
Java: mass enable diff-informed data flow + none() overrides #19795

Open
wants to merge 1 commit into
base: main
Expand Up @@ -23,6 +23,10 @@ module ApkInstallationConfig implements DataFlow::ConfigSig {
)
)
}

predicate observeDiffInformedIncrementalMode() { any() }

Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
}

module ApkInstallationFlow = DataFlow::Global<ApkInstallationConfig>;
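Review bot: The added `getASelectedSourceLocation` override names its parameter `sink` although the predicate receives a source node, and its `none()` body carries no explanation. With `none()` the source location is never treated as a selected location, so if the query reports the source anywhere in its select (including a `$@` reference), an alert whose only changed location is the source would be filtered out in diff-informed runs. Presumably the select reports only the sink, but that is not visible in this hunk. I would write `Location getASelectedSourceLocation(DataFlow::Node source) { none() }` and add a one-line comment above it such as `// The query reports only the sink; the source is never selected.`, once that is confirmed against the query's select clause. The module body starts outside the hunk.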
Expand Up @@ -49,6 +49,8 @@ module HardcodedCredentialApiCallConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node n) {
n.asExpr().(MethodCall).getMethod() instanceof MethodSystemGetenv
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
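Review bot: `observeDiffInformedIncrementalMode()` is enabled here with no `getASelectedSourceLocation` or `getASelectedSinkLocation` override, so the configuration relies on the default selected locations (the source and sink nodes themselves) and on its flow being used directly in a query's select. If a query built on `HardcodedCredentialApiCallConfig` reports an element other than the flow endpoints, or consumes the flow inside another predicate, diff-informed runs can silently drop results, which for a security query is a missed alert rather than a visible failure. The same applies to the identical one-line additions in `HardcodedCredentialSourceCallConfig`, `HttpStringToUrlOpenMethodFlowConfig`, `BasicAuthFlowConfig`, `NotificationTrackingConfig`, `TextFieldTrackingConfig` and `FetchUntrustedResourceConfig`. I would add a short comment above each, for example `// Diff-informed: the query selects exactly the source and sink nodes of this flow.`, after checking each select clause. The module body starts outside the hunk.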
Expand Up @@ -14,6 +14,8 @@ module HardcodedCredentialSourceCallConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }

predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
2 changes: 2 additions & 0 deletions java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll
Expand Up @@ -19,6 +19,8 @@ module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
}

predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -17,6 +17,8 @@ module BasicAuthFlowConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
any(HttpUrlsAdditionalTaintStep c).step(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }

Copilot AI Jun 17, 2025


[nitpick] For consistency with surrounding modules, ensure there’s a blank line after this predicate and before the closing brace, matching the established file style.

Suggested change
predicate observeDiffInformedIncrementalMode() { any() }
predicate observeDiffInformedIncrementalMode() { any() }


}

/**
4 changes: 4 additions & 0 deletions java/ql/lib/semmle/code/java/security/SensitiveUiQuery.qll
Expand Up @@ -19,6 +19,8 @@ private module NotificationTrackingConfig implements DataFlow::ConfigSig {
}

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Taint tracking flow for sensitive data flowing to system notifications. */
Expand Down Expand Up @@ -75,6 +77,8 @@ private module TextFieldTrackingConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }

predicate isBarrierIn(DataFlow::Node node) { isSource(node) }

predicate observeDiffInformedIncrementalMode() { any() }
}

/** A local flow step that also flows through access to fields containing `View`s */
Expand Up @@ -15,6 +15,8 @@ module FetchUntrustedResourceConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }

predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof RequestForgerySanitizer }

predicate observeDiffInformedIncrementalMode() { any() }

Copilot AI Jun 17, 2025


This observeDiffInformedIncrementalMode() override is duplicated across many config modules. Consider providing a default implementation in DataFlow::ConfigSig to reduce boilerplate.


}

/**