[C/C++] How to sanitize a class object after its member function change its value?

[UniverseExplorer7274]

codeql binary version: 2.7.5

Hello everyone,
When query path of this code, I got some false-positive paths which I don’t know how to eliminate.
Here is my code and my QL query.
I only want to get the path from getInput(a) to the first system call.

#include <stdio.h>
#include <stdlib.h>

void getInput(char* a) {
    scanf("%s", a);
}

class B {
    public:
    char *b;
    void assign(char *a) {
        b = a;
    }

    char* getPtr() {
        return b;
    }
};

int main() {
    char *a = (char *)malloc(0x100);
    B b; 
    char *c = "This isn't tainted.";
    getInput(a);

    b.assign(a);

    system(b.getPtr());

    b.assign(c);

    system(b.getPtr());

    return 0;
}

/**
 * @kind path-problem
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

class MyConfig extends TaintTracking::Configuration {
    MyConfig () {
        this = "MyConfig"
    }

    override predicate isSource(DataFlow::Node node) {
        exists( FunctionCall fc | 
            node.asExpr() = fc.getAnArgument() and
            fc.getTarget().getName().matches("getInput")
        )
    }

    override predicate isSink(DataFlow::Node node) {
        exists( FunctionCall fc | 
            node.asExpr() = fc.getAnArgument() and
            fc.getTarget().getName().matches("system")
        )
    }
}

from DataFlow::PathNode src, DataFlow::PathNode sink, MyConfig conf
where 
    conf.hasFlowPath(src, sink)
select sink.getNode(), src, sink, "From $@ to $@", src, src.toString(), sink, sink.toString()

However, I got 2 paths.

I think I should write a sanitizer which sanitizer the call to class object member function assign whose argument is not tainted. But I don't know how to write it in CodeQL.

I have tried to write a sanitizer like this, but the DataFlow::PathNode causes Non-monotonic recursion.

predicate sanitizerAssign(DataFlow::Node node) {
    exists( FunctionCall fc, DataFlow::PathNode node1 | 
      node.asPartialDefinition() = fc.getQualifier() and
      fc.getTarget().hasName("assign") and
      not(
        fc.getAnArgument() = node1.getNode().asExpr() 
      )
    )
}

The expected result is like the following:

#include <stdio.h>
#include <stdlib.h>

int main() {
    char *a = "echo \'This is tainted.\'";
    char *b;
    char *c = "echo \'This is not tainted.\'";

    b = a;
    system(b);
    
    b = c;
    system(b);

    return 0;
}

/**
 * @kind path-problem
 */

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

class MyConfig extends TaintTracking::Configuration {
    MyConfig () {
        this = "MyConfig"
    }

    override predicate isSource(DataFlow::Node node) {
        exists( VariableAccess va | 
            node.asExpr() = va and
            va.getTarget().getName().matches("a")
        )
    }

    override predicate isSink(DataFlow::Node node) {
        exists( FunctionCall fc | 
            node.asExpr() = fc.getAnArgument() and
            fc.getTarget().getName().matches("system")
        )
    }
}

from DataFlow::PathNode src, DataFlow::PathNode sink, MyConfig conf
where 
    conf.hasFlowPath(src, sink)
select sink.getNode(), src, sink, "From $@ to $@", src, src.toString(), sink, sink.toString()

there is not path to the second system call

Any reply will be appreciated. If there is any other information needed, please let me know.