How can i add all possible sink in codeql-java

[ox1234]

I want to add all sink definition which class extends TaintTracking. But when i add all modules under java/ql/lib/semmle/code/java/security, it seems i got import cycle issue.

here is my import list:

import java
import semmle.code.java.security.AndroidIntentRedirection
import semmle.code.java.security.AndroidIntentRedirectionQuery
import semmle.code.java.security.AndroidSensitiveCommunicationQuery
import semmle.code.java.security.CleartextStorageAndroidDatabaseQuery
import semmle.code.java.security.CleartextStorageAndroidFilesystemQuery
import semmle.code.java.security.CleartextStorageClassQuery
import semmle.code.java.security.CleartextStorageCookieQuery
import semmle.code.java.security.CleartextStoragePropertiesQuery
import semmle.code.java.security.CleartextStorageQuery
import semmle.code.java.security.CleartextStorageSharedPrefsQuery
import semmle.code.java.security.CommandArguments
import semmle.code.java.security.CommandLineQuery
import semmle.code.java.security.ConditionalBypassQuery
import semmle.code.java.security.ControlledString
import semmle.code.java.security.Encryption
import semmle.code.java.security.ExternalAPIs
import semmle.code.java.security.ExternalProcess
import semmle.code.java.security.FileReadWrite
import semmle.code.java.security.FileWritable
import semmle.code.java.security.Files
import semmle.code.java.security.FragmentInjection
import semmle.code.java.security.FragmentInjectionQuery
import semmle.code.java.security.GroovyInjection
import semmle.code.java.security.GroovyInjectionQuery
import semmle.code.java.security.HttpsUrls
import semmle.code.java.security.HttpsUrlsQuery
import semmle.code.java.security.ImplicitPendingIntents
import semmle.code.java.security.ImplicitPendingIntentsQuery
import semmle.code.java.security.InformationLeak
import semmle.code.java.security.InsecureBasicAuth
import semmle.code.java.security.InsecureBasicAuthQuery
import semmle.code.java.security.InsecureTrustManager
import semmle.code.java.security.InsecureTrustManagerQuery
import semmle.code.java.security.IntentUriPermissionManipulation
import semmle.code.java.security.IntentUriPermissionManipulationQuery
import semmle.code.java.security.JWT
import semmle.code.java.security.JexlInjectionQuery
import semmle.code.java.security.JexlInjectionSinkModels
import semmle.code.java.security.JndiInjection
import semmle.code.java.security.JndiInjectionQuery
import semmle.code.java.security.LdapInjection
import semmle.code.java.security.LogInjection
import semmle.code.java.security.LogInjectionQuery
import semmle.code.java.security.Mail
import semmle.code.java.security.MissingJWTSignatureCheckQuery
import semmle.code.java.security.MvelInjection
import semmle.code.java.security.MvelInjectionQuery
import semmle.code.java.security.OgnlInjection
import semmle.code.java.security.OgnlInjectionQuery
import semmle.code.java.security.PathCreation
import semmle.code.java.security.QueryInjection
import semmle.code.java.security.RandomDataSource
import semmle.code.java.security.RandomQuery
import semmle.code.java.security.RelativePaths
import semmle.code.java.security.RequestForgery
import semmle.code.java.security.RequestForgeryConfig
import semmle.code.java.security.ResponseSplitting
import semmle.code.java.security.SecurityFlag
import semmle.code.java.security.SecurityTests
import semmle.code.java.security.SensitiveActions
import semmle.code.java.security.SensitiveLoggingQuery
import semmle.code.java.security.SpelInjection
import semmle.code.java.security.SpelInjectionQuery
import semmle.code.java.security.SqlUnescapedLib
import semmle.code.java.security.UnsafeAndroidAccess
import semmle.code.java.security.UnsafeAndroidAccessQuery
import semmle.code.java.security.UnsafeCertTrust
import semmle.code.java.security.UnsafeCertTrustQuery
import semmle.code.java.security.UnsafeDeserializationQuery
import semmle.code.java.security.UrlRedirect
import semmle.code.java.security.Validation
import semmle.code.java.security.XPath
import semmle.code.java.security.XSS
import semmle.code.java.security.XmlParsers
import semmle.code.java.security.XsltInjection
import semmle.code.java.security.XsltInjectionQuery

so is there a way to import all sink definition?

[smowton]

#8748 should enable you to import these files concurrently.

The situation you're seeing isn't an import loop, btw -- you're seeing a non-monotonic recursion issue (see https://codeql.github.com/docs/ql-language-reference/recursion/#non-monotonic-recursion)

However this one is a deliberately induced non-monotonic recursion by the class ConfigurationRecursionPrevention, which seeks to prevent a common error: having a DataFlow::Configuration that depends on another DataFlow::Configuration, like isSource(DataFlow::Node n) { any(MyOtherConfiguration c).hasFlowTo(n) }.

In QL terms there's nothing wrong with this, but the performance of such code is so bad that we introduce ConfigurationRecursionPrevention to stop you from accidentally writing QL that makes this mistake. To allow you to write dataflow configurations that depend on one another, we instead provide many numbered instances of the dataflow library -- DataFlow2, DataFlow3, and so on, as well as corresponding TaintTracking instances. This side-steps the performance problem because if you make MyOtherConfiguration a DataFlow2::Configuration, then all of DataFlow2 will be evaluated, followed by DataFlow which depends on it. If your MyOtherConfiguration depended on a DataFlow::Configuration, completing the loop DataFlow -> DataFlow2 -> DataFlow then again ConfigurationRecursionPrevention would kick in to stop you doing something extremely costly.

Normally the convention is that higher-numbered configurations should be used by lower-numbered ones -- DataFlow5::Configuration should be a simple free-standing config, DataFlow4::Configurations may use DataFlow5::Configurations, DataFlow3::Configurations may use 4s, and so on. However some of our libraries had accidentally used the reverse pattern, meaning that they couldn't be imported at the same time without triggering recursion prevention -- one lib used 2 -> 3, the other used 3 -> 2, and so only one of them could be in scope at a time without completing the loop.

The linked PR restores the convention that those dependency arrows go numerically up -- n depends on n + 1, not the reverse -- and so lets you import all those QLLs at the same time.

[ox1234]

Thanks a lot, i will try this