Swift: Break the 'taint reach' metric off into its own query (it's expensive to compute).

Author: geoffw0

swift/ql/src/queries/Summary/SummaryStats.ql

@@ -9,32 +9,8 @@
 import swift
 import codeql.swift.dataflow.FlowSources
 import codeql.swift.security.SensitiveExprs
-import codeql.swift.dataflow.DataFlow
-import codeql.swift.dataflow.TaintTracking
 import codeql.swift.regex.Regex
 
-/**
- * A taint configuration for tainted data reaching any node.
- */
-module TaintReachConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
-
-  predicate isSink(DataFlow::Node node) { any() }
-}
-
-module TaintReachFlow = TaintTracking::Global<TaintReachConfig>;
-
-/**
- * Gets the total number of dataflow nodes that taint reaches (from any source).
- */
-int taintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) }
-
-/**
- * Gets the proportion of dataflow nodes that taint reaches (from any source),
- * expressed as a count per million nodes.
- */
-float taintReach() { result = (taintedNodesCount() * 1000000.0) / count(DataFlow::Node n) }
-
 predicate statistic(string what, string value) {
   what = "Files" and value = count(File f).toString()
   or
@@ -52,12 +28,6 @@ predicate statistic(string what, string value) {
   or
   what = "Sensitive expressions" and value = count(SensitiveExpr e).toString()
   or
-  what = "Dataflow nodes (total)" and value = count(DataFlow::Node n).toString()
-  or
-  what = "Dataflow nodes (tainted)" and value = taintedNodesCount().toString()
-  or
-  what = "Taint reach (per million nodes)" and value = taintReach().toString()
-  or
   what = "Regular expression evals" and value = count(RegexEval e).toString()
   or
   what = "Regular expression evals with associated regex" and

swift/ql/src/queries/Summary/TaintReach.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Taint Reach
+ * @description Calculates 'taint reach', a measure of how much of a database
+ *              is reached from flow sources, via taint flow. This can be
+ *              expensive to compute on large databases.
+ * @kind table
+ * @id swift/summary/taint-reach
+ * @tags summary
+ */
+
+import swift
+import codeql.swift.dataflow.FlowSources
+import codeql.swift.dataflow.DataFlow
+import codeql.swift.dataflow.TaintTracking
+
+/**
+ * A taint configuration for tainted data reaching any node.
+ */
+module TaintReachConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
+
+  predicate isSink(DataFlow::Node node) { any() }
+}
+
+module TaintReachFlow = TaintTracking::Global<TaintReachConfig>;
+
+/**
+ * Gets the total number of dataflow nodes that taint reaches (from any source).
+ */
+int taintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) }
+
+/**
+ * Gets the proportion of dataflow nodes that taint reaches (from any source),
+ * expressed as a count per million nodes.
+ */
+float taintReach() { result = (taintedNodesCount() * 1000000.0) / count(DataFlow::Node n) }
+
+predicate statistic(string what, string value) {
+  what = "Dataflow nodes (total)" and value = count(DataFlow::Node n).toString()
+  or
+  what = "Dataflow nodes (tainted)" and value = taintedNodesCount().toString()
+  or
+  what = "Taint reach (per million nodes)" and value = taintReach().toString()
+}
+
+from string what, string value
+where statistic(what, value)
+select what, value