Refactor UnsafeUsageOfClientSideEncryptionVersion

Author: egregius313

java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql

@@ -50,34 +50,31 @@ predicate isCreatingAzureClientSideEncryptionObjectNewVersion(Call call, Class c
 /**
  * A dataflow config that tracks `EncryptedBlobClientBuilder.version` argument initialization.
  */
-private class EncryptedBlobClientBuilderSafeEncryptionVersionConfig extends DataFlow::Configuration {
-  EncryptedBlobClientBuilderSafeEncryptionVersionConfig() {
-    this = "EncryptedBlobClientBuilderSafeEncryptionVersionConfig"
-  }
-
-  override predicate isSource(DataFlow::Node source) {
+private module EncryptedBlobClientBuilderSafeEncryptionVersionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
     exists(FieldRead fr, Field f | fr = source.asExpr() |
       f.getAnAccess() = fr and
       f.hasQualifiedName("com.azure.storage.blob.specialized.cryptography", "EncryptionVersion",
         "V2")
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     isCreatingAzureClientSideEncryptionObjectNewVersion(_, _, sink.asExpr())
   }
 }
 
+private module EncryptedBlobClientBuilderSafeEncryptionVersionFlow =
+  DataFlow::Global<EncryptedBlobClientBuilderSafeEncryptionVersionConfig>;
+
 /**
  * Holds if `call` is an object creation for a class `EncryptedBlobClientBuilder`
  * that takes `versionArg` as the argument specifying the encryption version, and that version is safe.
  */
 predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr versionArg) {
   isCreatingAzureClientSideEncryptionObjectNewVersion(call, c, versionArg) and
-  exists(EncryptedBlobClientBuilderSafeEncryptionVersionConfig config, DataFlow::Node sink |
-    sink.asExpr() = versionArg
-  |
-    config.hasFlow(_, sink)
+  exists(DataFlow::Node sink | sink.asExpr() = versionArg |
+    EncryptedBlobClientBuilderSafeEncryptionVersionFlow::flowTo(sink)
   )
 }