[DIFF-INFORMED] Java: InsecureLdapAuth

d10c · d10c · commit 4a985bf9d867 · 2025-07-17T10:55:54.000+02:00
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql#L21
diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -40,6 +40,20 @@ private module BasicAuthConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    exists(InsecureLdapUrlFlow::PathNode pathSource, InsecureLdapUrlFlow::PathNode pathSink |
+      result = pathSource.getNode().getLocation() and
+      pathSink.getNode() = sink and
+      InsecureLdapUrlFlow::flowPath(pathSource, pathSink)
+    )
+  }
 }
 
 module BasicAuthFlow = DataFlow::Global<BasicAuthConfig>;
@@ -56,6 +70,10 @@ private module RequiresSslConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used negatively in InsecureLdapAuth.ql
+  }
 }
 
 module RequiresSslFlow = DataFlow::Global<RequiresSslConfig>;
