Shared: Prefer source/sink models with manual provenance over generated #21020
+187
−217
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Java
Rust
hvitved
force-pushed
the
shared/source-sink-provenance-prio
branch
from
4d27a73 to
e393034
Compare
hvitved
force-pushed
the
shared/source-sink-provenance-prio
branch
from
e393034 to
0b00589
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses duplicate flow paths in dataflow analysis by prioritizing manual source/sink models over auto-generated models, and filtering away generated flow summaries when a static call target exists in source code for Rust.
Key Changes:
- Introduced filtering logic to prefer manual models over generated models for sources and sinks
- Added similar filtering for Rust flow summaries to match existing C# and Java behavior
- Corrected a minor comment formatting issue in Java
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll | Added isRelevantSource and isRelevantSink predicates to filter generated models when manual models exist for the same kind |
| rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll | Added logic to exclude generated flow summaries when static call target is in source code, aligning with Java/C# behavior |
| java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll | Added backticks around applyGeneratedModel in comment for consistency |
| rust/ql/test/query-tests/security/CWE-825/AccessInvalidPointer.expected | Removed duplicate flow path results as expected |
| rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected | Removed duplicate flow path results and renumbered model references |
| rust/ql/test/library-tests/dataflow/sources/file/TaintSources.expected | Removed duplicate source detections |
| rust/ql/test/library-tests/dataflow/sources/file/InlineFlow.expected | Removed duplicate flow edges and model references, renumbered remaining ones |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
paldepind
approved these changes
Dec 12, 2025
Contributor
paldepind
left a comment
paldepind
left a comment
There was a problem hiding this comment.
Thanks. Nice to get this right.
aschackmull
approved these changes
Dec 12, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I noticed on https://github.com/github/codeql/pull/20879/changes#diff-2dc9c76255b29ca51e9fe9d8861fe51534f0d72c032a32dbb2f554cbb7ffdf55 that we got some duplicate flow paths, which happens because
std::fs::readhas both a manual model and an auto-generated model. The fix is to always prioritize manual source/sink models over generated models, just like we do for flow summaries.This PR also filters away generated flow summaries when there is a static target in source code for Rust, similar to C# and Java.