Add QLDoc

atorralba · atorralba · commit baa1f71a5330 · 2022-01-21T16:55:43.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll
@@ -65,6 +65,11 @@ private class LocalDatabaseInputStoreMethod extends Method {
   }
 }
 
+/**
+ * Holds if `input` is a value being prepared for being stored into the SQLite dataabse `database`.
+ * This can be done using prepared statements, using the class `ContentValues`, or directly
+ * appending `input` to a SQL query.
+ */
 private predicate localDatabaseInput(DataFlow::Node database, Argument input) {
   exists(Method m | input.getCall().getCallee() = m |
     m instanceof LocalDatabaseInputStoreMethod and
@@ -81,6 +86,11 @@ private predicate localDatabaseInput(DataFlow::Node database, Argument input) {
   )
 }
 
+/**
+ * Holds if `store` is a method call for storing a previously appended input value,
+ * either through the use of prepared statements, via the `ContentValues` class, or
+ * directly executing a raw SQL query.
+ */
 private predicate localDatabaseStore(DataFlow::Node database, MethodAccess store) {
   exists(Method m | store.getMethod() = m |
     m instanceof LocalDatabaseInputStoreMethod and
@@ -110,6 +120,8 @@ private class LocalDatabaseFlowConfig extends DataFlow::Configuration {
   }
 
   override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    // Adds a step for tracking databases through field flow, that is, a database is opened and
+    // assigned to a field, and then an input or store method is called on that field elsewhere.
     exists(Field f |
       f.getType() instanceof TypeSQLiteDatabase and
       f.getAnAssignedValue() = n1.asExpr() and

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,11 @@ private class LocalDatabaseInputStoreMethod extends Method {`
`65`	`65`	`}`
`66`	`66`	`}`
`67`	`67`
	`68`	`+/**`
	`69`	+ * Holds if `input` is a value being prepared for being stored into the SQLite dataabse `database`.
	`70`	+ * This can be done using prepared statements, using the class `ContentValues`, or directly
	`71`	+ * appending `input` to a SQL query.
	`72`	`+ */`
`68`	`73`	`private predicate localDatabaseInput(DataFlow::Node database, Argument input) {`
`69`	`74`	`exists(Method m \| input.getCall().getCallee() = m \|`
`70`	`75`	`m instanceof LocalDatabaseInputStoreMethod and`
`@@ -81,6 +86,11 @@ private predicate localDatabaseInput(DataFlow::Node database, Argument input) {`
`81`	`86`	`)`
`82`	`87`	`}`
`83`	`88`
	`89`	`+/**`
	`90`	+ * Holds if `store` is a method call for storing a previously appended input value,
	`91`	+ * either through the use of prepared statements, via the `ContentValues` class, or
	`92`	`+ * directly executing a raw SQL query.`
	`93`	`+ */`
`84`	`94`	`private predicate localDatabaseStore(DataFlow::Node database, MethodAccess store) {`
`85`	`95`	`exists(Method m \| store.getMethod() = m \|`
`86`	`96`	`m instanceof LocalDatabaseInputStoreMethod and`
`@@ -110,6 +120,8 @@ private class LocalDatabaseFlowConfig extends DataFlow::Configuration {`
`110`	`120`	`}`
`111`	`121`
`112`	`122`	`override predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`
	`123`	`+ // Adds a step for tracking databases through field flow, that is, a database is opened and`
	`124`	`+ // assigned to a field, and then an input or store method is called on that field elsewhere.`
`113`	`125`	`exists(Field f \|`
`114`	`126`	`f.getType() instanceof TypeSQLiteDatabase and`
`115`	`127`	`f.getAnAssignedValue() = n1.asExpr() and`