Skip to content

Commit 72c62ac

Browse files
geoffw0geoffw0
committed
Rust: Add taint reach to rust/summary/summary-statistics.
1 parent 7904ed9 commit 72c62ac

File tree

3 files changed

+38
-0
lines changed

3 files changed

+38
-0
lines changed

rust/ql/src/queries/summary/SummaryStats.ql

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,7 @@ import codeql.rust.security.SensitiveData
1212
import codeql.rust.security.WeakSensitiveDataHashingExtensions
1313
import codeql.rust.Diagnostics
1414
import Stats
15+
import TaintReach
1516

1617
from string key, int value
1718
where
@@ -59,6 +60,10 @@ where
5960
or
6061
key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
6162
or
63+
key = "Taint reach - nodes tainted" and value = getTaintedNodesCount()
64+
or
65+
key = "Taint reach - per million nodes" and value = getTaintReach().floor()
66+
or
6267
key = "Sensitive data" and value = count(SensitiveData d)
6368
or
6469
key = "Taint sinks - query sinks" and value = getQuerySinksCount()

rust/ql/src/queries/summary/TaintReach.qll

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
/**
2+
* Taint reach computation. Taint reach is the proportion of all dataflow nodes that can be reached
3+
* via taint flow from any active thread model source. It's usually expressed per million nodes.
4+
*/
5+
6+
import rust
7+
private import codeql.rust.Concepts
8+
private import codeql.rust.dataflow.DataFlow
9+
private import codeql.rust.dataflow.TaintTracking
10+
11+
/**
12+
* A taint configuration for taint reach (flow to any node from any modelled source).
13+
*/
14+
private module TaintReachConfig implements DataFlow::ConfigSig {
15+
predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource }
16+
17+
predicate isSink(DataFlow::Node node) { any() }
18+
}
19+
20+
private module TaintReachFlow = TaintTracking::Global<TaintReachConfig>;
21+
22+
/**
23+
* Gets the total number of dataflow nodes that taint reaches (from any source).
24+
*/
25+
int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) }
26+
27+
/**
28+
* Gets the proportion of dataflow nodes that taint reaches (from any source),
29+
* expressed as a count per million nodes.
30+
*/
31+
float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) }

rust/ql/test/query-tests/diagnostics/SummaryStats.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,8 @@
1515
| Macro calls - total | 9 |
1616
| Macro calls - unresolved | 1 |
1717
| Sensitive data | 0 |
18+
| Taint reach - nodes tainted | 0 |
19+
| Taint reach - per million nodes | 0 |
1820
| Taint sinks - cryptographic operations | 0 |
1921
| Taint sinks - query sinks | 0 |
2022
| Taint sources - active | 0 |

0 commit comments

Comments
 (0)