Java: automodel application mode: only extract the first argument corresponding to a varargs array

java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll

@@ -31,9 +31,9 @@ newtype TApplicationModeEndpoint =
   TImplicitVarargsArray(Call call, DataFlow::Node arg, int idx) {
     exists(Argument argExpr |
       arg.asExpr() = argExpr and
-      call = argExpr.getCall() and
+      call.getArgument(idx) = argExpr and
       argExpr.isVararg() and
-      idx = min(int n | argExpr = call.getArgument(n) and argExpr.isVararg() | n)
+      not exists(int i | i < idx and call.getArgument(i).(Argument).isVararg())
     )
   }
 

java/ql/test/query-tests/Telemetry/AutomodelApplicationModeExtraction/AutomodelApplicationModeExtractCandidates.expected

@@ -1,3 +1,3 @@
 | Test.java:16:3:16:11 | reference | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:16:3:16:11 | reference | CallContext | file://java.util.concurrent.atomic:1:1:1:1 | java.util.concurrent.atomic | package | file://AtomicReference:1:1:1:1 | AtomicReference | type | file://false:1:1:1:1 | false | subtypes | file://set:1:1:1:1 | set | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://false:1:1:1:1 | false | isVarargsArray |
 | Test.java:21:3:21:10 | supplier | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:21:3:21:10 | supplier | CallContext | file://java.util.function:1:1:1:1 | java.util.function | package | file://Supplier:1:1:1:1 | Supplier | type | file://true:1:1:1:1 | true | subtypes | file://get:1:1:1:1 | get | name | file://():1:1:1:1 | () | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://false:1:1:1:1 | false | isVarargsArray |
-| Test.java:53:4:53:4 | o | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:51:3:54:3 | walk(...) | CallContext | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://walk:1:1:1:1 | walk | name | file://(Path,FileVisitOption[]):1:1:1:1 | (Path,FileVisitOption[]) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://true:1:1:1:1 | true | isVarargsArray |
+| Test.java:53:4:53:4 | o | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:51:3:56:3 | walk(...) | CallContext | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://walk:1:1:1:1 | walk | name | file://(Path,FileVisitOption[]):1:1:1:1 | (Path,FileVisitOption[]) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://true:1:1:1:1 | true | isVarargsArray |

java/ql/test/query-tests/Telemetry/AutomodelApplicationModeExtraction/Test.java

@@ -50,7 +50,9 @@ class Test {
 	public static void FilesWalkExample(Path p, FileVisitOption o) throws Exception {
 		Files.walk(
 			p, // negative example (modeled as a taint step)
-			o // the implicit varargs array is a candidate
+			o, // the implicit varargs array is a candidate
+			o // not a candidate (only the first arg corresponding to a varargs array
+			  // is extracted)
 		);
 	}
 }