Swift: mass enable diff-informed data flow

Author: asgerf

swift/ql/lib/codeql/swift/regex/Regex.qll

@@ -491,6 +491,12 @@ private module NSStringCompareOptionsFlagConfig implements DataFlow::ConfigSig {
     isSink(node) and
     c.getAReadContent() instanceof DataFlow::Content::CollectionContent
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // swift/ql/lib/codeql/swift/regex/Regex.qll:507: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module NSStringCompareOptionsFlagFlow = DataFlow::Global<NSStringCompareOptionsFlagConfig>;

swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll

@@ -25,6 +25,12 @@ private module StringLiteralUseConfig implements DataFlow::ConfigSig {
     // used to create a regular expression object
     node = any(RegexCreation regexCreation).getStringInput()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // swift/ql/lib/codeql/swift/regex/Regex.qll:53: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module StringLiteralUseFlow = DataFlow::Global<StringLiteralUseConfig>;
@@ -47,6 +53,12 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(RegexAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // swift/ql/lib/codeql/swift/regex/Regex.qll:350: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module RegexUseFlow = DataFlow::Global<RegexUseConfig>;
@@ -102,6 +114,13 @@ private module RegexParseModeConfig implements DataFlow::StateConfigSig {
   ) {
     none()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // swift/ql/lib/codeql/swift/regex/Regex.qll:364: Flow call outside 'select' clause
+    // swift/ql/lib/codeql/swift/regex/Regex.qll:365: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module RegexParseModeFlow = DataFlow::GlobalWithState<RegexParseModeConfig>;

swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll

@@ -25,6 +25,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -48,6 +48,8 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
     node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and
     c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll

@@ -30,6 +30,8 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll

@@ -73,6 +73,12 @@ private module ExcludeUrlConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node node) { urlInit(_, node.asExpr()) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll:90: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module ExcludeUrlFlow = TaintTracking::Global<ExcludeUrlConfig>;

swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll

@@ -28,6 +28,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll

@@ -23,6 +23,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll

@@ -38,6 +38,8 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;

swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll

@@ -39,6 +39,8 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;