C#: Limit the defintion of database flow source and use summaries for better paths and reduced result multiplicity.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Stored.qll

@@ -39,22 +39,23 @@ class DbRawSqlStoredFlowSource extends DatabaseInputSource {
  * An expression that has a type of `DbDataReader` or a sub-class, representing the result of a
  * data command.
  */
-class DbDataReaderStoredFlowSource extends DatabaseInputSource {
-  DbDataReaderStoredFlowSource() {
-    this.asExpr().getType() = any(SystemDataCommon::DbDataReader dataReader).getASubType*()
+class DbDataReaderParameterStoredFlowSource extends DatabaseInputSource {
+  DbDataReaderParameterStoredFlowSource() {
+    [this.asParameter().getType(), this.asExpr().(MethodCall).getTarget().getReturnType()] =
+      any(SystemDataCommon::DbDataReader dataReader).getASubType*()
   }
 }
 
 /** An expression that accesses a method of `DbDataReader` or a sub-class. */
-class DbDataReaderMethodStoredFlowSource extends DatabaseInputSource {
+deprecated class DbDataReaderMethodStoredFlowSource extends DataFlow::Node {
   DbDataReaderMethodStoredFlowSource() {
     this.asExpr().(MethodCall).getTarget().getDeclaringType() =
       any(SystemDataCommon::DbDataReader dataReader).getASubType*()
   }
 }
 
 /** An expression that accesses a property of `DbDataReader` or a sub-class. */
-class DbDataReaderPropertyStoredFlowSource extends DatabaseInputSource {
+deprecated class DbDataReaderPropertyStoredFlowSource extends DataFlow::Node {
   DbDataReaderPropertyStoredFlowSource() {
     this.asExpr().(PropertyAccess).getTarget().getDeclaringType() =
       any(SystemDataCommon::DbDataReader dataReader).getASubType*()

csharp/ql/test/library-tests/frameworks/EntityFramework/StoredFlowSources.ql

@@ -2,4 +2,5 @@ import csharp
 import semmle.code.csharp.security.dataflow.flowsources.Stored
 
 from StoredFlowSource source
+where source.asExpr().fromSource()
 select source