C#: mass enable diff-informed data flow

[d10c]

An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on #18344 and https://github.com/github/codeql-patch/pull/88

[Copilot]

Pull Request Overview

This PR auto-generates patches to enable diff-informed data flow by adding a default observeDiffInformedIncrementalMode predicate in numerous data-flow configuration modules.

• Added predicate observeDiffInformedIncrementalMode() { any() } to all relevant DataFlow::ConfigSig modules.
• Covers security, cryptography, and likely-bug query modules for incremental diff analysis.

Reviewed Changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql	Added observeDiffInformedIncrementalMode predicate
csharp/ql/src/Security Features/CWE-091/XMLInjection.ql	Added observeDiffInformedIncrementalMode predicate
csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll	Added observeDiffInformedIncrementalMode predicate
csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll	Added observeDiffInformedIncrementalMode predicate

Comments suppressed due to low confidence (2)

csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql:45

• [nitpick] Add a brief comment above this predicate to explain its role in diff-informed incremental analysis, improving clarity for future maintainers.

predicate observeDiffInformedIncrementalMode() { any() }

csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql:45

• There are no existing tests exercising the incremental diff mode; consider adding test cases to validate behavior when this predicate is active.

predicate observeDiffInformedIncrementalMode() { any() }

[d10c]

It turns out that some of the generated changes in the PRs were not correct, e.g. because they should have also generated a getASelected{Source,Sink}Location() override but didn't (see Chuan-kai's comment here). So for now I'm putting them back in Draft until I make sure (via the patch script) that we are correctly handling all 3 documented query patterns, starting with the simplest one (both source and sink are used as location sources). If you have already started reviewing the PRs, thank you (also for your patience) and stay tuned for an update as to what has changed in the meantime!

[michaelnebel]

@d10c : Great!
Thank you for doing this. A couple of questions

• Do you expect there will be any configurations that will not be diff-informed?
• How does it impact tests (I remember hearing something along the lines of that tests already worked with "diff-informed", if the tests are .qlref files)?

[d10c]

Update: no changes since last time I opened the PR. It turns out that it's sound (but not optimally performant) to leave getASelected{Source,Sink}Location() un-overridden, specifically in case of a select clause containing only one of source or sink but not both. The patch script currently does not differentiate between that case and the one in which both source and sink are present in the select clause. So I will re-open these PRs as they are, and generate an appropriate getASelected{Source,Sink}Location() override in a follow-up round of PRs.

[d10c]

• Do you expect there will be any configurations that will not be diff-informed?

In this initial PR, we are skipping over the cases where a node other than source or sink is used as a location source in the select clause. To enable these cases, a non-empty override of getASelected{Source,Sink}Location() will be needed. Also, queries with more than one dataflow config are probably another case to be considered separately.

• How does it impact tests (I remember hearing something along the lines of that tests already worked with "diff-informed", if the tests are .qlref files)?

It's true that in order to enable diff-informed testing of queries, the tests have to be .qlref files. I'm planning on doing that kind of rewrite (similar to this PR) in a later phase.