From 0bcdb421ed40cd862a340092bb20209783edd9fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 15:02:14 +0200
Subject: [PATCH] [DIFF-INFORMED] Java: ArithmeticUncontrolled https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql#L36
---
 .../security/ArithmeticUncontrolledQuery.qll | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
index a5fa0d3ee4b..6b7b337ad65 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -19,6 +19,14 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
 predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ any() // merged with ArithmeticUncontrolledUnderflow in ArithmeticUncontrolled.ql
+ }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+ }
 }
 
 /** Taint-tracking flow to reason about overflow from arithmetic with uncontrolled values. */
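Review bot: `getASelectedSinkLocation` in `ArithmeticUncontrolledOverflowConfig` carries no comment explaining why the default sink location is replaced by the location of the enclosing `ArithExpr`. In diff-informed mode, a mismatch between this predicate and the element the query actually selects can filter alerts out of a pull-request scan without any error. Presumably ArithmeticUncontrolled.ql reports at `exp` rather than at the tainted operand; if so, record that above the predicate, for example `// The query selects the enclosing ArithExpr, not the operand that is the sink node; keep this in sync with the select clause.` The same applies to the matching predicate added to `ArithmeticUncontrolledUnderflowConfig` in the second hunk. Both module bodies start above their hunks, so `isSource` and any source-location handling are not visible here.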
@@ -32,6 +40,14 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
 predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+
+ predicate observeDiffInformedIncrementalMode() {
+ any() // merged with ArithmeticUncontrolledOverflow in ArithmeticUncontrolled.ql
+ }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+ }
 }
 
 /** Taint-tracking flow to reason about underflow from arithmetic with uncontrolled values. */