Add support for qualifier flow

java/ql/src/utils/model-generator/CaptureSummaryModels.ql

@@ -4,3 +4,33 @@
  * @id TBD
  */
 
+import java
+import ModelGeneratorUtils
+
+string captureFlow(Callable api) { result = captureQualifierFlow(api) }
+
+string captureQualifierFlow(Callable api) {
+  exists(ReturnStmt rtn |
+    rtn.getEnclosingCallable() = api and
+    rtn.getResult() instanceof ThisAccess
+  ) and
+  result = asValueModel(api, "Argument[-1]", "ReturnValue")
+}
+
+// TODO: handle cases like Ticker
+// TODO: "com.google.common.base;Converter;true;convertAll;(Iterable);;Element of Argument[0];Element of ReturnValue;taint",
+// TODO: infer interface from multiple implementations? e.g. UriComponentsContributor
+// TODO: distinguish between taint and value flows. If we find a value flow, omit the taint flow
+class TargetAPI extends Callable {
+  TargetAPI() {
+    this.isPublic() and
+    this.fromSource() and
+    this.getDeclaringType().isPublic() and
+    not this.getCompilationUnit().getFile().getAbsolutePath().matches("%src/test/%") and
+    not this.getCompilationUnit().getFile().getAbsolutePath().matches("%src/guava-tests/%")
+  }
+}
+
+from TargetAPI api, string flow
+where flow = captureFlow(api)
+select flow order by flow

java/ql/src/utils/model-generator/ModelGeneratorUtils.qll

@@ -0,0 +1,28 @@
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+string isExtensible(RefType ref) { if ref.isFinal() then result = "false" else result = "true" }
+
+bindingset[input, output]
+string asTaintModel(Callable api, string input, string output) {
+  result = asSummaryModel(api, input, output, "taint")
+}
+
+bindingset[input, output]
+string asValueModel(Callable api, string input, string output) {
+  result = asSummaryModel(api, input, output, "value")
+}
+
+bindingset[input, output, kind]
+string asSummaryModel(Callable api, string input, string output, string kind) {
+  result =
+    api.getCompilationUnit().getPackage().getName() + ";" //
+      + api.getDeclaringType().nestedName() + ";" //
+      + isExtensible(api.getDeclaringType()).toString() + ";" //
+      + api.getName() + ";" //
+      + paramsString(api) + ";" //
+      + /* ext + */ ";" //
+      + input + ";" //
+      + output + ";" //
+      + kind + ";" //
+}

java/ql/test/utils/model-generator/CaptureSummaryModels.expected

@@ -0,0 +1 @@
+| p;FluentAPI;false;returnsThis;(String);;Argument[-1];ReturnValue;value; |

java/ql/test/utils/model-generator/p/FluentAPI.java

@@ -0,0 +1,9 @@
+package p;
+
+public final class FluentAPI {
+
+    public FluentAPI returnsThis(String input) {
+        return this;
+    }
+
+}