PS: AST and control-flow additions required for MaD and Api graphs.

Author: MathiasVP

powershell/ql/lib/powershell.qll

@@ -81,4 +81,5 @@ import semmle.code.powershell.HashTable
 import semmle.code.powershell.SplitExpr
 import semmle.code.powershell.CommentEntity
 import semmle.code.powershell.Variable
-import semmle.code.powershell.internal.Internal::Public
+import semmle.code.powershell.internal.Internal::Public
+import semmle.code.powershell.ModuleManifest

powershell/ql/lib/semmle/code/powershell/Command.qll

@@ -1,11 +1,32 @@
 import powershell
+private predicate parseCommandName(Cmd cmd, string namespace, string name) {
+  exists(string qualified | command(cmd, qualified, _, _, _) |
+    namespace = qualified.regexpCapture("([^\\\\]+)\\\\([^\\\\]+)", 1) and
+    name = qualified.regexpCapture("([^\\\\]+)\\\\([^\\\\]+)", 2)
+    or
+    // Not a qualified name
+    not exists(qualified.indexOf("\\")) and
+    namespace = "" and
+    name = qualified
+  )
+}
 
 class Cmd extends @command, CmdBase {
-  override string toString() { result = this.getCommandName() }
+  override string toString() { result = this.getQualifiedCommandName() }
 
   override SourceLocation getLocation() { command_location(this, result) }
 
-  string getCommandName() { command(this, result, _, _, _) }
+  /** Gets the name of the command without any qualifiers. */
+  string getCommandName() { parseCommandName(this, _, result) }
+
+  /** Holds if the command is qualified. */
+  predicate isQualified() { parseCommandName(this, any(string s | s != ""), _) }
+
+  /** Gets the namespace qualifier of this command, if any. */
+  string getNamespaceQualifier() { parseCommandName(this, result, _) }
+
+  /** Gets the (possibly qualified) name of this command. */
+  string getQualifiedCommandName() { command(this, result, _, _, _) }
 
   int getKind() { command(this, _, result, _, _) }
 
@@ -15,8 +36,10 @@ class Cmd extends @command, CmdBase {
 
   CmdElement getElement(int i) { command_command_element(this, i, result) }
 
+  /** Gets the expression that determines the command to invoke. */
   Expr getCommand() { result = this.getElement(0) }
 
+  /** Gets the name of this command, if this is statically known. */
   StringConstExpr getCmdName() { result = this.getElement(0) }
 
   /** Gets any argument to this command. */

powershell/ql/lib/semmle/code/powershell/HashTable.qll

@@ -7,6 +7,10 @@ class HashTableExpr extends @hash_table, Expr {
 
   Stmt getElement(Expr key) { hash_table_key_value_pairs(this, _, key, result) } // TODO: Change @ast to @expr in db scheme
 
+  Stmt getElementFromConstant(string key) {
+    result = this.getElement(any(StringConstExpr sc | sc.getValue().getValue() = key))
+  }
+
   predicate hasKey(Expr key) { exists(this.getElement(key)) }
 
   Stmt getAnElement() { result = this.getElement(_) }

powershell/ql/lib/semmle/code/powershell/InvokeMemberExpression.qll

@@ -9,6 +9,8 @@ class InvokeMemberExpr extends @invoke_member_expression, MemberExprBase {
 
   CmdElement getMember() { invoke_member_expression(this, _, result) }
 
+  string getMemberName() { result = this.getMember().(StringConstExpr).getValue().getValue() }
+
   Expr getArgument(int i) { invoke_member_expression_argument(this, i, result) }
 
   Expr getAnArgument() { invoke_member_expression_argument(this, _, result) }

powershell/ql/lib/semmle/code/powershell/MemberExpr.qll

@@ -3,7 +3,7 @@ import powershell
 class MemberExpr extends @member_expression, MemberExprBase {
   final override Location getLocation() { member_expression_location(this, result) }
 
-  Expr getBase() { member_expression(this, result, _, _, _) }
+  Expr getQualifier() { member_expression(this, result, _, _, _) }
 
   CmdElement getMember() { member_expression(this, _, result, _, _) }
 

powershell/ql/lib/semmle/code/powershell/ModuleManifest.qll

@@ -0,0 +1,44 @@
+import powershell
+
+class ModuleManifestFile extends File {
+  ModuleManifestFile() { this.getExtension() = "psd1" }
+}
+
+private Expr getEntry(HashTableExpr ht, string key) {
+  result = ht.getElementFromConstant(key).(CmdExpr).getExpr() and
+  not result instanceof ArrayLiteral
+}
+
+private Expr getAnEntry(HashTableExpr ht, string key) {
+  exists(Expr e | e = ht.getElementFromConstant(key).(CmdExpr).getExpr() |
+    not e instanceof ArrayLiteral and result = e
+    or
+    result = e.(ArrayLiteral).getAnElement()
+  )
+}
+
+class ModuleManifest extends HashTableExpr {
+  string moduleVersion;
+
+  ModuleManifest() {
+    // The hash table is in a .psd1 file
+    this.getLocation().getFile() instanceof ModuleManifestFile and
+    // It's at the top level of the file
+    this.getParent().(CmdExpr).getParent().(NamedBlock).getParent() instanceof TopLevel and
+    // It has a `ModuleVersion` entry. The only required field is ModuleVersion.
+    // https://learn.microsoft.com/en-us/powershell/scripting/developer/module/how-to-write-a-powershell-module-manifest?view=powershell-7.4#to-create-and-use-a-module-manifest
+    moduleVersion = getEntry(this, "ModuleVersion").getValue().asString()
+  }
+
+  string getModuleVersion() { result = moduleVersion }
+
+  string getModuleName() {
+    result + ".psd1" = this.getLocation().getFile().getBaseName()
+  }
+
+  string getAFunctionToExport() {
+    result = getAnEntry(this, "FunctionsToExport").getValue().asString()
+  }
+
+  string getACmdLetToExport() { result = getAnEntry(this, "CmdletsToExport").getValue().asString() }
+}

powershell/ql/lib/semmle/code/powershell/UsingStmt.qll

@@ -4,4 +4,18 @@ class UsingStmt extends @using_statement, Stmt {
   override SourceLocation getLocation() { using_statement_location(this, result) }
 
   override string toString() { result = "using ..." }
+
+  string getName() {
+    exists(StringConstExpr const |
+      using_statement_name(this, const) and // TODO: Change dbscheme
+      result = const.getValue().getValue()
+    )
+  }
+
+  string getAlias() {
+    exists(StringConstExpr const |
+      using_statement_alias(this, const) and // TODO: Change dbscheme
+      result = const.getValue().getValue()
+    )
+  }
 }

powershell/ql/lib/semmle/code/powershell/controlflow/CfgNodes.qll

@@ -159,6 +159,8 @@ abstract private class AbstractCallCfgNode extends AstCfgNode {
    * Gets the expression that provides the call target of this call, if any.
    */
   abstract ExprCfgNode getCommand();
+
+  int getNumberOfArguments() { result = count(this.getAnArgument()) }
 }
 
 final class CallCfgNode = AbstractCallCfgNode;
@@ -371,7 +373,7 @@ module ExprNodes {
   }
 
   class MemberChildMapping extends ExprChildMapping, MemberExpr {
-    override predicate relevantChild(Ast n) { n = this.getBase() or n = this.getMember() }
+    override predicate relevantChild(Ast n) { n = this.getQualifier() or n = this.getMember() }
   }
 
   /** A control-flow node that wraps a `MemberExpr` expression. */
@@ -382,7 +384,7 @@ module ExprNodes {
 
     final override MemberExpr getExpr() { result = super.getExpr() }
 
-    final ExprCfgNode getBase() { e.hasCfgChild(e.getBase(), this, result) }
+    final ExprCfgNode getQualifier() { e.hasCfgChild(e.getQualifier(), this, result) }
 
     final string getMemberName() { result = e.getMemberName() }
 

powershell/ql/lib/semmle/code/powershell/controlflow/internal/ControlFlowGraphImpl.qll

@@ -468,7 +468,7 @@ module Trees {
 
   class MemberExprTree extends StandardPostOrderTree instanceof MemberExpr {
     override AstNode getChildNode(int i) {
-      i = 0 and result = super.getBase()
+      i = 0 and result = super.getQualifier()
       or
       i = 1 and result = super.getMember()
     }

powershell/ql/lib/semmle/code/powershell/dataflow/internal/DataFlowPrivate.qll

@@ -186,7 +186,7 @@ private module Cached {
       n instanceof CfgNodes::ExprNodes::QualifierCfgNode
       or
       exists(CfgNodes::ExprNodes::MemberCfgNode member |
-        n = member.getBase() and
+        n = member.getQualifier() and
         not member.isStatic()
       )
       or
@@ -769,7 +769,7 @@ predicate jumpStep(Node pred, Node succ) {
  */
 predicate storeStep(Node node1, ContentSet c, Node node2) {
   exists(CfgNodes::ExprNodes::MemberCfgWriteAccessNode var, Content::FieldContent fc |
-    node2.(PostUpdateNode).getPreUpdateNode().asExpr() = var.getBase() and
+    node2.(PostUpdateNode).getPreUpdateNode().asExpr() = var.getQualifier() and
     node1.asStmt() = var.getAssignStmt().getRightHandSide() and
     fc.getName() = var.getMemberName() and
     c.isSingleton(fc)
@@ -838,7 +838,7 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
 predicate readStep(Node node1, ContentSet c, Node node2) {
   exists(CfgNodes::ExprNodes::MemberCfgReadAccessNode var, Content::FieldContent fc |
     node2.asExpr() = var and
-    node1.asExpr() = var.getBase() and
+    node1.asExpr() = var.getQualifier() and
     fc.getName() = var.getMemberName() and
     c.isSingleton(fc)
   )