Java: Remove low-confidence dispatch to known neutrals.

java/ql/lib/change-notes/2023-03-14-neutral-dispatch.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom `List.contains` implementations when the best inferrable type at the call site is simply `List`.

java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll

@@ -171,6 +171,8 @@ class SummarizedCallableBase extends TSummarizedCallableBase {
 
 class SummarizedCallable = Impl::Public::SummarizedCallable;
 
+class NeutralCallable = Impl::Public::NeutralCallable;
+
 /**
  * An adapter class to add the flow summaries specified on `SyntheticCallable`
  * to `SummarizedCallable`.

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll

@@ -11,6 +11,8 @@ private module DispatchImpl {
   private predicate hasHighConfidenceTarget(Call c) {
     exists(SummarizedCallable sc | sc.getACall() = c and not sc.isAutoGenerated())
     or
+    exists(NeutralCallable nc | nc.getACall() = c and nc.isManual())
+    or
     exists(Callable srcTgt |
       srcTgt = VirtualDispatch::viableCallable(c) and
       not VirtualDispatch::lowConfidenceDispatchTarget(c, srcTgt)

java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll

@@ -236,6 +236,8 @@ private VirtualMethodAccess objectToString(ObjNode n) {
   result.getQualifier() = n.asExpr() and sink(n)
 }
 
+predicate objectToStringCall(VirtualMethodAccess ma) { ma = objectToString(_) }
+
 /**
  * Holds if the qualifier of the `Object.toString()` call `ma` might have type `t`.
  */

java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll

@@ -93,7 +93,8 @@ private module Dispatch {
       exists(RefType t | qualUnionType(ma, t, false) |
         lowConfidenceDispatchType(t.getSourceDeclaration())
       )
-    )
+    ) and
+    not ObjFlow::objectToStringCall(ma)
   }
 
   private predicate lowConfidenceDispatchType(SrcRefType t) {