From 52ce0ef299cb0e45dc4907b2d0acfe2353fe30aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Tue, 3 Jun 2025 20:39:31 +0200
Subject: [PATCH 1/2] C++: mass enable diff-informed data flow

An auto-generated patch that enables diff-informed data flow in the obvious cases. Builds on https://github.com/github/codeql/pull/18342 and https://github.com/github/codeql-patch/pull/88
---
 .../semmle/code/cpp/security/PrivateCleartextWrite.qll | 2 ++
 cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql | 2 ++
 cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll | 2 ++
 cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql | 2 ++
 cpp/ql/src/Security/CWE/CWE-611/XXE.ql | 2 ++
 cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql | 2 ++
 .../Security/CWE/CWE-190/AllocMultiplicationOverflow.ql | 2 ++
 12 files changed, 24 insertions(+)

diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
index 99cd8bfb7fdb..e6495f9a2aa7 100644
--- a/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
@@ -42,6 +42,8 @@ module PrivateCleartextWrite {
 predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
 predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WriteFlow = TaintTracking::Global;
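Review bot: The added `predicate observeDiffInformedIncrementalMode() { any() }` at the end of the PrivateCleartextWrite config module makes the flow computation skip paths whose source and sink both lie outside the diff range, which only preserves alerts when every location the query's `select` reports is the source or the sink node itself; none of these hunks shows the `select` clause, so that property is assumed by the patch rather than visible here. If any of the affected queries reports an additional location, the config should also override the `getASelectedSourceLocation`/`getASelectedSinkLocation` hooks rather than rely on the default, so each `select` is worth confirming before merge. A one-line QLDoc comment would record the assumption, e.g. `/** Diff-informed mode is safe: the query only reports source and sink locations. */` above the new predicate. The enclosing config module starts outside the hunk. The same point applies to the other eleven hunks (CastArrayPointerArithmetic, NtohlArrayNoBound, UncontrolledProcessOperation, ImproperArrayIndexValidation, UncontrolledFormatString, IntegerOverflowTainted, ExposedSystemData, PotentiallyExposedSystemData, XXE, WordexpTainted, AllocMultiplicationOverflow).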
diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
index d1645007a321..23240d385adc 100644
--- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -48,6 +48,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
 predicate isBarrierIn(DataFlow::Node node) { isSource(node, _) }
 
 predicate isBarrierOut(DataFlow::Node node) { isSink(node, _) }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
index ecb60d113d86..40c0f2173d90 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
+++ b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
@@ -141,6 +141,8 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
 gc.controls(node.asExpr().getBasicBlock(), _)
 )
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NetworkToBufferSizeFlow = DataFlow::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
index e5fd1a94f181..aedb21da5167 100644
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -39,6 +39,8 @@ module Config implements DataFlow::ConfigSig {
 or
 node.asCertainDefinition().getUnspecifiedType() instanceof ArithmeticType
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
index b5dc4d893b21..17c1b09c3e68 100644
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -66,6 +66,8 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
 not offsetIsAlwaysInBounds(arrayExpr, offsetExpr)
 )
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ImproperArrayIndexValidation = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
index 04b4fe45fcfa..37e3fa0c49f8 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -44,6 +44,8 @@ module Config implements DataFlow::ConfigSig {
 or
 isArithmeticNonCharType(node.asCertainDefinition().getUnspecifiedType())
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
index 8e6bbefbaace..6ff06d355b9b 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -94,6 +94,8 @@ module Config implements DataFlow::ConfigSig {
 not iTo instanceof PointerArithmeticInstruction
 )
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
index 5a6b50675e80..121595e61b0b 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -34,6 +34,8 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ExposedSystemData = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
index f3c9ca189b94..2a22f122ca51 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -54,6 +54,8 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asIndirectArgument() = any(MemsetFunction func).getACallToThisFunction().getAnArgument()
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module PotentiallyExposedSystemData = TaintTracking::Global;
diff --git a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
index 56a74d2f70b5..ba09e797491b 100644
--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -45,6 +45,8 @@ module XxeConfig implements DataFlow::StateConfigSig {
 }
 
 predicate neverSkip(DataFlow::Node node) { none() }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module XxeFlow = DataFlow::GlobalWithState;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
index d5b7b97c136f..cfe04ba23bfa 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
@@ -48,6 +48,8 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WordexpTaint = TaintTracking::Global;
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
index 00cf017297ff..397a0325d777 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
@@ -30,6 +30,8 @@ module MultToAllocConfig implements DataFlow::ConfigSig {
 // something that affects an allocation size
 node.asExpr() = any(HeuristicAllocationExpr ae).getSizeExpr().getAChild*()
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MultToAlloc = DataFlow::Global;

From a623657ac6d8550ea1373f8b58734c437642fe53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 4 Jun 2025 14:12:43 +0200
Subject: [PATCH 2/2] Add change note

---
 cpp/ql/lib/change-notes/2025-06-04-diff-informed.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 cpp/ql/lib/change-notes/2025-06-04-diff-informed.md

diff --git a/cpp/ql/lib/change-notes/2025-06-04-diff-informed.md b/cpp/ql/lib/change-notes/2025-06-04-diff-informed.md
new file mode 100644
index 000000000000..137ea39ea087
--- /dev/null
+++ b/cpp/ql/lib/change-notes/2025-06-04-diff-informed.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* A number of built-in C++ queries can now run in diff-informed mode.