Tom Hvitved
Hi. What happens if you do not create the `my-db` inside the folder containing the source root? E.g., something like
```
codeql database create ../my-db --language=javascript --source-root=. --overwrite
```
instead?
Hi. The parameter `userReference` is not actually user controllable, so this is why we do not flag it. See https://github.com/github/codeql/tree/main/csharp/ql/test/query-tests/Security%20Features/CWE-089 for some test examples.
Thanks for identifying the lacking `CreateSQLQuery` sink; this is definitely something we should add. Regarding the missing taint sources, I wonder if the right thing would be to mark all...
> Is it not possible to mark everything under a namespace as tainted? Or are there performance considerations to be concerned about?

There can certainly be performance issues with that,...
Something like this should work:
```ql
private class AdHocRemoteFlowSource extends RemoteFlowSource {
  AdHocRemoteFlowSource() {
    exists(AssignableMember m |
      m.getDeclaringType().getNamespace().getParentNamespace*().getFullName() = "appname.api" and
      this.asExpr() = m.getAnAccess()
    )
  }

  override string getSourceType() {...
```