Java: patch-generated stubs

d10c · d10c · commit 6c32f2689ca6 · 2025-07-04T11:48:25.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
@@ -149,6 +149,8 @@ module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
   predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
     isSink(node) and exists(c)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -13,6 +13,18 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+  }
 }
 
 /**
@@ -29,6 +41,18 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -19,6 +19,18 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
 
   predicate isBarrier(DataFlow::Node n) { overflowBarrier(n) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 29 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@36:8:36:10), Column 5 does not select a source or sink originating from the flow call on line 29 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@38:3:38:18)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 29 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@36:8:36:10), Column 5 does not select a source or sink originating from the flow call on line 29 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@38:3:38:18)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 29 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@36:8:36:10), Column 5 does not select a source or sink originating from the flow call on line 29 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@38:3:38:18)
+  }
 }
 
 /** Taint-tracking flow to reason about overflow from arithmetic with uncontrolled values. */
@@ -32,6 +44,18 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
 
   predicate isBarrier(DataFlow::Node n) { underflowBarrier(n) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@36:8:36:10), Column 5 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@38:3:38:18)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@36:8:36:10), Column 5 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@38:3:38:18)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@36:8:36:10), Column 5 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql@38:3:38:18)
+  }
 }
 
 /** Taint-tracking flow to reason about underflow from arithmetic with uncontrolled values. */
diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -47,6 +47,10 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     endsWithStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql@26:8:26:8)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll
@@ -101,6 +101,10 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@113:36:113:79), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@116:43:116:92)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
@@ -24,7 +24,9 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
     node.getType() instanceof NumericType or node.getType() instanceof BooleanType
   }
 
-  predicate observeDiffInformedIncrementalMode() { any() }
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql@24:8:24:37)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -17,6 +17,10 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@28:8:28:33), Column 5 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@29:85:29:97)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -14,6 +14,10 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
   predicate isSink(DataFlow::Node sink) {
     any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@26:8:26:33), Column 5 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@27:87:27:99)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll
@@ -14,6 +14,10 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql@48:8:48:33)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
@@ -18,6 +18,10 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql@24:8:24:33)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/InsecureCookieQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureCookieQuery.qll
@@ -35,6 +35,18 @@ module SecureCookieConfig implements DataFlow::ConfigSig {
     sink.asExpr() =
       any(MethodCall add | add.getMethod() instanceof ResponseAddCookieMethod).getArgument(0)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql@22:8:22:10)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql@22:8:22:10)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql@22:8:22:10)
+  }
 }
 
 /** Data flow to reason about the failure to use secure cookies. */
diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -40,6 +40,14 @@ private module BasicAuthConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql@23:79:23:94)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 21 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql@23:79:23:94)
+  }
 }
 
 module BasicAuthFlow = DataFlow::Global<BasicAuthConfig>;
@@ -56,6 +64,14 @@ private module RequiresSslConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureLdapUrlSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql@23:79:23:94)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql@23:79:23:94)
+  }
 }
 
 module RequiresSslFlow = DataFlow::Global<RequiresSslConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll
@@ -19,6 +19,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/MaybeBrokenCryptoAlgorithmQuery.qll
@@ -77,6 +77,10 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
     objectToString(n.asExpr()) or
     n.getType().getErasure() instanceof TypeObject
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql@25:8:25:8)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
@@ -53,6 +53,8 @@ module SensitiveLoggerConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module SensitiveLoggerFlow = TaintTracking::Global<SensitiveLoggerConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
@@ -24,6 +24,18 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:8:31:12), Column 3 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:80:31:91)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:8:31:12), Column 3 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:80:31:91)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:8:31:12), Column 3 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:80:31:91)
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -24,8 +24,6 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in SQL queries. */
diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
@@ -38,6 +38,10 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
       ProcessBuilderEnvironmentFlow::flowToExpr(mm.getQualifier())
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
diff --git a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql

Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,8 @@ module SensitiveCommunicationConfig implements DataFlow::ConfigSig {`
`149`	`149`	`predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
`150`	`150`	`isSink(node) and exists(c)`
`151`	`151`	`}`
	`152`	`+`
	`153`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`152`	`154`	`}`
`153`	`155`
`154`	`156`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,10 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {`
`47`	`47`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`48`	`48`	`endsWithStep(node1, node2)`
`49`	`49`	`}`
	`50`	`+`
	`51`	`+ predicate observeDiffInformedIncrementalMode() {`
	`52`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql@26:8:26:8)`
	`53`	`+ }`
`50`	`54`	`}`
`51`	`55`
`52`	`56`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,10 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {`
`101`	`101`	`predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }`
`102`	`102`
`103`	`103`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
	`104`	`+`
	`105`	`+ predicate observeDiffInformedIncrementalMode() {`
	`106`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@113:36:113:79), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll@116:43:116:92)`
	`107`	`+ }`
`104`	`108`	`}`
`105`	`109`
`106`	`110`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,9 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {`
`24`	`24`	`node.getType() instanceof NumericType or node.getType() instanceof BooleanType`
`25`	`25`	`}`
`26`	`26`
`27`		`- predicate observeDiffInformedIncrementalMode() { any() }`
	`27`	`+ predicate observeDiffInformedIncrementalMode() {`
	`28`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql@24:8:24:37)`
	`29`	`+ }`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,10 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {`
`17`	`17`	`predicate isSink(DataFlow::Node sink) {`
`18`	`18`	`any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)`
`19`	`19`	`}`
	`20`	`+`
	`21`	`+ predicate observeDiffInformedIncrementalMode() {`
	`22`	+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@28:8:28:33), Column 5 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@29:85:29:97)
	`23`	`+ }`
`20`	`24`	`}`
`21`	`25`
`22`	`26`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,10 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi`
`14`	`14`	`predicate isSink(DataFlow::Node sink) {`
`15`	`15`	`any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)`
`16`	`16`	`}`
	`17`	`+`
	`18`	`+ predicate observeDiffInformedIncrementalMode() {`
	`19`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@26:8:26:33), Column 5 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@27:87:27:99)`
	`20`	`+ }`
`17`	`21`	`}`
`18`	`22`
`19`	`23`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,10 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {`
`14`	`14`	`predicate isSink(DataFlow::Node sink) {`
`15`	`15`	`exists(CheckableArrayAccess arrayAccess \| arrayAccess.canThrowOutOfBounds(sink.asExpr()))`
`16`	`16`	`}`
	`17`	`+`
	`18`	`+ predicate observeDiffInformedIncrementalMode() {`
	`19`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql@48:8:48:33)`
	`20`	`+ }`
`17`	`21`	`}`
`18`	`22`
`19`	`23`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,10 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {`
`18`	`18`	`predicate isBarrier(DataFlow::Node node) { node.getType() instanceof BooleanType }`
`19`	`19`
`20`	`20`	`predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
	`21`	`+`
	`22`	`+ predicate observeDiffInformedIncrementalMode() {`
	`23`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql@24:8:24:33)`
	`24`	`+ }`
`21`	`25`	`}`
`22`	`26`
`23`	`27`	`/**`