Knowledge base entries

When you run kwcreatechecker, a knowledge-base file is created in the <CHECKER.CODE>/kb directory that you specified with the --code option. Examples of knowledge-base annotations are provided in the .jkb file.

The knowledge-base file is the centerpiece of Java Path checker creation. Java knowledge-base files are how you educate the checker about your data-flow criteria. A simple text file with the .jkb extension is where you "declare" your criteria to the checker by including the methods of interest and then marking them up with specific Java Knowledge Base (JKB) annotations that tell the checker how each method should be handled.

In your source, you identify the method that produces the potentially problematic data, copy it into the knowledge-base file and annotate that method as the source. Then you identify the method that uses the problematic data, copy that into the file and annotate it as the sink. A source and a sink are connected by the same data. An issue occurs when there is a path along which tainted data from the source is used in the sink.

For SV and Common checkers, at minimum, you must identify at least one path as the source and one path as the sink in the knowledge-base file (.jkb) using the appropriate JKB annotations; otherwise, no issue will be reported. For RLK checkers, you only need to specify the source. Optionally, you can also specify the check and the prop, as demonstrated in Tutorial - Creating a Java Path checker.

@Source and @Sink are the crucial JKB annotations for checker creation. The Java knowledge base reference discusses all knowledge-base annotations in detail, with examples.
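The source-to-sink rule described above, shown as an added toy example that is not Klocwork code and does not use real JKB syntax: a minimal taint tracker over a simplified program representation. The method names (HttpRequest.getParameter, StringBuilder.append, Statement.executeQuery, Config.getDefaultQuery) and the sample programs are constructed for the illustration. It shows that an issue is reported only when data produced by a method marked as a source actually reaches a method marked as a sink, and that declaring a source alone yields no report.

```java
import java.util.*;

// Added illustration (Java 16+ for records). This is not the checker's
// implementation; it only mirrors the rule that an issue exists when tainted
// data produced by a @Source method flows into a @Sink method.
public class SourceSinkDemo {

    // One simplified statement of the analysed program:
    //   target = callee(arg)   when target is non-null
    //   callee(arg)            when the call result is not stored
    record Stmt(String target, String callee, String arg) {}

    // Hypothetical knowledge base: method names the user marked as source / sink.
    static final Set<String> SOURCES = Set.of("HttpRequest.getParameter");
    static final Set<String> SINKS = Set.of("Statement.executeQuery");

    /** Walks the statements in order, propagating taint through assignments,
     *  and returns one message per sink call that receives tainted data. */
    static List<String> findIssues(List<Stmt> program, Set<String> sources, Set<String> sinks) {
        Set<String> tainted = new HashSet<>();
        List<String> issues = new ArrayList<>();
        for (Stmt s : program) {
            boolean argTainted = s.arg() != null && tainted.contains(s.arg());
            // A sink reached by a tainted argument is the reported issue.
            if (sinks.contains(s.callee()) && argTainted) {
                issues.add("tainted value '" + s.arg() + "' reaches sink " + s.callee());
            }
            if (s.target() != null) {
                // The stored result is tainted if the callee is a declared source
                // or a tainted argument flowed through it; a clean reassignment
                // removes the taint from that variable.
                if (sources.contains(s.callee()) || argTainted) {
                    tainted.add(s.target());
                } else {
                    tainted.remove(s.target());
                }
            }
        }
        return issues;
    }

    public static void main(String[] args) {
        // Constructed sample: request input is appended into a query string,
        // which is then passed to the sink.
        List<Stmt> vulnerable = List.of(
            new Stmt("id", "HttpRequest.getParameter", "\"id\""),
            new Stmt("query", "StringBuilder.append", "id"),
            new Stmt(null, "Statement.executeQuery", "query"));
        System.out.println("source+sink declared: " + findIssues(vulnerable, SOURCES, SINKS));

        // Same program, but the knowledge base declares only the source:
        // nothing is reported, as the text states for SV and Common checkers.
        System.out.println("source only declared: " + findIssues(vulnerable, SOURCES, Set.of()));

        // The query variable is overwritten with clean data before the sink,
        // so no path connects the source to the sink.
        List<Stmt> safe = List.of(
            new Stmt("id", "HttpRequest.getParameter", "\"id\""),
            new Stmt("query", "StringBuilder.append", "id"),
            new Stmt("query", "Config.getDefaultQuery", null),
            new Stmt(null, "Statement.executeQuery", "query"));
        System.out.println("taint overwritten:    " + findIssues(safe, SOURCES, SINKS));
    }
}
```

Compile and run with javac SourceSinkDemo.java && java SourceSinkDemo. The first run lists one issue, the second and third list none, which is the behaviour the knowledge-base rules above describe: the source and sink must both be declared, and they must be connected by the same data.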