Refine the start and end of the second and third steps

1. The second step should jump from a argument
of a CQN object *only if the argument originates
from a string concatentation*.

Note that this new version identifies the end point
using a successive application of `getAPredecessor`;
it overapproximates and might accidentally include
code that's not necessarily what we want.

2. The third is a specialization of the second step,
and concerns itself only to the property writes to
the object to be passed as an argument to the CQN
query builder for INSERT and UPSERT.

Author: jeongsoolee09

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll

@@ -189,7 +189,7 @@ class CqlInjectionConfiguration extends TaintTracking::Configuration {
      */
 
     exists(CqlClause cqlClause |
-      start = cqlClause.getArgument().flow() and
+      start = cqlClause.getArgument().flow().getAPredecessor*().(StringOps::Concatenation) and
       end = cqlClause.flow()
     )
     or
@@ -209,8 +209,8 @@ class CqlInjectionConfiguration extends TaintTracking::Configuration {
     exists(CqlClause cqlClause, PropWrite propWrite |
       (cqlClause instanceof CqlInsertClause or cqlClause instanceof CqlUpsertClause) and
       cqlClause.getArgument().flow() = propWrite.getBase() and
-      start = propWrite.getRhs() and
-      end = propWrite.getBase()
+      start = propWrite.getRhs().getAPredecessor*().(StringOps::Concatenation) and
+      end = cqlClause.flow()
     )
   }
 }