Struggling with path query

[Lorenzogallone]

Hi everyone,

I’m new to CodeQL, so apologies if this is a trivial question. I’m trying to analyze the flow of code execution between two points in my Java application (e.g., from the start of main to a specific function like capitalizeName). Specifically, I’d like to determine:

Dataflow: How data propagates between these points, including variable assignments and transformations.
Control flow: The exact path of execution, including all intermediate steps or method calls.
Here’s my example code:

package com.example;

import java.util.Scanner;

public class App
{
public static void main(String[] args)
{
Scanner scanner = new Scanner(System.in);

System.out.print("Enter your name: ");
String name = scanner.nextLine();

String greeting = GreetingProcessor.generateGreeting(name);

System.out.println(greeting);

scanner.close();

}

public static class GreetingProcessor
{
public static String generateGreeting(String name)
{
String processedName = NameProcessor.processName(name);
return appendGreeting(processedName);
}

public static String appendGreeting(String name) 
{
    String emphasizedName = emphasizeName(name);
    return "Hello, " + emphasizedName + "!";
}

private static String emphasizeName(String name) 
{
    return name + "!!!";
}

}

public static class NameProcessor
{
public static String processName(String name)
{
String trimmed = StringUtils.trimName(name);
return StringUtils.capitalizeName(trimmed);
}
}

public static class StringUtils
{
public static String trimName(String name)
{
return name.trim();
}

public static String capitalizeName(String name) 
{
    if (name == null || name.isEmpty()) {
        return "";
    }
    return name.substring(0, 1).toUpperCase() + name.substring(1).toLowerCase();
}

}
}
For example, starting in the main method, I want to trace the control and data flow leading up to the execution of capitalizeName. This would include all intermediate method calls (generateGreeting, processName, etc.) and show how the input data (name) is transformed along the way.

Is it possible to track the executed instructions and data transformations between two points (e.g., main and capitalizeName) using CodeQL? If so, how could I write a query to achieve this?

[hvitved]

Hi 👋

This sounds like you want to construct a path problem query, using global taint tracking. In your case, the String[] args parameter of main would be the taint source, and the String name parameter of capitalizeName would be the taint sink.

Hope this helps.

[Lorenzogallone]

can you please give me an example of query that is capable to track it? just a basic one to find the paths