Ruby: rerun patch query after bugfix

2026-04-26 01:05:15 +02:00 · 2025-01-23 10:33:58 +01:00
parent 28f307390a
commit 1c136e3cd0
10 changed files with 58 additions and 11 deletions
--- a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
+++ b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
@@ -40,7 +40,11 @@ private module DecompressionApiConfig implements DataFlow::ConfigSig {
  // our Decompression APIs defined above will be the sinks we use for this query
  predicate isSink(DataFlow::Node sink) { sink instanceof DecompressionApiUse }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/decompression-api/DecompressionApi.ql:54: Column 5 selects sink.getCall
+    none()
+  }
 }

 private module DecompressionApiFlow = TaintTracking::Global<DecompressionApiConfig>;
--- a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
+++ b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -55,7 +55,11 @@ private module PermissivePermissionsConfig implements DataFlow::ConfigSig {
    exists(FileSystemPermissionModification mod | mod.getAPermissionNode() = sink)
  }

-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/security/cwe-732/WeakFilePermissions.ql:71: Column 5 does not select a source or sink originating from the flow call on line 69
+    none()
+  }
 }

 private module PermissivePermissionsFlow = DataFlow::Global<PermissivePermissionsConfig>;