Merge pull request #10041 from smowton/AddSensitiveApiCalls

Java: support more libraries in hardcoded-credentials queries
2026-05-03 04:39:29 +02:00 · 2022-08-23 10:51:04 +01:00
parent 51ada5c2af 131d6043c1
commit 0a7350f3bf
262 changed files with 5699 additions and 341 deletions
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/CredentialsTest.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/CredentialsTest.java
@@ -10,11 +10,11 @@ public class CredentialsTest {
 		String url = "jdbc:mysql://localhost/test";
 		String u = "admin"; // hard-coded credential (flow source)

-		DriverManager.getConnection(url, u, p); // sensitive call (flow target)
+		DriverManager.getConnection(url, u, p); // $ HardcodedCredentialsApiCall
 		test(url, u, p);
 	}

 	public static void test(String url, String v, String q) throws SQLException {
-		DriverManager.getConnection(url, v, q); // sensitive call (flow target)
+		DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
 	}
 }
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/FileCredentialTest.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/FileCredentialTest.java
@@ -15,12 +15,12 @@ public class FileCredentialTest {

 		String p = readText(new File(file));

-		DriverManager.getConnection("", "admin", p); // sensitive call (flow target)
+		DriverManager.getConnection("", "admin", p); // $ HardcodedCredentialsApiCall
 		test(url, u, p);
 	}

 	public static void test(String url, String v, String q) throws SQLException {
-		DriverManager.getConnection(url, v, q); // sensitive call (flow target)
+		DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
 	}

 	public static String readText(File f) throws IOException
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAWSCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAWSCredentials.java
@@ -4,7 +4,7 @@ import com.amazonaws.auth.BasicAWSCredentials;
 public class HardcodedAWSCredentials {
 	public static void main(String[] args) {
 		//BAD: Hardcoded credentials for connecting to AWS services
-		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead 
-		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY");
+		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead
+		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY"); // $ HardcodedCredentialsApiCall
 	}
 }
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheFtpCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheFtpCredentials.java
@@ -0,0 +1,13 @@
+import org.apache.commons.net.ftp.FTPClient;
+
+import java.io.IOException;
+
+public class HardcodedApacheFtpCredentials {
+	public static void main(FTPClient client) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      client.login("username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      client.login("username", "password", "blah"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    } catch(IOException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheSshdCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheSshdCredentials.java
@@ -0,0 +1,12 @@
+import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.session.AbstractClientSession;
+import java.io.IOException;
+
+public class HardcodedApacheSshdCredentials {
+	public static void main(SshClient client, AbstractClientSession session) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    client.connect("Username", "hostname", 22); // $ HardcodedCredentialsApiCall
+    client.connect("Username", null); // $ HardcodedCredentialsApiCall
+    session.addPasswordIdentity("password"); // $ HardcodedCredentialsApiCall
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAzureCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAzureCredentials.java
@@ -15,8 +15,8 @@ public class HardcodedAzureCredentials {
 	public void testHardcodedUsernamePassword(String input) {
 		UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
 		.clientId(clientId)
-		.username(username)
-		.password(clientSecret)
+		.username(username) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+		.password(clientSecret) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
 		.build();

 		SecretClient client = new SecretClientBuilder()
@@ -43,7 +43,7 @@ public class HardcodedAzureCredentials {
 	public void testHardcodedClientSecret(String input) {
 		ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
 		.clientId(clientId)
-		.clientSecret(clientSecret)
+		.clientSecret(clientSecret) // $ HardcodedCredentialsApiCall
 		.tenantId(tenantId)
 		.build();
 	}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected
@@ -1,138 +0,0 @@
-edges
-| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:13:39:13:39 | p |
-| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:14:16:14:16 | p : String |
-| CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:7:30:7:30 | p : String |
-| CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:13:36:13:36 | u |
-| CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:14:13:14:13 | u : String |
-| CredentialsTest.java:14:13:14:13 | u : String | CredentialsTest.java:17:38:17:45 | v : String |
-| CredentialsTest.java:14:16:14:16 | p : String | CredentialsTest.java:17:48:17:55 | q : String |
-| CredentialsTest.java:17:38:17:45 | v : String | CredentialsTest.java:18:36:18:36 | v |
-| CredentialsTest.java:17:48:17:55 | q : String | CredentialsTest.java:18:39:18:39 | q |
-| FileCredentialTest.java:13:14:13:20 | "admin" : String | FileCredentialTest.java:19:13:19:13 | u : String |
-| FileCredentialTest.java:19:13:19:13 | u : String | FileCredentialTest.java:22:38:22:45 | v : String |
-| FileCredentialTest.java:22:38:22:45 | v : String | FileCredentialTest.java:23:36:23:36 | v |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret |
-| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
-| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String |
-| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) |
-| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) |
-| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:12:13:12:15 | usr : String |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:12:18:12:21 | pass : String |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:15:41:15:44 | pass |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:18:44:18:61 | toCharArray(...) |
-| Test.java:12:13:12:15 | usr : String | Test.java:29:38:29:48 | user : String |
-| Test.java:12:18:12:21 | pass : String | Test.java:29:51:29:65 | password : String |
-| Test.java:17:44:17:51 | "123456" : String | Test.java:17:44:17:65 | toCharArray(...) |
-| Test.java:20:16:20:39 | new byte[] : byte[] | Test.java:21:78:21:80 | key |
-| Test.java:23:17:23:26 | "abcdefgh" : String | Test.java:24:79:24:82 | key2 |
-| Test.java:29:38:29:48 | user : String | Test.java:30:36:30:39 | user |
-| Test.java:29:51:29:65 | password : String | Test.java:30:42:30:49 | password |
-nodes
-| CredentialsTest.java:7:30:7:30 | p : String | semmle.label | p : String |
-| CredentialsTest.java:7:34:7:41 | "123456" : String | semmle.label | "123456" : String |
-| CredentialsTest.java:11:14:11:20 | "admin" : String | semmle.label | "admin" : String |
-| CredentialsTest.java:13:36:13:36 | u | semmle.label | u |
-| CredentialsTest.java:13:39:13:39 | p | semmle.label | p |
-| CredentialsTest.java:14:13:14:13 | u : String | semmle.label | u : String |
-| CredentialsTest.java:14:16:14:16 | p : String | semmle.label | p : String |
-| CredentialsTest.java:17:38:17:45 | v : String | semmle.label | v : String |
-| CredentialsTest.java:17:48:17:55 | q : String | semmle.label | q : String |
-| CredentialsTest.java:18:36:18:36 | v | semmle.label | v |
-| CredentialsTest.java:18:39:18:39 | q | semmle.label | q |
-| FileCredentialTest.java:13:14:13:20 | "admin" : String | semmle.label | "admin" : String |
-| FileCredentialTest.java:18:35:18:41 | "admin" | semmle.label | "admin" |
-| FileCredentialTest.java:19:13:19:13 | u : String | semmle.label | u : String |
-| FileCredentialTest.java:22:38:22:45 | v : String | semmle.label | v : String |
-| FileCredentialTest.java:23:36:23:36 | v | semmle.label | v |
-| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | semmle.label | "ACCESS_KEY" |
-| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | semmle.label | "SECRET_KEY" |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | semmle.label | "username@example.onmicrosoft.com" : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | semmle.label | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | semmle.label | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | semmle.label | parameter this [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | semmle.label | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | username | semmle.label | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | semmle.label | clientSecret |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | semmle.label | clientSecret |
-| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
-| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | semmle.label | "TEST123" : String |
-| HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | semmle.label | getBytes(...) |
-| HardcodedShiroKey.java:18:46:18:87 | decode(...) | semmle.label | decode(...) |
-| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | semmle.label | "4AvVhmFLUs0KTA3Kprsdag==" : String |
-| HardcodedShiroKey.java:26:46:26:109 | decode(...) | semmle.label | decode(...) |
-| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | semmle.label | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String |
-| Test.java:9:16:9:22 | "admin" : String | semmle.label | "admin" : String |
-| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
-| Test.java:12:13:12:15 | usr : String | semmle.label | usr : String |
-| Test.java:12:18:12:21 | pass : String | semmle.label | pass : String |
-| Test.java:14:36:14:42 | "admin" | semmle.label | "admin" |
-| Test.java:14:45:14:52 | "123456" | semmle.label | "123456" |
-| Test.java:15:36:15:38 | usr | semmle.label | usr |
-| Test.java:15:41:15:44 | pass | semmle.label | pass |
-| Test.java:17:39:17:41 | usr | semmle.label | usr |
-| Test.java:17:44:17:51 | "123456" : String | semmle.label | "123456" : String |
-| Test.java:17:44:17:65 | toCharArray(...) | semmle.label | toCharArray(...) |
-| Test.java:18:39:18:41 | usr | semmle.label | usr |
-| Test.java:18:44:18:61 | toCharArray(...) | semmle.label | toCharArray(...) |
-| Test.java:20:16:20:39 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
-| Test.java:21:78:21:80 | key | semmle.label | key |
-| Test.java:23:17:23:26 | "abcdefgh" : String | semmle.label | "abcdefgh" : String |
-| Test.java:24:79:24:82 | key2 | semmle.label | key2 |
-| Test.java:29:38:29:48 | user : String | semmle.label | user : String |
-| Test.java:29:51:29:65 | password : String | semmle.label | password : String |
-| Test.java:30:36:30:39 | user | semmle.label | user |
-| Test.java:30:42:30:49 | password | semmle.label | password |
-subpaths
-#select
-| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:13:39:13:39 | p | Hard-coded value flows to $@. | CredentialsTest.java:13:39:13:39 | p | sensitive API call |
-| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:18:39:18:39 | q | Hard-coded value flows to $@. | CredentialsTest.java:18:39:18:39 | q | sensitive API call |
-| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:13:36:13:36 | u | Hard-coded value flows to $@. | CredentialsTest.java:13:36:13:36 | u | sensitive API call |
-| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:18:36:18:36 | v | Hard-coded value flows to $@. | CredentialsTest.java:18:36:18:36 | v | sensitive API call |
-| FileCredentialTest.java:13:14:13:20 | "admin" | FileCredentialTest.java:13:14:13:20 | "admin" : String | FileCredentialTest.java:23:36:23:36 | v | Hard-coded value flows to $@. | FileCredentialTest.java:23:36:23:36 | v | sensitive API call |
-| FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:18:35:18:41 | "admin" | sensitive API call |
-| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | sensitive API call |
-| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | sensitive API call |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive API call |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive API call |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | sensitive API call |
-| HardcodedShiroKey.java:9:46:9:54 | "TEST123" | HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | sensitive API call |
-| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" | HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:18:46:18:87 | decode(...) | sensitive API call |
-| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" | HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:26:46:26:109 | decode(...) | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:30:36:30:39 | user | Hard-coded value flows to $@. | Test.java:30:36:30:39 | user | sensitive API call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:15:41:15:44 | pass | Hard-coded value flows to $@. | Test.java:15:41:15:44 | pass | sensitive API call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:18:44:18:61 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:18:44:18:61 | toCharArray(...) | sensitive API call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:30:42:30:49 | password | Hard-coded value flows to $@. | Test.java:30:42:30:49 | password | sensitive API call |
-| Test.java:14:36:14:42 | "admin" | Test.java:14:36:14:42 | "admin" | Test.java:14:36:14:42 | "admin" | Hard-coded value flows to $@. | Test.java:14:36:14:42 | "admin" | sensitive API call |
-| Test.java:14:45:14:52 | "123456" | Test.java:14:45:14:52 | "123456" | Test.java:14:45:14:52 | "123456" | Hard-coded value flows to $@. | Test.java:14:45:14:52 | "123456" | sensitive API call |
-| Test.java:17:44:17:51 | "123456" | Test.java:17:44:17:51 | "123456" : String | Test.java:17:44:17:65 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:17:44:17:65 | toCharArray(...) | sensitive API call |
-| Test.java:20:16:20:39 | new byte[] | Test.java:20:16:20:39 | new byte[] : byte[] | Test.java:21:78:21:80 | key | Hard-coded value flows to $@. | Test.java:21:78:21:80 | key | sensitive API call |
-| Test.java:23:17:23:26 | "abcdefgh" | Test.java:23:17:23:26 | "abcdefgh" : String | Test.java:24:79:24:82 | key2 | Hard-coded value flows to $@. | Test.java:24:79:24:82 | key2 | sensitive API call |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql
@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.HardcodedCredentialsApiCallQuery
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedCredentialsApiCallTest extends InlineExpectationsTest {
+  HardcodedCredentialsApiCallTest() { this = "HardcodedCredentialsApiCallTest" }
+
+  override string getARelevantTag() { result = "HardcodedCredentialsApiCall" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedCredentialsApiCall" and
+    exists(DataFlow::Node sink, HardcodedCredentialApiCallConfiguration conf |
+      conf.hasFlow(_, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.expected
@@ -1 +0,0 @@
-| Test.java:36:26:36:32 | "admin" | Hard-coded value is $@ with password variable $@. | Test.java:36:10:36:33 | equals(...) | compared | Test.java:35:38:35:52 | password | password |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.HardcodedCredentialsComparison
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedCredentialsComparisonTest extends InlineExpectationsTest {
+  HardcodedCredentialsComparisonTest() { this = "HardcodedCredentialsComparisonTest" }
+
+  override string getARelevantTag() { result = "HardcodedCredentialsComparison" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedCredentialsComparison" and
+    exists(Expr sink | isHardcodedCredentialsComparison(sink, _, _) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected
@@ -1,42 +0,0 @@
-edges
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass |
-| User.java:2:30:2:39 | DEFAULT_PW : String | User.java:5:15:5:24 | DEFAULT_PW |
-| User.java:2:43:2:50 | "123456" : String | User.java:2:30:2:39 | DEFAULT_PW : String |
-nodes
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | semmle.label | "username@example.onmicrosoft.com" : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | semmle.label | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | semmle.label | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | semmle.label | parameter this [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | semmle.label | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | username | semmle.label | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | semmle.label | clientSecret |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
-| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
-| Test.java:26:17:26:20 | pass | semmle.label | pass |
-| User.java:2:30:2:39 | DEFAULT_PW : String | semmle.label | DEFAULT_PW : String |
-| User.java:2:43:2:50 | "123456" : String | semmle.label | "123456" : String |
-| User.java:5:15:5:24 | DEFAULT_PW | semmle.label | DEFAULT_PW |
-subpaths
-#select
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive call |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass | Hard-coded value flows to $@. | Test.java:26:17:26:20 | pass | sensitive call |
-| User.java:2:43:2:50 | "123456" | User.java:2:43:2:50 | "123456" : String | User.java:5:15:5:24 | DEFAULT_PW | Hard-coded value flows to $@. | User.java:5:15:5:24 | DEFAULT_PW | sensitive call |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedCredentialsSourceCallTest extends InlineExpectationsTest {
+  HardcodedCredentialsSourceCallTest() { this = "HardcodedCredentialsSourceCallTest" }
+
+  override string getARelevantTag() { result = "HardcodedCredentialsSourceCall" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedCredentialsSourceCall" and
+    exists(DataFlow::Node sink, HardcodedCredentialSourceCallConfiguration conf |
+      conf.hasFlow(_, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedGanymedSsh2Credentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedGanymedSsh2Credentials.java
@@ -0,0 +1,11 @@
+import ch.ethz.ssh2.Connection;
+import java.io.IOException;
+
+public class HardcodedGanymedSsh2Credentials {
+	public static void main(Connection conn) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+		  conn.authenticateWithPassword("username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    } catch(IOException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJ2sshCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJ2sshCredentials.java
@@ -0,0 +1,11 @@
+import com.sshtools.j2ssh.authentication.SshAuthenticationClient;
+import com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;
+
+public class HardcodedJ2sshCredentials {
+  public static void main(SshAuthenticationClient client1, PasswordAuthenticationClient client2) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    client1.setUsername("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    client2.setUsername("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    client2.setPassword("password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJschCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJschCredentials.java
@@ -0,0 +1,16 @@
+import com.jcraft.jsch.JSch;
+import com.jcraft.jsch.JSchException;
+import com.jcraft.jsch.Session;
+import java.io.IOException;
+
+public class HardcodedJschCredentials {
+	public static void main(JSch jsch) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      Session session = jsch.getSession("Username", "hostname"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      Session session2 = jsch.getSession("Username", "hostname", 22); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      session.setPassword("password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      session2.setPassword("password".getBytes()); // $ HardcodedCredentialsApiCall
+    } catch(JSchException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedMongoCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedMongoCredentials.java
@@ -0,0 +1,12 @@
+import com.mongodb.MongoCredential;
+
+public class HardcodedMongoCredentials {
+  public static void test() {
+    MongoCredential.createCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createMongoCRCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createPlainCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createScramSha1Credential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createGSSAPICredential("key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createMongoX509Credential("key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.expected
@@ -1 +0,0 @@
-| Test.java:33:29:33:36 | password | Sensitive field is assigned a hard-coded $@. | Test.java:33:40:33:56 | "myOtherPassword" | value |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.HardcodedPasswordField
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedPasswordFieldTest extends InlineExpectationsTest {
+  HardcodedPasswordFieldTest() { this = "HardcodedPasswordFieldTest" }
+
+  override string getARelevantTag() { result = "HardcodedPasswordField" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedPasswordField" and
+    exists(Expr assigned | passwordFieldAssignedHardcodedValue(_, assigned) |
+      assigned.getLocation() = location and
+      element = assigned.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedPasswordField.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedShiroKey.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedShiroKey.java
@@ -6,16 +6,16 @@ public class HardcodedShiroKey {
    //BAD: hard-coded shiro key
    public void testHardcodedShiroKey(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
-        cookieRememberMeManager.setCipherKey("TEST123".getBytes());
+        cookieRememberMeManager.setCipherKey("TEST123".getBytes()); // $ HardcodedCredentialsApiCall

    }


-    //BAD: hard-coded shiro key encoded by java.util.Base64 
+    //BAD: hard-coded shiro key encoded by java.util.Base64
    public void testHardcodedbase64ShiroKey1(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        java.util.Base64.Decoder decoder = java.util.Base64.getDecoder();
-        cookieRememberMeManager.setCipherKey(decoder.decode("4AvVhmFLUs0KTA3Kprsdag=="));
+        cookieRememberMeManager.setCipherKey(decoder.decode("4AvVhmFLUs0KTA3Kprsdag==")); // $ HardcodedCredentialsApiCall

    }

@@ -23,7 +23,7 @@ public class HardcodedShiroKey {
    //BAD: hard-coded shiro key encoded by org.apache.shiro.codec.Base64
    public void testHardcodedbase64ShiroKey2(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
-        cookieRememberMeManager.setCipherKey(org.apache.shiro.codec.Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA=="));
+        cookieRememberMeManager.setCipherKey(org.apache.shiro.codec.Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA==")); // $ HardcodedCredentialsApiCall

    }

--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedSshjCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedSshjCredentials.java
@@ -0,0 +1,13 @@
+import net.schmizz.sshj.SSHClient;
+import java.io.IOException;
+
+public class HardcodedSshjCredentials {
+	public static void main(SSHClient client) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+		  client.authPassword("Username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      client.authPassword("Username", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    }
+    catch(IOException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedTrileadSshCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedTrileadSshCredentials.java
@@ -0,0 +1,19 @@
+import com.trilead.ssh2.Connection;
+
+import java.io.IOException;
+import java.io.File;
+
+public class HardcodedTrileadSshCredentials {
+	public static void main(Connection conn) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      conn.authenticateWithPassword("Username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithDSA("Username", "password", "key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithNone("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.getRemainingAuthMethods("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.isAuthMethodAvailable("Username", "method"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithPublicKey("Username", "key".toCharArray(), "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithPublicKey("Username", (File)null, "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    } catch(IOException e) { }
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/Test.java
@@ -11,28 +11,28 @@ public class Test {

 		test(url, usr, pass); // flow through method

-		DriverManager.getConnection(url, "admin", "123456"); // hard-coded user/pass used directly in call
-		DriverManager.getConnection(url, usr, pass); // hard-coded user/pass flows into API call
+		DriverManager.getConnection(url, "admin", "123456"); // $ HardcodedCredentialsApiCall
+		DriverManager.getConnection(url, usr, pass); // $ HardcodedCredentialsApiCall

-		new java.net.PasswordAuthentication(usr, "123456".toCharArray()); // flow into char[] array
-		new java.net.PasswordAuthentication(usr, pass.toCharArray()); // flow through variable, then char[] array
+		new java.net.PasswordAuthentication(usr, "123456".toCharArray()); // $ HardcodedCredentialsApiCall
+		new java.net.PasswordAuthentication(usr, pass.toCharArray()); // $ HardcodedCredentialsApiCall

 		byte[] key = {1, 2, 3, 4, 5, 6, 7, 8}; // hard-coded cryptographic key, flowing into API call below
-		javax.crypto.spec.SecretKeySpec spec = new javax.crypto.spec.SecretKeySpec(key, "AES");
+		javax.crypto.spec.SecretKeySpec spec = new javax.crypto.spec.SecretKeySpec(key, "AES"); // $ HardcodedCredentialsApiCall

 		byte[] key2 = "abcdefgh".getBytes(); // hard-coded cryptographic key, flowing into API call below
-		javax.crypto.spec.SecretKeySpec spec2 = new javax.crypto.spec.SecretKeySpec(key2, "AES");
+		javax.crypto.spec.SecretKeySpec spec2 = new javax.crypto.spec.SecretKeySpec(key2, "AES"); // $ HardcodedCredentialsApiCall

-		passwordCheck(pass); // flow through
+		passwordCheck(pass); // $ HardcodedCredentialsSourceCall
 	}

 	public static void test(String url, String user, String password) throws SQLException {
-		DriverManager.getConnection(url, user, password); // sensitive API call (flow target)
+		DriverManager.getConnection(url, user, password); // $ HardcodedCredentialsApiCall
 	}

-	public static final String password = "myOtherPassword"; // hard-coded password
+	public static final String password = "myOtherPassword"; // $ HardcodedPasswordField

 	public static boolean passwordCheck(String password) {
-		return password.equals("admin"); // hard-coded password comparison
+		return password.equals("admin"); // $ HardcodedCredentialsComparison
 	}
 }
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/User.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/User.java
@@ -2,7 +2,7 @@ class User {
 	private static final String DEFAULT_PW = "123456"; // hard-coded password
 	private String pw;
 	public User() {
-		setPassword(DEFAULT_PW); // sensitive call
+		setPassword(DEFAULT_PW); // $ HardcodedCredentialsSourceCall
 	}
 	public void setPassword(String password) {
 		pw = password;
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql`
				`@@ -1 +0,0 @@`
				`\| Test.java:36:26:36:32 \| "admin" \| Hard-coded value is $@ with password variable $@. \| Test.java:36:10:36:33 \| equals(...) \| compared \| Test.java:35:38:35:52 \| password \| password \|`
				`@@ -1 +0,0 @@`
				`\| Test.java:33:29:33:36 \| password \| Sensitive field is assigned a hard-coded $@. \| Test.java:33:40:33:56 \| "myOtherPassword" \| value \|`
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-798/HardcodedPasswordField.ql`