Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

C#: mass enable diff-informed data flow#19661

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Draft
d10c wants to merge2 commits intogithub:main
base:main
Choose a base branch
Loading
fromd10c:d10c/csharp/diff-informed

Conversation

d10c
Copy link
Contributor

@d10cd10c commentedJun 3, 2025

An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on#18344 andhttps://github.com/github/codeql-patch/pull/88

An auto-generated patch that enables diff-informed data flow in the obvious cases.Builds ongithub#18344 andgithub/codeql-patch#88
@github-actionsgithub-actionsbot added the C# labelJun 3, 2025
@d10cd10c marked this pull request as ready for reviewJune 4, 2025 11:32
@CopilotCopilotAI review requested due to automatic review settingsJune 4, 2025 11:32
@d10cd10c requested a review froma team as acode ownerJune 4, 2025 11:32
Copy link
Contributor

@CopilotCopilotAI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Pull Request Overview

This PR auto-generates patches to enable diff-informed data flow by adding a defaultobserveDiffInformedIncrementalMode predicate in numerous data-flow configuration modules.

  • Addedpredicate observeDiffInformedIncrementalMode() { any() } to all relevantDataFlow::ConfigSig modules.
  • Covers security, cryptography, and likely-bug query modules for incremental diff analysis.

Reviewed Changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 1 comment.

Show a summary per file
FileDescription
csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.qlAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/src/Security Features/CWE-091/XMLInjection.qlAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.qlAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qllAddedobserveDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qllAddedobserveDiffInformedIncrementalMode predicate
Comments suppressed due to low confidence (2)

csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql:45

  • [nitpick] Add a brief comment above this predicate to explain its role in diff-informed incremental analysis, improving clarity for future maintainers.
predicate observeDiffInformedIncrementalMode() { any() }

csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql:45

  • There are no existing tests exercising the incremental diff mode; consider adding test cases to validate behavior when this predicate is active.
predicate observeDiffInformedIncrementalMode() { any() }

@d10cd10c marked this pull request as draftJune 5, 2025 15:59
@d10c
Copy link
ContributorAuthor

d10c commentedJun 5, 2025

It turns out that some of the generated changes in the PRs were not correct, e.g. because they should have also generated agetASelected{Source,Sink}Location() override but didn't (see Chuan-kai's comment here). So for now I'm putting them back in Draft until I make sure (via the patch script) that we are correctly handling all 3documented query patterns, starting with the simplest one (both source and sink are used as location sources). If you have already started reviewing the PRs, thank you (also for your patience) and stay tuned for an update as to what has changed in the meantime!

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

Copilot code reviewCopilotCopilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

1 participant
@d10c
[8]ページ先頭
©2009-2025 Movatter.jp