C++: mass enable diff-informed data flow

d10c · d10c · commit 52ce0ef299cb · 2025-06-03T20:39:31.000+02:00
An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on #18342 and github/codeql-patch#88
diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
@@ -42,6 +42,8 @@ module PrivateCleartextWrite {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   module WriteFlow = TaintTracking::Global<WriteConfig>;
diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -48,6 +48,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
 
   predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
@@ -141,6 +141,8 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
       gc.controls(node.asExpr().getBasicBlock(), _)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NetworkToBufferSizeFlow = DataFlow::Global<NetworkToBufferSizeConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig {
     or
     node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -66,6 +66,8 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
       not offsetIsAlwaysInBounds(arrayExpr, offsetExpr)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ImproperArrayIndexValidation = TaintTracking::Global<ImproperArrayIndexValidationConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -44,6 +44,8 @@ module Config implements DataFlow::ConfigSig {
     or
     isArithmeticNonCharType(node.asCertainDefinition().getUnspecifiedType())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -94,6 +94,8 @@ module Config implements DataFlow::ConfigSig {
       not iTo instanceof PointerArithmeticInstruction
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -34,6 +34,8 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -54,6 +54,8 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PotentiallyExposedSystemData = TaintTracking::Global<PotentiallyExposedSystemDataConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -45,6 +45,8 @@ module XxeConfig implements DataFlow::StateConfigSig {
   }
 
   predicate neverSkip(DataFlow::Node node) { none() }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module XxeFlow = DataFlow::GlobalWithState<XxeConfig>;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -48,6 +48,8 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WordexpTaint = TaintTracking::Global<WordexpTaintConfig>;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -30,6 +30,8 @@ module MultToAllocConfig implements DataFlow::ConfigSig {
     // something that affects an allocation size
     node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MultToAlloc = DataFlow::Global<MultToAllocConfig>;

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ module PrivateCleartextWrite {`
`42`	`42`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`43`	`43`
`44`	`44`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`45`	`+`
	`46`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`45`	`47`	`}`
`46`	`48`
`47`	`49`	`module WriteFlow = TaintTracking::Global<WriteConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {`
`48`	`48`	`predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }`
`49`	`49`
`50`	`50`	`predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }`
	`51`	`+`
	`52`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`51`	`53`	`}`
`52`	`54`
`53`	`55`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,8 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {`
`141`	`141`	`gc.controls(node.asExpr().getBasicBlock(), _)`
`142`	`142`	`)`
`143`	`143`	`}`
	`144`	`+`
	`145`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`144`	`146`	`}`
`145`	`147`
`146`	`148`	`module NetworkToBufferSizeFlow = DataFlow::Global<NetworkToBufferSizeConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig {`
`39`	`39`	`or`
`40`	`40`	`node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`module Flow = TaintTracking::Global<Config>;`
Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,8 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {`
`66`	`66`	`not offsetIsAlwaysInBounds(arrayExpr, offsetExpr)`
`67`	`67`	`)`
`68`	`68`	`}`
	`69`	`+`
	`70`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`69`	`71`	`}`
`70`	`72`
`71`	`73`	`module ImproperArrayIndexValidation = TaintTracking::Global<ImproperArrayIndexValidationConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ module Config implements DataFlow::ConfigSig {`
`44`	`44`	`or`
`45`	`45`	`isArithmeticNonCharType(node.asCertainDefinition().getUnspecifiedType())`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`47`	`49`	`}`
`48`	`50`
`49`	`51`	`module Flow = TaintTracking::Global<Config>;`
Original file line number	Diff line number	Diff line change
`@@ -94,6 +94,8 @@ module Config implements DataFlow::ConfigSig {`
`94`	`94`	`not iTo instanceof PointerArithmeticInstruction`
`95`	`95`	`)`
`96`	`96`	`}`
	`97`	`+`
	`98`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`97`	`99`	`}`
`98`	`100`
`99`	`101`	`module Flow = TaintTracking::Global<Config>;`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {`
`34`	`34`	`predicate isBarrier(DataFlow::Node node) {`
`35`	`35`	`node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`37`	`39`	`}`
`38`	`40`
`39`	`41`	`module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,8 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {`
`54`	`54`	`predicate isBarrier(DataFlow::Node node) {`
`55`	`55`	`node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()`
`56`	`56`	`}`
	`57`	`+`
	`58`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`57`	`59`	`}`
`58`	`60`
`59`	`61`	`module PotentiallyExposedSystemData = TaintTracking::Global<PotentiallyExposedSystemDataConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ module XxeConfig implements DataFlow::StateConfigSig {`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`predicate neverSkip(DataFlow::Node node) { none() }`
	`48`	`+`
	`49`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`module XxeFlow = DataFlow::GlobalWithState<XxeConfig>;`