Merge pull request github#11572 from jcogs33/jcogs33/model-top-jdk-apis

Java: model top 100 JDK APIs

Author: jcogs33

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -260,6 +260,12 @@ module Public {
      *  Holds if the neutral is auto generated.
      */
     predicate isAutoGenerated() { neutralElement(this, true) }
+
+    /**
+     * Holds if the neutral has the given provenance where `true` is
+     * `generated` and `false` is `manual`.
+     */
+    predicate hasProvenance(boolean generated) { neutralElement(this, generated) }
   }
 }
 

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -260,6 +260,12 @@ module Public {
      *  Holds if the neutral is auto generated.
      */
     predicate isAutoGenerated() { neutralElement(this, true) }
+
+    /**
+     * Holds if the neutral has the given provenance where `true` is
+     * `generated` and `false` is `manual`.
+     */
+    predicate hasProvenance(boolean generated) { neutralElement(this, generated) }
   }
 }
 

java/ql/lib/change-notes/2022-12-16-add-top-jdk-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models for frequently-used JDK APIs.

java/ql/lib/ext/java.lang.model.yml

@@ -37,12 +37,17 @@ extensions:
       - ["java.lang", "CharSequence", True, "charAt", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "CharSequence", True, "subSequence", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "CharSequence", True, "toString", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["java.lang", "IllegalArgumentException", False, "IllegalArgumentException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
+      - ["java.lang", "IllegalStateException", False, "IllegalStateException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
+      - ["java.lang", "Integer", False, "parseInt", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "Iterable", True, "forEach", "(Consumer)", "", "Argument[-1].Element", "Argument[0].Parameter[0]", "value", "manual"]
       - ["java.lang", "Iterable", True, "iterator", "()", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.lang", "Iterable", True, "spliterator", "()", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.lang", "Object", True, "clone", "", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.lang", "Object", True, "clone", "", "", "Argument[-1].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["java.lang", "Object", True, "clone", "", "", "Argument[-1].MapValue", "ReturnValue.MapValue", "value", "manual"]
+      - ["java.lang", "RuntimeException", False, "RuntimeException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
+      - ["java.lang", "RuntimeException", False, "RuntimeException", "(Throwable)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
       - ["java.lang", "String", False, "String", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "String", False, "concat", "(String)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
@@ -82,7 +87,34 @@ extensions:
       - ["java.lang", "String", False, "valueOf", "(char)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["java.lang", "String", False, "valueOf", "(int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(CharSequence)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(String)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "StringBuilder", True, "StringBuilder", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "System", False, "arraycopy", "", "", "Argument[0]", "Argument[2]", "taint", "manual"]
+      - ["java.lang", "Throwable", False, "Throwable", "(Throwable)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
+      - ["java.lang", "Throwable", False, "getCause", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
+      - ["java.lang", "Throwable", False, "getMessage", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.lang", "Class", "getName", "()", "manual"]
+      - ["java.lang", "Class", "getSimpleName", "()", "manual"]
+      - ["java.lang", "Enum", "Enum", "(String,int)", "manual"]
+      - ["java.lang", "Enum", "equals", "(Object)", "manual"]
+      - ["java.lang", "Enum", "name", "()", "manual"]
+      - ["java.lang", "Enum", "toString", "()", "manual"]
+      - ["java.lang", "Object", "equals", "(Object)", "manual"]
+      - ["java.lang", "Object", "getClass", "()", "manual"]
+      - ["java.lang", "Object", "hashCode", "()", "manual"]
+      - ["java.lang", "Object", "toString", "()", "manual"]
+      - ["java.lang", "String", "contains", "(CharSequence)", "manual"]
+      - ["java.lang", "String", "equals", "(Object)", "manual"]
+      - ["java.lang", "String", "equalsIgnoreCase", "(String)", "manual"]
+      - ["java.lang", "String", "hashCode", "()", "manual"]
+      - ["java.lang", "String", "isEmpty", "()", "manual"]
+      - ["java.lang", "String", "length", "()", "manual"]
+      - ["java.lang", "String", "startsWith", "(String)", "manual"]
+      - ["java.lang", "System", "currentTimeMillis", "()", "manual"]

java/ql/lib/ext/java.math.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["java.math", "BigDecimal", False, "BigDecimal", "(String)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]

java/ql/lib/ext/java.sql.model.yml

@@ -14,3 +14,9 @@ extensions:
       - ["java.sql", "Statement", True, "executeLargeUpdate", "", "", "Argument[0]", "sql", "manual"]
       - ["java.sql", "Statement", True, "executeQuery", "", "", "Argument[0]", "sql", "manual"]
       - ["java.sql", "Statement", True, "executeUpdate", "", "", "Argument[0]", "sql", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/java.util.model.yml

@@ -355,3 +355,26 @@ extensions:
       - ["java.util", "Vector", True, "setElementAt", "(Object,int)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
       - ["java.util", "WeakHashMap", False, "WeakHashMap", "(Map)", "", "Argument[0].MapKey", "Argument[-1].MapKey", "value", "manual"]
       - ["java.util", "WeakHashMap", False, "WeakHashMap", "(Map)", "", "Argument[0].MapValue", "Argument[-1].MapValue", "value", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.util", "Collections", "emptyList", "()", "manual"]
+      - ["java.util", "Collection", "size", "()", "manual"]
+      - ["java.util", "Iterator", "hasNext", "()", "manual"]
+      - ["java.util", "List", "contains", "(Object)", "manual"]
+      - ["java.util", "List", "isEmpty", "()", "manual"]
+      - ["java.util", "List", "size", "()", "manual"]
+      - ["java.util", "Map", "containsKey", "(Object)", "manual"]
+      - ["java.util", "Map", "isEmpty", "()", "manual"]
+      - ["java.util", "Map", "size", "()", "manual"]
+      - ["java.util", "Objects", "equals", "(Object,Object)", "manual"]
+      - ["java.util", "Objects", "hash", "(Object[])", "manual"]
+      - ["java.util", "Optional", "empty", "()", "manual"]
+      - ["java.util", "Optional", "isPresent", "()", "manual"]
+      - ["java.util", "Set", "contains", "(Object)", "manual"]
+      - ["java.util", "Set", "isEmpty", "()", "manual"]
+      - ["java.util", "Set", "size", "()", "manual"]
+      - ["java.util", "UUID", "randomUUID", "()", "manual"]
+      - ["java.util", "UUID", "toString", "()", "manual"]

java/ql/lib/ext/java.util.stream.model.yml

@@ -87,3 +87,9 @@ extensions:
       - ["java.util.stream", "Stream", True, "takeWhile", "(Predicate)", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.util.stream", "Stream", True, "toArray", "", "", "Argument[-1].Element", "ReturnValue.ArrayElement", "value", "manual"]
       - ["java.util.stream", "Stream", True, "toList", "()", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.util.stream", "Collectors", "toList", "()", "manual"]

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -260,6 +260,12 @@ module Public {
      *  Holds if the neutral is auto generated.
      */
     predicate isAutoGenerated() { neutralElement(this, true) }
+
+    /**
+     * Holds if the neutral has the given provenance where `true` is
+     * `generated` and `false` is `manual`.
+     */
+    predicate hasProvenance(boolean generated) { neutralElement(this, generated) }
   }
 }
 

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected

@@ -12,8 +12,14 @@ edges
 | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
 | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime |
+| ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:173:37:173:42 | header : String |
 | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter |
+| ThreadResourceAbuse.java:173:20:173:43 | parseInt(...) : Number | ThreadResourceAbuse.java:176:17:176:26 | retryAfter |
+| ThreadResourceAbuse.java:173:37:173:42 | header : String | ThreadResourceAbuse.java:173:20:173:43 | parseInt(...) : Number |
+| ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | ThreadResourceAbuse.java:207:39:207:52 | uploadDelayStr : String |
 | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number |
+| ThreadResourceAbuse.java:207:22:207:53 | parseInt(...) : Number | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number |
+| ThreadResourceAbuse.java:207:39:207:52 | uploadDelayStr : String | ThreadResourceAbuse.java:207:22:207:53 | parseInt(...) : Number |
 | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number | UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number |
 | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number |
 | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number |
@@ -42,8 +48,12 @@ nodes
 | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | semmle.label | getValue(...) : String |
 | ThreadResourceAbuse.java:144:34:144:42 | delayTime | semmle.label | delayTime |
 | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| ThreadResourceAbuse.java:173:20:173:43 | parseInt(...) : Number | semmle.label | parseInt(...) : Number |
+| ThreadResourceAbuse.java:173:37:173:42 | header : String | semmle.label | header : String |
 | ThreadResourceAbuse.java:176:17:176:26 | retryAfter | semmle.label | retryAfter |
 | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:207:22:207:53 | parseInt(...) : Number | semmle.label | parseInt(...) : Number |
+| ThreadResourceAbuse.java:207:39:207:52 | uploadDelayStr : String | semmle.label | uploadDelayStr : String |
 | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number | semmle.label | new UploadListener(...) [slowUploads] : Number |
 | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | semmle.label | uploadDelay : Number |
 | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |