\n

The problem is, when I click through the steps in the alerts section, the only two steps for this function I see are:
\nfunc GetImageWH(url string) (int32, int32, error) { - definition of url
\nresp, err = transport.RoundTrip(req) - req

\n

\n
1. How to make my customised taint step visible in the path?
\n
2. And when it becomes visible, I'd like to name the taint step as NewRequestStep in the graph visualisation, instead of definition of url. How can I customise this if possible?
\n

\n

---

\n

I need to explicitly reflect in the query results that my taint step contributed to the flow, for my internal SAST metrics/statistics.

\n

Thanks for taking time with this!

","upvoteCount":1,"answerCount":2,"acceptedAnswer":{"@type":"Answer","text":"

You could try in your data-flow configuration specifying predicate neverSkip(Node node) -- by default, the edges relation that populates the user-facing graph will skip nodes unless they are join points (have multiple predecessors) or are interprocedural edges.

\n

The names printed in the path explanation refer to nodes, not edges, but you could try something like class CustomNamedNode extends DataFlow::Node { ... CustomNamedNode() { ... characterise your node ... } ... override string toString() { ... stringify your node ... }, and ensure your custom node definition is in scope in the context of whatever query produces your path explanation.

","upvoteCount":1,"url":"https://github.com/github/codeql/discussions/20596#discussioncomment-14619540"}}}

[Golang] Additional Taint Step hidden in PathGraph Visualisation #20596

Answered by smowton

KseniiaSmirn0va asked this question in Q&A

[Golang] Additional Taint Step hidden in PathGraph Visualisation #20596

KseniiaSmirn0va

Oct 7, 2025 · 2 comments · 5 replies

Answered by smowton Return to top

Discussion options

edited

KseniiaSmirn0va

Oct 7, 2025

Hello, I added a taint step by extending TaintTracking::AdditionalTaintStep in golang. Now codeql builds the path with this step correctly, but I don't see the step itself in the alerts section, version 2.21.0. Here is a simplified code snippet for my query, which works like a charm: // url comes already tainted func GetImageInfo(url string) (int32, int32, error) { ... req, err := http.NewRequest(http.MethodGet, url, nil) // my taint step: taint from url to the req variable req = req.WithContext(extmon.MethodNameToCtx(req.Context(), "Get")) var resp *http.Response resp, err = transport.RoundTrip(req) // RoundTrip() is sink ... } The problem is, when I click through the steps in the alerts section, the only two steps for this function I see are: func GetImageWH(url string) (int32, int32, error) { - definition of url resp, err = transport.RoundTrip(req) - req How to make my customised taint step visible in the path? And when it becomes visible, I'd like to name the taint step as NewRequestStep in the graph visualisation, instead of definition of url. How can I customise this if possible? I need to explicitly reflect in the query results that my taint step contributed to the flow, for my internal SAST metrics/statistics. Thanks for taking time with this!

1 You must be logged in to vote

Answered by smowton Oct 7, 2025

You could try in your data-flow configuration specifying predicate neverSkip(Node node) -- by default, the edges relation that populates the user-facing graph will skip nodes unless they are join points (have multiple predecessors) or are interprocedural edges.

The names printed in the path explanation refer to nodes, not edges, but you could try something like class CustomNamedNode extends DataFlow::Node { ... CustomNamedNode() { ... characterise your node ... } ... override string toString() { ... stringify your node ... }, and ensure your custom node definition is in scope in the context of whatever query produces your path explanation.

View full answer

Replies: 2 comments · 5 replies

Comment options

smowton

Oct 7, 2025

Maintainer

You could try in your data-flow configuration specifying predicate neverSkip(Node node) -- by default, the edges relation that populates the user-facing graph will skip nodes unless they are join points (have multiple predecessors) or are interprocedural edges. The names printed in the path explanation refer to nodes, not edges, but you could try something like class CustomNamedNode extends DataFlow::Node { ... CustomNamedNode() { ... characterise your node ... } ... override string toString() { ... stringify your node ... }, and ensure your custom node definition is in scope in the context of whatever query produces your path explanation.

Marked as answer

1 You must be logged in to vote

3 replies

Comment options

KseniiaSmirn0va Oct 8, 2025

Author

Thank you so much! That helps a lot.

Comment options

edited

KseniiaSmirn0va Oct 30, 2025

Author

@smowton Hello, Now I'm trying to do the same for Csharp, but Csharp DataFlow::Node has the final annotation so I can't override it: final string toString() { result = this.(NodeImpl).toStringImpl() }. Is there any way to solve it out?

Comment options

smowton Oct 30, 2025

Maintainer

Hmm, well you could wrap the types involved in the PathGraph's nodes, edges, subpaths relations? Remove import SomeFlow::PathGraph and instead do something like... string customToString(PathNode n) { ... your custom stringification here ... } newtype TMyPathNode = TWrapPathNode(PathNode pn) class MyPathNode extends TMyPathNode { PathNode pn; MyPathNode() { this = TWrapPathNode(pn) } string toString() { result = customToString(pn) or not exists(customToString(pn)) and result = pn.toString() } PathNode getPathNode() { result = pn } } query predicate nodes(MyPathNode mpn) { SomeFlow::PathGraph::nodes(mpn.getPathNode()) } query predicate edges(MyPathNode mpn1, MyPathNode mpn2) { SomeFlow::PathGraph::edges(mpn1.getPathNode(), mpn2.getPathNode()) } query predicate subpaths(...) // similar

Answer selected by KseniiaSmirn0va

Comment options

owen-mc

Oct 8, 2025

Maintainer

We already make sure that we never skip over steps coming from function models for any configuration. We could do additional taint steps too. There are edge labels for some edges, e.g. those coming from function models or from additional flow steps specified in the flow configuration. For steps coming from TaintTracking::AdditionalTaintStep the label is "AdditionalTaintStep". We could make that customizable when you define the additional taint step. Would either of these be helpful, @KseniiaSmirn0va ? Or has @smowton's suggestions already solved your problem?

1 You must be logged in to vote

2 replies

Comment options

KseniiaSmirn0va Oct 8, 2025

Author

Thank you, @owen-mc, for the suggestion! Did you mean a new patch is coming out for the feature I need? Actually, I've solved out the matter with @smowton's suggestion

Comment options

edited

owen-mc Oct 9, 2025

Maintainer

Glad to hear your problem is solved. In that case I will not implement the more general solution that I suggested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Category

🙏

Q&A

Labels

None yet

3 participants