Swift: mass enable diff-informed data flow

d10c · d10c · commit fd8f671ea7d7 · 2025-06-03T20:29:58.000+02:00
An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on #18343 and github/codeql-patch#88
diff --git a/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll
@@ -25,6 +25,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll
@@ -28,6 +28,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
@@ -23,6 +23,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll b/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll
@@ -38,6 +38,8 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll b/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll
@@ -39,6 +39,8 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll b/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll
@@ -22,6 +22,8 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(EcbEncryptionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll b/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll
@@ -46,6 +46,8 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
@@ -21,6 +21,8 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll b/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll
@@ -34,6 +34,8 @@ module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(InsufficientHashIterationsAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module InsufficientHashIterationsFlow = TaintTracking::Global<InsufficientHashIterationsConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
@@ -23,6 +23,8 @@ module PathInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(PathInjectionAdditionalFlowStep s).step(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll
@@ -22,6 +22,8 @@ module PredicateInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(PredicateInjectionAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll
@@ -23,6 +23,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(SqlInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll b/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll
@@ -40,6 +40,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(StaticInitializationVectorAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll b/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll
@@ -39,6 +39,8 @@ module StringLengthConflationConfig implements DataFlow::StateConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(StringLengthConflationAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
@@ -23,6 +23,8 @@ module TaintedFormatConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UncontrolledFormatStringAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
@@ -22,6 +22,8 @@ module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UnsafeJsEvalAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll
@@ -24,6 +24,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UnsafeUnpackAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
@@ -37,6 +37,8 @@ module WeakPasswordHashingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(WeakPasswordHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WeakPasswordHashingFlow = TaintTracking::Global<WeakPasswordHashingConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
@@ -38,6 +38,8 @@ module WeakSensitiveDataHashingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(WeakSensitiveDataHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WeakSensitiveDataHashingFlow = TaintTracking::Global<WeakSensitiveDataHashingConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/XXEQuery.qll b/swift/ql/lib/codeql/swift/security/XXEQuery.qll
@@ -22,6 +22,8 @@ module XxeConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(XxeAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll
@@ -22,6 +22,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(RegexInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {`
`25`	`25`	`predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`
`26`	`26`	`any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)`
`27`	`27`	`}`
	`28`	`+`
	`29`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {`
`28`	`28`	`// make sources barriers so that we only report the closest instance`
`29`	`29`	`isSource(node)`
`30`	`30`	`}`
	`31`	`+`
	`32`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`31`	`33`	`}`
`32`	`34`
`33`	`35`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`24`	`any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,8 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {`
`38`	`38`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`39`	`39`	`any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`40`	`40`	`}`
	`41`	`+`
	`42`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`41`	`43`	`}`
`42`	`44`
`43`	`45`	`module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {`
`39`	`39`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`40`	`40`	`any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {`
`22`	`22`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`23`	`23`	`any(EcbEncryptionAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {`
`46`	`46`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`47`	`47`	`any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`48`	`48`	`}`
	`49`	`+`
	`50`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {`
`21`	`21`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`22`	`22`	`any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`23`	`23`	`}`
	`24`	`+`
	`25`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,8 @@ module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {`
`34`	`34`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`35`	`35`	`any(InsufficientHashIterationsAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`37`	`39`	`}`
`38`	`40`
`39`	`41`	`module InsufficientHashIterationsFlow = TaintTracking::Global<InsufficientHashIterationsConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module PathInjectionConfig implements DataFlow::ConfigSig {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`24`	`24`	`any(PathInjectionAdditionalFlowStep s).step(node1, node2)`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/**`