github
diff --git a/‎csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
Lines changed: 6 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
Lines changed: 6 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
Lines changed: 6 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
Lines changed: 6 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
Lines changed: 2 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
Lines changed: 2 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
Lines changed: 2 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
Lines changed: 2 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
Lines changed: 2 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
Lines changed: 2 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
Lines changed: 2 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
Lines changed: 7 additions & 0 deletions b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
Lines changed: 7 additions & 0 deletions
@@ -68,6 +68,12 @@ private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::Con
       node.asExpr() = mc.getArgumentForName("command")
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll:54: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module DapperCommandDefinitionMethodCallSql =
 
@@ -167,6 +167,12 @@ private module SettingsDataFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof XmlReaderSettingsCreation }
 
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof XmlReaderSettingsInstance }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll:190: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module SettingsDataFlow = DataFlow::Global<SettingsDataFlowConfig>;
 
@@ -70,6 +70,8 @@ private module SymmetricKeyConfig implements DataFlow::ConfigSig {
 
   /** Holds if the node is a key sanitizer. */
   predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -82,6 +82,8 @@ module HardcodedSymmetricEncryptionKey {
         succ.asExpr() = mc
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -32,6 +32,8 @@ private module ClearTextStorageConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -33,6 +33,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -42,6 +42,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -39,6 +39,8 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -32,6 +32,8 @@ private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -78,6 +78,13 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:88: Flow call outside 'select' clause
+    // csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:91: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /** A module for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */
Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,12 @@ private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::Con`
`68`	`68`	`node.asExpr() = mc.getArgumentForName("command")`
`69`	`69`	`)`
`70`	`70`	`}`
	`71`	`+`
	`72`	`+ predicate observeDiffInformedIncrementalMode() {`
	`73`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`74`	`+ // csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll:54: Flow call outside 'select' clause`
	`75`	`+ none()`
	`76`	`+ }`
`71`	`77`	`}`
`72`	`78`
`73`	`79`	`private module DapperCommandDefinitionMethodCallSql =`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,8 @@ private module SymmetricKeyConfig implements DataFlow::ConfigSig {`
`70`	`70`
`71`	`71`	`/** Holds if the node is a key sanitizer. */`
`72`	`72`	`predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }`
	`73`	`+`
	`74`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`73`	`75`	`}`
`74`	`76`
`75`	`77`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,8 @@ module HardcodedSymmetricEncryptionKey {`
`82`	`82`	`succ.asExpr() = mc`
`83`	`83`	`)`
`84`	`84`	`}`
	`85`	`+`
	`86`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`85`	`87`	`}`
`86`	`88`
`87`	`89`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ private module ClearTextStorageConfig implements DataFlow::ConfigSig {`
`32`	`32`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`33`	`33`
`34`	`34`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`35`	`+`
	`36`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`35`	`37`	`}`
`36`	`38`
`37`	`39`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {`
`33`	`33`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`34`	`34`
`35`	`35`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`36`	`+`
	`37`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`36`	`38`	`}`
`37`	`39`
`38`	`40`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {`
`42`	`42`	* `node` from the data flow graph.
`43`	`43`	`*/`
`44`	`44`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`45`	`+`
	`46`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`45`	`47`	`}`
`46`	`48`
`47`	`49`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {`
`39`	`39`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`40`	`40`
`41`	`41`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig`
`32`	`32`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`33`	`33`
`34`	`34`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`35`	`+`
	`36`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`35`	`37`	`}`
`36`	`38`
`37`	`39`	`/**`