Shared: Provenance-based filtering of flow summaries #21051
Conversation
github-actions
bot
added
C#
C++
Java
Python
Go
Ruby
Rust
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
3 times, most recently
from
a3e585d to
eb48820
Compare
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
from
1e946f8 to
30a0791
Compare
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
3 times, most recently
from
0fbea88 to
5a2881d
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
from
5a2881d to
a941f4a
Compare
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
2 times, most recently
from
bf632b3 to
c6383ff
Compare
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
2 times, most recently
from
9f81377 to
0057ae3
Compare
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
2 times, most recently
from
1933d1c to
72dfe9c
Compare
owen-mc
left a comment
owen-mc
left a comment
There was a problem hiding this comment.
Go LGTM. It's great to get this logic shared - it was a bit worrying that different implementations were drifting apart. And it's one less thing to have to think about when supporting a new language.
| if p.isGenerated() or isExact = false | ||
| then | ||
| // Only apply generated models to functions in library code | ||
| not (p.isGenerated() and callableFromSource(c)) and | ||
| // Only apply generated or inexact models when no strictly better model exists | ||
| not exists(Provenance other, boolean isExactOther | | ||
| c.propagatesFlow(_, _, _, other, isExactOther, _) | ||
| or | ||
| neutralElement(c, "summary", other, isExactOther) | ||
| | | ||
| p.isGenerated() and other.isManual() | ||
| or | ||
| p.getVerification() = other.getVerification() and | ||
| isExact = false and | ||
| isExactOther = true | ||
| ) | ||
| else any() |
There was a problem hiding this comment.
Maybe consider something like:
p.isManual() and isExact = true
or
// Only apply generated models to functions in library code
not (p.isGenerated() and callableFromSource(c)) and
// Only apply generated or inexact models when no strictly better model exists
not exists(Provenance other, boolean isExactOther |
c.propagatesFlow(_, _, _, other, isExactOther, _)
or
neutralElement(c, "summary", other, isExactOther)
|
p.isGenerated() and other.isManual()
or
p.getVerification() = other.getVerification() and
isExact = false and
isExactOther = true
)There was a problem hiding this comment.
Or if the above suggestion doesn't perform, then invert the condition (then it is more aligned with the comment explaining the logic).
if p.isManual() and isExact = true
then any()
else
...
|
@hvitved : This appears to break the model generator idempotency (at least for C#). I tried generating C# Runtime models from scratch (by first deleting the existing generated models) and then re-generate the model after this (which further changed the models). This is a very nice change! |
geoffw0
left a comment
geoffw0
left a comment
There was a problem hiding this comment.
Rust, Swift changes and DCA LGTM.
Oh no... Thanks for checking. |
yoff
left a comment
yoff
left a comment
There was a problem hiding this comment.
One question, otherwise both the code changes and DCA run looks good for Python.
| string model | ||
| ) { | ||
| this.propagatesFlow(input, output, preservesValue) and | ||
| p = "manual" and |
There was a problem hiding this comment.
Should only manual summaries propagate flow? (Or am I misunderstanding the code?)
I think we only have manual summaries so far, but if we ever get to generate some, I think we will not see their effect?
There was a problem hiding this comment.
It means that one can implement propagatesFlow(string input, string output, boolean preservesValue) instead of propagatesFlow(string input, string output, boolean preservesValue, Provenance p, boolean isExact, string model), and then get the default values here.
Missing manual models were added using the following code added to `FlowSummaryImpl.qll`:
```ql
private predicate testsummaryElement(
Input::SummarizedCallableBase c, string namespace, string type, boolean subtypes, string name,
string signature, string ext, string originalInput, string originalOutput, string kind,
string provenance, string model, boolean isExact
) {
exists(string input, string output, Callable baseCallable |
summaryModel(namespace, type, subtypes, name, signature, ext, originalInput, originalOutput,
kind, provenance, model) and
baseCallable = interpretElement(namespace, type, subtypes, name, signature, ext, isExact) and
(
c.asCallable() = baseCallable and input = originalInput and output = originalOutput
or
correspondingKotlinParameterDefaultsArgSpec(baseCallable, c.asCallable(), originalInput,
input) and
correspondingKotlinParameterDefaultsArgSpec(baseCallable, c.asCallable(), originalOutput,
output)
)
)
}
private predicate testsummaryElement2(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string originalInput, string originalOutput, string kind, string provenance, string model
) {
exists(Input::SummarizedCallableBase c |
testsummaryElement(c, _, _, _, _, _, _, originalInput, originalOutput, kind, provenance,
model, false) and
testsummaryElement(c, namespace, type, subtypes, name, signature, ext, _, _, _, provenance,
_, true) and
not testsummaryElement(c, _, _, _, _, _, _, originalInput, originalOutput, kind, provenance,
_, true)
)
}
private string getAMissingManualModel() {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string originalInput, string originalOutput, string kind, string provenance, string model
|
testsummaryElement2(namespace, type, subtypes, name, signature, ext, originalInput,
originalOutput, kind, provenance, model) and
result =
"- [\"" + namespace + "\", \"" + type + "\", True, \"" + name + "\", \"" + signature +
"\", \"\", \"" + originalInput + "\", \"" + originalOutput + "\", \"" + kind + "\", \"" +
provenance + "\"]"
)
}
```
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
from
117690f to
4a90f84
Compare
@michaelnebel : I have pushed a revert change that appears to fix this: When I run |
hvitved
force-pushed
the
shared/flow-summary-provenance-filtering
branch
from
5d74edd to
27c102a
Compare
| c.fromSource() and | ||
| not c.getFile().isStub() and | ||
| not ( | ||
| c.getFile().extractedQlTest() and |
There was a problem hiding this comment.
Maybe this deserves a comment (that ql test files where the body is just a throw are considered stub like and thus not a part of the source code).
michaelnebel
left a comment
michaelnebel
left a comment
There was a problem hiding this comment.
Really nice work @hvitved !
Only a couple of minor questions/remarks.
5 participants
This PR aligns the logic across languages for how flow summaries are prioritized based on provenance and exactness (that is, whether a model is defined directly for a function or for a function that is implemented/overridden).
A flow summary is considered relevant if:
Note that for dynamic languages we currently pretend that no source code is available for functions with flow summaries, so 3.(a) holds vacuously.
Points 2 and 3.c represent a change for e.g. Java, where we would previously union exact and inexact models, which meant that it was not possible to overrule inexact models. As a consequence, some inexact manual have been replicated. DCA for Java reports some lost
java/sensitive-logresults onapache_solr, but looking at those results, they all have flow paths of length > 150, so they are almost certainly false positives, and most likely a consequence of 3.c.In order for the logic to be defined in the shared flow summary library, I had to move provenance and exactness information into the
propagatesFlowpredicate, which is a breaking change.Lastly, I have applied the
::Rangepattern to theSummarizedCallableclass for all languages except C++, which currently does not expose this class. This means thatSummarizedCallable::Rangewill contain all flow summaries, whereasSummarizedCallablewill only contain relevant summaries.