Apply suggestions from code review

Author: atorralba

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll

@@ -135,7 +135,7 @@ predicate isMybatisXmlOrAnnotationSqlInjection(
               "%}") and
       annotation.getType() instanceof TypeParam and
       ma.getAnArgument() = node.asExpr() and
-      annotation.getTarget() = ma.getMethod().getParameter(node.asExpr().getIndex())
+      annotation.getTarget() = ma.getMethod().getParameter(node.asExpr().(Argument).getParameterPos())
     )
     or
     // MyBatis default parameter sql injection vulnerabilities.the default parameter form of the method is arg[0...n] or param[1...n].

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java

@@ -90,13 +90,13 @@ public void badInsert(@RequestParam String name) {
 		mybatisSqlInjectionService.badInsert(name);
 	}
 
-	@GetMapping(value = "kkbad1")
-	public void kkbad1(@RequestParam String name, @RequestParam Integer age) {
-		mybatisSqlInjectionService.kkbad1(name, age);
+	@GetMapping(value = "good2")
+	public void good2(@RequestParam String name, @RequestParam Integer age) {
+		mybatisSqlInjectionService.good2(name, age);
 	}
 
-	@GetMapping(value = "kkbad2")
-	public void kkbad2(@RequestParam String age) {
-		mybatisSqlInjectionService.kkbad2(age);
+	@GetMapping(value = "good3")
+	public void good3(@RequestParam String age) {
+		mybatisSqlInjectionService.good3(age);
 	}
 }

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java

@@ -73,11 +73,11 @@ public void badInsert(String input) {
 		sqlInjectionMapper.badInsert(input);
 	}
 
-	public void kkbad1(String name, Integer age){
-		sqlInjectionMapper.kkbad1(name, age);
+	public void good2(String name, Integer age){
+		sqlInjectionMapper.good2(name, age);
 	}
 
-	public void kkbad2(String age){
-		sqlInjectionMapper.kkbad2(age);
+	public void good3(String age){
+		sqlInjectionMapper.good3(age);
 	}
 }

java/ql/test/experimental/query-tests/security/CWE-089/src/main/SqlInjectionMapper.java

@@ -61,9 +61,9 @@ public interface SqlInjectionMapper {
 	void badInsert(String input);
 
 	@Select("select * from user_info where name = #{name} and age = ${age}")
-	String kkbad1(@Param("name") String name, Integer age);
+	String good2(@Param("name") String name, Integer age);
 
 	@Select("select * from user_info where age = #{age}")
-	String kkbad2(@Param("age") String age);
+	String good3(@Param("age") String age);
 
 }