[DIFF-INFORMED] C++: CWE-311/Cleartext…

d10c · d10c · commit 05df2f2216ff · 2025-08-15T12:01:13.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -47,6 +47,12 @@ module ToBufferConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(SensitiveBufferWrite w | result = w.getLocation() | isSinkImpl(sink, w))
+  }
 }
 
 module ToBufferFlow = TaintTracking::Global<ToBufferConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -31,6 +31,16 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sourceNode) {
+    exists(SensitiveExpr source | result = source.getLocation() | isSourceImpl(sourceNode, source))
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(FileWrite w | result = w.getLocation() | isSinkImpl(sink, w, _))
+  }
 }
 
 module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -245,6 +245,14 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
     // sources to not get path duplication.
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(NetworkSendRecv networkSendRecv | result = networkSendRecv.getLocation() |
+      isSinkSendRecv(sink, networkSendRecv)
+    )
+  }
 }
 
 module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
@@ -266,6 +274,10 @@ module ToEncryptionConfig implements DataFlow::ConfigSig {
     // sources to not get path duplication.
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used negatively
+  }
 }
 
 module ToEncryptionFlow = TaintTracking::Global<ToEncryptionConfig>;
@@ -281,6 +293,10 @@ module FromEncryptionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.asExpr().getUnspecifiedType() instanceof IntegralType
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used negatively
+  }
 }
 
 module FromEncryptionFlow = TaintTracking::Global<FromEncryptionConfig>;

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,12 @@ module ToBufferConfig implements DataFlow::ConfigSig {`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }`
	`50`	`+`
	`51`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`52`	`+`
	`53`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`54`	`+ exists(SensitiveBufferWrite w \| result = w.getLocation() \| isSinkImpl(sink, w))`
	`55`	`+ }`
`50`	`56`	`}`
`51`	`57`
`52`	`58`	`module ToBufferFlow = TaintTracking::Global<ToBufferConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -245,6 +245,14 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {`
`245`	`245`	`// sources to not get path duplication.`
`246`	`246`	`isSource(node)`
`247`	`247`	`}`
	`248`	`+`
	`249`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`250`	`+`
	`251`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`252`	`+ exists(NetworkSendRecv networkSendRecv \| result = networkSendRecv.getLocation() \|`
	`253`	`+ isSinkSendRecv(sink, networkSendRecv)`
	`254`	`+ )`
	`255`	`+ }`
`248`	`256`	`}`
`249`	`257`
`250`	`258`	`module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;`
`@@ -266,6 +274,10 @@ module ToEncryptionConfig implements DataFlow::ConfigSig {`
`266`	`274`	`// sources to not get path duplication.`
`267`	`275`	`isSource(node)`
`268`	`276`	`}`
	`277`	`+`
	`278`	`+ predicate observeDiffInformedIncrementalMode() {`
	`279`	`+ none() // only used negatively`
	`280`	`+ }`
`269`	`281`	`}`
`270`	`282`
`271`	`283`	`module ToEncryptionFlow = TaintTracking::Global<ToEncryptionConfig>;`
`@@ -281,6 +293,10 @@ module FromEncryptionConfig implements DataFlow::ConfigSig {`
`281`	`293`	`predicate isBarrier(DataFlow::Node node) {`
`282`	`294`	`node.asExpr().getUnspecifiedType() instanceof IntegralType`
`283`	`295`	`}`
	`296`	`+`
	`297`	`+ predicate observeDiffInformedIncrementalMode() {`
	`298`	`+ none() // only used negatively`
	`299`	`+ }`
`284`	`300`	`}`
`285`	`301`
`286`	`302`	`module FromEncryptionFlow = TaintTracking::Global<FromEncryptionConfig>;`