
Propagate uncertainty information to Evaluators #886

Merged: 23 commits from rh/open-result into main, Sep 17, 2024
Conversation

CodingDepot (Collaborator)

In its current form, Evaluators rely on functions from ImplementationDsl.kt to find relevant code locations.
However, these functions only respond with locations without considering false positives that may be detected internally.

With this PR a new return type is used that propagates the knowledge of OPEN analysis results as a context to the code locations delivered to the Evaluators.

Example:
Consider the Length Keyword from #876. The internally used sizeof() evaluator may return -1 when the size cannot be determined, but the cpgFlowsTo function can only return true or false, which then leads to false positives in either the Never- or Only-Evaluator.
With this new return type, the Only-Evaluator can check for each location whether the analysis was incomplete and can therefore correctly produce an OPEN SARIF Result.
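Added example (not Codyze's own code, and all names such as `Tri`, `sizeOf`, `flowsToTri` and `onlyEvaluator` are hypothetical stand-ins): a small Kotlin model of the problem described above, contrasting a helper that collapses an undetermined size into a Boolean with one that reports it as OPEN, and an "Only"-style evaluator that turns that OPEN state into a separate finding instead of a violation.

```kotlin
// Constructed example of a tri-state analysis result; not Codyze's code.
// Hypothetical names throughout (Tri, Location, Finding, sizeOf, ...).
enum class Tri { VALID, INVALID, OPEN }

data class Location(val file: String, val line: Int)
data class Finding(val location: Location, val state: Tri)

// Stand-in for an internal size check: -1 means "could not be determined",
// mirroring the sizeof() behaviour described in the PR.
fun sizeOf(expr: String): Int = when (expr) {
    "buf" -> 64
    "len" -> 4
    else -> -1  // e.g. a pointer whose pointee size is unknown
}

// Old style: everything is collapsed into a Boolean, so an undetermined
// size is indistinguishable from a failed check (a false positive).
fun flowsToBool(expr: String, expected: Int): Boolean = sizeOf(expr) == expected

// New style: an undetermined size is reported as OPEN instead of INVALID.
fun flowsToTri(expr: String, expected: Int): Tri {
    val size = sizeOf(expr)
    return when {
        size < 0 -> Tri.OPEN
        size == expected -> Tri.VALID
        else -> Tri.INVALID
    }
}

// "Only" evaluator: every location must satisfy the rule. A location whose
// analysis was incomplete is reported as OPEN rather than as a violation.
fun onlyEvaluator(calls: Map<Location, String>, expected: Int): List<Finding> =
    calls.mapNotNull { (loc, expr) ->
        when (val r = flowsToTri(expr, expected)) {
            Tri.VALID -> null
            else -> Finding(loc, r)
        }
    }

fun main() {
    val calls = mapOf(                       // constructed sample input
        Location("crypto.c", 10) to "buf",   // size known and correct
        Location("crypto.c", 22) to "len",   // size known but wrong -> INVALID
        Location("crypto.c", 31) to "p",     // size unknown -> OPEN
    )
    // Boolean helper: line 31 is flagged exactly like line 22 (false positive)
    println(calls.filterValues { !flowsToBool(it, 64) }.keys)
    // Tri-state helper: line 22 is INVALID, line 31 is OPEN
    onlyEvaluator(calls, 64).forEach { println("${it.location}: ${it.state}") }
}
```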

@CodingDepot CodingDepot added the label "nicetohave" (Not urgent, just a nice add-on that is worth discussing) Jul 10, 2024
@CodingDepot CodingDepot requested a review from fwendland July 10, 2024 09:31
@CodingDepot CodingDepot self-assigned this Jul 10, 2024
@CodingDepot CodingDepot mentioned this pull request Jul 10, 2024
```kotlin
def.signatures.any { sig ->
// We consider a result when both the signature and the flow are not invalid
// However, if at least one of them is OPEN we propagate this information to the caller
val signature = cpgSignature(*sig.parameters.toTypedArray())
```

Code scanning / detekt (warning): Used in this way a spread operator causes a full copy of the array to be created before calling a method. This may result in a performance penalty.
```kotlin
val results = mutableListOf<Result>()
val fqn = [email protected] { sig ->
[email protected]([email protected]) {
val signature = cpgSignature(*sig.parameters.toTypedArray())
```

Code scanning / detekt (warning): Used in this way a spread operator causes a full copy of the array to be created before calling a method. This may result in a performance penalty.

codecov bot commented Jul 10, 2024

Codecov Report

Attention: Patch coverage is 87.40741% with 17 lines in your changes missing coverage. Please review.

Project coverage is 77.59%. Comparing base (6377273) to head (7768611).
Report is 3 commits behind head on main.

| Files | Patch % | Lines |
|---|---|---|
| .../codyze/backends/cpg/coko/dsl/ImplementationDsl.kt | 68.75% | 7 Missing and 8 partials ⚠️ |
| ...sec/codyze/backends/cpg/coko/dsl/DataItemCpgDsl.kt | 50.00% | 0 Missing and 1 partial ⚠️ |
| ...hofer/aisec/codyze/backends/cpg/coko/dsl/Result.kt | 96.42% | 1 Missing ⚠️ |

Additional details and impacted files:

```text
@@             Coverage Diff              @@
##               main     #886      +/-   ##
============================================
+ Coverage     77.20%   77.59%   +0.38%     
- Complexity      250      256       +6     
============================================
  Files            59       60       +1     
  Lines          1882     1959      +77     
  Branches        265      281      +16     
============================================
+ Hits           1453     1520      +67     
- Misses          308      315       +7     
- Partials        121      124       +3     
```

| Flag | Coverage Δ |
|---|---|
| unittests | 77.59% <87.40%> (+0.38%) ⬆️ |

CodingDepot (Collaborator, Author)

This PR will create conflicts with #875 as it refactors the Never and Only Evaluator to be very similar, but does not directly combine them.

@fwendland fwendland merged commit 0f468e4 into main Sep 17, 2024
4 checks passed
@fwendland fwendland deleted the rh/open-result branch September 17, 2024 14:49