Java: Add some model generator sink examples.

Author: michaelnebel

java/ql/test/utils/modelgenerator/dataflow/CaptureSinkModels.ext.yml

@@ -0,0 +1,13 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - [ "p", "Sinks", False, "sink", "(Object)", "", "Argument[0]", "test-sink", "manual" ]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - [ "p", "Sinks", "hasManualSinkNeutral", "(Object)", "sink", "manual"]

java/ql/test/utils/modelgenerator/dataflow/p/Sinks.java

@@ -11,6 +11,12 @@
 
 public class Sinks {
 
+  public Object tainted;
+
+  // Defined as a sink in the model file next to the test.
+  // neutral=p;Sinks;sink;(Object);summary;df-generated
+  public void sink(Object o) {}
+
   // sink=p;Sinks;true;copyFileToDirectory;(Path,Path,CopyOption[]);;Argument[0];path-injection;df-generated
   // sink=p;Sinks;true;copyFileToDirectory;(Path,Path,CopyOption[]);;Argument[1];path-injection;df-generated
   // neutral=p;Sinks;copyFileToDirectory;(Path,Path,CopyOption[]);summary;df-generated
@@ -38,4 +44,24 @@ public void propagate(String s) {
     Logger logger = Logger.getLogger(Sinks.class.getSimpleName());
     logger.warning(s);
   }
+
+  // New sink as the value of a public field is propagated to a sink.
+  // sink=p;Sinks;true;fieldSink;();;Argument[this];test-sink;df-generated
+  // neutral=p;Sinks;fieldSink;();summary;df-generated
+  public void fieldSink() {
+    sink(tainted);
+  }
+
+  // Not a new sink as this method is already defined as a manual
+  // sink neutral.
+  // neutral=p;Sinks;hasManualSinkNeutral;(Object);summary;df-generated
+  public void hasManualSinkNeutral(Object o) {
+    sink(o);
+  }
+
+  // MISSING SINK
+  // neutral=p;Sinks;compoundPropgate;(Sinks);summary;df-generated
+  public void compoundPropgate(Sinks s) {
+    s.fieldSink();
+  }
 }