From dbae0f788417cd9221bc5d27ad045912862d2c05 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Mon, 8 May 2023 14:51:49 +0200
Subject: [PATCH] Java: Update test methods to contain a SQL and a Logging sink and update expected test output.
---
 .../experimental/configured-flow/Test.java | 16 +++--
 .../configured-flow/test-default.expected | 72 ++++++++++---------
 .../test-hardcoded-all.expected | 72 ++++++++++---------
 .../test-hardcoded-database.expected | 72 ++++++++++---------
 .../test-hardcoded-default.expected | 44 ++++++------
 .../test-hardcoded-remote.expected | 44 ++++++------
 .../test-sqlinjection1.expected | 37 +++++-----
 .../test-sqlinjection2.expected | 60 +++++++---------
 8 files changed, 210 insertions(+), 207 deletions(-)
diff --git a/java/ql/test/experimental/configured-flow/Test.java b/java/ql/test/experimental/configured-flow/Test.java
index a02f18f9e8f..221715035f4 100644
--- a/java/ql/test/experimental/configured-flow/Test.java
+++ b/java/ql/test/experimental/configured-flow/Test.java
@@ -1,5 +1,6 @@
 import java.sql.*;
 import java.net.*;
+import java.util.logging.*;
 import java.nio.charset.StandardCharsets;
 
 class Test {
@@ -13,10 +14,11 @@ class Test {
 byte[] data = new byte[1024];
 sock.getInputStream().read(data);
 
- // Sink
- sock.getOutputStream().write(data);
+ // Logging sink
+ Logger logger = Logger.getLogger("foo");
+ logger.severe(byteToString(data));
 
- // Sink
+ // SQL sink
 handle.executeUpdate("INSERT INTO foo VALUES ('" + byteToString(data) + "')");
 }
 
@@ -24,11 +26,11 @@ class Test {
 // Only a source if "database" is a selected threat model
 ResultSet rs = handle.executeQuery("SELECT * FROM foo");
 
- // Sink
+ // SQL sink
 handle.executeUpdate("INSERT INTO foo VALUES ('" + rs.getString("name") + "')");
 
- // Sink
- Socket sock = new Socket("localhost", 1234);
- sock.getOutputStream().write(rs.getString("name").getBytes());
+ // Logging sink
+ Logger logger = Logger.getLogger("foo");
+ logger.severe(rs.getString("name"));
 }
 }
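Review bot: In the second hunk both sinks of the socket-sourced method now receive `byteToString(data)`, so the path that reached a sink without going through the helper (the removed `sock.getOutputStream().write(data)` line) is no longer covered, and a regression in flow through the helper would drop both expected results at once. If the logging sink does not need to share the helper, `logger.severe(new String(data, StandardCharsets.UTF_8));` keeps one result independent of it (StandardCharsets is already imported); the `.expected` files would then need regenerating because the columns shift. If sharing the helper is deliberate, a comment such as `// Logging sink (reached through byteToString on purpose)` would record that. The method body starts above the hunk.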
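Review bot: The new `// SQL sink` and `// Logging sink` comments in the third hunk do not say that these two results are expected only when the `database` threat model is selected; the only hint is the source comment a few lines above. Suggest `// SQL sink (reported only with the "database" threat model)` and `// Logging sink (reported only with the "database" threat model)`. That would explain why test-hardcoded-default.expected and, as far as it is visible, test-hardcoded-remote.expected list only the socket-sourced results and nothing for new lines 30 and 34. The method signature is outside the hunk.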
diff --git a/java/ql/test/experimental/configured-flow/test-default.expected b/java/ql/test/experimental/configured-flow/test-default.expected index a8b6f60f458..011f5de0aac 100644 --- a/java/ql/test/experimental/configured-flow/test-default.expected +++ b/java/ql/test/experimental/configured-flow/test-default.expected 
@@ -1,39 +1,41 @@ edges -| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | -| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | -| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | -| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:56:28:57 | rs : ResultSet | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:35 | rs : ResultSet | -| Test.java:28:56:28:57 | rs : ResultSet | Test.java:28:56:28:75 | getString(...) : String | -| Test.java:28:56:28:75 | getString(...) : String | Test.java:28:26:28:82 | ... + ... | -| Test.java:32:34:32:35 | rs : ResultSet | Test.java:32:34:32:53 | getString(...) : String | -| Test.java:32:34:32:53 | getString(...) : String | Test.java:32:34:32:64 | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] | +| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) 
| +| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:20 | rs : ResultSet | +| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String | +| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... | +| Test.java:34:19:34:20 | rs : ResultSet | Test.java:34:19:34:38 | getString(...) | nodes -| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | -| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | -| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | -| Test.java:17:34:17:37 | data | semmle.label | data | -| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | -| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | -| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | -| Test.java:28:26:28:82 | ... + ... | semmle.label | ... + ... | -| Test.java:28:56:28:57 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:28:56:28:75 | getString(...) : String | semmle.label | getString(...) : String | -| Test.java:32:34:32:35 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:32:34:32:53 | getString(...) : String | semmle.label | getString(...) 
: String | -| Test.java:32:34:32:64 | getBytes(...) | semmle.label | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) | +| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] | +| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... | +| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | +| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... | +| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String | +| Test.java:34:19:34:20 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:34:19:34:38 | getString(...) | semmle.label | getString(...) | subpaths -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) 
: String | #select -| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:17:34:17:37 | data | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:28:26:28:82 | ... + ... | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:26:28:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:25:20:25:59 | executeQuery(...) | Source of that thingy | -| Test.java:32:34:32:64 | getBytes(...) | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:64 | getBytes(...) | This is some kind of threat model thingy $@. | Test.java:25:20:25:59 | executeQuery(...) | Source of that thingy | +| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy | +| Test.java:34:19:34:38 | getString(...) | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:38 | getString(...) | This is some kind of threat model thingy $@. 
| Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy | diff --git a/java/ql/test/experimental/configured-flow/test-hardcoded-all.expected b/java/ql/test/experimental/configured-flow/test-hardcoded-all.expected index a8b6f60f458..011f5de0aac 100644 --- a/java/ql/test/experimental/configured-flow/test-hardcoded-all.expected +++ b/java/ql/test/experimental/configured-flow/test-hardcoded-all.expected 
@@ -1,39 +1,41 @@ edges -| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | -| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | -| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | -| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:56:28:57 | rs : ResultSet | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:35 | rs : ResultSet | -| Test.java:28:56:28:57 | rs : ResultSet | Test.java:28:56:28:75 | getString(...) : String | -| Test.java:28:56:28:75 | getString(...) : String | Test.java:28:26:28:82 | ... + ... | -| Test.java:32:34:32:35 | rs : ResultSet | Test.java:32:34:32:53 | getString(...) : String | -| Test.java:32:34:32:53 | getString(...) : String | Test.java:32:34:32:64 | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] | +| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) 
| +| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:20 | rs : ResultSet | +| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String | +| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... | +| Test.java:34:19:34:20 | rs : ResultSet | Test.java:34:19:34:38 | getString(...) | nodes -| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | -| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | -| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | -| Test.java:17:34:17:37 | data | semmle.label | data | -| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | -| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | -| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | -| Test.java:28:26:28:82 | ... + ... | semmle.label | ... + ... | -| Test.java:28:56:28:57 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:28:56:28:75 | getString(...) : String | semmle.label | getString(...) : String | -| Test.java:32:34:32:35 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:32:34:32:53 | getString(...) : String | semmle.label | getString(...) 
: String | -| Test.java:32:34:32:64 | getBytes(...) | semmle.label | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) | +| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] | +| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... | +| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | +| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... | +| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String | +| Test.java:34:19:34:20 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:34:19:34:38 | getString(...) | semmle.label | getString(...) | subpaths -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) 
: String | #select -| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:17:34:17:37 | data | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:28:26:28:82 | ... + ... | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:26:28:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:25:20:25:59 | executeQuery(...) | Source of that thingy | -| Test.java:32:34:32:64 | getBytes(...) | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:64 | getBytes(...) | This is some kind of threat model thingy $@. | Test.java:25:20:25:59 | executeQuery(...) | Source of that thingy | +| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy | +| Test.java:34:19:34:38 | getString(...) | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:38 | getString(...) | This is some kind of threat model thingy $@. 
| Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy | diff --git a/java/ql/test/experimental/configured-flow/test-hardcoded-database.expected b/java/ql/test/experimental/configured-flow/test-hardcoded-database.expected index a8b6f60f458..011f5de0aac 100644 --- a/java/ql/test/experimental/configured-flow/test-hardcoded-database.expected +++ b/java/ql/test/experimental/configured-flow/test-hardcoded-database.expected 
@@ -1,39 +1,41 @@ edges -| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | -| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | -| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | -| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:56:28:57 | rs : ResultSet | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:35 | rs : ResultSet | -| Test.java:28:56:28:57 | rs : ResultSet | Test.java:28:56:28:75 | getString(...) : String | -| Test.java:28:56:28:75 | getString(...) : String | Test.java:28:26:28:82 | ... + ... | -| Test.java:32:34:32:35 | rs : ResultSet | Test.java:32:34:32:53 | getString(...) : String | -| Test.java:32:34:32:53 | getString(...) : String | Test.java:32:34:32:64 | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] | +| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) 
| +| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:20 | rs : ResultSet | +| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String | +| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... | +| Test.java:34:19:34:20 | rs : ResultSet | Test.java:34:19:34:38 | getString(...) | nodes -| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | -| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | -| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | -| Test.java:17:34:17:37 | data | semmle.label | data | -| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | -| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | -| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | -| Test.java:28:26:28:82 | ... + ... | semmle.label | ... + ... | -| Test.java:28:56:28:57 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:28:56:28:75 | getString(...) : String | semmle.label | getString(...) : String | -| Test.java:32:34:32:35 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:32:34:32:53 | getString(...) : String | semmle.label | getString(...) 
: String | -| Test.java:32:34:32:64 | getBytes(...) | semmle.label | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) | +| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] | +| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... | +| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | +| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... | +| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String | +| Test.java:34:19:34:20 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:34:19:34:38 | getString(...) | semmle.label | getString(...) | subpaths -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) 
: String | #select -| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:17:34:17:37 | data | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:28:26:28:82 | ... + ... | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:26:28:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:25:20:25:59 | executeQuery(...) | Source of that thingy | -| Test.java:32:34:32:64 | getBytes(...) | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:64 | getBytes(...) | This is some kind of threat model thingy $@. | Test.java:25:20:25:59 | executeQuery(...) | Source of that thingy | +| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy | +| Test.java:34:19:34:38 | getString(...) | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:38 | getString(...) | This is some kind of threat model thingy $@. 
| Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy | diff --git a/java/ql/test/experimental/configured-flow/test-hardcoded-default.expected b/java/ql/test/experimental/configured-flow/test-hardcoded-default.expected index c7c96f7c09f..c4b24d15964 100644 --- a/java/ql/test/experimental/configured-flow/test-hardcoded-default.expected +++ b/java/ql/test/experimental/configured-flow/test-hardcoded-default.expected 
@@ -1,24 +1,28 @@ edges -| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | -| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | -| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | -| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] | +| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) | +| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String | nodes -| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | -| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | -| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | -| Test.java:14:5:14:25 | getInputStream(...) 
: InputStream | semmle.label | getInputStream(...) : InputStream | -| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | -| Test.java:17:34:17:37 | data | semmle.label | data | -| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | -| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | -| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) | +| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] | +| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... | +| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] | subpaths -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String | #select -| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) 
: InputStream | Test.java:17:34:17:37 | data | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | +| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | diff --git a/java/ql/test/experimental/configured-flow/test-hardcoded-remote.expected b/java/ql/test/experimental/configured-flow/test-hardcoded-remote.expected index c7c96f7c09f..c4b24d15964 100644 --- a/java/ql/test/experimental/configured-flow/test-hardcoded-remote.expected +++ b/java/ql/test/experimental/configured-flow/test-hardcoded-remote.expected 
@@ -1,24 +1,28 @@ edges -| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | -| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | -| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | -| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] | +| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) | +| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String | nodes -| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | -| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | -| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | -| Test.java:14:5:14:25 | getInputStream(...) 
: InputStream | semmle.label | getInputStream(...) : InputStream | -| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | -| Test.java:17:34:17:37 | data | semmle.label | data | -| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | -| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | -| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) | +| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] | +| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... | +| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] | subpaths -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String | #select -| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) 
: InputStream | Test.java:17:34:17:37 | data | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | -| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:14:5:14:25 | getInputStream(...) | Source of that thingy | +| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | +| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy | diff --git a/java/ql/test/experimental/configured-flow/test-sqlinjection1.expected b/java/ql/test/experimental/configured-flow/test-sqlinjection1.expected index bace19009e7..9887ff51e71 100644 --- a/java/ql/test/experimental/configured-flow/test-sqlinjection1.expected +++ b/java/ql/test/experimental/configured-flow/test-sqlinjection1.expected 
@@ -1,24 +1,21 @@ edges -| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | -| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | -| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | -| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] | +| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] | +| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String | nodes -| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | -| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | -| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | -| Test.java:17:34:17:37 | data | semmle.label | data | -| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... 
| -| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | -| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | +| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... | +| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] | subpaths -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String | #select -| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:17:34:17:37 | data | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value | -| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value | +| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This query depends on a $@. | Test.java:15:5:15:25 | getInputStream(...) | user-provided value | 
diff --git a/java/ql/test/experimental/configured-flow/test-sqlinjection2.expected b/java/ql/test/experimental/configured-flow/test-sqlinjection2.expected index e03756e6fbc..05cd1b6a04a 100644 --- a/java/ql/test/experimental/configured-flow/test-sqlinjection2.expected +++ b/java/ql/test/experimental/configured-flow/test-sqlinjection2.expected 
@@ -1,39 +1,29 @@ edges -| Test.java:6:31:6:41 | data : byte[] | Test.java:7:23:7:26 | data : byte[] | -| Test.java:7:23:7:26 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:14:32:14:35 | data [post update] : byte[] | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:17:34:17:37 | data | -| Test.java:14:32:14:35 | data [post update] : byte[] | Test.java:20:69:20:72 | data : byte[] | -| Test.java:20:56:20:73 | byteToString(...) : String | Test.java:20:26:20:80 | ... + ... | -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | -| Test.java:20:69:20:72 | data : byte[] | Test.java:20:56:20:73 | byteToString(...) : String | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:56:28:57 | rs : ResultSet | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:35 | rs : ResultSet | -| Test.java:28:56:28:57 | rs : ResultSet | Test.java:28:56:28:75 | getString(...) : String | -| Test.java:28:56:28:75 | getString(...) : String | Test.java:28:26:28:82 | ... + ... | -| Test.java:32:34:32:35 | rs : ResultSet | Test.java:32:34:32:53 | getString(...) : String | -| Test.java:32:34:32:53 | getString(...) : String | Test.java:32:34:32:64 | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] | +| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] | +| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] | +| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | +| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) 
: String | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet | +| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String | +| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... | nodes -| Test.java:6:31:6:41 | data : byte[] | semmle.label | data : byte[] | -| Test.java:7:12:7:51 | new String(...) : String | semmle.label | new String(...) : String | -| Test.java:7:23:7:26 | data : byte[] | semmle.label | data : byte[] | -| Test.java:14:5:14:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream | -| Test.java:14:32:14:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | -| Test.java:17:34:17:37 | data | semmle.label | data | -| Test.java:20:26:20:80 | ... + ... | semmle.label | ... + ... | -| Test.java:20:56:20:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | -| Test.java:20:69:20:72 | data : byte[] | semmle.label | data : byte[] | -| Test.java:25:20:25:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | -| Test.java:28:26:28:82 | ... + ... | semmle.label | ... + ... | -| Test.java:28:56:28:57 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:28:56:28:75 | getString(...) : String | semmle.label | getString(...) : String | -| Test.java:32:34:32:35 | rs : ResultSet | semmle.label | rs : ResultSet | -| Test.java:32:34:32:53 | getString(...) : String | semmle.label | getString(...) : String | -| Test.java:32:34:32:64 | getBytes(...) | semmle.label | getBytes(...) | +| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] | +| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String | +| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] | +| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) 
: InputStream | +| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] | +| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... | +| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] | +| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet | +| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... | +| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet | +| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String | subpaths -| Test.java:20:69:20:72 | data : byte[] | Test.java:6:31:6:41 | data : byte[] | Test.java:7:12:7:51 | new String(...) : String | Test.java:20:56:20:73 | byteToString(...) : String | +| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String | #select -| Test.java:17:34:17:37 | data | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:17:34:17:37 | data | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value | -| Test.java:20:26:20:80 | ... + ... | Test.java:14:5:14:25 | getInputStream(...) : InputStream | Test.java:20:26:20:80 | ... + ... | This query depends on a $@. | Test.java:14:5:14:25 | getInputStream(...) | user-provided value | -| Test.java:28:26:28:82 | ... + ... | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:28:26:28:82 | ... + ... | This query depends on a $@. | Test.java:25:20:25:59 | executeQuery(...) | user-provided value | -| Test.java:32:34:32:64 | getBytes(...) | Test.java:25:20:25:59 | executeQuery(...) : ResultSet | Test.java:32:34:32:64 | getBytes(...) | This query depends on a $@. | Test.java:25:20:25:59 | executeQuery(...) 
| user-provided value | +| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This query depends on a $@. | Test.java:15:5:15:25 | getInputStream(...) | user-provided value | +| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This query depends on a $@. | Test.java:27:20:27:59 | executeQuery(...) | user-provided value |