From 364bff1cbce5911bf14b6d60de7cb31440eccc1d Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 2 Jan 2026 06:27:03 +0000 Subject: [PATCH 1/5] Ignore the content of the subtypes column for MaD models and default it to true --- shared/mad/codeql/mad/static/ModelsAsData.qll | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/shared/mad/codeql/mad/static/ModelsAsData.qll b/shared/mad/codeql/mad/static/ModelsAsData.qll index 84daaa9b6c86..7d24b04745d1 100644 --- a/shared/mad/codeql/mad/static/ModelsAsData.qll +++ b/shared/mad/codeql/mad/static/ModelsAsData.qll @@ -194,15 +194,16 @@ module ModelsAsData { string namespace, string type, boolean subtypes, string name, string signature, string ext, string output, string kind, string provenance, string model ) { + subtypes = true and exists(string namespaceOrGroup | namespace = getNamespace(namespaceOrGroup) | exists(QlBuiltins::ExtensionId madId | - Extensions::sourceModel(namespaceOrGroup, type, subtypes, name, signature, ext, output, - kind, provenance, madId) and + Extensions::sourceModel(namespaceOrGroup, type, _, name, signature, ext, output, kind, + provenance, madId) and model = "MaD:" + madId.toString() ) or - Input::additionalSourceModel(namespaceOrGroup, type, subtypes, name, signature, ext, output, - kind, provenance, model) + Input::additionalSourceModel(namespaceOrGroup, type, _, name, signature, ext, output, kind, + provenance, model) ) } @@ -213,15 +214,16 @@ module ModelsAsData { string namespace, string type, boolean subtypes, string name, string signature, string ext, string input, string kind, string provenance, string model ) { + subtypes = true and exists(string namespaceOrGroup | namespace = getNamespace(namespaceOrGroup) | exists(QlBuiltins::ExtensionId madId | - Extensions::sinkModel(namespaceOrGroup, type, subtypes, name, signature, ext, input, kind, + Extensions::sinkModel(namespaceOrGroup, type, _, name, signature, ext, input, kind, provenance, madId) and model = "MaD:" + madId.toString() ) or - Input::additionalSinkModel(namespaceOrGroup, type, subtypes, name, signature, ext, input, - kind, provenance, model) + Input::additionalSinkModel(namespaceOrGroup, type, _, name, signature, ext, input, kind, + provenance, model) ) } @@ -230,9 +232,10 @@ module ModelsAsData { string namespace, string type, boolean subtypes, string name, string signature, string ext, string output, string kind, string provenance, string model ) { + subtypes = true and exists(string namespaceOrGroup, QlBuiltins::ExtensionId madId | namespace = getNamespace(namespaceOrGroup) and - Extensions::barrierModel(namespaceOrGroup, type, subtypes, name, signature, ext, output, kind, + Extensions::barrierModel(namespaceOrGroup, type, _, name, signature, ext, output, kind, provenance, madId) and model = "MaD:" + madId.toString() ) @@ -243,9 +246,10 @@ module ModelsAsData { string namespace, string type, boolean subtypes, string name, string signature, string ext, string input, string acceptingvalue, string kind, string provenance, string model ) { + subtypes = true and exists(string namespaceOrGroup, QlBuiltins::ExtensionId madId | namespace = getNamespace(namespaceOrGroup) and - Extensions::barrierGuardModel(namespaceOrGroup, type, subtypes, name, signature, ext, input, + Extensions::barrierGuardModel(namespaceOrGroup, type, _, name, signature, ext, input, acceptingvalue, kind, provenance, madId) and model = "MaD:" + madId.toString() ) @@ -258,15 +262,16 @@ module ModelsAsData { string namespace, string type, boolean subtypes, string name, string signature, string ext, string input, string output, string kind, string provenance, string model ) { + subtypes = true and exists(string namespaceOrGroup | namespace = getNamespace(namespaceOrGroup) | exists(QlBuiltins::ExtensionId madId | - Extensions::summaryModel(namespaceOrGroup, type, subtypes, name, signature, ext, input, - output, kind, provenance, madId) and + Extensions::summaryModel(namespaceOrGroup, type, _, name, signature, ext, input, output, + kind, provenance, madId) and model = "MaD:" + madId.toString() ) or - Input::additionalSummaryModel(namespaceOrGroup, type, subtypes, name, signature, ext, input, - output, kind, provenance, model) + Input::additionalSummaryModel(namespaceOrGroup, type, _, name, signature, ext, input, output, + kind, provenance, model) ) } From 9334e5ab770ef1980ba19577f79cd1c8ac7e70d1 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 13 Jan 2026 10:10:20 +0000 Subject: [PATCH 2/5] Cpp: do not require subtypes = false for any models --- cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll index 7232326f1b3d..474270e5a658 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll @@ -742,7 +742,7 @@ private Function getFunction(string namespace, string type, boolean subtypes, st elementSpec(namespace, type, subtypes, name, _, _) and ( funcHasQualifiedName(result, namespace, name) and - subtypes = false and + subtypes = [true, false] and type = "" or exists(Class namedClass, Class classWithMethod | @@ -990,7 +990,7 @@ private Element interpretElement0( elementSpec(namespace, type, subtypes, name, signature, _) and signature = "" and type = "" and - subtypes = false and + subtypes = [true, false] and result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name)) } From 9e781c27c12a8db129d63e606f723dec0f2e9dcc Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 2 Jan 2026 22:53:27 +0000 Subject: [PATCH 3/5] Accept go test result changes --- .../semmle/go/dataflow/ExternalTaintFlow/srcs.expected | 2 ++ .../semmle/go/dataflow/ExternalValueFlow/srcs.expected | 2 ++ 2 files changed, 4 insertions(+) diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected index f99ee92a4928..627f5d63b03f 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalTaintFlow/srcs.expected @@ -3,9 +3,11 @@ invalidModelRow | test.go:39:8:39:15 | call to Src1 | qltest | | test.go:40:8:40:15 | call to Src2 | qltest | | test.go:40:8:40:15 | call to Src2 | qltest-w-subtypes | +| test.go:41:8:41:16 | call to Src2 | qltest | | test.go:41:8:41:16 | call to Src2 | qltest-w-subtypes | | test.go:42:2:42:21 | ... = ...[0] | qltest | | test.go:42:2:42:21 | ... = ...[1] | qltest-w-subtypes | +| test.go:43:2:43:22 | ... = ...[0] | qltest | | test.go:43:2:43:22 | ... = ...[1] | qltest-w-subtypes | | test.go:44:11:44:13 | arg [postupdate] | qltest-arg | | test.go:59:9:59:16 | call to Src1 | qltest | diff --git a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected index 009238baa4d8..ad67c1440a38 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected +++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/srcs.expected @@ -3,9 +3,11 @@ invalidModelRow | test.go:39:8:39:15 | call to Src1 | qltest | | test.go:40:8:40:15 | call to Src2 | qltest | | test.go:40:8:40:15 | call to Src2 | qltest-w-subtypes | +| test.go:41:8:41:16 | call to Src2 | qltest | | test.go:41:8:41:16 | call to Src2 | qltest-w-subtypes | | test.go:42:2:42:21 | ... = ...[0] | qltest | | test.go:42:2:42:21 | ... = ...[1] | qltest-w-subtypes | +| test.go:43:2:43:22 | ... = ...[0] | qltest | | test.go:43:2:43:22 | ... = ...[1] | qltest-w-subtypes | | test.go:44:11:44:13 | arg [postupdate] | qltest-arg | | test.go:59:9:59:16 | call to Src1 | qltest | From 3b7b1a54f8fd985f9652e0061e23f5065c162a2d Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 2 Jan 2026 22:53:42 +0000 Subject: [PATCH 4/5] Accept java test result changes --- .../ql/test/library-tests/dataflow/external-models/srcs.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/test/library-tests/dataflow/external-models/srcs.expected b/java/ql/test/library-tests/dataflow/external-models/srcs.expected index 637deb94fba7..b358414460a5 100644 --- a/java/ql/test/library-tests/dataflow/external-models/srcs.expected +++ b/java/ql/test/library-tests/dataflow/external-models/srcs.expected @@ -7,6 +7,7 @@ invalidModelRow | A.java:7:9:7:16 | src1(...) | qltest-alt | | A.java:10:9:10:18 | src2(...) | qltest | | A.java:10:9:10:18 | src2(...) | qltest-w-subtypes | +| A.java:11:9:11:18 | src3(...) | qltest | | A.java:11:9:11:18 | src3(...) | qltest-w-subtypes | | A.java:13:5:13:13 | this <.method> [post update] | qltest-argany | | A.java:13:12:13:12 | x [post update] | qltest-argany | From d61033945819ff0d0e9ebd320643234f0ea74351 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 2 Jan 2026 22:53:16 +0000 Subject: [PATCH 5/5] Accept cpp test result changes --- .../dataflow/models-as-data/interpretElement.expected | 1 + cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected | 1 + 2 files changed, 2 insertions(+) diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.expected b/cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.expected index e69de29bb2d1..72e39d88868a 100644 --- a/cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.expected +++ b/cpp/ql/test/library-tests/dataflow/models-as-data/interpretElement.expected @@ -0,0 +1 @@ +| tests.cpp:296:6:296:21 | subtypeNonSource | Unexpected result: interpretElement | diff --git a/cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected b/cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected index e69de29bb2d1..6a4419f21ee2 100644 --- a/cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected +++ b/cpp/ql/test/library-tests/dataflow/models-as-data/taint.expected @@ -0,0 +1 @@ +| tests.cpp:340:11:340:26 | call to subtypeNonSource | Unexpected result: ir |