The Java analysis can be customized by adding library models (summaries, sinks and sources) in data extension files.
12
+
A model is a definition of a behavior of a library element, such as a method, that is used to improve the data flow analysis precision by identifying more results.
13
+
Most of the security related queries are *taint tracking* queries that tries to find paths from a *source* of untrusted input to a *sink* that represents a vulnerability.
14
+
Furthermore, the taint tracking queries also need to know how data can flow through elements that are not included in the source code - these are named *summaries*.
12
15
16
+
That is
17
+
18
+
- **sources** are the starting points of a taint tracking data flow analysis.
19
+
- **sinks** are the end points of a taint tracking data flow analysis.
20
+
- **summaries** are models of elements that allows us to synthesize the elements flow behavior without having them in the source code. This is especially helpful when using a third party (or the standard) library.
21
+
22
+
The models are defined using data extensions where each tuple constitutes a model.
13
23
A data extension file for Java is a YAML file in the form:
14
24
15
25
.. code-block:: yaml
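Review bot: several grammar slips in the new introductory paragraphs of this hunk: "queries that tries to find paths" should read "queries that try to find paths"; "models of elements that allows us to synthesize the elements flow behavior" should read "models of elements that allow us to synthesize the element's flow behavior"; and the line "That is" that introduces the bullet list should end with a colon ("That is:"). "Furthermore, the taint tracking queries also need" doubles up "Furthermore" and "also", one of the two can go, and "security related" reads better hyphenated as "security-related".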
@@ -23,14 +33,14 @@ A data extension file for Java is a YAML file in the form:
23
33
- <tuple2>
24
34
- ...
25
35
26
-
Data extensions contribute to extensible predicates defined CodeQL libraries. For more information on how to define data extensions and extensible predicates as well as how to wire them up, see the :ref:`data-extensions` documentation.
36
+
Data extensions contribute to the extensible predicates defined in the CodeQL library. For more information on how to define data extensions and extensible predicates as well as how to wire them up, see the :ref:`data-extensions` documentation.
27
37
28
-
The CodeQL libraries for Java expose the following extensible predicates:
38
+
The CodeQL library for Java expose the following extensible predicates:
- **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance). This is used for **source** models.
41
+
- **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance). This is used for **sink** models.
42
+
- **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance). This is used for **summary** models.
43
+
- **neutralModel**\(package, type, name, signature, provenance). This is used for **neutral** models, which does not impact the data flow analysis, but it is included here for completeness.
34
44
35
45
The extensible predicates are populated using data extensions specified in YAML files.
36
46
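Review bot: subject-verb agreement in the rewritten sentence "The CodeQL library for Java expose the following extensible predicates" needs "exposes", and in the neutralModel bullet "which does not impact the data flow analysis" refers to the models (plural), so "which do not impact". The change from "defined CodeQL libraries" to "defined in the CodeQL library" in the paragraph above reads correctly now.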
@@ -52,7 +62,7 @@ Please note that this sink is already added to the CodeQL Java analysis.
52
62
stmt.execute(query); // The argument to this method is a SQL injection sink.
53
63
}
54
64
55
-
This can be achieved by adding the following row to a data extension file:
65
+
This means that we want to add a tuple to the **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance) extensible predicate, which can be achieved by adding the following to a data extension file:
56
66
57
67
.. code-block:: yaml
58
68
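Review bot: the full column list for sinkModel (package, type, subtypes, name, signature, ext, input, kind, provenance) is copied here verbatim from the predicate list earlier in the file, and the same pattern is repeated for sourceModel, summaryModel and neutralModel in the later hunks of this change, so a renamed or added column would have to be updated in five places. Consider naming just **sinkModel** in this sentence and letting the predicate list own the signature, or pointing back to that list with a cross-reference.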
@@ -94,7 +104,7 @@ Please note that this source is already added to the CodeQL Java analysis.
94
104
...
95
105
}
96
106
97
-
This can be achieved by adding the following data extension.
107
+
This means that we want to add a tuple to the **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance) extensible predicate, which can be achieved by adding the following to a data extension file:
98
108
99
109
.. code-block:: yaml
100
110
@@ -136,8 +146,7 @@ Please note that the flow through the **concat** method is already added to the
136
146
...
137
147
}
138
148
139
-
This can be achieved by adding the following data extension.
140
-
These are widely known as summary models.
149
+
This means that we want to add tuples to the **summaryModel**\(package, type, subtypes, name, signature, ext, input, output, kind, provenance) extensible predicate, which can be achieved by adding the following to a data extension file:
141
150
142
151
.. code-block:: yaml
143
152
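Review bot: dropping "These are widely known as summary models." is reasonable now that the introduction defines the term, but the introduction's bullet calls them *summaries* while this section and the predicate name use "summary models" / summaryModel; saying "summary models" once in that intro bullet would tie the two together for the reader. The plural "tuples" in the new sentence correctly matches the multiple rows the following YAML block adds.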
@@ -247,6 +256,8 @@ Please note that the neutral model for the **now** method is already added.
247
256
...
248
257
}
249
258
259
+
This means that we want to add a tuple to the **neutralModel**\(package, type, name, signature, provenance) extensible predicate, which can be achieved by adding the following to a data extension file: