Dataflow: Deprecate FlowStateString.

[aschackmull]

Followup for #14983. I don't think we need a change note for this, as this was effectively part of the old api.

[jketema]

Fix for the coding standards tests: github/codeql-coding-standards#473

[owen-mc]

Go LGTM

[atorralba]

Java 👍

I don't think we need a change note for this, as this was effectively part of the old api.

Agree, everything affected by this seems to be under the internal directory.

[michaelnebel]

C# LGTM - but there are some tests failing for other languages.

[jketema]

@aschackmull The coding standards tests are now fixed.

[geoffw0]

👍 for Swift.

[geoffw0]

Oh, one of the test failures is in Swift. There was briefly a version of main with failing Swift tests (that I think looked like what we have here), it's possible this PR has got unlucky with it's base commit?

[aschackmull]

Oh, one of the test failures is in Swift. There was briefly a version of main with failing Swift tests (that I think looked like what we have here), it's possible this PR has got unlucky with it's base commit

Yes. I'm aware I need to rebase, and that should fix the swift test. But there's also a Java failure, so I was planning to fix that before rebasing. (No need to rerun CI twice).

[yoff]

Python 👍

[aschackmull]

@atorralba could you take a look at the last commit - I've fixed the 3 java queries that had accidental exposure of FlowStateString in their extension points.

[atorralba]

Ok, so the last commit mostly LGTM.

• ImplictPendingIntents 👍
• Turns out that we didn't even use FlowStates in TemplateInjection, and I made those extension points "just in case" 😅. Anyway, 👍.
• I think I followed your changes in InsufficientKeySize. AFAIU there aren't changes in the semantics (and the green tests probably confirm this), so we should be good. Still, I added a few minor comments/questions.

[atorralba]

Couldn't this break existing implementations of InsufficientKeySizeSink overriding hasState?

[aschackmull]

Yes.

[atorralba]

Couldn't this break existing implementations of InsufficientKeySizeSource that don't override hasState?

[aschackmull]

Yes, but such a hypothetical source wouldn't make much sense. Its default state would not match any sink, so it wouldn't work. Hence, I find it unlikely that this extension point has been used in the wild. Really, as the query is written, we need a key size state to be specified for the sources and the sinks, and with the way that I've reimplemented the logic I found it hard to provide a straight-forward deprecation path from the old interface.

I guess we could put in some work provide a better deprecation path by renaming the hasState predicate and providing a translation from the old to the new, but it's not going to be neither pretty nor simple, do you think that's worth it? I was leaning towards risking breakage here as my preferred option.

[atorralba]

I was just making sure this was a deliberate decision. I also favor the cleanest path forward (if we are allowed to break things when we believe it makes sense, which I didn't know 😄).

[aschackmull]

It's a calculated risk and one that we generally try hard to avoid. But adding a new abstract predicate isn't really possible to do without potential breakage.