You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst
+33-2Lines changed: 33 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -32,7 +32,8 @@ Are we going for extensions packs as the recommended default?
32
32
If yes, then we probably need to elaborate with a concrete example.
33
33
34
34
In the sections below, we will go through the different extension points using concrete examples.
35
-
The **Reference material** section will in more detail describe the *mini DSLs* that are used to comprise a model definition.
35
+
The extension points are used to customize and improve the existing dataflow queries, by providing sources, sinks and flow through for library methods.
36
+
The **Reference material** section will in more detail describe the *mini DSLs* that are used to comprise a model definition for each extension point.
36
37
37
38
Example: Taint sink in the **java.sql** package.
38
39
------------------------------------------------
@@ -224,10 +225,40 @@ That is, the first row models that there is value flow from the elements of qual
224
225
225
226
Example: Adding **neutral** methods.
226
227
------------------------------------
228
+
In this example we will see, how to define the **now** method as being neutral.
227
229
This is purely for consistency and has no impact on the analysis.
230
+
A neutral model is used to define that there is no flow through a method.
231
+
Please note that the neutral model for the **now** method is already added.
232
+
233
+
.. code-block:: java
234
+
235
+
publicstaticInstant taintflow() {
236
+
Instant t =Instant.now(); // There is no flow from now to t.
237
+
return t;
238
+
}
239
+
240
+
.. code-block:: yaml
241
+
242
+
extensions:
243
+
- addsTo:
244
+
pack: codeql/java-all
245
+
extensible: neutralModel
246
+
data:
247
+
- ["java.time", "Instant", "now", "()", "manual"]
248
+
249
+
Reasoning:
250
+
251
+
Since we are adding a neutral model, we need to add tuples to the **neutralModel** extension point.
252
+
The first four values are used to identify the method (callable) which we are defining as a neutral and the fifth value is the provenance (origin) of the neutral.
253
+
254
+
- The first value **java.time** is the package name.
255
+
- The second value **Instant** is the class (type) name.
256
+
- The third value **now** is the method name.
257
+
- The fourth value **()** is the method input type signature.
258
+
- The fifth value **manual** is the provenance of the neutral.
228
259
229
260
Reference material
230
261
------------------
231
262
232
263
The following sections provide reference material for extension points.
233
-
This includins descriptions of each of the arguments (eg. access paths, types, and kinds).
264
+
This includes descriptions of each of the arguments (eg. access paths, types, and kinds).
0 commit comments