JavaScript: Refactor unpromoted-candidate queries to no longer rely on tracked nodes.

javascript/ql/src/meta/analysis-quality/CandidateTracking.qll

@@ -0,0 +1,16 @@
+/**
+ * Provides an auxiliary predicate shared among the unpromoted-candidate queries.
+ */
+
+import javascript
+
+/**
+ * Gets a source node to which `cand` may flow inter-procedurally, with `t` tracking
+ * the state of flow.
+ */
+DataFlow::SourceNode track(HTTP::RouteHandlerCandidate cand, DataFlow::TypeTracker t) {
+  t.start() and
+  result = cand
+  or
+  exists(DataFlow::TypeTracker t2 | result = track(cand, t2).track(t2, t))
+}

javascript/ql/src/meta/analysis-quality/UnpromotedRouteHandlerCandidate.ql

@@ -9,12 +9,13 @@
  */
 
 import javascript
+import CandidateTracking
 
 from HTTP::RouteHandlerCandidate rh
 where
   not rh instanceof HTTP::RouteHandler and
   not exists(HTTP::RouteSetupCandidate setup |
-    rh.(DataFlow::TrackedNode).flowsTo(setup.getARouteHandlerArg())
+    track(rh, DataFlow::TypeTracker::end()).flowsTo(setup.getARouteHandlerArg())
   )
 select rh,
   "A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`."

javascript/ql/src/meta/analysis-quality/UnpromotedRouteSetupCandidate.ql

@@ -9,12 +9,13 @@
  */
 
 import javascript
+import CandidateTracking
 
 from HTTP::RouteSetupCandidate setup
 where
   not setup.asExpr() instanceof HTTP::RouteSetup and
   exists(HTTP::RouteHandlerCandidate rh |
-    rh.(DataFlow::TrackedNode).flowsTo(setup.getARouteHandlerArg())
+    track(rh, DataFlow::TypeTracker::end()).flowsTo(setup.getARouteHandlerArg())
   )
 select setup,
   "A `RouteSetupCandidate` that did not get promoted to `RouteSetup`, and it is using at least one `RouteHandlerCandidate`."