Merge branch 'main' of https://github.com/5idg5/codeql into java/data-extensions-change

2026-04-23 07:45:17 +02:00 · 2025-08-15 15:50:12 -04:00
parent a8889ff056 bb9daa00c3
commit e697e89171
35 changed files with 334 additions and 63 deletions
--- a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -1,6 +1,7 @@
 private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
+private import codeql.actions.security.ControlChecks
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow

@@ -65,6 +66,16 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
  override string getCommand() { result = "unknown" }
 }

+/**
+ * Gets the event that is relevant for the given node in the context of argument injection.
+ *
+ * This is used to highlight the event in the query results when an alert is raised.
+ */
+Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
+  inPrivilegedContext(node.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(node.asExpr(), result, "argument-injection"))
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate a code script.
@@ -88,6 +99,16 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
      run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantEventInPrivilegedContext(sink).getLocation()
+  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -4,6 +4,7 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.ControlChecks

 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }

@@ -292,6 +293,16 @@ class ArtifactPoisoningSink extends DataFlow::Node {
  string getPath() { result = download.getPath() }
 }

+/**
+ * Gets the event that is relevant for the given node in the context of artifact poisoning.
+ *
+ * This is used to highlight the event in the query results when an alert is raised.
+ */
+Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
+  inPrivilegedContext(node.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(node.asExpr(), result, "artifact-poisoning"))
+}
+
 /**
 * A taint-tracking configuration for unsafe artifacts
 * that is used may lead to artifact poisoning
@@ -318,6 +329,16 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantEventInPrivilegedContext(sink).getLocation()
+  }
 }

 /** Tracks flow of unsafe artifacts that is used in an insecure way. */
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -3,6 +3,8 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks
+import codeql.actions.security.CachePoisoningQuery

 class CodeInjectionSink extends DataFlow::Node {
  CodeInjectionSink() {
@@ -11,6 +13,46 @@ class CodeInjectionSink extends DataFlow::Node {
  }
 }

+/**
+ * Get the relevant event for the sink in CodeInjectionCritical.ql.
+ */
+Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.asExpr() and
+    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+  )
+}
+
+/**
+ * Get the relevant event for the sink in CachePoisoningViaCodeInjection.ql.
+ */
+Event getRelevantCachePoisoningEventForSink(DataFlow::Node sink) {
+  exists(LocalJob job |
+    job = sink.asExpr().getEnclosingJob() and
+    job.getATriggerEvent() = result and
+    // job can be triggered by an external user
+    result.isExternallyTriggerable() and
+    // excluding privileged workflows since they can be exploited in easier circumstances
+    // which is covered by `actions/code-injection/critical`
+    not job.isPrivilegedExternallyTriggerable(result) and
+    (
+      // the workflow runs in the context of the default branch
+      runsOnDefaultBranch(result)
+      or
+      // the workflow caller runs in the context of the default branch
+      result.getName() = "workflow_call" and
+      exists(ExternalJob caller |
+        caller.getCallee() = job.getLocation().getFile().getRelativePath() and
+        runsOnDefaultBranch(caller.getATriggerEvent())
+      )
+    )
+  )
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate a code script.
@@ -35,6 +77,18 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantCriticalEventForSink(sink).getLocation()
+    or
+    result = getRelevantCachePoisoningEventForSink(sink).getLocation()
+  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
--- a/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CommandInjectionQuery.qll
@@ -3,11 +3,20 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.DataFlow
+import codeql.actions.security.ControlChecks

 private class CommandInjectionSink extends DataFlow::Node {
  CommandInjectionSink() { madSink(this, "command-injection") }
 }

+/** Get the relevant event for the sink in CommandInjectionCritical.ql. */
+Event getRelevantEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check.protects(sink.asExpr(), result, ["command-injection", "code-injection"])
+  )
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate a system command.
@@ -16,6 +25,16 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantEventInPrivilegedContext(sink).getLocation()
+  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
--- a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -72,6 +72,25 @@ class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink {
  EnvPathInjectionFromMaDSink() { madSink(this, "envpath-injection") }
 }

+/**
+ * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is "artifact".
+ */
+Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check.protects(sink.asExpr(), result, ["untrusted-checkout", "artifact-poisoning"])
+  ) and
+  sink instanceof EnvPathInjectionFromFileReadSink
+}
+
+/**
+ * Get the relevant event for a sink in EnvPathInjectionCritical.ql where the source type is not "artifact".
+ */
+Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection"))
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate an environment variable.
@@ -108,6 +127,18 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
+    or
+    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
+  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
--- a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -126,6 +126,32 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
  EnvVarInjectionFromMaDSink() { madSink(this, "envvar-injection") }
 }

+/**
+ * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is "artifact".
+ */
+Event getRelevantArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check
+        .protects(sink.asExpr(), result,
+          ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
+  ) and
+  (
+    sink instanceof EnvVarInjectionFromFileReadSink or
+    madSink(sink, "envvar-injection")
+  )
+}
+
+/**
+ * Get the relevant event for a sink in EnvVarInjectionCritical.ql where the source type is not "artifact".
+ */
+Event getRelevantNonArtifactEventInPrivilegedContext(DataFlow::Node sink) {
+  inPrivilegedContext(sink.asExpr(), result) and
+  not exists(ControlCheck check |
+    check.protects(sink.asExpr(), result, ["envvar-injection", "code-injection"])
+  )
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate an environment variable.
@@ -163,6 +189,18 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
      exists(run.getScript().getAFileReadCommand())
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    result = getRelevantArtifactEventInPrivilegedContext(sink).getLocation()
+    or
+    result = getRelevantNonArtifactEventInPrivilegedContext(sink).getLocation()
+  }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
--- a/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
@@ -21,18 +21,12 @@ import codeql.actions.security.ControlChecks
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink, Event event
 where
  EnvPathInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
  (
    not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, "code-injection")
-    )
+    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
    or
    source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, ["untrusted-checkout", "artifact-poisoning"])
-    ) and
-    sink.getNode() instanceof EnvPathInjectionFromFileReadSink
+    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
  )
 select sink.getNode(), source, sink,
  "Potential PATH environment variable injection in $@, which may be controlled by an external user ($@).",
--- a/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
@@ -22,26 +22,15 @@ import codeql.actions.security.ControlChecks
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Event event
 where
  EnvVarInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
  // exclude paths to file read sinks from non-artifact sources
  (
    // source is text
    not source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check.protects(sink.getNode().asExpr(), event, ["envvar-injection", "code-injection"])
-    )
+    event = getRelevantNonArtifactEventInPrivilegedContext(sink.getNode())
    or
    // source is an artifact or a file from an untrusted checkout
    source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    not exists(ControlCheck check |
-      check
-          .protects(sink.getNode().asExpr(), event,
-            ["envvar-injection", "untrusted-checkout", "artifact-poisoning"])
-    ) and
-    (
-      sink.getNode() instanceof EnvVarInjectionFromFileReadSink or
-      madSink(sink.getNode(), "envvar-injection")
-    )
+    event = getRelevantArtifactEventInPrivilegedContext(sink.getNode())
  )
 select sink.getNode(), source, sink,
  "Potential environment variable injection in $@, which may be controlled by an external user ($@).",
--- a/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
@@ -22,15 +22,8 @@ import codeql.actions.security.ControlChecks
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
 where
  CodeInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName() and
-  not exists(ControlCheck check | check.protects(sink.getNode().asExpr(), event, "code-injection")) and
-  // exclude cases where the sink is a JS script and the expression uses toJson
-  not exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = sink.getNode().asExpr() and
-    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
-  )
+  event = getRelevantCriticalEventForSink(sink.getNode()) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 select sink.getNode(), source, sink,
  "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
  sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
--- a/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+++ b/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
@@ -18,30 +18,13 @@ import codeql.actions.security.CachePoisoningQuery
 import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks

-from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob job, Event event
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
 where
  CodeInjectionFlow::flowPath(source, sink) and
-  job = sink.getNode().asExpr().getEnclosingJob() and
-  job.getATriggerEvent() = event and
-  // job can be triggered by an external user
-  event.isExternallyTriggerable() and
+  event = getRelevantCachePoisoningEventForSink(sink.getNode()) and
  // the checkout is not controlled by an access check
  not exists(ControlCheck check |
    check.protects(source.getNode().asExpr(), event, "code-injection")
-  ) and
-  // excluding privileged workflows since they can be exploited in easier circumstances
-  // which is covered by `actions/code-injection/critical`
-  not job.isPrivilegedExternallyTriggerable(event) and
-  (
-    // the workflow runs in the context of the default branch
-    runsOnDefaultBranch(event)
-    or
-    // the workflow caller runs in the context of the default branch
-    event.getName() = "workflow_call" and
-    exists(ExternalJob caller |
-      caller.getCallee() = job.getLocation().getFile().getRelativePath() and
-      runsOnDefaultBranch(caller.getATriggerEvent())
-    )
  )
 select sink.getNode(), source, sink,
  "Unprivileged code injection in $@, which may lead to cache poisoning ($@).", sink,
--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
@@ -19,10 +19,7 @@ import codeql.actions.security.ControlChecks
 from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event
 where
  ArtifactPoisoningFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
-  not exists(ControlCheck check |
-    check.protects(sink.getNode().asExpr(), event, "artifact-poisoning")
-  )
+  event = getRelevantEventInPrivilegedContext(sink.getNode())
 select sink.getNode(), source, sink,
  "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
  sink.getNode().toString(), event, event.getName()
--- a/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+++ b/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
@@ -21,10 +21,7 @@ import codeql.actions.security.ControlChecks
 from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Event event
 where
  CommandInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
-  not exists(ControlCheck check |
-    check.protects(sink.getNode().asExpr(), event, ["command-injection", "code-injection"])
-  )
+  event = getRelevantEventInPrivilegedContext(sink.getNode())
 select sink.getNode(), source, sink,
  "Potential command injection in $@, which may be controlled by an external user ($@).", sink,
  sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
--- a/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+++ b/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
@@ -20,10 +20,7 @@ import codeql.actions.security.ControlChecks
 from ArgumentInjectionFlow::PathNode source, ArgumentInjectionFlow::PathNode sink, Event event
 where
  ArgumentInjectionFlow::flowPath(source, sink) and
-  inPrivilegedContext(sink.getNode().asExpr(), event) and
-  not exists(ControlCheck check |
-    check.protects(sink.getNode().asExpr(), event, "argument-injection")
-  )
+  event = getRelevantEventInPrivilegedContext(sink.getNode())
 select sink.getNode(), source, sink,
  "Potential argument injection in $@ command, which may be controlled by an external user ($@).",
  sink, sink.getNode().(ArgumentInjectionSink).getCommand(), event, event.getName()
--- a/csharp/actions/create-extractor-pack/action.yml
+++ b/csharp/actions/create-extractor-pack/action.yml
@@ -17,7 +17,7 @@ runs:
      run: |
        CODEQL_PATH=$(gh codeql version --format=json | jq -r .unpackedLocation)
        # The legacy ASP extractor is not in this repo, so take the one from the nightly build
-        mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "${{ github.workspace }}/csharp/extractor-pack/tools"
+        mv "$CODEQL_PATH/csharp/tools/extractor-asp.jar" "$GITHUB_WORKSPACE/csharp/extractor-pack/tools"
        # Safe guard against using the bundled extractor
        rm -rf "$CODEQL_PATH/csharp"
      env:
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
@@ -39,6 +39,15 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getLocation()
+    or
+    // from ConditionalBypass.ql
+    result = sink.(Sink).getSensitiveMethodCall().getLocation()
+  }
 }

 /**
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
@@ -59,6 +59,10 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
  predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }

 /**
@@ -77,6 +81,10 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
  }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }

 /**
@@ -133,6 +141,10 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
      )
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }

 /**
@@ -149,6 +161,10 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
  predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // used in one of the disjuncts in UnsafeDeserializationUntrustedInput.ql
+  }
 }

 /**
@@ -186,6 +202,10 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
      oc.getObjectType() instanceof StrongTypeDeserializer
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }

 /**
@@ -210,6 +230,10 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
      sink.asExpr() = mc.getQualifier()
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // only used as secondary config in UnsafeDeserializationUntrustedInput.ql
+  }
 }

 /**
--- a/Bugs/ThreadUnsafeICryptoTransformLambda.ql
+++ b/Bugs/ThreadUnsafeICryptoTransformLambda.ql
@@ -24,6 +24,8 @@ module NotThreadSafeCryptoUsageIntoParallelInvokeConfig implements DataFlow::Con
  }

  predicate isSink(DataFlow::Node sink) { sink instanceof ParallelSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module NotThreadSafeCryptoUsageIntoParallelInvoke =
--- a/Features/CWE-798/HardcodedConnectionString.ql
+++ b/Features/CWE-798/HardcodedConnectionString.ql
@@ -38,6 +38,12 @@ module ConnectionStringConfig implements DataFlow::ConfigSig {
  }

  predicate isBarrier(DataFlow::Node node) { node instanceof StringFormatSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    any(Call call | call.getAnArgument() = sink.asExpr()).getLocation() = result
+  }
 }

 /**
--- a/docs/codeql/reusables/supported-versions-compilers.rst
+++ b/docs/codeql/reusables/supported-versions-compilers.rst
@@ -17,7 +17,7 @@

   .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
   GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
-   Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go``
+   Go (aka Golang), "Go up to 1.25", "Go 1.11 or more recent", ``.go``
   Java,"Java 7 to 24 [6]_","javac (OpenJDK and Oracle JDK),

   Eclipse compiler for Java (ECJ) [7]_",``.java``
--- a/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
+++ b/go/ql/lib/semmle/go/security/AllocationSizeOverflow.qll
@@ -56,6 +56,17 @@ module AllocationSizeOverflow {
        succ = c
      )
    }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.getLocation()
+      or
+      exists(DataFlow::Node allocsz |
+        isSinkWithAllocationSize(sink, allocsz) and
+        result = allocsz.getLocation()
+      )
+    }
  }

  /** Tracks taint flow to find allocation-size overflows. */
--- a/go/ql/lib/semmle/go/security/CommandInjection.qll
+++ b/go/ql/lib/semmle/go/security/CommandInjection.qll
@@ -24,6 +24,8 @@ module CommandInjection {
    }

    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /**
@@ -80,6 +82,8 @@ module CommandInjection {
      node instanceof Sanitizer or
      node = any(ArgumentArrayWithDoubleDash array).getASanitizedElement()
    }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /**
--- a/go/ql/lib/semmle/go/security/ExternalAPIs.qll
+++ b/go/ql/lib/semmle/go/security/ExternalAPIs.qll
@@ -186,6 +186,8 @@ private module UntrustedDataConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
+++ b/go/ql/lib/semmle/go/security/HardcodedCredentials.qll
@@ -30,6 +30,8 @@ module HardcodedCredentials {
    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /** Tracks taint flow for reasoning about hardcoded credentials. */
--- a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
+++ b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -440,6 +440,12 @@ private module ConversionWithoutBoundsCheckConfig implements DataFlow::StateConf
    state2 = node2.(FlowStateTransformer).transform(state1) and
    DataFlow::simpleLocalFlowStep(node1, node2, _)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    result = sink.getASuccessor().getLocation()
+  }
 }

 /**
--- a/go/ql/lib/semmle/go/security/InsecureRandomness.qll
+++ b/go/ql/lib/semmle/go/security/InsecureRandomness.qll
@@ -39,6 +39,10 @@ module InsecureRandomness {
        n2.getType() instanceof IntegerType
      )
    }
+
+    predicate observeDiffInformedIncrementalMode() {
+      none() // Can't have accurate sink location override because of secondary use of `flowPath` in select.
+    }
  }

  /**
--- a/go/ql/lib/semmle/go/security/ReflectedXss.qll
+++ b/go/ql/lib/semmle/go/security/ReflectedXss.qll
@@ -22,6 +22,14 @@ module ReflectedXss {
    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.getLocation()
+      or
+      result = sink.(SharedXss::Sink).getAssociatedLoc().getLocation()
+    }
  }

  /** Tracks taint flow from untrusted data to XSS attack vectors. */
--- a/go/ql/lib/semmle/go/security/RequestForgery.qll
+++ b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -31,6 +31,14 @@ module RequestForgery {
        w.writesField(v.getAUse(), f, pred) and succ = v.getAUse()
      )
    }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.getLocation()
+      or
+      result = sink.(Sink).getARequest().getLocation()
+    }
  }

  /** Tracks taint flow from untrusted data to request forgery attack vectors. */
--- a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
+++ b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -36,6 +36,10 @@ module SafeUrlFlow {
      or
      node instanceof SanitizerEdge
    }
+
+    predicate observeDiffInformedIncrementalMode() {
+      none() // only used as secondary configuration
+    }
  }

  /** Tracks taint flow for reasoning about safe URLs. */
--- a/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
+++ b/go/ql/src/InconsistentCode/UnhandledCloseWritableHandle.ql
@@ -128,6 +128,14 @@ module UnhandledFileCloseConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { isWritableFileHandle(source, _) }

  predicate isSink(DataFlow::Node sink) { isCloseSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    exists(DataFlow::CallNode openCall | result = openCall.getLocation() |
+      isWritableFileHandle(source, openCall)
+    )
+  }
 }

 /**
--- a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
+++ b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -68,6 +68,8 @@ module Config implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node sink) { writeIsSink(sink, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /**
--- a/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
+++ b/go/ql/src/Security/CWE-601/BadRedirectCheck.ql
@@ -123,6 +123,17 @@ module Config implements DataFlow::ConfigSig {
  }

  predicate isSink(DataFlow::Node sink) { sink instanceof OpenUrlRedirect::Sink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    result = source.getLocation()
+    or
+    exists(DataFlow::Node check |
+      isCheckedSource(source, check) and
+      result = check.getLocation()
+    )
+  }
 }

 module Flow = TaintTracking::Global<Config>;
--- a/go/ql/src/experimental/CWE-1004/AuthCookie.qll
+++ b/go/ql/src/experimental/CWE-1004/AuthCookie.qll
@@ -116,6 +116,12 @@ private module BoolToGinSetCookieTrackingConfig implements DataFlow::ConfigSig {
      )
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    any() // Merged with other flows in CookieWithoutHttpOnly.ql
+  }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
 }

 /**
--- a/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
+++ b/go/ql/src/experimental/CWE-807/SensitiveConditionBypass.qll
@@ -59,6 +59,14 @@ private module Config implements DataFlow::ConfigSig {
      not c.isPotentialFalsePositive()
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(ComparisonExpr comp | result = comp.getLocation() | sink.asExpr() = comp.getAnOperand())
+  }
 }

 /**
--- a/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
+++ b/go/ql/src/experimental/CWE-840/ConditionalBypass.ql
@@ -22,6 +22,10 @@ module Config implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) {
    exists(ComparisonExpr c | c.getAnOperand() = sink.asExpr())
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // can't override the locations accurately because of secondary use of config.
+  }
 }

 /** Tracks taint flow for reasoning about conditional bypass. */
--- a/go/ql/src/experimental/CWE-918/SSRF.qll
+++ b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -30,6 +30,14 @@ module ServerSideRequestForgery {
    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }

    predicate isBarrierOut(DataFlow::Node node) { node instanceof SanitizerEdge }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
+
+    Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+    Location getASelectedSinkLocation(DataFlow::Node sink) {
+      result = sink.(Sink).getARequest().getLocation()
+    }
  }

  /** Tracks taint flow for reasoning about request forgery vulnerabilities. */