C#: Let ExternalApi extend DataFlowCallable instead of Callable.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -2038,19 +2038,20 @@ abstract class SyntheticField extends string {
  */
 predicate containerContent(DataFlow::Content c) { c instanceof DataFlow::ElementContent }
 
+/** Gets the string representation of the parameters of `c`. */
+string parameterQualifiedTypeNamesToString(DataFlowCallable c) {
+  result =
+    concat(Parameter p, int i |
+      p = c.getParameter(i)
+    |
+      p.getType().getQualifiedName(), "," order by i
+    )
+}
+
 /**
  * A module containing predicates related to generating models as data.
  */
 module Csv {
-  private string parameterQualifiedTypeNamesToString(DataFlowCallable c) {
-    result =
-      concat(Parameter p, int i |
-        p = c.getParameter(i)
-      |
-        p.getType().getQualifiedName(), "," order by i
-      )
-  }
-
   /** Holds if the summary should apply for all overrides of `c`. */
   predicate isBaseCallableOrPrototype(DataFlowCallable c) {
     c.getDeclaringType() instanceof Interface

csharp/ql/src/Telemetry/ExternalApi.qll

@@ -5,6 +5,7 @@ private import semmle.code.csharp.dataflow.DataFlow
 private import semmle.code.csharp.dataflow.ExternalFlow
 private import semmle.code.csharp.dataflow.FlowSummary
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.DataFlowDispatch as DataFlowDispatch
 private import semmle.code.csharp.dataflow.TaintTracking
 private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
@@ -23,7 +24,7 @@ class TestLibrary extends RefType {
 /**
  * An external API from either the C# Standard Library or a 3rd party library.
  */
-class ExternalApi extends Callable {
+class ExternalApi extends DataFlowDispatch::DataFlowCallable {
   ExternalApi() { this.fromLibrary() }
 
   /**
@@ -32,13 +33,13 @@ class ExternalApi extends Callable {
   private string getSignature() {
     result =
       this.getDeclaringType().getUnboundDeclaration() + "." + this.getName() + "(" +
-        this.parameterTypesToString() + ")"
+        parameterQualifiedTypeNamesToString(this) + ")"
   }
 
   /**
    * Gets the namespace of this API.
    */
-  private string getNamespace() { result = this.getDeclaringType().getNamespace().toString() }
+  private string getNamespace() { this.getDeclaringType().hasQualifiedName(result, _) }
 
   /**
    * Gets the assembly file name containing this API.
@@ -74,7 +75,7 @@ class ExternalApi extends Callable {
 
   /** Holds if this API has a supported summary. */
   predicate hasSummary() {
-    this.getUnboundDeclaration() = any(SummarizedCallable sc) or
+    this instanceof SummarizedCallable or
     defaultAdditionalTaintStep(this.getAnInput(), _)
   }
 

csharp/ql/src/Telemetry/ExternalLibraryUsage.ql

@@ -13,7 +13,7 @@ from int usages, string info
 where
   usages =
     strictcount(Call c, ExternalApi api |
-      c.getTarget() = api and
+      c.getTarget().getUnboundDeclaration() = api and
       api.getInfoPrefix() = info and
       not api.isUninteresting()
     )

csharp/ql/src/Telemetry/SupportedExternalSinks.ql

@@ -13,5 +13,5 @@ from ExternalApi api, int usages
 where
   not api.isUninteresting() and
   api.isSink() and
-  usages = strictcount(Call c | c.getTarget() = api)
+  usages = strictcount(Call c | c.getTarget().getUnboundDeclaration() = api)
 select api.getInfo() as info, usages order by usages desc

csharp/ql/src/Telemetry/SupportedExternalSources.ql

@@ -13,5 +13,5 @@ from ExternalApi api, int usages
 where
   not api.isUninteresting() and
   api.isSource() and
-  usages = strictcount(Call c | c.getTarget() = api)
+  usages = strictcount(Call c | c.getTarget().getUnboundDeclaration() = api)
 select api.getInfo() as info, usages order by usages desc

csharp/ql/src/Telemetry/SupportedExternalTaint.ql

@@ -13,5 +13,5 @@ from ExternalApi api, int usages
 where
   not api.isUninteresting() and
   api.hasSummary() and
-  usages = strictcount(Call c | c.getTarget() = api)
+  usages = strictcount(Call c | c.getTarget().getUnboundDeclaration() = api)
 select api.getInfo() as info, usages order by usages desc

csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql

@@ -13,5 +13,5 @@ from ExternalApi api, int usages
 where
   not api.isUninteresting() and
   not api.isSupported() and
-  usages = strictcount(Call c | c.getTarget() = api)
+  usages = strictcount(Call c | c.getTarget().getUnboundDeclaration() = api)
 select api.getInfo() as info, usages order by usages desc

csharp/ql/test/query-tests/Telemetry/LibraryUsage/SupportedExternalTaint.expected

@@ -1 +1 @@
-| System.Private.CoreLib.dll#System.Collections.Generic#List<>.Add(object) | 2 |
+| System.Private.CoreLib.dll#System.Collections.Generic#List<>.Add(T) | 2 |

csharp/ql/test/query-tests/Telemetry/LibraryUsage/UnsupportedExternalAPIs.expected

@@ -1,4 +1,4 @@
-| System.Private.CoreLib.dll#System#DateTime.AddYears(int) | 2 |
-| System.Private.CoreLib.dll#System#DateTime.AddDays(double) | 1 |
-| System.Private.CoreLib.dll#System#DateTime.DateTime(int, int, int) | 1 |
-| System.Private.CoreLib.dll#System#Guid.Parse(string) | 1 |
+| System.Private.CoreLib.dll#System#DateTime.AddYears(System.Int32) | 2 |
+| System.Private.CoreLib.dll#System#DateTime.AddDays(System.Double) | 1 |
+| System.Private.CoreLib.dll#System#DateTime.DateTime(System.Int32,System.Int32,System.Int32) | 1 |
+| System.Private.CoreLib.dll#System#Guid.Parse(System.String) | 1 |

csharp/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.expected

@@ -1,2 +1,2 @@
-| System.Web.cs#System.Web#HttpResponse.Write(object) | 2 |
-| System.Web.cs#System.Web#HttpResponse.WriteFile(string) | 1 |
+| System.Web.cs#System.Web#HttpResponse.Write(System.Object) | 2 |
+| System.Web.cs#System.Web#HttpResponse.WriteFile(System.String) | 1 |