From cd3fa64ee3f2427dc32a866e6b1541a5fb269bcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:44:41 +0200 Subject: [PATCH 1/4] [DIFF-INFORMED] Swift: CleartextStorageDatabase https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql#L33 --- .../swift/security/CleartextStorageDatabaseQuery.qll | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll index 0f2d28480cdb..989d928a8c71 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll @@ -48,6 +48,17 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig { node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1 } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | + cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() + or + not sink instanceof DataFlow::PostUpdateNode and + cleanSink = sink + ) + } } /** From 6dea73b08138c0464d5dbfd37f97f1da554dcef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:45:28 +0200 Subject: [PATCH 2/4] [DIFF-INFORMED] Swift: CleartextStoragePreferences https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql#L32 --- .../security/CleartextStoragePreferencesQuery.qll | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll index 2a7bec5dc47f..c3665589482a 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll @@ -30,6 +30,17 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig { // make sources barriers so that we only report the closest instance isSource(node) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | + cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() + or + not sink instanceof DataFlow::PostUpdateNode and + cleanSink = sink + ) + } } /** From b1e723991e52eb137279f9cf6eb9dea6839ff488 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:47:04 +0200 Subject: [PATCH 3/4] [DIFF-INFORMED] Swift: InsecureTLS https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql#L18 --- swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll index 769c385d4d66..53952f3e1d14 100644 --- a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll +++ b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll @@ -21,6 +21,10 @@ module InsecureTlsConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { + none() // query selects some Swift nodes (e.g. "[post] self") that have location file://:0:0:0:0, which always fall outside the diff range. + } } module InsecureTlsFlow = TaintTracking::Global; From 4342b2b799aa7877ee1131fe3f5b6db0045cc85e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:47:58 +0200 Subject: [PATCH 4/4] [DIFF-INFORMED] Swift: UnsafeWebViewFetch https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql#L24 --- .../ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll index ba24f63231f4..5aba75c18c26 100644 --- a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll +++ b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll @@ -28,6 +28,10 @@ module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(UnsafeWebViewFetchAdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { + none() // can't override location accurately because of secondary use in select. + } } /** pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy