Rust: Reduce CI noise from the SummaryStats query

rust/ql/integration-tests/hello-project/summary.expected

@@ -1,5 +1,3 @@
-| Elements extracted | 67 |
-| Elements unextracted | 0 |
 | Extraction errors | 0 |
 | Extraction warnings | 1 |
 | Files extracted - total | 5 |
@@ -15,11 +13,3 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1691 |
-| Taint reach - nodes tainted | 0 |
-| Taint reach - per million nodes | 0 |
-| Taint sinks - cryptographic operations | 0 |
-| Taint sinks - query sinks | 1 |
-| Taint sources - active | 0 |
-| Taint sources - disabled | 0 |
-| Taint sources - sensitive data | 0 |

rust/ql/integration-tests/hello-project/summary.qlref

@@ -1 +1 @@
-queries/summary/SummaryStats.ql
+queries/summary/SummaryStatsReduced.ql

rust/ql/integration-tests/hello-workspace/summary.cargo.expected

@@ -1,5 +1,3 @@
-| Elements extracted | 90 |
-| Elements unextracted | 0 |
 | Extraction errors | 0 |
 | Extraction warnings | 0 |
 | Files extracted - total | 4 |
@@ -15,11 +13,3 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1691 |
-| Taint reach - nodes tainted | 0 |
-| Taint reach - per million nodes | 0 |
-| Taint sinks - cryptographic operations | 0 |
-| Taint sinks - query sinks | 1 |
-| Taint sources - active | 0 |
-| Taint sources - disabled | 0 |
-| Taint sources - sensitive data | 0 |

rust/ql/integration-tests/hello-workspace/summary.qlref

@@ -1 +1 @@
-queries/summary/SummaryStats.ql
+queries/summary/SummaryStatsReduced.ql

rust/ql/integration-tests/hello-workspace/summary.rust-project.expected

@@ -1,5 +1,3 @@
-| Elements extracted | 90 |
-| Elements unextracted | 0 |
 | Extraction errors | 0 |
 | Extraction warnings | 0 |
 | Files extracted - total | 4 |
@@ -15,11 +13,3 @@
 | Macro calls - resolved | 2 |
 | Macro calls - total | 2 |
 | Macro calls - unresolved | 0 |
-| Taint edges - number of edges | 1691 |
-| Taint reach - nodes tainted | 0 |
-| Taint reach - per million nodes | 0 |
-| Taint sinks - cryptographic operations | 0 |
-| Taint sinks - query sinks | 1 |
-| Taint sources - active | 0 |
-| Taint sources - disabled | 0 |
-| Taint sources - sensitive data | 0 |

rust/ql/src/queries/summary/Stats.qll

@@ -11,6 +11,9 @@ private import codeql.rust.internal.PathResolutionConsistency as PathResolutionC
 private import codeql.rust.controlflow.internal.CfgConsistency as CfgConsistency
 private import codeql.rust.dataflow.internal.DataFlowConsistency as DataFlowConsistency
 private import codeql.rust.Concepts
+private import codeql.rust.Diagnostics
+private import codeql.rust.security.SensitiveData
+private import TaintReach
 // import all query extensions files, so that all extensions of `QuerySink` are found
 private import codeql.rust.security.CleartextLoggingExtensions
 private import codeql.rust.security.SqlInjectionExtensions
@@ -72,3 +75,92 @@ int getTaintEdgesCount() {
  * Gets a count of the total number of query sinks in the database.
  */
 int getQuerySinksCount() { result = count(QuerySink s) }
+
+class CrateElement extends Element {
+  CrateElement() {
+    this instanceof Crate or
+    this instanceof NamedCrate or
+    this.(AstNode).getParentNode*() = any(Crate c).getModule()
+  }
+}
+
+/**
+ * Gets summary statistics about individual elements in the database.
+ */
+predicate elementStats(string key, int value) {
+  key = "Elements extracted" and
+  value = count(Element e | not e instanceof Unextracted and not e instanceof CrateElement)
+  or
+  key = "Elements unextracted" and value = count(Unextracted e)
+}
+
+/**
+ * Gets summary statistics about extraction.
+ */
+predicate extractionStats(string key, int value) {
+  key = "Extraction errors" and value = count(ExtractionError e)
+  or
+  key = "Extraction warnings" and value = count(ExtractionWarning w)
+  or
+  key = "Files extracted - total" and value = count(ExtractedFile f | exists(f.getRelativePath()))
+  or
+  key = "Files extracted - with errors" and
+  value =
+    count(ExtractedFile f |
+      exists(f.getRelativePath()) and not f instanceof SuccessfullyExtractedFile
+    )
+  or
+  key = "Files extracted - without errors" and
+  value = count(SuccessfullyExtractedFile f | exists(f.getRelativePath()))
+  or
+  key = "Files extracted - without errors %" and
+  value =
+    (count(SuccessfullyExtractedFile f | exists(f.getRelativePath())) * 100) /
+      count(ExtractedFile f | exists(f.getRelativePath()))
+  or
+  key = "Lines of code extracted" and value = getLinesOfCode()
+  or
+  key = "Lines of user code extracted" and value = getLinesOfUserCode()
+  or
+  key = "Macro calls - total" and value = count(MacroCall mc)
+  or
+  key = "Macro calls - resolved" and value = count(MacroCall mc | mc.hasExpanded())
+  or
+  key = "Macro calls - unresolved" and value = count(MacroCall mc | not mc.hasExpanded())
+}
+
+/**
+ * Gets summary statistics about inconsistencies.
+ */
+predicate inconsistencyStats(string key, int value) {
+  key = "Inconsistencies - AST" and value = getTotalAstInconsistencies()
+  or
+  key = "Inconsistencies - Path resolution" and value = getTotalPathResolutionInconsistencies()
+  or
+  key = "Inconsistencies - CFG" and value = getTotalCfgInconsistencies()
+  or
+  key = "Inconsistencies - data flow" and value = getTotalDataFlowInconsistencies()
+}
+
+/**
+ * Gets summary statistics about taint.
+ */
+predicate taintStats(string key, int value) {
+  key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
+  or
+  key = "Taint sources - disabled" and
+  value = count(ThreatModelSource s | not s instanceof ActiveThreatModelSource)
+  or
+  key = "Taint sources - sensitive data" and value = count(SensitiveData d)
+  or
+  key = "Taint edges - number of edges" and value = getTaintEdgesCount()
+  or
+  key = "Taint reach - nodes tainted" and value = getTaintedNodesCount()
+  or
+  key = "Taint reach - per million nodes" and value = getTaintReach().floor()
+  or
+  key = "Taint sinks - query sinks" and value = getQuerySinksCount()
+  or
+  key = "Taint sinks - cryptographic operations" and
+  value = count(Cryptography::CryptographicOperation o)
+}

rust/ql/src/queries/summary/SummaryStats.ql

@@ -7,81 +7,15 @@
  */
 
 import rust
-import codeql.rust.Concepts
-import codeql.rust.security.SensitiveData
-import codeql.rust.security.WeakSensitiveDataHashingExtensions
-import codeql.rust.Diagnostics
 import Stats
-import TaintReach
-
-class CrateElement extends Element {
-  CrateElement() {
-    this instanceof Crate or
-    this instanceof NamedCrate or
-    this.(AstNode).getParentNode*() = any(Crate c).getModule()
-  }
-}
 
 from string key, int value
 where
-  key = "Elements extracted" and
-  value = count(Element e | not e instanceof Unextracted and not e instanceof CrateElement)
-  or
-  key = "Elements unextracted" and value = count(Unextracted e)
-  or
-  key = "Extraction errors" and value = count(ExtractionError e)
-  or
-  key = "Extraction warnings" and value = count(ExtractionWarning w)
-  or
-  key = "Files extracted - total" and value = count(ExtractedFile f | exists(f.getRelativePath()))
-  or
-  key = "Files extracted - with errors" and
-  value =
-    count(ExtractedFile f |
-      exists(f.getRelativePath()) and not f instanceof SuccessfullyExtractedFile
-    )
-  or
-  key = "Files extracted - without errors" and
-  value = count(SuccessfullyExtractedFile f | exists(f.getRelativePath()))
-  or
-  key = "Files extracted - without errors %" and
-  value =
-    (count(SuccessfullyExtractedFile f | exists(f.getRelativePath())) * 100) /
-      count(ExtractedFile f | exists(f.getRelativePath()))
-  or
-  key = "Lines of code extracted" and value = getLinesOfCode()
-  or
-  key = "Lines of user code extracted" and value = getLinesOfUserCode()
-  or
-  key = "Inconsistencies - AST" and value = getTotalAstInconsistencies()
-  or
-  key = "Inconsistencies - Path resolution" and value = getTotalPathResolutionInconsistencies()
-  or
-  key = "Inconsistencies - CFG" and value = getTotalCfgInconsistencies()
-  or
-  key = "Inconsistencies - data flow" and value = getTotalDataFlowInconsistencies()
-  or
-  key = "Macro calls - total" and value = count(MacroCall mc)
-  or
-  key = "Macro calls - resolved" and value = count(MacroCall mc | mc.hasExpanded())
-  or
-  key = "Macro calls - unresolved" and value = count(MacroCall mc | not mc.hasExpanded())
-  or
-  key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
-  or
-  key = "Taint sources - disabled" and
-  value = count(ThreatModelSource s | not s instanceof ActiveThreatModelSource)
-  or
-  key = "Taint sources - sensitive data" and value = count(SensitiveData d)
-  or
-  key = "Taint edges - number of edges" and value = getTaintEdgesCount()
-  or
-  key = "Taint reach - nodes tainted" and value = getTaintedNodesCount()
+  elementStats(key, value)
   or
-  key = "Taint reach - per million nodes" and value = getTaintReach().floor()
+  extractionStats(key, value)
   or
-  key = "Taint sinks - query sinks" and value = getQuerySinksCount()
+  inconsistencyStats(key, value)
   or
-  key = "Taint sinks - cryptographic operations" and
-  value = count(Cryptography::CryptographicOperation o)
+  taintStats(key, value)
 select key, value order by key

rust/ql/src/queries/summary/SummaryStatsReduced.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Summary Statistics Reduced
+ * @description A table of summary statistics about a database, with data that
+ *              has been found to be noisy on tests removed.
+ * @kind metric
+ * @id rust/summary/reduced-summary-statistics
+ * @tags summary
+ */
+
+import rust
+import Stats
+
+from string key, int value
+where
+  extractionStats(key, value)
+  or
+  inconsistencyStats(key, value)
+select key, value order by key

rust/ql/test/query-tests/diagnostics/SummaryStats.expected → rust/ql/test/query-tests/diagnostics/SummaryStatsReduced.expected

@@ -1,5 +1,3 @@
-| Elements extracted | 406 |
-| Elements unextracted | 0 |
 | Extraction errors | 0 |
 | Extraction warnings | 7 |
 | Files extracted - total | 7 |
@@ -15,11 +13,3 @@
 | Macro calls - resolved | 8 |
 | Macro calls - total | 9 |
 | Macro calls - unresolved | 1 |
-| Taint edges - number of edges | 1691 |
-| Taint reach - nodes tainted | 0 |
-| Taint reach - per million nodes | 0 |
-| Taint sinks - cryptographic operations | 0 |
-| Taint sinks - query sinks | 3 |
-| Taint sources - active | 0 |
-| Taint sources - disabled | 0 |
-| Taint sources - sensitive data | 0 |

rust/ql/test/query-tests/diagnostics/SummaryStatsReduced.qlref

@@ -0,0 +1 @@
+queries/summary/SummaryStatsReduced.ql