Java: Replace uses of deprecated variableTrack.

aschackmull · aschackmull · commit c8b93e091032 · 2022-09-13T13:30:40.000+02:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -4,6 +4,7 @@ private import DataFlowUtil
 private import semmle.code.java.dataflow.InstanceAccess
 private import semmle.code.java.dataflow.FlowSummary
 private import semmle.code.java.dispatch.VirtualDispatch as VirtualDispatch
+private import semmle.code.java.dataflow.TypeFlow
 private import semmle.code.java.dispatch.internal.Unification
 
 private module DispatchImpl {
@@ -63,15 +64,21 @@ private module DispatchImpl {
   private predicate contextArgHasType(Call ctx, int i, RefType t, boolean exact) {
     relevantContext(ctx, i) and
     exists(RefType srctype |
-      exists(Expr arg, Expr src |
+      exists(Expr arg |
         i = -1 and
         ctx.getQualifier() = arg
         or
         ctx.getArgument(i) = arg
       |
-        src = VirtualDispatch::variableTrack(arg) and
-        srctype = getPreciseType(src) and
-        if src instanceof ClassInstanceExpr then exact = true else exact = false
+        exprTypeFlow(arg, srctype, exact)
+        or
+        not exprTypeFlow(arg, _, _) and
+        exprUnionTypeFlow(arg, srctype, exact)
+        or
+        not exprTypeFlow(arg, _, _) and
+        not exprUnionTypeFlow(arg, _, _) and
+        srctype = getPreciseType(arg) and
+        if arg instanceof ClassInstanceExpr then exact = true else exact = false
       )
       or
       exists(Node arg |
diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -38,7 +38,7 @@ predicate objectToString(MethodAccess ma) {
   exists(ToStringMethod m |
     m = ma.getMethod() and
     m.getDeclaringType() instanceof TypeObject and
-    variableTrack(ma.getQualifier()).getType().getErasure() instanceof TypeObject
+    exprNode(ma.getQualifier()).getTypeBound().getErasure() instanceof TypeObject
   )
 }
 

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ predicate objectToString(MethodAccess ma) {`
`38`	`38`	`exists(ToStringMethod m \|`
`39`	`39`	`m = ma.getMethod() and`
`40`	`40`	`m.getDeclaringType() instanceof TypeObject and`
`41`		`- variableTrack(ma.getQualifier()).getType().getErasure() instanceof TypeObject`
	`41`	`+ exprNode(ma.getQualifier()).getTypeBound().getErasure() instanceof TypeObject`
`42`	`42`	`)`
`43`	`43`	`}`
`44`	`44`