mirror of
https://github.com/github/codeql.git
synced 2025-12-20 10:46:30 +01:00
68 lines
2.4 KiB
Plaintext
68 lines
2.4 KiB
Plaintext
/**
|
|
* @name Debug result inclusion
|
|
* @description Use this query to understand why some alerts are included or excluded from the
|
|
* results of boosted queries. The results for this query are the union of the alerts
|
|
* generated by each boosted query. Each alert includes an explanation why it was
|
|
* included or excluded for each of the four security queries.
|
|
* @kind problem
|
|
* @problem.severity error
|
|
* @id adaptive-threat-modeling/js/debug-result-inclusion
|
|
*/
|
|
|
|
import javascript
|
|
import experimental.adaptivethreatmodeling.ATMConfig
|
|
import extraction.ExtractEndpointData
|
|
|
|
string getAReasonSinkExcluded(DataFlow::Node sinkCandidate, Query query) {
|
|
query instanceof NosqlInjectionQuery and
|
|
result = NosqlInjectionATM::SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate)
|
|
or
|
|
query instanceof SqlInjectionQuery and
|
|
result = SqlInjectionATM::SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate)
|
|
or
|
|
query instanceof TaintedPathQuery and
|
|
result = TaintedPathATM::SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate)
|
|
or
|
|
query instanceof XssQuery and
|
|
result = XssATM::SinkEndpointFilter::getAReasonSinkExcluded(sinkCandidate)
|
|
}
|
|
|
|
pragma[inline]
|
|
string getDescriptionForAlertCandidate(
|
|
DataFlow::Node sourceCandidate, DataFlow::Node sinkCandidate, Query query
|
|
) {
|
|
result = "excluded[reason=" + getAReasonSinkExcluded(sinkCandidate, query) + "]"
|
|
or
|
|
getATMCfg(query).isKnownSink(sinkCandidate) and
|
|
result = "excluded[reason=known-sink]"
|
|
or
|
|
not exists(getAReasonSinkExcluded(sinkCandidate, query)) and
|
|
not getDataFlowCfg(query).hasFlow(sourceCandidate, sinkCandidate) and
|
|
(
|
|
if
|
|
getDataFlowCfg(query).isSource(sourceCandidate) or
|
|
getDataFlowCfg(query).isSource(sourceCandidate, _)
|
|
then result = "no flow"
|
|
else result = "not a known source"
|
|
)
|
|
or
|
|
getDataFlowCfg(query).hasFlow(sourceCandidate, sinkCandidate) and
|
|
result = "included"
|
|
}
|
|
|
|
pragma[inline]
|
|
string getDescriptionForAlert(DataFlow::Node sourceCandidate, DataFlow::Node sinkCandidate) {
|
|
result =
|
|
concat(Query query |
|
|
|
|
|
query.getName() + ": " +
|
|
getDescriptionForAlertCandidate(sourceCandidate, sinkCandidate, query), ", "
|
|
)
|
|
}
|
|
|
|
from DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
|
|
where cfg.hasFlow(source, sink)
|
|
select sink,
|
|
"This is an ATM result that may depend on $@ [" + getDescriptionForAlert(source, sink) + "]",
|
|
source, "a user-provided value"
|