Is there any good practice to find where the data flow tracking ends?

[ox1234]

When i use codeql to analyse a project to find vulnerabilities, i usually define such ql to find if there are any path from source to sink:

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking

class BeanSinkMethod extends Method{
    BeanSinkMethod(){
        this.hasQualifiedName("org.springframework.beans.factory.support", "AbstractBeanFactory", "getBean")
    }
}

class BeanEvaluateConfig extends TaintTracking::Configuration{
    BeanEvaluateConfig(){
        this = "BeanEvaluateConfig"
    }

    override predicate isSource(DataFlow::Node source){
        source instanceof RemoteFlowSource
    }

    override predicate isSink(DataFlow::Node sink){
        exists(MethodAccess ma| ma.getMethod() instanceof BeanSinkMethod | sink.asExpr() = ma.getArgument(1))
    }

}

from DataFlow::Node source, DataFlow::Node sink
where any(BeanEvaluateConfig conf).hasFlow(source, sink)
select source, sink

But usually i got no result. I don't know if it is caused by broken taint path or just really no result. And i don't known where i need to add additionalTaintStep. So is there any suggestions?

[smowton]

Have you tried https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/ ?

[ox1234]

I just want to known where the data flow ends. So i have no idea how to specific sink node. If i use any i will get too many results

[smowton]

If you're using the partial-flow debugging tool linked above the sink doesn't really matter -- it's exploring flow outwards from your source and showing everywhere it can get, which is similar to using any, but the override int explorationLimit() { result = ... } predicate lets you limit how far it searches