add some more meta queries for Ruby evaluations

ruby/ql/src/queries/meta/TaintSteps.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Taint steps
+ * @description The number of default taint steps.
+ * @kind metric
+ * @metricType project
+ * @metricAggregate sum
+ * @tags meta
+ * @id rb/meta/taint-steps
+ */
+
+import ruby
+import internal.TaintMetrics
+import codeql.ruby.dataflow.internal.TaintTrackingPublic
+
+predicate relevantStep(DataFlow::Node pred, DataFlow::Node succ) { localTaintStep(pred, succ) }
+
+select projectRoot(), count(DataFlow::Node pred, DataFlow::Node succ | relevantStep(pred, succ))

ruby/ql/src/queries/meta/TaintedNodes.ql

@@ -0,0 +1,28 @@
+/**
+ * @name Tainted nodes
+ * @description Nodes reachable from a remote flow source via default taint-tracking steps.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id rb/meta/tainted-nodes
+ * @tags meta
+ * @precision very-low
+ */
+
+import internal.TaintMetrics
+import codeql.ruby.DataFlow
+import codeql.ruby.TaintTracking
+
+class BasicTaintConfiguration extends TaintTracking::Configuration {
+  BasicTaintConfiguration() { this = "BasicTaintConfiguration" }
+
+  override predicate isSource(DataFlow::Node node) { node = relevantTaintSource(_) }
+
+  override predicate isSink(DataFlow::Node node) {
+    // To reduce noise from synthetic nodes, only count nodes that have an associated expression.
+    exists(node.asExpr().getExpr())
+  }
+}
+
+from DataFlow::Node node
+where any(BasicTaintConfiguration cfg).hasFlow(_, node)
+select node, "Tainted node"

ruby/ql/src/queries/meta/internal/TaintMetrics.qll

@@ -36,3 +36,10 @@ DataFlow::Node relevantTaintSink(string kind) {
     kind = "UrlRedirect" and result instanceof UrlRedirect::Sink
   )
 }
+
+/**
+ * Gets the root folder of the snapshot.
+ *
+ * This is selected as the location for project-wide metrics.
+ */
+Folder projectRoot() { result.getRelativePath() = "" }