github
diff --git a/‎csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
+6 b/‎csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
+6
diff --git a/‎csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
+6 b/‎csharp/ql/lib/semmle/code/csharp/frameworks/system/Xml.qll
+6
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/EncryptionKeyDataFlowQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/cryptography/HardcodedSymmetricEncryptionKey.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
+6 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll
+6
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
+7 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll
+7
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
+8 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll
+8
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
+78 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
+78
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll
+2
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
+6 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
+6
diff --git a/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll
+2 b/‎csharp/ql/lib/semmle/code/csharp/security/dataflow/ZipSlipQuery.qll
+2
@@ -68,6 +68,12 @@ private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::Con
       node.asExpr() = mc.getArgumentForName("command")
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/frameworks/Sql.qll:54: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module DapperCommandDefinitionMethodCallSql =
 
@@ -167,6 +167,12 @@ private module SettingsDataFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof XmlReaderSettingsCreation }
 
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof XmlReaderSettingsInstance }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/frameworks/system/Xml.qll:190: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module SettingsDataFlow = DataFlow::Global<SettingsDataFlowConfig>;
 
@@ -70,6 +70,8 @@ private module SymmetricKeyConfig implements DataFlow::ConfigSig {
 
   /** Holds if the node is a key sanitizer. */
   predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -82,6 +82,8 @@ module HardcodedSymmetricEncryptionKey {
         succ.asExpr() = mc
       )
     }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**
 
@@ -32,6 +32,8 @@ private module ClearTextStorageConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -33,6 +33,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -42,6 +42,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -39,6 +39,12 @@ private module ConditionalBypassConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security Features/CWE-807/ConditionalBypass.ql:23: Column 5 selects sink.getSensitiveMethodCall
+    none()
+  }
 }
 
 /**
 
@@ -32,6 +32,8 @@ private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -78,6 +78,13 @@ private module RemoteSourceToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:88: Flow call outside 'select' clause
+    // ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll:91: Flow call outside 'select' clause
+    none()
+  }
 }
 
 /** A module for tracking flow from `ActiveThreatModelSource`s to `ExternalApiDataNode`s. */
 
@@ -45,6 +45,8 @@ module LdapInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -35,6 +35,8 @@ private module LogForgingConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -39,6 +39,8 @@ private module MissingXmlValidationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { exists(sink.(Sink).getReason()) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -33,6 +33,8 @@ private module ReDoSConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
@@ -77,6 +79,12 @@ private module ExponentialRegexDataFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node s) { isExponentialRegex(s.asExpr()) }
 
   predicate isSink(DataFlow::Node s) { s.asExpr() = any(RegexOperation c).getPattern() }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll:92: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module ExponentialRegexDataFlow = DataFlow::Global<ExponentialRegexDataFlowConfig>;
 
@@ -33,6 +33,8 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -32,6 +32,8 @@ private module ResourceInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -43,6 +43,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -35,6 +35,8 @@ private module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -59,6 +59,13 @@ private module TaintToObjectMethodTrackingConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { sink instanceof InstanceMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 33
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 33
+    none()
+  }
 }
 
 /**
@@ -77,6 +84,13 @@ private module JsonConvertTrackingConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 55
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 55
+    none()
+  }
 }
 
 /**
@@ -133,6 +147,13 @@ private module TypeNameTrackingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 56
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 56
+    none()
+  }
 }
 
 /**
@@ -149,6 +170,13 @@ private module TaintToConstructorOrStaticMethodTrackingConfig implements DataFlo
   predicate isSink(DataFlow::Node sink) { sink instanceof ConstructorOrStaticMethodSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 50
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 50
+    none()
+  }
 }
 
 /**
@@ -186,6 +214,13 @@ private module TaintToObjectTypeTrackingConfig implements DataFlow::ConfigSig {
       oc.getObjectType() instanceof StrongTypeDeserializer
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 43
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 43
+    none()
+  }
 }
 
 /**
@@ -210,6 +245,13 @@ private module WeakTypeCreationToUsageTrackingConfig implements DataFlow::Config
       sink.asExpr() = mc.getQualifier()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:59: Column 1 does not select a source or sink originating from the flow call on line 37
+    // ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql:60: Column 5 does not select a source or sink originating from the flow call on line 37
+    none()
+  }
 }
 
 /**
@@ -342,6 +384,12 @@ private module DataContractJsonSafeConstructorTrackingConfig implements DataFlow
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:28: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module DataContractJsonSafeConstructorTracking =
@@ -389,6 +437,12 @@ private module JavaScriptSerializerSafeConstructorTrackingConfig implements Data
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:29: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module JavaScriptSerializerSafeConstructorTracking =
@@ -434,6 +488,12 @@ private module XmlObjectSerializerDerivedConstructorTrackingConfig implements Da
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:30: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module XmlObjectSerializerDerivedConstructorTracking =
@@ -476,6 +536,12 @@ private module XmlSerializerSafeConstructorTrackingConfig implements DataFlow::C
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:31: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module XmlSerializerSafeConstructorTracking =
@@ -522,6 +588,12 @@ private module DataContractSerializerSafeConstructorTrackingConfig implements Da
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:32: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module DataContractSerializerSafeConstructorTracking =
@@ -564,6 +636,12 @@ private module XmlMessageFormatterSafeConstructorTrackingConfig implements DataF
       mc.getQualifier() = sink.asExpr()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll:33: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module XmlMessageFormatterSafeConstructorTracking =
 
@@ -37,6 +37,8 @@ private module UrlRedirectConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -43,6 +43,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
 
@@ -158,6 +158,12 @@ module XssTrackingConfig implements DataFlow::ConfigSig {
    * `node` from the data flow graph.
    */
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll:22: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module XssTracking = TaintTracking::Global<XssTrackingConfig>;
 
@@ -30,6 +30,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,12 @@ private module DapperCommandDefitionMethodCallSqlConfig implements DataFlow::Con`
`68`	`68`	`node.asExpr() = mc.getArgumentForName("command")`
`69`	`69`	`)`
`70`	`70`	`}`
	`71`	`+`
	`72`	`+ predicate observeDiffInformedIncrementalMode() {`
	`73`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`74`	`+ // ql/lib/semmle/code/csharp/frameworks/Sql.qll:54: Flow call outside 'select' clause`
	`75`	`+ none()`
	`76`	`+ }`
`71`	`77`	`}`
`72`	`78`
`73`	`79`	`private module DapperCommandDefinitionMethodCallSql =`
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,8 @@ private module SymmetricKeyConfig implements DataFlow::ConfigSig {`
`70`	`70`
`71`	`71`	`/** Holds if the node is a key sanitizer. */`
`72`	`72`	`predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof KeySanitizer }`
	`73`	`+`
	`74`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`73`	`75`	`}`
`74`	`76`
`75`	`77`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,8 @@ module HardcodedSymmetricEncryptionKey {`
`82`	`82`	`succ.asExpr() = mc`
`83`	`83`	`)`
`84`	`84`	`}`
	`85`	`+`
	`86`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`85`	`87`	`}`
`86`	`88`
`87`	`89`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ private module ClearTextStorageConfig implements DataFlow::ConfigSig {`
`32`	`32`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`33`	`33`
`34`	`34`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`35`	`+`
	`36`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`35`	`37`	`}`
`36`	`38`
`37`	`39`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {`
`33`	`33`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`34`	`34`
`35`	`35`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`36`	`+`
	`37`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`36`	`38`	`}`
`37`	`39`
`38`	`40`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {`
`42`	`42`	* `node` from the data flow graph.
`43`	`43`	`*/`
`44`	`44`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`45`	`+`
	`46`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`45`	`47`	`}`
`46`	`48`
`47`	`49`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ private module ExposureOfPrivateInformationConfig implements DataFlow::ConfigSig`
`32`	`32`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`33`	`33`
`34`	`34`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`35`	`+`
	`36`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`35`	`37`	`}`
`36`	`38`
`37`	`39`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ module LdapInjectionConfig implements DataFlow::ConfigSig {`
`45`	`45`	* `node` from the data flow graph.
`46`	`46`	`*/`
`47`	`47`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`48`	`+`
	`49`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`48`	`50`	`}`
`49`	`51`
`50`	`52`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,8 @@ private module LogForgingConfig implements DataFlow::ConfigSig {`
`35`	`35`	`predicate isSink(DataFlow::Node sink) { sink instanceof Sink }`
`36`	`36`
`37`	`37`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`38`	`+`
	`39`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`38`	`40`	`}`
`39`	`41`
`40`	`42`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ private module MissingXmlValidationConfig implements DataFlow::ConfigSig {`
`39`	`39`	`predicate isSink(DataFlow::Node sink) { exists(sink.(Sink).getReason()) }`
`40`	`40`
`41`	`41`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`/**`