From 4dd07f475b7c7ecfba42ea4d7f3a1003f166b69f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= <d10c@users.noreply.github.com>
Date: Tue, 3 Jun 2025 20:39:31 +0200
Subject: [PATCH] C++: mass enable diff-informed data flow

An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on https://github.com/github/codeql/pull/18342 and https://github.com/github/codeql-patch/pull/88
---
 .../semmle/code/cpp/security/PrivateCleartextWrite.qll          | 2 ++
 cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql | 2 ++
 cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll  | 2 ++
 cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql     | 2 ++
 cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql       | 2 ++
 cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql            | 2 ++
 cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-611/XXE.ql                          | 2 ++
 cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql  | 2 ++
 .../Security/CWE/CWE-190/AllocMultiplicationOverflow.ql         | 2 ++
 12 files changed, 24 insertions(+)

diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
index 99cd8bfb7fdb..e6495f9a2aa7 100644
--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
@@ -42,6 +42,8 @@ module PrivateCleartextWrite {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   module WriteFlow = TaintTracking::Global<WriteConfig>;
diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
index d1645007a321..23240d385adc 100644
--- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
+++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
@@ -48,6 +48,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
 
   predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
index ecb60d113d86..40c0f2173d90 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll	
@@ -141,6 +141,8 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
       gc.controls(node.asExpr().getBasicBlock(), _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NetworkToBufferSizeFlow = DataFlow::Global<NetworkToBufferSizeConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
index e5fd1a94f181..aedb21da5167 100644
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig {
     or
     node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
index b5dc4d893b21..17c1b09c3e68 100644
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -66,6 +66,8 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
       not offsetIsAlwaysInBounds(arrayExpr, offsetExpr)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ImproperArrayIndexValidation = TaintTracking::Global<ImproperArrayIndexValidationConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
index 04b4fe45fcfa..37e3fa0c49f8 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -44,6 +44,8 @@ module Config implements DataFlow::ConfigSig {
     or
     isArithmeticNonCharType(node.asCertainDefinition().getUnspecifiedType())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
index 8e6bbefbaace..6ff06d355b9b 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -94,6 +94,8 @@ module Config implements DataFlow::ConfigSig {
       not iTo instanceof PointerArithmeticInstruction
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
index 5a6b50675e80..121595e61b0b 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -34,6 +34,8 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
index f3c9ca189b94..2a22f122ca51 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -54,6 +54,8 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PotentiallyExposedSystemData = TaintTracking::Global<PotentiallyExposedSystemDataConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
index 56a74d2f70b5..ba09e797491b 100644
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -45,6 +45,8 @@ module XxeConfig implements DataFlow::StateConfigSig {
   }
 
   predicate neverSkip(DataFlow::Node node) { none() }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module XxeFlow = DataFlow::GlobalWithState<XxeConfig>;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
index d5b7b97c136f..cfe04ba23bfa 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -48,6 +48,8 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WordexpTaint = TaintTracking::Global<WordexpTaintConfig>;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
index 00cf017297ff..397a0325d777 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -30,6 +30,8 @@ module MultToAllocConfig implements DataFlow::ConfigSig {
     // something that affects an allocation size
     node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MultToAlloc = DataFlow::Global<MultToAllocConfig>;

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19663.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19663.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19663.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/19663.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>