Java: convert sinks to CSV #5557
Conversation
tamasvajk
force-pushed
the
feature/java-sinks-csv
branch
3 times, most recently
from
deb60b6 to
ece8b5b
Compare
tamasvajk
force-pushed
the
feature/java-sinks-csv
branch
from
ece8b5b to
c096790
Compare
tamasvajk
force-pushed
the
feature/java-sinks-csv
branch
from
c096790 to
1df7db2
Compare
This reverts commit 87d42b0.
tamasvajk
force-pushed
the
feature/java-sinks-csv
branch
from
1df7db2 to
351f35d
Compare
aschackmull
left a comment
aschackmull
left a comment
There was a problem hiding this comment.
As an overall comment, we're getting a bunch of opaque sink identifiers, which really could use qldoc. The best way to add qldoc to these identifiers is probably to introduce the convention that all references to sinkNode(n, "some-sink-id") occur as charpreds of simple wrapper classes. E.g.:
class XssSink extends DataFlow::Node {
XssSink() { sinkNode(this, "xss") }
}
This allows us a place to introduce a nice QL class name and suitable qldoc that explains what the sink is.
java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
Outdated
Show resolved
Hide resolved
This reverts commit 3e53484.
| /** | ||
| * A sink that represents a URL opening method call, such as a call to `java.net.URL.openConnection()`. | ||
| */ | ||
| private class URLOpenSink extends DataFlow::Node { |
There was a problem hiding this comment.
| private class URLOpenSink extends DataFlow::Node { | |
| private class UrlOpenSink extends DataFlow::Node { |
There was a problem hiding this comment.
I don't mind changing this to UrlOpenSink, but a couple of lines above we already have HTTPStringToURLOpenMethodFlowConfig, so it would look a bit strange, wouldn't it?
There was a problem hiding this comment.
Right, that ought to be renamed to HttpStringToUrlOpenMethodFlowConfig.
2 participants
Differences jobDifferences jobDifferences job