diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll index 359fa71744b4..ce964917e970 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll index 359fa71744b4..ce964917e970 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll index 359fa71744b4..ce964917e970 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll index 359fa71744b4..ce964917e970 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll index 359fa71744b4..ce964917e970 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll index 359fa71744b4..ce964917e970 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 359fa71744b4..ce964917e970 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 359fa71744b4..ce964917e970 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 359fa71744b4..ce964917e970 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 359fa71744b4..ce964917e970 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 359fa71744b4..ce964917e970 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll index b179a4f92e07..0943fe8feaf7 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll @@ -18,6 +18,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(IntentRedirectionAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks the flow of tainted Intents being used to start Android components. */ diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll index 606e31a07cb7..4c8639010e2c 100644 --- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll @@ -23,6 +23,8 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node.getType() instanceof NumericType or node.getType() instanceof BooleanType } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll index f625807470df..b2ab5464e235 100644 --- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll @@ -17,6 +17,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(FragmentInjectionAdditionalTaintStep c).step(n1, n2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll index 3af836cac97a..8151755f69fc 100644 --- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll @@ -17,6 +17,8 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) { any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll index 0a8e0686549d..a57f643d8176 100644 --- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll @@ -48,6 +48,8 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig { node.getType().(Array).getElementType() instanceof TypeIntent and c instanceof DataFlow::ArrayContent } + + predicate observeDiffInformedIncrementalMode() { any() } } module ImplicitPendingIntentStartFlow = diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll index 1ad0677ca615..be42e09a1cce 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll @@ -49,6 +49,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow from user input to the argument of a method that builds constraint error messages. */ diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll index 498a9401071a..94d80b9b37b0 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll @@ -22,6 +22,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig { succ.asExpr() = ma.getQualifier() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module InsecureLdapUrlFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll index 423046b6746e..77da25d35866 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll @@ -96,6 +96,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig { n2.asExpr() = c ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll index e08cd50cdb3f..876b2efd8409 100644 --- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll @@ -16,6 +16,8 @@ module KeySizeConfig implements DataFlow::StateConfigSig { predicate isSink(DataFlow::Node sink, KeySizeState state) { sink.(InsufficientKeySizeSink).hasState(state) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks key sizes used in cryptographic algorithms. */ diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll index 740ce24bf62b..855694b299b6 100644 --- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll @@ -23,6 +23,8 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll index de49560e7792..bf87df361b3c 100644 --- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll @@ -51,6 +51,8 @@ module JexlInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JexlInjectionAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll index 3c1f4b8e68eb..167d56732cd3 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll @@ -23,6 +23,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JndiInjectionAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unvalidated user input that is used in JNDI lookup */ diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll index 5c055c005167..b6daea4b4738 100644 --- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll @@ -17,6 +17,8 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) { any(LdapInjectionAdditionalTaintStep a).step(pred, succ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow from remote sources to LDAP injection vulnerabilities. */ diff --git a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll index eaa4c6320c1d..4f1f614dbc42 100644 --- a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll @@ -16,6 +16,8 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } module MissingJwtSignatureCheckFlow = DataFlow::Global; diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll index 4bf81804f827..da5bcb6931bc 100644 --- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll @@ -19,6 +19,8 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(MvelInjectionAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */ diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll index b6bd505c38b8..2dd3cf89add5 100644 --- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll @@ -102,6 +102,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig { } predicate isBarrierIn(DataFlow::Node node) { isSource(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index 3acf18c453ce..a25b257574b6 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll @@ -18,6 +18,8 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(OgnlInjectionAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */ diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll index c4c3e6b093cb..e4d2d60b92e9 100644 --- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll @@ -17,6 +17,8 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */ diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll index e8415cc19786..f929e97a8ff3 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll @@ -28,6 +28,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer } predicate isBarrierIn(DataFlow::Node node) { isSource(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } module RequestForgeryFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index 40e1ec1b4dbb..7c43d32a407e 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll @@ -31,6 +31,8 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll index 66e4a0537d2c..8fed05f2186b 100644 --- a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll +++ b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll @@ -20,6 +20,8 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec()) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Flow for finding RSA ciphers initialized without using OAEP padding. */ diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll index 848aae8da30a..55e8eb94f83f 100644 --- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll @@ -18,6 +18,8 @@ module SpelInjectionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */ diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll index 9ba848d1e0df..282133ec5c67 100644 --- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll +++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll @@ -126,6 +126,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof StaticInitializationVectorSource } predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks the flow from a static initialization vector to the initialization of a cipher */ diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index c396b48a7b88..6be7b4dc83fb 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll @@ -72,6 +72,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(TaintedPathAdditionalTaintStep s).step(n1, n2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow from remote sources to the creation of a path. */ diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll index a9595b0f6f19..536c8f33dafb 100644 --- a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll @@ -16,6 +16,8 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks server-side template injection (SST) vulnerabilities */ diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll index db629143d5ce..8c214d59b9eb 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll @@ -20,6 +20,8 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */ diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index 739b2713780b..de9a920446d5 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -325,6 +325,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) } + + predicate observeDiffInformedIncrementalMode() { any() } } module UnsafeDeserializationFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll index 2ca38d695512..48c8e50bfaf4 100644 --- a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll @@ -195,6 +195,8 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof UrlForwardBarrier } DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll index 675937985c48..fff546fc5030 100644 --- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll @@ -13,6 +13,8 @@ module UrlRedirectConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink } predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll index 8e5b177268df..90e47521bf04 100644 --- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll @@ -44,6 +44,8 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig { or node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll index 38dc1ff993c4..6c541f66940e 100644 --- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll @@ -12,6 +12,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll index d437ca860d5f..304ec3327a17 100644 --- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll @@ -20,6 +20,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(XsltInjectionAdditionalTaintStep c).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll index 6fec86a78dd6..dba80ecc1391 100644 --- a/java/ql/lib/semmle/code/java/security/XssQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XssQuery.qll @@ -20,6 +20,8 @@ module XssConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { any(XssAdditionalTaintStep s).step(node1, node2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow from remote sources to cross site scripting vulnerabilities. */ diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll index 58b1e5bfed1a..da092d2e11f3 100644 --- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll @@ -18,6 +18,8 @@ module XxeConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) { any(XxeAdditionalTaintStep s).step(n1, n2) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll index 0055670d895c..9e2e5e4a6c7e 100644 --- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll @@ -43,6 +43,8 @@ module ZipSlipConfig implements DataFlow::ConfigSig { node instanceof SimpleTypeSanitizer or node instanceof PathInjectionSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow from archive entries to file creation. */ diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll index 887100618196..81246814dc21 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll @@ -14,6 +14,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink } predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll index 359fa71744b4..ce964917e970 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll index 359fa71744b4..ce964917e970 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll index 359fa71744b4..ce964917e970 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll index 359fa71744b4..ce964917e970 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll index 6e4921521b1a..01bd0e5ea963 100644 --- a/shared/dataflow/codeql/dataflow/DataFlow.qll +++ b/shared/dataflow/codeql/dataflow/DataFlow.qll @@ -431,6 +431,17 @@ module Configs Lang> { * is not visualized (as it is in a `path-problem` query). */ default predicate includeHiddenNodes() { none() } + + /** + * Holds if sources and sinks should be filtered to only include those that + * may lead to a flow path with either a source or a sink in the location + * range given by `AlertFiltering`. This only has an effect when running + * in diff-informed incremental mode. + * + * This flag should only be applied to flow configurations whose results + * are used directly in a query result. + */ + default predicate observeDiffInformedIncrementalMode() { none() } } /** An input configuration for data flow using flow state. */ @@ -547,6 +558,17 @@ module Configs Lang> { * is not visualized (as it is in a `path-problem` query). */ default predicate includeHiddenNodes() { none() } + + /** + * Holds if sources and sinks should be filtered to only include those that + * may lead to a flow path with either a source or a sink in the location + * range given by `AlertFiltering`. This only has an effect when running + * in diff-informed incremental mode. + * + * This flag should only be applied to flow configurations whose results + * are used directly in a query result. + */ + default predicate observeDiffInformedIncrementalMode() { none() } } } diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index c8b56db0b343..de9974abda8d 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -124,6 +124,17 @@ module MakeImpl Lang> { * is not visualized (as it is in a `path-problem` query). */ predicate includeHiddenNodes(); + + /** + * Holds if sources and sinks should be filtered to only include those that + * may lead to a flow path with either a source or a sink in the location + * range given by `AlertFiltering`. This only has an effect when running + * in diff-informed incremental mode. + * + * This flag should only be applied to flow configurations whose results + * are used directly in a query result. + */ + predicate observeDiffInformedIncrementalMode(); } /** @@ -246,11 +257,75 @@ module MakeImpl Lang> { ReturnKindExt getKind() { result = pos.getKind() } } + private module SourceSinkFiltering { + private import codeql.util.AlertFiltering + + private module AlertFiltering = AlertFilteringImpl; + + pragma[nomagic] + private predicate isFilteredSource(Node source) { + Config::isSource(source, _) and + if Config::observeDiffInformedIncrementalMode() + then AlertFiltering::filterByLocation(source.getLocation()) + else any() + } + + pragma[nomagic] + private predicate isFilteredSink(Node sink) { + ( + Config::isSink(sink, _) or + Config::isSink(sink) + ) and + if Config::observeDiffInformedIncrementalMode() + then AlertFiltering::filterByLocation(sink.getLocation()) + else any() + } + + private predicate hasFilteredSource() { isFilteredSource(_) } + + private predicate hasFilteredSink() { isFilteredSink(_) } + + predicate isRelevantSource(Node source, FlowState state) { + // If there are filtered sinks, we need to pass through all sources to preserve all alerts + // with filtered sinks. Otherwise the only alerts of interest are those with filtered + // sources, so we can perform the source filtering right here. + Config::isSource(source, state) and + ( + isFilteredSource(source) or + hasFilteredSink() + ) + } + + predicate isRelevantSink(Node sink, FlowState state) { + // If there are filtered sources, we need to pass through all sinks to preserve all alerts + // with filtered sources. Otherwise the only alerts of interest are those with filtered + // sinks, so we can perform the sink filtering right here. + Config::isSink(sink, state) and + ( + isFilteredSink(sink) or + hasFilteredSource() + ) + } + + predicate isRelevantSink(Node sink) { + // If there are filtered sources, we need to pass through all sinks to preserve all alerts + // with filtered sources. Otherwise the only alerts of interest are those with filtered + // sinks, so we can perform the sink filtering right here. + Config::isSink(sink) and + ( + isFilteredSink(sink) or + hasFilteredSource() + ) + } + } + + private import SourceSinkFiltering + private predicate inBarrier(NodeEx node) { exists(Node n | node.asNode() = n and Config::isBarrierIn(n) and - Config::isSource(n, _) + isRelevantSource(n, _) ) } @@ -259,7 +334,7 @@ module MakeImpl Lang> { exists(Node n | node.asNode() = n and Config::isBarrierIn(n, state) and - Config::isSource(n, state) + isRelevantSource(n, state) ) } @@ -268,9 +343,9 @@ module MakeImpl Lang> { node.asNodeOrImplicitRead() = n and Config::isBarrierOut(n) | - Config::isSink(n, _) + isRelevantSink(n, _) or - Config::isSink(n) + isRelevantSink(n) ) } @@ -280,9 +355,9 @@ module MakeImpl Lang> { node.asNodeOrImplicitRead() = n and Config::isBarrierOut(n, state) | - Config::isSink(n, state) + isRelevantSink(n, state) or - Config::isSink(n) + isRelevantSink(n) ) } @@ -292,11 +367,11 @@ module MakeImpl Lang> { Config::isBarrier(n) or Config::isBarrierIn(n) and - not Config::isSource(n, _) + not isRelevantSource(n, _) or Config::isBarrierOut(n) and - not Config::isSink(n, _) and - not Config::isSink(n) + not isRelevantSink(n, _) and + not isRelevantSink(n) ) } @@ -306,24 +381,24 @@ module MakeImpl Lang> { Config::isBarrier(n, state) or Config::isBarrierIn(n, state) and - not Config::isSource(n, state) + not isRelevantSource(n, state) or Config::isBarrierOut(n, state) and - not Config::isSink(n, state) and - not Config::isSink(n) + not isRelevantSink(n, state) and + not isRelevantSink(n) ) } pragma[nomagic] private predicate sourceNode(NodeEx node, FlowState state) { - Config::isSource(node.asNode(), state) and + isRelevantSource(node.asNode(), state) and not fullBarrier(node) and not stateBarrier(node, state) } pragma[nomagic] private predicate sinkNodeWithState(NodeEx node, FlowState state) { - Config::isSink(node.asNodeOrImplicitRead(), state) and + isRelevantSink(node.asNodeOrImplicitRead(), state) and not fullBarrier(node) and not stateBarrier(node, state) } @@ -729,7 +804,7 @@ module MakeImpl Lang> { additional predicate sinkNode(NodeEx node, FlowState state) { fwdFlow(node) and fwdFlowState(state) and - Config::isSink(node.asNodeOrImplicitRead()) + isRelevantSink(node.asNodeOrImplicitRead()) or fwdFlow(node) and fwdFlowState(state) and @@ -2946,7 +3021,7 @@ module MakeImpl Lang> { NodeEx toNormalSinkNodeEx() { exists(Node n | pragma[only_bind_out](node.asNodeOrImplicitRead()) = n and - (Config::isSink(n) or Config::isSink(n, _)) and + (isRelevantSink(n) or isRelevantSink(n, _)) and result.asNode() = n ) } @@ -4792,15 +4867,15 @@ module MakeImpl Lang> { } private predicate interestingCallableSrc(DataFlowCallable c) { - exists(Node n | Config::isSource(n, _) and c = getNodeEnclosingCallable(n)) + exists(Node n | isRelevantSource(n, _) and c = getNodeEnclosingCallable(n)) or exists(DataFlowCallable mid | interestingCallableSrc(mid) and callableStep(mid, c)) } private predicate interestingCallableSink(DataFlowCallable c) { exists(Node n | c = getNodeEnclosingCallable(n) | - Config::isSink(n, _) or - Config::isSink(n) + isRelevantSink(n, _) or + isRelevantSink(n) ) or exists(DataFlowCallable mid | interestingCallableSink(mid) and callableStep(c, mid)) @@ -4827,7 +4902,7 @@ module MakeImpl Lang> { or exists(Node n | ce1 = TCallableSrc() and - Config::isSource(n, _) and + isRelevantSource(n, _) and ce2 = TCallable(getNodeEnclosingCallable(n)) ) or @@ -4835,8 +4910,8 @@ module MakeImpl Lang> { ce2 = TCallableSink() and ce1 = TCallable(getNodeEnclosingCallable(n)) | - Config::isSink(n, _) or - Config::isSink(n) + isRelevantSink(n, _) or + isRelevantSink(n) ) } @@ -4900,7 +4975,7 @@ module MakeImpl Lang> { private predicate revSinkNode(NodeEx node, FlowState state) { sinkNodeWithState(node, state) or - Config::isSink(node.asNodeOrImplicitRead()) and + isRelevantSink(node.asNodeOrImplicitRead()) and relevantState(state) and not fullBarrier(node) and not stateBarrier(node, state) diff --git a/shared/util/codeql/util/AlertFiltering.qll b/shared/util/codeql/util/AlertFiltering.qll new file mode 100644 index 000000000000..d1778304b733 --- /dev/null +++ b/shared/util/codeql/util/AlertFiltering.qll @@ -0,0 +1,40 @@ +/** + * Provides the `restrictAlertsTo` extensible predicate to restrict alerts to specific source + * locations, and the `AlertFilteringImpl` parameterized module to apply the filtering. + */ + +private import codeql.util.Location + +/** + * Restricts alerts to a specific location in specific files. + * + * If this predicate is empty, accept all alerts. Otherwise, accept alerts only at the specified + * locations. Note that alert restrictions apply only to the start line of an alert (even if the + * alert location spans multiple lines) because alerts are displayed on their start lines. + * + * - filePath: Absolute path of the file to restrict alerts to. + * - startLine: Start line number (starting with 1, inclusive) to restrict alerts to. + * - endLine: End line number (starting with 1, inclusive) to restrict alerts to. + * + * If startLine and endLine are both 0, accept alerts anywhere in the file. + */ +extensible predicate restrictAlertsTo(string filePath, int startLine, int endLine); + +/** Module for applying alert location filtering. */ +module AlertFilteringImpl { + /** Applies alert filtering to the given location. */ + bindingset[location] + predicate filterByLocation(Location location) { + not restrictAlertsTo(_, _, _) + or + exists(string filePath, int startLine, int endLine | + restrictAlertsTo(filePath, startLine, endLine) + | + startLine = 0 and + endLine = 0 and + location.hasLocationInfo(filePath, _, _, _, _) + or + location.hasLocationInfo(filePath, [startLine .. endLine], _, _, _) + ) + } +} diff --git a/shared/util/ext/default-alert-filter.yml b/shared/util/ext/default-alert-filter.yml new file mode 100644 index 000000000000..0ae5a2f4eb5b --- /dev/null +++ b/shared/util/ext/default-alert-filter.yml @@ -0,0 +1,7 @@ +extensions: + + - addsTo: + pack: codeql/util + extensible: restrictAlertsTo + # Empty predicate means no restrictions on alert locations + data: [] diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml index 5914dae35752..adb3ab85951e 100644 --- a/shared/util/qlpack.yml +++ b/shared/util/qlpack.yml @@ -3,4 +3,6 @@ version: 1.0.7-dev groups: shared library: true dependencies: null +dataExtensions: + - ext/*.yml warnOnImplicitThis: true diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll index 359fa71744b4..ce964917e970 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll @@ -283,6 +283,8 @@ deprecated private module Config implements FullStateConfigSig { FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } + + predicate observeDiffInformedIncrementalMode() { none() } } deprecated private import Impl as I