Skip to content

Java: Convert existing Commons Lang models to CSV #5372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Mar 26, 2021
Merged

Java: Convert existing Commons Lang models to CSV #5372

merged 6 commits into from
Mar 26, 2021

Conversation

smowton
Copy link
Contributor

@smowton smowton commented Mar 10, 2021
edited
Loading

This also adds tests for ArrayUtils and amends the existing models, which weren't quite right. Some void-returning methods were dropped, some additional parameters that can incorporate taint were added, and the stringifying methods were dropped on grounds that we don't usually consider toString taint-propagating AFAIK (though particular queries may differ in this respect)

@smowton smowton requested a review from a team as a code owner March 10, 2021 12:58
@github-actions github-actions bot added the Java label Mar 10, 2021
@smowton smowton added the no-change-note-required This PR does not need a change note label Mar 10, 2021
@aschackmull aschackmull changed the title Convert existing Commons Lang models to CSV Java: Convert existing Commons Lang models to CSV Mar 10, 2021
@smowton smowton mentioned this pull request Mar 11, 2021
Merged
aschackmull
aschackmull reviewed Mar 24, 2021
View reviewed changes
java/ql/src/semmle/code/java/frameworks/apache/Lang.qll Outdated
override predicate row(string row) {
row =
[
"org.apache.commons.lang3.text;StrBuilder;false;StrBuilder;(java.lang.String);;Argument;ReturnValue;taint",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Constructors should use Argument[-1] instead of ReturnValue to represent the constructed value. That way extending classes will also get proper flow through calls to super, which isn't an expression and therefore doesn't work with ReturnValue. The fact that ReturnValue currently mostly works is essentially a bug that will be fixed soon.

@aschackmull
Copy link
Contributor

The adjustment for constructors should be an easy fix, so I think we should at least include that. Switching from Argument to Argument[n1..n2] will also be necessary, but it's also fine to postpone that to a follow-up PR if you prefer that.

@smowton
Copy link
Contributor Author

smowton commented Mar 25, 2021
edited
Loading

@aschackmull both conversions applied (and rebased on latest main to bring in support for argument ranges)

@smowton smowton force-pushed the smowton/feature/commons-lang-models-to-csv branch from 4640935 to eaa2d4d Compare March 25, 2021 16:08
@aschackmull aschackmull merged commit 506c95d into github:main Mar 26, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull aschackmull approved these changes

Assignees
No one assigned
Labels
Java no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@smowton @aschackmull