Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move FlowSummaryImpl.qll to dataflow pack #14573

Merged
merged 14 commits into from
Dec 14, 2023
Merged

Move FlowSummaryImpl.qll to dataflow pack #14573

merged 14 commits into from
Dec 14, 2023

Conversation

hvitved
Copy link
Contributor

@hvitved hvitved commented Oct 24, 2023
edited
Loading

This PR turns FlowSummaryImpl.qll (and AccessPathSyntax.qll) into a proper parameterized module, and moves it to the shared dataflow pack.

Previously, the exposed SummarizedCallable class would look like

abstract class SummarizedCallable extends SummarizedCallableBase {
  predicate propagatesFlow(
    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
  ) {
    none()
  }

  predicate propagatesFlowExt(
    string input, string output, boolean preservesValue
  ) {
    none()
  }
}

but after this PR it is simply

abstract class SummarizedCallable extends SummarizedCallableBase {
  abstract predicate propagatesFlow(
    string input, string output, boolean preservesValue
  );
}

That is, we now consider SummaryComponentStack an internal implementation detail, which is not exposed to the user (the user-facing aliases have been deprecated).

Commit-by-commit review is encouraged, and for each of the <LANG>: Use FlowSummaryImpl from dataflow pack commits, I recommend viewing the FlowSummaryImpl.qll in full, as the diff is not really meaningful (previously, it was the synced copy of share library, now it contains the inputs to the shared library).

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 24, 2023
View reviewed changes
shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll
Comment on lines +1597 to +1778
/**
* A query predicate for outputting flow summaries in semi-colon separated format in QL tests.
* The syntax is: "namespace;type;overrides;name;signature;ext;inputspec;outputspec;kind;provenance",
* ext is hardcoded to empty.
*/

Check warning

Code scanning / CodeQL

Predicate QLDoc style. Warning

The QLDoc for a predicate without a result should start with 'Holds'.
shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll
sinkElement(_, spec, _, _)
}

private module AccessPath = AccessPathSyntax::AccessPath<sourceSinkSpec/1>;

Check warning

Code scanning / CodeQL

Dead code Warning

This code is never used, and it's not publicly exported.
@hvitved hvitved force-pushed the flow-summary-impl-param branch from 741725b to 45b59c1 Compare October 24, 2023 12:30
@hvitved hvitved force-pushed the flow-summary-impl-param branch from 45b59c1 to 6185feb Compare October 24, 2023 18:54
@github-actions github-actions bot added the C# label Oct 24, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 24, 2023
View reviewed changes
shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll Fixed Show fixed Hide fixed
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
module SourceSinkInterpretationInput implements
Impl::Private::External::SourceSinkInterpretationInputSig
{
private import csharp as Cs

Check warning

Code scanning / CodeQL

Names only differing by case Warning

Cs is only different by casing from CS that is used elsewhere for modules.
@hvitved hvitved force-pushed the flow-summary-impl-param branch from 6185feb to a047beb Compare October 30, 2023 08:33
@hvitved hvitved force-pushed the flow-summary-impl-param branch 7 times, most recently from 94cefa4 to b2ee1f0 Compare November 27, 2023 11:45
@github-actions github-actions bot added the Go label Nov 27, 2023
@hvitved hvitved force-pushed the flow-summary-impl-param branch from b2ee1f0 to 5f79e7c Compare November 27, 2023 13:31
@github-actions github-actions bot added the Swift label Nov 27, 2023
@hvitved hvitved force-pushed the flow-summary-impl-param branch from 5f79e7c to c656fba Compare November 27, 2023 14:45
@hvitved hvitved force-pushed the flow-summary-impl-param branch from c656fba to d73136b Compare December 7, 2023 10:43
@github-actions github-actions bot added the Java label Dec 7, 2023
@hvitved hvitved force-pushed the flow-summary-impl-param branch 2 times, most recently from ae7e347 to fcb6c19 Compare December 7, 2023 12:59
@hvitved hvitved force-pushed the flow-summary-impl-param branch from fb1102c to f9dbf67 Compare December 10, 2023 10:26
erik-krogh
erik-krogh previously approved these changes Dec 11, 2023
View reviewed changes
Copy link
Contributor

@erik-krogh erik-krogh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JS 👍

MathiasVP
MathiasVP previously approved these changes Dec 11, 2023
View reviewed changes
Copy link
Contributor

@MathiasVP MathiasVP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Swift 👍

@hvitved hvitved dismissed stale reviews from MathiasVP and erik-krogh via cdf59e1 December 11, 2023 09:27
RasmusWL
RasmusWL requested changes Dec 12, 2023
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM, but there are 2 things I would like to get fixed for Python 🙏

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll Outdated Show resolved Hide resolved
python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll Outdated Show resolved Hide resolved
michaelnebel
michaelnebel reviewed Dec 12, 2023
View reviewed changes
csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
)
}

private class SummarizedCallableAdapter extends SummarizedCallable {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe a comment that this is where the MaD rows are being used to create SummarizedCallable's (the same for neutrals as well).

michaelnebel
michaelnebel previously approved these changes Dec 12, 2023
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

C#: Looks good to me!
Thank you for doing this @hvitved !

RasmusWL
RasmusWL previously approved these changes Dec 13, 2023
View reviewed changes
Copy link
Member

@RasmusWL RasmusWL left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Python 👍 (thanks for the updates)

yoff
yoff reviewed Dec 13, 2023
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see this has already been approved by Python. I can also see that I have a pending comment, but I do not remember what it is, so I will just submit the partial review now, to see if it is still relevant.

shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll Outdated Show resolved Hide resolved
@aschackmull
Copy link
Contributor

aschackmull commented Dec 13, 2023
edited
Loading

I think I might see a bug related to the MaD provenance column. Could you verify that the presence of both a manual and a generated model for the same callable yields only the manual summary? I believe this used to work, but I think it might be broken now. Alright, I no longer think there's a bug, instead I think that most of the logic in SummarizedCallableExternal can be deleted as it appears to be useless (and that's what threw me off in the first place).

@owen-mc
Copy link
Contributor

owen-mc commented Dec 13, 2023

@aschackmull Do we have a test for what happens when we have a manual model and a generated model?

@hvitved
Copy link
Contributor Author

hvitved commented Dec 13, 2023

Do we have a test for what happens when we have a manual model and a generated model?

There is at least https://github.com/github/codeql/blob/main/java/ql/src/Metrics/Summaries/GeneratedVsManualCoverage.ql.

@michaelnebel
Copy link
Contributor

michaelnebel commented Dec 14, 2023
edited
Loading

@aschackmull Do we have a test for what happens when we have a manual model and a generated model?

I don't think there exists such a test for Java.
But one can use the summary/1 predicate for creating such a test. (cc @owen-mc)

@hvitved hvitved dismissed stale reviews from RasmusWL and michaelnebel via 098afb9 December 14, 2023 08:49
aschackmull
aschackmull approved these changes Dec 14, 2023
View reviewed changes
Copy link
Contributor

@aschackmull aschackmull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks for tackling this!

@hvitved hvitved merged commit c8b4a21 into github:main Dec 14, 2023
52 checks passed
@hvitved hvitved deleted the flow-summary-impl-param branch December 14, 2023 11:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yoff yoff yoff left review comments

@aschackmull aschackmull aschackmull approved these changes

@aibaars aibaars aibaars approved these changes

@erik-krogh erik-krogh erik-krogh left review comments

@michaelnebel michaelnebel michaelnebel left review comments

@MathiasVP MathiasVP MathiasVP left review comments

@RasmusWL RasmusWL RasmusWL left review comments

Assignees
No one assigned
Labels
C# DataFlow Library documentation Go Java JS no-change-note-required This PR does not need a change note Python Ruby Swift
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@hvitved @aschackmull @owen-mc @michaelnebel @yoff @RasmusWL @MathiasVP @aibaars @erik-krogh