Update diff-informed testing to always treat sources and sinks as alert locations

[d10c]

Now that sources/sinks are always added to the Sarif related locations, this PR updates location overrides of diff-informed queries to match that behaviour.

Methodology

$ git grep -P 'getASelectedSourceLocation|getASelectedSinkLocation'

Actions (9)

• OutputClobberingQuery.qll

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll=185=private module OutputClobberingConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll:220:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• RequestForgeryQuery.qll

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll=15=private module RequestForgeryConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll:22:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• SecretExfiltrationQuery.qll

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll=14=private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll:21:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• CompositeActionsSinks.ql

actions/ql/src/Models/CompositeActionsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• CompositeActionsSources.ql

actions/ql/src/Models/CompositeActionsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• CompositeActionsSummaries.ql

actions/ql/src/Models/CompositeActionsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/CompositeActionsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• ReusableWorkflowsSinks.ql

actions/ql/src/Models/ReusableWorkflowsSinks.ql=19=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSinks.ql:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• ReusableWorkflowsSources.ql

actions/ql/src/Models/ReusableWorkflowsSources.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSources.ql:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• ReusableWorkflowsSummaries.ql

actions/ql/src/Models/ReusableWorkflowsSummaries.ql=20=private module MyConfig implements DataFlow::ConfigSig {
actions/ql/src/Models/ReusableWorkflowsSummaries.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

C++ (1)

• WordexpTainted.ql

cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql=38=module WordexpTaintConfig implements DataFlow::ConfigSig {
cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql:54:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }

C# (1)

• DontInstallRootCert.ql

csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql=17=module AddCertToRootStoreConfig implements DataFlow::ConfigSig {
csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql:43:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

Go (4)

• MissingRegexpAnchor.ql: nothing to do (not a path-problem)

go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql=63=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql:78:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }

• InsufficientKeySize.ql

go/ql/src/Security/CWE-326/InsufficientKeySize.ql=15=module Config implements DataFlow::ConfigSig {
go/ql/src/Security/CWE-326/InsufficientKeySize.ql:31:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• PamAuthBypass.ql: shouldn't be diff-informed; uses secondary config.

go/ql/src/experimental/CWE-285/PamAuthBypass.ql=37=module PamStartToAcctMgmtConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:48:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }
go/ql/src/experimental/CWE-285/PamAuthBypass.ql=54=module PamStartToAuthenticateConfig implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-285/PamAuthBypass.ql:65:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }

• DivideByZero.ql

go/ql/src/experimental/CWE-369/DivideByZero.ql=30=module Config implements DataFlow::ConfigSig {
go/ql/src/experimental/CWE-369/DivideByZero.ql:51:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

Java (23)

• ArbitraryApkInstallationQuery.qll

java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll=12=module ApkInstallationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll:29:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• ArithmeticTaintedQuery.qll

java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=8=module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:21:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll=32=module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ArithmeticUncontrolledQuery.qll

java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=16=module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll=37=module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll:48:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• BrokenCryptoAlgorithmQuery.qll

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll=28=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• CleartextStorageQuery.qll: nothing to be done; no path-problem queries use this config.

java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll=46=private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll:64:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• CommandLineQuery.qll

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll=51=module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll:68:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ConditionalBypassQuery.qll

java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll=42=module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ImproperIntentVerificationQuery.qll: nothing to be done, not a path-problem.

java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll=17=private module VerifiedIntentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:31:  Location getASelectedSourceLocation(DataFlow::Node src) {
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll:46:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }

• ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll=10=module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ImproperValidationOfArrayConstructionQuery.qll

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll=11=module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll:20:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• InsecureTrustManagerQuery.qll: nothing to be done, already both source and sink.

java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll=11=module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll:24:  Location getASelectedSourceLocation(DataFlow::Node source) {

• MaybeBrokenCryptoAlgorithmQuery.qll

java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll=71=module InsecureCryptoConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll:83:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• NumericCastTaintedQuery.qll

java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll=87=module NumericCastFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll:108:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• RandomQuery.qll: nothing to be done, not a path-problem.

java/ql/lib/semmle/code/java/security/RandomQuery.qll=32=private module PredictableSeedFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/RandomQuery.qll:43:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• SqlConcatenatedQuery.qll: nothing to be done, not a path-problem.

java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll=21=module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node source) {

• TaintedEnvironmentVariableQuery.qll

java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll=28=module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }

• TaintedPermissionsCheckQuery.qll

java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll=56=module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll:65:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• TempDirLocalInformationDisclosureQuery.qll

java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll=131=module TempDirSystemGetPropertyToCreateConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll:151:  Location getASelectedSinkLocation(DataFlow::Node sink) { none() }

• UnsafeCertTrustQuery.qll: nothing to be done, not a path-problem.

java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll=11=module SslEndpointIdentificationFlowConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll:20:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }

• UnsafeDeserializationQuery.qll

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll=302=private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll:315:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeHostnameVerificationQuery.qll: nothing to be done, already selects both source and sink.

java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll=37=module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll:71:  Location getASelectedSourceLocation(DataFlow::Node source) {

• WebviewDebuggingEnabledQuery.qll

java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll=35=module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll:50:  Location getASelectedSourceLocation(DataFlow::Node source) {

• PolynomialReDoSQuery.qll: nothing to be done, already selects both source and sink.

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll=37=module PolynomialRedosConfig implements DataFlow::ConfigSig {
java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {

JS (16)

• BrokenCryptoAlgorithmQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll=22=module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/BrokenCryptoAlgorithmQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ClientSideRequestForgeryQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll=17=module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideRequestForgeryQuery.qll:37:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• CommandInjectionQuery.qll

javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll=27=module CommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• CorsMisconfigurationForCredentialsQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll=17=module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• DeepObjectResourceExhaustionQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll=14=module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionQuery.qll:39:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• IndirectCommandInjectionQuery.qll

javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll=13=module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• InsecureDownloadQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll=16=module InsecureDownloadConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/InsecureDownloadQuery.qll:29:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• PrototypePollutionQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll=27=module PrototypePollutionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/PrototypePollutionQuery.qll:53:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• RequestForgeryQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll=17=module RequestForgeryConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ShellCommandInjectionFromEnvironmentQuery.qll

javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll=17=module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll:33:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeCodeConstruction.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll=15=module UnsafeCodeConstruction {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeCodeConstruction.qll:38:    Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeHtmlConstructionQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll=18=module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeHtmlConstructionQuery.qll:66:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeJQueryPluginQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll=13=module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeJQueryPluginQuery.qll:42:  Location getASelectedSourceLocation(DataFlow::Node source) {

• UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll=16=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {

- [x] PolynomialReDoSQuery.qll: 

javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll=14=module PolynomialReDoSConfig implements DataFlow::ConfigSig {
javascript/ql/lib/semmle/javascript/security/regexp/PolynomialReDoSQuery.qll:31:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• SSRF.qll

javascript/ql/src/experimental/Security/CWE-918/SSRF.qll=5=module SsrfConfig implements DataFlow::ConfigSig {
javascript/ql/src/experimental/Security/CWE-918/SSRF.qll:32:  Location getASelectedSourceLocation(DataFlow::Node source) {

Python (8)

• PolynomialReDoSQuery.qll

python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll=14=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• RegexInjectionQuery.qll: nothing to be done, already selects both source and sink.

python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll=15=private module RegexInjectionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll:24:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ServerSideRequestForgeryQuery.qll

python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll=61=private module PartialServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll:70:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.

python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll=19=module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll:34:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeUsageOfClientSideEncryptionVersion.ql

python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql=99=private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql:151:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• CorsBypass.ql

python/ql/src/experimental/Security/CWE-346/CorsBypass.ql=64=module CorsBypassConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/CWE-346/CorsBypass.ql:85:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• UnsafeUnpackQuery.qll

python/ql/src/experimental/Security/UnsafeUnpackQuery.qll=42=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/Security/UnsafeUnpackQuery.qll:214:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• LdapInsecureAuth.qll

python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll=91=private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll:107:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

Ruby (11)

• ConditionalBypassQuery.qll: nothing to be done, already selects both source and sink.

ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll=14=private module Config implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll:23:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• InsecureDownloadQuery.qll: nothing to be done, already selects both source and sink.

ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll=13=private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeCodeConstructionQuery.qll: nothing to be done, already selects both source and sink.

ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll=15=private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll:30:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeHtmlConstructionQuery.qll: nothing to be done, already selects both source and sink.

ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll=15=private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll:27:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• UnsafeShellCommandConstructionQuery.qll: nothing to be done, already selects both source and sink.

ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll=16=private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll:32:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• PolynomialReDoSQuery.qll

ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll=13=private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll:26:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• DecompressionApi.ql: nothing to be done, already selects both source and sink.

ruby/ql/src/experimental/decompression-api/DecompressionApi.ql=36=private module DecompressionApiConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/decompression-api/DecompressionApi.ql:45:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ManuallyCheckHttpVerb.ql

ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql=75=private module HttpVerbConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql:92:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }

• WeakParams.ql

ruby/ql/src/experimental/weak-params/WeakParams.ql=44=private module WeakParamsConfig implements DataFlow::ConfigSig {
ruby/ql/src/experimental/weak-params/WeakParams.ql:52:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }

• TaintedNodes.ql: nothing to be done, not a path-problem.

ruby/ql/src/queries/meta/TaintedNodes.ql=15=private module BasicTaintConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/meta/TaintedNodes.ql:25:  Location getASelectedSourceLocation(DataFlow::Node source) { none() }

• WeakFilePermissions.ql

ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql=49=private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql:62:  Location getASelectedSinkLocation(DataFlow::Node sink) {

Shared (3) (documentation only)

• DataFlow.qll

shared/dataflow/codeql/dataflow/DataFlow.qll=354=module Configs<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/DataFlow.qll:460:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:471:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:609:    default Location getASelectedSourceLocation(Node source) { result = source.getLocation() }
shared/dataflow/codeql/dataflow/DataFlow.qll:620:    default Location getASelectedSinkLocation(Node sink) { result = sink.getLocation() }

• DataFlowImpl.qll

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll=16=module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:146:    Location getASelectedSourceLocation(Node source);
shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll:148:    Location getASelectedSinkLocation(Node sink);

• DataFlowImplStage1.qll

shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll=15=module MakeImplStage1<LocationSig Location, InputSig<Location> Lang> {
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:136:        then AlertFiltering::filterByLocation(Config::getASelectedSourceLocation(source))
shared/dataflow/codeql/dataflow/internal/DataFlowImplStage1.qll:147:        then AlertFiltering::filterByLocation(Config::getASelectedSinkLocation(sink))

Swift (8)

• CleartextStorageDatabaseQuery.qll

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll=16=module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll:54:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• CleartextStoragePreferencesQuery.qll

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll=16=module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll:36:  Location getASelectedSinkLocation(DataFlow::Node sink) {

• ConstantPasswordQuery.qll

swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll=26=module ConstantPasswordConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll:44:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• InsufficientHashIterationsQuery.qll

swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll=27=module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll:40:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• StaticInitializationVectorQuery.qll

swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll=26=module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll:46:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• StringLengthConflationQuery.qll

swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll=16=module StringLengthConflationConfig implements DataFlow::StateConfigSig {
swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll:45:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• UnsafeJsEvalQuery.qll

swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll=15=module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll:28:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

• UnsafeUnpackQuery.qll

swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll=15=module UnsafeUnpackConfig implements DataFlow::ConfigSig {
swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll:30:  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }

But for some reason this didn't catch all of them. For the rest, I used codeql test --check-diff-informed to alert me to other queries that needed to be updated because their tests were now failing.

Questions

1. In queries like Go/PamAuthBypass and Java/CommandLineQuery, in which of these cases is the use of secondary/negated flows permitted?

• Split off Go/PamAuthBypass into its own PR: increase efficiency by moving query clauses to isSource of other config (that would allow the main config to be diff informed). -> WIP: Go/PamAuthBypass #20642

3. In Java/CommandLineQuery, not all of the queries using the config are path-problems. How do I correctly override the location in that case?

• It's fine, but complicated and delicate. Write a code comment.

[Copilot]

Pull Request Overview

This PR updates diff-informed testing configurations to always treat sources and sinks as alert locations, aligning with the current SARIF output behavior where sources and sinks are always included in related locations.

Key changes include:

• Removing getASelectedSourceLocation and getASelectedSinkLocation overrides that returned none()
• Adding source/sink locations alongside existing location selections
• Updating documentation to clarify that path-problem queries should always include source/sink locations

Reviewed Changes

Copilot reviewed 76 out of 76 changed files in this pull request and generated 4 comments.

File	Description
shared/dataflow/codeql/dataflow/DataFlow.qll	Updated documentation for location selection predicates to clarify path-problem query requirements
Multiple language query files	Removed overrides that excluded source locations or added sink locations to existing selections
rust/ql/src/queries/security/CWE-614/InsecureCookie.ql	Disabled diff-informed mode for negatively-used config
Various Swift, C++, Java, JS, Python, Ruby files	Updated location selection to include both source/sink and existing locations

[Copilot]

[nitpick] The location selection logic could be simplified. Consider extracting the common pattern of handling PostUpdateNode locations into a helper predicate to reduce code duplication across similar configurations.

See below for a potential fix:

  /**
   * Helper predicate to get the location from a PostUpdateNode's pre-update node.
   */
  predicate getPostUpdateNodeLocation(DataFlow::Node node, Location loc) {
    loc = node.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
  }

  Location getASelectedSinkLocation(DataFlow::Node sink) {
    result = sink.(CleartextStoragePreferencesSink).getLocation()
    or
    getPostUpdateNodeLocation(sink, result)

[Copilot]

[nitpick] The documentation could be clearer about when to use none(). Consider adding an example of when a query 'doesn't report the source at all' to help developers understand this edge case.

Suggested change

	* should be `none()`.
	* should be `none()`.
	*
	* Example:
	* ```
	* // If your query does not report the source location at all, override as:
	* override Location getASelectedSourceLocation(Node source) { none() }
	* ```

[Copilot]

[nitpick] Using a list expression [openCall.getLocation(), source.getLocation()] for result assignment is unconventional. Consider using separate or branches for better readability and consistency with other files in this PR.

Suggested change

	exists(DataFlow::CallNode openCall | result = [openCall.getLocation(), source.getLocation()] |
	isWritableFileHandle(source, openCall)
	exists(DataFlow::CallNode openCall |
	isWritableFileHandle(source, openCall) and
	(result = openCall.getLocation() or result = source.getLocation())

[Copilot]

[nitpick] Similar to the Go file, using a list expression for result assignment is inconsistent with the pattern used elsewhere in this PR. Consider using separate or branches for consistency.

Suggested change

	result = [target.getLocation(), source.getLocation()]
	|
	(
	result = target.getLocation() or
	result = source.getLocation()
	) and

[geoffw0]

So, putting this in my own words, getASelectedSourceLocation and getASelectedSinkLocation now need to explicitly specify the source / sink location itself as one of their results, where they did not need to before. The default behaviour for configurations that don't override the predicates remains the same, and an any() implementation also remains the same as the source / sink is already included.

Rust and Swift 👍

[michaelnebel]

Yes, great. A sink location is only relevant if the below holds.

[michaelnebel]

Why is this needed?

[d10c]

It's not necessary for correctness, but it reduces the size of getASelectedSourceLocation from all nodes down to the sources.

[michaelnebel]

Should the default of this predicate also include and isSource(source) (the dual question to the previous comment on why isSource(...) was introduced)?

[d10c]

I think that change would maintain correctness, but I can't say a priori (before testing the performance of it) whether the predicate's smaller size (leading to smaller joins down the line) outweighs the extra join inside the predicate.

[michaelnebel]

LGTM!