github
diff --git a/‎go/ql/lib/semmle/go/StringOps.qll
Lines changed: 6 additions & 0 deletions b/‎go/ql/lib/semmle/go/StringOps.qll
Lines changed: 6 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
Lines changed: 12 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
Lines changed: 12 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/CleartextLogging.qll
Lines changed: 2 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/CleartextLogging.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/CommandInjection.qll
Lines changed: 14 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/CommandInjection.qll
Lines changed: 14 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/ExternalAPIs.qll
Lines changed: 9 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/ExternalAPIs.qll
Lines changed: 9 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/HardcodedCredentials.qll
Lines changed: 7 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/HardcodedCredentials.qll
Lines changed: 7 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
Lines changed: 6 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
Lines changed: 6 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/InsecureRandomness.qll
Lines changed: 7 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/InsecureRandomness.qll
Lines changed: 7 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/LogInjection.qll
Lines changed: 2 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/LogInjection.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
Lines changed: 8 additions & 0 deletions b/‎go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
Lines changed: 8 additions & 0 deletions
@@ -231,6 +231,12 @@ module StringOps {
           call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"])
         )
       }
+
+      predicate observeDiffInformedIncrementalMode() {
+        // TODO(diff-informed): Manually verify if config can be diff-informed.
+        // ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause
+        none()
+      }
     }
 
     /**
 
@@ -19,6 +19,12 @@ module AllocationSizeOverflow {
     predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) }
 
     predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/semmle/go/security/AllocationSizeOverflow.qll:30: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /**
@@ -56,6 +62,12 @@ module AllocationSizeOverflow {
         succ = c
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-190/AllocationSizeOverflow.ql:25: Column 5 does not select a source or sink originating from the flow call on line 22
+      none()
+    }
   }
 
   /** Tracks taint flow to find allocation-size overflows. */
 
@@ -46,6 +46,8 @@ module CleartextLogging {
       // Also exclude protobuf field fetches, since they amount to single field reads.
       not any(Protobuf::GetMethod gm).taintStep(src, trg)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -24,6 +24,13 @@ module CommandInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 1 does not select a source or sink originating from the flow call on line 26
+      // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 5 does not select a source or sink originating from the flow call on line 26
+      none()
+    }
   }
 
   /**
@@ -80,6 +87,13 @@ module CommandInjection {
       node instanceof Sanitizer or
       node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 1 does not select a source or sink originating from the flow call on line 27
+      // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 5 does not select a source or sink originating from the flow call on line 27
+      none()
+    }
   }
 
   /**
 
@@ -186,6 +186,13 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/go/security/ExternalAPIs.qll:210: Flow call outside 'select' clause
+    // ql/lib/semmle/go/security/ExternalAPIs.qll:213: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
@@ -197,6 +204,8 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -30,6 +30,13 @@ module HardcodedCredentials {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-798/HardcodedCredentials.ql:65: Column 1 does not select a source or sink originating from the flow call on line 62
+      // ql/src/Security/CWE-798/HardcodedCredentials.ql:65: Column 3 does not select a source or sink originating from the flow call on line 62
+      none()
+    }
   }
 
   /** Tracks taint flow for reasoning about hardcoded credentials. */
 
@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
     state2 = node2.(FlowStateTransformer).transform(state1) and
     DataFlow::simpleLocalFlowStep(node1, node2, _)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql:26: Column 1 selects sink.getASuccessor
+    none()
+  }
 }
 
 /**
 
@@ -39,6 +39,13 @@ module InsecureRandomness {
         n2.getType() instanceof IntegerType
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/Security/CWE-338/InsecureRandomness.ql:33: Column 1 does not select a source or sink originating from the flow call on line 26
+      // ql/src/Security/CWE-338/InsecureRandomness.ql:34: Column 5 does not select a source or sink originating from the flow call on line 26
+      none()
+    }
   }
 
   /**
 
@@ -21,6 +21,8 @@ module LogInjection {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about log injection vulnerabilities. */
 
@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck {
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about JWT vulnerabilities. */
@@ -36,6 +38,12 @@ module MissingJwtSignatureCheck {
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll:18: Flow call outside 'select' clause
+      none()
+    }
   }
 
   private module SafeParse = TaintTracking::Global<SafeParseConfig>;
Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,12 @@ module StringOps {`
`231`	`231`	`call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"])`
`232`	`232`	`)`
`233`	`233`	`}`
	`234`	`+`
	`235`	`+ predicate observeDiffInformedIncrementalMode() {`
	`236`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`237`	`+ // ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause`
	`238`	`+ none()`
	`239`	`+ }`
`234`	`240`	`}`
`235`	`241`
`236`	`242`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,12 @@ module AllocationSizeOverflow {`
`19`	`19`	`predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) }`
`20`	`20`
`21`	`21`	`predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }`
	`22`	`+`
	`23`	`+ predicate observeDiffInformedIncrementalMode() {`
	`24`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`25`	`+ // ql/lib/semmle/go/security/AllocationSizeOverflow.qll:30: Flow call outside 'select' clause`
	`26`	`+ none()`
	`27`	`+ }`
`22`	`28`	`}`
`23`	`29`
`24`	`30`	`/**`
`@@ -56,6 +62,12 @@ module AllocationSizeOverflow {`
`56`	`62`	`succ = c`
`57`	`63`	`)`
`58`	`64`	`}`
	`65`	`+`
	`66`	`+ predicate observeDiffInformedIncrementalMode() {`
	`67`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`68`	`+ // ql/src/Security/CWE-190/AllocationSizeOverflow.ql:25: Column 5 does not select a source or sink originating from the flow call on line 22`
	`69`	`+ none()`
	`70`	`+ }`
`59`	`71`	`}`
`60`	`72`
`61`	`73`	`/** Tracks taint flow to find allocation-size overflows. */`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ module CleartextLogging {`
`46`	`46`	`// Also exclude protobuf field fetches, since they amount to single field reads.`
`47`	`47`	`not any(Protobuf::GetMethod gm).taintStep(src, trg)`
`48`	`48`	`}`
	`49`	`+`
	`50`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,13 @@ module CommandInjection {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`27`	`+`
	`28`	`+ predicate observeDiffInformedIncrementalMode() {`
	`29`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`30`	`+ // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 1 does not select a source or sink originating from the flow call on line 26`
	`31`	`+ // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 5 does not select a source or sink originating from the flow call on line 26`
	`32`	`+ none()`
	`33`	`+ }`
`27`	`34`	`}`
`28`	`35`
`29`	`36`	`/**`
`@@ -80,6 +87,13 @@ module CommandInjection {`
`80`	`87`	`node instanceof Sanitizer or`
`81`	`88`	`node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()`
`82`	`89`	`}`
	`90`	`+`
	`91`	`+ predicate observeDiffInformedIncrementalMode() {`
	`92`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`93`	`+ // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 1 does not select a source or sink originating from the flow call on line 27`
	`94`	`+ // ql/src/Security/CWE-078/CommandInjection.ql:28: Column 5 does not select a source or sink originating from the flow call on line 27`
	`95`	`+ none()`
	`96`	`+ }`
`83`	`97`	`}`
`84`	`98`
`85`	`99`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf`
`440`	`440`	`state2 = node2.(FlowStateTransformer).transform(state1) and`
`441`	`441`	`DataFlow::simpleLocalFlowStep(node1, node2, _)`
`442`	`442`	`}`
	`443`	`+`
	`444`	`+ predicate observeDiffInformedIncrementalMode() {`
	`445`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`446`	`+ // ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql:26: Column 1 selects sink.getASuccessor`
	`447`	`+ none()`
	`448`	`+ }`
`443`	`449`	`}`
`444`	`450`
`445`	`451`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,13 @@ module InsecureRandomness {`
`39`	`39`	`n2.getType() instanceof IntegerType`
`40`	`40`	`)`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() {`
	`44`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`45`	`+ // ql/src/Security/CWE-338/InsecureRandomness.ql:33: Column 1 does not select a source or sink originating from the flow call on line 26`
	`46`	`+ // ql/src/Security/CWE-338/InsecureRandomness.ql:34: Column 5 does not select a source or sink originating from the flow call on line 26`
	`47`	`+ none()`
	`48`	`+ }`
`42`	`49`	`}`
`43`	`50`
`44`	`51`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ module LogInjection {`
`21`	`21`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`22`	`22`
`23`	`23`	`predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }`
	`24`	`+`
	`25`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`/** Tracks taint flow for reasoning about log injection vulnerabilities. */`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`24`	`any(AdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/** Tracks taint flow for reasoning about JWT vulnerabilities. */`
`@@ -36,6 +38,12 @@ module MissingJwtSignatureCheck {`
`36`	`38`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`37`	`39`	`any(AdditionalFlowStep s).step(nodeFrom, nodeTo)`
`38`	`40`	`}`
	`41`	`+`
	`42`	`+ predicate observeDiffInformedIncrementalMode() {`
	`43`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`44`	`+ // ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll:18: Flow call outside 'select' clause`
	`45`	`+ none()`
	`46`	`+ }`
`39`	`47`	`}`
`40`	`48`
`41`	`49`	`private module SafeParse = TaintTracking::Global<SafeParseConfig>;`