From a6c49fde08e549bd7474ce84320e12f062ec87d9 Mon Sep 17 00:00:00 2001 From: Anders Schack-Mulligen Date: Thu, 19 Sep 2024 13:30:17 +0200 Subject: [PATCH] Dataflow: Simplify diff-informed implementation and tweak flag name. --- .../cpp/dataflow/internal/DataFlowImpl1.qll | 8 +- .../cpp/dataflow/internal/DataFlowImpl2.qll | 8 +- .../cpp/dataflow/internal/DataFlowImpl3.qll | 8 +- .../cpp/dataflow/internal/DataFlowImpl4.qll | 8 +- .../dataflow/internal/DataFlowImplLocal.qll | 8 +- .../ir/dataflow/internal/DataFlowImpl1.qll | 8 +- .../ir/dataflow/internal/DataFlowImpl2.qll | 8 +- .../ir/dataflow/internal/DataFlowImpl3.qll | 8 +- .../ir/dataflow/internal/DataFlowImpl4.qll | 8 +- .../dataflow/internal/DataFlowImpl1.qll | 8 +- .../dataflow/internal/DataFlowImpl2.qll | 8 +- .../dataflow/internal/DataFlowImpl3.qll | 8 +- .../dataflow/internal/DataFlowImpl4.qll | 8 +- .../dataflow/internal/DataFlowImpl5.qll | 8 +- .../go/dataflow/internal/DataFlowImpl1.qll | 8 +- .../go/dataflow/internal/DataFlowImpl2.qll | 8 +- .../java/dataflow/internal/DataFlowImpl1.qll | 8 +- .../java/dataflow/internal/DataFlowImpl2.qll | 8 +- .../java/dataflow/internal/DataFlowImpl3.qll | 8 +- .../java/dataflow/internal/DataFlowImpl4.qll | 8 +- .../java/dataflow/internal/DataFlowImpl5.qll | 8 +- .../java/dataflow/internal/DataFlowImpl6.qll | 8 +- .../AndroidIntentRedirectionQuery.qll | 2 +- .../ExternallyControlledFormatStringQuery.qll | 2 +- .../java/security/FragmentInjectionQuery.qll | 2 +- .../java/security/GroovyInjectionQuery.qll | 2 +- .../security/ImplicitPendingIntentsQuery.qll | 2 +- .../security/InsecureBeanValidationQuery.qll | 2 +- .../java/security/InsecureLdapAuthQuery.qll | 2 +- .../java/security/InsecureRandomnessQuery.qll | 2 +- .../security/InsufficientKeySizeQuery.qll | 2 +- .../IntentUriPermissionManipulationQuery.qll | 2 +- .../code/java/security/JexlInjectionQuery.qll | 2 +- .../code/java/security/JndiInjectionQuery.qll | 2 +- .../code/java/security/LdapInjectionQuery.qll | 2 +- .../MissingJWTSignatureCheckQuery.qll | 2 +- .../code/java/security/MvelInjectionQuery.qll | 2 +- .../java/security/NumericCastTaintedQuery.qll | 2 +- .../code/java/security/OgnlInjectionQuery.qll | 2 +- .../security/PartialPathTraversalQuery.qll | 2 +- .../java/security/RequestForgeryConfig.qll | 2 +- .../java/security/ResponseSplittingQuery.qll | 2 +- .../java/security/RsaWithoutOaepQuery.qll | 2 +- .../code/java/security/SpelInjectionQuery.qll | 2 +- .../StaticInitializationVectorQuery.qll | 2 +- .../code/java/security/TaintedPathQuery.qll | 2 +- .../java/security/TemplateInjectionQuery.qll | 2 +- .../UnsafeContentUriResolutionQuery.qll | 2 +- .../security/UnsafeDeserializationQuery.qll | 2 +- .../code/java/security/UrlForwardQuery.qll | 2 +- .../code/java/security/UrlRedirectQuery.qll | 2 +- .../security/WebviewDebuggingEnabledQuery.qll | 2 +- .../java/security/XPathInjectionQuery.qll | 2 +- .../code/java/security/XsltInjectionQuery.qll | 2 +- .../semmle/code/java/security/XssQuery.qll | 2 +- .../code/java/security/XxeRemoteQuery.qll | 2 +- .../code/java/security/ZipSlipQuery.qll | 2 +- .../security/regexp/RegexInjectionQuery.qll | 2 +- .../dataflow/new/internal/DataFlowImpl1.qll | 8 +- .../dataflow/new/internal/DataFlowImpl2.qll | 8 +- .../dataflow/new/internal/DataFlowImpl3.qll | 8 +- .../dataflow/new/internal/DataFlowImpl4.qll | 8 +- .../ruby/dataflow/internal/DataFlowImpl1.qll | 8 +- .../ruby/dataflow/internal/DataFlowImpl2.qll | 8 +- shared/dataflow/codeql/dataflow/DataFlow.qll | 22 +- .../codeql/dataflow/TaintTracking.qll | 6 +- .../codeql/dataflow/internal/DataFlowImpl.qll | 244 +++++++----------- .../swift/dataflow/internal/DataFlowImpl1.qll | 8 +- 68 files changed, 175 insertions(+), 401 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll index 0b0d557656ca3..0a4c3d566ef00 100644 --- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll @@ -19,7 +19,7 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig { any(IntentRedirectionAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks the flow of tainted Intents being used to start Android components. */ diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll index cb8feb6879e20..4cf82284dc8c9 100644 --- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll @@ -24,7 +24,7 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig { node.getType() instanceof NumericType or node.getType() instanceof BooleanType } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll index aae00cddaea0d..386f9ead4bc09 100644 --- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll @@ -18,7 +18,7 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig { any(FragmentInjectionAdditionalTaintStep c).step(n1, n2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll index b45b7b8f1ad9e..c1b757c0cc07b 100644 --- a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll @@ -18,7 +18,7 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig { any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll index 1433270c0efde..fb38b9a9ca617 100644 --- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll @@ -49,7 +49,7 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig { c instanceof DataFlow::ArrayContent } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } module ImplicitPendingIntentStartFlow = diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll index b93557c231966..42e0f9e610aae 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll @@ -50,7 +50,7 @@ module BeanValidationConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow from user input to the argument of a method that builds constraint error messages. */ diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll index 25011487f065e..1911260fc7840 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll @@ -23,7 +23,7 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig { ) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } module InsecureLdapUrlFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll index 6b495d9035f61..507f2b619de2d 100644 --- a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll @@ -97,7 +97,7 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig { ) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll index 2845df9c28c1b..4acdccc9dc2ff 100644 --- a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll +++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll @@ -17,7 +17,7 @@ module KeySizeConfig implements DataFlow::StateConfigSig { sink.(InsufficientKeySizeSink).hasState(state) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks key sizes used in cryptographic algorithms. */ diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll index 9ceaf347116fd..51c1ba835d067 100644 --- a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll @@ -24,7 +24,7 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig { any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll index f84e18cffd1f1..5769345b90a77 100644 --- a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll @@ -52,7 +52,7 @@ module JexlInjectionConfig implements DataFlow::ConfigSig { any(JexlInjectionAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll index e9adaa36095fa..c62b5bb1e38fc 100644 --- a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll @@ -24,7 +24,7 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig { any(JndiInjectionAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow of unvalidated user input that is used in JNDI lookup */ diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll index 7a1ab3afb49c4..4e8b71942e354 100644 --- a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll @@ -18,7 +18,7 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig { any(LdapInjectionAdditionalTaintStep a).step(pred, succ) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow from remote sources to LDAP injection vulnerabilities. */ diff --git a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll index 8e4b9d9f47bea..8d1c9648b8773 100644 --- a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll @@ -17,7 +17,7 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig { any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } module MissingJwtSignatureCheckFlow = DataFlow::Global; diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll index 84d69b98fa674..8435604a36acf 100644 --- a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll @@ -20,7 +20,7 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig { any(MvelInjectionAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */ diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll index 21f6767c8a162..499cbd1c87993 100644 --- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll +++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll @@ -103,7 +103,7 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig { predicate isBarrierIn(DataFlow::Node node) { isSource(node) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll index f80b1589a1e9e..aafb8a1b49cdb 100644 --- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll @@ -19,7 +19,7 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig { any(OgnlInjectionAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */ diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll index 0aed8382bb82e..6d931366cf9d7 100644 --- a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll +++ b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll @@ -18,7 +18,7 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig { any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr() } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */ diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll index ac6a9f42ce18d..7d343a3f2623e 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll @@ -29,7 +29,7 @@ module RequestForgeryConfig implements DataFlow::ConfigSig { predicate isBarrierIn(DataFlow::Node node) { isSource(node) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } module RequestForgeryFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll index e5da757ccc725..dbf8a2f3dbb21 100644 --- a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll @@ -32,7 +32,7 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig { ) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll index f16c3ebf00411..7351a70937ac7 100644 --- a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll +++ b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll @@ -21,7 +21,7 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig { exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec()) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Flow for finding RSA ciphers initialized without using OAEP padding. */ diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll index eca7c0aa90677..9c320e0451748 100644 --- a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll @@ -19,7 +19,7 @@ module SpelInjectionConfig implements DataFlow::ConfigSig { any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */ diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll index 444f79c6db116..5cab0c2910c86 100644 --- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll +++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll @@ -127,7 +127,7 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks the flow from a static initialization vector to the initialization of a cipher */ diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll index 663985327b5c6..9c63a8ad1f7e2 100644 --- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll @@ -73,7 +73,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig { any(TaintedPathAdditionalTaintStep s).step(n1, n2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow from remote sources to the creation of a path. */ diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll index 1ca6fd8bbfdfc..7a5b9cc0763a0 100644 --- a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll @@ -17,7 +17,7 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig { any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks server-side template injection (SST) vulnerabilities */ diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll index 44cccba4f2644..e05d9cd918713 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll @@ -21,7 +21,7 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig { any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */ diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll index 2420efc2430ce..c5581918d09a2 100644 --- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll @@ -326,7 +326,7 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } module UnsafeDeserializationFlow = TaintTracking::Global; diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll index 021ca9df17238..374697bcf7e6c 100644 --- a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll @@ -196,7 +196,7 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig { DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll index ba0b91433b23c..20eca57f24a18 100644 --- a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll +++ b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll @@ -14,7 +14,7 @@ module UrlRedirectConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll index c57b0013224ba..ec0c09ebc1138 100644 --- a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll +++ b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll @@ -45,7 +45,7 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig { node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll index d716e670c97b2..181521ad2e4c6 100644 --- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll @@ -13,7 +13,7 @@ module XPathInjectionConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll index 04e63acc718e1..b5570afc3b84e 100644 --- a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll @@ -21,7 +21,7 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig { any(XsltInjectionAdditionalTaintStep c).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll index d754ecb4cb965..82a0bf9513298 100644 --- a/java/ql/lib/semmle/code/java/security/XssQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XssQuery.qll @@ -21,7 +21,7 @@ module XssConfig implements DataFlow::ConfigSig { any(XssAdditionalTaintStep s).step(node1, node2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow from remote sources to cross site scripting vulnerabilities. */ diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll index 4d52b8965524f..898daec3a7d91 100644 --- a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll +++ b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll @@ -19,7 +19,7 @@ module XxeConfig implements DataFlow::ConfigSig { any(XxeAdditionalTaintStep s).step(n1, n2) } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll index 0a57edbe5821c..79ce873c16a54 100644 --- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll +++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll @@ -44,7 +44,7 @@ module ZipSlipConfig implements DataFlow::ConfigSig { node instanceof PathInjectionSanitizer } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** Tracks flow from archive entries to file creation. */ diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll index 1694679246821..1714b59b07372 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll @@ -15,7 +15,7 @@ module RegexInjectionConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer } - predicate filterForSourceOrSinkAlerts() { any() } + predicate diffInformedIncrementalMode() { any() } } /** diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll index a9ff849d3cc31..c38e173fdf7f0 100644 --- a/shared/dataflow/codeql/dataflow/DataFlow.qll +++ b/shared/dataflow/codeql/dataflow/DataFlow.qll @@ -433,10 +433,14 @@ module Configs Lang> { default predicate includeHiddenNodes() { none() } /** - * Holds to filter out data flows whose source and sink are both not in the - * `AlertFiltering` location range. + * Holds if sources and sinks should be filtered to only include those that + * may lead to a flow path with either a source or a sink in the location + * range given by `AlertFiltering`. + * + * This flag should only be applied to flow configurations whose results + * are used directly in a query result. */ - default predicate filterForSourceOrSinkAlerts() { none() } + default predicate diffInformedIncrementalMode() { none() } } /** An input configuration for data flow using flow state. */ @@ -555,10 +559,14 @@ module Configs Lang> { default predicate includeHiddenNodes() { none() } /** - * Holds to filter out data flows whose source and sink are both not in the - * `AlertFiltering` location range. + * Holds if sources and sinks should be filtered to only include those that + * may lead to a flow path with either a source or a sink in the location + * range given by `AlertFiltering`. + * + * This flag should only be applied to flow configurations whose results + * are used directly in a query result. */ - default predicate filterForSourceOrSinkAlerts() { none() } + default predicate diffInformedIncrementalMode() { none() } } } @@ -637,7 +645,6 @@ module DataFlowMake Lang> { module Global implements GlobalFlowSig { private module C implements FullStateConfigSig { import DefaultState - import FilteredSourceSink import Config predicate accessPathLimit = Config::accessPathLimit/0; @@ -660,7 +667,6 @@ module DataFlowMake Lang> { */ module GlobalWithState implements GlobalFlowSig { private module C implements FullStateConfigSig { - import FilteredStateSourceSink import Config predicate accessPathLimit = Config::accessPathLimit/0; diff --git a/shared/dataflow/codeql/dataflow/TaintTracking.qll b/shared/dataflow/codeql/dataflow/TaintTracking.qll index 3e4de6c6218c1..343f8be041f51 100644 --- a/shared/dataflow/codeql/dataflow/TaintTracking.qll +++ b/shared/dataflow/codeql/dataflow/TaintTracking.qll @@ -60,8 +60,8 @@ module TaintFlowMake< Config::allowImplicitRead(node, c) or ( - Config::isFilteredSink(node) or - Config::isFilteredSink(node, _) or + Config::isSink(node) or + Config::isSink(node, _) or Config::isAdditionalFlowStep(node, _, _) or Config::isAdditionalFlowStep(node, _, _, _) ) and @@ -75,7 +75,6 @@ module TaintFlowMake< module Global implements DataFlow::GlobalFlowSig { private module Config0 implements DataFlowInternal::FullStateConfigSig { import DataFlowInternal::DefaultState - import DataFlowInternal::FilteredSourceSink import Config predicate isAdditionalFlowStep( @@ -102,7 +101,6 @@ module TaintFlowMake< */ module GlobalWithState implements DataFlow::GlobalFlowSig { private module Config0 implements DataFlowInternal::FullStateConfigSig { - import DataFlowInternal::FilteredStateSourceSink import Config predicate isAdditionalFlowStep( diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index c4da42ebf973d..3074953c4afbd 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -126,28 +126,14 @@ module MakeImpl Lang> { predicate includeHiddenNodes(); /** - * Holds to filter out data flows whose source and sink are both not in the - * `AlertFiltering` location range. - */ - predicate filterForSourceOrSinkAlerts(); - - /** - * Holds if `source` is a relevant data flow source with the given initial - * `state` and passes filtering per `filterForSourceOrSinkAlerts`. - */ - predicate isFilteredSource(Node source, FlowState state); - - /** - * Holds if `sink` is a relevant data flow sink accepting `state` and passes - * filtering per `filterForSourceOrSinkAlerts`. - */ - predicate isFilteredSink(Node sink, FlowState state); - - /** - * Holds if `sink` is a relevant data flow sink for any state and passes - * filtering per `filterForSourceOrSinkAlerts`. + * Holds if sources and sinks should be filtered to only include those that + * may lead to a flow path with either a source or a sink in the location + * range given by `AlertFiltering`. + * + * This flag should only be applied to flow configurations whose results + * are used directly in a query result. */ - predicate isFilteredSink(Node sink); + predicate diffInformedIncrementalMode(); } /** @@ -171,112 +157,6 @@ module MakeImpl Lang> { } } - /** - * Provide `isFilteredSource` and `isFilteredSink` implementations given a `ConfigSig`. - */ - module FilteredSourceSink { - private import codeql.util.AlertFiltering - - private module AlertFiltering = AlertFilteringImpl; - - private class FlowState = Unit; - - pragma[noinline] - private predicate hasFilteredSource() { - exists(Node n | Config::isSource(n) | AlertFiltering::filterByLocation(n.getLocation())) - } - - pragma[noinline] - private predicate hasFilteredSink() { - exists(Node n | Config::isSink(n) | AlertFiltering::filterByLocation(n.getLocation())) - } - - predicate isFilteredSource(Node source, FlowState state) { - Config::isSource(source) and - exists(state) and - ( - not Config::filterForSourceOrSinkAlerts() or - // If there are filtered sinks, we need to pass through all sources to preserve all alerts - // with filtered sinks. Otherwise the only alerts of interest are those with filtered - // sources, so we can perform the source filtering right here. - hasFilteredSink() or - AlertFiltering::filterByLocation(source.getLocation()) - ) - } - - predicate isFilteredSink(Node sink, FlowState state) { isFilteredSink(sink) and exists(state) } - - predicate isFilteredSink(Node sink) { - Config::isSink(sink) and - ( - // If there are filtered sources, we need to pass through all sinks to preserve all alerts - // with filtered sources. Otherwise the only alerts of interest are those with filtered - // sinks, so we can perform the sink filtering right here. - hasFilteredSource() or - AlertFiltering::filterByLocation(sink.getLocation()) - ) - } - } - - /** - * Provide `isFilteredSource` and `isFilteredSink` implementations given a `StateConfigSig`. - */ - module FilteredStateSourceSink { - private import codeql.util.AlertFiltering - - private module AlertFiltering = AlertFilteringImpl; - - private class FlowState = Config::FlowState; - - pragma[noinline] - private predicate hasFilteredSource() { - exists(Node n | Config::isSource(n, _) | AlertFiltering::filterByLocation(n.getLocation())) - } - - pragma[noinline] - private predicate hasFilteredSink() { - exists(Node n | - Config::isSink(n, _) or - Config::isSink(n) - | - AlertFiltering::filterByLocation(n.getLocation()) - ) - } - - predicate isFilteredSource(Node source, FlowState state) { - Config::isSource(source, state) and - ( - // If there are filtered sinks, we need to pass through all sources to preserve all alerts - // with filtered sinks. Otherwise the only alerts of interest are those with filtered - // sources, so we can perform the source filtering right here. - hasFilteredSink() or - AlertFiltering::filterByLocation(source.getLocation()) - ) - } - - predicate isFilteredSink(Node sink, FlowState state) { - Config::isSink(sink, state) and - ( - // If there are filtered sources, we need to pass through all sinks to preserve all alerts - // with filtered sources. Otherwise the only alerts of interest are those with filtered - // sinks, so we can perform the sink filtering right here. - hasFilteredSource() or - AlertFiltering::filterByLocation(sink.getLocation()) - ) - } - - predicate isFilteredSink(Node sink) { - Config::isSink(sink) and - ( - // If there are filtered sources, we need to pass through all sinks to preserve all alerts - // with filtered sources. Otherwise the only alerts of interest are those with filtered - // sinks, so we can perform the sink filtering right here. - hasFilteredSource() or - AlertFiltering::filterByLocation(sink.getLocation()) - ) - } - } - /** * Constructs a data flow computation given a full input configuration. */ @@ -376,11 +256,75 @@ module MakeImpl Lang> { ReturnKindExt getKind() { result = pos.getKind() } } + private module SourceSinkFiltering { + private import codeql.util.AlertFiltering + + private module AlertFiltering = AlertFilteringImpl; + + pragma[nomagic] + private predicate isFilteredSource(Node source) { + Config::isSource(source, _) and + if Config::diffInformedIncrementalMode() + then AlertFiltering::filterByLocation(source.getLocation()) + else any() + } + + pragma[nomagic] + private predicate isFilteredSink(Node sink) { + ( + Config::isSink(sink, _) or + Config::isSink(sink) + ) and + if Config::diffInformedIncrementalMode() + then AlertFiltering::filterByLocation(sink.getLocation()) + else any() + } + + private predicate hasFilteredSource() { isFilteredSource(_) } + + private predicate hasFilteredSink() { isFilteredSink(_) } + + predicate isRelevantSource(Node source, FlowState state) { + // If there are filtered sinks, we need to pass through all sources to preserve all alerts + // with filtered sinks. Otherwise the only alerts of interest are those with filtered + // sources, so we can perform the source filtering right here. + Config::isSource(source, state) and + ( + isFilteredSource(source) or + hasFilteredSink() + ) + } + + predicate isRelevantSink(Node sink, FlowState state) { + // If there are filtered sources, we need to pass through all sinks to preserve all alerts + // with filtered sources. Otherwise the only alerts of interest are those with filtered + // sinks, so we can perform the sink filtering right here. + Config::isSink(sink, state) and + ( + isFilteredSink(sink) or + hasFilteredSource() + ) + } + + predicate isRelevantSink(Node sink) { + // If there are filtered sources, we need to pass through all sinks to preserve all alerts + // with filtered sources. Otherwise the only alerts of interest are those with filtered + // sinks, so we can perform the sink filtering right here. + Config::isSink(sink) and + ( + isFilteredSink(sink) or + hasFilteredSource() + ) + } + } + + private import SourceSinkFiltering + private predicate inBarrier(NodeEx node) { exists(Node n | node.asNode() = n and Config::isBarrierIn(n) and - Config::isFilteredSource(n, _) + isRelevantSource(n, _) ) } @@ -389,7 +333,7 @@ module MakeImpl Lang> { exists(Node n | node.asNode() = n and Config::isBarrierIn(n, state) and - Config::isFilteredSource(n, state) + isRelevantSource(n, state) ) } @@ -398,9 +342,9 @@ module MakeImpl Lang> { node.asNodeOrImplicitRead() = n and Config::isBarrierOut(n) | - Config::isFilteredSink(n, _) + isRelevantSink(n, _) or - Config::isFilteredSink(n) + isRelevantSink(n) ) } @@ -410,9 +354,9 @@ module MakeImpl Lang> { node.asNodeOrImplicitRead() = n and Config::isBarrierOut(n, state) | - Config::isFilteredSink(n, state) + isRelevantSink(n, state) or - Config::isFilteredSink(n) + isRelevantSink(n) ) } @@ -422,11 +366,11 @@ module MakeImpl Lang> { Config::isBarrier(n) or Config::isBarrierIn(n) and - not Config::isFilteredSource(n, _) + not isRelevantSource(n, _) or Config::isBarrierOut(n) and - not Config::isFilteredSink(n, _) and - not Config::isFilteredSink(n) + not isRelevantSink(n, _) and + not isRelevantSink(n) ) } @@ -436,24 +380,24 @@ module MakeImpl Lang> { Config::isBarrier(n, state) or Config::isBarrierIn(n, state) and - not Config::isFilteredSource(n, state) + not isRelevantSource(n, state) or Config::isBarrierOut(n, state) and - not Config::isFilteredSink(n, state) and - not Config::isFilteredSink(n) + not isRelevantSink(n, state) and + not isRelevantSink(n) ) } pragma[nomagic] private predicate sourceNode(NodeEx node, FlowState state) { - Config::isFilteredSource(node.asNode(), state) and + isRelevantSource(node.asNode(), state) and not fullBarrier(node) and not stateBarrier(node, state) } pragma[nomagic] private predicate sinkNodeWithState(NodeEx node, FlowState state) { - Config::isFilteredSink(node.asNodeOrImplicitRead(), state) and + isRelevantSink(node.asNodeOrImplicitRead(), state) and not fullBarrier(node) and not stateBarrier(node, state) } @@ -859,7 +803,7 @@ module MakeImpl Lang> { additional predicate sinkNode(NodeEx node, FlowState state) { fwdFlow(node) and fwdFlowState(state) and - Config::isFilteredSink(node.asNodeOrImplicitRead()) + isRelevantSink(node.asNodeOrImplicitRead()) or fwdFlow(node) and fwdFlowState(state) and @@ -3076,7 +3020,7 @@ module MakeImpl Lang> { NodeEx toNormalSinkNodeEx() { exists(Node n | pragma[only_bind_out](node.asNodeOrImplicitRead()) = n and - (Config::isFilteredSink(n) or Config::isFilteredSink(n, _)) and + (isRelevantSink(n) or isRelevantSink(n, _)) and result.asNode() = n ) } @@ -4922,15 +4866,15 @@ module MakeImpl Lang> { } private predicate interestingCallableSrc(DataFlowCallable c) { - exists(Node n | Config::isFilteredSource(n, _) and c = getNodeEnclosingCallable(n)) + exists(Node n | isRelevantSource(n, _) and c = getNodeEnclosingCallable(n)) or exists(DataFlowCallable mid | interestingCallableSrc(mid) and callableStep(mid, c)) } private predicate interestingCallableSink(DataFlowCallable c) { exists(Node n | c = getNodeEnclosingCallable(n) | - Config::isFilteredSink(n, _) or - Config::isFilteredSink(n) + isRelevantSink(n, _) or + isRelevantSink(n) ) or exists(DataFlowCallable mid | interestingCallableSink(mid) and callableStep(c, mid)) @@ -4957,7 +4901,7 @@ module MakeImpl Lang> { or exists(Node n | ce1 = TCallableSrc() and - Config::isFilteredSource(n, _) and + isRelevantSource(n, _) and ce2 = TCallable(getNodeEnclosingCallable(n)) ) or @@ -4965,8 +4909,8 @@ module MakeImpl Lang> { ce2 = TCallableSink() and ce1 = TCallable(getNodeEnclosingCallable(n)) | - Config::isFilteredSink(n, _) or - Config::isFilteredSink(n) + isRelevantSink(n, _) or + isRelevantSink(n) ) } @@ -5030,7 +4974,7 @@ module MakeImpl Lang> { private predicate revSinkNode(NodeEx node, FlowState state) { sinkNodeWithState(node, state) or - Config::isFilteredSink(node.asNodeOrImplicitRead()) and + isRelevantSink(node.asNodeOrImplicitRead()) and relevantState(state) and not fullBarrier(node) and not stateBarrier(node, state) diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll index 1db3402b74695..f84f33dc5dc86 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll @@ -284,13 +284,7 @@ deprecated private module Config implements FullStateConfigSig { predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() } - predicate filterForSourceOrSinkAlerts() { none() } - - predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) } - - predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) } - - predicate isFilteredSink(Node sink) { isSink(sink) } + predicate diffInformedIncrementalMode() { none() } } deprecated private import Impl as I