select source.getNode(), source, sink, "This disables revocation checking."

java/ql/src/experimental/Security/CWE/CWE-299/RevocationCheckingLib.qll

@@ -5,16 +5,16 @@ import DataFlow
 /**
  * A taint-tracking configuration for disabling revocation checking.
  */
-class DisabledRevocationCheckingConfig extends TaintTracking::Configuration {
+module DisabledRevocationCheckingConfig implements DataFlow::ConfigSig {
-  DisabledRevocationCheckingConfig() { this = "DisabledRevocationCheckingConfig" }
+  predicate isSource(DataFlow::Node source) {
-
+    source.asExpr().(BooleanLiteral).getBooleanValue() = false
-  override predicate isSource(DataFlow::Node source) {
-    exists(BooleanLiteral b | b.getBooleanValue() = false | source.asExpr() = b)
   }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof SetRevocationEnabledSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof SetRevocationEnabledSink }
 }
 
+module DisabledRevocationCheckingFlow = TaintTracking::Global<DisabledRevocationCheckingConfig>;
+
 /**
  * A sink that disables revocation checking,
  * i.e. calling `PKIXParameters.setRevocationEnabled(false)`