github · asgerf · Jan 20, 2025 · Dec 19, 2024 · Jan 17, 2025 · Jan 17, 2025
@@ -25,6 +25,8 @@ module BrokenCryptoAlgorithmConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -30,6 +30,8 @@ module BuildArtifactLeakConfig implements DataFlow::ConfigSig {
     contents = DataFlow::ContentSet::anyProperty() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -41,6 +41,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
     contents = DataFlow::ContentSet::anyProperty() and
     isSink(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -25,6 +25,8 @@ module ClearTextStorageConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ClearTextStorageFlow = TaintTracking::Global<ClearTextStorageConfig>;

@@ -31,6 +31,8 @@ module ClientSideRequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalRequestForgeryStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -54,6 +54,8 @@ module ClientSideUrlRedirectConfig implements DataFlow::StateConfigSig {
       state1 = state2
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -24,6 +24,8 @@ module CodeInjectionConfig implements DataFlow::ConfigSig {
     // HTML sanitizers are insufficient protection against code injection
     node1 = node2.(HtmlSanitizerCall).getInput()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -30,6 +30,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -24,6 +24,10 @@ module ConditionalBypassConfig implements DataFlow::ConfigSig {
     // comparing a tainted expression against a constant gives a tainted result
     node2.asExpr().(Comparison).hasOperands(node1.asExpr(), any(ConstantExpr c))
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Disabled since the enclosing comparison is sometimes selected instead of the sink
+  }
 }
 
 /**

@@ -23,6 +23,8 @@ module CorsMisconfigurationConfig implements DataFlow::ConfigSig {
     node instanceof Sanitizer or
     node = TaintTracking::AdHocWhitelistCheckSanitizer::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -33,6 +33,8 @@ module DeepObjectResourceExhaustionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -20,6 +20,10 @@ private module DifferentKindsComparisonBypassConfig implements DataFlow::ConfigS
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Disabled since multiple related sinks are selected simultaneously
+  }
 }
 
 /**

@@ -113,6 +113,8 @@ module DomBasedXssConfig implements DataFlow::StateConfigSig {
       state1 = state2
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -155,6 +155,8 @@ module ExceptionXssConfig implements DataFlow::StateConfigSig {
   }
 
   int accessPathLimit() { result = 1 }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -31,6 +31,10 @@ module ExternalAPIUsedWithUntrustedDataConfig implements DataFlow::ConfigSig {
     // Also report values that escape while inside a property
     isSink(node) and contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Not used for PR analysis
+  }
 }
 
 /**

@@ -24,6 +24,8 @@ module FileAccessToHttpConfig implements DataFlow::ConfigSig {
     isSink(node) and
     contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -69,6 +69,8 @@ module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
       node2 = n.getACall()
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -34,6 +34,8 @@ module HardcodedDataInterpretedAsCodeConfig implements DataFlow::StateConfigSig
     state1 = [FlowState::modified(), FlowState::unmodified()] and
     state2 = FlowState::modified()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -17,6 +17,8 @@ module HostHeaderPoisoningConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node node) { exists(EmailSender email | node = email.getABody()) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -17,6 +17,8 @@ module HttpToFileAccessConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module ImproperCodeSanitizationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -42,6 +42,8 @@ module IncompleteHtmlAttributeSanitizationConfig implements DataFlow::StateConfi
   }
 
   predicate isBarrier(DataFlow::Node n) { n instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -26,6 +26,8 @@ module IndirectCommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -23,6 +23,8 @@ module InsecureDownloadConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, FlowState state) { sink.(Sink).getAFlowState() = state }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -40,6 +40,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
     // taint steps as additional flow steps.
     TaintTracking::defaultTaintStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module InsecureTemporaryFileConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -25,6 +25,8 @@ module InsufficientPasswordHashConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -28,6 +28,8 @@ module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -38,6 +38,8 @@ module LoopBoundInjectionConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedObject::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -51,6 +51,8 @@ module NosqlInjectionConfig implements DataFlow::StateConfigSig {
     state1.isTaint() and
     state2 = state1
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -37,6 +37,8 @@ module PostMessageStarConfig implements DataFlow::ConfigSig {
     // If an object leaks, all of its properties have leaked
     isSink(node) and contents = DataFlow::ContentSet::anyProperty()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -113,6 +113,8 @@ module PrototypePollutingAssignmentConfig implements DataFlow::StateConfigSig {
     or
     node = DataFlow::MakeStateBarrierGuard<FlowState, BarrierGuard>::getABarrierNode(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Taint-tracking for reasoning about prototype-polluting assignments. */

@@ -47,6 +47,8 @@ module PrototypePollutionConfig implements DataFlow::StateConfigSig {
   predicate isBarrier(DataFlow::Node node, FlowState state) {
     node = TaintedObject::SanitizerGuard::getABarrierNode(state)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -18,6 +18,8 @@ module ReflectedXssConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Sanitizer or node = SharedXss::BarrierGuard::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module RegExpInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -23,6 +23,8 @@ module RemotePropertyInjectionConfig implements DataFlow::ConfigSig {
     node instanceof Sanitizer or
     node = StringConcatenation::getRoot(any(ConstantString str).flow())
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -26,6 +26,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isAdditionalRequestForgeryStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -27,6 +27,8 @@ module ResourceExhaustionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     isNumericFlowStep(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -47,6 +47,8 @@ module SecondOrderCommandInjectionConfig implements DataFlow::StateConfigSig {
     TaintTracking::defaultTaintStep(node1, node2) and
     state1 = state2
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -30,6 +30,8 @@ module ServerSideUrlRedirectConfig implements DataFlow::ConfigSig {
       node2 = call
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -27,6 +27,8 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate isSink(DataFlow::Node sink) { isSinkWithHighlight(sink, _) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -31,6 +31,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
       node2 = call
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -28,6 +28,8 @@ module StackTraceExposureConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node snk) { snk instanceof Sink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -18,6 +18,8 @@ module StoredXssConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Sanitizer or node = Shared::BarrierGuard::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module TaintedFormatStringConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -47,6 +47,8 @@ module TaintedPathConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -45,6 +45,8 @@ module TemplateObjectInjectionConfig implements DataFlow::StateConfigSig {
     TaintTracking::defaultTaintStep(node1, node2) and
     state1 = state2
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -27,6 +27,8 @@ module TypeConfusionConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node instanceof Barrier or node = DataFlow::MakeBarrierGuard<BarrierGuard>::getABarrierNode()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -32,6 +32,8 @@ module UnsafeCodeConstruction {
     }
 
     DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   /**

@@ -18,6 +18,8 @@ module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -75,6 +75,8 @@ module UnsafeDynamicMethodAccessConfig implements DataFlow::StateConfigSig {
     TaintTracking::defaultTaintStep(node1, node2) and
     state1 = state2
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -60,6 +60,8 @@ module UnsafeHtmlConstructionConfig implements DataFlow::StateConfigSig {
   }
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -36,6 +36,8 @@ module UnsafeJQueryPluginConfig implements DataFlow::ConfigSig {
     // prefixing through a poor-mans templating system:
     node = any(StringReplaceCall call).getRawReplacement()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -25,6 +25,8 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {
   }
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -91,6 +91,8 @@ module UnvalidatedDynamicMethodCallConfig implements DataFlow::StateConfigSig {
     TaintTracking::defaultTaintStep(node1, node2) and
     state1 = state2
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module XmlBombConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -20,6 +20,8 @@ module XpathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -28,6 +28,8 @@ module XssThroughDomConfig implements DataFlow::ConfigSig {
     node2 = DataFlow::globalVarRef("URL").getAMemberCall("createObjectURL") and
     node1 = node2.(DataFlow::InvokeNode).getArgument(0)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -19,6 +19,8 @@ module XxeConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

@@ -44,6 +44,8 @@ module ZipSlipConfig implements DataFlow::StateConfigSig {
   ) {
     TaintedPath::isAdditionalFlowStep(node1, state1, node2, state2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** A taint tracking configuration for unsafe archive extraction. */

@@ -25,6 +25,8 @@ module PolynomialReDoSConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { none() }
 
   int fieldFlowBranchLimit() { result = 1 } // library inputs are too expensive on some projects
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Taint-tracking for reasoning about polynomial regular expression denial-of-service attacks. */

@@ -283,6 +283,10 @@ module PropNameTrackingConfig implements DataFlow::StateConfigSig {
     // flows through any contents, apart from a capture content.
     result = 1
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    none() // Disabled since the alert references some locations other than the source or sink
+  }
 }
 
 class FlowState = PropNameTrackingConfig::FlowState;

@@ -87,6 +87,8 @@ module CodeInjectionConfig implements DataFlow::StateConfigSig {
     state1 = TTaint() and
     state2 = TUrlConstructor()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module CodeInjectionFlow = TaintTracking::GlobalWithState<CodeInjectionConfig>;

@@ -33,6 +33,8 @@ module EnvValueAndKeyInjectionConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module EnvValueAndKeyInjectionFlow = TaintTracking::Global<EnvValueAndKeyInjectionConfig>;

@@ -19,6 +19,8 @@ module EnvValueInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink = API::moduleImport("process").getMember("env").getAMember().asSink()
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module EnvValueInjectionFlow = TaintTracking::Global<EnvValueInjectionConfig>;

@@ -41,6 +41,8 @@ module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof PredictableResultSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof TokenAssignmentValueSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module TokenBuiltFromUuidFlow = TaintTracking::Global<TokenBuiltFromUuidConfig>;

@@ -17,6 +17,8 @@ module UnverifiedDecodeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink = unverifiedDecode() }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module UnverifiedDecodeFlow = TaintTracking::Global<UnverifiedDecodeConfig>;
@@ -25,6 +27,8 @@ module VerifiedDecodeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink = verifiedDecode() }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module VerifiedDecodeFlow = TaintTracking::Global<VerifiedDecodeConfig>;

@@ -23,6 +23,13 @@ module DecodeWithoutVerificationConfig implements DataFlow::ConfigSig {
     or
     sink = verifiedDecode()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:32: Flow call outside 'select' clause
+    // ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerificationLocalSource.ql:42: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module DecodeWithoutVerificationFlow = TaintTracking::Global<DecodeWithoutVerificationConfig>;

@@ -24,6 +24,8 @@ module DecompressionBombConfig implements DataFlow::ConfigSig {
       addstep.isAdditionalTaintStep(node1, node2)
     )
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module DecompressionBombFlow = TaintTracking::Global<DecompressionBombConfig>;

@@ -28,6 +28,8 @@ module SsrfConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrierOut(DataFlow::Node node) { strictSanitizingPrefixEdge(node, _) }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module SsrfFlow = TaintTracking::Global<SsrfConfig>;

@@ -33,6 +33,8 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module CorsPermissiveConfigurationFlow =
-Original file line number
+Diff line change
@@ @@ -31,6 +31,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig { @@
           node2 = call
         )
       }
+      predicate observeDiffInformedIncrementalMode() { any() }
     }
     /**