From afec8b3153c7b564c1e73a971ba3121ecd1c3688 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Tue, 3 Jun 2025 20:29:58 +0200
Subject: [PATCH 1/2] Swift: mass enable diff-informed data flow

An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on https://github.com/github/codeql/pull/18343 and https://github.com/github/codeql-patch/pull/88
---
 swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll | 2 ++
 .../ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll | 2 ++
 .../lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll | 2 ++
 .../codeql/swift/security/InsufficientHashIterationsQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll | 2 ++
 .../codeql/swift/security/StaticInitializationVectorQuery.qll | 2 ++
 .../lib/codeql/swift/security/StringLengthConflationQuery.qll | 2 ++
 .../lib/codeql/swift/security/UncontrolledFormatStringQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll | 2 ++
 .../lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll | 2 ++
 swift/ql/lib/codeql/swift/security/XXEQuery.qll | 2 ++
 .../ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll | 2 ++
 21 files changed, 42 insertions(+)
diff --git a/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll
index 740fccefe974..40010eba649a 100644
--- a/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll
@@ -25,6 +25,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
 any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll
index 3952d7a89b11..42e9b68328f5 100644
--- a/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll
@@ -28,6 +28,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {
 // make sources barriers so that we only report the closest instance
 isSource(node)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
index 10dbc1377260..ebeb9c4b6f46 100644
--- a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
@@ -23,6 +23,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll b/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll
index 7f6475a6ee49..91d46b764df5 100644
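Review bot: The added `predicate observeDiffInformedIncrementalMode() { any() }` in `CleartextLoggingConfig` opts the query into diff-restricted sources and sinks without recording why that is safe for this configuration, and the same undocumented line is added in the other twenty hunks of this patch (CleartextTransmission through RegexInjection). The opt-in is only sound when the query's `select` reports the source and sink nodes themselves; if an alert is placed on some other element, `getASelectedSourceLocation`/`getASelectedSinkLocation` would presumably need an override, otherwise alerts on changed code can be silently dropped in pull-request scans. The `select` clauses are not visible in these hunks, and PATCH 2/2 already backs the change out for `InsecureTlsConfig` after test failures, so the "obvious case" assumption is worth confirming per query rather than by generation alone. I would put a comment above each added predicate, e.g. `// Diff-informed: alerts are reported at the source/sink node locations, so no getASelected*Location override is needed.` The module body starts above the hunk.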
--- a/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll
@@ -38,6 +38,8 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module ConstantPasswordFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll b/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll
index e9b91d235700..68c1e6ef17a4 100644
--- a/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll
@@ -39,6 +39,8 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module ConstantSaltFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll b/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll
index 133e7d6c2cde..a9463937555e 100644
--- a/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll
@@ -22,6 +22,8 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(EcbEncryptionAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module EcbEncryptionFlow = DataFlow::Global;
diff --git a/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll b/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll
index 9e0cb16b7c6e..5eb379f248a0 100644
--- a/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll
@@ -46,6 +46,8 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module HardcodedKeyFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
index 769c385d4d66..a5c857e573bc 100644
--- a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
@@ -21,6 +21,8 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module InsecureTlsFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll b/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll
index 122d5b2b0d88..0a7fea3d3c53 100644
--- a/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll
@@ -34,6 +34,8 @@ module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(InsufficientHashIterationsAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module InsufficientHashIterationsFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
index c74dae787ed9..64cf208b878a 100644
--- a/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
@@ -23,6 +23,8 @@ module PathInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(PathInjectionAdditionalFlowStep s).step(node1, node2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll
index 86d043647741..97acbc074bd0 100644
--- a/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll
@@ -22,6 +22,8 @@ module PredicateInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
 any(PredicateInjectionAdditionalFlowStep s).step(n1, n2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll
index 5b5a2c920fe8..8ee164a4c23a 100644
--- a/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll
@@ -23,6 +23,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(SqlInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll b/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll
index 5f281191d993..3c4359e02db0 100644
--- a/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll
@@ -40,6 +40,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(StaticInitializationVectorAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module StaticInitializationVectorFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll b/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll
index 8e608776a20d..eb17306f22f0 100644
--- a/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll
@@ -39,6 +39,8 @@ module StringLengthConflationConfig implements DataFlow::StateConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(StringLengthConflationAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
index 37e40774bf9d..baee65773d65 100644
--- a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
@@ -23,6 +23,8 @@ module TaintedFormatConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(UncontrolledFormatStringAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
index b79219ab6339..92b061b2af40 100644
--- a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
@@ -22,6 +22,8 @@ module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(UnsafeJsEvalAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll
index 59be3a7eb31e..e79bce5ba143 100644
--- a/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll
@@ -24,6 +24,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(UnsafeUnpackAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
index b2ad35c2bf89..6532d8a6a7fe 100644
--- a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
@@ -37,6 +37,8 @@ module WeakPasswordHashingConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(WeakPasswordHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module WeakPasswordHashingFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
index ade9d9f1437d..d38e78a1ded5 100755
--- a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
@@ -38,6 +38,8 @@ module WeakSensitiveDataHashingConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(WeakSensitiveDataHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 module WeakSensitiveDataHashingFlow = TaintTracking::Global;
diff --git a/swift/ql/lib/codeql/swift/security/XXEQuery.qll b/swift/ql/lib/codeql/swift/security/XXEQuery.qll
index 0a16417bd724..afd6c0684524 100644
--- a/swift/ql/lib/codeql/swift/security/XXEQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/XXEQuery.qll
@@ -22,6 +22,8 @@ module XxeConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
 any(XxeAdditionalFlowStep s).step(n1, n2)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
diff --git a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll
index 8fee12442d35..8b5929c40649 100644
--- a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll
@@ -22,6 +22,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(RegexInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
From 2078a34763d2d6f5c518eb04336d6d4bec662edc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 4 Jun 2025 13:38:01 +0200
Subject: [PATCH 2/2] Disable diff-informed on InsecureTLSQuery due to DIFF-INFORMED test failures

---
 swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll | 2 --
 1 file changed, 2 deletions(-)
diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
index a5c857e573bc..769c385d4d66 100644
--- a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
@@ -21,8 +21,6 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
 any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)
 }
-
- predicate observeDiffInformedIncrementalMode() { any() }
 }

 module InsecureTlsFlow = TaintTracking::Global;