@cklin (Contributor) commented Apr 24, 2025

This PR addresses cases where diff-informed Python queries produce alerts that are not completely in accordance with the given diff ranges.

For queries that incorrectly produce alerts outside the diff ranges, I added expected files so that they can pass QL tests with the --check-diff-informed flag.

For PolynomialReDoS.ql, which incorrectly omits alerts in the diff ranges, I disabled diff-informed mode until the problem can be addressed.
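The two failure modes the description refers to (alerts reported outside the diff ranges, and alerts inside the ranges that a diff-informed run omits) can be stated as a small consistency check. The following is an added illustration, not CodeQL's own implementation of `--check-diff-informed` or of the QL test runner. The range syntax is taken from the `DIFF-INFORMED` expected-file names in this PR (for example `1-104,106-201.expected`); reading each range as an inclusive span of line numbers in the test file, and the sample alert sets, are assumptions constructed for the example.

```python
"""Check diff-informed alert sets against the diff ranges they were produced for.

Added illustration only; this is not CodeQL's implementation of
--check-diff-informed. The range syntax ("1-104,106-201") is taken from the
DIFF-INFORMED expected-file names in this PR; reading each range as an
inclusive span of line numbers in the test file is an assumption.
"""
from typing import Iterable, List, Set, Tuple

Range = Tuple[int, int]
Alert = Tuple[int, str]  # (line number, alert message)


def parse_ranges(spec: str) -> List[Range]:
    """Parse "1-104,106-201" into [(1, 104), (106, 201)] (sorted, validated)."""
    ranges: List[Range] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo_s, _, hi_s = part.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo  # a bare "42" means the single line 42
        if lo < 1 or hi < lo:
            raise ValueError(f"bad diff range {part!r}")
        ranges.append((lo, hi))
    return sorted(ranges)


def in_ranges(line: int, ranges: Iterable[Range]) -> bool:
    """True if `line` lies inside any of the inclusive diff ranges."""
    return any(lo <= line <= hi for lo, hi in ranges)


def check_diff_informed(
    full_alerts: Iterable[Alert], diff_alerts: Iterable[Alert], ranges: List[Range]
) -> Tuple[List[Alert], List[Alert]]:
    """Compare a diff-informed run against a full run restricted to the diff.

    Returns (extra, missing):
      extra   - alerts the diff-informed run reports outside the ranges
                (the over-reporting this PR records in new expected files)
      missing - alerts inside the ranges that the full run finds but the
                diff-informed run omits (the under-reporting that led to
                disabling diff-informed mode for PolynomialReDoS.ql)
    """
    full: Set[Alert] = set(full_alerts)
    diff: Set[Alert] = set(diff_alerts)
    extra = sorted(a for a in diff if not in_ranges(a[0], ranges))
    missing = sorted(a for a in full if in_ranges(a[0], ranges) and a not in diff)
    return extra, missing


# Constructed sample results; none of these come from the repository's tests.
RANGES = parse_ranges("1-104,106-201")  # every line except 105 is in the diff
FULL_RUN: Set[Alert] = {
    (18, "unsafe unpacking"),
    (33, "unsafe unpacking"),
    (105, "unsafe unpacking"),  # the one line outside the diff
}
# Reports the alert on the untouched line 105: over-reporting.
OVER_REPORTING_RUN: Set[Alert] = {
    (18, "unsafe unpacking"),
    (33, "unsafe unpacking"),
    (105, "unsafe unpacking"),
}
# Drops the alert on line 33 even though it is inside the diff: under-reporting.
UNDER_REPORTING_RUN: Set[Alert] = {(18, "unsafe unpacking")}

if __name__ == "__main__":
    for name, run in (("over", OVER_REPORTING_RUN), ("under", UNDER_REPORTING_RUN)):
        extra, missing = check_diff_informed(FULL_RUN, run, RANGES)
        print(f"{name}-reporting run: extra={extra} missing={missing}")
```

Run stand-alone, the over-reporting run yields one extra alert (line 105) and the under-reporting run yields one missing alert (line 33). The first outcome corresponds to the queries for which this PR adds expected files; the second is the PolynomialReDoS.ql situation, where recording the behaviour in an expected file would bake in a missed finding, which is why that query's diff-informed mode was disabled instead.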

cklin added 2 commits April 24, 2025 11:09

  This commit adds expected files for diff-informed testing. These
  expected files describe how diff-informed queries produce alerts that
  are not completely in accordance with the given diff ranges.

  This commit disables diff-informed mode for PolynomialReDoS.ql because it
  could miss some alerts within diff ranges.
@cklin cklin marked this pull request as ready for review April 24, 2025 21:27
Copilot AI review requested due to automatic review settings April 24, 2025 21:27
@cklin cklin requested a review from a team as a code owner April 24, 2025 21:27
Copilot AI (Contributor) left a comment

Copilot reviewed 5 out of 25 changed files in this pull request and generated no comments.

Files not reviewed (20)
  • python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-104,106-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-111,113-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-119,121-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-141,143-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-166,168-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-175,177-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-18,20-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-200.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-33,35-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-47,49-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-51,53-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-65,67-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-022-UnsafeUnpacking/DIFF-INFORMED/UnsafeUnpack/1-86,88-201.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-10,12-89.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-20,22-89.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-30,32-89.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-42,44-89.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-327-UnsafeUsageOfClientSideEncryptionVersion/DIFF-INFORMED/UnsafeUsageOfClientSideEncryptionVersion/1-74,76-89.expected: Language not supported
  • python/ql/test/experimental/query-tests/Security/CWE-346/DIFF-INFORMED/CorsBypass/1-7,9-17.expected: Language not supported

@cklin cklin added the no-change-note-required This PR does not need a change note label Apr 24, 2025
@cklin cklin closed this Apr 24, 2025
@cklin cklin deleted the cklin/check-diff-informed-python branch August 12, 2025 20:37
Labels: no-change-note-required (This PR does not need a change note), Python

2 participants