
Swift: mass enable diff-informed data flow #19662


Draft
wants to merge 3 commits into
base: main
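--- a/swift/ql/lib/change-notes/2025-06-04-diff-informed.md
+++ b/swift/ql/lib/change-notes/2025-06-04-diff-informed.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A number of built-in Swift queries can now run in diff-informed mode.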
Expand Up @@ -25,6 +25,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
}

predicate observeDiffInformedIncrementalMode() { any() }
Contributor


What does this mean?

(I wrote many of these queries, I'm sure I can figure out if it's appropriate)

Contributor Author


This line enables diff-informed mode, i.e. only showing results that are in a diff range. There is currently some internal documentation here, not sure if it's documented publicly yet.

}

/**
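Review bot: Adding `observeDiffInformedIncrementalMode() { any() }` to CleartextLoggingConfig is only safe if the query built on it reports its alert at the source or sink node's own location, and the matching `.ql` select clause is not part of this page. Diff-informed filtering keeps sources and sinks whose location falls inside the diff range, so a query that selects some other element (an enclosing call or declaration, say) can silently lose a genuine alert in a pull-request run. For any such query, override `getASelectedSinkLocation` / `getASelectedSourceLocation` in the config to return the reported location, or leave the mode off with `none()` and a short comment saying why. The same check applies to the identical line added in every other config on this page, from CleartextTransmissionConfig through RegexInjectionConfig. A test that runs one of these queries in both modes would catch a mismatch.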
Expand Up @@ -28,6 +28,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {
// make sources barriers so that we only report the closest instance
isSource(node)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -23,6 +23,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -38,6 +38,8 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
2 changes: 2 additions & 0 deletions swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll
Expand Up @@ -39,6 +39,8 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;
2 changes: 2 additions & 0 deletions swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll
Expand Up @@ -22,6 +22,8 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(EcbEncryptionAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;
Expand Up @@ -46,6 +46,8 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;
Expand Up @@ -34,6 +34,8 @@ module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(InsufficientHashIterationsAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module InsufficientHashIterationsFlow = TaintTracking::Global<InsufficientHashIterationsConfig>;
2 changes: 2 additions & 0 deletions swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
Expand Up @@ -23,6 +23,8 @@ module PathInjectionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
any(PathInjectionAdditionalFlowStep s).step(node1, node2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -22,6 +22,8 @@ module PredicateInjectionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
any(PredicateInjectionAdditionalFlowStep s).step(n1, n2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
2 changes: 2 additions & 0 deletions swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll
Expand Up @@ -23,6 +23,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(SqlInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -40,6 +40,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(StaticInitializationVectorAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
Expand Up @@ -39,6 +39,8 @@ module StringLengthConflationConfig implements DataFlow::StateConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(StringLengthConflationAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -23,6 +23,8 @@ module TaintedFormatConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(UncontrolledFormatStringAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
2 changes: 2 additions & 0 deletions swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
Expand Up @@ -22,6 +22,8 @@ module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(UnsafeJsEvalAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
2 changes: 2 additions & 0 deletions swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll
Expand Up @@ -24,6 +24,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(UnsafeUnpackAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -37,6 +37,8 @@ module WeakPasswordHashingConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(WeakPasswordHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module WeakPasswordHashingFlow = TaintTracking::Global<WeakPasswordHashingConfig>;
Expand Up @@ -38,6 +38,8 @@ module WeakSensitiveDataHashingConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(WeakSensitiveDataHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module WeakSensitiveDataHashingFlow = TaintTracking::Global<WeakSensitiveDataHashingConfig>;
2 changes: 2 additions & 0 deletions swift/ql/lib/codeql/swift/security/XXEQuery.qll
Expand Up @@ -22,6 +22,8 @@ module XxeConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
any(XxeAdditionalFlowStep s).step(n1, n2)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**
Expand Up @@ -22,6 +22,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(RegexInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/**