Java: Adapt to changes in FlowSummaryImpl

Author: hvitved

java/ql/lib/semmle/code/java/ConflictingAccess.qll

@@ -23,7 +23,7 @@ module Modification {
   /** Holds if the call `c` modifies a shared resource. */
   predicate isModifyingCall(Call c) {
     exists(SummarizedCallable sc, string output | sc.getACall() = c |
-      sc.propagatesFlow(_, output, _, _) and
+      sc.propagatesFlow(_, output, _, _, _, _) and
       output.matches("Argument[this]%")
     )
   }

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -620,48 +620,25 @@ predicate barrierNode(Node node, string kind) { barrierNode(node, kind, _) }
 
 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { summaryElement(this, _, _, _, _, _, _) }
+  string input_;
+  string output_;
+  string kind;
+  Provenance p_;
+  boolean isExact_;
+  string model_;
 
-  private predicate relevantSummaryElementManual(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      summaryElement(this, input, output, kind, provenance, model, _) and
-      provenance.isManual()
-    )
-  }
-
-  private predicate relevantSummaryElementGenerated(
-    string input, string output, string kind, string model
-  ) {
-    exists(Provenance provenance |
-      summaryElement(this, input, output, kind, provenance, model, _) and
-      provenance.isGenerated()
-    ) and
-    not exists(Provenance provenance |
-      neutralElement(this, "summary", provenance, _) and
-      provenance.isManual()
-    )
-  }
+  SummarizedCallableAdapter() { summaryElement(this, input_, output_, kind, p_, model_, isExact_) }
 
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
   ) {
-    exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind, model)
-      or
-      not this.relevantSummaryElementManual(_, _, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind, model)
-    |
-      if kind = "value" then preservesValue = true else preservesValue = false
-    )
+    input = input_ and
+    output = output_ and
+    (if kind = "value" then preservesValue = true else preservesValue = false) and
+    p = p_ and
+    isExact = isExact_ and
+    model = model_
   }
-
-  override predicate hasProvenance(Provenance provenance) {
-    summaryElement(this, _, _, _, provenance, _, _)
-  }
-
-  override predicate hasExactModel() { summaryElement(this, _, _, _, _, _, true) }
 }
 
 final class SinkCallable = SinkModelCallable;

java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll

@@ -121,24 +121,31 @@ class SummarizedCallableBase extends TSummarizedCallableBase {
 
 class Provenance = Impl::Public::Provenance;
 
-class SummarizedCallable = Impl::Public::SummarizedCallable;
+/** Provides the `Range` class used to define the extent of `SummarizedCallable`. */
+module SummarizedCallable {
+  class Range = Impl::Public::SummarizedCallable;
+}
+
+final class SummarizedCallable = Impl::Public::RelevantSummarizedCallable;
 
 /**
  * An adapter class to add the flow summaries specified on `SyntheticCallable`
  * to `SummarizedCallable`.
  */
-private class SummarizedSyntheticCallableAdapter extends SummarizedCallable, TSyntheticCallable {
+private class SummarizedSyntheticCallableAdapter extends SummarizedCallable::Range,
+  TSyntheticCallable
+{
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
   ) {
     exists(SyntheticCallable sc |
       sc = this.asSyntheticCallable() and
       sc.propagatesFlow(input, output, preservesValue) and
+      p = "manual" and
+      isExact = true and
       model = sc
     )
   }
-
-  override predicate hasExactModel() { any() }
 }
 
 deprecated class RequiredSummaryComponentStack = Impl::Private::RequiredSummaryComponentStack;

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll

@@ -12,7 +12,11 @@ private import semmle.code.java.dispatch.internal.Unification
 
 private module DispatchImpl {
   private predicate hasHighConfidenceTarget(Call c) {
-    exists(Impl::Public::SummarizedCallable sc | sc.getACall() = c and not sc.applyGeneratedModel())
+    exists(Impl::Public::SummarizedCallable sc, Impl::Public::Provenance p |
+      sc.getACall() = c and
+      sc.propagatesFlow(_, _, _, p, _, _) and
+      not p.isGenerated()
+    )
     or
     exists(Impl::Public::NeutralSummaryCallable nc | nc.getACall() = c and nc.hasManualModel())
     or
@@ -25,8 +29,10 @@ private module DispatchImpl {
   private predicate hasExactManualModel(Call c, Callable tgt) {
     tgt = c.getCallee().getSourceDeclaration() and
     (
-      exists(Impl::Public::SummarizedCallable sc |
-        sc.getACall() = c and sc.hasExactModel() and sc.hasManualModel()
+      exists(Impl::Public::SummarizedCallable sc, Impl::Public::Provenance p |
+        sc.getACall() = c and
+        sc.propagatesFlow(_, _, _, p, true, _) and
+        p.isManual()
       )
       or
       exists(Impl::Public::NeutralSummaryCallable nc |
@@ -57,16 +63,6 @@ private module DispatchImpl {
     exists(Call call | call = c.asCall() |
       result.asCallable() = sourceDispatch(call)
       or
-      not (
-        // Only use summarized callables with generated summaries in case
-        // the static call target is not in the source code.
-        // Note that if `applyGeneratedModel` holds it implies that there doesn't
-        // exist a manual model.
-        exists(Callable staticTarget | staticTarget = call.getCallee().getSourceDeclaration() |
-          staticTarget.fromSource() and not staticTarget.isStub()
-        ) and
-        result.asSummarizedCallable().applyGeneratedModel()
-      ) and
       result.asSummarizedCallable().getACall() = call
     )
   }

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -33,6 +33,10 @@ module Input implements InputSig<Location, DataFlowImplSpecific::JavaDataFlow> {
 
   class SummarizedCallableBase = FlowSummary::SummarizedCallableBase;
 
+  predicate callableFromSource(SummarizedCallableBase sc) {
+    sc.asCallable() = any(Callable c | c.fromSource() and not c.isStub())
+  }
+
   class SourceBase = Void;
 
   class SinkBase = Void;

java/ql/lib/semmle/code/java/dispatch/WrappedInvocation.qll

@@ -68,19 +68,19 @@ private predicate mayInvokeCallback(SrcMethod m, int n) {
   (not m.fromSource() or m.isNative() or m.getFile().getAbsolutePath().matches("%/test/stubs/%"))
 }
 
-private class SummarizedCallableWithCallback extends SummarizedCallable {
+private class SummarizedCallableWithCallback extends SummarizedCallable::Range {
   private int pos;
 
   SummarizedCallableWithCallback() { mayInvokeCallback(this.asCallable(), pos) }
 
   override predicate propagatesFlow(
-    string input, string output, boolean preservesValue, string model
+    string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model
   ) {
     input = "Argument[" + pos + "]" and
     output = "Argument[" + pos + "].Parameter[-1]" and
     preservesValue = true and
+    p = "hq-generated" and
+    isExact = true and
     model = "heuristic-callback"
   }
-
-  override predicate hasProvenance(Provenance provenance) { provenance = "hq-generated" }
 }

java/ql/src/Metrics/Summaries/GeneratedVsManualCoverageQuery.qll

@@ -17,12 +17,12 @@ private int getNumMadModeledApis(string package, string provenance, string apiSu
       (
         // "auto-only"
         not sc.hasManualModel() and
-        sc.hasGeneratedModel() and
+        any(Provenance p | sc.propagatesFlow(_, _, _, p, _, _)).isGenerated() and
         provenance = "generated"
         or
         sc.hasManualModel() and
         (
-          if sc.hasGeneratedModel()
+          if any(Provenance p | sc.propagatesFlow(_, _, _, p, _, _)).isGenerated()
           then
             // "both"
             provenance = "both"

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -187,7 +187,7 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
   }
 
   private predicate hasManualSummaryModel(Callable api) {
-    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()).asCallable() or
+    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.hasManualModel()).asCallable() or
     api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel()).asCallable()
   }
 

java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected

@@ -18,19 +18,13 @@ edges
 | SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String | SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | provenance | MaD:3 |
 | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
-| SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
-| SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance |  |
-| SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | provenance | MaD:4 |
-| SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | provenance | MaD:5 |
 | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | provenance |  |
 | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | provenance |  |
 | SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | provenance | Config |
@@ -40,7 +34,6 @@ models
 | 2 | Summary: java.lang; String; false; format; (String,Object[]); ; Argument[1].ArrayElement; ReturnValue; taint; manual |
 | 3 | Summary: java.net; URI; false; create; ; ; Argument[0]; ReturnValue; taint; manual |
 | 4 | Summary: org.springframework.http; HttpHeaders; true; add; (String,String); ; Argument[0..1]; Argument[this]; taint; manual |
-| 5 | Summary: org.springframework.util; MultiValueMap; true; add; ; ; Argument[1]; Argument[this].MapValue.Element; value; manual |
 nodes
 | SpringUrlRedirect.java:17:30:17:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:19:19:19:29 | redirectUrl | semmle.label | redirectUrl |
@@ -71,17 +64,14 @@ nodes
 | SpringUrlRedirect.java:100:37:100:47 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | semmle.label | httpHeaders [post update] : HttpHeaders |
-| SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String |
 | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:108:68:108:78 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:112:39:112:56 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders | semmle.label | httpHeaders [post update] : HttpHeaders |
-| SpringUrlRedirect.java:114:9:114:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String |
 | SpringUrlRedirect.java:114:37:114:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:116:37:116:47 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:120:33:120:50 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders | semmle.label | httpHeaders [post update] : HttpHeaders |
-| SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String | semmle.label | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String |
 | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | semmle.label | redirectUrl : String |

java/ql/test/library-tests/dataflow/capture/inlinetest.expected

@@ -98,9 +98,7 @@ edges
 | B.java:107:5:107:6 | l2 : ArrayList [<element>, <element>] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out1, <element>] : String | provenance | MaD:1 |
 | B.java:107:16:107:16 | l : List [<element>] : String | B.java:107:21:107:21 | l : List [<element>] : String | provenance |  |
 | B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out2, <element>] : String | provenance | MaD:1 |
-| B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out2, <element>] : String | provenance | heuristic-callback |
 | B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this : new Consumer<List<String>>(...) { ... } [String s] : String | provenance | MaD:1 |
-| B.java:107:16:111:6 | ...->... : new Consumer<List<String>>(...) { ... } [String s] : String | B.java:107:16:111:6 | parameter this : new Consumer<List<String>>(...) { ... } [String s] : String | provenance | heuristic-callback |
 | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out1, <element>] : String | B.java:107:16:111:6 | List<String> out1 : List [<element>] : String | provenance |  |
 | B.java:107:16:111:6 | ...->... [post update] : new Consumer<List<String>>(...) { ... } [List<String> out2, <element>] : String | B.java:107:16:111:6 | List<String> out2 : List [<element>] : String | provenance |  |
 | B.java:107:16:111:6 | List<String> out1 : List [<element>] : String | B.java:112:10:112:13 | out1 : List [<element>] : String | provenance |  |
@@ -111,9 +109,7 @@ edges
 | B.java:107:21:107:21 | l : List [<element>] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out1, <element>] : String | provenance | MaD:1 |
 | B.java:107:31:107:31 | x : String | B.java:109:16:109:16 | x : String | provenance |  |
 | B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out2, <element>] : String | provenance | MaD:1 |
-| B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out2, <element>] : String | provenance | heuristic-callback |
 | B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this : new Consumer<String>(...) { ... } [String s] : String | provenance | MaD:1 |
-| B.java:107:31:111:5 | ...->... : new Consumer<String>(...) { ... } [String s] : String | B.java:107:31:111:5 | parameter this : new Consumer<String>(...) { ... } [String s] : String | provenance | heuristic-callback |
 | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out1, <element>] : String | B.java:107:31:111:5 | List<String> out1 : List [<element>] : String | provenance |  |
 | B.java:107:31:111:5 | ...->... [post update] : new Consumer<String>(...) { ... } [List<String> out2, <element>] : String | B.java:107:31:111:5 | List<String> out2 : List [<element>] : String | provenance |  |
 | B.java:107:31:111:5 | List<String> out1 : List [<element>] : String | B.java:107:31:111:5 | this : new Consumer<List<String>>(...) { ... } [List<String> out1, <element>] : String | provenance |  |