Java: Identify more APIs as supported in the telemetry queries. #16297
DCA looks.

Will this need to be updated when a new query is added/promoted? If so, how will we remember to do that?

Excellent question. The query doesn't have to be 100% accurate. We just need to at least have a best effort of incorporating QL sources and sinks.

I have skimmed this, but not reviewed in great detail. Here is the approach that I thought you were taking, but then I saw you weren't: define an abstract class

That is a fair point and I will look into it - thank you! The reason I picked the approach here was to avoid having bidirectional imports between the

There are a couple of different design options: There needs to be a central qll file that imports all of the sink definitions in order for the telemetry queries to see them (so we can't just have query-specific files extend

Thank you! I am already working on alternative B ;-)
… defined sources).
DCA looks good.
This looks good. Some minor nitpicks/questions. Also I had a quick look through and thought you might also want to include these sinks:
- CookieSink in java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
- FileCreationSink in java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
- java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
@owen-mc : Thank you for the feedback! Your suggestion on incorporating
In this PR we improve the telemetry queries so that source and sink APIs defined in QL are taken into account when deciding whether an API is supported or not.

To this end, two new modules, `ApiSinks` and `ApiSources`, are introduced. Each module defines a class of data-flow nodes, and the intention is that every source or sink pertaining to an API is added to the corresponding class.

Only source and sink definitions that are sufficiently concrete have been added (that is, sources and sinks that merely guess, based on string pattern matching on names, are not included).
This is a best effort attempt to improve the telemetry reporting.
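As an added illustration of the design described above (not the PR's own code), the following CodeQL snippet sketches the pattern: a central abstract node class that concrete sink definitions extend, plus a telemetry-style predicate that treats a callable as supported when one of its call arguments is such a sink. The `ApiSinkNode` name, the example cookie sink and the `isSupportedViaSink` predicate are assumptions made for this example.

```ql
/**
 * Added example, not code from the PR. Assumes the standard `java` pack
 * and its DataFlow library.
 */
import java
import semmle.code.java.dataflow.DataFlow

/**
 * Central abstract class (standing in for the `ApiSinks` module).
 * Query-specific libraries extend it so that the telemetry queries
 * only need to import this one file to see every sink.
 */
abstract class ApiSinkNode extends DataFlow::Node { }

/**
 * Constructed example of a concrete, non-guessing sink: an argument
 * passed to a `javax.servlet.http.Cookie` constructor. Sinks that
 * only match on name patterns would deliberately not extend ApiSinkNode.
 */
class ExampleCookieSink extends ApiSinkNode {
  ExampleCookieSink() {
    exists(ClassInstanceExpr cie |
      cie.getConstructedType().hasQualifiedName("javax.servlet.http", "Cookie") and
      this.asExpr() = cie.getAnArgument()
    )
  }
}

/**
 * Holds if `c` counts as a supported API because some call to it
 * passes an argument that is a QL-defined sink. This is the best-effort
 * check: a missing sink definition only makes an API look unsupported.
 */
predicate isSupportedViaSink(Callable c) {
  exists(Call call, ApiSinkNode sink |
    call.getCallee() = c and
    sink.asExpr() = call.getAnArgument()
  )
}

from Callable c
where isSupportedViaSink(c)
select c, "Supported API (sink defined in QL)"
```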