From 7bf34f0a56c0515cd9029f3ddad8a82c79dcb8f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:21:04 +0200
Subject: [PATCH 01/29] Actions/OutputClobberingQuery actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql uses source as endpoint
---
 .../ql/lib/codeql/actions/security/OutputClobberingQuery.qll | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
index c67d2876b091..485d2762798e 100644
--- a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -216,8 +216,6 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
From 8d6c9bcf40b6b196b8a10031b3a56de0758f405f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:22:57 +0200
Subject: [PATCH 02/29] Actions/RequestForgeryQuery actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql uses source as endpoint
---
 actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
index d96a12e2608d..fb89ebdc8baf 100644
--- a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -18,8 +18,6 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
From 56f5a717c0f766fbb3dbec7b8833b689e8885ff1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:24:12 +0200
Subject: [PATCH 03/29] Actions/SecretExfiltrationQuery actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql uses source as endpoint
---
 .../ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
index 15cd726c4bba..b3d59210053c 100644
--- a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -17,8 +17,6 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
From 7cf0f5dfe02371f1f2fd2e5f7689772070f3a882 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:26:05 +0200
Subject: [PATCH 04/29] Actions/CompositeActionsSinks Same file uses source as endpoint
---
 actions/ql/src/Models/CompositeActionsSinks.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql
index 65d3fdce9dc7..82f0754f03e2 100644
--- a/actions/ql/src/Models/CompositeActionsSinks.ql
+++ b/actions/ql/src/Models/CompositeActionsSinks.ql
@@ -26,8 +26,6 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module MyFlow = TaintTracking::Global;
From 05a0121a5c8c781fa57ac6f25dde43b4cd5e88fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:27:01 +0200
Subject: [PATCH 05/29] Actions/CompositeActionsSources Same file uses source as endpoint
---
 actions/ql/src/Models/CompositeActionsSources.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql
index 2f3e98b3401e..c9974cd73614 100644
--- a/actions/ql/src/Models/CompositeActionsSources.ql
+++ b/actions/ql/src/Models/CompositeActionsSources.ql
@@ -36,8 +36,6 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module MyFlow = TaintTracking::Global;
From e96296b823e5fe8aaceb1c104d7a6858c6c0bdb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:27:58 +0200
Subject: [PATCH 06/29] Actions/CompositeActionsSummaries Same file uses source as endpoint
---
 actions/ql/src/Models/CompositeActionsSummaries.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql
index 1979c381f5d6..814498f639e0 100644
--- a/actions/ql/src/Models/CompositeActionsSummaries.ql
+++ b/actions/ql/src/Models/CompositeActionsSummaries.ql
@@ -27,8 +27,6 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module MyFlow = TaintTracking::Global;
From 053d439259d598240feff80474bf78742d94ce22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:29:46 +0200
Subject: [PATCH 07/29] Actions/ReusableWorkflowsSinks Same file uses source as endpoint
---
 actions/ql/src/Models/ReusableWorkflowsSinks.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
index 2b08f2445d90..8d02debbdb4a 100644
--- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -26,8 +26,6 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module MyFlow = TaintTracking::Global;
From feaaeffb2d83e608b700ee5ca38c155930c146a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:34:43 +0200
Subject: [PATCH 08/29] Actions/ReusableWorkflowsSources
---
 actions/ql/src/Models/ReusableWorkflowsSources.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql
index 831191e4bfb6..a7112bf37584 100644
--- a/actions/ql/src/Models/ReusableWorkflowsSources.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSources.ql
@@ -36,8 +36,6 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module MyFlow = TaintTracking::Global;
From ba9e3bae5e38bd9913480a94565a1ec726a81941 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:35:15 +0200
Subject: [PATCH 09/29] Actions/ReusableWorkflowsSummaries
---
 actions/ql/src/Models/ReusableWorkflowsSummaries.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
index fd2d4b396a08..a05bec744f84 100644
--- a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
@@ -27,8 +27,6 @@ private module MyConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module MyFlow = TaintTracking::Global;
From 74573b64b1651abc7c80ba0faccb440fe646d942 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:36:15 +0200
Subject: [PATCH 10/29] C++/WordexpTainted Same file usees source and sink as endpoints
---
 cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
index 1d032a63ba34..cfe04ba23bfa 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -50,8 +50,6 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }
 module WordexpTaint = TaintTracking::Global;
From 2da99db1079330a72d63f6cc2c11ce0f4169d19a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:36:52 +0200
Subject: [PATCH 11/29] C#/DontInstallRootCert
---
 csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
index d2d226716777..b48ddbf0f350 100644
--- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
+++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
@@ -39,8 +39,6 @@ module AddCertToRootStoreConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module AddCertToRootStore = DataFlow::Global;
From abe696dd8f87d57d2741b45da875119eb2e68826 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:42:38 +0200
Subject: [PATCH 12/29] Go/PamAuthBypass: disable due to secondary flow
---
 go/ql/src/experimental/CWE-285/PamAuthBypass.ql | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
index 755a023ef625..a128cfc44e0b 100644
--- a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
+++ b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
@@ -43,9 +43,9 @@ module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
 exists(PamAcctMgmt p | p.getACall().getReceiver() = sink)
 }
- predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
+ predicate observeDiffInformedIncrementalMode() {
+ none() // used as secondary flow
+ }
 }
 module PamStartToAcctMgmtFlow = TaintTracking::Global;
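Review bot: The two new comments explaining why `observeDiffInformedIncrementalMode()` is now `none()` say different things — `// used as secondary flow` in this hunk and `// uses secondary flow` in the second hunk (@@ -60,9 +60,9 @@) — and the second reads as if the config consumes a secondary flow rather than being one. Both modules are switched off for the same reason the commit title gives, so one wording for both would be clearer, e.g. `none() // this config is a secondary flow in PamAuthBypass.ql, so it must not be diff-informed`. Both module definitions begin above their hunks.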
@@ -60,9 +60,9 @@ module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
 exists(PamAuthenticate p | p.getACall().getReceiver() = sink)
 }
- predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
+ predicate observeDiffInformedIncrementalMode() {
+ none() // uses secondary flow
+ }
 }
 module PamStartToAuthenticateFlow = TaintTracking::Global;
From 87ce654b346651c4fd5ada5a7f5af451eacfd391 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 13:43:24 +0200
Subject: [PATCH 13/29] Go/DivideByZero
---
 go/ql/src/experimental/CWE-369/DivideByZero.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/go/ql/src/experimental/CWE-369/DivideByZero.ql b/go/ql/src/experimental/CWE-369/DivideByZero.ql
index 8afd165832bc..99cd120dbf8b 100644
--- a/go/ql/src/experimental/CWE-369/DivideByZero.ql
+++ b/go/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -47,8 +47,6 @@ module Config implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 /**
From bddc43bd05a7e31ae39f4090da1f253b6ece5782 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 14:04:17 +0200
Subject: [PATCH 14/29] Go/InsufficientKeySize
---
 go/ql/src/Security/CWE-326/InsufficientKeySize.ql | 2 --
 1 file changed, 2 deletions(-)
diff --git a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
index 5d0ee7ac6ab3..6fa421baaeb3 100644
--- a/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
+++ b/go/ql/src/Security/CWE-326/InsufficientKeySize.ql
@@ -27,8 +27,6 @@ module Config implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 /**
From fb32d0d762ce4cd06f0916a1b28d3991bff41a9b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 14:27:49 +0200
Subject: [PATCH 15/29] Java/ArbitraryApkInstallationQuery java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
---
 .../semmle/code/java/security/ArbitraryApkInstallationQuery.qll | 2 --
 1 file changed, 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
index 8c833bb79d60..e907a9ffeaa8 100644
--- a/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll
@@ -25,8 +25,6 @@ module ApkInstallationConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 module ApkInstallationFlow = DataFlow::Global;
From 02a0eefc06ef2a1522d43ebb37bda2c6be73efb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 14:56:11 +0200
Subject: [PATCH 16/29] Java/ArithmeticTainted java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
---
 .../lib/semmle/code/java/security/ArithmeticTaintedQuery.qll | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
index fbb8509f48f9..c3d4e7876d56 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -19,6 +19,8 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
 }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
 }
 }
@@ -43,6 +45,8 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
 }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
 }
 }
From e5c8d6efc8f6f1ab932cad3be159218a8234e385 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 14:57:34 +0200
Subject: [PATCH 17/29] Java/ArithmeticUncontrolledQuery java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
---
 .../semmle/code/java/security/ArithmeticUncontrolledQuery.qll | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
index 6b7b337ad656..ac79aef3f377 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -25,6 +25,8 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
 }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
 }
 }
@@ -46,6 +48,8 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
 }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
 }
 }
From 3ee393bc689bf4c7daae51a6932392594207d06f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 8 Oct 2025 14:59:49 +0200
Subject: [PATCH 18/29] Java/BrokenCryptoAlgorithmQuery java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
---
 .../semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
index 4f9e39b23f2d..7cdd2c453b5a 100644
--- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -35,6 +35,8 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation())
 }
 }
From 9667b41673f97706a4678b0d4e2e4c571c784dca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 09:56:44 +0200
Subject: [PATCH 19/29] Java/CommandLineQuery https://github.com/github/codeql/blob/85a4dd0325104ecd613c9e3e7c25190d41906605/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql https://github.com/github/codeql/blob/857b51be5895bf437ea25b5ce2581527d5af69fb/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql https://github.com/github/codeql/blob/b6e56f26c7509a041ce92bdda13db0a09da886e3/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
---
 java/ql/lib/semmle/code/java/security/CommandLineQuery.qll | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index a1c75f93802e..82d24eb718ec 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -63,9 +63,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
 // only to prevent overlapping results between two queries.
 predicate observeDiffInformedIncrementalMode() { any() }
- // All queries use the argument as the primary location and do not use the
- // sink as an associated location.
+ // ExecTainted.ql queries use the argument as the primary location;
+ // ExecUnescaped.ql does not (used to prevent overlapping results).
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
 }
 }
From 1623ce28587b6f68bbb9af13ca7389b89b588504 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 10:15:54 +0200
Subject: [PATCH 20/29] Java/ConditionalBypass java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
---
 .../ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
index 314570369377..087ca674cda6 100644
--- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -51,6 +51,8 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(MethodCall m, Expr e | result = [m, e].getLocation() |
 conditionControlsMethod(m, e) and
 sink.asExpr() = e
From be2c824563b131781797c05baab19a963f4b5ff2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 10:42:45 +0200
Subject: [PATCH 21/29] Java/ImproperValidationOfArrayConstructionCodeSpecifiedQuery java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
---
 .../ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
index e952971c389f..487d9e3924e1 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -21,6 +21,8 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
 result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
 arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
From e152b9b74967e63868ce9dbaee6551bcf45a7c15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 10:44:22 +0200
Subject: [PATCH 22/29] Java/ImproperValidationOfArrayConstructionFlow java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
---
 .../security/ImproperValidationOfArrayConstructionQuery.qll | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
index 913d50b3159d..d37a8d882b3e 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -18,6 +18,8 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
 result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
 arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
From 3d59f5b63278b07b7d413048a05ba846aba3fda1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 14:00:05 +0200
Subject: [PATCH 23/29] Java/MaybeBrokenCryptoAlgorithmQuery java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
---
 .../code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
index 57622b367f31..22c7320a55aa 100644
--- a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
@@ -81,7 +81,9 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
- exists(CryptoAlgoSpec c | result = c.getLocation() | sink.asExpr() = c.getAlgoSpec())
+ exists(CryptoAlgoSpec c | result = sink.getLocation() or result = c.getLocation() |
+ sink.asExpr() = c.getAlgoSpec()
+ )
 }
 }
From 216393f747d856abdc1bea7e5053a26ebcefad16 Mon Sep 17 00:00:00 2001
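Review bot: In the rewritten `getASelectedSinkLocation` of MaybeBrokenCryptoAlgorithmQuery.qll (@@ -81,7 +81,9 @@), `result = sink.getLocation()` is only produced when a `CryptoAlgoSpec c` with `sink.asExpr() = c.getAlgoSpec()` exists, because the disjunction sits inside the `exists` whose condition ranges over `c`, whereas the sibling change in BrokenCryptoAlgorithmQuery.qll (@@ -35,6 +35,8 @@) selects the sink's own location unconditionally. If `isSink` in this module is defined by exactly that algo-spec condition the two forms are equivalent, but if it is wider, a sink with no matching spec would have no selected location at all and its result would be pruned in diff-informed mode; `result = sink.getLocation() or exists(CryptoAlgoSpec c | result = c.getLocation() | sink.asExpr() = c.getAlgoSpec())` keeps the two files consistent and avoids the question. The same scoping applies to NumericCastTaintedQuery.qll (@@ -106,8 +106,9 @@) and TaintedPermissionsCheckQuery.qll (@@ -63,8 +63,9 @@), where `result = sink.getLocation()` likewise sits inside the `exists`. `isSink` is outside these hunks, so the equivalence cannot be confirmed from the diff.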
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 14:01:26 +0200
Subject: [PATCH 24/29] Java/NumericCastTaintedQuery java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
---
 .../semmle/code/java/security/NumericCastTaintedQuery.qll | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
index bfe22c69e642..841ff4f85153 100644
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -106,8 +106,9 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
- exists(NumericNarrowingCastExpr cast |
- cast.getExpr() = sink.asExpr() and
+ exists(NumericNarrowingCastExpr cast | cast.getExpr() = sink.asExpr() |
+ result = sink.getLocation()
+ or
 result = cast.getLocation()
 )
 }
From 1edc6b7d3745ba3b2a665e7a946c18b75c18f1cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 14:05:43 +0200
Subject: [PATCH 25/29] Java/TaintedEnvironmentVariableQuery java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql
---
 .../code/java/security/TaintedEnvironmentVariableQuery.qll | 2 --
 1 file changed, 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
index d972b59986a6..2bc9dba92f01 100644
--- a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
@@ -40,8 +40,6 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }
 /**
From b1073dd4fe5e5ba1319ef760fa7a78baa6b034ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 14:14:10 +0200
Subject: [PATCH 26/29] Java/TaintedPermissionsCheckQuery java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
---
 .../code/java/security/TaintedPermissionsCheckQuery.qll | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
index bbec7d4f4e6c..7113c7036e4c 100644
--- a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
@@ -63,8 +63,9 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
- exists(PermissionsConstruction p |
- sink.asExpr() = p.getInput() and
+ exists(PermissionsConstruction p | sink.asExpr() = p.getInput() |
+ result = sink.getLocation()
+ or
 result = p.getLocation()
 )
 }
From 1f1ec97267b743f22f24bcddb9ed4d1b6878e29c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 14:15:17 +0200
Subject: [PATCH 27/29] Java/TempDirLocalInformationDisclosureQuery java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
---
 .../java/security/TempDirLocalInformationDisclosureQuery.qll | 2 --
 1 file changed, 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
index 098362f2bd53..0ae1d7e4df01 100644
--- a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
@@ -147,8 +147,6 @@ module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
 }
 /**
From de517aee99a1a05e92dac1dc15c0ce6296e451f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 14:38:37 +0200
Subject: [PATCH 28/29] Java/UnsafeDeserializationQuery java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
---
 .../semmle/code/java/security/UnsafeDeserializationQuery.qll | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
index ce0f649eff35..932f5ca4cbd3 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -313,6 +313,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
 predicate observeDiffInformedIncrementalMode() { any() }
 Location getASelectedSinkLocation(DataFlow::Node sink) {
+ result = sink.getLocation()
+ or
 result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
 }
 }
From 694bae3f2ec3f4432ffa1fed4c187b076a10e0d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Thu, 9 Oct 2025 14:41:30 +0200
Subject: [PATCH 29/29] Java/WebviewDebugEnabledQuery java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
---
 .../code/java/security/WebviewDebuggingEnabledQuery.qll | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
index 080a7bb482f6..90e47521bf04 100644
--- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
@@ -46,12 +46,6 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
 }
 predicate observeDiffInformedIncrementalMode() { any() }
-
- Location getASelectedSourceLocation(DataFlow::Node source) {
- // This module is only used in `WebviewDebuggingEnabled.ql`, which doesn't
- // select the source in any "$@" column.
- none()
- }
 }
 /**