Feature request: Cross-database query #8652

Open
bananabr opened this issue Apr 2, 2022 · 1 comment
Labels
question Further information is requested

Comments

bananabr (Contributor) commented Apr 2, 2022

It's very common for a project to have many dependencies. Sometimes application A will call a method in dependency B, and when you analyze them as isolated pieces of software, CodeQL might not find any problems. However, if you manually build a database containing both codebases and let CodeQL analyze the whole chain, a new result is found.

My proposal is for CodeQL to allow a user to have many active databases when running a query and for it to cross-reference every method, data type, class, etc., when running its queries. Another viable yet less preferable option would be to be able to merge databases.

@bananabr bananabr added the question Further information is requested label Apr 2, 2022
jbj (Contributor) commented Apr 5, 2022

Your feature request is valid, but it would require major technical changes in CodeQL, which fundamentally operates only on one database at a time. It's not on our roadmap to make those changes.

Our long-term plan for accounting for dependencies is to create data-flow summaries for enough libraries and frameworks. That process is becoming increasingly automated, and with enough automation we will hopefully be able to cover the libraries that are most important in practice.

As you note in the issue description, the best trick we have today is to build a database containing the project itself and all the dependencies that might touch security-related data.
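A concrete instance of the data-flow summary approach jbj describes, added here as an illustration and not taken from the issue or from CodeQL's own model packs: a Models-as-Data extension for the Java analysis stating that a hypothetical library method `com.example.lib.Transform.normalize(String)` propagates taint from its first argument to its return value. With a summary like this, a tainted value entering dependency B's method and coming back out is tracked in application A's database even though B's source was never extracted. The package, class and method names are assumptions for the example.

```yaml
# Added example (not part of the issue or of CodeQL's shipped models).
# Summary model for a hypothetical dependency method, so that taint flowing
# through it is tracked without the library's source being in the database.
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
    data:
      # Columns: package, type, subtypes, name, signature, ext,
      #          input, output, kind, provenance
      # com.example.lib.Transform.normalize(String) is an assumed method:
      # whatever taint reaches Argument[0] is carried to ReturnValue.
      - ["com.example.lib", "Transform", True, "normalize", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
```

The file belongs in a CodeQL pack whose `qlpack.yml` lists its directory under `dataExtensions`; the existing taint-tracking queries then pick up the summary without modification. Note that a summary only covers the steps you write down: if `normalize` actually sanitizes its input, a "taint" summary will produce a false positive, and the right model is no summary at all (or a neutral model), so each summary should be checked against the library's behaviour rather than written mechanically.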
