Different result when config name changed

[badnoodle]

<pathquery.ql>
`import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import semmle.code.java.security.SqlInjectionQuery
import DataFlow::PathGraph

class SSSConfig extends QueryInjectionFlowConfig {
SSSConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
}

from DataFlow::PathNode source, DataFlow::PathNode sink, SSSConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "SQL Injection vulnerability due to a $@.",
source.getNode(), "user-provided value", source.getNode().getLocation().getFile().getBaseName(), source.getState(), sink.getState()
`
When run this query "codeql query run --database=../db/simplebc ./pathquery.ql "， I can get result set for nodes, edges and #select.

But when i change [ this = "SqlInjectionLib::QueryInjectionFlowConfig" ] to [ this = "SqlInjectionLib::SSSConfig" ]
I only get result set for nodes, edges, no #select

[jketema]

Hi @badnoodle

Thanks for your question. This is expected behaviour. As the class SSSConfig extends QueryInjectionFlowConfig it needs to satisfy both the characteristic predicate of its parent QueryInjectionFlowConfig, i.e., this = "SqlInjectionLib::QueryInjectionFlowConfig" and the characteristic predicate of SSSConfig, which with your modification is this = "SqlInjectionLib::SSSConfig". However this cannot be both equal to SqlInjectionLib::QueryInjectionFlowConfig and SqlInjectionLib::SSSConfig at the same time. Hence, there will be no results.

Your options are to leave the name of the configuration as it is, i.e., use this = "SqlInjectionLib::QueryInjectionFlowConfig", or to make a complete copy of QueryInjectionFlowConfig and apply renaming to that copy.