Revert "Remove Broken Rust Queries"

ropwareJB · web-flow · commit 00b556cc54d1 · 2024-12-19T16:39:08.000+11:00
diff --git a/rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql b/rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Data flow inconsistency counts
+ * @description Counts the number of data flow inconsistencies of each type.  This query is intended for internal use.
+ * @kind diagnostic
+ * @id rust/diagnostics/data-flow-consistency-counts
+ */
+
+import codeql.rust.dataflow.internal.DataFlowConsistency as Consistency
+
+// see also `rust/diagnostics/data-flow-consistency`, which lists the
+// individual inconsistency results.
+from string type, int num
+where num = Consistency::getInconsistencyCounts(type)
+select type, num
diff --git a/rust/ql/src/queries/security/CWE-089/SqlInjection.ql b/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Database query built from user-controlled sources
+ * @description Building a database query from user-controlled sources is vulnerable to insertion of malicious code by attackers.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id rust/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.SqlInjectionExtensions
+import SqlInjectionFlow::PathGraph
+
+/**
+ * A taint configuration for tainted data that reaches a SQL sink.
+ */
+module SqlInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof SqlInjection::Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof SqlInjection::Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof SqlInjection::Barrier }
+}
+
+module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
+
+from SqlInjectionFlow::PathNode sourceNode, SqlInjectionFlow::PathNode sinkNode
+where SqlInjectionFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This query depends on a $@.",
+  sourceNode.getNode(), "user-provided value"
diff --git a/rust/ql/src/queries/summary/LinesOfCode.ql b/rust/ql/src/queries/summary/LinesOfCode.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Total lines of Rust code in the database
+ * @description The total number of lines of Rust code across all files, including any libraries and auto-generated files that the extractor sees. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @id rust/summary/lines-of-code
+ * @tags summary
+ *       lines-of-code
+ *       telemetry
+ */
+
+import rust
+import Stats
+
+select getLinesOfCode()
diff --git a/rust/ql/src/queries/summary/LinesOfUserCode.ql b/rust/ql/src/queries/summary/LinesOfUserCode.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Total lines of user written Rust code in the database
+ * @description The total number of lines of Rust code from the source code directory. This query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @id rust/summary/lines-of-user-code
+ * @tags summary
+ *       lines-of-code
+ *       debug
+ */
+
+import rust
+import Stats
+
+select getLinesOfUserCode()
diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql
@@ -0,0 +1,54 @@
+/**
+ * @name Summary Statistics
+ * @description A table of summary statistics about a database.
+ * @kind metric
+ * @id rust/summary/summary-statistics
+ * @tags summary
+ */
+
+import rust
+import codeql.rust.Concepts
+import codeql.rust.Diagnostics
+import Stats
+
+from string key, int value
+where
+  key = "Elements extracted" and value = count(Element e | not e instanceof Unextracted)
+  or
+  key = "Elements unextracted" and value = count(Unextracted e)
+  or
+  key = "Extraction errors" and value = count(ExtractionError e)
+  or
+  key = "Extraction warnings" and value = count(ExtractionWarning w)
+  or
+  key = "Files extracted - total" and value = count(ExtractedFile f | exists(f.getRelativePath()))
+  or
+  key = "Files extracted - with errors" and
+  value =
+    count(ExtractedFile f |
+      exists(f.getRelativePath()) and not f instanceof SuccessfullyExtractedFile
+    )
+  or
+  key = "Files extracted - without errors" and
+  value = count(SuccessfullyExtractedFile f | exists(f.getRelativePath()))
+  or
+  key = "Lines of code extracted" and value = getLinesOfCode()
+  or
+  key = "Lines of user code extracted" and value = getLinesOfUserCode()
+  or
+  key = "Inconsistencies - AST" and value = getTotalAstInconsistencies()
+  or
+  key = "Inconsistencies - CFG" and value = getTotalCfgInconsistencies()
+  or
+  key = "Inconsistencies - data flow" and value = getTotalDataFlowInconsistencies()
+  or
+  key = "Macro calls - total" and value = count(MacroCall mc)
+  or
+  key = "Macro calls - resolved" and value = count(MacroCall mc | mc.hasExpanded())
+  or
+  key = "Macro calls - unresolved" and value = count(MacroCall mc | not mc.hasExpanded())
+  or
+  key = "Taint sources - total" and value = count(ThreatModelSource s)
+  or
+  key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
+select key, value order by key
diff --git a/rust/ql/src/queries/summary/TaintSources.ql b/rust/ql/src/queries/summary/TaintSources.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Taint Sources
+ * @description List all sources of untrusted input that have been idenfitied
+ *              in the database.
+ * @kind problem
+ * @problem.severity info
+ * @id rust/summary/taint-sources
+ * @tags summary
+ */
+
+import rust
+import codeql.rust.Concepts
+
+from ThreatModelSource s, string defaultString
+where
+  if s instanceof ActiveThreatModelSource then defaultString = " (DEFAULT)" else defaultString = ""
+select s,
+  "Flow source '" + s.getSourceType() + "' of type " + s.getThreatModel() + defaultString + "."
