JS: Add helper library for call graph exploration

[asgerf]

Exploring the call graph leading to or from a given function should be easier out-of-the-box than it currently is.

This adds a library semmle.javascript.explore.CallGraph which can be imported to help define a path query that looks for specific call paths. For example:

/**
 * @kind path-problem
 */

import javascript
import semmle.javascript.explore.CallGraph
import DataFlow

from InvokeNode invoke, FunctionNode target
where callEdge*(invoke, target)
  and isStartOfCallPath(invoke)
  and target.getName() = "myFunction"
select invoke, invoke, target, "Call path to myFunction"

There are two other work items I'd like to do, but first I'd like hear what people think of the idea:

• Move semmle.javascript.dataflow.ForwardExploration and semmle.javascript.dataflow.BackwardExploration into semmle.javascript.explore
• Add a help page about exploratory queries, explaining how to use these libraries.

[max-schaefer]

That last bit is interesting; why do we want those edges?

[asgerf]

To handle callbacks passed to forEach where we don't see the exact call site.

So in a sense, a call edge A -> B can be read as A causes B to be called.

Even when it's not technically called in the same stack frame (e.g. through addEventListener) I still found this to be useful.

[max-schaefer]

OK, that makes sense. Could you expand the documentation slightly to explain this?

Also, I wonder whether it would make sense to distinguish the two kinds of edges by giving them different labels?

[esbena]

LGTM.

The move-proposal also sounds good.

Other content for .explore (lets track this elsewhere when this PR gets merged):

• the heuristics module
• a similar one-liner for getting a graph for type/configuration tracking to/from a specific node
• a one liner for seeing the most important Configuration member predicate nodes. I.e. an alert at each sink, source, sanitizer...

[esbena]

Suggested change

	* Holds if `invoke` should be used as the starting point of a call path.
	* Holds if `fun` should be used as the ending point of a call path.

[asgerf]

Rebased and moved the change note to 1.25. I found myself needing this the other day so I'd like it if we can try and get it merged. Writing the help page turned out to be more time-consuming than expected, so I'd like to merge without that.

[erik-krogh]

Could we remove the aliases to forward/backwards exploration in seemle.javascript.dataflow?
I know it is a breaking change, but the files explicitly states that they were only meant for debugging.

The rest LGTM, so I'm approving, and leaving it to you if you want to keep the aliases.

(I tried out GitHub's online conflict resolution, that's how I made a merge commit on your branch).

[asgerf]

Could we remove the aliases to forward/backwards exploration in seemle.javascript.dataflow

It's usually a good idea to have a grace period where both solutions are usable, so I'd like to have both for one release.

[asgerf]

@esbena you're still requesting changes. Any more requests?