JS: Make API graphs use steps from summaries#19012
Merged
asgerf merged 8 commits intogithub:mainfrom Mar 18, 2025
Merged
Conversation
asgerf
force-pushed
the
js/api-graph-array-element
branch
4 times, most recently
from
b8f6522 to
aa11c0e
Compare
…ement() Although they mean slightly different things, every single call site of getUnknownMember() just used it as a way to get array elements. Since there is no known use-case for the original meaning of getUnknownMember() I am deprecating it for now.
asgerf
force-pushed
the
js/api-graph-array-element
branch
from
aa11c0e to
cd39092
Compare
The use of AnyMember was a workaround until the bugfix in this PR landed.
Contributor
There was a problem hiding this comment.
Pull Request Overview
This pull request updates API graphs to use steps from summaries and refactors how array elements are handled in various test and configuration files.
- Updates the tests by adding an array source function to exercise new API graph handling.
- Changes the dynamic property read in the API graph to use ArrayElement.
- Modifies configuration files for test extensions and tanstack models to support the new array element representation.
Reviewed Changes
Copilot reviewed 5 out of 18 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| javascript/ql/test/library-tests/frameworks/data/test.js | Adds tests for array source function calls using testlib. |
| javascript/ql/test/ApiGraphs/dynamic-prop-read/index.js | Updates the dynamic call from getUnknownMember() to getArrayElement(). |
| javascript/ql/test/library-tests/frameworks/data/test.ext.yml | Extends test configuration with ArrayElement return for testlib. |
| javascript/ql/lib/ext/tanstack.model.yml | Adjusts tanstack API queries to return ArrayElement for useQueries. |
| javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/testUseQueries.vue | Updates comment markers to reflect correct source and alert tags. |
Files not reviewed (13)
- javascript/ql/lib/semmle/javascript/ApiGraphs.qll: Language not supported
- javascript/ql/lib/semmle/javascript/dataflow/internal/Contents.qll: Language not supported
- javascript/ql/lib/semmle/javascript/frameworks/D3.qll: Language not supported
- javascript/ql/lib/semmle/javascript/frameworks/Puppeteer.qll: Language not supported
- javascript/ql/lib/semmle/javascript/frameworks/Vuex.qll: Language not supported
- javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll: Language not supported
- javascript/ql/lib/semmle/javascript/internal/CachedStages.qll: Language not supported
- javascript/ql/lib/semmle/javascript/internal/flow_summaries/Arrays.qll: Language not supported
- javascript/ql/lib/semmle/javascript/security/dataflow/ExternalAPIUsedWithUntrustedDataCustomizations.qll: Language not supported
- javascript/ql/src/experimental/Security/CWE-347/JWT.qll: Language not supported
- javascript/ql/src/experimental/semmle/javascript/Execa.qll: Language not supported
- javascript/ql/test/library-tests/frameworks/data/test.expected: Language not supported
- javascript/ql/test/query-tests/Security/CWE-079/DomBasedXssWithResponseThreat/Xss.expected: Language not supported
Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
erik-krogh
approved these changes
Mar 18, 2025
Contributor
erik-krogh
left a comment
erik-krogh
left a comment
There was a problem hiding this comment.
Nice 👍
Although I feel the latest DCA evaluation hints towards a minor performance regression?
I've started another evaluation to see whether that's just a spurious result.
Contributor
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Makes API graphs use
Contentinternally and use steps from summaries.Steps from summaries are already converted into type-tracking steps, we just need to use them in API graphs.
The handling of
Content/ContentSetis the same as in Ruby: the graph is generated usinggetAStoreContent(both for use and def nodes) and queried usinggetAReadContent. We want to avoid materialising a graph based ongetAReadContent()because that set can be huge.Based on this we can now implement
getArrayElement()properly. This looks through things like.map()and.pop()based on the existing models for arrays. This in turn fixes some issues with theArrayElementMaD token, as shown in the new test case.