Skip to content

Go: mass enable diff-informed data flow #19660

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Go: mass enable diff-informed data flow #19660

wants to merge 1 commit into from

Conversation

d10c
Copy link
Contributor

@d10c d10c commented Jun 3, 2025

An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on #18345 and https://github.com/github/codeql-patch/pull/88

@github-actions github-actions bot added the Go label Jun 3, 2025
@d10c d10c marked this pull request as ready for review June 4, 2025 11:32
@Copilot Copilot AI review requested due to automatic review settings June 4, 2025 11:32
@d10c d10c requested a review from a team as a code owner June 4, 2025 11:32
Copilot
Copilot AI reviewed Jun 4, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Enables diff-informed data flow tracking in Go QL security queries by adding the required predicate to each DataFlow configuration.

  • Adds observeDiffInformedIncrementalMode() returning any() to all DataFlow::ConfigSig modules
  • Ensures incremental, diff-based analysis is enabled for each relevant security check

Reviewed Changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
go/ql/src/Security/CWE-352/ConstantOauth2State.ql Add observeDiffInformedIncrementalMode predicate
go/ql/src/Security/CWE-326/InsufficientKeySize.ql Add observeDiffInformedIncrementalMode predicate
go/ql/src/Security/CWE-209/StackTraceExposure.ql Add observeDiffInformedIncrementalMode predicate
go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql Add observeDiffInformedIncrementalMode predicate
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql Add observeDiffInformedIncrementalMode predicate
go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/ZipSlip.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/XPathInjection.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/TaintedPath.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/StringBreak.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/StoredXss.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/StoredCommand.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/SqlInjection.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/OpenUrlRedirect.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/LogInjection.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/ExternalAPIs.qll Add observeDiffInformedIncrementalMode predicate
go/ql/lib/semmle/go/security/CleartextLogging.qll Add observeDiffInformedIncrementalMode predicate
Comments suppressed due to low confidence (1)

go/ql/src/Security/CWE-352/ConstantOauth2State.ql:44

  • No tests were added to verify the new observeDiffInformedIncrementalMode predicate. Include tests to confirm that diff-informed incremental data flow is actually activated.
predicate observeDiffInformedIncrementalMode() { any() }

@d10c
Copy link
Contributor Author

d10c commented Jun 5, 2025

It turns out that some of the generated changes in the PRs were not correct, e.g. because they should have also generated a getASelected{Source,Sink}Location() override but didn't (see Chuan-kai's comment here). So for now I'm putting them back in Draft until I make sure (via the patch script) that we are correctly handling all 3 documented query patterns, starting with the simplest one (both source and sink are used as location sources). If you have already started reviewing the PRs, thank you (also for your patience) and stay tuned for an update as to what has changed in the meantime!

@d10c d10c marked this pull request as draft June 5, 2025 15:59
@d10c
Copy link
Contributor Author

d10c commented Jun 10, 2025

Update: no changes since last time I opened the PR. It turns out that it's sound (but not optimally performant) to leave getASelected{Source,Sink}Location() un-overridden, specifically in case of a select clause containing only one of source or sink but not both. The patch script currently does not differentiate between that case and the one in which both source and sink are present in the select clause. So I will re-open these PRs as they are, and generate an appropriate getASelected{Source,Sink}Location() override in a follow-up round of PRs.

@d10c d10c marked this pull request as ready for review June 11, 2025 09:35
@d10c d10c added the no-change-note-required This PR does not need a change note label Jun 11, 2025
@d10c
Go: mass enable diff-informed data flow
e233501 
An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on github#18345 and github/codeql-patch#88
@d10c d10c force-pushed the d10c/go/diff-informed branch from 16f38ff to e233501 Compare June 11, 2025 16:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Go no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@d10c
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy