Go: patch-generated stubs

d10c · d10c · commit 7d6beb3d5278 · 2025-07-04T11:48:22.000+02:00
diff --git a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -56,6 +56,10 @@ module AllocationSizeOverflow {
         succ = c
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql@25:80:25:86)
+    }
   }
 
   /** Tracks taint flow to find allocation-size overflows. */
diff --git a/go/ql/lib/semmle/go/security/CommandInjection.qll b/go/ql/lib/semmle/go/security/CommandInjection.qll
@@ -24,6 +24,18 @@ module CommandInjection {
     }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:8:28:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:71:28:86)
+    }
+
+    Location getASelectedSourceLocation(DataFlow::Node source) {
+      none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:8:28:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:71:28:86)
+    }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:8:28:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:71:28:86)
+    }
   }
 
   /**
@@ -80,6 +92,18 @@ module CommandInjection {
       node instanceof Sanitizer or
       node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:8:28:21), Column 5 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:71:28:86)
+    }
+
+    Location getASelectedSourceLocation(DataFlow::Node source) {
+      none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:8:28:21), Column 5 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:71:28:86)
+    }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:8:28:21), Column 5 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-078/CommandInjection.ql@28:71:28:86)
+    }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/ExternalAPIs.qll b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -186,6 +186,10 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/go/ql/lib/semmle/go/security/ExternalAPIs.qll@212:36:212:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/go/ql/lib/semmle/go/security/ExternalAPIs.qll@215:43:215:92)
+  }
 }
 
 /**
diff --git a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
@@ -30,6 +30,18 @@ module HardcodedCredentials {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 62 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql@65:8:65:11), Column 3 does not select a source or sink originating from the flow call on line 62 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql@65:23:65:28)
+    }
+
+    Location getASelectedSourceLocation(DataFlow::Node source) {
+      none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 62 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql@65:8:65:11), Column 3 does not select a source or sink originating from the flow call on line 62 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql@65:23:65:28)
+    }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 62 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql@65:8:65:11), Column 3 does not select a source or sink originating from the flow call on line 62 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-798/HardcodedCredentials.ql@65:23:65:28)
+    }
   }
 
   /** Tracks taint flow for reasoning about hardcoded credentials. */
diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -440,6 +440,10 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
     state2 = node2.(FlowStateTransformer).transform(state1) and
     DataFlow::simpleLocalFlowStep(node1, node2, _)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getASuccessor (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql@26:8:26:20)
+  }
 }
 
 /**
diff --git a/go/ql/lib/semmle/go/security/InsecureRandomness.qll b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
@@ -39,6 +39,18 @@ module InsecureRandomness {
         n2.getType() instanceof IntegerType
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@33:8:33:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@34:75:34:90)
+    }
+
+    Location getASelectedSourceLocation(DataFlow::Node source) {
+      none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@33:8:33:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@34:75:34:90)
+    }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@33:8:33:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@34:75:34:90)
+    }
   }
 
   /**
diff --git a/go/ql/lib/semmle/go/security/ReflectedXss.qll b/go/ql/lib/semmle/go/security/ReflectedXss.qll
@@ -22,6 +22,10 @@ module ReflectedXss {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 selects sink.getAssociatedLoc (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-079/ReflectedXss.ql@36:84:36:90)
+    }
   }
 
   /** Tracks taint flow from untrusted data to XSS attack vectors. */
diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -31,6 +31,10 @@ module RequestForgery {
         w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getARequest (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@25:8:25:14)
+    }
   }
 
   /** Tracks taint flow from untrusted data to request forgery attack vectors. */
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -36,6 +36,14 @@ module SafeUrlFlow {
       or
       node instanceof SanitizerEdge
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getARequest (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@25:8:25:14), Column 5 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql@26:3:26:18), Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@26:52:26:57)
+    }
+
+    Location getASelectedSourceLocation(DataFlow::Node source) {
+      none() // TODO: Make sure that this source location matches the query's select clause: Column 1 selects sink.getARequest (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@25:8:25:14), Column 5 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql@26:3:26:18), Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@26:52:26:57)
+    }
   }
 
   /** Tracks taint flow for reasoning about safe URLs. */
diff --git a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -128,6 +128,10 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 147 (/Users/d10c/src/semmle-code/ql/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql@153:3:153:10)
+  }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -68,6 +68,10 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql@90:7:90:34), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql@96:9:96:41)
+  }
 }
 
 /**
diff --git a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
@@ -123,6 +123,18 @@ module Config implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 175 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-601/BadRedirectCheck.ql@176:8:176:12)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 175 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-601/BadRedirectCheck.ql@176:8:176:12)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 175 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-601/BadRedirectCheck.ql@176:8:176:12)
+  }
 }
 
 module Flow = TaintTracking::Global<Config>;
diff --git a/go/ql/src/experimental/CWE-1004/AuthCookie.qll b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -116,6 +116,18 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 97 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql@99:8:99:21)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 97 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql@99:8:99:21)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 97 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-1004/CookieWithoutHttpOnly.ql@99:8:99:21)
+  }
 }
 
 /**
diff --git a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
@@ -59,6 +59,18 @@ private module Config implements DataFlow::ConfigSig {
       not c.isPotentialFalsePositive()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql@33:8:33:11)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql@33:8:33:11)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.ql@33:8:33:11)
+  }
 }
 
 /**
diff --git a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
@@ -22,6 +22,14 @@ module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr())
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@38:8:38:8), Column 1 does not select a source or sink originating from the flow call on line 36 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@38:8:38:8), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@38:91:38:99), Column 5 does not select a source or sink originating from the flow call on line 36 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@39:28:39:36)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@38:8:38:8), Column 1 does not select a source or sink originating from the flow call on line 36 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@38:8:38:8), Column 3 does not select a source or sink originating from the flow call on line 34 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@38:91:38:99), Column 5 does not select a source or sink originating from the flow call on line 36 (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-840/ConditionalBypass.ql@39:28:39:36)
+  }
 }
 
 /** Tracks taint flow for reasoning about conditional bypass. */
diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -30,6 +30,10 @@ module ServerSideRequestForgery {
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
 
     predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
+
+    predicate observeDiffInformedIncrementalMode() {
+      any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getARequest (/Users/d10c/src/semmle-code/ql/go/ql/src/experimental/CWE-918/SSRF.ql@23:8:23:14)
+    }
   }
 
   /** Tracks taint flow for reasoning about request forgery vulnerabilities. */

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,10 @@ module AllocationSizeOverflow {`
`56`	`56`	`succ = c`
`57`	`57`	`)`
`58`	`58`	`}`
	`59`	`+`
	`60`	`+ predicate observeDiffInformedIncrementalMode() {`
	`61`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 22 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-190/AllocationSizeOverflow.ql@25:80:25:86)`
	`62`	`+ }`
`59`	`63`	`}`
`60`	`64`
`61`	`65`	`/** Tracks taint flow to find allocation-size overflows. */`
Original file line number	Diff line number	Diff line change
`@@ -186,6 +186,10 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {`
`186`	`186`	`predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }`
`187`	`187`
`188`	`188`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }`
	`189`	`+`
	`190`	`+ predicate observeDiffInformedIncrementalMode() {`
	`191`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/go/ql/lib/semmle/go/security/ExternalAPIs.qll@212:36:212:80), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/go/ql/lib/semmle/go/security/ExternalAPIs.qll@215:43:215:92)`
	`192`	`+ }`
`189`	`193`	`}`
`190`	`194`
`191`	`195`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -440,6 +440,10 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf`
`440`	`440`	`state2 = node2.(FlowStateTransformer).transform(state1) and`
`441`	`441`	`DataFlow::simpleLocalFlowStep(node1, node2, _)`
`442`	`442`	`}`
	`443`	`+`
	`444`	`+ predicate observeDiffInformedIncrementalMode() {`
	`445`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getASuccessor (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql@26:8:26:20)`
	`446`	`+ }`
`443`	`447`	`}`
`444`	`448`
`445`	`449`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,18 @@ module InsecureRandomness {`
`39`	`39`	`n2.getType() instanceof IntegerType`
`40`	`40`	`)`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() {`
	`44`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@33:8:33:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@34:75:34:90)`
	`45`	`+ }`
	`46`	`+`
	`47`	`+ Location getASelectedSourceLocation(DataFlow::Node source) {`
	`48`	`+ none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@33:8:33:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@34:75:34:90)`
	`49`	`+ }`
	`50`	`+`
	`51`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`52`	`+ none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@33:8:33:21), Column 5 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-338/InsecureRandomness.ql@34:75:34:90)`
	`53`	`+ }`
`42`	`54`	`}`
`43`	`55`
`44`	`56`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,10 @@ module ReflectedXss {`
`22`	`22`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`23`	`23`
`24`	`24`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`25`	`+`
	`26`	`+ predicate observeDiffInformedIncrementalMode() {`
	`27`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 7 selects sink.getAssociatedLoc (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-079/ReflectedXss.ql@36:84:36:90)`
	`28`	`+ }`
`25`	`29`	`}`
`26`	`30`
`27`	`31`	`/** Tracks taint flow from untrusted data to XSS attack vectors. */`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,10 @@ module RequestForgery {`
`31`	`31`	`w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()`
`32`	`32`	`)`
`33`	`33`	`}`
	`34`	`+`
	`35`	`+ predicate observeDiffInformedIncrementalMode() {`
	`36`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getARequest (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@25:8:25:14)`
	`37`	`+ }`
`34`	`38`	`}`
`35`	`39`
`36`	`40`	`/** Tracks taint flow from untrusted data to request forgery attack vectors. */`
Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,14 @@ module SafeUrlFlow {`
`36`	`36`	`or`
`37`	`37`	`node instanceof SanitizerEdge`
`38`	`38`	`}`
	`39`	`+`
	`40`	`+ predicate observeDiffInformedIncrementalMode() {`
	`41`	+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 selects sink.getARequest (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@25:8:25:14), Column 5 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql@26:3:26:18), Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@26:52:26:57)
	`42`	`+ }`
	`43`	`+`
	`44`	`+ Location getASelectedSourceLocation(DataFlow::Node source) {`
	`45`	+ none() // TODO: Make sure that this source location matches the query's select clause: Column 1 selects sink.getARequest (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@25:8:25:14), Column 5 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-601/OpenUrlRedirect.ql@26:3:26:18), Column 7 does not select a source or sink originating from the flow call on line 24 (/Users/d10c/src/semmle-code/ql/go/ql/src/Security/CWE-918/RequestForgery.ql@26:52:26:57)
	`46`	`+ }`
`39`	`47`	`}`
`40`	`48`
`41`	`49`	`/** Tracks taint flow for reasoning about safe URLs. */`
Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,10 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {`
`128`	`128`	`predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }`
`129`	`129`
`130`	`130`	`predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }`
	`131`	`+`
	`132`	`+ predicate observeDiffInformedIncrementalMode() {`
	`133`	`+ any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 147 (/Users/d10c/src/semmle-code/ql/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql@153:3:153:10)`
	`134`	`+ }`
`131`	`135`	`}`
`132`	`136`
`133`	`137`	`/**`