Skip to content

C#: Diff-informed queries: phase 3 (non-trivial locations) #20074

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

C#: Diff-informed queries: phase 3 (non-trivial locations) #20074

wants to merge 5 commits into from
+43 −0

Conversation

d10c
Copy link
Contributor

@d10c d10c commented Jul 17, 2025

This PR enables diff-informed mode on queries that select a location other than dataflow source or sink. This entails adding a non-trivial location override that returns the locations that are actually selected.

Prior work includes PRs like #19663, #19759, and #19817. This PR uses the same patch script as those PRs to find candidate queries to convert to diff-enabled. This is the final step in mass-enabling diff-informed queries on all the languages.

Commit-by-commit reviewing is recommended.

  • I have split the commits that add/modify tests from the ones that enable/disable diff-informed queries.
  • If the commit modifies a .qll file, in the commit message I've included links to the queries that depend on that .qll for easier reviewing.
  • Feel free to delegate parts of the review to others who may be more specialized in certain languages.

@github-actions github-actions bot added the C# label Jul 17, 2025
@d10c d10c added the no-change-note-required This PR does not need a change note label Jul 17, 2025
@d10c d10c marked this pull request as ready for review July 17, 2025 13:48
@Copilot Copilot AI review requested due to automatic review settings July 17, 2025 13:48
@d10c d10c requested a review from a team as a code owner July 17, 2025 13:48
@d10c d10c requested a review from michaelnebel July 17, 2025 13:48
Copilot
Copilot AI reviewed Jul 17, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enables diff-informed mode on C# queries that select locations other than dataflow source or sink by adding the observeDiffInformedIncrementalMode() predicate and custom location overrides where needed. This is the final step in mass-enabling diff-informed queries across all languages.

  • Adds observeDiffInformedIncrementalMode() predicate to enable diff-informed mode on data flow configurations
  • Implements custom location selection logic via getASelectedSinkLocation() for queries that report locations different from sink locations
  • Distinguishes between primary configurations (enabled with any()) and secondary configurations (disabled with none())

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Show a summary per file
File Description
HardcodedConnectionString.ql Enables diff-informed mode and adds location override to select call locations instead of sink locations
ThreadUnsafeICryptoTransformLambda.ql Enables diff-informed mode for parallel crypto transform usage detection
UnsafeDeserializationQuery.qll Enables diff-informed mode for primary configs, disables for secondary configs used in unsafe deserialization queries
ExternalAPIsQuery.qll Enables diff-informed mode for external API data flow tracking
ConditionalBypassQuery.qll Enables diff-informed mode and adds location override to select both sink and sensitive method call locations

michaelnebel
michaelnebel approved these changes Jul 18, 2025
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM under the conditions that
(1) DCA looks good
(2) The discussion started here is resolved.

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
@@ -78,6 +78,8 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

predicate observeDiffInformedIncrementalMode() { any() }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will also affect the output of cs/count-untrusted-data-external-api (if run in diff informed mode). However, this query is not included in any query suite, so this should be ok.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@michaelnebel michaelnebel michaelnebel approved these changes

Assignees
No one assigned
Labels
C# no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@d10c @michaelnebel