C++: Recommended way for adding custom taint sources

[artem-smotrakov]

Hey team! I have custom remote taint sources for my codebase which I currently enable like this

import semmle.code.cpp.security.Security

class MySecurityOptions extends SecurityOptions {

  override predicate isUserInput(Expr expr, string cause) {
    SecurityOptions.super.isUserInput(expr, cause)
    or
    exists(MyTaintSource source | source.isUserInput(expr, cause))
  }
}

Then, I import it in cpp.qll like this

[...]
import MySecurityOptions

When I upgraded to the latest CodeQL, I see a deprecation warning for isUserInput(). If I understand correctly, this API was deprecated in 2.18.1. Unfortunately, the release notes didn't mention this deprecation and what should be used instead.

Going forward, what is the recommended way for adding custom taint sources and other security customizations for C++?

Thank you!

[jketema]

This was deprecated in CodeQL 2.16.0. For the change note see: https://github.com/github/codeql/blob/59e22f6cd93968492d15ad5bf6d1a8529cf1015b/cpp/ql/lib/change-notes/released/0.12.3.md?plain=1#L5

An alternative, and more recent, way of modelling is described here: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/

[artem-smotrakov]

Thanks!

Do I understand correctly, that the extension mechanism does not allow plugging in custom CodeQL code to the standard lib? I guess the only way to do that is to create a model pack with

extensionTargets:
  codeql/cpp-all: ...

but model packs are not currently supported by C++.

https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack

Is that correct?

[jketema]

That's correct.

[artem-smotrakov]

Cool. Hope model packs will be available for C++ soon. This feature looks quite nice. Thanks!