C#: Make the model predicates emmit the provenance directly to enable testing.

michaelnebel · michaelnebel · commit 5e3bb8297af3 · 2022-06-20T16:20:01.000+02:00
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll
@@ -69,6 +69,12 @@
  *    sources "remote" indicates a default remote flow source, and for summaries
  *    "taint" indicates a default additional taint step and "value" indicates a
  *    globally applicable value-preserving step.
+ * 9. The `provenance` column is tag to indicate the origin of the summary.
+ *    There are two supported values: "generated" and "manual". "generated" means that
+ *    the model has been emitted by the model generator tool and "manual" means
+ *    that the model has been written by hand. This information is used in a heuristic
+ *    for dataflow analysis to determine, if a model or source code should be used for
+ *    determining flow.
  */
 
 import csharp
@@ -163,17 +169,10 @@ private predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
 
 private predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 
-bindingset[provenance]
-private boolean isGenerated(string provenance) {
-  provenance = "generated" and result = true
-  or
-  provenance != "generated" and result = false
-}
-
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, boolean generated
+  string output, string kind, string provenance
 ) {
   exists(string row |
     sourceModel(row) and
@@ -186,16 +185,14 @@ predicate sourceModel(
     row.splitAt(";", 5) = ext and
     row.splitAt(";", 6) = output and
     row.splitAt(";", 7) = kind and
-    exists(string provenance |
-      row.splitAt(";", 8) = provenance and generated = isGenerated(provenance)
-    )
+    row.splitAt(";", 8) = provenance
   )
 }
 
 /** Holds if a sink model exists for the given parameters. */
 predicate sinkModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, boolean generated
+  string input, string kind, string provenance
 ) {
   exists(string row |
     sinkModel(row) and
@@ -208,16 +205,14 @@ predicate sinkModel(
     row.splitAt(";", 5) = ext and
     row.splitAt(";", 6) = input and
     row.splitAt(";", 7) = kind and
-    exists(string provenance |
-      row.splitAt(";", 8) = provenance and generated = isGenerated(provenance)
-    )
+    row.splitAt(";", 8) = provenance
   )
 }
 
 /** Holds if a summary model exists for the given parameters. */
 predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, boolean generated
+  string input, string output, string kind, string provenance
 ) {
   exists(string row |
     summaryModel(row) and
@@ -231,9 +226,7 @@ predicate summaryModel(
     row.splitAt(";", 6) = input and
     row.splitAt(";", 7) = output and
     row.splitAt(";", 8) = kind and
-    exists(string provenance |
-      row.splitAt(";", 9) = provenance and generated = isGenerated(provenance)
-    )
+    row.splitAt(";", 9) = provenance
   )
 }
 
@@ -268,25 +261,25 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
     part = "source" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string output, boolean generated |
+        string ext, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, generated)
+        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance)
       )
     or
     part = "sink" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, boolean generated |
+        string ext, string input, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, generated)
+        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance)
       )
     or
     part = "summary" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string output, boolean generated |
+        string ext, string input, string output, string provenance |
         canonicalNamespaceLink(namespace, subns) and
-        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, generated)
+        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance)
       )
   )
 }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -91,16 +91,25 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
   )
 }
 
+bindingset[provenance]
+private boolean isGenerated(string provenance) {
+  provenance = "generated" and result = true
+  or
+  provenance != "generated" and result = false
+}
+
 /**
  * Holds if an external flow summary exists for `c` with input specification
  * `input`, output specification `output`, kind `kind`, and a flag `generated`
  * stating whether the summary is autogenerated.
  */
 predicate summaryElement(Callable c, string input, string output, string kind, boolean generated) {
   exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string provenance
   |
-    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, generated) and
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
+    generated = isGenerated(provenance) and
     c = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }
@@ -112,9 +121,11 @@ predicate summaryElement(Callable c, string input, string output, string kind, b
  */
 predicate sourceElement(Element e, string output, string kind, boolean generated) {
   exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string provenance
   |
-    sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, generated) and
+    sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance) and
+    generated = isGenerated(provenance) and
     e = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }
@@ -126,9 +137,11 @@ predicate sourceElement(Element e, string output, string kind, boolean generated
  */
 predicate sinkElement(Element e, string input, string kind, boolean generated) {
   exists(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string provenance
   |
-    sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, generated) and
+    sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance) and
+    generated = isGenerated(provenance) and
     e = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -91,16 +91,25 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {`
`91`	`91`	`)`
`92`	`92`	`}`
`93`	`93`
	`94`	`+bindingset[provenance]`
	`95`	`+private boolean isGenerated(string provenance) {`
	`96`	`+ provenance = "generated" and result = true`
	`97`	`+ or`
	`98`	`+ provenance != "generated" and result = false`
	`99`	`+}`
	`100`	`+`
`94`	`101`	`/**`
`95`	`102`	* Holds if an external flow summary exists for `c` with input specification
`96`	`103`	* `input`, output specification `output`, kind `kind`, and a flag `generated`
`97`	`104`	`* stating whether the summary is autogenerated.`
`98`	`105`	`*/`
`99`	`106`	`predicate summaryElement(Callable c, string input, string output, string kind, boolean generated) {`
`100`	`107`	`exists(`
`101`		`- string namespace, string type, boolean subtypes, string name, string signature, string ext`
	`108`	`+ string namespace, string type, boolean subtypes, string name, string signature, string ext,`
	`109`	`+ string provenance`
`102`	`110`	`\|`
`103`		`- summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, generated) and`
	`111`	`+ summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and`
	`112`	`+ generated = isGenerated(provenance) and`
`104`	`113`	`c = interpretElement(namespace, type, subtypes, name, signature, ext)`
`105`	`114`	`)`
`106`	`115`	`}`
`@@ -112,9 +121,11 @@ predicate summaryElement(Callable c, string input, string output, string kind, b`
`112`	`121`	`*/`
`113`	`122`	`predicate sourceElement(Element e, string output, string kind, boolean generated) {`
`114`	`123`	`exists(`
`115`		`- string namespace, string type, boolean subtypes, string name, string signature, string ext`
	`124`	`+ string namespace, string type, boolean subtypes, string name, string signature, string ext,`
	`125`	`+ string provenance`
`116`	`126`	`\|`
`117`		`- sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, generated) and`
	`127`	`+ sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, provenance) and`
	`128`	`+ generated = isGenerated(provenance) and`
`118`	`129`	`e = interpretElement(namespace, type, subtypes, name, signature, ext)`
`119`	`130`	`)`
`120`	`131`	`}`
`@@ -126,9 +137,11 @@ predicate sourceElement(Element e, string output, string kind, boolean generated`
`126`	`137`	`*/`
`127`	`138`	`predicate sinkElement(Element e, string input, string kind, boolean generated) {`
`128`	`139`	`exists(`
`129`		`- string namespace, string type, boolean subtypes, string name, string signature, string ext`
	`140`	`+ string namespace, string type, boolean subtypes, string name, string signature, string ext,`
	`141`	`+ string provenance`
`130`	`142`	`\|`
`131`		`- sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, generated) and`
	`143`	`+ sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance) and`
	`144`	`+ generated = isGenerated(provenance) and`
`132`	`145`	`e = interpretElement(namespace, type, subtypes, name, signature, ext)`
`133`	`146`	`)`
`134`	`147`	`}`