Go: Move Go package-grouping support into shared lib.

Author: aschackmull

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -53,4 +53,6 @@ extensible predicate neutralModel(
 
 module Extensions implements SharedMaD::ExtensionsSig {
   import ExternalFlowExtensions
+
+  predicate packageGrouping(string group, string package) { none() }
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlowExtensions.qll

@@ -53,4 +53,6 @@ extensible predicate neutralModel(
 
 module Extensions implements SharedMaD::ExtensionsSig {
   import ExternalFlowExtensions
+
+  predicate packageGrouping(string group, string package) { none() }
 }

go/ql/lib/semmle/go/dataflow/ExternalFlow.qll

@@ -107,86 +107,6 @@ module FlowExtensions = Extensions;
 /** Gets the prefix for a group of packages. */
 private string groupPrefix() { result = "group:" }
 
-/**
- * Gets a package represented by `packageOrGroup`.
- *
- * If `packageOrGroup` is of the form `group:<groupname>` then `result` is a
- * package in the group `<groupname>`, as determined by `packageGrouping`.
- * Otherwise, `result` is `packageOrGroup`.
- */
-bindingset[packageOrGroup]
-private string getPackage(string packageOrGroup) {
-  not exists(string group | packageOrGroup = groupPrefix() + group) and result = packageOrGroup
-  or
-  exists(string group |
-    FlowExtensions::packageGrouping(group, result) and
-    packageOrGroup = groupPrefix() + group
-  )
-}
-
-/**
- * Holds if a source model exists for the given parameters.
- *
- * Note that `group:` references are expanded into one or more actual packages
- * by this predicate.
- */
-predicate sourceModel(
-  string package, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
-) {
-  exists(string packageOrGroup |
-    package = getPackage(packageOrGroup) and
-    FlowExtensions::sourceModel(packageOrGroup, type, subtypes, name, signature, ext, output, kind,
-      provenance, madId)
-  )
-}
-
-/**
- * Holds if a sink model exists for the given parameters.
- *
- * Note that `group:` references are expanded into one or more actual packages
- * by this predicate.
- */
-predicate sinkModel(
-  string package, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string kind, string provenance, QlBuiltins::ExtensionId madId
-) {
-  exists(string packageOrGroup | package = getPackage(packageOrGroup) |
-    FlowExtensions::sinkModel(packageOrGroup, type, subtypes, name, signature, ext, input, kind,
-      provenance, madId)
-  )
-}
-
-/**
- * Holds if a summary model exists for the given parameters.
- *
- * Note that `group:` references are expanded into one or more actual packages
- * by this predicate.
- */
-predicate summaryModel(
-  string package, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
-) {
-  exists(string packageOrGroup | package = getPackage(packageOrGroup) |
-    FlowExtensions::summaryModel(packageOrGroup, type, subtypes, name, signature, ext, input,
-      output, kind, provenance, madId)
-  )
-}
-
-/**
- * Holds if a neutral model exists for the given parameters.
- *
- * Note that `group:` references are expanded into one or more actual packages
- * by this predicate.
- */
-predicate neutralModel(
-  string package, string type, string name, string signature, string kind, string provenance
-) {
-  exists(string packageOrGroup | package = getPackage(packageOrGroup) |
-    FlowExtensions::neutralModel(packageOrGroup, type, name, signature, kind, provenance)
-  )
-}
-
 bindingset[p]
 private string cleanPackage(string p) {
   exists(string noPrefix |

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -137,11 +137,9 @@ module SourceSinkInterpretationInput implements
     SourceOrSinkElement e, string output, string kind, Public::Provenance provenance, string model
   ) {
     exists(
-      string package, string type, boolean subtypes, string name, string signature, string ext,
-      QlBuiltins::ExtensionId madId
+      string package, string type, boolean subtypes, string name, string signature, string ext
     |
-      sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, madId) and
-      model = "MaD:" + madId.toString() and
+      sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, model) and
       e = interpretElement(package, type, subtypes, name, signature, ext)
     )
   }
@@ -154,11 +152,9 @@ module SourceSinkInterpretationInput implements
     SourceOrSinkElement e, string input, string kind, Public::Provenance provenance, string model
   ) {
     exists(
-      string package, string type, boolean subtypes, string name, string signature, string ext,
-      QlBuiltins::ExtensionId madId
+      string package, string type, boolean subtypes, string name, string signature, string ext
     |
-      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId) and
-      model = "MaD:" + madId.toString() and
+      sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, model) and
       e = interpretElement(package, type, subtypes, name, signature, ext)
     )
   }
@@ -504,12 +500,10 @@ module Private {
       string model
     ) {
       exists(
-        string namespace, string type, boolean subtypes, string name, string signature, string ext,
-        QlBuiltins::ExtensionId madId
+        string namespace, string type, boolean subtypes, string name, string signature, string ext
       |
         summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-          provenance, madId) and
-        model = "MaD:" + madId.toString() and
+          provenance, model) and
         c.asFunction() =
           interpretElement(namespace, type, subtypes, name, signature, ext).asEntity()
       )

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -192,24 +192,6 @@ abstract private class ActiveExperimentalModelsInternal extends string {
 
 deprecated class ActiveExperimentalModels = ActiveExperimentalModelsInternal;
 
-/** Holds if a barrier model exists for the given parameters. */
-predicate barrierModel(
-  string package, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
-) {
-  Extensions::barrierModel(package, type, subtypes, name, signature, ext, output, kind, provenance,
-    madId)
-}
-
-/** Holds if a barrier guard model exists for the given parameters. */
-predicate barrierGuardModel(
-  string package, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
-) {
-  Extensions::barrierGuardModel(package, type, subtypes, name, signature, ext, input,
-    acceptingvalue, kind, provenance, madId)
-}
-
 /**
  * Holds if the given extension tuple `madId` should pretty-print as `model`.
  *
@@ -255,9 +237,6 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
   )
 }
 
-/** Holds if a neutral model exists for the given parameters. */
-predicate neutralModel = Extensions::neutralModel/6;
-
 /** Provides a query predicate to check the MaD models for validation errors. */
 module ModelValidation {
   private import codeql.dataflow.internal.AccessPathSyntax as AccessPathSyntax

java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll

@@ -98,4 +98,6 @@ extensible predicate experimentalSummaryModel(
 
 module Extensions implements SharedMaD::ExtensionsSig {
   import ExternalFlowExtensions
+
+  predicate packageGrouping(string group, string package) { none() }
 }

java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll

@@ -264,11 +264,10 @@ module SourceSinkInterpretationInput implements
   ) {
     exists(
       string namespace, string type, boolean subtypes, string name, string signature, string ext,
-      SourceOrSinkElement baseBarrier, string originalOutput, QlBuiltins::ExtensionId madId
+      SourceOrSinkElement baseBarrier, string originalOutput
     |
       barrierModel(namespace, type, subtypes, name, signature, ext, originalOutput, kind,
-        provenance, madId) and
-      model = "MaD:" + madId.toString() and
+        provenance, model) and
       baseBarrier = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
       (
         e = baseBarrier and output = originalOutput
@@ -284,11 +283,10 @@ module SourceSinkInterpretationInput implements
   ) {
     exists(
       string namespace, string type, boolean subtypes, string name, string signature, string ext,
-      SourceOrSinkElement baseBarrier, string originalOutput, QlBuiltins::ExtensionId madId
+      SourceOrSinkElement baseBarrier, string originalOutput
     |
       barrierGuardModel(namespace, type, subtypes, name, signature, ext, originalOutput,
-        acceptingvalue, kind, provenance, madId) and
-      model = "MaD:" + madId.toString() and
+        acceptingvalue, kind, provenance, model) and
       baseBarrier = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
       (
         e = baseBarrier and output = originalOutput

shared/mad/codeql/mad/static/MaD.qll

@@ -46,6 +46,11 @@ signature module ExtensionsSig {
   predicate neutralModel(
     string namespace, string type, string name, string signature, string kind, string provenance
   );
+
+  /**
+   * Holds if the package `package` is part of the group `group`.
+   */
+  predicate packageGrouping(string group, string package);
 }
 
 signature module InputSig {
@@ -154,21 +159,44 @@ module ModelsAsData<ExtensionsSig Extensions, InputSig Input> {
     )
   }
 
+  /** Gets the prefix for a group of packages/namespaces. */
+  private string groupPrefix() { result = "group:" }
+
+  /**
+   * Gets a package/namespace represented by `packageOrGroup`.
+   *
+   * If `packageOrGroup` is of the form `group:<groupname>` then `result` is a
+   * package/namespace in the group `<groupname>`, as determined by `packageGrouping`.
+   * Otherwise, `result` is `packageOrGroup`.
+   */
+  bindingset[namespaceOrGroup]
+  private string getNamespace(string namespaceOrGroup) {
+    not exists(string group | namespaceOrGroup = groupPrefix() + group) and
+    result = namespaceOrGroup
+    or
+    exists(string group |
+      Extensions::packageGrouping(group, result) and
+      namespaceOrGroup = groupPrefix() + group
+    )
+  }
+
   /**
    * Holds if a source model exists for the given parameters.
    */
   predicate sourceModel(
     string namespace, string type, boolean subtypes, string name, string signature, string ext,
     string output, string kind, string provenance, string model
   ) {
-    exists(QlBuiltins::ExtensionId madId |
-      Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-        provenance, madId) and
-      model = "MaD:" + madId.toString()
+    exists(string namespaceOrGroup | namespace = getNamespace(namespaceOrGroup) |
+      exists(QlBuiltins::ExtensionId madId |
+        Extensions::sourceModel(namespaceOrGroup, type, subtypes, name, signature, ext, output,
+          kind, provenance, madId) and
+        model = "MaD:" + madId.toString()
+      )
+      or
+      Input::additionalSourceModel(namespaceOrGroup, type, subtypes, name, signature, ext, output,
+        kind, provenance, model)
     )
-    or
-    Input::additionalSourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
-      provenance, model)
   }
 
   /**
@@ -178,14 +206,42 @@ module ModelsAsData<ExtensionsSig Extensions, InputSig Input> {
     string namespace, string type, boolean subtypes, string name, string signature, string ext,
     string input, string kind, string provenance, string model
   ) {
-    exists(QlBuiltins::ExtensionId madId |
-      Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind,
+    exists(string namespaceOrGroup | namespace = getNamespace(namespaceOrGroup) |
+      exists(QlBuiltins::ExtensionId madId |
+        Extensions::sinkModel(namespaceOrGroup, type, subtypes, name, signature, ext, input, kind,
+          provenance, madId) and
+        model = "MaD:" + madId.toString()
+      )
+      or
+      Input::additionalSinkModel(namespaceOrGroup, type, subtypes, name, signature, ext, input,
+        kind, provenance, model)
+    )
+  }
+
+  /** Holds if a barrier model exists for the given parameters. */
+  predicate barrierModel(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string output, string kind, string provenance, string model
+  ) {
+    exists(string namespaceOrGroup, QlBuiltins::ExtensionId madId |
+      namespace = getNamespace(namespaceOrGroup) and
+      Extensions::barrierModel(namespaceOrGroup, type, subtypes, name, signature, ext, output, kind,
         provenance, madId) and
       model = "MaD:" + madId.toString()
     )
-    or
-    Input::additionalSinkModel(namespace, type, subtypes, name, signature, ext, input, kind,
-      provenance, model)
+  }
+
+  /** Holds if a barrier guard model exists for the given parameters. */
+  predicate barrierGuardModel(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string acceptingvalue, string kind, string provenance, string model
+  ) {
+    exists(string namespaceOrGroup, QlBuiltins::ExtensionId madId |
+      namespace = getNamespace(namespaceOrGroup) and
+      Extensions::barrierGuardModel(namespaceOrGroup, type, subtypes, name, signature, ext, input,
+        acceptingvalue, kind, provenance, madId) and
+      model = "MaD:" + madId.toString()
+    )
   }
 
   /**
@@ -195,14 +251,27 @@ module ModelsAsData<ExtensionsSig Extensions, InputSig Input> {
     string namespace, string type, boolean subtypes, string name, string signature, string ext,
     string input, string output, string kind, string provenance, string model
   ) {
-    exists(QlBuiltins::ExtensionId madId |
-      Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
-        provenance, madId) and
-      model = "MaD:" + madId.toString()
+    exists(string namespaceOrGroup | namespace = getNamespace(namespaceOrGroup) |
+      exists(QlBuiltins::ExtensionId madId |
+        Extensions::summaryModel(namespaceOrGroup, type, subtypes, name, signature, ext, input,
+          output, kind, provenance, madId) and
+        model = "MaD:" + madId.toString()
+      )
+      or
+      Input::additionalSummaryModel(namespaceOrGroup, type, subtypes, name, signature, ext, input,
+        output, kind, provenance, model)
+    )
+  }
+
+  /**
+   * Holds if a neutral model exists for the given parameters.
+   */
+  predicate neutralModel(
+    string namespace, string type, string name, string signature, string kind, string provenance
+  ) {
+    exists(string namespaceOrGroup | namespace = getNamespace(namespaceOrGroup) |
+      Extensions::neutralModel(namespaceOrGroup, type, name, signature, kind, provenance)
     )
-    or
-    Input::additionalSummaryModel(namespace, type, subtypes, name, signature, ext, input, output,
-      kind, provenance, model)
   }
 
   private predicate relevantNamespace(string namespace) {