From cd3fa64ee3f2427dc32a866e6b1541a5fb269bcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:44:41 +0200 Subject: [PATCH 1/4] [DIFF-INFORMED] Swift: CleartextStorageDatabase https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql#L33 --- .../swift/security/CleartextStorageDatabaseQuery.qll | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll index 0f2d28480cdb..989d928a8c71 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll @@ -48,6 +48,17 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig { node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1 } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | + cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() + or + not sink instanceof DataFlow::PostUpdateNode and + cleanSink = sink + ) + } } /** From 6dea73b08138c0464d5dbfd37f97f1da554dcef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:45:28 +0200 Subject: [PATCH 2/4] [DIFF-INFORMED] Swift: CleartextStoragePreferences https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql#L32 --- .../security/CleartextStoragePreferencesQuery.qll | 11 +++++++++++ 1 file changed, 11 insertions(+) 
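Review bot: `getASelectedSinkLocation` in CleartextStorageDatabaseConfig has no comment explaining why a post-update sink is mapped to its pre-update node, and the same predicate body is repeated verbatim in the CleartextStoragePreferencesQuery.qll hunk. Presumably the mapping mirrors the element selected by the query linked in the commit message; if the two drift apart, a diff-informed run would silently filter out real cleartext-storage alerts, so the coupling deserves a QLDoc line such as `/** Gets the location the query selects for sink: the pre-update node when sink is a post-update node. Keep in sync with the select clause of CleartextStorageDatabase.ql. */`. Consider moving the body into one shared predicate that both configs call, so a future change to the select logic is made in one place. The enclosing module starts outside the hunk, and no test change is visible in this series to confirm that alert locations still match in diff-informed mode.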
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll index 2a7bec5dc47f..c3665589482a 100644 --- a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll +++ b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll @@ -30,6 +30,17 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig { // make sources barriers so that we only report the closest instance isSource(node) } + + predicate observeDiffInformedIncrementalMode() { any() } + + Location getASelectedSinkLocation(DataFlow::Node sink) { + exists(DataFlow::Node cleanSink | result = cleanSink.getLocation() | + cleanSink = sink.(DataFlow::PostUpdateNode).getPreUpdateNode() + or + not sink instanceof DataFlow::PostUpdateNode and + cleanSink = sink + ) + } } /** From b1e723991e52eb137279f9cf6eb9dea6839ff488 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:47:04 +0200 Subject: [PATCH 3/4] [DIFF-INFORMED] Swift: InsecureTLS https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-757/InsecureTLS.ql#L18 --- swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll index 769c385d4d66..53952f3e1d14 100644 --- a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll +++ b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll 
@@ -21,6 +21,10 @@ module InsecureTlsConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { + none() // query selects some Swift nodes (e.g. "[post] self") that have location file://:0:0:0:0, which always fall outside the diff range. + } } module InsecureTlsFlow = TaintTracking::Global; From 4342b2b799aa7877ee1131fe3f5b6db0045cc85e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= Date: Wed, 16 Jul 2025 16:47:58 +0200 Subject: [PATCH 4/4] [DIFF-INFORMED] Swift: UnsafeWebViewFetch https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql#L24 --- .../ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll index ba24f63231f4..5aba75c18c26 100644 --- a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll +++ b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll @@ -28,6 +28,10 @@ module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig { predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { any(UnsafeWebViewFetchAdditionalFlowStep s).step(nodeFrom, nodeTo) } + + predicate observeDiffInformedIncrementalMode() { + none() // can't override location accurately because of secondary use in select. + } } /**
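Review bot: The reason for `none()` in InsecureTlsConfig sits in a trailing comment that makes the line very long and easy to overlook; put it on its own line above the call, e.g. `// Disabled: the query selects some nodes (e.g. "[post] self") located at file://:0:0:0:0, which never fall inside a diff range.` followed by a bare `none()`. Staying on `none()` is the conservative choice, since enabling the mode would hide those alerts on pull-request scans. The UnsafeWebViewFetchQuery.qll hunk uses the same trailing-comment layout. The module body starts outside the hunk.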
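Review bot: The comment on `none()` in UnsafeWebViewFetchConfig does not say which select element is the "secondary use", so a later maintainer cannot tell when it would be safe to turn diff-informed mode on. Name the element and the consequence, for example `// Disabled: the select clause also reports <secondary element>, whose location the selected-location overrides cannot express; enabling would drop alerts.`, with the placeholder filled in from UnsafeWebViewFetch.ql. The module body starts outside the hunk.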