Chris Smowton
Investigated this and found it isn't specific to Java 17, but it is specific to Java >= 16 in combination with use of Error-Prone. Roughly what happens: the Gradle Error-Prone...
The relevant CodeQL build will roll out to Code Scanning within the next week or so. This will be in CodeQL v2.10.4; at the top of a Code Scanning job...
Could you write a code example showing the taint flow you want to identify?
The simplest thing: if we can assume TestCodeQLRequest is only ever used to carry user-controlled (tainted) data, then we can consider as a source any read of the Birthday field....
Try
```
from DataFlow::FieldReadNode frn, string pname
where frn.getField().hasQualifiedName(pname, "SetDataRequest", "Birthday")
select pname
```
What actual package name is returned?
If you mean arguments to the `package` predicate, then either split it according to the point where any semantic versioning can occur (e.g. if we have `x/v1/y` and `x/v2/y` then...
I don't follow what you'd want `tp` or `f` to be here. If your `select pname` query returned `x.com/y/z` then you could just use `frn.getField().hasQualifiedName("x.com/y/z", "SetDataRequest", "Birthday")`
I don't mean you should use my method in your query, I mean you should run my query once to discover the right package name, then thereafter hard-code the answer...
My suggestion was just a debugging method, a way to discover a package name that you're not sure of. Your eventual query should be a single query like the one...
So what do you know about the field you want to target? You don't know the package name; do you know the type name? The field name? The field's type?