C#: patch-generated stubs

Author: d10c

csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll

@@ -39,6 +39,10 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 selects sink.getSensitiveMethodCall (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql@23:3:23:48)
+  }
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll

@@ -78,6 +78,10 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll@88:36:88:75), Flow call outside 'select' clause (/Users/d10c/src/semmle-code/ql/csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll@91:43:91:87)
+  }
 }
 
 /** A module for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */

csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll

@@ -59,6 +59,18 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 33 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
 }
 
 /**
@@ -77,6 +89,18 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 55 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 55 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 55 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 55 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 55 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 55 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
 }
 
 /**
@@ -133,6 +157,18 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 56 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 56 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 56 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 56 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 56 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 56 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
 }
 
 /**
@@ -149,6 +185,18 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
   predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 50 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 50 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 50 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 50 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 50 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 50 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
 }
 
 /**
@@ -186,6 +234,18 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
       oc.getObjectType() instanceof StrongTypeDeserializer
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 43 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 43 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 43 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 43 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 43 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 43 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
 }
 
 /**
@@ -210,6 +270,18 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
       sink.asExpr() = mc.getQualifier()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 37 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 37 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 37 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 37 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 37 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@59:8:59:25), Column 5 does not select a source or sink originating from the flow call on line 37 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql@60:3:60:11)
+  }
 }
 
 /**

csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql

@@ -24,6 +24,8 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module NotThreadSafeCryptoUsageIntoParallelInvoke =

csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql

@@ -38,6 +38,10 @@ module ConnectionStringConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // TODO: Make sure that the location overrides match the query's select clause: Column 5 does not select a source or sink originating from the flow call on line 49 (/Users/d10c/src/semmle-code/ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql@52:3:52:73)
+  }
 }
 
 /**