C#: Make most module imports private.

Author: michaelnebel

csharp/ql/src/utils/model-generator/internal/CaptureModels.qll

@@ -3,14 +3,14 @@
  * and sink models of the Standard or a 3rd party library.
  */
 
-private import CaptureModelsSpecific
 private import ModelGeneratorUtils
+private import CaptureModelsSpecific
 
 /**
  * Gets the summary model of `api`, if it follows the `fluent` programming pattern (returns `this`).
  */
 string captureQualifierFlow(TargetApi api) {
-  exists(ReturnNodeExt ret |
+  exists(DataFlowImplCommon::ReturnNodeExt ret |
     api = returnNodeEnclosingCallable(ret) and
     isOwnInstanceAccessNode(ret)
   ) and
@@ -47,7 +47,7 @@ private class ThroughFlowConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    sink instanceof ReturnNodeExt and
+    sink instanceof DataFlowImplCommon::ReturnNodeExt and
     not isOwnInstanceAccessNode(sink) and
     not exists(captureQualifierFlow(sink.asExpr().getEnclosingCallable())) and
     (state instanceof TaintRead or state instanceof TaintStore)
@@ -57,15 +57,15 @@ private class ThroughFlowConfig extends TaintTracking::Configuration {
     DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
     DataFlow::FlowState state2
   ) {
-    exists(TypedContent tc |
-      store(node1, tc, node2, _) and
+    exists(DataFlowImplCommon::TypedContent tc |
+      DataFlowImplCommon::store(node1, tc, node2, _) and
       isRelevantContent(tc.getContent()) and
       (state1 instanceof TaintRead or state1 instanceof TaintStore) and
       state2 instanceof TaintStore
     )
     or
     exists(DataFlow::Content c |
-      readStep(node1, c, node2) and
+      DataFlowPrivate::readStep(node1, c, node2) and
       isRelevantContent(c) and
       state1 instanceof TaintRead and
       state2 instanceof TaintRead
@@ -86,8 +86,8 @@ private class ThroughFlowConfig extends TaintTracking::Configuration {
  */
 string captureThroughFlow(TargetApi api) {
   exists(
-    ThroughFlowConfig config, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input,
-    string output
+    ThroughFlowConfig config, DataFlow::ParameterNode p,
+    DataFlowImplCommon::ReturnNodeExt returnNodeExt, string input, string output
   |
     config.hasFlow(p, returnNodeExt) and
     returnNodeExt.getEnclosingCallable() = api and
@@ -108,11 +108,11 @@ string captureThroughFlow(TargetApi api) {
 private class FromSourceConfiguration extends TaintTracking::Configuration {
   FromSourceConfiguration() { this = "FromSourceConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { sourceNode(source, _) }
+  override predicate isSource(DataFlow::Node source) { ExternalFlow::sourceNode(source, _) }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(TargetApi c |
-      sink instanceof ReturnNodeExt and
+      sink instanceof DataFlowImplCommon::ReturnNodeExt and
       sink.getEnclosingCallable() = c
     )
   }
@@ -132,7 +132,7 @@ private class FromSourceConfiguration extends TaintTracking::Configuration {
 string captureSource(TargetApi api) {
   exists(DataFlow::Node source, DataFlow::Node sink, FromSourceConfiguration config, string kind |
     config.hasFlow(source, sink) and
-    sourceNode(source, kind) and
+    ExternalFlow::sourceNode(source, kind) and
     api = sink.getEnclosingCallable() and
     result = asSourceModel(api, returnNodeAsOutput(sink), kind)
   )
@@ -148,7 +148,7 @@ string captureSource(TargetApi api) {
 private class PropagateToSinkConfiguration extends PropagateToSinkConfigurationSpecific {
   PropagateToSinkConfiguration() { this = "parameters or fields flowing into sinks" }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+  override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }
 
   override DataFlow::FlowFeature getAFeature() {
     result instanceof DataFlow::FeatureHasSourceCallContext
@@ -161,7 +161,7 @@ private class PropagateToSinkConfiguration extends PropagateToSinkConfigurationS
 string captureSink(TargetApi api) {
   exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
     config.hasFlow(src, sink) and
-    sinkNode(sink, kind) and
+    ExternalFlow::sinkNode(sink, kind) and
     api = src.getEnclosingCallable() and
     not kind = "logging" and
     result = asSinkModel(api, asInputArgument(src), kind)

csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll

@@ -3,16 +3,18 @@
  */
 
 import csharp
-import semmle.code.csharp.dataflow.ExternalFlow
-import semmle.code.csharp.dataflow.TaintTracking
-import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
-import semmle.code.csharp.dataflow.internal.DataFlowPrivate
-import ModelGeneratorUtils
+private import semmle.code.csharp.dataflow.ExternalFlow as Ef
+private import semmle.code.csharp.dataflow.TaintTracking
+private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as Dfic
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import ModelGeneratorUtils
 
 /**
  * Gets the enclosing callable of `ret`.
  */
-Callable returnNodeEnclosingCallable(ReturnNodeExt ret) { result = getNodeEnclosingCallable(ret) }
+Callable returnNodeEnclosingCallable(Dfic::ReturnNodeExt ret) {
+  result = Dfic::getNodeEnclosingCallable(ret)
+}
 
 /**
  * Holds if `node` is an own instance access.
@@ -49,3 +51,17 @@ string asInputArgument(DataFlow::Node source) {
   source.asExpr() instanceof FieldAccess and
   result = qualifierString()
 }
+
+module DataFlowImplCommon {
+  predicate store = Dfic::store/4;
+
+  class ReturnNodeExt = Dfic::ReturnNodeExt;
+
+  class TypedContent = Dfic::TypedContent;
+}
+
+module ExternalFlow {
+  predicate sourceNode = Ef::sourceNode/2;
+
+  predicate sinkNode = Ef::sinkNode/2;
+}

csharp/ql/src/utils/model-generator/internal/ModelGeneratorUtils.qll

@@ -5,7 +5,7 @@ import ModelGeneratorUtilsSpecific
  */
 predicate isRelevantTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
   exists(DataFlow::Content f |
-    readStep(node1, f, node2) and
+    DataFlowPrivate::readStep(node1, f, node2) and
     if f instanceof DataFlow::FieldContent
     then isRelevantType(f.(DataFlow::FieldContent).getField().getType())
     else
@@ -14,7 +14,9 @@ predicate isRelevantTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
       else any()
   )
   or
-  exists(DataFlow::Content f | storeStep(node1, f, node2) | containerContent(f))
+  exists(DataFlow::Content f | DataFlowPrivate::storeStep(node1, f, node2) |
+    DataFlowPrivate::containerContent(f)
+  )
 }
 
 /**
@@ -24,7 +26,7 @@ predicate isRelevantTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
 predicate isRelevantContent(DataFlow::Content c) {
   isRelevantType(c.(DataFlow::FieldContent).getField().getType()) or
   isRelevantType(c.(DataFlow::SyntheticFieldContent).getField().getType()) or
-  containerContent(c)
+  DataFlowPrivate::containerContent(c)
 }
 
 /**

csharp/ql/src/utils/model-generator/internal/ModelGeneratorUtilsSpecific.qll

@@ -1,14 +1,14 @@
 import csharp
-import semmle.code.csharp.dataflow.internal.DataFlowPrivate
-private import semmle.code.csharp.commons.Util
+private import semmle.code.csharp.dataflow.internal.DataFlowPrivate as Dfp
+private import semmle.code.csharp.commons.Util as Util
 private import semmle.code.csharp.commons.Collections
 private import semmle.code.csharp.dataflow.internal.DataFlowImplCommon
 private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 
 /**
  * Holds if it is relevant to generate models for `api`.
  */
-predicate isRelevantForModels(Callable api) { not api instanceof MainMethod }
+predicate isRelevantForModels(Callable api) { not api instanceof Util::MainMethod }
 
 /**
  * A class of callables that are relevant generating summary, source and sinks models for.
@@ -24,7 +24,7 @@ class TargetApi extends DataFlowCallable {
   }
 }
 
-predicate asPartialModel = Csv::asPartialModel/1;
+predicate asPartialModel = Dfp::Csv::asPartialModel/1;
 
 /**
  * Holds for type `t` for fields that are relevant as an intermediate
@@ -44,7 +44,7 @@ private string parameterAccess(Parameter p) {
 string parameterNodeAsInput(DataFlow::ParameterNode p) {
   result = parameterAccess(p.asParameter())
   or
-  result = "Argument[Qualifier]" and p instanceof InstanceParameterNode
+  result = "Argument[Qualifier]" and p instanceof Dfp::InstanceParameterNode
 }
 
 pragma[nomagic]
@@ -66,3 +66,11 @@ string returnNodeAsOutput(ReturnNodeExt node) {
       result = "Argument[Qualifier]"
     )
 }
+
+module DataFlowPrivate {
+  predicate containerContent = Dfp::containerContent/1;
+
+  predicate readStep = Dfp::readStep/3;
+
+  predicate storeStep = Dfp::storeStep/3;
+}

java/ql/src/utils/model-generator/internal/CaptureModels.qll

@@ -10,7 +10,7 @@ private import ModelGeneratorUtils
  * Gets the summary model of `api`, if it follows the `fluent` programming pattern (returns `this`).
  */
 string captureQualifierFlow(TargetApi api) {
-  exists(ReturnNodeExt ret |
+  exists(DataFlowImplCommon::ReturnNodeExt ret |
     api = returnNodeEnclosingCallable(ret) and
     isOwnInstanceAccessNode(ret)
   ) and
@@ -47,7 +47,7 @@ private class ThroughFlowConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
-    sink instanceof ReturnNodeExt and
+    sink instanceof DataFlowImplCommon::ReturnNodeExt and
     not isOwnInstanceAccessNode(sink) and
     not exists(captureQualifierFlow(sink.asExpr().getEnclosingCallable())) and
     (state instanceof TaintRead or state instanceof TaintStore)
@@ -57,8 +57,8 @@ private class ThroughFlowConfig extends TaintTracking::Configuration {
     DataFlow::Node node1, DataFlow::FlowState state1, DataFlow::Node node2,
     DataFlow::FlowState state2
   ) {
-    exists(TypedContent tc |
-      store(node1, tc, node2, _) and
+    exists(DataFlowImplCommon::TypedContent tc |
+      DataFlowImplCommon::store(node1, tc, node2, _) and
       isRelevantContent(tc.getContent()) and
       (state1 instanceof TaintRead or state1 instanceof TaintStore) and
       state2 instanceof TaintStore
@@ -86,8 +86,8 @@ private class ThroughFlowConfig extends TaintTracking::Configuration {
  */
 string captureThroughFlow(TargetApi api) {
   exists(
-    ThroughFlowConfig config, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input,
-    string output
+    ThroughFlowConfig config, DataFlow::ParameterNode p,
+    DataFlowImplCommon::ReturnNodeExt returnNodeExt, string input, string output
   |
     config.hasFlow(p, returnNodeExt) and
     returnNodeExt.getEnclosingCallable() = api and
@@ -108,11 +108,11 @@ string captureThroughFlow(TargetApi api) {
 private class FromSourceConfiguration extends TaintTracking::Configuration {
   FromSourceConfiguration() { this = "FromSourceConfiguration" }
 
-  override predicate isSource(DataFlow::Node source) { sourceNode(source, _) }
+  override predicate isSource(DataFlow::Node source) { ExternalFlow::sourceNode(source, _) }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(TargetApi c |
-      sink instanceof ReturnNodeExt and
+      sink instanceof DataFlowImplCommon::ReturnNodeExt and
       sink.getEnclosingCallable() = c
     )
   }
@@ -132,7 +132,7 @@ private class FromSourceConfiguration extends TaintTracking::Configuration {
 string captureSource(TargetApi api) {
   exists(DataFlow::Node source, DataFlow::Node sink, FromSourceConfiguration config, string kind |
     config.hasFlow(source, sink) and
-    sourceNode(source, kind) and
+    ExternalFlow::sourceNode(source, kind) and
     api = sink.getEnclosingCallable() and
     result = asSourceModel(api, returnNodeAsOutput(sink), kind)
   )
@@ -148,7 +148,7 @@ string captureSource(TargetApi api) {
 private class PropagateToSinkConfiguration extends PropagateToSinkConfigurationSpecific {
   PropagateToSinkConfiguration() { this = "parameters or fields flowing into sinks" }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+  override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }
 
   override DataFlow::FlowFeature getAFeature() {
     result instanceof DataFlow::FeatureHasSourceCallContext
@@ -161,7 +161,7 @@ private class PropagateToSinkConfiguration extends PropagateToSinkConfigurationS
 string captureSink(TargetApi api) {
   exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
     config.hasFlow(src, sink) and
-    sinkNode(sink, kind) and
+    ExternalFlow::sinkNode(sink, kind) and
     api = src.getEnclosingCallable() and
     not kind = "logging" and
     result = asSinkModel(api, asInputArgument(src), kind)

java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll

@@ -3,9 +3,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.ExternalFlow as Ef
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.internal.DataFlowImplCommon
+private import semmle.code.java.dataflow.internal.DataFlowImplCommon as Dfic
 import semmle.code.java.dataflow.internal.DataFlowNodes
 import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.InstanceAccess
@@ -14,8 +14,8 @@ import ModelGeneratorUtils
 /**
  * Gets the enclosing callable of `ret`.
  */
-Callable returnNodeEnclosingCallable(ReturnNodeExt ret) {
-  result = getNodeEnclosingCallable(ret).asCallable()
+Callable returnNodeEnclosingCallable(Dfic::ReturnNodeExt ret) {
+  result = Dfic::getNodeEnclosingCallable(ret).asCallable()
 }
 
 /**
@@ -60,3 +60,17 @@ string asInputArgument(DataFlow::Node source) {
   source.asExpr() instanceof FieldAccess and
   result = qualifierString()
 }
+
+module DataFlowImplCommon {
+  predicate store = Dfic::store/4;
+
+  class ReturnNodeExt = Dfic::ReturnNodeExt;
+
+  class TypedContent = Dfic::TypedContent;
+}
+
+module ExternalFlow {
+  predicate sourceNode = Ef::sourceNode/2;
+
+  predicate sinkNode = Ef::sinkNode/2;
+}