diff --git a/README.org b/README.org
index 264acb1..55168a4 100644
--- a/README.org
+++ b/README.org
@@ -202,13 +202,23 @@
 --ram=14000 \
 -j12 \
 --rerun \
- --search-path ~/local/vmsync/ql \
 --format=sarif-latest \
 --output cpp-sqli.sarif \
 -- \
 $DB \
 $SRCDIR/SqlInjection.ql
+ codeql database analyze \
+ -v \
+ --ram=14000 \
+ -j12 \
+ --rerun \
+ --format=sarif-latest \
+ --output cpp-sqli.sarif \
+ -- \
+ $DB \
+ $SRCDIR/trivial.ql
+
 # Examine the file in an editor
 edit cpp-sqli.sarif
 #+END_SRC
diff --git a/SqlInjection.ql b/SqlInjection.ql
index 63c1d94..9c7ba27 100644
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -20,21 +20,21 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node sanitizer) { none() }
- predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
- // Extra taint step
- // snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
- // But snprintf is a macro on mac os. The actual function's name is
- // #undef snprintf
- // #define snprintf(str, len, ...) \
- // __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
- // #endif
- exists(FunctionCall printf |
- printf.getTarget().getName().matches("%snprintf%") and
- printf.getArgument(0) = out.asDefiningArgument() and
- // very specific: shifted index for macro.
- printf.getArgument(6) = into.asIndirectArgument()
- )
- }
+// predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
+// // Extra taint step
+// // snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
+// // But snprintf is a macro on mac os. The actual function's name is
+// // #undef snprintf
+// // #define snprintf(str, len, ...) \
+// // __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
+// // #endif
+// exists(FunctionCall printf |
+// printf.getTarget().getName().matches("%snprintf%") and
+// printf.getArgument(0) = out.asDefiningArgument() and
+// // very specific: shifted index for macro.
+// printf.getArgument(6) = into.asIndirectArgument()
+// )
+// }
 predicate isSink(DataFlow::Node sink) {
 // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
 exists(FunctionCall exec |
diff --git a/notes.org b/notes.org
new file mode 100644
index 0000000..94ad822
--- /dev/null
+++ b/notes.org
@@ -0,0 +1,10 @@
+* sequence
+ - [X] build program
+ - [X] build under codeql control -> codeql db
+ /Users/hohn/2025-05-21/codeqlworkshop/codeql-c-sqli/cpp-sqli-35d4c80
+ - [X] write / use query (db + query -> codeql -> sarif)
+ - [X] view sarif
+
+ - [ ] follow up:
+ + [ ] classes of vulnerabilities
+
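Review bot: Commenting out `isAdditionalFlowStep` (the fifteen `+//` lines) leaves dead code in the module with no record of why the snprintf step was disabled, even though the old comments already state the real reason: the hard-coded `printf.getArgument(6)` only matches the macOS `__builtin___snprintf_chk` expansion and is the wrong index for a plain `snprintf` call. Prefer deleting the block (git history keeps it) and leaving a one-line note such as `// No extra snprintf step: the previous getArgument(6) index only matched the macOS __builtin___snprintf_chk expansion.` The rest of the module, including whether this configuration is instantiated through DataFlow::Global or TaintTracking::Global, is outside the hunk, so it cannot be confirmed here whether a `query` buffer filled by snprintf still reaches the `sqlite3_exec` sink; under plain data flow, dropping the step silently removes that finding rather than fixing the portability problem. A portable replacement would derive the format-argument position from the resolved call target instead of hard-coding 6.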