Java/Dataflow: Propagate MaD-id/model-id to PathGraph.

Author: aschackmull

java/ql/automodel/src/AutomodelAlertSinkUtil.qll

@@ -15,7 +15,8 @@ private newtype TSinkModel =
     string package, string type, boolean subtypes, string name, string signature, string ext,
     string input, string kind, string provenance
   ) {
-    ExternalFlow::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
+    ExternalFlow::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance,
+      _)
   }
 
 class SinkModel extends TSinkModel {

java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll

@@ -259,7 +259,7 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig
     |
       sinkSpec(e, package, type, subtypes, name, signature, ext, input) and
       ExternalFlow::sinkModel(package, type, subtypes, name, [signature, ""], ext, input, kind,
-        provenance)
+        provenance, _)
     )
     or
     isCustomSink(e, kind) and provenance = "custom-sink"
@@ -272,7 +272,7 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig
     |
       sourceSpec(e, package, type, subtypes, name, signature, ext, output) and
       ExternalFlow::sourceModel(package, type, subtypes, name, [signature, ""], ext, output, kind,
-        provenance)
+        provenance, _)
     )
   }
 

java/ql/automodel/src/AutomodelFrameworkModeCharacteristics.qll

@@ -215,7 +215,7 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
     |
       sinkSpec(e, package, type, subtypes, name, signature, ext, input) and
       ExternalFlow::sinkModel(package, type, subtypes, name, [signature, ""], ext, input, kind,
-        provenance)
+        provenance, _)
     )
   }
 
@@ -226,7 +226,7 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
     |
       sourceSpec(e, package, type, subtypes, name, signature, ext, output) and
       ExternalFlow::sourceModel(package, type, subtypes, name, [signature, ""], ext, output, kind,
-        provenance)
+        provenance, _)
     )
   }
 

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -113,76 +113,85 @@ abstract class ActiveExperimentalModels extends string {
    */
   predicate sourceModel(
     string package, string type, boolean subtypes, string name, string signature, string ext,
-    string output, string kind, string provenance
+    string output, string kind, string provenance, QlBuiltins::ExtensionId madId
   ) {
     Extensions::experimentalSourceModel(package, type, subtypes, name, signature, ext, output, kind,
-      provenance, this)
+      provenance, this, madId)
   }
 
   /**
    * Holds if an experimental sink model exists for the given parameters.
    */
   predicate sinkModel(
     string package, string type, boolean subtypes, string name, string signature, string ext,
-    string output, string kind, string provenance
+    string output, string kind, string provenance, QlBuiltins::ExtensionId madId
   ) {
     Extensions::experimentalSinkModel(package, type, subtypes, name, signature, ext, output, kind,
-      provenance, this)
+      provenance, this, madId)
   }
 
   /**
    * Holds if an experimental summary model exists for the given parameters.
    */
   predicate summaryModel(
     string package, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string output, string kind, string provenance
+    string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
   ) {
     Extensions::experimentalSummaryModel(package, type, subtypes, name, signature, ext, input,
-      output, kind, provenance, this)
+      output, kind, provenance, this, madId)
   }
 }
 
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string package, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance
+  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
 ) {
-  Extensions::sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
-  or
-  any(ActiveExperimentalModels q)
-      .sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
+  (
+    Extensions::sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance,
+      madId)
+    or
+    any(ActiveExperimentalModels q)
+        .sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, madId)
+  )
 }
 
 /** Holds if a sink model exists for the given parameters. */
 predicate sinkModel(
   string package, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance
+  string input, string kind, string provenance, QlBuiltins::ExtensionId madId
 ) {
-  Extensions::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
-  or
-  any(ActiveExperimentalModels q)
-      .sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
+  (
+    Extensions::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance,
+      madId)
+    or
+    any(ActiveExperimentalModels q)
+        .sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId)
+  )
 }
 
 /** Holds if a summary model exists for the given parameters. */
 predicate summaryModel(
   string package, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance
+  string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
 ) {
-  Extensions::summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
-    provenance)
-  or
-  any(ActiveExperimentalModels q)
-      .summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)
+  (
+    Extensions::summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
+      provenance, madId)
+    or
+    any(ActiveExperimentalModels q)
+        .summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
+          provenance, madId)
+  )
 }
 
 /** Holds if a neutral model exists for the given parameters. */
 predicate neutralModel = Extensions::neutralModel/6;
 
 private predicate relevantPackage(string package) {
-  sourceModel(package, _, _, _, _, _, _, _, _) or
-  sinkModel(package, _, _, _, _, _, _, _, _) or
-  summaryModel(package, _, _, _, _, _, _, _, _, _)
+  sourceModel(package, _, _, _, _, _, _, _, _, _) or
+  sinkModel(package, _, _, _, _, _, _, _, _, _) or
+  summaryModel(package, _, _, _, _, _, _, _, _, _, _)
 }
 
 private predicate packageLink(string shortpkg, string longpkg) {
@@ -212,23 +221,24 @@ predicate modelCoverage(string package, int pkgs, string kind, string part, int
       strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
         string ext, string output, string provenance |
         canonicalPkgLink(package, subpkg) and
-        sourceModel(subpkg, type, subtypes, name, signature, ext, output, kind, provenance)
+        sourceModel(subpkg, type, subtypes, name, signature, ext, output, kind, provenance, _)
       )
     or
     part = "sink" and
     n =
       strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
         string ext, string input, string provenance |
         canonicalPkgLink(package, subpkg) and
-        sinkModel(subpkg, type, subtypes, name, signature, ext, input, kind, provenance)
+        sinkModel(subpkg, type, subtypes, name, signature, ext, input, kind, provenance, _)
       )
     or
     part = "summary" and
     n =
       strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
         string ext, string input, string output, string provenance |
         canonicalPkgLink(package, subpkg) and
-        summaryModel(subpkg, type, subtypes, name, signature, ext, input, output, kind, provenance)
+        summaryModel(subpkg, type, subtypes, name, signature, ext, input, output, kind, provenance,
+          _)
       )
   )
 }
@@ -238,10 +248,10 @@ module ModelValidation {
   private import codeql.dataflow.internal.AccessPathSyntax as AccessPathSyntax
 
   private predicate getRelevantAccessPath(string path) {
-    summaryModel(_, _, _, _, _, _, path, _, _, _) or
-    summaryModel(_, _, _, _, _, _, _, path, _, _) or
-    sinkModel(_, _, _, _, _, _, path, _, _) or
-    sourceModel(_, _, _, _, _, _, path, _, _)
+    summaryModel(_, _, _, _, _, _, path, _, _, _, _) or
+    summaryModel(_, _, _, _, _, _, _, path, _, _, _) or
+    sinkModel(_, _, _, _, _, _, path, _, _, _) or
+    sourceModel(_, _, _, _, _, _, path, _, _, _)
   }
 
   private module MkAccessPath = AccessPathSyntax::AccessPath<getRelevantAccessPath/1>;
@@ -252,9 +262,9 @@ module ModelValidation {
 
   private string getInvalidModelInput() {
     exists(string pred, AccessPath input, AccessPathToken part |
-      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
+      sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
       or
-      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, input, _, _, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(input, part) and
@@ -274,9 +284,9 @@ module ModelValidation {
 
   private string getInvalidModelOutput() {
     exists(string pred, AccessPath output, AccessPathToken part |
-      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
+      sourceModel(_, _, _, _, _, _, output, _, _, _) and pred = "source"
       or
-      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, _, output, _, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(output, part) and
@@ -291,11 +301,11 @@ module ModelValidation {
   }
 
   private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
-    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
+    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _, _) }
 
-    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
+    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _, _) }
 
-    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
+    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _, _) }
 
     predicate neutralKind(string kind) { neutralModel(_, _, _, _, kind, _) }
   }
@@ -307,11 +317,11 @@ module ModelValidation {
       string pred, string package, string type, string name, string signature, string ext,
       string provenance
     |
-      sourceModel(package, type, _, name, signature, ext, _, _, provenance) and pred = "source"
+      sourceModel(package, type, _, name, signature, ext, _, _, provenance, _) and pred = "source"
       or
-      sinkModel(package, type, _, name, signature, ext, _, _, provenance) and pred = "sink"
+      sinkModel(package, type, _, name, signature, ext, _, _, provenance, _) and pred = "sink"
       or
-      summaryModel(package, type, _, name, signature, ext, _, _, _, provenance) and
+      summaryModel(package, type, _, name, signature, ext, _, _, _, provenance, _) and
       pred = "summary"
       or
       neutralModel(package, type, name, signature, _, provenance) and
@@ -352,11 +362,11 @@ pragma[nomagic]
 private predicate elementSpec(
   string package, string type, boolean subtypes, string name, string signature, string ext
 ) {
-  sourceModel(package, type, subtypes, name, signature, ext, _, _, _)
+  sourceModel(package, type, subtypes, name, signature, ext, _, _, _, _)
   or
-  sinkModel(package, type, subtypes, name, signature, ext, _, _, _)
+  sinkModel(package, type, subtypes, name, signature, ext, _, _, _, _)
   or
-  summaryModel(package, type, subtypes, name, signature, ext, _, _, _, _)
+  summaryModel(package, type, subtypes, name, signature, ext, _, _, _, _, _)
   or
   neutralModel(package, type, name, signature, _, _) and ext = "" and subtypes = false
 }
@@ -494,9 +504,9 @@ private module Cached {
    * model.
    */
   cached
-  predicate sourceNode(Node node, string kind) {
+  predicate sourceNode(Node node, string kind, string model) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSourceNode(n, kind) and n.asNode() = node
+      isSourceNode(n, kind, model) and n.asNode() = node
     )
   }
 
@@ -505,29 +515,45 @@ private module Cached {
    * model.
    */
   cached
-  predicate sinkNode(Node node, string kind) {
+  predicate sinkNode(Node node, string kind, string model) {
     exists(SourceSinkInterpretationInput::InterpretNode n |
-      isSinkNode(n, kind) and n.asNode() = node
+      isSinkNode(n, kind, model) and n.asNode() = node
     )
   }
 }
 
 import Cached
 
+/**
+ * Holds if `node` is specified as a source with the given kind in a MaD flow
+ * model.
+ */
+predicate sourceNode(Node node, string kind) { sourceNode(node, kind, _) }
+
+/**
+ * Holds if `node` is specified as a sink with the given kind in a MaD flow
+ * model.
+ */
+predicate sinkNode(Node node, string kind) { sinkNode(node, kind, _) }
+
 // adapter class for converting Mad summaries to `SummarizedCallable`s
 private class SummarizedCallableAdapter extends SummarizedCallable {
-  SummarizedCallableAdapter() { summaryElement(this, _, _, _, _) }
+  SummarizedCallableAdapter() { summaryElement(this, _, _, _, _, _) }
 
-  private predicate relevantSummaryElementManual(string input, string output, string kind) {
+  private predicate relevantSummaryElementManual(
+    string input, string output, string kind, string model
+  ) {
     exists(Provenance provenance |
-      summaryElement(this, input, output, kind, provenance) and
+      summaryElement(this, input, output, kind, provenance, model) and
       provenance.isManual()
     )
   }
 
-  private predicate relevantSummaryElementGenerated(string input, string output, string kind) {
+  private predicate relevantSummaryElementGenerated(
+    string input, string output, string kind, string model
+  ) {
     exists(Provenance provenance |
-      summaryElement(this, input, output, kind, provenance) and
+      summaryElement(this, input, output, kind, provenance, model) and
       provenance.isGenerated()
     ) and
     not exists(Provenance provenance |
@@ -536,19 +562,21 @@ private class SummarizedCallableAdapter extends SummarizedCallable {
     )
   }
 
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
     exists(string kind |
-      this.relevantSummaryElementManual(input, output, kind)
+      this.relevantSummaryElementManual(input, output, kind, model)
       or
-      not this.relevantSummaryElementManual(_, _, _) and
-      this.relevantSummaryElementGenerated(input, output, kind)
+      not this.relevantSummaryElementManual(_, _, _, _) and
+      this.relevantSummaryElementGenerated(input, output, kind, model)
     |
       if kind = "value" then preservesValue = true else preservesValue = false
     )
   }
 
   override predicate hasProvenance(Provenance provenance) {
-    summaryElement(this, _, _, _, provenance)
+    summaryElement(this, _, _, _, provenance, _)
   }
 }
 

java/ql/lib/semmle/code/java/dataflow/FlowSummary.qll

@@ -126,8 +126,14 @@ class SummarizedCallable = Impl::Public::SummarizedCallable;
  * to `SummarizedCallable`.
  */
 private class SummarizedSyntheticCallableAdapter extends SummarizedCallable, TSyntheticCallable {
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    this.asSyntheticCallable().propagatesFlow(input, output, preservesValue)
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    exists(SyntheticCallable sc |
+      sc = this.asSyntheticCallable() and
+      sc.propagatesFlow(input, output, preservesValue) and
+      model = sc
+    )
   }
 }
 

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll

@@ -263,9 +263,10 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2) {
+  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2)
+    any(Configuration config).isAdditionalFlowStep(node1, node2) and
+    model = ""
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {