use ModelApi to define parameters worth modeling

Author: Stephan Brandauer

java/ql/src/Telemetry/AutomodelEndpointCharacteristics.qll

@@ -12,6 +12,7 @@ private import semmle.code.java.security.ExternalAPIs as ExternalAPIs
 private import semmle.code.java.Expr as Expr
 private import semmle.code.java.security.QueryInjection
 private import semmle.code.java.security.RequestForgery
+private import semmle.code.java.dataflow.internal.ModelExclusions as ModelExclusions
 import AutomodelSharedCharacteristics as SharedCharacteristics
 import AutomodelEndpointTypes as AutomodelEndpointTypes
 
@@ -239,6 +240,18 @@ private class UndocumentedMethodCharacteristic extends CharacteristicsImpl::Unin
   }
 }
 
+/**
+ * A characteristic that limits candidates to parameters of methods that are recognized as `ModelApi`, iow., APIs that
+ * are considered worth modelling.
+ */
+private class NotAModelApiParameter extends CharacteristicsImpl::UninterestingToModelCharacteristic {
+  NotAModelApiParameter() { this = "not a model API parameter" }
+
+  override predicate appliesToEndpoint(Endpoint e) {
+    not exists(ModelExclusions::ModelApi api | api.getParameter(_) = e.asParameter())
+  }
+}
+
 /**
  * A negative characteristic that filters out non-public methods. Non-public methods are not interesting to include in
  * the standard Java modeling, because they cannot be called from outside the package.