Refactor and expand vulnerable call summarization

gfs · gfs · commit ee188ac9a0d7 · 2025-12-05T12:44:11.000-08:00
Replaces the previous query with three new predicates: vulnerableCallModel, publicVulnerableCallModel, and vulnerableCallLocations. These provide more granular exports for iterative model generation, API surface analysis, and direct call site listing, improving flexibility and clarity for downstream analysis.

Now outputs fully qualified method names for use in recursive models.
diff --git a/binary/ql/src/VulnerableCalls/VulnerableCallsSummarize.ql b/binary/ql/src/VulnerableCalls/VulnerableCallsSummarize.ql
@@ -1,19 +1,44 @@
 /**
- * @name Methods that call vulnerable code
- * @description Lists all methods that transitively call a vulnerable method,
- *              useful for generating models or understanding impact.
- * @kind problem
- * @problem.severity recommendation
- * @precision high
+ * @name Summarize calls to vulnerable methods
+ * @description Exports methods that transitively call vulnerable methods in a format
+ *              suitable for model generation and iterative dependency analysis.
+ * @kind table
  * @id binary/vulnerable-calls-summarize
  */
 
 import VulnerableCalls
 
-from CilMethodExt method, string id, string namespace, string className, string methodName
-where
-  method = getAVulnerableMethod(id) and
-  method.hasFullyQualifiedName(namespace, className, methodName)
-select method,
-  "Method " + namespace + "." + className + "." + methodName +
-    " transitively calls vulnerable code (" + id + ")"
+/**
+ * Exports all methods that can reach vulnerable calls.
+ * Output format matches the vulnerableCallModel extensible predicate for iterative analysis.
+ */
+query predicate vulnerableCallModel(
+  string namespace, string className, string methodName, string id
+) {
+  ExportedVulnerableCalls::pathToVulnerableMethod(namespace, className, methodName, id)
+}
+
+/**
+ * Exports only public methods that reach vulnerable calls (for API surface analysis).
+ */
+query predicate publicVulnerableCallModel(
+  string namespace, string className, string methodName, string id
+) {
+  ExportedVulnerableCalls::publicPathToVulnerableMethod(namespace, className, methodName, id)
+}
+
+/**
+ * Lists the direct vulnerable call sites with their enclosing method context.
+ */
+query predicate vulnerableCallLocations(
+  VulnerableMethodCall call,
+  string callerNamespace,
+  string callerClassName,
+  string callerMethodName,
+  string targetFqn,
+  string id
+) {
+  call.getVulnerabilityId() = id and
+  call.getEnclosingVulnerableMethod().hasFullyQualifiedName(callerNamespace, callerClassName, callerMethodName) and
+  targetFqn = call.getCallTargetFullyQualifiedName()
+}
