diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
index cb16f59a1e99..078b1466ffed 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll
@@ -26,7 +26,11 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql:27: Column 5 selects sink.getInitialization
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
index 95072467af6e..0d4a00d5664c 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll
@@ -32,7 +32,11 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
     isAdditionalRequestForgeryStep(node1, node2)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-918/ClientSideRequestForgery.ql:24: Column 1 selects sink.getARequest
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
index d54c8baee1b3..875222987fff 100644
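Review bot: Switching `observeDiffInformedIncrementalMode()` to `none()` is the conservative choice, but the added TODO comment records only the symptom — a select column that is a value derived from the sink (`sink.getInitialization`) rather than the sink node — and says nothing about what "manually verify" consists of or when the config may be re-enabled; the same applies to the other seventeen hunks in this patch, from ClientSideRequestForgeryQuery.qll through decodeJwtWithoutVerification.ql. As far as I understand diff-informed mode, results are pruned by the locations of the selected source and sink, so a query that reports a derived location (`sink.getInitialization`, `sink.getARequest`, `sink.getHighlight`) could lose an alert whose reported element is inside the diff while the sink itself is not, which for security queries is a missed finding rather than a slower run, and that is exactly why `none()` is right for now. I would add the exit criteria to the comment: `// Re-enable once the query selects the sink node itself, or once this config maps the derived location back to its sink (via the library's selected-location hook, if this version provides one).` The embedded `file:line: Column N` references will go stale as soon as the .ql files are edited, so either keep only the stable part (`selects sink.getInitialization`) or regenerate these comments in CI rather than maintaining them by hand.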
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll
@@ -31,7 +31,12 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/CommandInjection.ql:31: Column 1 does not select a source or sink originating from the flow call on line 24
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-078/CommandInjection.ql:34: Column 1 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
index 4c2c3f4debc9..fe0075d89d25 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll
@@ -24,7 +24,12 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
     node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:22: Column 5 selects sink.getCredentialsHeader
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql:25: Column 5 selects sink.getCredentialsHeader
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
index 2999381581da..f60bf128b7f8 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll
@@ -34,7 +34,11 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql:23: Column 7 does not select a source or sink originating from the flow call on line 19
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
index a83575ada200..962d4a656e17 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll
@@ -27,7 +27,11 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/IndirectCommandInjection.ql:29: Column 1 does not select a source or sink originating from the flow call on line 25
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
index dd3fafabc3ef..4169e72f1d79 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll
@@ -24,7 +24,11 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-829/InsecureDownload.ql:21: Column 5 selects sink.getDownloadCall
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
index e7d93aabb977..a5a586e60baa 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/NosqlInjectionQuery.qll
@@ -52,7 +52,14 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
     state2 = state1
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 32
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 32
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 34
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 34
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
index 1f9ed6108183..398a222cb016 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll
@@ -48,7 +48,11 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
     node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql:30: Column 7 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
index a558604c82bc..b8f104917f96 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll
@@ -27,7 +27,11 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
     isAdditionalRequestForgeryStep(node1, node2)
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-918/RequestForgery.ql:21: Column 1 selects sink.getARequest
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
index 668086bc9b58..f134b719f0b4 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -28,7 +28,11 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql:30: Column 1 does not select a source or sink originating from the flow call on line 26
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
index 69dabac14680..5dc4e4a8dd7c 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll
@@ -32,7 +32,14 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 1 does not select a source or sink originating from the flow call on line 28
+    // ql/src/Security/CWE-089/SqlInjection.ql:35: Column 5 does not select a source or sink originating from the flow call on line 28
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 1 does not select a source or sink originating from the flow call on line 30
+    // ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql:37: Column 5 does not select a source or sink originating from the flow call on line 30
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
index c5de11332f6d..d7143334d6ca 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll
@@ -33,7 +33,11 @@ module UnsafeCodeConstruction {
 
     DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-    predicate observeDiffInformedIncrementalMode() { any() }
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-094/UnsafeCodeConstruction.ql:26: Column 7 selects sink.getCodeSink
+      none()
+    }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
index 70747f128bee..6de6e3d89be4 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll
@@ -61,7 +61,11 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql:25: Column 7 selects sink.getSink
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
index 0a35e7598442..df192cb4a662 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll
@@ -37,7 +37,11 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
     node = any(StringReplaceCall call).getRawReplacement()
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql:25: Column 5 selects source.getPlugin
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
index b4d83d8a87bf..ce3425edae84 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -26,7 +26,12 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:24: Column 1 selects sink.getAlertLocation
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:26: Column 7 selects sink.getCommandExecution
+    none()
+  }
 }
 
 /**
diff --git a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
index 0970111e32ba..ac12652df22e 100644
--- a/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll
@@ -26,7 +26,12 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
 
   int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Performance/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
+    // ql/src/Performance/PolynomialReDoS.ql:33: Column 5 selects sink.getRegExp
+    none()
+  }
 }
 
 /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */
diff --git a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
index 5c8ba19f16bc..848e64b5d7d1 100644
--- a/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
+++ b/javascript/ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql
@@ -34,7 +34,11 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-099/EnvValueAndKeyInjection.ql:71: Column 1 does not select a source or sink originating from the flow call on line 68
+    none()
+  }
 }
 
 module EnvValueAndKeyInjectionFlow = TaintTracking::Global;
diff --git a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
index 29808686d8f4..e566b0d74fce 100644
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -28,7 +28,11 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql:42: Column 5 does not select a source or sink originating from the flow call on line 41
+    none()
+  }
 }
 
 module VerifiedDecodeFlow = TaintTracking::Global;