wip: many revisions

This commit is contained in:
Michael Hohn
2025-08-06 18:11:44 -07:00
committed by =Michael Hohn
parent 269be51b58
commit d82a957df0
2 changed files with 4 additions and 45 deletions

@@ -219,50 +219,13 @@
To customize CodeQL for Java, we identify and extend base classes to add
custom flow sources and sinks. A general explanation of this approach is
available in the file [[./codeql-dataflow-sql-injection-c/README.org][README.org]], particularly
the section [[file:codeql-dataflow-sql-injection-c/README.org::*supplement codeql: Add to FlowSource or a subclass][supplement codeql: Add to FlowSource or a subclass]]. For Java,
[[./ql/java/ql/lib/java.qll][java.qll]] includes [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which provides extension points for
the section
[[file:codeql-sqlite-java/README.org::*Supplement CodeQL: Add to FlowSource or a Subclass][Supplement CodeQL: Add to FlowSource or a Subclass]]
. For Java, [[./ql/java/ql/lib/java.qll][java.qll]] includes [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which provides extension points for
custom flow modeling -- this structure is common across most CodeQL-supported
languages, with the notable exception of C. Further details on this
customization process can be found in
[[./codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md][incoming.codeql-customizations-workshop.md]].
- illustrate what source, sink find using QueryInjectionFlowConfig in
SqlInjectionQuery.qll
- sink ok
- no source
- find the base class of source, so we know what to extend
- import gotcha
I used
import semmle.code.java.dataflow.FlowSources as Sources
class ReadLine extends Sources::RemoteFlowSource {
Does this work too or is private better?
- Q: how to run all the CWE* queries against some file?
- packs at https://github.com/advanced-security/codeql-bundle
- how to run all the CWE* queries against some file?
-- the codeql database analyze command can take several arguments, including a directory or query spec
To get the full options, run
0:$ codeql database analyze -vvvv -h
Usage: codeql database analyze [OPTIONS] -- <database> [<query|dir|suite|pack>...]
Analyze a database, producing meaningful results in the context of the source code.
Run a query suite (or some individual queries) against a CodeQL database, producing results, styled as
alerts or paths, in SARIF or another interpreted format.
This command combines the effect of the codeql database run-queries and codeql database interpret-result
- How do you install/include the CodeQL bundles with the modified Customizations.qll?
That part we have not deciphered in detail. the CLI tool at
https://github.com/advanced-security/codeql-bundle does this -- but it's a
black box
[[./codeql-sqlite-java/incoming.codeql-customizations-workshop.md][incoming.codeql-customizations-workshop.md]].
*** Customizations via Model Editor: Jedis Example (Java Redis client)
The Jedis example is a straightforward case with no unexpected
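Review bot: the `.` that opens the line after the `[[file:codeql-sqlite-java/README.org::*Supplement CodeQL: Add to FlowSource or a Subclass]]` link will render in Org as a space followed by a period, and the heading text in that link changed spelling from the old `supplement codeql: Add to FlowSource or a subclass`; an Org `::*Heading` link has to match the heading as written in the target file, so confirm that codeql-sqlite-java/README.org actually carries the heading `Supplement CodeQL: Add to FlowSource or a Subclass` and move the period onto the link line, e.g. `...Add to FlowSource or a Subclass]]. For Java, [[./ql/java/ql/lib/java.qll][java.qll]] includes ...`. Separately, the working notes dropped here still contain open questions that the surviving prose does not answer (`how to run all the CWE* queries against some file?`, `How do you install/include the CodeQL bundles with the modified Customizations.qll?`, and the `private` versus `import ... as Sources` question for `class ReadLine extends Sources::RemoteFlowSource`); rather than losing them in a `wip` commit, keep them under a TODO heading or move them to an issue so they get answered.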
@@ -270,12 +233,9 @@
and repetitive pattern, making it ideal for large-scale modeling. The CodeQL
model editor can be used to efficiently define sources and sinks for such
cases. A detailed explanation is provided
OK
in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][Modeling Jedis as a Dependency in Model Editor]], while validation of
OK
the modeled sink is discussed in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Verifying the Modeled Sink][Verifying the Modeled Sink]].
Finally, the query-level usage of these models can be seen
OK
in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]].
*** Customizations via Model Editor: Single-function case (Java SQLite sample)
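Review bot: the three Jedis links point at `file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*...`, a path under one user's home directory, whereas the links earlier in this file are repo-relative (`./codeql-sqlite-java/README.org`, `./ql/java/ql/lib/java.qll`); the home-directory form only resolves on the author's machine and breaks for anyone cloning the repo or reading a rendered copy. Suggest `[[file:codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][Modeling Jedis as a Dependency in Model Editor]]` and the same change for the `Verifying the Modeled Sink` and `Identify usage of injection-related models in existing queries` links. If the bare `OK` lines interleaved in this paragraph are review marks from an earlier pass, make sure none remain once this change lands.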
@@ -288,7 +248,6 @@
[[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]], and the extension data
is provided in
[[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]]. A detailed
*OK*
explanation is available in [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]].
To support this, we explain how the "models-as-data" system works
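Review bot: the `[[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]]` and `[[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]]` links carry no description, so they render as the full path inside the sentence; and the detailed-explanation link again uses `file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org`, which resolves only on this author's machine. Suggest adding descriptions, e.g. `[[./.github/codeql/extensions/sqlite-db/codeql-pack.yml][codeql-pack.yml]]` and `[[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml][sqlite.model.yml]]`, and the repo-relative `[[file:codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]`, consistent with the `./codeql-sqlite-java/...` links used earlier in this file.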