JS: Add more metric queries #3779
Conversation
|
|
||
| /** A file we ignore because it is a test file or compiled/generated/bundled code. */ | ||
| class IgnoredFile extends File { | ||
| IgnoredFile() { |
There was a problem hiding this comment.
How about using ClassifyFiles::classify/2 here?
(or in a different PR, since this PR just moves the class)
There was a problem hiding this comment.
My worry was that changes to classification would make metrics incomparable over time so I'd rather have something that excludes the most obviously uninteresting code but otherwise is fixed.
This was something that bit me when I tried to classify external calls in order measure the relative call graph completeness more accurately. It meant the goal posts kept moving and the results were much harder to interpret.
But now is definitely a good time to review this class so please suggest improvements if you think of any.
There was a problem hiding this comment.
I see. Lets keep it simple then.
Perhaps we should measure the size of classify/2 as a metric as well. If we see that it is stable in practice, then there's little harm in focusing our results with it.
(Hmm. We will even have problems without classify/2 moving goal posts. js/meta/tainted-nodes will decrease when js/meta/sanitizers-reachable-from-source increases...)
There was a problem hiding this comment.
If js/meta/tainted-nodes decreases due to the addition of more sanitizers, isn't that just the case of some of the old ones being FPs? All the metrics can decrease when removing FPs.
There was a problem hiding this comment.
Right. Never mind that latter comment.
|
|
||
| predicate relevantStep(DataFlow::Node pred, DataFlow::Node succ) { | ||
| any(BasicTaintConfiguration cfg).isAdditionalFlowStep(pred, succ) and | ||
| not pred.getFile() instanceof IgnoredFile and |
There was a problem hiding this comment.
I think we should count it if we step into a file that we do not ignore.
Ideally, we can track taint flow through a minimised library into the ordinary client code.
There was a problem hiding this comment.
Hm, one of the issues I wanted to avoid is having to triage results involving minified files. That's also something that can be solved at the UI level, like the dist-compare reports currently do for ordinary alerts, and if we do that maybe we won't need IgnoredFile at all. Even as I write this it seems obvious that that's what we should do, but maybe we can keep it like this until that's ready?
Adds some of the metrics described in https://github.com/github/codeql-javascript-team/issues/191 and cherry-picks the TypedExprs metric from #3731.
Example run, unfortunately with a buggy version of TaintedSink, and a shorter run with that bug fixed.