From 4ed4f6878f4f726bada29c634aa4f054716333b1 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 14 Jan 2025 16:40:20 +0000 Subject: [PATCH 01/12] Rust: Add summary query rust/summary/cryptographic-ops. --- .../summary/CryptographicOperations.ql | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 rust/ql/src/queries/summary/CryptographicOperations.ql diff --git a/rust/ql/src/queries/summary/CryptographicOperations.ql b/rust/ql/src/queries/summary/CryptographicOperations.ql new file mode 100644 index 000000000000..3b8b3342c2c7 --- /dev/null +++ b/rust/ql/src/queries/summary/CryptographicOperations.ql @@ -0,0 +1,59 @@ +/** + * @name Cryptographic Operations + * @description List all cryptographic operations found in the database. + * @kind problem + * @problem.severity info + * @id rust/summary/cryptographic-operations + * @tags summary + */ + +import rust +import codeql.rust.Concepts +import codeql.rust.security.WeakSensitiveDataHashingExtensions + +/** + * Gets the type of cryptographic algorithm `alg`. + */ +string getAlgorithmType(Cryptography::CryptographicAlgorithm alg) { + alg instanceof Cryptography::EncryptionAlgorithm and result = "EncryptionAlgorithm" + or + alg instanceof Cryptography::HashingAlgorithm and result = "HashingAlgorithm" + or + alg instanceof Cryptography::PasswordHashingAlgorithm and result = "PasswordHashingAlgorithm" +} + +/** + * Gets a feature of cryptographic algorithm `alg`. + */ +string getAlgorithmFeature(Cryptography::CryptographicAlgorithm alg) { + alg.isWeak() and result = "WEAK" +} + +/** + * Gets a description of cryptographic algorithm `alg`. + */ +string describeAlgorithm(Cryptography::CryptographicAlgorithm alg) { + result = + getAlgorithmType(alg) + " " + alg.getName() + " " + concat(getAlgorithmFeature(alg), ", ") +} + +/** + * Gets a feature of cryptographic operation `operation`. + */ +string getOperationFeature(Cryptography::CryptographicOperation op) { + result = "inputs:" + strictcount(op.getAnInput()).toString() or + result = "blockmodes:" + strictcount(op.getBlockMode()).toString() +} + +/** + * Gets a description of cryptographic operation `operation`. + */ +string describeOperation(Cryptography::CryptographicOperation op) { + result = describeAlgorithm(op.getAlgorithm()) + " " + concat(getOperationFeature(op), ", ") + or + not exists(op.getAlgorithm()) and + result = "(unknown) " + concat(getOperationFeature(op), ", ") +} + +from Cryptography::CryptographicOperation operation +select operation, describeOperation(operation) From 75f0a7f529d33e9d00ad0182aedc2ddcf7fa2d30 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 14 Jan 2025 16:40:36 +0000 Subject: [PATCH 02/12] Rust: Add summary query rust/summary/query-sinks. --- rust/ql/src/queries/summary/QuerySinks.ql | 25 +++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rust/ql/src/queries/summary/QuerySinks.ql diff --git a/rust/ql/src/queries/summary/QuerySinks.ql b/rust/ql/src/queries/summary/QuerySinks.ql new file mode 100644 index 000000000000..befc200f186c --- /dev/null +++ b/rust/ql/src/queries/summary/QuerySinks.ql @@ -0,0 +1,25 @@ +/** + * @name Query Sinks + * @description Lists query sinks that are found in the database. Query sinks are flow sinks that + * are used as possible locations for query results. Cryptographic operations are + * excluded (see `rust/summary/cryptographic-operations` instead). + * @kind problem + * @problem.severity info + * @id rust/summary/query-sinks + * @tags summary + */ + +import rust +import codeql.rust.dataflow.DataFlow +import codeql.rust.security.SqlInjectionExtensions +import Stats + +/** + * Gets a kind of query for which `n` is a sink (if any). + */ +string getAQuerySinkKind(DataFlow::Node n) { + (n instanceof SqlInjection::Sink and result = "SqlInjection") +} + +from DataFlow::Node n +select n, "sink for " + strictconcat(getAQuerySinkKind(n), ", ") From c6a7be671b6cacd9e13334cc2db035ad7d661b8f Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 14 Jan 2025 17:28:23 +0000 Subject: [PATCH 03/12] Rust: Add both totals to rust/summary/summary-statistics. --- rust/ql/src/queries/summary/QuerySinks.ql | 8 -------- rust/ql/src/queries/summary/Stats.qll | 14 ++++++++++++++ rust/ql/src/queries/summary/SummaryStats.ql | 6 ++++++ .../query-tests/diagnostics/SummaryStats.expected | 2 ++ 4 files changed, 22 insertions(+), 8 deletions(-) diff --git a/rust/ql/src/queries/summary/QuerySinks.ql b/rust/ql/src/queries/summary/QuerySinks.ql index befc200f186c..33234fe5f9f7 100644 --- a/rust/ql/src/queries/summary/QuerySinks.ql +++ b/rust/ql/src/queries/summary/QuerySinks.ql @@ -11,15 +11,7 @@ import rust import codeql.rust.dataflow.DataFlow -import codeql.rust.security.SqlInjectionExtensions import Stats -/** - * Gets a kind of query for which `n` is a sink (if any). - */ -string getAQuerySinkKind(DataFlow::Node n) { - (n instanceof SqlInjection::Sink and result = "SqlInjection") -} - from DataFlow::Node n select n, "sink for " + strictconcat(getAQuerySinkKind(n), ", ") diff --git a/rust/ql/src/queries/summary/Stats.qll b/rust/ql/src/queries/summary/Stats.qll index c2993b47899f..42001080ad86 100644 --- a/rust/ql/src/queries/summary/Stats.qll +++ b/rust/ql/src/queries/summary/Stats.qll @@ -3,11 +3,13 @@ */ import rust +private import codeql.rust.dataflow.DataFlow private import codeql.rust.dataflow.internal.DataFlowImpl private import codeql.rust.dataflow.internal.TaintTrackingImpl private import codeql.rust.AstConsistency as AstConsistency private import codeql.rust.controlflow.internal.CfgConsistency as CfgConsistency private import codeql.rust.dataflow.internal.DataFlowConsistency as DataFlowConsistency +private import codeql.rust.security.SqlInjectionExtensions /** * Gets a count of the total number of lines of code in the database. @@ -41,3 +43,15 @@ int getTotalCfgInconsistencies() { int getTotalDataFlowInconsistencies() { result = sum(string type | | DataFlowConsistency::getInconsistencyCounts(type)) } + +/** + * Gets a kind of query for which `n` is a sink (if any). + */ +string getAQuerySinkKind(DataFlow::Node n) { + (n instanceof SqlInjection::Sink and result = "SqlInjection") +} + +/** + * Gets a count of the total number of query sinks in the database. + */ +int getQuerySinksCount() { result = count(DataFlow::Node n | exists(getAQuerySinkKind(n)) | n) } diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql index 005233f87cf3..ee4818a9ff33 100644 --- a/rust/ql/src/queries/summary/SummaryStats.ql +++ b/rust/ql/src/queries/summary/SummaryStats.ql @@ -9,6 +9,7 @@ import rust import codeql.rust.Concepts import codeql.rust.security.SensitiveData +import codeql.rust.security.WeakSensitiveDataHashingExtensions import codeql.rust.Diagnostics import Stats @@ -59,4 +60,9 @@ where key = "Taint sources - active" and value = count(ActiveThreatModelSource s) or key = "Sensitive data" and value = count(SensitiveData d) + or + key = "Taint sinks - query sinks" and value = getQuerySinksCount() + or + key = "Taint sinks - cryptographic operations" and + value = count(Cryptography::CryptographicOperation o) select key, value order by key diff --git a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected index c8c0fe398aaf..48915680692a 100644 --- a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected +++ b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected @@ -15,5 +15,7 @@ | Macro calls - total | 9 | | Macro calls - unresolved | 1 | | Sensitive data | 0 | +| Taint sinks - cryptographic operations | 0 | +| Taint sinks - query sinks | 0 | | Taint sources - active | 0 | | Taint sources - total | 0 | From 7904ed965b1b6c96968bfbe3515369aa90ffdab3 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 15 Jan 2025 08:55:56 +0000 Subject: [PATCH 04/12] Rust: Add query sink counts query for getting a breakdown. --- rust/ql/src/queries/summary/QuerySinkCounts.ql | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 rust/ql/src/queries/summary/QuerySinkCounts.ql diff --git a/rust/ql/src/queries/summary/QuerySinkCounts.ql b/rust/ql/src/queries/summary/QuerySinkCounts.ql new file mode 100644 index 000000000000..6525c3263a11 --- /dev/null +++ b/rust/ql/src/queries/summary/QuerySinkCounts.ql @@ -0,0 +1,17 @@ +/** + * @name Query Sink Counts + * @description Lists the number of query sinks of each type found in the database. Query sinks are + * flow sinks that are used as possible locations for query results. Cryptographic + * operations are excluded. + * @kind metric + * @id rust/summary/query-sink-counts + * @tags summary + */ + +import rust +import codeql.rust.dataflow.DataFlow +import Stats + +from string kind, int num +where num = strictcount(DataFlow::Node n | getAQuerySinkKind(n) = kind) +select kind, num From 72c62ac192d9e1a9576fc9b088665a72fdd764cc Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Tue, 14 Jan 2025 17:57:16 +0000 Subject: [PATCH 05/12] Rust: Add taint reach to rust/summary/summary-statistics. --- rust/ql/src/queries/summary/SummaryStats.ql | 5 +++ rust/ql/src/queries/summary/TaintReach.qll | 31 +++++++++++++++++++ .../diagnostics/SummaryStats.expected | 2 ++ 3 files changed, 38 insertions(+) create mode 100644 rust/ql/src/queries/summary/TaintReach.qll diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql index ee4818a9ff33..9f7106bf1352 100644 --- a/rust/ql/src/queries/summary/SummaryStats.ql +++ b/rust/ql/src/queries/summary/SummaryStats.ql @@ -12,6 +12,7 @@ import codeql.rust.security.SensitiveData import codeql.rust.security.WeakSensitiveDataHashingExtensions import codeql.rust.Diagnostics import Stats +import TaintReach from string key, int value where @@ -59,6 +60,10 @@ where or key = "Taint sources - active" and value = count(ActiveThreatModelSource s) or + key = "Taint reach - nodes tainted" and value = getTaintedNodesCount() + or + key = "Taint reach - per million nodes" and value = getTaintReach().floor() + or key = "Sensitive data" and value = count(SensitiveData d) or key = "Taint sinks - query sinks" and value = getQuerySinksCount() diff --git a/rust/ql/src/queries/summary/TaintReach.qll b/rust/ql/src/queries/summary/TaintReach.qll new file mode 100644 index 000000000000..281cbe6461e9 --- /dev/null +++ b/rust/ql/src/queries/summary/TaintReach.qll @@ -0,0 +1,31 @@ +/** + * Taint reach computation. Taint reach is the proportion of all dataflow nodes that can be reached + * via taint flow from any active thread model source. It's usually expressed per million nodes. + */ + +import rust +private import codeql.rust.Concepts +private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.TaintTracking + +/** + * A taint configuration for taint reach (flow to any node from any modelled source). + */ +private module TaintReachConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource } + + predicate isSink(DataFlow::Node node) { any() } +} + +private module TaintReachFlow = TaintTracking::Global; + +/** + * Gets the total number of dataflow nodes that taint reaches (from any source). + */ +int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) } + +/** + * Gets the proportion of dataflow nodes that taint reaches (from any source), + * expressed as a count per million nodes. + */ +float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) } diff --git a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected index 48915680692a..b026674dd5ce 100644 --- a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected +++ b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected @@ -15,6 +15,8 @@ | Macro calls - total | 9 | | Macro calls - unresolved | 1 | | Sensitive data | 0 | +| Taint reach - nodes tainted | 0 | +| Taint reach - per million nodes | 0 | | Taint sinks - cryptographic operations | 0 | | Taint sinks - query sinks | 0 | | Taint sources - active | 0 | From 5a037bcbc45fb082fb3391d36149fcf2c2012722 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 15 Jan 2025 12:43:38 +0000 Subject: [PATCH 06/12] Rust: Count taint edges as well. --- rust/ql/src/queries/summary/Stats.qll | 10 ++++++++++ rust/ql/src/queries/summary/SummaryStats.ql | 2 ++ .../test/query-tests/diagnostics/SummaryStats.expected | 1 + 3 files changed, 13 insertions(+) diff --git a/rust/ql/src/queries/summary/Stats.qll b/rust/ql/src/queries/summary/Stats.qll index 42001080ad86..05057fe8209b 100644 --- a/rust/ql/src/queries/summary/Stats.qll +++ b/rust/ql/src/queries/summary/Stats.qll @@ -44,6 +44,16 @@ int getTotalDataFlowInconsistencies() { result = sum(string type | | DataFlowConsistency::getInconsistencyCounts(type)) } +/** + * Gets the total number of taint edges in the database. + */ +int getTaintEdgesCount() { + result = + count(DataFlow::Node a, DataFlow::Node b | + RustTaintTracking::defaultAdditionalTaintStep(a, b, _) + ) +} + /** * Gets a kind of query for which `n` is a sink (if any). */ diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql index 9f7106bf1352..01440f5ee1f1 100644 --- a/rust/ql/src/queries/summary/SummaryStats.ql +++ b/rust/ql/src/queries/summary/SummaryStats.ql @@ -60,6 +60,8 @@ where or key = "Taint sources - active" and value = count(ActiveThreatModelSource s) or + key = "Taint edges - number of edges" and value = getTaintEdgesCount() + or key = "Taint reach - nodes tainted" and value = getTaintedNodesCount() or key = "Taint reach - per million nodes" and value = getTaintReach().floor() diff --git a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected index b026674dd5ce..6d1c9a51ad28 100644 --- a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected +++ b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected @@ -15,6 +15,7 @@ | Macro calls - total | 9 | | Macro calls - unresolved | 1 | | Sensitive data | 0 | +| Taint edges - number of edges | 2 | | Taint reach - nodes tainted | 0 | | Taint reach - per million nodes | 0 | | Taint sinks - cryptographic operations | 0 | From 65b33f3f96db440bb43b28d3507429d443d4a77e Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 15 Jan 2025 16:14:03 +0000 Subject: [PATCH 07/12] Rust: Improve rust/summary/summary-statistics organization. --- rust/ql/src/queries/summary/SummaryStats.ql | 8 ++++---- .../ql/test/query-tests/diagnostics/SummaryStats.expected | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql index 01440f5ee1f1..46cf678b69fd 100644 --- a/rust/ql/src/queries/summary/SummaryStats.ql +++ b/rust/ql/src/queries/summary/SummaryStats.ql @@ -56,18 +56,18 @@ where or key = "Macro calls - unresolved" and value = count(MacroCall mc | not mc.hasExpanded()) or - key = "Taint sources - total" and value = count(ThreatModelSource s) - or key = "Taint sources - active" and value = count(ActiveThreatModelSource s) or + key = "Taint sources - disabled" and value = count(ThreatModelSource s | not s instanceof ActiveThreatModelSource) + or + key = "Taint sources - sensitive data" and value = count(SensitiveData d) + or key = "Taint edges - number of edges" and value = getTaintEdgesCount() or key = "Taint reach - nodes tainted" and value = getTaintedNodesCount() or key = "Taint reach - per million nodes" and value = getTaintReach().floor() or - key = "Sensitive data" and value = count(SensitiveData d) - or key = "Taint sinks - query sinks" and value = getQuerySinksCount() or key = "Taint sinks - cryptographic operations" and diff --git a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected index 6d1c9a51ad28..917bf92efbe8 100644 --- a/rust/ql/test/query-tests/diagnostics/SummaryStats.expected +++ b/rust/ql/test/query-tests/diagnostics/SummaryStats.expected @@ -14,11 +14,11 @@ | Macro calls - resolved | 8 | | Macro calls - total | 9 | | Macro calls - unresolved | 1 | -| Sensitive data | 0 | | Taint edges - number of edges | 2 | | Taint reach - nodes tainted | 0 | | Taint reach - per million nodes | 0 | | Taint sinks - cryptographic operations | 0 | | Taint sinks - query sinks | 0 | | Taint sources - active | 0 | -| Taint sources - total | 0 | +| Taint sources - disabled | 0 | +| Taint sources - sensitive data | 0 | From 787a6d11a3d530af1cbf4b503ccb5db08e58458e Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 15 Jan 2025 17:25:44 +0000 Subject: [PATCH 08/12] Rust: Autoformat. --- rust/ql/src/queries/summary/SummaryStats.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql index 46cf678b69fd..4e14045428f2 100644 --- a/rust/ql/src/queries/summary/SummaryStats.ql +++ b/rust/ql/src/queries/summary/SummaryStats.ql @@ -58,7 +58,8 @@ where or key = "Taint sources - active" and value = count(ActiveThreatModelSource s) or - key = "Taint sources - disabled" and value = count(ThreatModelSource s | not s instanceof ActiveThreatModelSource) + key = "Taint sources - disabled" and + value = count(ThreatModelSource s | not s instanceof ActiveThreatModelSource) or key = "Taint sources - sensitive data" and value = count(SensitiveData d) or From 98e0b642663109ec1015f511d5bf2a7def7428ed Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 15 Jan 2025 17:51:49 +0000 Subject: [PATCH 09/12] Rust: Make QL-for-QL happy. --- rust/ql/src/queries/summary/CryptographicOperations.ql | 4 ++-- rust/ql/src/queries/summary/QuerySinks.ql | 2 +- rust/ql/src/queries/summary/TaintReach.qll | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rust/ql/src/queries/summary/CryptographicOperations.ql b/rust/ql/src/queries/summary/CryptographicOperations.ql index 3b8b3342c2c7..3b4c03c40fd2 100644 --- a/rust/ql/src/queries/summary/CryptographicOperations.ql +++ b/rust/ql/src/queries/summary/CryptographicOperations.ql @@ -38,7 +38,7 @@ string describeAlgorithm(Cryptography::CryptographicAlgorithm alg) { } /** - * Gets a feature of cryptographic operation `operation`. + * Gets a feature of cryptographic operation `op`. */ string getOperationFeature(Cryptography::CryptographicOperation op) { result = "inputs:" + strictcount(op.getAnInput()).toString() or @@ -46,7 +46,7 @@ string getOperationFeature(Cryptography::CryptographicOperation op) { } /** - * Gets a description of cryptographic operation `operation`. + * Gets a description of cryptographic operation `op`. */ string describeOperation(Cryptography::CryptographicOperation op) { result = describeAlgorithm(op.getAlgorithm()) + " " + concat(getOperationFeature(op), ", ") diff --git a/rust/ql/src/queries/summary/QuerySinks.ql b/rust/ql/src/queries/summary/QuerySinks.ql index 33234fe5f9f7..bc89f801f715 100644 --- a/rust/ql/src/queries/summary/QuerySinks.ql +++ b/rust/ql/src/queries/summary/QuerySinks.ql @@ -14,4 +14,4 @@ import codeql.rust.dataflow.DataFlow import Stats from DataFlow::Node n -select n, "sink for " + strictconcat(getAQuerySinkKind(n), ", ") +select n, "Sink for " + strictconcat(getAQuerySinkKind(n), ", ") diff --git a/rust/ql/src/queries/summary/TaintReach.qll b/rust/ql/src/queries/summary/TaintReach.qll index 281cbe6461e9..f2463b204f4a 100644 --- a/rust/ql/src/queries/summary/TaintReach.qll +++ b/rust/ql/src/queries/summary/TaintReach.qll @@ -9,7 +9,7 @@ private import codeql.rust.dataflow.DataFlow private import codeql.rust.dataflow.TaintTracking /** - * A taint configuration for taint reach (flow to any node from any modelled source). + * A taint configuration for taint reach (flow to any node from any modeled source). */ private module TaintReachConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { node instanceof ActiveThreatModelSource } From bec01daa452ebbb953d49d0d4fec6857b13b91be Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Wed, 15 Jan 2025 17:55:08 +0000 Subject: [PATCH 10/12] Rust: Update integration tests. --- rust/ql/integration-tests/hello-project/summary.expected | 9 +++++++-- .../hello-workspace/summary.cargo.expected | 9 +++++++-- .../hello-workspace/summary.rust-project.expected | 9 +++++++-- 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/rust/ql/integration-tests/hello-project/summary.expected b/rust/ql/integration-tests/hello-project/summary.expected index 07c48c7a5b75..533262ac6862 100644 --- a/rust/ql/integration-tests/hello-project/summary.expected +++ b/rust/ql/integration-tests/hello-project/summary.expected @@ -14,6 +14,11 @@ | Macro calls - resolved | 2 | | Macro calls - total | 2 | | Macro calls - unresolved | 0 | -| Sensitive data | 0 | +| Taint edges - number of edges | 2 | +| Taint reach - nodes tainted | 0 | +| Taint reach - per million nodes | 0 | +| Taint sinks - cryptographic operations | 0 | +| Taint sinks - query sinks | 0 | | Taint sources - active | 0 | -| Taint sources - total | 0 | +| Taint sources - disabled | 0 | +| Taint sources - sensitive data | 0 | diff --git a/rust/ql/integration-tests/hello-workspace/summary.cargo.expected b/rust/ql/integration-tests/hello-workspace/summary.cargo.expected index eb8f861f9358..e0d5ce240a39 100644 --- a/rust/ql/integration-tests/hello-workspace/summary.cargo.expected +++ b/rust/ql/integration-tests/hello-workspace/summary.cargo.expected @@ -14,6 +14,11 @@ | Macro calls - resolved | 2 | | Macro calls - total | 2 | | Macro calls - unresolved | 0 | -| Sensitive data | 0 | +| Taint edges - number of edges | 2 | +| Taint reach - nodes tainted | 0 | +| Taint reach - per million nodes | 0 | +| Taint sinks - cryptographic operations | 0 | +| Taint sinks - query sinks | 0 | | Taint sources - active | 0 | -| Taint sources - total | 0 | +| Taint sources - disabled | 0 | +| Taint sources - sensitive data | 0 | diff --git a/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected b/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected index 5c57c488fda0..a8c511ebf70d 100644 --- a/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected +++ b/rust/ql/integration-tests/hello-workspace/summary.rust-project.expected @@ -14,6 +14,11 @@ | Macro calls - resolved | 2 | | Macro calls - total | 2 | | Macro calls - unresolved | 0 | -| Sensitive data | 0 | +| Taint edges - number of edges | 2 | +| Taint reach - nodes tainted | 0 | +| Taint reach - per million nodes | 0 | +| Taint sinks - cryptographic operations | 0 | +| Taint sinks - query sinks | 0 | | Taint sources - active | 0 | -| Taint sources - total | 0 | +| Taint sources - disabled | 0 | +| Taint sources - sensitive data | 0 | From 5f9e1c37885bed399a19cf98d89d4a29f6b02427 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 16 Jan 2025 16:14:33 +0000 Subject: [PATCH 11/12] Apply suggestions from code review Co-authored-by: Simon Friis Vindum --- rust/ql/src/queries/summary/Stats.qll | 2 +- rust/ql/src/queries/summary/TaintReach.qll | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rust/ql/src/queries/summary/Stats.qll b/rust/ql/src/queries/summary/Stats.qll index 05057fe8209b..8bdb25381bc6 100644 --- a/rust/ql/src/queries/summary/Stats.qll +++ b/rust/ql/src/queries/summary/Stats.qll @@ -64,4 +64,4 @@ string getAQuerySinkKind(DataFlow::Node n) { /** * Gets a count of the total number of query sinks in the database. */ -int getQuerySinksCount() { result = count(DataFlow::Node n | exists(getAQuerySinkKind(n)) | n) } +int getQuerySinksCount() { result = count(DataFlow::Node n | exists(getAQuerySinkKind(n))) } diff --git a/rust/ql/src/queries/summary/TaintReach.qll b/rust/ql/src/queries/summary/TaintReach.qll index f2463b204f4a..0f00fe6f7c6e 100644 --- a/rust/ql/src/queries/summary/TaintReach.qll +++ b/rust/ql/src/queries/summary/TaintReach.qll @@ -20,12 +20,12 @@ private module TaintReachConfig implements DataFlow::ConfigSig { private module TaintReachFlow = TaintTracking::Global; /** - * Gets the total number of dataflow nodes that taint reaches (from any source). + * Gets the total number of data flow nodes that taint reaches (from any source). */ int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) } /** - * Gets the proportion of dataflow nodes that taint reaches (from any source), + * Gets the proportion of data flow nodes that taint reaches (from any source), * expressed as a count per million nodes. */ float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) } From e5faf92babaa163f79d348300c3c4a3210859c16 Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 16 Jan 2025 16:16:02 +0000 Subject: [PATCH 12/12] Rust: Make QL-for-QL happy (part 2). --- rust/ql/src/queries/summary/QuerySinks.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rust/ql/src/queries/summary/QuerySinks.ql b/rust/ql/src/queries/summary/QuerySinks.ql index bc89f801f715..09cd7fcb2991 100644 --- a/rust/ql/src/queries/summary/QuerySinks.ql +++ b/rust/ql/src/queries/summary/QuerySinks.ql @@ -14,4 +14,4 @@ import codeql.rust.dataflow.DataFlow import Stats from DataFlow::Node n -select n, "Sink for " + strictconcat(getAQuerySinkKind(n), ", ") +select n, "Sink for " + strictconcat(getAQuerySinkKind(n), ", ") + "."