From 473a1d377635b2b499a57c2453ad42284e163807 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Thu, 23 Jan 2025 10:19:06 +0100 Subject: [PATCH] C++: mass enable diff-informed data flow --- .../cryptography/modules/OpenSSL.qll | 30 +++++++++++++++++++ .../cpp/security/PrivateCleartextWrite.qll | 2 ++ .../cpp/dataflow/internal/DataFlowUtil.qll | 6 ++++ .../cpp/ir/dataflow/internal/ProductFlow.qll | 7 +++++ .../AllocationToInvalidPointer.qll | 14 +++++++++ .../InvalidPointerToDereference.qll | 6 ++++ .../cpp/security/boostorg/asio/protocols.qll | 6 ++++ cpp/ql/src/Critical/MissingCheckScanf.ql | 12 ++++++++ cpp/ql/src/Critical/OverflowDestination.ql | 6 ++++ .../Conversion/CastArrayPointerArithmetic.ql | 2 ++ .../Likely Bugs/Format/NonConstantFormat.ql | 6 ++++ cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll | 18 +++++++++++ .../Memory Management/NtohlArrayNoBound.qll | 2 ++ .../Protocols/TlsSettingsMisconfiguration.ql | 6 ++++ .../CWE/CWE-020/ExternalAPIsSpecific.qll | 7 +++++ .../CWE/CWE-020/ir/ExternalAPIsSpecific.qll | 7 +++++ .../src/Security/CWE/CWE-022/TaintedPath.ql | 6 ++++ .../src/Security/CWE/CWE-078/ExecTainted.ql | 13 ++++++++ cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql | 6 ++++ cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql | 6 ++++ .../CWE-114/UncontrolledProcessOperation.ql | 2 ++ .../CWE/CWE-119/OverrunWriteProductFlow.ql | 8 +++++ .../Security/CWE/CWE-120/UnboundedWrite.ql | 6 ++++ .../CWE-129/ImproperArrayIndexValidation.ql | 2 ++ .../CWE/CWE-134/UncontrolledFormatString.ql | 2 ++ .../CWE-170/ImproperNullTerminationTainted.ql | 6 ++++ .../Security/CWE/CWE-190/ArithmeticTainted.ql | 6 ++++ .../CWE/CWE-190/ArithmeticUncontrolled.ql | 6 ++++ .../CWE-190/ArithmeticWithExtremeValues.ql | 6 ++++ .../CWE/CWE-190/IntegerOverflowTainted.ql | 2 ++ .../CWE/CWE-190/TaintedAllocationSize.ql | 6 ++++ .../CWE/CWE-193/InvalidPointerDeref.ql | 6 ++++ .../CWE/CWE-290/AuthenticationBypass.ql | 6 ++++ .../CWE/CWE-295/SSLResultConflation.ql | 7 +++++ .../CWE/CWE-311/CleartextBufferWrite.ql | 6 ++++ .../CWE/CWE-311/CleartextFileWrite.ql | 7 +++++ 
.../CWE/CWE-311/CleartextTransmission.ql | 21 +++++++++++++ .../CWE/CWE-313/CleartextSqliteDatabase.ql | 7 +++++ cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql | 6 ++++ .../CWE/CWE-326/InsufficientKeySize.ql | 6 ++++ .../CWE/CWE-416/IteratorToExpiredContainer.ql | 12 ++++++++ .../CWE/CWE-428/UnsafeCreateProcessCall.ql | 12 ++++++++ .../Security/CWE/CWE-497/ExposedSystemData.ql | 2 ++ .../CWE-497/PotentiallyExposedSystemData.ql | 2 ++ cpp/ql/src/Security/CWE/CWE-611/XXE.ql | 2 ++ .../CWE-732/UnsafeDaclSecurityDescriptor.ql | 12 ++++++++ .../Security/CWE/CWE-807/TaintedCondition.ql | 6 ++++ .../src/Security/CWE/CWE-843/TypeConfusion.ql | 10 +++++++ .../Likely Bugs/ArrayAccessProductFlow.ql | 7 +++++ .../Security/CWE/CWE-078/WordexpTainted.ql | 2 ++ .../CWE-190/AllocMultiplicationOverflow.ql | 2 ++ .../CWE/CWE-193/ConstantSizeArrayOffByOne.ql | 15 ++++++++++ .../CWE/CWE-409/DecompressionBombs.ql | 6 ++++ 53 files changed, 382 insertions(+) diff --git a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll index c98967ed6357..3700c636d87e 100644 --- a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll +++ b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll @@ -127,6 +127,12 @@ module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig { c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"] ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:141: Flow call outside 'select' clause + none() + } } module LiteralAlgorithmTracer = DataFlow::Global; 
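Review bot: The TODO added to LiteralAlgorithmTracerConfig cites `OpenSSL.qll:141` as the blocking flow call, but that is presumably pre-patch numbering — this hunk inserts six lines above it, and the next hunk header `@@ -535,6 +541,12 @@` already shows the shift — so the reference is stale the moment the patch lands, and the later citations in this file (557, 598, 689, 706) drift further with every insertion. Whoever comes back to lift the `none()` will be pointed at the wrong line. Prefer naming the consumer rather than a line, e.g. `// TODO(diff-informed): the flow result is used outside a 'select' clause in this file; re-check all consumers before enabling.` The enclosing module body continues outside the hunk.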
@@ -535,6 +541,12 @@ module KeyGeneration { c.getArgument(sizeInd) = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:557: Flow call outside 'select' clause + none() + } } module AsymExplicitAlgKeyLengthFlow = DataFlow::Global; @@ -574,6 +586,12 @@ module KeyGeneration { c.getArgument(3) = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:598: Flow call outside 'select' clause + none() + } } module Length_to_RSA_EVP_PKEY_Q_keygen_Flow = @@ -622,6 +640,12 @@ module KeyGeneration { isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:689: Flow call outside 'select' clause + none() + } } module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global; @@ -656,6 +680,12 @@ module KeyGeneration { predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) } predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/experimental/cryptography/modules/OpenSSL.qll:706: Flow call outside 'select' clause + none() + } } module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow = diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll index 99cd8bfb7fdb..e6495f9a2aa7 100644 --- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll 
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll @@ -42,6 +42,8 @@ module PrivateCleartextWrite { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } module WriteFlow = TaintTracking::Global; diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll index 4a8ea4ebd43d..44c557584f1c 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll @@ -756,6 +756,12 @@ private module FieldFlow { or node.asExpr().getParent() instanceof ThrowExpr } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll:764: Flow call outside 'select' clause + none() + } } private module Flow = DataFlow::Global; diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll index ff5f3e46e648..3d07d001c5a6 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll @@ -387,6 +387,13 @@ module ProductFlow { predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) } int fieldFlowBranchLimit() { result = Config::fieldFlowBranchLimit1() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:400: Flow call outside 'select' clause + // ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:407: Flow call outside 'select' clause + none() + } } private module Flow1 = DataFlow::GlobalWithState; 
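Review bot: `observeDiffInformedIncrementalMode() { any() }` is added to a library configuration with no comment, while every `none()` inserted by this patch records its reason; a reader cannot tell whether `WriteFlow` was verified or the check was simply skipped, and because this lives in a `.qll`, any query that later reuses `WriteFlow` outside a select clause would presumably inherit the pruning silently. Put the justification next to it, e.g. `// Diff-informed mode is safe here: all consumers select only WriteFlow's source and sink nodes.` If an automated check established this, saying so in the comment is enough. The enclosing `PrivateCleartextWrite` module starts outside the hunk.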
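Review bot: The internal `Flow1` config hard-codes `observeDiffInformedIncrementalMode() { none() }` instead of consulting the outer `Config`, so the same predicate that this patch adds to `ProductFlow::StateConfigSig` implementers (the `Config` module in AllocationToInvalidPointer.qll and `StringSizeConfig` in OverrunWriteProductFlow.qll) appears to have no effect on the actual flow computation, at least as far as this hunk shows. If that is deliberate — the TODO says Flow1's result is consumed inside ProductFlow rather than in a select clause — record it so the outer TODOs are not misread as actionable, e.g. `// Intentionally none(): the inner flow is an implementation detail; diff-informed pruning must be decided on the combined product result.` Otherwise forward it with `predicate observeDiffInformedIncrementalMode() { Config::observeDiffInformedIncrementalMode() }` once the signature declares it. The rest of the `ProductFlow` module is outside the hunk.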
diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll index 83017aec3537..8e1c2374445e 100644 --- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll @@ -142,6 +142,14 @@ private module SizeBarrier { } predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:151: Flow call outside 'select' clause + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:162: Flow call outside 'select' clause + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:211: Flow call outside 'select' clause + none() + } } module SizeBarrierFlow = DataFlow::Global; @@ -330,6 +338,12 @@ private module Config implements ProductFlow::StateConfigSig { predicate isBarrierOut2(DataFlow::Node node) { node = any(DataFlow::SsaPhiNode phi).getAnInput(true) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:377: Flow call outside 'select' clause + none() + } } private module AllocToInvalidPointerFlow = ProductFlow::GlobalWithState; diff --git a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll index 03369aacade3..3bf18019293a 100644 
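Review bot: This `observeDiffInformedIncrementalMode()` is declared on a `ProductFlow::StateConfigSig` implementation, but the ProductFlow.qll hunk in the same patch shows the inner `Flow1` config answering `none()` unconditionally rather than reading the outer config; unless the signature wires it through somewhere not visible here, flipping this predicate to `any()` would change nothing and the TODO would mislead whoever tries. Either drop the predicate from product-flow configs until ProductFlow forwards it, or annotate it: `// NOTE: ProductFlow's inner configs currently fix this to none(); this value is inert until ProductFlow forwards it.` The `Config` module starts before the hunk.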
--- a/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll @@ -110,6 +110,12 @@ private module InvalidPointerToDerefBarrier { predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) } int fieldFlowBranchLimit() { result = invalidPointerToDereferenceFieldFlowBranchLimit() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll:129: Flow call outside 'select' clause + none() + } } private module BarrierFlow = DataFlow::Global; diff --git a/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll b/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll index 559ebd444f32..0db3d17a159d 100644 --- a/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll +++ b/cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll @@ -503,6 +503,12 @@ module BoostorgAsio { not sink.getLocation().getFile().toString().matches("%/boost/asio/%") ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:48: Flow call outside 'select' clause + none() + } } module SslOptionFlow = DataFlow::Global; diff --git a/cpp/ql/src/Critical/MissingCheckScanf.ql b/cpp/ql/src/Critical/MissingCheckScanf.ql index 5d8ce9e88469..71fc45f5ea23 100644 --- a/cpp/ql/src/Critical/MissingCheckScanf.ql +++ b/cpp/ql/src/Critical/MissingCheckScanf.ql 
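Review bot: The TODO on `SslOptionFlow`'s config justifies its `none()` by pointing at `ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:48` — a library documenting itself by a line number in one of its consumers, which this very patch shifts (six lines are inserted above line 48 in that query) and which says nothing about any other user of `BoostorgAsio::SslOptionFlow`. As written, the `none()` can neither be verified nor safely lifted from this file. Name the consumer and the condition instead: `// TODO(diff-informed): TlsSettingsMisconfiguration.ql uses this flow outside its select clause; audit every consumer of SslOptionFlow before enabling.` The enclosing `BoostorgAsio` module starts and ends outside the hunk.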
@@ -60,6 +60,12 @@ module UninitializedToScanfConfig implements ConfigSig { FlowFeature getAFeature() { result instanceof FeatureEqualSourceSinkCallContext } int accessPathLimit() { result = 0 } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Critical/MissingCheckScanf.ql:72: Flow call outside 'select' clause + none() + } } module UninitializedToScanfFlow = Global; @@ -111,6 +117,12 @@ module ScanfToUseConfig implements ConfigSig { // modified, and thus it's safe to later read the value. exists(n.asIndirectArgument()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Critical/MissingCheckScanf.ql:127: Flow call outside 'select' clause + none() + } } module ScanfToUseFlow = Global; diff --git a/cpp/ql/src/Critical/OverflowDestination.ql b/cpp/ql/src/Critical/OverflowDestination.ql index 4cfaaf8981b3..f5c91229dfaf 100644 --- a/cpp/ql/src/Critical/OverflowDestination.ql +++ b/cpp/ql/src/Critical/OverflowDestination.ql @@ -82,6 +82,12 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig { nodeIsBarrierEqualityCandidate(node, access, checkedVar) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Critical/OverflowDestination.ql:93: Column 1 does not select a source or sink originating from the flow call on line 91 + none() + } } module OverflowDestination = TaintTracking::Global; diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql index 7dda356353ed..2a50d0a4f1f8 100644 --- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql +++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql 
@@ -44,6 +44,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig { ) and getFullyConvertedType(node) = state } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql index 62c3c98e197c..513fa247b936 100644 --- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql +++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql @@ -168,6 +168,12 @@ module NonConstFlowConfig implements DataFlow::ConfigSig { cannotContainString(t) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Format/NonConstantFormat.ql:184: Column 5 does not select a source or sink originating from the flow call on line 181 + none() + } } module NonConstFlow = TaintTracking::Global; diff --git a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll index 3cff86412e49..8880c53ad101 100644 --- a/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll +++ b/cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll 
@@ -215,6 +215,17 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(ChecksForLeapYearFunctionCall fc | sink.asExpr() = fc.getAnArgument()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:57: Column 1 does not select a source or sink originating from the flow call on line 34 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:57: Column 1 does not select a source or sink originating from the flow call on line 41 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 3 does not select a source or sink originating from the flow call on line 34 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 3 does not select a source or sink originating from the flow call on line 41 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 5 does not select a source or sink originating from the flow call on line 34 + // ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql:59: Column 5 does not select a source or sink originating from the flow call on line 41 + none() + } } module LeapYearCheckFlow = DataFlow::Global; @@ -285,6 +296,13 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C aexpr.getLValue() = fa ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql:21: Column 1 does not select a source or sink originating from the flow call on line 19 + // ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql:23: Column 3 does not select a source or sink originating from the flow call on line 19 + none() + } } module PossibleYearArithmeticOperationCheckFlow = 
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll index ecb60d113d86..40c0f2173d90 100644 --- a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll +++ b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll @@ -141,6 +141,8 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig { gc.controls(node.asExpr().getBasicBlock(), _) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module NetworkToBufferSizeFlow = DataFlow::Global; diff --git a/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql b/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql index f5d1a09d04e9..faac1ebdd9cf 100644 --- a/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql +++ b/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql @@ -28,6 +28,12 @@ module ExistsAnyFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) } predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:43: Flow call outside 'select' clause + none() + } } module ExistsAnyFlow = DataFlow::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll index f0876800874c..6927e5574688 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll 
@@ -51,6 +51,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-020/ExternalAPIs.qll:13: Flow call outside 'select' clause + // ql/src/Security/CWE/CWE-020/ExternalAPIs.qll:16: Flow call outside 'select' clause + none() + } } module UntrustedDataToExternalApiFlow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll index d094439951f2..0663981e88d2 100644 --- a/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll +++ b/cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIsSpecific.qll @@ -46,6 +46,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll:13: Flow call outside 'select' clause + // ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll:16: Flow call outside 'select' clause + none() + } } module UntrustedDataToExternalApiFlow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql index 94a9cacf9f49..0110dd77f306 100644 --- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql +++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql 
@@ -93,6 +93,12 @@ module TaintedPathConfig implements DataFlow::ConfigSig { // make sinks barriers so that we only report the closest instance isSink(node) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-022/TaintedPath.ql:108: Column 1 selects sink.asIndirectArgument + none() + } } module TaintedPath = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql index f6dd3b6f2126..477aaf6eb34c 100644 --- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql @@ -106,6 +106,12 @@ module ExecStateConfig implements DataFlow::ConfigSig { predicate isBarrierOut(DataFlow::Node node) { isSink(node) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-078/ExecTainted.ql:78: Flow call outside 'select' clause + none() + } } module ExecState = TaintTracking::Global; @@ -136,6 +142,13 @@ module ExecTaintConfig implements DataFlow::StateConfigSig { predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) // Prevent duplicates along a call chain, since `shellCommand` will include wrappers } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-078/ExecTainted.ql:151: Column 1 does not select a source or sink originating from the flow call on line 147 + // ql/src/Security/CWE/CWE-078/ExecTainted.ql:153: Column 7 does not select a source or sink originating from the flow call on line 147 + none() + } } module ExecTaint = TaintTracking::GlobalWithState; 
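Review bot: The reason recorded for leaving TaintedPath on `none()` — `Column 1 selects sink.asIndirectArgument` — is a different kind of blocker from the others: the flow is consumed only in the select clause, but the reported location is the indirect argument expression rather than the sink node, so presumably the mode would compare against the wrong location if enabled as-is. That makes this an enabling candidate rather than a genuinely blocked config, and the TODO should say so to avoid it being lumped with the library cases: `// TODO(diff-informed): the only blocker is that the select reports sink.asIndirectArgument() rather than the sink node; enable once the selected sink location is accounted for.` CgiXss (`source.asIndirectExpr`) is in the same situation. The `TaintedPathConfig` module starts outside the hunk.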
diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql index 812fe236f764..fdfaafde97a6 100644 --- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql +++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql @@ -39,6 +39,12 @@ module Config implements DataFlow::ConfigSig { or node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-079/CgiXss.ql:51: Column 5 selects source.asIndirectExpr + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql index 2ea1cb024658..c629d8c6777d 100644 --- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql @@ -51,6 +51,12 @@ module SqlTaintedConfig implements DataFlow::ConfigSig { sql.barrierSqlArgument(input, _) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-089/SqlTainted.ql:66: Column 1 does not select a source or sink originating from the flow call on line 63 + none() + } } module SqlTainted = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql index 9672a830ce06..a0689f7dbd22 100644 --- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql +++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql @@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig { or node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = TaintTracking::Global; 
diff --git a/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql b/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql index 1872234ead20..2c418ff90366 100644 --- a/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql +++ b/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql @@ -225,6 +225,14 @@ module StringSizeConfig implements ProductFlow::StateConfigSig { state1 = state2 + delta ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql:251: Flow call outside 'select' clause + // ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql:271: Column 1 does not select a source or sink originating from the flow call on line 265 + // ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql:272: Column 5 does not select a source or sink originating from the flow call on line 265 + none() + } } module StringSizeFlow = ProductFlow::GlobalWithState; diff --git a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql index bbc58874c8ec..9c364c953165 100644 --- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql +++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql @@ -93,6 +93,12 @@ module Config implements DataFlow::ConfigSig { // Block flow if the node is guarded by any <, <= or = operations. node = DataFlow::BarrierGuard::getABarrierNode() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-120/UnboundedWrite.ql:121: Column 1 does not select a source or sink originating from the flow call on line 118 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql index b5dc4d893b21..17c1b09c3e68 100644 
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql +++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql @@ -66,6 +66,8 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig { not offsetIsAlwaysInBounds(arrayExpr, offsetExpr) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module ImproperArrayIndexValidation = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql index f4a716765b8a..007bbf2d53ef 100644 --- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql +++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql @@ -44,6 +44,8 @@ module Config implements DataFlow::ConfigSig { or isArithmeticNonCharType(node.asInstruction().(StoreInstruction).getResultType()) } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql index e1e459c259f1..32ccbd8afb32 100644 --- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql @@ -43,6 +43,12 @@ private module Config implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { isSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql:55: Column 1 does not select a source or sink originating from the flow call on line 52 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql index 810039f4e1a4..6c9503dc95c2 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql 
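Review bot: The bare `any()` turned on here for UncontrolledFormatString (and likewise for ImproperArrayIndexValidation just above) changes what an incremental scan of a C++ repository reports for CWE-134/CWE-129, yet carries no note about the trade-off. The TODO messages elsewhere in this patch imply the mode keys on the selected source and sink; if that is right, a change that only removes a sanitizing step between an unchanged source and an unchanged sink would not surface in diff-informed runs, which is exactly the kind of regression these queries exist to catch. Record that where the mode is enabled, e.g. `// Diff-informed: incremental scans consider only sources/sinks touched by the diff; removed barriers between unchanged endpoints still need a full scan.` The semantics of the mode are not shown in this patch, so confirm the wording against the data-flow library before committing it.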
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql @@ -104,6 +104,12 @@ module Config implements DataFlow::ConfigSig { not iTo instanceof PointerArithmeticInstruction ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql:118: Column 1 does not select a source or sink originating from the flow call on line 114 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql index 54c3b013471a..ce92414afae5 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql @@ -120,6 +120,12 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig { // block unintended flow to pointers node.asExpr().getUnspecifiedType() instanceof PointerType } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql:139: Column 5 does not select a source or sink originating from the flow call on line 134 + none() + } } module UncontrolledArith = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql index 15fd2cbca15f..4c7efa462aea 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql 
@@ -113,6 +113,12 @@ module Config implements DataFlow::ConfigSig { not iTo instanceof PointerArithmeticInstruction ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql:126: Column 1 does not select a source or sink originating from the flow call on line 122 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql index 8e6bbefbaace..6ff06d355b9b 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql @@ -94,6 +94,8 @@ module Config implements DataFlow::ConfigSig { not iTo instanceof PointerArithmeticInstruction ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql index 93494987360d..8ebf380b08de 100644 --- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql +++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql @@ -85,6 +85,12 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig { // to duplicate results) any(HeuristicAllocationFunction f).getAParameter() = node.asParameter() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql:99: Column 1 does not select a source or sink originating from the flow call on line 97 + none() + } } module TaintedAllocationSize = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql b/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql index d53266424026..9fdd1aae3d9c 100644 
--- a/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql +++ b/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql @@ -122,6 +122,12 @@ module FinalConfig implements DataFlow::StateConfigSig { operationIsOffBy(_, pai, _, node1, _, node2, _) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql:142: Flow call outside 'select' clause + none() + } } module FinalFlow = DataFlow::GlobalWithState; diff --git a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql index ada0180668e0..19ae8ec933ff 100644 --- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql +++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql @@ -72,6 +72,12 @@ module Config implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSource(source, _) } predicate isSink(DataFlow::Node sink) { isSink(sink, _) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql:86: Column 1 does not select a source or sink originating from the flow call on line 84 + none() + } } module Flow = TaintTracking::Global; diff --git a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql index 8a3c2f3664d6..a23719a25fe7 100644 --- a/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql +++ b/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql 
@@ -31,6 +31,13 @@ module VerifyResultConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-295/SSLResultConflation.ql:48: Column 1 does not select a source or sink originating from the flow call on line 42
+ // ql/src/Security/CWE/CWE-295/SSLResultConflation.ql:48: Column 1 does not select a source or sink originating from the flow call on line 43
+ none()
+ }
 }
 module VerifyResult = DataFlow::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
index f2754c5811f0..b5ff3f01ceb2 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -47,6 +47,12 @@ module ToBufferConfig implements DataFlow::ConfigSig {
 }
 predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql:65: Column 1 does not select a source or sink originating from the flow call on line 62
+ none()
+ }
 }
 module ToBufferFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
index c04ceae7adad..72cf9b904be7 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -31,6 +31,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql:87: Column 1 does not select a source or sink originating from the flow call on line 84
+ // ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql:88: Column 5 does not select a source or sink originating from the flow call on line 84
+ none()
+ }
 }
 module FromSensitiveFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
index 09db3f216029..745a83605fe1 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -245,6 +245,14 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
 // sources to not get path duplication.
 isSource(node)
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:256: Flow call outside 'select' clause
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:279: Flow call outside 'select' clause
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 1 does not select a source or sink originating from the flow call on line 293
+ none()
+ }
 }
 module FromSensitiveFlow = TaintTracking::Global;
@@ -266,6 +274,12 @@ module ToEncryptionConfig implements DataFlow::ConfigSig {
 // sources to not get path duplication.
 isSource(node)
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 1 does not select a source or sink originating from the flow call on line 296
+ none()
+ }
 }
 module ToEncryptionFlow = TaintTracking::Global;
@@ -281,6 +295,13 @@ module FromEncryptionConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 1 does not select a source or sink originating from the flow call on line 297
+ // ql/src/Security/CWE/CWE-311/CleartextTransmission.ql:308: Column 5 does not select a source or sink originating from the flow call on line 297
+ none()
+ }
 }
 module FromEncryptionFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
index 0c060befeff5..483ffc8e9e6a 100644
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -123,6 +123,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
 content.(DataFlow::FieldContent).getField() = getRecField(t.stripType())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql:137: Column 1 does not select a source or sink originating from the flow call on line 134
+ // ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql:138: Column 5 does not select a source or sink originating from the flow call on line 134
+ none()
+ }
 }
 module FromSensitiveFlow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
index 423ed57dd98f..8be587272152 100644
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -87,6 +87,12 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
 sink.asIndirectExpr() = fc.getArgument(3)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-319/UseOfHttp.ql:98: Column 1 selects source.asIndirectExpr
+ none()
+ }
 }
 module HttpStringToUrlOpen = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
index 3cc10b7ad19c..7efc0516446f 100644
--- a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -44,6 +44,12 @@ module KeyStrengthFlowConfig implements DataFlow::ConfigSig {
 exists(getMinimumKeyStrength(name, param))
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql:62: Column 1 does not select a source or sink originating from the flow call on line 55
+ none()
+ }
 }
 module KeyStrengthFlow = DataFlow::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql b/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
index 11d628c1affa..a0076970b06d 100644
--- a/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
@@ -90,6 +90,12 @@ module Config0 implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { qualifierToDestroyed(_, source) }
 predicate isSink(DataFlow::Node sink) { destroyedToBeginSink(sink) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql:113: Flow call outside 'select' clause
+ none()
+ }
 }
 module Flow0 = DataFlow::Global;
@@ -145,6 +151,12 @@ module Config implements DataFlow::StateConfigSig {
 // ```
 result instanceof DataFlow::FeatureHasSinkCallContext
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql:157: Column 1 does not select a source or sink originating from the flow call on line 154
+ none()
+ }
 }
 module Flow = DataFlow::GlobalWithState;
diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
index 2703f819b546..13f71306f1a3 100644
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -62,6 +62,12 @@ module NullAppNameCreateProcessFunctionConfig implements DataFlow::ConfigSig {
 val = call.getArgument(call.getApplicationNameArgumentId())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql:111: Column 1 does not select a source or sink originating from the flow call on line 101
+ none()
+ }
 }
 module NullAppNameCreateProcessFunction = DataFlow::Global;
@@ -82,6 +88,12 @@ module QuotedCommandInCreateProcessFunctionConfig implements DataFlow::ConfigSig
 val = call.getArgument(call.getCommandLineArgumentId())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql:111: Column 1 does not select a source or sink originating from the flow call on line 106
+ none()
+ }
 }
 module QuotedCommandInCreateProcessFunction =
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
index 5a6b50675e80..121595e61b0b 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -34,6 +34,8 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module ExposedSystemData = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
index f3c9ca189b94..2a22f122ca51 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -54,6 +54,8 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module PotentiallyExposedSystemData = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
index 56a74d2f70b5..ba09e797491b 100644
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -45,6 +45,8 @@ module XxeConfig implements DataFlow::StateConfigSig {
 }
 predicate neverSkip(DataFlow::Node node) { none() }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module XxeFlow = DataFlow::GlobalWithState;
diff --git a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
index 5ed30e19bb32..a8d7ff111f9c 100644
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -37,6 +37,12 @@ module NullDaclConfig implements DataFlow::ConfigSig {
 val = call.getArgument(2)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql:94: Column 1 does not select a source or sink originating from the flow call on line 91
+ none()
+ }
 }
 module NullDaclFlow = DataFlow::Global;
@@ -68,6 +74,12 @@ module NonNullDaclConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(SetSecurityDescriptorDaclFunctionCall call | sink.asExpr() = call.getArgument(2))
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql:94: Column 1 does not select a source or sink originating from the flow call on line 92
+ none()
+ }
 }
 module NonNullDaclFlow = DataFlow::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
index 7eaa5df849d4..d06bf91ac584 100644
--- a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
@@ -65,6 +65,12 @@ module Config implements DataFlow::ConfigSig {
 iFrom1 != iFrom2
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-807/TaintedCondition.ql:88: Column 7 does not select a source or sink originating from the flow call on line 86
+ none()
+ }
 }
 module Flow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql b/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
index 18a331f9c321..26fdc4d769f0 100644
--- a/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
@@ -220,6 +220,16 @@ module Config implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(UnsafeCast cast).getUnconverted() }
 int fieldFlowBranchLimit() { result = 0 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:229: Flow call outside 'select' clause
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:262: Column 5 does not select a source or sink originating from the flow call on line 250
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:262: Column 5 does not select a source or sink originating from the flow call on line 260
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:263: Column 7 does not select a source or sink originating from the flow call on line 250
+ // ql/src/Security/CWE/CWE-843/TypeConfusion.ql:263: Column 7 does not select a source or sink originating from the flow call on line 260
+ none()
+ }
 }
 module Flow = DataFlow::Global;
diff --git a/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql b/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
index ffb9362417e1..5d3890605571 100644
--- a/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
+++ b/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
@@ -59,6 +59,13 @@ module ArraySizeConfig implements ProductFlow::ConfigSig {
 )
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql:83: Column 1 does not select a source or sink originating from the flow call on line 81
+ // ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql:84: Column 7 does not select a source or sink originating from the flow call on line 81
+ none()
+ }
 }
 module ArraySizeFlow = ProductFlow::Global;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
index d5b7b97c136f..cfe04ba23bfa 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -48,6 +48,8 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module WordexpTaint = TaintTracking::Global;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
index 00cf017297ff..397a0325d777 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -30,6 +30,8 @@ module MultToAllocConfig implements DataFlow::ConfigSig {
 // something that affects an allocation size
 node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 module MultToAlloc = DataFlow::Global;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
index c38a012b27bf..27d27b5e6af9 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -123,6 +123,13 @@ module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
 predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
 predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink1(sink, _, _) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:132: Flow call outside 'select' clause
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:167: Flow call outside 'select' clause
+ none()
+ }
 }
 module PointerArithmeticToDerefFlow = DataFlow::Global;
@@ -183,6 +190,14 @@ module ArrayAddressToDerefConfig implements DataFlow::StateConfigSig {
 pointerArithOverflow(pai, _)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:199: Column 1 does not select a source or sink originating from the flow call on line 194
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:201: Column 5 does not select a source or sink originating from the flow call on line 194
+ // ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql:201: Column 7 does not select a source or sink originating from the flow call on line 194
+ none()
+ }
 }
 module ArrayAddressToDerefFlow = DataFlow::GlobalWithState;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
index bfa11e65b067..96a69109b8e6 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
@@ -28,6 +28,12 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(DecompressionFlowStep s).isAdditionalFlowStep(node1, node2)
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql:39: Column 5 does not select a source or sink originating from the flow call on line 38
+ none()
+ }
 }
 module DecompressionTaint = TaintTracking::Global;
pFad - Phonifier reborn
