Java: mass enable diff-informed data flow + none() overrides#19795
Merged
d10c merged 1 commit intogithub:mainfrom Jun 19, 2025
Merged
Java: mass enable diff-informed data flow + none() overrides#19795d10c merged 1 commit intogithub:mainfrom
none() overrides#19795d10c merged 1 commit intogithub:mainfrom
Conversation
An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on github#18346 and github/codeql-patch#88
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR auto-enables diff-informed data flow for several Java security queries by adding the required overrides in their DataFlow configurations.
- Adds
observeDiffInformedIncrementalMode()override returningany()in eight config modules. - Adds
getASelectedSourceLocation()override returningnone()in the APK installation config. - Covers queries that were omitted in the previous diff-informed enablement pass.
Reviewed Changes
Copilot reviewed 8 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| UnsafeAndroidAccessQuery.qll | Added observeDiffInformedIncrementalMode() override |
| SensitiveUiQuery.qll | Added observeDiffInformedIncrementalMode() override |
| InsecureBasicAuthQuery.qll | Added observeDiffInformedIncrementalMode() override |
| HttpsUrlsQuery.qll | Added observeDiffInformedIncrementalMode() override |
| HardcodedCredentialsSourceCallQuery.qll | Added observeDiffInformedIncrementalMode() override |
| HardcodedCredentialsApiCallQuery.qll | Added observeDiffInformedIncrementalMode() override |
| ArbitraryApkInstallationQuery.qll | Added observeDiffInformedIncrementalMode() and getASelectedSourceLocation() overrides |
| TextFieldTrackingConfig in SensitiveUiQuery.qll (module excerpt) | Added observeDiffInformedIncrementalMode() override |
Comments suppressed due to low confidence (2)
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll:29
- [nitpick] If only
getASelectedSourceLocationis overridden, add a comment explaining whygetASelectedSinkLocationisn’t needed, to clarify intent for future readers.
Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll:27
- Consider adding or updating tests to verify that the query behaves correctly under diff-informed incremental mode, ensuring no regressions are introduced.
predicate observeDiffInformedIncrementalMode() { any() }
|
|
||
| predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof RequestForgerySanitizer } | ||
|
|
||
| predicate observeDiffInformedIncrementalMode() { any() } |
There was a problem hiding this comment.
This observeDiffInformedIncrementalMode() override is duplicated across many config modules. Consider providing a default implementation in DataFlow::ConfigSig to reduce boilerplate.
| any(HttpUrlsAdditionalTaintStep c).step(node1, node2) | ||
| } | ||
|
|
||
| predicate observeDiffInformedIncrementalMode() { any() } |
There was a problem hiding this comment.
[nitpick] For consistency with surrounding modules, ensure there’s a blank line after this predicate and before the closing brace, matching the established file style.
Suggested change
| predicate observeDiffInformedIncrementalMode() { any() } | |
| predicate observeDiffInformedIncrementalMode() { any() } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
An auto-generated patch that enables diff-informed data flow in the obvious cases.
observeDiffInformedIncrementalMode() { any() }override to queries that don't select a location other than a dataflow source or sink.getASelected{Source,Sink}Location() { none() }override to queries that select a dataflow source or sink as a location, but not both.Java has previously had a round of diff-informed query enablements, but it seems some queries were missed in the first round.