Merge pull request #11631 from jcogs33/jcogs33/update-externalapi-charpredicate

Java/C#: add `isUninteresting` to `ExternalApi` characteristic predicate
2026-05-01 19:55:15 +02:00 · 2022-12-14 08:25:02 -05:00
parent 0b849a319b a889cc4f65
commit f61b817751
15 changed files with 27 additions and 66 deletions
--- a/csharp/ql/src/Telemetry/ExternalApi.qll
+++ b/csharp/ql/src/Telemetry/ExternalApi.qll
@@ -24,6 +24,12 @@ class TestLibrary extends RefType {
  }
 }

+/** Holds if the given callable is not worth supporting. */
+private predicate isUninteresting(DotNet::Callable c) {
+  c.getDeclaringType() instanceof TestLibrary or
+  c.(Constructor).isParameterless()
+}
+
 /**
 * An external API from either the C# Standard Library or a 3rd party library.
 */
@@ -31,7 +37,8 @@ class ExternalApi extends DotNet::Callable {
  ExternalApi() {
    this.isUnboundDeclaration() and
    this.fromLibrary() and
-    this.(Modifiable).isEffectivelyPublic()
+    this.(Modifiable).isEffectivelyPublic() and
+    not isUninteresting(this)
  }

  /**
@@ -84,17 +91,6 @@ class ExternalApi extends DotNet::Callable {
    defaultAdditionalTaintStep(this.getAnInput(), _)
  }

-  /** Holds if this API is a constructor without parameters. */
-  private predicate isParameterlessConstructor() {
-    this instanceof Constructor and this.getNumberOfParameters() = 0
-  }
-
-  /** Holds if this API is part of a common testing library or framework. */
-  private predicate isTestLibrary() { this.getDeclaringType() instanceof TestLibrary }
-
-  /** Holds if this API is not worth supporting. */
-  predicate isUninteresting() { this.isTestLibrary() or this.isParameterlessConstructor() }
-
  /** Holds if this API is a known source. */
  predicate isSource() {
    this.getAnOutput() instanceof RemoteFlowSource or sourceNode(this.getAnOutput(), _)
--- a/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
+++ b/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
@@ -14,8 +14,7 @@ private predicate getRelevantUsages(string namespace, int usages) {
  usages =
    strictcount(Call c, ExternalApi api |
      c.getTarget().getUnboundDeclaration() = api and
-      api.getNamespace() = namespace and
-      not api.isUninteresting()
+      api.getNamespace() = namespace
    )
 }

--- a/csharp/ql/src/Telemetry/SupportedExternalApis.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalApis.ql
@@ -12,11 +12,8 @@ private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSumma
 private import ExternalApi

 private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  (
-    api.isSupported() or
-    api instanceof FlowSummaryImpl::Public::NeutralCallable
-  )
+  api.isSupported() or
+  api instanceof FlowSummaryImpl::Public::NeutralCallable
 }

 from string info, int usages
--- a/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
@@ -10,10 +10,7 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  api.isSink()
-}
+private predicate relevant(ExternalApi api) { api.isSink() }

 from string info, int usages
 where Results<relevant/1>::restrict(info, usages)
--- a/csharp/ql/src/Telemetry/SupportedExternalSources.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalSources.ql
@@ -10,10 +10,7 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  api.isSource()
-}
+private predicate relevant(ExternalApi api) { api.isSource() }

 from string info, int usages
 where Results<relevant/1>::restrict(info, usages)
--- a/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
+++ b/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
@@ -10,10 +10,7 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi

-private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  api.hasSummary()
-}
+private predicate relevant(ExternalApi api) { api.hasSummary() }

 from string info, int usages
 where Results<relevant/1>::restrict(info, usages)
--- a/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
+++ b/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
@@ -12,7 +12,6 @@ private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSumma
 private import ExternalApi

 private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
  not api.isSupported() and
  not api instanceof FlowSummaryImpl::Public::NeutralCallable
 }
--- a/csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql
+++ b/csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql
@@ -16,7 +16,6 @@ private import Telemetry.ExternalApi
 from Call c, ExternalApi api
 where
  c.getTarget().getUnboundDeclaration() = api and
-  not api.isUninteresting() and
  not api.isSupported() and
  not api instanceof FlowSummaryImpl::Public::NeutralCallable
 select c, "Call to unsupported external API $@.", api, api.toString()
--- a/java/ql/src/Telemetry/ExternalApi.qll
+++ b/java/ql/src/Telemetry/ExternalApi.qll
@@ -31,11 +31,17 @@ private string containerAsJar(Container container) {
  if container instanceof JarFile then result = container.getBaseName() else result = "rt.jar"
 }

+/** Holds if the given callable is not worth supporting. */
+private predicate isUninteresting(Callable c) {
+  c.getDeclaringType() instanceof TestLibrary or
+  c.(Constructor).isParameterless()
+}
+
 /**
 * An external API from either the Standard Library or a 3rd party library.
 */
 class ExternalApi extends Callable {
-  ExternalApi() { not this.fromSource() }
+  ExternalApi() { not this.fromSource() and not isUninteresting(this) }

  /**
   * Gets information about the external API in the form expected by the CSV modeling framework.
@@ -73,18 +79,6 @@ class ExternalApi extends Callable {
    TaintTracking::localAdditionalTaintStep(this.getAnInput(), _)
  }

-  /** Holds if this API is a constructor without parameters. */
-  private predicate isParameterlessConstructor() {
-    this instanceof Constructor and this.getNumberOfParameters() = 0
-  }
-
-  /** Holds if this API is part of a common testing library or framework. */
-  private predicate isTestLibrary() { this.getDeclaringType() instanceof TestLibrary }
-
-  /** Holds if this API is not worth supporting. */
-  predicate isUninteresting() { this.isTestLibrary() or this.isParameterlessConstructor() }
-
-  /** Holds if this API is a known source. */
  predicate isSource() {
    this.getAnOutput() instanceof RemoteFlowSource or sourceNode(this.getAnOutput(), _)
  }
--- a/java/ql/src/Telemetry/ExternalLibraryUsage.ql
+++ b/java/ql/src/Telemetry/ExternalLibraryUsage.ql
@@ -14,8 +14,7 @@ private predicate getRelevantUsages(string jarname, int usages) {
    strictcount(Call c, ExternalApi a |
      c.getCallee().getSourceDeclaration() = a and
      not c.getFile() instanceof GeneratedFile and
-      a.jarContainer() = jarname and
-      not a.isUninteresting()
+      a.jarContainer() = jarname
    )
 }

--- a/java/ql/src/Telemetry/SupportedExternalApis.ql
+++ b/java/ql/src/Telemetry/SupportedExternalApis.ql
@@ -11,11 +11,8 @@ import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import ExternalApi

 private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  (
-    api.isSupported() or
-    api = any(FlowSummaryImpl::Public::NeutralCallable nsc).asCallable()
-  )
+  api.isSupported() or
+  api = any(FlowSummaryImpl::Public::NeutralCallable nsc).asCallable()
 }

 from string apiName, int usages
--- a/java/ql/src/Telemetry/SupportedExternalSinks.ql
+++ b/java/ql/src/Telemetry/SupportedExternalSinks.ql
@@ -9,10 +9,7 @@
 import java
 import ExternalApi

-private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  api.isSink()
-}
+private predicate relevant(ExternalApi api) { api.isSink() }

 from string apiName, int usages
 where Results<relevant/1>::restrict(apiName, usages)
--- a/java/ql/src/Telemetry/SupportedExternalSources.ql
+++ b/java/ql/src/Telemetry/SupportedExternalSources.ql
@@ -9,10 +9,7 @@
 import java
 import ExternalApi

-private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  api.isSource()
-}
+private predicate relevant(ExternalApi api) { api.isSource() }

 from string apiName, int usages
 where Results<relevant/1>::restrict(apiName, usages)
--- a/java/ql/src/Telemetry/SupportedExternalTaint.ql
+++ b/java/ql/src/Telemetry/SupportedExternalTaint.ql
@@ -9,10 +9,7 @@
 import java
 import ExternalApi

-private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
-  api.hasSummary()
-}
+private predicate relevant(ExternalApi api) { api.hasSummary() }

 from string apiName, int usages
 where Results<relevant/1>::restrict(apiName, usages)
--- a/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql
+++ b/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql
@@ -11,7 +11,6 @@ import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import ExternalApi

 private predicate relevant(ExternalApi api) {
-  not api.isUninteresting() and
  not api.isSupported() and
  not api = any(FlowSummaryImpl::Public::NeutralCallable nsc).asCallable()
 }