
Commit bd21a03

Merge pull request #19718 from geoffw0/taintreach
Rust: Adjust the taint reach metric for better stability.
2 parents 31770ed + e64d083 commit bd21a03

2 files changed

+21
-2
lines changed

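--- a/rust/ql/src/queries/summary/Stats.qll
+++ b/rust/ql/src/queries/summary/Stats.qll
@@ -189,6 +189,8 @@ predicate taintStats(string key, int value) {
 or
 key = "Taint reach - nodes tainted" and value = getTaintedNodesCount()
 or
+key = "Taint reach - total non-summary nodes" and value = getTotalNodesCount()
+or
 key = "Taint reach - per million nodes" and value = getTaintReach().floor()
 or
 key = "Taint sinks - query sinks" and value = getQuerySinksCount()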
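Review bot: The new key spells out "non-summary", but the key on the line above it, `"Taint reach - nodes tainted"`, keeps its old label even though the TaintReach.qll change in this commit makes getTaintedNodesCount() exclude flow summary nodes too. Anyone comparing these stats across this commit may see the tainted count shift with nothing in the output or the code here to explain it. Renaming an existing key could break consumers of the stats, so a comment above the taint-reach lines is the lighter fix, e.g. `// all "Taint reach" counts exclude flow summary nodes (see TaintReach.qll)`. The body of taintStats starts and ends outside this hunk.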

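--- a/rust/ql/src/queries/summary/TaintReach.qll
+++ b/rust/ql/src/queries/summary/TaintReach.qll
@@ -7,6 +7,7 @@ import rust
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.TaintTracking
+private import codeql.rust.dataflow.internal.Node
 
 /**
 * A taint configuration for taint reach (flow to any node from any modeled source).
@@ -21,11 +22,27 @@ private module TaintReachFlow = TaintTracking::Global<TaintReachConfig>;
 
 /**
 * Gets the total number of data flow nodes that taint reaches (from any source).
+*
+* We don't include flow summary nodes, as their number is unstable (varies when models
+* are added).
 */
-int getTaintedNodesCount() { result = count(DataFlow::Node n | TaintReachFlow::flowTo(n)) }
+int getTaintedNodesCount() {
+result = count(DataFlow::Node n | TaintReachFlow::flowTo(n) and not n instanceof FlowSummaryNode)
+}
+
+/**
+* Gets the total number of data flow nodes.
+*
+* We don't include flow summary nodes, as their number is unstable (varies when models
+* are added).
+*/
+int getTotalNodesCount() { result = count(DataFlow::Node n | not n instanceof FlowSummaryNode) }
 
 /**
 * Gets the proportion of data flow nodes that taint reaches (from any source),
 * expressed as a count per million nodes.
+*
+* We don't include flow summary nodes, as their number is unstable (varies when models
+* are added).
 */
-float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / count(DataFlow::Node n) }
+float getTaintReach() { result = (getTaintedNodesCount() * 1000000.0) / getTotalNodesCount() }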
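Review bot: The `not n instanceof FlowSummaryNode` filter is written out separately in getTaintedNodesCount and getTotalNodesCount, so the numerator and denominator of getTaintReach stay comparable only while both copies are edited together. If one drifts, the reach figure would be skewed without any error, which matters when the metric is used to judge how far modeled taint sources propagate. A single private class used by both counts would remove that risk, e.g. `private class CountedNode extends DataFlow::Node { CountedNode() { not this instanceof FlowSummaryNode } }`. The new import of `codeql.rust.dataflow.internal.Node` also ties this summary library to an internal module, so a one-line comment on the import saying it is needed only for FlowSummaryNode would help. The first doc line of getTotalNodesCount could say so too: `Gets the total number of data flow nodes, excluding flow summary nodes.`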
