How to add extra source code for libraries/dependencies to a CodeQL database?


I'm trying to track taint globally across a code repository I downloaded from LGTM (GNU coreutils), but CodeQL seems to also consider calls to libc 'tainted', whereas they do not actually introduce any taint. Consider the following example:

size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);

/* fread returns a size_t element count; pass the number of elements, not the buffer size in bytes */
size_t bytes = fread(some_array, sizeof(*some_array), sizeof(some_array) / sizeof(*some_array), some_fptr);

If some_array or some_fptr were tainted, bytes will now be considered tainted as well by CodeQL. I suspect this is to be on the safe side (rather overestimate taint than underestimate it).

EDIT: apparently external calls are considered not to introduce taint by default, but for common APIs such as libc, models of taint propagation are written based on the documentation. In this case, however, it seems to have gotten it a bit wrong, but the models are continuously evolving.

How would I go about including, e.g., the glibc sources in the source database that CodeQL keeps, so queries can more accurately determine taint across these "closed-source" function calls?

What if the code depends on some other precompiled library, how do I make the source code for this available to CodeQL?

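For calls into a library whose sources are not in the database, the CodeQL C/C++ library does not look at the callee's code at all; it decides how taint passes through a call from QL model classes, the TaintFunction interface being the one for taint. The following is an added example, not code from the original question, the linked answer, or CodeQL's own model library. It is a single query file that (a) declares a custom fread model in which the stream argument taints the destination buffer and the return value stays untainted, and (b) lists every taint edge that any model in scope, shipped or custom, declares for fread, so the shipped behaviour can be inspected before it is overridden. The class and predicate names (TaintFunction, hasTaintFlow, FunctionInput, FunctionOutput, hasGlobalOrStdName) are CodeQL's; the particular edges chosen, the class name, and the @id are this example's assumptions, not a statement of what CodeQL's shipped fread model does in any given version.

```ql
/**
 * @name Taint edges modelled for fread
 * @description Added example: declares a custom fread taint model and lists
 *              every taint edge any model in scope declares for fread.
 * @kind table
 * @id example/fread-taint-model
 */

import cpp
import semmle.code.cpp.models.interfaces.Taint
import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs

/**
 * Example model (an assumption of this example, not CodeQL's shipped model):
 *   size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
 * Taint flows from the stream (parameter 3) into the bytes written through
 * ptr (parameter 0, dereferenced). The return value is only a count, so no
 * edge is declared to it: a tainted stream does not make `bytes` tainted.
 * TaintFunction is abstract, so this subclass is picked up by the default
 * taint-tracking library as soon as it is in scope of the query.
 */
class FreadStreamToBufferModel extends TaintFunction {
  FreadStreamToBufferModel() { this.hasGlobalOrStdName("fread") }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input.isParameter(3) and
    output.isParameterDeref(0)
  }
}

// Diagnostic: every (input -> output) taint edge that any TaintFunction model
// in scope declares for fread. Run it once without the class above to see the
// shipped model's edges, and once with it to see what the library will use.
from TaintFunction f, FunctionInput input, FunctionOutput output
where
  f.hasGlobalOrStdName("fread") and
  f.hasTaintFlow(input, output)
select f, input, output
```

Put the query in a pack that depends on codeql/cpp-all and run it against the coreutils database. To apply the same treatment to some other precompiled library, move the model class into a .qll that your taint-tracking queries import: that is the mechanism for teaching CodeQL about a function whose source is not in the database, and it needs no library sources at all. Which edges are already present in the shipped models varies by CodeQL version, so read the diagnostic output rather than assuming.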

There is 1 answer below


OP here. There doesn't seem to be a lot of documentation about it apart from the source code, but I posted the same question on the github/securitylab repo and got an answer here.