Skip to content

Java: Update models for commons-io and add negative models. #10170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Aug 31, 2022
Merged

Java: Update models for commons-io and add negative models. #10170

merged 8 commits into from
Aug 31, 2022

Conversation

michaelnebel
Copy link
Contributor

@michaelnebel michaelnebel commented Aug 25, 2022
edited
Loading

This this PR

  • Update existing models for commons-io.
  • Generate Negative models for commons-io.
  • The non-supported external api telemetry query no will no longer report any APIs with negative summaries.
  • Models are not produced for static initializers.

The output was produced by:

  1. Delete the models content from IOGenerated.qll
  2. Run our generation script
    time python3 GenerateFlowModel.py --with-sinks --with-summaries --with-negative-summaries ~/Work/databases/java/commons-io "apache/IOGenerated.qll"

@github-actions github-actions bot added the Java label Aug 25, 2022
@github-actions
Copy link
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,561,104,89,,,,,,15
+    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
-    Totals,,217,6438,1474,117,6,10,107,33,1,84
+    Totals,,217,6433,1476,119,6,10,107,33,1,84
  • Changes to framework-coverage-java.csv:
- org.apache.commons.io,104,,561,,89,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,547,14
+ org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,542,14

@github-actions github-actions bot added the C# label Aug 26, 2022
@github-actions
Copy link
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,561,104,89,,,,,,15
+    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
-    Totals,,217,6438,1474,117,6,10,107,33,1,84
+    Totals,,217,6433,1476,119,6,10,107,33,1,84
  • Changes to framework-coverage-java.csv:
- org.apache.commons.io,104,,561,,89,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,547,14
+ org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,542,14

@github-actions
Copy link
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,561,104,89,,,,,,15
+    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
-    Totals,,217,6438,1474,117,6,10,107,33,1,84
+    Totals,,217,6433,1476,119,6,10,107,33,1,84
  • Changes to framework-coverage-java.csv:
- org.apache.commons.io,104,,561,,89,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,547,14
+ org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,542,14

@github-actions
Copy link
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,561,104,89,,,,,,15
+    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
-    Totals,,217,6438,1474,117,6,10,107,33,1,84
+    Totals,,217,6433,1476,119,6,10,107,33,1,84
  • Changes to framework-coverage-java.csv:
- org.apache.commons.io,104,,561,,89,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,547,14
+ org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,542,14

@github-actions
Copy link
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,561,104,89,,,,,,15
+    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
-    Totals,,217,6438,1474,117,6,10,107,33,1,84
+    Totals,,217,6433,1476,119,6,10,107,33,1,84
  • Changes to framework-coverage-java.csv:
- org.apache.commons.io,104,,561,,89,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,547,14
+ org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,542,14

@github-actions
Copy link
Contributor

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,561,104,89,,,,,,15
+    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,556,106,91,,,,,,15
-    Totals,,217,6438,1474,117,6,10,107,33,1,84
+    Totals,,217,6433,1476,119,6,10,107,33,1,84
  • Changes to framework-coverage-java.csv:
- org.apache.commons.io,104,,561,,89,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,547,14
+ org.apache.commons.io,106,,556,,91,,,,,,,,,,,,15,,,,,,,,,,,,,,,,,,,,542,14

@michaelnebel michaelnebel marked this pull request as ready for review August 29, 2022 14:26
@michaelnebel michaelnebel requested review from a team as code owners August 29, 2022 14:26
@michaelnebel michaelnebel added the no-change-note-required This PR does not need a change note label Aug 29, 2022
@michaelnebel michaelnebel mentioned this pull request Aug 30, 2022
Merged
tamasvajk
tamasvajk reviewed Aug 30, 2022
View reviewed changes
Copy link
Contributor

@tamasvajk tamasvajk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks plausible to me. It would be great to understand why there are changes in the generated models.

java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
@@ -55,7 +55,8 @@ private predicate isJdkInternal(J::CompilationUnit cu) {
private predicate isRelevantForModels(J::Callable api) {
not isInTestFile(api.getCompilationUnit().getFile()) and
not isJdkInternal(api.getCompilationUnit()) and
not api instanceof J::MainMethod
not api instanceof J::MainMethod and
not api instanceof J::StaticInitializer
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are static initializers not relevant for model generation?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They showed up in the negative generated summary models and I don't think it makes sense to include them for positive models either as the static initializers are not explicitly called.

@michaelnebel
Copy link
Contributor Author

Looks plausible to me. It would be great to understand why there are changes in the generated models.

Yes, but I think that needs to be a separate project where we need to improve the tooling such that we can "see" what changes causes the models to change.

@michaelnebel michaelnebel requested a review from tamasvajk August 31, 2022 08:42
@michaelnebel michaelnebel merged commit 1cb6d78 into github:main Aug 31, 2022
intrigus-lgtm
intrigus-lgtm reviewed Aug 31, 2022
View reviewed changes
java/ql/lib/semmle/code/java/frameworks/apache/NegativeIOGenerated.qll
"org.apache.commons.io.output;BrokenWriter;BrokenWriter;(IOException);generated",
"org.apache.commons.io.output;ByteArrayOutputStream;ByteArrayOutputStream;();generated",
"org.apache.commons.io.output;ByteArrayOutputStream;ByteArrayOutputStream;(int);generated",
"org.apache.commons.io.output;ByteArrayOutputStream;toBufferedInputStream;(InputStream);generated",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be that I'm misunderstanding negative models, but why should there be no flow here?

public static InputStream toBufferedInputStream(InputStream input)
throws IOException

Fetches entire contents of an InputStream and represent same data as result InputStream.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that would seem reasonable. The negative models are generated in the following way:
If the model generator does not discover flow, then we generate a negative model (stating there is no flow). The model generator is far from perfect and this is probably a case, where "positive" flow is missing.
In any case, the negative models are only used for telemetry purposes at the moment, so they don't interfere with dataflow analysis as such.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't know that they are only for telemetry.
Thank you for the explanation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@intrigus-lgtm intrigus-lgtm intrigus-lgtm left review comments

@tamasvajk tamasvajk tamasvajk approved these changes

Assignees
No one assigned
Labels
C# Java no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@michaelnebel @tamasvajk @intrigus-lgtm