taint tracking is not support int type?

[rhakb]

This is the first time I have learn a similar project, i'm try use taint tracking int type,like following code

public class Main {

 public static int taint() { return 5; }

  public static void sink(int o) { }

  public static void maintest() {
    int a = taint();
    int b=a+1;
    sink(b);
   }
}

but it doesn't taint b

Is this normal?

The ql file code I used is as follows

import java
import semmle.code.java.dataflow.TaintTracking

class Conf extends TaintTracking::Configuration {
  Conf() { this = "qqconf" }

  override predicate isSource(DataFlow::Node n) {
    n.asExpr().(MethodAccess).getMethod().hasName("taint")
  }

  override predicate isSink(DataFlow::Node n) {
    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
  }
}

from DataFlow::Node src, DataFlow::Node sink, Conf conf
where conf.hasFlow(src, sink)
select src, sink

[aschackmull]

The question of whether to track taint through additions has different default answers depending on the language. For C/C++ a lot of taint has to with buffer overflows and the like, so in that case we treat addition as a taint-propagating step by default, whereas for something like Java taint is usually propagated in strings and other objects, so there we don't include integer addition as default taint steps.
So if you want to write a query that tracks this sort of thing you can just add some additional taint steps to the configuration by e.g. adding the following override:

override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
  node2.asExpr().(AddExpr).getAnOperand() = node1.asExpr()
}

[rhakb]

o , thinks , it's work , That sounds reasonable