Swift: Use DtatFlow::ConfigSig in InsecureTLS.ql

Author: jketema

swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql

@@ -14,26 +14,24 @@ import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.dataflow.TaintTracking
 import codeql.swift.dataflow.FlowSources
-import DataFlow::PathGraph
+import InsecureTlsFlow::PathGraph
 
 /**
  * A taint config to detect insecure configuration of `NSURLSessionConfiguration`
  */
-class InsecureTlsConfig extends TaintTracking::Configuration {
-  InsecureTlsConfig() { this = "InsecureTLSConfig" }
-
+module InsecureTlsConfig implements DataFlow::ConfigSig {
   /**
    * Holds for enum values that represent an insecure version of TLS
    */
-  override predicate isSource(DataFlow::Node node) {
+  predicate isSource(DataFlow::Node node) {
     node.asExpr().(MethodLookupExpr).getMember().(EnumElementDecl).getName() =
       ["TLSv10", "TLSv11", "tlsProtocol10", "tlsProtocol11"]
   }
 
   /**
    * Holds for assignment of TLS-related properties of `NSURLSessionConfiguration`
    */
-  override predicate isSink(DataFlow::Node node) {
+  predicate isSink(DataFlow::Node node) {
     exists(AssignExpr assign |
       assign.getSource() = node.asExpr() and
       assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
@@ -45,6 +43,8 @@ class InsecureTlsConfig extends TaintTracking::Configuration {
   }
 }
 
-from InsecureTlsConfig config, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode
-where config.hasFlowPath(sourceNode, sinkNode)
+module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;
+
+from InsecureTlsFlow::PathNode sourceNode, InsecureTlsFlow::PathNode sinkNode
+where InsecureTlsFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode, "This TLS configuration is insecure."