From 9a975f3496bf7b0143d2be22973b42129d0bab05 Mon Sep 17 00:00:00 2001 
From: Asger F Date: Fri, 20 Dec 2024 10:07:34 +0100 Subject: [PATCH] C#: mass enable diff-informed data flow --- .../lib/semmle/code/csharp/frameworks/Sql.qll | 6 ++ .../code/csharp/frameworks/system/Xml.qll | 6 ++ .../EncryptionKeyDataFlowQuery.qll | 2 + .../HardcodedSymmetricEncryptionKey.qll | 2 + .../dataflow/CleartextStorageQuery.qll | 2 + .../security/dataflow/CodeInjectionQuery.qll | 2 + .../dataflow/CommandInjectionQuery.qll | 2 + .../dataflow/ConditionalBypassQuery.qll | 2 + .../ExposureOfPrivateInformationQuery.qll | 2 + .../security/dataflow/ExternalAPIsQuery.qll | 7 +++ .../security/dataflow/LDAPInjectionQuery.qll | 2 + .../security/dataflow/LogForgingQuery.qll | 2 + .../dataflow/MissingXMLValidationQuery.qll | 2 + .../csharp/security/dataflow/ReDoSQuery.qll | 8 +++ .../security/dataflow/RegexInjectionQuery.qll | 2 + .../dataflow/ResourceInjectionQuery.qll | 2 + .../security/dataflow/SqlInjectionQuery.qll | 2 + .../security/dataflow/TaintedPathQuery.qll | 2 + .../dataflow/UnsafeDeserializationQuery.qll | 62 +++++++++++++++++++ .../security/dataflow/UrlRedirectQuery.qll | 2 + .../security/dataflow/XPathInjectionQuery.qll | 2 + .../csharp/security/dataflow/XSSQuery.qll | 6 ++ .../csharp/security/dataflow/ZipSlipQuery.qll | 2 + .../flowsinks/ExternalLocationSink.qll | 6 ++ .../csharp/security/xml/InsecureXMLQuery.qll | 7 +++ csharp/ql/src/API Abuse/FormatInvalid.ql | 8 +++ .../NoDisposeCallOnLocalIDisposable.ql | 6 ++ .../LeapYear/UnsafeYearConstruction.ql | 2 + .../ThreadUnsafeICryptoTransformLambda.ql | 7 +++ .../Security Features/CWE-091/XMLInjection.ql | 2 + .../CWE-114/AssemblyPathInjection.ql | 2 + .../CWE-134/UncontrolledFormatString.ql | 2 + .../CWE-201/ExposureInTransmittedData.ql | 2 + .../CWE-209/ExceptionInformationExposure.ql | 2 + .../CWE-327/DontInstallRootCert.ql | 2 + .../CWE-327/InsecureSQLConnection.ql | 2 + .../CWE-798/HardcodedConnectionString.ql | 2 + .../CWE-838/InappropriateEncoding.ql | 13 ++++ .../Security 
Features/InsecureRandomness.ql | 2 + .../CWE-099/TaintedWebClientLib.qll | 2 + .../experimental/CWE-918/RequestForgery.qll | 2 + .../CWE-759/HashWithoutSalt.ql | 2 + .../JsonWebTokenHandlerLib.qll | 2 + .../UnsafeTypeUsedDataContractSerializer.ql | 2 + .../backdoor/PotentialTimeBomb.ql | 18 ++++++ .../backdoor/ProcessNameToHashTaintFlow.ql | 2 + .../dataflow/flowsources/AuthCookie.qll | 17 +++++ 47 files changed, 243 insertions(+) diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll index 75f72352deb6..a182188c41fd 100644 --- a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll +++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll @@ -68,6 +68,12 @@ private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::Con node.asExpr() = mc.getArgumentForName("command") ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll:54: Flow call outside 'select' clause + none() + } } private module DapperCommandDefinitionMethodCallSql = diff --git a/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll b/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll index c0edf9e110e1..e60787cf0bdc 100644 --- a/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll +++ b/csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll 
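Review bot: The generated TODO in `DapperCommandDefitionMethodCallSqlConfig` pins its reason to `Sql.qll:54`, a line number that stops pointing at the flow call as soon as the file is edited, and it does not say what has to be checked before `none()` can become `any()`. I would name the predicate that consumes the flow instead of the line and state the condition, for example `// Not diff-informed: the flow is consumed outside a 'select', so restricting sources/sinks to the diff range may drop results.` The same generated comment recurs in the hunks for Xml.qll, ExternalAPIsQuery.qll, ReDoSQuery.qll, UnsafeDeserializationQuery.qll, XSSQuery.qll, ExternalLocationSink.qll, InsecureXMLQuery.qll, FormatInvalid.ql, NoDisposeCallOnLocalIDisposable.ql and InappropriateEncoding.ql. The config module's body starts outside the hunk.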
@@ -167,6 +167,12 @@ private module SettingsDataFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source.asExpr() instanceof XmlReaderSettingsCreation } predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof XmlReaderSettingsInstance } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll:190: Flow call outside 'select' clause + none() + } } private module SettingsDataFlow = DataFlow::Global; diff --git a/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll index 82bd0d30cab5..61c036f031b1 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll @@ -70,6 +70,8 @@ private module SymmetricKeyConfig implements DataFlow::ConfigSig { /** Holds if the node is a key sanitizer. */ predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll b/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll index 2e387cc2da67..37690c169c0b 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll @@ -82,6 +82,8 @@ module HardcodedSymmetricEncryptionKey { succ.asExpr() = mc ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll index cbb10146a6a1..3e4642411f0c 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll @@ -32,6 +32,8 @@ private module ClearTextStorageConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll index 8ec9122864fb..20d5bbe10cab 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll @@ -33,6 +33,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll index 84352389c419..9528676af8e6 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll @@ -42,6 +42,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig { * `node` from the data flow graph. */ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
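Review bot: `CommandInjectionConfig` is not declared `private`, so adding `observeDiffInformedIncrementalMode() { any() }` also changes behaviour for any query outside this repository that instantiates the config and calls its flow from a helper predicate; the check that produced this patch presumably only saw in-repo uses. The predicate is added without QLDoc here and in the other public configs touched by this patch (`LdapInjectionConfig`, `SqlInjectionConfig`, `XpathInjectionConfig`). I would document the contract on the predicate, e.g. `/** Diff-informed: results are complete only when the query selects the source or sink location. */`, and record the change in a change note for library users. The module body starts outside the hunk.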
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll index f92bb0d2f44a..a2d816a720a9 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll @@ -39,6 +39,8 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll index 0726acb05ed9..85782fe49369 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll @@ -32,6 +32,8 @@ private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll index f1a64f6810b8..be1dd7089daf 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll 
@@ -78,6 +78,13 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:88: Flow call outside 'select' clause + // csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:91: Flow call outside 'select' clause + none() + } } /** A module for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */ diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll index e2e96034c41e..c2e25f0e522d 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll @@ -45,6 +45,8 @@ module LdapInjectionConfig implements DataFlow::ConfigSig { * `node` from the data flow graph. */ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll index 422b5dc717a5..e06e728514de 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll @@ -35,6 +35,8 @@ private module LogForgingConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll index 3401dab7ea24..3fcdc2b88ca7 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll @@ -39,6 +39,8 @@ private module MissingXmlValidationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(sink.(Sink).getReason()) } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll index 94dbf1d4cdcc..73f3fee15bc7 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll @@ -33,6 +33,8 @@ private module ReDoSConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** @@ -77,6 +79,12 @@ private module ExponentialRegexDataFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node s) { isExponentialRegex(s.asExpr()) } predicate isSink(DataFlow::Node s) { s.asExpr() = any(RegexOperation c).getPattern() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll:92: Flow call outside 'select' clause + none() + } } module ExponentialRegexDataFlow = DataFlow::Global; 
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll index 620c07a9ea21..5cd232588296 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll @@ -33,6 +33,8 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll index 40814729e559..e1542986411f 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll @@ -32,6 +32,8 @@ private module ResourceInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll index cc7b61c31f21..510b03811432 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll @@ -43,6 +43,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig { * `node` from the data flow graph. */ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll index bdc7245aeb2d..2f20eb6e3421 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll @@ -35,6 +35,8 @@ private module TaintedPathConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll index 5d9d18dcbac6..451c417a878c 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll @@ -59,6 +59,8 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
@@ -77,6 +79,15 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 55 + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 2 does not select a source or sink originating from the flow call on line 55 + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 3 does not select a source or sink originating from the flow call on line 55 + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 55 + none() + } } /** @@ -133,6 +144,15 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 56 + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 2 does not select a source or sink originating from the flow call on line 56 + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 3 does not select a source or sink originating from the flow call on line 56 + // csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 56 + none() + } } /** 
@@ -149,6 +169,8 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** @@ -186,6 +208,8 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig { oc.getObjectType() instanceof StrongTypeDeserializer ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** @@ -210,6 +234,8 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config sink.asExpr() = mc.getQualifier() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** @@ -342,6 +368,12 @@ private module DataContractJsonSafeConstructorTrackingConfig implements DataFlow mc.getQualifier() = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:28: Flow call outside 'select' clause + none() + } } private module DataContractJsonSafeConstructorTracking = @@ -389,6 +421,12 @@ private module JavaScriptSerializerSafeConstructorTrackingConfig implements Data mc.getQualifier() = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:29: Flow call outside 'select' clause + none() + } } private module JavaScriptSerializerSafeConstructorTracking = 
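Review bot: `WeakTypeCreationToUsageTrackingConfig` is switched to `any()` although its sink is `mc.getQualifier()`, which reads like an auxiliary type-tracking flow rather than the path the deserialization alert reports; two sibling configs in this file (`JsonConvertTrackingConfig`, `TypeNameTrackingConfig`) were left at `none()` because the query's select columns do not come from their flow calls. If this flow is only used as a filter in the query's `where` clause, restricting it to the diff range could suppress an unsafe-deserialization alert whenever the weak-type creation sits outside the changed lines. Until that is confirmed I would keep it conservative with `predicate observeDiffInformedIncrementalMode() { none() }`, or add a test that runs the query in diff-informed mode with the creation site outside the diff. The same question applies to `TaintToObjectTypeTrackingConfig` in the preceding hunk. Both module bodies start outside their hunks.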
@@ -434,6 +472,12 @@ private module XmlObjectSerializerDerivedConstructorTrackingConfig implements Da mc.getQualifier() = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:30: Flow call outside 'select' clause + none() + } } private module XmlObjectSerializerDerivedConstructorTracking = @@ -476,6 +520,12 @@ private module XmlSerializerSafeConstructorTrackingConfig implements DataFlow::C mc.getQualifier() = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:31: Flow call outside 'select' clause + none() + } } private module XmlSerializerSafeConstructorTracking = @@ -522,6 +572,12 @@ private module DataContractSerializerSafeConstructorTrackingConfig implements Da mc.getQualifier() = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:32: Flow call outside 'select' clause + none() + } } private module DataContractSerializerSafeConstructorTracking = @@ -564,6 +620,12 @@ private module XmlMessageFormatterSafeConstructorTrackingConfig implements DataF mc.getQualifier() = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:33: Flow call outside 'select' clause + none() + } } private module XmlMessageFormatterSafeConstructorTracking = 
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll index 0838fe7be4b6..b095305742dd 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll @@ -37,6 +37,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll index 140870c70fae..5cf934ef43e7 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll @@ -43,6 +43,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig { * `node` from the data flow graph. */ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll index 2d687b51d67a..d3ff32314057 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll 
@@ -158,6 +158,12 @@ module XssTrackingConfig implements DataFlow::ConfigSig { * `node` from the data flow graph. */ predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll:22: Flow call outside 'select' clause + none() + } } module XssTracking = TaintTracking::Global; diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll index fad3917553dd..1639563e9640 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll @@ -30,6 +30,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll index 3bcfdde669a4..b1f784b09e26 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll 
@@ -111,6 +111,12 @@ private module LocalFileOutputStreamConfig implements DataFlow::ConfigSig { oc.getObjectType() instanceof SystemIOStreamWriterClass ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsinks/ExternalLocationSink.qll:124: Flow call outside 'select' clause + none() + } } private module LocalFileOutputStreamFlow = DataFlow::Global; diff --git a/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll index 1abeaf797b00..6e941110d7a7 100644 --- a/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll +++ b/csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll @@ -213,6 +213,13 @@ module XmlReader { predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(InsecureXmlReaderCreate create).getSettings() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll:186: Flow call outside 'select' clause + // csharp/ql/lib/semmle/code/csharp/security/xml/InsecureXMLQuery.qll:194: Flow call outside 'select' clause + none() + } } private module SettingsDataFlow = DataFlow::Global; diff --git a/csharp/ql/src/API Abuse/FormatInvalid.ql b/csharp/ql/src/API Abuse/FormatInvalid.ql index 235daa1ecc25..d9b1a423c0e1 100644 --- a/csharp/ql/src/API Abuse/FormatInvalid.ql +++ b/csharp/ql/src/API Abuse/FormatInvalid.ql 
@@ -18,6 +18,14 @@ module FormatInvalidConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node n) { n.asExpr() instanceof StringLiteral } predicate isSink(DataFlow::Node n) { exists(FormatCall c | n.asExpr() = c.getFormatExpr()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/API Abuse/FormatInvalid.ql:31: Flow call outside 'select' clause + // csharp/ql/src/API Abuse/FormatInvalid.ql:44: Flow call outside 'select' clause + // csharp/ql/src/API Abuse/FormatInvalid.ql:62: Flow call outside 'select' clause + none() + } } module FormatInvalid = DataFlow::Global; diff --git a/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql b/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql index 3072b154812f..30b7f580233f 100644 --- a/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql +++ b/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql @@ -87,6 +87,12 @@ module DisposeCallOnLocalIDisposableConfig implements DataFlow::ConfigSig { isSink(node) and not node instanceof ReturnNode } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql:100: Flow call outside 'select' clause + none() + } } module DisposeCallOnLocalIDisposable = DataFlow::Global; diff --git a/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql b/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql index c98f2bef8a2b..8da3a910b0da 100644 --- a/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql +++ b/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql 
@@ -26,6 +26,8 @@ module UnsafeYearCreationFromArithmeticConfig implements DataFlow::ConfigSig { oc.getObjectType().getABaseType*().hasFullyQualifiedName("System", "DateTime") ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module UnsafeYearCreationFromArithmetic = diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql index 9f70760ba602..ce526732a726 100644 --- a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql +++ b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql @@ -24,6 +24,13 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con } predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34 + // csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql:37: Column 3 does not select a source or sink originating from the flow call on line 34 + none() + } } module NotThreadSafeCryptoUsageIntoParallelInvoke = diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql index 16eca675e6a1..2276b660f9f7 100644 --- a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql +++ b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql @@ -45,6 +45,8 @@ module XmlInjectionConfig implements DataFlow::ConfigSig { mc = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql index 118591f3f9ef..9cd6fc68b4ce 100644 
--- a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql +++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql @@ -41,6 +41,8 @@ module AssemblyPathInjectionConfig implements DataFlow::ConfigSig { name = "UnsafeLoadFrom" and arg = 0 ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql index a027170dc372..e32b043b53f4 100644 --- a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql +++ b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql @@ -22,6 +22,8 @@ module FormatStringConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(FormatCall call | call.hasInsertions()).getFormatExpr() } + + predicate observeDiffInformedIncrementalMode() { any() } } module FormatString = TaintTracking::Global; diff --git a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql index 0d71a08fe97e..a29919fc09dc 100644 --- a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql +++ b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql @@ -41,6 +41,8 @@ module ExposureInTransmittedDataConfig implements DataFlow::ConfigSig { } predicate isSink(DataFlow::Node sink) { sink instanceof RemoteFlowSink } + + predicate observeDiffInformedIncrementalMode() { any() } } module ExposureInTransmittedData = TaintTracking::Global; diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql index 114bdf7ccea4..7ec34b7c3cce 100644 --- a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql +++ b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql 
@@ -59,6 +59,8 @@ module ExceptionInformationExposureConfig implements DataFlow::ConfigSig { // Do not flow through Message sanitizer.asExpr().getType().(RefType).getABaseType*() instanceof SystemExceptionClass } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql index 15da9c2d8243..b48ddbf0f350 100644 --- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql +++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql @@ -37,6 +37,8 @@ module AddCertToRootStoreConfig implements DataFlow::ConfigSig { sink.asExpr() = mc.getQualifier() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module AddCertToRootStore = DataFlow::Global; diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql index adde1b948e4f..330ad1c1c329 100644 --- a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql +++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql @@ -40,6 +40,8 @@ module InsecureSqlConnectionConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql index 09f4bdca26bf..8b0bcc2d0e42 100644 --- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql +++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql @@ -38,6 +38,8 @@ module ConnectionStringConfig implements DataFlow::ConfigSig { } predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql index b35247634eae..9d981f6559cb 100644 --- a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql +++ b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql @@ -50,6 +50,13 @@ module RequiresEncodingConfig implements DataF } int fieldFlowBranchLimit() { result = 0 } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql:146: Flow call outside 'select' clause + // csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql:149: Flow call outside 'select' clause + none() + } } /** An encoded value, for example through a call to `HttpServerUtility.HtmlEncode`. */ @@ -104,6 +111,12 @@ module EncodingConfigurations { predicate isBarrier = Super::isBarrier/1; int fieldFlowBranchLimit() { result = Super::fieldFlowBranchLimit() } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql:143: Flow call outside 'select' clause + none() + } } module SqlExpr = TaintTracking::Global; diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql index 504756e1db50..2c2df7010c67 100644 --- a/csharp/ql/src/Security Features/InsecureRandomness.ql +++ b/csharp/ql/src/Security Features/InsecureRandomness.ql @@ -49,6 +49,8 @@ module Random { // succ = array_or_indexer[pred] - use of random numbers in an index succ.asExpr().(ElementAccess).getAnIndex() = pred.asExpr() } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
diff --git a/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll b/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll index 716702ca008c..86a583b084cb 100644 --- a/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll +++ b/csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll @@ -46,6 +46,8 @@ private module TaintedWebClientConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof Sink } predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/experimental/CWE-918/RequestForgery.qll b/csharp/ql/src/experimental/CWE-918/RequestForgery.qll index 6d06ca5fa445..1bdbb0f21e44 100644 --- a/csharp/ql/src/experimental/CWE-918/RequestForgery.qll +++ b/csharp/ql/src/experimental/CWE-918/RequestForgery.qll @@ -50,6 +50,8 @@ module RequestForgery { } predicate isBarrier(DataFlow::Node node) { node instanceof Barrier } + + predicate observeDiffInformedIncrementalMode() { any() } } /** diff --git a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql index f9c279e09bf0..fff6781690d8 100644 --- a/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql +++ b/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql @@ -188,6 +188,8 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig { mc.getArgument(0) = node.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } module HashWithoutSalt = TaintTracking::Global; diff --git a/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll b/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll index 476b17e4c695..d70fa48ac22e 100644 --- a/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll 
+++ b/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/JsonWebTokenHandlerLib.qll @@ -32,6 +32,8 @@ private module FalseValueFlowsToTokenValidationParametersPropertyWriteToBypassVa predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(TokenValidationParametersPropertySensitiveValidation p).getAnAssignedValue() } + + predicate observeDiffInformedIncrementalMode() { any() } } module FalseValueFlowsToTokenValidationParametersPropertyWriteToBypassValidation = diff --git a/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql b/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql index 74eea14500d0..4774eb90c89b 100644 --- a/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql +++ b/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql @@ -35,6 +35,8 @@ module FlowToDataSerializerConstructorConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node node) { unsafeDataContractTypeCreation(node.asExpr()) } predicate isSink(DataFlow::Node node) { xmlSerializerConstructorArgument(node.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { any() } } module FlowToDataSerializerConstructor = DataFlow::Global; diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql index 47b69d3e975d..87ec99794ec8 100644 --- a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql +++ b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql 
@@ -84,6 +84,12 @@ private module FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallableConfig call = dateTime.getATimeSpanArithmeticCallable().getACall() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql:162: Flow call outside 'select' clause + none() + } } /** @@ -110,6 +116,12 @@ private module FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig impleme call = dateTime.getAComparisonCallable().getACall() ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql:166: Flow call outside 'select' clause + none() + } } /** @@ -133,6 +145,12 @@ private module FlowsFromTimeComparisonCallableToSelectionStatementConditionConfi predicate isSink(DataFlow::Node sink) { exists(SelectionStmt sel | sel.getCondition().getAChild*() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql:170: Flow call outside 'select' clause + none() + } } /** diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql index 2835ac1974a0..4676e663654f 100644 --- a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql +++ b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql 
@@ -18,6 +18,8 @@ module DataFlowFromMethodToHashConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isSuspiciousPropertyName(source.asExpr()) } predicate isSink(DataFlow::Node sink) { isGetHash(sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { any() } } module DataFlowFromMethodToHash = TaintTracking::Global; diff --git a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll b/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll index 401944adcc47..c34e96c835f0 100644 --- a/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll +++ b/csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll @@ -33,6 +33,12 @@ private module AuthCookieNameConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { isAuthVariable(source.asExpr()) } predicate isSink(DataFlow::Node sink) { exists(Call c | sink.asExpr() = c.getAnArgument()) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll:13: Flow call outside 'select' clause + none() + } } /** @@ -55,6 +61,8 @@ private module CookieOptionsTrackingConfig implements DataFlow::ConfigSig { mc.getArgument(2) = sink.asExpr() ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** 
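Review bot: `CookieOptionsTrackingConfig` is switched to `any()` while the two other configs this patch touches in AuthCookie.qll (`AuthCookieNameConfig` and `OnAppendCookieTrackingConfig`) stay at `none()`. Those two stay off because their flow calls sit outside a `select` or feed a column that is not a source or sink. The consumers of this config are not visible in the hunk, but the neighbouring TODO suggests the library feeds CookieWithoutHttpOnly.ql and CookieWithoutSecure.ql. It is worth confirming that every use of this flow meets the same conditions, because a miss would hide missing-HttpOnly or missing-Secure findings in incremental scans. A short comment naming the queries that were checked, for example `// Diff-informed: verified against <queries checked>`, would record that. The module body starts above the hunk.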
@@ -166,6 +174,15 @@ private module OnAppendCookieTrackingConfig impl MicrosoftAspNetCoreCookiePolicyAppendCookieContext ) } + + predicate observeDiffInformedIncrementalMode() { + // TODO(diff-informed): Manually verify if config can be diff-informed. + // csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql:105: Column 1 does not select a source or sink originating from the flow call on line 39 + // csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql:105: Column 1 does not select a source or sink originating from the flow call on line 70 + // csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql:105: Column 1 does not select a source or sink originating from the flow call on line 33 + // csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql:105: Column 1 does not select a source or sink originating from the flow call on line 83 + none() + } } private string getPropertyNameSecure() { result = "Secure" }