Java: mark functional expressions as likely not sinks

Stephan Brandauer · Stephan Brandauer · commit db77c6b9a34f · 2023-05-25T16:39:27.000+02:00
diff --git a/java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll b/java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll
@@ -328,6 +328,17 @@ private class OtherArgumentToModeledMethodCharacteristic extends Characteristics
   }
 }
 
+/**
+ * A characteristic that marks functional expression as likely not sinks.
+ *
+ * These expressions may well _contain_ sinks, but rarely are sinks themselves.
+ */
+private class FunctionValueCharacteristic extends CharacteristicsImpl::LikelyNotASinkCharacteristic {
+  FunctionValueCharacteristic() { this = "function value" }
+
+  override predicate appliesToEndpoint(Endpoint e) { e.asExpr() instanceof FunctionalExpr }
+}
+
 /**
  * A negative characteristic that indicates that an endpoint is not a `to` node for any known taint step. Such a node
  * cannot be tainted, because taint can't flow into it.
