diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll index bce5a3172d6c..814037837c15 100644 --- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll +++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll @@ -73,22 +73,32 @@ abstract class AtmConfig extends string { not exists(this.getAReasonSinkExcluded(candidateSink)) } + /** + * Gets the list of characteristics that cause `candidateSink` to be excluded as an effective sink. + */ final EndpointCharacteristics::EndpointCharacteristic getAReasonSinkExcluded( JS::DataFlow::Node candidateSink ) { - // An endpoint is an effective sink if it has neither standard endpoint filter characteristics nor endpoint filter - // characteristics that are specific to this sink type. - // TODO: Experiment with excluding all endpoints that have a medium- or high-confidence characteristic that implies - // they're not sinks for this sink type (or not sinks for any sink type), not just the EndpointFilterCharacteristics. - exists(EndpointCharacteristics::StandardEndpointFilterCharacteristic standardFilter | - standardFilter.getEndpoints(candidateSink) and - result = standardFilter - ) - or - exists(EndpointCharacteristics::EndpointFilterCharacteristic specificFilter | - specificFilter.getEndpoints(candidateSink) and - specificFilter.getImplications(this.getASinkEndpointType(), false, _) and - result = specificFilter + // An endpoint is an effective sink (sink candidate) if none of its characteristics give much indication whether or + // not it is a sink. Historically, we used endpoint filters, and scored endpoints that are filtered out neither by + // a standard endpoint filter nor by an endpoint filter specific to this sink type. To replicate this behaviour, we + // have given the endpoint filter characteristics medium confidence, and we exclude endpoints that have a + // medium-confidence characteristic that indicates that they are not sinks, either in general or for this sink type. + exists(EndpointCharacteristics::EndpointCharacteristic filter, float confidence | + filter.getEndpoints(candidateSink) and + confidence >= filter.mediumConfidence() and + // TODO: Experiment with excluding all endpoints that have a medium- or high-confidence characteristic that + // implies they're not sinks, rather than using only medium-confidence characteristics, by deleting the following + // line. + confidence < filter.highConfidence() and + ( + // Exclude endpoints that have a characteristic that implies they're not sinks for _any_ sink type. + filter.getImplications(any(NegativeType negative), true, confidence) + or + // Exclude endpoints that have a characteristic that implies they're not sinks for _this particular_ sink type. + filter.getImplications(this.getASinkEndpointType(), false, confidence) + ) and + result = filter ) } diff --git a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll index 1b305fa0b113..7bd615df1392 100644 --- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll +++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointCharacteristics.qll @@ -462,7 +462,7 @@ abstract class EndpointFilterCharacteristic extends EndpointCharacteristic { * An EndpointFilterCharacteristic that indicates that an endpoint is unlikely to be a sink of any type. * Replaces https://github.com/github/codeql/blob/387e57546bf7352f7c1cfe781daa1a3799b7063e/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/StandardEndpointFilters.qll#LL15C24-L15C24 */ -abstract class StandardEndpointFilterCharacteristic extends EndpointFilterCharacteristic { +abstract private class StandardEndpointFilterCharacteristic extends EndpointFilterCharacteristic { bindingset[this] StandardEndpointFilterCharacteristic() { any() }