add individual per-security-query counting queries

TomBolton · TomBolton · commit 33964383d738 · 2022-05-24T15:02:26.000+01:00
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountCodeInjection.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountCodeInjection.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `CodeInjection` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.CodeInjectionQuery as CodeInjection
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(CodeInjection::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(CodeInjection::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountNosqlInjection.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountNosqlInjection.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `NosqlInection` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(NosqlInjection::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(NosqlInjection::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountSqlInjection.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountSqlInjection.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `SqlInection` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(SqlInjection::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(SqlInjection::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountTaintedPath.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountTaintedPath.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `TaintedPath` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.TaintedPathQuery as TaintedPath
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(TaintedPath::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(TaintedPath::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXss.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXss.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `DomBasedXss` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(DomBasedXss::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(DomBasedXss::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXssThroughDom.ql b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/counting/CountXssThroughDom.ql
@@ -0,0 +1,22 @@
+/*
+ * For internal use only.
+ *
+ *
+ * Count the number of sinks and alerts for the `XssThroughDom` security query.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.XssThroughDomQuery as XssThroughDom
+import evaluation.EndToEndEvaluation
+
+int numAlerts(DataFlow::Configuration cfg) {
+  result =
+    count(DataFlow::Node source, DataFlow::Node sink |
+      cfg.hasFlow(source, sink) and not isFlowExcluded(source, sink)
+    )
+}
+
+select numAlerts(any(XssThroughDom::Configuration cfg)) as numAlerts,
+  count(DataFlow::Node sink |
+    exists(XssThroughDom::Configuration cfg | cfg.isSink(sink) or cfg.isSink(sink, _))
+  ) as numSinks
