Remove dependencies on isSink in the taint tracking configurations of the default queries

[jeongsoolee09]

Remove dependencies on isSink of the standard library configurations in the custom taint tracking configurations. This will hopefully remove the duplicate XSS alerts raised by the default queries. These are done by:

1. Not making our custom configurations extend the default ones; don't mix up the two, and make the custom configuration be on its own one.
2. Removing super.isSink(...) in the custom configurations to make the kind of vulnerabilities sink dependent.
   • For example, if a UI5 function call happens to be the sink of an XSS, it's a UI5 XSS and should only be raised by the UI5Xss query.
3. Keeping the sources from the default configurations in the isSource definitions.

[lcartey]

Thanks @jeongsoolee09!

As noted in the review comments, I think it's both fine and desirable for us to extend the default configurations for the queries we've implemented, so long as we ensure isSink specifies only SAP specific sinks not reported by the standard library. Then we're guaranteed to avoid duplication.

[jeongsoolee09]

Thanks @lcartey! I agree with the CAP log injection and XSJS Reflected XSS queries needing to extend the default configurations, but will deleting the UrlRedirect::LocationSink in CAPLoginjectionConfiguration.isSink remove the URL Redirect alert raised from a default query?

The only thing that line does is to make queries with CAPLogInjectionConfiguration raise an alert on URL redirection sinks, and that doesn't contribute anything to the default URL redirection query.

[jeongsoolee09]

Yep, totally agree - I made the configurations extend the default ones again, but retained the deletion of UrlRedirect::Sink in UI5Xss.

[lcartey]

Looks good, thanks!