
d10c

@d10c d10c commented Oct 8, 2025

Now that sources and sinks are always added to the SARIF related locations, this PR updates the location overrides of diff-informed queries to match that behaviour.

Methodology

$ git grep -P 'getASelectedSourceLocation|getASelectedSinkLocation'
Actions (9)
  • OutputClobberingQuery.qll
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll=185=private module OutputClobberingConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll:220:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • RequestForgeryQuery.qll
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll=15=private module RequestForgeryConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll:22:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • SecretExfiltrationQuery.qll
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll=14=private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll:21:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSinks.ql
actions/ql/src/Models/CompositeActionsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSources.ql
actions/ql/src/Models/CompositeActionsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSummaries.ql
actions/ql/src/Models/CompositeActionsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSinks.ql
actions/ql/src/Models/ReusableWorkflowsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSources.ql
actions/ql/src/Models/ReusableWorkflowsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSummaries.ql
actions/ql/src/Models/ReusableWorkflowsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
C++ (1)
  • WordexpTainted.ql
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql=38=module WordexpTaintConfig implements DataFlow::ConfigSig {
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql:54:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
C# (1)
  • DontInstallRootCert.ql
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql=17=module AddCertToRootStoreConfig implements DataFlow::ConfigSig {
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql:43:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Go (4)
  • MissingRegexpAnchor.ql: nothing to do (not a path-problem)
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql=63=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql:78:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • InsufficientKeySize.ql
go/ql/src/Security/CWE-326/InsufficientKeySize.ql=15=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-326/InsufficientKeySize.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • PamAuthBypass.ql: shouldn't be diff-informed; uses secondary config.
go/ql/src/experimental/CWE-285/PamAuthBypass.ql=37=module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:48:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
go/ql/src/experimental/CWE-285/PamAuthBypass.ql=54=module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:65:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • DivideByZero.ql
go/ql/src/experimental/CWE-369/DivideByZero.ql=30=module Config implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-369/DivideByZero.ql:51:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Java (23)
  • ArbitraryApkInstallationQuery.qll
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll=12=module ApkInstallationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll:29:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ArithmeticTaintedQuery.qll
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=8=module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:21:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=32=module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ArithmeticUncontrolledQuery.qll
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=16=module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=37=module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:48:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • BrokenCryptoAlgorithmQuery.qll
java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll=28=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CleartextStorageQuery.qll: nothing to be done; no path-problem queries use this config.
java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll=46=private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll:64:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CommandLineQuery.qll
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll=51=module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll:68:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ConditionalBypassQuery.qll
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll=42=module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ImproperIntentVerificationQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll=17=private module VerifiedIntentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:31:  Location getASelectedSourceLocation(DataFlow::Node src) {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:46:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll=10=module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ImproperValidationOfArrayConstructionQuery.qll
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll=11=module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll:20:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureTrustManagerQuery.qll: nothing to be done, already both source and sink.
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll=11=module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll:24:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • MaybeBrokenCryptoAlgorithmQuery.qll
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll=71=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll:83:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • NumericCastTaintedQuery.qll
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll=87=module NumericCastFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll:108:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RandomQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/RandomQuery.qll=32=private module PredictableSeedFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/RandomQuery.qll:43:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • SqlConcatenatedQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll=21=module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • TaintedEnvironmentVariableQuery.qll
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll=28=module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • TaintedPermissionsCheckQuery.qll
java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll=56=module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll:65:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • TempDirLocalInformationDisclosureQuery.qll
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll=131=module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll:151:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • UnsafeCertTrustQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll=11=module SslEndpointIdentificationFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll:20:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • UnsafeDeserializationQuery.qll
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll=302=private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll:315:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHostnameVerificationQuery.qll: nothing to be done, already selects both source and sink.
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll=37=module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll:71:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • WebviewDebuggingEnabledQuery.qll
java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll=35=module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll:50:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • PolynomialReDoSQuery.qll: nothing to be done, already selects both source and sink.
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll=37=module PolynomialRedosConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
JS (16)
  • BrokenCryptoAlgorithmQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll=22=module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ClientSideRequestForgeryQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll=17=module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CommandInjectionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll=27=module CommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CorsMisconfigurationForCredentialsQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll=17=module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • DeepObjectResourceExhaustionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll=14=module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll:39:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • IndirectCommandInjectionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll=13=module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureDownloadQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll=16=module InsecureDownloadConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • PrototypePollutionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll=27=module PrototypePollutionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RequestForgeryQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll=17=module RequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ShellCommandInjectionFromEnvironmentQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll=17=module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll:33:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeCodeConstruction.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll=15=module UnsafeCodeConstruction {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll:38:    Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHtmlConstructionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll=18=module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll:66:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeJQueryPluginQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll=13=module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll:42:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll=16=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {

- [x] PolynomialReDoSQuery.qll: 

javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll=14=module PolynomialReDoSConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • SSRF.qll
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll=5=module SsrfConfig implements DataFlow::ConfigSig {
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll:32:  Location getASelectedSourceLocation(DataFlow::Node source) {
Python (8)
  • PolynomialReDoSQuery.qll
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll=14=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RegexInjectionQuery.qll: nothing to be done, already selects both source and sink.
python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll=15=private module RegexInjectionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll:24:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ServerSideRequestForgeryQuery.qll
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll=61=private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll:70:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.
python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll=19=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll:34:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeUsageOfClientSideEncryptionVersion.ql
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql=99=private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql:151:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CorsBypass.ql
python/ql/src/experimental/Security/CWE-346/CorsBypass.ql=64=module CorsBypassConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/CWE-346/CorsBypass.ql:85:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeUnpackQuery.qll
python/ql/src/experimental/Security/UnsafeUnpackQuery.qll=42=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/UnsafeUnpackQuery.qll:214:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • LdapInsecureAuth.qll
python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll=91=private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll:107:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Ruby (11)
  • ConditionalBypassQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll=14=private module Config implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureDownloadQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll=13=private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeCodeConstructionQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll=15=private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll:30:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHtmlConstructionQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll=15=private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.
ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll=16=private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • PolynomialReDoSQuery.qll
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll=13=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • DecompressionApi.ql: nothing to be done, already selects both source and sink.
ruby/ql/src/experimental/decompression-api/DecompressionApi.ql=36=private module DecompressionApiConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/decompression-api/DecompressionApi.ql:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ManuallyCheckHttpVerb.ql
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql=75=private module HttpVerbConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql:92:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • WeakParams.ql
ruby/ql/src/experimental/weak-params/WeakParams.ql=44=private module WeakParamsConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/weak-params/WeakParams.ql:52:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • TaintedNodes.ql: nothing to be done, not a path-problem.
ruby/ql/src/queries/meta/TaintedNodes.ql=15=private module BasicTaintConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/meta/TaintedNodes.ql:25:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • WeakFilePermissions.ql
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql=49=private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql:62:  Location getASelectedSinkLocation(DataFlow::Node sink) {
Shared (3) (documentation only)
  • DataFlow.qll
shared/dataflow/codeql/dataflow/DataFlow.qll=354=module Configs<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/DataFlow.qll:460:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:471:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:609:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:620:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
  • DataFlowImpl.qll
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll=16=module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:146:    Location getASelectedSourceLocation(Node source);
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:148:    Location getASelectedSinkLocation(Node sink);
  • DataFlowImplStage1.qll
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll=15=module MakeImplStage1<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:136:        then AlertFiltering::filterByLocation(Config::getASelectedSourceLocation(source))
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:147:        then AlertFiltering::filterByLocation(Config::getASelectedSinkLocation(sink))
Swift (8)
  • CleartextStorageDatabaseQuery.qll
swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll=16=module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll:54:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CleartextStoragePreferencesQuery.qll
swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll=16=module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ConstantPasswordQuery.qll
swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll=26=module ConstantPasswordConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • InsufficientHashIterationsQuery.qll
swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll=27=module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • StaticInitializationVectorQuery.qll
swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll=26=module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll:46:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • StringLengthConflationQuery.qll
swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll=16=module StringLengthConflationConfig implements DataFlow::StateConfigSig {
swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll:45:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeJsEvalQuery.qll
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll=15=module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll:28:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeUnpackQuery.qll
swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll=15=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

Questions

  1. In queries like Go/PamAuthBypass and Java/CommandLineQuery, in which of these cases is the use of secondary/negated flows permitted?
  • Split off Go/PamAuthBypass into its own PR: increase efficiency by moving query clauses to isSource of other config (that would allow the main config to be diff informed). -> WIP: Go/PamAuthBypass #20642
  1. In Java/CommandLineQuery, not all of the queries using the config are path-problems. How do I correctly override the location in that case?
  • It's fine, but complicated and delicate. Write a code comment.

d10c added 20 commits October 14, 2025 17:03
actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql uses source as endpoint
actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql uses source as endpoint
actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file usees source and sink as endpoints
java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
d10c added 29 commits October 14, 2025 17:05
java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql
java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql

javascript/ql/src/Security/CWE-078/CommandInjection.ql
javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
javascript/ql/src/Performance/PolynomialReDoS.ql
javascript/ql/src/experimental/Security/CWE-918/SSRF.ql
python/ql/src/Security/CWE-730/PolynomialReDoS.ql
python/ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql
python/ql/src/experimental/Security/CWE-022bis/UnsafeUnpack.ql
python/ql/src/experimental/Security/CWE-522/LdapInsecureAuth.ql
ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql
swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql
swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql
swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
swift/ql/src/queries/Security/CWE-916/InsufficientHashIterations.ql
swift/ql/src/queries/Security/CWE-1204/StaticInitializationVector.ql
swift/ql/src/queries/Security/CWE-135/StringLengthConflation.ql
swift/ql/src/queries/Security/CWE-094/UnsafeJsEval.ql
swift/ql/src/experimental/Security/CWE-022/UnsafeUnpack.ql
@d10c d10c force-pushed the d10c/update-diff-informed-testing branch from a1c5d9d to 9144f52 Compare October 14, 2025 15:16