diff --git a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
index 1d461cca3df2..c2fd279ab437 100644
--- a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -88,6 +88,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
 run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE-088/ArgumentInjectionCritical.ql:29: Column 7 does not select a source or sink originating from the flow call on line 22
+ none()
+ }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
index d8d5f83c867d..b3723e6aff5c 100644
--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -316,6 +316,12 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
 exists(run.getScript().getAFileReadCommand())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql:28: Column 7 does not select a source or sink originating from the flow call on line 21
+ none()
+ }
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
index fac498f72dab..9469397a13ca 100644
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -35,6 +35,13 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 exists(run.getScript().getAFileReadCommand())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE-094/CodeInjectionCritical.ql:36: Column 7 does not select a source or sink originating from the flow call on line 24
+ // ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql:48: Column 7 does not select a source or sink originating from the flow call on line 23
+ none()
+ }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
diff --git a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
index 59d523cd5827..edb7c2efa058 100644
--- a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -16,6 +16,12 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE-078/CommandInjectionCritical.ql:30: Column 7 does not select a source or sink originating from the flow call on line 23
+ none()
+ }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
diff --git a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
index 33efc9b1bc8f..1fe4bbad8794 100644
--- a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -108,6 +108,12 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
 exists(run.getScript().getAFileReadCommand())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE-077/EnvPathInjectionCritical.ql:39: Column 7 does not select a source or sink originating from the flow call on line 23
+ none()
+ }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
index 656ea1207b51..d4542fc01a56 100644
--- a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -163,6 +163,12 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
 exists(run.getScript().getAFileReadCommand())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/src/Security/CWE-077/EnvVarInjectionCritical.ql:48: Column 7 does not select a source or sink originating from the flow call on line 24
+ none()
+ }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
index 1d0de83afa34..485d2762798e 100644
--- a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
 )
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
diff --git a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
index ca0ac267131f..fb89ebdc8baf 100644
--- a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
diff --git a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
index 18a480b1cecc..b3d59210053c 100644
--- a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
 predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
diff --git a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 9668fce2ae00..a665fb50c2d1 100644
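Review bot: `observeDiffInformedIncrementalMode() { any() }` in OutputClobberingConfig is the one change in this hunk that alters analysis behaviour rather than deferring it, and unlike the `none()` siblings it leaves no record of what was verified. In diff-informed incremental mode the flow computation is pruned to paths that touch the diff, so if the consuming query selects something other than the flow's source or sink, the failure mode is alerts silently missing from PR analysis rather than a compile error. The select clause that justifies `any()` lives in a query outside this file, so I would record the check the way the TODO comments elsewhere do, e.g. `// Diff-informed mode verified: the consuming query selects this flow's source and sink.` with the query path named. The same applies to the `any()` added to RequestForgeryConfig and SecretExfiltrationConfig in the following hunks.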
--- a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -70,6 +70,12 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
 exists(run.getScript().getAFileReadCommand())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:238: Flow call outside 'select' clause
+ none()
+ }
 }
 
 module ActionsMutableRefCheckoutFlow = TaintTracking::Global;
@@ -121,6 +127,12 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
 exists(run.getScript().getAFileReadCommand())
 )
 }
+
+ predicate observeDiffInformedIncrementalMode() {
+ // TODO(diff-informed): Manually verify if config can be diff-informed.
+ // ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:273: Flow call outside 'select' clause
+ none()
+ }
 }
 
 module ActionsSHACheckoutFlow = TaintTracking::Global;
diff --git a/actions/ql/src/Models/CompositeActionsSinks.ql b/actions/ql/src/Models/CompositeActionsSinks.ql
index b5ce78fe062a..82f0754f03e2 100644
--- a/actions/ql/src/Models/CompositeActionsSinks.ql
+++ b/actions/ql/src/Models/CompositeActionsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global;
diff --git a/actions/ql/src/Models/CompositeActionsSources.ql b/actions/ql/src/Models/CompositeActionsSources.ql
index 8e4275f27c7d..c9974cd73614 100644
--- a/actions/ql/src/Models/CompositeActionsSources.ql
+++ b/actions/ql/src/Models/CompositeActionsSources.ql
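Review bot: Both new comments in UntrustedCheckoutQuery.qll pin the justification for `none()` to absolute line numbers (`UntrustedCheckoutQuery.qll:238` and `:273`) in the very file the hunk edits, and the second hunk already shifts the file by six lines, so the references go stale as soon as this lands. The reason worth keeping is structural: the flow result is consumed by a predicate in this file rather than directly in a query's `select`, so diff-informed pruning cannot be proven safe and `none()` is the right conservative choice. I would replace the line-number line with `// Flow result is consumed by a predicate in this file, not a query select clause, so diff-informed mode cannot be verified safe.` and keep `none()`. The predicates at those lines are outside the hunk, so whether they re-select the source and sink cannot be confirmed from here.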
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
 isSink(node) and
 set instanceof DataFlow::FieldContent
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global;
diff --git a/actions/ql/src/Models/CompositeActionsSummaries.ql b/actions/ql/src/Models/CompositeActionsSummaries.ql
index 8b8b5af3c459..814498f639e0 100644
--- a/actions/ql/src/Models/CompositeActionsSummaries.ql
+++ b/actions/ql/src/Models/CompositeActionsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSinks.ql b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
index 6da9acda9060..e38b13b34502 100644
--- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSources.ql b/actions/ql/src/Models/ReusableWorkflowsSources.ql
index e5612d063432..a7112bf37584 100644
--- a/actions/ql/src/Models/ReusableWorkflowsSources.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSources.ql
@@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
 isSink(node) and
 set instanceof DataFlow::FieldContent
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global;
diff --git a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
index 444ce028954e..a05bec744f84 100644
--- a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
@@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global;
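Review bot: Enabling diff-informed mode with `any()` on a model-generating query (ReusableWorkflowsSummaries.ql here, and the other five `Models/*.ql` files in this commit) deserves a one-line justification, because these queries emit sink/source/summary models rather than alerts. If they are only ever run against a full database the flag is inert, but if one is run in incremental mode the generated model set would be limited to flows touching the diff and silently omit models for unchanged code, which then weakens every security query that consumes them via `madSink`/`madSource`. A comment such as `// Model generation runs on full databases only; diff-informed mode is a no-op there.` would record the assumption, or `none()` would make the safe choice explicit if that is not guaranteed. Whether these queries are run incrementally is not visible from the diff.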