C#: Use api info string ordering and results to avoid multiplicity issues.

michaelnebel · michaelnebel · commit 2bbfdcf5985d · 2022-10-04T13:51:35.000+02:00
diff --git a/csharp/ql/src/Telemetry/ExternalApi.qll b/csharp/ql/src/Telemetry/ExternalApi.qll
@@ -114,29 +114,29 @@ class ExternalApi extends DotNet::Callable {
 int resultLimit() { result = 1000 }
 
 /**
- * Holds if the relevant usage count of `api` is `usages`.
+ * Holds if the relevant usage count of api with `apiInfo` is `usages`.
  */
-signature predicate relevantUsagesSig(ExternalApi api, int usages);
+signature predicate relevantUsagesSig(string apiInfo, int usages);
 
 /**
  * Given a predicate to count relevant API usages, this module provides a predicate
  * for restricting the number or returned results based on a certain limit.
  */
 module Results<relevantUsagesSig/2 getRelevantUsages> {
-  private int getOrder(ExternalApi api) {
-    api =
-      rank[result](ExternalApi a, int usages |
-        getRelevantUsages(a, usages)
+  private int getOrder(string apiInfo) {
+    apiInfo =
+      rank[result](string info, int usages |
+        getRelevantUsages(info, usages)
       |
-        a order by usages desc, a.getInfo()
+        info order by usages desc, info
       )
   }
 
   /**
-   * Holds if `api` is being used `usages` times and if it is
-   * in the top results (guarded by resultLimit).
+   * Holds if there exists an API with `apiInfo` that is being used `usages` times
+   * and if it is in the top results (guarded by resultLimit).
    */
-  predicate restrict(ExternalApi api, int usages) {
-    getRelevantUsages(api, usages) and getOrder(api) <= resultLimit()
+  predicate restrict(string apiInfo, int usages) {
+    getRelevantUsages(apiInfo, usages) and getOrder(apiInfo) <= resultLimit()
   }
 }
diff --git a/csharp/ql/src/Telemetry/SupportedExternalSinks.ql b/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
@@ -10,12 +10,16 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi
 
-private predicate getRelevantUsages(ExternalApi api, int usages) {
-  not api.isUninteresting() and
-  api.isSink() and
-  usages = strictcount(DispatchCall c | c = api.getACall())
+private predicate getRelevantUsages(string apiInfo, int usages) {
+  usages =
+    strictcount(DispatchCall c, ExternalApi api |
+      apiInfo = api.getInfo() and
+      c = api.getACall() and
+      not api.isUninteresting() and
+      api.isSink()
+    )
 }
 
-from ExternalApi api, int usages
-where Results<getRelevantUsages/2>::restrict(api, usages)
-select api.getInfo() as info, usages order by usages desc
+from string info, int usages
+where Results<getRelevantUsages/2>::restrict(info, usages)
+select info, usages order by usages desc
diff --git a/csharp/ql/src/Telemetry/SupportedExternalSources.ql b/csharp/ql/src/Telemetry/SupportedExternalSources.ql
@@ -10,12 +10,16 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi
 
-private predicate getRelevantUsages(ExternalApi api, int usages) {
-  not api.isUninteresting() and
-  api.isSource() and
-  usages = strictcount(DispatchCall c | c = api.getACall())
+private predicate getRelevantUsages(string apiInfo, int usages) {
+  usages =
+    strictcount(DispatchCall c, ExternalApi api |
+      c = api.getACall() and
+      apiInfo = api.getInfo() and
+      not api.isUninteresting() and
+      api.isSource()
+    )
 }
 
-from ExternalApi api, int usages
-where Results<getRelevantUsages/2>::restrict(api, usages)
-select api.getInfo() as info, usages order by usages desc
+from string info, int usages
+where Results<getRelevantUsages/2>::restrict(info, usages)
+select info, usages order by usages desc
diff --git a/csharp/ql/src/Telemetry/SupportedExternalTaint.ql b/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
@@ -10,12 +10,16 @@ private import csharp
 private import semmle.code.csharp.dispatch.Dispatch
 private import ExternalApi
 
-private predicate getRelevantUsages(ExternalApi api, int usages) {
-  not api.isUninteresting() and
-  api.hasSummary() and
-  usages = strictcount(DispatchCall c | c = api.getACall())
+private predicate getRelevantUsages(string apiInfo, int usages) {
+  usages =
+    strictcount(DispatchCall c, ExternalApi api |
+      apiInfo = api.getInfo() and
+      c = api.getACall() and
+      not api.isUninteresting() and
+      api.hasSummary()
+    )
 }
 
-from ExternalApi api, int usages
-where Results<getRelevantUsages/2>::restrict(api, usages)
-select api.getInfo() as info, usages order by usages desc
+from string info, int usages
+where Results<getRelevantUsages/2>::restrict(info, usages)
+select info, usages order by usages desc
diff --git a/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql b/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
@@ -12,13 +12,17 @@ private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSumma
 private import semmle.code.csharp.dataflow.internal.NegativeSummary
 private import ExternalApi
 
-private predicate getRelevantUsages(ExternalApi api, int usages) {
-  not api.isUninteresting() and
-  not api.isSupported() and
-  not api instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable and
-  usages = strictcount(DispatchCall c | c = api.getACall())
+private predicate getRelevantUsages(string apiInfo, int usages) {
+  usages =
+    strictcount(DispatchCall c, ExternalApi api |
+      apiInfo = api.getInfo() and
+      c = api.getACall() and
+      not api.isUninteresting() and
+      not api.isSupported() and
+      not api instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable
+    )
 }
 
-from ExternalApi api, int usages
-where Results<getRelevantUsages/2>::restrict(api, usages)
-select api.getInfo() as info, usages order by usages desc
+from string info, int usages
+where Results<getRelevantUsages/2>::restrict(info, usages)
+select info, usages order by usages desc
