From b3b139bb0285fd2896936a5778ca510d2befb57f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?=
Date: Wed, 16 Jul 2025 15:50:02 +0200
Subject: [PATCH] [DIFF-INFORMED] Java: SqlConcatenated

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql#L27
---
 .../semmle/code/java/security/SqlConcatenatedQuery.qll | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
index fe6e31900e1..7cfea41a8d7 100644
--- a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
@@ -24,6 +24,15 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    exists(Expr uncontrolled, StringBuilderVar sbv | result = uncontrolled.getLocation() |
+      uncontrolledStringBuilderQuery(sbv, uncontrolled) and
+      source = DataFlow::exprNode(sbv.getToStringCall())
+    )
+  }
 }
 
 /**
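Review bot: `getASelectedSourceLocation` carries no comment explaining why it returns the location of `uncontrolled` rather than that of the flow source itself (the `sbv.getToStringCall()` node), yet that mapping is what diff-informed filtering relies on once `observeDiffInformedIncrementalMode` holds. If the locations returned here stop matching what the query selects, incremental runs could silently drop SQL-concatenation alerts whose reported expression lies in the changed lines while the `toString()` call does not. I would add a QLDoc above the predicate, for example `/** Gets the location of an expression related to the builder of source by uncontrolledStringBuilderQuery; the query reports that expression, not source itself. */`. The commit message points at the select clause (SqlConcatenated.ql#L27), which is not visible here, so the wording should be confirmed against it. The module body starts outside this hunk.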