ML: add defensive check to ensure Unknown endpoints cannot also be NotASink

[jhelie]

As discussed with @henrymercer this PR adds a defensive check in the getAnUnknown() predicate in ExtractEndpointData.qll. This should now ensure that the label of an endpoint has a unique value in {NotASink, Sink, Unkknown} for a given query.

The root problem should be fixed upstream by improving the endpoint filters, see https://github.com/github/ml-ql-adaptive-threat-modeling/issues/1818.

PR checks:

• ✅ here is the dev pipeline triggered using the proposed change in the QL library
• ✅ here is the model trained on the output of the above dev pipeline and here is its end-to-end evaluation

I therefore propose this PR is good to merge.

Relates to https://github.com/github/ml-ql-adaptive-threat-modeling/issues/1757

[jhelie]

(thanks for the rename @owen-mc , will do so next time 👍 )

[jhelie]

Thanks for the review @henrymercer . I agree it's a good idea to add a regression test but I will need your help to implement it. I don't think you have any more office hours this week and then you are on holidays, so do you think we can schedule something this week? I think it'd be good for this PR to be merged now rather than in 2 weeks.

[jhelie]

Here is an example of a sink that is currently labelled as both Unknown and NotASink (there are 8 others that can be found in sudheeshshetty-chat when running the test pipeline).

cc @annarailton

[jhelie]

@henrymercer : thanks to @annarailton's help I could update the tests. I've added 2 commits: one pre and post fix so that we can easily verify that the change in getAnUnknown modified the outcome of that new regression test (by removing the Unknown label).

I think this addresses all your comments.

[henrymercer]

Looks great, thanks for implementing that regression test and ✨ to @annarailton for 🍐ing on it!