diff --git a/actions/ql/lib/change-notes/2025-06-04-diff-informed.md b/actions/ql/lib/change-notes/2025-06-04-diff-informed.md new file mode 100644 index 000000000000..dea4253df2d7 --- /dev/null +++ b/actions/ql/lib/change-notes/2025-06-04-diff-informed.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* A number of built-in Actions queries can now run in diff-informed mode. diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll index 1d0de83afa34..485d2762798e 100644 --- a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll +++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll @@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig { ) ) } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */ diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll index ca0ac267131f..fb89ebdc8baf 100644 --- a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll +++ b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll @@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */ diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll index 18a480b1cecc..b3d59210053c 100644 --- a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll +++ b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll @@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink } + + predicate observeDiffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */ diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql index b5ce78fe062a..82f0754f03e2 100644 --- a/actions/ql/src/Models/CompositeActionsSinks.ql +++ b/actions/ql/src/Models/CompositeActionsSinks.ql @@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") } + + predicate observeDiffInformedIncrementalMode() { any() } } module MyFlow = TaintTracking::Global; diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql index 8e4275f27c7d..c9974cd73614 100644 --- a/actions/ql/src/Models/CompositeActionsSources.ql +++ b/actions/ql/src/Models/CompositeActionsSources.ql @@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig { isSink(node) and set instanceof DataFlow::FieldContent } + + predicate observeDiffInformedIncrementalMode() { any() } } module MyFlow = TaintTracking::Global; diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql index 8b8b5af3c459..814498f639e0 100644 --- a/actions/ql/src/Models/CompositeActionsSummaries.ql +++ b/actions/ql/src/Models/CompositeActionsSummaries.ql @@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { any() } } module MyFlow = TaintTracking::Global; diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql index 05334a533ddf..8d02debbdb4a 100644 --- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql +++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql @@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink and not madSink(sink, "code-injection") } + + predicate observeDiffInformedIncrementalMode() { any() } } module MyFlow = TaintTracking::Global; diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql index e5612d063432..a7112bf37584 100644 --- a/actions/ql/src/Models/ReusableWorkflowsSources.ql +++ b/actions/ql/src/Models/ReusableWorkflowsSources.ql @@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig { isSink(node) and set instanceof DataFlow::FieldContent } + + predicate observeDiffInformedIncrementalMode() { any() } } module MyFlow = TaintTracking::Global; diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql index 444ce028954e..a05bec744f84 100644 --- a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql +++ b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql @@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr()) } + + predicate observeDiffInformedIncrementalMode() { any() } } module MyFlow = TaintTracking::Global;