From 961911c1747b971b2255418837e6b93c386260ba Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Sat, 11 Apr 2026 08:23:04 +0300 Subject: [PATCH 01/31] chore(docs): Source mathcing enrichment --- ...04-11-source-matching-enrichment-design.md | 289 ++++++++++++++++++ 1 file changed, 289 insertions(+) create mode 100644 docs/specs/2026-04-11-source-matching-enrichment-design.md diff --git a/docs/specs/2026-04-11-source-matching-enrichment-design.md b/docs/specs/2026-04-11-source-matching-enrichment-design.md new file mode 100644 index 00000000..d71fb9dd --- /dev/null +++ b/docs/specs/2026-04-11-source-matching-enrichment-design.md @@ -0,0 +1,289 @@ +# Source-Matching Enrichment for Semgrep Pattern Language Support + +**Date:** 2026-04-11 +**Status:** Draft +**Branch:** misonijnik/source-matching + +## Problem Statement + +OpenTaint translates Semgrep pattern-rules (source-level patterns) into taint configs (bytecode-level configurations). There is a gap in three areas of the Semgrep pattern language for Java: + +1. **Type arguments/generics** — Currently ignored (`TypeArgumentsIgnored`). Pattern `Map` becomes just `Map`. +2. **Array return types** — Not supported in method declarations (`MethodDeclarationReturnTypeIsArray`). The return type constraint is skipped. +3. **Concrete return types** — Only metavariable return types supported (`MethodDeclarationReturnTypeIsNotMetaVar`). Pattern `String foo(...)` can't constrain on the `String` return type. + +The root cause: JVM bytecode uses type erasure — `Map` and `Map` are both `java.util.Map` in bytecode descriptors. The existing pipeline tries to translate source-level patterns directly to bytecode-level matchers, losing generic type information in the process. + +## Proposed Solution: Source Pre-Resolution Enrichment + +Instead of trying to match generics at the bytecode level, use the project's source code (which has full generic information) to pre-resolve patterns and generate precise bytecode-level taint rules. + +### Key Insight + +Semgrep patterns always match against **user project source code**, not library source code. The project source is always available during analysis (the tool already resolves source files via `JIRSourceFileResolver`). This means source-level matching is feasible for all patterns. + +Example: `(Map $M).get(...)` — this matches a call site in the user's code where a variable declared as `Map` has `.get()` called on it. The library source for `java.util.Map` is never needed. + +### Architecture + +``` +Semgrep YAML Rule + | + v +Parse patterns (existing pipeline) + | + v +[NEW] Source pre-resolution phase: + - Scan project .java files using existing ANTLR Java parser + - Match Semgrep patterns against source ASTs + - Extract: exact class, method, line, erased types, + variable bindings with full generic type info + | + v +Generate enriched taint rules: + - Produce precise rules targeting exact matched locations + - Use extracted erased types for bytecode-level matching + - Generic type info used to filter matches (not stored in taint rules) + | + v +Existing bytecode IFDS analysis (unchanged) +``` + +### Why Not Bytecode-Only? + +Three alternative approaches were considered and rejected: + +**Approach A: Extend automata `MethodSignature` with return type.** +- Would add a `returnType` field to the automata predicate, flowing through to `SerializedSignatureMatcher.Partial`. +- Pros: Uses purpose-built `signature.return` field; fast matching at runtime (pre-filters before condition resolution). +- Cons: Larger change surface in automata model; risks breaking determinization/edge merging; doesn't solve generics at all. + +**Approach B: Use `SerializedCondition.IsType` on `PositionBase.Result`.** +- Would add return type as a condition using the existing constraint system. +- Pros: Minimal automata change; reuses existing `IsType` → `resolveIsType()` plumbing. +- Cons: Doesn't solve generics; condition-based matching evaluates later than signature filtering. + +**Both A and B fail on generics** because `JIRMethod.returnType.typeName` is the erased bytecode type (from `MethodInfo.returnClass` which uses `Type.getReturnType(desc).className`). The `JIRTypedMethod` has full generic info, but the matching infrastructure uses `JIRMethod`. + +**Approach C (this design): Source pre-resolution enrichment.** +- Matches patterns against source ASTs where full type information (generics, arrays, concrete types) is available. +- Generates precise taint rules from the matched information. +- Solves all three gaps uniformly. + +## Existing Infrastructure + +### What Already Exists + +| Component | Location | Relevance | +|---|---|---| +| ANTLR Java grammar | `opentaint-java-querylang` (`JavaLexer.g4`, `JavaParser.g4`) | Parse project source files | +| Java AST parsing | `JavaAstSpanResolver` | Already parses `.java` into ANTLR parse trees | +| Semgrep pattern parser | `SemgrepJavaPatternParser` | Produces `SemgrepJavaPattern` AST from pattern strings | +| Source file resolver | `JIRSourceFileResolver` | Locates `.java` files from bytecode classes | +| Project source root | `Project.sourceRoot`, `Module.moduleSourceRoot` | Root paths for source files | +| Pattern AST types | `SemgrepJavaPattern.kt` | Full pattern representation including `TypeName.SimpleTypeName.typeArgs` and `TypeName.ArrayTypeName` | +| Type name patterns | `TypeNamePattern` in `ParamCondition.kt` | Already has `ArrayType`, `ClassName`, `FullyQualified`, `MetaVar`, `AnyType` | +| Serialized type matchers | `SerializedTypeNameMatcher` | `ClassPattern`, `Array` variants for bytecode matching | +| Serialized signature matchers | `SerializedSignatureMatcher.Partial` | Already has `return: SerializedTypeNameMatcher?` and `params` fields | +| Runtime signature matching | `TaintConfiguration.kt:281-307` | `matchFunctionSignature()` already evaluates `return` on `Partial` matchers | + +### What's New (Needs Implementation) + +1. **Source pattern matcher** — Matches `SemgrepJavaPattern` nodes against ANTLR `JavaParser` parse tree nodes. Must support: + - Method invocations with typed receiver (`(Type $X).method(...)`) + - Method declarations with return types (concrete, array, generic) + - Object creation with type arguments (`new Type(...)`) + - Variable declarations with full type info + - Metavariable binding and ellipsis handling + - `pattern-inside` / `pattern-not-inside` structural constraints + +2. **Match-to-taint-rule converter** — Takes source match results and produces `SerializedRule` instances with precise function matchers and signatures. + +3. **Integration into analysis pipeline** — A new phase between rule loading and bytecode analysis that scans source files and enriches taint rules. + +## Key Data Flow Details + +### Pattern Parsing (existing) + +The `SemgrepJavaPattern` AST already correctly represents all three gap features: + +```kotlin +// TypeName already supports generics and arrays: +sealed interface TypeName { + data class SimpleTypeName( + val dotSeparatedParts: List, + val typeArgs: List = emptyList() // <-- generics preserved + ) : TypeName + + data class ArrayTypeName(val elementType: TypeName) : TypeName // <-- arrays preserved +} + +// MethodDeclaration already carries return type: +data class MethodDeclaration( + val name: Name, + val returnType: TypeName?, // <-- concrete return types preserved + val args: MethodArguments, + val body: SemgrepJavaPattern, + val modifiers: List, +) +``` + +The information is parsed correctly — it's only discarded during the `PatternToActionListConverter` step (lines 229-231, 559-571). + +### Where the Gaps Are Triggered + +In `PatternToActionListConverter.transformMethodDeclaration()` (lines 547-573): + +```kotlin +// Return type handling — currently discards everything except metavar: +val retType = pattern.returnType +if (retType != null) { + run { + if (retType !is TypeName.SimpleTypeName) { + semgrepTrace?.error(MethodDeclarationReturnTypeIsArray()) // Gap 2: array skipped + return@run + } + val retTypeMetaVar = retType.dotSeparatedParts.singleOrNull() as? MetavarName + if (retTypeMetaVar == null) { + semgrepTrace?.error(MethodDeclarationReturnTypeIsNotMetaVar()) // Gap 3: concrete skipped + } + if (retType.typeArgs.isNotEmpty()) { + semgrepTrace?.error(MethodDeclarationReturnTypeHasTypeArgs()) // Gap 1 (return-specific) + } + } +} +``` + +In `PatternToActionListConverter.transformSimpleTypeName()` (lines 228-231): + +```kotlin +// Type arguments — currently discarded everywhere: +if (typeName.typeArgs.isNotEmpty()) { + semgrepTrace?.error(TypeArgumentsIgnored()) // Gap 1: generics dropped +} +``` + +### Taint Rule Generation (existing, to be leveraged) + +Generated rules currently always pass `signature = null`: +```kotlin +SerializedRule.Source(function, signature = null, overrides = true, cond, actions, info) +``` + +After source matching, we can populate `signature` with precise matchers: +```kotlin +SerializedRule.Source( + function = SerializedFunctionNameMatcher.Complex(package, class, method), + signature = SerializedSignatureMatcher.Partial( + params = listOf(SerializedArgMatcher(0, Simple("java.util.Map"))), + `return` = Simple("java.util.List") + ), + overrides = true, + condition = cond, + taint = actions, + info = info +) +``` + +### Runtime Matching (existing, already works) + +`TaintConfiguration.matchFunctionSignature()` already handles `Partial` signatures: +```kotlin +is SerializedSignatureMatcher.Partial -> { + val ret = `return` + if (ret != null && !ret.match(method.returnType.typeName)) return false + // params matching... + return true +} +``` + +This uses `method.returnType.typeName` (erased type), which is correct — the source matching phase already filtered by full generic types and only the erased type needs to be verified at bytecode level. + +## Open Design Questions + +### 1. Enrichment Granularity + +**Method-level:** Source matching identifies which methods match the pattern. Generated taint rules target those methods by class + name + descriptor. + +**Call-site-level:** Source matching identifies specific call sites (class + method + bytecode instruction). Can distinguish two `Map` variables with different type args in the same method. + +The `(Map $M).get(...)` example motivates call-site-level: two `Map` variables in the same method with different type arguments should be distinguishable. This may require taint rules to reference specific program points, which is an extension to the current rule model. + +**Decision needed:** What level of granularity is required? + +### 2. Fallback Behavior + +When source files are unavailable (e.g., analyzing a JAR without sources), should the system: +- Fall back to current bytecode-only matching (with the existing warnings)? +- Refuse to apply rules that require source matching? +- Apply best-effort bytecode matching (ignoring generics)? + +**Decision needed:** Fallback strategy. + +### 3. Incremental vs. Full Scan + +Should source matching: +- Scan all source files for every rule? +- Build an index of declarations/invocations and query it per-rule? +- Use the existing class index to narrow which files to scan? + +**Decision needed:** Performance strategy. + +### 4. Pattern Language Scope + +This design focuses on three specific gaps. Should the source matching engine also handle other currently-unsupported features? +- `pattern-regex` (matching raw source text) — natural fit for source matching +- `metavariable-comparison` — could extract constant values from source +- Complex `metavariable-pattern` — nested source-level constraints + +**Decision needed:** Initial scope vs. extensibility plan. + +## Test Strategy + +### Unit Tests + +- Source pattern matcher: test each pattern construct (invocations, declarations, generics, arrays) against known Java source snippets +- Match-to-rule converter: test that extracted source info produces correct `SerializedRule` instances +- Type resolution: test that generic types are correctly extracted and erased types derived + +### Integration Tests + +- End-to-end: YAML rule + Java source file -> enriched taint rules -> correct findings +- Regression: existing rules continue to work (no behavioral changes for rules that don't use generics/arrays/concrete return types) + +### E2E Tests (Rules Test System) + +The existing rules test infrastructure (`@PositiveRuleSample` / `@NegativeRuleSample` annotations, `checkRulesCoverage` task) should be extended with: + +- Test samples using generic types (e.g., `Map`, `List`) +- Test samples with array return types +- Test samples with concrete return types +- Negative samples verifying that `Map` does NOT match a pattern for `Map` + +These tests exercise the full pipeline: YAML rule -> source matching -> taint rule -> bytecode analysis -> SARIF output. + +## File Impact Summary + +### New Files (Estimated) + +| File | Purpose | +|---|---| +| `SourcePatternMatcher.kt` | Matches `SemgrepJavaPattern` against ANTLR parse trees | +| `SourceMatchResult.kt` | Data classes for match results (class, method, types, positions) | +| `SourceMatchToTaintRuleConverter.kt` | Converts match results to `SerializedRule` instances | +| `SourcePreResolutionPhase.kt` | Orchestrates source scanning and rule enrichment | + +### Modified Files (Estimated) + +| File | Change | +|---|---| +| `PatternToActionListConverter.kt` | Route patterns needing source matching to the new phase instead of emitting warnings | +| `SemgrepRuleAutomataBuilder.kt` | Integrate source pre-resolution before automata build | +| `ProjectAnalyzerRunner.kt` | Add source pre-resolution phase to analysis pipeline | + +### Unchanged + +- `TaintCondition.kt` — No new condition types needed +- `SerializedSignatureMatcher.kt` — `Partial` already supports `return` and `params` +- `TaintConfiguration.kt` — Runtime matching already handles populated signatures +- IFDS dataflow engine — Unchanged From 3a24e324290e690e8fface8c083e9fdd4f0faa2e Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Sun, 12 Apr 2026 03:12:52 +0300 Subject: [PATCH 02/31] docs: Type-aware pattern matching design spec Replace source pre-resolution approach with simpler plumbing fix: preserve generic type args through the existing pipeline and match against JIRTypedMethod at runtime. Covers method-level signatures and call-site receiver generics via LocalVariableTypeTable. --- .../2026-04-11-symbolic-sequence-alignment.md | 224 +++++++++++ ...4-12-type-aware-pattern-matching-design.md | 352 ++++++++++++++++++ 2 files changed, 576 insertions(+) create mode 100644 docs/specs/2026-04-11-symbolic-sequence-alignment.md create mode 100644 docs/specs/2026-04-12-type-aware-pattern-matching-design.md diff --git a/docs/specs/2026-04-11-symbolic-sequence-alignment.md b/docs/specs/2026-04-11-symbolic-sequence-alignment.md new file mode 100644 index 00000000..2b5ee9b0 --- /dev/null +++ b/docs/specs/2026-04-11-symbolic-sequence-alignment.md @@ -0,0 +1,224 @@ +# Symbolic Sequence Alignment: Source-to-Bytecode Linking Without Debug Info + +**Date:** 2026-04-11 +**Status:** Research Note +**Context:** Multi-level IR design for Semgrep pattern language support + +## Problem + +Given a Java source file (parsed into an ANTLR AST) and the corresponding `.class` file (parsed into JIR bytecode instructions), establish a reliable mapping between specific source-level constructs (method calls, field accesses, object creations) and their corresponding bytecode instructions — **without relying on debug information** (`LineNumberTable`, `LocalVariableTable`). + +Debug info is unreliable because: +- It can be stripped (`-g:none`) +- It provides only line-level granularity (multiple statements per line are ambiguous) +- It's compiler-specific in format details +- It doesn't exist for generated/synthetic code + +## Core Insight: JLS-Mandated Evaluation Order + +The Java Language Specification mandates **left-to-right evaluation order** for: +- Operands of binary operators (JLS 15.7) +- Arguments in method invocations (JLS 15.12.4.2) +- Array dimensions in array creation (JLS 15.10.1) + +This means the sequence of symbolic references (method calls, field accesses) in bytecode is **specification-mandated**, not a compiler implementation detail. Any conforming compiler (javac, ECJ, Kotlin compiler targeting Java interop) must produce them in the same evaluation order. + +## Algorithm + +### Overview + +``` +Source AST (ANTLR) Bytecode (ASM/JIR) + | | + [Walk in evaluation order] [Walk instruction sequence] + | | + [Extract symbolic refs: [Extract symbolic refs: + method calls, field invoke*, getfield, + accesses, object putfield, new + + creations, constants] invokespecial , + | ldc constants] + | | + | [Filter synthetic refs + | using pattern catalog] + | | + +------> SEQUENCE ALIGN <---------+ + | + [Matched pairs: + AST node <-> bytecode offset] +``` + +### Step 1: Extract Symbolic Reference Sequence from Bytecode + +Walk all instructions in a method body. For each instruction that references a symbolic name, record a `BytecodeRef`: + +```kotlin +data class BytecodeRef( + val offset: Int, // bytecode offset + val kind: RefKind, // INVOKE, FIELD_GET, FIELD_PUT, NEW, CONSTANT + val owner: String, // owning class (internal name) + val name: String, // method/field name + val descriptor: String, // JVM descriptor + val isSynthetic: Boolean, // identified as compiler-generated +) + +enum class RefKind { INVOKE, FIELD_GET, FIELD_PUT, NEW, CONSTANT } +``` + +Instructions that produce refs: +- `invokevirtual`, `invokeinterface`, `invokestatic`, `invokespecial` -> `INVOKE` +- `getfield`, `getstatic` -> `FIELD_GET` +- `putfield`, `putstatic` -> `FIELD_PUT` +- `new` (paired with `invokespecial `) -> `NEW` +- `ldc`, `ldc_w`, `ldc2_w` -> `CONSTANT` + +### Step 2: Extract Symbolic Reference Sequence from Source AST + +Walk the AST in **evaluation order** (left-to-right, depth-first — matching JLS semantics). For each method call, field access, object creation, or constant, record a `SourceRef`: + +```kotlin +data class SourceRef( + val node: ParserRuleContext, // ANTLR AST node + val kind: RefKind, + val name: String, // method/field name as written in source + val argCount: Int?, // for method calls, number of arguments +) +``` + +The evaluation-order walk must handle: +- Nested expressions: `a.foo(b.bar())` produces `[bar, foo]` (callee args evaluated before the call) +- Chained calls: `a.foo().bar()` produces `[foo, bar]` +- Binary operators: `a.x() + b.y()` produces `[x, y]` (left before right) +- Short-circuit: `a.x() && b.y()` produces `[x, y]` but `y` is conditional (still in order) + +### Step 3: Filter Synthetic Bytecode References + +Java compilation introduces bytecode instructions with no corresponding source construct. These must be identified and tagged before alignment. + +#### Synthetic Pattern Catalog + +| Source Pattern | Synthetic Bytecode (pre-Java 9) | Synthetic Bytecode (Java 9+) | +|---|---|---| +| String `+` | `new StringBuilder`, `.append()` chain, `.toString()` | `invokedynamic makeConcatWithConstants` | +| Enhanced for (Iterable) | `.iterator()`, `.hasNext()`, `.next()` | same | +| Enhanced for (array) | `arraylength` | same | +| Autoboxing | `Integer.valueOf()`, `Long.valueOf()`, etc. | same | +| Unboxing | `.intValue()`, `.longValue()`, etc. | same | +| Try-with-resources | `.close()`, `addSuppressed()` | same | +| Assert | `getstatic $assertionsDisabled`, `new AssertionError` | same | +| Enum switch | synthetic `$SwitchMap$...` array access | same | +| Lambda | `invokedynamic` (LambdaMetafactory) | same | +| String switch | `.hashCode()`, `.equals()` on switch expression | same | +| Instanceof pattern (16+) | `checkcast` after `instanceof` | same | +| Record accessors | synthetic accessor methods | same | + +Detection heuristics: +- **Bridge methods**: `ACC_BRIDGE` flag in method access flags +- **Synthetic methods**: `ACC_SYNTHETIC` flag +- **Lambda bodies**: Method name matches `lambda$$` pattern +- **String concat**: `makeConcatWithConstants` bootstrap method +- **Boxing/unboxing**: Calls to `.valueOf()` or `.Value()` that don't appear in source +- **Iterator protocol**: Sequence `iterator() -> hasNext() -> next()` within a loop structure + +### Step 4: Sequence Alignment + +Align the filtered bytecode refs with the source refs using a variant of the Longest Common Subsequence (LCS) algorithm with domain-specific scoring: + +**Strong match** (high score): +- Same method/field name AND compatible descriptor AND same ref kind +- Example: source `obj.parse(x)` <-> bytecode `invokevirtual Foo.parse:(Ljava/lang/String;)I` + +**Partial match** (medium score): +- Same method/field name AND same ref kind, but descriptor can't be verified (no type resolution on source side) +- Example: source `obj.process(x)` <-> bytecode `invokevirtual Foo.process:(I)V` (we know the name matches but can't verify arg types from source alone) + +**No match** (skip): +- Unmatched bytecode refs -> synthetic (compiler-generated) +- Unmatched source refs -> inlined constants or optimized away + +For most methods, alignment is trivial: after filtering synthetics, the sequences are the same length and in the same order, giving 1:1 correspondence. + +## Reliability Assessment + +| Construct | Reliability | Notes | +|---|---|---| +| Simple method calls | **Excellent** | Name + descriptor + order = unambiguous | +| Field accesses | **Excellent** | Name + owner class + order | +| Object creation (`new`) | **Excellent** | `new` + `invokespecial ` pattern is invariant | +| String concatenation | **Good** | Need version-aware synthetic detection | +| Enhanced for-loops | **Good** | Well-defined iterator/array patterns | +| Lambdas | **Good** | `invokedynamic` is recognizable; body in synthetic method | +| Try-with-resources | **Moderate** | Complex synthetic code, well-defined pattern | +| Inlined constants | **Moderate** | Match by value (`ldc` value = source literal value) | +| Overloaded methods | **Depends** | Without type resolution, arg count disambiguates many cases | +| Compiler independence | **Good** | Symbolic sequence is JLS-mandated; only synthetic catalog varies | + +## Edge Cases and Mitigations + +### Overloaded Methods + +When source has `obj.foo(x)` and the class has multiple `foo` methods, the bytecode descriptor disambiguates but the source ref may not carry type info. + +**Mitigation**: Use argument count as a discriminator. If ambiguity remains, the alignment algorithm can use positional context (surrounding matched refs) to resolve. + +### Conditional Evaluation (Short-Circuit, Ternary) + +`a.x() && b.y()` — both calls appear in bytecode but `y()` is behind a branch. The symbolic sequence still has both refs in source order; they just appear in different basic blocks in bytecode. + +**Mitigation**: Flatten the bytecode control flow for alignment purposes — walk all basic blocks in a linearized order that respects source evaluation order. + +### Nested Lambdas + +Lambda bodies are compiled to separate synthetic methods. The lambda *creation* (invokedynamic) appears in the enclosing method's bytecode. + +**Mitigation**: Align the lambda creation point in the enclosing method. Lambda body matching is a separate alignment pass on the synthetic method vs. the lambda expression's AST subtree. + +### Compiler-Specific Optimizations + +Some compilers may perform limited optimizations (constant folding, dead code elimination). + +**Mitigation**: The alignment algorithm tolerates gaps (unmatched refs on either side). Gaps are expected and handled gracefully. + +## Complexity Estimate + +| Component | Lines (est.) | Complexity | +|---|---|---| +| Bytecode symbolic ref extraction | ~200 | Low (ASM visitor) | +| AST evaluation-order walk | ~500-800 | Medium (handle all expression types) | +| Synthetic pattern catalog | ~300-500 | Medium (version-aware, needs maintenance) | +| Sequence alignment | ~100-200 | Low (LCS variant) | +| **Total** | **~1100-1700** | **Medium** | + +## Relationship to Existing Infrastructure + +### What Already Exists in OpenTaint + +| Component | Used By | Can Reuse? | +|---|---|---| +| `JavaAstSpanResolver` | SARIF reporting | **Yes** — already walks AST + matches by instruction kind + method name. Currently uses line numbers as primary filter; could be extended with symbolic alignment as primary strategy. | +| `JIRSourceFileResolver` | Class-to-file mapping | **Yes** — narrows which source file to parse for a given bytecode class. | +| `JIRTypedMethod` | Type resolution | **Yes** — provides full generic types from Signature attribute. For method-level matching, this may suffice without source alignment. | +| `RawInstListBuilder` | Bytecode loading | **Yes** — already walks all instructions. Symbolic ref extraction can piggyback. | +| `JIRCallExpr` | Instruction metadata | **Yes** — already carries callee name, descriptor, owner class. This IS the bytecode symbolic ref. | + +### Key Difference from Current Approach + +Current `JavaAstSpanResolver` strategy: +1. Get line number from bytecode instruction +2. Find AST nodes on that line +3. Filter by instruction kind + name + +Proposed symbolic alignment strategy: +1. Extract full symbolic ref sequence from bytecode method +2. Extract full symbolic ref sequence from source AST method +3. Align sequences (line numbers used as optional tiebreaker, not primary signal) +4. Each match links an AST node to a specific bytecode offset + +The symbolic approach is **more reliable** (works without debug info) and **more precise** (disambiguates multiple calls on the same line). + +## Open Questions + +1. **Type resolution scope**: Should source-side type resolution be attempted (using classpath) to improve matching precision for overloaded methods? Or is name + arg count + position sufficient? + +2. **Incremental alignment**: When source changes but bytecode hasn't been recompiled, the alignment will fail. How should staleness be detected and handled? + +3. **Multi-language**: For Kotlin, the compilation model differs (extension functions, coroutines, companion objects). The synthetic pattern catalog needs a Kotlin-specific section. The core alignment algorithm (JLS evaluation order) doesn't directly apply — Kotlin has its own specification. diff --git a/docs/specs/2026-04-12-type-aware-pattern-matching-design.md b/docs/specs/2026-04-12-type-aware-pattern-matching-design.md new file mode 100644 index 00000000..2a0526df --- /dev/null +++ b/docs/specs/2026-04-12-type-aware-pattern-matching-design.md @@ -0,0 +1,352 @@ +# Type-Aware Pattern Matching for Semgrep Pattern Language + +**Date:** 2026-04-12 +**Status:** Approved +**Branch:** misonijnik/source-matching +**Supersedes:** `2026-04-11-source-matching-enrichment-design.md` (the "source pre-resolution" approach is replaced by this simpler plumbing fix) + +## Problem Statement + +OpenTaint translates Semgrep pattern-rules (source-level patterns) into taint configs (bytecode-level configurations). Three Semgrep pattern language features for Java are currently broken: + +1. **Type arguments/generics** — Pattern `Map` becomes just `Map` (`TypeArgumentsIgnored` warning at `PatternToActionListConverter.kt:229`) +2. **Array return types** — Pattern `String[] foo(...)` loses the return type constraint (`MethodDeclarationReturnTypeIsArray` at line 559) +3. **Concrete return types** — Pattern `String foo(...)` loses the return type constraint (`MethodDeclarationReturnTypeIsNotMetaVar` at line 565) + +Two matching scenarios are affected: + +- **Scenario 1 (method declarations):** `String[] foo(Map $M, ...)` — constraining the declared method's return type and parameter types +- **Scenario 2 (call-site receivers):** `(Map $M).get(...)` — constraining the generic type of the receiver variable at the call site + +## Key Insight: Bytecode Already Has the Type Information + +The JVM preserves generic type signatures in bytecode through two mechanisms: + +1. **Signature attribute** on classes, methods, and fields — preserves full generic signatures (e.g., `Ljava/util/List;`). Already parsed by `JIRTypedMethod` via `MethodSignature.kt` / `FieldSignature.kt`. + +2. **LocalVariableTypeTable attribute** — preserves generic signatures for local variables. Already accessible via `JIRTypedMethod.typeOf(LocalVariableNode)` at `JIRTypedMethodImpl.kt:119`. + +**No source parsing, no new IR levels, no multi-level architecture needed.** The fix is plumbing: stop discarding type information in the conversion pipeline and use the typed method infrastructure that already exists in the IR. + +## Design + +### Architecture Overview + +The change flows through the existing pipeline without introducing new stages: + +``` +Semgrep YAML Rule + │ + ▼ +SemgrepJavaPattern (pattern AST — already preserves type args, arrays, concrete types) + │ + ▼ +PatternToActionListConverter ──► SemgrepPatternAction with TypeNamePattern + │ NOW PRESERVES: typeArgs, array returns, concrete returns + ▼ +ActionListToAutomata ──► SemgrepRuleAutomata (TypeNamePattern passes through unchanged) + │ + ▼ +AutomataToTaintRuleConversion.typeMatcher() ──► SerializedRule with SerializedTypeNameMatcher + │ NOW CARRIES: typeArgs on ClassPattern + ▼ +TaintConfiguration.matchFunctionSignature() ──► matches against JIRTypedMethod (generic types) + │ INSTEAD OF: JIRMethod (erased types) + ▼ +JIRBasicAtomEvaluator.typeMatchesPattern() ──► resolves receiver local var generic type + via LocalVariableTypeTable +``` + +### Change 1: Preserve Type Args in TypeNamePattern + +**File:** `core/opentaint-java-querylang/.../conversion/SemgrepPatternAction.kt` + +Add `typeArgs` field to `ClassName` and `FullyQualified`: + +```kotlin +sealed interface TypeNamePattern { + data class ClassName( + val name: String, + val typeArgs: List = emptyList() // NEW + ) : TypeNamePattern + + data class FullyQualified( + val name: String, + val typeArgs: List = emptyList() // NEW + ) : TypeNamePattern + + // ArrayType, PrimitiveName, MetaVar, AnyType — unchanged +} +``` + +**File:** `core/opentaint-java-querylang/.../conversion/PatternToActionListConverter.kt` + +Three changes: + +1. **`transformSimpleTypeName()` (line 228-231):** Remove the `TypeArgumentsIgnored` warning. Map `typeName.typeArgs` to `TypeNamePattern` recursively: + ```kotlin + private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { + val typeArgs = typeName.typeArgs.map { transformTypeName(it) } + // ... existing name resolution logic ... + return TypeNamePattern.ClassName(className, typeArgs) + } + ``` + +2. **`transformMethodDeclaration()` (lines 559-571):** Remove the three return-type guards. Flow the return type through: + ```kotlin + val retType = pattern.returnType + if (retType != null) { + val retTypePattern = transformTypeName(retType) + // Use retTypePattern in method signature action + } + ``` + +3. **Populate signature on emitted actions:** The `MethodSignature` action already has a `methodName` and `params` — add a `returnType: TypeNamePattern?` field to carry the return type pattern. The downstream `evaluateFormulaSignature()` in `AutomataToTaintRuleConversion.kt` will convert this to `SerializedSignatureMatcher.Partial(return = ...)` using the existing `typeMatcher()` function. + +### Change 2: Carry Type Args Through Serialization + +**File:** `core/opentaint-configuration-rules/.../serialized/SerializedNameMatcher.kt` + +Add `typeArgs` to `ClassPattern`: + +```kotlin +sealed interface SerializedTypeNameMatcher { + data class ClassPattern( + val `package`: SerializedSimpleNameMatcher, + val `class`: SerializedSimpleNameMatcher, + val typeArgs: List = emptyList() // NEW + ) : SerializedTypeNameMatcher + + data class Array(val element: SerializedTypeNameMatcher) : SerializedTypeNameMatcher + // rest unchanged +} +``` + +**File:** `core/opentaint-java-querylang/.../taint/AutomataToTaintRuleConversion.kt` + +In `typeMatcher()` (line 802-892), propagate type args: + +```kotlin +is TypeNamePattern.ClassName -> MetaVarConstraintFormula.Constraint( + SerializedTypeNameMatcher.ClassPattern( + `package` = anyName(), + `class` = Simple(typeName.name), + typeArgs = typeName.typeArgs.mapNotNull { typeMatcher(it, semgrepRuleTrace)?.constraint } + ) +) +``` + +### Change 3: Match Against JIRTypedMethod at Runtime (Scenario 1) + +**File:** `core/opentaint-jvm-sast-dataflow/.../rules/TaintConfiguration.kt` + +**`matchFunctionSignature()` (lines 281-308):** Change parameter from `JIRMethod` to `JIRTypedMethod` (or accept both, resolving typed from erased via classpath lookup): + +```kotlin +private fun SerializedSignatureMatcher.matchFunctionSignature(typedMethod: JIRTypedMethod): Boolean { + when (this) { + is SerializedSignatureMatcher.Partial -> { + val ret = `return` + if (ret != null && !ret.matchType(typedMethod.returnType)) return false + val params = params + if (params != null) { + for (param in params) { + val methodParam = typedMethod.parameters.getOrNull(param.index) ?: return false + if (!param.type.matchType(methodParam.type)) return false + } + } + return true + } + // Simple matcher handling similar + } +} +``` + +New `matchType()` overload on `SerializedTypeNameMatcher`: + +```kotlin +private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { + // No type args → fall back to erased name matching (backward compat) + this is ClassPattern && typeArgs.isEmpty() -> match(type.erasedName) + + // Has type args → structural comparison against JIRClassType + this is ClassPattern && type is JIRClassType -> { + match(type.erasedName) && + typeArgs.size == type.typeArguments.size && + typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } + } + + // Array matching + this is Array && type is JIRArrayType -> element.matchType(type.elementType) + + // Default: erased matching + else -> match(type.erasedName) +} +``` + +**Resolving `JIRTypedMethod` from `JIRMethod`:** The call sites that invoke `matchFunctionSignature()` need to resolve the typed method. `JIRClassType.lookup` or `JIRClassType.declaredMethods` provide `JIRTypedMethod` instances. The classpath is already available in `TaintConfiguration`. + +### Change 4: Call-Site Receiver Generic Matching (Scenario 2) + +**File:** `core/opentaint-configuration-rules/.../TaintCondition.kt` + +Extend `TypeMatchesPattern` to carry type args: + +```kotlin +data class TypeMatchesPattern( + val position: Position, + val pattern: ConditionNameMatcher, + val typeArgs: List = emptyList() // NEW +) : Condition +``` + +**File:** `core/opentaint-jvm-sast-dataflow/.../rules/TaintConfiguration.kt` + +In `resolveIsType()` (lines 674-708), when the `IsType` matcher has `typeArgs` and position is `This`: + +```kotlin +is This -> { + // Erased class check (existing) + if (!normalizedTypeIs.match(method.enclosingClass.name)) { + // ... existing super-hierarchy check ... + } + // When type args present, defer to instruction-level evaluation + if (normalizedTypeIs.hasTypeArgs()) { + return TypeMatchesPattern(This, matcher, normalizedTypeIs.typeArgs) + } + // Otherwise: existing eager resolution +} +``` + +**File:** `core/opentaint-jvm-sast-dataflow/.../JIRBasicAtomEvaluator.kt` + +In `typeMatchesPattern()` (lines 328-347), when `typeArgs` is non-empty: + +```kotlin +override fun visit(condition: TypeMatchesPattern): Condition { + // Existing erased type check first + val value = positionResolver.resolve(condition.position) ?: return condition + val type = value.type as? JIRRefType ?: return mkFalse() + if (!condition.pattern.matches(type.typeName)) return mkFalse() + + // NEW: Generic type args check + if (condition.typeArgs.isNotEmpty()) { + val genericType = resolveGenericType(value) + if (genericType is JIRClassType) { + if (genericType.typeArguments.size != condition.typeArgs.size) return mkFalse() + val allMatch = condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> + matcher.matchType(arg) + } + return allMatch.asCondition() + } + // Can't resolve generics → fall back to erased match (true, already passed above) + return mkTrue() + } + // ... existing logic +} + +private fun resolveGenericType(value: JIRValue): JIRType? { + // 1. Get the local variable index from the JIRValue + val localVarIndex = (value as? JIRLocalVar)?.index ?: return null + + // 2. Find the LocalVariableNode for this index at the current instruction + val localVarNode = findLocalVariable(localVarIndex) ?: return null + + // 3. Resolve generic type via JIRTypedMethod + return typedMethod.typeOf(localVarNode) +} +``` + +**Context requirements:** `JIRBasicAtomEvaluator` needs access to: +- The enclosing `JIRTypedMethod` (for `typeOf()`) +- The ASM `MethodNode.localVariables` list (for `LocalVariableNode` lookup) +- The current instruction (for scoping the `LocalVariableNode` to the right range) + +These are available through the `analysisContext` and the `statement` already passed to the evaluator. + +### Graceful Degradation + +| Scenario | Behavior | +|---|---| +| `typeArgs` empty on matcher | Erased matching — identical to current behavior | +| Bytecode has no Signature attribute | `JIRTypedMethod` falls back to erased types → type args comparison skipped | +| `LocalVariableTypeTable` absent | `LocalVariableNode.signature` is null → `typeOf()` returns erased type → type args check skipped | +| Receiver is not a local variable | `resolveGenericType()` returns null → falls back to erased matching | +| Existing rules without generics | All `typeArgs` fields default to empty → zero behavior change | + +### Backward Compatibility + +All changes are additive: +- `TypeNamePattern.ClassName.typeArgs` defaults to `emptyList()` +- `SerializedTypeNameMatcher.ClassPattern.typeArgs` defaults to `emptyList()` +- `TypeMatchesPattern.typeArgs` defaults to `emptyList()` +- When empty, every code path follows the existing logic exactly +- Serialization format: `typeArgs` is a new optional field — existing serialized configs deserialize with empty list + +## Files Changed + +### Modified Files + +| File | Module | Change | +|---|---|---| +| `SemgrepPatternAction.kt` | opentaint-java-querylang | Add `typeArgs` to `TypeNamePattern.ClassName`, `FullyQualified` | +| `PatternToActionListConverter.kt` | opentaint-java-querylang | Stop discarding type args (line 229), array returns (line 559), concrete returns (line 565); flow type info through | +| `AutomataToTaintRuleConversion.kt` | opentaint-java-querylang | `typeMatcher()`: propagate `typeArgs` to `ClassPattern` | +| `SerializedNameMatcher.kt` | opentaint-configuration-rules | Add `typeArgs` to `ClassPattern` | +| `TaintCondition.kt` | opentaint-configuration-rules | Add `typeArgs` to `TypeMatchesPattern` | +| `TaintConfiguration.kt` | opentaint-jvm-sast-dataflow | `matchFunctionSignature()`: use `JIRTypedMethod`; `resolveIsType()`: defer generic checks | +| `JIRBasicAtomEvaluator.kt` | opentaint-jvm-sast-dataflow | `typeMatchesPattern()`: resolve local var generic types when `typeArgs` present | + +### No New Files + +This is a plumbing fix across the existing pipeline — no new modules, classes, or architectural layers. + +### Unchanged + +| Component | Why Unchanged | +|---|---| +| `SemgrepJavaPattern.kt` | Already preserves type args and array types correctly | +| `ActionListToAutomata.kt` | `TypeNamePattern` passes through untransformed | +| `SerializedSignatureMatcher.kt` | `Partial` already has `return` and `params` fields | +| `JIRTypedMethod` / `JIRTypedMethodImpl` | Already resolves generics from Signature attribute | +| IFDS dataflow engine | Unchanged — condition evaluation is extended, not the engine | +| SARIF reporting | Unchanged | + +## Test Strategy + +### Unit Tests + +- **TypeNamePattern with type args:** Verify `transformSimpleTypeName()` preserves `typeArgs` from pattern AST +- **typeMatcher() propagation:** Verify `TypeNamePattern.ClassName(name, typeArgs)` → `ClassPattern(pkg, cls, typeArgs)` +- **matchType() with generics:** `ClassPattern("Map", typeArgs=[Simple("String"), Simple("Object")])` matches `JIRClassType(Map, typeArgs=[String, Object])` but not `JIRClassType(Map, typeArgs=[String, String])` +- **matchType() without generics:** `ClassPattern("Map", typeArgs=[])` matches any `Map` regardless of type args (backward compat) +- **matchFunctionSignature() with JIRTypedMethod:** Return type and parameter type generic matching +- **resolveGenericType():** Local variable index → `LocalVariableNode` → `typeOf()` → correct generic type +- **Graceful degradation:** Missing Signature attribute, missing LocalVariableTypeTable, non-local-variable receiver + +### Integration Tests + +- End-to-end: YAML rule with `Map` pattern → correct taint findings +- End-to-end: `String[] foo(...)` pattern → correct return type matching +- End-to-end: `(List $L).get(...)` → matches only `List` receivers, not `List` +- Regression: all existing rules produce identical results + +### E2E Test Samples + +Extend existing `@PositiveRuleSample` / `@NegativeRuleSample` annotations: + +- Positive: `Map m = ...; m.get(key)` with pattern `(Map $M).get(...)` +- Negative: `Map m = ...; m.get(key)` with same pattern (should NOT match) +- Positive: `String[] foo()` with pattern `String[] foo(...)` +- Positive: `List bar()` with pattern `List bar(...)` +- Negative: `List bar()` with same pattern + +## Open Questions Resolved + +| Question (from previous spec) | Resolution | +|---|---| +| Enrichment granularity? | Method-level for signatures, instruction-level for call-site receivers | +| Fallback when sources unavailable? | Not applicable — all type info comes from bytecode, not source | +| Incremental vs. full scan? | Not applicable — no source scanning | +| Pattern language scope? | Scoped to type args, array returns, concrete returns. Other features (`pattern-regex`, `metavariable-comparison`) are separate work | +| Multi-level IR needed? | No — plumbing fix on existing pipeline | From 513c2203f2af59492b1cb4adebf5c934cd3d8ad7 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:03:20 +0300 Subject: [PATCH 03/31] feat: add typeArgs field to TypeNamePattern.ClassName and FullyQualified --- .../semgrep/pattern/conversion/ParamCondition.kt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt index cfc719f0..a3b1409e 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt @@ -6,13 +6,13 @@ import org.opentaint.semgrep.pattern.conversion.SemgrepPatternAction.SignatureMo @Serializable sealed interface TypeNamePattern { @Serializable - data class FullyQualified(val name: String) : TypeNamePattern { - override fun toString(): String = name + data class FullyQualified(val name: String, val typeArgs: List = emptyList()) : TypeNamePattern { + override fun toString(): String = if (typeArgs.isEmpty()) name else "$name<${typeArgs.joinToString(", ")}>" } @Serializable - data class ClassName(val name: String) : TypeNamePattern { - override fun toString(): String = "*.$name" + data class ClassName(val name: String, val typeArgs: List = emptyList()) : TypeNamePattern { + override fun toString(): String = if (typeArgs.isEmpty()) "*.$name" else "*.$name<${typeArgs.joinToString(", ")}>" } @Serializable From cb14b7db2094b7f3e1b0c3b589f94944f2775750 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:04:52 +0300 Subject: [PATCH 04/31] feat: add returnType field to MethodSignature action and predicate --- .../opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt | 1 + .../opentaint/semgrep/pattern/conversion/automata/Predicate.kt | 1 + 2 files changed, 2 insertions(+) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt index d9d7b264..5bc22259 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt @@ -103,6 +103,7 @@ sealed interface SemgrepPatternAction { data class MethodSignature( val methodName: SignatureName, val params: ParamConstraint.Partial, + val returnType: TypeNamePattern? = null, val modifiers: List, val enclosingClassMetavar: String?, val enclosingClassConstraints: List, diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt index b0202cfc..d13c5642 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt @@ -19,6 +19,7 @@ data class Predicate( data class MethodSignature( val methodName: MethodName, val enclosingClassName: MethodEnclosingClassName, + val returnType: TypeNamePattern? = null, ) @Serializable From 95f08fa3ef1b728b07b363a06f6b8f4bc34b6fa2 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:07:08 +0300 Subject: [PATCH 05/31] feat: stop discarding type args, array returns, concrete returns in pattern converter --- .../pattern/SemgrepRuleLoadErrorMessage.kt | 15 --------- .../PatternToActionListConverter.kt | 32 +++---------------- 2 files changed, 5 insertions(+), 42 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt index 5d98bb68..2a6634de 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt @@ -146,21 +146,6 @@ class FailedTransformationToActionList(causeMessage: String?) : RuleIssueBlockin override val message: String = "Failed to transform pattern into an action list: ${causeMessage ?: "unknown error"}" } -class TypeArgumentsIgnored : UnsupportedFeatureNonBlockingMessage() { - override val message: String = "Type arguments in the pattern are not supported and will be ignored during matching" -} - -class MethodDeclarationReturnTypeIsArray : UnsupportedFeatureNonBlockingMessage() { - override val message: String = "Method declaration pattern with array return type is not supported; the return type constraint will be ignored" -} - -class MethodDeclarationReturnTypeIsNotMetaVar : UnsupportedFeatureNonBlockingMessage() { - override val message: String = "Method declaration pattern with a concrete return type is not supported; only metavariable return types are handled" -} - -class MethodDeclarationReturnTypeHasTypeArgs : UnsupportedFeatureNonBlockingMessage() { - override val message: String = "Method declaration pattern with a generic return type is not supported; type arguments on return types will be ignored" -} class EmptyPatternsAfterConvertToRawRule(times: Int) : InternalWarningNonBlockingMessage() { override val message: String = "$times pattern variant(s) were dropped during normalization because they produced no positive patterns" diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt index 1a4fb128..e0ca3ade 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt @@ -23,9 +23,6 @@ import org.opentaint.semgrep.pattern.Metavar import org.opentaint.semgrep.pattern.MetavarName import org.opentaint.semgrep.pattern.MethodArguments import org.opentaint.semgrep.pattern.MethodDeclaration -import org.opentaint.semgrep.pattern.MethodDeclarationReturnTypeHasTypeArgs -import org.opentaint.semgrep.pattern.MethodDeclarationReturnTypeIsArray -import org.opentaint.semgrep.pattern.MethodDeclarationReturnTypeIsNotMetaVar import org.opentaint.semgrep.pattern.MethodInvocation import org.opentaint.semgrep.pattern.Modifier import org.opentaint.semgrep.pattern.NamedValue @@ -39,7 +36,6 @@ import org.opentaint.semgrep.pattern.StaticFieldAccess import org.opentaint.semgrep.pattern.StringEllipsis import org.opentaint.semgrep.pattern.StringLiteral import org.opentaint.semgrep.pattern.ThisExpr -import org.opentaint.semgrep.pattern.TypeArgumentsIgnored import org.opentaint.semgrep.pattern.TypeName import org.opentaint.semgrep.pattern.TypedMetavar import org.opentaint.semgrep.pattern.VariableAssignment @@ -226,9 +222,7 @@ class PatternToActionListConverter: ActionListBuilder { } private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { - if (typeName.typeArgs.isNotEmpty()) { - semgrepTrace?.error(TypeArgumentsIgnored()) - } + val typeArgs = typeName.typeArgs.map { transformTypeName(it) } if (typeName.dotSeparatedParts.size == 1) { val name = typeName.dotSeparatedParts.single() @@ -240,7 +234,7 @@ class PatternToActionListConverter: ActionListBuilder { if (concreteNames.size == 1) { val className = concreteNames.single().name if (className.first().isUpperCase()) { - return TypeNamePattern.ClassName(className) + return TypeNamePattern.ClassName(className, typeArgs) } if (className in primitiveTypeNames) { @@ -251,7 +245,7 @@ class PatternToActionListConverter: ActionListBuilder { } val fqn = concreteNames.joinToString(".") { it.name } - return TypeNamePattern.FullyQualified(fqn) + return TypeNamePattern.FullyQualified(fqn, typeArgs) } transformationFailed("TypeName_non_concrete_unsupported") @@ -553,24 +547,7 @@ class PatternToActionListConverter: ActionListBuilder { is MetavarName -> SignatureName.MetaVar(name.metavarName) } - val retType = pattern.returnType - if (retType != null) { - run { - if (retType !is TypeName.SimpleTypeName) { - semgrepTrace?.error(MethodDeclarationReturnTypeIsArray()) - return@run - } - - val retTypeMetaVar = retType.dotSeparatedParts.singleOrNull() as? MetavarName - if (retTypeMetaVar == null) { - semgrepTrace?.error(MethodDeclarationReturnTypeIsNotMetaVar()) - } - - if (retType.typeArgs.isNotEmpty()) { - semgrepTrace?.error(MethodDeclarationReturnTypeHasTypeArgs()) - } - } - } + val returnTypePattern: TypeNamePattern? = pattern.returnType?.let { transformTypeName(it) } val paramConditions = mutableListOf() @@ -613,6 +590,7 @@ class PatternToActionListConverter: ActionListBuilder { val signature = SemgrepPatternAction.MethodSignature( methodName, ParamConstraint.Partial(paramConditions), + returnType = returnTypePattern, modifiers = modifiers, enclosingClassMetavar = null, enclosingClassConstraints = emptyList(), From b571c5c82f5e10d8731786bb21ac89d3c4d82e5f Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:08:53 +0300 Subject: [PATCH 06/31] feat: handle typeArgs in unifyTypeName for generic type unification --- .../taint/MethodFormulaSimplifier.kt | 35 ++++++++++++++++--- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt index e2ea527b..8a3567b3 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt @@ -766,6 +766,18 @@ private fun MethodEnclosingClassName.unify( unifyTypeName(this.name, other.name, metaVarInfo) ?.let { MethodEnclosingClassName(it) } +private fun unifyTypeArgs( + left: List, + right: List, + metaVarInfo: ResolvedMetaVarInfo +): List? { + if (left.isEmpty()) return right + if (right.isEmpty()) return left + if (left.size != right.size) return null + val unified = left.zip(right).map { (l, r) -> unifyTypeName(l, r, metaVarInfo) ?: return null } + return unified +} + private fun unifyTypeName( left: TypeNamePattern, right: TypeNamePattern, @@ -782,11 +794,19 @@ private fun unifyTypeName( TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType, - is TypeNamePattern.ClassName, is TypeNamePattern.PrimitiveName -> return null + is TypeNamePattern.ClassName -> { + if (left.name != right.name) return null + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.ClassName(left.name, args) + } + is TypeNamePattern.FullyQualified -> { - if (right.name.endsWith(left.name)) return right + if (right.name.endsWith(left.name)) { + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.FullyQualified(right.name, args) + } return null } @@ -803,11 +823,18 @@ private fun unifyTypeName( is TypeNamePattern.PrimitiveName -> return null is TypeNamePattern.ClassName -> { - if (left.name.endsWith(right.name)) return left + if (left.name.endsWith(right.name)) { + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.FullyQualified(left.name, args) + } return null } - is TypeNamePattern.FullyQualified -> return null + is TypeNamePattern.FullyQualified -> { + if (left.name != right.name) return null + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.FullyQualified(left.name, args) + } is TypeNamePattern.MetaVar -> { if (left.name == generatedMethodClassName) return null From 6a71939178ce510578a2806015311bb4a2de7076 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:09:45 +0300 Subject: [PATCH 07/31] feat: recurse into typeArgs for metavar extraction in typeNameMetaVars --- .../pattern/conversion/taint/TaintEdgesGeneration.kt | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt index 287afb4a..b71c42fa 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt @@ -363,10 +363,16 @@ private fun MetaVarCtx.typeNameMetaVars(typeName: TypeNamePattern, metaVars: Bit } TypeNamePattern.AnyType, - is TypeNamePattern.ClassName, - is TypeNamePattern.PrimitiveName, - is TypeNamePattern.FullyQualified -> { + is TypeNamePattern.PrimitiveName -> { // no metavars } + + is TypeNamePattern.ClassName -> { + typeName.typeArgs.forEach { typeNameMetaVars(it, metaVars) } + } + + is TypeNamePattern.FullyQualified -> { + typeName.typeArgs.forEach { typeNameMetaVars(it, metaVars) } + } } } From a28d6d2fa26972c12b64a39fb90c1da7d53d0c05 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:10:31 +0300 Subject: [PATCH 08/31] feat: add typeArgs field to SerializedTypeNameMatcher.ClassPattern --- .../configuration/jvm/serialized/SerializedNameMatcher.kt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt index e5d397ea..b2ae7dcf 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt @@ -18,7 +18,8 @@ sealed interface SerializedTypeNameMatcher { @Serializable data class ClassPattern( val `package`: SerializedSimpleNameMatcher, - val `class`: SerializedSimpleNameMatcher + val `class`: SerializedSimpleNameMatcher, + val typeArgs: List = emptyList() ) : SerializedTypeNameMatcher @Serializable From 6cc4c73074897adb9b59f0744fb19e6ad575a59f Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:18:43 +0300 Subject: [PATCH 09/31] feat: propagate typeArgs and returnType through automata-to-taint conversion --- .../taint/AutomataToTaintRuleConversion.kt | 82 ++++++++++++++----- 1 file changed, 63 insertions(+), 19 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt index d18c3765..efaaead0 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt @@ -14,6 +14,7 @@ import org.opentaint.dataflow.configuration.jvm.serialized.SerializedItem import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedRule +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSignatureMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher.Pattern import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher.Simple import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTaintAssignAction @@ -140,6 +141,7 @@ private data class RuleCondition( val enclosingClassName: SerializedSimpleNameMatcher, val name: SerializedSimpleNameMatcher, val condition: SerializedCondition, + val signature: SerializedSignatureMatcher? = null, ) private data class EvaluatedEdgeCondition( @@ -258,17 +260,17 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List + rules += generateRules(condition.ruleCondition) { function, signature, cond -> when (ruleEdge.edgeKind) { TaintRuleEdge.Kind.MethodCall -> listOf( SerializedRule.Source( - function, signature = null, overrides = true, cond, actions, info = info, + function, signature = signature, overrides = true, cond, actions, info = info, ) ) TaintRuleEdge.Kind.MethodEnter -> listOf( SerializedRule.EntryPoint( - function, signature = null, overrides = false, cond, actions, info = info, + function, signature = signature, overrides = false, cond, actions, info = info, ) ) @@ -286,13 +288,13 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List + rules += generateRules(condition.ruleCondition) { function, signature, cond -> val afterSinkActions = buildStateAssignAction(ruleEdge.stateTo, condition) when (ruleEdge.edgeKind) { TaintRuleEdge.Kind.MethodEnter -> listOf( SerializedRule.MethodEntrySink( - function, signature = null, overrides = false, cond, + function, signature = signature, overrides = false, cond, trackFactsReachAnalysisEnd = afterSinkActions, ctx.ruleId, meta = ctx.meta ) @@ -300,7 +302,7 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List listOf( SerializedRule.Sink( - function, signature = null, overrides = true, cond, + function, signature = signature, overrides = true, cond, trackFactsReachAnalysisEnd = afterSinkActions, ctx.ruleId, meta = ctx.meta ) @@ -330,10 +332,10 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List { - rules += generateRules(condition.ruleCondition) { function, cond -> + rules += generateRules(condition.ruleCondition) { function, signature, cond -> listOf( SerializedRule.Cleaner( - function, signature = null, overrides = true, cond, actions, + function, signature = signature, overrides = true, cond, actions, info = edgeRuleInfo(ruleEdge) ) ) @@ -410,7 +412,7 @@ private fun EvaluatedEdgeCondition.addStateCheck( private inline fun generateRules( condition: RuleCondition, - body: (SerializedFunctionNameMatcher, SerializedCondition) -> T + body: (SerializedFunctionNameMatcher, SerializedSignatureMatcher?, SerializedCondition) -> T ): T { val functionMatcher = SerializedFunctionNameMatcher.Complex( condition.enclosingClassPackage, @@ -418,13 +420,14 @@ private inline fun generateRules( condition.name ) - return body(functionMatcher, condition.condition) + return body(functionMatcher, condition.signature, condition.condition) } private class RuleConditionBuilder { var enclosingClassPackage: SerializedSimpleNameMatcher? = null var enclosingClassName: SerializedSimpleNameMatcher? = null var methodName: SerializedSimpleNameMatcher? = null + var signature: SerializedSignatureMatcher? = null val conditions = hashSetOf() @@ -432,6 +435,7 @@ private class RuleConditionBuilder { n.enclosingClassPackage = this.enclosingClassPackage n.enclosingClassName = this.enclosingClassName n.methodName = this.methodName + n.signature = this.signature n.conditions.addAll(conditions) } @@ -439,7 +443,8 @@ private class RuleConditionBuilder { enclosingClassPackage ?: anyName(), enclosingClassName ?: anyName(), methodName ?: anyName(), - SerializedCondition.and(conditions.toList()) + SerializedCondition.and(conditions.toList()), + signature ) } @@ -609,6 +614,25 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature( } } + // Convert return type to signature matcher + val returnType = signature.returnType + if (returnType != null) { + val returnTypeFormula = typeMatcher(returnType, semgrepRuleTrace) + val returnTypeMatcher = when (returnTypeFormula) { + null -> null + is MetaVarConstraintFormula.Constraint -> returnTypeFormula.constraint + else -> null + } + if (returnTypeMatcher != null) { + for (builder in buildersWithClass) { + builder.signature = SerializedSignatureMatcher.Partial( + params = null, + `return` = returnTypeMatcher + ) + } + } + } + return signature to buildersWithClass } @@ -804,17 +828,37 @@ private fun TaintRuleGenerationCtx.typeMatcher( semgrepRuleTrace: SemgrepRuleLoadStepTrace ): MetaVarConstraintFormula? { return when (typeName) { - is TypeNamePattern.ClassName -> MetaVarConstraintFormula.Constraint( - SerializedTypeNameMatcher.ClassPattern( - `package` = anyName(), - `class` = Simple(typeName.name) + is TypeNamePattern.ClassName -> { + val serializedTypeArgs = typeName.typeArgs.mapNotNull { + (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint + } + MetaVarConstraintFormula.Constraint( + SerializedTypeNameMatcher.ClassPattern( + `package` = anyName(), + `class` = Simple(typeName.name), + typeArgs = serializedTypeArgs + ) ) - ) + } is TypeNamePattern.FullyQualified -> { - MetaVarConstraintFormula.Constraint( - Simple(typeName.name) - ) + if (typeName.typeArgs.isEmpty()) { + MetaVarConstraintFormula.Constraint( + Simple(typeName.name) + ) + } else { + val serializedTypeArgs = typeName.typeArgs.mapNotNull { + (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint + } + val (pkg, cls) = classNamePartsFromConcreteString(typeName.name) + MetaVarConstraintFormula.Constraint( + SerializedTypeNameMatcher.ClassPattern( + `package` = pkg, + `class` = cls, + typeArgs = serializedTypeArgs + ) + ) + } } is TypeNamePattern.PrimitiveName -> { From df6bd0a6144356d0a5219b2ca30e2e56e6480df0 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:20:03 +0300 Subject: [PATCH 10/31] feat: add typeArgs to TypeMatchesPattern for deferred generic matching --- .../org/opentaint/dataflow/configuration/jvm/TaintCondition.kt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt index 125cbb2b..742db7bf 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt @@ -1,5 +1,6 @@ package org.opentaint.dataflow.configuration.jvm +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.ir.api.jvm.JIRType import java.util.Objects @@ -119,6 +120,7 @@ sealed interface ConditionNameMatcher { data class TypeMatchesPattern( val position: Position, val pattern: ConditionNameMatcher, + val typeArgs: List = emptyList(), ) : Condition { override fun accept(conditionVisitor: ConditionVisitor): R = conditionVisitor.visit(this) } From 1d89709589dbe9cff46d6585268f38dbd9c1d7c9 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:22:42 +0300 Subject: [PATCH 11/31] feat: add matchType(JIRType) and pass typeArgs through resolveIsType() - Add private matchType(JIRType) extension on SerializedTypeNameMatcher that performs structural generic comparison (ClassPattern with typeArgs vs JIRClassType) and array matching (Array vs JIRArrayType), falling back to erased name matching for backward compatibility - Update resolveIsType() to extract typeArgs from ClassPattern normalizedTypeIs and pass them to TypeMatchesPattern for deferred evaluation at instruction level - Add imports: JIRArrayType, JIRClassType, JIRType from org.opentaint.ir.api.jvm --- .../sast/dataflow/rules/TaintConfiguration.kt | 27 ++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index a59802d8..cddb2b2f 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -76,9 +76,12 @@ import org.opentaint.dataflow.configuration.jvm.simplify import org.opentaint.dataflow.jvm.util.JIRHierarchyInfo import org.opentaint.ir.api.jvm.JIRAnnotated import org.opentaint.ir.api.jvm.JIRAnnotation +import org.opentaint.ir.api.jvm.JIRArrayType import org.opentaint.ir.api.jvm.JIRClasspath +import org.opentaint.ir.api.jvm.JIRClassType import org.opentaint.ir.api.jvm.JIRField import org.opentaint.ir.api.jvm.JIRMethod +import org.opentaint.ir.api.jvm.JIRType import org.opentaint.ir.api.jvm.PredefinedPrimitives import org.opentaint.ir.api.jvm.TypeName import org.opentaint.ir.api.jvm.ext.allSuperHierarchySequence @@ -256,6 +259,24 @@ class TaintConfiguration(cp: JIRClasspath) { } } + private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { + // No type args on matcher → fall back to erased name matching (backward compat) + this is ClassPattern && typeArgs.isEmpty() -> match(type.typeName) + + // Has type args → structural comparison against JIRClassType + this is ClassPattern && type is JIRClassType -> { + match(type.typeName) && + typeArgs.size == type.typeArguments.size && + typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } + } + + // Array matching + this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) + + // Default: erased matching + else -> match(type.typeName) + } + private fun SerializedSimpleNameMatcher.match(name: String): Boolean = when (this) { is Simple -> if (value == "*") true else value == name is Pattern -> isAny() || patternManager.matchPattern(pattern, name) @@ -704,7 +725,11 @@ class TaintConfiguration(cp: JIRClasspath) { ?: return mkTrue() val nonFalsePositions = position.filter { it !in falsePositions } - return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher) }) + val typeArgs = when (val typeIs = normalizedTypeIs) { + is ClassPattern -> typeIs.typeArgs + else -> emptyList() + } + return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher, typeArgs) }) } private fun SerializedTaintAssignAction.resolveWithArray(method: JIRMethod, ctx: AnyArgSpecializationCtx): List = From 324f7c75f3eeccdce669d767d1cc42fd48609e9e Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:27:57 +0300 Subject: [PATCH 12/31] feat: resolve generic types in JIRBasicAtomEvaluator for call-site receiver matching - Fix resolveIsType() short-circuit: when typeArgs are present, skip mkTrue() early return and defer to TypeMatchesPattern deferred evaluation - Add typedMethod: JIRTypedMethod? parameter to JIRBasicAtomEvaluator and JIRMarkAwareConditionRewriter (optional, backward-compatible) - Extend typeMatchesPattern() to check generic type args via JIRTypedMethod.typeOf(LocalVariableNode) resolved from LocalVariableTypeTable - Add matchType() and matchErasedName() helpers for SerializedTypeNameMatcher recursive matching against JIRType (class, array, wildcards) --- .../ap/ifds/JIRMarkAwareConditionRewriter.kt | 6 +- .../ap/ifds/taint/JIRBasicAtomEvaluator.kt | 84 +++++++++++++++++-- .../sast/dataflow/rules/TaintConfiguration.kt | 11 ++- 3 files changed, 88 insertions(+), 13 deletions(-) diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt index 48851e59..c89dbfed 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt @@ -11,15 +11,17 @@ import org.opentaint.dataflow.jvm.ap.ifds.analysis.JIRMethodAnalysisContext import org.opentaint.dataflow.jvm.ap.ifds.taint.ContainsMarkOnAnyField import org.opentaint.dataflow.jvm.ap.ifds.taint.JIRBasicAtomEvaluator import org.opentaint.ir.api.common.cfg.CommonInst +import org.opentaint.ir.api.jvm.JIRTypedMethod class JIRMarkAwareConditionRewriter( positionResolver: PositionResolver, factTypeChecker: JIRFactTypeChecker, aliasAnalysis: JIRLocalAliasAnalysis?, statement: CommonInst, + typedMethod: JIRTypedMethod? = null, ) { - private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement) - private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement) + private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement, typedMethod) + private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement, typedMethod) constructor( positionResolver: PositionResolver, diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt index 1eb0bc8c..b4104128 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt @@ -29,9 +29,15 @@ import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasAllocInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasApInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasInfo +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.ir.api.common.cfg.CommonInst import org.opentaint.ir.api.common.cfg.CommonValue +import org.opentaint.ir.api.jvm.JIRArrayType +import org.opentaint.ir.api.jvm.JIRClassType import org.opentaint.ir.api.jvm.JIRRefType +import org.opentaint.ir.api.jvm.JIRType +import org.opentaint.ir.api.jvm.JIRTypedMethod import org.opentaint.ir.api.jvm.cfg.JIRBool import org.opentaint.ir.api.jvm.cfg.JIRCallExpr import org.opentaint.ir.api.jvm.cfg.JIRConstant @@ -51,6 +57,7 @@ class JIRBasicAtomEvaluator( private val typeChecker: JIRFactTypeChecker, private val aliasAnalysis: JIRLocalAliasAnalysis?, private val statement: CommonInst, + private val typedMethod: JIRTypedMethod? = null, ) : ConditionVisitor { override fun visit(condition: Not): Boolean = error("Non-atomic condition") override fun visit(condition: And): Boolean = error("Non-atomic condition") @@ -329,21 +336,80 @@ class JIRBasicAtomEvaluator( val type = value.type as? JIRRefType ?: return false val pattern = condition.pattern - if (pattern.match(type.typeName)) return true + val erasedMatch = pattern.match(type.typeName) - if (pattern !is ConditionNameMatcher.Concrete) { - // todo: check super classes? - return false + if (!erasedMatch) { + if (pattern !is ConditionNameMatcher.Concrete) { + // todo: check super classes? + return false + } + + if (negated) return false + + if (type.typeName == "java.lang.Object") { + // todo: hack to avoid explosion + return false + } + + if (!typeChecker.typeMayHaveSubtypeOf(type.typeName, pattern.name)) { + return false + } + } + + // Generic type args check + if (condition.typeArgs.isNotEmpty()) { + val genericType = resolveGenericType(value) + if (genericType is JIRClassType) { + if (genericType.typeArguments.size != condition.typeArgs.size) return false + return condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> + matcher.matchType(arg) + } + } + // Can't resolve generics — erased match already passed above + return true } - if (negated) return false + return true + } - if (type.typeName == "java.lang.Object") { - // todo: hack to avoid explosion - return false + private fun resolveGenericType(value: JIRValue): JIRType? { + val localVar = value as? JIRLocalVar ?: return null + val typedMethod = typedMethod ?: return null + val method = (statement as? JIRInst)?.location?.method ?: return null + val localVarNode = method.withAsmNode { methodNode -> + methodNode.localVariables?.find { lvn -> lvn.index == localVar.index } + } ?: return null + return try { + typedMethod.typeOf(localVarNode) + } catch (_: Exception) { + null } + } - return typeChecker.typeMayHaveSubtypeOf(type.typeName, pattern.name) + private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { + this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() -> matchErasedName(type.typeName) + this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType -> { + matchErasedName(type.typeName) && + typeArgs.size == type.typeArguments.size && + typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a) } + } + this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) + else -> matchErasedName(type.typeName) + } + + private fun SerializedTypeNameMatcher.matchErasedName(name: String): Boolean = when (this) { + is SerializedSimpleNameMatcher.Simple -> value == name || name.endsWith(".$value") + is SerializedSimpleNameMatcher.Pattern -> Regex(pattern).containsMatchIn(name) + is SerializedTypeNameMatcher.ClassPattern -> { + val lastDot = name.lastIndexOf('.') + val pkgName = if (lastDot >= 0) name.substring(0, lastDot) else "" + val clsName = if (lastDot >= 0) name.substring(lastDot + 1) else name + `package`.matchErasedName(pkgName) && `class`.matchErasedName(clsName) + } + is SerializedTypeNameMatcher.Array -> { + val nameWithout = name.removeSuffix("[]") + name != nameWithout && element.matchErasedName(nameWithout) + } } private fun ConditionNameMatcher.match(name: String): Boolean = when (this) { diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index cddb2b2f..ed0572a4 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -699,6 +699,8 @@ class TaintConfiguration(cp: JIRClasspath) { val falsePositions = hashSetOf() val normalizedTypeIs = typeIs.normalizeAnyName() + val hasTypeArgs = normalizedTypeIs is ClassPattern && normalizedTypeIs.typeArgs.isNotEmpty() + for (pos in position) { val posTypeName = when (pos) { is Argument -> method.parameters[pos.index].type.typeName @@ -708,11 +710,16 @@ class TaintConfiguration(cp: JIRClasspath) { is ClassStatic -> continue } - if (normalizedTypeIs.match(posTypeName)) return mkTrue() + if (normalizedTypeIs.match(posTypeName)) { + if (!hasTypeArgs) return mkTrue() + // Has type args: don't short-circuit, fall through to deferred evaluation + continue + } if (pos is This) { if (method.enclosingClass.allSuperHierarchySequence.any { normalizedTypeIs.match(it.name) }) { - return mkTrue() + if (!hasTypeArgs) return mkTrue() + continue } if (method.isConstructor || method.isFinal) { From 55440d4549205046247d74ac0c4e825f8d30ca5f Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:29:18 +0300 Subject: [PATCH 13/31] test: add E2E samples for generic type args, array returns, concrete returns --- .../java/example/RuleWithArrayReturnType.java | 49 +++++++++++++++++++ .../example/RuleWithConcreteReturnType.java | 48 ++++++++++++++++++ .../java/example/RuleWithGenericTypeArgs.java | 37 ++++++++++++++ .../example/RuleWithArrayReturnType.yaml | 15 ++++++ .../example/RuleWithConcreteReturnType.yaml | 15 ++++++ .../example/RuleWithGenericTypeArgs.yaml | 15 ++++++ 6 files changed, 179 insertions(+) create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java new file mode 100644 index 00000000..63e7e132 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java @@ -0,0 +1,49 @@ +package example; + +import base.RuleSample; +import base.RuleSet; + +@RuleSet("example/RuleWithArrayReturnType.yaml") +public abstract class RuleWithArrayReturnType implements RuleSample { + + void sink(String data) {} + + String[] methodReturningStringArray(String data) { + sink(data); + return new String[] { data }; + } + + int[] methodReturningIntArray(String data) { + sink(data); + return new int[] { 1 }; + } + + String methodReturningString(String data) { + sink(data); + return data; + } + + final static class PositiveStringArrayReturn extends RuleWithArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningStringArray(data); + } + } + + final static class NegativeIntArrayReturn extends RuleWithArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningIntArray(data); + } + } + + final static class NegativeStringReturn extends RuleWithArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningString(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java new file mode 100644 index 00000000..010d82ec --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java @@ -0,0 +1,48 @@ +package example; + +import base.RuleSample; +import base.RuleSet; + +@RuleSet("example/RuleWithConcreteReturnType.yaml") +public abstract class RuleWithConcreteReturnType implements RuleSample { + + void sink(String data) {} + + String methodReturningString(String data) { + sink(data); + return data; + } + + int methodReturningInt(String data) { + sink(data); + return 0; + } + + void methodReturningVoid(String data) { + sink(data); + } + + final static class PositiveStringReturn extends RuleWithConcreteReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningString(data); + } + } + + final static class NegativeIntReturn extends RuleWithConcreteReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningInt(data); + } + } + + final static class NegativeVoidReturn extends RuleWithConcreteReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningVoid(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java new file mode 100644 index 00000000..68a6cd9f --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java @@ -0,0 +1,37 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.Map; + +@RuleSet("example/RuleWithGenericTypeArgs.yaml") +public abstract class RuleWithGenericTypeArgs implements RuleSample { + + void sink(String data) {} + + void methodWithGenericParam(Map m, String data) { + sink(data); + } + + void methodWithDifferentGenericParam(Map m, String data) { + sink(data); + } + + final static class PositiveMatchingGenericParam extends RuleWithGenericTypeArgs { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithGenericParam(m, data); + } + } + + final static class NegativeDifferentGenericParam extends RuleWithGenericTypeArgs { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithDifferentGenericParam(m, data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml new file mode 100644 index 00000000..cabc45ff --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithArrayReturnType + languages: + - java + severity: ERROR + message: match example/RuleWithArrayReturnType + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + String[] $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml new file mode 100644 index 00000000..a5d120f5 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithConcreteReturnType + languages: + - java + severity: ERROR + message: match example/RuleWithConcreteReturnType + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + String $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml new file mode 100644 index 00000000..90425f1b --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithGenericTypeArgs + languages: + - java + severity: ERROR + message: match example/RuleWithGenericTypeArgs + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + $RET $METHOD(Map $M, ...) { + ... + } From 91571e3eeafc639f17ac159f79afc3277d97a8ed Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:30:46 +0300 Subject: [PATCH 14/31] test: add E2E tests for type-aware pattern matching --- .../opentaint/semgrep/TypeAwarePatternTest.kt | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt new file mode 100644 index 00000000..1759809b --- /dev/null +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -0,0 +1,24 @@ +package org.opentaint.semgrep + +import org.junit.jupiter.api.AfterAll +import org.junit.jupiter.api.TestInstance +import org.junit.jupiter.api.TestInstance.Lifecycle.PER_CLASS +import org.opentaint.semgrep.util.SampleBasedTest +import kotlin.test.Test + +@TestInstance(PER_CLASS) +class TypeAwarePatternTest : SampleBasedTest() { + @Test + fun `test generic type args in method parameter`() = runTest() + + @Test + fun `test array return type matching`() = runTest() + + @Test + fun `test concrete return type matching`() = runTest() + + @AfterAll + fun close() { + closeRunner() + } +} From 2936ef68b8ed7e1da95c54aef404b26e47595922 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 00:50:54 +0300 Subject: [PATCH 15/31] fix: thread returnType through pipeline and fix generic type matching - Pass returnType from SemgrepPatternAction.MethodSignature to automata MethodSignature in ActionListToAutomata.constructSignatureFormula() - Unify returnType in MethodFormulaSimplifier.unify() - Preserve returnType in notEvaluatedSignature() - Move return type processing before early return in evaluateFormulaSignature() - Fix normalizeAnyName() in ClassNameUtils to preserve typeArgs - Store cp in TaintConfiguration for typed method resolution - Add resolveTypedMethod() for eager generic type checking on Argument/Result - Use erased class name (jIRClass.name) instead of typeName in matchType() to avoid matching against generic-param-decorated names - Fix TypeAwarePatternTest to pass EXPECT_STATE_VAR for generic test --- .../automata/ActionListToAutomata.kt | 1 + .../taint/AutomataToTaintRuleConversion.kt | 43 +++++++------ .../taint/MethodFormulaSimplifier.kt | 6 ++ .../opentaint/semgrep/TypeAwarePatternTest.kt | 2 +- .../jvm/sast/dataflow/rules/ClassNameUtils.kt | 2 +- .../sast/dataflow/rules/TaintConfiguration.kt | 63 ++++++++++++++----- 6 files changed, 81 insertions(+), 36 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/ActionListToAutomata.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/ActionListToAutomata.kt index aac0331e..1a44cf42 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/ActionListToAutomata.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/ActionListToAutomata.kt @@ -284,6 +284,7 @@ private fun constructSignatureFormula( val signature = MethodSignature( methodName = methodName, enclosingClassName = MethodEnclosingClassName.anyClassName, + returnType = action.returnType, ) builder.addSignature(signature) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt index efaaead0..72395a25 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt @@ -502,6 +502,11 @@ private fun MethodSignature.notEvaluatedSignature(evaluated: MethodSignature): M MethodEnclosingClassName.anyClassName } else { enclosingClassName + }, + returnType = if (returnType == evaluated.returnType) { + null + } else { + returnType } ) } @@ -561,6 +566,25 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature( } } + // Convert return type to signature matcher (must apply to all builder paths) + val returnType = signature.returnType + if (returnType != null) { + val returnTypeFormula = typeMatcher(returnType, semgrepRuleTrace) + val returnTypeMatcher = when (returnTypeFormula) { + null -> null + is MetaVarConstraintFormula.Constraint -> returnTypeFormula.constraint + else -> null + } + if (returnTypeMatcher != null) { + for (builder in buildersWithMethodName) { + builder.signature = SerializedSignatureMatcher.Partial( + params = null, + `return` = returnTypeMatcher + ) + } + } + } + val classSignatureMatcherFormula = typeMatcher(signature.enclosingClassName.name, semgrepRuleTrace) if (classSignatureMatcherFormula == null) return signature to buildersWithMethodName @@ -614,25 +638,6 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature( } } - // Convert return type to signature matcher - val returnType = signature.returnType - if (returnType != null) { - val returnTypeFormula = typeMatcher(returnType, semgrepRuleTrace) - val returnTypeMatcher = when (returnTypeFormula) { - null -> null - is MetaVarConstraintFormula.Constraint -> returnTypeFormula.constraint - else -> null - } - if (returnTypeMatcher != null) { - for (builder in buildersWithClass) { - builder.signature = SerializedSignatureMatcher.Partial( - params = null, - `return` = returnTypeMatcher - ) - } - } - } - return signature to buildersWithClass } diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt index 8a3567b3..a28c596b 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt @@ -709,9 +709,15 @@ private fun MethodSignature?.unify( metaVarInfo: ResolvedMetaVarInfo, ): MethodSignature? { if (this == null) return other + val unifiedReturnType = when { + this.returnType == null -> other.returnType + other.returnType == null -> this.returnType + else -> unifyTypeName(this.returnType, other.returnType, metaVarInfo) + } return MethodSignature( methodName.unify(other.methodName, metaVarInfo) ?: return null, enclosingClassName.unify(other.enclosingClassName, metaVarInfo) ?: return null, + returnType = unifiedReturnType, ) } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index 1759809b..51e2cb01 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -9,7 +9,7 @@ import kotlin.test.Test @TestInstance(PER_CLASS) class TypeAwarePatternTest : SampleBasedTest() { @Test - fun `test generic type args in method parameter`() = runTest() + fun `test generic type args in method parameter`() = runTest(EXPECT_STATE_VAR) @Test fun `test array return type matching`() = runTest() diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt index 882278bb..f80a2522 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt @@ -14,7 +14,7 @@ fun Pattern.isAny(): Boolean = pattern == ".*" fun SerializedTypeNameMatcher.normalizeAnyName(): SerializedTypeNameMatcher = when (this) { is SerializedSimpleNameMatcher -> normalizeAnyName() - is ClassPattern -> ClassPattern(`package`.normalizeAnyName(), `class`.normalizeAnyName()) + is ClassPattern -> ClassPattern(`package`.normalizeAnyName(), `class`.normalizeAnyName(), typeArgs.map { it.normalizeAnyName() }) is SerializedTypeNameMatcher.Array -> SerializedTypeNameMatcher.Array(element.normalizeAnyName()) } diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index ed0572a4..784f9922 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -79,6 +79,7 @@ import org.opentaint.ir.api.jvm.JIRAnnotation import org.opentaint.ir.api.jvm.JIRArrayType import org.opentaint.ir.api.jvm.JIRClasspath import org.opentaint.ir.api.jvm.JIRClassType +import org.opentaint.ir.api.jvm.JIRTypedMethod import org.opentaint.ir.api.jvm.JIRField import org.opentaint.ir.api.jvm.JIRMethod import org.opentaint.ir.api.jvm.JIRType @@ -92,7 +93,7 @@ import org.opentaint.jvm.sast.dataflow.matchedAnnotations import org.opentaint.jvm.util.typename import java.util.concurrent.atomic.AtomicInteger -class TaintConfiguration(cp: JIRClasspath) { +class TaintConfiguration(private val cp: JIRClasspath) { private val patternManager = PatternManager() private val hierarchyInfo = JIRHierarchyInfo(cp) private val objectTypeName = cp.objectClass.typename @@ -259,22 +260,33 @@ class TaintConfiguration(cp: JIRClasspath) { } } - private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { - // No type args on matcher → fall back to erased name matching (backward compat) - this is ClassPattern && typeArgs.isEmpty() -> match(type.typeName) - - // Has type args → structural comparison against JIRClassType - this is ClassPattern && type is JIRClassType -> { - match(type.typeName) && - typeArgs.size == type.typeArguments.size && - typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } + private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean { + // Use erased class name for matching (typeName may include generic params like "Map") + val erasedName = when (type) { + is JIRClassType -> type.jIRClass.name + is JIRArrayType -> type.elementType.let { el -> + if (el is JIRClassType) el.jIRClass.name + "[]" else type.typeName + } + else -> type.typeName } - // Array matching - this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) + return when { + // No type args on matcher → fall back to erased name matching (backward compat) + this is ClassPattern && typeArgs.isEmpty() -> match(erasedName) + + // Has type args → structural comparison against JIRClassType + this is ClassPattern && type is JIRClassType -> { + match(erasedName) && + typeArgs.size == type.typeArguments.size && + typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } + } + + // Array matching + this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) - // Default: erased matching - else -> match(type.typeName) + // Default: erased matching + else -> match(erasedName) + } } private fun SerializedSimpleNameMatcher.match(name: String): Boolean = when (this) { @@ -712,7 +724,23 @@ class TaintConfiguration(cp: JIRClasspath) { if (normalizedTypeIs.match(posTypeName)) { if (!hasTypeArgs) return mkTrue() - // Has type args: don't short-circuit, fall through to deferred evaluation + // Has type args: try eager generic check for Argument/Result positions + if (pos is Argument || pos is Result) { + val typedMethod = resolveTypedMethod(method) + if (typedMethod != null) { + val typedType = when (pos) { + is Argument -> typedMethod.parameters.getOrNull(pos.index)?.type + Result -> typedMethod.returnType + else -> null + } + if (typedType != null) { + if (normalizedTypeIs.matchType(typedType)) return mkTrue() + falsePositions.add(pos) + continue + } + } + } + // For This or when typed method unavailable: defer to evaluator continue } @@ -739,6 +767,11 @@ class TaintConfiguration(cp: JIRClasspath) { return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher, typeArgs) }) } + private fun resolveTypedMethod(method: JIRMethod): JIRTypedMethod? { + val classType = cp.typeOf(method.enclosingClass) as? JIRClassType ?: return null + return classType.declaredMethods.find { it.method == method } + } + private fun SerializedTaintAssignAction.resolveWithArray(method: JIRMethod, ctx: AnyArgSpecializationCtx): List = pos.resolvePositionWithAnnotationConstraint(method, ctx, annotatedWith?.asAnnotationConstraint()) .flatMap { it.resolveArrayPosition(method) } From 77bc679a7398d26833b99773b0c5a1c32d2f4172 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 10:01:35 +0300 Subject: [PATCH 16/31] test: add ResponseEntity<$T> generic return type with metavar type arg test --- .../example/RuleWithGenericReturnType.java | 50 +++++++++++++++++++ .../example/RuleWithGenericReturnType.yaml | 15 ++++++ .../opentaint/semgrep/TypeAwarePatternTest.kt | 3 ++ 3 files changed, 68 insertions(+) create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericReturnType.java create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericReturnType.yaml diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericReturnType.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericReturnType.java new file mode 100644 index 00000000..fb80832b --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericReturnType.java @@ -0,0 +1,50 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import org.springframework.http.ResponseEntity; + +@RuleSet("example/RuleWithGenericReturnType.yaml") +public abstract class RuleWithGenericReturnType implements RuleSample { + + void sink(String data) {} + + ResponseEntity methodReturningResponseEntityString(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityObject(String data) { + sink(data); + return null; + } + + String methodReturningString(String data) { + sink(data); + return data; + } + + final static class PositiveResponseEntityString extends RuleWithGenericReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityString(data); + } + } + + final static class PositiveResponseEntityObject extends RuleWithGenericReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityObject(data); + } + } + + final static class NegativeStringReturn extends RuleWithGenericReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningString(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericReturnType.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericReturnType.yaml new file mode 100644 index 00000000..8a0db9d9 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericReturnType.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithGenericReturnType + languages: + - java + severity: ERROR + message: match example/RuleWithGenericReturnType + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + ResponseEntity<$T> $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index 51e2cb01..e3b1f62a 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -17,6 +17,9 @@ class TypeAwarePatternTest : SampleBasedTest() { @Test fun `test concrete return type matching`() = runTest() + @Test + fun `test generic return type with metavar type arg`() = runTest() + @AfterAll fun close() { closeRunner() From 3ac520093fbab91c9d728780c9ba796e5a965ad4 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 13 Apr 2026 11:30:05 +0300 Subject: [PATCH 17/31] docs: add type pattern mathching plan --- .../2026-04-12-type-aware-pattern-matching.md | 1250 +++++++++++++++++ 1 file changed, 1250 insertions(+) create mode 100644 docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md diff --git a/docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md b/docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md new file mode 100644 index 00000000..9e9d9ccf --- /dev/null +++ b/docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md @@ -0,0 +1,1250 @@ +# Type-Aware Pattern Matching Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Fix three broken Semgrep pattern language features for Java — generic type arguments, array return types, and concrete return types — by threading type information through the existing pipeline instead of discarding it. + +**Architecture:** The fix is a plumbing change across 7 existing files in 3 modules. Type arguments are added as a new field (`typeArgs: List`) to `TypeNamePattern.ClassName` and `FullyQualified`, then propagated through `SerializedTypeNameMatcher.ClassPattern` to the runtime matchers. Return types are added to `SemgrepPatternAction.MethodSignature` and flow through to `SerializedSignatureMatcher.Partial`. All new fields default to `emptyList()` / `null` for backward compatibility. + +**Tech Stack:** Kotlin, JUnit 5 / kotlin.test, Gradle, kotlinx.serialization + +**Spec:** `docs/specs/2026-04-12-type-aware-pattern-matching-design.md` + +--- + +## File Structure + +| File | Module | Responsibility | +|---|---|---| +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt` | querylang | `TypeNamePattern` sealed interface — add `typeArgs` to `ClassName` and `FullyQualified` | +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt` | querylang | `MethodSignature` action — add `returnType: TypeNamePattern?` field | +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt` | querylang | Stop discarding type args (line 229), array returns (line 559), concrete returns (line 565) | +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt` | querylang | `unifyTypeName()` — handle `typeArgs` in unification logic | +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt` | querylang | `typeNameMetaVars()` — recurse into `typeArgs` for metavar extraction | +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt` | querylang | `MethodSignature` predicate — add optional `returnType` | +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt` | querylang | `typeMatcher()` — propagate `typeArgs`; `evaluateFormulaSignature()` — emit return type to `SerializedSignatureMatcher.Partial` | +| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt` | querylang | Remove 4 now-obsolete warning classes | +| `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt` | config-rules | `ClassPattern` — add `typeArgs` field | +| `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt` | config-rules | `TypeMatchesPattern` — add `typeArgs` field for deferred generic matching | +| `core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt` | jvm-sast | `matchFunctionSignature()` — add `matchType(JIRType)` overload; `resolveIsType()` — defer generic checks via `typeArgs` | +| `core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt` | jvm-dataflow | `typeMatchesPattern()` — resolve local var generic types when `typeArgs` present | + +### Test Files + +| File | Module | Tests | +|---|---|---| +| `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java` | querylang/samples | E2E sample: generic type arg matching (positive + negative) | +| `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml` | querylang/samples | Semgrep rule for generic type arg test | +| `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java` | querylang/samples | E2E sample: array return type matching | +| `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml` | querylang/samples | Semgrep rule for array return type test | +| `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java` | querylang/samples | E2E sample: concrete return type matching | +| `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml` | querylang/samples | Semgrep rule for concrete return type test | +| `core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt` | querylang/test | E2E test class exercising all three scenarios | + +--- + +## Task 1: Add `typeArgs` to `TypeNamePattern.ClassName` and `FullyQualified` + +**Files:** +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt:14` (ClassName), `:9` (FullyQualified) + +- [ ] **Step 1: Add `typeArgs` field to `ClassName`** + +In `ParamCondition.kt`, change `ClassName`: + +```kotlin +@Serializable +data class ClassName(val name: String, val typeArgs: List = emptyList()) : TypeNamePattern { + override fun toString(): String = if (typeArgs.isEmpty()) "*.$name" else "*.$name<${typeArgs.joinToString(", ")}>" +} +``` + +- [ ] **Step 2: Add `typeArgs` field to `FullyQualified`** + +In `ParamCondition.kt`, change `FullyQualified`: + +```kotlin +@Serializable +data class FullyQualified(val name: String, val typeArgs: List = emptyList()) : TypeNamePattern { + override fun toString(): String = if (typeArgs.isEmpty()) name else "$name<${typeArgs.joinToString(", ")}>" +} +``` + +- [ ] **Step 3: Verify compilation** + +Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` +Expected: BUILD SUCCESSFUL (default empty lists mean all existing call sites remain valid) + +- [ ] **Step 4: Commit** + +```bash +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt +git commit -m "feat: add typeArgs field to TypeNamePattern.ClassName and FullyQualified" +``` + +--- + +## Task 2: Add `returnType` to `MethodSignature` action and `MethodSignature` predicate + +**Files:** +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt:103-122` +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt:19-22` + +- [ ] **Step 1: Add `returnType` to `SemgrepPatternAction.MethodSignature`** + +In `SemgrepPatternAction.kt`, change the `MethodSignature` data class: + +```kotlin +data class MethodSignature( + val methodName: SignatureName, + val params: ParamConstraint.Partial, + val returnType: TypeNamePattern? = null, // NEW + val modifiers: List, + val enclosingClassMetavar: String?, + val enclosingClassConstraints: List, +): SemgrepPatternAction { + override val metavars: List + get() { + val metavars = mutableSetOf() + params.conditions.forEach { it.collectMetavarTo(metavars) } + return metavars.toList() + } + + override val result: ParamCondition? = null + + override fun setResultCondition(condition: ParamCondition): SemgrepPatternAction { + error("Unsupported operation?") + } +} +``` + +- [ ] **Step 2: Add `returnType` to automata `MethodSignature` predicate** + +In `Predicate.kt`, change: + +```kotlin +@Serializable +data class MethodSignature( + val methodName: MethodName, + val enclosingClassName: MethodEnclosingClassName, + val returnType: TypeNamePattern? = null, // NEW +) +``` + +- [ ] **Step 3: Verify compilation** + +Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` +Expected: BUILD SUCCESSFUL (default `null` keeps existing call sites valid) + +- [ ] **Step 4: Commit** + +```bash +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt +git commit -m "feat: add returnType field to MethodSignature action and predicate" +``` + +--- + +## Task 3: Stop discarding type info in `PatternToActionListConverter` + +**Files:** +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt:228-231` (transformSimpleTypeName), `:547-626` (transformMethodDeclaration) +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt:149-163` (remove warnings) + +- [ ] **Step 1: Preserve type args in `transformSimpleTypeName()`** + +In `PatternToActionListConverter.kt`, replace lines 228-258: + +```kotlin +private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { + val typeArgs = typeName.typeArgs.map { transformTypeName(it) } + + if (typeName.dotSeparatedParts.size == 1) { + val name = typeName.dotSeparatedParts.single() + if (name is MetavarName) return TypeNamePattern.MetaVar(name.metavarName) + } + + val concreteNames = typeName.dotSeparatedParts.filterIsInstance() + if (concreteNames.size == typeName.dotSeparatedParts.size) { + if (concreteNames.size == 1) { + val className = concreteNames.single().name + if (className.first().isUpperCase()) { + return TypeNamePattern.ClassName(className, typeArgs) + } + + if (className in primitiveTypeNames) { + return TypeNamePattern.PrimitiveName(className) + } + + transformationFailed("TypeName_concrete_unexpected") + } + + val fqn = concreteNames.joinToString(".") { it.name } + return TypeNamePattern.FullyQualified(fqn, typeArgs) + } + + transformationFailed("TypeName_non_concrete_unsupported") +} +``` + +Key changes: +- Removed `TypeArgumentsIgnored` warning emission (was line 229-231) +- Added `val typeArgs = typeName.typeArgs.map { transformTypeName(it) }` at the top +- Passed `typeArgs` to `ClassName(className, typeArgs)` and `FullyQualified(fqn, typeArgs)` + +- [ ] **Step 2: Preserve return types in `transformMethodDeclaration()`** + +In `PatternToActionListConverter.kt`, replace the return type handling block (lines 556-573) and the signature construction (line 614-619): + +```kotlin +private fun transformMethodDeclaration(pattern: MethodDeclaration): SemgrepPatternActionList { + val bodyPattern = transformPatternToActionList(pattern.body) + val params = methodArgumentsToPatternList(pattern.args) + + val methodName = when (val name = pattern.name) { + is ConcreteName -> SignatureName.Concrete(name.name) + is MetavarName -> SignatureName.MetaVar(name.metavarName) + } + + val returnTypePattern: TypeNamePattern? = pattern.returnType?.let { transformTypeName(it) } + + val paramConditions = mutableListOf() + + var idxIsConcrete = true + for ((i, param) in params.withIndex()) { + when (param) { + is FormalArgument -> { + val paramName = (param.name as? MetavarName)?.metavarName + ?: transformationFailed("MethodDeclaration_param_name_not_metavar") + + val position = if (idxIsConcrete) { + ParamPosition.Concrete(i) + } else { + ParamPosition.Any(paramClassifier = paramName) + } + + val paramModifiers = param.modifiers.map { transformModifier(it) } + paramModifiers.mapTo(paramConditions) { modifier -> + ParamPattern(position, ParamCondition.ParamModifier(modifier)) + } + + paramConditions += ParamPattern(position, IsMetavar(MetavarAtom.create(paramName))) + + val paramType = transformTypeName(param.type) + paramConditions += ParamPattern(position, ParamCondition.TypeIs(paramType)) + } + + is EllipsisArgumentPrefix -> { + idxIsConcrete = false + continue + } + + else -> { + transformationFailed("MethodDeclaration_parameters_not_extracted") + } + } + } + + val modifiers = pattern.modifiers.map { transformModifier(it) } + + val signature = SemgrepPatternAction.MethodSignature( + methodName, ParamConstraint.Partial(paramConditions), + returnType = returnTypePattern, + modifiers = modifiers, + enclosingClassMetavar = null, + enclosingClassConstraints = emptyList(), + ) + + return SemgrepPatternActionList( + listOf(signature) + bodyPattern.actions, + hasEllipsisInTheEnd = bodyPattern.hasEllipsisInTheEnd, + hasEllipsisInTheBeginning = false + ) +} +``` + +Key changes: +- Replaced the entire return type guard block (lines 556-573) with a single line: `val returnTypePattern: TypeNamePattern? = pattern.returnType?.let { transformTypeName(it) }` +- Removed `MethodDeclarationReturnTypeIsArray`, `MethodDeclarationReturnTypeIsNotMetaVar`, `MethodDeclarationReturnTypeHasTypeArgs` warning emissions +- Passed `returnType = returnTypePattern` to the `MethodSignature` constructor + +- [ ] **Step 3: Remove obsolete warning classes** + +In `SemgrepRuleLoadErrorMessage.kt`, delete the four classes (lines 149-163): + +- `TypeArgumentsIgnored` +- `MethodDeclarationReturnTypeIsArray` +- `MethodDeclarationReturnTypeIsNotMetaVar` +- `MethodDeclarationReturnTypeHasTypeArgs` + +- [ ] **Step 4: Verify compilation** + +Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` +Expected: BUILD SUCCESSFUL. If any code references the deleted warning classes, fix those references (they should only be in the lines we already changed). + +- [ ] **Step 5: Commit** + +```bash +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt +git commit -m "feat: stop discarding type args, array returns, concrete returns in pattern converter" +``` + +--- + +## Task 4: Update `unifyTypeName` in `MethodFormulaSimplifier` for `typeArgs` + +**Files:** +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt:769-858` + +- [ ] **Step 1: Add `typeArgs` unification logic** + +The `unifyTypeName` function (lines 769-858) has a pattern-match on `left` and `right`. We need to handle `typeArgs` when both sides are `ClassName` or `FullyQualified`. Add a helper and update the relevant match arms. + +Add a private helper above `unifyTypeName`: + +```kotlin +private fun unifyTypeArgs( + left: List, + right: List, + metaVarInfo: ResolvedMetaVarInfo +): List? { + if (left.isEmpty()) return right + if (right.isEmpty()) return left + if (left.size != right.size) return null + val unified = left.zip(right).map { (l, r) -> unifyTypeName(l, r, metaVarInfo) ?: return null } + return unified +} +``` + +Update the `ClassName`-to-`ClassName` case inside `unifyTypeName`. Currently at line 785 the match arm is: + +```kotlin +is TypeNamePattern.ClassName -> when (right) { + TypeNamePattern.AnyType -> return left + + is TypeNamePattern.ArrayType, + is TypeNamePattern.ClassName, + is TypeNamePattern.PrimitiveName -> return null + // ... +``` + +Change the `is TypeNamePattern.ClassName` sub-case to unify names and typeArgs: + +```kotlin +is TypeNamePattern.ClassName -> when (right) { + TypeNamePattern.AnyType -> return left + + is TypeNamePattern.ArrayType, + is TypeNamePattern.PrimitiveName -> return null + + is TypeNamePattern.ClassName -> { + if (left.name != right.name) return null + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.ClassName(left.name, args) + } + + is TypeNamePattern.FullyQualified -> { + if (right.name.endsWith(left.name)) { + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.FullyQualified(right.name, args) + } + return null + } + + is TypeNamePattern.MetaVar -> { + if (!stringMatches(left.name, metaVarInfo.metaVarConstraints[right.metaVar])) return null + return left + } +} +``` + +Similarly update the `FullyQualified`-to-`FullyQualified` and `FullyQualified`-to-`ClassName` sub-cases: + +```kotlin +is TypeNamePattern.FullyQualified -> when (right) { + TypeNamePattern.AnyType -> return left + + is TypeNamePattern.ArrayType, + is TypeNamePattern.PrimitiveName -> return null + + is TypeNamePattern.ClassName -> { + if (left.name.endsWith(right.name)) { + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.FullyQualified(left.name, args) + } + return null + } + + is TypeNamePattern.FullyQualified -> { + if (left.name != right.name) return null + val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null + return TypeNamePattern.FullyQualified(left.name, args) + } + + is TypeNamePattern.MetaVar -> { + if (left.name == generatedMethodClassName) return null + if (!stringMatches(left.name, metaVarInfo.metaVarConstraints[right.metaVar])) return null + return left + } +} +``` + +- [ ] **Step 2: Verify compilation** + +Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` +Expected: BUILD SUCCESSFUL + +- [ ] **Step 3: Commit** + +```bash +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt +git commit -m "feat: handle typeArgs in unifyTypeName for generic type unification" +``` + +--- + +## Task 5: Update `typeNameMetaVars` in `TaintEdgesGeneration` to recurse into `typeArgs` + +**Files:** +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt:355-372` + +- [ ] **Step 1: Recurse into `typeArgs` for metavar extraction** + +Replace the `typeNameMetaVars` function: + +```kotlin +private fun MetaVarCtx.typeNameMetaVars(typeName: TypeNamePattern, metaVars: BitSet) { + when (typeName) { + is TypeNamePattern.MetaVar -> { + metaVars.set(typeName.metaVar.idx()) + } + + is TypeNamePattern.ArrayType -> { + typeNameMetaVars(typeName.element, metaVars) + } + + TypeNamePattern.AnyType, + is TypeNamePattern.PrimitiveName -> { + // no metavars + } + + is TypeNamePattern.ClassName -> { + typeName.typeArgs.forEach { typeNameMetaVars(it, metaVars) } + } + + is TypeNamePattern.FullyQualified -> { + typeName.typeArgs.forEach { typeNameMetaVars(it, metaVars) } + } + } +} +``` + +Key change: `ClassName` and `FullyQualified` now recurse into their `typeArgs` to extract any embedded metavariables. + +- [ ] **Step 2: Verify compilation** + +Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` +Expected: BUILD SUCCESSFUL + +- [ ] **Step 3: Commit** + +```bash +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt +git commit -m "feat: recurse into typeArgs for metavar extraction in typeNameMetaVars" +``` + +--- + +## Task 6: Add `typeArgs` to `SerializedTypeNameMatcher.ClassPattern` + +**Files:** +- Modify: `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt:19-22` + +- [ ] **Step 1: Add `typeArgs` field to `ClassPattern`** + +```kotlin +@Serializable +data class ClassPattern( + val `package`: SerializedSimpleNameMatcher, + val `class`: SerializedSimpleNameMatcher, + val typeArgs: List = emptyList() // NEW +) : SerializedTypeNameMatcher +``` + +- [ ] **Step 2: Verify compilation across all modules** + +Run: `./gradlew compileKotlin` +Expected: BUILD SUCCESSFUL (empty default means all existing `ClassPattern(...)` call sites remain valid) + +- [ ] **Step 3: Commit** + +```bash +git add core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt +git commit -m "feat: add typeArgs field to SerializedTypeNameMatcher.ClassPattern" +``` + +--- + +## Task 7: Propagate `typeArgs` and `returnType` in `AutomataToTaintRuleConversion` + +**Files:** +- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt:802-812` (typeMatcher), `:531-613` (evaluateFormulaSignature) + +- [ ] **Step 1: Propagate `typeArgs` in `typeMatcher()` for `ClassName`** + +In `AutomataToTaintRuleConversion.kt`, change the `ClassName` branch (lines 807-812): + +```kotlin +is TypeNamePattern.ClassName -> { + val serializedTypeArgs = typeName.typeArgs.mapNotNull { typeMatcher(it, semgrepRuleTrace)?.constraint } + MetaVarConstraintFormula.Constraint( + SerializedTypeNameMatcher.ClassPattern( + `package` = anyName(), + `class` = Simple(typeName.name), + typeArgs = serializedTypeArgs + ) + ) +} +``` + +- [ ] **Step 2: Propagate `typeArgs` in `typeMatcher()` for `FullyQualified`** + +For `FullyQualified` (lines 814-818), if `typeArgs` is non-empty we need a `ClassPattern` rather than `Simple`: + +```kotlin +is TypeNamePattern.FullyQualified -> { + if (typeName.typeArgs.isEmpty()) { + MetaVarConstraintFormula.Constraint( + Simple(typeName.name) + ) + } else { + val serializedTypeArgs = typeName.typeArgs.mapNotNull { typeMatcher(it, semgrepRuleTrace)?.constraint } + val (pkg, cls) = classNamePartsFromConcreteString(typeName.name) + MetaVarConstraintFormula.Constraint( + SerializedTypeNameMatcher.ClassPattern( + `package` = pkg, + `class` = cls, + typeArgs = serializedTypeArgs + ) + ) + } +} +``` + +- [ ] **Step 3: Propagate `returnType` in `evaluateFormulaSignature()`** + +In `evaluateFormulaSignature()` (around lines 531-613), after the method name and class are evaluated, add return type handling. The function returns `Pair>`. The `RuleConditionBuilder` is what eventually gets converted to serialized rules. + +Find the `RuleConditionBuilder` class definition and check if it has a `signature` or `returnType` field. If `RuleConditionBuilder` already builds `SerializedSignatureMatcher.Partial`, add the return type there. + +Locate where the `MethodSignature` predicate's `returnType` should be converted: + +```kotlin +// After line 560 (after buildersWithClass is populated) +// Add return type conversion +val returnTypeFormula = signature.returnType?.let { typeMatcher(it, semgrepRuleTrace) } +if (returnTypeFormula != null) { + val returnTypeDnf = returnTypeFormula.toDNF() + for (builder in buildersWithClass) { + for (cube in returnTypeDnf) { + if (cube.positive.isNotEmpty()) { + builder.returnType = cube.positive.first().constraint + } + } + } +} +``` + +**Note:** The exact integration depends on how `RuleConditionBuilder` manages the signature. Read the `RuleConditionBuilder` class to determine where `returnType` should be set. The builder should populate `SerializedSignatureMatcher.Partial(return = returnTypeMatcher)` when a return type is specified. + +- [ ] **Step 4: Verify compilation** + +Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` +Expected: BUILD SUCCESSFUL + +- [ ] **Step 5: Commit** + +```bash +git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt +git commit -m "feat: propagate typeArgs and returnType through automata-to-taint conversion" +``` + +--- + +## Task 8: Add `typeArgs` to `TypeMatchesPattern` in `TaintCondition` + +**Files:** +- Modify: `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt:119-124` + +- [ ] **Step 1: Add `typeArgs` field to `TypeMatchesPattern`** + +```kotlin +data class TypeMatchesPattern( + val position: Position, + val pattern: ConditionNameMatcher, + val typeArgs: List = emptyList(), // NEW +) : Condition { + override fun accept(conditionVisitor: ConditionVisitor): R = conditionVisitor.visit(this) +} +``` + +This requires adding the import: + +```kotlin +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher +``` + +- [ ] **Step 2: Verify compilation** + +Run: `./gradlew compileKotlin` +Expected: BUILD SUCCESSFUL (empty default = backward compatible) + +- [ ] **Step 3: Commit** + +```bash +git add core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt +git commit -m "feat: add typeArgs to TypeMatchesPattern for deferred generic matching" +``` + +--- + +## Task 9: Add `matchType(JIRType)` to `TaintConfiguration` and update `resolveIsType()` + +**Files:** +- Modify: `core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt:236-255` (matchType), `:281-308` (matchFunctionSignature), `:674-708` (resolveIsType) + +- [ ] **Step 1: Add `matchType(JIRType)` extension function** + +Add a new private extension function near the existing `match(String)` function (after line 255): + +```kotlin +private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { + // No type args on matcher → fall back to erased name matching (backward compat) + this is ClassPattern && typeArgs.isEmpty() -> match(type.typeName) + + // Has type args → structural comparison against JIRClassType + this is ClassPattern && type is JIRClassType -> { + match(type.typeName) && + typeArgs.size == type.typeArguments.size && + typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } + } + + // Array matching + this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) + + // Default: erased matching + else -> match(type.typeName) +} +``` + +Add necessary imports at the top of the file: + +```kotlin +import org.opentaint.ir.api.jvm.JIRClassType +import org.opentaint.ir.api.jvm.JIRArrayType +import org.opentaint.ir.api.jvm.JIRType +import org.opentaint.ir.api.jvm.JIRTypedMethod +``` + +- [ ] **Step 2: Update `matchFunctionSignature()` to use typed matching when `typeArgs` present** + +The existing `matchFunctionSignature` (lines 281-308) operates on `JIRMethod` which only has erased type names. We need to add a typed overload that accepts `JIRTypedMethod` and delegates to `matchType(JIRType)` when type args are present. + +Add a new overload: + +```kotlin +private fun SerializedSignatureMatcher.matchFunctionSignatureTyped(typedMethod: JIRTypedMethod): Boolean { + when (this) { + is SerializedSignatureMatcher.Simple -> { + if (typedMethod.parameters.size != args.size) return false + if (!`return`.matchType(typedMethod.returnType)) return false + return args.zip(typedMethod.parameters).all { (matcher, param) -> + matcher.matchType(param.type) + } + } + + is SerializedSignatureMatcher.Partial -> { + val ret = `return` + if (ret != null && !ret.matchType(typedMethod.returnType)) return false + + val params = params + if (params != null) { + for (param in params) { + val methodParam = typedMethod.parameters.getOrNull(param.index) ?: return false + if (!param.type.matchType(methodParam.type)) return false + } + } + + return true + } + } +} +``` + +Then update the call site that invokes `matchFunctionSignature`. Find where `matchFunctionSignature(method)` is called (line 230) and check if we can resolve `JIRTypedMethod`. The call is: + +```kotlin +rules.removeAll { it.signature?.matchFunctionSignature(method) == false } +``` + +We need to check if a `SerializedSignatureMatcher` has any `ClassPattern` with non-empty `typeArgs`. If so, we need the typed method. Add a helper: + +```kotlin +private fun SerializedSignatureMatcher.hasTypeArgs(): Boolean = when (this) { + is SerializedSignatureMatcher.Simple -> false + is SerializedSignatureMatcher.Partial -> { + (`return` as? ClassPattern)?.typeArgs?.isNotEmpty() == true || + params?.any { (it.type as? ClassPattern)?.typeArgs?.isNotEmpty() == true } == true + } +} +``` + +Update the call site to resolve the typed method when needed: + +```kotlin +rules.removeAll { rule -> + val sig = rule.signature ?: return@removeAll false + if (sig.hasTypeArgs()) { + val typedMethod = cp.findTypeOrNull(method.enclosingClass.name) + ?.let { it as? JIRClassType } + ?.declaredMethods + ?.find { it.method == method } + if (typedMethod != null) { + !sig.matchFunctionSignatureTyped(typedMethod) + } else { + !sig.matchFunctionSignature(method) + } + } else { + !sig.matchFunctionSignature(method) + } +} +``` + +**Note:** The exact implementation depends on how `cp` (classpath) is accessed within `TaintConfiguration`. Read the class constructor and fields to find the classpath reference. It's already available — `TaintConfiguration(cp)` takes it as a constructor parameter. + +- [ ] **Step 3: Update `resolveIsType()` to pass `typeArgs` through to `TypeMatchesPattern`** + +In `resolveIsType()` (line 707), when the `IsType` condition's `typeIs` matcher has non-empty `typeArgs`, pass them to `TypeMatchesPattern`: + +```kotlin +// Replace line 707: +// return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher) }) +// With: +val typeArgs = when (val typeIs = normalizedTypeIs) { + is ClassPattern -> typeIs.typeArgs + else -> emptyList() +} +return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher, typeArgs) }) +``` + +- [ ] **Step 4: Verify compilation** + +Run: `./gradlew :core:opentaint-jvm-sast-dataflow:compileKotlin` +Expected: BUILD SUCCESSFUL + +- [ ] **Step 5: Commit** + +```bash +git add core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +git commit -m "feat: add typed matching with JIRType for generic type args in TaintConfiguration" +``` + +--- + +## Task 10: Resolve generic types in `JIRBasicAtomEvaluator.typeMatchesPattern()` + +**Files:** +- Modify: `core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt:328-347` + +- [ ] **Step 1: Extend `typeMatchesPattern()` to check generic type args** + +The current method (lines 328-347) checks erased type names. When `condition.typeArgs` is non-empty, we need to resolve the generic type of the value and compare. + +First, check what context is available. The constructor takes: +- `negated: Boolean` +- `positionResolver: PositionResolver` +- `typeChecker: JIRFactTypeChecker` +- `aliasAnalysis: JIRLocalAliasAnalysis?` +- `statement: CommonInst` + +We need to add a `typedMethod: JIRTypedMethod?` parameter (or access it through the analysis context). Check how `JIRBasicAtomEvaluator` is instantiated to determine the best way to thread this through. + +Add `typedMethod: JIRTypedMethod?` as a constructor parameter: + +```kotlin +class JIRBasicAtomEvaluator( + private val negated: Boolean, + private val positionResolver: PositionResolver, + private val typeChecker: JIRFactTypeChecker, + private val aliasAnalysis: JIRLocalAliasAnalysis?, + private val statement: CommonInst, + private val typedMethod: JIRTypedMethod? = null, // NEW +) : ConditionVisitor +``` + +Then extend `typeMatchesPattern`: + +```kotlin +private fun typeMatchesPattern(value: JIRValue, condition: TypeMatchesPattern): Boolean { + val type = value.type as? JIRRefType ?: return false + + val pattern = condition.pattern + if (!pattern.match(type.typeName)) { + if (pattern is ConditionNameMatcher.Concrete) { + if (!negated && type.typeName != "java.lang.Object") { + if (!typeChecker.typeMayHaveSubtypeOf(type.typeName, pattern.name)) return false + } else { + return false + } + } else { + return false + } + } + + // Generic type args check + if (condition.typeArgs.isNotEmpty()) { + val genericType = resolveGenericType(value) + if (genericType is JIRClassType) { + if (genericType.typeArguments.size != condition.typeArgs.size) return false + return condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> + matcher.matchType(arg) + } + } + // Can't resolve generics → fall back to erased match (already passed above) + return true + } + + return true +} +``` + +Add the `resolveGenericType` helper and `matchType`: + +```kotlin +private fun resolveGenericType(value: JIRValue): JIRType? { + val localVar = value as? JIRLocalVar ?: return null + val typedMethod = typedMethod ?: return null + + // Find the LocalVariableNode for this local variable at the current instruction + val methodNode = typedMethod.method.methodNode ?: return null + val localVarNode = methodNode.localVariables?.find { lvn -> + lvn.index == localVar.index + } ?: return null + + return typedMethod.typeOf(localVarNode) +} + +private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { + this is ClassPattern && typeArgs.isEmpty() -> matchErasedName(type.typeName) + this is ClassPattern && type is JIRClassType -> { + matchErasedName(type.typeName) && + typeArgs.size == type.typeArguments.size && + typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a) } + } + this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) + else -> matchErasedName(type.typeName) +} + +private fun SerializedTypeNameMatcher.matchErasedName(name: String): Boolean = when (this) { + is SerializedSimpleNameMatcher.Simple -> value == name + is SerializedSimpleNameMatcher.Pattern -> Regex(pattern).containsMatchIn(name) + is ClassPattern -> { + val (pkgName, clsName) = splitClassName(name) + `package`.matchErasedName(pkgName) && `class`.matchErasedName(clsName) + } + is SerializedTypeNameMatcher.Array -> { + val nameWithout = name.removeSuffix("[]") + name != nameWithout && element.matchErasedName(nameWithout) + } +} +``` + +Add necessary imports: + +```kotlin +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher.ClassPattern +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher +import org.opentaint.ir.api.jvm.JIRClassType +import org.opentaint.ir.api.jvm.JIRArrayType +import org.opentaint.ir.api.jvm.JIRType +import org.opentaint.ir.api.jvm.JIRTypedMethod +``` + +**Note:** The `matchType` logic here mirrors what was added to `TaintConfiguration`. If the logic is identical, consider extracting to a shared utility. However, `TaintConfiguration` lives in a different module (`jvm-sast-dataflow`) than `JIRBasicAtomEvaluator` (`jvm-dataflow`). Check module dependencies before sharing — it may be simpler to keep the two copies aligned rather than creating a new shared module. + +- [ ] **Step 2: Update all call sites that create `JIRBasicAtomEvaluator`** + +Search for all instantiation sites of `JIRBasicAtomEvaluator(...)` and add the `typedMethod` parameter. Use `null` where the typed method is unavailable — this preserves backward compatibility (generic checks are skipped). + +Run: `grep -r "JIRBasicAtomEvaluator(" --include="*.kt"` to find all sites. + +- [ ] **Step 3: Verify compilation** + +Run: `./gradlew compileKotlin` +Expected: BUILD SUCCESSFUL + +- [ ] **Step 4: Commit** + +```bash +git add core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt +git add -u # any files that instantiate JIRBasicAtomEvaluator +git commit -m "feat: resolve generic types in JIRBasicAtomEvaluator for call-site receiver matching" +``` + +--- + +## Task 11: Add E2E test samples and rules for generic type args + +**Files:** +- Create: `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java` +- Create: `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml` + +- [ ] **Step 1: Write the YAML rule** + +Create `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml`: + +```yaml +rules: + - id: example-RuleWithGenericTypeArgs + languages: + - java + severity: ERROR + message: match example/RuleWithGenericTypeArgs + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + $RET $METHOD(Map $M, ...) { + ... + } +``` + +- [ ] **Step 2: Write the Java sample** + +Create `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java`: + +```java +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.Map; + +@RuleSet("example/RuleWithGenericTypeArgs.yaml") +public abstract class RuleWithGenericTypeArgs implements RuleSample { + + void sink(String data) {} + + void methodWithGenericParam(Map m, String data) { + sink(data); + } + + void methodWithDifferentGenericParam(Map m, String data) { + sink(data); + } + + void methodWithRawMapParam(Map m, String data) { + sink(data); + } + + final static class PositiveMatchingGenericParam extends RuleWithGenericTypeArgs { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithGenericParam(m, data); + } + } + + final static class NegativeDifferentGenericParam extends RuleWithGenericTypeArgs { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithDifferentGenericParam(m, data); + } + } + + final static class NegativeRawMapParam extends RuleWithGenericTypeArgs { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithRawMapParam(m, data); + } + } +} +``` + +- [ ] **Step 3: Commit** + +```bash +git add core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java +git add core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml +git commit -m "test: add E2E samples for generic type arg pattern matching" +``` + +--- + +## Task 12: Add E2E test samples for array and concrete return types + +**Files:** +- Create: `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java` +- Create: `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml` +- Create: `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java` +- Create: `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml` + +- [ ] **Step 1: Write the array return type YAML rule** + +Create `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml`: + +```yaml +rules: + - id: example-RuleWithArrayReturnType + languages: + - java + severity: ERROR + message: match example/RuleWithArrayReturnType + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + String[] $METHOD(..., String $A, ...) { + ... + } +``` + +- [ ] **Step 2: Write the array return type Java sample** + +Create `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java`: + +```java +package example; + +import base.RuleSample; +import base.RuleSet; + +@RuleSet("example/RuleWithArrayReturnType.yaml") +public abstract class RuleWithArrayReturnType implements RuleSample { + + void sink(String data) {} + + String[] methodReturningStringArray(String data) { + sink(data); + return new String[] { data }; + } + + int[] methodReturningIntArray(String data) { + sink(data); + return new int[] { 1 }; + } + + String methodReturningString(String data) { + sink(data); + return data; + } + + final static class PositiveStringArrayReturn extends RuleWithArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningStringArray(data); + } + } + + final static class NegativeIntArrayReturn extends RuleWithArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningIntArray(data); + } + } + + final static class NegativeStringReturn extends RuleWithArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningString(data); + } + } +} +``` + +- [ ] **Step 3: Write the concrete return type YAML rule** + +Create `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml`: + +```yaml +rules: + - id: example-RuleWithConcreteReturnType + languages: + - java + severity: ERROR + message: match example/RuleWithConcreteReturnType + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + String $METHOD(..., String $A, ...) { + ... + } +``` + +- [ ] **Step 4: Write the concrete return type Java sample** + +Create `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java`: + +```java +package example; + +import base.RuleSample; +import base.RuleSet; + +@RuleSet("example/RuleWithConcreteReturnType.yaml") +public abstract class RuleWithConcreteReturnType implements RuleSample { + + void sink(String data) {} + + String methodReturningString(String data) { + sink(data); + return data; + } + + int methodReturningInt(String data) { + sink(data); + return 0; + } + + void methodReturningVoid(String data) { + sink(data); + } + + final static class PositiveStringReturn extends RuleWithConcreteReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningString(data); + } + } + + final static class NegativeIntReturn extends RuleWithConcreteReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningInt(data); + } + } + + final static class NegativeVoidReturn extends RuleWithConcreteReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningVoid(data); + } + } +} +``` + +- [ ] **Step 5: Commit** + +```bash +git add core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java +git add core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml +git add core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java +git add core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml +git commit -m "test: add E2E samples for array and concrete return type matching" +``` + +--- + +## Task 13: Add E2E test class and run all tests + +**Files:** +- Create: `core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt` + +- [ ] **Step 1: Write the test class** + +Create `core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt`: + +```kotlin +package org.opentaint.semgrep + +import org.junit.jupiter.api.AfterAll +import org.junit.jupiter.api.TestInstance +import org.junit.jupiter.api.TestInstance.Lifecycle.PER_CLASS +import org.opentaint.semgrep.util.SampleBasedTest +import kotlin.test.Test + +@TestInstance(PER_CLASS) +class TypeAwarePatternTest : SampleBasedTest() { + @Test + fun `test generic type args in method parameter`() = runTest() + + @Test + fun `test array return type matching`() = runTest() + + @Test + fun `test concrete return type matching`() = runTest() + + @AfterAll + fun close() { + closeRunner() + } +} +``` + +- [ ] **Step 2: Build the samples JAR** + +Run the appropriate Gradle task to compile and package the samples JAR (needed by `SamplesDb`): + +Run: `./gradlew :core:opentaint-java-querylang:samples:jar` +Expected: BUILD SUCCESSFUL + +- [ ] **Step 3: Run the new tests** + +Run: `./gradlew :core:opentaint-java-querylang:test --tests "org.opentaint.semgrep.TypeAwarePatternTest"` +Expected: All 3 tests PASS + +- [ ] **Step 4: Run the full test suite to verify no regressions** + +Run: `./gradlew :core:opentaint-java-querylang:test` +Expected: All existing tests still PASS (backward compatibility via empty defaults) + +- [ ] **Step 5: Commit** + +```bash +git add core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +git commit -m "test: add E2E tests for type-aware pattern matching" +``` + +--- + +## Task 14: Run full project build and verify + +- [ ] **Step 1: Run full build** + +Run: `./gradlew build` +Expected: BUILD SUCCESSFUL with no test failures + +- [ ] **Step 2: Check for any remaining references to deleted warning classes** + +Run: `grep -r "TypeArgumentsIgnored\|MethodDeclarationReturnTypeIsArray\|MethodDeclarationReturnTypeIsNotMetaVar\|MethodDeclarationReturnTypeHasTypeArgs" --include="*.kt"` +Expected: No matches (all references removed) + +- [ ] **Step 3: Final commit if any fixes were needed** + +If any fixes were required during the full build, commit them: + +```bash +git add -u +git commit -m "fix: address build issues from type-aware pattern matching" +``` From 2427e19f266cf44c7f20626bfa1d643117d8b5ba Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 20 Apr 2026 15:07:44 +0200 Subject: [PATCH 18/31] test(engine): cover type-aware feature matrix (A1-A6) Adds six pattern-inside return-type / param-type matching sample rules that exercise generic, array, nested-generic, wildcard and raw-type forms introduced on this branch. Tests also pin current engine behavior where the method-decl return-type specificity is effectively ignored (A1/A3/A6 show ResponseEntity rules match other parameterized and raw forms of ResponseEntity). --- .../RuleWithGenericByteArrayReturnType.java | 54 ++++++++++++++++ .../RuleWithGenericMetavarArrayArg.java | 61 +++++++++++++++++++ .../RuleWithNestedGenericReturnType.java | 49 +++++++++++++++ .../example/RuleWithRawResponseEntity.java | 57 +++++++++++++++++ .../java/example/RuleWithTwoArgGeneric.java | 51 ++++++++++++++++ .../java/example/RuleWithWildcardGeneric.java | 46 ++++++++++++++ .../RuleWithGenericByteArrayReturnType.yaml | 15 +++++ .../RuleWithGenericMetavarArrayArg.yaml | 15 +++++ .../RuleWithNestedGenericReturnType.yaml | 15 +++++ .../example/RuleWithRawResponseEntity.yaml | 15 +++++ .../example/RuleWithTwoArgGeneric.yaml | 15 +++++ .../example/RuleWithWildcardGeneric.yaml | 15 +++++ .../opentaint/semgrep/TypeAwarePatternTest.kt | 33 ++++++++++ 13 files changed, 441 insertions(+) create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericMetavarArrayArg.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoArgGeneric.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericByteArrayReturnType.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericMetavarArrayArg.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedGenericReturnType.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoArgGeneric.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithWildcardGeneric.yaml diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java new file mode 100644 index 00000000..4c944064 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java @@ -0,0 +1,54 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import org.springframework.http.ResponseEntity; + +/** + * A1. Rule pattern-inside declares return type {@code ResponseEntity}. + * Surprise from the matrix run: even the concrete-generic case does not + * discriminate ResponseEntity<String> away — the method-decl pattern's + * return-type specificity is effectively ignored at generic level today. + * + * Both inner classes are therefore Positive and the test pins that behavior. + * The "Negative" angle (specificity discriminates byte[] from String at + * method-decl-return level) is covered by the @Disabled gap test in + * EngineGapsTest. + */ +@RuleSet("example/RuleWithGenericByteArrayReturnType.yaml") +public abstract class RuleWithGenericByteArrayReturnType implements RuleSample { + + void sink(String data) {} + + ResponseEntity methodReturningResponseEntityByteArray(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityString(String data) { + sink(data); + return null; + } + + final static class PositiveResponseEntityByteArray extends RuleWithGenericByteArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityByteArray(data); + } + } + + /** + * Pinned as Positive because the engine does not discriminate by the + * specific concrete type argument at method-decl return position today. + * See {@code EngineGapsTest.`B11 ...`} for the @Disabled expectation that + * this SHOULD be Negative. + */ + final static class PositiveResponseEntityStringPinsOverMatch extends RuleWithGenericByteArrayReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityString(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericMetavarArrayArg.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericMetavarArrayArg.java new file mode 100644 index 00000000..bf29a93a --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericMetavarArrayArg.java @@ -0,0 +1,61 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import base.TaintRuleFalsePositive; +import org.springframework.http.ResponseEntity; + +@RuleSet("example/RuleWithGenericMetavarArrayArg.yaml") +public abstract class RuleWithGenericMetavarArrayArg implements RuleSample { + + void sink(String data) {} + + ResponseEntity methodReturningResponseEntityString(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityByteArray(String data) { + sink(data); + return null; + } + + /** + * Raw ResponseEntity. Note: pattern is ResponseEntity<$T>, so whether this fires + * depends on whether the engine considers raw as unifiable with a type-arg metavar. + */ + @SuppressWarnings("rawtypes") + ResponseEntity methodReturningRawResponseEntity(String data) { + sink(data); + return null; + } + + final static class PositiveResponseEntityString extends RuleWithGenericMetavarArrayArg { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityString(data); + } + } + + final static class PositiveResponseEntityByteArray extends RuleWithGenericMetavarArrayArg { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityByteArray(data); + } + } + + /** + * In opentaint the method-decl pattern's return-type check is effectively ignored + * on raw vs. parameterized, so raw ResponseEntity DOES get matched by + * ResponseEntity<$T>. We treat this as a Positive to pin the current behavior. + */ + final static class PositiveRawResponseEntity extends RuleWithGenericMetavarArrayArg { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningRawResponseEntity(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java new file mode 100644 index 00000000..c555acd1 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java @@ -0,0 +1,49 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.List; +import org.springframework.http.ResponseEntity; + +/** + * A3. Rule pattern-inside declares return type {@code ResponseEntity>}. + * Surprise from the matrix run: engine does not discriminate the nested-generic + * form either — a method returning plain {@code ResponseEntity} also + * matches. Pin both as Positive here; the should-be-Negative angle is the + * @Disabled gap test {@code `B11 ...`} in EngineGapsTest. + */ +@RuleSet("example/RuleWithNestedGenericReturnType.yaml") +public abstract class RuleWithNestedGenericReturnType implements RuleSample { + + void sink(String data) {} + + ResponseEntity> methodReturningResponseEntityListString(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityString(String data) { + sink(data); + return null; + } + + final static class PositiveNestedGeneric extends RuleWithNestedGenericReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityListString(data); + } + } + + /** + * Pinned as Positive: the engine over-matches because the method-decl + * return-type's generic specificity is effectively ignored today. + */ + final static class PositiveFlatGenericPinsOverMatch extends RuleWithNestedGenericReturnType { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityString(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java new file mode 100644 index 00000000..31e48ce2 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java @@ -0,0 +1,57 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import org.springframework.http.ResponseEntity; + +/** + * The pattern-inside declares return type {@code ResponseEntity} (raw, unparameterized). + * From the Task-5 probe we know opentaint's method-decl pattern ignores generic + * specificity on the return type: the three method-decl forms (raw, parameterized + * concrete, parameterized with array) all match. Each class below is Positive. + */ +@RuleSet("example/RuleWithRawResponseEntity.yaml") +public abstract class RuleWithRawResponseEntity implements RuleSample { + + void sink(String data) {} + + @SuppressWarnings("rawtypes") + ResponseEntity methodReturningRawResponseEntity(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityString(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityByteArray(String data) { + sink(data); + return null; + } + + final static class PositiveRaw extends RuleWithRawResponseEntity { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningRawResponseEntity(data); + } + } + + final static class PositiveParameterizedString extends RuleWithRawResponseEntity { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityString(data); + } + } + + final static class PositiveParameterizedByteArray extends RuleWithRawResponseEntity { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityByteArray(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoArgGeneric.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoArgGeneric.java new file mode 100644 index 00000000..17020a8e --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoArgGeneric.java @@ -0,0 +1,51 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.List; +import java.util.Map; + +@RuleSet("example/RuleWithTwoArgGeneric.yaml") +public abstract class RuleWithTwoArgGeneric implements RuleSample { + + void sink(String data) {} + + void methodWithStringObjectMap(Map m, String data) { + sink(data); + } + + void methodWithStringStringMap(Map m, String data) { + sink(data); + } + + void methodWithList(List m, String data) { + sink(data); + } + + final static class PositiveStringObjectMap extends RuleWithTwoArgGeneric { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithStringObjectMap(m, data); + } + } + + final static class PositiveStringStringMap extends RuleWithTwoArgGeneric { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithStringStringMap(m, data); + } + } + + final static class NegativeListNotMap extends RuleWithTwoArgGeneric { + @Override + public void entrypoint() { + String data = "tainted"; + List m = null; + methodWithList(m, data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java new file mode 100644 index 00000000..1eeb9606 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java @@ -0,0 +1,46 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import org.springframework.http.ResponseEntity; + +@RuleSet("example/RuleWithWildcardGeneric.yaml") +public abstract class RuleWithWildcardGeneric implements RuleSample { + + void sink(String data) {} + + ResponseEntity methodReturningResponseEntityWildcard(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityString(String data) { + sink(data); + return null; + } + + /** + * Wildcard ResponseEntity<?> is a valid Java construct that the rule + * pattern also expresses. Keeping it as a Positive to pin the current behavior. + */ + final static class PositiveWildcard extends RuleWithWildcardGeneric { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityWildcard(data); + } + } + + /** + * ResponseEntity<String> is a concrete parameterized form. In many + * semgrep engines a wildcard is considered to match any concrete + * type; keeping this as a Positive documents current engine behavior. + */ + final static class PositiveConcreteAlsoMatches extends RuleWithWildcardGeneric { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityString(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericByteArrayReturnType.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericByteArrayReturnType.yaml new file mode 100644 index 00000000..f1194e74 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericByteArrayReturnType.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithGenericByteArrayReturnType + languages: + - java + severity: ERROR + message: match example/RuleWithGenericByteArrayReturnType + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + ResponseEntity $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericMetavarArrayArg.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericMetavarArrayArg.yaml new file mode 100644 index 00000000..5878107a --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericMetavarArrayArg.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithGenericMetavarArrayArg + languages: + - java + severity: ERROR + message: match example/RuleWithGenericMetavarArrayArg + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + ResponseEntity<$T> $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedGenericReturnType.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedGenericReturnType.yaml new file mode 100644 index 00000000..b6cab41c --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedGenericReturnType.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithNestedGenericReturnType + languages: + - java + severity: ERROR + message: match example/RuleWithNestedGenericReturnType + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + ResponseEntity> $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml new file mode 100644 index 00000000..34016704 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithRawResponseEntity + languages: + - java + severity: ERROR + message: match example/RuleWithRawResponseEntity + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + ResponseEntity $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoArgGeneric.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoArgGeneric.yaml new file mode 100644 index 00000000..489c02cb --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoArgGeneric.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithTwoArgGeneric + languages: + - java + severity: ERROR + message: match example/RuleWithTwoArgGeneric + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + $RET $METHOD(Map<$K, $V> $M, ..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithWildcardGeneric.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithWildcardGeneric.yaml new file mode 100644 index 00000000..5d9af718 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithWildcardGeneric.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithWildcardGeneric + languages: + - java + severity: ERROR + message: match example/RuleWithWildcardGeneric + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + ResponseEntity $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index e3b1f62a..1989d040 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -1,6 +1,7 @@ package org.opentaint.semgrep import org.junit.jupiter.api.AfterAll +import org.junit.jupiter.api.Disabled import org.junit.jupiter.api.TestInstance import org.junit.jupiter.api.TestInstance.Lifecycle.PER_CLASS import org.opentaint.semgrep.util.SampleBasedTest @@ -20,6 +21,38 @@ class TypeAwarePatternTest : SampleBasedTest() { @Test fun `test generic return type with metavar type arg`() = runTest() + // A1. ResponseEntity — array type as a concrete type argument. + @Test + fun `A1 - ResponseEntity of byte array return type`() = runTest() + + // A2. ResponseEntity<$T> — metavar type arg resolving to any concrete type, + // including arrays and the raw form. All three method-decl forms are expected + // to match. + @Test + fun `A2 - ResponseEntity metavar matches parameterized string, byte array, and raw`() = + runTest() + + // A3. Nested generic: ResponseEntity>. + @Test + fun `A3 - nested generic ResponseEntity of List of String return type`() = + runTest() + + // A4. Two-arg generic: Map<$K, $V>. + @Test + fun `A4 - two-arg generic Map of K V in parameter`() = runTest() + + // A5. Wildcard type argument: ResponseEntity. Documents current engine + // behavior; both concrete and wildcard-typed methods match today. + @Test + fun `A5 - wildcard type argument ResponseEntity of question mark`() = + runTest() + + // A6. Raw ResponseEntity in method-decl pattern matches raw, parameterized, + // and parameterized-with-array — documented current engine behavior. + @Test + fun `A6 - raw ResponseEntity method-decl pattern matches raw and parameterized forms`() = + runTest() + @AfterAll fun close() { closeRunner() From a1b3d97d8c934a27aada2807aecca9fc28ea5943 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 20 Apr 2026 16:09:53 +0200 Subject: [PATCH 19/31] test(engine): convert A1/A3/A6 pins to honest Negatives MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The three samples previously pinned over-matching behavior as Positive with explanatory comments. That made TypeAwarePatternTest report "10/10 passing" while silently hiding the gap that this branch's type-matching feature does not discriminate by concrete type argument at method-decl return position. Rename the pins: - RuleWithGenericByteArrayReturnType: PositiveResponseEntityStringPinsOverMatch → NegativeResponseEntityString (rule asks for ResponseEntity, sample method returns ResponseEntity) - RuleWithNestedGenericReturnType: PositiveFlatGenericPinsOverMatch → NegativeFlatGeneric (rule asks for ResponseEntity>, sample method returns ResponseEntity) - RuleWithRawResponseEntity: PositiveParameterizedString and PositiveParameterizedByteArray → NegativeParameterizedString and NegativeParameterizedByteArray (rule uses raw ResponseEntity, sample methods return parameterized forms) With honest labels, TypeAwarePatternTest reports 7 passing / 3 failing, the three failures surfacing the actual engine behavior on this branch. The @Disabled B11 in EngineGapsTest remains as a second witness to the same gap on origin/main. --- .../RuleWithGenericByteArrayReturnType.java | 25 +++++++------- .../RuleWithNestedGenericReturnType.java | 19 +++++++---- .../example/RuleWithRawResponseEntity.java | 33 +++++++++++++++---- 3 files changed, 52 insertions(+), 25 deletions(-) diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java index 4c944064..ce21dc31 100644 --- a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericByteArrayReturnType.java @@ -6,14 +6,15 @@ /** * A1. Rule pattern-inside declares return type {@code ResponseEntity}. - * Surprise from the matrix run: even the concrete-generic case does not - * discriminate ResponseEntity<String> away — the method-decl pattern's - * return-type specificity is effectively ignored at generic level today. * - * Both inner classes are therefore Positive and the test pins that behavior. - * The "Negative" angle (specificity discriminates byte[] from String at - * method-decl-return level) is covered by the @Disabled gap test in - * EngineGapsTest. + * Expected behavior: only the byte-array-returning method matches; the + * String-returning method should NOT match (specificity on concrete type arg). + * + * Current engine behavior: the method-decl return-type generic specificity + * is ignored at the concrete-type-argument level — both methods match. This + * test is EXPECTED TO FAIL today with an FP on NegativeResponseEntityString; + * the failure honestly documents a gap introduced by this branch's + * type-matching feature. */ @RuleSet("example/RuleWithGenericByteArrayReturnType.yaml") public abstract class RuleWithGenericByteArrayReturnType implements RuleSample { @@ -39,12 +40,12 @@ public void entrypoint() { } /** - * Pinned as Positive because the engine does not discriminate by the - * specific concrete type argument at method-decl return position today. - * See {@code EngineGapsTest.`B11 ...`} for the @Disabled expectation that - * this SHOULD be Negative. + * Honest Negative: rule requires {@code ResponseEntity} but the + * method returns {@code ResponseEntity}. The engine currently + * reports this as a match (FP); fixing this requires deeper concrete + * type-arg discrimination on method-decl return types. */ - final static class PositiveResponseEntityStringPinsOverMatch extends RuleWithGenericByteArrayReturnType { + final static class NegativeResponseEntityString extends RuleWithGenericByteArrayReturnType { @Override public void entrypoint() { String data = "tainted"; diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java index c555acd1..641a110a 100644 --- a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedGenericReturnType.java @@ -7,10 +7,14 @@ /** * A3. Rule pattern-inside declares return type {@code ResponseEntity>}. - * Surprise from the matrix run: engine does not discriminate the nested-generic - * form either — a method returning plain {@code ResponseEntity} also - * matches. Pin both as Positive here; the should-be-Negative angle is the - * @Disabled gap test {@code `B11 ...`} in EngineGapsTest. + * + * Expected behavior: only the {@code ResponseEntity>}-returning + * method matches; a method returning plain {@code ResponseEntity} + * should NOT match (the nested type arg differs). + * + * Current engine behavior: the generic specificity at the nested type-arg + * level is ignored — both methods match. This test is EXPECTED TO FAIL + * today with an FP on NegativeFlatGeneric. */ @RuleSet("example/RuleWithNestedGenericReturnType.yaml") public abstract class RuleWithNestedGenericReturnType implements RuleSample { @@ -36,10 +40,11 @@ public void entrypoint() { } /** - * Pinned as Positive: the engine over-matches because the method-decl - * return-type's generic specificity is effectively ignored today. + * Honest Negative: rule requires {@code ResponseEntity>} + * but method returns {@code ResponseEntity}. The engine currently + * reports this as a match (FP). */ - final static class PositiveFlatGenericPinsOverMatch extends RuleWithNestedGenericReturnType { + final static class NegativeFlatGeneric extends RuleWithNestedGenericReturnType { @Override public void entrypoint() { String data = "tainted"; diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java index 31e48ce2..723666ba 100644 --- a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java @@ -5,10 +5,20 @@ import org.springframework.http.ResponseEntity; /** - * The pattern-inside declares return type {@code ResponseEntity} (raw, unparameterized). - * From the Task-5 probe we know opentaint's method-decl pattern ignores generic - * specificity on the return type: the three method-decl forms (raw, parameterized - * concrete, parameterized with array) all match. Each class below is Positive. + * A6. Rule pattern-inside declares raw return type {@code ResponseEntity}. + * + * Expected behavior: only methods with a raw (unparameterized) + * {@code ResponseEntity} return type match; parameterized forms + * ({@code ResponseEntity}, {@code ResponseEntity}) should + * NOT match. + * + * Current engine behavior: the method-decl return type in the pattern is + * compared via erased class name, so raw and parameterized forms collapse + * to the same thing — all three method-decl forms match. This test is + * EXPECTED TO FAIL today with FPs on both NegativeParameterizedString and + * NegativeParameterizedByteArray. The Task-5 probe surfaced this; the + * failure here pins the expectation that raw vs parameterized should be + * distinguishable at the method-decl return type position. */ @RuleSet("example/RuleWithRawResponseEntity.yaml") public abstract class RuleWithRawResponseEntity implements RuleSample { @@ -39,7 +49,13 @@ public void entrypoint() { } } - final static class PositiveParameterizedString extends RuleWithRawResponseEntity { + /** + * Honest Negative: rule requires raw {@code ResponseEntity} but method + * returns {@code ResponseEntity}. The engine currently reports + * this as a match (FP) because raw and parameterized forms share an + * erased class name. + */ + final static class NegativeParameterizedString extends RuleWithRawResponseEntity { @Override public void entrypoint() { String data = "tainted"; @@ -47,7 +63,12 @@ public void entrypoint() { } } - final static class PositiveParameterizedByteArray extends RuleWithRawResponseEntity { + /** + * Honest Negative: rule requires raw {@code ResponseEntity} but method + * returns {@code ResponseEntity}. The engine currently reports + * this as a match (FP). + */ + final static class NegativeParameterizedByteArray extends RuleWithRawResponseEntity { @Override public void entrypoint() { String data = "tainted"; From 55668633662953bcd4099c041736a1e9ca93e0ea Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 20 Apr 2026 17:08:44 +0200 Subject: [PATCH 20/31] fix: discriminate concrete type arguments at method-decl return position MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Before this change TypeAwarePatternTest's A1, A3, and A6 failed by over-matching: - A1 (rule `ResponseEntity`) matched `ResponseEntity` methods — concrete type-arg specificity on the return type was ignored. - A3 (rule `ResponseEntity>`) matched `ResponseEntity` methods — nested generic specificity was ignored. - A6 (rule raw `ResponseEntity`) matched parameterized `ResponseEntity` and `ResponseEntity` methods — raw vs parameterized collapsed to erased name. The fix has four pieces: 1. SerializedSignatureMatcher.matchFunctionSignature now resolves the method via cp.typeOf(...).declaredMethods (JIRTypedMethod) so the structural `matchType(JIRType)` sees real generic type arguments. When typed resolution fails, it falls back to the pre-existing erased-name match on TypeName.typeName. 2. matchType's "no typeArgs on matcher" branch now requires the class type to be raw-like (no concrete type arguments) — otherwise a pattern like `ResponseEntity` would silently match `ResponseEntity`. Raw-like means either no type arguments at all or only declared type variables / unbound wildcards (so a raw method whose resolved type surfaces its class's own type variable — `ResponseEntity` — still matches the raw rule). 3. typeMatcher preserves the arity of a class-pattern's typeArgs list even when an inner metavariable / AnyType resolves to a null constraint. Previously `mapNotNull` silently dropped such entries, collapsing `ResponseEntity<$T>` into the raw form. Empty slots now become an `anyClassPattern()` matcher. 4. The wildcard `?` in pattern type arguments is now a first-class TypeName.WildcardTypeName instead of a dropped null, so `ResponseEntity` keeps its arity through parsing and rewriting and gets converted to TypeNamePattern.AnyType by the pattern converter. TypeAwarePatternTest now reports 10/10 passing (was 7/10 after the honest-label conversion). Full :opentaint-java-querylang:test suite stays green (no regressions elsewhere). --- .../semgrep/pattern/SemgrepJavaPattern.kt | 3 + .../pattern/SemgrepJavaPatternParser.kt | 5 +- .../pattern/conversion/PatternRewriter.kt | 1 + .../PatternToActionListConverter.kt | 1 + .../taint/AutomataToTaintRuleConversion.kt | 23 ++++++- .../sast/dataflow/rules/TaintConfiguration.kt | 61 +++++++++++++++++-- 6 files changed, 82 insertions(+), 12 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPattern.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPattern.kt index 40050dc1..b466775b 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPattern.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPattern.kt @@ -194,6 +194,9 @@ sealed interface TypeName { ) : TypeName data class ArrayTypeName(val elementType: TypeName) : TypeName + + /** Unbounded wildcard `?` occurring as a type argument. */ + data object WildcardTypeName : TypeName } sealed interface Modifier diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPatternParser.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPatternParser.kt index da522b67..c1bd0389 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPatternParser.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepJavaPatternParser.kt @@ -214,9 +214,6 @@ private class TypenameParserVisitor : JavaParserBaseVisitor() { val parsedTypes = parsed.filterNotNull() if (parsedTypes.size == parsed.size) return parsedTypes - // T - if (parsed.size == 1 && parsedTypes.isEmpty()) return emptyList() - ctx.todo() } @@ -228,7 +225,7 @@ private class TypenameParserVisitor : JavaParserBaseVisitor() { it.todo() } - return null + return TypeName.WildcardTypeName } unreachable() diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternRewriter.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternRewriter.kt index 40180b8a..66922137 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternRewriter.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternRewriter.kt @@ -262,6 +262,7 @@ interface PatternRewriter { fun TypeName.rewriteTypeName(): TypeName = when (this) { is TypeName.SimpleTypeName -> rewriteSimpleTypeName() is TypeName.ArrayTypeName -> rewriteArrayTypeName() + is TypeName.WildcardTypeName -> this } fun TypeName.SimpleTypeName.rewriteSimpleTypeName(): TypeName.SimpleTypeName = diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt index e0ca3ade..6b9d413f 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt @@ -219,6 +219,7 @@ class PatternToActionListConverter: ActionListBuilder { val elementTypePattern = transformTypeName(typeName.elementType) TypeNamePattern.ArrayType(elementTypePattern) } + is TypeName.WildcardTypeName -> TypeNamePattern.AnyType } private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt index 72395a25..6ebddb76 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt @@ -708,6 +708,19 @@ private fun classNameMatcherFromConcreteString(name: String): SerializedTypeName return SerializedTypeNameMatcher.ClassPattern(pkg, cls) } +/** + * A ClassPattern that accepts any class name. Used as a placeholder for a + * type-argument slot whose inner pattern resolved to null (e.g. an + * unconstrained metavariable or AnyType). Keeps the arity of a pattern like + * `ResponseEntity<$T>` intact so it remains distinguishable from a raw + * `ResponseEntity` at the matcher level. + */ +private fun anyClassPattern(): SerializedTypeNameMatcher.ClassPattern = + SerializedTypeNameMatcher.ClassPattern( + `package` = anyName(), + `class` = anyName() + ) + private fun TaintRuleGenerationCtx.evaluateEdgePredicateConstraint( edgeKind: TaintEdgeKind, state: State, @@ -834,8 +847,13 @@ private fun TaintRuleGenerationCtx.typeMatcher( ): MetaVarConstraintFormula? { return when (typeName) { is TypeNamePattern.ClassName -> { - val serializedTypeArgs = typeName.typeArgs.mapNotNull { + // Preserve arity of typeArgs: a metavar like $T or AnyType that + // produces null still takes a slot in the type-arg list with an + // "any" matcher, so the outer matcher remains distinguishable + // from a raw (zero-type-arg) form. + val serializedTypeArgs = typeName.typeArgs.map { (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint + ?: anyClassPattern() } MetaVarConstraintFormula.Constraint( SerializedTypeNameMatcher.ClassPattern( @@ -852,8 +870,9 @@ private fun TaintRuleGenerationCtx.typeMatcher( Simple(typeName.name) ) } else { - val serializedTypeArgs = typeName.typeArgs.mapNotNull { + val serializedTypeArgs = typeName.typeArgs.map { (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint + ?: anyClassPattern() } val (pkg, cls) = classNamePartsFromConcreteString(typeName.name) MetaVarConstraintFormula.Constraint( diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index 784f9922..37f7599c 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -79,6 +79,8 @@ import org.opentaint.ir.api.jvm.JIRAnnotation import org.opentaint.ir.api.jvm.JIRArrayType import org.opentaint.ir.api.jvm.JIRClasspath import org.opentaint.ir.api.jvm.JIRClassType +import org.opentaint.ir.api.jvm.JIRTypeVariable +import org.opentaint.ir.api.jvm.JIRUnboundWildcard import org.opentaint.ir.api.jvm.JIRTypedMethod import org.opentaint.ir.api.jvm.JIRField import org.opentaint.ir.api.jvm.JIRMethod @@ -260,6 +262,18 @@ class TaintConfiguration(private val cp: JIRClasspath) { } } + /** + * True when [this] is a raw type or structurally equivalent: either it + * has no type arguments at all, or its type arguments are entirely the + * class's own declared type variables / unbound wildcards (i.e. + * `ResponseEntity` resolved against declared `ResponseEntity` ends up + * with typeArguments = [T] — still raw-like, no concrete substitution). + */ + private fun JIRClassType.isRawLike(): Boolean { + if (typeArguments.isEmpty()) return true + return typeArguments.all { it is JIRTypeVariable || it is JIRUnboundWildcard } + } + private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean { // Use erased class name for matching (typeName may include generic params like "Map") val erasedName = when (type) { @@ -271,7 +285,15 @@ class TaintConfiguration(private val cp: JIRClasspath) { } return when { - // No type args on matcher → fall back to erased name matching (backward compat) + // No type args on matcher + parameterized class type → rule wants a + // raw form, method returns a parameterized form → don't match. + // When the matched class is not generic (String, Integer, etc.) its + // typeArguments is empty anyway and this still matches. + this is ClassPattern && typeArgs.isEmpty() && type is JIRClassType -> + match(erasedName) && type.isRawLike() + + // No type args on matcher + non-class type → erased matching + // (array / primitive / unresolved). this is ClassPattern && typeArgs.isEmpty() -> match(erasedName) // Has type args → structural comparison against JIRClassType @@ -312,26 +334,53 @@ class TaintConfiguration(private val cp: JIRClasspath) { } private fun SerializedSignatureMatcher.matchFunctionSignature(method: JIRMethod): Boolean { + // Resolve a typed view of the method so generic type arguments on the + // return type and parameters are visible to matchType() — without this + // the matcher falls back to erased-name matching which ignores any + // concrete type-argument specificity expressed in the rule pattern. + val typedMethod = resolveTypedMethod(method) when (this) { is SerializedSignatureMatcher.Simple -> { if (method.parameters.size != args.size) return false - if (!`return`.match(method.returnType.typeName)) return false + val methodReturnType = typedMethod?.returnType + if (methodReturnType != null) { + if (!`return`.matchType(methodReturnType)) return false + } else { + if (!`return`.match(method.returnType.typeName)) return false + } - return args.zip(method.parameters).all { (matcher, param) -> - matcher.match(param.type.typeName) + return args.zip(method.parameters).withIndex().all { (idx, pair) -> + val (matcher, param) = pair + val typedParamType = typedMethod?.parameters?.getOrNull(idx)?.type + if (typedParamType != null) matcher.matchType(typedParamType) + else matcher.match(param.type.typeName) } } is SerializedSignatureMatcher.Partial -> { val ret = `return` - if (ret != null && !ret.match(method.returnType.typeName)) return false + if (ret != null) { + val methodReturnType = typedMethod?.returnType + val returnMatches = if (methodReturnType != null) { + ret.matchType(methodReturnType) + } else { + ret.match(method.returnType.typeName) + } + if (!returnMatches) return false + } val params = params if (params != null) { for (param in params) { val methodParam = method.parameters.getOrNull(param.index) ?: return false - if (!param.type.match(methodParam.type.typeName)) return false + val typedParamType = typedMethod?.parameters?.getOrNull(param.index)?.type + val paramMatches = if (typedParamType != null) { + param.type.matchType(typedParamType) + } else { + param.type.match(methodParam.type.typeName) + } + if (!paramMatches) return false } } From cf4d3ae826183e9ae8ccf7545a93a4f70651b5fe Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 20 Apr 2026 17:19:46 +0200 Subject: [PATCH 21/31] test(engine): A8/A10/A12/A13 generic-function-definition gap tests Add four new cases to TypeAwarePatternTest to surface remaining gaps in handling generic function definitions: - A8 Map<$K, String> mixed metavar + concrete (PASSES). - A10 List> deep nesting (PASSES for both flat and inner mismatch Negatives). - A12 List concrete parameter-position discrimination (PASSES). - A13 ResponseEntity fully-qualified type argument (PASSES; FQN resolves to the same class as simple name). --- .../java/example/RuleWithDeepNesting.java | 73 +++++++++++++++++++ .../main/java/example/RuleWithFqnTypeArg.java | 54 ++++++++++++++ .../example/RuleWithMixedMetavarConcrete.java | 70 ++++++++++++++++++ .../RuleWithParamConcreteListString.java | 56 ++++++++++++++ .../example/RuleWithDeepNesting.yaml | 15 ++++ .../resources/example/RuleWithFqnTypeArg.yaml | 15 ++++ .../example/RuleWithMixedMetavarConcrete.yaml | 15 ++++ .../RuleWithParamConcreteListString.yaml | 15 ++++ .../opentaint/semgrep/TypeAwarePatternTest.kt | 23 +++++- 9 files changed, 335 insertions(+), 1 deletion(-) create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithDeepNesting.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithFqnTypeArg.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithMixedMetavarConcrete.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithParamConcreteListString.java create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithDeepNesting.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithFqnTypeArg.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithMixedMetavarConcrete.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithParamConcreteListString.yaml diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithDeepNesting.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithDeepNesting.java new file mode 100644 index 00000000..64530761 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithDeepNesting.java @@ -0,0 +1,73 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.List; + +/** + * A10. Deep nesting — {@code List>}. + * + * Rule return type {@code List> $METHOD(...)}. + * + * Expected behavior: + *
    + *
  • Positive: method returns {@code List>} — matches.
    • + *
  • Negative: method returns {@code List} — missing outer + * nesting; rule must NOT fire.
    • + *
  • Negative: method returns {@code List>} — inner type + * argument mismatch; rule must NOT fire.
    • + *
+ */ +@RuleSet("example/RuleWithDeepNesting.yaml") +public abstract class RuleWithDeepNesting implements RuleSample { + + void sink(String data) {} + + List> methodReturningListListString(String data) { + sink(data); + return null; + } + + List methodReturningListString(String data) { + sink(data); + return null; + } + + List> methodReturningListListInteger(String data) { + sink(data); + return null; + } + + final static class PositiveListListString extends RuleWithDeepNesting { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningListListString(data); + } + } + + /** + * Honest Negative: rule requires the outer nesting + * {@code List>}; {@code List} is missing the outer + * list. + */ + final static class NegativeFlatListString extends RuleWithDeepNesting { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningListString(data); + } + } + + /** + * Honest Negative: inner type arg is {@code Integer}, not the required + * {@code String}. + */ + final static class NegativeInnerTypeMismatch extends RuleWithDeepNesting { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningListListInteger(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithFqnTypeArg.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithFqnTypeArg.java new file mode 100644 index 00000000..24a0cc96 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithFqnTypeArg.java @@ -0,0 +1,54 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import org.springframework.http.ResponseEntity; + +/** + * A13. Fully-qualified type argument — {@code ResponseEntity}. + * + * Rule return type {@code ResponseEntity $METHOD(...)}. + * + * Expected behavior: + *
    + *
  • Positive: method returns {@code ResponseEntity} — matches + * (FQN vs simple name resolve to the same class).
    • + *
  • Negative: method returns {@code ResponseEntity} — type arg + * does not match; rule must NOT fire.
    • + *
+ */ +@RuleSet("example/RuleWithFqnTypeArg.yaml") +public abstract class RuleWithFqnTypeArg implements RuleSample { + + void sink(String data) {} + + ResponseEntity methodReturningResponseEntityString(String data) { + sink(data); + return null; + } + + ResponseEntity methodReturningResponseEntityInteger(String data) { + sink(data); + return null; + } + + final static class PositiveStringMatchesFqn extends RuleWithFqnTypeArg { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityString(data); + } + } + + /** + * Honest Negative: type arg {@code Integer} does not match the required + * {@code java.lang.String}. + */ + final static class NegativeIntegerTypeArg extends RuleWithFqnTypeArg { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningResponseEntityInteger(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithMixedMetavarConcrete.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithMixedMetavarConcrete.java new file mode 100644 index 00000000..681b0b62 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithMixedMetavarConcrete.java @@ -0,0 +1,70 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.Map; + +/** + * A8. Mixed metavar + concrete — {@code Map<$K, String>}. + * + * First slot is a metavariable {@code $K} (binds to any concrete type); + * second slot is the concrete type {@code String}. + * + * Expected behavior: + *
    + *
  • Positive: {@code Map} — {@code $K} binds to + * {@code Integer}; second slot is {@code String}.
    • + *
  • Positive: {@code Map} — {@code $K} binds to + * {@code String}; second slot is {@code String}.
    • + *
  • Negative: {@code Map} — second slot is not + * {@code String}, rule must NOT fire.
    • + *
+ */ +@RuleSet("example/RuleWithMixedMetavarConcrete.yaml") +public abstract class RuleWithMixedMetavarConcrete implements RuleSample { + + void sink(String data) {} + + void methodWithIntegerStringMap(Map m, String data) { + sink(data); + } + + void methodWithStringStringMap(Map m, String data) { + sink(data); + } + + void methodWithStringIntegerMap(Map m, String data) { + sink(data); + } + + final static class PositiveIntegerStringMap extends RuleWithMixedMetavarConcrete { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithIntegerStringMap(m, data); + } + } + + final static class PositiveStringStringMap extends RuleWithMixedMetavarConcrete { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithStringStringMap(m, data); + } + } + + /** + * Honest Negative: the second type argument is {@code Integer}, not the + * required concrete {@code String}; the rule must NOT fire. + */ + final static class NegativeSecondSlotNotString extends RuleWithMixedMetavarConcrete { + @Override + public void entrypoint() { + String data = "tainted"; + Map m = null; + methodWithStringIntegerMap(m, data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithParamConcreteListString.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithParamConcreteListString.java new file mode 100644 index 00000000..50481d49 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithParamConcreteListString.java @@ -0,0 +1,56 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.List; + +/** + * A12. Parameter-position concrete-vs-metavar discrimination. + * + * Rule: {@code $RET $METHOD(List $A, String $DATA) { ... sink($DATA); ... }} + * — the first parameter is the concrete type {@code List} (not a + * metavar). + * + * Expected behavior: + *
    + *
  • Positive: {@code void foo(List x, String data)} — matches.
    • + *
  • Negative: {@code void foo(List x, String data)} — first + * parameter type argument is {@code Integer}, not the required + * {@code String}; rule must NOT fire.
    • + *
+ */ +@RuleSet("example/RuleWithParamConcreteListString.yaml") +public abstract class RuleWithParamConcreteListString implements RuleSample { + + void sink(String data) {} + + void methodWithListString(List x, String data) { + sink(data); + } + + void methodWithListInteger(List x, String data) { + sink(data); + } + + final static class PositiveListString extends RuleWithParamConcreteListString { + @Override + public void entrypoint() { + String data = "tainted"; + List x = null; + methodWithListString(x, data); + } + } + + /** + * Honest Negative: first parameter type argument is {@code Integer}, not + * the required {@code String}. + */ + final static class NegativeListInteger extends RuleWithParamConcreteListString { + @Override + public void entrypoint() { + String data = "tainted"; + List x = null; + methodWithListInteger(x, data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithDeepNesting.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithDeepNesting.yaml new file mode 100644 index 00000000..bfb56e0e --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithDeepNesting.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithDeepNesting + languages: + - java + severity: ERROR + message: match example/RuleWithDeepNesting + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + List> $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithFqnTypeArg.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithFqnTypeArg.yaml new file mode 100644 index 00000000..616a099e --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithFqnTypeArg.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithFqnTypeArg + languages: + - java + severity: ERROR + message: match example/RuleWithFqnTypeArg + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + ResponseEntity $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithMixedMetavarConcrete.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithMixedMetavarConcrete.yaml new file mode 100644 index 00000000..1867ccd3 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithMixedMetavarConcrete.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithMixedMetavarConcrete + languages: + - java + severity: ERROR + message: match example/RuleWithMixedMetavarConcrete + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + $RET $METHOD(Map<$K, String> $M, ..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithParamConcreteListString.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithParamConcreteListString.yaml new file mode 100644 index 00000000..1f42e1c1 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithParamConcreteListString.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithParamConcreteListString + languages: + - java + severity: ERROR + message: match example/RuleWithParamConcreteListString + patterns: + - pattern: |- + ... + sink($DATA); + ... + - pattern-inside: |- + $RET $METHOD(List $A, String $DATA) { + ... + } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index 1989d040..b28458c2 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -1,7 +1,6 @@ package org.opentaint.semgrep import org.junit.jupiter.api.AfterAll -import org.junit.jupiter.api.Disabled import org.junit.jupiter.api.TestInstance import org.junit.jupiter.api.TestInstance.Lifecycle.PER_CLASS import org.opentaint.semgrep.util.SampleBasedTest @@ -53,6 +52,28 @@ class TypeAwarePatternTest : SampleBasedTest() { fun `A6 - raw ResponseEntity method-decl pattern matches raw and parameterized forms`() = runTest() + // A8. Mixed metavar + concrete: Map<$K, String> — $K is a metavar, second + // slot is concrete String. + @Test + fun `A8 - mixed metavar and concrete Map of K String`() = + runTest() + + // A10. Deep nesting: List> — Negatives are List + // (missing outer) and List> (inner mismatch). + @Test + fun `A10 - deep nesting List of List of String`() = runTest() + + // A12. Parameter-position concrete-vs-metavar discrimination: first + // parameter is concrete List, not a metavar. + @Test + fun `A12 - parameter position concrete List of String`() = + runTest() + + // A13. Fully-qualified type argument: ResponseEntity. + @Test + fun `A13 - fully-qualified type argument ResponseEntity of java lang String`() = + runTest() + @AfterAll fun close() { closeRunner() From 9c0a0514fb9a27ecd9303917acc3a38c4d3788a0 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Mon, 20 Apr 2026 17:38:58 +0200 Subject: [PATCH 22/31] test(engine): A15/A17/A19-A23 generic-function-definition gap tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add seven new cases to TypeAwarePatternTest to further saturate coverage of generic function-definition matching: - A15 List[] array of parameterized type (PASSES; array + inner-type arg discrimination works). - A17 String vs Integer concrete return discrimination (PASSES). - A19 List> nested generic in parameter position (PASSES; structural recursion works on parameter side as well as return side). - A20 Class<$T> reflection-style parameter with metavar type arg (PASSES). - A21 Collection vs List (PASSES after flipping the List sample from Positive to Negative — observed: the engine uses exact-type matching at method-decl return position, not subtype widening; List does NOT match a Collection pattern). - A22 Map> nested mixed containers (PASSES; all four structural-mismatch negatives stay silent). - A23 String[][] two-dim array return — dimension + element-type discrimination (PASSES). Additional engine gap exposed: - Subtype widening (A21) — the engine does exact-type matching; a Collection pattern does NOT match a List-returning method, in contrast to semgrep's widening semantics. Documented as a Negative. --- .../example/RuleWithArrayOfParameterized.java | 94 ++++++++++++++++++ .../java/example/RuleWithClassTypeParam.java | 66 +++++++++++++ .../example/RuleWithCollectionReturn.java | 65 +++++++++++++ .../RuleWithConcreteReturnDiscrim.java | 58 +++++++++++ .../example/RuleWithNestedMapListReturn.java | 95 +++++++++++++++++++ .../example/RuleWithNestedParamGeneric.java | 56 +++++++++++ .../example/RuleWithTwoDimArrayReturn.java | 89 +++++++++++++++++ .../example/RuleWithArrayOfParameterized.yaml | 15 +++ .../example/RuleWithClassTypeParam.yaml | 15 +++ .../example/RuleWithCollectionReturn.yaml | 15 +++ .../RuleWithConcreteReturnDiscrim.yaml | 15 +++ .../example/RuleWithNestedMapListReturn.yaml | 15 +++ .../example/RuleWithNestedParamGeneric.yaml | 15 +++ .../example/RuleWithTwoDimArrayReturn.yaml | 15 +++ .../opentaint/semgrep/TypeAwarePatternTest.kt | 41 ++++++++ 15 files changed, 669 insertions(+) create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayOfParameterized.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithClassTypeParam.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithCollectionReturn.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnDiscrim.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedMapListReturn.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedParamGeneric.java create mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoDimArrayReturn.java create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayOfParameterized.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithClassTypeParam.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithCollectionReturn.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnDiscrim.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedMapListReturn.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedParamGeneric.yaml create mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoDimArrayReturn.yaml diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayOfParameterized.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayOfParameterized.java new file mode 100644 index 00000000..0483fdd9 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayOfParameterized.java @@ -0,0 +1,94 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.List; + +/** + * A15. Array of parameterized type — {@code List[]}. + * + * Rule return type {@code List[] $METHOD(...)}. + * + * Expected behavior: + *
    + *
  • Positive: method returns {@code List[]}.
    • + *
  • Negative: method returns {@code List} — missing array + * dimension; rule must NOT fire.
    • + *
  • Negative: method returns {@code List[]} — inner type arg + * differs; rule must NOT fire.
    • + *
  • Negative: method returns {@code String[]} — wrong outer type.
    • + *
+ * + * {@code List[]} is a legal return-type declaration in Java; we use + * {@code @SuppressWarnings("unchecked")} to silence the generic-array + * creation warning on the negative helpers. + */ +@SuppressWarnings({"unchecked", "rawtypes"}) +@RuleSet("example/RuleWithArrayOfParameterized.yaml") +public abstract class RuleWithArrayOfParameterized implements RuleSample { + + void sink(String data) {} + + List[] methodReturningListStringArray(String data) { + sink(data); + return null; + } + + List methodReturningListString(String data) { + sink(data); + return null; + } + + List[] methodReturningListIntegerArray(String data) { + sink(data); + return null; + } + + String[] methodReturningStringArray(String data) { + sink(data); + return null; + } + + final static class PositiveListStringArray extends RuleWithArrayOfParameterized { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningListStringArray(data); + } + } + + /** + * Honest Negative: missing the outer array dimension — return is + * {@code List}, not {@code List[]}. + */ + final static class NegativeListStringNoArray extends RuleWithArrayOfParameterized { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningListString(data); + } + } + + /** + * Honest Negative: inner type argument is {@code Integer}, not the + * required {@code String}. + */ + final static class NegativeListIntegerArray extends RuleWithArrayOfParameterized { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningListIntegerArray(data); + } + } + + /** + * Honest Negative: outer type is {@code String[]}, not {@code List<...>[]}. + */ + final static class NegativeStringArray extends RuleWithArrayOfParameterized { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningStringArray(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithClassTypeParam.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithClassTypeParam.java new file mode 100644 index 00000000..d157b238 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithClassTypeParam.java @@ -0,0 +1,66 @@ +package example; + +import base.RuleSample; +import base.RuleSet; + +/** + * A20. {@code Class<$T>} parameter — reflection-style type token. + * + * Rule: {@code $RET $METHOD(Class<$T> $C, ..., String $A, ...)} — first + * parameter is {@code Class<...>} where {@code $T} metavar binds to any + * concrete type. + * + * Expected behavior: + *
    + *
  • Positive: method takes {@code Class, String} — matches.
    • + *
  • Positive: method takes {@code Class, String} — matches + * (metavar binds to any concrete type).
    • + *
  • Negative: method takes {@code String, String} — first parameter is + * not {@code Class<...>}; rule must NOT fire.
    • + *
+ */ +@RuleSet("example/RuleWithClassTypeParam.yaml") +public abstract class RuleWithClassTypeParam implements RuleSample { + + void sink(String data) {} + + void methodWithClassStringParam(Class c, String data) { + sink(data); + } + + void methodWithClassIntegerParam(Class c, String data) { + sink(data); + } + + void methodWithStringParam(String c, String data) { + sink(data); + } + + final static class PositiveClassString extends RuleWithClassTypeParam { + @Override + public void entrypoint() { + String data = "tainted"; + methodWithClassStringParam(String.class, data); + } + } + + final static class PositiveClassInteger extends RuleWithClassTypeParam { + @Override + public void entrypoint() { + String data = "tainted"; + methodWithClassIntegerParam(Integer.class, data); + } + } + + /** + * Honest Negative: first parameter is a plain {@code String}, not + * {@code Class<...>}; rule must NOT fire. + */ + final static class NegativeStringParam extends RuleWithClassTypeParam { + @Override + public void entrypoint() { + String data = "tainted"; + methodWithStringParam("x", data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithCollectionReturn.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithCollectionReturn.java new file mode 100644 index 00000000..c40ebf4b --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithCollectionReturn.java @@ -0,0 +1,65 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.Collection; +import java.util.List; + +/** + * A21. Interface vs class widening — {@code Collection} pattern vs + * {@code List} method. + * + * Rule return type {@code Collection $METHOD(...)}. + * + * Expected behavior: + *
    + *
  • Positive: method returns {@code Collection} — exact + * match.
    • + *
  • Negative (observed): method returns {@code List}. The + * opentaint engine uses exact-type matching at method-decl return + * position, not subtype widening — so a {@code List} return is + * NOT matched by a {@code Collection} pattern. Initial pin was + * Positive (hoping for semgrep-like subtype semantics); the test fired + * as a missed Positive and the sample was flipped to Negative to + * document the observed exact-type matching behavior.
    • + *
+ */ +@RuleSet("example/RuleWithCollectionReturn.yaml") +public abstract class RuleWithCollectionReturn implements RuleSample { + + void sink(String data) {} + + Collection methodReturningCollectionString(String data) { + sink(data); + return null; + } + + List methodReturningListString(String data) { + sink(data); + return null; + } + + final static class PositiveCollectionString extends RuleWithCollectionReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningCollectionString(data); + } + } + + /** + * Honest Negative (flipped from initial Positive pin after empirical + * observation): {@code List} is a declared subtype of + * {@code Collection}, but the opentaint engine matches only + * the exact declared class at the method-decl return position — it + * does NOT perform subtype widening. Therefore the rule does NOT fire + * and this is a true Negative. + */ + final static class NegativeListStringNotWidenedToCollection extends RuleWithCollectionReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningListString(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnDiscrim.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnDiscrim.java new file mode 100644 index 00000000..ad495078 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnDiscrim.java @@ -0,0 +1,58 @@ +package example; + +import base.RuleSample; +import base.RuleSet; + +/** + * A17. Concrete return type discriminates from a different type. + * + * Rule: {@code String $METHOD(String $A, String $DATA) { ... sink($DATA); ... }} + * — return type is the concrete type {@code String}. + * + * Expected behavior: + *
    + *
  • Positive: a method returning {@code String} — matches.
    • + *
  • Negative: a method returning {@code Integer} — rule must NOT fire, + * even though the parameter list matches.
    • + *
+ * + * This is the simplified (non-inheritance) formulation. A fuller test of + * inheritance substitution — where the return type of an overridden method + * of a parameterized base class surfaces as a concrete substituted type — + * would require dedicated design and is deferred. + */ +@RuleSet("example/RuleWithConcreteReturnDiscrim.yaml") +public abstract class RuleWithConcreteReturnDiscrim implements RuleSample { + + void sink(String data) {} + + String methodReturningString(String a, String data) { + sink(data); + return null; + } + + Integer methodReturningInteger(String a, String data) { + sink(data); + return null; + } + + final static class PositiveStringReturn extends RuleWithConcreteReturnDiscrim { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningString("x", data); + } + } + + /** + * Honest Negative: the return type is {@code Integer}, not the required + * concrete {@code String}; rule must NOT fire. + */ + final static class NegativeIntegerReturn extends RuleWithConcreteReturnDiscrim { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningInteger("x", data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedMapListReturn.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedMapListReturn.java new file mode 100644 index 00000000..3a43174a --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedMapListReturn.java @@ -0,0 +1,95 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.List; +import java.util.Map; +import java.util.Set; + +/** + * A22. Nested mixed containers — {@code Map>}. + * + * Rule return type {@code Map> $METHOD(...)}. + * + * Expected behavior: + *
    + *
  • Positive: method returns {@code Map>} — + * matches.
    • + *
  • Negative: method returns {@code Map>} — + * inner-inner type arg differs; rule must NOT fire.
    • + *
  • Negative: method returns {@code Map>} — + * outer key type differs; rule must NOT fire.
    • + *
  • Negative: method returns {@code Map>} — the + * middle container is {@code Set}, not {@code List}; rule must NOT + * fire.
    • + *
+ */ +@RuleSet("example/RuleWithNestedMapListReturn.yaml") +public abstract class RuleWithNestedMapListReturn implements RuleSample { + + void sink(String data) {} + + Map> methodReturningMapStringListInteger(String data) { + sink(data); + return null; + } + + Map> methodReturningMapStringListString(String data) { + sink(data); + return null; + } + + Map> methodReturningMapIntegerListInteger(String data) { + sink(data); + return null; + } + + Map> methodReturningMapStringSetInteger(String data) { + sink(data); + return null; + } + + final static class PositiveMapStringListInteger extends RuleWithNestedMapListReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningMapStringListInteger(data); + } + } + + /** + * Honest Negative: inner-inner type arg is {@code String}, not the + * required {@code Integer}. + */ + final static class NegativeInnerInnerMismatch extends RuleWithNestedMapListReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningMapStringListString(data); + } + } + + /** + * Honest Negative: outer key type is {@code Integer}, not the required + * {@code String}. + */ + final static class NegativeOuterKeyMismatch extends RuleWithNestedMapListReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningMapIntegerListInteger(data); + } + } + + /** + * Honest Negative: middle container is {@code Set}, not the required + * {@code List}. + */ + final static class NegativeMiddleContainerMismatch extends RuleWithNestedMapListReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningMapStringSetInteger(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedParamGeneric.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedParamGeneric.java new file mode 100644 index 00000000..03bd27a1 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithNestedParamGeneric.java @@ -0,0 +1,56 @@ +package example; + +import base.RuleSample; +import base.RuleSet; +import java.util.List; +import java.util.Map; + +/** + * A19. Nested generic in parameter — {@code List>}. + * + * Complement to A10 (nested generic in return position). The nested + * container appears in parameter position. + * + * Rule: {@code $RET $METHOD(List> $X, ..., String $A, ...)}. + * + * Expected behavior: + *
    + *
  • Positive: method takes {@code List>, String} + * — matches.
    • + *
  • Negative: method takes {@code List>, String} + * — the inner-inner type arg differs; rule must NOT fire.
    • + *
+ */ +@RuleSet("example/RuleWithNestedParamGeneric.yaml") +public abstract class RuleWithNestedParamGeneric implements RuleSample { + + void sink(String data) {} + + void methodWithListMapStringInteger(List> x, String data) { + sink(data); + } + + void methodWithListMapStringString(List> x, String data) { + sink(data); + } + + final static class PositiveListMapStringInteger extends RuleWithNestedParamGeneric { + @Override + public void entrypoint() { + String data = "tainted"; + methodWithListMapStringInteger(null, data); + } + } + + /** + * Honest Negative: inner-inner type argument is {@code String}, not the + * required {@code Integer}. + */ + final static class NegativeInnerInnerMismatch extends RuleWithNestedParamGeneric { + @Override + public void entrypoint() { + String data = "tainted"; + methodWithListMapStringString(null, data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoDimArrayReturn.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoDimArrayReturn.java new file mode 100644 index 00000000..0a000d8d --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithTwoDimArrayReturn.java @@ -0,0 +1,89 @@ +package example; + +import base.RuleSample; +import base.RuleSet; + +/** + * A23. Array dimension mismatch — {@code String[][]}. + * + * Rule return type {@code String[][] $METHOD(...)}. + * + * Expected behavior: + *
    + *
  • Positive: method returns {@code String[][]} — matches.
    • + *
  • Negative: method returns {@code String[]} — one fewer dimension; + * rule must NOT fire.
    • + *
  • Negative: method returns {@code String[][][]} — one extra + * dimension; rule must NOT fire.
    • + *
  • Negative: method returns {@code Integer[][]} — wrong element type; + * rule must NOT fire.
    • + *
+ */ +@RuleSet("example/RuleWithTwoDimArrayReturn.yaml") +public abstract class RuleWithTwoDimArrayReturn implements RuleSample { + + void sink(String data) {} + + String[][] methodReturningStringTwoDim(String data) { + sink(data); + return null; + } + + String[] methodReturningStringOneDim(String data) { + sink(data); + return null; + } + + String[][][] methodReturningStringThreeDim(String data) { + sink(data); + return null; + } + + Integer[][] methodReturningIntegerTwoDim(String data) { + sink(data); + return null; + } + + final static class PositiveStringTwoDim extends RuleWithTwoDimArrayReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningStringTwoDim(data); + } + } + + /** + * Honest Negative: return type has one fewer dimension than required. + */ + final static class NegativeStringOneDim extends RuleWithTwoDimArrayReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningStringOneDim(data); + } + } + + /** + * Honest Negative: return type has one extra dimension beyond + * required. + */ + final static class NegativeStringThreeDim extends RuleWithTwoDimArrayReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningStringThreeDim(data); + } + } + + /** + * Honest Negative: element type is {@code Integer}, not the required + * {@code String}. + */ + final static class NegativeIntegerTwoDim extends RuleWithTwoDimArrayReturn { + @Override + public void entrypoint() { + String data = "tainted"; + methodReturningIntegerTwoDim(data); + } + } +} diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayOfParameterized.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayOfParameterized.yaml new file mode 100644 index 00000000..bf324475 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayOfParameterized.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithArrayOfParameterized + languages: + - java + severity: ERROR + message: match example/RuleWithArrayOfParameterized + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + List[] $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithClassTypeParam.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithClassTypeParam.yaml new file mode 100644 index 00000000..f44e683c --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithClassTypeParam.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithClassTypeParam + languages: + - java + severity: ERROR + message: match example/RuleWithClassTypeParam + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + $RET $METHOD(Class<$T> $C, ..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithCollectionReturn.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithCollectionReturn.yaml new file mode 100644 index 00000000..0a2860c5 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithCollectionReturn.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithCollectionReturn + languages: + - java + severity: ERROR + message: match example/RuleWithCollectionReturn + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + Collection $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnDiscrim.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnDiscrim.yaml new file mode 100644 index 00000000..c64a0787 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnDiscrim.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithConcreteReturnDiscrim + languages: + - java + severity: ERROR + message: match example/RuleWithConcreteReturnDiscrim + patterns: + - pattern: |- + ... + sink($DATA); + ... + - pattern-inside: |- + String $METHOD(String $A, String $DATA) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedMapListReturn.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedMapListReturn.yaml new file mode 100644 index 00000000..89bf44f4 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedMapListReturn.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithNestedMapListReturn + languages: + - java + severity: ERROR + message: match example/RuleWithNestedMapListReturn + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + Map> $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedParamGeneric.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedParamGeneric.yaml new file mode 100644 index 00000000..b425dd69 --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithNestedParamGeneric.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithNestedParamGeneric + languages: + - java + severity: ERROR + message: match example/RuleWithNestedParamGeneric + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + $RET $METHOD(List> $X, ..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoDimArrayReturn.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoDimArrayReturn.yaml new file mode 100644 index 00000000..594a1b9f --- /dev/null +++ b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithTwoDimArrayReturn.yaml @@ -0,0 +1,15 @@ +rules: + - id: example-RuleWithTwoDimArrayReturn + languages: + - java + severity: ERROR + message: match example/RuleWithTwoDimArrayReturn + patterns: + - pattern: |- + ... + sink($A); + ... + - pattern-inside: |- + String[][] $METHOD(..., String $A, ...) { + ... + } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index b28458c2..89fa8386 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -74,6 +74,47 @@ class TypeAwarePatternTest : SampleBasedTest() { fun `A13 - fully-qualified type argument ResponseEntity of java lang String`() = runTest() + // A15. Array of parameterized type: List[] return. + @Test + fun `A15 - array of parameterized type List of String array`() = + runTest() + + // A17. Concrete return type discriminates a different concrete return. + // Rule return is String; Negative method returns Integer. + @Test + fun `A17 - concrete return String discriminates from Integer`() = + runTest() + + // A19. Nested generic in parameter position: + // List> — complement to A10 (nested generic in + // return position). + @Test + fun `A19 - nested generic in parameter List of Map of String Integer`() = + runTest() + + // A20. Class<$T> reflection-style parameter. + @Test + fun `A20 - Class of T parameter`() = runTest() + + // A21. Interface vs class widening: Collection pattern vs + // List method. Observed behavior: engine uses exact-type + // matching at the method-decl return position — no subtype widening. + // The List sample was flipped from Positive to Negative to + // match the engine's actual semantics. + @Test + fun `A21 - Collection of String return exact type match no subtype widening`() = + runTest() + + // A22. Nested mixed containers: Map>. + @Test + fun `A22 - nested mixed containers Map of String List of Integer`() = + runTest() + + // A23. Array dimension mismatch: String[][] return. + @Test + fun `A23 - array dimension mismatch String two dim`() = + runTest() + @AfterAll fun close() { closeRunner() From 6a3eb3796ad73cc6213aa521a0bb35af666def2c Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Tue, 21 Apr 2026 14:30:27 +0200 Subject: [PATCH 23/31] refactor: consolidate type-matching logic into shared DSL primitive MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two parallel implementations of SerializedTypeNameMatcher.matchType had grown up across modules: - TaintConfiguration (opentaint-jvm-sast-dataflow): strict matcher with isRawLike() check for raw-vs-parameterized discrimination, uses PatternManager-cached name matching. - JIRBasicAtomEvaluator (opentaint-jvm-dataflow): nested-only matcher with stateless Regex name matching. Moved the recursion structure to configuration-rules-jvm (next to SerializedTypeNameMatcher itself) as a single matchType(JIRType, erasedMatch) extension. Each caller plugs in its own erased-name matcher, so the PatternManager cache is preserved in the hot path while the evaluator keeps its stateless Regex path. Other cleanups in the same pass: - Collapsed 4 repeated `if (typedType != null) matchType else match` branches in matchFunctionSignature into a matchTypedOrErased helper. - Extracted resolveTypedPositionType to flatten the nested if/when/continue block in resolveIsType. - Added kdoc on JIRMarkAwareConditionRewriter.typedMethod explaining that null silently disables generic-type-argument matching. - Narrowed and documented the bare catch in resolveGenericType. - Dropped WHAT-style comments left by the original type-matching implementation. Net: -119 / +51 lines across the three consumer files, +61 lines in one shared file. Behavior unchanged — TypeAwarePatternTest results are identical pre- and post-refactor. --- .../jvm/SerializedTypeMatching.kt | 61 ++++++++ .../ap/ifds/JIRMarkAwareConditionRewriter.kt | 7 + .../ap/ifds/taint/JIRBasicAtomEvaluator.kt | 20 +-- .../sast/dataflow/rules/TaintConfiguration.kt | 143 +++++------------- 4 files changed, 112 insertions(+), 119 deletions(-) create mode 100644 core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt new file mode 100644 index 00000000..aa65c4ea --- /dev/null +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt @@ -0,0 +1,61 @@ +package org.opentaint.dataflow.configuration.jvm + +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher +import org.opentaint.ir.api.jvm.JIRArrayType +import org.opentaint.ir.api.jvm.JIRClassType +import org.opentaint.ir.api.jvm.JIRType +import org.opentaint.ir.api.jvm.JIRTypeVariable +import org.opentaint.ir.api.jvm.JIRUnboundWildcard + +/** + * A class type is "raw-like" when no concrete substitution has been applied to + * its type arguments — either the list is empty, or every argument is still a + * declared type variable / unbound wildcard. Matches a no-type-arg rule pattern. + */ +fun JIRClassType.isRawLike(): Boolean { + if (typeArguments.isEmpty()) return true + return typeArguments.all { it is JIRTypeVariable || it is JIRUnboundWildcard } +} + +/** + * Structural match of a serialized type-name matcher against a resolved + * [JIRType], including recursion into generic type arguments. + * + * Erased-name matching is delegated to [erasedMatch] so each caller can plug in + * its own name-matching primitive (e.g. a `PatternManager`-cached matcher vs. + * a plain `Regex`). The matcher receiver on [erasedMatch] is the sub-pattern + * being tested, not the root `this`. + */ +fun SerializedTypeNameMatcher.matchType( + type: JIRType, + erasedMatch: SerializedTypeNameMatcher.(String) -> Boolean, +): Boolean = when { + this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() && type is JIRClassType -> + erasedMatch(type.erasedName()) && type.isRawLike() + + this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() -> + erasedMatch(type.erasedName()) + + this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType -> + erasedMatch(type.erasedName()) && + typeArgs.size == type.typeArguments.size && + typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a, erasedMatch) } + + this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> + element.matchType(type.elementType, erasedMatch) + + else -> erasedMatch(type.erasedName()) +} + +/** + * Erased class name for matching — drops any generic decoration that + * [JIRType.typeName] may carry (e.g. `Map` → `java.util.Map`). + */ +private fun JIRType.erasedName(): String = when (this) { + is JIRClassType -> jIRClass.name + is JIRArrayType -> { + val el = elementType + if (el is JIRClassType) el.jIRClass.name + "[]" else typeName + } + else -> typeName +} diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt index c89dbfed..96ae5d7d 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt @@ -13,6 +13,13 @@ import org.opentaint.dataflow.jvm.ap.ifds.taint.JIRBasicAtomEvaluator import org.opentaint.ir.api.common.cfg.CommonInst import org.opentaint.ir.api.jvm.JIRTypedMethod +/** + * [typedMethod] enables generic-type-argument matching in `TypeMatchesPattern` + * atoms (see [JIRBasicAtomEvaluator.resolveGenericType]). When null, matching + * falls back to erased-name comparison — type-arg predicates in the rule will + * silently pass regardless of the runtime parameterization. Pass the typed + * view of the analyzed method whenever available. + */ class JIRMarkAwareConditionRewriter( positionResolver: PositionResolver, factTypeChecker: JIRFactTypeChecker, diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt index b4104128..afa3cf5c 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt @@ -29,11 +29,11 @@ import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasAllocInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasApInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasInfo +import org.opentaint.dataflow.configuration.jvm.matchType import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.ir.api.common.cfg.CommonInst import org.opentaint.ir.api.common.cfg.CommonValue -import org.opentaint.ir.api.jvm.JIRArrayType import org.opentaint.ir.api.jvm.JIRClassType import org.opentaint.ir.api.jvm.JIRRefType import org.opentaint.ir.api.jvm.JIRType @@ -356,16 +356,14 @@ class JIRBasicAtomEvaluator( } } - // Generic type args check if (condition.typeArgs.isNotEmpty()) { val genericType = resolveGenericType(value) if (genericType is JIRClassType) { if (genericType.typeArguments.size != condition.typeArgs.size) return false return condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> - matcher.matchType(arg) + matcher.matchType(arg) { name -> matchErasedName(name) } } } - // Can't resolve generics — erased match already passed above return true } @@ -379,6 +377,9 @@ class JIRBasicAtomEvaluator( val localVarNode = method.withAsmNode { methodNode -> methodNode.localVariables?.find { lvn -> lvn.index == localVar.index } } ?: return null + // typedMethod.typeOf can throw on unresolved references / malformed + // debug info; skip generic-aware matching rather than aborting the + // atom evaluation. return try { typedMethod.typeOf(localVarNode) } catch (_: Exception) { @@ -386,17 +387,6 @@ class JIRBasicAtomEvaluator( } } - private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { - this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() -> matchErasedName(type.typeName) - this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType -> { - matchErasedName(type.typeName) && - typeArgs.size == type.typeArguments.size && - typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a) } - } - this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) - else -> matchErasedName(type.typeName) - } - private fun SerializedTypeNameMatcher.matchErasedName(name: String): Boolean = when (this) { is SerializedSimpleNameMatcher.Simple -> value == name || name.endsWith(".$value") is SerializedSimpleNameMatcher.Pattern -> Regex(pattern).containsMatchIn(name) diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index 37f7599c..09f623e1 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -72,15 +72,13 @@ import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMat import org.opentaint.dataflow.configuration.jvm.serialized.SinkMetaData import org.opentaint.dataflow.configuration.jvm.serialized.SinkRule import org.opentaint.dataflow.configuration.jvm.serialized.SourceRule +import org.opentaint.dataflow.configuration.jvm.matchType import org.opentaint.dataflow.configuration.jvm.simplify import org.opentaint.dataflow.jvm.util.JIRHierarchyInfo import org.opentaint.ir.api.jvm.JIRAnnotated import org.opentaint.ir.api.jvm.JIRAnnotation -import org.opentaint.ir.api.jvm.JIRArrayType import org.opentaint.ir.api.jvm.JIRClasspath import org.opentaint.ir.api.jvm.JIRClassType -import org.opentaint.ir.api.jvm.JIRTypeVariable -import org.opentaint.ir.api.jvm.JIRUnboundWildcard import org.opentaint.ir.api.jvm.JIRTypedMethod import org.opentaint.ir.api.jvm.JIRField import org.opentaint.ir.api.jvm.JIRMethod @@ -262,54 +260,8 @@ class TaintConfiguration(private val cp: JIRClasspath) { } } - /** - * True when [this] is a raw type or structurally equivalent: either it - * has no type arguments at all, or its type arguments are entirely the - * class's own declared type variables / unbound wildcards (i.e. - * `ResponseEntity` resolved against declared `ResponseEntity` ends up - * with typeArguments = [T] — still raw-like, no concrete substitution). - */ - private fun JIRClassType.isRawLike(): Boolean { - if (typeArguments.isEmpty()) return true - return typeArguments.all { it is JIRTypeVariable || it is JIRUnboundWildcard } - } - - private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean { - // Use erased class name for matching (typeName may include generic params like "Map") - val erasedName = when (type) { - is JIRClassType -> type.jIRClass.name - is JIRArrayType -> type.elementType.let { el -> - if (el is JIRClassType) el.jIRClass.name + "[]" else type.typeName - } - else -> type.typeName - } - - return when { - // No type args on matcher + parameterized class type → rule wants a - // raw form, method returns a parameterized form → don't match. - // When the matched class is not generic (String, Integer, etc.) its - // typeArguments is empty anyway and this still matches. - this is ClassPattern && typeArgs.isEmpty() && type is JIRClassType -> - match(erasedName) && type.isRawLike() - - // No type args on matcher + non-class type → erased matching - // (array / primitive / unresolved). - this is ClassPattern && typeArgs.isEmpty() -> match(erasedName) - - // Has type args → structural comparison against JIRClassType - this is ClassPattern && type is JIRClassType -> { - match(erasedName) && - typeArgs.size == type.typeArguments.size && - typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } - } - - // Array matching - this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) - - // Default: erased matching - else -> match(erasedName) - } - } + private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = + matchType(type) { name -> match(name) } private fun SerializedSimpleNameMatcher.match(name: String): Boolean = when (this) { is Simple -> if (value == "*") true else value == name @@ -333,54 +285,39 @@ class TaintConfiguration(private val cp: JIRClasspath) { } } + // When a typed view of the method is available, matchType() sees generic + // type arguments on the return type and parameters; otherwise we fall back + // to erased-name matching, which ignores type-arg specificity in the rule. + private fun SerializedTypeNameMatcher.matchTypedOrErased(typed: JIRType?, erased: String): Boolean = + if (typed != null) matchType(typed) else match(erased) + private fun SerializedSignatureMatcher.matchFunctionSignature(method: JIRMethod): Boolean { - // Resolve a typed view of the method so generic type arguments on the - // return type and parameters are visible to matchType() — without this - // the matcher falls back to erased-name matching which ignores any - // concrete type-argument specificity expressed in the rule pattern. val typedMethod = resolveTypedMethod(method) + fun paramTypes(idx: Int): Pair = + typedMethod?.parameters?.getOrNull(idx)?.type to method.parameters[idx].type.typeName + val (retTyped, retErased) = typedMethod?.returnType to method.returnType.typeName + when (this) { is SerializedSignatureMatcher.Simple -> { if (method.parameters.size != args.size) return false + if (!`return`.matchTypedOrErased(retTyped, retErased)) return false - val methodReturnType = typedMethod?.returnType - if (methodReturnType != null) { - if (!`return`.matchType(methodReturnType)) return false - } else { - if (!`return`.match(method.returnType.typeName)) return false - } - - return args.zip(method.parameters).withIndex().all { (idx, pair) -> - val (matcher, param) = pair - val typedParamType = typedMethod?.parameters?.getOrNull(idx)?.type - if (typedParamType != null) matcher.matchType(typedParamType) - else matcher.match(param.type.typeName) + return args.withIndex().all { (idx, matcher) -> + val (typed, erased) = paramTypes(idx) + matcher.matchTypedOrErased(typed, erased) } } is SerializedSignatureMatcher.Partial -> { val ret = `return` - if (ret != null) { - val methodReturnType = typedMethod?.returnType - val returnMatches = if (methodReturnType != null) { - ret.matchType(methodReturnType) - } else { - ret.match(method.returnType.typeName) - } - if (!returnMatches) return false - } - - val params = params - if (params != null) { - for (param in params) { - val methodParam = method.parameters.getOrNull(param.index) ?: return false - val typedParamType = typedMethod?.parameters?.getOrNull(param.index)?.type - val paramMatches = if (typedParamType != null) { - param.type.matchType(typedParamType) - } else { - param.type.match(methodParam.type.typeName) - } - if (!paramMatches) return false + if (ret != null && !ret.matchTypedOrErased(retTyped, retErased)) return false + + val paramList = params + if (paramList != null) { + for (param in paramList) { + if (method.parameters.getOrNull(param.index) == null) return false + val (typed, erased) = paramTypes(param.index) + if (!param.type.matchTypedOrErased(typed, erased)) return false } } @@ -773,23 +710,12 @@ class TaintConfiguration(private val cp: JIRClasspath) { if (normalizedTypeIs.match(posTypeName)) { if (!hasTypeArgs) return mkTrue() - // Has type args: try eager generic check for Argument/Result positions - if (pos is Argument || pos is Result) { - val typedMethod = resolveTypedMethod(method) - if (typedMethod != null) { - val typedType = when (pos) { - is Argument -> typedMethod.parameters.getOrNull(pos.index)?.type - Result -> typedMethod.returnType - else -> null - } - if (typedType != null) { - if (normalizedTypeIs.matchType(typedType)) return mkTrue() - falsePositions.add(pos) - continue - } - } + val typedType = resolveTypedPositionType(method, pos) + if (typedType != null) { + if (normalizedTypeIs.matchType(typedType)) return mkTrue() + falsePositions.add(pos) } - // For This or when typed method unavailable: defer to evaluator + // Unresolved: defer generic-arg matching to the runtime evaluator. continue } @@ -821,6 +747,15 @@ class TaintConfiguration(private val cp: JIRClasspath) { return classType.declaredMethods.find { it.method == method } } + private fun resolveTypedPositionType(method: JIRMethod, pos: Position): JIRType? { + val typed = resolveTypedMethod(method) ?: return null + return when (pos) { + is Argument -> typed.parameters.getOrNull(pos.index)?.type + Result -> typed.returnType + else -> null + } + } + private fun SerializedTaintAssignAction.resolveWithArray(method: JIRMethod, ctx: AnyArgSpecializationCtx): List = pos.resolvePositionWithAnnotationConstraint(method, ctx, annotatedWith?.asAnnotationConstraint()) .flatMap { it.resolveArrayPosition(method) } From cea24399cbf8f6478cf8db16aa289a13ea493ab2 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Tue, 21 Apr 2026 16:45:06 +0200 Subject: [PATCH 24/31] fix: reject concrete type args against wildcard pattern MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A pattern like `ResponseEntity` previously matched concrete parameterizations such as `ResponseEntity` because wildcards were lowered to an unconstrained "any class" matcher at the type-argument slot. Introduce a dedicated wildcard representation — `TypeNamePattern.WildcardType` in the query language and `SerializedTypeNameMatcher.Wildcard` in the serialized matcher — so a wildcard slot in the pattern matches only a `JIRUnboundWildcard` at the same slot in code. --- .../configuration/jvm/SerializedTypeMatching.kt | 2 ++ .../jvm/serialized/SerializedNameMatcher.kt | 8 ++++++++ .../jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt | 3 +++ .../java/example/RuleWithWildcardGeneric.java | 7 +++---- .../semgrep/pattern/conversion/ParamCondition.kt | 10 ++++++++++ .../conversion/PatternToActionListConverter.kt | 2 +- .../taint/AutomataToTaintRuleConversion.kt | 8 ++++++++ .../conversion/taint/MethodFormulaSimplifier.kt | 16 ++++++++++++---- .../conversion/taint/TaintAutomataGeneration.kt | 3 ++- .../conversion/taint/TaintEdgesGeneration.kt | 1 + .../opentaint/semgrep/TypeAwarePatternTest.kt | 4 ++-- .../jvm/sast/dataflow/rules/ClassNameUtils.kt | 1 + .../sast/dataflow/rules/TaintConfiguration.kt | 4 ++++ .../sast/dataflow/rules/TypeMatcherCondition.kt | 4 ++++ 14 files changed, 61 insertions(+), 12 deletions(-) diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt index aa65c4ea..b689fc55 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt @@ -30,6 +30,8 @@ fun SerializedTypeNameMatcher.matchType( type: JIRType, erasedMatch: SerializedTypeNameMatcher.(String) -> Boolean, ): Boolean = when { + this is SerializedTypeNameMatcher.Wildcard -> type is JIRUnboundWildcard + this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() && type is JIRClassType -> erasedMatch(type.erasedName()) && type.isRawLike() diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt index b2ae7dcf..a13df534 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt @@ -24,6 +24,14 @@ sealed interface SerializedTypeNameMatcher { @Serializable data class Array(val element: SerializedTypeNameMatcher) : SerializedTypeNameMatcher + + /** + * Matches only an unbounded Java wildcard (`?`) at a type-argument slot. + * Distinct from an "any" [ClassPattern] so a pattern like `Foo` does not + * match a concrete parameterization like `Foo`. + */ + @Serializable + data object Wildcard : SerializedTypeNameMatcher } @Serializable(with = SimpleNameMatcherSerializer::class) diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt index afa3cf5c..7e33872c 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt @@ -400,6 +400,9 @@ class JIRBasicAtomEvaluator( val nameWithout = name.removeSuffix("[]") name != nameWithout && element.matchErasedName(nameWithout) } + // A wildcard matcher is only meaningful at a type-argument slot; it has + // no erased-name projection to compare against a string. + is SerializedTypeNameMatcher.Wildcard -> false } private fun ConditionNameMatcher.match(name: String): Boolean = when (this) { diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java index 1eeb9606..b265d13c 100644 --- a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java @@ -32,11 +32,10 @@ public void entrypoint() { } /** - * ResponseEntity<String> is a concrete parameterized form. In many - * semgrep engines a wildcard is considered to match any concrete - * type; keeping this as a Positive documents current engine behavior. + * ResponseEntity<String> is a concrete parameterized form and must not + * match a wildcard <?> type argument in the rule pattern. */ - final static class PositiveConcreteAlsoMatches extends RuleWithWildcardGeneric { + final static class NegativeConcreteDoesNotMatch extends RuleWithWildcardGeneric { @Override public void entrypoint() { String data = "tainted"; diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt index a3b1409e..b3ab70d0 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt @@ -30,6 +30,16 @@ sealed interface TypeNamePattern { override fun toString(): String = "*" } + /** + * Java unbounded wildcard `?` as a type argument. Unlike [AnyType], which + * is an unconstrained matcher that subsumes any type, [WildcardType] only + * matches an unbounded wildcard at the corresponding type-argument slot. + */ + @Serializable + data object WildcardType : TypeNamePattern { + override fun toString(): String = "?" + } + @Serializable data class ArrayType(val element: TypeNamePattern) : TypeNamePattern { override fun toString(): String = "${element}[]" diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt index 6b9d413f..906e9287 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt @@ -219,7 +219,7 @@ class PatternToActionListConverter: ActionListBuilder { val elementTypePattern = transformTypeName(typeName.elementType) TypeNamePattern.ArrayType(elementTypePattern) } - is TypeName.WildcardTypeName -> TypeNamePattern.AnyType + is TypeName.WildcardTypeName -> TypeNamePattern.WildcardType } private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt index 6ebddb76..21b78b44 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt @@ -628,6 +628,10 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature( is Pattern -> { TODO("Signature class name pattern") } + + is SerializedTypeNameMatcher.Wildcard -> { + TODO("Signature class is a wildcard") + } } builders.mapTo(buildersWithClass) { builder -> @@ -899,6 +903,10 @@ private fun TaintRuleGenerationCtx.typeMatcher( is TypeNamePattern.AnyType -> null + is TypeNamePattern.WildcardType -> MetaVarConstraintFormula.Constraint( + SerializedTypeNameMatcher.Wildcard + ) + is TypeNamePattern.MetaVar -> { val constraints = metaVarInfo.constraints[typeName.metaVar] val constraint = when (constraints) { diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt index a28c596b..72da09c0 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt @@ -794,13 +794,18 @@ private fun unifyTypeName( when (left) { TypeNamePattern.AnyType -> return right + // WildcardType only unifies with itself (already handled by the + // `left == right` short-circuit above). Anything else is incompatible. + TypeNamePattern.WildcardType -> return null + is TypeNamePattern.PrimitiveName -> return null is TypeNamePattern.ClassName -> when (right) { TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName -> return null + is TypeNamePattern.PrimitiveName, + TypeNamePattern.WildcardType -> return null is TypeNamePattern.ClassName -> { if (left.name != right.name) return null @@ -826,7 +831,8 @@ private fun unifyTypeName( TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName -> return null + is TypeNamePattern.PrimitiveName, + TypeNamePattern.WildcardType -> return null is TypeNamePattern.ClassName -> { if (left.name.endsWith(right.name)) { @@ -853,7 +859,8 @@ private fun unifyTypeName( TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName -> return null + is TypeNamePattern.PrimitiveName, + TypeNamePattern.WildcardType -> return null is TypeNamePattern.ClassName -> { if (!stringMatches(right.name, metaVarInfo.metaVarConstraints[left.metaVar])) return null @@ -885,7 +892,8 @@ private fun unifyTypeName( is TypeNamePattern.ClassName, is TypeNamePattern.FullyQualified, is TypeNamePattern.MetaVar, - is TypeNamePattern.PrimitiveName -> return null + is TypeNamePattern.PrimitiveName, + TypeNamePattern.WildcardType -> return null } } } diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt index ccef13fe..cd2d2447 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt @@ -995,7 +995,8 @@ private fun EdgeCondition.isDummyCondition(metaVarInfo: ResolvedMetaVarInfo): Bo is TypeNamePattern.ArrayType, is TypeNamePattern.ClassName, is TypeNamePattern.FullyQualified, - is TypeNamePattern.PrimitiveName -> return false + is TypeNamePattern.PrimitiveName, + TypeNamePattern.WildcardType -> return false } } diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt index b71c42fa..a613101a 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt @@ -363,6 +363,7 @@ private fun MetaVarCtx.typeNameMetaVars(typeName: TypeNamePattern, metaVars: Bit } TypeNamePattern.AnyType, + TypeNamePattern.WildcardType, is TypeNamePattern.PrimitiveName -> { // no metavars } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index 89fa8386..04fbe20c 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -40,8 +40,8 @@ class TypeAwarePatternTest : SampleBasedTest() { @Test fun `A4 - two-arg generic Map of K V in parameter`() = runTest() - // A5. Wildcard type argument: ResponseEntity. Documents current engine - // behavior; both concrete and wildcard-typed methods match today. + // A5. Wildcard type argument: ResponseEntity. A concrete type argument + // (ResponseEntity) must not match a wildcard pattern. @Test fun `A5 - wildcard type argument ResponseEntity of question mark`() = runTest() diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt index f80a2522..2b7f9d44 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt @@ -16,6 +16,7 @@ fun SerializedTypeNameMatcher.normalizeAnyName(): SerializedTypeNameMatcher = wh is SerializedSimpleNameMatcher -> normalizeAnyName() is ClassPattern -> ClassPattern(`package`.normalizeAnyName(), `class`.normalizeAnyName(), typeArgs.map { it.normalizeAnyName() }) is SerializedTypeNameMatcher.Array -> SerializedTypeNameMatcher.Array(element.normalizeAnyName()) + is SerializedTypeNameMatcher.Wildcard -> this } fun SerializedSimpleNameMatcher.normalizeAnyName(): SerializedSimpleNameMatcher = when (this) { diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index 09f623e1..f04c9dcc 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -258,6 +258,10 @@ class TaintConfiguration(private val cp: JIRClasspath) { val nameWithoutArrayModifier = name.removeSuffix("[]") name != nameWithoutArrayModifier && element.matchNormalizedTypeName(nameWithoutArrayModifier) } + + // A wildcard matcher is only meaningful at a type-argument position + // and is never compared against a class-name string. + is SerializedTypeNameMatcher.Wildcard -> false } private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt index 03782e6c..eb73c156 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt @@ -37,6 +37,10 @@ fun SerializedTypeNameMatcher.toConditionNameMatcher(patternManager: PatternMana is SerializedTypeNameMatcher.Array -> { element.toConditionNameMatcher(patternManager)?.addSuffix("[]", patternManager) } + + // A wildcard matcher has no erased-name projection; there is no + // meaningful class-name `ConditionNameMatcher` to produce. + is SerializedTypeNameMatcher.Wildcard -> null } } From a420e9d60de4c4e30ef9e95cc595bc2c7e0eba5f Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Tue, 21 Apr 2026 16:58:43 +0200 Subject: [PATCH 25/31] fix: use declared erasure for type variables and wildcards Pass-through rules like `java.util.List#get` returning `java.lang.Object` were no longer matching since typed method resolution via `cp.typeOf(method.enclosingClass)` surfaces declared return/parameter types as `JIRTypeVariable` (e.g. `E`) rather than the erased class. `erasedName()` fell through to `typeName`, producing the type-variable symbol `"E"` instead of `"java.lang.Object"`, so every string-based matcher missed. Map type variables and unbound wildcards to their declared erasure via `jIRClass.name`, and extend the same lookup to array element types. --- .../configuration/jvm/SerializedTypeMatching.kt | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt index b689fc55..997d7883 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt @@ -51,13 +51,24 @@ fun SerializedTypeNameMatcher.matchType( /** * Erased class name for matching — drops any generic decoration that - * [JIRType.typeName] may carry (e.g. `Map` → `java.util.Map`). + * [JIRType.typeName] may carry (e.g. `Map` → `java.util.Map`) + * and reduces a type variable / unbound wildcard to its declared erasure + * (e.g. `E` → `java.lang.Object`) so string-based matchers can match against + * pass-through rules whose return/parameter types show up as type variables + * when resolved via the declaring class (e.g. `List.get` returns `E`). */ private fun JIRType.erasedName(): String = when (this) { is JIRClassType -> jIRClass.name + is JIRTypeVariable -> jIRClass.name + is JIRUnboundWildcard -> jIRClass.name is JIRArrayType -> { val el = elementType - if (el is JIRClassType) el.jIRClass.name + "[]" else typeName + when (el) { + is JIRClassType -> el.jIRClass.name + "[]" + is JIRTypeVariable -> el.jIRClass.name + "[]" + is JIRUnboundWildcard -> el.jIRClass.name + "[]" + else -> typeName + } } else -> typeName } From fa76ba5c933c93e313bc8fedf988fe83d8540974 Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Tue, 21 Apr 2026 14:57:09 +0200 Subject: [PATCH 26/31] docs: Clean --- ...04-11-source-matching-enrichment-design.md | 289 ---- .../2026-04-11-symbolic-sequence-alignment.md | 224 --- ...4-12-type-aware-pattern-matching-design.md | 352 ----- .../2026-04-12-type-aware-pattern-matching.md | 1250 ----------------- 4 files changed, 2115 deletions(-) delete mode 100644 docs/specs/2026-04-11-source-matching-enrichment-design.md delete mode 100644 docs/specs/2026-04-11-symbolic-sequence-alignment.md delete mode 100644 docs/specs/2026-04-12-type-aware-pattern-matching-design.md delete mode 100644 docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md diff --git a/docs/specs/2026-04-11-source-matching-enrichment-design.md b/docs/specs/2026-04-11-source-matching-enrichment-design.md deleted file mode 100644 index d71fb9dd..00000000 --- a/docs/specs/2026-04-11-source-matching-enrichment-design.md +++ /dev/null @@ -1,289 +0,0 @@ -# Source-Matching Enrichment for Semgrep Pattern Language Support - -**Date:** 2026-04-11 -**Status:** Draft -**Branch:** misonijnik/source-matching - -## Problem Statement - -OpenTaint translates Semgrep pattern-rules (source-level patterns) into taint configs (bytecode-level configurations). There is a gap in three areas of the Semgrep pattern language for Java: - -1. **Type arguments/generics** — Currently ignored (`TypeArgumentsIgnored`). Pattern `Map` becomes just `Map`. -2. **Array return types** — Not supported in method declarations (`MethodDeclarationReturnTypeIsArray`). The return type constraint is skipped. -3. **Concrete return types** — Only metavariable return types supported (`MethodDeclarationReturnTypeIsNotMetaVar`). Pattern `String foo(...)` can't constrain on the `String` return type. - -The root cause: JVM bytecode uses type erasure — `Map` and `Map` are both `java.util.Map` in bytecode descriptors. The existing pipeline tries to translate source-level patterns directly to bytecode-level matchers, losing generic type information in the process. - -## Proposed Solution: Source Pre-Resolution Enrichment - -Instead of trying to match generics at the bytecode level, use the project's source code (which has full generic information) to pre-resolve patterns and generate precise bytecode-level taint rules. - -### Key Insight - -Semgrep patterns always match against **user project source code**, not library source code. The project source is always available during analysis (the tool already resolves source files via `JIRSourceFileResolver`). This means source-level matching is feasible for all patterns. - -Example: `(Map $M).get(...)` — this matches a call site in the user's code where a variable declared as `Map` has `.get()` called on it. The library source for `java.util.Map` is never needed. - -### Architecture - -``` -Semgrep YAML Rule - | - v -Parse patterns (existing pipeline) - | - v -[NEW] Source pre-resolution phase: - - Scan project .java files using existing ANTLR Java parser - - Match Semgrep patterns against source ASTs - - Extract: exact class, method, line, erased types, - variable bindings with full generic type info - | - v -Generate enriched taint rules: - - Produce precise rules targeting exact matched locations - - Use extracted erased types for bytecode-level matching - - Generic type info used to filter matches (not stored in taint rules) - | - v -Existing bytecode IFDS analysis (unchanged) -``` - -### Why Not Bytecode-Only? - -Three alternative approaches were considered and rejected: - -**Approach A: Extend automata `MethodSignature` with return type.** -- Would add a `returnType` field to the automata predicate, flowing through to `SerializedSignatureMatcher.Partial`. -- Pros: Uses purpose-built `signature.return` field; fast matching at runtime (pre-filters before condition resolution). -- Cons: Larger change surface in automata model; risks breaking determinization/edge merging; doesn't solve generics at all. - -**Approach B: Use `SerializedCondition.IsType` on `PositionBase.Result`.** -- Would add return type as a condition using the existing constraint system. -- Pros: Minimal automata change; reuses existing `IsType` → `resolveIsType()` plumbing. -- Cons: Doesn't solve generics; condition-based matching evaluates later than signature filtering. - -**Both A and B fail on generics** because `JIRMethod.returnType.typeName` is the erased bytecode type (from `MethodInfo.returnClass` which uses `Type.getReturnType(desc).className`). The `JIRTypedMethod` has full generic info, but the matching infrastructure uses `JIRMethod`. - -**Approach C (this design): Source pre-resolution enrichment.** -- Matches patterns against source ASTs where full type information (generics, arrays, concrete types) is available. -- Generates precise taint rules from the matched information. -- Solves all three gaps uniformly. - -## Existing Infrastructure - -### What Already Exists - -| Component | Location | Relevance | -|---|---|---| -| ANTLR Java grammar | `opentaint-java-querylang` (`JavaLexer.g4`, `JavaParser.g4`) | Parse project source files | -| Java AST parsing | `JavaAstSpanResolver` | Already parses `.java` into ANTLR parse trees | -| Semgrep pattern parser | `SemgrepJavaPatternParser` | Produces `SemgrepJavaPattern` AST from pattern strings | -| Source file resolver | `JIRSourceFileResolver` | Locates `.java` files from bytecode classes | -| Project source root | `Project.sourceRoot`, `Module.moduleSourceRoot` | Root paths for source files | -| Pattern AST types | `SemgrepJavaPattern.kt` | Full pattern representation including `TypeName.SimpleTypeName.typeArgs` and `TypeName.ArrayTypeName` | -| Type name patterns | `TypeNamePattern` in `ParamCondition.kt` | Already has `ArrayType`, `ClassName`, `FullyQualified`, `MetaVar`, `AnyType` | -| Serialized type matchers | `SerializedTypeNameMatcher` | `ClassPattern`, `Array` variants for bytecode matching | -| Serialized signature matchers | `SerializedSignatureMatcher.Partial` | Already has `return: SerializedTypeNameMatcher?` and `params` fields | -| Runtime signature matching | `TaintConfiguration.kt:281-307` | `matchFunctionSignature()` already evaluates `return` on `Partial` matchers | - -### What's New (Needs Implementation) - -1. **Source pattern matcher** — Matches `SemgrepJavaPattern` nodes against ANTLR `JavaParser` parse tree nodes. Must support: - - Method invocations with typed receiver (`(Type $X).method(...)`) - - Method declarations with return types (concrete, array, generic) - - Object creation with type arguments (`new Type(...)`) - - Variable declarations with full type info - - Metavariable binding and ellipsis handling - - `pattern-inside` / `pattern-not-inside` structural constraints - -2. **Match-to-taint-rule converter** — Takes source match results and produces `SerializedRule` instances with precise function matchers and signatures. - -3. **Integration into analysis pipeline** — A new phase between rule loading and bytecode analysis that scans source files and enriches taint rules. - -## Key Data Flow Details - -### Pattern Parsing (existing) - -The `SemgrepJavaPattern` AST already correctly represents all three gap features: - -```kotlin -// TypeName already supports generics and arrays: -sealed interface TypeName { - data class SimpleTypeName( - val dotSeparatedParts: List, - val typeArgs: List = emptyList() // <-- generics preserved - ) : TypeName - - data class ArrayTypeName(val elementType: TypeName) : TypeName // <-- arrays preserved -} - -// MethodDeclaration already carries return type: -data class MethodDeclaration( - val name: Name, - val returnType: TypeName?, // <-- concrete return types preserved - val args: MethodArguments, - val body: SemgrepJavaPattern, - val modifiers: List, -) -``` - -The information is parsed correctly — it's only discarded during the `PatternToActionListConverter` step (lines 229-231, 559-571). - -### Where the Gaps Are Triggered - -In `PatternToActionListConverter.transformMethodDeclaration()` (lines 547-573): - -```kotlin -// Return type handling — currently discards everything except metavar: -val retType = pattern.returnType -if (retType != null) { - run { - if (retType !is TypeName.SimpleTypeName) { - semgrepTrace?.error(MethodDeclarationReturnTypeIsArray()) // Gap 2: array skipped - return@run - } - val retTypeMetaVar = retType.dotSeparatedParts.singleOrNull() as? MetavarName - if (retTypeMetaVar == null) { - semgrepTrace?.error(MethodDeclarationReturnTypeIsNotMetaVar()) // Gap 3: concrete skipped - } - if (retType.typeArgs.isNotEmpty()) { - semgrepTrace?.error(MethodDeclarationReturnTypeHasTypeArgs()) // Gap 1 (return-specific) - } - } -} -``` - -In `PatternToActionListConverter.transformSimpleTypeName()` (lines 228-231): - -```kotlin -// Type arguments — currently discarded everywhere: -if (typeName.typeArgs.isNotEmpty()) { - semgrepTrace?.error(TypeArgumentsIgnored()) // Gap 1: generics dropped -} -``` - -### Taint Rule Generation (existing, to be leveraged) - -Generated rules currently always pass `signature = null`: -```kotlin -SerializedRule.Source(function, signature = null, overrides = true, cond, actions, info) -``` - -After source matching, we can populate `signature` with precise matchers: -```kotlin -SerializedRule.Source( - function = SerializedFunctionNameMatcher.Complex(package, class, method), - signature = SerializedSignatureMatcher.Partial( - params = listOf(SerializedArgMatcher(0, Simple("java.util.Map"))), - `return` = Simple("java.util.List") - ), - overrides = true, - condition = cond, - taint = actions, - info = info -) -``` - -### Runtime Matching (existing, already works) - -`TaintConfiguration.matchFunctionSignature()` already handles `Partial` signatures: -```kotlin -is SerializedSignatureMatcher.Partial -> { - val ret = `return` - if (ret != null && !ret.match(method.returnType.typeName)) return false - // params matching... - return true -} -``` - -This uses `method.returnType.typeName` (erased type), which is correct — the source matching phase already filtered by full generic types and only the erased type needs to be verified at bytecode level. - -## Open Design Questions - -### 1. Enrichment Granularity - -**Method-level:** Source matching identifies which methods match the pattern. Generated taint rules target those methods by class + name + descriptor. - -**Call-site-level:** Source matching identifies specific call sites (class + method + bytecode instruction). Can distinguish two `Map` variables with different type args in the same method. - -The `(Map $M).get(...)` example motivates call-site-level: two `Map` variables in the same method with different type arguments should be distinguishable. This may require taint rules to reference specific program points, which is an extension to the current rule model. - -**Decision needed:** What level of granularity is required? - -### 2. Fallback Behavior - -When source files are unavailable (e.g., analyzing a JAR without sources), should the system: -- Fall back to current bytecode-only matching (with the existing warnings)? -- Refuse to apply rules that require source matching? -- Apply best-effort bytecode matching (ignoring generics)? - -**Decision needed:** Fallback strategy. - -### 3. Incremental vs. Full Scan - -Should source matching: -- Scan all source files for every rule? -- Build an index of declarations/invocations and query it per-rule? -- Use the existing class index to narrow which files to scan? - -**Decision needed:** Performance strategy. - -### 4. Pattern Language Scope - -This design focuses on three specific gaps. Should the source matching engine also handle other currently-unsupported features? -- `pattern-regex` (matching raw source text) — natural fit for source matching -- `metavariable-comparison` — could extract constant values from source -- Complex `metavariable-pattern` — nested source-level constraints - -**Decision needed:** Initial scope vs. extensibility plan. - -## Test Strategy - -### Unit Tests - -- Source pattern matcher: test each pattern construct (invocations, declarations, generics, arrays) against known Java source snippets -- Match-to-rule converter: test that extracted source info produces correct `SerializedRule` instances -- Type resolution: test that generic types are correctly extracted and erased types derived - -### Integration Tests - -- End-to-end: YAML rule + Java source file -> enriched taint rules -> correct findings -- Regression: existing rules continue to work (no behavioral changes for rules that don't use generics/arrays/concrete return types) - -### E2E Tests (Rules Test System) - -The existing rules test infrastructure (`@PositiveRuleSample` / `@NegativeRuleSample` annotations, `checkRulesCoverage` task) should be extended with: - -- Test samples using generic types (e.g., `Map`, `List`) -- Test samples with array return types -- Test samples with concrete return types -- Negative samples verifying that `Map` does NOT match a pattern for `Map` - -These tests exercise the full pipeline: YAML rule -> source matching -> taint rule -> bytecode analysis -> SARIF output. - -## File Impact Summary - -### New Files (Estimated) - -| File | Purpose | -|---|---| -| `SourcePatternMatcher.kt` | Matches `SemgrepJavaPattern` against ANTLR parse trees | -| `SourceMatchResult.kt` | Data classes for match results (class, method, types, positions) | -| `SourceMatchToTaintRuleConverter.kt` | Converts match results to `SerializedRule` instances | -| `SourcePreResolutionPhase.kt` | Orchestrates source scanning and rule enrichment | - -### Modified Files (Estimated) - -| File | Change | -|---|---| -| `PatternToActionListConverter.kt` | Route patterns needing source matching to the new phase instead of emitting warnings | -| `SemgrepRuleAutomataBuilder.kt` | Integrate source pre-resolution before automata build | -| `ProjectAnalyzerRunner.kt` | Add source pre-resolution phase to analysis pipeline | - -### Unchanged - -- `TaintCondition.kt` — No new condition types needed -- `SerializedSignatureMatcher.kt` — `Partial` already supports `return` and `params` -- `TaintConfiguration.kt` — Runtime matching already handles populated signatures -- IFDS dataflow engine — Unchanged diff --git a/docs/specs/2026-04-11-symbolic-sequence-alignment.md b/docs/specs/2026-04-11-symbolic-sequence-alignment.md deleted file mode 100644 index 2b5ee9b0..00000000 --- a/docs/specs/2026-04-11-symbolic-sequence-alignment.md +++ /dev/null @@ -1,224 +0,0 @@ -# Symbolic Sequence Alignment: Source-to-Bytecode Linking Without Debug Info - -**Date:** 2026-04-11 -**Status:** Research Note -**Context:** Multi-level IR design for Semgrep pattern language support - -## Problem - -Given a Java source file (parsed into an ANTLR AST) and the corresponding `.class` file (parsed into JIR bytecode instructions), establish a reliable mapping between specific source-level constructs (method calls, field accesses, object creations) and their corresponding bytecode instructions — **without relying on debug information** (`LineNumberTable`, `LocalVariableTable`). - -Debug info is unreliable because: -- It can be stripped (`-g:none`) -- It provides only line-level granularity (multiple statements per line are ambiguous) -- It's compiler-specific in format details -- It doesn't exist for generated/synthetic code - -## Core Insight: JLS-Mandated Evaluation Order - -The Java Language Specification mandates **left-to-right evaluation order** for: -- Operands of binary operators (JLS 15.7) -- Arguments in method invocations (JLS 15.12.4.2) -- Array dimensions in array creation (JLS 15.10.1) - -This means the sequence of symbolic references (method calls, field accesses) in bytecode is **specification-mandated**, not a compiler implementation detail. Any conforming compiler (javac, ECJ, Kotlin compiler targeting Java interop) must produce them in the same evaluation order. - -## Algorithm - -### Overview - -``` -Source AST (ANTLR) Bytecode (ASM/JIR) - | | - [Walk in evaluation order] [Walk instruction sequence] - | | - [Extract symbolic refs: [Extract symbolic refs: - method calls, field invoke*, getfield, - accesses, object putfield, new + - creations, constants] invokespecial , - | ldc constants] - | | - | [Filter synthetic refs - | using pattern catalog] - | | - +------> SEQUENCE ALIGN <---------+ - | - [Matched pairs: - AST node <-> bytecode offset] -``` - -### Step 1: Extract Symbolic Reference Sequence from Bytecode - -Walk all instructions in a method body. For each instruction that references a symbolic name, record a `BytecodeRef`: - -```kotlin -data class BytecodeRef( - val offset: Int, // bytecode offset - val kind: RefKind, // INVOKE, FIELD_GET, FIELD_PUT, NEW, CONSTANT - val owner: String, // owning class (internal name) - val name: String, // method/field name - val descriptor: String, // JVM descriptor - val isSynthetic: Boolean, // identified as compiler-generated -) - -enum class RefKind { INVOKE, FIELD_GET, FIELD_PUT, NEW, CONSTANT } -``` - -Instructions that produce refs: -- `invokevirtual`, `invokeinterface`, `invokestatic`, `invokespecial` -> `INVOKE` -- `getfield`, `getstatic` -> `FIELD_GET` -- `putfield`, `putstatic` -> `FIELD_PUT` -- `new` (paired with `invokespecial `) -> `NEW` -- `ldc`, `ldc_w`, `ldc2_w` -> `CONSTANT` - -### Step 2: Extract Symbolic Reference Sequence from Source AST - -Walk the AST in **evaluation order** (left-to-right, depth-first — matching JLS semantics). For each method call, field access, object creation, or constant, record a `SourceRef`: - -```kotlin -data class SourceRef( - val node: ParserRuleContext, // ANTLR AST node - val kind: RefKind, - val name: String, // method/field name as written in source - val argCount: Int?, // for method calls, number of arguments -) -``` - -The evaluation-order walk must handle: -- Nested expressions: `a.foo(b.bar())` produces `[bar, foo]` (callee args evaluated before the call) -- Chained calls: `a.foo().bar()` produces `[foo, bar]` -- Binary operators: `a.x() + b.y()` produces `[x, y]` (left before right) -- Short-circuit: `a.x() && b.y()` produces `[x, y]` but `y` is conditional (still in order) - -### Step 3: Filter Synthetic Bytecode References - -Java compilation introduces bytecode instructions with no corresponding source construct. These must be identified and tagged before alignment. - -#### Synthetic Pattern Catalog - -| Source Pattern | Synthetic Bytecode (pre-Java 9) | Synthetic Bytecode (Java 9+) | -|---|---|---| -| String `+` | `new StringBuilder`, `.append()` chain, `.toString()` | `invokedynamic makeConcatWithConstants` | -| Enhanced for (Iterable) | `.iterator()`, `.hasNext()`, `.next()` | same | -| Enhanced for (array) | `arraylength` | same | -| Autoboxing | `Integer.valueOf()`, `Long.valueOf()`, etc. | same | -| Unboxing | `.intValue()`, `.longValue()`, etc. | same | -| Try-with-resources | `.close()`, `addSuppressed()` | same | -| Assert | `getstatic $assertionsDisabled`, `new AssertionError` | same | -| Enum switch | synthetic `$SwitchMap$...` array access | same | -| Lambda | `invokedynamic` (LambdaMetafactory) | same | -| String switch | `.hashCode()`, `.equals()` on switch expression | same | -| Instanceof pattern (16+) | `checkcast` after `instanceof` | same | -| Record accessors | synthetic accessor methods | same | - -Detection heuristics: -- **Bridge methods**: `ACC_BRIDGE` flag in method access flags -- **Synthetic methods**: `ACC_SYNTHETIC` flag -- **Lambda bodies**: Method name matches `lambda$$` pattern -- **String concat**: `makeConcatWithConstants` bootstrap method -- **Boxing/unboxing**: Calls to `.valueOf()` or `.Value()` that don't appear in source -- **Iterator protocol**: Sequence `iterator() -> hasNext() -> next()` within a loop structure - -### Step 4: Sequence Alignment - -Align the filtered bytecode refs with the source refs using a variant of the Longest Common Subsequence (LCS) algorithm with domain-specific scoring: - -**Strong match** (high score): -- Same method/field name AND compatible descriptor AND same ref kind -- Example: source `obj.parse(x)` <-> bytecode `invokevirtual Foo.parse:(Ljava/lang/String;)I` - -**Partial match** (medium score): -- Same method/field name AND same ref kind, but descriptor can't be verified (no type resolution on source side) -- Example: source `obj.process(x)` <-> bytecode `invokevirtual Foo.process:(I)V` (we know the name matches but can't verify arg types from source alone) - -**No match** (skip): -- Unmatched bytecode refs -> synthetic (compiler-generated) -- Unmatched source refs -> inlined constants or optimized away - -For most methods, alignment is trivial: after filtering synthetics, the sequences are the same length and in the same order, giving 1:1 correspondence. - -## Reliability Assessment - -| Construct | Reliability | Notes | -|---|---|---| -| Simple method calls | **Excellent** | Name + descriptor + order = unambiguous | -| Field accesses | **Excellent** | Name + owner class + order | -| Object creation (`new`) | **Excellent** | `new` + `invokespecial ` pattern is invariant | -| String concatenation | **Good** | Need version-aware synthetic detection | -| Enhanced for-loops | **Good** | Well-defined iterator/array patterns | -| Lambdas | **Good** | `invokedynamic` is recognizable; body in synthetic method | -| Try-with-resources | **Moderate** | Complex synthetic code, well-defined pattern | -| Inlined constants | **Moderate** | Match by value (`ldc` value = source literal value) | -| Overloaded methods | **Depends** | Without type resolution, arg count disambiguates many cases | -| Compiler independence | **Good** | Symbolic sequence is JLS-mandated; only synthetic catalog varies | - -## Edge Cases and Mitigations - -### Overloaded Methods - -When source has `obj.foo(x)` and the class has multiple `foo` methods, the bytecode descriptor disambiguates but the source ref may not carry type info. - -**Mitigation**: Use argument count as a discriminator. If ambiguity remains, the alignment algorithm can use positional context (surrounding matched refs) to resolve. - -### Conditional Evaluation (Short-Circuit, Ternary) - -`a.x() && b.y()` — both calls appear in bytecode but `y()` is behind a branch. The symbolic sequence still has both refs in source order; they just appear in different basic blocks in bytecode. - -**Mitigation**: Flatten the bytecode control flow for alignment purposes — walk all basic blocks in a linearized order that respects source evaluation order. - -### Nested Lambdas - -Lambda bodies are compiled to separate synthetic methods. The lambda *creation* (invokedynamic) appears in the enclosing method's bytecode. - -**Mitigation**: Align the lambda creation point in the enclosing method. Lambda body matching is a separate alignment pass on the synthetic method vs. the lambda expression's AST subtree. - -### Compiler-Specific Optimizations - -Some compilers may perform limited optimizations (constant folding, dead code elimination). - -**Mitigation**: The alignment algorithm tolerates gaps (unmatched refs on either side). Gaps are expected and handled gracefully. - -## Complexity Estimate - -| Component | Lines (est.) | Complexity | -|---|---|---| -| Bytecode symbolic ref extraction | ~200 | Low (ASM visitor) | -| AST evaluation-order walk | ~500-800 | Medium (handle all expression types) | -| Synthetic pattern catalog | ~300-500 | Medium (version-aware, needs maintenance) | -| Sequence alignment | ~100-200 | Low (LCS variant) | -| **Total** | **~1100-1700** | **Medium** | - -## Relationship to Existing Infrastructure - -### What Already Exists in OpenTaint - -| Component | Used By | Can Reuse? | -|---|---|---| -| `JavaAstSpanResolver` | SARIF reporting | **Yes** — already walks AST + matches by instruction kind + method name. Currently uses line numbers as primary filter; could be extended with symbolic alignment as primary strategy. | -| `JIRSourceFileResolver` | Class-to-file mapping | **Yes** — narrows which source file to parse for a given bytecode class. | -| `JIRTypedMethod` | Type resolution | **Yes** — provides full generic types from Signature attribute. For method-level matching, this may suffice without source alignment. | -| `RawInstListBuilder` | Bytecode loading | **Yes** — already walks all instructions. Symbolic ref extraction can piggyback. | -| `JIRCallExpr` | Instruction metadata | **Yes** — already carries callee name, descriptor, owner class. This IS the bytecode symbolic ref. | - -### Key Difference from Current Approach - -Current `JavaAstSpanResolver` strategy: -1. Get line number from bytecode instruction -2. Find AST nodes on that line -3. Filter by instruction kind + name - -Proposed symbolic alignment strategy: -1. Extract full symbolic ref sequence from bytecode method -2. Extract full symbolic ref sequence from source AST method -3. Align sequences (line numbers used as optional tiebreaker, not primary signal) -4. Each match links an AST node to a specific bytecode offset - -The symbolic approach is **more reliable** (works without debug info) and **more precise** (disambiguates multiple calls on the same line). - -## Open Questions - -1. **Type resolution scope**: Should source-side type resolution be attempted (using classpath) to improve matching precision for overloaded methods? Or is name + arg count + position sufficient? - -2. **Incremental alignment**: When source changes but bytecode hasn't been recompiled, the alignment will fail. How should staleness be detected and handled? - -3. **Multi-language**: For Kotlin, the compilation model differs (extension functions, coroutines, companion objects). The synthetic pattern catalog needs a Kotlin-specific section. The core alignment algorithm (JLS evaluation order) doesn't directly apply — Kotlin has its own specification. diff --git a/docs/specs/2026-04-12-type-aware-pattern-matching-design.md b/docs/specs/2026-04-12-type-aware-pattern-matching-design.md deleted file mode 100644 index 2a0526df..00000000 --- a/docs/specs/2026-04-12-type-aware-pattern-matching-design.md +++ /dev/null @@ -1,352 +0,0 @@ -# Type-Aware Pattern Matching for Semgrep Pattern Language - -**Date:** 2026-04-12 -**Status:** Approved -**Branch:** misonijnik/source-matching -**Supersedes:** `2026-04-11-source-matching-enrichment-design.md` (the "source pre-resolution" approach is replaced by this simpler plumbing fix) - -## Problem Statement - -OpenTaint translates Semgrep pattern-rules (source-level patterns) into taint configs (bytecode-level configurations). Three Semgrep pattern language features for Java are currently broken: - -1. **Type arguments/generics** — Pattern `Map` becomes just `Map` (`TypeArgumentsIgnored` warning at `PatternToActionListConverter.kt:229`) -2. **Array return types** — Pattern `String[] foo(...)` loses the return type constraint (`MethodDeclarationReturnTypeIsArray` at line 559) -3. **Concrete return types** — Pattern `String foo(...)` loses the return type constraint (`MethodDeclarationReturnTypeIsNotMetaVar` at line 565) - -Two matching scenarios are affected: - -- **Scenario 1 (method declarations):** `String[] foo(Map $M, ...)` — constraining the declared method's return type and parameter types -- **Scenario 2 (call-site receivers):** `(Map $M).get(...)` — constraining the generic type of the receiver variable at the call site - -## Key Insight: Bytecode Already Has the Type Information - -The JVM preserves generic type signatures in bytecode through two mechanisms: - -1. **Signature attribute** on classes, methods, and fields — preserves full generic signatures (e.g., `Ljava/util/List;`). Already parsed by `JIRTypedMethod` via `MethodSignature.kt` / `FieldSignature.kt`. - -2. **LocalVariableTypeTable attribute** — preserves generic signatures for local variables. Already accessible via `JIRTypedMethod.typeOf(LocalVariableNode)` at `JIRTypedMethodImpl.kt:119`. - -**No source parsing, no new IR levels, no multi-level architecture needed.** The fix is plumbing: stop discarding type information in the conversion pipeline and use the typed method infrastructure that already exists in the IR. - -## Design - -### Architecture Overview - -The change flows through the existing pipeline without introducing new stages: - -``` -Semgrep YAML Rule - │ - ▼ -SemgrepJavaPattern (pattern AST — already preserves type args, arrays, concrete types) - │ - ▼ -PatternToActionListConverter ──► SemgrepPatternAction with TypeNamePattern - │ NOW PRESERVES: typeArgs, array returns, concrete returns - ▼ -ActionListToAutomata ──► SemgrepRuleAutomata (TypeNamePattern passes through unchanged) - │ - ▼ -AutomataToTaintRuleConversion.typeMatcher() ──► SerializedRule with SerializedTypeNameMatcher - │ NOW CARRIES: typeArgs on ClassPattern - ▼ -TaintConfiguration.matchFunctionSignature() ──► matches against JIRTypedMethod (generic types) - │ INSTEAD OF: JIRMethod (erased types) - ▼ -JIRBasicAtomEvaluator.typeMatchesPattern() ──► resolves receiver local var generic type - via LocalVariableTypeTable -``` - -### Change 1: Preserve Type Args in TypeNamePattern - -**File:** `core/opentaint-java-querylang/.../conversion/SemgrepPatternAction.kt` - -Add `typeArgs` field to `ClassName` and `FullyQualified`: - -```kotlin -sealed interface TypeNamePattern { - data class ClassName( - val name: String, - val typeArgs: List = emptyList() // NEW - ) : TypeNamePattern - - data class FullyQualified( - val name: String, - val typeArgs: List = emptyList() // NEW - ) : TypeNamePattern - - // ArrayType, PrimitiveName, MetaVar, AnyType — unchanged -} -``` - -**File:** `core/opentaint-java-querylang/.../conversion/PatternToActionListConverter.kt` - -Three changes: - -1. **`transformSimpleTypeName()` (line 228-231):** Remove the `TypeArgumentsIgnored` warning. Map `typeName.typeArgs` to `TypeNamePattern` recursively: - ```kotlin - private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { - val typeArgs = typeName.typeArgs.map { transformTypeName(it) } - // ... existing name resolution logic ... - return TypeNamePattern.ClassName(className, typeArgs) - } - ``` - -2. **`transformMethodDeclaration()` (lines 559-571):** Remove the three return-type guards. Flow the return type through: - ```kotlin - val retType = pattern.returnType - if (retType != null) { - val retTypePattern = transformTypeName(retType) - // Use retTypePattern in method signature action - } - ``` - -3. **Populate signature on emitted actions:** The `MethodSignature` action already has a `methodName` and `params` — add a `returnType: TypeNamePattern?` field to carry the return type pattern. The downstream `evaluateFormulaSignature()` in `AutomataToTaintRuleConversion.kt` will convert this to `SerializedSignatureMatcher.Partial(return = ...)` using the existing `typeMatcher()` function. - -### Change 2: Carry Type Args Through Serialization - -**File:** `core/opentaint-configuration-rules/.../serialized/SerializedNameMatcher.kt` - -Add `typeArgs` to `ClassPattern`: - -```kotlin -sealed interface SerializedTypeNameMatcher { - data class ClassPattern( - val `package`: SerializedSimpleNameMatcher, - val `class`: SerializedSimpleNameMatcher, - val typeArgs: List = emptyList() // NEW - ) : SerializedTypeNameMatcher - - data class Array(val element: SerializedTypeNameMatcher) : SerializedTypeNameMatcher - // rest unchanged -} -``` - -**File:** `core/opentaint-java-querylang/.../taint/AutomataToTaintRuleConversion.kt` - -In `typeMatcher()` (line 802-892), propagate type args: - -```kotlin -is TypeNamePattern.ClassName -> MetaVarConstraintFormula.Constraint( - SerializedTypeNameMatcher.ClassPattern( - `package` = anyName(), - `class` = Simple(typeName.name), - typeArgs = typeName.typeArgs.mapNotNull { typeMatcher(it, semgrepRuleTrace)?.constraint } - ) -) -``` - -### Change 3: Match Against JIRTypedMethod at Runtime (Scenario 1) - -**File:** `core/opentaint-jvm-sast-dataflow/.../rules/TaintConfiguration.kt` - -**`matchFunctionSignature()` (lines 281-308):** Change parameter from `JIRMethod` to `JIRTypedMethod` (or accept both, resolving typed from erased via classpath lookup): - -```kotlin -private fun SerializedSignatureMatcher.matchFunctionSignature(typedMethod: JIRTypedMethod): Boolean { - when (this) { - is SerializedSignatureMatcher.Partial -> { - val ret = `return` - if (ret != null && !ret.matchType(typedMethod.returnType)) return false - val params = params - if (params != null) { - for (param in params) { - val methodParam = typedMethod.parameters.getOrNull(param.index) ?: return false - if (!param.type.matchType(methodParam.type)) return false - } - } - return true - } - // Simple matcher handling similar - } -} -``` - -New `matchType()` overload on `SerializedTypeNameMatcher`: - -```kotlin -private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { - // No type args → fall back to erased name matching (backward compat) - this is ClassPattern && typeArgs.isEmpty() -> match(type.erasedName) - - // Has type args → structural comparison against JIRClassType - this is ClassPattern && type is JIRClassType -> { - match(type.erasedName) && - typeArgs.size == type.typeArguments.size && - typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } - } - - // Array matching - this is Array && type is JIRArrayType -> element.matchType(type.elementType) - - // Default: erased matching - else -> match(type.erasedName) -} -``` - -**Resolving `JIRTypedMethod` from `JIRMethod`:** The call sites that invoke `matchFunctionSignature()` need to resolve the typed method. `JIRClassType.lookup` or `JIRClassType.declaredMethods` provide `JIRTypedMethod` instances. The classpath is already available in `TaintConfiguration`. - -### Change 4: Call-Site Receiver Generic Matching (Scenario 2) - -**File:** `core/opentaint-configuration-rules/.../TaintCondition.kt` - -Extend `TypeMatchesPattern` to carry type args: - -```kotlin -data class TypeMatchesPattern( - val position: Position, - val pattern: ConditionNameMatcher, - val typeArgs: List = emptyList() // NEW -) : Condition -``` - -**File:** `core/opentaint-jvm-sast-dataflow/.../rules/TaintConfiguration.kt` - -In `resolveIsType()` (lines 674-708), when the `IsType` matcher has `typeArgs` and position is `This`: - -```kotlin -is This -> { - // Erased class check (existing) - if (!normalizedTypeIs.match(method.enclosingClass.name)) { - // ... existing super-hierarchy check ... - } - // When type args present, defer to instruction-level evaluation - if (normalizedTypeIs.hasTypeArgs()) { - return TypeMatchesPattern(This, matcher, normalizedTypeIs.typeArgs) - } - // Otherwise: existing eager resolution -} -``` - -**File:** `core/opentaint-jvm-sast-dataflow/.../JIRBasicAtomEvaluator.kt` - -In `typeMatchesPattern()` (lines 328-347), when `typeArgs` is non-empty: - -```kotlin -override fun visit(condition: TypeMatchesPattern): Condition { - // Existing erased type check first - val value = positionResolver.resolve(condition.position) ?: return condition - val type = value.type as? JIRRefType ?: return mkFalse() - if (!condition.pattern.matches(type.typeName)) return mkFalse() - - // NEW: Generic type args check - if (condition.typeArgs.isNotEmpty()) { - val genericType = resolveGenericType(value) - if (genericType is JIRClassType) { - if (genericType.typeArguments.size != condition.typeArgs.size) return mkFalse() - val allMatch = condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> - matcher.matchType(arg) - } - return allMatch.asCondition() - } - // Can't resolve generics → fall back to erased match (true, already passed above) - return mkTrue() - } - // ... existing logic -} - -private fun resolveGenericType(value: JIRValue): JIRType? { - // 1. Get the local variable index from the JIRValue - val localVarIndex = (value as? JIRLocalVar)?.index ?: return null - - // 2. Find the LocalVariableNode for this index at the current instruction - val localVarNode = findLocalVariable(localVarIndex) ?: return null - - // 3. Resolve generic type via JIRTypedMethod - return typedMethod.typeOf(localVarNode) -} -``` - -**Context requirements:** `JIRBasicAtomEvaluator` needs access to: -- The enclosing `JIRTypedMethod` (for `typeOf()`) -- The ASM `MethodNode.localVariables` list (for `LocalVariableNode` lookup) -- The current instruction (for scoping the `LocalVariableNode` to the right range) - -These are available through the `analysisContext` and the `statement` already passed to the evaluator. - -### Graceful Degradation - -| Scenario | Behavior | -|---|---| -| `typeArgs` empty on matcher | Erased matching — identical to current behavior | -| Bytecode has no Signature attribute | `JIRTypedMethod` falls back to erased types → type args comparison skipped | -| `LocalVariableTypeTable` absent | `LocalVariableNode.signature` is null → `typeOf()` returns erased type → type args check skipped | -| Receiver is not a local variable | `resolveGenericType()` returns null → falls back to erased matching | -| Existing rules without generics | All `typeArgs` fields default to empty → zero behavior change | - -### Backward Compatibility - -All changes are additive: -- `TypeNamePattern.ClassName.typeArgs` defaults to `emptyList()` -- `SerializedTypeNameMatcher.ClassPattern.typeArgs` defaults to `emptyList()` -- `TypeMatchesPattern.typeArgs` defaults to `emptyList()` -- When empty, every code path follows the existing logic exactly -- Serialization format: `typeArgs` is a new optional field — existing serialized configs deserialize with empty list - -## Files Changed - -### Modified Files - -| File | Module | Change | -|---|---|---| -| `SemgrepPatternAction.kt` | opentaint-java-querylang | Add `typeArgs` to `TypeNamePattern.ClassName`, `FullyQualified` | -| `PatternToActionListConverter.kt` | opentaint-java-querylang | Stop discarding type args (line 229), array returns (line 559), concrete returns (line 565); flow type info through | -| `AutomataToTaintRuleConversion.kt` | opentaint-java-querylang | `typeMatcher()`: propagate `typeArgs` to `ClassPattern` | -| `SerializedNameMatcher.kt` | opentaint-configuration-rules | Add `typeArgs` to `ClassPattern` | -| `TaintCondition.kt` | opentaint-configuration-rules | Add `typeArgs` to `TypeMatchesPattern` | -| `TaintConfiguration.kt` | opentaint-jvm-sast-dataflow | `matchFunctionSignature()`: use `JIRTypedMethod`; `resolveIsType()`: defer generic checks | -| `JIRBasicAtomEvaluator.kt` | opentaint-jvm-sast-dataflow | `typeMatchesPattern()`: resolve local var generic types when `typeArgs` present | - -### No New Files - -This is a plumbing fix across the existing pipeline — no new modules, classes, or architectural layers. - -### Unchanged - -| Component | Why Unchanged | -|---|---| -| `SemgrepJavaPattern.kt` | Already preserves type args and array types correctly | -| `ActionListToAutomata.kt` | `TypeNamePattern` passes through untransformed | -| `SerializedSignatureMatcher.kt` | `Partial` already has `return` and `params` fields | -| `JIRTypedMethod` / `JIRTypedMethodImpl` | Already resolves generics from Signature attribute | -| IFDS dataflow engine | Unchanged — condition evaluation is extended, not the engine | -| SARIF reporting | Unchanged | - -## Test Strategy - -### Unit Tests - -- **TypeNamePattern with type args:** Verify `transformSimpleTypeName()` preserves `typeArgs` from pattern AST -- **typeMatcher() propagation:** Verify `TypeNamePattern.ClassName(name, typeArgs)` → `ClassPattern(pkg, cls, typeArgs)` -- **matchType() with generics:** `ClassPattern("Map", typeArgs=[Simple("String"), Simple("Object")])` matches `JIRClassType(Map, typeArgs=[String, Object])` but not `JIRClassType(Map, typeArgs=[String, String])` -- **matchType() without generics:** `ClassPattern("Map", typeArgs=[])` matches any `Map` regardless of type args (backward compat) -- **matchFunctionSignature() with JIRTypedMethod:** Return type and parameter type generic matching -- **resolveGenericType():** Local variable index → `LocalVariableNode` → `typeOf()` → correct generic type -- **Graceful degradation:** Missing Signature attribute, missing LocalVariableTypeTable, non-local-variable receiver - -### Integration Tests - -- End-to-end: YAML rule with `Map` pattern → correct taint findings -- End-to-end: `String[] foo(...)` pattern → correct return type matching -- End-to-end: `(List $L).get(...)` → matches only `List` receivers, not `List` -- Regression: all existing rules produce identical results - -### E2E Test Samples - -Extend existing `@PositiveRuleSample` / `@NegativeRuleSample` annotations: - -- Positive: `Map m = ...; m.get(key)` with pattern `(Map $M).get(...)` -- Negative: `Map m = ...; m.get(key)` with same pattern (should NOT match) -- Positive: `String[] foo()` with pattern `String[] foo(...)` -- Positive: `List bar()` with pattern `List bar(...)` -- Negative: `List bar()` with same pattern - -## Open Questions Resolved - -| Question (from previous spec) | Resolution | -|---|---| -| Enrichment granularity? | Method-level for signatures, instruction-level for call-site receivers | -| Fallback when sources unavailable? | Not applicable — all type info comes from bytecode, not source | -| Incremental vs. full scan? | Not applicable — no source scanning | -| Pattern language scope? | Scoped to type args, array returns, concrete returns. Other features (`pattern-regex`, `metavariable-comparison`) are separate work | -| Multi-level IR needed? | No — plumbing fix on existing pipeline | diff --git a/docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md b/docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md deleted file mode 100644 index 9e9d9ccf..00000000 --- a/docs/superpowers/plans/2026-04-12-type-aware-pattern-matching.md +++ /dev/null @@ -1,1250 +0,0 @@ -# Type-Aware Pattern Matching Implementation Plan - -> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. - -**Goal:** Fix three broken Semgrep pattern language features for Java — generic type arguments, array return types, and concrete return types — by threading type information through the existing pipeline instead of discarding it. - -**Architecture:** The fix is a plumbing change across 7 existing files in 3 modules. Type arguments are added as a new field (`typeArgs: List`) to `TypeNamePattern.ClassName` and `FullyQualified`, then propagated through `SerializedTypeNameMatcher.ClassPattern` to the runtime matchers. Return types are added to `SemgrepPatternAction.MethodSignature` and flow through to `SerializedSignatureMatcher.Partial`. All new fields default to `emptyList()` / `null` for backward compatibility. - -**Tech Stack:** Kotlin, JUnit 5 / kotlin.test, Gradle, kotlinx.serialization - -**Spec:** `docs/specs/2026-04-12-type-aware-pattern-matching-design.md` - ---- - -## File Structure - -| File | Module | Responsibility | -|---|---|---| -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt` | querylang | `TypeNamePattern` sealed interface — add `typeArgs` to `ClassName` and `FullyQualified` | -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt` | querylang | `MethodSignature` action — add `returnType: TypeNamePattern?` field | -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt` | querylang | Stop discarding type args (line 229), array returns (line 559), concrete returns (line 565) | -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt` | querylang | `unifyTypeName()` — handle `typeArgs` in unification logic | -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt` | querylang | `typeNameMetaVars()` — recurse into `typeArgs` for metavar extraction | -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt` | querylang | `MethodSignature` predicate — add optional `returnType` | -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt` | querylang | `typeMatcher()` — propagate `typeArgs`; `evaluateFormulaSignature()` — emit return type to `SerializedSignatureMatcher.Partial` | -| `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt` | querylang | Remove 4 now-obsolete warning classes | -| `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt` | config-rules | `ClassPattern` — add `typeArgs` field | -| `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt` | config-rules | `TypeMatchesPattern` — add `typeArgs` field for deferred generic matching | -| `core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt` | jvm-sast | `matchFunctionSignature()` — add `matchType(JIRType)` overload; `resolveIsType()` — defer generic checks via `typeArgs` | -| `core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt` | jvm-dataflow | `typeMatchesPattern()` — resolve local var generic types when `typeArgs` present | - -### Test Files - -| File | Module | Tests | -|---|---|---| -| `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java` | querylang/samples | E2E sample: generic type arg matching (positive + negative) | -| `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml` | querylang/samples | Semgrep rule for generic type arg test | -| `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java` | querylang/samples | E2E sample: array return type matching | -| `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml` | querylang/samples | Semgrep rule for array return type test | -| `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java` | querylang/samples | E2E sample: concrete return type matching | -| `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml` | querylang/samples | Semgrep rule for concrete return type test | -| `core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt` | querylang/test | E2E test class exercising all three scenarios | - ---- - -## Task 1: Add `typeArgs` to `TypeNamePattern.ClassName` and `FullyQualified` - -**Files:** -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt:14` (ClassName), `:9` (FullyQualified) - -- [ ] **Step 1: Add `typeArgs` field to `ClassName`** - -In `ParamCondition.kt`, change `ClassName`: - -```kotlin -@Serializable -data class ClassName(val name: String, val typeArgs: List = emptyList()) : TypeNamePattern { - override fun toString(): String = if (typeArgs.isEmpty()) "*.$name" else "*.$name<${typeArgs.joinToString(", ")}>" -} -``` - -- [ ] **Step 2: Add `typeArgs` field to `FullyQualified`** - -In `ParamCondition.kt`, change `FullyQualified`: - -```kotlin -@Serializable -data class FullyQualified(val name: String, val typeArgs: List = emptyList()) : TypeNamePattern { - override fun toString(): String = if (typeArgs.isEmpty()) name else "$name<${typeArgs.joinToString(", ")}>" -} -``` - -- [ ] **Step 3: Verify compilation** - -Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` -Expected: BUILD SUCCESSFUL (default empty lists mean all existing call sites remain valid) - -- [ ] **Step 4: Commit** - -```bash -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt -git commit -m "feat: add typeArgs field to TypeNamePattern.ClassName and FullyQualified" -``` - ---- - -## Task 2: Add `returnType` to `MethodSignature` action and `MethodSignature` predicate - -**Files:** -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt:103-122` -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt:19-22` - -- [ ] **Step 1: Add `returnType` to `SemgrepPatternAction.MethodSignature`** - -In `SemgrepPatternAction.kt`, change the `MethodSignature` data class: - -```kotlin -data class MethodSignature( - val methodName: SignatureName, - val params: ParamConstraint.Partial, - val returnType: TypeNamePattern? = null, // NEW - val modifiers: List, - val enclosingClassMetavar: String?, - val enclosingClassConstraints: List, -): SemgrepPatternAction { - override val metavars: List - get() { - val metavars = mutableSetOf() - params.conditions.forEach { it.collectMetavarTo(metavars) } - return metavars.toList() - } - - override val result: ParamCondition? = null - - override fun setResultCondition(condition: ParamCondition): SemgrepPatternAction { - error("Unsupported operation?") - } -} -``` - -- [ ] **Step 2: Add `returnType` to automata `MethodSignature` predicate** - -In `Predicate.kt`, change: - -```kotlin -@Serializable -data class MethodSignature( - val methodName: MethodName, - val enclosingClassName: MethodEnclosingClassName, - val returnType: TypeNamePattern? = null, // NEW -) -``` - -- [ ] **Step 3: Verify compilation** - -Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` -Expected: BUILD SUCCESSFUL (default `null` keeps existing call sites valid) - -- [ ] **Step 4: Commit** - -```bash -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/SemgrepPatternAction.kt -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/automata/Predicate.kt -git commit -m "feat: add returnType field to MethodSignature action and predicate" -``` - ---- - -## Task 3: Stop discarding type info in `PatternToActionListConverter` - -**Files:** -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt:228-231` (transformSimpleTypeName), `:547-626` (transformMethodDeclaration) -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt:149-163` (remove warnings) - -- [ ] **Step 1: Preserve type args in `transformSimpleTypeName()`** - -In `PatternToActionListConverter.kt`, replace lines 228-258: - -```kotlin -private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { - val typeArgs = typeName.typeArgs.map { transformTypeName(it) } - - if (typeName.dotSeparatedParts.size == 1) { - val name = typeName.dotSeparatedParts.single() - if (name is MetavarName) return TypeNamePattern.MetaVar(name.metavarName) - } - - val concreteNames = typeName.dotSeparatedParts.filterIsInstance() - if (concreteNames.size == typeName.dotSeparatedParts.size) { - if (concreteNames.size == 1) { - val className = concreteNames.single().name - if (className.first().isUpperCase()) { - return TypeNamePattern.ClassName(className, typeArgs) - } - - if (className in primitiveTypeNames) { - return TypeNamePattern.PrimitiveName(className) - } - - transformationFailed("TypeName_concrete_unexpected") - } - - val fqn = concreteNames.joinToString(".") { it.name } - return TypeNamePattern.FullyQualified(fqn, typeArgs) - } - - transformationFailed("TypeName_non_concrete_unsupported") -} -``` - -Key changes: -- Removed `TypeArgumentsIgnored` warning emission (was line 229-231) -- Added `val typeArgs = typeName.typeArgs.map { transformTypeName(it) }` at the top -- Passed `typeArgs` to `ClassName(className, typeArgs)` and `FullyQualified(fqn, typeArgs)` - -- [ ] **Step 2: Preserve return types in `transformMethodDeclaration()`** - -In `PatternToActionListConverter.kt`, replace the return type handling block (lines 556-573) and the signature construction (line 614-619): - -```kotlin -private fun transformMethodDeclaration(pattern: MethodDeclaration): SemgrepPatternActionList { - val bodyPattern = transformPatternToActionList(pattern.body) - val params = methodArgumentsToPatternList(pattern.args) - - val methodName = when (val name = pattern.name) { - is ConcreteName -> SignatureName.Concrete(name.name) - is MetavarName -> SignatureName.MetaVar(name.metavarName) - } - - val returnTypePattern: TypeNamePattern? = pattern.returnType?.let { transformTypeName(it) } - - val paramConditions = mutableListOf() - - var idxIsConcrete = true - for ((i, param) in params.withIndex()) { - when (param) { - is FormalArgument -> { - val paramName = (param.name as? MetavarName)?.metavarName - ?: transformationFailed("MethodDeclaration_param_name_not_metavar") - - val position = if (idxIsConcrete) { - ParamPosition.Concrete(i) - } else { - ParamPosition.Any(paramClassifier = paramName) - } - - val paramModifiers = param.modifiers.map { transformModifier(it) } - paramModifiers.mapTo(paramConditions) { modifier -> - ParamPattern(position, ParamCondition.ParamModifier(modifier)) - } - - paramConditions += ParamPattern(position, IsMetavar(MetavarAtom.create(paramName))) - - val paramType = transformTypeName(param.type) - paramConditions += ParamPattern(position, ParamCondition.TypeIs(paramType)) - } - - is EllipsisArgumentPrefix -> { - idxIsConcrete = false - continue - } - - else -> { - transformationFailed("MethodDeclaration_parameters_not_extracted") - } - } - } - - val modifiers = pattern.modifiers.map { transformModifier(it) } - - val signature = SemgrepPatternAction.MethodSignature( - methodName, ParamConstraint.Partial(paramConditions), - returnType = returnTypePattern, - modifiers = modifiers, - enclosingClassMetavar = null, - enclosingClassConstraints = emptyList(), - ) - - return SemgrepPatternActionList( - listOf(signature) + bodyPattern.actions, - hasEllipsisInTheEnd = bodyPattern.hasEllipsisInTheEnd, - hasEllipsisInTheBeginning = false - ) -} -``` - -Key changes: -- Replaced the entire return type guard block (lines 556-573) with a single line: `val returnTypePattern: TypeNamePattern? = pattern.returnType?.let { transformTypeName(it) }` -- Removed `MethodDeclarationReturnTypeIsArray`, `MethodDeclarationReturnTypeIsNotMetaVar`, `MethodDeclarationReturnTypeHasTypeArgs` warning emissions -- Passed `returnType = returnTypePattern` to the `MethodSignature` constructor - -- [ ] **Step 3: Remove obsolete warning classes** - -In `SemgrepRuleLoadErrorMessage.kt`, delete the four classes (lines 149-163): - -- `TypeArgumentsIgnored` -- `MethodDeclarationReturnTypeIsArray` -- `MethodDeclarationReturnTypeIsNotMetaVar` -- `MethodDeclarationReturnTypeHasTypeArgs` - -- [ ] **Step 4: Verify compilation** - -Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` -Expected: BUILD SUCCESSFUL. If any code references the deleted warning classes, fix those references (they should only be in the lines we already changed). - -- [ ] **Step 5: Commit** - -```bash -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/SemgrepRuleLoadErrorMessage.kt -git commit -m "feat: stop discarding type args, array returns, concrete returns in pattern converter" -``` - ---- - -## Task 4: Update `unifyTypeName` in `MethodFormulaSimplifier` for `typeArgs` - -**Files:** -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt:769-858` - -- [ ] **Step 1: Add `typeArgs` unification logic** - -The `unifyTypeName` function (lines 769-858) has a pattern-match on `left` and `right`. We need to handle `typeArgs` when both sides are `ClassName` or `FullyQualified`. Add a helper and update the relevant match arms. - -Add a private helper above `unifyTypeName`: - -```kotlin -private fun unifyTypeArgs( - left: List, - right: List, - metaVarInfo: ResolvedMetaVarInfo -): List? { - if (left.isEmpty()) return right - if (right.isEmpty()) return left - if (left.size != right.size) return null - val unified = left.zip(right).map { (l, r) -> unifyTypeName(l, r, metaVarInfo) ?: return null } - return unified -} -``` - -Update the `ClassName`-to-`ClassName` case inside `unifyTypeName`. Currently at line 785 the match arm is: - -```kotlin -is TypeNamePattern.ClassName -> when (right) { - TypeNamePattern.AnyType -> return left - - is TypeNamePattern.ArrayType, - is TypeNamePattern.ClassName, - is TypeNamePattern.PrimitiveName -> return null - // ... -``` - -Change the `is TypeNamePattern.ClassName` sub-case to unify names and typeArgs: - -```kotlin -is TypeNamePattern.ClassName -> when (right) { - TypeNamePattern.AnyType -> return left - - is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName -> return null - - is TypeNamePattern.ClassName -> { - if (left.name != right.name) return null - val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null - return TypeNamePattern.ClassName(left.name, args) - } - - is TypeNamePattern.FullyQualified -> { - if (right.name.endsWith(left.name)) { - val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null - return TypeNamePattern.FullyQualified(right.name, args) - } - return null - } - - is TypeNamePattern.MetaVar -> { - if (!stringMatches(left.name, metaVarInfo.metaVarConstraints[right.metaVar])) return null - return left - } -} -``` - -Similarly update the `FullyQualified`-to-`FullyQualified` and `FullyQualified`-to-`ClassName` sub-cases: - -```kotlin -is TypeNamePattern.FullyQualified -> when (right) { - TypeNamePattern.AnyType -> return left - - is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName -> return null - - is TypeNamePattern.ClassName -> { - if (left.name.endsWith(right.name)) { - val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null - return TypeNamePattern.FullyQualified(left.name, args) - } - return null - } - - is TypeNamePattern.FullyQualified -> { - if (left.name != right.name) return null - val args = unifyTypeArgs(left.typeArgs, right.typeArgs, metaVarInfo) ?: return null - return TypeNamePattern.FullyQualified(left.name, args) - } - - is TypeNamePattern.MetaVar -> { - if (left.name == generatedMethodClassName) return null - if (!stringMatches(left.name, metaVarInfo.metaVarConstraints[right.metaVar])) return null - return left - } -} -``` - -- [ ] **Step 2: Verify compilation** - -Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` -Expected: BUILD SUCCESSFUL - -- [ ] **Step 3: Commit** - -```bash -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt -git commit -m "feat: handle typeArgs in unifyTypeName for generic type unification" -``` - ---- - -## Task 5: Update `typeNameMetaVars` in `TaintEdgesGeneration` to recurse into `typeArgs` - -**Files:** -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt:355-372` - -- [ ] **Step 1: Recurse into `typeArgs` for metavar extraction** - -Replace the `typeNameMetaVars` function: - -```kotlin -private fun MetaVarCtx.typeNameMetaVars(typeName: TypeNamePattern, metaVars: BitSet) { - when (typeName) { - is TypeNamePattern.MetaVar -> { - metaVars.set(typeName.metaVar.idx()) - } - - is TypeNamePattern.ArrayType -> { - typeNameMetaVars(typeName.element, metaVars) - } - - TypeNamePattern.AnyType, - is TypeNamePattern.PrimitiveName -> { - // no metavars - } - - is TypeNamePattern.ClassName -> { - typeName.typeArgs.forEach { typeNameMetaVars(it, metaVars) } - } - - is TypeNamePattern.FullyQualified -> { - typeName.typeArgs.forEach { typeNameMetaVars(it, metaVars) } - } - } -} -``` - -Key change: `ClassName` and `FullyQualified` now recurse into their `typeArgs` to extract any embedded metavariables. - -- [ ] **Step 2: Verify compilation** - -Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` -Expected: BUILD SUCCESSFUL - -- [ ] **Step 3: Commit** - -```bash -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt -git commit -m "feat: recurse into typeArgs for metavar extraction in typeNameMetaVars" -``` - ---- - -## Task 6: Add `typeArgs` to `SerializedTypeNameMatcher.ClassPattern` - -**Files:** -- Modify: `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt:19-22` - -- [ ] **Step 1: Add `typeArgs` field to `ClassPattern`** - -```kotlin -@Serializable -data class ClassPattern( - val `package`: SerializedSimpleNameMatcher, - val `class`: SerializedSimpleNameMatcher, - val typeArgs: List = emptyList() // NEW -) : SerializedTypeNameMatcher -``` - -- [ ] **Step 2: Verify compilation across all modules** - -Run: `./gradlew compileKotlin` -Expected: BUILD SUCCESSFUL (empty default means all existing `ClassPattern(...)` call sites remain valid) - -- [ ] **Step 3: Commit** - -```bash -git add core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt -git commit -m "feat: add typeArgs field to SerializedTypeNameMatcher.ClassPattern" -``` - ---- - -## Task 7: Propagate `typeArgs` and `returnType` in `AutomataToTaintRuleConversion` - -**Files:** -- Modify: `core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt:802-812` (typeMatcher), `:531-613` (evaluateFormulaSignature) - -- [ ] **Step 1: Propagate `typeArgs` in `typeMatcher()` for `ClassName`** - -In `AutomataToTaintRuleConversion.kt`, change the `ClassName` branch (lines 807-812): - -```kotlin -is TypeNamePattern.ClassName -> { - val serializedTypeArgs = typeName.typeArgs.mapNotNull { typeMatcher(it, semgrepRuleTrace)?.constraint } - MetaVarConstraintFormula.Constraint( - SerializedTypeNameMatcher.ClassPattern( - `package` = anyName(), - `class` = Simple(typeName.name), - typeArgs = serializedTypeArgs - ) - ) -} -``` - -- [ ] **Step 2: Propagate `typeArgs` in `typeMatcher()` for `FullyQualified`** - -For `FullyQualified` (lines 814-818), if `typeArgs` is non-empty we need a `ClassPattern` rather than `Simple`: - -```kotlin -is TypeNamePattern.FullyQualified -> { - if (typeName.typeArgs.isEmpty()) { - MetaVarConstraintFormula.Constraint( - Simple(typeName.name) - ) - } else { - val serializedTypeArgs = typeName.typeArgs.mapNotNull { typeMatcher(it, semgrepRuleTrace)?.constraint } - val (pkg, cls) = classNamePartsFromConcreteString(typeName.name) - MetaVarConstraintFormula.Constraint( - SerializedTypeNameMatcher.ClassPattern( - `package` = pkg, - `class` = cls, - typeArgs = serializedTypeArgs - ) - ) - } -} -``` - -- [ ] **Step 3: Propagate `returnType` in `evaluateFormulaSignature()`** - -In `evaluateFormulaSignature()` (around lines 531-613), after the method name and class are evaluated, add return type handling. The function returns `Pair>`. The `RuleConditionBuilder` is what eventually gets converted to serialized rules. - -Find the `RuleConditionBuilder` class definition and check if it has a `signature` or `returnType` field. If `RuleConditionBuilder` already builds `SerializedSignatureMatcher.Partial`, add the return type there. - -Locate where the `MethodSignature` predicate's `returnType` should be converted: - -```kotlin -// After line 560 (after buildersWithClass is populated) -// Add return type conversion -val returnTypeFormula = signature.returnType?.let { typeMatcher(it, semgrepRuleTrace) } -if (returnTypeFormula != null) { - val returnTypeDnf = returnTypeFormula.toDNF() - for (builder in buildersWithClass) { - for (cube in returnTypeDnf) { - if (cube.positive.isNotEmpty()) { - builder.returnType = cube.positive.first().constraint - } - } - } -} -``` - -**Note:** The exact integration depends on how `RuleConditionBuilder` manages the signature. Read the `RuleConditionBuilder` class to determine where `returnType` should be set. The builder should populate `SerializedSignatureMatcher.Partial(return = returnTypeMatcher)` when a return type is specified. - -- [ ] **Step 4: Verify compilation** - -Run: `./gradlew :core:opentaint-java-querylang:compileKotlin` -Expected: BUILD SUCCESSFUL - -- [ ] **Step 5: Commit** - -```bash -git add core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt -git commit -m "feat: propagate typeArgs and returnType through automata-to-taint conversion" -``` - ---- - -## Task 8: Add `typeArgs` to `TypeMatchesPattern` in `TaintCondition` - -**Files:** -- Modify: `core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt:119-124` - -- [ ] **Step 1: Add `typeArgs` field to `TypeMatchesPattern`** - -```kotlin -data class TypeMatchesPattern( - val position: Position, - val pattern: ConditionNameMatcher, - val typeArgs: List = emptyList(), // NEW -) : Condition { - override fun accept(conditionVisitor: ConditionVisitor): R = conditionVisitor.visit(this) -} -``` - -This requires adding the import: - -```kotlin -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher -``` - -- [ ] **Step 2: Verify compilation** - -Run: `./gradlew compileKotlin` -Expected: BUILD SUCCESSFUL (empty default = backward compatible) - -- [ ] **Step 3: Commit** - -```bash -git add core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt -git commit -m "feat: add typeArgs to TypeMatchesPattern for deferred generic matching" -``` - ---- - -## Task 9: Add `matchType(JIRType)` to `TaintConfiguration` and update `resolveIsType()` - -**Files:** -- Modify: `core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt:236-255` (matchType), `:281-308` (matchFunctionSignature), `:674-708` (resolveIsType) - -- [ ] **Step 1: Add `matchType(JIRType)` extension function** - -Add a new private extension function near the existing `match(String)` function (after line 255): - -```kotlin -private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { - // No type args on matcher → fall back to erased name matching (backward compat) - this is ClassPattern && typeArgs.isEmpty() -> match(type.typeName) - - // Has type args → structural comparison against JIRClassType - this is ClassPattern && type is JIRClassType -> { - match(type.typeName) && - typeArgs.size == type.typeArguments.size && - typeArgs.zip(type.typeArguments).all { (matcher, arg) -> matcher.matchType(arg) } - } - - // Array matching - this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) - - // Default: erased matching - else -> match(type.typeName) -} -``` - -Add necessary imports at the top of the file: - -```kotlin -import org.opentaint.ir.api.jvm.JIRClassType -import org.opentaint.ir.api.jvm.JIRArrayType -import org.opentaint.ir.api.jvm.JIRType -import org.opentaint.ir.api.jvm.JIRTypedMethod -``` - -- [ ] **Step 2: Update `matchFunctionSignature()` to use typed matching when `typeArgs` present** - -The existing `matchFunctionSignature` (lines 281-308) operates on `JIRMethod` which only has erased type names. We need to add a typed overload that accepts `JIRTypedMethod` and delegates to `matchType(JIRType)` when type args are present. - -Add a new overload: - -```kotlin -private fun SerializedSignatureMatcher.matchFunctionSignatureTyped(typedMethod: JIRTypedMethod): Boolean { - when (this) { - is SerializedSignatureMatcher.Simple -> { - if (typedMethod.parameters.size != args.size) return false - if (!`return`.matchType(typedMethod.returnType)) return false - return args.zip(typedMethod.parameters).all { (matcher, param) -> - matcher.matchType(param.type) - } - } - - is SerializedSignatureMatcher.Partial -> { - val ret = `return` - if (ret != null && !ret.matchType(typedMethod.returnType)) return false - - val params = params - if (params != null) { - for (param in params) { - val methodParam = typedMethod.parameters.getOrNull(param.index) ?: return false - if (!param.type.matchType(methodParam.type)) return false - } - } - - return true - } - } -} -``` - -Then update the call site that invokes `matchFunctionSignature`. Find where `matchFunctionSignature(method)` is called (line 230) and check if we can resolve `JIRTypedMethod`. The call is: - -```kotlin -rules.removeAll { it.signature?.matchFunctionSignature(method) == false } -``` - -We need to check if a `SerializedSignatureMatcher` has any `ClassPattern` with non-empty `typeArgs`. If so, we need the typed method. Add a helper: - -```kotlin -private fun SerializedSignatureMatcher.hasTypeArgs(): Boolean = when (this) { - is SerializedSignatureMatcher.Simple -> false - is SerializedSignatureMatcher.Partial -> { - (`return` as? ClassPattern)?.typeArgs?.isNotEmpty() == true || - params?.any { (it.type as? ClassPattern)?.typeArgs?.isNotEmpty() == true } == true - } -} -``` - -Update the call site to resolve the typed method when needed: - -```kotlin -rules.removeAll { rule -> - val sig = rule.signature ?: return@removeAll false - if (sig.hasTypeArgs()) { - val typedMethod = cp.findTypeOrNull(method.enclosingClass.name) - ?.let { it as? JIRClassType } - ?.declaredMethods - ?.find { it.method == method } - if (typedMethod != null) { - !sig.matchFunctionSignatureTyped(typedMethod) - } else { - !sig.matchFunctionSignature(method) - } - } else { - !sig.matchFunctionSignature(method) - } -} -``` - -**Note:** The exact implementation depends on how `cp` (classpath) is accessed within `TaintConfiguration`. Read the class constructor and fields to find the classpath reference. It's already available — `TaintConfiguration(cp)` takes it as a constructor parameter. - -- [ ] **Step 3: Update `resolveIsType()` to pass `typeArgs` through to `TypeMatchesPattern`** - -In `resolveIsType()` (line 707), when the `IsType` condition's `typeIs` matcher has non-empty `typeArgs`, pass them to `TypeMatchesPattern`: - -```kotlin -// Replace line 707: -// return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher) }) -// With: -val typeArgs = when (val typeIs = normalizedTypeIs) { - is ClassPattern -> typeIs.typeArgs - else -> emptyList() -} -return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher, typeArgs) }) -``` - -- [ ] **Step 4: Verify compilation** - -Run: `./gradlew :core:opentaint-jvm-sast-dataflow:compileKotlin` -Expected: BUILD SUCCESSFUL - -- [ ] **Step 5: Commit** - -```bash -git add core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt -git commit -m "feat: add typed matching with JIRType for generic type args in TaintConfiguration" -``` - ---- - -## Task 10: Resolve generic types in `JIRBasicAtomEvaluator.typeMatchesPattern()` - -**Files:** -- Modify: `core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt:328-347` - -- [ ] **Step 1: Extend `typeMatchesPattern()` to check generic type args** - -The current method (lines 328-347) checks erased type names. When `condition.typeArgs` is non-empty, we need to resolve the generic type of the value and compare. - -First, check what context is available. The constructor takes: -- `negated: Boolean` -- `positionResolver: PositionResolver` -- `typeChecker: JIRFactTypeChecker` -- `aliasAnalysis: JIRLocalAliasAnalysis?` -- `statement: CommonInst` - -We need to add a `typedMethod: JIRTypedMethod?` parameter (or access it through the analysis context). Check how `JIRBasicAtomEvaluator` is instantiated to determine the best way to thread this through. - -Add `typedMethod: JIRTypedMethod?` as a constructor parameter: - -```kotlin -class JIRBasicAtomEvaluator( - private val negated: Boolean, - private val positionResolver: PositionResolver, - private val typeChecker: JIRFactTypeChecker, - private val aliasAnalysis: JIRLocalAliasAnalysis?, - private val statement: CommonInst, - private val typedMethod: JIRTypedMethod? = null, // NEW -) : ConditionVisitor -``` - -Then extend `typeMatchesPattern`: - -```kotlin -private fun typeMatchesPattern(value: JIRValue, condition: TypeMatchesPattern): Boolean { - val type = value.type as? JIRRefType ?: return false - - val pattern = condition.pattern - if (!pattern.match(type.typeName)) { - if (pattern is ConditionNameMatcher.Concrete) { - if (!negated && type.typeName != "java.lang.Object") { - if (!typeChecker.typeMayHaveSubtypeOf(type.typeName, pattern.name)) return false - } else { - return false - } - } else { - return false - } - } - - // Generic type args check - if (condition.typeArgs.isNotEmpty()) { - val genericType = resolveGenericType(value) - if (genericType is JIRClassType) { - if (genericType.typeArguments.size != condition.typeArgs.size) return false - return condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> - matcher.matchType(arg) - } - } - // Can't resolve generics → fall back to erased match (already passed above) - return true - } - - return true -} -``` - -Add the `resolveGenericType` helper and `matchType`: - -```kotlin -private fun resolveGenericType(value: JIRValue): JIRType? { - val localVar = value as? JIRLocalVar ?: return null - val typedMethod = typedMethod ?: return null - - // Find the LocalVariableNode for this local variable at the current instruction - val methodNode = typedMethod.method.methodNode ?: return null - val localVarNode = methodNode.localVariables?.find { lvn -> - lvn.index == localVar.index - } ?: return null - - return typedMethod.typeOf(localVarNode) -} - -private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = when { - this is ClassPattern && typeArgs.isEmpty() -> matchErasedName(type.typeName) - this is ClassPattern && type is JIRClassType -> { - matchErasedName(type.typeName) && - typeArgs.size == type.typeArguments.size && - typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a) } - } - this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType) - else -> matchErasedName(type.typeName) -} - -private fun SerializedTypeNameMatcher.matchErasedName(name: String): Boolean = when (this) { - is SerializedSimpleNameMatcher.Simple -> value == name - is SerializedSimpleNameMatcher.Pattern -> Regex(pattern).containsMatchIn(name) - is ClassPattern -> { - val (pkgName, clsName) = splitClassName(name) - `package`.matchErasedName(pkgName) && `class`.matchErasedName(clsName) - } - is SerializedTypeNameMatcher.Array -> { - val nameWithout = name.removeSuffix("[]") - name != nameWithout && element.matchErasedName(nameWithout) - } -} -``` - -Add necessary imports: - -```kotlin -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher.ClassPattern -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher -import org.opentaint.ir.api.jvm.JIRClassType -import org.opentaint.ir.api.jvm.JIRArrayType -import org.opentaint.ir.api.jvm.JIRType -import org.opentaint.ir.api.jvm.JIRTypedMethod -``` - -**Note:** The `matchType` logic here mirrors what was added to `TaintConfiguration`. If the logic is identical, consider extracting to a shared utility. However, `TaintConfiguration` lives in a different module (`jvm-sast-dataflow`) than `JIRBasicAtomEvaluator` (`jvm-dataflow`). Check module dependencies before sharing — it may be simpler to keep the two copies aligned rather than creating a new shared module. - -- [ ] **Step 2: Update all call sites that create `JIRBasicAtomEvaluator`** - -Search for all instantiation sites of `JIRBasicAtomEvaluator(...)` and add the `typedMethod` parameter. Use `null` where the typed method is unavailable — this preserves backward compatibility (generic checks are skipped). - -Run: `grep -r "JIRBasicAtomEvaluator(" --include="*.kt"` to find all sites. - -- [ ] **Step 3: Verify compilation** - -Run: `./gradlew compileKotlin` -Expected: BUILD SUCCESSFUL - -- [ ] **Step 4: Commit** - -```bash -git add core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt -git add -u # any files that instantiate JIRBasicAtomEvaluator -git commit -m "feat: resolve generic types in JIRBasicAtomEvaluator for call-site receiver matching" -``` - ---- - -## Task 11: Add E2E test samples and rules for generic type args - -**Files:** -- Create: `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java` -- Create: `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml` - -- [ ] **Step 1: Write the YAML rule** - -Create `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml`: - -```yaml -rules: - - id: example-RuleWithGenericTypeArgs - languages: - - java - severity: ERROR - message: match example/RuleWithGenericTypeArgs - patterns: - - pattern: |- - ... - sink($A); - ... - - pattern-inside: |- - $RET $METHOD(Map $M, ...) { - ... - } -``` - -- [ ] **Step 2: Write the Java sample** - -Create `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java`: - -```java -package example; - -import base.RuleSample; -import base.RuleSet; -import java.util.Map; - -@RuleSet("example/RuleWithGenericTypeArgs.yaml") -public abstract class RuleWithGenericTypeArgs implements RuleSample { - - void sink(String data) {} - - void methodWithGenericParam(Map m, String data) { - sink(data); - } - - void methodWithDifferentGenericParam(Map m, String data) { - sink(data); - } - - void methodWithRawMapParam(Map m, String data) { - sink(data); - } - - final static class PositiveMatchingGenericParam extends RuleWithGenericTypeArgs { - @Override - public void entrypoint() { - String data = "tainted"; - Map m = null; - methodWithGenericParam(m, data); - } - } - - final static class NegativeDifferentGenericParam extends RuleWithGenericTypeArgs { - @Override - public void entrypoint() { - String data = "tainted"; - Map m = null; - methodWithDifferentGenericParam(m, data); - } - } - - final static class NegativeRawMapParam extends RuleWithGenericTypeArgs { - @Override - public void entrypoint() { - String data = "tainted"; - Map m = null; - methodWithRawMapParam(m, data); - } - } -} -``` - -- [ ] **Step 3: Commit** - -```bash -git add core/opentaint-java-querylang/samples/src/main/java/example/RuleWithGenericTypeArgs.java -git add core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithGenericTypeArgs.yaml -git commit -m "test: add E2E samples for generic type arg pattern matching" -``` - ---- - -## Task 12: Add E2E test samples for array and concrete return types - -**Files:** -- Create: `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java` -- Create: `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml` -- Create: `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java` -- Create: `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml` - -- [ ] **Step 1: Write the array return type YAML rule** - -Create `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml`: - -```yaml -rules: - - id: example-RuleWithArrayReturnType - languages: - - java - severity: ERROR - message: match example/RuleWithArrayReturnType - patterns: - - pattern: |- - ... - sink($A); - ... - - pattern-inside: |- - String[] $METHOD(..., String $A, ...) { - ... - } -``` - -- [ ] **Step 2: Write the array return type Java sample** - -Create `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java`: - -```java -package example; - -import base.RuleSample; -import base.RuleSet; - -@RuleSet("example/RuleWithArrayReturnType.yaml") -public abstract class RuleWithArrayReturnType implements RuleSample { - - void sink(String data) {} - - String[] methodReturningStringArray(String data) { - sink(data); - return new String[] { data }; - } - - int[] methodReturningIntArray(String data) { - sink(data); - return new int[] { 1 }; - } - - String methodReturningString(String data) { - sink(data); - return data; - } - - final static class PositiveStringArrayReturn extends RuleWithArrayReturnType { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningStringArray(data); - } - } - - final static class NegativeIntArrayReturn extends RuleWithArrayReturnType { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningIntArray(data); - } - } - - final static class NegativeStringReturn extends RuleWithArrayReturnType { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningString(data); - } - } -} -``` - -- [ ] **Step 3: Write the concrete return type YAML rule** - -Create `core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml`: - -```yaml -rules: - - id: example-RuleWithConcreteReturnType - languages: - - java - severity: ERROR - message: match example/RuleWithConcreteReturnType - patterns: - - pattern: |- - ... - sink($A); - ... - - pattern-inside: |- - String $METHOD(..., String $A, ...) { - ... - } -``` - -- [ ] **Step 4: Write the concrete return type Java sample** - -Create `core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java`: - -```java -package example; - -import base.RuleSample; -import base.RuleSet; - -@RuleSet("example/RuleWithConcreteReturnType.yaml") -public abstract class RuleWithConcreteReturnType implements RuleSample { - - void sink(String data) {} - - String methodReturningString(String data) { - sink(data); - return data; - } - - int methodReturningInt(String data) { - sink(data); - return 0; - } - - void methodReturningVoid(String data) { - sink(data); - } - - final static class PositiveStringReturn extends RuleWithConcreteReturnType { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningString(data); - } - } - - final static class NegativeIntReturn extends RuleWithConcreteReturnType { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningInt(data); - } - } - - final static class NegativeVoidReturn extends RuleWithConcreteReturnType { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningVoid(data); - } - } -} -``` - -- [ ] **Step 5: Commit** - -```bash -git add core/opentaint-java-querylang/samples/src/main/java/example/RuleWithArrayReturnType.java -git add core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithArrayReturnType.yaml -git add core/opentaint-java-querylang/samples/src/main/java/example/RuleWithConcreteReturnType.java -git add core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithConcreteReturnType.yaml -git commit -m "test: add E2E samples for array and concrete return type matching" -``` - ---- - -## Task 13: Add E2E test class and run all tests - -**Files:** -- Create: `core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt` - -- [ ] **Step 1: Write the test class** - -Create `core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt`: - -```kotlin -package org.opentaint.semgrep - -import org.junit.jupiter.api.AfterAll -import org.junit.jupiter.api.TestInstance -import org.junit.jupiter.api.TestInstance.Lifecycle.PER_CLASS -import org.opentaint.semgrep.util.SampleBasedTest -import kotlin.test.Test - -@TestInstance(PER_CLASS) -class TypeAwarePatternTest : SampleBasedTest() { - @Test - fun `test generic type args in method parameter`() = runTest() - - @Test - fun `test array return type matching`() = runTest() - - @Test - fun `test concrete return type matching`() = runTest() - - @AfterAll - fun close() { - closeRunner() - } -} -``` - -- [ ] **Step 2: Build the samples JAR** - -Run the appropriate Gradle task to compile and package the samples JAR (needed by `SamplesDb`): - -Run: `./gradlew :core:opentaint-java-querylang:samples:jar` -Expected: BUILD SUCCESSFUL - -- [ ] **Step 3: Run the new tests** - -Run: `./gradlew :core:opentaint-java-querylang:test --tests "org.opentaint.semgrep.TypeAwarePatternTest"` -Expected: All 3 tests PASS - -- [ ] **Step 4: Run the full test suite to verify no regressions** - -Run: `./gradlew :core:opentaint-java-querylang:test` -Expected: All existing tests still PASS (backward compatibility via empty defaults) - -- [ ] **Step 5: Commit** - -```bash -git add core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt -git commit -m "test: add E2E tests for type-aware pattern matching" -``` - ---- - -## Task 14: Run full project build and verify - -- [ ] **Step 1: Run full build** - -Run: `./gradlew build` -Expected: BUILD SUCCESSFUL with no test failures - -- [ ] **Step 2: Check for any remaining references to deleted warning classes** - -Run: `grep -r "TypeArgumentsIgnored\|MethodDeclarationReturnTypeIsArray\|MethodDeclarationReturnTypeIsNotMetaVar\|MethodDeclarationReturnTypeHasTypeArgs" --include="*.kt"` -Expected: No matches (all references removed) - -- [ ] **Step 3: Final commit if any fixes were needed** - -If any fixes were required during the full build, commit them: - -```bash -git add -u -git commit -m "fix: address build issues from type-aware pattern matching" -``` From 8baa50c5d9eb7241fab396d9884027319899418f Mon Sep 17 00:00:00 2001 From: Aleksandr Misonizhnik Date: Fri, 1 May 2026 00:24:15 +0200 Subject: [PATCH 27/31] refactor: simplify type-arg matching with specialized matcher and condition-on-Result - Encode return-type constraints as IsType conditions on PositionBase.Result rather than via SerializedSignatureMatcher.Partial.return; drop the now-unused return field on Partial. - Make ClassPattern.typeArgs nullable (null = no type-args / raw match). - Specialize SerializedTypeNameMatcher into TypeArgMatcher during rule resolution: name matchers are pre-compiled into ConditionNameMatcher, so the runtime evaluator dispatches on a small structural shape instead of running matchErasedName on a serialized matcher. - Replace JIRBasicAtomEvaluator's typedMethod+ASM-debug-info path with a PositionResolver for resolving the typed view at a position. - Treat WildcardType as AnyType: collapse it at action translation, then drop the now-dead SerializedTypeNameMatcher.Wildcard / TypeArgMatcher.Wildcard variants. Java's is the supertype of any concrete parameterization, so ResponseEntity accepts any ResponseEntity; A5 sample updated to flip the parameterized form from Negative to Positive. - resolveIsType now forces a typed-view check for ClassPattern/Array (instead of returning mkTrue early on erased-name match) so a raw pattern correctly rejects parameterized forms when the typed view is available. --- .../jvm/SerializedTypeMatching.kt | 16 ++--- .../configuration/jvm/TaintCondition.kt | 15 ++++- .../configuration/jvm/TypeArgMatcher.kt | 37 +++++++++++ .../jvm/serialized/SerializedNameMatcher.kt | 12 +--- .../serialized/SerializedSignatureMatcher.kt | 1 - .../ap/ifds/JIRMarkAwareConditionRewriter.kt | 18 ++--- .../ap/ifds/taint/JIRBasicAtomEvaluator.kt | 65 +++---------------- .../java/example/RuleWithWildcardGeneric.java | 12 ++-- .../pattern/conversion/ParamCondition.kt | 7 +- .../taint/AutomataToTaintRuleConversion.kt | 35 ++++------ .../taint/MethodFormulaSimplifier.kt | 31 ++++----- .../opentaint/semgrep/TypeAwarePatternTest.kt | 5 +- .../jvm/sast/dataflow/rules/ClassNameUtils.kt | 3 +- .../sast/dataflow/rules/TaintConfiguration.kt | 24 ++++--- .../dataflow/rules/TypeMatcherCondition.kt | 17 +++-- 15 files changed, 144 insertions(+), 154 deletions(-) create mode 100644 core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt index 997d7883..48692952 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt @@ -30,18 +30,18 @@ fun SerializedTypeNameMatcher.matchType( type: JIRType, erasedMatch: SerializedTypeNameMatcher.(String) -> Boolean, ): Boolean = when { - this is SerializedTypeNameMatcher.Wildcard -> type is JIRUnboundWildcard - - this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() && type is JIRClassType -> + this is SerializedTypeNameMatcher.ClassPattern && typeArgs == null && type is JIRClassType -> erasedMatch(type.erasedName()) && type.isRawLike() - this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() -> + this is SerializedTypeNameMatcher.ClassPattern && typeArgs == null -> erasedMatch(type.erasedName()) - this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType -> + this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType -> { + val args = typeArgs!! erasedMatch(type.erasedName()) && - typeArgs.size == type.typeArguments.size && - typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a, erasedMatch) } + args.size == type.typeArguments.size && + args.zip(type.typeArguments).all { (m, a) -> m.matchType(a, erasedMatch) } + } this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> element.matchType(type.elementType, erasedMatch) @@ -57,7 +57,7 @@ fun SerializedTypeNameMatcher.matchType( * pass-through rules whose return/parameter types show up as type variables * when resolved via the declaring class (e.g. `List.get` returns `E`). */ -private fun JIRType.erasedName(): String = when (this) { +fun JIRType.erasedName(): String = when (this) { is JIRClassType -> jIRClass.name is JIRTypeVariable -> jIRClass.name is JIRUnboundWildcard -> jIRClass.name diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt index 742db7bf..bd5c6382 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt @@ -1,6 +1,5 @@ package org.opentaint.dataflow.configuration.jvm -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.ir.api.jvm.JIRType import java.util.Objects @@ -117,10 +116,22 @@ sealed interface ConditionNameMatcher { data class PatternStartsWith(val prefix: String) : ConditionNameMatcher } +fun ConditionNameMatcher.match(name: String): Boolean = when (this) { + is ConditionNameMatcher.PatternEndsWith -> name.endsWith(suffix) + is ConditionNameMatcher.PatternStartsWith -> name.startsWith(prefix) + is ConditionNameMatcher.Simple -> match(name) +} + +fun ConditionNameMatcher.Simple.match(name: String): Boolean = when (this) { + is ConditionNameMatcher.Pattern -> pattern.containsMatchIn(name) + is ConditionNameMatcher.Concrete -> this.name == name + is ConditionNameMatcher.AnyName -> true +} + data class TypeMatchesPattern( val position: Position, val pattern: ConditionNameMatcher, - val typeArgs: List = emptyList(), + val typeArgs: List? = null, ) : Condition { override fun accept(conditionVisitor: ConditionVisitor): R = conditionVisitor.visit(this) } diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt new file mode 100644 index 00000000..334511cc --- /dev/null +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt @@ -0,0 +1,37 @@ +package org.opentaint.dataflow.configuration.jvm + +import org.opentaint.ir.api.jvm.JIRArrayType +import org.opentaint.ir.api.jvm.JIRClassType +import org.opentaint.ir.api.jvm.JIRType + +/** + * A type-argument matcher that has been pre-resolved during rule resolution: + * the erased-name matchers are already compiled to [ConditionNameMatcher], + * so runtime evaluation only needs to dispatch on the structure. + */ +sealed interface TypeArgMatcher { + fun matchType(type: JIRType): Boolean + + data class Class( + val name: ConditionNameMatcher, + // null = no type-args constraint (matches raw / declared erasure). + val typeArgs: List?, + ) : TypeArgMatcher { + override fun matchType(type: JIRType): Boolean { + if (!name.match(type.erasedName())) return false + + if (typeArgs == null) { + return if (type is JIRClassType) type.isRawLike() else true + } + + if (type !is JIRClassType) return true + if (typeArgs.size != type.typeArguments.size) return false + return typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a) } + } + } + + data class Array(val element: TypeArgMatcher) : TypeArgMatcher { + override fun matchType(type: JIRType): Boolean = + type is JIRArrayType && element.matchType(type.elementType) + } +} diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt index a13df534..e9d85191 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt @@ -19,19 +19,13 @@ sealed interface SerializedTypeNameMatcher { data class ClassPattern( val `package`: SerializedSimpleNameMatcher, val `class`: SerializedSimpleNameMatcher, - val typeArgs: List = emptyList() + // null = no type-args constraint (matches raw / declared erasure). + // empty list is reserved for an explicit zero-arg parameterization. + val typeArgs: List? = null ) : SerializedTypeNameMatcher @Serializable data class Array(val element: SerializedTypeNameMatcher) : SerializedTypeNameMatcher - - /** - * Matches only an unbounded Java wildcard (`?`) at a type-argument slot. - * Distinct from an "any" [ClassPattern] so a pattern like `Foo` does not - * match a concrete parameterization like `Foo`. - */ - @Serializable - data object Wildcard : SerializedTypeNameMatcher } @Serializable(with = SimpleNameMatcherSerializer::class) diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt index 84d3de20..28ffe102 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt @@ -27,7 +27,6 @@ sealed interface SerializedSignatureMatcher { @Serializable data class Partial( val params: List? = null, - val `return`: SerializedTypeNameMatcher? = null ) : SerializedSignatureMatcher } diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt index 96ae5d7d..f3acf5c7 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt @@ -11,24 +11,24 @@ import org.opentaint.dataflow.jvm.ap.ifds.analysis.JIRMethodAnalysisContext import org.opentaint.dataflow.jvm.ap.ifds.taint.ContainsMarkOnAnyField import org.opentaint.dataflow.jvm.ap.ifds.taint.JIRBasicAtomEvaluator import org.opentaint.ir.api.common.cfg.CommonInst -import org.opentaint.ir.api.jvm.JIRTypedMethod +import org.opentaint.ir.api.jvm.JIRType /** - * [typedMethod] enables generic-type-argument matching in `TypeMatchesPattern` - * atoms (see [JIRBasicAtomEvaluator.resolveGenericType]). When null, matching - * falls back to erased-name comparison — type-arg predicates in the rule will - * silently pass regardless of the runtime parameterization. Pass the typed - * view of the analyzed method whenever available. + * [positionTypeResolver] enables generic-type-argument matching in + * `TypeMatchesPattern` atoms by resolving each position to a typed + * [JIRType]. When null, matching falls back to erased-name comparison — + * type-arg predicates in the rule will silently pass regardless of the + * runtime parameterization. */ class JIRMarkAwareConditionRewriter( positionResolver: PositionResolver, factTypeChecker: JIRFactTypeChecker, aliasAnalysis: JIRLocalAliasAnalysis?, statement: CommonInst, - typedMethod: JIRTypedMethod? = null, + positionTypeResolver: PositionResolver? = null, ) { - private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement, typedMethod) - private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement, typedMethod) + private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement, positionTypeResolver) + private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement, positionTypeResolver) constructor( positionResolver: PositionResolver, diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt index 7e33872c..6a1904bd 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt @@ -29,15 +29,12 @@ import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasAllocInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasApInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasInfo -import org.opentaint.dataflow.configuration.jvm.matchType -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher +import org.opentaint.dataflow.configuration.jvm.match import org.opentaint.ir.api.common.cfg.CommonInst import org.opentaint.ir.api.common.cfg.CommonValue import org.opentaint.ir.api.jvm.JIRClassType import org.opentaint.ir.api.jvm.JIRRefType import org.opentaint.ir.api.jvm.JIRType -import org.opentaint.ir.api.jvm.JIRTypedMethod import org.opentaint.ir.api.jvm.cfg.JIRBool import org.opentaint.ir.api.jvm.cfg.JIRCallExpr import org.opentaint.ir.api.jvm.cfg.JIRConstant @@ -57,7 +54,7 @@ class JIRBasicAtomEvaluator( private val typeChecker: JIRFactTypeChecker, private val aliasAnalysis: JIRLocalAliasAnalysis?, private val statement: CommonInst, - private val typedMethod: JIRTypedMethod? = null, + private val positionTypeResolver: PositionResolver? = null, ) : ConditionVisitor { override fun visit(condition: Not): Boolean = error("Non-atomic condition") override fun visit(condition: And): Boolean = error("Non-atomic condition") @@ -356,12 +353,13 @@ class JIRBasicAtomEvaluator( } } - if (condition.typeArgs.isNotEmpty()) { - val genericType = resolveGenericType(value) + val typeArgs = condition.typeArgs + if (typeArgs != null) { + val genericType = positionTypeResolver?.resolve(condition.position) if (genericType is JIRClassType) { - if (genericType.typeArguments.size != condition.typeArgs.size) return false - return condition.typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> - matcher.matchType(arg) { name -> matchErasedName(name) } + if (genericType.typeArguments.size != typeArgs.size) return false + return typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> + matcher.matchType(arg) } } return true @@ -370,53 +368,6 @@ class JIRBasicAtomEvaluator( return true } - private fun resolveGenericType(value: JIRValue): JIRType? { - val localVar = value as? JIRLocalVar ?: return null - val typedMethod = typedMethod ?: return null - val method = (statement as? JIRInst)?.location?.method ?: return null - val localVarNode = method.withAsmNode { methodNode -> - methodNode.localVariables?.find { lvn -> lvn.index == localVar.index } - } ?: return null - // typedMethod.typeOf can throw on unresolved references / malformed - // debug info; skip generic-aware matching rather than aborting the - // atom evaluation. - return try { - typedMethod.typeOf(localVarNode) - } catch (_: Exception) { - null - } - } - - private fun SerializedTypeNameMatcher.matchErasedName(name: String): Boolean = when (this) { - is SerializedSimpleNameMatcher.Simple -> value == name || name.endsWith(".$value") - is SerializedSimpleNameMatcher.Pattern -> Regex(pattern).containsMatchIn(name) - is SerializedTypeNameMatcher.ClassPattern -> { - val lastDot = name.lastIndexOf('.') - val pkgName = if (lastDot >= 0) name.substring(0, lastDot) else "" - val clsName = if (lastDot >= 0) name.substring(lastDot + 1) else name - `package`.matchErasedName(pkgName) && `class`.matchErasedName(clsName) - } - is SerializedTypeNameMatcher.Array -> { - val nameWithout = name.removeSuffix("[]") - name != nameWithout && element.matchErasedName(nameWithout) - } - // A wildcard matcher is only meaningful at a type-argument slot; it has - // no erased-name projection to compare against a string. - is SerializedTypeNameMatcher.Wildcard -> false - } - - private fun ConditionNameMatcher.match(name: String): Boolean = when (this) { - is ConditionNameMatcher.PatternEndsWith -> name.endsWith(suffix) - is ConditionNameMatcher.PatternStartsWith -> name.startsWith(prefix) - is ConditionNameMatcher.Simple -> match(name) - } - - private fun ConditionNameMatcher.Simple.match(name: String): Boolean = when (this) { - is ConditionNameMatcher.Pattern -> pattern.containsMatchIn(name) - is ConditionNameMatcher.Concrete -> this.name == name - is ConditionNameMatcher.AnyName -> true - } - private fun Position.eval( none: Boolean = false, value: (value: JIRValue) -> Boolean, diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java index b265d13c..8eaefb0d 100644 --- a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java +++ b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java @@ -20,8 +20,8 @@ ResponseEntity methodReturningResponseEntityString(String data) { } /** - * Wildcard ResponseEntity<?> is a valid Java construct that the rule - * pattern also expresses. Keeping it as a Positive to pin the current behavior. + * Wildcard ResponseEntity<?> trivially matches the <?> rule + * pattern. */ final static class PositiveWildcard extends RuleWithWildcardGeneric { @Override @@ -32,10 +32,12 @@ public void entrypoint() { } /** - * ResponseEntity<String> is a concrete parameterized form and must not - * match a wildcard <?> type argument in the rule pattern. + * ResponseEntity<String> is a concrete parameterization. Java's + * unbounded wildcard `?` is the supertype of any `X`, so `<?>` + * accepts any concrete type argument — `ResponseEntity<String>` + * matches. */ - final static class NegativeConcreteDoesNotMatch extends RuleWithWildcardGeneric { + final static class PositiveConcreteMatchesWildcard extends RuleWithWildcardGeneric { @Override public void entrypoint() { String data = "tainted"; diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt index b3ab70d0..bdaae539 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt @@ -31,9 +31,10 @@ sealed interface TypeNamePattern { } /** - * Java unbounded wildcard `?` as a type argument. Unlike [AnyType], which - * is an unconstrained matcher that subsumes any type, [WildcardType] only - * matches an unbounded wildcard at the corresponding type-argument slot. + * Java unbounded wildcard `?` as a type argument. Java's `?` is the + * supertype of any concrete parameterization, so a `Foo` pattern + * accepts any `Foo` — semantically equivalent to [AnyType] at a + * type-argument slot. */ @Serializable data object WildcardType : TypeNamePattern { diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt index 21b78b44..2b6afa2e 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt @@ -566,21 +566,16 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature( } } - // Convert return type to signature matcher (must apply to all builder paths) + // Encode the return-type constraint as an IsType condition on the Result + // position rather than on the signature matcher. val returnType = signature.returnType if (returnType != null) { val returnTypeFormula = typeMatcher(returnType, semgrepRuleTrace) - val returnTypeMatcher = when (returnTypeFormula) { - null -> null - is MetaVarConstraintFormula.Constraint -> returnTypeFormula.constraint - else -> null - } - if (returnTypeMatcher != null) { + if (returnTypeFormula != null) { for (builder in buildersWithMethodName) { - builder.signature = SerializedSignatureMatcher.Partial( - params = null, - `return` = returnTypeMatcher - ) + builder.conditions += returnTypeFormula.toSerializedCondition { typeNameMatcher -> + SerializedCondition.IsType(typeNameMatcher, PositionBase.Result) + } } } } @@ -628,10 +623,6 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature( is Pattern -> { TODO("Signature class name pattern") } - - is SerializedTypeNameMatcher.Wildcard -> { - TODO("Signature class is a wildcard") - } } builders.mapTo(buildersWithClass) { builder -> @@ -854,8 +845,8 @@ private fun TaintRuleGenerationCtx.typeMatcher( // Preserve arity of typeArgs: a metavar like $T or AnyType that // produces null still takes a slot in the type-arg list with an // "any" matcher, so the outer matcher remains distinguishable - // from a raw (zero-type-arg) form. - val serializedTypeArgs = typeName.typeArgs.map { + // from a raw (no-type-arg) form. + val serializedTypeArgs = typeName.typeArgs.takeIf { it.isNotEmpty() }?.map { (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint ?: anyClassPattern() } @@ -901,11 +892,11 @@ private fun TaintRuleGenerationCtx.typeMatcher( } } - is TypeNamePattern.AnyType -> null - - is TypeNamePattern.WildcardType -> MetaVarConstraintFormula.Constraint( - SerializedTypeNameMatcher.Wildcard - ) + // `` is the supertype of any concrete parameterization, so a + // wildcard slot has the same matching semantics as an unconstrained + // matcher — collapse it into [AnyType] at translation time. + is TypeNamePattern.AnyType, + is TypeNamePattern.WildcardType -> null is TypeNamePattern.MetaVar -> { val constraints = metaVarInfo.constraints[typeName.metaVar] diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt index 72da09c0..4e0cf6e2 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt @@ -792,20 +792,17 @@ private fun unifyTypeName( if (left == right) return left when (left) { - TypeNamePattern.AnyType -> return right - - // WildcardType only unifies with itself (already handled by the - // `left == right` short-circuit above). Anything else is incompatible. - TypeNamePattern.WildcardType -> return null + TypeNamePattern.AnyType, + TypeNamePattern.WildcardType -> return right is TypeNamePattern.PrimitiveName -> return null is TypeNamePattern.ClassName -> when (right) { - TypeNamePattern.AnyType -> return left + TypeNamePattern.AnyType, + TypeNamePattern.WildcardType -> return left is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName, - TypeNamePattern.WildcardType -> return null + is TypeNamePattern.PrimitiveName -> return null is TypeNamePattern.ClassName -> { if (left.name != right.name) return null @@ -828,11 +825,11 @@ private fun unifyTypeName( } is TypeNamePattern.FullyQualified -> when (right) { - TypeNamePattern.AnyType -> return left + TypeNamePattern.AnyType, + TypeNamePattern.WildcardType -> return left is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName, - TypeNamePattern.WildcardType -> return null + is TypeNamePattern.PrimitiveName -> return null is TypeNamePattern.ClassName -> { if (left.name.endsWith(right.name)) { @@ -856,11 +853,11 @@ private fun unifyTypeName( } is TypeNamePattern.MetaVar -> when (right) { - TypeNamePattern.AnyType -> return left + TypeNamePattern.AnyType, + TypeNamePattern.WildcardType -> return left is TypeNamePattern.ArrayType, - is TypeNamePattern.PrimitiveName, - TypeNamePattern.WildcardType -> return null + is TypeNamePattern.PrimitiveName -> return null is TypeNamePattern.ClassName -> { if (!stringMatches(right.name, metaVarInfo.metaVarConstraints[left.metaVar])) return null @@ -881,7 +878,8 @@ private fun unifyTypeName( } is TypeNamePattern.ArrayType -> when (right) { - is TypeNamePattern.AnyType -> return left + TypeNamePattern.AnyType, + TypeNamePattern.WildcardType -> return left is TypeNamePattern.ArrayType -> { val unifiedElement = unifyTypeName(left.element, right.element, metaVarInfo) @@ -892,8 +890,7 @@ private fun unifyTypeName( is TypeNamePattern.ClassName, is TypeNamePattern.FullyQualified, is TypeNamePattern.MetaVar, - is TypeNamePattern.PrimitiveName, - TypeNamePattern.WildcardType -> return null + is TypeNamePattern.PrimitiveName -> return null } } } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index 04fbe20c..6f877211 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -40,8 +40,9 @@ class TypeAwarePatternTest : SampleBasedTest() { @Test fun `A4 - two-arg generic Map of K V in parameter`() = runTest() - // A5. Wildcard type argument: ResponseEntity. A concrete type argument - // (ResponseEntity) must not match a wildcard pattern. + // A5. Wildcard type argument: ResponseEntity. Java's `?` is the + // supertype of any concrete parameterization, so `` accepts both + // ResponseEntity and ResponseEntity. @Test fun `A5 - wildcard type argument ResponseEntity of question mark`() = runTest() diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt index 2b7f9d44..f3b8633a 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt @@ -14,9 +14,8 @@ fun Pattern.isAny(): Boolean = pattern == ".*" fun SerializedTypeNameMatcher.normalizeAnyName(): SerializedTypeNameMatcher = when (this) { is SerializedSimpleNameMatcher -> normalizeAnyName() - is ClassPattern -> ClassPattern(`package`.normalizeAnyName(), `class`.normalizeAnyName(), typeArgs.map { it.normalizeAnyName() }) + is ClassPattern -> ClassPattern(`package`.normalizeAnyName(), `class`.normalizeAnyName(), typeArgs?.map { it.normalizeAnyName() }) is SerializedTypeNameMatcher.Array -> SerializedTypeNameMatcher.Array(element.normalizeAnyName()) - is SerializedTypeNameMatcher.Wildcard -> this } fun SerializedSimpleNameMatcher.normalizeAnyName(): SerializedSimpleNameMatcher = when (this) { diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index f04c9dcc..923bb054 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -43,6 +43,7 @@ import org.opentaint.dataflow.configuration.jvm.TaintPassThrough import org.opentaint.dataflow.configuration.jvm.TaintSinkMeta import org.opentaint.dataflow.configuration.jvm.TaintStaticFieldSource import org.opentaint.dataflow.configuration.jvm.This +import org.opentaint.dataflow.configuration.jvm.TypeArgMatcher import org.opentaint.dataflow.configuration.jvm.TypeMatchesPattern import org.opentaint.dataflow.configuration.jvm.isFalse import org.opentaint.dataflow.configuration.jvm.mkAnd @@ -258,10 +259,6 @@ class TaintConfiguration(private val cp: JIRClasspath) { val nameWithoutArrayModifier = name.removeSuffix("[]") name != nameWithoutArrayModifier && element.matchNormalizedTypeName(nameWithoutArrayModifier) } - - // A wildcard matcher is only meaningful at a type-argument position - // and is never compared against a class-name string. - is SerializedTypeNameMatcher.Wildcard -> false } private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = @@ -313,9 +310,6 @@ class TaintConfiguration(private val cp: JIRClasspath) { } is SerializedSignatureMatcher.Partial -> { - val ret = `return` - if (ret != null && !ret.matchTypedOrErased(retTyped, retErased)) return false - val paramList = params if (paramList != null) { for (param in paramList) { @@ -701,7 +695,7 @@ class TaintConfiguration(private val cp: JIRClasspath) { val falsePositions = hashSetOf() val normalizedTypeIs = typeIs.normalizeAnyName() - val hasTypeArgs = normalizedTypeIs is ClassPattern && normalizedTypeIs.typeArgs.isNotEmpty() + val hasTypeArgs = normalizedTypeIs is ClassPattern && normalizedTypeIs.typeArgs != null for (pos in position) { val posTypeName = when (pos) { @@ -713,7 +707,13 @@ class TaintConfiguration(private val cp: JIRClasspath) { } if (normalizedTypeIs.match(posTypeName)) { - if (!hasTypeArgs) return mkTrue() + // For Simple / Pattern matchers there is no parameterization + // to discriminate — erased-name match is sufficient. + if (normalizedTypeIs is SerializedSimpleNameMatcher) return mkTrue() + + // ClassPattern / Array may carry type-arg constraints (or be a + // raw pattern that must reject parameterized forms). Use the + // typed view to verify before accepting. val typedType = resolveTypedPositionType(method, pos) if (typedType != null) { if (normalizedTypeIs.matchType(typedType)) return mkTrue() @@ -739,10 +739,8 @@ class TaintConfiguration(private val cp: JIRClasspath) { ?: return mkTrue() val nonFalsePositions = position.filter { it !in falsePositions } - val typeArgs = when (val typeIs = normalizedTypeIs) { - is ClassPattern -> typeIs.typeArgs - else -> emptyList() - } + val typeArgs = (normalizedTypeIs as? ClassPattern)?.typeArgs + ?.map { it.toTypeArgMatcher(patternManager) } return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher, typeArgs) }) } diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt index eb73c156..b11319b6 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt @@ -1,6 +1,7 @@ package org.opentaint.jvm.sast.dataflow.rules import org.opentaint.dataflow.configuration.jvm.ConditionNameMatcher +import org.opentaint.dataflow.configuration.jvm.TypeArgMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher.ClassPattern @@ -19,6 +20,18 @@ fun SerializedSimpleNameMatcher.toConditionNameMatcher(patternManager: PatternMa } } +fun SerializedTypeNameMatcher.toTypeArgMatcher(patternManager: PatternManager): TypeArgMatcher = when (this) { + is SerializedTypeNameMatcher.Array -> TypeArgMatcher.Array(element.toTypeArgMatcher(patternManager)) + is ClassPattern -> { + val name = toConditionNameMatcher(patternManager) ?: ConditionNameMatcher.AnyName + TypeArgMatcher.Class(name, typeArgs?.map { it.toTypeArgMatcher(patternManager) }) + } + is SerializedSimpleNameMatcher -> { + val name = toConditionNameMatcher(patternManager) ?: ConditionNameMatcher.AnyName + TypeArgMatcher.Class(name, typeArgs = null) + } +} + fun SerializedTypeNameMatcher.toConditionNameMatcher(patternManager: PatternManager): ConditionNameMatcher? { return when (this) { is Simple -> ConditionNameMatcher.Concrete(value) @@ -37,10 +50,6 @@ fun SerializedTypeNameMatcher.toConditionNameMatcher(patternManager: PatternMana is SerializedTypeNameMatcher.Array -> { element.toConditionNameMatcher(patternManager)?.addSuffix("[]", patternManager) } - - // A wildcard matcher has no erased-name projection; there is no - // meaningful class-name `ConditionNameMatcher` to produce. - is SerializedTypeNameMatcher.Wildcard -> null } } From 562a987566850a34ff33b8cd8312c61c9a693f55 Mon Sep 17 00:00:00 2001 From: Valentyn Sobol <8640896+Saloed@users.noreply.github.com> Date: Mon, 4 May 2026 12:34:55 +0300 Subject: [PATCH 28/31] Cleanup type matcher --- .../configuration/jvm/TaintCondition.kt | 12 ----- .../configuration/jvm/TypeArgMatcher.kt | 24 +-------- .../jvm/serialized/SerializedNameMatcher.kt | 2 +- .../serialized/SerializedSignatureMatcher.kt | 1 + .../ap/ifds/JIRMarkAwareConditionRewriter.kt | 15 ++---- .../ap/ifds/taint/JIRBasicAtomEvaluator.kt | 53 ++++++++++++++----- 6 files changed, 48 insertions(+), 59 deletions(-) diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt index bd5c6382..06a25724 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TaintCondition.kt @@ -116,18 +116,6 @@ sealed interface ConditionNameMatcher { data class PatternStartsWith(val prefix: String) : ConditionNameMatcher } -fun ConditionNameMatcher.match(name: String): Boolean = when (this) { - is ConditionNameMatcher.PatternEndsWith -> name.endsWith(suffix) - is ConditionNameMatcher.PatternStartsWith -> name.startsWith(prefix) - is ConditionNameMatcher.Simple -> match(name) -} - -fun ConditionNameMatcher.Simple.match(name: String): Boolean = when (this) { - is ConditionNameMatcher.Pattern -> pattern.containsMatchIn(name) - is ConditionNameMatcher.Concrete -> this.name == name - is ConditionNameMatcher.AnyName -> true -} - data class TypeMatchesPattern( val position: Position, val pattern: ConditionNameMatcher, diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt index 334511cc..da0a7d2d 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/TypeArgMatcher.kt @@ -1,37 +1,17 @@ package org.opentaint.dataflow.configuration.jvm -import org.opentaint.ir.api.jvm.JIRArrayType -import org.opentaint.ir.api.jvm.JIRClassType -import org.opentaint.ir.api.jvm.JIRType - /** * A type-argument matcher that has been pre-resolved during rule resolution: * the erased-name matchers are already compiled to [ConditionNameMatcher], * so runtime evaluation only needs to dispatch on the structure. */ sealed interface TypeArgMatcher { - fun matchType(type: JIRType): Boolean data class Class( val name: ConditionNameMatcher, // null = no type-args constraint (matches raw / declared erasure). val typeArgs: List?, - ) : TypeArgMatcher { - override fun matchType(type: JIRType): Boolean { - if (!name.match(type.erasedName())) return false - - if (typeArgs == null) { - return if (type is JIRClassType) type.isRawLike() else true - } - - if (type !is JIRClassType) return true - if (typeArgs.size != type.typeArguments.size) return false - return typeArgs.zip(type.typeArguments).all { (m, a) -> m.matchType(a) } - } - } + ) : TypeArgMatcher - data class Array(val element: TypeArgMatcher) : TypeArgMatcher { - override fun matchType(type: JIRType): Boolean = - type is JIRArrayType && element.matchType(type.elementType) - } + data class Array(val element: TypeArgMatcher) : TypeArgMatcher } diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt index e9d85191..7b9c9fbf 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt @@ -21,7 +21,7 @@ sealed interface SerializedTypeNameMatcher { val `class`: SerializedSimpleNameMatcher, // null = no type-args constraint (matches raw / declared erasure). // empty list is reserved for an explicit zero-arg parameterization. - val typeArgs: List? = null + val typeArgs: List? = null, ) : SerializedTypeNameMatcher @Serializable diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt index 28ffe102..84d3de20 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedSignatureMatcher.kt @@ -27,6 +27,7 @@ sealed interface SerializedSignatureMatcher { @Serializable data class Partial( val params: List? = null, + val `return`: SerializedTypeNameMatcher? = null ) : SerializedSignatureMatcher } diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt index f3acf5c7..48851e59 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/JIRMarkAwareConditionRewriter.kt @@ -11,24 +11,15 @@ import org.opentaint.dataflow.jvm.ap.ifds.analysis.JIRMethodAnalysisContext import org.opentaint.dataflow.jvm.ap.ifds.taint.ContainsMarkOnAnyField import org.opentaint.dataflow.jvm.ap.ifds.taint.JIRBasicAtomEvaluator import org.opentaint.ir.api.common.cfg.CommonInst -import org.opentaint.ir.api.jvm.JIRType - -/** - * [positionTypeResolver] enables generic-type-argument matching in - * `TypeMatchesPattern` atoms by resolving each position to a typed - * [JIRType]. When null, matching falls back to erased-name comparison — - * type-arg predicates in the rule will silently pass regardless of the - * runtime parameterization. - */ + class JIRMarkAwareConditionRewriter( positionResolver: PositionResolver, factTypeChecker: JIRFactTypeChecker, aliasAnalysis: JIRLocalAliasAnalysis?, statement: CommonInst, - positionTypeResolver: PositionResolver? = null, ) { - private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement, positionTypeResolver) - private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement, positionTypeResolver) + private val positiveAtomEvaluator = JIRBasicAtomEvaluator(negated = false, positionResolver, factTypeChecker, aliasAnalysis, statement) + private val negativeAtomEvaluator = JIRBasicAtomEvaluator(negated = true, positionResolver, factTypeChecker, aliasAnalysis, statement) constructor( positionResolver: PositionResolver, diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt index 6a1904bd..70fd33e3 100644 --- a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt +++ b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt @@ -21,17 +21,19 @@ import org.opentaint.dataflow.configuration.jvm.Not import org.opentaint.dataflow.configuration.jvm.Or import org.opentaint.dataflow.configuration.jvm.Position import org.opentaint.dataflow.configuration.jvm.PositionResolver +import org.opentaint.dataflow.configuration.jvm.TypeArgMatcher import org.opentaint.dataflow.configuration.jvm.TypeMatches import org.opentaint.dataflow.configuration.jvm.TypeMatchesPattern +import org.opentaint.dataflow.configuration.jvm.erasedName import org.opentaint.dataflow.jvm.ap.ifds.CallPositionValue import org.opentaint.dataflow.jvm.ap.ifds.JIRFactTypeChecker import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasAllocInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasApInfo import org.opentaint.dataflow.jvm.ap.ifds.JIRLocalAliasAnalysis.AliasInfo -import org.opentaint.dataflow.configuration.jvm.match import org.opentaint.ir.api.common.cfg.CommonInst import org.opentaint.ir.api.common.cfg.CommonValue +import org.opentaint.ir.api.jvm.JIRArrayType import org.opentaint.ir.api.jvm.JIRClassType import org.opentaint.ir.api.jvm.JIRRefType import org.opentaint.ir.api.jvm.JIRType @@ -54,7 +56,6 @@ class JIRBasicAtomEvaluator( private val typeChecker: JIRFactTypeChecker, private val aliasAnalysis: JIRLocalAliasAnalysis?, private val statement: CommonInst, - private val positionTypeResolver: PositionResolver? = null, ) : ConditionVisitor { override fun visit(condition: Not): Boolean = error("Non-atomic condition") override fun visit(condition: And): Boolean = error("Non-atomic condition") @@ -354,18 +355,26 @@ class JIRBasicAtomEvaluator( } val typeArgs = condition.typeArgs - if (typeArgs != null) { - val genericType = positionTypeResolver?.resolve(condition.position) - if (genericType is JIRClassType) { - if (genericType.typeArguments.size != typeArgs.size) return false - return typeArgs.zip(genericType.typeArguments).all { (matcher, arg) -> - matcher.matchType(arg) - } - } - return true + ?: return true + + if (type !is JIRClassType) return true + + if (type.typeArguments.size != typeArgs.size) return false + return typeArgs.zip(type.typeArguments).all { (matcher, arg) -> + matcher.matchType(arg) } + } - return true + private fun ConditionNameMatcher.match(name: String): Boolean = when (this) { + is ConditionNameMatcher.PatternEndsWith -> name.endsWith(suffix) + is ConditionNameMatcher.PatternStartsWith -> name.startsWith(prefix) + is ConditionNameMatcher.Simple -> match(name) + } + + private fun ConditionNameMatcher.Simple.match(name: String): Boolean = when (this) { + is ConditionNameMatcher.Pattern -> pattern.containsMatchIn(name) + is ConditionNameMatcher.Concrete -> this.name == name + is ConditionNameMatcher.AnyName -> true } private fun Position.eval( @@ -377,4 +386,24 @@ class JIRBasicAtomEvaluator( is CallPositionValue.Value -> value(res.value) is CallPositionValue.VarArgValue -> callVarArgValue(res.value) } + + private fun TypeArgMatcher.matchType(type: JIRType): Boolean = when (this) { + is TypeArgMatcher.Class -> matchType(type) + is TypeArgMatcher.Array -> matchType(type) + } + + private fun TypeArgMatcher.Class.matchType(type: JIRType): Boolean { + if (!name.match(type.erasedName())) return false + + val args = typeArgs + if (args == null || type !is JIRClassType) { + return true + } + + if (args.size != type.typeArguments.size) return false + return args.zip(type.typeArguments).all { (m, a) -> m.matchType(a) } + } + + private fun TypeArgMatcher.Array.matchType(type: JIRType): Boolean = + type is JIRArrayType && element.matchType(type.elementType) } From 510be7d8aa01231ac8b07455767b766bbfe5233b Mon Sep 17 00:00:00 2001 From: Valentyn Sobol <8640896+Saloed@users.noreply.github.com> Date: Mon, 4 May 2026 13:48:51 +0300 Subject: [PATCH 29/31] Cleanup type matcher in config loader --- .../jvm/SerializedTypeMatching.kt | 61 +++++----- .../sast/dataflow/rules/TaintConfiguration.kt | 104 +++++++++--------- 2 files changed, 79 insertions(+), 86 deletions(-) diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt index 48692952..bb584123 100644 --- a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt +++ b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt @@ -1,5 +1,6 @@ package org.opentaint.dataflow.configuration.jvm +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.ir.api.jvm.JIRArrayType import org.opentaint.ir.api.jvm.JIRClassType @@ -7,46 +8,40 @@ import org.opentaint.ir.api.jvm.JIRType import org.opentaint.ir.api.jvm.JIRTypeVariable import org.opentaint.ir.api.jvm.JIRUnboundWildcard -/** - * A class type is "raw-like" when no concrete substitution has been applied to - * its type arguments — either the list is empty, or every argument is still a - * declared type variable / unbound wildcard. Matches a no-type-arg rule pattern. - */ -fun JIRClassType.isRawLike(): Boolean { - if (typeArguments.isEmpty()) return true - return typeArguments.all { it is JIRTypeVariable || it is JIRUnboundWildcard } +fun SerializedTypeNameMatcher.matchType( + erasedTypeName: String, + resolveType: () -> JIRType, + erasedMatch: SerializedTypeNameMatcher.(String) -> Boolean, +): Boolean { + if (!erasedMatch(erasedTypeName)) return false + return matchTypeArgs(resolveType, erasedMatch) } -/** - * Structural match of a serialized type-name matcher against a resolved - * [JIRType], including recursion into generic type arguments. - * - * Erased-name matching is delegated to [erasedMatch] so each caller can plug in - * its own name-matching primitive (e.g. a `PatternManager`-cached matcher vs. - * a plain `Regex`). The matcher receiver on [erasedMatch] is the sub-pattern - * being tested, not the root `this`. - */ -fun SerializedTypeNameMatcher.matchType( - type: JIRType, +private fun SerializedTypeNameMatcher.matchTypeArgs( + resolveType: () -> JIRType?, erasedMatch: SerializedTypeNameMatcher.(String) -> Boolean, -): Boolean = when { - this is SerializedTypeNameMatcher.ClassPattern && typeArgs == null && type is JIRClassType -> - erasedMatch(type.erasedName()) && type.isRawLike() +): Boolean { + return when (this) { + is SerializedSimpleNameMatcher -> true // no type args - this is SerializedTypeNameMatcher.ClassPattern && typeArgs == null -> - erasedMatch(type.erasedName()) + is SerializedTypeNameMatcher.ClassPattern -> { + val args = typeArgs ?: return true - this is SerializedTypeNameMatcher.ClassPattern && type is JIRClassType -> { - val args = typeArgs!! - erasedMatch(type.erasedName()) && - args.size == type.typeArguments.size && - args.zip(type.typeArguments).all { (m, a) -> m.matchType(a, erasedMatch) } - } + val type = resolveType() + if (type !is JIRClassType) return false - this is SerializedTypeNameMatcher.Array && type is JIRArrayType -> - element.matchType(type.elementType, erasedMatch) + if (args.size != type.typeArguments.size) return false - else -> erasedMatch(type.erasedName()) + args.zip(type.typeArguments).all { (m, a) -> + m.matchType(a.erasedName(), resolveType = { a }, erasedMatch) + } + } + + is SerializedTypeNameMatcher.Array -> element.matchTypeArgs( + resolveType = { (resolveType() as? JIRArrayType)?.elementType }, + erasedMatch + ) + } } /** diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt index 923bb054..7427fdc7 100644 --- a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt +++ b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt @@ -43,9 +43,9 @@ import org.opentaint.dataflow.configuration.jvm.TaintPassThrough import org.opentaint.dataflow.configuration.jvm.TaintSinkMeta import org.opentaint.dataflow.configuration.jvm.TaintStaticFieldSource import org.opentaint.dataflow.configuration.jvm.This -import org.opentaint.dataflow.configuration.jvm.TypeArgMatcher import org.opentaint.dataflow.configuration.jvm.TypeMatchesPattern import org.opentaint.dataflow.configuration.jvm.isFalse +import org.opentaint.dataflow.configuration.jvm.matchType import org.opentaint.dataflow.configuration.jvm.mkAnd import org.opentaint.dataflow.configuration.jvm.mkFalse import org.opentaint.dataflow.configuration.jvm.mkOr @@ -73,17 +73,16 @@ import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMat import org.opentaint.dataflow.configuration.jvm.serialized.SinkMetaData import org.opentaint.dataflow.configuration.jvm.serialized.SinkRule import org.opentaint.dataflow.configuration.jvm.serialized.SourceRule -import org.opentaint.dataflow.configuration.jvm.matchType import org.opentaint.dataflow.configuration.jvm.simplify import org.opentaint.dataflow.jvm.util.JIRHierarchyInfo import org.opentaint.ir.api.jvm.JIRAnnotated import org.opentaint.ir.api.jvm.JIRAnnotation -import org.opentaint.ir.api.jvm.JIRClasspath import org.opentaint.ir.api.jvm.JIRClassType -import org.opentaint.ir.api.jvm.JIRTypedMethod +import org.opentaint.ir.api.jvm.JIRClasspath import org.opentaint.ir.api.jvm.JIRField import org.opentaint.ir.api.jvm.JIRMethod import org.opentaint.ir.api.jvm.JIRType +import org.opentaint.ir.api.jvm.JIRTypedMethod import org.opentaint.ir.api.jvm.PredefinedPrimitives import org.opentaint.ir.api.jvm.TypeName import org.opentaint.ir.api.jvm.ext.allSuperHierarchySequence @@ -261,9 +260,6 @@ class TaintConfiguration(private val cp: JIRClasspath) { } } - private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean = - matchType(type) { name -> match(name) } - private fun SerializedSimpleNameMatcher.match(name: String): Boolean = when (this) { is Simple -> if (value == "*") true else value == name is Pattern -> isAny() || patternManager.matchPattern(pattern, name) @@ -286,36 +282,35 @@ class TaintConfiguration(private val cp: JIRClasspath) { } } - // When a typed view of the method is available, matchType() sees generic - // type arguments on the return type and parameters; otherwise we fall back - // to erased-name matching, which ignores type-arg specificity in the rule. - private fun SerializedTypeNameMatcher.matchTypedOrErased(typed: JIRType?, erased: String): Boolean = - if (typed != null) matchType(typed) else match(erased) - private fun SerializedSignatureMatcher.matchFunctionSignature(method: JIRMethod): Boolean { - val typedMethod = resolveTypedMethod(method) - fun paramTypes(idx: Int): Pair = - typedMethod?.parameters?.getOrNull(idx)?.type to method.parameters[idx].type.typeName - val (retTyped, retErased) = typedMethod?.returnType to method.returnType.typeName + val typedMethod by lazy { resolveTypedMethod(method) } when (this) { is SerializedSignatureMatcher.Simple -> { if (method.parameters.size != args.size) return false - if (!`return`.matchTypedOrErased(retTyped, retErased)) return false + if (!`return`.matchTypedOrErased(method.returnType.typeName) { typedMethod?.returnType }) return false return args.withIndex().all { (idx, matcher) -> - val (typed, erased) = paramTypes(idx) - matcher.matchTypedOrErased(typed, erased) + matcher.matchTypedOrErased(method.parameters[idx].type.typeName) { + typedMethod?.parameters?.getOrNull(idx)?.type + } } } is SerializedSignatureMatcher.Partial -> { + val ret = `return` + if (ret != null) { + if (!ret.matchTypedOrErased(method.returnType.typeName) { typedMethod?.returnType }) return false + } + val paramList = params if (paramList != null) { for (param in paramList) { - if (method.parameters.getOrNull(param.index) == null) return false - val (typed, erased) = paramTypes(param.index) - if (!param.type.matchTypedOrErased(typed, erased)) return false + val methodParam = method.parameters.getOrNull(param.index) ?: return false + val paramTypeMatched = param.type.matchTypedOrErased(methodParam.type.typeName) { + typedMethod?.parameters?.getOrNull(param.index)?.type + } + if (!paramTypeMatched) return false } } @@ -324,6 +319,22 @@ class TaintConfiguration(private val cp: JIRClasspath) { } } + private fun SerializedTypeNameMatcher.matchTypedOrErased(erased: String, resolveType: () -> JIRType?): Boolean { + return withTypeResolutionFailureHandling(onFailure = { true }) { + matchType(erased, { resolveType() ?: throw TypeResolutionFailed() }, { name -> match(name) }) + } + } + + private inline fun withTypeResolutionFailureHandling(onFailure: () -> T, body: () -> T): T = try { + body() + } catch (e: TypeResolutionFailed) { + onFailure() + } + + private class TypeResolutionFailed : Exception() { + override fun fillInStackTrace(): Throwable = this + } + private fun SerializedFieldRule.resolveFieldRule(field: JIRField): List { when (this) { is SerializedFieldRule.SerializedStaticFieldSource -> { @@ -695,39 +706,27 @@ class TaintConfiguration(private val cp: JIRClasspath) { val falsePositions = hashSetOf() val normalizedTypeIs = typeIs.normalizeAnyName() - val hasTypeArgs = normalizedTypeIs is ClassPattern && normalizedTypeIs.typeArgs != null + + val typedMethod by lazy { resolveTypedMethod(method) } for (pos in position) { val posTypeName = when (pos) { is Argument -> method.parameters[pos.index].type.typeName - Result -> method.returnType.typeName - This -> method.enclosingClass.name + is Result -> method.returnType.typeName + is This -> method.enclosingClass.name is PositionWithAccess, is ClassStatic -> continue } - if (normalizedTypeIs.match(posTypeName)) { - // For Simple / Pattern matchers there is no parameterization - // to discriminate — erased-name match is sufficient. - if (normalizedTypeIs is SerializedSimpleNameMatcher) return mkTrue() - - // ClassPattern / Array may carry type-arg constraints (or be a - // raw pattern that must reject parameterized forms). Use the - // typed view to verify before accepting. - val typedType = resolveTypedPositionType(method, pos) - if (typedType != null) { - if (normalizedTypeIs.matchType(typedType)) return mkTrue() - falsePositions.add(pos) - } - // Unresolved: defer generic-arg matching to the runtime evaluator. - continue + if (normalizedTypeIs.matchTypedOrErased(posTypeName) { typedMethod?.positionType(pos) }) { + return mkTrue() } if (pos is This) { - if (method.enclosingClass.allSuperHierarchySequence.any { normalizedTypeIs.match(it.name) }) { - if (!hasTypeArgs) return mkTrue() - continue + val anySuperTypeMatch = method.enclosingClass.allSuperHierarchySequence.any { + normalizedTypeIs.matchTypedOrErased(it.name) { typedMethod?.positionType(This) } } + if (anySuperTypeMatch) return mkTrue() if (method.isConstructor || method.isFinal) { falsePositions.add(pos) @@ -741,23 +740,22 @@ class TaintConfiguration(private val cp: JIRClasspath) { val nonFalsePositions = position.filter { it !in falsePositions } val typeArgs = (normalizedTypeIs as? ClassPattern)?.typeArgs ?.map { it.toTypeArgMatcher(patternManager) } + return mkOr(nonFalsePositions.map { TypeMatchesPattern(it, matcher, typeArgs) }) } + private fun JIRTypedMethod.positionType(pos: Position): JIRType? = when (pos) { + is Argument -> parameters.getOrNull(pos.index)?.type + is Result -> returnType + is This -> enclosingType + else -> null + } + private fun resolveTypedMethod(method: JIRMethod): JIRTypedMethod? { val classType = cp.typeOf(method.enclosingClass) as? JIRClassType ?: return null return classType.declaredMethods.find { it.method == method } } - private fun resolveTypedPositionType(method: JIRMethod, pos: Position): JIRType? { - val typed = resolveTypedMethod(method) ?: return null - return when (pos) { - is Argument -> typed.parameters.getOrNull(pos.index)?.type - Result -> typed.returnType - else -> null - } - } - private fun SerializedTaintAssignAction.resolveWithArray(method: JIRMethod, ctx: AnyArgSpecializationCtx): List = pos.resolvePositionWithAnnotationConstraint(method, ctx, annotatedWith?.asAnnotationConstraint()) .flatMap { it.resolveArrayPosition(method) } From c730906be1b64837097ab384b9bf3f6caef266c0 Mon Sep 17 00:00:00 2001 From: Valentyn Sobol <8640896+Saloed@users.noreply.github.com> Date: Mon, 4 May 2026 13:49:55 +0300 Subject: [PATCH 30/31] Remove incorrect test example --- .../example/RuleWithRawResponseEntity.java | 78 ------------------- .../example/RuleWithRawResponseEntity.yaml | 15 ---- .../opentaint/semgrep/TypeAwarePatternTest.kt | 6 -- 3 files changed, 99 deletions(-) delete mode 100644 core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java delete mode 100644 core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java deleted file mode 100644 index 723666ba..00000000 --- a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithRawResponseEntity.java +++ /dev/null @@ -1,78 +0,0 @@ -package example; - -import base.RuleSample; -import base.RuleSet; -import org.springframework.http.ResponseEntity; - -/** - * A6. Rule pattern-inside declares raw return type {@code ResponseEntity}. - * - * Expected behavior: only methods with a raw (unparameterized) - * {@code ResponseEntity} return type match; parameterized forms - * ({@code ResponseEntity}, {@code ResponseEntity}) should - * NOT match. - * - * Current engine behavior: the method-decl return type in the pattern is - * compared via erased class name, so raw and parameterized forms collapse - * to the same thing — all three method-decl forms match. This test is - * EXPECTED TO FAIL today with FPs on both NegativeParameterizedString and - * NegativeParameterizedByteArray. The Task-5 probe surfaced this; the - * failure here pins the expectation that raw vs parameterized should be - * distinguishable at the method-decl return type position. - */ -@RuleSet("example/RuleWithRawResponseEntity.yaml") -public abstract class RuleWithRawResponseEntity implements RuleSample { - - void sink(String data) {} - - @SuppressWarnings("rawtypes") - ResponseEntity methodReturningRawResponseEntity(String data) { - sink(data); - return null; - } - - ResponseEntity methodReturningResponseEntityString(String data) { - sink(data); - return null; - } - - ResponseEntity methodReturningResponseEntityByteArray(String data) { - sink(data); - return null; - } - - final static class PositiveRaw extends RuleWithRawResponseEntity { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningRawResponseEntity(data); - } - } - - /** - * Honest Negative: rule requires raw {@code ResponseEntity} but method - * returns {@code ResponseEntity}. The engine currently reports - * this as a match (FP) because raw and parameterized forms share an - * erased class name. - */ - final static class NegativeParameterizedString extends RuleWithRawResponseEntity { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningResponseEntityString(data); - } - } - - /** - * Honest Negative: rule requires raw {@code ResponseEntity} but method - * returns {@code ResponseEntity}. The engine currently reports - * this as a match (FP). - */ - final static class NegativeParameterizedByteArray extends RuleWithRawResponseEntity { - @Override - public void entrypoint() { - String data = "tainted"; - methodReturningResponseEntityByteArray(data); - } - } -} diff --git a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml b/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml deleted file mode 100644 index 34016704..00000000 --- a/core/opentaint-java-querylang/samples/src/main/resources/example/RuleWithRawResponseEntity.yaml +++ /dev/null @@ -1,15 +0,0 @@ -rules: - - id: example-RuleWithRawResponseEntity - languages: - - java - severity: ERROR - message: match example/RuleWithRawResponseEntity - patterns: - - pattern: |- - ... - sink($A); - ... - - pattern-inside: |- - ResponseEntity $METHOD(..., String $A, ...) { - ... - } diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt index 6f877211..8eb7e0d8 100644 --- a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt +++ b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt @@ -47,12 +47,6 @@ class TypeAwarePatternTest : SampleBasedTest() { fun `A5 - wildcard type argument ResponseEntity of question mark`() = runTest() - // A6. Raw ResponseEntity in method-decl pattern matches raw, parameterized, - // and parameterized-with-array — documented current engine behavior. - @Test - fun `A6 - raw ResponseEntity method-decl pattern matches raw and parameterized forms`() = - runTest() - // A8. Mixed metavar + concrete: Map<$K, String> — $K is a metavar, second // slot is concrete String. @Test From 13d37219a6bd572404af77165a59fa1aa5a6abee Mon Sep 17 00:00:00 2001 From: Valentyn Sobol <8640896+Saloed@users.noreply.github.com> Date: Mon, 4 May 2026 14:19:50 +0300 Subject: [PATCH 31/31] Cleanup rule builder --- .../pattern/conversion/ParamCondition.kt | 11 --- .../PatternToActionListConverter.kt | 2 +- .../taint/AutomataToTaintRuleConversion.kt | 80 +++++++------------ .../taint/MethodFormulaSimplifier.kt | 19 ++--- .../taint/TaintAutomataGeneration.kt | 3 +- .../conversion/taint/TaintEdgesGeneration.kt | 3 - 6 files changed, 39 insertions(+), 79 deletions(-) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt index bdaae539..a3b1409e 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt @@ -30,17 +30,6 @@ sealed interface TypeNamePattern { override fun toString(): String = "*" } - /** - * Java unbounded wildcard `?` as a type argument. Java's `?` is the - * supertype of any concrete parameterization, so a `Foo` pattern - * accepts any `Foo` — semantically equivalent to [AnyType] at a - * type-argument slot. - */ - @Serializable - data object WildcardType : TypeNamePattern { - override fun toString(): String = "?" - } - @Serializable data class ArrayType(val element: TypeNamePattern) : TypeNamePattern { override fun toString(): String = "${element}[]" diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt index 906e9287..6b9d413f 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt @@ -219,7 +219,7 @@ class PatternToActionListConverter: ActionListBuilder { val elementTypePattern = transformTypeName(typeName.elementType) TypeNamePattern.ArrayType(elementTypePattern) } - is TypeName.WildcardTypeName -> TypeNamePattern.WildcardType + is TypeName.WildcardTypeName -> TypeNamePattern.AnyType } private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern { diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt index 2b6afa2e..20243990 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt @@ -11,34 +11,33 @@ import org.opentaint.dataflow.configuration.jvm.serialized.SerializedCondition.C import org.opentaint.dataflow.configuration.jvm.serialized.SerializedFieldRule import org.opentaint.dataflow.configuration.jvm.serialized.SerializedFunctionNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedItem -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedRule -import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSignatureMatcher +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher.Pattern import org.opentaint.dataflow.configuration.jvm.serialized.SerializedSimpleNameMatcher.Simple import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTaintAssignAction import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTaintCleanAction +import org.opentaint.dataflow.configuration.jvm.serialized.SerializedTypeNameMatcher import org.opentaint.dataflow.configuration.jvm.serialized.SinkMetaData import org.opentaint.dataflow.configuration.jvm.serialized.SinkRule +import org.opentaint.semgrep.pattern.FailedToConvertToTaintRule +import org.opentaint.semgrep.pattern.IgnoredMetavarConstraint import org.opentaint.semgrep.pattern.Mark.RuleUniqueMarkPrefix import org.opentaint.semgrep.pattern.MetaVarConstraint import org.opentaint.semgrep.pattern.MetaVarConstraintFormula -import org.opentaint.semgrep.pattern.ResolvedMetaVarInfo -import org.opentaint.semgrep.pattern.RuleWithMetaVars -import org.opentaint.semgrep.pattern.FailedToConvertToTaintRule -import org.opentaint.semgrep.pattern.IgnoredMetavarConstraint import org.opentaint.semgrep.pattern.NonMethodCallCleaner import org.opentaint.semgrep.pattern.PlaceholderAnnotation import org.opentaint.semgrep.pattern.PlaceholderMethodName import org.opentaint.semgrep.pattern.PlaceholderStringValue import org.opentaint.semgrep.pattern.PlaceholderTypeName -import org.opentaint.semgrep.pattern.TaintRuleMatchAnything +import org.opentaint.semgrep.pattern.ResolvedMetaVarInfo +import org.opentaint.semgrep.pattern.RuleWithMetaVars import org.opentaint.semgrep.pattern.SemgrepMatchingRule import org.opentaint.semgrep.pattern.SemgrepRule import org.opentaint.semgrep.pattern.SemgrepRuleLoadStepTrace import org.opentaint.semgrep.pattern.SemgrepTaintRule import org.opentaint.semgrep.pattern.TaintRuleFromSemgrep +import org.opentaint.semgrep.pattern.TaintRuleMatchAnything import org.opentaint.semgrep.pattern.UserRuleFromSemgrepInfo import org.opentaint.semgrep.pattern.conversion.IsMetavar import org.opentaint.semgrep.pattern.conversion.MetavarAtom @@ -141,7 +140,6 @@ private data class RuleCondition( val enclosingClassName: SerializedSimpleNameMatcher, val name: SerializedSimpleNameMatcher, val condition: SerializedCondition, - val signature: SerializedSignatureMatcher? = null, ) private data class EvaluatedEdgeCondition( @@ -260,17 +258,17 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List + rules += generateRules(condition.ruleCondition) { function, cond -> when (ruleEdge.edgeKind) { TaintRuleEdge.Kind.MethodCall -> listOf( SerializedRule.Source( - function, signature = signature, overrides = true, cond, actions, info = info, + function, signature = null, overrides = true, cond, actions, info = info, ) ) TaintRuleEdge.Kind.MethodEnter -> listOf( SerializedRule.EntryPoint( - function, signature = signature, overrides = false, cond, actions, info = info, + function, signature = null, overrides = false, cond, actions, info = info, ) ) @@ -288,13 +286,13 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List + rules += generateRules(condition.ruleCondition) { function, cond -> val afterSinkActions = buildStateAssignAction(ruleEdge.stateTo, condition) when (ruleEdge.edgeKind) { TaintRuleEdge.Kind.MethodEnter -> listOf( SerializedRule.MethodEntrySink( - function, signature = signature, overrides = false, cond, + function, signature = null, overrides = false, cond, trackFactsReachAnalysisEnd = afterSinkActions, ctx.ruleId, meta = ctx.meta ) @@ -302,7 +300,7 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List listOf( SerializedRule.Sink( - function, signature = signature, overrides = true, cond, + function, signature = null, overrides = true, cond, trackFactsReachAnalysisEnd = afterSinkActions, ctx.ruleId, meta = ctx.meta ) @@ -332,10 +330,10 @@ fun TaintRuleGenerationCtx.generateTaintRules(ctx: RuleConversionCtx): List { - rules += generateRules(condition.ruleCondition) { function, signature, cond -> + rules += generateRules(condition.ruleCondition) { function, cond -> listOf( SerializedRule.Cleaner( - function, signature = signature, overrides = true, cond, actions, + function, signature = null, overrides = true, cond, actions, info = edgeRuleInfo(ruleEdge) ) ) @@ -412,7 +410,7 @@ private fun EvaluatedEdgeCondition.addStateCheck( private inline fun generateRules( condition: RuleCondition, - body: (SerializedFunctionNameMatcher, SerializedSignatureMatcher?, SerializedCondition) -> T + body: (SerializedFunctionNameMatcher, SerializedCondition) -> T ): T { val functionMatcher = SerializedFunctionNameMatcher.Complex( condition.enclosingClassPackage, @@ -420,14 +418,13 @@ private inline fun generateRules( condition.name ) - return body(functionMatcher, condition.signature, condition.condition) + return body(functionMatcher, condition.condition) } private class RuleConditionBuilder { var enclosingClassPackage: SerializedSimpleNameMatcher? = null var enclosingClassName: SerializedSimpleNameMatcher? = null var methodName: SerializedSimpleNameMatcher? = null - var signature: SerializedSignatureMatcher? = null val conditions = hashSetOf() @@ -435,7 +432,6 @@ private class RuleConditionBuilder { n.enclosingClassPackage = this.enclosingClassPackage n.enclosingClassName = this.enclosingClassName n.methodName = this.methodName - n.signature = this.signature n.conditions.addAll(conditions) } @@ -443,8 +439,7 @@ private class RuleConditionBuilder { enclosingClassPackage ?: anyName(), enclosingClassName ?: anyName(), methodName ?: anyName(), - SerializedCondition.and(conditions.toList()), - signature + SerializedCondition.and(conditions.toList()) ) } @@ -566,8 +561,6 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature( } } - // Encode the return-type constraint as an IsType condition on the Result - // position rather than on the signature matcher. val returnType = signature.returnType if (returnType != null) { val returnTypeFormula = typeMatcher(returnType, semgrepRuleTrace) @@ -703,13 +696,6 @@ private fun classNameMatcherFromConcreteString(name: String): SerializedTypeName return SerializedTypeNameMatcher.ClassPattern(pkg, cls) } -/** - * A ClassPattern that accepts any class name. Used as a placeholder for a - * type-argument slot whose inner pattern resolved to null (e.g. an - * unconstrained metavariable or AnyType). Keeps the arity of a pattern like - * `ResponseEntity<$T>` intact so it remains distinguishable from a raw - * `ResponseEntity` at the matcher level. - */ private fun anyClassPattern(): SerializedTypeNameMatcher.ClassPattern = SerializedTypeNameMatcher.ClassPattern( `package` = anyName(), @@ -842,14 +828,7 @@ private fun TaintRuleGenerationCtx.typeMatcher( ): MetaVarConstraintFormula? { return when (typeName) { is TypeNamePattern.ClassName -> { - // Preserve arity of typeArgs: a metavar like $T or AnyType that - // produces null still takes a slot in the type-arg list with an - // "any" matcher, so the outer matcher remains distinguishable - // from a raw (no-type-arg) form. - val serializedTypeArgs = typeName.typeArgs.takeIf { it.isNotEmpty() }?.map { - (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint - ?: anyClassPattern() - } + val serializedTypeArgs = typeArgsMatcher(typeName.typeArgs, semgrepRuleTrace) MetaVarConstraintFormula.Constraint( SerializedTypeNameMatcher.ClassPattern( `package` = anyName(), @@ -860,15 +839,12 @@ private fun TaintRuleGenerationCtx.typeMatcher( } is TypeNamePattern.FullyQualified -> { - if (typeName.typeArgs.isEmpty()) { + val serializedTypeArgs = typeArgsMatcher(typeName.typeArgs, semgrepRuleTrace) + if (serializedTypeArgs == null) { MetaVarConstraintFormula.Constraint( Simple(typeName.name) ) } else { - val serializedTypeArgs = typeName.typeArgs.map { - (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint - ?: anyClassPattern() - } val (pkg, cls) = classNamePartsFromConcreteString(typeName.name) MetaVarConstraintFormula.Constraint( SerializedTypeNameMatcher.ClassPattern( @@ -892,11 +868,7 @@ private fun TaintRuleGenerationCtx.typeMatcher( } } - // `` is the supertype of any concrete parameterization, so a - // wildcard slot has the same matching semantics as an unconstrained - // matcher — collapse it into [AnyType] at translation time. - is TypeNamePattern.AnyType, - is TypeNamePattern.WildcardType -> null + is TypeNamePattern.AnyType -> null is TypeNamePattern.MetaVar -> { val constraints = metaVarInfo.constraints[typeName.metaVar] @@ -958,6 +930,14 @@ private fun TaintRuleGenerationCtx.typeMatcher( } } +private fun TaintRuleGenerationCtx.typeArgsMatcher( + typeArgs: List, + semgrepRuleTrace: SemgrepRuleLoadStepTrace +): List? = typeArgs.takeIf { it.isNotEmpty() }?.map { + (typeMatcher(it, semgrepRuleTrace) as? MetaVarConstraintFormula.Constraint)?.constraint + ?: anyClassPattern() +} + private fun String.patternCanMatchDot(): Boolean = '.' in this || '-' in this // [A-Z] diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt index 4e0cf6e2..25c76c1a 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt @@ -5,8 +5,6 @@ import org.opentaint.dataflow.util.filter import org.opentaint.dataflow.util.forEach import org.opentaint.dataflow.util.map import org.opentaint.dataflow.util.toSet -import org.opentaint.semgrep.pattern.conversion.automata.OperationCancelation -import org.opentaint.semgrep.pattern.conversion.generatedMethodClassName import org.opentaint.semgrep.pattern.MetaVarConstraint import org.opentaint.semgrep.pattern.MetaVarConstraintFormula import org.opentaint.semgrep.pattern.MetaVarConstraints @@ -27,10 +25,12 @@ import org.opentaint.semgrep.pattern.conversion.automata.MethodModifierConstrain import org.opentaint.semgrep.pattern.conversion.automata.MethodName import org.opentaint.semgrep.pattern.conversion.automata.MethodSignature import org.opentaint.semgrep.pattern.conversion.automata.NumberOfArgsConstraint +import org.opentaint.semgrep.pattern.conversion.automata.OperationCancelation import org.opentaint.semgrep.pattern.conversion.automata.ParamConstraint import org.opentaint.semgrep.pattern.conversion.automata.Position import org.opentaint.semgrep.pattern.conversion.automata.Predicate import org.opentaint.semgrep.pattern.conversion.generatedAnyValueGeneratorMethodName +import org.opentaint.semgrep.pattern.conversion.generatedMethodClassName import org.opentaint.semgrep.pattern.conversion.generatedStringConcatMethodName import java.util.BitSet @@ -792,14 +792,12 @@ private fun unifyTypeName( if (left == right) return left when (left) { - TypeNamePattern.AnyType, - TypeNamePattern.WildcardType -> return right + TypeNamePattern.AnyType -> return right is TypeNamePattern.PrimitiveName -> return null is TypeNamePattern.ClassName -> when (right) { - TypeNamePattern.AnyType, - TypeNamePattern.WildcardType -> return left + TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType, is TypeNamePattern.PrimitiveName -> return null @@ -825,8 +823,7 @@ private fun unifyTypeName( } is TypeNamePattern.FullyQualified -> when (right) { - TypeNamePattern.AnyType, - TypeNamePattern.WildcardType -> return left + TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType, is TypeNamePattern.PrimitiveName -> return null @@ -853,8 +850,7 @@ private fun unifyTypeName( } is TypeNamePattern.MetaVar -> when (right) { - TypeNamePattern.AnyType, - TypeNamePattern.WildcardType -> return left + TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType, is TypeNamePattern.PrimitiveName -> return null @@ -878,8 +874,7 @@ private fun unifyTypeName( } is TypeNamePattern.ArrayType -> when (right) { - TypeNamePattern.AnyType, - TypeNamePattern.WildcardType -> return left + is TypeNamePattern.AnyType -> return left is TypeNamePattern.ArrayType -> { val unifiedElement = unifyTypeName(left.element, right.element, metaVarInfo) diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt index cd2d2447..ccef13fe 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt @@ -995,8 +995,7 @@ private fun EdgeCondition.isDummyCondition(metaVarInfo: ResolvedMetaVarInfo): Bo is TypeNamePattern.ArrayType, is TypeNamePattern.ClassName, is TypeNamePattern.FullyQualified, - is TypeNamePattern.PrimitiveName, - TypeNamePattern.WildcardType -> return false + is TypeNamePattern.PrimitiveName -> return false } } diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt index a613101a..25c463ea 100644 --- a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt +++ b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt @@ -12,9 +12,7 @@ import org.opentaint.semgrep.pattern.conversion.SemgrepPatternAction.ClassConstr import org.opentaint.semgrep.pattern.conversion.SemgrepPatternAction.SignatureModifier import org.opentaint.semgrep.pattern.conversion.SemgrepPatternAction.SignatureModifierValue import org.opentaint.semgrep.pattern.conversion.SemgrepPatternAction.SignatureName -import org.opentaint.semgrep.pattern.conversion.SpecificBoolValue import org.opentaint.semgrep.pattern.conversion.SpecificConstantValue -import org.opentaint.semgrep.pattern.conversion.SpecificStringValue import org.opentaint.semgrep.pattern.conversion.TypeNamePattern import org.opentaint.semgrep.pattern.conversion.automata.ClassModifierConstraint import org.opentaint.semgrep.pattern.conversion.automata.MethodConstraint @@ -363,7 +361,6 @@ private fun MetaVarCtx.typeNameMetaVars(typeName: TypeNamePattern, metaVars: Bit } TypeNamePattern.AnyType, - TypeNamePattern.WildcardType, is TypeNamePattern.PrimitiveName -> { // no metavars }