-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Go: mass enable diff-informed data flow #19660
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on github#18345 and github/codeql-patch#88
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
Enables diff-informed data flow tracking in Go QL security queries by adding the required predicate to each DataFlow configuration.
- Adds
observeDiffInformedIncrementalMode()
returningany()
to allDataFlow::ConfigSig
modules - Ensures incremental, diff-based analysis is enabled for each relevant security check
Reviewed Changes
Copilot reviewed 30 out of 30 changed files in this pull request and generated 1 comment.
Show a summary per file
File | Description |
---|---|
go/ql/src/Security/CWE-352/ConstantOauth2State.ql | Add observeDiffInformedIncrementalMode predicate |
go/ql/src/Security/CWE-326/InsufficientKeySize.ql | Add observeDiffInformedIncrementalMode predicate |
go/ql/src/Security/CWE-209/StackTraceExposure.ql | Add observeDiffInformedIncrementalMode predicate |
go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql | Add observeDiffInformedIncrementalMode predicate |
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql | Add observeDiffInformedIncrementalMode predicate |
go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/ZipSlip.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/XPathInjection.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/TaintedPath.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/StringBreak.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/StoredXss.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/StoredCommand.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/SqlInjection.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/OpenUrlRedirect.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/LogInjection.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/ExternalAPIs.qll | Add observeDiffInformedIncrementalMode predicate |
go/ql/lib/semmle/go/security/CleartextLogging.qll | Add observeDiffInformedIncrementalMode predicate |
Comments suppressed due to low confidence (1)
go/ql/src/Security/CWE-352/ConstantOauth2State.ql:44
- No tests were added to verify the new observeDiffInformedIncrementalMode predicate. Include tests to confirm that diff-informed incremental data flow is actually activated.
predicate observeDiffInformedIncrementalMode() { any() }
It turns out that some of the generated changes in the PRs were not correct, e.g. because they should have also generated a |
An auto-generated patch that enables diff-informed data flow in the obvious cases.
Builds on #18345 and https://github.com/github/codeql-patch/pull/88