Improve and re-use UI5::inSameWebApp() predicate

Author: data-douser

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll

@@ -113,15 +113,14 @@ abstract class UI5ExternalModel extends UI5Model, RemoteFlowSource {
 /** Default model which gains content from an SAP OData service (ie no model name is explicitly specified). */
 class DefaultODataServiceModel extends UI5ExternalModel {
   DefaultODataServiceModel() {
-    exists(ExternalModelManifest model, WebApp webapp |
-      //an OData default model exists
+    exists(ExternalModelManifest model |
+      // An OData default model exists.
       model.getName() = "" and
       model.getDataSource() instanceof ODataDataSourceManifest and
-      //therefore the bindElement calls that exist may be sources and also approximates the model itself
+      // A bindElement call bound to the default OData model represents a source of data.
       this.getCalleeName() = "bindElement" and
-      // The bindElement call must be in the same webapp as the manifest that declares the default model
-      webapp.getAResource() = this.getFile() and
-      webapp.getManifest() = model.getJsonFile()
+      // The bindElement call must be in the same webapp as the manifest that declares the default model.
+      inSameWebApp(this.getFile(), model.getJsonFile())
     )
   }
 

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -88,6 +88,10 @@ bindingset[f1, f2]
 pragma[inline_late]
 predicate inSameWebApp(File f1, File f2) {
   exists(WebApp webApp | webApp.getAResource() = f1 and webApp.getAResource() = f2)
+  or
+  exists(WebApp webApp | webApp.getManifest() = f1 and webApp.getAResource() = f2)
+  or
+  exists(WebApp webApp | webApp.getManifest() = f2 and webApp.getAResource() = f1)
 }
 
 /** A UI5 bootstrapped web application. */