Ruby: mass enable diff-informed data flow

asgerf · asgerf · commit 4dc632f742c1 · 2025-01-17T13:21:52.000+01:00
diff --git a/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll b/ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll
@@ -158,6 +158,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
     ) and
     state = PostValidationState()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll b/ruby/ql/lib/codeql/ruby/experimental/ZipSlipQuery.qll
@@ -29,6 +29,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof ZipSlip::Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll
@@ -118,6 +118,12 @@ private module ExconDisablesCertificateValidationConfig implements DataFlow::Con
   predicate isSink(DataFlow::Node sink) {
     sink = any(ExconHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/Excon.qll:74: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module ExconDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll
@@ -99,6 +99,12 @@ private module FaradayDisablesCertificateValidationConfig implements DataFlow::S
   predicate isSink(DataFlow::Node sink, FlowState state) {
     sink = any(FaradayHttpRequest req).getCertificateValidationControllingValue(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/Faraday.qll:80: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module FaradayDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/HttpClient.qll
@@ -80,6 +80,12 @@ private module HttpClientDisablesCertificateValidationConfig implements DataFlow
   predicate isSink(DataFlow::Node sink) {
     sink = any(HttpClientRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/HttpClient.qll:67: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module HttpClientDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Httparty.qll
@@ -70,6 +70,12 @@ private module HttpartyDisablesCertificateValidationConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     sink = any(HttpartyRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/Httparty.qll:59: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module HttpartyDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
@@ -103,6 +103,12 @@ private module NetHttpDisablesCertificateValidationConfig implements DataFlow::C
   predicate isSink(DataFlow::Node sink) {
     sink = any(NetHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/NetHttp.qll:90: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module NetHttpDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/OpenURI.qll
@@ -110,6 +110,13 @@ private module OpenUriDisablesCertificateValidationConfig implements DataFlow::C
     or
     sink = any(OpenUriKernelOpenRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:48: Flow call outside 'select' clause
+    // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:95: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module OpenUriDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/RestClient.qll
@@ -73,6 +73,12 @@ private module RestClientDisablesCertificateValidationConfig implements DataFlow
   predicate isSink(DataFlow::Node sink) {
     sink = any(RestClientHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/RestClient.qll:60: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module RestClientDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll
@@ -64,6 +64,12 @@ private module TyphoeusDisablesCertificateValidationConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     sink = any(TyphoeusHttpRequest req).getCertificateValidationControllingValue()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll:53: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module TyphoeusDisablesCertificateValidationFlow =
diff --git a/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll b/ruby/ql/lib/codeql/ruby/frameworks/stdlib/Pathname.qll
@@ -52,6 +52,12 @@ module Pathname {
             ]
         )
     }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // lib/codeql/ruby/frameworks/stdlib/Pathname.qll:30: Flow call outside 'select' clause
+      none()
+    }
   }
 
   private module PathnameFlow = DataFlow::Global<PathnameConfig>;
diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextLoggingQuery.qll
@@ -27,6 +27,8 @@ private module Config implements DataFlow::ConfigSig {
     cs.isAny() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll b/ruby/ql/lib/codeql/ruby/security/CleartextStorageQuery.qll
@@ -26,6 +26,8 @@ private module Config implements DataFlow::ConfigSig {
     cs.isAny() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll
@@ -31,6 +31,8 @@ private module Config implements DataFlow::StateConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { node instanceof Source }
 
   int fieldFlowBranchLimit() { result = 10 }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/CommandInjectionQuery.qll
@@ -23,6 +23,8 @@ private module Config implements DataFlow::ConfigSig {
     node instanceof StringConstCompareBarrier or
     node instanceof StringConstArrayInclusionCallBarrier
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll b/ruby/ql/lib/codeql/ruby/security/ConditionalBypassQuery.qll
@@ -17,6 +17,12 @@ private module Config implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // src/experimental/cwe-807/ConditionalBypass.ql:78: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll b/ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll
@@ -33,6 +33,8 @@ private module Config implements DataFlow::StateConfigSig {
     ) and
     stateTo = FlowState::Taint()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessQuery.qll
@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll b/ruby/ql/lib/codeql/ruby/security/ImproperLdapAuthQuery.qll
@@ -13,6 +13,8 @@ private module ImproperLdapAuthConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll
@@ -20,6 +20,8 @@ private module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, FlowState label) { sink.(Sink).getAFlowLabel() = label }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll b/ruby/ql/lib/codeql/ruby/security/InsecureRandomnessQuery.qll
@@ -13,6 +13,8 @@ private module InsecureRandomnessConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll b/ruby/ql/lib/codeql/ruby/security/KernelOpenQuery.qll
@@ -85,6 +85,8 @@ private module KernelOpenConfig implements DataFlow::ConfigSig {
     node instanceof StringConstArrayInclusionCallBarrier or
     node instanceof Sanitizer
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LdapInjectionQuery.qll
@@ -26,6 +26,8 @@ private module LdapInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     LI::isAdditionalFlowStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/LogInjectionQuery.qll
@@ -73,6 +73,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll b/ruby/ql/lib/codeql/ruby/security/MassAssignmentQuery.qll
@@ -59,6 +59,8 @@ private module Config implements DataFlow::StateConfigSig {
       state2 instanceof FlowState::Permitted
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Taint tracking for reasoning about user input used for mass assignment. */
diff --git a/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/PathInjectionQuery.qll
@@ -20,6 +20,8 @@ private module PathInjectionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/ReflectedXSSQuery.qll
@@ -22,6 +22,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     RX::isAdditionalXssTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryQuery.qll
@@ -16,6 +16,12 @@ private module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof Source }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // src/queries/security/cwe-598/SensitiveGetQuery.ql:21: Column 3 does not select a source or sink originating from the flow call on line 20
+    none()
+  }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll b/ruby/ql/lib/codeql/ruby/security/ServerSideRequestForgeryQuery.qll
@@ -22,6 +22,8 @@ private module ServerSideRequestForgeryConfig implements DataFlow::ConfigSig {
     node instanceof StringConstCompareBarrier or
     node instanceof StringConstArrayInclusionCallBarrier
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionQuery.qll
@@ -13,6 +13,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll b/ruby/ql/lib/codeql/ruby/security/StackTraceExposureQuery.qll
@@ -17,6 +17,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll b/ruby/ql/lib/codeql/ruby/security/StoredXSSQuery.qll
@@ -32,6 +32,8 @@ private module StoredXssConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalXssTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll b/ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll
@@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/TemplateInjectionQuery.qll
@@ -13,6 +13,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionQuery.qll
@@ -24,6 +24,8 @@ private module UnsafeCodeConstructionConfig implements DataFlow::ConfigSig {
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationQuery.qll
@@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserialization::Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof UnsafeDeserialization::Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeHtmlConstructionQuery.qll
@@ -21,6 +21,8 @@ private module UnsafeHtmlConstructionConfig implements DataFlow::ConfigSig {
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll b/ruby/ql/lib/codeql/ruby/security/UnsafeShellCommandConstructionQuery.qll
@@ -26,6 +26,8 @@ private module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigS
 
   // override to require the path doesn't have unmatched return steps
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll b/ruby/ql/lib/codeql/ruby/security/UrlRedirectQuery.qll
@@ -22,6 +22,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     UrlRedirect::isAdditionalTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll b/ruby/ql/lib/codeql/ruby/security/WeakSensitiveDataHashingQuery.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/XpathInjectionQuery.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/MissingFullAnchorQuery.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/PolynomialReDoSQuery.qll
diff --git a/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll b/ruby/ql/lib/codeql/ruby/security/regexp/RegExpInjectionQuery.qll
diff --git a/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql b/ruby/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
diff --git a/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql b/ruby/ql/src/experimental/decompression-api/DecompressionApi.ql
diff --git a/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql b/ruby/ql/src/experimental/manually-check-http-verb/ManuallyCheckHttpVerb.ql
diff --git a/ruby/ql/src/experimental/weak-params/WeakParams.ql b/ruby/ql/src/experimental/weak-params/WeakParams.ql
diff --git a/ruby/ql/src/queries/meta/TaintedNodes.ql b/ruby/ql/src/queries/meta/TaintedNodes.ql
diff --git a/ruby/ql/src/queries/security/cwe-611/Xxe.ql b/ruby/ql/src/queries/security/cwe-611/Xxe.ql
diff --git a/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql b/ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
diff --git a/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql b/ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql

Original file line number	Diff line number	Diff line change
`@@ -158,6 +158,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig`
`158`	`158`	`) and`
`159`	`159`	`state = PostValidationState()`
`160`	`160`	`}`
	`161`	`+`
	`162`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`161`	`163`	`}`
`162`	`164`
`163`	`165`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`predicate isBarrier(DataFlow::Node node) { node instanceof ZipSlip::Sanitizer }`
	`32`	`+`
	`33`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`32`	`34`	`}`
`33`	`35`
`34`	`36`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,12 @@ private module ExconDisablesCertificateValidationConfig implements DataFlow::Con`
`118`	`118`	`predicate isSink(DataFlow::Node sink) {`
`119`	`119`	`sink = any(ExconHttpRequest req).getCertificateValidationControllingValue()`
`120`	`120`	`}`
	`121`	`+`
	`122`	`+ predicate observeDiffInformedIncrementalMode() {`
	`123`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`124`	`+ // lib/codeql/ruby/frameworks/http_clients/Excon.qll:74: Flow call outside 'select' clause`
	`125`	`+ none()`
	`126`	`+ }`
`121`	`127`	`}`
`122`	`128`
`123`	`129`	`private module ExconDisablesCertificateValidationFlow =`
Original file line number	Diff line number	Diff line change
`@@ -99,6 +99,12 @@ private module FaradayDisablesCertificateValidationConfig implements DataFlow::S`
`99`	`99`	`predicate isSink(DataFlow::Node sink, FlowState state) {`
`100`	`100`	`sink = any(FaradayHttpRequest req).getCertificateValidationControllingValue(state)`
`101`	`101`	`}`
	`102`	`+`
	`103`	`+ predicate observeDiffInformedIncrementalMode() {`
	`104`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`105`	`+ // lib/codeql/ruby/frameworks/http_clients/Faraday.qll:80: Flow call outside 'select' clause`
	`106`	`+ none()`
	`107`	`+ }`
`102`	`108`	`}`
`103`	`109`
`104`	`110`	`private module FaradayDisablesCertificateValidationFlow =`
Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,12 @@ private module HttpClientDisablesCertificateValidationConfig implements DataFlow`
`80`	`80`	`predicate isSink(DataFlow::Node sink) {`
`81`	`81`	`sink = any(HttpClientRequest req).getCertificateValidationControllingValue()`
`82`	`82`	`}`
	`83`	`+`
	`84`	`+ predicate observeDiffInformedIncrementalMode() {`
	`85`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`86`	`+ // lib/codeql/ruby/frameworks/http_clients/HttpClient.qll:67: Flow call outside 'select' clause`
	`87`	`+ none()`
	`88`	`+ }`
`83`	`89`	`}`
`84`	`90`
`85`	`91`	`private module HttpClientDisablesCertificateValidationFlow =`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,12 @@ private module HttpartyDisablesCertificateValidationConfig implements DataFlow::`
`70`	`70`	`predicate isSink(DataFlow::Node sink) {`
`71`	`71`	`sink = any(HttpartyRequest req).getCertificateValidationControllingValue()`
`72`	`72`	`}`
	`73`	`+`
	`74`	`+ predicate observeDiffInformedIncrementalMode() {`
	`75`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`76`	`+ // lib/codeql/ruby/frameworks/http_clients/Httparty.qll:59: Flow call outside 'select' clause`
	`77`	`+ none()`
	`78`	`+ }`
`73`	`79`	`}`
`74`	`80`
`75`	`81`	`private module HttpartyDisablesCertificateValidationFlow =`
Original file line number	Diff line number	Diff line change
`@@ -103,6 +103,12 @@ private module NetHttpDisablesCertificateValidationConfig implements DataFlow::C`
`103`	`103`	`predicate isSink(DataFlow::Node sink) {`
`104`	`104`	`sink = any(NetHttpRequest req).getCertificateValidationControllingValue()`
`105`	`105`	`}`
	`106`	`+`
	`107`	`+ predicate observeDiffInformedIncrementalMode() {`
	`108`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`109`	`+ // lib/codeql/ruby/frameworks/http_clients/NetHttp.qll:90: Flow call outside 'select' clause`
	`110`	`+ none()`
	`111`	`+ }`
`106`	`112`	`}`
`107`	`113`
`108`	`114`	`private module NetHttpDisablesCertificateValidationFlow =`
Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,13 @@ private module OpenUriDisablesCertificateValidationConfig implements DataFlow::C`
`110`	`110`	`or`
`111`	`111`	`sink = any(OpenUriKernelOpenRequest req).getCertificateValidationControllingValue()`
`112`	`112`	`}`
	`113`	`+`
	`114`	`+ predicate observeDiffInformedIncrementalMode() {`
	`115`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`116`	`+ // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:48: Flow call outside 'select' clause`
	`117`	`+ // lib/codeql/ruby/frameworks/http_clients/OpenURI.qll:95: Flow call outside 'select' clause`
	`118`	`+ none()`
	`119`	`+ }`
`113`	`120`	`}`
`114`	`121`
`115`	`122`	`private module OpenUriDisablesCertificateValidationFlow =`
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,12 @@ private module RestClientDisablesCertificateValidationConfig implements DataFlow`
`73`	`73`	`predicate isSink(DataFlow::Node sink) {`
`74`	`74`	`sink = any(RestClientHttpRequest req).getCertificateValidationControllingValue()`
`75`	`75`	`}`
	`76`	`+`
	`77`	`+ predicate observeDiffInformedIncrementalMode() {`
	`78`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`79`	`+ // lib/codeql/ruby/frameworks/http_clients/RestClient.qll:60: Flow call outside 'select' clause`
	`80`	`+ none()`
	`81`	`+ }`
`76`	`82`	`}`
`77`	`83`
`78`	`84`	`private module RestClientDisablesCertificateValidationFlow =`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,12 @@ private module TyphoeusDisablesCertificateValidationConfig implements DataFlow::`
`64`	`64`	`predicate isSink(DataFlow::Node sink) {`
`65`	`65`	`sink = any(TyphoeusHttpRequest req).getCertificateValidationControllingValue()`
`66`	`66`	`}`
	`67`	`+`
	`68`	`+ predicate observeDiffInformedIncrementalMode() {`
	`69`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`70`	`+ // lib/codeql/ruby/frameworks/http_clients/Typhoeus.qll:53: Flow call outside 'select' clause`
	`71`	`+ none()`
	`72`	`+ }`
`67`	`73`	`}`
`68`	`74`
`69`	`75`	`private module TyphoeusDisablesCertificateValidationFlow =`