Recognize the model generator involvement in the models' provenances

2025-12-17 01:03:14 +01:00 · 2024-03-14 08:55:47 +01:00
parent 5b88b8a3ed
commit eecab9122a
10 changed files with 45 additions and 46 deletions
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -80,7 +80,6 @@ extensions:
      - ["java.io", "File", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "File", True, "getParentFile", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "File", True, "getPath", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["java.io", "File", True, "listFiles", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "File", True, "toPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -116,12 +115,12 @@ extensions:
      - ["java.io", "File", "isFile", "()", "summary", "manual"]
      - ["java.io", "File", "length", "()", "summary", "manual"]
      - ["java.io", "File", "isDirectory", "()", "summary", "manual"]
-      - ["java.io", "File", "listFiles", "", "summary", "manual"]
+      - ["java.io", "File", "listFiles", "", "summary", "df-manual"]
      - ["java.io", "File", "mkdirs", "()", "summary", "manual"]
      - ["java.io", "FileInputStream", "FileInputStream", "(File)", "summary", "manual"]
-      - ["java.io", "FileInputStream", "FileInputStream", "(String)", "summary", "manual"]
+      - ["java.io", "FileInputStream", "FileInputStream", "(String)", "summary", "df-manual"]
      - ["java.io", "InputStream", "close", "()", "summary", "manual"]
-      - ["java.io", "ObjectInput", "readObject", "()", "summary", "manual"]
+      - ["java.io", "ObjectInput", "readObject", "()", "summary", "df-manual"] # this is a deserialization sink modeled in regular CodeQL
      - ["java.io", "OutputStream", "flush", "()", "summary", "manual"]
      # The below APIs have numeric flow and are currently being stored as neutral models.
      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.