
Can I register complex sources/sinks/sanitizers entirely inside a custom CodeQL pack? #21198

@br4kingpo1nt

Short background: I want to put all my custom taint modeling (complex QL predicates, annotation equivalence, sanitizers, and normal model files) into a single custom pack so teams can depend on it — without modifying standard / *-all libs.

Concrete example: in Java I have @CustomAnno and I want it treated exactly like Spring’s @RequestMapping (i.e. methods/classes with @CustomAnno are sources). I can do this in Customizations.qll inside java-all/lib, but I don’t want to change the standard lib.

Two short questions:

  1. Is it supported to expose complex QL-based sources/sinks/sanitizers from an external pack so the standard taint queries pick them up? If yes — what minimal files/config (qlpack.yml / module layout / naming) are required?

  2. If not supported, what is the recommended minimal workaround that keeps good maintainability?

Environment: Java target. I can attach a minimal repro pack if useful.

Thanks!
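As an added illustration that is not part of the original issue: the mechanism CodeQL documents for shipping models from a separate pack without touching java-all is a model pack that declares `extensionTargets` and `dataExtensions` in its qlpack.yml and carries its rows in YAML data extensions. The sketch below puts both files in one listing, separated by comments. The pack name, file path, annotation type `com.example.web.CustomAnno`, and the `com.example.db.Query.run` sink are all constructed placeholders; the `ext = "Annotated"` form is the one described in the Java library's `ExternalFlow.qll` documentation as I understand it, so check that comment in the CodeQL version you use.

```yaml
# --- qlpack.yml (assumed pack name: my-org/java-custom-models) ---
name: my-org/java-custom-models
version: 0.1.0
library: true
# Declare which library pack these data extensions plug into.
extensionTargets:
  codeql/java-all: '*'
# Every YAML file under models/ is loaded as a data extension.
dataExtensions:
  - models/**/*.yml

# --- models/custom-anno.yml (assumed file path) ---
extensions:
  # Source rows. Columns are:
  # package, type, subtypes, name, signature, ext, output, kind, provenance.
  # With ext = "Annotated", the first two columns name an annotation type and
  # the row matches elements carrying that annotation; name and signature are
  # left empty in that form. "Parameter" then selects the parameters of the
  # annotated method, and kind "remote" makes them RemoteFlowSource instances,
  # so the standard injection queries pick them up without any QL changes.
  - addsTo:
      pack: codeql/java-all
      extensible: sourceModel
    data:
      # constructed: com.example.web.CustomAnno is a placeholder annotation
      - ["com.example.web", "CustomAnno", false, "", "", "Annotated", "Parameter", "remote", "manual"]

  # Sink rows use the same shape with an input column instead of output:
  # package, type, subtypes, name, signature, ext, input, kind, provenance.
  - addsTo:
      pack: codeql/java-all
      extensible: sinkModel
    data:
      # constructed: placeholder query runner whose first argument is a SQL string
      - ["com.example.db", "Query", true, "run", "(String)", "", "Argument[0]", "sql-injection", "manual"]
```

Teams consume this by listing `my-org/java-custom-models` as a dependency of their query pack, or by passing the pack with `--model-packs` to `codeql database analyze` (check `codeql database analyze --help` for your CLI version). The caveat relevant to the rest of the question: data extensions are tabular, so they cover the annotation-equivalence and plain source/sink cases, but anything that needs an arbitrary QL predicate, including custom sanitizer logic, is not expressible this way.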

Labels: question (Further information is requested)