

Contributor

@d10c d10c commented Oct 8, 2025

Now that sources/sinks are always added to the Sarif related locations, this PR updates location overrides of diff-informed queries to match that behaviour.

Methodology

$ git grep -P 'getASelectedSourceLocation|getASelectedSinkLocation'
Actions (9)
  • OutputClobberingQuery.qll
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll=185=private module OutputClobberingConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll:220:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • RequestForgeryQuery.qll
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll=15=private module RequestForgeryConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll:22:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • SecretExfiltrationQuery.qll
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll=14=private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll:21:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSinks.ql
actions/ql/src/Models/CompositeActionsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSources.ql
actions/ql/src/Models/CompositeActionsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSummaries.ql
actions/ql/src/Models/CompositeActionsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSinks.ql
actions/ql/src/Models/ReusableWorkflowsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSources.ql
actions/ql/src/Models/ReusableWorkflowsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSummaries.ql
actions/ql/src/Models/ReusableWorkflowsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
C++ (1)
  • WordexpTainted.ql
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql=38=module WordexpTaintConfig implements DataFlow::ConfigSig {
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql:54:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
C# (1)
  • DontInstallRootCert.ql
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql=17=module AddCertToRootStoreConfig implements DataFlow::ConfigSig {
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql:43:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Go (4)
  • MissingRegexpAnchor.ql: nothing to do (not a path-problem)
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql=63=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql:78:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • InsufficientKeySize.ql
go/ql/src/Security/CWE-326/InsufficientKeySize.ql=15=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-326/InsufficientKeySize.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • PamAuthBypass.ql: shouldn't be diff-informed; uses secondary config.
go/ql/src/experimental/CWE-285/PamAuthBypass.ql=37=module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:48:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
go/ql/src/experimental/CWE-285/PamAuthBypass.ql=54=module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:65:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • DivideByZero.ql
go/ql/src/experimental/CWE-369/DivideByZero.ql=30=module Config implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-369/DivideByZero.ql:51:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Java (23)
  • ArbitraryApkInstallationQuery.qll
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll=12=module ApkInstallationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll:29:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ArithmeticTaintedQuery.qll
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=8=module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:21:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=32=module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ArithmeticUncontrolledQuery.qll
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=16=module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=37=module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:48:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • BrokenCryptoAlgorithmQuery.qll
java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll=28=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CleartextStorageQuery.qll: nothing to be done; no path-problem queries use this config.
java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll=46=private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll:64:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CommandLineQuery.qll
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll=51=module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll:68:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ConditionalBypassQuery.qll
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll=42=module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ImproperIntentVerificationQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll=17=private module VerifiedIntentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:31:  Location getASelectedSourceLocation(DataFlow::Node src) {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:46:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll=10=module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ImproperValidationOfArrayConstructionQuery.qll
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll=11=module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll:20:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureTrustManagerQuery.qll: nothing to be done, already both source and sink.
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll=11=module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll:24:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • MaybeBrokenCryptoAlgorithmQuery.qll
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll=71=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll:83:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • NumericCastTaintedQuery.qll
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll=87=module NumericCastFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll:108:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RandomQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/RandomQuery.qll=32=private module PredictableSeedFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/RandomQuery.qll:43:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • SqlConcatenatedQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll=21=module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • TaintedEnvironmentVariableQuery.qll
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll=28=module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • TaintedPermissionsCheckQuery.qll
java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll=56=module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll:65:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • TempDirLocalInformationDisclosureQuery.qll
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll=131=module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll:151:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • UnsafeCertTrustQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll=11=module SslEndpointIdentificationFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll:20:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • UnsafeDeserializationQuery.qll
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll=302=private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll:315:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHostnameVerificationQuery.qll: nothing to be done, already selects both source and sink.
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll=37=module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll:71:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • WebviewDebuggingEnabledQuery.qll
java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll=35=module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll:50:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • PolynomialReDoSQuery.qll: nothing to be done, already selects both source and sink.
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll=37=module PolynomialRedosConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
JS (16)
  • BrokenCryptoAlgorithmQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll=22=module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ClientSideRequestForgeryQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll=17=module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CommandInjectionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll=27=module CommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CorsMisconfigurationForCredentialsQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll=17=module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • DeepObjectResourceExhaustionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll=14=module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll:39:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • IndirectCommandInjectionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll=13=module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureDownloadQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll=16=module InsecureDownloadConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • PrototypePollutionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll=27=module PrototypePollutionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RequestForgeryQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll=17=module RequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ShellCommandInjectionFromEnvironmentQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll=17=module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll:33:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeCodeConstruction.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll=15=module UnsafeCodeConstruction {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll:38:    Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHtmlConstructionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll=18=module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll:66:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeJQueryPluginQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll=13=module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll:42:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll=16=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {

- [x] PolynomialReDoSQuery.qll: 

javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll=14=module PolynomialReDoSConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • SSRF.qll
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll=5=module SsrfConfig implements DataFlow::ConfigSig {
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll:32:  Location getASelectedSourceLocation(DataFlow::Node source) {
Python (8)
  • PolynomialReDoSQuery.qll
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll=14=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RegexInjectionQuery.qll: nothing to be done, already selects both source and sink.
python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll=15=private module RegexInjectionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll:24:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ServerSideRequestForgeryQuery.qll
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll=61=private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll:70:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.
python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll=19=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll:34:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeUsageOfClientSideEncryptionVersion.ql
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql=99=private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql:151:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CorsBypass.ql
python/ql/src/experimental/Security/CWE-346/CorsBypass.ql=64=module CorsBypassConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/CWE-346/CorsBypass.ql:85:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeUnpackQuery.qll
python/ql/src/experimental/Security/UnsafeUnpackQuery.qll=42=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/UnsafeUnpackQuery.qll:214:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • LdapInsecureAuth.qll
python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll=91=private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll:107:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Ruby (11)
  • ConditionalBypassQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll=14=private module Config implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureDownloadQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll=13=private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeCodeConstructionQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll=15=private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll:30:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHtmlConstructionQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll=15=private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll=16=private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • PolynomialReDoSQuery.qll
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll=13=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • DecompressionApi.ql: nothing to be done, already selects both source and sink.
ruby/ql/src/experimental/decompression-api/DecompressionApi.ql=36=private module DecompressionApiConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/decompression-api/DecompressionApi.ql:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ManuallyCheckHttpVerb.ql
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql=75=private module HttpVerbConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql:92:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • WeakParams.ql
ruby/ql/src/experimental/weak-params/WeakParams.ql=44=private module WeakParamsConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/weak-params/WeakParams.ql:52:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • TaintedNodes.ql: nothing to be done, not a path-problem.
ruby/ql/src/queries/meta/TaintedNodes.ql=15=private module BasicTaintConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/meta/TaintedNodes.ql:25:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • WeakFilePermissions.ql
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql=49=private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql:62:  Location getASelectedSinkLocation(DataFlow::Node sink) {
Shared (3) (documentation only)
  • DataFlow.qll
shared/dataflow/codeql/dataflow/DataFlow.qll=354=module Configs<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/DataFlow.qll:460:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:471:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:609:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:620:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
  • DataFlowImpl.qll
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll=16=module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:146:    Location getASelectedSourceLocation(Node source);
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:148:    Location getASelectedSinkLocation(Node sink);
  • DataFlowImplStage1.qll
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll=15=module MakeImplStage1<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:136:        then AlertFiltering::filterByLocation(Config::getASelectedSourceLocation(source))
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:147:        then AlertFiltering::filterByLocation(Config::getASelectedSinkLocation(sink))
Swift (8)
  • CleartextStorageDatabaseQuery.qll
swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll=16=module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll:54:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CleartextStoragePreferencesQuery.qll
swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll=16=module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ConstantPasswordQuery.qll
swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll=26=module ConstantPasswordConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • InsufficientHashIterationsQuery.qll
swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll=27=module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • StaticInitializationVectorQuery.qll
swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll=26=module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll:46:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • StringLengthConflationQuery.qll
swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll=16=module StringLengthConflationConfig implements DataFlow::StateConfigSig {
swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll:45:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeJsEvalQuery.qll
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll=15=module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll:28:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeUnpackQuery.qll
swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll=15=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

For some reason, however, this grep did not catch all of them. For the rest, I ran codeql test --check-diff-informed, which flagged the remaining queries that needed updating because their tests were now failing.

Questions

  1. In queries like Go/PamAuthBypass and Java/CommandLineQuery, in which of these cases is the use of secondary/negated flows permitted?
  • Split off Go/PamAuthBypass into its own PR: increase efficiency by moving query clauses to isSource of other config (that would allow the main config to be diff informed). -> WIP: Go/PamAuthBypass #20642
  1. In Java/CommandLineQuery, not all of the queries using the config are path-problems. How do I correctly override the location in that case?
  • It's fine, but complicated and delicate. Write a code comment.

d10c added 20 commits October 14, 2025 17:03
actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql uses source as endpoint
actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql uses source as endpoint
actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file usees source and sink as endpoints
java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
@github-actions github-actions bot added the Rust Pull requests that update Rust code label Oct 15, 2025
@d10c d10c marked this pull request as ready for review October 15, 2025 16:01
@Copilot Copilot AI review requested due to automatic review settings October 15, 2025 16:01
@d10c d10c requested review from a team as code owners October 15, 2025 16:01
@d10c d10c added the no-change-note-required This PR does not need a change note label Oct 15, 2025
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates diff-informed testing configurations to always treat sources and sinks as alert locations, aligning with the current SARIF output behavior where sources and sinks are always included in related locations.

Key changes include:

  • Removing getASelectedSourceLocation and getASelectedSinkLocation overrides that returned none()
  • Adding source/sink locations alongside existing location selections
  • Updating documentation to clarify that path-problem queries should always include source/sink locations

Reviewed Changes

Copilot reviewed 76 out of 76 changed files in this pull request and generated 4 comments.

File Description
shared/dataflow/codeql/dataflow/DataFlow.qll Updated documentation for location selection predicates to clarify path-problem query requirements
Multiple language query files Removed overrides that excluded source locations or added sink locations to existing selections
rust/ql/src/queries/security/CWE-614/InsecureCookie.ql Disabled diff-informed mode for negatively-used config
Various Swift, C++, Java, JS, Python, Ruby files Updated location selection to include both source/sink and existing locations

Comment on lines 36 to 39
Location getASelectedSinkLocation(DataFlow::Node sink) {
exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() |
cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode()
or
not sink instanceof DataFlow::PostUpdateNode and
cleanSink = sink
)
result = sink.(CleartextStoragePreferencesSink).getLocation()
or
result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
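Review bot: The first disjunct selects the sink's own location only through the cast `sink.(CleartextStoragePreferencesSink)`, so if `isSink` (not visible in these lines) can hold for a node outside that class, the sink itself would not be among the selected locations. The earlier lines fell back to `cleanSink = sink` without a cast for every node that is not a PostUpdateNode; that guarantee could be kept with `result = sink.getLocation()`. In diff-informed mode a sink whose own location is not selected can presumably be filtered out even when the change touches it, which for a security query means a missed alert rather than a noisy one. The predicate's closing brace lies outside the quoted lines, and the old/new split is inferred from the rendering.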

Copilot AI Oct 15, 2025


[nitpick] The location selection logic could be simplified. Consider extracting the common pattern of handling PostUpdateNode locations into a helper predicate to reduce code duplication across similar configurations.

See below for a potential fix:

  /**
   * Helper predicate to get the location from a PostUpdateNode's pre-update node.
   */
  predicate getPostUpdateNodeLocation(DataFlow::Node node, Location loc) {
    loc = node.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
  }

  Location getASelectedSinkLocation(DataFlow::Node sink) {
    result = sink.(CleartextStoragePreferencesSink).getLocation()
    or
    getPostUpdateNodeLocation(sink, result)


* additional location ("$@" interpolation). Queries with `@kind path-problem`
* that override this predicate should also return the location of the source
* itself. For a query that doesn't report the source at all, this predicate
* should be `none()`.

Copilot AI Oct 15, 2025


[nitpick] The documentation could be clearer about when to use none(). Consider adding an example of when a query 'doesn't report the source at all' to help developers understand this edge case.

Suggested change
* should be `none()`.
* should be `none()`.
*
* Example:
* ```
* // If your query does not report the source location at all, override as:
* override Location getASelectedSourceLocation(Node source) { none() }
* ```


Comment on lines +135 to 136
exists(DataFlow::CallNode openCall | result = [openCall.getLocation(), source.getLocation()] |
isWritableFileHandle(source, openCall)

Copilot AI Oct 15, 2025


[nitpick] Using a list expression [openCall.getLocation(), source.getLocation()] for result assignment is unconventional. Consider using separate or branches for better readability and consistency with other files in this PR.

Suggested change
exists(DataFlow::CallNode openCall | result = [openCall.getLocation(), source.getLocation()] |
isWritableFileHandle(source, openCall)
exists(DataFlow::CallNode openCall |
isWritableFileHandle(source, openCall) and
(result = openCall.getLocation() or result = source.getLocation())


Comment on lines +36 to +37
result = [target.getLocation(), source.getLocation()]
|

Copilot AI Oct 15, 2025


[nitpick] Similar to the Go file, using a list expression for result assignment is inconsistent with the pattern used elsewhere in this PR. Consider using separate or branches for consistency.

Suggested change
result = [target.getLocation(), source.getLocation()]
|
(
result = target.getLocation() or
result = source.getLocation()
) and


@d10c d10c requested a review from michaelnebel October 15, 2025 16:02

@geoffw0 geoffw0 left a comment


So, putting this in my own words, getASelectedSourceLocation and getASelectedSinkLocation now need to explicitly specify the source / sink location itself as one of their results, where they did not need to before. The default behaviour for configurations that don't override the predicates remains the same, and an any() implementation also remains the same as the source / sink is already included.

Rust and Swift 👍


Labels

Actions Analysis of GitHub Actions C# C++ DataFlow Library Go Java JS no-change-note-required This PR does not need a change note Python Ruby Rust Pull requests that update Rust code Swift
