Merge pull request github#14197 from github/kaeluka/framework-mode-source-candidates

Java: Framework mode source candidates

Author: Stephan Brandauer

java/ql/automodel/src/AutomodelAlertSinkUtil.qll

@@ -96,7 +96,7 @@ class PotentialSinkModelExpr extends Expr {
         or
         this = call.getQualifier() and argIdx = -1
       ) and
-      input = getArgumentForIndex(argIdx) and
+      (if argIdx = -1 then input = "Argument[this]" else input = "Argument[" + argIdx + "]") and
       package = callable.getDeclaringType().getPackage().getName() and
       type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
       subtypes = considerSubtypes(callable) and

java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll

@@ -569,72 +569,3 @@ private class CannotBeTaintedCharacteristic extends CharacteristicsImpl::LikelyN
     FlowSummaryImpl::Private::Steps::summarySetterStep(_, _, e.asNode(), _)
   }
 }
-
-/**
- * Holds if the given endpoint has a self-contradictory combination of characteristics. Detects errors in our endpoint
- * characteristics. Lists the problematic characteristics and their implications for all such endpoints, together with
- * an error message indicating why this combination is problematic.
- *
- * Copied from
- *   javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/ContradictoryEndpointCharacteristics.ql
- */
-predicate erroneousEndpoints(
-  Endpoint endpoint, EndpointCharacteristic characteristic,
-  AutomodelEndpointTypes::EndpointType endpointType, float confidence, string errorMessage,
-  boolean ignoreKnownModelingErrors
-) {
-  // An endpoint's characteristics should not include positive indicators with medium/high confidence for more than one
-  // sink/source type (including the negative type).
-  exists(
-    EndpointCharacteristic characteristic2, AutomodelEndpointTypes::EndpointType endpointClass2,
-    float confidence2
-  |
-    endpointType != endpointClass2 and
-    (
-      endpointType instanceof AutomodelEndpointTypes::SinkType and
-      endpointClass2 instanceof AutomodelEndpointTypes::SinkType
-      or
-      endpointType instanceof AutomodelEndpointTypes::SourceType and
-      endpointClass2 instanceof AutomodelEndpointTypes::SourceType
-    ) and
-    characteristic.appliesToEndpoint(endpoint) and
-    characteristic2.appliesToEndpoint(endpoint) and
-    characteristic.hasImplications(endpointType, true, confidence) and
-    characteristic2.hasImplications(endpointClass2, true, confidence2) and
-    confidence > SharedCharacteristics::mediumConfidence() and
-    confidence2 > SharedCharacteristics::mediumConfidence() and
-    (
-      ignoreKnownModelingErrors = true and
-      not knownOverlappingCharacteristics(characteristic, characteristic2)
-      or
-      ignoreKnownModelingErrors = false
-    )
-  ) and
-  errorMessage = "Endpoint has high-confidence positive indicators for multiple classes"
-  or
-  // An endpoint's characteristics should not include positive indicators with medium/high confidence for some class and
-  // also include negative indicators with medium/high confidence for this same class.
-  exists(EndpointCharacteristic characteristic2, float confidence2 |
-    characteristic.appliesToEndpoint(endpoint) and
-    characteristic2.appliesToEndpoint(endpoint) and
-    characteristic.hasImplications(endpointType, true, confidence) and
-    characteristic2.hasImplications(endpointType, false, confidence2) and
-    confidence > SharedCharacteristics::mediumConfidence() and
-    confidence2 > SharedCharacteristics::mediumConfidence()
-  ) and
-  ignoreKnownModelingErrors = false and
-  errorMessage = "Endpoint has high-confidence positive and negative indicators for the same class"
-}
-
-/**
- * Holds if `characteristic1` and `characteristic2` are among the pairs of currently known positive characteristics that
- * have some overlap in their results. This indicates a problem with the underlying Java modeling. Specifically,
- * `PathCreation` is prone to FPs.
- */
-private predicate knownOverlappingCharacteristics(
-  EndpointCharacteristic characteristic1, EndpointCharacteristic characteristic2
-) {
-  characteristic1 != characteristic2 and
-  characteristic1 = ["mad taint step", "create path", "read file", "known non-sink"] and
-  characteristic2 = ["mad taint step", "create path", "read file", "known non-sink"]
-}

java/ql/automodel/src/AutomodelApplicationModeExtractCandidates.ql

@@ -55,14 +55,15 @@ private Endpoint getSampleForSignature(
 }
 
 from
-  Endpoint endpoint, string message, ApplicationModeMetadataExtractor meta, DollarAtString package,
+  Endpoint endpoint, ApplicationModeMetadataExtractor meta, DollarAtString package,
   DollarAtString type, DollarAtString subtypes, DollarAtString name, DollarAtString signature,
   DollarAtString input, DollarAtString output, DollarAtString isVarargsArray,
   DollarAtString alreadyAiModeled, DollarAtString extensibleType
 where
   not exists(CharacteristicsImpl::UninterestingToModelCharacteristic u |
     u.appliesToEndpoint(endpoint)
   ) and
+  CharacteristicsImpl::isSinkCandidate(endpoint, _) and
   endpoint =
     getSampleForSignature(9, package, type, subtypes, name, signature, input, output,
       isVarargsArray, extensibleType) and
@@ -78,19 +79,9 @@ where
     CharacteristicsImpl::isModeled(endpoint, _, _, alreadyAiModeled)
   ) and
   meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, isVarargsArray) and
-  includeAutomodelCandidate(package, type, name, signature) and
-  // The message is the concatenation of all sink types for which this endpoint is known neither to be a sink nor to be
-  // a non-sink, and we surface only endpoints that have at least one such sink type.
-  message =
-    strictconcat(AutomodelEndpointTypes::SinkType sinkType |
-      not CharacteristicsImpl::isKnownAs(endpoint, sinkType, _) and
-      CharacteristicsImpl::isSinkCandidate(endpoint, sinkType)
-    |
-      sinkType, ", "
-    )
+  includeAutomodelCandidate(package, type, name, signature)
 select endpoint.asNode(),
-  message + "\nrelated locations: $@, $@, $@." +
-    "\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@.", //
+  "Related locations: $@, $@, $@." + "\nmetadata: $@, $@, $@, $@, $@, $@, $@, $@, $@, $@.", //
   CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, CallContext()), "CallContext", //
   CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, MethodDoc()), "MethodDoc", //
   CharacteristicsImpl::getRelatedLocationOrCandidate(endpoint, ClassDoc()), "ClassDoc", //

java/ql/automodel/src/AutomodelApplicationModeExtractNegativeExamples.ql

@@ -50,9 +50,6 @@ where
   extensibleType = endpoint.getExtensibleType() and
   confidence >= SharedCharacteristics::highConfidence() and
   characteristic.hasImplications(any(NegativeSinkType negative), true, confidence) and
-  // Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
-  // certain about in the prompt.
-  not erroneousEndpoints(endpoint, _, _, _, _, false) and
   meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, isVarargsArray) and
   // It's valid for a node to satisfy the logic for both `isSink` and `isSanitizer`, but in that case it will be
   // treated by the actual query as a sanitizer, since the final logic is something like

java/ql/automodel/src/AutomodelApplicationModeExtractPositiveExamples.ql

@@ -18,9 +18,6 @@ from
   DollarAtString signature, DollarAtString input, DollarAtString output,
   DollarAtString isVarargsArray, DollarAtString extensibleType
 where
-  // Exclude endpoints that have contradictory endpoint characteristics, because we only want examples we're highly
-  // certain about in the prompt.
-  not erroneousEndpoints(endpoint, _, _, _, _, false) and
   extensibleType = endpoint.getExtensibleType() and
   meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, output, isVarargsArray) and
   // Extract positive examples of sinks belonging to the existing ATM query configurations.