Merge pull request #8628 from michaelnebel/csharp/generatedkind

C#: Introduce generated flag as a part of the kind column for flow summaries

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -162,10 +162,17 @@ private predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
 
 private predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 
+bindingset[input]
+private predicate getKind(string input, string kind, boolean generated) {
+  input.splitAt(":", 0) = "generated" and kind = input.splitAt(":", 1) and generated = true
+  or
+  not input.matches("%:%") and kind = input and generated = false
+}
+
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind
+  string output, string kind, boolean generated
 ) {
   exists(string row |
     sourceModel(row) and
@@ -177,14 +184,14 @@ predicate sourceModel(
     row.splitAt(";", 4) = signature and
     row.splitAt(";", 5) = ext and
     row.splitAt(";", 6) = output and
-    row.splitAt(";", 7) = kind
+    exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
   )
 }
 
 /** Holds if a sink model exists for the given parameters. */
 predicate sinkModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind
+  string input, string kind, boolean generated
 ) {
   exists(string row |
     sinkModel(row) and
@@ -196,14 +203,14 @@ predicate sinkModel(
     row.splitAt(";", 4) = signature and
     row.splitAt(";", 5) = ext and
     row.splitAt(";", 6) = input and
-    row.splitAt(";", 7) = kind
+    exists(string k | row.splitAt(";", 7) = k and getKind(k, kind, generated))
   )
 }
 
 /** Holds if a summary model exists for the given parameters. */
 predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind
+  string input, string output, string kind, boolean generated
 ) {
   exists(string row |
     summaryModel(row) and
@@ -216,14 +223,14 @@ predicate summaryModel(
     row.splitAt(";", 5) = ext and
     row.splitAt(";", 6) = input and
     row.splitAt(";", 7) = output and
-    row.splitAt(";", 8) = kind
+    exists(string k | row.splitAt(";", 8) = k and getKind(k, kind, generated))
   )
 }
 
 private predicate relevantNamespace(string namespace) {
-  sourceModel(namespace, _, _, _, _, _, _, _) or
-  sinkModel(namespace, _, _, _, _, _, _, _) or
-  summaryModel(namespace, _, _, _, _, _, _, _, _)
+  sourceModel(namespace, _, _, _, _, _, _, _, _) or
+  sinkModel(namespace, _, _, _, _, _, _, _, _) or
+  summaryModel(namespace, _, _, _, _, _, _, _, _, _)
 }
 
 private predicate namespaceLink(string shortns, string longns) {
@@ -251,25 +258,25 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
     part = "source" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string output |
+        string ext, string output, boolean generated |
         canonicalNamespaceLink(namespace, subns) and
-        sourceModel(subns, type, subtypes, name, signature, ext, output, kind)
+        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, generated)
       )
     or
     part = "sink" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input |
+        string ext, string input, boolean generated |
         canonicalNamespaceLink(namespace, subns) and
-        sinkModel(subns, type, subtypes, name, signature, ext, input, kind)
+        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, generated)
       )
     or
     part = "summary" and
     n =
       strictcount(string subns, string type, boolean subtypes, string name, string signature,
-        string ext, string input, string output |
+        string ext, string input, string output, boolean generated |
         canonicalNamespaceLink(namespace, subns) and
-        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind)
+        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, generated)
       )
   )
 }
@@ -279,11 +286,11 @@ module CsvValidation {
   /** Holds if some row in a CSV-based flow model appears to contain typos. */
   query predicate invalidModelRow(string msg) {
     exists(string pred, string namespace, string type, string name, string signature, string ext |
-      sourceModel(namespace, type, _, name, signature, ext, _, _) and pred = "source"
+      sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
       or
-      sinkModel(namespace, type, _, name, signature, ext, _, _) and pred = "sink"
+      sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
       or
-      summaryModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "summary"
+      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
     |
       not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
       msg = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -302,9 +309,9 @@ module CsvValidation {
     )
     or
     exists(string pred, AccessPath input, string part |
-      sinkModel(_, _, _, _, _, _, input, _) and pred = "sink"
+      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
       or
-      summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(input, part) and
@@ -319,9 +326,9 @@ module CsvValidation {
     )
     or
     exists(string pred, string output, string part |
-      sourceModel(_, _, _, _, _, _, output, _) and pred = "source"
+      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
       or
-      summaryModel(_, _, _, _, _, _, _, output, _) and pred = "summary"
+      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
     |
       invalidSpecComponent(output, part) and
       not part = "" and
@@ -351,20 +358,23 @@ module CsvValidation {
       )
     )
     or
-    exists(string row, string kind | summaryModel(row) |
-      kind = row.splitAt(";", 8) and
+    exists(string row, string k, string kind | summaryModel(row) |
+      k = row.splitAt(";", 8) and
+      getKind(k, kind, _) and
       not kind = ["taint", "value"] and
       msg = "Invalid kind \"" + kind + "\" in summary model."
     )
     or
-    exists(string row, string kind | sinkModel(row) |
-      kind = row.splitAt(";", 7) and
+    exists(string row, string k, string kind | sinkModel(row) |
+      k = row.splitAt(";", 7) and
+      getKind(k, kind, _) and
       not kind = ["code", "sql", "xss", "remote", "html"] and
       msg = "Invalid kind \"" + kind + "\" in sink model."
     )
     or
-    exists(string row, string kind | sourceModel(row) |
-      kind = row.splitAt(";", 7) and
+    exists(string row, string k, string kind | sourceModel(row) |
+      k = row.splitAt(";", 7) and
+      getKind(k, kind, _) and
       not kind = "local" and
       msg = "Invalid kind \"" + kind + "\" in source model."
     )
@@ -374,9 +384,9 @@ module CsvValidation {
 private predicate elementSpec(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {
-  sourceModel(namespace, type, subtypes, name, signature, ext, _, _) or
-  sinkModel(namespace, type, subtypes, name, signature, ext, _, _) or
-  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _)
+  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
 }
 
 private predicate elementSpec(
@@ -502,6 +512,13 @@ Element interpretElement(
   )
 }
 
+/**
+ * Holds if `c` has a `generated` summary.
+ */
+predicate hasSummary(DataFlowCallable c, boolean generated) {
+  summaryElement(c, _, _, _, generated)
+}
+
 cached
 private module Cached {
   /**

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -806,10 +806,10 @@ module Private {
   module External {
     /** Holds if `spec` is a relevant external specification. */
     private predicate relevantSpec(string spec) {
-      summaryElement(_, spec, _, _) or
-      summaryElement(_, _, spec, _) or
-      sourceElement(_, spec, _) or
-      sinkElement(_, spec, _)
+      summaryElement(_, spec, _, _, _) or
+      summaryElement(_, _, spec, _, _) or
+      sourceElement(_, spec, _, _) or
+      sinkElement(_, spec, _, _)
     }
 
     private class AccessPathRange extends AccessPath::Range {
@@ -875,13 +875,20 @@ module Private {
     }
 
     private class SummarizedCallableExternal extends SummarizedCallable {
-      SummarizedCallableExternal() { summaryElement(this, _, _, _) }
+      SummarizedCallableExternal() { summaryElement(this, _, _, _, _) }
+
+      private predicate relevantSummaryElement(AccessPath inSpec, AccessPath outSpec, string kind) {
+        summaryElement(this, inSpec, outSpec, kind, false)
+        or
+        summaryElement(this, inSpec, outSpec, kind, true) and
+        not summaryElement(this, _, _, _, false)
+      }
 
       override predicate propagatesFlow(
         SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
       ) {
         exists(AccessPath inSpec, AccessPath outSpec, string kind |
-          summaryElement(this, inSpec, outSpec, kind) and
+          this.relevantSummaryElement(inSpec, outSpec, kind) and
           interpretSpec(inSpec, input) and
           interpretSpec(outSpec, output)
         |
@@ -910,7 +917,7 @@ module Private {
 
     private predicate sourceElementRef(InterpretNode ref, AccessPath output, string kind) {
       exists(SourceOrSinkElement e |
-        sourceElement(e, output, kind) and
+        sourceElement(e, output, kind, _) and
         if outputNeedsReference(output.getToken(0))
         then e = ref.getCallTarget()
         else e = ref.asElement()
@@ -919,7 +926,7 @@ module Private {
 
     private predicate sinkElementRef(InterpretNode ref, AccessPath input, string kind) {
       exists(SourceOrSinkElement e |
-        sinkElement(e, input, kind) and
+        sinkElement(e, input, kind, _) and
         if inputNeedsReference(input.getToken(0))
         then e = ref.getCallTarget()
         else e = ref.asElement()

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -85,39 +85,44 @@ DataFlowType getCallbackReturnType(DataFlowType t, ReturnKind rk) {
 
 /**
  * Holds if an external flow summary exists for `c` with input specification
- * `input`, output specification `output`, and kind `kind`.
+ * `input`, output specification `output`, kind `kind`, and a flag `generated`
+ * stating whether the summary is autogenerated.
  */
-predicate summaryElement(DataFlowCallable c, string input, string output, string kind) {
+predicate summaryElement(
+  DataFlowCallable c, string input, string output, string kind, boolean generated
+) {
   exists(
     string namespace, string type, boolean subtypes, string name, string signature, string ext
   |
-    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind) and
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, generated) and
     c = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }
 
 /**
  * Holds if an external source specification exists for `e` with output specification
- * `output` and kind `kind`.
+ * `output`, kind `kind`, and a flag `generated` stating whether the source specification is
+ * autogenerated.
  */
-predicate sourceElement(Element e, string output, string kind) {
+predicate sourceElement(Element e, string output, string kind, boolean generated) {
   exists(
     string namespace, string type, boolean subtypes, string name, string signature, string ext
   |
-    sourceModel(namespace, type, subtypes, name, signature, ext, output, kind) and
+    sourceModel(namespace, type, subtypes, name, signature, ext, output, kind, generated) and
     e = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }
 
 /**
- * Holds if an external sink specification exists for `n` with input specification
- * `input` and kind `kind`.
+ * Holds if an external sink specification exists for `e` with input specification
+ * `input`, kind `kind` and a flag `generated` stating whether the sink specification is
+ * autogenerated.
  */
-predicate sinkElement(Element e, string input, string kind) {
+predicate sinkElement(Element e, string input, string kind, boolean generated) {
   exists(
     string namespace, string type, boolean subtypes, string name, string signature, string ext
   |
-    sinkModel(namespace, type, subtypes, name, signature, ext, input, kind) and
+    sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, generated) and
     e = interpretElement(namespace, type, subtypes, name, signature, ext)
   )
 }

csharp/ql/src/utils/model-generator/CaptureDiscardedSummaryModels.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Capture discarded summary models.
+ * @description Finds summary models that are discarded as handwritten counterparts exist.
+ * @id csharp/utils/model-generator/discarded-summary-models
+ */
+
+private import semmle.code.csharp.dataflow.ExternalFlow
+private import internal.CaptureModels
+private import internal.CaptureFlow
+
+from TargetApi api, string flow
+where flow = captureFlow(api) and hasSummary(api, false)
+select flow order by flow