github
diff --git a/‎cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
Lines changed: 30 additions & 0 deletions b/‎cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll
Lines changed: 30 additions & 0 deletions
diff --git a/‎cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
Lines changed: 2 additions & 0 deletions b/‎cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
Lines changed: 6 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
Lines changed: 6 additions & 0 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
Lines changed: 7 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
Lines changed: 7 additions & 0 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
Lines changed: 14 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll
Lines changed: 14 additions & 0 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
Lines changed: 6 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll
Lines changed: 6 additions & 0 deletions
diff --git a/‎cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll
Lines changed: 6 additions & 0 deletions b/‎cpp/ql/lib/semmle/code/cpp/security/boostorg/asio/protocols.qll
Lines changed: 6 additions & 0 deletions
diff --git a/‎cpp/ql/src/Critical/MissingCheckScanf.ql
Lines changed: 12 additions & 0 deletions b/‎cpp/ql/src/Critical/MissingCheckScanf.ql
Lines changed: 12 additions & 0 deletions
diff --git a/‎cpp/ql/src/Critical/OverflowDestination.ql
Lines changed: 2 additions & 0 deletions b/‎cpp/ql/src/Critical/OverflowDestination.ql
Lines changed: 2 additions & 0 deletions
diff --git a/‎cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
Lines changed: 2 additions & 0 deletions b/‎cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
Lines changed: 2 additions & 0 deletions
@@ -127,6 +127,12 @@ module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {
       c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:141: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;
@@ -535,6 +541,12 @@ module KeyGeneration {
         c.getArgument(sizeInd) = node.asExpr()
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:557: Flow call outside 'select' clause
+      none()
+    }
   }
 
   module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;
@@ -574,6 +586,12 @@ module KeyGeneration {
         c.getArgument(3) = node.asExpr()
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:598: Flow call outside 'select' clause
+      none()
+    }
   }
 
   module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =
@@ -622,6 +640,12 @@ module KeyGeneration {
         isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:689: Flow call outside 'select' clause
+      none()
+    }
   }
 
   module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;
@@ -656,6 +680,12 @@ module KeyGeneration {
     predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }
 
     predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:706: Flow call outside 'select' clause
+      none()
+    }
   }
 
   module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =
 
@@ -42,6 +42,8 @@ module PrivateCleartextWrite {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   module WriteFlow = TaintTracking::Global<WriteConfig>;
 
@@ -756,6 +756,12 @@ private module FieldFlow {
       or
       node.asExpr().getParent() instanceof ThrowExpr
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll:764: Flow call outside 'select' clause
+      none()
+    }
   }
 
   private module Flow = DataFlow::Global<FieldConfig>;
 
@@ -387,6 +387,13 @@ module ProductFlow {
       predicate isBarrierIn(DataFlow::Node node) { Config::isBarrierIn1(node) }
 
       int fieldFlowBranchLimit() { result = Config::fieldFlowBranchLimit1() }
+
+      predicate observeDiffInformedIncrementalMode() {
+        // TODO(diff-informed): Manually verify if config can be diff-informed.
+        // cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:400: Flow call outside 'select' clause
+        // cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll:407: Flow call outside 'select' clause
+        none()
+      }
     }
 
     private module Flow1 = DataFlow::GlobalWithState<Config1>;
 
@@ -142,6 +142,14 @@ private module SizeBarrier {
     }
 
     predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:151: Flow call outside 'select' clause
+      // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:162: Flow call outside 'select' clause
+      // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:211: Flow call outside 'select' clause
+      none()
+    }
   }
 
   module SizeBarrierFlow = DataFlow::Global<SizeBarrierConfig>;
@@ -330,6 +338,12 @@ private module Config implements ProductFlow::StateConfigSig {
   predicate isBarrierOut2(DataFlow::Node node) {
     node = any(DataFlow::SsaPhiNode phi).getAnInput(true)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:377: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module AllocToInvalidPointerFlow = ProductFlow::GlobalWithState<Config>;
 
@@ -110,6 +110,12 @@ private module InvalidPointerToDerefBarrier {
     predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }
 
     int fieldFlowBranchLimit() { result = invalidPointerToDereferenceFieldFlowBranchLimit() }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/InvalidPointerToDereference.qll:129: Flow call outside 'select' clause
+      none()
+    }
   }
 
   private module BarrierFlow = DataFlow::Global<BarrierConfig>;
 
@@ -503,6 +503,12 @@ module BoostorgAsio {
         not sink.getLocation().getFile().toString().matches("%/boost/asio/%")
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:48: Flow call outside 'select' clause
+      none()
+    }
   }
 
   module SslOptionFlow = DataFlow::Global<SslOptionConfig>;
 
@@ -60,6 +60,12 @@ module UninitializedToScanfConfig implements ConfigSig {
   FlowFeature getAFeature() { result instanceof FeatureEqualSourceSinkCallContext }
 
   int accessPathLimit() { result = 0 }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // cpp/ql/src/Critical/MissingCheckScanf.ql:72: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module UninitializedToScanfFlow = Global<UninitializedToScanfConfig>;
@@ -111,6 +117,12 @@ module ScanfToUseConfig implements ConfigSig {
     // modified, and thus it's safe to later read the value.
     exists(n.asIndirectArgument())
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // cpp/ql/src/Critical/MissingCheckScanf.ql:127: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ScanfToUseFlow = Global<ScanfToUseConfig>;
 
@@ -82,6 +82,8 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
       nodeIsBarrierEqualityCandidate(node, access, checkedVar)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;
 
@@ -44,6 +44,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {
     ) and
     getFullyConvertedType(node) = state
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,12 @@ module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig {`
`127`	`127`	`c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"]`
`128`	`128`	`)`
`129`	`129`	`}`
	`130`	`+`
	`131`	`+ predicate observeDiffInformedIncrementalMode() {`
	`132`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`133`	`+ // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:141: Flow call outside 'select' clause`
	`134`	`+ none()`
	`135`	`+ }`
`130`	`136`	`}`
`131`	`137`
`132`	`138`	`module LiteralAlgorithmTracer = DataFlow::Global<LiteralAlgorithmTracerConfig>;`
`@@ -535,6 +541,12 @@ module KeyGeneration {`
`535`	`541`	`c.getArgument(sizeInd) = node.asExpr()`
`536`	`542`	`)`
`537`	`543`	`}`
	`544`	`+`
	`545`	`+ predicate observeDiffInformedIncrementalMode() {`
	`546`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`547`	`+ // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:557: Flow call outside 'select' clause`
	`548`	`+ none()`
	`549`	`+ }`
`538`	`550`	`}`
`539`	`551`
`540`	`552`	`module AsymExplicitAlgKeyLengthFlow = DataFlow::Global<AsymExplicitAlgKeyLengthFlowConfig>;`
`@@ -574,6 +586,12 @@ module KeyGeneration {`
`574`	`586`	`c.getArgument(3) = node.asExpr()`
`575`	`587`	`)`
`576`	`588`	`}`
	`589`	`+`
	`590`	`+ predicate observeDiffInformedIncrementalMode() {`
	`591`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`592`	`+ // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:598: Flow call outside 'select' clause`
	`593`	`+ none()`
	`594`	`+ }`
`577`	`595`	`}`
`578`	`596`
`579`	`597`	`module Length_to_RSA_EVP_PKEY_Q_keygen_Flow =`
`@@ -622,6 +640,12 @@ module KeyGeneration {`
`622`	`640`	`isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr()`
`623`	`641`	`)`
`624`	`642`	`}`
	`643`	`+`
	`644`	`+ predicate observeDiffInformedIncrementalMode() {`
	`645`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`646`	`+ // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:689: Flow call outside 'select' clause`
	`647`	`+ none()`
	`648`	`+ }`
`625`	`649`	`}`
`626`	`650`
`627`	`651`	`module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global<KeyGenKeySizeInitToKeyGenConfig>;`
`@@ -656,6 +680,12 @@ module KeyGeneration {`
`656`	`680`	`predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) }`
`657`	`681`
`658`	`682`	`predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) }`
	`683`	`+`
	`684`	`+ predicate observeDiffInformedIncrementalMode() {`
	`685`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`686`	`+ // cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll:706: Flow call outside 'select' clause`
	`687`	`+ none()`
	`688`	`+ }`
`659`	`689`	`}`
`660`	`690`
`661`	`691`	`module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow =`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ module PrivateCleartextWrite {`
`42`	`42`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`43`	`43`
`44`	`44`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`45`	`+`
	`46`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`45`	`47`	`}`
`46`	`48`
`47`	`49`	`module WriteFlow = TaintTracking::Global<WriteConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -756,6 +756,12 @@ private module FieldFlow {`
`756`	`756`	`or`
`757`	`757`	`node.asExpr().getParent() instanceof ThrowExpr`
`758`	`758`	`}`
	`759`	`+`
	`760`	`+ predicate observeDiffInformedIncrementalMode() {`
	`761`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`762`	`+ // cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll:764: Flow call outside 'select' clause`
	`763`	`+ none()`
	`764`	`+ }`
`759`	`765`	`}`
`760`	`766`
`761`	`767`	`private module Flow = DataFlow::Global<FieldConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -142,6 +142,14 @@ private module SizeBarrier {`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`predicate isSink(DataFlow::Node sink) { isSink(_, sink, _, _, _) }`
	`145`	`+`
	`146`	`+ predicate observeDiffInformedIncrementalMode() {`
	`147`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`148`	`+ // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:151: Flow call outside 'select' clause`
	`149`	`+ // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:162: Flow call outside 'select' clause`
	`150`	`+ // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:211: Flow call outside 'select' clause`
	`151`	`+ none()`
	`152`	`+ }`
`145`	`153`	`}`
`146`	`154`
`147`	`155`	`module SizeBarrierFlow = DataFlow::Global<SizeBarrierConfig>;`
`@@ -330,6 +338,12 @@ private module Config implements ProductFlow::StateConfigSig {`
`330`	`338`	`predicate isBarrierOut2(DataFlow::Node node) {`
`331`	`339`	`node = any(DataFlow::SsaPhiNode phi).getAnInput(true)`
`332`	`340`	`}`
	`341`	`+`
	`342`	`+ predicate observeDiffInformedIncrementalMode() {`
	`343`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`344`	`+ // cpp/ql/lib/semmle/code/cpp/security/InvalidPointerDereference/AllocationToInvalidPointer.qll:377: Flow call outside 'select' clause`
	`345`	`+ none()`
	`346`	`+ }`
`333`	`347`	`}`
`334`	`348`
`335`	`349`	`private module AllocToInvalidPointerFlow = ProductFlow::GlobalWithState<Config>;`
Original file line number	Diff line number	Diff line change
`@@ -503,6 +503,12 @@ module BoostorgAsio {`
`503`	`503`	`not sink.getLocation().getFile().toString().matches("%/boost/asio/%")`
`504`	`504`	`)`
`505`	`505`	`}`
	`506`	`+`
	`507`	`+ predicate observeDiffInformedIncrementalMode() {`
	`508`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`509`	`+ // cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql:48: Flow call outside 'select' clause`
	`510`	`+ none()`
	`511`	`+ }`
`506`	`512`	`}`
`507`	`513`
`508`	`514`	`module SslOptionFlow = DataFlow::Global<SslOptionConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,8 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {`
`82`	`82`	`nodeIsBarrierEqualityCandidate(node, access, checkedVar)`
`83`	`83`	`)`
`84`	`84`	`}`
	`85`	`+`
	`86`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`85`	`87`	`}`
`86`	`88`
`87`	`89`	`module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ module CastToPointerArithFlowConfig implements DataFlow::StateConfigSig {`
`44`	`44`	`) and`
`45`	`45`	`getFullyConvertedType(node) = state`
`46`	`46`	`}`
	`47`	`+`
	`48`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`47`	`49`	`}`
`48`	`50`
`49`	`51`	`/**`