
d10c
Contributor

@d10c d10c commented Oct 8, 2025

Methodology

$ git grep -P 'getASelectedSourceLocation|getASelectedSinkLocation'
Actions (9)
  • OutputClobberingQuery.qll
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll=185=private module OutputClobberingConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll:220:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • RequestForgeryQuery.qll
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll=15=private module RequestForgeryConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll:22:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • SecretExfiltrationQuery.qll
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll=14=private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll:21:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSinks.ql
actions/ql/src/Models/CompositeActionsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSources.ql
actions/ql/src/Models/CompositeActionsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CompositeActionsSummaries.ql
actions/ql/src/Models/CompositeActionsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSinks.ql
actions/ql/src/Models/ReusableWorkflowsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSources.ql
actions/ql/src/Models/ReusableWorkflowsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ReusableWorkflowsSummaries.ql
actions/ql/src/Models/ReusableWorkflowsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
C++ (1)
  • WordexpTainted.ql
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql=38=module WordexpTaintConfig implements DataFlow::ConfigSig {
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql:54:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
C# (1)
  • DontInstallRootCert.ql
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql=17=module AddCertToRootStoreConfig implements DataFlow::ConfigSig {
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql:43:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Go (4)
  • MissingRegexpAnchor.ql: nothing to do (not a path-problem)
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql=63=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql:78:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • InsufficientKeySize.ql
go/ql/src/Security/CWE-326/InsufficientKeySize.ql=15=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-326/InsufficientKeySize.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • PamAuthBypass.ql: shouldn't be diff-informed; uses secondary config.
go/ql/src/experimental/CWE-285/PamAuthBypass.ql=37=module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:48:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
go/ql/src/experimental/CWE-285/PamAuthBypass.ql=54=module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:65:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • DivideByZero.ql
go/ql/src/experimental/CWE-369/DivideByZero.ql=30=module Config implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-369/DivideByZero.ql:51:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Java (23)
  • ArbitraryApkInstallationQuery.qll
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll=12=module ApkInstallationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll:29:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • ArithmeticTaintedQuery.qll
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=8=module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:21:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=32=module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ArithmeticUncontrolledQuery.qll
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=16=module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=37=module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:48:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • BrokenCryptoAlgorithmQuery.qll
java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll=28=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CleartextStorageQuery.qll: nothing to be done; no path-problem queries use this config.
java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll=46=private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll:64:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CommandLineQuery.qll
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll=51=module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll:68:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ConditionalBypassQuery.qll
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll=42=module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ImproperIntentVerificationQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll=17=private module VerifiedIntentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:31:  Location getASelectedSourceLocation(DataFlow::Node src) {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:46:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll=10=module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ImproperValidationOfArrayConstructionQuery.qll
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll=11=module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll:20:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureTrustManagerQuery.qll: nothing to be done, already both source and sink.
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll=11=module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll:24:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • MaybeBrokenCryptoAlgorithmQuery.qll
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll=71=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll:83:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • NumericCastTaintedQuery.qll
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll=87=module NumericCastFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll:108:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RandomQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/RandomQuery.qll=32=private module PredictableSeedFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/RandomQuery.qll:43:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • SqlConcatenatedQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll=21=module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • TaintedEnvironmentVariableQuery.qll
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll=28=module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • TaintedPermissionsCheckQuery.qll
java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll=56=module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll:65:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • TempDirLocalInformationDisclosureQuery.qll
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll=131=module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll:151:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
  • UnsafeCertTrustQuery.qll: nothing to be done, not a path-problem.
java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll=11=module SslEndpointIdentificationFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll:20:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • UnsafeDeserializationQuery.qll
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll=302=private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll:315:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHostnameVerificationQuery.qll: nothing to be done, already selects both source and sink.
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll=37=module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll:71:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • WebviewDebuggingEnabledQuery.qll
java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll=35=module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll:50:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • PolynomialReDoSQuery.qll: nothing to be done, already selects both source and sink.
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll=37=module PolynomialRedosConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
JS (15)
  • BrokenCryptoAlgorithmQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll=22=module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ClientSideRequestForgeryQuery.qll: nothing to be done, already selects both source and sink.
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll=17=module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CommandInjectionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll=27=module CommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CorsMisconfigurationForCredentialsQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll=17=module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • DeepObjectResourceExhaustionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll=14=module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll:39:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • IndirectCommandInjectionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll=13=module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureDownloadQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll=16=module InsecureDownloadConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • PrototypePollutionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll=27=module PrototypePollutionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RequestForgeryQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll=17=module RequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ShellCommandInjectionFromEnvironmentQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll=17=module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll:33:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeCodeConstruction.qll
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll=15=module UnsafeCodeConstruction {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll:38:    Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHtmlConstructionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll=18=module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll:66:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeJQueryPluginQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll=13=module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll:42:  Location getASelectedSourceLocation(DataFlow::Node source) {
  • UnsafeShellCommandConstructionQuery.qll
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll=16=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {
javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll=14=module PolynomialReDoSConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • SSRF.qll
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll=5=module SsrfConfig implements DataFlow::ConfigSig {
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll:32:  Location getASelectedSourceLocation(DataFlow::Node source) {
Python (8)
  • PolynomialReDoSQuery.qll
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll=14=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • RegexInjectionQuery.qll
python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll=15=private module RegexInjectionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll:24:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ServerSideRequestForgeryQuery.qll
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll=61=private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll:70:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeShellCommandConstructionQuery.qll
python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll=19=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll:34:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeUsageOfClientSideEncryptionVersion.ql
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql=99=private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql:151:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • CorsBypass.ql
python/ql/src/experimental/Security/CWE-346/CorsBypass.ql=64=module CorsBypassConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/CWE-346/CorsBypass.ql:85:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeUnpackQuery.qll
python/ql/src/experimental/Security/UnsafeUnpackQuery.qll=42=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/UnsafeUnpackQuery.qll:214:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • LdapInsecureAuth.qll
python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll=91=private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll:107:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
Ruby (11)
  • ConditionalBypassQuery.qll
ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll=14=private module Config implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • InsecureDownloadQuery.qll
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll=13=private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeCodeConstructionQuery.qll
ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll=15=private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll:30:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeHtmlConstructionQuery.qll
ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll=15=private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • UnsafeShellCommandConstructionQuery.qll
ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll=16=private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • PolynomialReDoSQuery.qll
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll=13=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • DecompressionApi.ql
ruby/ql/src/experimental/decompression-api/DecompressionApi.ql=36=private module DecompressionApiConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/decompression-api/DecompressionApi.ql:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ManuallyCheckHttpVerb.ql
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql=75=private module HttpVerbConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql:92:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • WeakParams.ql
ruby/ql/src/experimental/weak-params/WeakParams.ql=44=private module WeakParamsConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/weak-params/WeakParams.ql:52:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • TaintedNodes.ql
ruby/ql/src/queries/meta/TaintedNodes.ql=15=private module BasicTaintConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/meta/TaintedNodes.ql:25:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
  • WeakFilePermissions.ql
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql=49=private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql:62:  Location getASelectedSinkLocation(DataFlow::Node sink) {
Shared (3)
  • DataFlow.qll
shared/dataflow/codeql/dataflow/DataFlow.qll=354=module Configs<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/DataFlow.qll:460:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:471:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:609:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:620:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
  • DataFlowImpl.qll
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll=16=module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:146:    Location getASelectedSourceLocation(Node source);
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:148:    Location getASelectedSinkLocation(Node sink);
  • DataFlowImplStage1.qll
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll=15=module MakeImplStage1<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:136:        then AlertFiltering::filterByLocation(Config::getASelectedSourceLocation(source))
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:147:        then AlertFiltering::filterByLocation(Config::getASelectedSinkLocation(sink))
Swift (3)
  • CleartextStorageDatabaseQuery.qll
swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll=16=module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll:54:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • CleartextStoragePreferencesQuery.qll
swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll=16=module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {
  • ConstantPasswordQuery.qll
swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll=26=module ConstantPasswordConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • InsufficientHashIterationsQuery.qll
swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll=27=module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • StaticInitializationVectorQuery.qll
swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll=26=module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll:46:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • StringLengthConflationQuery.qll
swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll=16=module StringLengthConflationConfig implements DataFlow::StateConfigSig {
swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll:45:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeJsEvalQuery.qll
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll=15=module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll:28:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
  • UnsafeUnpackQuery.qll
swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll=15=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

Questions

  1. In queries like Go/PamAuthBypass and Java/CommandLineQuery, in which of these cases is the use of secondary/negated flows permitted?
  • Split off Go/PamAuthBypass into its own PR: increase efficiency by moving query clauses to isSource of other config (that would allow the main config to be diff informed).
  2. In Java/CommandLineQuery, not all of the queries using the config are path-problems. How do I correctly override the location in that case?
  • It's fine, but complicated and delicate. Write a code comment.

d10c added 18 commits October 8, 2025 13:21
actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql uses source as endpoint
actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql uses source as endpoint
actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file uses source as endpoint
Same file usees source and sink as endpoints
java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@github-actions github-actions bot added C# C++ Java Go Actions Analysis of GitHub Actions labels Oct 8, 2025
d10c added 4 commits October 9, 2025 14:14
java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
