Binary: Stick to IR in the VulnerableCalls library.

Author: MathiasVP

binary/ql/lib/semmle/code/binary/cil/CilCallable.qll

@@ -4,7 +4,7 @@
  */
 
 private import binary
-import semmle.code.binary.cil.CilCallable
+private import semmle.code.binary.ast.ir.IR
 
 /**
  * Holds if any call identified by `(namespace, className, methodName)` should be flagged
@@ -19,21 +19,21 @@ extensible predicate vulnerableCallModel(
 /**
  * A method call that has been marked as vulnerable by a model.
  */
-class VulnerableMethodCall extends CilCallExt {
+class VulnerableMethodCall extends CallInstruction {
   string vulnerabilityId;
 
   VulnerableMethodCall() {
     exists(string namespace, string className, string methodName |
       vulnerableCallModel(namespace, className, methodName, vulnerabilityId) and
-      this.targetsMethod(namespace, className, methodName)
+      this.getTargetOperand()
+          .getAnyDef()
+          .(ExternalRefInstruction)
+          .hasFullyQualifiedName(namespace, className, methodName)
     )
   }
 
   /** Gets the vulnerability ID associated with this call. */
   string getVulnerabilityId() { result = vulnerabilityId }
-
-  /** Gets the enclosing method. */
-  CilMethodExt getEnclosingVulnerableMethod() { result = this.getEnclosingMethodExt() }
 }
 
 /**
@@ -44,30 +44,31 @@ VulnerableMethodCall getAVulnerableCallFromModel(string id) { result.getVulnerab
 /**
  * Gets a method that directly contains a vulnerable call.
  */
-CilMethodExt getADirectlyVulnerableMethod(string id) {
-  result = getAVulnerableCallFromModel(id).getEnclosingVulnerableMethod()
+Function getADirectlyVulnerableMethod(string id) {
+  result = getAVulnerableCallFromModel(id).getEnclosingFunction()
 }
 
 /**
  * Gets a method that transitively calls a vulnerable method.
  * This computes the transitive closure of the call graph.
  */
-CilMethodExt getAVulnerableMethod(string id) {
+Function getAVulnerableMethod(string id) {
   // Direct call to vulnerable method
   result = getADirectlyVulnerableMethod(id)
   or
   // Transitive: method calls another method that is vulnerable
-  exists(CilCallExt call, CilMethodExt callee |
-    call.getEnclosingMethodExt() = result and
+  exists(CallInstruction call, Function callee |
+    call.getEnclosingFunction() = result and
     callee = getAVulnerableMethod(id) and
-    call.getCallTargetFullyQualifiedName() = callee.getFullyQualifiedName()
+    call.getTargetOperand().getAnyDef().(ExternalRefInstruction).getFullyQualifiedName() =
+      callee.getFullyQualifiedName()
   )
 }
 
 /**
  * Gets a public method that transitively calls a vulnerable method.
  */
-CilMethodExt getAPublicVulnerableMethod(string id) {
+Function getAPublicVulnerableMethod(string id) {
   result = getAVulnerableMethod(id) and
   result.isPublic()
 }
@@ -81,10 +82,8 @@ module ExportedVulnerableCalls {
    * Holds if `(namespace, className, methodName)` identifies a method that
    * leads to a vulnerable call identified by `id`.
    */
-  predicate pathToVulnerableMethod(
-    string namespace, string className, string methodName, string id
-  ) {
-    exists(CilMethodExt m |
+  predicate pathToVulnerableMethod(string namespace, string className, string methodName, string id) {
+    exists(Function m |
       m = getAVulnerableMethod(id) and
       m.hasFullyQualifiedName(namespace, className, methodName)
     )
@@ -97,7 +96,7 @@ module ExportedVulnerableCalls {
   predicate publicPathToVulnerableMethod(
     string namespace, string className, string methodName, string id
   ) {
-    exists(CilMethodExt m |
+    exists(Function m |
       m = getAPublicVulnerableMethod(id) and
       m.hasFullyQualifiedName(namespace, className, methodName)
     )