mirror of
https://github.com/github/codeql.git
synced 2025-12-16 16:53:25 +01:00
9151a7e433
If the legacy configuration is only enabled if there are no other configurations, defining a configuration in an imported library can lead to unwanted results. For example, code that uses `any(MyTaintKind t).taints(node)` would *stop* working, if it did not define its own configuration. (this actually happened to us) We performed a dist-compare to ensure there is not a performance deg ration by doing this. Results at https://git.semmle.com/gist/rasmuswl/a1eca07f3a92f5f65ee78d733e5d260e Tests that were affected by this: - RockPaperScissors + Simple: new edges because no configuration was defined for SqlInjectionTaint or CommandInjectionTaint - CleartextLogging + CleartextStorage: new edges because no configuration was defined before, AND duplicate deges. - TestNode: new edges because no configuration was defined before - PathInjection: Duplicate edges - TarSlip: Duplicate edges - CommandInjection: Duplicate edges - ReflectedXss: Duplicate edges - SqlInjection: Duplicate edges - CodeInjection: Duplicate edges - StackTraceExposure: Duplicate edges - UnsafeDeserialization: Duplicate edges - UrlRedirect: Duplicate edges