Add new module-based query

session/README.org

@@ -15,59 +15,9 @@
       expression, the =query= argument.  Again start from =from..where..select=,
       then convert to a predicate.
 
-   3. Fill in the /taintflow configuration/ boilerplate
-      #+BEGIN_SRC java
-        class SqliFlowConfig extends TaintTracking::Configuration {
-            SqliFlowConfig() { this = "SqliFlow" }
+   3. Fill in the /taintflow configuration/ boilerplate.
 
-            override predicate isSource(DataFlow::Node node) {
-                none()
-                    }
-
-            override predicate isSink(DataFlow::Node node) {
-                none()
-                    }
-        }
-      #+END_SRC
-
-   The final query (without =isAdditionalTaintStep=) is
-   #+BEGIN_SRC java
-     /**
-      ,* @name SQLI Vulnerability
-      ,* @description Using untrusted strings in a sql query allows sql injection attacks.
-      ,* @kind path-problem
-      ,* @id java/SQLIVulnerable
-      ,* @problem.severity warning
-      ,*/
-
-     import java
-     import semmle.code.java.dataflow.TaintTracking
-     import DataFlow::PathGraph
-
-     class SqliFlowConfig extends TaintTracking::Configuration {
-         SqliFlowConfig() { this = "SqliFlow" }
-
-         override predicate isSource(DataFlow::Node source) {
-            // System.console().readLine();
-            exists(Call read |
-                read.getCallee().getName() = "readLine" and
-                read = source.asExpr()
-            )
-        }
-
-         override predicate isSink(DataFlow::Node sink) {
-            // conn.createStatement().executeUpdate(query);
-            exists(Call exec |
-                exec.getCallee().getName() = "executeUpdate" and
-                exec.getArgument(0) = sink.asExpr()
-            )
-        }
-     }
-
-     from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
-     where conf.hasFlowPath(source, sink)
-     select sink, source, sink, "Possible SQL injection"
-   #+END_SRC
+   The final query is in [[./full-query.ql]]
 
 ** (optional) Review of the results via SARIF file 
    Query results are available in several output formats using the cli.  The

session/full-query.ql

@@ -0,0 +1,53 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/SQLIVulnerable
+ * @problem.severity warning
+ */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow 
+
+/**
+ * A global data-flow configuration using modules
+ */
+// Note result differences between 
+module InputToSQL = TaintTracking::Global<SqliFlowConfig>;
+// and 
+// module InputToSQL = DataFlow::Global<SqliFlowConfig>;
+
+module SqliFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // System.console().readLine();
+    exists(Call read |
+      read.getCallee().getName() = "readLine" and
+      read = source.asExpr()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    // conn.createStatement().executeUpdate(query);
+    exists(Call exec |
+      exec.getCallee().getName() = "executeUpdate" and
+      exec.getArgument(0) = sink.asExpr()
+    )
+  }
+
+  // predicate isSanitizer(DataFlow::Node sanitizer) { none() }
+
+  // predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
+  //   // Extra taint step
+  //   //     String.format("INSERT INTO users VALUES (%d, '%s')", id, info);
+  //   // Not needed here, but may be needed for larger libraries.
+  //   none()
+  // }
+}
+
+// To construct the paths between sources and sinks.
+import InputToSQL::PathGraph
+
+from InputToSQL::PathNode source, InputToSQL::PathNode sink
+where InputToSQL::flowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"