Java: Extend neutrals with a kind column and introduce validation.

michaelnebel · michaelnebel · commit bcbda9046f6f · 2023-05-08T16:18:59.000+02:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -12,7 +12,7 @@
  * - Summaries:
  *   `package; type; subtypes; name; signature; ext; input; output; kind; provenance`
  * - Neutrals:
- *   `package; type; name; signature; provenance`
+ *   `package; type; name; signature; kind; provenance`
  *   A neutral is used to indicate that there is no flow via a callable.
  *
  * The interpretation of a row is similar to API-graphs with a left-to-right
@@ -65,7 +65,9 @@
  *    which classes the interpreted elements should be added. For example, for
  *    sources "remote" indicates a default remote flow source, and for summaries
  *    "taint" indicates a default additional taint step and "value" indicates a
- *    globally applicable value-preserving step.
+ *    globally applicable value-preserving step. For neutrals the kind can be `summary`,
+ *    `source` or `sink` to indicate that the neutral is neutral with respect to
+ *    flow (no summary), source (is not a source) or sink (is not a sink).
  * 9. The `provenance` column is a tag to indicate the origin and verification of a model.
  *    The format is {origin}-{verification} or just "manual" where the origin describes
  *    the origin of the model and verification describes how the model has been verified.
@@ -165,7 +167,7 @@ predicate summaryModel(
 }
 
 /** Holds if a neutral model exists indicating there is no flow for the given parameters. */
-predicate neutralModel = Extensions::neutralModel/5;
+predicate neutralModel = Extensions::neutralModel/6;
 
 private predicate relevantPackage(string package) {
   sourceModel(package, _, _, _, _, _, _, _, _) or
@@ -288,6 +290,11 @@ module ModelValidation {
       not kind.matches("qltest%") and
       result = "Invalid kind \"" + kind + "\" in source model."
     )
+    or
+    exists(string kind | neutralModel(_, _, _, _, kind, _) |
+      not kind = ["summary", "source", "sink"] and
+      result = "Invalid kind \"" + kind + "\" in neutral model."
+    )
   }
 
   private string getInvalidModelSignature() {
@@ -302,7 +309,7 @@ module ModelValidation {
       summaryModel(package, type, _, name, signature, ext, _, _, _, provenance) and
       pred = "summary"
       or
-      neutralModel(package, type, name, signature, provenance) and
+      neutralModel(package, type, name, signature, _, provenance) and
       ext = "" and
       pred = "neutral"
     |
@@ -346,7 +353,7 @@ private predicate elementSpec(
   or
   summaryModel(package, type, subtypes, name, signature, ext, _, _, _, _)
   or
-  neutralModel(package, type, name, signature, _) and ext = "" and subtypes = false
+  neutralModel(package, type, name, signature, _, _) and ext = "" and subtypes = false
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlowExtensions.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlowExtensions.qll
@@ -30,7 +30,7 @@ extensible predicate summaryModel(
  * Holds if a neutral model exists indicating there is no flow for the given parameters.
  */
 extensible predicate neutralModel(
-  string package, string type, string name, string signature, string provenance
+  string package, string type, string name, string signature, string kind, string provenance
 );
 
 /**
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -335,7 +335,7 @@ module Public {
   class NeutralCallable extends SummarizedCallableBase {
     private Provenance provenance;
 
-    NeutralCallable() { neutralElement(this, provenance) }
+    NeutralCallable() { neutralSummaryElement(this, provenance) }
 
     /**
      * Holds if the neutral is auto generated.
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -154,12 +154,12 @@ predicate summaryElement(
 }
 
 /**
- * Holds if a neutral model exists for `c` with provenance `provenance`,
+ * Holds if a neutral summary model exists for `c` with provenance `provenance`,
  * which means that there is no flow through `c`.
  */
-predicate neutralElement(SummarizedCallableBase c, string provenance) {
+predicate neutralSummaryElement(SummarizedCallableBase c, string provenance) {
   exists(string namespace, string type, string name, string signature |
-    neutralModel(namespace, type, name, signature, provenance) and
+    neutralModel(namespace, type, name, signature, "summary", provenance) and
     c.asCallable() = interpretElement(namespace, type, false, name, signature, "")
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -154,12 +154,12 @@ predicate summaryElement(`
`154`	`154`	`}`
`155`	`155`
`156`	`156`	`/**`
`157`		- * Holds if a neutral model exists for `c` with provenance `provenance`,
	`157`	+ * Holds if a neutral summary model exists for `c` with provenance `provenance`,
`158`	`158`	* which means that there is no flow through `c`.
`159`	`159`	`*/`
`160`		`-predicate neutralElement(SummarizedCallableBase c, string provenance) {`
	`160`	`+predicate neutralSummaryElement(SummarizedCallableBase c, string provenance) {`
`161`	`161`	`exists(string namespace, string type, string name, string signature \|`
`162`		`- neutralModel(namespace, type, name, signature, provenance) and`
	`162`	`+ neutralModel(namespace, type, name, signature, "summary", provenance) and`
`163`	`163`	`c.asCallable() = interpretElement(namespace, type, false, name, signature, "")`
`164`	`164`	`)`
`165`	`165`	`}`