C++: mass enable diff-informed data flow #19663
An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on github#18342 and github/codeql-patch#88
Pull Request Overview
Enables diff-informed data flow analysis by injecting an `observeDiffInformedIncrementalMode` stub into multiple DataFlow and TaintTracking configurations.
- Adds a stub predicate `observeDiffInformedIncrementalMode() { any() }` to enable diff-informed incremental analysis.
- Applies across various security checks (CWE rules) and likely-bugs modules.
- Prepares QL libraries for improved incremental performance on code changes.
Reviewed Changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.
File | Description |
---|---|
cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Security/CWE/CWE-611/XXE.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql | Added stub `observeDiffInformedIncrementalMode` |
cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll | Added stub `observeDiffInformedIncrementalMode` |
Comments suppressed due to low confidence (2)
cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql:34
- [nitpick] Add a brief comment above this predicate explaining its role in enabling diff-informed incremental analysis to help future maintainers understand its purpose.
predicate observeDiffInformedIncrementalMode() { any() }
cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql:34
- No tests were added to verify that diff-informed data flow actually takes effect. Consider adding regression tests for one or two representative modules to validate this new mode behaves as expected.
predicate observeDiffInformedIncrementalMode() { any() }
It turns out that some of the generated changes in the PRs were not correct, e.g. because they should have also generated a |