C#/Java: Initial merge ModelGeneratorUtils into CaptureModels.

Author: michaelnebel

config/identical-files.json

@@ -75,10 +75,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll"
   ],
-  "Model as Data Generation Java/C# - Utils": [
-    "java/ql/src/utils/model-generator/internal/ModelGeneratorUtils.qll",
-    "csharp/ql/src/utils/model-generator/internal/ModelGeneratorUtils.qll"
-  ],
   "Model as Data Generation Java/C# - CaptureModels": [
     "java/ql/src/utils/model-generator/internal/CaptureModels.qll",
     "csharp/ql/src/utils/model-generator/internal/CaptureModels.qll"
@@ -549,4 +545,4 @@
     "javascript/ql/lib/semmle/javascript/security/dataflow/HttpToFileAccessCustomizations.qll",
     "ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll"
   ]
-}
+}

csharp/ql/src/utils/model-generator/CaptureSinkModels.ql

@@ -4,7 +4,6 @@
  * @id csharp/utils/model-generator/sink-models
  */
 
-private import internal.ModelGeneratorUtils
 private import internal.CaptureModels
 
 from TargetApi api, string sink

csharp/ql/src/utils/model-generator/CaptureSourceModels.ql

@@ -4,7 +4,6 @@
  * @id csharp/utils/model-generator/sink-models
  */
 
-private import internal.ModelGeneratorUtils
 private import internal.CaptureModels
 
 from TargetApi api, string source

csharp/ql/src/utils/model-generator/CaptureSummaryModels.ql

@@ -4,7 +4,6 @@
  * @id csharp/utils/model-generator/summary-models
  */
 
-private import internal.ModelGeneratorUtils
 private import internal.CaptureModels
 
 /**

csharp/ql/src/utils/model-generator/internal/CaptureModels.qll

@@ -3,9 +3,82 @@
  * and sink models of the Standard or a 3rd party library.
  */
 
-private import ModelGeneratorUtils
 private import CaptureModelsSpecific
 
+class TargetApi = TargetApiSpecific;
+
+/**
+ * Holds if data can flow from `node1` to `node2` either via a read or a write of an intermediate field `f`.
+ */
+private predicate isRelevantTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(DataFlow::Content f |
+    DataFlowPrivate::readStep(node1, f, node2) and
+    if f instanceof DataFlow::FieldContent
+    then isRelevantType(f.(DataFlow::FieldContent).getField().getType())
+    else
+      if f instanceof DataFlow::SyntheticFieldContent
+      then isRelevantType(f.(DataFlow::SyntheticFieldContent).getField().getType())
+      else any()
+  )
+  or
+  exists(DataFlow::Content f | DataFlowPrivate::storeStep(node1, f, node2) |
+    DataFlowPrivate::containerContent(f)
+  )
+}
+
+/**
+ * Holds if content `c` is either a field or synthetic field of a relevant type
+ * or a container like content.
+ */
+private predicate isRelevantContent(DataFlow::Content c) {
+  isRelevantType(c.(DataFlow::FieldContent).getField().getType()) or
+  isRelevantType(c.(DataFlow::SyntheticFieldContent).getField().getType()) or
+  DataFlowPrivate::containerContent(c)
+}
+
+/**
+ * Gets the summary model for `api` with `input`, `output` and `kind`.
+ */
+bindingset[input, output, kind]
+private string asSummaryModel(TargetApi api, string input, string output, string kind) {
+  result =
+    asPartialModel(api) + input + ";" //
+      + output + ";" //
+      + kind
+}
+
+/**
+ * Gets the value summary model for `api` with `input` and `output`.
+ */
+bindingset[input, output]
+private string asValueModel(TargetApi api, string input, string output) {
+  result = asSummaryModel(api, input, output, "value")
+}
+
+/**
+ * Gets the taint summary model for `api` with `input` and `output`.
+ */
+bindingset[input, output]
+private string asTaintModel(TargetApi api, string input, string output) {
+  result = asSummaryModel(api, input, output, "taint")
+}
+
+/**
+ * Gets the sink model for `api` with `input` and `kind`.
+ */
+bindingset[input, kind]
+private string asSinkModel(TargetApi api, string input, string kind) {
+  result = asPartialModel(api) + input + ";" + kind
+}
+
+/**
+ * Gets the source model for `api` with `output` and `kind`.
+ */
+bindingset[output, kind]
+private string asSourceModel(TargetApi api, string output, string kind) {
+  result = asPartialModel(api) + output + ";" + kind
+}
+
 /**
  * Gets the summary model of `api`, if it follows the `fluent` programming pattern (returns `this`).
  */

csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll

@@ -4,10 +4,78 @@
 
 import csharp
 private import semmle.code.csharp.dataflow.TaintTracking
-private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
-private import ModelGeneratorUtils
+private import semmle.code.csharp.commons.Util as Util
+private import semmle.code.csharp.commons.Collections
+private import semmle.code.csharp.dataflow.internal.DataFlowDispatch
 import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 import semmle.code.csharp.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
+import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+
+/**
+ * Holds if it is relevant to generate models for `api`.
+ */
+private predicate isRelevantForModels(Callable api) {
+  [api.(Modifiable), api.(Accessor).getDeclaration()].isEffectivelyPublic() and
+  not api instanceof Util::MainMethod
+}
+
+/**
+ * A class of callables that are relevant generating summary, source and sinks models for.
+ *
+ * In the Standard library and 3rd party libraries it the callables that can be called
+ * from outside the library itself.
+ */
+class TargetApiSpecific extends DataFlowCallable {
+  TargetApiSpecific() {
+    this.fromSource() and
+    isRelevantForModels(this)
+  }
+}
+
+predicate asPartialModel = DataFlowPrivate::Csv::asPartialModel/1;
+
+/**
+ * Holds for type `t` for fields that are relevant as an intermediate
+ * read or write step in the data flow analysis.
+ */
+predicate isRelevantType(Type t) { not t instanceof Enum }
+
+private string parameterAccess(Parameter p) {
+  if isCollectionType(p.getType())
+  then result = "Argument[" + p.getPosition() + "].Element"
+  else result = "Argument[" + p.getPosition() + "]"
+}
+
+/**
+ * Gets the CSV string representation of the parameter node `p`.
+ */
+string parameterNodeAsInput(DataFlow::ParameterNode p) {
+  result = parameterAccess(p.asParameter())
+  or
+  result = "Argument[Qualifier]" and p instanceof DataFlowPrivate::InstanceParameterNode
+}
+
+pragma[nomagic]
+private Parameter getParameter(DataFlowImplCommon::ReturnNodeExt node, ParameterPosition pos) {
+  result = node.getEnclosingCallable().getParameter(pos.getPosition())
+}
+
+/**
+ * Gets the CSV string represention of the the return node `node`.
+ */
+string returnNodeAsOutput(DataFlowImplCommon::ReturnNodeExt node) {
+  if node.getKind() instanceof DataFlowImplCommon::ValueReturnKind
+  then result = "ReturnValue"
+  else
+    exists(ParameterPosition pos |
+      pos = node.getKind().(DataFlowImplCommon::ParamUpdateReturnKind).getPosition()
+    |
+      result = parameterAccess(getParameter(node, pos))
+      or
+      pos.isThisParameter() and
+      result = "Argument[Qualifier]"
+    )
+}
 
 /**
  * Gets the enclosing callable of `ret`.
@@ -19,7 +87,9 @@ Callable returnNodeEnclosingCallable(DataFlowImplCommon::ReturnNodeExt ret) {
 /**
  * Holds if `node` is an own instance access.
  */
-predicate isOwnInstanceAccessNode(ReturnNode node) { node.asExpr() instanceof ThisAccess }
+predicate isOwnInstanceAccessNode(DataFlowPrivate::ReturnNode node) {
+  node.asExpr() instanceof ThisAccess
+}
 
 /**
  * Gets the CSV string representation of the qualifier.
@@ -65,6 +135,6 @@ string asInputArgument(DataFlow::Node source) {
     result = "Argument[" + pos + "]"
   )
   or
-  source.asExpr() instanceof FieldOrPropertyAccess and
+  source.asExpr() instanceof DataFlowPrivate::FieldOrPropertyAccess and
   result = qualifierString()
 }

csharp/ql/src/utils/model-generator/internal/ModelGeneratorUtils.qll

@@ -4,7 +4,6 @@
  * @id java/utils/model-generator/sink-models
  */
 
-private import internal.ModelGeneratorUtils
 private import internal.CaptureModels
 
 from TargetApi api, string sink

csharp/ql/src/utils/model-generator/internal/ModelGeneratorUtilsSpecific.qll

@@ -4,7 +4,6 @@
  * @id java/utils/model-generator/sink-models
  */
 
-private import internal.ModelGeneratorUtils
 private import internal.CaptureModels
 
 from TargetApi api, string source