diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll index 0f2d28480cdb..989d928a8c71 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll @@ -48,6 +48,17 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig { node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1 } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | + cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() + or + not sink instanceof DataFlow::PostUpdateNode and + cleanSink = sink + ) + } } /** diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll index 2a7bec5dc47f..c3665589482a 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll @@ -30,6 +30,17 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig { // make sources barriers so that we only report the closest instance isSource(node) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | + cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() + or + not sink instanceof DataFlow::PostUpdateNode and + cleanSink = sink + ) + } } /** diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll index 769c385d4d66..53952f3e1d14 100644 --- a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll +++ b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll @@ -21,6 +21,10 @@ module InsecureTlsConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { + none() // query selects some Swift nodes (e.g. "[post] self") that have location file://:0:0:0:0, which always fall outside the diff range. + } } module InsecureTlsFlow = TaintTracking::Global; diff --git a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll index ba24f63231f4..5aba75c18c26 100644 --- a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll +++ b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll @@ -28,6 +28,10 @@ module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(UnsafeWebViewFetchAdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { + none() // can't override location accurately because of secondary use in select. + } } /**