Move from experimental

2026-05-02 12:15:17 +02:00 · 2021-06-18 10:27:03 +02:00
parent 40d98ad678
commit 0e149f0523
11 changed files with 29 additions and 38 deletions
--- a/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.qhelp
+++ b/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>JavaMail is commonly used in Java applications to send emails. There are popular third-party libraries like Apache Commons Email which are built on JavaMail and facilitate integration. Authenticated mail sessions require user credentials and mail sessions can require SSL/TLS authentication. It is a common security vulnerability that host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.</p>
+    <p>This query checks whether SSL certificate is validated when username/password is sent in authenticator and when SSL is enabled.</p>
+    <p>The query has code for both plain JavaMail invocation and mailing through Apache SimpleMail to make it more comprehensive.</p>
+  </overview>
+
+  <recommendation>
+    <p>Validate SSL certificate when sensitive information is sent in email communications.</p>
+  </recommendation>
+
+  <example>
+    <p>The following two examples show two ways of configuring secure emails through JavaMail or Apache SimpleMail. In the 'BAD' case,
+credentials are sent in an SSL session without certificate validation. In the 'GOOD' case, the certificate is validated.</p>
+    <sample src="JavaMail.java" />
+    <sample src="SimpleMail.java" />
+  </example>
+
+  <references>
+    <li>
+      Log4j2:
+      <a href="https://issues.apache.org/jira/browse/LOG4J2-2819">Add support for specifying an SSL configuration for SmtpAppender (CVE-2020-9488)</a>
+    </li>
+  </references>
+</qhelp>
--- a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureJavaMail.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureJavaMail.ql
--- a/java/ql/src/experimental/Security/CWE/CWE-297/JavaMail.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/JavaMail.java
--- a/java/ql/src/experimental/Security/CWE/CWE-297/SimpleMail.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/SimpleMail.java
--- a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureJavaMail.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureJavaMail.qhelp
@@ -1,36 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>JavaMail is commonly used in Java applications to send emails. There are popular third-party libraries like Apache Commons Email which are built on JavaMail and facilitate integration. Authenticated mail sessions require user credentials and mail sessions can require SSL/TLS authentication. It is a common security vulnerability that host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.</p>
-<p>This query checks whether SSL certificate is validated when username/password is sent in authenticator and when SSL is enabled.</p>
-<p>The query has code for both plain JavaMail invocation and mailing through Apache SimpleMail to make it more comprehensive.</p>
-</overview>
-
-<recommendation>
-<p>Validate SSL certificate when sensitive information is sent in email communications.</p>
-</recommendation>
-
-<example>
-<p>The following two examples show two ways of configuring secure emails through JavaMail or Apache SimpleMail. In the 'BAD' case,
-credentials are sent in an SSL session without certificate validation. In the 'GOOD' case, the certificate is validated.</p>
-<sample src="JavaMail.java" />
-<sample src="SimpleMail.java" />
-</example>
-
-<references>
-<li>
-  <a href="https://cwe.mitre.org/data/definitions/297.html">CWE-297</a>
-</li>
-<li>
-  Log4j2:
-  <a href="https://issues.apache.org/jira/browse/LOG4J2-2819">Add support for specifying an SSL configuration for SmtpAppender (CVE-2020-9488)</a>
-</li>
-<li>
-  SonarSource rule:
-  <a href="https://rules.sonarsource.com/java/tag/owasp/RSPEC-4499">SMTP SSL connection should check server identity</a>
-</li>
-</references>
-</qhelp>
--- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.qlref
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-297/InsecureJavaMail.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-297/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/options
@@ -1 +0,0 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../../stubs/javamail-api-1.6.2
--- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.expected
--- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureJavaMail.java
--- a/java/ql/test/query-tests/security/CWE-297/InsecureJavaMail.qlref
+++ b/java/ql/test/query-tests/security/CWE-297/InsecureJavaMail.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-297/InsecureJavaMail.ql
--- a/java/ql/test/query-tests/security/CWE-297/options
+++ b/java/ql/test/query-tests/security/CWE-297/options
@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../stubs/javamail-api-1.6.2
				`@@ -1 +0,0 @@`
				`experimental/Security/CWE/CWE-297/InsecureJavaMail.ql`
				`@@ -1 +0,0 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../../stubs/javamail-api-1.6.2`
				`@@ -0,0 +1 @@`
				`// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-email-1.6.0:${testdir}/../../../stubs/javamail-api-1.6.2`