Thank you for your question! 🙂 There's currently no mechanism for ignoring the built-in summary models in favour of the source code being analysed. The current implementation uses various heuristics to figure out how to resolve the calls in cases like this, but these heuristics are not always perfect. However, there is definite room for improvement here, and the team responsible for the Java analysis will be looking into ways of improving the status quo.
A few days ago, apache commons text disclosed [CVE-2022-42889].
When I use codeql to query the project (https://github.com/apache/commons-text/tree/commons-text-1.8), it can't find any vulnerability in the project.
The ql file is
The codeql can't resolve the 'lookup' function, so it can't find the 'eval' sink.
When I use resolveCall in codeql to debug this problem, I found that 'lookup' resolves to a summary callable.
So I found that "org.apache.commons.text.lookup.StringLookup:lookup" has been defined in Lang2Generated.qll as a SummaryModel.
When I noted the built-in external flow, I can use codeql to find the 'eval' sink.
So can codeql add a new feature to ignore the built-in source model in the analyzed source?
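As a diagnostic for the situation described in this question (an added example, not code from this discussion or from the CodeQL project), the query below lists calls whose callee is covered by a summary model even though the callee's own body is present in the analysed database; it assumes that `SummarizedCallable` is importable from `semmle.code.java.dataflow.FlowSummary` and that `Call.getCallee()` and `Element.fromSource()` behave as in the CodeQL Java library.

```ql
/**
 * @name Calls resolved through a summary model that shadows analysed source
 * @description Lists call sites whose target is both a summarized callable
 *              (from the built-in flow models) and a callable whose source
 *              is in the database, i.e. the case where the summary model is
 *              used instead of the project's own implementation.
 * @kind problem
 * @id java/diagnostics/summary-shadows-source
 */

import java
// Assumed location of SummarizedCallable in the CodeQL Java library.
import semmle.code.java.dataflow.FlowSummary

from Call c, Callable target
where
  // Resolve the call to its static target.
  target = c.getCallee() and
  // The target has a flow summary from the built-in models ...
  target instanceof SummarizedCallable and
  // ... and its body is part of the analysed source, not just a stub.
  target.fromSource()
select c,
  "Call to $@ is resolved via a summary model although its source is in the database.",
  target, target.getQualifiedName()
```

Running this against the commons-text database would show whether the `StringLookup.lookup` call mentioned above is among the shadowed call sites, which is the first thing to confirm before changing the query that looks for the 'eval' sink.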