Update java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2026-04-23 15:55:18 +02:00 · 2024-08-28 15:04:38 +02:00
parent 15b06907dd
commit e8595e28e9
1 changed files with 6 additions and 3 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -43,9 +43,12 @@ private module DispatchImpl {
  /**
   * Gets a viable implementation of the target of the given `Call`.
   * The following heuristic is applied for finding the appropriate callable:
-   * 1. If an exact manual model exists, only dispatch to the summarized callable.
-   * 2. If a (non exact) manual model exists and/or if the source code is available, dispatch to both/either.
-   * 3. Only dispatch to a summarized callable in case the static call target in not in source.
+   * In general, dispatch to both any existing model and any viable source dispatch.
+   * However, if the model is generated and the static call target is in the source then
+   * we trust the source more than the model and skip dispatch to the model.
+   * Vice versa, if the model is manual and the source dispatch has a comparatively low
+   * confidence then we only dispatch to the model. Additionally, manual models that
+   * match a source dispatch exactly take precedence over the source.
   */
  DataFlowCallable viableCallable(DataFlowCall c) {
    exists(Call call | call = c.asCall() |