Ruby: rerun patch query after bugfix

Author: asgerf

ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll

@@ -18,7 +18,11 @@ private module Config implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/cwe-807/ConditionalBypass.ql:78: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll

@@ -21,7 +21,11 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-829/InsecureDownload.ql:20: Column 5 selects sink.getDownloadCall
+    none()
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll

@@ -25,7 +25,11 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-094/UnsafeCodeConstruction.ql:25: Column 7 selects sink.getCodeSink
+    none()
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll

@@ -22,7 +22,11 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql:24: Column 7 selects sink.getXssSink
+    none()
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll

@@ -27,7 +27,12 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.ql:26: Column 1 selects sink.getStringConstruction
+    // ql/src/queries/security/cwe-078/UnsafeShellCommandConstruction.ql:28: Column 7 selects sink.getCommandExecution
+    none()
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll

@@ -29,7 +29,11 @@ module NormalHashFunction {
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-    predicate observeDiffInformedIncrementalMode() { any() }
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:83: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -57,7 +61,11 @@ module ComputationallyExpensiveHashFunction {
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-    predicate observeDiffInformedIncrementalMode() { any() }
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll:90: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */

ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll

@@ -18,7 +18,12 @@ private module MissingFullAnchorConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-020/MissingFullAnchor.ql:20: Column 7 selects sink.getCallNode
+    // ql/src/queries/security/cwe-020/MissingFullAnchor.ql:20: Column 9 selects sink.getRegex
+    none()
+  }
 }
 
 /**

ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll

@@ -19,7 +19,12 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-1333/PolynomialReDoS.ql:27: Column 1 selects sink.getHighlight
+    // ql/src/queries/security/cwe-1333/PolynomialReDoS.ql:29: Column 5 selects sink.getRegExp
+    none()
+  }
 }
 
 /**

ruby/ql/src/experimental/decompression-api/DecompressionApi.ql

@@ -40,7 +40,11 @@ private module DecompressionApiConfig implements DataFlow::ConfigSig {
   // our Decompression APIs defined above will be the sinks we use for this query
   predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionApiUse }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/decompression-api/DecompressionApi.ql:54: Column 5 selects sink.getCall
+    none()
+  }
 }
 
 private module DecompressionApiFlow = TaintTracking::Global<DecompressionApiConfig>;

ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql

@@ -55,7 +55,11 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
     exists(FileSystemPermissionModification mod | mod.getAPermissionNode() = sink)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-732/WeakFilePermissions.ql:71: Column 5 does not select a source or sink originating from the flow call on line 69
+    none()
+  }
 }
 
 private module PermissivePermissionsFlow = DataFlow::Global<PermissivePermissionsConfig>;