From 10fddc7b960879d188e58cdf02a9a532cd844cea Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 26 Mar 2026 11:40:11 +0000 Subject: [PATCH 01/10] Add barriers and barrier guards to MaD format explanations --- cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll | 10 +++++++++- .../code/csharp/dataflow/internal/ExternalFlow.qll | 11 +++++++++-- go/ql/lib/semmle/go/dataflow/ExternalFlow.qll | 10 +++++++++- .../ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | 11 +++++++++-- .../frameworks/data/internal/ApiGraphModels.qll | 7 ++++++- .../frameworks/data/internal/ApiGraphModels.qll | 7 ++++++- .../ruby/frameworks/data/internal/ApiGraphModels.qll | 7 ++++++- .../codeql/rust/dataflow/internal/ModelsAsData.qll | 11 +++++++++-- 8 files changed, 63 insertions(+), 11 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index 7cf3b937ac51..1ec501a85dd6 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll @@ -10,6 +10,10 @@ * `namespace; type; subtypes; name; signature; ext; input; kind` * - Summaries: * `namespace; type; subtypes; name; signature; ext; input; output; kind` + * - Barriers: + * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `namespace; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * * The interpretation of a row is similar to API-graphs with a left-to-right * reading. 
@@ -86,7 +90,11 @@ * value, and * - flow from the _second_ indirection of the 0th argument to the first * indirection of the return value, etc. - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false". In the future "no-exception", "not-zero", "null", "not-null" may be + * supported. + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll index 024e9cf119d5..2b4264fc4329 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll @@ -11,6 +11,10 @@ * `namespace; type; subtypes; name; signature; ext; input; kind; provenance` * - Summaries: * `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance` + * - Barriers: + * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `namespace; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * - Neutrals: * `namespace; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). 
@@ -69,14 +73,17 @@ * - "Field[f]": Selects the contents of field `f`. * - "Property[p]": Selects the contents of property `p`. * - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false", "no-exception", "not-zero", "null", "not-null". + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a * globally applicable value-preserving step. For neutrals the kind can be `summary`, * `source` or `sink` to indicate that the neutral is neutral with respect to * flow (no summary), source (is not a source) or sink (is not a sink). - * 9. The `provenance` column is a tag to indicate the origin and verification of a model. + * 10. The `provenance` column is a tag to indicate the origin and verification of a model. * The format is {origin}-{verification} or just "manual" where the origin describes * the origin of the model and verification describes how the model has been verified. * Some examples are: diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll index e1170aeda244..3812b3df449f 100644 --- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll +++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll 
@@ -11,6 +11,10 @@ * `package; type; subtypes; name; signature; ext; input; kind; provenance` * - Summaries: * `package; type; subtypes; name; signature; ext; input; output; kind; provenance` + * - Barriers: + * `package; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `package; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * - Neutrals: * `package; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). @@ -78,7 +82,11 @@ * - "MapValue": Selects a value in a map. * - "Dereference": Selects the value referenced by a pointer. * - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false". In the future "no-exception", "not-zero", "null", "not-null" may be + * supported. + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 1536c81aa083..45db15897f7c 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll 
@@ -11,6 +11,10 @@ * `package; type; subtypes; name; signature; ext; input; kind; provenance` * - Summaries: * `package; type; subtypes; name; signature; ext; input; output; kind; provenance` + * - Barriers: + * `package; type; subtypes; name; signature; ext; output; kind; provenance` + * - BarrierGuards: + * `package; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` * - Neutrals: * `package; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). 
@@ -69,14 +73,17 @@ * in the given range. The range is inclusive at both ends. * - "ReturnValue": Selects the return value of a call to the selected element. * - "Element": Selects the collection elements of the selected element. - * 8. The `kind` column is a tag that can be referenced from QL to determine to + * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * under which the guard accepts or blocks flow. It can be one of "true" or + * "false", "no-exception", "not-zero", "null", "not-null". + * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a * globally applicable value-preserving step. For neutrals the kind can be `summary`, * `source` or `sink` to indicate that the neutral is neutral with respect to * flow (no summary), source (is not a source) or sink (is not a sink). - * 9. The `provenance` column is a tag to indicate the origin and verification of a model. + * 10. The `provenance` column is a tag to indicate the origin and verification of a model. * The format is {origin}-{verification} or just "manual" where the origin describes * the origin of the model and verification describes how the model has been verified. * Some examples are: diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll index 60fe40e716d0..34bf32675221 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll 
@@ -10,6 +10,10 @@ * `type, path, kind` * - Summaries: * `type, path, input, output, kind` + * - Barriers: + * `type, path, kind` + * - BarrierGuards: + * `type, path, branch, kind` * - Types: * `type1, type2, path` * @@ -42,7 +46,8 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `kind` column is a tag that can be referenced from QL to determine to + * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll index 60fe40e716d0..34bf32675221 100644 --- a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll +++ b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll @@ -10,6 +10,10 @@ * `type, path, kind` * - Summaries: * `type, path, input, output, kind` + * - Barriers: + * `type, path, kind` + * - BarrierGuards: + * `type, path, branch, kind` * - Types: * `type1, type2, path` * 
@@ -42,7 +46,8 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `kind` column is a tag that can be referenced from QL to determine to + * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll index 60fe40e716d0..34bf32675221 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll +++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll @@ -10,6 +10,10 @@ * `type, path, kind` * - Summaries: * `type, path, input, output, kind` + * - Barriers: + * `type, path, kind` + * - BarrierGuards: + * `type, path, branch, kind` * - Types: * `type1, type2, path` * 
@@ -42,7 +46,8 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `kind` column is a tag that can be referenced from QL to determine to + * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll index 4d28dd8de812..a21d50ed8ad0 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll @@ -9,6 +9,10 @@ * `path; input; kind; provenance` * - Summaries: * `path; input; output; kind; provenance` + * - Barriers: + * `path; output; kind; provenance` + * - BarrierGuards: + * `path; input; branch; kind; provenance` * * The interpretation of a row is similar to API-graphs with a left-to-right * reading. 
@@ -34,12 +38,15 @@ * - `Field[i]`: the `i`th element of a tuple. * - `Reference`: the referenced value. * - `Future`: the value being computed asynchronously. - * 3. The `kind` column is a tag that can be referenced from QL to determine to + * 3. The `branch` column of barrier guard models specifies which branch of the + * guard is blocking flow. It can be "true" or "false". In the future + * "no-exception", "not-zero", "null", "not-null" may be supported. + * 4. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries * `"taint"` indicates a default additional taint step and `"value"` indicates a * globally applicable value-preserving step. - * 4. The `provenance` column is mainly used internally, and should be set to `"manual"` for + * 5. The `provenance` column is mainly used internally, and should be set to `"manual"` for * all custom models. */ From 61b13d570272fe63c193a1b6b2158cf20a959883 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 26 Mar 2026 11:40:42 +0000 Subject: [PATCH 02/10] C++: Add provenance to MaD format explanation --- cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index 1ec501a85dd6..b36c37d81141 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll 
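Review bot: The new item 3 and the `BarrierGuards` row in the Rust header call the guard-outcome column `branch`, while the C++, C#, Go and Java headers changed in this same patch call the equivalent column `acceptingvalue`, so one concept is documented under two names. The diffstat of PATCH 09 lists the Rust `DataFlowImpl.qll` and `FlowSummaryImpl.qll` among the files touched by the `acceptingValue` rename, which suggests the Rust implementation may use that name too; please check the extensible predicate declaration and use a single name in the row format and in item 3. The JavaScript, Python and Ruby `ApiGraphModels.qll` hunks have the same `branch` wording and could get a short cross-reference if the two names are intentionally different.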
@@ -99,6 +99,15 @@ * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a * globally applicable value-preserving step. + * 10. The `provenance` column is a tag to indicate the origin and verification of a model. + * The format is {origin}-{verification} or just "manual" where the origin describes + * the origin of the model and verification describes how the model has been verified. + * Some examples are: + * - "df-generated": The model has been generated by the model generator tool. + * - "df-manual": The model has been generated by the model generator and verified by a human. + * - "manual": The model has been written by hand. + * This information is used in a heuristic for dataflow analysis to determine, if a + * model or source code should be used for determining flow. */ import cpp From 805d2ec46cbe4c5aae54c817f59811f1595b250b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 26 Mar 2026 11:41:59 +0000 Subject: [PATCH 03/10] Go: Add provenance to MaD format explanation --- go/ql/lib/semmle/go/dataflow/ExternalFlow.qll | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll index 3812b3df449f..23e08ce5cbf5 100644 --- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll +++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll 
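Review bot: The last sentence of the new item 10 is hard to parse: "to determine, if a model or source code should be used for determining flow" has a stray comma and repeats "determine". I would write `This information is used by a dataflow heuristic to decide whether a model or the source code is used for determining flow.` The identical sentence is added to the Go header in PATCH 03. After this patch the `Sources`, `Sinks` and `Summaries` rows at the top of the C++ comment still end at `kind`; PATCH 06 adds `provenance` there, so the two could be squashed.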
@@ -91,6 +91,15 @@ * sources "remote" indicates a default remote flow source, and for summaries * "taint" indicates a default additional taint step and "value" indicates a * globally applicable value-preserving step. + * 10. The `provenance` column is a tag to indicate the origin and verification of a model. + * The format is {origin}-{verification} or just "manual" where the origin describes + * the origin of the model and verification describes how the model has been verified. + * Some examples are: + * - "df-generated": The model has been generated by the model generator tool. + * - "df-manual": The model has been generated by the model generator and verified by a human. + * - "manual": The model has been written by hand. + * This information is used in a heuristic for dataflow analysis to determine, if a + * model or source code should be used for determining flow. */ overlay[local?] module; From df842665b7156aa20de94972d39698a74326462b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 26 Mar 2026 11:42:13 +0000 Subject: [PATCH 04/10] Rust: Add neutrals to MaD format explanation --- rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll index a21d50ed8ad0..a43495ac7840 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll @@ -13,6 +13,9 @@ * `path; output; kind; provenance` * - BarrierGuards: * `path; input; branch; kind; provenance` + * - Neutrals: + * `package; type; name; signature; kind; provenance` + * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). * * The interpretation of a row is similar to API-graphs with a left-to-right * reading. 
From e680d49c93334f38134c1e7da000e0e18db42fc3 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 26 Mar 2026 12:08:54 +0000 Subject: [PATCH 05/10] Shared: document extensible relations rather than CSV --- cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll | 2 +- .../lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll | 2 +- go/ql/lib/semmle/go/dataflow/ExternalFlow.qll | 2 +- java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index b36c37d81141..df1765ec07ca 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll @@ -3,7 +3,7 @@ * * Provides classes and predicates for dealing with flow models specified in CSV format. * - * The CSV specification has the following columns: + * The extensible relations have the following columns: * - Sources: * `namespace; type; subtypes; name; signature; ext; output; kind` * - Sinks: diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll index 2b4264fc4329..95b9578e4f3b 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll @@ -4,7 +4,7 @@ * Provides classes and predicates for dealing with MaD flow models specified * in data extensions and CSV format. * - * The CSV specification has the following columns: + * The extensible relations have the following columns: * - Sources: * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` * - Sinks: diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll index 23e08ce5cbf5..05379c620fbb 100644 --- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll 
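Review bot: The context line just above the change in the C++ hunk still reads "Provides classes and predicates for dealing with flow models specified in CSV format.", so the header now says CSV in one sentence and "extensible relations" in the next. The C#, Go and Java hunks keep "in data extensions and CSV format" in the same position. If CSV input is no longer the documented interface, the C++ line could become `Provides classes and predicates for dealing with flow models specified in data extensions.`; if it is still accepted, one sentence saying that the columns are the same for both would remove the ambiguity. The rows below are still written with `;` separators, which is CSV row syntax rather than the tuple form of a data extension, so a short note on how to read them would help.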
+++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll @@ -4,7 +4,7 @@ * Provides classes and predicates for dealing with flow models specified * in data extensions and CSV format. * - * The CSV specification has the following columns: + * The extensible relations have the following columns: * - Sources: * `package; type; subtypes; name; signature; ext; output; kind; provenance` * - Sinks: diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 45db15897f7c..8f6d1a7855a3 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -4,7 +4,7 @@ * Provides classes and predicates for dealing with flow models specified * in data extensions and CSV format. * - * The CSV specification has the following columns: + * The extensible relations have the following columns: * - Sources: * `package; type; subtypes; name; signature; ext; output; kind; provenance` * - Sinks: From 886a16bfad664c67da64f4136a3079009a38bd11 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 26 Mar 2026 12:09:11 +0000 Subject: [PATCH 06/10] C++: Add provenance column --- cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index df1765ec07ca..ed40d3919173 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll 
@@ -5,11 +5,11 @@ * * The extensible relations have the following columns: * - Sources: - * `namespace; type; subtypes; name; signature; ext; output; kind` + * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` * - Sinks: - * `namespace; type; subtypes; name; signature; ext; input; kind` + * `namespace; type; subtypes; name; signature; ext; input; kind; provenance` * - Summaries: - * `namespace; type; subtypes; name; signature; ext; input; output; kind` + * `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance` * - Barriers: * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` * - BarrierGuards: From 5451424e751d102f492d4f7298518afd20cdf6e6 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 27 Mar 2026 09:46:20 +0000 Subject: [PATCH 07/10] Rust: Fix columns for neutrals --- rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll index a43495ac7840..cc7dd9963ea0 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll @@ -14,7 +14,7 @@ * - BarrierGuards: * `path; input; branch; kind; provenance` * - Neutrals: - * `package; type; name; signature; kind; provenance` + * `path; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). * * The interpretation of a row is similar to API-graphs with a left-to-right From b3285c6ae2274aaa456a2fe152945f38bd16f8af Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Fri, 27 Mar 2026 11:35:22 +0000 Subject: [PATCH 08/10] Make description of `acceptingvalue` column clearer --- cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll | 5 ++--- .../semmle/code/csharp/dataflow/internal/ExternalFlow.qll | 4 ++-- go/ql/lib/semmle/go/dataflow/ExternalFlow.qll | 5 ++--- java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | 4 ++-- 4 files changed, 8 insertions(+), 10 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index ed40d3919173..3fe9f6aaedfc 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll @@ -91,9 +91,8 @@ * - flow from the _second_ indirection of the 0th argument to the first * indirection of the return value, etc. * 8. The `acceptingvalue` column of barrier guard models specifies the condition - * under which the guard accepts or blocks flow. It can be one of "true" or - * "false". In the future "no-exception", "not-zero", "null", "not-null" may be - * supported. + * under which the guard blocks flow. It can be one of "true" or "false". In + * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll index 95b9578e4f3b..17cdcc1bf0b9 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll 
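Review bot: "the condition under which the guard blocks flow" in the reworded item 8 does not explain why the column is called an accepting value, and a model author can still read "true" as "flow passes when the call returns true". An inverted value would presumably make the analysis treat the unchecked branch as sanitized and suppress real results, so I would spell the direction out, for example `specifies the outcome of the guard for which its input is considered validated; flow through that input is blocked on that outcome`. The same wording is used in the C#, Go and Java hunks of this patch. The C# and Java hunks also change the documented value set from six accepted values to two plus "may be supported in the future"; please confirm this matches what `invalidAcceptingValue` (used in the C# `ModelValidation` code visible in PATCH 09) rejects, since its definition is not shown here.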
@@ -74,8 +74,8 @@ * - "Property[p]": Selects the contents of property `p`. * * 8. The `acceptingvalue` column of barrier guard models specifies the condition - * under which the guard accepts or blocks flow. It can be one of "true" or - * "false", "no-exception", "not-zero", "null", "not-null". + * under which the guard blocks flow. It can be one of "true" or "false". In + * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll index 05379c620fbb..0ad28bac5332 100644 --- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll +++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll @@ -83,9 +83,8 @@ * - "Dereference": Selects the value referenced by a pointer. * * 8. The `acceptingvalue` column of barrier guard models specifies the condition - * under which the guard accepts or blocks flow. It can be one of "true" or - * "false". In the future "no-exception", "not-zero", "null", "not-null" may be - * supported. + * under which the guard blocks flow. It can be one of "true" or "false". In + * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 8f6d1a7855a3..6ad4a5938a3b 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll 
@@ -74,8 +74,8 @@ * - "ReturnValue": Selects the return value of a call to the selected element. * - "Element": Selects the collection elements of the selected element. * 8. The `acceptingvalue` column of barrier guard models specifies the condition - * under which the guard accepts or blocks flow. It can be one of "true" or - * "false", "no-exception", "not-zero", "null", "not-null". + * under which the guard blocks flow. It can be one of "true" or "false". In + * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources "remote" indicates a default remote flow source, and for summaries From a7fdc4b5435e38cffb68fa425cbdec62939091bb Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 27 Mar 2026 22:15:45 +0000 Subject: [PATCH 09/10] Replace `acceptingvalue` with `acceptingValue` --- .../semmle/code/cpp/dataflow/ExternalFlow.qll | 16 +++++++-------- .../internal/ExternalFlowExtensions.qll | 2 +- .../cpp/dataflow/internal/FlowSummaryImpl.qll | 4 ++-- .../csharp/dataflow/internal/ExternalFlow.qll | 18 ++++++++--------- .../internal/ExternalFlowExtensions.qll | 2 +- .../dataflow/internal/FlowSummaryImpl.qll | 4 ++-- go/ql/lib/semmle/go/dataflow/ExternalFlow.qll | 18 ++++++++--------- .../internal/ExternalFlowExtensions.qll | 2 +- .../go/dataflow/internal/FlowSummaryImpl.qll | 4 ++-- .../code/java/dataflow/ExternalFlow.qll | 18 ++++++++--------- .../internal/ExternalFlowExtensions.qll | 2 +- .../dataflow/internal/FlowSummaryImpl.qll | 4 ++-- .../rust/dataflow/internal/DataFlowImpl.qll | 6 +++--- .../dataflow/internal/FlowSummaryImpl.qll | 20 +++++++++---------- shared/mad/codeql/mad/static/ModelsAsData.qll | 12 +++++------ .../dataflow/internal/FlowSummaryImpl.qll | 2 +- 16 files changed, 67 insertions(+), 67 deletions(-) 
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index 3fe9f6aaedfc..e97b6d044d72 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll @@ -13,7 +13,7 @@ * - Barriers: * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` * - BarrierGuards: - * `namespace; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` + * `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance` * * The interpretation of a row is similar to API-graphs with a left-to-right * reading. @@ -90,7 +90,7 @@ * value, and * - flow from the _second_ indirection of the 0th argument to the first * indirection of the return value, etc. - * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * 8. The `acceptingValue` column of barrier guard models specifies the condition * under which the guard blocks flow. It can be one of "true" or "false". In * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to @@ -1089,13 +1089,13 @@ private module Cached { private predicate barrierGuardChecks(IRGuardCondition g, Expr e, boolean gv, TKindModelPair kmp) { exists( - SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue, + SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue, string kind, string model | - isBarrierGuardNode(n, acceptingvalue, kind, model) and + isBarrierGuardNode(n, acceptingValue, kind, model) and n.asNode().asExpr() = e and kmp = TMkPair(kind, model) and - gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and + gv = convertAcceptingValue(acceptingValue).asBooleanValue() and n.asNode().(Private::ArgumentNode).getCall().asCallInstruction() = g ) } 
@@ -1112,14 +1112,14 @@ private module Cached { ) { exists( SourceSinkInterpretationInput::InterpretNode interpretNode, - Public::AcceptingValue acceptingvalue, string kind, string model, int indirectionIndex, + Public::AcceptingValue acceptingValue, string kind, string model, int indirectionIndex, Private::ArgumentNode arg | - isBarrierGuardNode(interpretNode, acceptingvalue, kind, model) and + isBarrierGuardNode(interpretNode, acceptingValue, kind, model) and arg = interpretNode.asNode() and arg.asIndirectExpr(indirectionIndex) = e and kmp = MkKindModelPairIntPair(TMkPair(kind, model), indirectionIndex) and - gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and + gv = convertAcceptingValue(acceptingValue).asBooleanValue() and arg.getCall().asCallInstruction() = g ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll index 1a572c221d9f..22c74c2aa714 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll @@ -33,7 +33,7 @@ extensible predicate barrierModel( */ extensible predicate barrierGuardModel( string namespace, string type, boolean subtypes, string name, string signature, string ext, - string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId + string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId ); /** diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll index cce1b80e7fcb..d91dc41febeb 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll 
@@ -162,13 +162,13 @@ module SourceSinkInterpretationInput implements } predicate barrierGuardElement( - Element e, string input, Public::AcceptingValue acceptingvalue, string kind, + Element e, string input, Public::AcceptingValue acceptingValue, string kind, Public::Provenance provenance, string model ) { exists( string package, string type, boolean subtypes, string name, string signature, string ext | - barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind, + barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind, provenance, model) and e = interpretElement(package, type, subtypes, name, signature, ext) ) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll index 17cdcc1bf0b9..f8cec8c4d9f6 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll @@ -14,7 +14,7 @@ * - Barriers: * `namespace; type; subtypes; name; signature; ext; output; kind; provenance` * - BarrierGuards: - * `namespace; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` + * `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance` * - Neutrals: * `namespace; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). 
@@ -73,7 +73,7 @@ * - "Field[f]": Selects the contents of field `f`. * - "Property[p]": Selects the contents of property `p`. * - * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * 8. The `acceptingValue` column of barrier guard models specifies the condition * under which the guard blocks flow. It can be one of "true" or "false". In * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to @@ -237,11 +237,11 @@ module ModelValidation { result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model." ) or - exists(string acceptingvalue | - barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and - invalidAcceptingValue(acceptingvalue) and + exists(string acceptingValue | + barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and + invalidAcceptingValue(acceptingValue) and result = - "Unrecognized accepting value description \"" + acceptingvalue + + "Unrecognized accepting value description \"" + acceptingValue + "\" in barrier guard model." ) } @@ -489,13 +489,13 @@ private module Cached { private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) { exists( - SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind, + SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingValue, string kind, string model | - isBarrierGuardNode(n, acceptingvalue, kind, model) and + isBarrierGuardNode(n, acceptingValue, kind, model) and n.asNode().asExpr() = e and kmp = TMkPair(kind, model) and - gv = convertAcceptingValue(acceptingvalue) + gv = convertAcceptingValue(acceptingValue) | g.(Call).getAnArgument() = e or g.(QualifiableExpr).getQualifier() = e ) 
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll index 3461f0a51863..cd438ece284d 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll @@ -33,7 +33,7 @@ extensible predicate barrierModel( */ extensible predicate barrierGuardModel( string namespace, string type, boolean subtypes, string name, string signature, string ext, - string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId + string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId ); /** diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll index 6f9b621ff404..4b79ed5feca6 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll @@ -253,13 +253,13 @@ module SourceSinkInterpretationInput implements } predicate barrierGuardElement( - Element e, string input, Public::AcceptingValue acceptingvalue, string kind, + Element e, string input, Public::AcceptingValue acceptingValue, string kind, Public::Provenance provenance, string model ) { exists( string namespace, string type, boolean subtypes, string name, string signature, string ext | - barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingvalue, + barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, acceptingValue, kind, provenance, model) and e = interpretElement(namespace, type, subtypes, name, signature, ext, _) ) diff --git a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll index 0ad28bac5332..f0dc0cf0ca2b 100644 
--- a/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll +++ b/go/ql/lib/semmle/go/dataflow/ExternalFlow.qll @@ -14,7 +14,7 @@ * - Barriers: * `package; type; subtypes; name; signature; ext; output; kind; provenance` * - BarrierGuards: - * `package; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` + * `package; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance` * - Neutrals: * `package; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). @@ -82,7 +82,7 @@ * - "MapValue": Selects a value in a map. * - "Dereference": Selects the value referenced by a pointer. * - * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * 8. The `acceptingValue` column of barrier guard models specifies the condition * under which the guard blocks flow. It can be one of "true" or "false". In * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to @@ -266,11 +266,11 @@ module ModelValidation { result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model." ) or - exists(string acceptingvalue | - barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and - invalidAcceptingValue(acceptingvalue) and + exists(string acceptingValue | + barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and + invalidAcceptingValue(acceptingValue) and result = - "Unrecognized accepting value description \"" + acceptingvalue + + "Unrecognized accepting value description \"" + acceptingValue + "\" in barrier guard model." ) } 
@@ -478,13 +478,13 @@ private module Cached { private predicate barrierGuardChecks(DataFlow::Node g, Expr e, boolean gv, TKindModelPair kmp) { exists( - SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue, + SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue, string kind, string model | - isBarrierGuardNode(n, acceptingvalue, kind, model) and + isBarrierGuardNode(n, acceptingValue, kind, model) and n.asNode().asExpr() = e and kmp = TMkPair(kind, model) and - gv = convertAcceptingValue(acceptingvalue) + gv = convertAcceptingValue(acceptingValue) | g.asExpr().(CallExpr).getAnArgument() = e // TODO: qualifier? ) diff --git a/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll b/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll index 5d43cf674c1c..ab2a241e14a6 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/ExternalFlowExtensions.qll @@ -35,7 +35,7 @@ extensible predicate barrierModel( */ extensible predicate barrierGuardModel( string package, string type, boolean subtypes, string name, string signature, string ext, - string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId + string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId ); /** diff --git a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll index 240665bd492d..ff727286c3b4 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll 
@@ -174,13 +174,13 @@ module SourceSinkInterpretationInput implements } predicate barrierGuardElement( - Element e, string input, Public::AcceptingValue acceptingvalue, string kind, + Element e, string input, Public::AcceptingValue acceptingValue, string kind, Public::Provenance provenance, string model ) { exists( string package, string type, boolean subtypes, string name, string signature, string ext | - barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind, + barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind, provenance, model) and e = interpretElement(package, type, subtypes, name, signature, ext) ) diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll index 6ad4a5938a3b..a6a9347ca03a 100644 --- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll +++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll @@ -14,7 +14,7 @@ * - Barriers: * `package; type; subtypes; name; signature; ext; output; kind; provenance` * - BarrierGuards: - * `package; type; subtypes; name; signature; ext; input; acceptingvalue; kind; provenance` + * `package; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance` * - Neutrals: * `package; type; name; signature; kind; provenance` * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink). 
@@ -73,7 +73,7 @@ * in the given range. The range is inclusive at both ends. * - "ReturnValue": Selects the return value of a call to the selected element. * - "Element": Selects the collection elements of the selected element. - * 8. The `acceptingvalue` column of barrier guard models specifies the condition + * 8. The `acceptingValue` column of barrier guard models specifies the condition * under which the guard blocks flow. It can be one of "true" or "false". In * the future "no-exception", "not-zero", "null", "not-null" may be supported. * 9. The `kind` column is a tag that can be referenced from QL to determine to @@ -365,11 +365,11 @@ module ModelValidation { result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model." ) or - exists(string acceptingvalue | - barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and - invalidAcceptingValue(acceptingvalue) and + exists(string acceptingValue | + barrierGuardModel(_, _, _, _, _, _, _, acceptingValue, _, _, _) and + invalidAcceptingValue(acceptingValue) and result = - "Unrecognized accepting value description \"" + acceptingvalue + + "Unrecognized accepting value description \"" + acceptingValue + "\" in barrier guard model." ) } @@ -590,13 +590,13 @@ private module Cached { private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) { exists( - SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind, + SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingValue, string kind, string model | - isBarrierGuardNode(n, acceptingvalue, kind, model) and + isBarrierGuardNode(n, acceptingValue, kind, model) and n.asNode().asExpr() = e and kmp = TMkPair(kind, model) and - gv = convertAcceptingValue(acceptingvalue) + gv = convertAcceptingValue(acceptingValue) | g.(Call).getAnArgument() = e or g.(MethodCall).getQualifier() = e ) 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll index be474ad45352..3c6b003876de 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll @@ -35,7 +35,7 @@ extensible predicate barrierModel( */ extensible predicate barrierGuardModel( string package, string type, boolean subtypes, string name, string signature, string ext, - string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId + string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId ); /** diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll index 64fa30c7d914..453b7ccae11c 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll @@ -282,7 +282,7 @@ module SourceSinkInterpretationInput implements } predicate barrierGuardElement( - Element e, string input, Public::AcceptingValue acceptingvalue, string kind, + Element e, string input, Public::AcceptingValue acceptingValue, string kind, Public::Provenance provenance, string model ) { exists( @@ -290,7 +290,7 @@ module SourceSinkInterpretationInput implements SourceOrSinkElement baseBarrier, string originalInput | barrierGuardModel(namespace, type, subtypes, name, signature, ext, originalInput, - acceptingvalue, kind, provenance, model) and + acceptingValue, kind, provenance, model) and baseBarrier = interpretElement(namespace, type, subtypes, name, signature, ext, _) and ( e = baseBarrier and input = originalInput 
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index 27773758fc46..7c1fdd8cf781 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -1183,12 +1183,12 @@ private module Cached { exists( FlowSummaryImpl::Public::BarrierGuardElement b, FlowSummaryImpl::Private::SummaryComponentStack stack, - FlowSummaryImpl::Public::AcceptingValue acceptingvalue, string kind, string model + FlowSummaryImpl::Public::AcceptingValue acceptingValue, string kind, string model | - FlowSummaryImpl::Private::barrierGuardSpec(b, stack, acceptingvalue, kind, model) and + FlowSummaryImpl::Private::barrierGuardSpec(b, stack, acceptingValue, kind, model) and e = FlowSummaryImpl::StepsInput::getSinkNode(b, stack.headOfSingleton()).asExpr() and kmp = TMkPair(kind, model) and - gv = convertAcceptingValue(acceptingvalue) and + gv = convertAcceptingValue(acceptingValue) and g = b.getCall() ) } diff --git a/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll b/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll index 8b25c54bfa09..0c6e42d9066a 100644 --- a/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll @@ -2189,10 +2189,10 @@ module Make< not exists(interpretComponent(c)) } - /** Holds if `acceptingvalue` is not a valid barrier guard accepting-value. */ - bindingset[acceptingvalue] - predicate invalidAcceptingValue(string acceptingvalue) { - not acceptingvalue instanceof AcceptingValue + /** Holds if `acceptingValue` is not a valid barrier guard accepting-value. */ + bindingset[acceptingValue] + predicate invalidAcceptingValue(string acceptingValue) { + not acceptingValue instanceof AcceptingValue } /** Holds if `provenance` is not a valid provenance value. */ 
@@ -2242,10 +2242,10 @@ module Make< /** * Holds if an external barrier guard specification exists for `n` with input - * specification `input`, accepting value `acceptingvalue`, and kind `kind`. + * specification `input`, accepting value `acceptingValue`, and kind `kind`. */ predicate barrierGuardElement( - Element n, string input, AcceptingValue acceptingvalue, string kind, + Element n, string input, AcceptingValue acceptingValue, string kind, Provenance provenance, string model ); @@ -2371,11 +2371,11 @@ module Make< } private predicate barrierGuardElementRef( - InterpretNode ref, SourceSinkAccessPath input, AcceptingValue acceptingvalue, string kind, + InterpretNode ref, SourceSinkAccessPath input, AcceptingValue acceptingValue, string kind, string model ) { exists(SourceOrSinkElement e | - barrierGuardElement(e, input, acceptingvalue, kind, _, model) and + barrierGuardElement(e, input, acceptingValue, kind, _, model) and if inputNeedsReferenceExt(input.getToken(0)) then e = ref.getCallTarget() else e = ref.asElement() @@ -2518,10 +2518,10 @@ module Make< * given kind in a MaD flow model. */ predicate isBarrierGuardNode( - InterpretNode node, AcceptingValue acceptingvalue, string kind, string model + InterpretNode node, AcceptingValue acceptingValue, string kind, string model ) { exists(InterpretNode ref, SourceSinkAccessPath input | - barrierGuardElementRef(ref, input, acceptingvalue, kind, model) and + barrierGuardElementRef(ref, input, acceptingValue, kind, model) and interpretInput(input, input.getNumToken(), ref, node) ) } diff --git a/shared/mad/codeql/mad/static/ModelsAsData.qll b/shared/mad/codeql/mad/static/ModelsAsData.qll index 84daaa9b6c86..4b58a23186ac 100644 --- a/shared/mad/codeql/mad/static/ModelsAsData.qll +++ b/shared/mad/codeql/mad/static/ModelsAsData.qll 
@@ -31,7 +31,7 @@ signature module ExtensionsSig { */ predicate barrierGuardModel( string namespace, string type, boolean subtypes, string name, string signature, string ext, - string input, string acceptingvalue, string kind, string provenance, + string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId ); @@ -142,14 +142,14 @@ module ModelsAsData { or exists( string namespace, string type, boolean subtypes, string name, string signature, string ext, - string input, string acceptingvalue, string kind, string provenance + string input, string acceptingValue, string kind, string provenance | Extensions::barrierGuardModel(namespace, type, subtypes, name, signature, ext, input, - acceptingvalue, kind, provenance, madId) + acceptingValue, kind, provenance, madId) | model = "Barrier Guard: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + - signature + "; " + ext + "; " + input + "; " + acceptingvalue + "; " + kind + "; " + + signature + "; " + ext + "; " + input + "; " + acceptingValue + "; " + kind + "; " + provenance ) or @@ -241,12 +241,12 @@ module ModelsAsData { /** Holds if a barrier guard model exists for the given parameters. */ predicate barrierGuardModel( string namespace, string type, boolean subtypes, string name, string signature, string ext, - string input, string acceptingvalue, string kind, string provenance, string model + string input, string acceptingValue, string kind, string provenance, string model ) { exists(string namespaceOrGroup, QlBuiltins::ExtensionId madId | namespace = getNamespace(namespaceOrGroup) and Extensions::barrierGuardModel(namespaceOrGroup, type, subtypes, name, signature, ext, input, - acceptingvalue, kind, provenance, madId) and + acceptingValue, kind, provenance, madId) and model = "MaD:" + madId.toString() ) } 
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll b/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll index c1ddb7f781f5..3a096fe3d576 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll @@ -168,7 +168,7 @@ module SourceSinkInterpretationInput implements } predicate barrierGuardElement( - Element n, string input, Public::AcceptingValue acceptingvalue, string kind, + Element n, string input, Public::AcceptingValue acceptingValue, string kind, Public::Provenance provenance, string model ) { none() From 37aac059640e804b4b7550279d5f2bfa1812c211 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 27 Mar 2026 22:39:10 +0000 Subject: [PATCH 10/10] Replace `branch` with `acceptingValue` --- .../data/internal/ApiGraphModels.qll | 26 +++++++++---------- .../internal/ApiGraphModelsExtensions.qll | 6 ++--- .../data/internal/ApiGraphModels.qll | 26 +++++++++---------- .../internal/ApiGraphModelsExtensions.qll | 6 ++--- .../data/internal/ApiGraphModels.qll | 26 +++++++++---------- .../internal/ApiGraphModelsExtensions.qll | 6 ++--- .../rust/dataflow/internal/ModelsAsData.qll | 21 ++++++++------- .../dataflow/internal/FlowSummaryImpl.qll | 16 ++++++------ 8 files changed, 67 insertions(+), 66 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll index 34bf32675221..155fb4b7c786 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll @@ -13,7 +13,7 @@ * - Barriers: * `type, path, kind` * - BarrierGuards: - * `type, path, branch, kind` + * `type, path, acceptingValue, kind` * - Types: * `type1, type2, path` * 
@@ -46,7 +46,7 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 4. The `acceptingValue` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries @@ -360,11 +360,11 @@ private predicate barrierModel(string type, string path, string kind, string mod /** Holds if a barrier guard model exists for the given parameters. */ private predicate barrierGuardModel( - string type, string path, string branch, string kind, string model + string type, string path, string acceptingValue, string kind, string model ) { // No deprecation adapter for barrier models, they were not around back then. exists(QlBuiltins::ExtensionId madId | - Extensions::barrierGuardModel(type, path, branch, kind, madId) and + Extensions::barrierGuardModel(type, path, acceptingValue, kind, madId) and model = "MaD:" + madId.toString() ) } 
@@ -788,16 +788,16 @@ module ModelOutput { } /** - * Holds if a barrier model contributed `barrier` with the given `kind` for the given `branch`. + * Holds if a barrier model contributed `barrier` with the given `kind` for the given `acceptingValue`. */ cached - API::Node getABarrierGuardNode(string kind, boolean branch, string model) { - exists(string type, string path, string branch_str | - branch = true and branch_str = "true" + API::Node getABarrierGuardNode(string kind, boolean acceptingValue, string model) { + exists(string type, string path, string acceptingValue_str | + acceptingValue = true and acceptingValue_str = "true" or - branch = false and branch_str = "false" + acceptingValue = false and acceptingValue_str = "false" | - barrierGuardModel(type, path, branch_str, kind, model) and + barrierGuardModel(type, path, acceptingValue_str, kind, model) and result = getNodeFromPath(type, path) ) } @@ -861,12 +861,12 @@ module ModelOutput { API::Node getABarrierNode(string kind) { result = getABarrierNode(kind, _) } /** - * Holds if an external model contributed `barrier-guard` with the given `kind` and `branch`. + * Holds if an external model contributed `barrier-guard` with the given `kind` and `acceptingValue`. * * INTERNAL: Do not use. */ - API::Node getABarrierGuardNode(string kind, boolean branch) { - result = getABarrierGuardNode(kind, branch, _) + API::Node getABarrierGuardNode(string kind, boolean acceptingValue) { + result = getABarrierGuardNode(kind, acceptingValue, _) } /** diff --git a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll index 2a644aabb95d..8d8a4f5fd880 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll 
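Review bot: In the cached `getABarrierGuardNode(string kind, boolean acceptingValue, string model)` a model row whose `acceptingValue` column is anything other than "true" or "false" satisfies neither disjunct, so the row is dropped without a diagnostic. The C#, Go and Java libraries in this series report that case through `invalidAcceptingValue` in `ModelValidation` ("Unrecognized accepting value description ..."); nothing visible in this hunk does the same for the API-graph models, so a typo in a model file leaves the guard unmodelled with no warning. If no equivalent check exists elsewhere in the file, consider adding one. While renaming, `acceptingValue_str` mixes camelCase with an underscore suffix; `acceptingValueStr` would match the surrounding names. The same hunk is repeated in the Python and Ruby copies of ApiGraphModels.qll.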
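Review bot: The doc comments rewritten in the `@@ -861,12 +861,12 @@` hunk and in the `@@ -788,16 +788,16 @@` hunk above still open with "Holds if" although both `getABarrierGuardNode` overloads return an `API::Node`, and the cached one speaks of a barrier model contributing `barrier` when it is about barrier guards. Since these lines are being edited anyway, I would reword them along the lines of `Gets a node that an external model marks as a barrier guard of the given kind, where acceptingValue is the guard outcome that protects the node.` The "protects" wording follows the `barrierGuardModel` comment in ApiGraphModelsExtensions.qll from this same patch. The Python and Ruby copies of ApiGraphModels.qll carry identical comments.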
@@ -33,11 +33,11 @@ extensible predicate barrierModel( * of the given `kind` and `madId` is the data extension row number. * `path` is assumed to lead to a parameter of a call (possibly `self`), and * the call is guarding the parameter. - * `branch` is either `true` or `false`, indicating which branch of the guard - * is protecting the parameter. + * `acceptingValue` is either `true` or `false`, indicating which branch of + * the guard is protecting the parameter. */ extensible predicate barrierGuardModel( - string type, string path, string branch, string kind, QlBuiltins::ExtensionId madId + string type, string path, string acceptingValue, string kind, QlBuiltins::ExtensionId madId ); /** diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll index 34bf32675221..155fb4b7c786 100644 --- a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll +++ b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll @@ -13,7 +13,7 @@ * - Barriers: * `type, path, kind` * - BarrierGuards: - * `type, path, branch, kind` + * `type, path, acceptingValue, kind` * - Types: * `type1, type2, path` * @@ -46,7 +46,7 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 4. The `acceptingValue` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries 
@@ -360,11 +360,11 @@ private predicate barrierModel(string type, string path, string kind, string mod /** Holds if a barrier guard model exists for the given parameters. */ private predicate barrierGuardModel( - string type, string path, string branch, string kind, string model + string type, string path, string acceptingValue, string kind, string model ) { // No deprecation adapter for barrier models, they were not around back then. exists(QlBuiltins::ExtensionId madId | - Extensions::barrierGuardModel(type, path, branch, kind, madId) and + Extensions::barrierGuardModel(type, path, acceptingValue, kind, madId) and model = "MaD:" + madId.toString() ) } @@ -788,16 +788,16 @@ module ModelOutput { } /** - * Holds if a barrier model contributed `barrier` with the given `kind` for the given `branch`. + * Holds if a barrier model contributed `barrier` with the given `kind` for the given `acceptingValue`. */ cached - API::Node getABarrierGuardNode(string kind, boolean branch, string model) { - exists(string type, string path, string branch_str | - branch = true and branch_str = "true" + API::Node getABarrierGuardNode(string kind, boolean acceptingValue, string model) { + exists(string type, string path, string acceptingValue_str | + acceptingValue = true and acceptingValue_str = "true" or - branch = false and branch_str = "false" + acceptingValue = false and acceptingValue_str = "false" | - barrierGuardModel(type, path, branch_str, kind, model) and + barrierGuardModel(type, path, acceptingValue_str, kind, model) and result = getNodeFromPath(type, path) ) } 
@@ -861,12 +861,12 @@ module ModelOutput { API::Node getABarrierNode(string kind) { result = getABarrierNode(kind, _) } /** - * Holds if an external model contributed `barrier-guard` with the given `kind` and `branch`. + * Holds if an external model contributed `barrier-guard` with the given `kind` and `acceptingValue`. * * INTERNAL: Do not use. */ - API::Node getABarrierGuardNode(string kind, boolean branch) { - result = getABarrierGuardNode(kind, branch, _) + API::Node getABarrierGuardNode(string kind, boolean acceptingValue) { + result = getABarrierGuardNode(kind, acceptingValue, _) } /** diff --git a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll index 2a644aabb95d..8d8a4f5fd880 100644 --- a/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll +++ b/python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll @@ -33,11 +33,11 @@ extensible predicate barrierModel( * of the given `kind` and `madId` is the data extension row number. * `path` is assumed to lead to a parameter of a call (possibly `self`), and * the call is guarding the parameter. - * `branch` is either `true` or `false`, indicating which branch of the guard - * is protecting the parameter. + * `acceptingValue` is either `true` or `false`, indicating which branch of + * the guard is protecting the parameter. */ extensible predicate barrierGuardModel( - string type, string path, string branch, string kind, QlBuiltins::ExtensionId madId + string type, string path, string acceptingValue, string kind, QlBuiltins::ExtensionId madId ); /** diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll index 34bf32675221..155fb4b7c786 100644 --- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll 
+++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll @@ -13,7 +13,7 @@ * - Barriers: * `type, path, kind` * - BarrierGuards: - * `type, path, branch, kind` + * `type, path, acceptingValue, kind` * - Types: * `type1, type2, path` * @@ -46,7 +46,7 @@ * 3. The `input` and `output` columns specify how data enters and leaves the element selected by the * first `(type, path)` tuple. Both strings are `.`-separated access paths * of the same syntax as the `path` column. - * 4. The `branch` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". + * 4. The `acceptingValue` column of barrier guard models specifies which branch of the guard is blocking flow. It can be "true" or "false". * 5. The `kind` column is a tag that can be referenced from QL to determine to * which classes the interpreted elements should be added. For example, for * sources `"remote"` indicates a default remote flow source, and for summaries @@ -360,11 +360,11 @@ private predicate barrierModel(string type, string path, string kind, string mod /** Holds if a barrier guard model exists for the given parameters. */ private predicate barrierGuardModel( - string type, string path, string branch, string kind, string model + string type, string path, string acceptingValue, string kind, string model ) { // No deprecation adapter for barrier models, they were not around back then. exists(QlBuiltins::ExtensionId madId | - Extensions::barrierGuardModel(type, path, branch, kind, madId) and + Extensions::barrierGuardModel(type, path, acceptingValue, kind, madId) and model = "MaD:" + madId.toString() ) } 
@@ -788,16 +788,16 @@ module ModelOutput {
 }
 /**
- * Holds if a barrier model contributed `barrier` with the given `kind` for the given `branch`.
+ * Holds if a barrier model contributed `barrier` with the given `kind` for the given `acceptingValue`.
 */
 cached
- API::Node getABarrierGuardNode(string kind, boolean branch, string model) {
- exists(string type, string path, string branch_str |
- branch = true and branch_str = "true"
+ API::Node getABarrierGuardNode(string kind, boolean acceptingValue, string model) {
+ exists(string type, string path, string acceptingValue_str |
+ acceptingValue = true and acceptingValue_str = "true"
 or
- branch = false and branch_str = "false"
+ acceptingValue = false and acceptingValue_str = "false"
 |
- barrierGuardModel(type, path, branch_str, kind, model) and
+ barrierGuardModel(type, path, acceptingValue_str, kind, model) and
 result = getNodeFromPath(type, path)
 )
 }
@@ -861,12 +861,12 @@ module ModelOutput {
 API::Node getABarrierNode(string kind) { result = getABarrierNode(kind, _) }
 /**
- * Holds if an external model contributed `barrier-guard` with the given `kind` and `branch`.
+ * Holds if an external model contributed `barrier-guard` with the given `kind` and `acceptingValue`.
 *
 * INTERNAL: Do not use.
 */
- API::Node getABarrierGuardNode(string kind, boolean branch) {
- result = getABarrierGuardNode(kind, branch, _)
+ API::Node getABarrierGuardNode(string kind, boolean acceptingValue) {
+ result = getABarrierGuardNode(kind, acceptingValue, _)
 }
 /**
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll
index 2a644aabb95d..8d8a4f5fd880 100644
--- a/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll
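Review bot: The string-to-boolean mapping in the three-argument `getABarrierGuardNode` (hunk `@@ -788,16 +788,16 @@`) matches only the exact strings "true" and "false", so a model row whose `acceptingValue` column holds anything else satisfies neither disjunct and the guard silently contributes no node. Whether such rows are reported elsewhere is not visible in this hunk; if they are not, a model-validation warning for unsupported `acceptingValue` strings would make a mistyped guard visible instead of quietly changing which paths the analysis reports. The doc comment also still says a "barrier model contributed `barrier`" for what is a barrier guard predicate; `` * Holds if a barrier guard model contributed `barrier-guard` with the given `kind` for the given `acceptingValue`. `` would match the wording of the two-argument overload in the next hunk. The enclosing `module ModelOutput` starts and ends outside the hunk.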
@@ -33,11 +33,11 @@ extensible predicate barrierModel(
 * of the given `kind` and `madId` is the data extension row number.
 * `path` is assumed to lead to a parameter of a call (possibly `self`), and
 * the call is guarding the parameter.
- * `branch` is either `true` or `false`, indicating which branch of the guard
- * is protecting the parameter.
+ * `acceptingValue` is either `true` or `false`, indicating which branch of
+ * the guard is protecting the parameter.
 */
 extensible predicate barrierGuardModel(
- string type, string path, string branch, string kind, QlBuiltins::ExtensionId madId
+ string type, string path, string acceptingValue, string kind, QlBuiltins::ExtensionId madId
 );
 /**
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
index cc7dd9963ea0..2b3ecf51fe40 100644
--- a/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
+++ b/rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll
@@ -12,7 +12,7 @@
 * - Barriers:
 * `path; output; kind; provenance`
 * - BarrierGuards:
- * `path; input; branch; kind; provenance`
+ * `path; input; acceptingValue; kind; provenance`
 * - Neutrals:
 * `path; kind; provenance`
 * A neutral is used to indicate that a callable is neutral with respect to flow (no summary), source (is not a source) or sink (is not a sink).
@@ -41,7 +41,7 @@
 * - `Field[i]`: the `i`th element of a tuple.
 * - `Reference`: the referenced value.
 * - `Future`: the value being computed asynchronously.
- * 3. The `branch` column of barrier guard models specifies which branch of the
+ * 3. The `acceptingValue` column of barrier guard models specifies which branch of the
 * guard is blocking flow. It can be "true" or "false". In the future
 * "no-exception", "not-zero", "null", "not-null" may be supported.
 * 4. The `kind` column is a tag that can be referenced from QL to determine to
@@ -124,11 +124,12 @@ extensible predicate barrierModel(
 * extension row number.
 *
 * The value referred to by `input` is assumed to lead to an argument of a call
- * (possibly `self`), and the call is guarding the argument. `branch` is either `true`
- * or `false`, indicating which branch of the guard is protecting the argument.
+ * (possibly `self`), and the call is guarding the argument.
+ * `acceptingValue` is either `true` or `false`, indicating which branch of
+ * the guard is protecting the parameter.
 */
 extensible predicate barrierGuardModel(
- string path, string input, string branch, string kind, string provenance,
+ string path, string input, string acceptingValue, string kind, string provenance,
 QlBuiltins::ExtensionId madId
 );
@@ -163,9 +164,9 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
 model = "Barrier: " + path + "; " + output + "; " + kind
 )
 or
- exists(string path, string input, string branch, string kind |
- barrierGuardModel(path, input, branch, kind, _, madId) and
- model = "Barrier guard: " + path + "; " + input + "; " + branch + "; " + kind
+ exists(string path, string input, string acceptingValue, string kind |
+ barrierGuardModel(path, input, acceptingValue, kind, _, madId) and
+ model = "Barrier guard: " + path + "; " + input + "; " + acceptingValue + "; " + kind
 )
 }
@@ -275,10 +276,10 @@ private class FlowBarrierGuardFromModel extends FlowBarrierGuard::Range {
 }
 override predicate isBarrierGuard(
- string input, string branch, string kind, Provenance provenance, string model
+ string input, string acceptingValue, string kind, Provenance provenance, string model
 ) {
 exists(QlBuiltins::ExtensionId madId |
- barrierGuardModel(path, input, branch, kind, provenance, madId) and
+ barrierGuardModel(path, input, acceptingValue, kind, provenance, madId) and
 model = "MaD:" + madId.toString()
 )
 }
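Review bot: The rewritten doc comment in the `@@ -124,11 +124,12 @@` hunk now ends with "the guard is protecting the parameter", while the sentence just before it and the removed text both speak of an argument of a call. The predicate documents `input` as leading to an argument, so the last added line should read `* the guard is protecting the argument.` to keep the comment self-consistent. The new sentence looks copied from the Python/Ruby `ApiGraphModelsExtensions.qll` comment, where "parameter" does match the surrounding text.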
diff --git a/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll b/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll
index 0c6e42d9066a..ce980724778b 100644
--- a/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll
@@ -388,11 +388,11 @@ module Make<
 /**
 * Holds if this element is a flow barrier guard of kind `kind`, for data
- * flowing in as described by `input`, when `this` evaluates to `branch`.
+ * flowing in as described by `input`, when `this` evaluates to `acceptingValue`.
 */
 pragma[nomagic]
 abstract predicate isBarrierGuard(
- string input, string branch, string kind, Provenance provenance, string model
+ string input, string acceptingValue, string kind, Provenance provenance, string model
 );
 }
@@ -764,10 +764,10 @@ module Make<
 }
 private predicate isRelevantBarrierGuard(
- BarrierGuardElement e, string input, string branch, string kind, Provenance provenance,
- string model
+ BarrierGuardElement e, string input, string acceptingValue, string kind,
+ Provenance provenance, string model
 ) {
- e.isBarrierGuard(input, branch, kind, provenance, model) and
+ e.isBarrierGuard(input, acceptingValue, kind, provenance, model) and
 (
 provenance.isManual()
 or
@@ -1588,11 +1588,11 @@ module Make<
 * Holds if `barrierGuard` is a relevant barrier guard element with input specification `inSpec`.
 */
 predicate barrierGuardSpec(
- BarrierGuardElement barrierGuard, SummaryComponentStack inSpec, string branch, string kind,
- string model
+ BarrierGuardElement barrierGuard, SummaryComponentStack inSpec, string acceptingValue,
+ string kind, string model
 ) {
 exists(string input |
- isRelevantBarrierGuard(barrierGuard, input, branch, kind, _, model) and
+ isRelevantBarrierGuard(barrierGuard, input, acceptingValue, kind, _, model) and
 External::interpretSpec(input, inSpec)
 )
 }