A source of all Sources ?

[Sim4n6]

I was thinking does CodeQL has an instance as Sources that encompasses all possible and identified sources.
I mean CodeQL is truly capable of that! For instance I generate a database and a TaintTracking config that takes a Source as an instance of Sources which would consider every potential and tricky possible way to get user input. Something like RemoteFlowSources but with input coming from CLI and filenames in a zipfile as a source, and much more.

What do you think, please? am I missing something?

[atorralba]

If this is for the Java language, you can use UserInput (from FlowSources.qll) which includes RemoteFlowSource and LocalUserInput. These two are currently the only general sources of taint in CodeQL. Other queries have more specialized sources (e.g. encryption queries might have integer literals as sources) but I guess you aren't interested in those.

[Sim4n6]

UserInput looks like a perfect fit. I was thinking about more sources of malicious user input, such as the Java EnvInput.
Is there a similar concept in Python language, please?

[RasmusWL]

There isn't such a thing in Python right now

[Sim4n6]

It would be a sweet addition, thank you guys !

have a nice day.