From 19e5c3d80537110638707b1d554db02fdaa846b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 15:27:48 +0200
Subject: [PATCH] =?UTF-8?q?[DIFF-INFORMED]=20Java:=20ImproperValidationOfA?=
 =?UTF-8?q?rray=E2=80=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql#L48
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql#L28
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql#L26
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql#L24
---
 ...erValidationOfArrayConstructionCodeSpecifiedQuery.qll | 9 +++++++++
 .../ImproperValidationOfArrayConstructionQuery.qll | 9 +++++++++
 ...erValidationOfArrayIndexCodeSpecifiedQuery.qll | 2 ++
 .../security/ImproperValidationOfArrayIndexQuery.qll | 2 ++
 4 files changed, 22 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
index a6f10913da5..e952971c389 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -17,6 +17,15 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
+ result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+ arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
+ )
+ }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
index 2af9396a119..913d50b3159 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -14,6 +14,15 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
 predicate isSink(DataFlow::Node sink) {
 any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+
+ Location getASelectedSinkLocation(DataFlow::Node sink) {
+ exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
+ result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+ arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
+ )
+ }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll
index 2ae9eb2c696..01a924de78e 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll
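Review bot: The new `getASelectedSinkLocation` in hunk 1 (and the same predicate in hunk 2, ImproperValidationOfArrayConstructionQuery.qll) has no QLDoc, so the reason its result is the array creation and the index expression rather than the sink node itself is only recoverable from the links in the commit message. As I understand diff-informed mode, an alert whose selected locations do not intersect the changed lines is dropped, so if the query's `select` later diverges from this predicate, CWE-129 alerts in pull-request analysis would presumably disappear without any error. I would add above the predicate `/** Locations the query's `select` reports for this sink: the array creation and the index expression. Keep in sync with the corresponding `.ql`. */`. The predicate also repeats the `canThrowOutOfBoundsDueToEmptyArray` call from `isSink` two lines up; that is consistent, but the two must continue to agree, which the same comment can state.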
@@ -14,6 +14,8 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) {
 exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
 }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
index 6d11962f2f4..7cb3d172483 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
@@ -18,6 +18,8 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
 
 predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
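Review bot: The added `observeDiffInformedIncrementalMode()` in hunk 3 (and in hunk 4, ImproperValidationOfArrayIndexQuery.qll) enables the mode without overriding `getASelectedSinkLocation`, so the default selected-sink location is relied on to match what the query's `select` reports, and nothing in the module records that assumption; the commit message only links the `.ql` lines. If the query later selects an expression other than the sink node, alerts in diff-informed runs would presumably be filtered out with no signal that the contract broke. A one-line comment above the predicate, such as `// The query's select reports the sink node itself, so the default selected sink location suffices.`, would keep that visible to whoever edits the `.ql`. The enclosing module starts before the hunk in both files.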