Docs: Update data flow documentation to the new API. #13743
Conversation
| class TaintedFormatConfig extends TaintTracking::Configuration { | ||
| TaintedFormatConfig() { this = "TaintedFormatConfig" } | ||
| module TaintedFormatConfig implements DataFlow::ConfigSig { | ||
| predicate isSource(DataFlow::Node source) { /* TBD */ } |
Check warning
Code scanning / CodeQL
Dead code Warning
| override predicate isSource(DataFlow::Node source) { /* TBD */ } | ||
|
|
||
| override predicate isSink(DataFlow::Node sink) { /* TBD */ } | ||
| predicate isSink(DataFlow::Node sink) { /* TBD */ } |
Check warning
Code scanning / CodeQL
Dead code Warning
| class TaintedOGNLConfig extends TaintTracking::Configuration { | ||
| TaintedOGNLConfig() { this = "TaintedOGNLConfig" } | ||
| module TaintedOGNLConfig implements DataFlow::ConfigSig { | ||
| predicate isSource(DataFlow::Node source) { /* TBD */ } |
Check warning
Code scanning / CodeQL
Dead code Warning
| override predicate isSource(DataFlow::Node source) { /* TBD */ } | ||
|
|
||
| override predicate isSink(DataFlow::Node sink) { /* TBD */ } | ||
| predicate isSink(DataFlow::Node sink) { /* TBD */ } |
Check warning
Code scanning / CodeQL
Dead code Warning
|
👋🏻 @felicitymay, I'll remove this from the Docs Content FR project as it's now in y'all's project for triage. Let me know if I should handle this differently. |
| Similar to global data flow, the characteristic predicate ``MyTaintTrackingConfiguration()`` defines the unique name of the configuration, so ``"MyTaintTrackingConfiguration"`` should be replaced by the name of your class. | ||
|
|
||
| The taint tracking analysis is performed using the predicate ``hasFlow(DataFlow::Node source, DataFlow::Node sink)``. | ||
| The resulting module is completely similar to the one obtained from ``DataFlow::Global<ConfigSig>``. |
There was a problem hiding this comment.
Is there an alternative way of expressing "completely similar", if that's not a technical term I'm unfamiliar with? Does this mean "exactly the same as" for example?
(There are six instances of "completely similar")
There was a problem hiding this comment.
It's not a technical term, so I'm open to suggestion for how to phrase this more clearly.
Details: When you apply either DataFlow::Global<..> or TaintTracking::Global<..> to your configuration then the result is a module containing a number of predicates, such as flow and flowPath. The key is that the predicates the resulting modules contain are the same in the two cases, in the sense that the output api is the same. So if you switch between DataFlow and TaintTracking then your subsequent references to the results need no changes.
There was a problem hiding this comment.
Thanks for the explanation! How about(?):
| The resulting module is completely similar to the one obtained from ``DataFlow::Global<ConfigSig>``. | |
| The resulting module is equivalent to the one obtained from ``DataFlow::Global<ConfigSig>``. |
I think this should imply that the modules are the same in the context in which they're intended to be used, but that the modules themselves are not necessarily identical.
There was a problem hiding this comment.
That doesn't sound right to me. To me "equivalent" is too strong. There's definitely a difference in the contents of the predicates in those modules as they are computing different flow graphs (taint tracking includes a lot more flow steps). It's just that the apis of the resulting modules are the same.
There was a problem hiding this comment.
Hmm, perhaps this?
The resulting module has an identical signature to the one obtained from ``DataFlow::Global<ConfigSig>``.
There was a problem hiding this comment.
How about identical interface?
There was a problem hiding this comment.
That could work as well, although I prefer "signature" as that's the proper technical term (QL modules implement signatures).
|
One high-level comment: internally we standardised the names of our configurations to end in |
This updates the pieces of documentation that I could find to the new data flow API.
I identified the places that needed updates, by grepping for the following list of words: