Merge pull request #19660 from d10c/d10c/go/diff-informed

d10c · web-flow · commit a8dc3008ef38 · 2025-06-17T14:52:46.000+02:00
Go: mass enable diff-informed data flow
diff --git a/go/ql/lib/semmle/go/security/CleartextLogging.qll b/go/ql/lib/semmle/go/security/CleartextLogging.qll
@@ -46,6 +46,8 @@ module CleartextLogging {
       // Also exclude protobuf field fetches, since they amount to single field reads.
       not any(Protobuf::GetMethod gm).taintStep(src, trg)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -197,6 +197,8 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/lib/semmle/go/security/LogInjection.qll b/go/ql/lib/semmle/go/security/LogInjection.qll
@@ -21,6 +21,8 @@ module LogInjection {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about log injection vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck {
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about JWT vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
@@ -54,6 +54,8 @@ module OpenUrlRedirect {
       or
       hostnameSanitizingPrefixEdge(node, _)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow from unvalidated, untrusted data to URL redirections. */
diff --git a/go/ql/lib/semmle/go/security/SqlInjection.qll b/go/ql/lib/semmle/go/security/SqlInjection.qll
@@ -23,6 +23,8 @@ module SqlInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/StoredCommand.qll b/go/ql/lib/semmle/go/security/StoredCommand.qll
@@ -26,6 +26,8 @@ module StoredCommand {
     predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about command-injection vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/StoredXss.qll b/go/ql/lib/semmle/go/security/StoredXss.qll
@@ -22,6 +22,8 @@ module StoredXss {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about XSS. */
diff --git a/go/ql/lib/semmle/go/security/StringBreak.qll b/go/ql/lib/semmle/go/security/StringBreak.qll
@@ -26,6 +26,8 @@ module StringBreak {
     predicate isBarrier(DataFlow::Node node, FlowState state) {
       state = node.(Sanitizer).getQuote()
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/TaintedPath.qll b/go/ql/lib/semmle/go/security/TaintedPath.qll
@@ -17,6 +17,8 @@ module TaintedPath {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about path-traversal vulnerabilities. */
diff --git a/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll b/go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll
@@ -27,6 +27,8 @@ module UncontrolledAllocationSize {
         node2 = cn.getResult(0)
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about uncontrolled allocation size issues. */
diff --git a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
@@ -44,6 +44,8 @@ module UnsafeUnzipSymlink {
     predicate isSink(DataFlow::Node sink) { sink instanceof SymlinkSink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/XPathInjection.qll b/go/ql/lib/semmle/go/security/XPathInjection.qll
@@ -19,6 +19,8 @@ module XPathInjection {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/ZipSlip.qll b/go/ql/lib/semmle/go/security/ZipSlip.qll
@@ -17,6 +17,8 @@ module ZipSlip {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about zip-slip vulnerabilities. */
diff --git a/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql b/go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
@@ -103,6 +103,8 @@ module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     StringOps::Concatenation::taintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = DataFlow::Global<IncompleteHostNameRegexpConfig>;
diff --git a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
@@ -72,6 +72,8 @@ module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isSourceString(source, _) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = DataFlow::Global<Config>;
diff --git a/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql b/go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
@@ -40,6 +40,8 @@ module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isSourceString(source, _) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-209/StackTraceExposure.ql b/go/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -62,6 +62,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
       cgn.dominates(node.getBasicBlock())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
@@ -25,6 +25,8 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node = DataFlow::BarrierGuard<comparisonBarrierGuard/3>::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
@@ -40,6 +40,8 @@ module ConstantStateFlowConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { isSinkCall(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-640/EmailInjection.qll b/go/ql/src/Security/CWE-640/EmailInjection.qll
@@ -20,6 +20,8 @@ module EmailInjection {
     predicate isSource(DataFlow::Node source) { source instanceof Source }
 
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about email-injection vulnerabilities. */
diff --git a/go/ql/src/experimental/CWE-090/LDAPInjection.qll b/go/ql/src/experimental/CWE-090/LDAPInjection.qll
@@ -101,6 +101,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof LdapSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/experimental/CWE-203/Timing.ql b/go/ql/src/experimental/CWE-203/Timing.ql
@@ -102,6 +102,8 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink and not isBadResult(sink) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
@@ -42,6 +42,8 @@ module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(PamAcctMgmt p | p.getACall().getReceiver() = sink)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PamStartToAcctMgmtFlow = TaintTracking::Global<PamStartToAcctMgmtConfig>;
@@ -55,6 +57,8 @@ module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(PamAuthenticate p | p.getACall().getReceiver() = sink)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PamStartToAuthenticateFlow = TaintTracking::Global<PamStartToAuthenticateConfig>;
diff --git a/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll b/go/ql/src/experimental/CWE-287/ImproperLdapAuthCustomizations.qll
@@ -74,6 +74,8 @@ module ImproperLdapAuth {
     predicate isSink(DataFlow::Node sink) { sink instanceof LdapAuthSink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof LdapSanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
diff --git a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql
@@ -33,6 +33,8 @@ module JwtParseWithConstantKeyConfig implements DataFlow::ConfigSig {
     // second part is the JWT Parsing Functions that get a string or byte as an argument
     sink = any(JwtParse jp).getKeyArg()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module GolangJwtKeyFuncConfig implements DataFlow::ConfigSig {
diff --git a/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll b/go/ql/src/experimental/CWE-327/WeakCryptoAlgorithmCustomizations.qll
@@ -54,6 +54,8 @@ module WeakCryptoAlgorithm {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
diff --git a/go/ql/src/experimental/CWE-369/DivideByZero.ql b/go/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -45,6 +45,8 @@ module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink = DataFlow::exprNode(any(QuoExpr e).getRightOperand())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll b/go/ql/src/experimental/CWE-74/DsnInjectionCustomizations.qll
@@ -19,6 +19,8 @@ private module DsnInjectionConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof RegexpCheckBarrier }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/go/ql/src/experimental/frameworks/DecompressionBombs.qll b/go/ql/src/experimental/frameworks/DecompressionBombs.qll
@@ -56,6 +56,8 @@ module DecompressionBomb {
         addStep.isAdditionalFlowStep(fromNode, fromState, toNode, toState)
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about decompression bomb vulnerabilities. */

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ module CleartextLogging {`
`46`	`46`	`// Also exclude protobuf field fetches, since they amount to single field reads.`
`47`	`47`	`not any(Protobuf::GetMethod gm).taintStep(src, trg)`
`48`	`48`	`}`
	`49`	`+`
	`50`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,8 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf`
`197`	`197`	`predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }`
`198`	`198`
`199`	`199`	`predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }`
	`200`	`+`
	`201`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`200`	`202`	`}`
`201`	`203`
`202`	`204`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ module LogInjection {`
`21`	`21`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`22`	`22`
`23`	`23`	`predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }`
	`24`	`+`
	`25`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`/** Tracks taint flow for reasoning about log injection vulnerabilities. */`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`24`	`any(AdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/** Tracks taint flow for reasoning about JWT vulnerabilities. */`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,8 @@ module OpenUrlRedirect {`
`54`	`54`	`or`
`55`	`55`	`hostnameSanitizingPrefixEdge(node, _)`
`56`	`56`	`}`
	`57`	`+`
	`58`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`57`	`59`	`}`
`58`	`60`
`59`	`61`	`/** Tracks taint flow from unvalidated, untrusted data to URL redirections. */`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module SqlInjection {`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`26`	`+`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,8 @@ module StoredCommand {`
`26`	`26`	`predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink }`
`27`	`27`
`28`	`28`	`predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }`
	`29`	`+`
	`30`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`29`	`31`	`}`
`30`	`32`
`31`	`33`	`/** Tracks taint flow for reasoning about command-injection vulnerabilities. */`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ module StoredXss {`
`22`	`22`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`23`	`23`
`24`	`24`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`25`	`+`
	`26`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`/** Tracks taint flow for reasoning about XSS. */`
Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,8 @@ module StringBreak {`
`26`	`26`	`predicate isBarrier(DataFlow::Node node, FlowState state) {`
`27`	`27`	`state = node.(Sanitizer).getQuote()`
`28`	`28`	`}`
	`29`	`+`
	`30`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`29`	`31`	`}`
`30`	`32`
`31`	`33`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@ module TaintedPath {`
`17`	`17`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`18`	`18`
`19`	`19`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`20`	`+`
	`21`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`20`	`22`	`}`
`21`	`23`
`22`	`24`	`/** Tracks taint flow for reasoning about path-traversal vulnerabilities. */`