diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll index 359fa71744b..1db3402b746 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll index 359fa71744b..1db3402b746 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll index 359fa71744b..1db3402b746 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll index 359fa71744b..1db3402b746 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll index 359fa71744b..1db3402b746 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll index 359fa71744b..1db3402b746 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 359fa71744b..1db3402b746 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 359fa71744b..1db3402b746 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 359fa71744b..1db3402b746 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 359fa71744b..1db3402b746 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 359fa71744b..1db3402b746 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll index 359fa71744b..1db3402b746 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll index 359fa71744b..1db3402b746 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll index 359fa71744b..1db3402b746 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll index 359fa71744b..1db3402b746 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll index 6e4921521b1..a9ff849d3cc 100644 --- a/shared/dataflow/codeql/dataflow/DataFlow.qll +++ b/shared/dataflow/codeql/dataflow/DataFlow.qll @@ -431,6 +431,12 @@ module Configs Lang> { * is not visualized (as it is in a `path-problem` query). */ default predicate includeHiddenNodes() { none() } + + /** + * Holds to filter out data flows whose source and sink are both not in the + * `AlertFiltering` location range. + */ + default predicate filterForSourceOrSinkAlerts() { none() } } /** An input configuration for data flow using flow state. */ @@ -547,6 +553,12 @@ module Configs Lang> { * is not visualized (as it is in a `path-problem` query). */ default predicate includeHiddenNodes() { none() } + + /** + * Holds to filter out data flows whose source and sink are both not in the + * `AlertFiltering` location range. + */ + default predicate filterForSourceOrSinkAlerts() { none() } } } @@ -625,6 +637,7 @@ module DataFlowMake Lang> { module Global implements GlobalFlowSig { private module C implements FullStateConfigSig { import DefaultState + import FilteredSourceSink import Config predicate accessPathLimit = Config::accessPathLimit/0; @@ -647,6 +660,7 @@ module DataFlowMake Lang> { */ module GlobalWithState implements GlobalFlowSig { private module C implements FullStateConfigSig { + import FilteredStateSourceSink import Config predicate accessPathLimit = Config::accessPathLimit/0; diff --git a/shared/dataflow/codeql/dataflow/TaintTracking.qll b/shared/dataflow/codeql/dataflow/TaintTracking.qll index 343f8be041f..3e4de6c6218 100644 --- a/shared/dataflow/codeql/dataflow/TaintTracking.qll +++ b/shared/dataflow/codeql/dataflow/TaintTracking.qll @@ -60,8 +60,8 @@ module TaintFlowMake< Config::allowImplicitRead(node, c) or ( - Config::isSink(node) or - Config::isSink(node, _) or + Config::isFilteredSink(node) or + Config::isFilteredSink(node, _) or Config::isAdditionalFlowStep(node, _, _) or Config::isAdditionalFlowStep(node, _, _, _) ) and @@ -75,6 +75,7 @@ module TaintFlowMake< module Global implements DataFlow::GlobalFlowSig { private module Config0 implements DataFlowInternal::FullStateConfigSig { import DataFlowInternal::DefaultState + import DataFlowInternal::FilteredSourceSink import Config predicate isAdditionalFlowStep( @@ -101,6 +102,7 @@ module TaintFlowMake< */ module GlobalWithState implements DataFlow::GlobalFlowSig { private module Config0 implements DataFlowInternal::FullStateConfigSig { + import DataFlowInternal::FilteredStateSourceSink import Config predicate isAdditionalFlowStep( diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index c8b56db0b34..c4da42ebf97 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -124,6 +124,30 @@ module MakeImpl Lang> { * is not visualized (as it is in a `path-problem` query). */ predicate includeHiddenNodes(); + + /** + * Holds to filter out data flows whose source and sink are both not in the + * `AlertFiltering` location range. + */ + predicate filterForSourceOrSinkAlerts(); + + /** + * Holds if `source` is a relevant data flow source with the given initial + * `state` and passes filtering per `filterForSourceOrSinkAlerts`. + */ + predicate isFilteredSource(Node source, FlowState state); + + /** + * Holds if `sink` is a relevant data flow sink accepting `state` and passes + * filtering per `filterForSourceOrSinkAlerts`. + */ + predicate isFilteredSink(Node sink, FlowState state); + + /** + * Holds if `sink` is a relevant data flow sink for any state and passes + * filtering per `filterForSourceOrSinkAlerts`. + */ + predicate isFilteredSink(Node sink); } /** @@ -147,6 +171,112 @@ module MakeImpl Lang> { } } + /** + * Provide `isFilteredSource` and `isFilteredSink` implementations given a `ConfigSig`. + */ + module FilteredSourceSink { + private import codeql.util.AlertFiltering + + private module AlertFiltering = AlertFilteringImpl; + + private class FlowState = Unit; + + pragma[noinline] + private predicate hasFilteredSource() { + exists(Node n | Config::isSource(n) | AlertFiltering::filterByLocation(n.getLocation())) + } + + pragma[noinline] + private predicate hasFilteredSink() { + exists(Node n | Config::isSink(n) | AlertFiltering::filterByLocation(n.getLocation())) + } + + predicate isFilteredSource(Node source, FlowState state) { + Config::isSource(source) and + exists(state) and + ( + not Config::filterForSourceOrSinkAlerts() or + // If there are filtered sinks, we need to pass through all sources to preserve all alerts + // with filtered sinks. Otherwise the only alerts of interest are those with filtered + // sources, so we can perform the source filtering right here. + hasFilteredSink() or + AlertFiltering::filterByLocation(source.getLocation()) + ) + } + + predicate isFilteredSink(Node sink, FlowState state) { isFilteredSink(sink) and exists(state) } + + predicate isFilteredSink(Node sink) { + Config::isSink(sink) and + ( + // If there are filtered sources, we need to pass through all sinks to preserve all alerts + // with filtered sources. Otherwise the only alerts of interest are those with filtered + // sinks, so we can perform the sink filtering right here. + hasFilteredSource() or + AlertFiltering::filterByLocation(sink.getLocation()) + ) + } + } + + /** + * Provide `isFilteredSource` and `isFilteredSink` implementations given a `StateConfigSig`. + */ + module FilteredStateSourceSink { + private import codeql.util.AlertFiltering + + private module AlertFiltering = AlertFilteringImpl; + + private class FlowState = Config::FlowState; + + pragma[noinline] + private predicate hasFilteredSource() { + exists(Node n | Config::isSource(n, _) | AlertFiltering::filterByLocation(n.getLocation())) + } + + pragma[noinline] + private predicate hasFilteredSink() { + exists(Node n | + Config::isSink(n, _) or + Config::isSink(n) + | + AlertFiltering::filterByLocation(n.getLocation()) + ) + } + + predicate isFilteredSource(Node source, FlowState state) { + Config::isSource(source, state) and + ( + // If there are filtered sinks, we need to pass through all sources to preserve all alerts + // with filtered sinks. Otherwise the only alerts of interest are those with filtered + // sources, so we can perform the source filtering right here. + hasFilteredSink() or + AlertFiltering::filterByLocation(source.getLocation()) + ) + } + + predicate isFilteredSink(Node sink, FlowState state) { + Config::isSink(sink, state) and + ( + // If there are filtered sources, we need to pass through all sinks to preserve all alerts + // with filtered sources. Otherwise the only alerts of interest are those with filtered + // sinks, so we can perform the sink filtering right here. + hasFilteredSource() or + AlertFiltering::filterByLocation(sink.getLocation()) + ) + } + + predicate isFilteredSink(Node sink) { + Config::isSink(sink) and + ( + // If there are filtered sources, we need to pass through all sinks to preserve all alerts + // with filtered sources. Otherwise the only alerts of interest are those with filtered + // sinks, so we can perform the sink filtering right here. + hasFilteredSource() or + AlertFiltering::filterByLocation(sink.getLocation()) + ) + } + } + /** * Constructs a data flow computation given a full input configuration. */ @@ -250,7 +380,7 @@ module MakeImpl Lang> { exists(Node n | node.asNode() = n and Config::isBarrierIn(n) and - Config::isSource(n, _) + Config::isFilteredSource(n, _) ) } @@ -259,7 +389,7 @@ module MakeImpl Lang> { exists(Node n | node.asNode() = n and Config::isBarrierIn(n, state) and - Config::isSource(n, state) + Config::isFilteredSource(n, state) ) } @@ -268,9 +398,9 @@ module MakeImpl Lang> { node.asNodeOrImplicitRead() = n and Config::isBarrierOut(n) | - Config::isSink(n, _) + Config::isFilteredSink(n, _) or - Config::isSink(n) + Config::isFilteredSink(n) ) } @@ -280,9 +410,9 @@ module MakeImpl Lang> { node.asNodeOrImplicitRead() = n and Config::isBarrierOut(n, state) | - Config::isSink(n, state) + Config::isFilteredSink(n, state) or - Config::isSink(n) + Config::isFilteredSink(n) ) } @@ -292,11 +422,11 @@ module MakeImpl Lang> { Config::isBarrier(n) or Config::isBarrierIn(n) and - not Config::isSource(n, _) + not Config::isFilteredSource(n, _) or Config::isBarrierOut(n) and - not Config::isSink(n, _) and - not Config::isSink(n) + not Config::isFilteredSink(n, _) and + not Config::isFilteredSink(n) ) } @@ -306,24 +436,24 @@ module MakeImpl Lang> { Config::isBarrier(n, state) or Config::isBarrierIn(n, state) and - not Config::isSource(n, state) + not Config::isFilteredSource(n, state) or Config::isBarrierOut(n, state) and - not Config::isSink(n, state) and - not Config::isSink(n) + not Config::isFilteredSink(n, state) and + not Config::isFilteredSink(n) ) } pragma[nomagic] private predicate sourceNode(NodeEx node, FlowState state) { - Config::isSource(node.asNode(), state) and + Config::isFilteredSource(node.asNode(), state) and not fullBarrier(node) and not stateBarrier(node, state) } pragma[nomagic] private predicate sinkNodeWithState(NodeEx node, FlowState state) { - Config::isSink(node.asNodeOrImplicitRead(), state) and + Config::isFilteredSink(node.asNodeOrImplicitRead(), state) and not fullBarrier(node) and not stateBarrier(node, state) } @@ -729,7 +859,7 @@ module MakeImpl Lang> { additional predicate sinkNode(NodeEx node, FlowState state) { fwdFlow(node) and fwdFlowState(state) and - Config::isSink(node.asNodeOrImplicitRead()) + Config::isFilteredSink(node.asNodeOrImplicitRead()) or fwdFlow(node) and fwdFlowState(state) and @@ -2946,7 +3076,7 @@ module MakeImpl Lang> { NodeEx toNormalSinkNodeEx() { exists(Node n | pragma[only_bind_out](node.asNodeOrImplicitRead()) = n and - (Config::isSink(n) or Config::isSink(n, _)) and + (Config::isFilteredSink(n) or Config::isFilteredSink(n, _)) and result.asNode() = n ) } @@ -4792,15 +4922,15 @@ module MakeImpl Lang> { } private predicate interestingCallableSrc(DataFlowCallable c) { - exists(Node n | Config::isSource(n, _) and c = getNodeEnclosingCallable(n)) + exists(Node n | Config::isFilteredSource(n, _) and c = getNodeEnclosingCallable(n)) or exists(DataFlowCallable mid | interestingCallableSrc(mid) and callableStep(mid, c)) } private predicate interestingCallableSink(DataFlowCallable c) { exists(Node n | c = getNodeEnclosingCallable(n) | - Config::isSink(n, _) or - Config::isSink(n) + Config::isFilteredSink(n, _) or + Config::isFilteredSink(n) ) or exists(DataFlowCallable mid | interestingCallableSink(mid) and callableStep(c, mid)) @@ -4827,7 +4957,7 @@ module MakeImpl Lang> { or exists(Node n | ce1 = TCallableSrc() and - Config::isSource(n, _) and + Config::isFilteredSource(n, _) and ce2 = TCallable(getNodeEnclosingCallable(n)) ) or @@ -4835,8 +4965,8 @@ module MakeImpl Lang> { ce2 = TCallableSink() and ce1 = TCallable(getNodeEnclosingCallable(n)) | - Config::isSink(n, _) or - Config::isSink(n) + Config::isFilteredSink(n, _) or + Config::isFilteredSink(n) ) } @@ -4900,7 +5030,7 @@ module MakeImpl Lang> { private predicate revSinkNode(NodeEx node, FlowState state) { sinkNodeWithState(node, state) or - Config::isSink(node.asNodeOrImplicitRead()) and + Config::isFilteredSink(node.asNodeOrImplicitRead()) and relevantState(state) and not fullBarrier(node) and not stateBarrier(node, state) diff --git a/shared/util/codeql/util/AlertFiltering.qll b/shared/util/codeql/util/AlertFiltering.qll new file mode 100644 index 00000000000..d1778304b73 --- /dev/null +++ b/shared/util/codeql/util/AlertFiltering.qll @@ -0,0 +1,40 @@ +/** + * Provides the `restrictAlertsTo` extensible predicate to restrict alerts to specific source + * locations, and the `AlertFilteringImpl` parameterized module to apply the filtering. + */ + +private import codeql.util.Location + +/** + * Restricts alerts to a specific location in specific files. + * + * If this predicate is empty, accept all alerts. Otherwise, accept alerts only at the specified + * locations. Note that alert restrictions apply only to the start line of an alert (even if the + * alert location spans multiple lines) because alerts are displayed on their start lines. + * + * - filePath: Absolute path of the file to restrict alerts to. + * - startLine: Start line number (starting with 1, inclusive) to restrict alerts to. + * - endLine: End line number (starting with 1, inclusive) to restrict alerts to. + * + * If startLine and endLine are both 0, accept alerts anywhere in the file. + */ +extensible predicate restrictAlertsTo(string filePath, int startLine, int endLine); + +/** Module for applying alert location filtering. */ +module AlertFilteringImpl { + /** Applies alert filtering to the given location. */ + bindingset[location] + predicate filterByLocation(Location location) { + not restrictAlertsTo(_, _, _) + or + exists(string filePath, int startLine, int endLine | + restrictAlertsTo(filePath, startLine, endLine) + | + startLine = 0 and + endLine = 0 and + location.hasLocationInfo(filePath, _, _, _, _) + or + location.hasLocationInfo(filePath, [startLine .. endLine], _, _, _) + ) + } +} diff --git a/shared/util/ext/default-alert-filter.yml b/shared/util/ext/default-alert-filter.yml new file mode 100644 index 00000000000..0ae5a2f4eb5 --- /dev/null +++ b/shared/util/ext/default-alert-filter.yml @@ -0,0 +1,7 @@ +extensions: + + - addsTo: + pack: codeql/util + extensible: restrictAlertsTo + # Empty predicate means no restrictions on alert locations + data: [] diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 5914dae3575..adb3ab85951 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -3,4 +3,6 @@ version: 1.0.7-dev groups: shared library: true dependencies: null +dataExtensions: + - ext/*.yml warnOnImplicitThis: true diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll index 359fa71744b..1db3402b746 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate filterForSourceOrSinkAlerts() { none() } + + predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } + + predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } + + predicate isFilteredSink(Node sink) { isSink(sink) } } deprecated private import Impl as I