C#: Re-factor isSupported for the telemetry queries.

2026-04-30 03:05:15 +02:00 · 2023-02-20 13:37:27 +01:00
parent 658cc33bb8
commit f594411c43
4 changed files with 11 additions and 16 deletions
--- a/csharp/ql/src/Telemetry/ExternalApi.qll
+++ b/csharp/ql/src/Telemetry/ExternalApi.qll
@@ -8,6 +8,7 @@ private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlowDispatch
+private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 private import semmle.code.csharp.security.dataflow.flowsources.Remote

@@ -104,8 +105,14 @@ class ExternalApi extends DotNet::Callable {
  pragma[nomagic]
  predicate isSink() { sinkNode(this.getAnInput(), _) }

+  /** Holds if this API is a known neutral. */
+  pragma[nomagic]
+  predicate isNeutral() { this instanceof FlowSummaryImpl::Public::NeutralCallable }
+
  /** Holds if this API is supported by existing CodeQL libraries, that is, it is either a recognized source or sink or has a flow summary. */
-  predicate isSupported() { this.hasSummary() or this.isSource() or this.isSink() }
+  predicate isSupported() {
+    this.hasSummary() or this.isSource() or this.isSink() or this.isNeutral()
+  }
 }

 /**
--- a/csharp/ql/src/Telemetry/SupportedExternalApis.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalApis.ql
@@ -8,13 +8,9 @@

 private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
-private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import ExternalApi

-private predicate relevant(ExternalApi api) {
-  api.isSupported() or
-  api instanceof FlowSummaryImpl::Public::NeutralCallable
-}
+private predicate relevant(ExternalApi api) { api.isSupported() }

 from string info, int usages
 where Results<relevant/1>::restrict(info, usages)
--- a/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
+++ b/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
@@ -7,14 +7,9 @@
 */

 private import csharp
-private import semmle.code.csharp.dispatch.Dispatch
-private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import ExternalApi

-private predicate relevant(ExternalApi api) {
-  not api.isSupported() and
-  not api instanceof FlowSummaryImpl::Public::NeutralCallable
-}
+private predicate relevant(ExternalApi api) { not api.isSupported() }

 from string info, int usages
 where Results<relevant/1>::restrict(info, usages)
--- a/csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql
+++ b/csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql
@@ -9,13 +9,10 @@
 */

 private import csharp
-private import semmle.code.csharp.dispatch.Dispatch
-private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 private import Telemetry.ExternalApi

 from Call c, ExternalApi api
 where
  c.getTarget().getUnboundDeclaration() = api and
-  not api.isSupported() and
-  not api instanceof FlowSummaryImpl::Public::NeutralCallable
+  not api.isSupported()
 select c, "Call to unsupported external API $@.", api, api.toString()