github
diff --git a/‎go/ql/lib/semmle/go/StringOps.qll
+6 b/‎go/ql/lib/semmle/go/StringOps.qll
+6
diff --git a/‎go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+8 b/‎go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+8
diff --git a/‎go/ql/lib/semmle/go/security/CleartextLogging.qll
+2 b/‎go/ql/lib/semmle/go/security/CleartextLogging.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/CommandInjection.qll
+4 b/‎go/ql/lib/semmle/go/security/CommandInjection.qll
+4
diff --git a/‎go/ql/lib/semmle/go/security/ExternalAPIs.qll
+9 b/‎go/ql/lib/semmle/go/security/ExternalAPIs.qll
+9
diff --git a/‎go/ql/lib/semmle/go/security/HardcodedCredentials.qll
+2 b/‎go/ql/lib/semmle/go/security/HardcodedCredentials.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
+2 b/‎go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/InsecureRandomness.qll
+2 b/‎go/ql/lib/semmle/go/security/InsecureRandomness.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/LogInjection.qll
+7 b/‎go/ql/lib/semmle/go/security/LogInjection.qll
+7
diff --git a/‎go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
+8 b/‎go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
+8
diff --git a/‎go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
+2 b/‎go/ql/lib/semmle/go/security/OpenUrlRedirect.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/ReflectedXss.qll
+2 b/‎go/ql/lib/semmle/go/security/ReflectedXss.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/RequestForgery.qll
+2 b/‎go/ql/lib/semmle/go/security/RequestForgery.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/SafeUrlFlow.qll
+2 b/‎go/ql/lib/semmle/go/security/SafeUrlFlow.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/SqlInjection.qll
+2 b/‎go/ql/lib/semmle/go/security/SqlInjection.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/StoredCommand.qll
+2 b/‎go/ql/lib/semmle/go/security/StoredCommand.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/StoredXss.qll
+2 b/‎go/ql/lib/semmle/go/security/StoredXss.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/StringBreak.qll
+2 b/‎go/ql/lib/semmle/go/security/StringBreak.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/TaintedPath.qll
+2 b/‎go/ql/lib/semmle/go/security/TaintedPath.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll
+10 b/‎go/ql/lib/semmle/go/security/UncontrolledAllocationSize.qll
+10
diff --git a/‎go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
+8 b/‎go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
+8
diff --git a/‎go/ql/lib/semmle/go/security/XPathInjection.qll
+2 b/‎go/ql/lib/semmle/go/security/XPathInjection.qll
+2
diff --git a/‎go/ql/lib/semmle/go/security/ZipSlip.qll
+2 b/‎go/ql/lib/semmle/go/security/ZipSlip.qll
+2
diff --git a/‎go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
+2 b/‎go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
+2
diff --git a/‎go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
+2 b/‎go/ql/src/Security/CWE-020/IncompleteHostnameRegexp.ql
+2
diff --git a/‎go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
+2 b/‎go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
+2
diff --git a/‎go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
+2 b/‎go/ql/src/Security/CWE-020/SuspiciousCharacterInRegexp.ql
+2
diff --git a/‎go/ql/src/Security/CWE-209/StackTraceExposure.ql
+2 b/‎go/ql/src/Security/CWE-209/StackTraceExposure.ql
+2
diff --git a/‎go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
+7 b/‎go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
+7
diff --git a/‎go/ql/src/Security/CWE-326/InsufficientKeySize.ql
+2 b/‎go/ql/src/Security/CWE-326/InsufficientKeySize.ql
+2
diff --git a/‎go/ql/src/Security/CWE-327/InsecureTLS.ql
+13 b/‎go/ql/src/Security/CWE-327/InsecureTLS.ql
+13
@@ -231,6 +231,12 @@ module StringOps {
           call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"])
         )
       }
+
+      predicate observeDiffInformedIncrementalMode() {
+        // TODO(diff-informed): Manually verify if config can be diff-informed.
+        // go/ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause
+        none()
+      }
     }
 
     /**
 
@@ -19,6 +19,12 @@ module AllocationSizeOverflow {
     predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) }
 
     predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll:30: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /**
@@ -56,6 +62,8 @@ module AllocationSizeOverflow {
         succ = c
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow to find allocation-size overflows. */
 
@@ -46,6 +46,8 @@ module CleartextLogging {
       // Also exclude protobuf field fetches, since they amount to single field reads.
       not any(Protobuf::GetMethod gm).taintStep(src, trg)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -24,6 +24,8 @@ module CommandInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
@@ -80,6 +82,8 @@ module CommandInjection {
       node instanceof Sanitizer or
       node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -186,6 +186,13 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/lib/semmle/go/security/ExternalAPIs.qll:210: Flow call outside 'select' clause
+    // go/ql/lib/semmle/go/security/ExternalAPIs.qll:213: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
@@ -197,6 +204,8 @@ private module UntrustedDataToUnknownExternalApiConfig implements DataFlow::Conf
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnknownExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -30,6 +30,8 @@ module HardcodedCredentials {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about hardcoded credentials. */
 
@@ -440,6 +440,8 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
     state2 = node2.(FlowStateTransformer).transform(state1) and
     DataFlow::simpleLocalFlowStep(node1, node2, _)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -39,6 +39,8 @@ module InsecureRandomness {
         n2.getType() instanceof IntegerType
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -21,6 +21,13 @@ module LogInjection {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:140: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /** Tracks taint flow for reasoning about log injection vulnerabilities. */
 
@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck {
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about JWT vulnerabilities. */
@@ -36,6 +38,12 @@ module MissingJwtSignatureCheck {
     predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
       any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll:18: Flow call outside 'select' clause
+      none()
+    }
   }
 
   private module SafeParse = TaintTracking::Global<SafeParseConfig>;
 
@@ -54,6 +54,8 @@ module OpenUrlRedirect {
       or
       hostnameSanitizingPrefixEdge(node, _)
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow from unvalidated, untrusted data to URL redirections. */
 
@@ -22,6 +22,8 @@ module ReflectedXss {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow from untrusted data to XSS attack vectors. */
 
@@ -31,6 +31,8 @@ module RequestForgery {
         w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow from untrusted data to request forgery attack vectors. */
 
@@ -36,6 +36,8 @@ module SafeUrlFlow {
       or
       node instanceof SanitizerEdge
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about safe URLs. */
 
@@ -23,6 +23,8 @@ module SqlInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */
 
@@ -26,6 +26,8 @@ module StoredCommand {
     predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjection::Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about command-injection vulnerabilities. */
 
@@ -22,6 +22,8 @@ module StoredXss {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about XSS. */
 
@@ -26,6 +26,8 @@ module StringBreak {
     predicate isBarrier(DataFlow::Node node, FlowState state) {
       state = node.(Sanitizer).getQuote()
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -17,6 +17,8 @@ module TaintedPath {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about path-traversal vulnerabilities. */
 
@@ -27,6 +27,16 @@ module UncontrolledAllocationSize {
         node2 = cn.getResult(0)
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:114: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:122: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:139: Flow call outside 'select' clause
+      // shared/dataflow/codeql/dataflow/test/InlineFlowTest.qll:140: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /** Tracks taint flow for reasoning about uncontrolled allocation size issues. */
 
@@ -20,6 +20,12 @@ module UnsafeUnzipSymlink {
     predicate isSink(DataFlow::Node sink) { sink instanceof EvalSymlinksSink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof EvalSymlinksInvalidator }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll:35: Flow call outside 'select' clause
+      none()
+    }
   }
 
   /**
@@ -44,6 +50,8 @@ module UnsafeUnzipSymlink {
     predicate isSink(DataFlow::Node sink) { sink instanceof SymlinkSink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof SymlinkSanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -19,6 +19,8 @@ module XPathInjection {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -17,6 +17,8 @@ module ZipSlip {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /** Tracks taint flow for reasoning about zip-slip vulnerabilities. */
 
@@ -127,6 +127,8 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -103,6 +103,8 @@ module IncompleteHostNameRegexpConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     StringOps::Concatenation::taintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = DataFlow::Global<IncompleteHostNameRegexpConfig>;
 
@@ -72,6 +72,8 @@ module Config implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isSourceString(source, _) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module Flow = DataFlow::Global<Config>;
 
@@ -40,6 +40,8 @@ module SuspiciousCharacterInRegexpConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isSourceString(source, _) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexpPattern }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -62,6 +62,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
       cgn.dominates(node.getBasicBlock())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -68,6 +68,13 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:90: Flow call outside 'select' clause
+    // go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql:96: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
 
@@ -25,6 +25,8 @@ module Config implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node = DataFlow::BarrierGuard<comparisonBarrierGuard/3>::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -71,6 +71,13 @@ module TlsVersionFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { intIsSource(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isSink(sink, _, _, _) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/src/Security/CWE-327/InsecureTLS.ql:87: Flow call outside 'select' clause
+    // go/ql/src/Security/CWE-327/InsecureTLS.ql:128: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
@@ -201,6 +208,12 @@ module TlsInsecureCipherSuitesFlowConfig implements DataFlow::ConfigSig {
    * suites.
    */
   predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // go/ql/src/Security/CWE-327/InsecureTLS.ql:221: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,12 @@ module StringOps {`
`231`	`231`	`call.getTarget().hasQualifiedName("strings", "Replacer", ["Replace", "WriteString"])`
`232`	`232`	`)`
`233`	`233`	`}`
	`234`	`+`
	`235`	`+ predicate observeDiffInformedIncrementalMode() {`
	`236`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`237`	`+ // go/ql/lib/semmle/go/StringOps.qll:250: Flow call outside 'select' clause`
	`238`	`+ none()`
	`239`	`+ }`
`234`	`240`	`}`
`235`	`241`
`236`	`242`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,12 @@ module AllocationSizeOverflow {`
`19`	`19`	`predicate isSink(DataFlow::Node nd) { nd = Builtin::len().getACall().getArgument(0) }`
`20`	`20`
`21`	`21`	`predicate isBarrier(DataFlow::Node nd) { nd instanceof Sanitizer }`
	`22`	`+`
	`23`	`+ predicate observeDiffInformedIncrementalMode() {`
	`24`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`25`	`+ // go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll:30: Flow call outside 'select' clause`
	`26`	`+ none()`
	`27`	`+ }`
`22`	`28`	`}`
`23`	`29`
`24`	`30`	`/**`
`@@ -56,6 +62,8 @@ module AllocationSizeOverflow {`
`56`	`62`	`succ = c`
`57`	`63`	`)`
`58`	`64`	`}`
	`65`	`+`
	`66`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`59`	`67`	`}`
`60`	`68`
`61`	`69`	`/** Tracks taint flow to find allocation-size overflows. */`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ module CleartextLogging {`
`46`	`46`	`// Also exclude protobuf field fetches, since they amount to single field reads.`
`47`	`47`	`not any(Protobuf::GetMethod gm).taintStep(src, trg)`
`48`	`48`	`}`
	`49`	`+`
	`50`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`49`	`51`	`}`
`50`	`52`
`51`	`53`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ module CommandInjection {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`27`	`+`
	`28`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`27`	`29`	`}`
`28`	`30`
`29`	`31`	`/**`
`@@ -80,6 +82,8 @@ module CommandInjection {`
`80`	`82`	`node instanceof Sanitizer or`
`81`	`83`	`node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()`
`82`	`84`	`}`
	`85`	`+`
	`86`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`83`	`87`	`}`
`84`	`88`
`85`	`89`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,8 @@ module HardcodedCredentials {`
`30`	`30`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`31`	`31`
`32`	`32`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`33`	`+`
	`34`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`/** Tracks taint flow for reasoning about hardcoded credentials. */`
Original file line number	Diff line number	Diff line change
`@@ -440,6 +440,8 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf`
`440`	`440`	`state2 = node2.(FlowStateTransformer).transform(state1) and`
`441`	`441`	`DataFlow::simpleLocalFlowStep(node1, node2, _)`
`442`	`442`	`}`
	`443`	`+`
	`444`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`443`	`445`	`}`
`444`	`446`
`445`	`447`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ module InsecureRandomness {`
`39`	`39`	`n2.getType() instanceof IntegerType`
`40`	`40`	`)`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module MissingJwtSignatureCheck {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`24`	`any(AdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/** Tracks taint flow for reasoning about JWT vulnerabilities. */`
`@@ -36,6 +38,12 @@ module MissingJwtSignatureCheck {`
`36`	`38`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`37`	`39`	`any(AdditionalFlowStep s).step(nodeFrom, nodeTo)`
`38`	`40`	`}`
	`41`	`+`
	`42`	`+ predicate observeDiffInformedIncrementalMode() {`
	`43`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`44`	`+ // go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll:18: Flow call outside 'select' clause`
	`45`	`+ none()`
	`46`	`+ }`
`39`	`47`	`}`
`40`	`48`
`41`	`49`	`private module SafeParse = TaintTracking::Global<SafeParseConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,8 @@ module OpenUrlRedirect {`
`54`	`54`	`or`
`55`	`55`	`hostnameSanitizingPrefixEdge(node, _)`
`56`	`56`	`}`
	`57`	`+`
	`58`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`57`	`59`	`}`
`58`	`60`
`59`	`61`	`/** Tracks taint flow from unvalidated, untrusted data to URL redirections. */`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ module ReflectedXss {`
`22`	`22`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`23`	`23`
`24`	`24`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`25`	`+`
	`26`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`/** Tracks taint flow from untrusted data to XSS attack vectors. */`