github · asgerf · Dec 20, 2024
@@ -231,6 +231,12 @@ module StringOps {
           call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"])
         )
       }
+
+      predicate observeDiffInformedIncrementalMode() {
+        // TODO(diff-informed): Manually verify if config can be diff-informed.
+        // go/ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause
+        none()
+      }
     }
 
     /**

@@ -19,6 +19,12 @@ module AllocationSizeOverflow {
     predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) }
 
     predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll:30: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /**
@@ -56,6 +62,8 @@ module AllocationSizeOverflow {
         succ = c
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow to find allocation-size overflows. */

@@ -46,6 +46,8 @@ module CleartextLogging {
       // Also exclude protobuf field fetches, since they amount to single field reads.
       not any(Protobuf::GetMethod gm).taintStep(src, trg)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

@@ -24,6 +24,8 @@ module CommandInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
@@ -80,6 +82,8 @@ module CommandInjection {
       node instanceof Sanitizer or
       node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

@@ -186,6 +186,13 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/lib/semmle/go/security/ExternalAPIs.qll:210: Flow call outside 'select' clause
+    // go/ql/lib/semmle/go/security/ExternalAPIs.qll:213: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
@@ -197,6 +204,8 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -30,6 +30,8 @@ module HardcodedCredentials {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about hardcoded credentials. */

@@ -440,6 +440,8 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
     state2 = node2.(FlowStateTransformer).transform(state1) and
     DataFlow::simpleLocalFlowStep(node1, node2, _)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -39,6 +39,8 @@ module InsecureRandomness {
         n2.getType() instanceof IntegerType
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

@@ -21,6 +21,13 @@ module LogInjection {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:140: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /** Tracks taint flow for reasoning about log injection vulnerabilities. */

@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck {
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about JWT vulnerabilities. */
@@ -36,6 +38,12 @@ module MissingJwtSignatureCheck {
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll:18: Flow call outside 'select' clause
+      none()
+    }
   }
 
   private module SafeParse = TaintTracking::Global<SafeParseConfig>;

@@ -54,6 +54,8 @@ module OpenUrlRedirect {
       or
       hostnameSanitizingPrefixEdge(node, _)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow from unvalidated, untrusted data to URL redirections. */

@@ -22,6 +22,8 @@ module ReflectedXss {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow from untrusted data to XSS attack vectors. */

@@ -31,6 +31,8 @@ module RequestForgery {
         w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow from untrusted data to request forgery attack vectors. */

@@ -36,6 +36,8 @@ module SafeUrlFlow {
       or
       node instanceof SanitizerEdge
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about safe URLs. */

@@ -23,6 +23,8 @@ module SqlInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */

@@ -26,6 +26,8 @@ module StoredCommand {
     predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about command-injection vulnerabilities. */

@@ -22,6 +22,8 @@ module StoredXss {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about XSS. */

@@ -26,6 +26,8 @@ module StringBreak {
     predicate isBarrier(DataFlow::Node node, FlowState state) {
       state = node.(Sanitizer).getQuote()
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

@@ -17,6 +17,8 @@ module TaintedPath {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about path-traversal vulnerabilities. */

@@ -27,6 +27,16 @@ module UncontrolledAllocationSize {
         node2 = cn.getResult(0)
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:114: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:139: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:140: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /** Tracks taint flow for reasoning about uncontrolled allocation size issues. */

@@ -20,6 +20,12 @@ module UnsafeUnzipSymlink {
     predicate isSink(DataFlow::Node sink) { sink instanceof EvalSymlinksSink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof EvalSymlinksInvalidator }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll:35: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /**
@@ -44,6 +50,8 @@ module UnsafeUnzipSymlink {
     predicate isSink(DataFlow::Node sink) { sink instanceof SymlinkSink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

@@ -19,6 +19,8 @@ module XPathInjection {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

@@ -17,6 +17,8 @@ module ZipSlip {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about zip-slip vulnerabilities. */

@@ -127,6 +127,8 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -103,6 +103,8 @@ module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     StringOps::Concatenation::taintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = DataFlow::Global<IncompleteHostNameRegexpConfig>;

@@ -72,6 +72,8 @@ module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isSourceString(source, _) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = DataFlow::Global<Config>;

@@ -40,6 +40,8 @@ module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isSourceString(source, _) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -62,6 +62,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
       cgn.dominates(node.getBasicBlock())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -68,6 +68,13 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:90: Flow call outside 'select' clause
+    // go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:96: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**

@@ -25,6 +25,8 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node = DataFlow::BarrierGuard<comparisonBarrierGuard/3>::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -71,6 +71,13 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { intIsSource(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/src/Security/CWE-327/InsecureTLS.ql:87: Flow call outside 'select' clause
+    // go/ql/src/Security/CWE-327/InsecureTLS.ql:128: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
@@ -201,6 +208,12 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig {
    * suites.
    */
   predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/src/Security/CWE-327/InsecureTLS.ql:221: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
-Original file line number
+Diff line change
@@ Expand Up / @@ -46,6 +46,8 @@ module CleartextLogging { @@
           // Also exclude protobuf field fetches, since they amount to single field reads.
           not any(Protobuf::GetMethod gm).taintStep(src, trg)
         }
+        predicate observeDiffInformedIncrementalMode() { any() }
       }
       /**
@@ Expand Down @@