Swift: Hide 'DynamicSelfType' from the main AST.

swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -199,7 +199,22 @@ predicate interpretOutputSpecific(string c, InterpretNode mid, InterpretNode nod
   )
 }
 
-predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode n) { none() }
+predicate interpretInputSpecific(string c, InterpretNode mid, InterpretNode node) {
+  exists(Node n, AstNode ast, MemberRefExpr e |
+    n = node.asNode() and
+    ast = mid.asElement() and
+    e.getMember() = ast
+  |
+    // Allow fields to be picked as input nodes.
+    c = "" and
+    e.getBase() = n.asExpr()
+    or
+    // Allow post update nodes to be picked as input nodes when the `input` column
+    // of the row is `PostUpdate`.
+    c = "PostUpdate" and
+    e.getBase() = n.(PostUpdateNode).getPreUpdateNode().asExpr()
+  )
+}
 
 /** Gets the argument position obtained by parsing `X` in `Parameter[X]`. */
 bindingset[s]

swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPublic.qll

@@ -26,4 +26,14 @@ predicate localTaintStep = localTaintStepCached/2;
  * of `c` at sinks and inputs to additional taint steps.
  */
 bindingset[node]
-predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet c) { none() }
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::ContentSet cs) {
+  // If a `PostUpdateNode` is specified as a sink, there's (almost) always a store step preceding it.
+  // So when the node is a `PostUpdateNode` we allow any sequence of implicit read steps of an appropriate
+  // type to make sure we arrive at the sink with an empty access path.
+  exists(NominalTypeDecl d, Decl cx |
+    node.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getType() =
+      d.getType().getABaseType*() and
+    cx.asNominalTypeDecl() = d and
+    cs.getAReadContent().(DataFlow::Content::FieldContent).getField() = cx.getAMember()
+  )
+}

swift/ql/lib/codeql/swift/elements/type/DynamicSelfType.qll

@@ -1,4 +1,9 @@
-// generated by codegen/codegen.py, remove this comment if you wish to edit this file
 private import codeql.swift.generated.type.DynamicSelfType
 
-class DynamicSelfType extends Generated::DynamicSelfType { }
+class DynamicSelfType extends Generated::DynamicSelfType {
+  override Type getResolveStep() {
+    // The type of qualifiers in a Swift constructor is assigned the type `Self` by the Swift compiler
+    // This `getResolveStep` replaces that `Self` type with the type of the enclosing class.
+    result = this.getImmediateStaticSelfType()
+  }
+}

swift/ql/lib/codeql/swift/security/InsecureTLSExtensions.qll

@@ -45,19 +45,16 @@ private class EnumInsecureTlsExtensionsSource extends InsecureTlsExtensionsSourc
   }
 }
 
-/**
- * A sink for assignment of TLS-related properties of `NSURLSessionConfiguration`.
- */
-private class NsUrlTlsExtensionsSink extends InsecureTlsExtensionsSink {
-  NsUrlTlsExtensionsSink() {
-    exists(AssignExpr assign |
-      assign.getSource() = this.asExpr() and
-      assign.getDest().(MemberRefExpr).getMember().(ConcreteVarDecl).getName() =
-        [
-          "tlsMinimumSupportedProtocolVersion", "tlsMinimumSupportedProtocol",
-          "tlsMaximumSupportedProtocolVersion", "tlsMaximumSupportedProtocol"
-        ]
-    )
+private class TlsExtensionsSinks extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        // TLS-related properties of `URLSessionConfiguration`
+        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocolVersion;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMinimumSupportedProtocol;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocolVersion;;;PostUpdate;tls-protocol-version",
+        ";URLSessionConfiguration;false;tlsMaximumSupportedProtocol;;;PostUpdate;tls-protocol-version",
+      ]
   }
 }
 

swift/ql/test/extractor-tests/generated/type/DynamicSelfType/DynamicSelfType.expected

@@ -1 +0,0 @@
-| Self | getName: | Self | getCanonicalType: | Self | getStaticSelfType: | X |

swift/ql/test/library-tests/dataflow/dataflow/DataFlow.expected

@@ -235,7 +235,7 @@ edges
 | test.swift:536:10:536:13 | s :  | test.swift:537:13:537:13 | s :  |
 | test.swift:537:7:537:7 | [post] self [str] :  | test.swift:536:5:538:5 | self[return] [str] :  |
 | test.swift:537:13:537:13 | s :  | test.swift:537:7:537:7 | [post] self [str] :  |
-| test.swift:542:17:545:5 | self[return] [str] :  | test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  |
+| test.swift:542:17:545:5 | self[return] [str] :  | test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  |
 | test.swift:543:7:543:7 | [post] self [str] :  | test.swift:542:17:545:5 | self[return] [str] :  |
 | test.swift:543:7:543:7 | [post] self [str] :  | test.swift:544:17:544:17 | self [str] :  |
 | test.swift:543:20:543:28 | call to source3() :  | test.swift:536:10:536:13 | s :  |
@@ -245,8 +245,8 @@ edges
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  | test.swift:549:13:549:35 | .str |
 | test.swift:549:24:549:32 | call to source3() :  | test.swift:536:10:536:13 | s :  |
 | test.swift:549:24:549:32 | call to source3() :  | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | test.swift:550:13:550:43 | .str |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | test.swift:550:13:550:43 | .str |
 | test.swift:567:8:567:11 | x :  | test.swift:568:14:568:14 | x :  |
 | test.swift:568:5:568:5 | [post] self [x] :  | test.swift:567:3:569:3 | self[return] [x] :  |
 | test.swift:568:14:568:14 | x :  | test.swift:568:5:568:5 | [post] self [x] :  |
@@ -541,7 +541,7 @@ nodes
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  | semmle.label | call to MyClass.init(s:) [str] :  |
 | test.swift:549:13:549:35 | .str | semmle.label | .str |
 | test.swift:549:24:549:32 | call to source3() :  | semmle.label | call to source3() :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | semmle.label | call to Self.init(contentsOfFile:) [str] :  |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | semmle.label | call to MyClass.init(contentsOfFile:) [str] :  |
 | test.swift:550:13:550:43 | .str | semmle.label | .str |
 | test.swift:567:3:569:3 | self[return] [x] :  | semmle.label | self[return] [x] :  |
 | test.swift:567:8:567:11 | x :  | semmle.label | x :  |
@@ -609,7 +609,7 @@ subpaths
 | test.swift:543:20:543:28 | call to source3() :  | test.swift:536:10:536:13 | s :  | test.swift:537:7:537:7 | [post] self [str] :  | test.swift:543:7:543:7 | [post] self [str] :  |
 | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  | test.swift:535:9:535:9 | self [str] :  | file://:0:0:0:0 | .str :  | test.swift:549:13:549:35 | .str |
 | test.swift:549:24:549:32 | call to source3() :  | test.swift:536:10:536:13 | s :  | test.swift:536:5:538:5 | self[return] [str] :  | test.swift:549:13:549:33 | call to MyClass.init(s:) [str] :  |
-| test.swift:550:13:550:41 | call to Self.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  | file://:0:0:0:0 | .str :  | test.swift:550:13:550:43 | .str |
+| test.swift:550:13:550:41 | call to MyClass.init(contentsOfFile:) [str] :  | test.swift:535:9:535:9 | self [str] :  | file://:0:0:0:0 | .str :  | test.swift:550:13:550:43 | .str |
 | test.swift:573:16:573:23 | call to source() :  | test.swift:567:8:567:11 | x :  | test.swift:567:3:569:3 | self[return] [x] :  | test.swift:573:11:573:24 | call to S.init(x:) [x] :  |
 | test.swift:575:13:575:13 | s [x] :  | test.swift:574:11:574:14 | enter #keyPath(...) [x] :  | test.swift:574:11:574:14 | exit #keyPath(...) :  | test.swift:575:13:575:25 | \\...[...] |
 | test.swift:578:13:578:13 | s [x] :  | test.swift:577:36:577:38 | enter #keyPath(...) [x] :  | test.swift:577:36:577:38 | exit #keyPath(...) :  | test.swift:578:13:578:32 | \\...[...] |

swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.expected

@@ -1,86 +1,175 @@
 edges
-| InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | value |
-| InsecureTLS.swift:20:7:20:7 | value :  | file://:0:0:0:0 | value |
-| InsecureTLS.swift:22:7:22:7 | value :  | file://:0:0:0:0 | value |
-| InsecureTLS.swift:23:7:23:7 | value :  | file://:0:0:0:0 | value |
+| InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | value :  |
+| InsecureTLS.swift:20:7:20:7 | value :  | file://:0:0:0:0 | value :  |
+| InsecureTLS.swift:22:7:22:7 | value :  | file://:0:0:0:0 | value :  |
+| InsecureTLS.swift:23:7:23:7 | value :  | file://:0:0:0:0 | value :  |
+| InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:40:3:40:3 | [post] config |
 | InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | InsecureTLS.swift:40:3:40:3 | [post] config |
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:45:3:45:3 | [post] config |
 | InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | InsecureTLS.swift:45:3:45:3 | [post] config |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] :  | InsecureTLS.swift:57:3:57:3 | [post] config |
 | InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | InsecureTLS.swift:20:7:20:7 | value :  |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | InsecureTLS.swift:57:3:57:3 | [post] config |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] :  | InsecureTLS.swift:64:3:64:3 | [post] config |
 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | InsecureTLS.swift:22:7:22:7 | value :  |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | InsecureTLS.swift:64:3:64:3 | [post] config |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] :  |
+| InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] :  | InsecureTLS.swift:76:3:76:3 | [post] config |
 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | InsecureTLS.swift:23:7:23:7 | value :  |
-| InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | InsecureTLS.swift:76:3:76:3 | [post] config |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] :  |
 | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  |
+| InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:111:3:111:3 | [post] config |
 | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | InsecureTLS.swift:19:7:19:7 | value :  |
-| InsecureTLS.swift:121:55:121:66 | version :  | InsecureTLS.swift:122:47:122:47 | version |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | InsecureTLS.swift:111:3:111:3 | [post] config |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:121:55:121:66 | version :  | InsecureTLS.swift:122:47:122:47 | version :  |
+| InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:122:3:122:3 | [post] config |
 | InsecureTLS.swift:122:47:122:47 | version :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:122:47:122:47 | version :  | InsecureTLS.swift:122:3:122:3 | [post] config |
+| InsecureTLS.swift:122:47:122:47 | version :  | InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | InsecureTLS.swift:121:55:121:66 | version :  |
 | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | file://:0:0:0:0 | self [TLSVersion] :  |
 | InsecureTLS.swift:158:7:158:7 | value :  | file://:0:0:0:0 | value :  |
 | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  |
 | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:158:7:158:7 | value :  |
 | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  |
+| InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:165:3:165:3 | [post] config |
 | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  |
-| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
 | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  |
 | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | InsecureTLS.swift:165:3:165:3 | [post] config |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:181:3:181:9 | [post] getter for .config |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | InsecureTLS.swift:181:3:181:9 | [post] getter for .config |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:185:20:185:36 | withMinVersion :  | InsecureTLS.swift:187:42:187:42 | withMinVersion :  |
+| InsecureTLS.swift:187:5:187:5 | [post] self [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:187:5:187:5 | [post] self |
+| InsecureTLS.swift:187:42:187:42 | withMinVersion :  | InsecureTLS.swift:187:5:187:5 | [post] self [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:193:51:193:74 | .TLSv10 :  | InsecureTLS.swift:185:20:185:36 | withMinVersion :  |
+| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] :  | file://:0:0:0:0 | [post] self |
+| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] :  | file://:0:0:0:0 | [post] self :  |
+| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] :  | file://:0:0:0:0 | [post] self |
+| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] :  | file://:0:0:0:0 | [post] self :  |
+| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | file://:0:0:0:0 | [post] self |
+| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | file://:0:0:0:0 | [post] self :  |
+| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] :  | file://:0:0:0:0 | [post] self |
+| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] :  | file://:0:0:0:0 | [post] self :  |
 | file://:0:0:0:0 | self [TLSVersion] :  | file://:0:0:0:0 | .TLSVersion :  |
 | file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [TLSVersion] :  |
+| file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] :  |
+| file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] :  |
+| file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  |
+| file://:0:0:0:0 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] :  |
 nodes
 | InsecureTLS.swift:19:7:19:7 | value :  | semmle.label | value :  |
 | InsecureTLS.swift:20:7:20:7 | value :  | semmle.label | value :  |
 | InsecureTLS.swift:22:7:22:7 | value :  | semmle.label | value :  |
 | InsecureTLS.swift:23:7:23:7 | value :  | semmle.label | value :  |
-| InsecureTLS.swift:40:47:40:70 | .TLSv10 | semmle.label | .TLSv10 |
+| InsecureTLS.swift:40:3:40:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | semmle.label | .TLSv10 :  |
-| InsecureTLS.swift:45:47:45:70 | .TLSv11 | semmle.label | .TLSv11 |
+| InsecureTLS.swift:45:3:45:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | semmle.label | .TLSv11 :  |
-| InsecureTLS.swift:57:47:57:70 | .TLSv10 | semmle.label | .TLSv10 |
+| InsecureTLS.swift:57:3:57:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] :  | semmle.label | [post] config [tlsMaximumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | semmle.label | .TLSv10 :  |
-| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | semmle.label | .tlsProtocol10 |
+| InsecureTLS.swift:64:3:64:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] :  | semmle.label | [post] config [tlsMinimumSupportedProtocol] :  |
 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | semmle.label | .tlsProtocol10 :  |
-| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | semmle.label | .tlsProtocol10 |
+| InsecureTLS.swift:76:3:76:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] :  | semmle.label | [post] config [tlsMaximumSupportedProtocol] :  |
 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | semmle.label | .tlsProtocol10 :  |
 | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | semmle.label | .TLSv10 :  |
-| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | semmle.label | call to getBadTLSVersion() |
+| InsecureTLS.swift:111:3:111:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | semmle.label | call to getBadTLSVersion() :  |
 | InsecureTLS.swift:121:55:121:66 | version :  | semmle.label | version :  |
-| InsecureTLS.swift:122:47:122:47 | version | semmle.label | version |
+| InsecureTLS.swift:122:3:122:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:122:47:122:47 | version :  | semmle.label | version :  |
 | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | semmle.label | .TLSv11 :  |
 | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | semmle.label | self [TLSVersion] :  |
 | InsecureTLS.swift:158:7:158:7 | value :  | semmle.label | value :  |
 | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  | semmle.label | [post] def [TLSVersion] :  |
 | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | semmle.label | .TLSv10 :  |
+| InsecureTLS.swift:165:3:165:3 | [post] config | semmle.label | [post] config |
+| InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | semmle.label | def [TLSVersion] :  |
-| InsecureTLS.swift:165:47:165:51 | .TLSVersion | semmle.label | .TLSVersion |
 | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | semmle.label | .TLSVersion :  |
+| InsecureTLS.swift:181:3:181:9 | [post] getter for .config | semmle.label | [post] getter for .config |
+| InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] getter for .config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | semmle.label | .TLSv10 :  |
+| InsecureTLS.swift:185:20:185:36 | withMinVersion :  | semmle.label | withMinVersion :  |
+| InsecureTLS.swift:187:5:187:5 | [post] self | semmle.label | [post] self |
+| InsecureTLS.swift:187:5:187:5 | [post] self [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] self [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:187:42:187:42 | withMinVersion :  | semmle.label | withMinVersion :  |
+| InsecureTLS.swift:193:51:193:74 | .TLSv10 :  | semmle.label | .TLSv10 :  |
 | file://:0:0:0:0 | .TLSVersion :  | semmle.label | .TLSVersion :  |
+| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
+| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
+| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
+| file://:0:0:0:0 | [post] self | semmle.label | [post] self |
+| file://:0:0:0:0 | [post] self :  | semmle.label | [post] self :  |
+| file://:0:0:0:0 | [post] self :  | semmle.label | [post] self :  |
+| file://:0:0:0:0 | [post] self :  | semmle.label | [post] self :  |
+| file://:0:0:0:0 | [post] self :  | semmle.label | [post] self :  |
 | file://:0:0:0:0 | [post] self [TLSVersion] :  | semmle.label | [post] self [TLSVersion] :  |
+| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] :  | semmle.label | [post] self [tlsMaximumSupportedProtocolVersion] :  |
+| file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] :  | semmle.label | [post] self [tlsMaximumSupportedProtocol] :  |
+| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | semmle.label | [post] self [tlsMinimumSupportedProtocolVersion] :  |
+| file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] :  | semmle.label | [post] self [tlsMinimumSupportedProtocol] :  |
 | file://:0:0:0:0 | self [TLSVersion] :  | semmle.label | self [TLSVersion] :  |
-| file://:0:0:0:0 | value | semmle.label | value |
-| file://:0:0:0:0 | value | semmle.label | value |
-| file://:0:0:0:0 | value | semmle.label | value |
-| file://:0:0:0:0 | value | semmle.label | value |
+| file://:0:0:0:0 | value :  | semmle.label | value :  |
+| file://:0:0:0:0 | value :  | semmle.label | value :  |
+| file://:0:0:0:0 | value :  | semmle.label | value :  |
+| file://:0:0:0:0 | value :  | semmle.label | value :  |
 | file://:0:0:0:0 | value :  | semmle.label | value :  |
 subpaths
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:40:3:40:3 | [post] config |
+| InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:40:3:40:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:45:3:45:3 | [post] config |
+| InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:45:3:45:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | InsecureTLS.swift:20:7:20:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:57:3:57:3 | [post] config |
+| InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | InsecureTLS.swift:20:7:20:7 | value :  | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocolVersion] :  | InsecureTLS.swift:57:3:57:3 | [post] config [tlsMaximumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | InsecureTLS.swift:22:7:22:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:64:3:64:3 | [post] config |
+| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | InsecureTLS.swift:22:7:22:7 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocol] :  | InsecureTLS.swift:64:3:64:3 | [post] config [tlsMinimumSupportedProtocol] :  |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | InsecureTLS.swift:23:7:23:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:76:3:76:3 | [post] config |
+| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | InsecureTLS.swift:23:7:23:7 | value :  | file://:0:0:0:0 | [post] self [tlsMaximumSupportedProtocol] :  | InsecureTLS.swift:76:3:76:3 | [post] config [tlsMaximumSupportedProtocol] :  |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:111:3:111:3 | [post] config |
+| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:111:3:111:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:122:47:122:47 | version :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:122:3:122:3 | [post] config |
+| InsecureTLS.swift:122:47:122:47 | version :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:122:3:122:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
 | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:158:7:158:7 | value :  | file://:0:0:0:0 | [post] self [TLSVersion] :  | InsecureTLS.swift:163:3:163:3 | [post] def [TLSVersion] :  |
-| InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | file://:0:0:0:0 | .TLSVersion :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion |
 | InsecureTLS.swift:165:47:165:47 | def [TLSVersion] :  | InsecureTLS.swift:158:7:158:7 | self [TLSVersion] :  | file://:0:0:0:0 | .TLSVersion :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion :  |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:165:3:165:3 | [post] config |
+| InsecureTLS.swift:165:47:165:51 | .TLSVersion :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:165:3:165:3 | [post] config [tlsMinimumSupportedProtocolVersion] :  |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self :  | InsecureTLS.swift:181:3:181:9 | [post] getter for .config |
+| InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | InsecureTLS.swift:19:7:19:7 | value :  | file://:0:0:0:0 | [post] self [tlsMinimumSupportedProtocolVersion] :  | InsecureTLS.swift:181:3:181:9 | [post] getter for .config [tlsMinimumSupportedProtocolVersion] :  |
 #select
-| InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | InsecureTLS.swift:40:47:40:70 | .TLSv10 | This TLS configuration is insecure. |
-| InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | InsecureTLS.swift:45:47:45:70 | .TLSv11 | This TLS configuration is insecure. |
-| InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | InsecureTLS.swift:57:47:57:70 | .TLSv10 | This TLS configuration is insecure. |
-| InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 | This TLS configuration is insecure. |
-| InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 | This TLS configuration is insecure. |
-| InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:47:111:64 | call to getBadTLSVersion() | This TLS configuration is insecure. |
-| InsecureTLS.swift:122:47:122:47 | version | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | InsecureTLS.swift:122:47:122:47 | version | This TLS configuration is insecure. |
-| InsecureTLS.swift:165:47:165:51 | .TLSVersion | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:165:47:165:51 | .TLSVersion | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
-| file://:0:0:0:0 | value | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | file://:0:0:0:0 | value | This TLS configuration is insecure. |
+| InsecureTLS.swift:40:3:40:3 | [post] config | InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | InsecureTLS.swift:40:3:40:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:45:3:45:3 | [post] config | InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | InsecureTLS.swift:45:3:45:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:57:3:57:3 | [post] config | InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | InsecureTLS.swift:57:3:57:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:64:3:64:3 | [post] config | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | InsecureTLS.swift:64:3:64:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:76:3:76:3 | [post] config | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | InsecureTLS.swift:76:3:76:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:111:3:111:3 | [post] config | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | InsecureTLS.swift:111:3:111:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:122:3:122:3 | [post] config | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | InsecureTLS.swift:122:3:122:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:165:3:165:3 | [post] config | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | InsecureTLS.swift:165:3:165:3 | [post] config | This TLS configuration is insecure. |
+| InsecureTLS.swift:181:3:181:9 | [post] getter for .config | InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | InsecureTLS.swift:181:3:181:9 | [post] getter for .config | This TLS configuration is insecure. |
+| InsecureTLS.swift:187:5:187:5 | [post] self | InsecureTLS.swift:193:51:193:74 | .TLSv10 :  | InsecureTLS.swift:187:5:187:5 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:40:47:40:70 | .TLSv10 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:45:47:45:70 | .TLSv11 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:57:47:57:70 | .TLSv10 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:64:40:64:52 | .tlsProtocol10 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:76:40:76:52 | .tlsProtocol10 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:102:10:102:33 | .TLSv10 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:127:25:127:48 | .TLSv11 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:163:20:163:43 | .TLSv10 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |
+| file://:0:0:0:0 | [post] self | InsecureTLS.swift:181:53:181:76 | .TLSv10 :  | file://:0:0:0:0 | [post] self | This TLS configuration is insecure. |

swift/ql/test/query-tests/Security/CWE-757/InsecureTLS.swift

@@ -171,3 +171,33 @@ func case_19() {
   let config = URLSessionConfiguration()
   config.tlsMinimumSupportedProtocolVersion = def.TLSVersion // GOOD
 }
+
+class MyClass {
+  var config = URLSessionConfiguration()
+}
+
+func case_20(myObj: MyClass) {
+  myObj.config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv13 // GOOD
+  myObj.config.tlsMinimumSupportedProtocolVersion = tls_protocol_version_t.TLSv10 // BAD
+}
+
+extension URLSessionConfiguration {
+  convenience init(withMinVersion: tls_protocol_version_t) {
+    self.init()
+    tlsMinimumSupportedProtocolVersion = withMinVersion
+  }
+}
+
+func case_21() {
+  let _ = URLSessionConfiguration(withMinVersion: tls_protocol_version_t.TLSv13) // GOOD
+  let _ = URLSessionConfiguration(withMinVersion: tls_protocol_version_t.TLSv10) // BAD
+}
+
+func setVersion(version: inout tls_protocol_version_t, value: tls_protocol_version_t) {
+  version = value
+}
+
+func case_22(config: URLSessionConfiguration) {
+  setVersion(version: &config.tlsMinimumSupportedProtocolVersion, value: tls_protocol_version_t.TLSv13) // GOOD
+  setVersion(version: &config.tlsMinimumSupportedProtocolVersion, value: tls_protocol_version_t.TLSv10) // BAD [NOT DETECTED]
+}