Is there a CodeQL query that finds ALL sources and sinks with their function bodies and Flow?

[akanksha1131]

Hi,

I'm looking for a CodeQL query that provides results in this format:

Source: function A (function A body) -> function B (function B body) -> .... -> Sink: function Z (function Z body)

I've researched various queries, including dataflow queries, but they mostly return data flow analysis and do not detail each source and sink function with their function bodies.
I dont want analysis, rather I want source to sink flow with function bodies

Could anyone please let me know if such a query exists and how to run it?

[jketema]

Hi @akanksha1131,

Thanks for your question. I’m not exactly sure what you’re after. Do you want to be the output of your select to be:

Source: function A (function A body) -> function B (function B body) -> .... -> Sink: function Z (function Z body)

or do you want to define your own paths, similar to dataflow paths?

[akanksha1131]

@jketema Hi, yes, I want the output of my select statement to be the source to sink flow [for eg: Source: function A (function A body) -> function B (function B body) -> .... -> Sink: function Z (function Z body) ]
Like this (as the output of the query):

[jketema]

That's called a path, not the output of a select. Roughly, if you want to create something like this yourself, you'll need to write a query that has the following structure:

/**
 * @kind path-problem
 */

class NodeType { ... }

query predicate edges(NodeType a, NodeType b) {
  // should hold if there is a step from a to b
}

query predicate nodes(NodeType n, string key, string val) {
    // if n is a node along a path
    and key = "semmle.label" and val = n.toString()
}

from ...
where ...
select sink, source, sink, "..."

Dataflow queries have such a structure, but the edges and nodes query predicates are imported under the hood in that case, so you don't have to implement them. There should be some other examples of this in the CodeQL codebase, but not a lot. I would recommend searching for query predicate edges in the CodeQL repository.

If there's a concrete problem where you would like the output to be of this form, and are willing to share what the problem is, then we can definitely guide you with filling in the above structure.

[akanksha1131]

Hi @jketema thanks for the insight!
Basically what my project requires is:

1. Identifying Candidate Paths with CodeQL:
   CodeQL first identifies potential source-to-sink paths—e.g., user input (source) flowing to a database query (sink) without validation.

2. LLM Analysis for Context:
   The candidate paths are then passed to an LLM for further analysis.

[jketema]

Identifying Candidate Paths with CodeQL:
CodeQL first identifies potential source-to-sink paths—e.g., user input (source) flowing to a database query (sink) without validation.

You still want to be pretty aggressive with the filtering here, and not postpone everything until step 2, especially when you're using some form of dataflow, because otherwise computing paths might become very expensive.

[akanksha1131]

OK, Noted!
@jketema is there an inbuilt query within codeql that can only give the source to sink path that I want, or will I have to write the query myself?
The queries I found and tried, such as "java-security-and-quality.qls" give more of an analysis than the paths.

Also, which query does codeql itself use to find these paths, as shown in the below picture?

[jketema]

OK, Noted! @jketema is there an inbuilt query within codeql that can only give the source to sink path that I want, or will I have to write the query myself? The queries I found and tried, such as "java-security-and-quality.qls" give more of an analysis than the paths.

"java-security-and-quality.qls" is a query suite consisting of many queries. All the queries for which paths are shown like in your pictures follow the pattern sketched in my earlier comment.

Also, which query does codeql itself use to find these paths, as shown in the below picture?

There is no such query. CodeQL simply outputs the result of a select plus nodes and edges. The construction of the paths is then up to the engine that displays the results (either the web interface or the CodeQL VSCode extension). Roughly these engines take the source and sink from a result and then use edges to construct a number of shortest paths between the source and the sink.

[akanksha1131]

@jketema ok, thanks a lot!