Update vulnerable call location query logic

gfs · gfs · commit 668950ac6e23 · 2025-12-08T15:10:47.000-08:00
Replaces usage of getEnclosingVulnerableMethod and getCallTargetFullyQualifiedName with getEnclosingFunction and a more precise extraction of the target operand's fully qualified name using IR. Also adds import for IR module to support new logic.
diff --git a/binary/ql/src/VulnerableCalls/VulnerableCallsSummarize.ql b/binary/ql/src/VulnerableCalls/VulnerableCallsSummarize.ql
@@ -7,6 +7,7 @@
  */
 
 import VulnerableCalls
+import semmle.code.binary.ast.ir.IR
 
 /**
  * Exports all methods that can reach vulnerable calls.
@@ -39,6 +40,6 @@ query predicate vulnerableCallLocations(
   string id
 ) {
   call.getVulnerabilityId() = id and
-  call.getEnclosingVulnerableMethod().hasFullyQualifiedName(callerNamespace, callerClassName, callerMethodName) and
-  targetFqn = call.getCallTargetFullyQualifiedName()
+  call.getEnclosingFunction().hasFullyQualifiedName(callerNamespace, callerClassName, callerMethodName) and
+  targetFqn = call.getTargetOperand().getAnyDef().(ExternalRefInstruction).getFullyQualifiedName()
 }
