session.ql: predicates

session.ql

@@ -22,6 +22,18 @@ int get_new_id() {
 // and buf = read.getArgument(1)
 // select read, buf
 
+predicate isSource(Expr buf) {
+    exists(FunctionCall read |
+         read.getTarget().getName() = "read"
+         and buf = read.getArgument(1)
+    )
+}
+
+// from Expr buf
+// where isSource(buf)
+// select buf
+
+
 
 // 2. writing sql -- sink
 //     rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
@@ -30,6 +42,15 @@ int get_new_id() {
 // where exec.getTarget().getName() = "sqlite3_exec"
 // and query = exec.getArgument(1)
 // select exec, query
+predicate isSink(Expr query) {
+    exists(FunctionCall exec |
+        exec.getTarget().getName() = "sqlite3_exec"
+        and query = exec.getArgument(1)
+    )
+}
+// from Expr query 
+// where isSink(query)
+// select query
 
 
 // 3. find call path between 1 and 2 them