diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql index 800fc6db56414..8165366713db7 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql @@ -111,9 +111,11 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie ) } -from SpringBootPom pom, ApplicationProperties ap, Dependency d -where - hasConfidentialEndPointExposed(pom, ap) and - d = pom.getADependency() and - d.getArtifact().getValue() = "spring-boot-starter-actuator" -select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." +deprecated query predicate problems(Dependency d, string message) { + exists(SpringBootPom pom, ApplicationProperties ap | + hasConfidentialEndPointExposed(pom, ap) and + d = pom.getADependency() and + d.getArtifact().getValue() = "spring-boot-starter-actuator" + ) and + message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql index b700e691550fa..5743360742540 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql @@ -12,8 +12,9 @@ */ import java -import SpringBootActuators +deprecated import SpringBootActuators -from PermitAllCall permitAllCall -where permitAllCall.permitsSpringBootActuators() -select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed." +deprecated query predicate problems(PermitAllCall permitAllCall, string message) { + permitAllCall.permitsSpringBootActuators() and + message = "Unauthenticated access to Spring Boot actuator is allowed." +} 
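Review bot: The `deprecated` annotation on `problems` in InsecureSpringActuatorConfig.ql comes with no QLDoc saying why the query is deprecated or where its coverage goes. A team that still schedules this check cannot tell from the source whether it was superseded or simply retired. The same holds for every other `deprecated query predicate problems` in this commit and for the `deprecated module;` lines added to the .qll libraries (SpringBootActuators.qll, JFinalController.qll, CommandInjectionRuntimeExec.qll and the rest), including those whose existing QLDoc is left unchanged, such as MyBatisCommonLib.qll. I would put a comment such as `/** DEPRECATED: <reason, and the replacement query or library if there is one>. */` directly above each annotated declaration.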
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll index 195de7a1b8bec..881f2a131720f 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll @@ -1,3 +1,5 @@ +deprecated module; + import java /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */ diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql index b729aceffeec8..52ce11d272017 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql @@ -52,7 +52,13 @@ module Log4jInjectionConfig implements DataFlow::ConfigSig { */ module Log4jInjectionFlow = TaintTracking::Global; -from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink -where Log4jInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(), - "user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + Log4jInjectionFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Log4j log entry depends on a $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql index 19ce02635605c..b27db86b3b6da 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql 
@@ -53,11 +53,11 @@ module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig { module RemoteUrlToOpenStreamFlow = TaintTracking::Global; -from - RemoteUrlToOpenStreamFlow::PathNode source, RemoteUrlToOpenStreamFlow::PathNode sink, - MethodCall call -where +deprecated query predicate problems( + MethodCall call, RemoteUrlToOpenStreamFlow::PathNode source, + RemoteUrlToOpenStreamFlow::PathNode sink, string message +) { sink.getNode().asExpr() = call.getQualifier() and - RemoteUrlToOpenStreamFlow::flowPath(source, sink) -select call, source, sink, - "URL on which openStream is called may have been constructed from remote source." + RemoteUrlToOpenStreamFlow::flowPath(source, sink) and + message = "URL on which openStream is called may have been constructed from remote source." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql index 1c50f8304fc98..b25b4b055a73b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql @@ -17,7 +17,7 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.ExternalFlow import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.TaintedPathQuery -import JFinalController +deprecated import JFinalController import semmle.code.java.security.PathSanitizer private import semmle.code.java.security.Sanitizers import InjectFilePathFlow::PathGraph 
@@ -66,7 +66,13 @@ module InjectFilePathConfig implements DataFlow::ConfigSig { module InjectFilePathFlow = TaintTracking::Global; -from InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink -where InjectFilePathFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "External control of file name or path due to $@.", - source.getNode(), "user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + InjectFilePathFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "External control of file name or path due to $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll b/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll index 3951be1b56e85..07d7c3bfb6b6c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll @@ -1,3 +1,5 @@ +deprecated module; + import java private import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql index 60a28d2b252a4..a6921245c7dee 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql 
@@ -11,15 +11,24 @@ * external/cwe/cwe-078 */ -import CommandInjectionRuntimeExec -import ExecUserFlow::PathGraph +import semmle.code.java.dataflow.DataFlow +deprecated import CommandInjectionRuntimeExec +deprecated import ExecUserFlow::PathGraph -class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } +deprecated class ThreatModelSource extends Source instanceof ActiveThreatModelSource { } -from - ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd, - DataFlow::Node sinkCmd -where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd) -select sink, source, sink, - "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'", - sourceCmd, sourceCmd.toString(), source.getNode(), source.toString() +deprecated query predicate problems( + ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0, + string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode, + string message3 +) { + exists(DataFlow::Node sinkCmd | + callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd) and + sink0 = sink and + message1 = + "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and + message2 = sourceCmd.toString() and + sourceNode = source.getNode() and + message3 = source.toString() + ) +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll index 280d6608aada3..2bae2d838e45d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions import semmle.code.java.dataflow.DataFlow 
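Review bot: The body of `problems` in CommandInjectionRuntimeExec.ql is repeated token for token in CommandInjectionRuntimeExecLocal.ql; the two queries differ only in the `Source` subclass they declare (`ThreatModelSource` versus `LocalSource`). Both already import CommandInjectionRuntimeExec.qll, so the shared conjunction could live there as one deprecated helper predicate with the same eight parameters. Each query would then keep a one-line delegating `problems`, and the alert message and column order could not drift apart. If the duplication stays, a short comment on each copy, for example `// keep in sync with CommandInjectionRuntimeExecLocal.ql`, would at least flag it.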
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql index 037b331609d2c..d997a428b1763 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql @@ -12,15 +12,23 @@ * external/cwe/cwe-078 */ -import CommandInjectionRuntimeExec -import ExecUserFlow::PathGraph +deprecated import CommandInjectionRuntimeExec +deprecated import ExecUserFlow::PathGraph -class LocalSource extends Source instanceof LocalUserInput { } +deprecated class LocalSource extends Source instanceof LocalUserInput { } -from - ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd, - DataFlow::Node sinkCmd -where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd) -select sink, source, sink, - "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'", - sourceCmd, sourceCmd.toString(), source.getNode(), source.toString() +deprecated query predicate problems( + ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0, + string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode, + string message3 +) { + exists(DataFlow::Node sinkCmd | + callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd) and + sink0 = sink and + message1 = + "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and + message2 = sourceCmd.toString() and + sourceNode = source.getNode() and + message3 = source.toString() + ) +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql index 8e3c34c0dc4b6..c1dedb65cc986 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql 
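Review bot: CommandInjectionRuntimeExecLocal.ql names `DataFlow::Node` in the new `problems` signature but, unlike CommandInjectionRuntimeExec.ql, gets no direct `import semmle.code.java.dataflow.DataFlow`. The hunk starts at the end of the header comment, so the two `deprecated import` lines appear to be the file's only imports, and `DataFlow` would then resolve only through the deprecated library. Adding `import semmle.code.java.dataflow.DataFlow` above `deprecated import CommandInjectionRuntimeExec` would match the sibling query. JakartaExpressionInjection.ql has the same shape, while InsecureDexLoading.ql and SpringViewManipulation.ql did receive the direct import. I have not checked whether the compiler complains here; the point is consistency across the converted queries.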
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql @@ -13,6 +13,7 @@ */ import java +import semmle.code.java.dataflow.DataFlow import semmle.code.java.security.CommandLineQuery import InputToArgumentToExecFlow::PathGraph private import semmle.code.java.dataflow.ExternalFlow @@ -22,8 +23,13 @@ private class ActivateModels extends ActiveExperimentalModels { } // This is a clone of query `java/command-line-injection` that also includes experimental sinks. -from - InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg -where execIsTainted(source, sink, execArg) -select execArg, source, sink, "This command line depends on a $@.", source.getNode(), - "user-provided value" +deprecated query predicate problems( + Expr execArg, InputToArgumentToExecFlow::PathNode source, + InputToArgumentToExecFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { + execIsTainted(source, sink, execArg) and + message1 = "This command line depends on a $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql index a67d0e06f1617..9d592e3a89f8a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql 
@@ -13,14 +13,14 @@ */ import java -import MyBatisCommonLib -import MyBatisAnnotationSqlInjectionLib +deprecated import MyBatisCommonLib +deprecated import MyBatisAnnotationSqlInjectionLib import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking private import semmle.code.java.security.Sanitizers -import MyBatisAnnotationSqlInjectionFlow::PathGraph +deprecated import MyBatisAnnotationSqlInjectionFlow::PathGraph -private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig { +deprecated private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument } 
@@ -37,22 +37,27 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi } } -private module MyBatisAnnotationSqlInjectionFlow = +deprecated private module MyBatisAnnotationSqlInjectionFlow = TaintTracking::Global; -from - MyBatisAnnotationSqlInjectionFlow::PathNode source, - MyBatisAnnotationSqlInjectionFlow::PathNode sink, IbatisSqlOperationAnnotation isoa, - MethodCall ma, string unsafeExpression -where - MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and - ma.getAnArgument() = sink.getNode().asExpr() and - myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and - unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and - ( - isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression) or - isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression) - ) -select sink.getNode(), source, sink, - "MyBatis annotation SQL injection might include code from $@ to $@.", source.getNode(), - "this user input", isoa, "this SQL operation" +deprecated query predicate problems( + DataFlow::Node sinkNode, MyBatisAnnotationSqlInjectionFlow::PathNode source, + MyBatisAnnotationSqlInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2, IbatisSqlOperationAnnotation isoa, string message3 +) { + exists(MethodCall ma, string unsafeExpression | + MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and + ma.getAnArgument() = sinkNode.asExpr() and + myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and + unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and + ( + isMybatisXmlOrAnnotationSqlInjection(sinkNode, ma, unsafeExpression) or + isMybatisCollectionTypeSqlInjection(sinkNode, ma, unsafeExpression) + ) + ) and + sinkNode = sink.getNode() and + message1 = "MyBatis annotation SQL injection might include code from $@ to $@." and + sourceNode = source.getNode() and + message2 = "this user input" and + message3 = "this SQL operation" +} 
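Review bot: In MyBatisAnnotationSqlInjection.ql, `sinkNode` is used three times inside the `exists` block, but the line that ties it to the reported path, `sinkNode = sink.getNode()`, only appears after the block. Conjunct order does not change what a QL predicate holds for, so the results should match the old select. A reader still has to reach the end of the predicate to learn that `sinkNode` is the sink of the path. I would move `sinkNode = sink.getNode() and` to the first line of the body, directly before `exists(MethodCall ma, string unsafeExpression |`. The second hunk of MyBatisMapperXmlSqlInjection.ql is written the same way.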
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll index a8a871c3710d7..cfc4a37a0c492 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll @@ -1,6 +1,7 @@ /** * Provides classes for SQL injection detection regarding MyBatis annotated methods. */ +deprecated module; import java import MyBatisCommonLib diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll index 9a0a8232c0428..be635b5987f22 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll @@ -1,6 +1,7 @@ /** * Provides public classes for MyBatis SQL injection detection. */ +deprecated module; import java import semmle.code.xml.MyBatisMapperXML diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql index 7597f0f67a579..a18cccd57376c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql 
@@ -13,14 +13,14 @@ */ import java -import MyBatisCommonLib -import MyBatisMapperXmlSqlInjectionLib +deprecated import MyBatisCommonLib +deprecated import MyBatisMapperXmlSqlInjectionLib import semmle.code.xml.MyBatisMapperXML import semmle.code.java.dataflow.FlowSources private import semmle.code.java.security.Sanitizers -import MyBatisMapperXmlSqlInjectionFlow::PathGraph +deprecated import MyBatisMapperXmlSqlInjectionFlow::PathGraph -private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig { +deprecated private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument } 
@@ -37,24 +37,29 @@ private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig } } -private module MyBatisMapperXmlSqlInjectionFlow = +deprecated private module MyBatisMapperXmlSqlInjectionFlow = TaintTracking::Global; -from - MyBatisMapperXmlSqlInjectionFlow::PathNode source, - MyBatisMapperXmlSqlInjectionFlow::PathNode sink, MyBatisMapperXmlElement mmxe, MethodCall ma, - string unsafeExpression -where - MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and - ma.getAnArgument() = sink.getNode().asExpr() and - myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and - unsafeExpression = getAMybatisXmlSetValue(mmxe) and - ( - isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression) - or - mmxe instanceof MyBatisMapperForeach and - isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression) - ) -select sink.getNode(), source, sink, - "MyBatis Mapper XML SQL injection might include code from $@ to $@.", source.getNode(), - "this user input", mmxe, "this SQL operation" +deprecated query predicate problems( + DataFlow::Node sinkNode, MyBatisMapperXmlSqlInjectionFlow::PathNode source, + MyBatisMapperXmlSqlInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2, MyBatisMapperXmlElement mmxe, string message3 +) { + exists(MethodCall ma, string unsafeExpression | + MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and + ma.getAnArgument() = sinkNode.asExpr() and + myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and + unsafeExpression = getAMybatisXmlSetValue(mmxe) and + ( + isMybatisXmlOrAnnotationSqlInjection(sinkNode, ma, unsafeExpression) + or + mmxe instanceof MyBatisMapperForeach and + isMybatisCollectionTypeSqlInjection(sinkNode, ma, unsafeExpression) + ) + ) and + sinkNode = sink.getNode() and + message1 = "MyBatis Mapper XML SQL injection might include code from $@ to $@." 
and + sourceNode = source.getNode() and + message2 = "this user input" and + message3 = "this SQL operation" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll index a6852a5c7f950..41ededc7b93e4 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll @@ -1,6 +1,7 @@ /** * Provide classes for SQL injection detection in MyBatis Mapper XML. */ +deprecated module; import java import semmle.code.xml.MyBatisMapperXML diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql index 75ef4e6fec276..25ee1ce0f55ed 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql @@ -12,12 +12,12 @@ */ import java -import BeanShellInjection +deprecated import BeanShellInjection import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking -import BeanShellInjectionFlow::PathGraph +deprecated import BeanShellInjectionFlow::PathGraph -module BeanShellInjectionConfig implements DataFlow::ConfigSig { +deprecated module BeanShellInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink } 
@@ -41,9 +41,15 @@ module BeanShellInjectionConfig implements DataFlow::ConfigSig { } } -module BeanShellInjectionFlow = TaintTracking::Global; +deprecated module BeanShellInjectionFlow = TaintTracking::Global; -from BeanShellInjectionFlow::PathNode source, BeanShellInjectionFlow::PathNode sink -where BeanShellInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "BeanShell injection from $@.", source.getNode(), - "this user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, BeanShellInjectionFlow::PathNode source, + BeanShellInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2 +) { + BeanShellInjectionFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "BeanShell injection from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll index be61f876dc9b2..2ba2ae14488c6 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll b/java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll index e4c60daaebd4b..471dde94daa24 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql index dec65f09c663e..4c1bbdd26ec92 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql 
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql @@ -12,10 +12,17 @@ */ import java -import InsecureDexLoading -import InsecureDexFlow::PathGraph +import semmle.code.java.dataflow.DataFlow +deprecated import InsecureDexLoading +deprecated import InsecureDexFlow::PathGraph -from InsecureDexFlow::PathNode source, InsecureDexFlow::PathNode sink -where InsecureDexFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.", - source.getNode(), "a value loaded from a world-writable source." +deprecated query predicate problems( + DataFlow::Node sinkNode, InsecureDexFlow::PathNode source, InsecureDexFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + InsecureDexFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Potential arbitrary code execution due to $@." and + sourceNode = source.getNode() and + message2 = "a value loaded from a world-writable source." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll index ac19588488468..20db5b954347b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql index 500c6dabca9c9..eafe852cca608 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql 
@@ -12,12 +12,12 @@ */ import java -import JShellInjection +deprecated import JShellInjection import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking -import JShellInjectionFlow::PathGraph +deprecated import JShellInjectionFlow::PathGraph -module JShellInjectionConfig implements DataFlow::ConfigSig { +deprecated module JShellInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof JShellInjectionSink } @@ -33,9 +33,15 @@ module JShellInjectionConfig implements DataFlow::ConfigSig { } } -module JShellInjectionFlow = TaintTracking::Global; +deprecated module JShellInjectionFlow = TaintTracking::Global; -from JShellInjectionFlow::PathNode source, JShellInjectionFlow::PathNode sink -where JShellInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "JShell injection from $@.", source.getNode(), - "this user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, JShellInjectionFlow::PathNode source, JShellInjectionFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + JShellInjectionFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "JShell injection from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.qll index 99fcb03e77d8a..5050bfa10bf10 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.FlowSources 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql index 994fcc7630fb2..feb6dd2270f1f 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql @@ -12,10 +12,17 @@ */ import java -import JakartaExpressionInjectionLib -import JakartaExpressionInjectionFlow::PathGraph +deprecated import JakartaExpressionInjectionLib +deprecated import JakartaExpressionInjectionFlow::PathGraph -from JakartaExpressionInjectionFlow::PathNode source, JakartaExpressionInjectionFlow::PathNode sink -where JakartaExpressionInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Jakarta Expression Language injection from $@.", - source.getNode(), "this user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, JakartaExpressionInjectionFlow::PathNode source, + JakartaExpressionInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { + JakartaExpressionInjectionFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Jakarta Expression Language injection from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll index 85a1dd11dad07..1f8e5e69cab8d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import FlowUtils import semmle.code.java.dataflow.FlowSources 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql index cc919385ba4c9..ccdff05cb34d0 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql @@ -114,7 +114,13 @@ module CodeInjectionConfig implements DataFlow::ConfigSig { */ module CodeInjectionFlow = TaintTracking::Global; -from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink -where CodeInjectionFlow::flowPath(source, sink) -select sink.getNode().(CodeInjectionSink).getMethodCall(), source, sink, "Jython evaluate $@.", - source.getNode(), "user input" +deprecated query predicate problems( + MethodCall sinkCall, CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + CodeInjectionFlow::flowPath(source, sink) and + sinkCall = sink.getNode().(CodeInjectionSink).getMethodCall() and + message1 = "Jython evaluate $@." and + sourceNode = source.getNode() and + message2 = "user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql index 6f8f7ec1cb376..c85c67422b81e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql 
@@ -142,7 +142,13 @@ module ScriptInjectionConfig implements DataFlow::ConfigSig { module ScriptInjectionFlow = TaintTracking::Global; -from ScriptInjectionFlow::PathNode source, ScriptInjectionFlow::PathNode sink -where ScriptInjectionFlow::flowPath(source, sink) -select sink.getNode().(ScriptInjectionSink).getMethodCall(), source, sink, - "Java Script Engine evaluate $@.", source.getNode(), "user input" +deprecated query predicate problems( + MethodCall sinkCall, ScriptInjectionFlow::PathNode source, ScriptInjectionFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + ScriptInjectionFlow::flowPath(source, sink) and + sinkCall = sink.getNode().(ScriptInjectionSink).getMethodCall() and + message1 = "Java Script Engine evaluate $@." and + sourceNode = source.getNode() and + message2 = "user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringFrameworkLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/SpringFrameworkLib.qll index baf0fbd034a96..b569c7c11dc51 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringFrameworkLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringFrameworkLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.DataFlow diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql b/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql index a99664f49f0c4..faef29d1fde67 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql 
@@ -11,9 +11,9 @@ */ import java -import SpringViewManipulationLib +deprecated import SpringViewManipulationLib -private predicate canResultInImplicitViewConversion(Method m) { +deprecated private predicate canResultInImplicitViewConversion(Method m) { m.getReturnType() instanceof VoidType or m.getReturnType() instanceof MapType @@ -31,7 +31,7 @@ private predicate maybeATestMethod(Method m) { ) } -private predicate mayBeExploitable(Method m) { +deprecated private predicate mayBeExploitable(Method m) { // There should be a attacker controlled parameter in the URI for the attack to be exploitable. // This is possible only when there exists a parameter with the Spring `@PathVariable` annotation // applied to it. @@ -48,8 +48,7 @@ private predicate mayBeExploitable(Method m) { not maybeATestMethod(m) } -from SpringRequestMappingMethod m -where +deprecated query predicate problems(SpringRequestMappingMethod m, string message) { thymeleafIsUsed() and mayBeExploitable(m) and canResultInImplicitViewConversion(m) and @@ -61,5 +60,6 @@ where m.getAnAnnotation().getType() instanceof SpringRequestMappingAnnotationType and not m.getAnAnnotation().getType() instanceof SpringResponseBodyAnnotationType and // `@RestController` inherits `@ResponseBody` internally so it should be ignored. - not m.getDeclaringType() instanceof SpringRestController -select m, "This method may be vulnerable to spring view manipulation vulnerabilities." + not m.getDeclaringType() instanceof SpringRestController and + message = "This method may be vulnerable to spring view manipulation vulnerabilities." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql index bcf8831f26071..d9705e7c304be 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql 
@@ -11,12 +11,19 @@ */ import java -import SpringViewManipulationLib -import SpringViewManipulationFlow::PathGraph +import semmle.code.java.dataflow.DataFlow +deprecated import SpringViewManipulationLib +deprecated import SpringViewManipulationFlow::PathGraph -from SpringViewManipulationFlow::PathNode source, SpringViewManipulationFlow::PathNode sink -where +deprecated query predicate problems( + DataFlow::Node sinkNode, SpringViewManipulationFlow::PathNode source, + SpringViewManipulationFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { thymeleafIsUsed() and - SpringViewManipulationFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Potential Spring Expression Language injection from $@.", - source.getNode(), "this user input" + SpringViewManipulationFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Potential Spring Expression Language injection from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll index 0771db5ee32b6..5d65431b415af 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll @@ -1,6 +1,7 @@ /** * Provides classes for reasoning about Spring View Manipulation vulnerabilities */ +deprecated module; import java import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql index 4cf82d267148f..63b818e53a3d8 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql 
@@ -21,7 +21,8 @@ private class HttpOnlyConfig extends WebContextParameter { predicate isHttpOnlySet() { this.getParamValueElementValue().toLowerCase() = "false" } } -from HttpOnlyConfig config -where config.isHttpOnlySet() -select config, - "'httpOnly' should be enabled in tomcat config file to help mitigate cross-site scripting (XSS) attacks." +deprecated query predicate problems(HttpOnlyConfig config, string message) { + config.isHttpOnlySet() and + message = + "'httpOnly' should be enabled in tomcat config file to help mitigate cross-site scripting (XSS) attacks." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql index 495ed7a4ba5bf..fa5237d32bb9a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql @@ -212,7 +212,13 @@ module MissingHttpOnlyConfig implements DataFlow::ConfigSig { module MissingHttpOnlyFlow = TaintTracking::Global; -from MissingHttpOnlyFlow::PathNode source, MissingHttpOnlyFlow::PathNode sink -where MissingHttpOnlyFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "$@ doesn't have the HttpOnly flag set.", source.getNode(), - "This sensitive cookie" +deprecated query predicate problems( + DataFlow::Node sinkNode, MissingHttpOnlyFlow::PathNode source, MissingHttpOnlyFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + MissingHttpOnlyFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "$@ doesn't have the HttpOnly flag set." and + sourceNode = source.getNode() and + message2 = "This sensitive cookie" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSink.qll b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSink.qll index ba6c895dc8f73..2472637241fd7 100644 
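Review bot: In InsecureTomcatConfig.ql the new `problems` predicate reports a config when `config.isHttpOnlySet()` holds, but that predicate (a context line of this hunk) holds when the parameter value lower-cases to `"false"`, so its name says the opposite of what triggers the alert. A QLDoc line on it would keep a later reader from inverting the check, for example `/** Holds if this parameter is explicitly set to "false", i.e. HttpOnly is disabled. */`. The class `HttpOnlyConfig` starts outside the hunk, so which parameter it matches is not visible here.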
--- a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSink.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSink.qll @@ -1,4 +1,5 @@ /** Provides Android sink models related to file creation. */ +deprecated module; import java import semmle.code.java.dataflow.DataFlow diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll index 83cb3a3fda01a..03cabcfbaaa02 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll @@ -1,4 +1,5 @@ /** Provides summary models relating to file content inputs of Android. */ +deprecated module; import java import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll index 0f95923219426..bd898df205a81 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll @@ -1,4 +1,5 @@ /** Provides Android methods relating to web resource response. */ +deprecated module; import java private import semmle.code.java.dataflow.DataFlow diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql index 1a5a97a8691a9..7c12d79027fd0 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql 
@@ -15,10 +15,10 @@ import semmle.code.java.controlflow.Guards import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking import semmle.code.java.security.PathSanitizer -import AndroidWebResourceResponse -import InsecureWebResourceResponseFlow::PathGraph +deprecated import AndroidWebResourceResponse +deprecated import InsecureWebResourceResponseFlow::PathGraph -module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig { +deprecated module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node src) { src instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof WebResourceResponseSink } @@ -26,10 +26,17 @@ module InsecureWebResourceResponseConfig implements DataFlow::ConfigSig { predicate isBarrier(DataFlow::Node node) { node instanceof PathInjectionSanitizer } } -module InsecureWebResourceResponseFlow = TaintTracking::Global; +deprecated module InsecureWebResourceResponseFlow = + TaintTracking::Global; -from - InsecureWebResourceResponseFlow::PathNode source, InsecureWebResourceResponseFlow::PathNode sink -where InsecureWebResourceResponseFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Leaking arbitrary content in Android from $@.", - source.getNode(), "this user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, InsecureWebResourceResponseFlow::PathNode source, + InsecureWebResourceResponseFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { + InsecureWebResourceResponseFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Leaking arbitrary content in Android from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql b/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql index 106782187c502..5bfd5c194349d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql @@ -12,9 +12,9 @@ import java import semmle.code.java.controlflow.Guards -import AndroidFileIntentSink -import AndroidFileIntentSource -import AndroidFileLeakFlow::PathGraph +deprecated import AndroidFileIntentSink +deprecated import AndroidFileIntentSource +deprecated import AndroidFileLeakFlow::PathGraph private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) { exists(MethodCall ma | @@ -25,7 +25,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) { ) } -module AndroidFileLeakConfig implements DataFlow::ConfigSig { +deprecated module AndroidFileLeakConfig implements DataFlow::ConfigSig { /** * Holds if `src` is a read of some Intent-typed variable guarded by a check like * `requestCode == someCode`, where `requestCode` is the first 
@@ -75,9 +75,15 @@ module AndroidFileLeakConfig implements DataFlow::ConfigSig { } } -module AndroidFileLeakFlow = TaintTracking::Global; +deprecated module AndroidFileLeakFlow = TaintTracking::Global; -from AndroidFileLeakFlow::PathNode source, AndroidFileLeakFlow::PathNode sink -where AndroidFileLeakFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Leaking arbitrary Android file from $@.", source.getNode(), - "this user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, AndroidFileLeakFlow::PathNode source, AndroidFileLeakFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + AndroidFileLeakFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Leaking arbitrary Android file from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll index 5972db6749555..2fb6de113b76c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll @@ -1,6 +1,7 @@ /** * Provides classes and predicates for queries that detect timing attacks. */ +deprecated module; import semmle.code.java.controlflow.Guards import semmle.code.java.dataflow.TaintTracking diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql b/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql index fd22bec972bbf..925652d2fd06e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql 
@@ -14,12 +14,18 @@ */ import java -import NonConstantTimeCheckOnSignatureQuery -import NonConstantTimeCryptoComparisonFlow::PathGraph +import semmle.code.java.dataflow.DataFlow +deprecated import NonConstantTimeCheckOnSignatureQuery +deprecated import NonConstantTimeCryptoComparisonFlow::PathGraph -from - NonConstantTimeCryptoComparisonFlow::PathNode source, - NonConstantTimeCryptoComparisonFlow::PathNode sink -where NonConstantTimeCryptoComparisonFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Possible timing attack against $@ validation.", source, - source.getNode().(CryptoOperationSource).getCall().getResultType() +deprecated query predicate problems( + DataFlow::Node sinkNode, NonConstantTimeCryptoComparisonFlow::PathNode source, + NonConstantTimeCryptoComparisonFlow::PathNode sink, string message1, + NonConstantTimeCryptoComparisonFlow::PathNode source0, string message2 +) { + NonConstantTimeCryptoComparisonFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Possible timing attack against $@ validation." and + source = source0 and + message2 = source.getNode().(CryptoOperationSource).getCall().getResultType() +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql index 05b91bf7f9d11..ebb8ebafa3ed6 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql 
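Review bot: The `source0` parameter of `problems` in PossibleTimingAttackAgainstSignature.ql is unexplained: the body only equates it with `source` (`source = source0`), apparently so that the `$@` placeholder keeps linking to the path node as the old `select` did. A short QLDoc comment on the predicate, saying that the fifth column deliberately repeats `source` as the link target of `message1`, would stop someone from "simplifying" it away and changing the result shape. The same applies to the `problems` predicate in TimingAttackAgainstSignature.ql. There, `sinkNode.(NonConstantTimeComparisonSink).includesUserInput()` also appears before `sinkNode = sink.getNode()`, which is equivalent in QL but reads more easily with the binding first.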
@@ -65,7 +65,14 @@ module NonConstantTimeComparisonConfig implements DataFlow::ConfigSig { module NonConstantTimeComparisonFlow = TaintTracking::Global; -from NonConstantTimeComparisonFlow::PathNode source, NonConstantTimeComparisonFlow::PathNode sink -where NonConstantTimeComparisonFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Possible timing attack against $@ validation.", - source.getNode(), "client-supplied token" +deprecated query predicate problems( + DataFlow::Node sinkNode, NonConstantTimeComparisonFlow::PathNode source, + NonConstantTimeComparisonFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { + NonConstantTimeComparisonFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Possible timing attack against $@ validation." and + sourceNode = source.getNode() and + message2 = "client-supplied token" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql index b1817ab8fe6e8..2b79fb7a17c71 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql 
@@ -15,17 +15,22 @@ */ import java -import NonConstantTimeCheckOnSignatureQuery -import NonConstantTimeCryptoComparisonFlow::PathGraph +import semmle.code.java.dataflow.DataFlow +deprecated import NonConstantTimeCheckOnSignatureQuery +deprecated import NonConstantTimeCryptoComparisonFlow::PathGraph -from - NonConstantTimeCryptoComparisonFlow::PathNode source, - NonConstantTimeCryptoComparisonFlow::PathNode sink -where +deprecated query predicate problems( + DataFlow::Node sinkNode, NonConstantTimeCryptoComparisonFlow::PathNode source, + NonConstantTimeCryptoComparisonFlow::PathNode sink, string message1, + NonConstantTimeCryptoComparisonFlow::PathNode source0, string message2 +) { NonConstantTimeCryptoComparisonFlow::flowPath(source, sink) and ( source.getNode().(CryptoOperationSource).includesUserInput() and - sink.getNode().(NonConstantTimeComparisonSink).includesUserInput() - ) -select sink.getNode(), source, sink, "Timing attack against $@ validation.", source, - source.getNode().(CryptoOperationSource).getCall().getResultType() + sinkNode.(NonConstantTimeComparisonSink).includesUserInput() + ) and + sinkNode = sink.getNode() and + message1 = "Timing attack against $@ validation." and + source = source0 and + message2 = source.getNode().(CryptoOperationSource).getCall().getResultType() +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql index e8a127b64d5bc..48c49d5c071d7 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql 
@@ -83,9 +83,9 @@ private module JxBrowserFlowConfig implements DataFlow::ConfigSig { private module JxBrowserFlow = DataFlow::Global; -from DataFlow::Node src -where +deprecated query predicate problems(DataFlow::Node src, string message) { JxBrowserFlowConfig::isSource(src) and not JxBrowserFlow::flow(src, _) and - not isSafeJxBrowserVersion() -select src, "This JxBrowser instance may not check HTTPS certificates." + not isSafeJxBrowserVersion() and + message = "This JxBrowser instance may not check HTTPS certificates." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql index 9ae5d439743f2..981d2287c03da 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql @@ -25,6 +25,7 @@ private class HostnameVerificationCall extends MethodCall { predicate isIgnored() { this instanceof ValueDiscardingExpr } } -from HostnameVerificationCall verification -where verification.isIgnored() -select verification, "Ignored result of hostname verification." +deprecated query predicate problems(HostnameVerificationCall verification, string message) { + verification.isIgnored() and + message = "Ignored result of hostname verification." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql index 0004f691c6c63..ba860a1309f03 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql 
@@ -104,8 +104,8 @@ predicate isInsecureSslEndpoint(MethodCall ma) { ) } -from MethodCall ma -where +deprecated query predicate problems(MethodCall ma, string message) { isInsecureSslEndpoint(ma) and - not isTestMethod(ma) -select ma, "LDAPS configuration allows insecure endpoint identification." + not isTestMethod(ma) and + message = "LDAPS configuration allows insecure endpoint identification." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql b/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql index e8e8a9424cfe1..6b28c0bc068ed 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql @@ -12,9 +12,14 @@ */ import java -import RevocationCheckingLib -import DisabledRevocationCheckingFlow::PathGraph +deprecated import RevocationCheckingLib +deprecated import DisabledRevocationCheckingFlow::PathGraph -from DisabledRevocationCheckingFlow::PathNode source, DisabledRevocationCheckingFlow::PathNode sink -where DisabledRevocationCheckingFlow::flowPath(source, sink) -select source.getNode(), source, sink, "This disables revocation checking." +deprecated query predicate problems( + DataFlow::Node sourceNode, DisabledRevocationCheckingFlow::PathNode source, + DisabledRevocationCheckingFlow::PathNode sink, string message +) { + DisabledRevocationCheckingFlow::flowPath(source, sink) and + sourceNode = source.getNode() and + message = "This disables revocation checking." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-299/RevocationCheckingLib.qll b/java/ql/src/experimental/Security/CWE/CWE-299/RevocationCheckingLib.qll index 50dc249a9eacb..c664e9e7771c1 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-299/RevocationCheckingLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-299/RevocationCheckingLib.qll 
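Review bot: The new `problems` signature in DisabledRevocationChecking.ql uses `DataFlow::Node`, but this hunk adds no DataFlow import. The name appears to resolve only through `deprecated import RevocationCheckingLib`, which shows `import DataFlow` in its own hunk. SpringViewManipulation.ql and PossibleTimingAttackAgainstSignature.ql add `import semmle.code.java.dataflow.DataFlow` explicitly for the same purpose. Doing so here, and in UnsafeTlsVersion.ql, which relies on `deprecated import SslLib` in the same way, would keep the queries compiling if the deprecated libraries are later removed or stop re-exporting it.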
@@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.FlowSources import DataFlow diff --git a/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql b/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql index 3ad23de68595c..a5d17250491b8 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql @@ -78,12 +78,14 @@ predicate isCreatingSafeAzureClientSideEncryptionObject(Call call, Class c, Expr ) } -from Expr e, Class c -where - exists(Expr argVersion | - isCreatingAzureClientSideEncryptionObjectNewVersion(e, c, argVersion) and - not isCreatingSafeAzureClientSideEncryptionObject(e, c, argVersion) - ) - or - isCreatingOutdatedAzureClientSideEncryptionObject(e, c) -select e, "Unsafe usage of v1 version of Azure Storage client-side encryption." +deprecated query predicate problems(Expr e, string message) { + exists(Class c | + exists(Expr argVersion | + isCreatingAzureClientSideEncryptionObjectNewVersion(e, c, argVersion) and + not isCreatingSafeAzureClientSideEncryptionObject(e, c, argVersion) + ) + or + isCreatingOutdatedAzureClientSideEncryptionObject(e, c) + ) and + message = "Unsafe usage of v1 version of Azure Storage client-side encryption." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll index d39220990d33b..3b3ad279d0c4d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.security.Encryption import semmle.code.java.dataflow.TaintTracking 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql b/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql index 263ea077d5c55..25131c5042a7a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql @@ -12,10 +12,16 @@ */ import java -import SslLib -import UnsafeTlsVersionFlow::PathGraph +deprecated import SslLib +deprecated import UnsafeTlsVersionFlow::PathGraph -from UnsafeTlsVersionFlow::PathNode source, UnsafeTlsVersionFlow::PathNode sink -where UnsafeTlsVersionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "$@ is unsafe.", source.getNode(), - source.getNode().asExpr().(StringLiteral).getValue() +deprecated query predicate problems( + DataFlow::Node sinkNode, UnsafeTlsVersionFlow::PathNode source, + UnsafeTlsVersionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2 +) { + UnsafeTlsVersionFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "$@ is unsafe." and + sourceNode = source.getNode() and + message2 = source.getNode().asExpr().(StringLiteral).getValue() +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql index 3c450d4e04c12..ef95db6f6c534 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql 
@@ -81,9 +81,14 @@ private module CorsOriginConfig implements DataFlow::ConfigSig { private module CorsOriginFlow = TaintTracking::Global; -from CorsOriginFlow::PathNode source, CorsOriginFlow::PathNode sink -where +deprecated query predicate problems( + DataFlow::Node sinkNode, CorsOriginFlow::PathNode source, CorsOriginFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { CorsOriginFlow::flowPath(source, sink) and - not CorsSourceReachesCheckFlow::flow(source.getNode(), _) -select sink.getNode(), source, sink, "CORS header is being set using user controlled value $@.", - source.getNode(), "user-provided value" + not CorsSourceReachesCheckFlow::flow(sourceNode, _) and + sinkNode = sink.getNode() and + message1 = "CORS header is being set using user controlled value $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql index f5a93b4c6c0e1..778939887f0e6 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql @@ -12,9 +12,9 @@ import java import semmle.code.java.dataflow.FlowSources -import JwtAuth0 as JwtAuth0 +deprecated import JwtAuth0 as JwtAuth0 -module JwtDecodeConfig implements DataFlow::ConfigSig { +deprecated module JwtDecodeConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and not FlowToJwtVerify::flow(source, _) 
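Review bot: In UnvalidatedCors.ql the suppression `not CorsSourceReachesCheckFlow::flow(sourceNode, _)` now uses `sourceNode` three conjuncts before `sourceNode = source.getNode()` binds it. That is equivalent in QL, but placing the binding first (or keeping `source.getNode()` in the negation) makes the filter easier to audit. It would also be worth a comment that the filter removes every alert whose source reaches any check, not only those where the check guards this particular sink, for example `// Note: suppresses the source entirely if it reaches a check anywhere; may hide unchecked paths.` The definition of `CorsSourceReachesCheckFlow` is outside the hunk, so how broad that is in practice cannot be confirmed from here.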
@@ -41,19 +41,25 @@ module JwtDecodeConfig implements DataFlow::ConfigSig { } } -module FlowToJwtVerifyConfig implements DataFlow::ConfigSig { +deprecated module FlowToJwtVerifyConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::Verify a).getArgument(0) } } -module JwtDecode = TaintTracking::Global; +deprecated module JwtDecode = TaintTracking::Global; -module FlowToJwtVerify = TaintTracking::Global; +deprecated module FlowToJwtVerify = TaintTracking::Global; -import JwtDecode::PathGraph +deprecated import JwtDecode::PathGraph -from JwtDecode::PathNode source, JwtDecode::PathNode sink -where JwtDecode::flowPath(source, sink) -select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.", - source.getNode(), "JWT" +deprecated query predicate problems( + DataFlow::Node sinkNode, JwtDecode::PathNode source, JwtDecode::PathNode sink, string message1, + DataFlow::Node sourceNode, string message2 +) { + JwtDecode::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "This parses a $@, but the signature is not verified." and + sourceNode = source.getNode() and + message2 = "JWT" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-347/JwtAuth0.qll b/java/ql/src/experimental/Security/CWE/CWE-347/JwtAuth0.qll index 323ccbadbf238..2f1dde4d76519 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-347/JwtAuth0.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-347/JwtAuth0.qll @@ -1,3 +1,5 @@ +deprecated module; + import java class PayloadType extends RefType { diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql index 91d3fc28744ea..05cfd814fc53e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql 
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql @@ -15,13 +15,13 @@ import java import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.Sanitizers -import ClientSuppliedIpUsedInSecurityCheckLib -import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph +deprecated import ClientSuppliedIpUsedInSecurityCheckLib +deprecated import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph /** * Taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use. */ -module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig { +deprecated module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ClientSuppliedIpUsedInSecurityCheck } @@ -43,12 +43,17 @@ module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig } } -module ClientSuppliedIpUsedInSecurityCheckFlow = +deprecated module ClientSuppliedIpUsedInSecurityCheckFlow = TaintTracking::Global; -from - ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source, - ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink -where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "IP address spoofing might include code from $@.", - source.getNode(), "this user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source, + ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink, string message1, + DataFlow::Node sourceNode, string message2 +) { + ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "IP address spoofing might include code from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} 
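Review bot: The alert text carried into `message1` in ClientSuppliedIpUsedInSecurityCheck.ql, `"IP address spoofing might include code from $@."`, does not describe what the configuration's doc comment says the query tracks, which is a client IP obtained from an HTTP header reaching a sensitive use. It reads like the JSONP message used in JsonpInjection.ql. Since the line is being rewritten anyway, something like `message1 = "Security check relies on a client-supplied IP address from $@." and` would tell a triager what to look at. Changing it would presumably require updating the query's expected test output, which is not part of the visible hunks.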
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll index 7896c49f5314e..42c5f989168df 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheckLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import DataFlow import semmle.code.java.frameworks.Networking diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll index c6d6e68300379..e3cd008b603c1 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql index ce5ba05b6196d..a555c4e99c98f 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql 
@@ -16,11 +16,11 @@ import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources import semmle.code.java.deadcode.WebEntryPoints import semmle.code.java.security.XSS -import JsonpInjectionLib -import RequestResponseFlow::PathGraph +deprecated import JsonpInjectionLib +deprecated import RequestResponseFlow::PathGraph /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */ -module RequestResponseFlowConfig implements DataFlow::ConfigSig { +deprecated module RequestResponseFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource and any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable()) @@ -38,11 +38,16 @@ module RequestResponseFlowConfig implements DataFlow::ConfigSig { } } -module RequestResponseFlow = TaintTracking::Global; +deprecated module RequestResponseFlow = TaintTracking::Global; -from RequestResponseFlow::PathNode source, RequestResponseFlow::PathNode sink -where +deprecated query predicate problems( + DataFlow::Node sinkNode, RequestResponseFlow::PathNode source, RequestResponseFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { RequestResponseFlow::flowPath(source, sink) and - JsonpInjectionFlow::flowTo(sink.getNode()) -select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(), - "this user input" + JsonpInjectionFlow::flowTo(sink.getNode()) and + sinkNode = sink.getNode() and + message1 = "Jsonp response might include code from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll index b0d2897ea54ee..1ed9877052282 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll 
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java private import JsonStringLib private import semmle.code.java.security.XSS diff --git a/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql b/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql index 51b6574fddc3b..00ea18bab2142 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql @@ -10,10 +10,10 @@ */ import java -import ThreadResourceAbuse +deprecated import ThreadResourceAbuse import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.FlowSources -import ThreadResourceAbuseFlow::PathGraph +deprecated import ThreadResourceAbuseFlow::PathGraph /** The `getInitParameter` method of servlet or JSF. */ class GetInitParameter extends Method { @@ -42,7 +42,7 @@ class InitParameterInput extends LocalUserInput { } /** Taint configuration of uncontrolled thread resource consumption from local user input. */ -module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { +deprecated module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput } predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink } 
@@ -63,9 +63,16 @@ module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { } } -module ThreadResourceAbuseFlow = TaintTracking::Global; +deprecated module ThreadResourceAbuseFlow = TaintTracking::Global; -from ThreadResourceAbuseFlow::PathNode source, ThreadResourceAbuseFlow::PathNode sink -where ThreadResourceAbuseFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Possible uncontrolled resource consumption due to $@.", - source.getNode(), "local user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, ThreadResourceAbuseFlow::PathNode source, + ThreadResourceAbuseFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { + ThreadResourceAbuseFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Possible uncontrolled resource consumption due to $@." and + sourceNode = source.getNode() and + message2 = "local user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql index 44af710990cf1..a2b72eda2a0e2 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql @@ -11,12 +11,12 @@ */ import java -import ThreadResourceAbuse +deprecated import ThreadResourceAbuse import semmle.code.java.dataflow.FlowSources -import ThreadResourceAbuseFlow::PathGraph +deprecated import ThreadResourceAbuseFlow::PathGraph /** Taint configuration of uncontrolled thread resource consumption. */ -module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { +deprecated module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof PauseThreadSink } 
@@ -37,10 +37,16 @@ module ThreadResourceAbuseConfig implements DataFlow::ConfigSig { } } -module ThreadResourceAbuseFlow = TaintTracking::Global; +deprecated module ThreadResourceAbuseFlow = TaintTracking::Global; -from ThreadResourceAbuseFlow::PathNode source, ThreadResourceAbuseFlow::PathNode sink -where ThreadResourceAbuseFlow::flowPath(source, sink) -select sink.getNode(), source, sink, - "Vulnerability of uncontrolled resource consumption due to $@.", source.getNode(), - "user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, ThreadResourceAbuseFlow::PathNode source, + ThreadResourceAbuseFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { + ThreadResourceAbuseFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Vulnerability of uncontrolled resource consumption due to $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll index bbdf36b506551..ce6de1a06798d 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll @@ -1,4 +1,5 @@ /** Provides sink models and classes related to pausing thread operations. */ +deprecated module; import java import semmle.code.java.dataflow.DataFlow diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql b/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql index 2279fa7d71f47..d328b79f5b155 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql 
@@ -82,7 +82,13 @@ module InsecureLoadFlow = TaintTracking::Global; import InsecureLoadFlow::PathGraph -from InsecureLoadFlow::PathNode source, InsecureLoadFlow::PathNode sink -where InsecureLoadFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Class loaded from a $@ without signature check", - source.getNode(), "third party library" +deprecated query predicate problems( + DataFlow::Node sinkNode, InsecureLoadFlow::PathNode source, InsecureLoadFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + InsecureLoadFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Class loaded from a $@ without signature check" and + sourceNode = source.getNode() and + message2 = "third party library" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql index f18355b1d9761..6cd7a69dd82af 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql @@ -13,11 +13,11 @@ import java import DataFlow -import UnsafeReflectionLib +deprecated import UnsafeReflectionLib import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.FlowSources import semmle.code.java.controlflow.Guards -import UnsafeReflectionFlow::PathGraph +deprecated import UnsafeReflectionFlow::PathGraph private predicate containsSanitizer(Guard g, Expr e, boolean branch) { g.(MethodCall).getMethod().hasName("contains") and @@ -31,7 +31,7 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) { branch = true } -module UnsafeReflectionConfig implements DataFlow::ConfigSig { +deprecated module UnsafeReflectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink } 
@@ -79,19 +79,25 @@ module UnsafeReflectionConfig implements DataFlow::ConfigSig { } } -module UnsafeReflectionFlow = TaintTracking::Global; +deprecated module UnsafeReflectionFlow = TaintTracking::Global; -private Expr getAMethodArgument(MethodCall reflectiveCall) { +deprecated private Expr getAMethodArgument(MethodCall reflectiveCall) { result = reflectiveCall.(NewInstance).getAnArgument() or result = reflectiveCall.(MethodInvokeCall).getAnArgument() } -from - UnsafeReflectionFlow::PathNode source, UnsafeReflectionFlow::PathNode sink, - MethodCall reflectiveCall -where - UnsafeReflectionFlow::flowPath(source, sink) and - sink.getNode().asExpr() = reflectiveCall.getQualifier() and - UnsafeReflectionFlow::flowToExpr(getAMethodArgument(reflectiveCall)) -select sink.getNode(), source, sink, "Unsafe reflection of $@.", source.getNode(), "user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, UnsafeReflectionFlow::PathNode source, + UnsafeReflectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2 +) { + exists(MethodCall reflectiveCall | + UnsafeReflectionFlow::flowPath(source, sink) and + sinkNode.asExpr() = reflectiveCall.getQualifier() and + UnsafeReflectionFlow::flowToExpr(getAMethodArgument(reflectiveCall)) + ) and + sinkNode = sink.getNode() and + message1 = "Unsafe reflection of $@." and + sourceNode = source.getNode() and + message2 = "user input" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll index ceaf5da51f5e7..27eea8a8f71ec 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import DataFlow import semmle.code.java.Reflection 
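Review bot: In the new `problems` predicate, `UnsafeReflectionFlow::flowPath(source, sink)` sits inside `exists(MethodCall reflectiveCall | ...)` although it never mentions `reflectiveCall`, and `sinkNode` is constrained inside the quantifier before `sinkNode = sink.getNode()` binds it afterwards. The result is the same, but it reads more clearly with the path condition and the `sinkNode` binding first and only the two `reflectiveCall` conjuncts quantified: `exists(MethodCall reflectiveCall | sinkNode.asExpr() = reflectiveCall.getQualifier() and UnsafeReflectionFlow::flowToExpr(getAMethodArgument(reflectiveCall)))`. A one-line comment stating that an alert needs taint reaching both the qualifier and an argument of the reflective call would also help the next reader.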
diff --git a/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql b/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql index 4bb636fe6a9e2..87885585955e9 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql @@ -12,10 +12,10 @@ import java import semmle.code.java.J2EE -import TestLib +deprecated import TestLib /** The `main` method in an Enterprise Java Bean. */ -class EnterpriseBeanMainMethod extends Method { +deprecated class EnterpriseBeanMainMethod extends Method { EnterpriseBeanMainMethod() { this.getDeclaringType() instanceof EnterpriseBean and this instanceof MainMethod and @@ -23,5 +23,6 @@ class EnterpriseBeanMainMethod extends Method { } } -from EnterpriseBeanMainMethod sm -select sm, "Java EE application has a main method." +deprecated query predicate problems(EnterpriseBeanMainMethod sm, string message) { + exists(sm) and message = "Java EE application has a main method." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-489/TestLib.qll b/java/ql/src/experimental/Security/CWE/CWE-489/TestLib.qll index e50f6c97f33af..1d20dc0db1e0c 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-489/TestLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-489/TestLib.qll @@ -1,4 +1,5 @@ /** Definitions related to test methods. */ +deprecated module; import java diff --git a/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql b/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql index 38e12700d1aba..01a96803d9018 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql @@ -12,7 +12,7 @@ import java import semmle.code.java.frameworks.Servlets -import TestLib +deprecated import TestLib /** The java type `javax.servlet.Filter`. */ class ServletFilterClass extends Class { 
@@ -32,7 +32,7 @@ class ServletListenerClass extends Class { } /** The `main` method in `Servlet` and `Action` of the Spring and Struts framework. */ -class WebComponentMainMethod extends Method { +deprecated class WebComponentMainMethod extends Method { WebComponentMainMethod() { ( this.getDeclaringType() instanceof ServletClass or @@ -54,5 +54,6 @@ class WebComponentMainMethod extends Method { } } -from WebComponentMainMethod sm -select sm, "Web application has a main method." +deprecated query predicate problems(WebComponentMainMethod sm, string message) { + exists(sm) and message = "Web application has a main method." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql b/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql index 96fd62e593cca..21c8536068a61 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql @@ -12,14 +12,14 @@ */ import java -import experimental.semmle.code.xml.StrutsXML +deprecated import experimental.semmle.code.xml.StrutsXML bindingset[path] predicate isLikelyDemoProject(string path) { path.regexpMatch("(?i).*(demo|test|example).*") } -from ConstantParameter c -where +deprecated query predicate problems(ConstantParameter c, string message) { c.getNameValue() = "struts.devMode" and c.getValueValue() = "true" and - not isLikelyDemoProject(c.getFile().getRelativePath()) -select c, "Enabling development mode in production environments is dangerous." + not isLikelyDemoProject(c.getFile().getRelativePath()) and + message = "Enabling development mode in production environments is dangerous." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql index fee9b86f1e89f..5573c9e0e1d13 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql 
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql @@ -73,6 +73,11 @@ private module BindingUnsafeRemoteObjectConfig implements DataFlow::ConfigSig { private module BindingUnsafeRemoteObjectFlow = TaintTracking::Global; -from BindingUnsafeRemoteObjectFlow::PathNode source, BindingUnsafeRemoteObjectFlow::PathNode sink -where BindingUnsafeRemoteObjectFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Unsafe deserialization in a remote object." +deprecated query predicate problems( + DataFlow::Node sinkNode, BindingUnsafeRemoteObjectFlow::PathNode source, + BindingUnsafeRemoteObjectFlow::PathNode sink, string message +) { + BindingUnsafeRemoteObjectFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message = "Unsafe deserialization in a remote object." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql index 28b164faa0d49..949ffee66e64b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql @@ -13,7 +13,7 @@ */ import java -import UnsafeSpringExporterLib +deprecated import UnsafeSpringExporterLib /** * Holds if `type` is a Spring configuration that declares beans. @@ -34,7 +34,7 @@ private predicate isConfigurationAnnotation(Annotation annotation) { /** * A method that initializes a unsafe bean based on `RemoteInvocationSerializingExporter`. */ -private class UnsafeBeanInitMethod extends Method { +deprecated private class UnsafeBeanInitMethod extends Method { string identifier; UnsafeBeanInitMethod() { 
@@ -54,6 +54,6 @@ private class UnsafeBeanInitMethod extends Method { string getBeanIdentifier() { result = identifier } } -from UnsafeBeanInitMethod method -select method, - "Unsafe deserialization in a Spring exporter bean '" + method.getBeanIdentifier() + "'." +deprecated query predicate problems(UnsafeBeanInitMethod method, string message) { + message = "Unsafe deserialization in a Spring exporter bean '" + method.getBeanIdentifier() + "'." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql index d580d98395070..1b570465f23ca 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql @@ -14,8 +14,9 @@ import java import semmle.code.java.frameworks.spring.SpringBean -import UnsafeSpringExporterLib +deprecated import UnsafeSpringExporterLib -from SpringBean bean -where isRemoteInvocationSerializingExporter(bean.getClass()) -select bean, "Unsafe deserialization in a Spring exporter bean '" + bean.getBeanIdentifier() + "'." +deprecated query predicate problems(SpringBean bean, string message) { + isRemoteInvocationSerializingExporter(bean.getClass()) and + message = "Unsafe deserialization in a Spring exporter bean '" + bean.getBeanIdentifier() + "'." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterLib.qll b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterLib.qll index f0fb8ad53d1eb..547fd3b6eb844 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java /** 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql index 23fa36330e759..d734d53054eca 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql @@ -12,10 +12,16 @@ */ import java -import experimental.semmle.code.java.security.DecompressionBombQuery -import DecompressionBombsFlow::PathGraph +deprecated import experimental.semmle.code.java.security.DecompressionBombQuery +deprecated import DecompressionBombsFlow::PathGraph -from DecompressionBombsFlow::PathNode source, DecompressionBombsFlow::PathNode sink -where DecompressionBombsFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "This file extraction depends on a $@.", source.getNode(), - "potentially untrusted source" +deprecated query predicate problems( + DataFlow::Node sinkNode, DecompressionBombsFlow::PathNode source, + DecompressionBombsFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2 +) { + DecompressionBombsFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "This file extraction depends on a $@." and + sourceNode = source.getNode() and + message2 = "potentially untrusted source" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql index 55c550921049d..c8e9ae38d8e53 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql 
@@ -46,6 +46,7 @@ class DirectoryListingInitParam extends WebXmlElement { } } -from DirectoryListingInitParam initp -where initp.isListingEnabled() -select initp, "Directory listing should be disabled to mitigate filename and path disclosure." +deprecated query predicate problems(DirectoryListingInitParam initp, string message) { + initp.isListingEnabled() and + message = "Directory listing should be disabled to mitigate filename and path disclosure." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql index 3c5d8e0185637..624d85f864191 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql @@ -21,17 +21,18 @@ */ import java -import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile +deprecated import experimental.semmle.code.java.frameworks.CredentialsInPropertiesFile /** * Holds if the credentials are in a non-production properties file indicated by: * a) in a non-production directory * b) with a non-production file name */ -predicate isNonProdCredentials(CredentialsConfig cc) { +deprecated predicate isNonProdCredentials(CredentialsConfig cc) { cc.getFile().getAbsolutePath().matches(["%dev%", "%test%", "%sample%"]) } -from CredentialsConfig cc -where not isNonProdCredentials(cc) -select cc, cc.getConfigDesc() +deprecated query predicate problems(CredentialsConfig cc, string message) { + not isNonProdCredentials(cc) and + message = cc.getConfigDesc() +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql b/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql index e13e69dfa6e9e..ee2ac39bfbbd6 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql 
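Review bot: `isNonProdCredentials` in the CredentialsInPropertiesFile.ql hunk matches `%dev%`, `%test%` and `%sample%` against `cc.getFile().getAbsolutePath()`, so the result depends on where the repository was checked out: a build under a directory whose name contains `dev` or `test` would suppress every credentials finding. devMode.ql in this same commit filters on `getRelativePath()`, and I would do the same here: `cc.getFile().getRelativePath().matches(["%dev%", "%test%", "%sample%"])`. Even then the substring match also hides files such as `device.properties`, which the QLDoc above the predicate should state as a known source of false negatives.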
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql @@ -33,20 +33,22 @@ predicate hasEmbeddedPassword(string value) { ) } -from XmlAttribute nameAttr -where - nameAttr.getName().toLowerCase() in ["password", "pwd"] and - not isNotPassword(nameAttr.getValue().trim()) // Attribute name "password" or "pwd" - or - exists( - XmlAttribute valueAttr // name/value pair like - | - valueAttr.getElement() = nameAttr.getElement() and - nameAttr.getName().toLowerCase() = "name" and - nameAttr.getValue().toLowerCase() in ["password", "pwd"] and - valueAttr.getName().toLowerCase() = "value" and - not isNotPassword(valueAttr.getValue().trim()) - ) - or - hasEmbeddedPassword(nameAttr.getValue().trim()) // Attribute value matches password pattern -select nameAttr, "Avoid plaintext passwords in configuration files." +deprecated query predicate problems(XmlAttribute nameAttr, string message) { + ( + nameAttr.getName().toLowerCase() in ["password", "pwd"] and + not isNotPassword(nameAttr.getValue().trim()) // Attribute name "password" or "pwd" + or + exists( + XmlAttribute valueAttr // name/value pair like + | + valueAttr.getElement() = nameAttr.getElement() and + nameAttr.getName().toLowerCase() = "name" and + nameAttr.getValue().toLowerCase() in ["password", "pwd"] and + valueAttr.getName().toLowerCase() = "value" and + not isNotPassword(valueAttr.getValue().trim()) + ) + or + hasEmbeddedPassword(nameAttr.getValue().trim()) // Attribute value matches password pattern + ) and + message = "Avoid plaintext passwords in configuration files." +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql index c46768dee2dfc..c661fad26f0ca 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql 
@@ -73,8 +73,13 @@ module SensitiveGetQueryConfig implements DataFlow::ConfigSig { module SensitiveGetQueryFlow = TaintTracking::Global; -from SensitiveGetQueryFlow::PathNode source, SensitiveGetQueryFlow::PathNode sink -where SensitiveGetQueryFlow::flowPath(source, sink) -select sink.getNode(), source, sink, - "$@ uses the GET request method to transmit sensitive information.", source.getNode(), - "This request" +deprecated query predicate problems( + DataFlow::Node sinkNode, SensitiveGetQueryFlow::PathNode source, + SensitiveGetQueryFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2 +) { + SensitiveGetQueryFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "$@ uses the GET request method to transmit sensitive information." and + sourceNode = source.getNode() and + message2 = "This request" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql index c318bd300f5b6..a77c6b21a8eae 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql 
@@ -74,7 +74,15 @@ module UncaughtServletExceptionConfig implements DataFlow::ConfigSig { module UncaughtServletExceptionFlow = TaintTracking::Global; -from UncaughtServletExceptionFlow::PathNode source, UncaughtServletExceptionFlow::PathNode sink -where UncaughtServletExceptionFlow::flowPath(source, sink) and not hasErrorPage() -select sink.getNode(), source, sink, "This value depends on a $@ and can throw uncaught exception.", - source.getNode(), "user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, UncaughtServletExceptionFlow::PathNode source, + UncaughtServletExceptionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, + string message2 +) { + UncaughtServletExceptionFlow::flowPath(source, sink) and + not hasErrorPage() and + sinkNode = sink.getNode() and + message1 = "This value depends on a $@ and can throw uncaught exception." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql index 8b300a0828847..ab875b7f18585 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql @@ -12,10 +12,10 @@ */ import java -import experimental.semmle.code.java.security.SpringUrlRedirect +deprecated import experimental.semmle.code.java.security.SpringUrlRedirect import semmle.code.java.dataflow.FlowSources import semmle.code.java.controlflow.Guards -import SpringUrlRedirectFlow::PathGraph +deprecated import SpringUrlRedirectFlow::PathGraph private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) { g.(MethodCall).getMethod().hasName("startsWith") and 
@@ -25,7 +25,7 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) { branch = true } -module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig { +deprecated module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink } @@ -60,9 +60,15 @@ module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig { } } -module SpringUrlRedirectFlow = TaintTracking::Global; +deprecated module SpringUrlRedirectFlow = TaintTracking::Global; -from SpringUrlRedirectFlow::PathNode source, SpringUrlRedirectFlow::PathNode sink -where SpringUrlRedirectFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.", - source.getNode(), "user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, SpringUrlRedirectFlow::PathNode source, + SpringUrlRedirectFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2 +) { + SpringUrlRedirectFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Potentially untrusted URL redirection due to $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql index 3f90cf2dea569..d7ce476ea257e 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql 
@@ -14,10 +14,16 @@ import java import semmle.code.java.dataflow.FlowSources -import MatchRegexFlow::PathGraph -import PermissiveDotRegexQuery +deprecated import MatchRegexFlow::PathGraph +deprecated import PermissiveDotRegexQuery -from MatchRegexFlow::PathNode source, MatchRegexFlow::PathNode sink -where MatchRegexFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "Potentially authentication bypass due to $@.", - source.getNode(), "user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, MatchRegexFlow::PathNode source, MatchRegexFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + MatchRegexFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Potentially authentication bypass due to $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll index 5f015732cb385..8fe997793f4ad 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll @@ -1,4 +1,5 @@ /** Provides classes related to security-centered regular expression matching. */ +deprecated module; import java private import semmle.code.java.dataflow.ExternalFlow diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll b/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll index 8287eb78fb2e1..e605f31a0b35a 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll @@ -1,4 +1,5 @@ /** Provides methods related to regular expression matching. */ +deprecated module; import java 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql index a758b86279d6a..561560220741b 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql @@ -13,13 +13,13 @@ import java import semmle.code.java.dataflow.FlowSources -import XQueryInjectionLib -import XQueryInjectionFlow::PathGraph +deprecated import XQueryInjectionLib +deprecated import XQueryInjectionFlow::PathGraph /** * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution. */ -module XQueryInjectionConfig implements DataFlow::ConfigSig { +deprecated module XQueryInjectionConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource } predicate isSink(DataFlow::Node sink) { @@ -39,9 +39,15 @@ module XQueryInjectionConfig implements DataFlow::ConfigSig { /** * Taint-tracking flow from remote sources, through an XQuery parser, to its eventual execution. */ -module XQueryInjectionFlow = TaintTracking::Global; +deprecated module XQueryInjectionFlow = TaintTracking::Global; -from XQueryInjectionFlow::PathNode source, XQueryInjectionFlow::PathNode sink -where XQueryInjectionFlow::flowPath(source, sink) -select sink.getNode(), source, sink, "XQuery query might include code from $@.", source.getNode(), - "this user input" +deprecated query predicate problems( + DataFlow::Node sinkNode, XQueryInjectionFlow::PathNode source, XQueryInjectionFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + XQueryInjectionFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "XQuery query might include code from $@." and + sourceNode = source.getNode() and + message2 = "this user input" +} 
diff --git a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll index a943f75449688..8cce99baabac8 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll @@ -1,3 +1,5 @@ +deprecated module; + import java /** A call to `XQConnection.prepareExpression`. */ diff --git a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql index f8a6514fb096b..41ec609639e66 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql @@ -83,9 +83,10 @@ string getRmiResult(Expr e) { "RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method." } -from Call c, Expr envArg -where +deprecated query predicate problems(Call c, string message1, Expr envArg, string message2) { (isRmiOrJmxServerCreateConstructor(c.getCallee()) or isRmiOrJmxServerCreateMethod(c.getCallee())) and envArg = c.getArgument(1) and - not SafeFlow::flowToExpr(envArg) -select c, getRmiResult(envArg), envArg, envArg.toString() + not SafeFlow::flowToExpr(envArg) and + message1 = getRmiResult(envArg) and + message2 = envArg.toString() +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql index c6737a11c3231..d14202e3109c5 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql 
@@ -42,8 +42,13 @@ module NfeLocalDoSConfig implements DataFlow::ConfigSig { module NfeLocalDoSFlow = TaintTracking::Global; -from NfeLocalDoSFlow::PathNode source, NfeLocalDoSFlow::PathNode sink -where NfeLocalDoSFlow::flowPath(source, sink) -select sink.getNode(), source, sink, - "Uncaught NumberFormatException in an exported Android component due to $@.", source.getNode(), - "user-provided value" +deprecated query predicate problems( + DataFlow::Node sinkNode, NfeLocalDoSFlow::PathNode source, NfeLocalDoSFlow::PathNode sink, + string message1, DataFlow::Node sourceNode, string message2 +) { + NfeLocalDoSFlow::flowPath(source, sink) and + sinkNode = sink.getNode() and + message1 = "Uncaught NumberFormatException in an exported Android component due to $@." and + sourceNode = source.getNode() and + message2 = "user-provided value" +} diff --git a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql index 97a8f50fa81e5..fd2957151a7ba 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql @@ -174,6 +174,14 @@ module HashWithoutSaltConfig implements DataFlow::ConfigSig { module HashWithoutSaltFlow = TaintTracking::Global; -from HashWithoutSaltFlow::PathNode source, HashWithoutSaltFlow::PathNode sink -where HashWithoutSaltFlow::flowPath(source, sink) -select sink, source, sink, "$@ is hashed without a salt.", source, "The password" +deprecated query predicate problems( + HashWithoutSaltFlow::PathNode sink, HashWithoutSaltFlow::PathNode source, + HashWithoutSaltFlow::PathNode sink0, string message1, HashWithoutSaltFlow::PathNode source0, + string message2 +) { + HashWithoutSaltFlow::flowPath(source, sink) and + sink = sink0 and + source = source0 and + message1 = "$@ is hashed without a salt." and + message2 = "The password" +} 
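Review bot: In the `problems` predicate added to HashWithoutSalt.ql, the parameter pairs `sink`/`sink0` and `source`/`source0` do not say which column plays which role, and `sink = sink0 and source = source0` only makes sense once the removed `select` has been read. Naming the columns by role, for example `alertLocation` for the first parameter and `placeholderTarget` for the fifth, with `alertLocation = sink and` and `placeholderTarget = source and` in the body, would keep the result set identical and make the layout readable on its own. The first column is a `PathNode` here, while the sibling predicates in this diff report `sink.getNode()`. That is carried over from the old `select`, so it is not a regression, but a short comment noting that it is intentional would help.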
diff --git a/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql b/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql index 844e6760101dc..ca78067f4e740 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql @@ -88,6 +88,11 @@ class HostVerificationMethodCall extends MethodCall { } } -from UriGetHostMethod um, MethodCall uma, HostVerificationMethodCall hma -where hma.getQualifier() = uma and uma.getMethod() = um -select hma, "Method has potentially $@.", hma.getArgument(0), "improper URL verification" +deprecated query predicate problems( + HostVerificationMethodCall hma, string message1, Expr arg, string message2 +) { + exists(UriGetHostMethod um, MethodCall uma | hma.getQualifier() = uma and uma.getMethod() = um) and + message1 = "Method has potentially $@." and + arg = hma.getArgument(0) and + message2 = "improper URL verification" +} diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll b/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll index 1190e13a9a1a3..caddfb32a2116 100644 --- a/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll +++ b/java/ql/src/experimental/semmle/code/java/frameworks/CredentialsInPropertiesFile.qll @@ -1,6 +1,7 @@ /** * Provides classes for analyzing properties files. */ +deprecated module; import java import semmle.code.configfiles.ConfigFiles diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll index a013c341c67c4..e242fb35627c8 100644 --- a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll +++ b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll 
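Review bot: In the new `problems` predicate of IncorrectURLVerification.ql, `um` is bound inside the `exists` only to be compared once, which makes the host-check condition harder to read than it needs to be. The same constraint can be written without the extra variable: `exists(MethodCall uma | hma.getQualifier() = uma and uma.getMethod() instanceof UriGetHostMethod) and`. The result set is unchanged, and the predicate lies entirely inside the hunk.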
@@ -1,6 +1,7 @@ /** * Provides classes and predicates for working with the Java Server Faces (JSF). */ +deprecated module; import java diff --git a/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll b/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll index a4f53284d5d87..7c91c2671f95e 100644 --- a/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll +++ b/java/ql/src/experimental/semmle/code/java/frameworks/SpringResource.qll @@ -1,6 +1,7 @@ /** * Provides classes for working with resource loading in Spring. */ +deprecated module; import java private import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll b/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll index 5f5b149d1d6af..dfe7c2637c3a6 100644 --- a/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll +++ b/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll @@ -1,3 +1,5 @@ +deprecated module; + import java private import semmle.code.java.dataflow.TaintTracking diff --git a/java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll b/java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll index aaff692dc7cf8..e7d35aebe706d 100644 --- a/java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll +++ b/java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll @@ -1,3 +1,5 @@ +deprecated module; + import experimental.semmle.code.java.security.FileAndFormRemoteSource import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb diff --git a/java/ql/src/experimental/semmle/code/java/security/FileAndFormRemoteSource.qll b/java/ql/src/experimental/semmle/code/java/security/FileAndFormRemoteSource.qll index 473dddd959089..6cde0f00689e1 100644 
--- a/java/ql/src/experimental/semmle/code/java/security/FileAndFormRemoteSource.qll +++ b/java/ql/src/experimental/semmle/code/java/security/FileAndFormRemoteSource.qll @@ -1,3 +1,5 @@ +deprecated module; + import java import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll b/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll index c068dfbb7e36a..745ea630481b1 100644 --- a/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll +++ b/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll @@ -1,4 +1,4 @@ -/** Provides classes and predicates related to Spring URL redirect. */ +deprecated module; private import java private import semmle.code.java.dataflow.FlowSources diff --git a/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll b/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll index 8d829612d952c..6dcff731f959d 100644 --- a/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll +++ b/java/ql/src/experimental/semmle/code/xml/StrutsXML.qll @@ -1,3 +1,5 @@ +deprecated module; + import java /**
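Review bot: In SpringUrlRedirect.qll the module QLDoc `/** Provides classes and predicates related to Spring URL redirect. */` is replaced by `deprecated module;` rather than kept, so the library loses its only description. CredentialsInPropertiesFile.qll, Jsf.qll and SpringResource.qll in this same diff keep their comment and add the annotation after it. I would restore the comment line and put `deprecated module;` directly below it, matching those files.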