Swift: mass enable diff-informed data flow

asgerf · asgerf · commit 1f0b362307fa · 2025-01-23T10:26:08.000+01:00
diff --git a/swift/ql/lib/codeql/swift/regex/Regex.qll b/swift/ql/lib/codeql/swift/regex/Regex.qll
@@ -491,6 +491,12 @@ private module NSStringCompareOptionsFlagConfig implements DataFlow::ConfigSig {
     isSink(node) and
     c.getAReadContent() instanceof DataFlow::Content::CollectionContent
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/swift/regex/Regex.qll:507: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module NSStringCompareOptionsFlagFlow = DataFlow::Global<NSStringCompareOptionsFlagConfig>;
diff --git a/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll b/swift/ql/lib/codeql/swift/regex/internal/RegexTracking.qll
@@ -25,6 +25,12 @@ private module StringLiteralUseConfig implements DataFlow::ConfigSig {
     // used to create a regular expression object
     node = any(RegexCreation regexCreation).getStringInput()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/swift/regex/Regex.qll:53: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module StringLiteralUseFlow = DataFlow::Global<StringLiteralUseConfig>;
@@ -47,6 +53,12 @@ private module RegexUseConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(RegexAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/swift/regex/Regex.qll:350: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module RegexUseFlow = DataFlow::Global<RegexUseConfig>;
@@ -102,6 +114,13 @@ private module RegexParseModeConfig implements DataFlow::StateConfigSig {
   ) {
     none()
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/swift/regex/Regex.qll:364: Flow call outside 'select' clause
+    // ql/lib/codeql/swift/regex/Regex.qll:365: Flow call outside 'select' clause
+    none()
+  }
 }
 
 module RegexParseModeFlow = DataFlow::GlobalWithState<RegexParseModeConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextLoggingQuery.qll
@@ -25,6 +25,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
@@ -48,6 +48,12 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
     node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and
     c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql:35: Column 1 does not select a source or sink originating from the flow call on line 33
+    none()
+  }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
@@ -30,6 +30,12 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql:34: Column 1 does not select a source or sink originating from the flow call on line 32
+    none()
+  }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll b/swift/ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll
@@ -73,6 +73,12 @@ private module ExcludeUrlConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node node) { urlInit(_, node.asExpr()) }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll:90: Flow call outside 'select' clause
+    none()
+  }
 }
 
 private module ExcludeUrlFlow = TaintTracking::Global<ExcludeUrlConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextTransmissionQuery.qll
@@ -28,6 +28,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {
     // make sources barriers so that we only report the closest instance
     isSource(node)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/CommandInjectionQuery.qll
@@ -23,6 +23,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll b/swift/ql/lib/codeql/swift/security/ConstantPasswordQuery.qll
@@ -38,6 +38,8 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll b/swift/ql/lib/codeql/swift/security/ConstantSaltQuery.qll
@@ -39,6 +39,8 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll b/swift/ql/lib/codeql/swift/security/ECBEncryptionQuery.qll
@@ -22,6 +22,8 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(EcbEncryptionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll b/swift/ql/lib/codeql/swift/security/HardcodedEncryptionKeyQuery.qll
@@ -46,6 +46,8 @@ module HardcodedKeyConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(HardcodedEncryptionKeyAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module HardcodedKeyFlow = TaintTracking::Global<HardcodedKeyConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll b/swift/ql/lib/codeql/swift/security/InsecureTLSQuery.qll
@@ -21,6 +21,8 @@ module InsecureTlsConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(InsecureTlsExtensionsAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module InsecureTlsFlow = TaintTracking::Global<InsecureTlsConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll b/swift/ql/lib/codeql/swift/security/InsufficientHashIterationsQuery.qll
@@ -34,6 +34,8 @@ module InsufficientHashIterationsConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(InsufficientHashIterationsAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module InsufficientHashIterationsFlow = TaintTracking::Global<InsufficientHashIterationsConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PathInjectionQuery.qll
@@ -23,6 +23,8 @@ module PathInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(PathInjectionAdditionalFlowStep s).step(node1, node2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/PredicateInjectionQuery.qll
@@ -22,6 +22,8 @@ module PredicateInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(PredicateInjectionAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/SqlInjectionQuery.qll
@@ -23,6 +23,8 @@ module SqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(SqlInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll b/swift/ql/lib/codeql/swift/security/StaticInitializationVectorQuery.qll
@@ -40,6 +40,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(StaticInitializationVectorAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module StaticInitializationVectorFlow = TaintTracking::Global<StaticInitializationVectorConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll b/swift/ql/lib/codeql/swift/security/StringLengthConflationQuery.qll
@@ -39,6 +39,8 @@ module StringLengthConflationConfig implements DataFlow::StateConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(StringLengthConflationAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll b/swift/ql/lib/codeql/swift/security/UncontrolledFormatStringQuery.qll
@@ -23,6 +23,8 @@ module TaintedFormatConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UncontrolledFormatStringAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeJsEvalQuery.qll
@@ -22,6 +22,8 @@ module UnsafeJsEvalConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UnsafeJsEvalAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeUnpackQuery.qll
@@ -24,6 +24,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UnsafeUnpackAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll b/swift/ql/lib/codeql/swift/security/UnsafeWebViewFetchQuery.qll
@@ -28,6 +28,12 @@ module UnsafeWebViewFetchConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(UnsafeWebViewFetchAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql:39: Column 1 does not select a source or sink originating from the flow call on line 36
+    none()
+  }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll b/swift/ql/lib/codeql/swift/security/WeakPasswordHashingQuery.qll
@@ -37,6 +37,8 @@ module WeakPasswordHashingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(WeakPasswordHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module WeakPasswordHashingFlow = TaintTracking::Global<WeakPasswordHashingConfig>;
diff --git a/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll b/swift/ql/lib/codeql/swift/security/WeakSensitiveDataHashingQuery.qll
@@ -38,6 +38,8 @@ module WeakSensitiveDataHashingConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(WeakSensitiveDataHashingAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 deprecated module WeakHashingConfig = WeakSensitiveDataHashingConfig;
diff --git a/swift/ql/lib/codeql/swift/security/XXEQuery.qll b/swift/ql/lib/codeql/swift/security/XXEQuery.qll
@@ -22,6 +22,8 @@ module XxeConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(XxeAdditionalFlowStep s).step(n1, n2)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**
diff --git a/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll b/swift/ql/lib/codeql/swift/security/regex/RegexInjectionQuery.qll
@@ -22,6 +22,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
     any(RegexInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -491,6 +491,12 @@ private module NSStringCompareOptionsFlagConfig implements DataFlow::ConfigSig {`
`491`	`491`	`isSink(node) and`
`492`	`492`	`c.getAReadContent() instanceof DataFlow::Content::CollectionContent`
`493`	`493`	`}`
	`494`	`+`
	`495`	`+ predicate observeDiffInformedIncrementalMode() {`
	`496`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`497`	`+ // ql/lib/codeql/swift/regex/Regex.qll:507: Flow call outside 'select' clause`
	`498`	`+ none()`
	`499`	`+ }`
`494`	`500`	`}`
`495`	`501`
`496`	`502`	`module NSStringCompareOptionsFlagFlow = DataFlow::Global<NSStringCompareOptionsFlagConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {`
`25`	`25`	`predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`
`26`	`26`	`any(CleartextLoggingAdditionalFlowStep s).step(n1, n2)`
`27`	`27`	`}`
	`28`	`+`
	`29`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`28`	`30`	`}`
`29`	`31`
`30`	`32`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,12 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {`
`48`	`48`	`node.asExpr().getType().getUnderlyingType() instanceof DictionaryType and`
`49`	`49`	`c.getAReadContent().(DataFlow::Content::TupleContent).getIndex() = 1`
`50`	`50`	`}`
	`51`	`+`
	`52`	`+ predicate observeDiffInformedIncrementalMode() {`
	`53`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`54`	`+ // ql/src/queries/Security/CWE-311/CleartextStorageDatabase.ql:35: Column 1 does not select a source or sink originating from the flow call on line 33`
	`55`	`+ none()`
	`56`	`+ }`
`51`	`57`	`}`
`52`	`58`
`53`	`59`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,12 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {`
`30`	`30`	`// make sources barriers so that we only report the closest instance`
`31`	`31`	`isSource(node)`
`32`	`32`	`}`
	`33`	`+`
	`34`	`+ predicate observeDiffInformedIncrementalMode() {`
	`35`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`36`	`+ // ql/src/queries/Security/CWE-312/CleartextStoragePreferences.ql:34: Column 1 does not select a source or sink originating from the flow call on line 32`
	`37`	`+ none()`
	`38`	`+ }`
`33`	`39`	`}`
`34`	`40`
`35`	`41`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,12 @@ private module ExcludeUrlConfig implements DataFlow::ConfigSig {`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`predicate isSink(DataFlow::Node node) { urlInit(_, node.asExpr()) }`
	`76`	`+`
	`77`	`+ predicate observeDiffInformedIncrementalMode() {`
	`78`	`+ // TODO(diff-informed): Manually verify if config can be diff-informed.`
	`79`	`+ // ql/lib/codeql/swift/security/CleartextTransmissionExtensions.qll:90: Flow call outside 'select' clause`
	`80`	`+ none()`
	`81`	`+ }`
`76`	`82`	`}`
`77`	`83`
`78`	`84`	`private module ExcludeUrlFlow = TaintTracking::Global<ExcludeUrlConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ module CleartextTransmissionConfig implements DataFlow::ConfigSig {`
`28`	`28`	`// make sources barriers so that we only report the closest instance`
`29`	`29`	`isSource(node)`
`30`	`30`	`}`
	`31`	`+`
	`32`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`31`	`33`	`}`
`32`	`34`
`33`	`35`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`24`	`24`	`any(CommandInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,8 @@ module ConstantPasswordConfig implements DataFlow::ConfigSig {`
`38`	`38`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`39`	`39`	`any(ConstantPasswordAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`40`	`40`	`}`
	`41`	`+`
	`42`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`41`	`43`	`}`
`42`	`44`
`43`	`45`	`module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ module ConstantSaltConfig implements DataFlow::ConfigSig {`
`39`	`39`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`40`	`40`	`any(ConstantSaltAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`module ConstantSaltFlow = TaintTracking::Global<ConstantSaltConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ module EcbEncryptionConfig implements DataFlow::ConfigSig {`
`22`	`22`	`predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {`
`23`	`23`	`any(EcbEncryptionAdditionalFlowStep s).step(nodeFrom, nodeTo)`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`module EcbEncryptionFlow = DataFlow::Global<EcbEncryptionConfig>;`