Merge pull request #9256 from michaelnebel/csharp/test-ranking

michaelnebel · web-flow · commit c82ab6813f41 · 2022-05-23T10:29:52.000+02:00
C#: Rank summaries and source code in dataflow callables.
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -83,13 +83,26 @@ newtype TReturnKind =
     )
   }
 
+/**
+ * Holds if the summary for `c` should be used for dataflow analysis.
+ */
+predicate useFlowSummary(FlowSummary::SummarizedCallable c) {
+  not c.fromSource()
+  or
+  c.fromSource() and not c.isAutoGenerated()
+}
+
 private module Cached {
+  /**
+   * The following heuristic is used to rank when to use source code or when to use summaries for DataFlowCallables.
+   * 1. Use hand written summaries.
+   * 2. Use source code.
+   * 3. Use auto generated summaries.
+   */
   cached
   newtype TDataFlowCallable =
-    TDotNetCallable(DotNet::Callable c) {
-      c.isUnboundDeclaration() and not c instanceof FlowSummary::SummarizedCallable
-    } or
-    TSummarizedCallable(FlowSummary::SummarizedCallable c)
+    TDotNetCallable(DotNet::Callable c) { c.isUnboundDeclaration() and not useFlowSummary(c) } or
+    TSummarizedCallable(FlowSummary::SummarizedCallable c) { useFlowSummary(c) }
 
   cached
   newtype TDataFlowCall =
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -743,9 +743,11 @@ private module Cached {
       FlowSummaryImpl::Public::SummarizedCallable c,
       FlowSummaryImpl::Private::SummaryNodeState state
     ) {
+      useFlowSummary(c) and
       FlowSummaryImpl::Private::summaryNodeRange(c, state)
     } or
     TSummaryParameterNode(FlowSummaryImpl::Public::SummarizedCallable c, ParameterPosition pos) {
+      useFlowSummary(c) and
       FlowSummaryImpl::Private::summaryParameterNodeRange(c, pos)
     } or
     TParamsArgumentNode(ControlFlow::Node callCfn) {
diff --git a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ql b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ql
@@ -53,6 +53,14 @@ class Conf extends TaintTracking::Configuration {
   }
 }
 
+/**
+ * Simulate that methods with summaries are not included in the source code.
+ * This is relevant for dataflow analysis using summaries tagged as generated.
+ */
+private class MyMethod extends Method {
+  override predicate fromSource() { none() }
+}
+
 from DataFlow::PathNode source, DataFlow::PathNode sink, Conf conf
 where conf.hasFlowPath(source, sink)
 select sink, source, sink, "$@", source, source.toString()

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,14 @@ class Conf extends TaintTracking::Configuration {`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`
	`56`	`+/**`
	`57`	`+ * Simulate that methods with summaries are not included in the source code.`
	`58`	`+ * This is relevant for dataflow analysis using summaries tagged as generated.`
	`59`	`+ */`
	`60`	`+private class MyMethod extends Method {`
	`61`	`+ override predicate fromSource() { none() }`
	`62`	`+}`
	`63`	`+`
`56`	`64`	`from DataFlow::PathNode source, DataFlow::PathNode sink, Conf conf`
`57`	`65`	`where conf.hasFlowPath(source, sink)`
`58`	`66`	`select sink, source, sink, "$@", source, source.toString()`