Python: mass enable diff-informed data flow

2025-12-17 01:03:14 +01:00 · 2025-01-23 10:15:59 +01:00
parent 9319b1848d
commit e4a1847dad
55 changed files with 197 additions and 1 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CleartextLoggingQuery.qll
@@ -21,6 +21,8 @@ private module CleartextLoggingConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "Clear-text logging of sensitive information" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CleartextStorageQuery.qll
@@ -21,6 +21,8 @@ private module CleartextStorageConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "Clear-text storage of sensitive information" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CodeInjectionQuery.qll
@@ -17,6 +17,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "code injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CommandInjectionQuery.qll
@@ -20,6 +20,8 @@ module CommandInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "command injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/CookieInjectionQuery.qll
@@ -20,6 +20,8 @@ module CookieInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "cookie injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/HttpHeaderInjectionQuery.qll
@@ -16,6 +16,8 @@ private module HeaderInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof HttpHeaderInjection::Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "HTTP Header injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LdapInjectionQuery.qll
@@ -19,6 +19,13 @@ private module LdapInjectionDnConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof DnSink }

  predicate isBarrier(DataFlow::Node node) { node instanceof DnSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-090/LdapInjection.ql:26: Column 1 does not select a source or sink originating from the flow call on line 21
+    // ql/src/Security/CWE-090/LdapInjection.ql:27: Column 5 does not select a source or sink originating from the flow call on line 21
+    none()
+  }
 }

 /** Global taint-tracking for detecting "LDAP injection via the distinguished name (DN) parameter" vulnerabilities. */
@@ -30,6 +37,13 @@ private module LdapInjectionFilterConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof FilterSink }

  predicate isBarrier(DataFlow::Node node) { node instanceof FilterSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-090/LdapInjection.ql:26: Column 1 does not select a source or sink originating from the flow call on line 24
+    // ql/src/Security/CWE-090/LdapInjection.ql:27: Column 5 does not select a source or sink originating from the flow call on line 24
+    none()
+  }
 }

 /** Global taint-tracking for detecting "LDAP injection via the filter parameter" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/LogInjectionQuery.qll
@@ -17,6 +17,8 @@ private module LogInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "log injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/NoSqlInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/NoSqlInjectionQuery.qll
@@ -56,6 +56,8 @@ module NoSqlInjectionConfig implements DataFlow::StateConfigSig {
  predicate isBarrier(DataFlow::Node node) {
    node = any(NoSqlSanitizer noSqlSanitizer).getAnInput()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module NoSqlInjectionFlow = TaintTracking::GlobalWithState<NoSqlInjectionConfig>;
--- a/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PamAuthorizationQuery.qll
@@ -31,6 +31,8 @@ private module PamAuthorizationConfig implements DataFlow::ConfigSig {
    // Flow from handle to the authenticate call in the final step
    exists(VulnPamAuthCall c | c.getArg(0) = node1 | node2 = c)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "PAM Authorization" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PathInjectionQuery.qll
@@ -71,6 +71,8 @@ module PathInjectionConfig implements DataFlow::StateConfigSig {
    stateFrom instanceof NotNormalized and
    stateTo instanceof NormalizedUnchecked
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "path injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/PolynomialReDoSQuery.qll
@@ -17,6 +17,13 @@ private module PolynomialReDoSConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-730/PolynomialReDoS.ql:31: Column 1 selects sink.getHighlight
+    // ql/src/Security/CWE-730/PolynomialReDoS.ql:33: Column 5 does not select a source or sink originating from the flow call on line 24
+    none()
+  }
 }

 /** Global taint-tracking for detecting "polynomial regular expression denial of service (ReDoS)" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ReflectedXssQuery.qll
@@ -17,6 +17,8 @@ private module ReflectedXssConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "reflected server-side cross-site scripting" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/RegexInjectionQuery.qll
@@ -18,6 +18,12 @@ private module RegexInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-730/RegexInjection.ql:29: Column 7 selects sink.getRegexExecution
+    none()
+  }
 }

 /** Global taint-tracking for detecting "regular expression injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll
@@ -29,6 +29,13 @@ private module FullServerSideRequestForgeryConfig implements DataFlow::ConfigSig
    or
    node instanceof FullUrlControlSanitizer
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryQuery.qll:47: Flow call outside 'select' clause
+    // ql/src/Security/CWE-918/FullServerSideRequestForgery.ql:24: Column 1 selects sink.getRequest
+    none()
+  }
 }

 /**
@@ -58,6 +65,12 @@ private module PartialServerSideRequestForgeryConfig implements DataFlow::Config
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-918/PartialServerSideRequestForgery.ql:24: Column 1 selects sink.getRequest
+    none()
+  }
 }

 /**
--- a/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/SqlInjectionQuery.qll
@@ -17,6 +17,8 @@ private module SqlInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "SQL injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/StackTraceExposureQuery.qll
@@ -26,6 +26,8 @@ private module StackTraceExposureConfig implements DataFlow::ConfigSig {
      nodeTo = attr
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "stack trace exposure" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/TarSlipQuery.qll
@@ -17,6 +17,8 @@ private module TarSlipConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "tar slip" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/TemplateInjectionQuery.qll
@@ -17,6 +17,8 @@ private module TemplateInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node node) { node instanceof Sink }

  predicate isBarrierIn(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "template injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeDeserializationQuery.qll
@@ -17,6 +17,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "code execution from deserialization" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UnsafeShellCommandConstructionQuery.qll
@@ -28,6 +28,13 @@ module UnsafeShellCommandConstructionConfig implements DataFlow::ConfigSig {

  // override to require the path doesn't have unmatched return steps
  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:27: Column 1 selects sink.getStringConstruction
+    // ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql:29: Column 7 selects sink.getCommandExecution
+    none()
+  }
 }

 /** Global taint-tracking for detecting "shell command constructed from library input" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/UrlRedirectQuery.qll
@@ -32,6 +32,8 @@ private module UrlRedirectConfig implements DataFlow::StateConfigSig {
  ) {
    any(UrlRedirect::AdditionalFlowStep a).step(nodeFrom, stateFrom, nodeTo, stateTo)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "URL redirection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll
@@ -33,6 +33,12 @@ module NormalHashFunction {
    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
      sensitiveDataExtraStepForCalls(node1, node2)
    }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll:88: Flow call outside 'select' clause
+      none()
+    }
  }

  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on sensitive data" vulnerabilities. */
@@ -63,6 +69,12 @@ module ComputationallyExpensiveHashFunction {
    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
      sensitiveDataExtraStepForCalls(node1, node2)
    }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/lib/semmle/python/security/dataflow/WeakSensitiveDataHashingQuery.qll:95: Flow call outside 'select' clause
+      none()
+    }
  }

  /** Global taint-tracking for detecting "use of a broken or weak cryptographic hashing algorithm on passwords" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll
@@ -17,6 +17,8 @@ private module XmlBombConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "XML bomb" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XpathInjectionQuery.qll
@@ -17,6 +17,8 @@ private module XpathInjectionConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "Xpath Injection" vulnerabilities. */
--- a/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll
@@ -17,6 +17,8 @@ private module XxeConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "XML External Entity (XXE)" vulnerabilities. */
--- a/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll
@@ -171,6 +171,13 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:181: Flow call outside 'select' clause
+    // ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIs.qll:184: Flow call outside 'select' clause
+    none()
+  }
 }

 /** Global taint-tracking from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
--- a/python/ql/src/Security/CWE-327/FluentApiModel.qll
+++ b/python/ql/src/Security/CWE-327/FluentApiModel.qll
@@ -110,6 +110,12 @@ module InsecureContextConfiguration implements DataFlow::StateConfigSig {
      )
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/Security/CWE-327/FluentApiModel.qll:130: Flow call outside 'select' clause
+    none()
+  }
 }

 private module InsecureContextFlow = DataFlow::GlobalWithState<InsecureContextConfiguration>;
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -119,6 +119,8 @@ private module HardcodedCredentialsConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof HardcodedValueSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof CredentialSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module HardcodedCredentialsFlow = TaintTracking::Global<HardcodedCredentialsConfig>;
--- a/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql
+++ b/python/ql/src/experimental/Security/CWE-022bis/TarSlipImprov.ql
@@ -109,6 +109,8 @@ private module TarSlipImprovConfig implements DataFlow::ConfigSig {
    nodeFrom = nodeTo.(API::CallNode).getArg(0) and
    nodeFrom = tarfileOpen().getReturn().getAValueReachableFromSource()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting more "TarSlip" vulnerabilities. */
--- a/python/ql/src/experimental/Security/CWE-091/XsltInjectionQuery.qll
+++ b/python/ql/src/experimental/Security/CWE-091/XsltInjectionQuery.qll
@@ -19,6 +19,8 @@ module XsltInjectionConfig implements DataFlow::ConfigSig {
    // opted for the more simple approach.
    nodeTo = elementTreeConstruction(nodeFrom)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module XsltInjectionFlow = TaintTracking::Global<XsltInjectionConfig>;
--- a/python/ql/src/experimental/Security/CWE-094/Js2Py.ql
+++ b/python/ql/src/experimental/Security/CWE-094/Js2Py.ql
@@ -24,6 +24,8 @@ module Js2PyFlowConfig implements DataFlow::ConfigSig {
    API::moduleImport("js2py").getMember(["eval_js", "eval_js6", "EvalJs"]).getACall().getArg(_) =
      node
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module Js2PyFlow = TaintTracking::Global<Js2PyFlowConfig>;
--- a/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll
+++ b/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidationQuery.qll
@@ -75,6 +75,8 @@ private module UnicodeBypassValidationConfig implements DataFlow::StateConfigSig
    ) and
    state instanceof PostValidation
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "Unicode transformation mishandling" vulnerabilities. */
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
@@ -26,6 +26,12 @@ private module PossibleTimingAttackAgainstHashConfig implements DataFlow::Config
  predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }

  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql:41: Column 5 selects source.getResultType
+    none()
+  }
 }

 module PossibleTimingAttackAgainstHashFlow =
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql
@@ -25,6 +25,12 @@ private module TimingAttackAgainstHashConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof ProduceCryptoCall }

  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql:39: Column 5 selects source.getResultType
+    none()
+  }
 }

 module TimingAttackAgainstHashFlow = TaintTracking::Global<TimingAttackAgainstHashConfig>;
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHeaderValue/TimingAttackAgainstHeaderValue.ql
@@ -23,6 +23,8 @@ private module TimingAttackAgainstHeaderValueConfig implements DataFlow::ConfigS
  predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedSecret }

  predicate isSink(DataFlow::Node sink) { sink instanceof CompareSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module TimingAttackAgainstHeaderValueFlow =
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/PossibleTimingAttackAgainstSensitiveInfo.ql
@@ -23,6 +23,8 @@ private module PossibleTimingAttackAgainstSensitiveInfoConfig implements DataFlo
  predicate isSource(DataFlow::Node source) { source instanceof SecretSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module PossibleTimingAttackAgainstSensitiveInfoFlow =
--- a/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
+++ b/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstSensitiveInfo/TimingAttackAgainstSensitiveInfo.ql
@@ -24,6 +24,8 @@ private module TimingAttackAgainstSensitiveInfoConfig implements DataFlow::Confi
  predicate isSource(DataFlow::Node source) { source instanceof SecretSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module TimingAttackAgainstSensitiveInfoFlow =
--- a/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
+++ b/python/ql/src/experimental/Security/CWE-287-ConstantSecretKey/WebAppConstantSecretKey.ql
@@ -52,6 +52,8 @@ private module WebAppConstantSecretKeyConfig implements DataFlow::StateConfigSig
    or
    state = Django() and DjangoConstantSecretKeyConfig::isSink(sink)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module WebAppConstantSecretKeyFlow = TaintTracking::GlobalWithState<WebAppConstantSecretKeyConfig>;
--- a/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+++ b/python/ql/src/experimental/Security/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
@@ -145,6 +145,8 @@ private module AzureBlobClientConfig implements DataFlow::StateConfigSig {
      node = call.getObject()
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module AzureBlobClientFlow = DataFlow::GlobalWithState<AzureBlobClientConfig>;
--- a/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
+++ b/python/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql
@@ -51,6 +51,8 @@ private module TokenBuiltFromUuidConfig implements DataFlow::ConfigSig {
      nodeTo = call
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "TokenBuiltFromUUID" vulnerabilities. */
--- a/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
+++ b/python/ql/src/experimental/Security/CWE-346/CorsBypass.ql
@@ -79,6 +79,8 @@ module CorsBypassConfig implements DataFlow::ConfigSig {
      c.getReturn().asSource() = node2 and n.asSource() = node1
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module CorsFlow = TaintTracking::Global<CorsBypassConfig>;
--- a/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+++ b/python/ql/src/experimental/Security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -45,6 +45,8 @@ private module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::Co
      ss = node.asExpr()
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "client ip used in security check" vulnerabilities. */
--- a/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
+++ b/python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
@@ -108,6 +108,8 @@ private module UnicodeDoSConfig implements DataFlow::ConfigSig {
          .getACall()
          .getArg(_)
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module UnicodeDoSFlow = TaintTracking::Global<UnicodeDoSConfig>;
--- a/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
+++ b/python/ql/src/experimental/Security/UnsafeUnpackQuery.qll
@@ -208,6 +208,8 @@ module UnsafeUnpackConfig implements DataFlow::ConfigSig {
      nodeFrom = mcn.getArg(0)
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "UnsafeUnpacking" vulnerabilities. */
--- a/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
+++ b/python/ql/src/experimental/semmle/python/libraries/SmtpLib.qll
@@ -38,6 +38,12 @@ module SmtpLib {
    predicate isSink(DataFlow::Node sink) {
      sink = smtpMimeMultipartInstance().getACall().getArgByName("_subparts")
    }
+
+    predicate observeDiffInformedIncrementalMode() {
+      // TODO(diff-informed): Manually verify if config can be diff-informed.
+      // ql/src/experimental/semmle/python/libraries/SmtpLib.qll:91: Flow call outside 'select' clause
+      none()
+    }
  }

  module SmtpMessageFlow = TaintTracking::Global<SmtpMessageConfig>;
--- a/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
+++ b/python/ql/src/experimental/semmle/python/security/DecompressionBomb.qll
@@ -408,6 +408,8 @@ module BombsConfig implements DataFlow::ConfigSig {
      isAdditionalTaintStepTextIOWrapper(pred, succ)
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 module BombsFlow = TaintTracking::Global<BombsConfig>;
--- a/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
+++ b/python/ql/src/experimental/semmle/python/security/InsecureRandomness.qll
@@ -27,6 +27,8 @@ module InsecureRandomness {
    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }

    predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /** Global taint-tracking for detecting "random values that are not cryptographically secure" vulnerabilities. */
--- a/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
+++ b/python/ql/src/experimental/semmle/python/security/LdapInsecureAuth.qll
@@ -101,6 +101,8 @@ private module LdapInsecureAuthConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) {
    exists(LdapBind ldapBind | not ldapBind.useSsl() and sink = ldapBind.getHost())
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "LDAP insecure authentications" vulnerabilities. */
--- a/python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll
+++ b/python/ql/src/experimental/semmle/python/security/RemoteCommandExecution.qll
@@ -10,6 +10,8 @@ module RemoteCommandExecutionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) { sink = any(RemoteCommandExecution rce).getCommand() }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "secondary server command injection" vulnerabilities. */
--- a/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
+++ b/python/ql/src/experimental/semmle/python/security/TimingAttack.qll
@@ -271,6 +271,12 @@ module UserInputSecretConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CredentialExpr }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/semmle/python/security/TimingAttack.qll:176: Flow call outside 'select' clause
+    none()
+  }
 }

 module UserInputSecretFlow = TaintTracking::Global<UserInputSecretConfig>;
@@ -288,6 +294,12 @@ module UserInputInComparisonConfig implements DataFlow::ConfigSig {
      sink.asExpr() = [left, right]
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/semmle/python/security/TimingAttack.qll:165: Flow call outside 'select' clause
+    none()
+  }
 }

 module UserInputInComparisonFlow = TaintTracking::Global<UserInputInComparisonConfig>;
@@ -304,6 +316,12 @@ private module ExcludeLenFuncConfig implements DataFlow::ConfigSig {
      sink.asExpr() = call.getArg(0)
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() {
+    // TODO(diff-informed): Manually verify if config can be diff-informed.
+    // ql/src/experimental/semmle/python/security/TimingAttack.qll:347: Flow call outside 'select' clause
+    none()
+  }
 }

 module ExcludeLenFuncFlow = TaintTracking::Global<ExcludeLenFuncConfig>;
--- a/python/ql/src/experimental/semmle/python/security/ZipSlip.qll
+++ b/python/ql/src/experimental/semmle/python/security/ZipSlip.qll
@@ -34,6 +34,8 @@ private module ZipSlipConfig implements DataFlow::ConfigSig {
    ) and
    not sink.getScope().getLocation().getFile().inStdlib()
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "zip slip" vulnerabilities. */
--- a/python/ql/src/experimental/semmle/python/security/dataflow/EmailXss.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/EmailXss.qll
@@ -34,6 +34,8 @@ private module EmailXssConfig implements DataFlow::ConfigSig {
      nodeFrom = htmlContentCall.getArg(0)
    )
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 /** Global taint-tracking for detecting "Email XSS" vulnerabilities. */
--- a/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
@@ -17,6 +17,8 @@ private module CsvInjectionConfig implements DataFlow::ConfigSig {
    node = DataFlow::BarrierGuard<startsWithCheck/3>::getABarrierNode() or
    node instanceof ConstCompareBarrier
  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
 }

 private predicate startsWithCheck(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
--- a/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
+++ b/python/ql/src/semmle/python/functions/ModificationOfParameterWithDefault.qll
@@ -45,11 +45,15 @@ module ModificationOfParameterWithDefault {
      copyTarget(node) and state in [true, false]
    }

-    private predicate copyTarget(DataFlow::Node node) {
+    private predicate observeDiffInformedIncrementalMode() { any() }
+
+    predicate copyTarget(DataFlow::Node node) {
      node = API::moduleImport("copy").getMember(["copy", "deepcopy"]).getACall()
      or
      node.(DataFlow::MethodCallNode).calls(_, "copy")
    }
+
+    predicate observeDiffInformedIncrementalMode() { any() }
  }

  /** Global data-flow for detecting modifications of a parameters default value. */