Show Parent Expression in path-problem query

[elManto]

Hi all,

I've written a path-problem query for python to track certain data flows I'm interested at that have the input parameters (sys.argv, argparse, etc.) as sources and certain APIs as sinks. Without getting into the details of what's the source and what's the sink (I can share, but probably not needed), the body of the query looks like:

module MyFlow = TaintTracking::Global<MyTaintAnalysis>;

import MyFlow::PathGraph

from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink.getNode(), source, sink, 
  "Input arg flowing from " + source.getNode() + " into sink API"

For each node in the PathGraph I would like to obtain the parent expression, if any. For instance, let's consider the following example:

1  x = sys.argv[1]
2  print("no data flow")
3  y = x + "A"
4  print(y)

If I look into the Sarif generated with the query above I'll get the line of each node and the startColumn, endColumn of the variable involved in the Path that is reached by the taint, e.g., x (line 1), x (line 3), y (line 4). I would like to obtain the parent expression for each node, e.g., x = sys.argv[1] , y=x + "A" and print(y) . Is there a way to do so ? Thank you

[redsun82]

👋 @elManto

Could you elaborate on what you want to do with that information? My main point here is whether you intend that for human consumption or to do some further QL or script processing down the line.

If it's just for human consumption when analysing the SARIF result, you could try running your codeql database analyze command with the additional --sarif-add-snippets flag. This will add contextRegion fields with some context (two lines before and after) around the flow nodes. Would that be enough for your use case?