From a108b9c37d065381f0c3c4c043c252f9daa9c97b Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 27 Jun 2024 16:12:39 +0200 Subject: [PATCH 1/5] C#: Fix some bugs in the python script for the model generator. --- misc/scripts/models-as-data/generate_flow_model.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misc/scripts/models-as-data/generate_flow_model.py b/misc/scripts/models-as-data/generate_flow_model.py index 26dd961f4019..7654713d2804 100644 --- a/misc/scripts/models-as-data/generate_flow_model.py +++ b/misc/scripts/models-as-data/generate_flow_model.py @@ -193,7 +193,7 @@ def run(self): print("Models as data extensions generated, but not written to file.") sys.exit(0) - if self.generateSinks or self.generateSinks or self.generateSummaries: + if self.generateSinks or self.generateSources or self.generateSummaries or self.generateNeutrals: self.save(content, ".model.yml") if self.generateTypeBasedSummaries: From 70494d339da989c501347ca2acb3a6fefe7c4c4e Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 27 Jun 2024 14:23:00 +0200 Subject: [PATCH 2/5] C#: Re-write some of the existing source model generation tests and introduce a new one for ToString. --- .../utils/modelgenerator/dataflow/Sources.cs | 53 +++++++++++++++---- 1 file changed, 44 insertions(+), 9 deletions(-) diff --git a/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs b/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs index 855f70185572..e7fda0430806 100644 --- a/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs +++ b/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs 
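Review bot: The guard in front of `self.save(content, ".model.yml")` still lists the generate flags by hand, and the doubled `self.generateSinks` is the kind of slip that form invites. With the old condition, a run that asked only for sources or only for neutrals appears to have skipped the save without any message, so the resulting model pack would lack those rows. I would put a comment on the condition, for example `# Every model kind that contributes to content must appear here, otherwise its rows are never written.`, and consider `if any((self.generateSinks, self.generateSources, self.generateSummaries, self.generateNeutrals)):` so a repeated name stands out. The body of `run` starts and ends outside this hunk, so how `content` is assembled is not visible here.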
@@ -52,25 +52,39 @@ public bool WrapConsoleReadLineGetBool() return s == "hello"; } - public class MyConsoleReader + public abstract class ValueReader { - // source=Sources;NewSources+MyConsoleReader;false;ToString;();;ReturnValue;local;df-generated - // neutral=Sources;NewSources+MyConsoleReader;ToString;();summary;df-generated - public override string ToString() + // neutral=Sources;NewSources+ValueReader;GetValue;();summary;df-generated + public abstract string GetValue(); + } + + public class MyConsoleReader : ValueReader + { + // source=Sources;NewSources+MyConsoleReader;true;GetValue;();;ReturnValue;local;df-generated + // neutral=Sources;NewSources+MyConsoleReader;GetValue;();summary;df-generated + public override string GetValue() { return Console.ReadLine(); } } + public class MyOtherReader : ValueReader + { + // neutral=Sources;NewSources+MyOtherReader;GetValue;();summary;df-generated + public override string GetValue() + { + return ""; + } + } - public class MyContainer + public class MyContainer where T : ValueReader { public T Value { get; set; } - // summary=Sources;NewSources+MyContainer;false;Read;();;Argument[this];ReturnValue;taint;df-generated + // neutral=Sources;NewSources+MyContainer;Read;();summary;df-generated public string Read() { - return Value.ToString(); + return Value.GetValue(); } } 
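Review bot: `MyContainer.Read` now expects only a neutral, although `Value.GetValue()` can dispatch to `MyConsoleReader.GetValue()`, which returns `Console.ReadLine()`, and nothing in the test says this outcome is intended. A comment above `Read` would make the expectation reviewable, for example `// No source or summary expected: GetValue is resolved by virtual dispatch and not every ValueReader returns external input.` The same gap exists for `C1` and `C2` in the next hunk of this file: they differ only in `sealed` and expect identical rows. A one-line comment there should say which property of the generator each of the two cases pins down.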
@@ -105,13 +119,34 @@ public override string Read() } } - public class DataReaderKind2 : DataReader + public sealed class DataReaderKind2 : DataReader { - // source=Sources;NewSources+DataReaderKind2;true;Read;();;ReturnValue;source-kind-2;df-generated + // source=Sources;NewSources+DataReaderKind2;false;Read;();;ReturnValue;source-kind-2;df-generated // neutral=Sources;NewSources+DataReaderKind2;Read;();summary;df-generated public override string Read() { return Source2(); } } + + public class C1 + { + // source=Sources;NewSources+C1;false;ToString;();;ReturnValue;source-kind-1;df-generated + // neutral=Sources;NewSources+C1;ToString;();summary;df-generated + public override string ToString() + { + return Source1(); + } + } + + public sealed class C2 + { + // source=Sources;NewSources+C2;false;ToString;();;ReturnValue;source-kind-1;df-generated + // neutral=Sources;NewSources+C2;ToString;();summary;df-generated + public override string ToString() + { + return Source1(); + } + } + } From 5639ada3edacf9a149cb2fdaf2d3d341df62da4f Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 27 Jun 2024 14:28:59 +0200 Subject: [PATCH 3/5] C#: Do not generate source models for Overriable callables that overrides or implements something. --- .../modelgenerator/internal/CaptureModelsSpecific.qll | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll b/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll index 36cb62e655fc..ac73d44aa5c7 100644 --- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll +++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll 
@@ -7,6 +7,7 @@ private import semmle.code.csharp.commons.Util as Util private import semmle.code.csharp.commons.Collections as Collections private import semmle.code.csharp.dataflow.internal.DataFlowDispatch private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl +private import semmle.code.csharp.dispatch.OverridableCallable private import semmle.code.csharp.frameworks.system.linq.Expressions private import semmle.code.csharp.frameworks.System import semmle.code.csharp.dataflow.internal.ExternalFlow as ExternalFlow @@ -130,7 +131,13 @@ class SinkTargetApi extends SourceOrSinkTargetApi { * A class of callables that are potentially relevant for generating source models. */ class SourceTargetApi extends SourceOrSinkTargetApi { - SourceTargetApi() { not hasManualSourceModel(this) } + SourceTargetApi() { + not hasManualSourceModel(this) and + // Do not generate source models for overridable callables + // as virtual dispatch implies that too many methods + // will be considered sources. + not this.(Overridable).overridesOrImplements(_) + } } /** From e05f83568361e9f087d749a4ed0bab64f57032cb Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Thu, 27 Jun 2024 14:29:34 +0200 Subject: [PATCH 4/5] C#: Update model generator expected output. --- csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs | 5 ----- 1 file changed, 5 deletions(-) diff --git a/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs b/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs index e7fda0430806..3165dfa2f904 100644 --- a/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs +++ b/csharp/ql/test/utils/modelgenerator/dataflow/Sources.cs @@ -60,7 +60,6 @@ public abstract class ValueReader public class MyConsoleReader : ValueReader { - // source=Sources;NewSources+MyConsoleReader;true;GetValue;();;ReturnValue;local;df-generated // neutral=Sources;NewSources+MyConsoleReader;GetValue;();summary;df-generated public override string GetValue() { 
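Review bot: The comment inside `SourceTargetApi()` says "overridable callables", but `not this.(Overridable).overridesOrImplements(_)` excludes only callables that override or implement another callable. A virtual method that starts a hierarchy is still a target. I would reword it to `// Do not generate source models for callables that override or implement another callable,` and keep the remaining two comment lines as they are. The exclusion also trades false positives for false negatives: judging by the test expectations in this series, an override that directly returns external input (the `MyConsoleReader.GetValue` case) no longer gets a generated source model. The class QLDoc should state that such callables are skipped and have to be covered by a manual model where they matter.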
@@ -111,7 +110,6 @@ public abstract class DataReader public class DataReaderKind1 : DataReader { - // source=Sources;NewSources+DataReaderKind1;true;Read;();;ReturnValue;source-kind-1;df-generated // neutral=Sources;NewSources+DataReaderKind1;Read;();summary;df-generated public override string Read() { @@ -121,7 +119,6 @@ public override string Read() public sealed class DataReaderKind2 : DataReader { - // source=Sources;NewSources+DataReaderKind2;false;Read;();;ReturnValue;source-kind-2;df-generated // neutral=Sources;NewSources+DataReaderKind2;Read;();summary;df-generated public override string Read() { @@ -131,7 +128,6 @@ public override string Read() public class C1 { - // source=Sources;NewSources+C1;false;ToString;();;ReturnValue;source-kind-1;df-generated // neutral=Sources;NewSources+C1;ToString;();summary;df-generated public override string ToString() { @@ -141,7 +137,6 @@ public override string ToString() public sealed class C2 { - // source=Sources;NewSources+C2;false;ToString;();;ReturnValue;source-kind-1;df-generated // neutral=Sources;NewSources+C2;ToString;();summary;df-generated public override string ToString() { From 8eba4a3e513fd87a64b7836b7436ec5bad723cb5 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Mon, 15 Jul 2024 08:05:13 +0200 Subject: [PATCH 5/5] C#: Code quality improvement. --- .../src/utils/modelgenerator/internal/CaptureModelsSpecific.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll b/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll index ac73d44aa5c7..517531ecfbf7 100644 --- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll +++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll 
@@ -7,7 +7,6 @@ private import semmle.code.csharp.commons.Util as Util private import semmle.code.csharp.commons.Collections as Collections private import semmle.code.csharp.dataflow.internal.DataFlowDispatch private import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl -private import semmle.code.csharp.dispatch.OverridableCallable private import semmle.code.csharp.frameworks.system.linq.Expressions private import semmle.code.csharp.frameworks.System import semmle.code.csharp.dataflow.internal.ExternalFlow as ExternalFlow