From 473a1d377635b2b499a57c2453ad42284e163807 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Thu, 23 Jan 2025 10:19:06 +0100 Subject: [PATCH] C++: mass enable diff-informed data flow --- .../cryptography/modules/OpenSSL.qll | 30 +++++++++++++++++++ .../cpp/security/PrivateCleartextWrite.qll | 2 ++ .../cpp/dataflow/internal/DataFlowUtil.qll | 6 ++++ .../cpp/ir/dataflow/internal/ProductFlow.qll | 7 +++++ .../AllocationToInvalidPointer.qll | 14 +++++++++ .../InvalidPointerToDereference.qll | 6 ++++ .../cpp/security/boostorg/asio/protocols.qll | 6 ++++ cpp/ql/src/Critical/MissingCheckScanf.ql | 12 ++++++++ cpp/ql/src/Critical/OverflowDestination.ql | 6 ++++ .../Conversion/CastArrayPointerArithmetic.ql | 2 ++ .../Likely Bugs/Format/NonConstantFormat.ql | 6 ++++ cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll | 18 +++++++++++ .../Memory Management/NtohlArrayNoBound.qll | 2 ++ .../Protocols/TlsSettingsMisconfiguration.ql | 6 ++++ .../CWE/CWE-020/ExternalAPIsSpecific.qll | 7 +++++ .../CWE/CWE-020/ir/ExternalAPIsSpecific.qll | 7 +++++ .../src/Security/CWE/CWE-022/TaintedPath.ql | 6 ++++ .../src/Security/CWE/CWE-078/ExecTainted.ql | 13 ++++++++ cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql | 6 ++++ cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql | 6 ++++ .../CWE-114/UncontrolledProcessOperation.ql | 2 ++ .../CWE/CWE-119/OverrunWriteProductFlow.ql | 8 +++++ .../Security/CWE/CWE-120/UnboundedWrite.ql | 6 ++++ .../CWE-129/ImproperArrayIndexValidation.ql | 2 ++ .../CWE/CWE-134/UncontrolledFormatString.ql | 2 ++ .../CWE-170/ImproperNullTerminationTainted.ql | 6 ++++ .../Security/CWE/CWE-190/ArithmeticTainted.ql | 6 ++++ .../CWE/CWE-190/ArithmeticUncontrolled.ql | 6 ++++ .../CWE-190/ArithmeticWithExtremeValues.ql | 6 ++++ .../CWE/CWE-190/IntegerOverflowTainted.ql | 2 ++ .../CWE/CWE-190/TaintedAllocationSize.ql | 6 ++++ .../CWE/CWE-193/InvalidPointerDeref.ql | 6 ++++ .../CWE/CWE-290/AuthenticationBypass.ql | 6 ++++ .../CWE/CWE-295/SSLResultConflation.ql | 7 +++++ .../CWE/CWE-311/CleartextBufferWrite.ql | 6 ++++ .../CWE/CWE-311/CleartextFileWrite.ql | 7 +++++ 
.../CWE/CWE-311/CleartextTransmission.ql | 21 +++++++++++++ .../CWE/CWE-313/CleartextSqliteDatabase.ql | 7 +++++ cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql | 6 ++++ .../CWE/CWE-326/InsufficientKeySize.ql | 6 ++++ .../CWE/CWE-416/IteratorToExpiredContainer.ql | 12 ++++++++ .../CWE/CWE-428/UnsafeCreateProcessCall.ql | 12 ++++++++ .../Security/CWE/CWE-497/ExposedSystemData.ql | 2 ++ .../CWE-497/PotentiallyExposedSystemData.ql | 2 ++ cpp/ql/src/Security/CWE/CWE-611/XXE.ql | 2 ++ .../CWE-732/UnsafeDaclSecurityDescriptor.ql | 12 ++++++++ .../Security/CWE/CWE-807/TaintedCondition.ql | 6 ++++ .../src/Security/CWE/CWE-843/TypeConfusion.ql | 10 +++++++ .../Likely Bugs/ArrayAccessProductFlow.ql | 7 +++++ .../Security/CWE/CWE-078/WordexpTainted.ql | 2 ++ .../CWE-190/AllocMultiplicationOverflow.ql | 2 ++ .../CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 15 ++++++++++ .../CWE/CWE-409/DecompressionBombs.ql | 6 ++++ 53 files changed, 382 insertions(+) diff --git a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll index c98967ed6357..3700c636d87e 100644 --- a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll +++ b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll @@ -127,6 +127,12 @@ module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig { c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"] ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:141: Flow call outside 'select' clause + none() + } } module LiteralAlgorithmTracer = DataFlow::Global; 
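Review bot: The generated TODO pins the blocking flow call by absolute line (`OpenSSL.qll:141`), a pointer that goes stale on the next edit to this file and sends the person re-verifying the `none()` to the wrong place. Since the reference is into this very file, name the thing instead, e.g. `// Not diff-informed: LiteralAlgorithmTracer::flow is consumed by a predicate, not a 'select' clause.` The same line-number style recurs in every `none()` stub of this patch. Keeping `none()` is the safe default here: pruning sources and sinks to the diff range would presumably starve the downstream predicate of flows it needs, without any error to signal it.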
@@ -535,6 +541,12 @@ module KeyGeneration { c.getArgument(sizeInd) = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:557: Flow call outside 'select' clause + none() + } } module AsymExplicitAlgKeyLengthFlow = DataFlow::Global; @@ -574,6 +586,12 @@ module KeyGeneration { c.getArgument(3) = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:598: Flow call outside 'select' clause + none() + } } module Length_to_RSA_EVP_PKEY_Q_keygen_Flow = @@ -622,6 +640,12 @@ module KeyGeneration { isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:689: Flow call outside 'select' clause + none() + } } module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global; @@ -656,6 +680,12 @@ module KeyGeneration { predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) } predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:706: Flow call outside 'select' clause + none() + } } module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow = diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll index 99cd8bfb7fdb..e6495f9a2aa7 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll 
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll @@ -42,6 +42,8 @@ module PrivateCleartextWrite { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } module WriteFlow = TaintTracking::Global; diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll index 4a8ea4ebd43d..44c557584f1c 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll @@ -756,6 +756,12 @@ private module FieldFlow { or node.asExpr().getParent() instanceof ThrowExpr } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll:764: Flow call outside 'select' clause + none() + } } private module Flow = DataFlow::Global; diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll index ff5f3e46e648..3d07d001c5a6 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll @@ -387,6 +387,13 @@ module ProductFlow { predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) } int fieldFlowBranchLimit() { result = Config::fieldFlowBranchLimit1() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:400: Flow call outside 'select' clause + // ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:407: Flow call outside 'select' clause + none() + } } private module Flow1 = DataFlow::GlobalWithState; 
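Review bot: `observeDiffInformedIncrementalMode() { any() }` is switched on in a shared library config (`WriteFlow` is instantiated by whichever queries import this module; none of them is visible in this hunk) with no comment recording why that is sound. Every consumer has to report only the flow's source and sink in its `select`; a consumer that calls `WriteFlow::flow` in a `where` clause or reports a derived expression would silently lose alerts in PR analysis rather than fail loudly. Suggest recording the verification above the predicate, e.g. `// Diff-informed: the consuming query selects only the source and sink of this flow.`, naming the query that was actually checked.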
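Review bot: The Flow1 adapter inside `ProductFlow` hard-codes `none()` rather than forwarding `Config::observeDiffInformedIncrementalMode()`, so as far as this hunk shows, product-flow queries can never be diff-informed regardless of what their own `StateConfigSig` declares. That looks deliberate — the TODO cites two internal flow calls outside any `select`, presumably where Flow1's results seed Flow2 — but the boilerplate "Manually verify" wording suggests it is still open. Replace it with the design decision, e.g. `// Intentionally none(): Flow1 results are consumed internally by ProductFlow, so they cannot be pruned to the diff range.` The enclosing module continues past the hunk, so a matching stub on the Flow2 adapter, if any, is not visible here.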
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll index 83017aec3537..8e1c2374445e 100644 --- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll @@ -142,6 +142,14 @@ private module SizeBarrier { } predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:151: Flow call outside 'select' clause + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:162: Flow call outside 'select' clause + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:211: Flow call outside 'select' clause + none() + } } module SizeBarrierFlow = DataFlow::Global; @@ -330,6 +338,12 @@ private module Config implements ProductFlow::StateConfigSig { predicate isBarrierOut2(DataFlow::Node node) { node = any(DataFlow::SsaPhiNode phi).getAnInput(true) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:377: Flow call outside 'select' clause + none() + } } private module AllocToInvalidPointerFlow = ProductFlow::GlobalWithState; diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll index 03369aacade3..3bf18019293a 100644 
--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll @@ -110,6 +110,12 @@ private module InvalidPointerToDerefBarrier { predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) } int fieldFlowBranchLimit() { result = invalidPointerToDereferenceFieldFlowBranchLimit() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll:129: Flow call outside 'select' clause + none() + } } private module BarrierFlow = DataFlow::Global; diff --git a/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll b/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll index 559ebd444f32..0db3d17a159d 100644 --- a/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll @@ -503,6 +503,12 @@ module BoostorgAsio { not sink.getLocation().getFile().toString().matches("%/boost/asio/%") ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:48: Flow call outside 'select' clause + none() + } } module SslOptionFlow = DataFlow::Global; diff --git a/cpp/ql/src/Critical/MissingCheckScanf.ql b/cpp/ql/src/Critical/MissingCheckScanf.ql index 5d8ce9e88469..71fc45f5ea23 100644 --- a/cpp/ql/src/Critical/MissingCheckScanf.ql +++ b/cpp/ql/src/Critical/MissingCheckScanf.ql 
@@ -60,6 +60,12 @@ module UninitializedToScanfConfig implements ConfigSig { FlowFeature getAFeature() { result instanceof FeatureEqualSourceSinkCallContext } int accessPathLimit() { result = 0 } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Critical/MissingCheckScanf.ql:72: Flow call outside 'select' clause + none() + } } module UninitializedToScanfFlow = Global; @@ -111,6 +117,12 @@ module ScanfToUseConfig implements ConfigSig { // modified, and thus it's safe to later read the value. exists(n.asIndirectArgument()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Critical/MissingCheckScanf.ql:127: Flow call outside 'select' clause + none() + } } module ScanfToUseFlow = Global; diff --git a/cpp/ql/src/Critical/OverflowDestination.ql b/cpp/ql/src/Critical/OverflowDestination.ql index 4cfaaf8981b3..f5c91229dfaf 100644 --- a/cpp/ql/src/Critical/OverflowDestination.ql +++ b/cpp/ql/src/Critical/OverflowDestination.ql @@ -82,6 +82,12 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig { nodeIsBarrierEqualityCandidate(node, access, checkedVar) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Critical/OverflowDestination.ql:93: Column 1 does not select a source or sink originating from the flow call on line 91 + none() + } } module OverflowDestination = TaintTracking::Global; diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql index 7dda356353ed..2a50d0a4f1f8 100644 --- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql +++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql 
@@ -44,6 +44,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig { ) and getFullyConvertedType(node) = state } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql index 62c3c98e197c..513fa247b936 100644 --- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql +++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql @@ -168,6 +168,12 @@ module NonConstFlowConfig implements DataFlow::ConfigSig { cannotContainString(t) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Format/NonConstantFormat.ql:184: Column 5 does not select a source or sink originating from the flow call on line 181 + none() + } } module NonConstFlow = TaintTracking::Global; diff --git a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll index 3cff86412e49..8880c53ad101 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll +++ b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll 
@@ -215,6 +215,17 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:57: Column 1 does not select a source or sink originating from the flow call on line 34 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:57: Column 1 does not select a source or sink originating from the flow call on line 41 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 3 does not select a source or sink originating from the flow call on line 34 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 3 does not select a source or sink originating from the flow call on line 41 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 5 does not select a source or sink originating from the flow call on line 34 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 5 does not select a source or sink originating from the flow call on line 41 + none() + } } module LeapYearCheckFlow = DataFlow::Global; @@ -285,6 +296,13 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C aexpr.getLValue() = fa ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql:21: Column 1 does not select a source or sink originating from the flow call on line 19 + // ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql:23: Column 3 does not select a source or sink originating from the flow call on line 19 + none() + } } module PossibleYearArithmeticOperationCheckFlow = 
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll index ecb60d113d86..40c0f2173d90 100644 --- a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll +++ b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll @@ -141,6 +141,8 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig { gc.controls(node.asExpr().getBasicBlock(), _) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module NetworkToBufferSizeFlow = DataFlow::Global; diff --git a/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql b/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql index f5d1a09d04e9..faac1ebdd9cf 100644 --- a/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql +++ b/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql @@ -28,6 +28,12 @@ module ExistsAnyFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) } predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:43: Flow call outside 'select' clause + none() + } } module ExistsAnyFlow = DataFlow::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll index f0876800874c..6927e5574688 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll 
@@ -51,6 +51,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-020/ExternalAPIs.qll:13: Flow call outside 'select' clause + // ql/src/Security/CWE/CWE-020/ExternalAPIs.qll:16: Flow call outside 'select' clause + none() + } } module UntrustedDataToExternalApiFlow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll index d094439951f2..0663981e88d2 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll @@ -46,6 +46,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll:13: Flow call outside 'select' clause + // ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll:16: Flow call outside 'select' clause + none() + } } module UntrustedDataToExternalApiFlow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql index 94a9cacf9f49..0110dd77f306 100644 --- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql +++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql 
@@ -93,6 +93,12 @@ module TaintedPathConfig implements DataFlow::ConfigSig { // make sinks barriers so that we only report the closest instance isSink(node) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-022/TaintedPath.ql:108: Column 1 selects sink.asIndirectArgument + none() + } } module TaintedPath = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql index f6dd3b6f2126..477aaf6eb34c 100644 --- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql @@ -106,6 +106,12 @@ module ExecStateConfig implements DataFlow::ConfigSig { predicate isBarrierOut(DataFlow::Node node) { isSink(node) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-078/ExecTainted.ql:78: Flow call outside 'select' clause + none() + } } module ExecState = TaintTracking::Global; @@ -136,6 +142,13 @@ module ExecTaintConfig implements DataFlow::StateConfigSig { predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-078/ExecTainted.ql:151: Column 1 does not select a source or sink originating from the flow call on line 147 + // ql/src/Security/CWE/CWE-078/ExecTainted.ql:153: Column 7 does not select a source or sink originating from the flow call on line 147 + none() + } } module ExecTaint = TaintTracking::GlobalWithState; 
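Review bot: Leaving `TaintedPathConfig` at `none()` keeps this CWE-022 query running unpruned in PR analysis, and the only stated blocker is that column 1 of the `select` reports `sink.asIndirectArgument` rather than the sink node itself. If the dataflow library in use lets a config declare which location it reports for a sink, that would be the way to enable diff-informed mode without moving the alert; otherwise the trade-off deserves a real comment, e.g. `// Stays none(): the alert is placed on the indirect argument, which the diff-informed check does not treat as the sink's location.` The `select` itself is outside this hunk, so I could not confirm how the remaining columns are built.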
diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql index 812fe236f764..fdfaafde97a6 100644 --- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql +++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql @@ -39,6 +39,12 @@ module Config implements DataFlow::ConfigSig { or node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-079/CgiXss.ql:51: Column 5 selects source.asIndirectExpr + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql index 2ea1cb024658..c629d8c6777d 100644 --- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql @@ -51,6 +51,12 @@ module SqlTaintedConfig implements DataFlow::ConfigSig { sql.barrierSqlArgument(input, _) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-089/SqlTainted.ql:66: Column 1 does not select a source or sink originating from the flow call on line 63 + none() + } } module SqlTainted = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql index 9672a830ce06..a0689f7dbd22 100644 --- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql +++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql @@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig { or node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = TaintTracking::Global; 
diff --git a/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql b/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql index 1872234ead20..2c418ff90366 100644 --- a/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql +++ b/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql @@ -225,6 +225,14 @@ module StringSizeConfig implements ProductFlow::StateConfigSig { state1 = state2 + delta ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql:251: Flow call outside 'select' clause + // ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql:271: Column 1 does not select a source or sink originating from the flow call on line 265 + // ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql:272: Column 5 does not select a source or sink originating from the flow call on line 265 + none() + } } module StringSizeFlow = ProductFlow::GlobalWithState; diff --git a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql index bbc58874c8ec..9c364c953165 100644 --- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql +++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql @@ -93,6 +93,12 @@ module Config implements DataFlow::ConfigSig { // Block flow if the node is guarded by any <, <= or = operations. node = DataFlow::BarrierGuard::getABarrierNode() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-120/UnboundedWrite.ql:121: Column 1 does not select a source or sink originating from the flow call on line 118 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql index b5dc4d893b21..17c1b09c3e68 100644 
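Review bot: `StringSizeConfig` implements `ProductFlow::StateConfigSig`, and nothing in this hunk shows that signature or the ProductFlow adapters consulting `observeDiffInformedIncrementalMode()`, so this `none()` stub may be dead code that only records intent. If ProductFlow does not forward the predicate, the three TODO lines give the misleading impression that flipping it to `any()` would change anything. Suggest either confirming that `ProductFlow::StateConfigSig` declares the predicate, or rewording to `// No-op unless ProductFlow forwards this predicate; kept to record that the select reports non-endpoint columns.`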
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql +++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql @@ -66,6 +66,8 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig { not offsetIsAlwaysInBounds(arrayExpr, offsetExpr) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module ImproperArrayIndexValidation = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql index f4a716765b8a..007bbf2d53ef 100644 --- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql +++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql @@ -44,6 +44,8 @@ module Config implements DataFlow::ConfigSig { or isArithmeticNonCharType(node.asInstruction().(StoreInstruction).getResultType()) } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql index e1e459c259f1..32ccbd8afb32 100644 --- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql @@ -43,6 +43,12 @@ private module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql:55: Column 1 does not select a source or sink originating from the flow call on line 52 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql index 810039f4e1a4..6c9503dc95c2 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql 
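Review bot: Enabling `any()` opts this CWE-134 taint query into pruning by diff range, which, as I understand the mode, keeps only flows whose source or sink intersects the changed lines. A PR that weakens a barrier (the `isArithmeticNonCharType` check just above, or a sanitizer removed from the analysed code) without touching a source or sink would then raise no new alert in PR analysis; that is inherent to the mode but worth one line so nobody reads silence as a clean bill. E.g. `// Diff-informed: only flows with a source or sink in the diff are reported; barrier-only changes are not.` The hunk shows no `select`, so I am taking the tooling's check of the query's columns at face value.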
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql @@ -104,6 +104,12 @@ module Config implements DataFlow::ConfigSig { not iTo instanceof PointerArithmeticInstruction ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql:118: Column 1 does not select a source or sink originating from the flow call on line 114 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql index 54c3b013471a..ce92414afae5 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql @@ -120,6 +120,12 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig { // block unintended flow to pointers node.asExpr().getUnspecifiedType() instanceof PointerType } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql:139: Column 5 does not select a source or sink originating from the flow call on line 134 + none() + } } module UncontrolledArith = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql index 15fd2cbca15f..4c7efa462aea 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql 
@@ -113,6 +113,12 @@ module Config implements DataFlow::ConfigSig { not iTo instanceof PointerArithmeticInstruction ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql:126: Column 1 does not select a source or sink originating from the flow call on line 122 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql index 8e6bbefbaace..6ff06d355b9b 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql @@ -94,6 +94,8 @@ module Config implements DataFlow::ConfigSig { not iTo instanceof PointerArithmeticInstruction ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql index 93494987360d..8ebf380b08de 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql @@ -85,6 +85,12 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig { // to duplicate results) any(HeuristicAllocationFunction f).getAParameter() = node.asParameter() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql:99: Column 1 does not select a source or sink originating from the flow call on line 97 + none() + } } module TaintedAllocationSize = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql index d53266424026..9fdd1aae3d9c 100644 
--- a/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql +++ b/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql @@ -122,6 +122,12 @@ module FinalConfig implements DataFlow::StateConfigSig { operationIsOffBy(_, pai, _, node1, _, node2, _) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql:142: Flow call outside 'select' clause + none() + } } module FinalFlow = DataFlow::GlobalWithState; diff --git a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql index ada0180668e0..19ae8ec933ff 100644 --- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql +++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql @@ -72,6 +72,12 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSource(source, _) } predicate isSink(DataFlow::Node sink) { isSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql:86: Column 1 does not select a source or sink originating from the flow call on line 84 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql index 8a3c2f3664d6..a23719a25fe7 100644 --- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql +++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql 
@@ -31,6 +31,13 @@ module VerifyResultConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-295/SSLResultConflation.ql:48: Column 1 does not select a source or sink originating from the flow call on line 42
+ // ql/src/Security/CWE/CWE-295/SSLResultConflation.ql:48: Column 1 does not select a source or sink originating from the flow call on line 43
+ none()
+ }
 }
 
 module VerifyResult = DataFlow::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
index f2754c5811f0..b5ff3f01ceb2 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -47,6 +47,12 @@ module ToBufferConfig implements DataFlow::ConfigSig {
 }
 
 predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql:65: Column 1 does not select a source or sink originating from the flow call on line 62
+ none()
+ }
 }
 
 module ToBufferFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
index c04ceae7adad..72cf9b904be7 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -31,6 +31,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql:87: Column 1 does not select a source or sink originating from the flow call on line 84
+ // ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql:88: Column 5 does not select a source or sink originating from the flow call on line 84
+ none()
+ }
 }
 
 module FromSensitiveFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
index 09db3f216029..745a83605fe1 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -245,6 +245,14 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
 // sources to not get path duplication.
 isSource(node)
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:256: Flow call outside 'select' clause
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:279: Flow call outside 'select' clause
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 1 does not select a source or sink originating from the flow call on line 293
+ none()
+ }
 }
 
 module FromSensitiveFlow = TaintTracking::Global;
@@ -266,6 +274,12 @@ module ToEncryptionConfig implements DataFlow::ConfigSig {
 // sources to not get path duplication.
 isSource(node)
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 1 does not select a source or sink originating from the flow call on line 296
+ none()
+ }
 }
 
 module ToEncryptionFlow = TaintTracking::Global;
@@ -281,6 +295,13 @@ module FromEncryptionConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 1 does not select a source or sink originating from the flow call on line 297
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 5 does not select a source or sink originating from the flow call on line 297
+ none()
+ }
 }
 
 module FromEncryptionFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
index 0c060befeff5..483ffc8e9e6a 100644
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -123,6 +123,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
 content.(DataFlow::FieldContent).getField() = getRecField(t.stripType())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql:137: Column 1 does not select a source or sink originating from the flow call on line 134
+ // ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql:138: Column 5 does not select a source or sink originating from the flow call on line 134
+ none()
+ }
 }
 
 module FromSensitiveFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
index 423ed57dd98f..8be587272152 100644
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -87,6 +87,12 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
 sink.asIndirectExpr() = fc.getArgument(3)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-319/UseOfHttp.ql:98: Column 1 selects source.asIndirectExpr
+ none()
+ }
 }
 
 module HttpStringToUrlOpen = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
index 3cc10b7ad19c..7efc0516446f 100644
--- a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -44,6 +44,12 @@ module KeyStrengthFlowConfig implements DataFlow::ConfigSig {
 exists(getMinimumKeyStrength(name, param))
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql:62: Column 1 does not select a source or sink originating from the flow call on line 55
+ none()
+ }
 }
 
 module KeyStrengthFlow = DataFlow::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql b/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
index 11d628c1affa..a0076970b06d 100644
--- a/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
@@ -90,6 +90,12 @@ module Config0 implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { qualifierToDestroyed(_, source) }
 
 predicate isSink(DataFlow::Node sink) { destroyedToBeginSink(sink) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql:113: Flow call outside 'select' clause
+ none()
+ }
 }
 
 module Flow0 = DataFlow::Global;
@@ -145,6 +151,12 @@ module Config implements DataFlow::StateConfigSig {
 // ```
 result instanceof DataFlow::FeatureHasSinkCallContext
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql:157: Column 1 does not select a source or sink originating from the flow call on line 154
+ none()
+ }
 }
 
 module Flow = DataFlow::GlobalWithState;
diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
index 2703f819b546..13f71306f1a3 100644
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -62,6 +62,12 @@ module NullAppNameCreateProcessFunctionConfig implements DataFlow::ConfigSig {
 val = call.getArgument(call.getApplicationNameArgumentId())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql:111: Column 1 does not select a source or sink originating from the flow call on line 101
+ none()
+ }
 }
 
 module NullAppNameCreateProcessFunction = DataFlow::Global;
@@ -82,6 +88,12 @@ module QuotedCommandInCreateProcessFunctionConfig implements DataFlow::ConfigSig
 val = call.getArgument(call.getCommandLineArgumentId())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql:111: Column 1 does not select a source or sink originating from the flow call on line 106
+ none()
+ }
 }
 
 module QuotedCommandInCreateProcessFunction =
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
index 5a6b50675e80..121595e61b0b 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -34,6 +34,8 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ExposedSystemData = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
index f3c9ca189b94..2a22f122ca51 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -54,6 +54,8 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PotentiallyExposedSystemData = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
index 56a74d2f70b5..ba09e797491b 100644
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -45,6 +45,8 @@ module XxeConfig implements DataFlow::StateConfigSig {
 }
 
 predicate neverSkip(DataFlow::Node node) { none() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module XxeFlow = DataFlow::GlobalWithState;
diff --git a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
index 5ed30e19bb32..a8d7ff111f9c 100644
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -37,6 +37,12 @@ module NullDaclConfig implements DataFlow::ConfigSig {
 val = call.getArgument(2)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql:94: Column 1 does not select a source or sink originating from the flow call on line 91
+ none()
+ }
 }
 
 module NullDaclFlow = DataFlow::Global;
@@ -68,6 +74,12 @@ module NonNullDaclConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(SetSecurityDescriptorDaclFunctionCall call | sink.asExpr() = call.getArgument(2))
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql:94: Column 1 does not select a source or sink originating from the flow call on line 92
+ none()
+ }
 }
 
 module NonNullDaclFlow = DataFlow::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
index 7eaa5df849d4..d06bf91ac584 100644
--- a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
@@ -65,6 +65,12 @@ module Config implements DataFlow::ConfigSig {
 iFrom1 != iFrom2
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-807/TaintedCondition.ql:88: Column 7 does not select a source or sink originating from the flow call on line 86
+ none()
+ }
 }
 
 module Flow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql b/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
index 18a331f9c321..26fdc4d769f0 100644
--- a/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
@@ -220,6 +220,16 @@ module Config implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(UnsafeCast cast).getUnconverted() }
 
 int fieldFlowBranchLimit() { result = 0 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:229: Flow call outside 'select' clause
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:262: Column 5 does not select a source or sink originating from the flow call on line 250
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:262: Column 5 does not select a source or sink originating from the flow call on line 260
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:263: Column 7 does not select a source or sink originating from the flow call on line 250
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:263: Column 7 does not select a source or sink originating from the flow call on line 260
+ none()
+ }
 }
 
 module Flow = DataFlow::Global;
diff --git a/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
index ffb9362417e1..5d3890605571 100644
--- a/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
+++ b/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
@@ -59,6 +59,13 @@ module ArraySizeConfig implements ProductFlow::ConfigSig {
 )
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql:83: Column 1 does not select a source or sink originating from the flow call on line 81
+ // ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql:84: Column 7 does not select a source or sink originating from the flow call on line 81
+ none()
+ }
 }
 
 module ArraySizeFlow = ProductFlow::Global;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
index d5b7b97c136f..cfe04ba23bfa 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -48,6 +48,8 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WordexpTaint = TaintTracking::Global;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
index 00cf017297ff..397a0325d777 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -30,6 +30,8 @@ module MultToAllocConfig implements DataFlow::ConfigSig {
 // something that affects an allocation size
 node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MultToAlloc = DataFlow::Global;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
index c38a012b27bf..27d27b5e6af9 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -123,6 +123,13 @@ module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
 predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
 
 predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink1(sink, _, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:132: Flow call outside 'select' clause
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:167: Flow call outside 'select' clause
+ none()
+ }
 }
 
 module PointerArithmeticToDerefFlow = DataFlow::Global;
@@ -183,6 +190,14 @@ module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig {
 pointerArithOverflow(pai, _)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:199: Column 1 does not select a source or sink originating from the flow call on line 194
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:201: Column 5 does not select a source or sink originating from the flow call on line 194
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:201: Column 7 does not select a source or sink originating from the flow call on line 194
+ none()
+ }
 }
 
 module ArrayAddressToDerefFlow = DataFlow::GlobalWithState;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
index bfa11e65b067..96a69109b8e6 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
@@ -28,6 +28,12 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(DecompressionFlowStep s).isAdditionalFlowStep(node1, node2)
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql:39: Column 5 does not select a source or sink originating from the flow call on line 38
+ none()
+ }
 }
 
 module DecompressionTaint = TaintTracking::Global;