From fd88b6fba24ddcf6e4699fc0f8c04091f682b79a Mon Sep 17 00:00:00 2001
From: Michael Hohn
Date: Thu, 10 Jul 2025 13:08:44 -0700
Subject: [PATCH] wip: ** TODO supplement sources via the model editor, - [ ] We can supplement in different ways
---
 codeql-sqlite/README.org | 48 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 46 insertions(+), 2 deletions(-)
diff --git a/codeql-sqlite/README.org b/codeql-sqlite/README.org
index 82343c1..4fcecd0 100644
--- a/codeql-sqlite/README.org
+++ b/codeql-sqlite/README.org
@@ -57,7 +57,7 @@
 + check source, sink + we have a sink + but ActiveThreatModelSource finds no source - - [ ] We can + - [ ] We can supplement in different ways - supplement codeql: Write full manual query: already in workshop - supplement codeql: Add to FlowSource or a subclass 
@@ -81,7 +81,40 @@
 #+END_SRC and others. - ql/java/ql/lib/Customizations.qll + In + [[../ql/java/ql/lib/Customizations.qll]] + notice the comments mentioning RemoteFlowSource. + Use imports from [[../ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql]] + but note that there are conflicts. you will use + : private import semmle.code.java.dataflow.FlowSources + Follow this to FlowSources, and find the mentioned RemoteFlowSource + : abstract class RemoteFlowSource extends SourceNode + + Add the custom source. The modified [[../ql/java/ql/lib/Customizations.qll]] is + #+BEGIN_SRC java + private import semmle.code.java.dataflow.FlowSources + + class ReadLine extends RemoteFlowSource { + ReadLine() { + exists(Call read | + read.getCallee().getName() = "readLine" and + read = this.asExpr() + ) + } + + override string getSourceType() { result = "Console readline" } + } + #+END_SRC + + Note that the predicate + #+BEGIN_SRC java + module QueryInjectionFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } + ...; + } + #+END_SRC + now also returns the readLine() result -- although we extended + RemoteFlowSource, not ActiveThreatModelSource + [ ] customizations in staging repo 
@@ -91,6 +124,17 @@
 - data sample: [[../.github/codeql/extensions/jedis-db-local-java/models/redis.clients.jedis.model.yml]] + In the model editor, we see a java.io.*Console.*readline' + #+BEGIN_SRC sh + 1:$ rg -i 'java.io.*Console.*readline' ql/java + ql/java/ql/lib/ext/generated/java.io.model.yml + 16: - ["java.io", "Console", False, "readLine", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"] + 17: - ["java.io", "Console", False, "readLine", "(String,Object[])", "", "Argument[0]", "Argument[this]", "taint", "df-generated"] + 18: - ["java.io", "Console", False, "readLine", "(String,Object[])", "", "Argument[1].ArrayElement", "Argument[this]", "taint", "df-generated"] + 19: - ["java.io", "Console", False, "readLine", "(String,Object[])", "", "Argument[this]", "ReturnValue", "taint", "df-generated"] + #+END_SRC + + - [ ] checkkn