Merge branch 'main' into atorralba/promote-log-injection

java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

java/ql/test/experimental/query-tests/security/CWE-020/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-log4j-2.14.1:${testdir}/../../../../stubs/servlet-api-2.4

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.expected

@@ -0,0 +1,16 @@
+edges
+| MybatisSqlInjection.java:62:19:62:43 | name : String | MybatisSqlInjection.java:63:35:63:38 | name : String |
+| MybatisSqlInjection.java:63:35:63:38 | name : String | MybatisSqlInjectionService.java:48:19:48:29 | name : String |
+| MybatisSqlInjectionService.java:48:19:48:29 | name : String | MybatisSqlInjectionService.java:50:23:50:26 | name : String |
+| MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] [<map.value>] : String | MybatisSqlInjectionService.java:51:27:51:33 | hashMap |
+| MybatisSqlInjectionService.java:50:23:50:26 | name : String | MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] [<map.value>] : String |
+nodes
+| MybatisSqlInjection.java:62:19:62:43 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:63:35:63:38 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:48:19:48:29 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] [<map.value>] : String | semmle.label | hashMap [post update] [<map.value>] : String |
+| MybatisSqlInjectionService.java:50:23:50:26 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:51:27:51:33 | hashMap | semmle.label | hashMap |
+subpaths
+#select
+| MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MybatisSqlInjection.java:62:19:62:43 | name : String | MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MyBatis annotation SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:62:19:62:43 | name | this user input | SqlInjectionMapper.java:29:2:29:54 | Select | this SQL operation |

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.expected

@@ -0,0 +1,69 @@
+edges
+| MybatisSqlInjection.java:19:25:19:49 | name : String | MybatisSqlInjection.java:20:55:20:58 | name : String |
+| MybatisSqlInjection.java:20:55:20:58 | name : String | MybatisSqlInjectionService.java:13:25:13:35 | name : String |
+| MybatisSqlInjection.java:25:25:25:49 | name : String | MybatisSqlInjection.java:26:55:26:58 | name : String |
+| MybatisSqlInjection.java:26:55:26:58 | name : String | MybatisSqlInjectionService.java:18:25:18:35 | name : String |
+| MybatisSqlInjection.java:31:25:31:49 | test : Test | MybatisSqlInjection.java:32:55:32:58 | test : Test |
+| MybatisSqlInjection.java:32:55:32:58 | test : Test | MybatisSqlInjectionService.java:23:25:23:33 | test : Test |
+| MybatisSqlInjection.java:37:19:37:40 | test : Test | MybatisSqlInjection.java:38:35:38:38 | test : Test |
+| MybatisSqlInjection.java:38:35:38:38 | test : Test | MybatisSqlInjectionService.java:28:19:28:27 | test : Test |
+| MybatisSqlInjection.java:42:19:42:40 | test : Test | MybatisSqlInjection.java:43:35:43:38 | test : Test |
+| MybatisSqlInjection.java:43:35:43:38 | test : Test | MybatisSqlInjectionService.java:32:19:32:27 | test : Test |
+| MybatisSqlInjection.java:47:19:47:57 | params : Map | MybatisSqlInjection.java:48:35:48:40 | params : Map |
+| MybatisSqlInjection.java:48:35:48:40 | params : Map | MybatisSqlInjectionService.java:36:19:36:44 | params : Map |
+| MybatisSqlInjection.java:52:19:52:50 | params : List | MybatisSqlInjection.java:53:35:53:40 | params : List |
+| MybatisSqlInjection.java:53:35:53:40 | params : List | MybatisSqlInjectionService.java:40:19:40:37 | params : List |
+| MybatisSqlInjection.java:57:19:57:46 | params : String[] | MybatisSqlInjection.java:58:35:58:40 | params : String[] |
+| MybatisSqlInjection.java:58:35:58:40 | params : String[] | MybatisSqlInjectionService.java:44:19:44:33 | params : String[] |
+| MybatisSqlInjectionService.java:13:25:13:35 | name : String | MybatisSqlInjectionService.java:14:47:14:50 | name |
+| MybatisSqlInjectionService.java:18:25:18:35 | name : String | MybatisSqlInjectionService.java:19:47:19:50 | name |
+| MybatisSqlInjectionService.java:23:25:23:33 | test : Test | MybatisSqlInjectionService.java:24:47:24:50 | test |
+| MybatisSqlInjectionService.java:28:19:28:27 | test : Test | MybatisSqlInjectionService.java:29:27:29:30 | test |
+| MybatisSqlInjectionService.java:32:19:32:27 | test : Test | MybatisSqlInjectionService.java:33:27:33:30 | test |
+| MybatisSqlInjectionService.java:36:19:36:44 | params : Map | MybatisSqlInjectionService.java:37:27:37:32 | params |
+| MybatisSqlInjectionService.java:40:19:40:37 | params : List | MybatisSqlInjectionService.java:41:27:41:32 | params |
+| MybatisSqlInjectionService.java:44:19:44:33 | params : String[] | MybatisSqlInjectionService.java:45:27:45:32 | params |
+nodes
+| MybatisSqlInjection.java:19:25:19:49 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:20:55:20:58 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:25:25:25:49 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:26:55:26:58 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:31:25:31:49 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:32:55:32:58 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:37:19:37:40 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:38:35:38:38 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:42:19:42:40 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:43:35:43:38 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:47:19:47:57 | params : Map | semmle.label | params : Map |
+| MybatisSqlInjection.java:48:35:48:40 | params : Map | semmle.label | params : Map |
+| MybatisSqlInjection.java:52:19:52:50 | params : List | semmle.label | params : List |
+| MybatisSqlInjection.java:53:35:53:40 | params : List | semmle.label | params : List |
+| MybatisSqlInjection.java:57:19:57:46 | params : String[] | semmle.label | params : String[] |
+| MybatisSqlInjection.java:58:35:58:40 | params : String[] | semmle.label | params : String[] |
+| MybatisSqlInjectionService.java:13:25:13:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:14:47:14:50 | name | semmle.label | name |
+| MybatisSqlInjectionService.java:18:25:18:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:19:47:19:50 | name | semmle.label | name |
+| MybatisSqlInjectionService.java:23:25:23:33 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjectionService.java:24:47:24:50 | test | semmle.label | test |
+| MybatisSqlInjectionService.java:28:19:28:27 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjectionService.java:29:27:29:30 | test | semmle.label | test |
+| MybatisSqlInjectionService.java:32:19:32:27 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjectionService.java:33:27:33:30 | test | semmle.label | test |
+| MybatisSqlInjectionService.java:36:19:36:44 | params : Map | semmle.label | params : Map |
+| MybatisSqlInjectionService.java:37:27:37:32 | params | semmle.label | params |
+| MybatisSqlInjectionService.java:40:19:40:37 | params : List | semmle.label | params : List |
+| MybatisSqlInjectionService.java:41:27:41:32 | params | semmle.label | params |
+| MybatisSqlInjectionService.java:44:19:44:33 | params : String[] | semmle.label | params : String[] |
+| MybatisSqlInjectionService.java:45:27:45:32 | params | semmle.label | params |
+subpaths
+#select
+| MybatisSqlInjectionService.java:14:47:14:50 | name | MybatisSqlInjection.java:19:25:19:49 | name : String | MybatisSqlInjectionService.java:14:47:14:50 | name | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:19:25:19:49 | name | this user input | SqlInjectionMapper.xml:23:3:25:12 | select | this SQL operation |
+| MybatisSqlInjectionService.java:19:47:19:50 | name | MybatisSqlInjection.java:25:25:25:49 | name : String | MybatisSqlInjectionService.java:19:47:19:50 | name | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:25:25:25:49 | name | this user input | SqlInjectionMapper.xml:27:3:29:12 | select | this SQL operation |
+| MybatisSqlInjectionService.java:24:47:24:50 | test | MybatisSqlInjection.java:31:25:31:49 | test : Test | MybatisSqlInjectionService.java:24:47:24:50 | test | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:31:25:31:49 | test | this user input | SqlInjectionMapper.xml:31:3:33:12 | select | this SQL operation |
+| MybatisSqlInjectionService.java:29:27:29:30 | test | MybatisSqlInjection.java:37:19:37:40 | test : Test | MybatisSqlInjectionService.java:29:27:29:30 | test | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:37:19:37:40 | test | this user input | SqlInjectionMapper.xml:14:7:16:12 | if | this SQL operation |
+| MybatisSqlInjectionService.java:33:27:33:30 | test | MybatisSqlInjection.java:42:19:42:40 | test : Test | MybatisSqlInjectionService.java:33:27:33:30 | test | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:42:19:42:40 | test | this user input | SqlInjectionMapper.xml:50:7:52:12 | if | this SQL operation |
+| MybatisSqlInjectionService.java:33:27:33:30 | test | MybatisSqlInjection.java:42:19:42:40 | test : Test | MybatisSqlInjectionService.java:33:27:33:30 | test | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:42:19:42:40 | test | this user input | SqlInjectionMapper.xml:53:7:55:12 | if | this SQL operation |
+| MybatisSqlInjectionService.java:37:27:37:32 | params | MybatisSqlInjection.java:47:19:47:57 | params : Map | MybatisSqlInjectionService.java:37:27:37:32 | params | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:47:19:47:57 | params | this user input | SqlInjectionMapper.xml:59:3:61:12 | select | this SQL operation |
+| MybatisSqlInjectionService.java:41:27:41:32 | params | MybatisSqlInjection.java:52:19:52:50 | params : List | MybatisSqlInjectionService.java:41:27:41:32 | params | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:52:19:52:50 | params | this user input | SqlInjectionMapper.xml:65:5:67:15 | foreach | this SQL operation |
+| MybatisSqlInjectionService.java:45:27:45:32 | params | MybatisSqlInjection.java:57:19:57:46 | params : String[] | MybatisSqlInjectionService.java:45:27:45:32 | params | MyBatis Mapper XML SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:57:19:57:46 | params | this user input | SqlInjectionMapper.xml:72:5:74:15 | foreach | this SQL operation |

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java

@@ -0,0 +1,71 @@
+import java.util.List;
+import java.util.Map;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ModelAttribute;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+
+@Controller
+public class MybatisSqlInjection {
+
+	@Autowired
+	private MybatisSqlInjectionService mybatisSqlInjectionService;
+
+	@GetMapping(value = "msi1")
+	public List<Test> bad1(@RequestParam String name) {
+		List<Test> result = mybatisSqlInjectionService.bad1(name);
+		return result;
+	}
+
+	@GetMapping(value = "msi2")
+	public List<Test> bad2(@RequestParam String name) {
+		List<Test> result = mybatisSqlInjectionService.bad2(name);
+		return result;
+	}
+
+	@GetMapping(value = "msi3")
+	public List<Test> bad3(@ModelAttribute Test test) {
+		List<Test> result = mybatisSqlInjectionService.bad3(test);
+		return result;
+	}
+
+	@RequestMapping(value = "msi4", method = RequestMethod.POST, produces = "application/json")
+	public void bad4(@RequestBody Test test) {
+		mybatisSqlInjectionService.bad4(test);
+	}
+
+	@RequestMapping(value = "msi5", method = RequestMethod.PUT, produces = "application/json")
+	public void bad5(@RequestBody Test test) {
+		mybatisSqlInjectionService.bad5(test);
+	}
+
+	@RequestMapping(value = "msi6", method = RequestMethod.POST, produces = "application/json")
+	public void bad6(@RequestBody Map<String, String> params) {
+		mybatisSqlInjectionService.bad6(params);
+	}
+
+	@RequestMapping(value = "msi7", method = RequestMethod.POST, produces = "application/json")
+	public void bad7(@RequestBody List<String> params) {
+		mybatisSqlInjectionService.bad7(params);
+	}
+
+	@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")
+	public void bad8(@RequestBody String[] params) {
+		mybatisSqlInjectionService.bad8(params);
+	}
+
+	@GetMapping(value = "msi9")
+	public void bad9(@RequestParam String name) {
+		mybatisSqlInjectionService.bad9(name);
+	}
+
+	@GetMapping(value = "good1")
+	public List<Test> good1(Integer id) {
+		List<Test> result = mybatisSqlInjectionService.good1(id);
+		return result;
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java

@@ -0,0 +1,58 @@
+import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+@Service
+public class MybatisSqlInjectionService {
+
+	@Autowired
+	private SqlInjectionMapper sqlInjectionMapper;
+
+	public List<Test> bad1(String name) {
+		List<Test> result = sqlInjectionMapper.bad1(name);
+		return result;
+	}
+
+	public List<Test> bad2(String name) {
+		List<Test> result = sqlInjectionMapper.bad2(name);
+		return result;
+	}
+
+	public List<Test> bad3(Test test) {
+		List<Test> result = sqlInjectionMapper.bad3(test);
+		return result;
+	}
+
+	public void bad4(Test test) {
+		sqlInjectionMapper.bad4(test);
+	}
+
+	public void bad5(Test test) {
+		sqlInjectionMapper.bad5(test);
+	}
+
+	public void bad6(Map<String, String> params) {
+		sqlInjectionMapper.bad6(params);
+	}
+
+	public void bad7(List<String> params) {
+		sqlInjectionMapper.bad7(params);
+	}
+
+	public void bad8(String[] params) {
+		sqlInjectionMapper.bad8(params);
+	}
+
+	public void bad9(String name) {
+		HashMap hashMap = new HashMap();
+		hashMap.put("name", name);
+		sqlInjectionMapper.bad9(hashMap);
+	}
+
+	public List<Test> good1(Integer id) {
+		List<Test> result = sqlInjectionMapper.good1(id);
+		return result;
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-089/src/main/SqlInjectionMapper.java

@@ -0,0 +1,33 @@
+import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
+import org.apache.ibatis.annotations.Mapper;
+import org.apache.ibatis.annotations.Param;
+import org.springframework.stereotype.Repository;
+import org.apache.ibatis.annotations.Select;
+
+@Mapper
+@Repository
+public interface SqlInjectionMapper {
+
+	List<Test> bad1(String name);
+
+	List<Test> bad2(@Param("orderby") String name);
+
+	List<Test> bad3(Test test);
+
+	void bad4(@Param("test") Test test);
+
+	void bad5(Test test);
+
+	void bad6(Map<String, String> params);
+
+	void bad7(List<String> params);
+
+	void bad8(String[] params);
+
+	@Select({"select * from test", "where id = ${name}"})
+	public Test bad9(HashMap<String, Object> map);
+
+	List<Test> good1(Integer id);
+}

java/ql/test/experimental/query-tests/security/CWE-089/src/main/SqlInjectionMapper.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+  "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+<mapper namespace="SqlInjectionMapper">
+
+  <resultMap id="BaseResultMap" type="Test">
+    <id column="id" jdbcType="INTEGER" property="id"/>
+    <result column="name" jdbcType="VARCHAR" property="name"/>
+    <result column="pass" jdbcType="VARCHAR" property="pass"/>
+  </resultMap>
+
+  <sql id="Update_By_Example_Where_Clause">
+    <where>
+      <if test="test.name != null">
+        and name = ${test.name,jdbcType=VARCHAR}
+      </if>
+      <if test="test.id != null">
+        and id = #{test.id}
+      </if>
+    </where>
+  </sql>
+
+  <select id="bad1" parameterType="java.lang.String" resultMap="BaseResultMap">
+    select id,name from test where name like '%${name}%'
+  </select>
+
+  <select id="bad2" resultMap="BaseResultMap">
+    select id,name from test order by ${orderby,jdbcType=VARCHAR} desc
+  </select>
+
+  <select id="bad3" parameterType="Test" resultMap="BaseResultMap">
+    select id,name from test where name in ${name}
+  </select>
+
+  <update id="bad4" parameterType="Test">
+    update test
+    <set>
+      <if test="test.pass != null">
+        pass = #{test.pass},
+      </if>
+    </set>
+    <if test="_parameter != null">
+      <include refid="Update_By_Example_Where_Clause" />
+    </if>
+  </update>
+
+  <insert id="bad5" parameterType="Test">
+    insert into test (name, pass)
+    <trim prefix="values (" suffix=")" suffixOverrides=",">
+      <if test="name != null">
+        name = ${name,jdbcType=VARCHAR},
+      </if>
+      <if test="pass != null">
+        pass = ${pass},
+      </if>
+    </trim>
+  </insert>
+
+  <select id="bad6" resultMap="BaseResultMap">
+    select id,name from test where name like '%${name}%'
+  </select>
+
+  <select id="bad7" resultMap="BaseResultMap">
+    select id,name from test where name in
+    <foreach collection="list" item="value" open="(" close=")" separator=",">
+      ${value}
+    </foreach>
+  </select>
+
+  <select id="bad8" resultMap="BaseResultMap">
+    select id,name from test where name in
+    <foreach collection="array" item="value" open="(" close=")" separator=",">
+      ${value}
+    </foreach>
+  </select>
+
+  <select id="good1" parameterType="java.lang.Integer" resultMap="BaseResultMap">
+    select id,name from test where id = ${id}
+  </select>
+</mapper>

java/ql/test/experimental/query-tests/security/CWE-089/src/main/Test.java

@@ -0,0 +1,43 @@
+import java.io.Serializable;
+
+public class Test implements Serializable {
+
+	private Integer id;
+
+	private String name;
+
+	private String pass;
+
+	public Integer getId() {
+		return id;
+	}
+
+	public void setId(Integer id) {
+		this.id = id;
+	}
+
+	public String getName() {
+		return name;
+	}
+
+	public void setName(String name) {
+		this.name = name;
+	}
+
+	public String getPass() {
+		return pass;
+	}
+
+	public void setPass(String pass) {
+		this.pass = pass;
+	}
+
+	@Override
+	public String toString() {
+		return "Test{" +
+				"id=" + id +
+				", name='" + name + '\'' +
+				", pass='" + pass + '\'' +
+				'}';
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-089/src/main/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.3.8/:${testdir}/../../../../../../stubs/org.mybatis-3.5.4/

java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected

@@ -4,13 +4,17 @@ edges
 | FileService.java:21:28:21:64 | getStringExtra(...) : Object | FileService.java:25:42:25:50 | localPath : Object |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | FileService.java:40:41:40:55 | params : Object[] |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
+| FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object | FileService.java:40:41:40:55 | params [[]] : Object |
 | FileService.java:25:42:25:50 | localPath : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) [[]] : Object |
 | FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object |
 | FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:35:17:35:25 | sourceUri : Object |
 | FileService.java:34:20:36:13 | {...} [[]] : Object | FileService.java:34:20:36:13 | new Object[] [[]] : Object |
 | FileService.java:35:17:35:25 | sourceUri : Object | FileService.java:34:20:36:13 | {...} [[]] : Object |
 | FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : Object |
+| FileService.java:40:41:40:55 | params [[]] : Object | FileService.java:44:44:44:49 | params [[]] : Object |
 | FileService.java:44:33:44:52 | (...)... : Object | FileService.java:45:53:45:59 | ...[...] |
+| FileService.java:44:44:44:49 | params [[]] : Object | FileService.java:44:44:44:52 | ...[...] : Object |
+| FileService.java:44:44:44:52 | ...[...] : Object | FileService.java:44:33:44:52 | (...)... : Object |
 | LeakFileActivity2.java:15:13:15:18 | intent : Intent | LeakFileActivity2.java:16:26:16:31 | intent : Intent |
 | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent |
 | LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent |
@@ -30,7 +34,10 @@ nodes
 | FileService.java:34:20:36:13 | {...} [[]] : Object | semmle.label | {...} [[]] : Object |
 | FileService.java:35:17:35:25 | sourceUri : Object | semmle.label | sourceUri : Object |
 | FileService.java:40:41:40:55 | params : Object[] | semmle.label | params : Object[] |
+| FileService.java:40:41:40:55 | params [[]] : Object | semmle.label | params [[]] : Object |
 | FileService.java:44:33:44:52 | (...)... : Object | semmle.label | (...)... : Object |
+| FileService.java:44:44:44:49 | params [[]] : Object | semmle.label | params [[]] : Object |
+| FileService.java:44:44:44:52 | ...[...] : Object | semmle.label | ...[...] : Object |
 | FileService.java:45:53:45:59 | ...[...] | semmle.label | ...[...] |
 | LeakFileActivity2.java:15:13:15:18 | intent : Intent | semmle.label | intent : Intent |
 | LeakFileActivity2.java:16:26:16:31 | intent : Intent | semmle.label | intent : Intent |

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.expected

@@ -0,0 +1,23 @@
+edges
+| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number |
+| ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
+nodes
+| ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | semmle.label | getInitParameter(...) : String |
+| ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | semmle.label | delayTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | semmle.label | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | semmle.label | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | semmle.label | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
+subpaths
+| ThreadResourceAbuse.java:40:28:40:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:40:4:40:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+#select
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Possible uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:37:25:37:73 | getInitParameter(...) | local user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.expected

@@ -0,0 +1,68 @@
+edges
+| ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number |
+| ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
+| ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number |
+| ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number | ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | ThreadResourceAbuse.java:74:18:74:25 | waitTime |
+| ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime |
+| ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter |
+| ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number |
+| ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number | UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number |
+| UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:17:16:33 | sleepMilliseconds : Number |
+| UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number |
+| UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number | UploadListener.java:29:3:29:11 | this <.field> [slowUploads] : Number |
+| UploadListener.java:29:3:29:11 | this <.field> [slowUploads] : Number | UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number |
+| UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number | UploadListener.java:33:7:33:17 | this <.field> [slowUploads] : Number |
+| UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number | UploadListener.java:35:18:35:28 | this <.field> [slowUploads] : Number |
+| UploadListener.java:33:7:33:17 | slowUploads : Number | UploadListener.java:35:18:35:28 | slowUploads |
+| UploadListener.java:33:7:33:17 | this <.field> [slowUploads] : Number | UploadListener.java:33:7:33:17 | slowUploads : Number |
+| UploadListener.java:35:18:35:28 | this <.field> [slowUploads] : Number | UploadListener.java:35:18:35:28 | slowUploads |
+nodes
+| ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | semmle.label | delayTime : Number |
+| ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number | semmle.label | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | semmle.label | delayTime : Number |
+| ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | semmle.label | this [post update] [waitTime] : Number |
+| ThreadResourceAbuse.java:67:20:67:27 | waitTime : Number | semmle.label | waitTime : Number |
+| ThreadResourceAbuse.java:71:15:71:17 | parameter this [waitTime] : Number | semmle.label | parameter this [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | this <.field> [waitTime] : Number | semmle.label | this <.field> [waitTime] : Number |
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | semmle.label | waitTime |
+| ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | semmle.label | getValue(...) : String |
+| ThreadResourceAbuse.java:144:34:144:42 | delayTime | semmle.label | delayTime |
+| ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | semmle.label | getHeader(...) : String |
+| ThreadResourceAbuse.java:176:17:176:26 | retryAfter | semmle.label | retryAfter |
+| ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number | semmle.label | new UploadListener(...) [slowUploads] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | semmle.label | uploadDelay : Number |
+| UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
+| UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number | semmle.label | this <.field> [post update] [slowUploads] : Number |
+| UploadListener.java:16:17:16:33 | sleepMilliseconds : Number | semmle.label | sleepMilliseconds : Number |
+| UploadListener.java:28:14:28:19 | parameter this [slowUploads] : Number | semmle.label | parameter this [slowUploads] : Number |
+| UploadListener.java:29:3:29:11 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+| UploadListener.java:30:3:30:15 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+| UploadListener.java:33:7:33:17 | slowUploads : Number | semmle.label | slowUploads : Number |
+| UploadListener.java:33:7:33:17 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+| UploadListener.java:35:18:35:28 | slowUploads | semmle.label | slowUploads |
+| UploadListener.java:35:18:35:28 | this <.field> [slowUploads] : Number | semmle.label | this <.field> [slowUploads] : Number |
+subpaths
+| ThreadResourceAbuse.java:21:28:21:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:21:4:21:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:30:28:30:36 | delayTime : Number | ThreadResourceAbuse.java:66:30:66:41 | waitTime : Number | ThreadResourceAbuse.java:67:4:67:7 | this [post update] [waitTime] : Number | ThreadResourceAbuse.java:30:4:30:37 | new UncheckedSyncAction(...) [waitTime] : Number |
+| ThreadResourceAbuse.java:209:49:209:59 | uploadDelay : Number | UploadListener.java:15:24:15:44 | sleepMilliseconds : Number | UploadListener.java:16:3:16:13 | this <.field> [post update] [slowUploads] : Number | ThreadResourceAbuse.java:209:30:209:87 | new UploadListener(...) [slowUploads] : Number |
+#select
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:18:25:18:57 | getParameter(...) | user-provided value |
+| ThreadResourceAbuse.java:74:18:74:25 | waitTime | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) : String | ThreadResourceAbuse.java:74:18:74:25 | waitTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:29:82:29:114 | getParameter(...) | user-provided value |
+| ThreadResourceAbuse.java:144:34:144:42 | delayTime | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) : String | ThreadResourceAbuse.java:144:34:144:42 | delayTime | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:141:27:141:43 | getValue(...) | user-provided value |
+| ThreadResourceAbuse.java:176:17:176:26 | retryAfter | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) : String | ThreadResourceAbuse.java:176:17:176:26 | retryAfter | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:172:19:172:50 | getHeader(...) | user-provided value |
+| UploadListener.java:35:18:35:28 | slowUploads | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) : String | UploadListener.java:35:18:35:28 | slowUploads | Vulnerability of uncontrolled resource consumption due to $@. | ThreadResourceAbuse.java:206:28:206:56 | getParameter(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java

@@ -0,0 +1,212 @@
+package test.cwe400.cwe.examples;
+
+import java.io.IOException;
+import java.util.concurrent.TimeUnit;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class ThreadResourceAbuse extends HttpServlet {
+	static final int DEFAULT_RETRY_AFTER = 5*1000;
+	static final int MAX_RETRY_AFTER = 10*1000;
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// BAD: Get thread pause time from request parameter without validation
+		String delayTimeStr = request.getParameter("DelayTime");
+		try {
+			int delayTime = Integer.valueOf(delayTimeStr);
+			new UncheckedSyncAction(delayTime).start();
+		} catch (NumberFormatException e) {
+		}
+	}
+
+	protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// BAD: Get thread pause time from request parameter without validation
+		try {
+			int delayTime = request.getParameter("nodelay") != null ? 0 : Integer.valueOf(request.getParameter("DelayTime"));
+			new UncheckedSyncAction(delayTime).start();
+		} catch (NumberFormatException e) {
+		}
+	}
+
+	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// BAD: Get thread pause time from context init parameter without validation
+		String delayTimeStr = getServletContext().getInitParameter("DelayTime");
+		try {
+			int delayTime = Integer.valueOf(delayTimeStr);
+			new UncheckedSyncAction(delayTime).start();
+		} catch (NumberFormatException e) {
+		}
+	}
+
+	protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// GOOD: Get thread pause time from request cookie with validation
+		Cookie[] cookies = request.getCookies();
+
+		for ( int i=0; i<cookies.length; i++) {
+			Cookie cookie = cookies[i];
+
+			if (cookie.getName().equals("DelayTime")) {
+				String delayTimeStr = cookie.getValue();
+				try {
+					int delayTime = Integer.valueOf(delayTimeStr);
+					new CheckedSyncAction(delayTime).start();
+				} catch (NumberFormatException e) {
+				}
+			}
+		}
+	}
+
+	class UncheckedSyncAction extends Thread {
+		int waitTime;
+
+		public UncheckedSyncAction(int waitTime) {
+			this.waitTime = waitTime;
+		}
+
+		@Override
+		public void run() {
+			// BAD: no boundary check on wait time
+			try {
+				Thread.sleep(waitTime);
+				// Do other updates
+			} catch (InterruptedException e) {
+			}
+		}
+	}
+
+	class CheckedSyncAction extends Thread {
+		int waitTime;
+
+		public CheckedSyncAction(int waitTime) {
+			this.waitTime = waitTime;
+		}
+
+		@Override
+		public void run() {
+			// GOOD: enforce an upper limit on wait time
+			try {
+				if (waitTime > 0 && waitTime < 5000) {
+					Thread.sleep(waitTime);
+					// Do other updates
+				}
+			} catch (InterruptedException e) {
+			}
+		}
+	}
+
+	class CheckedSyncAction2 extends Thread {
+		int waitTime;
+
+		public CheckedSyncAction2(int waitTime) {
+			this.waitTime = waitTime;
+		}
+
+		@Override
+		public void run() {
+			// GOOD: enforce an upper limit on wait time
+			try {
+				if (waitTime >= 5000) {
+					// No action
+				} else {
+					Thread.sleep(waitTime);
+				}
+				// Do other updates
+			} catch (InterruptedException e) {
+			}
+		}
+	}
+
+	protected void doPost2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// GOOD: Get thread pause time from init container parameter with validation
+		String delayTimeStr = getServletContext().getInitParameter("DelayTime");
+		try {
+			int delayTime = Integer.valueOf(delayTimeStr);
+			new CheckedSyncAction2(delayTime).start();
+		} catch (NumberFormatException e) {
+		}
+	}
+
+	protected void doHead(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// BAD: Get thread pause time from request cookie without validation
+		Cookie[] cookies = request.getCookies();
+
+		for ( int i=0; i<cookies.length; i++) {
+			Cookie cookie = cookies[i];
+
+			if (cookie.getName().equals("DelayTime")) {
+				String delayTimeStr = cookie.getValue();
+				try {
+					int delayTime = Integer.valueOf(delayTimeStr);
+					TimeUnit.MILLISECONDS.sleep(delayTime);
+					// Do other updates
+				} catch (NumberFormatException ne) {
+				} catch (InterruptedException ie) {
+				}
+			}
+		}
+	}
+
+	int parseRetryAfter(String value) {
+		if (value == null || value.isEmpty()) {
+			return DEFAULT_RETRY_AFTER;
+		}
+
+		try {
+			int n = Integer.parseInt(value);
+			if (n < 0) {
+				return DEFAULT_RETRY_AFTER;
+			}
+
+			return Math.min(n, MAX_RETRY_AFTER);
+		} catch (NumberFormatException e) {
+			return DEFAULT_RETRY_AFTER;
+		}
+	}
+
+	protected void doHead2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// BAD: Get thread pause time from request header without validation
+		String header = request.getHeader("Retry-After");
+		int retryAfter = Integer.parseInt(header);
+
+		try {
+			Thread.sleep(retryAfter);
+		} catch (InterruptedException ignore) {
+			// ignore
+		}
+	}
+
+	protected void doHead3(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// GOOD: Get thread pause time from request header with validation
+		String header = request.getHeader("Retry-After");
+		int retryAfter = parseRetryAfter(header);
+
+		try {
+			Thread.sleep(retryAfter);
+		} catch (InterruptedException ignore) {
+			// ignore
+		}
+	}
+
+	private long getContentLength(HttpServletRequest request) {
+		long size = -1;
+		try {
+		  size = Long.parseLong(request.getHeader("Content-length"));
+		} catch (NumberFormatException e) {
+		}
+		return size;
+	}
+
+	protected void doHead4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+		// BAD: Get thread pause time from request header without validation
+		try {
+			String uploadDelayStr = request.getParameter("delay");
+			int uploadDelay = Integer.parseInt(uploadDelayStr);
+
+			UploadListener listener = new UploadListener(uploadDelay, getContentLength(request));
+		} catch (Exception e) { }
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql

java/ql/test/experimental/query-tests/security/CWE-400/UploadListener.java

@@ -0,0 +1,40 @@
+package test.cwe400.cwe.examples;
+
+import java.io.Serializable;
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.fileupload2.ProgressListener;
+
+public class UploadListener implements ProgressListener, Serializable {
+	protected int slowUploads = 0;
+	private Long bytesRead = 0L;
+	private long contentLength = 0L;
+
+	public UploadListener(int sleepMilliseconds, long requestSize) {
+		slowUploads = sleepMilliseconds;
+		contentLength = requestSize;
+	}
+
+	public long getPercent() {
+		return contentLength != 0 ? bytesRead * 100 / contentLength : 0;
+	}
+
+	public long getBytesRead() {
+		return bytesRead;
+	}
+
+	public void update(long done, long total, int item) {
+		bytesRead = done;
+		contentLength = total;
+
+		// Just a way to slow down the upload process and see the progress bar in fast networks.
+		if (slowUploads > 0 && done < total) {
+			try {
+				Thread.sleep(slowUploads);
+			} catch (Exception e) {
+			}
+		}
+	}
+}

java/ql/test/experimental/query-tests/security/CWE-400/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/apache-commons-fileupload-1.4

java/ql/test/library-tests/Encryption/insecure.ql

@@ -2,5 +2,5 @@ import default
 import semmle.code.java.security.Encryption
 
 from StringLiteral s
-where s.getRepresentedString().regexpMatch(getInsecureAlgorithmRegex())
+where s.getValue().regexpMatch(getInsecureAlgorithmRegex())
 select s

java/ql/test/library-tests/Encryption/secure.ql

@@ -2,5 +2,5 @@ import default
 import semmle.code.java.security.Encryption
 
 from StringLiteral s
-where s.getRepresentedString().regexpMatch(getSecureAlgorithmRegex())
+where s.getValue().regexpMatch(getSecureAlgorithmRegex())
 select s

java/ql/test/library-tests/constants/constants/Values.java

@@ -16,7 +16,7 @@ class Values {
         int binary_literal = 0b101010; //42
         int negative_binary_literal = -0b101010; //-42
         int binary_literal_underscores = 0b1_0101_0; //42
-        char char_literal = '*'; //Not handled
+        char char_literal = '*'; //42
         long long_literal = 42L; //Not handled
         boolean boolean_literal = true; //true
         Integer boxed_int = new Integer(42); //Not handled
@@ -30,7 +30,7 @@ class Values {
         byte downcast_byte_4 = (byte) 214; // -42
         byte downcast_byte_5 = (byte) (-214); // 42
         short downcast_short = (short) 32768; // -32768
-        int cast_of_non_constant = (int) '*'; //Not handled
+        int cast_of_non_constant = (int) '*'; //42
         long cast_to_long = (long) 42; //Not handled
 
         int unary_plus = +42; //42

java/ql/test/library-tests/constants/getIntValue.expected

@@ -9,6 +9,7 @@
 | constants/Values.java:16:30:16:37 | 0b101010 | 42 |
 | constants/Values.java:17:39:17:47 | -... | -42 |
 | constants/Values.java:18:42:18:51 | 0b1_0101_0 | 42 |
+| constants/Values.java:19:29:19:31 | '*' | 42 |
 | constants/Values.java:25:20:25:27 | (...)... | 42 |
 | constants/Values.java:26:25:26:33 | (...)... | 42 |
 | constants/Values.java:27:32:27:43 | (...)... | -42 |
@@ -17,6 +18,7 @@
 | constants/Values.java:30:32:30:41 | (...)... | -42 |
 | constants/Values.java:31:32:31:44 | (...)... | 42 |
 | constants/Values.java:32:32:32:44 | (...)... | -32768 |
+| constants/Values.java:33:36:33:44 | (...)... | 42 |
 | constants/Values.java:36:26:36:28 | +... | 42 |
 | constants/Values.java:39:27:39:29 | -... | -42 |
 | constants/Values.java:43:27:43:28 | ~... | -1 |

java/ql/test/library-tests/dataflow/callback-dispatch/A.java

@@ -151,15 +151,7 @@ public class A {
 
     forEach(new Object[] {source(16)}, x -> sink(x)); // $ flow=16
 
-    // Spurious flow from 17 is reasonable as it would likely
-    // also occur if the lambda body was inlined in a for loop.
-    // It occurs from the combination of being able to observe
-    // the side-effect of the callback on the other argument and
-    // being able to chain summaries that update/read arguments,
-    // e.g. fluent apis.
-    // Spurious flow from 18 is due to not matching call targets
-    // in a return-from-call-to-enter-call flow sequence.
-    forEach(new Object[2][], xs -> { sink(xs[0]); xs[0] = source(17); }); // $ SPURIOUS: flow=17 flow=18
+    forEach(new Object[2][], xs -> { sink(xs[0]); xs[0] = source(17); });
 
     Object[][] xss = new Object[][] { { null } };
     forEach(xss, x -> {x[0] = source(18);});
@@ -182,7 +174,7 @@ public class A {
     a1.field1 = source(20);
     A a2 = new A();
     applyConsumer1Field1Field2(a1, a2, p -> {
-      sink(p); // MISSING FLOW
+      sink(p); // $ flow=20
     });
     wrapSinkToAvoidFieldSsa(a1);
     sink(a2.field2);

java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.java

@@ -0,0 +1,73 @@
+public class EntryPointTypesTest {
+
+    static class TestObject {
+        public String field1;
+        private String field2;
+        private AnotherTestObject field3;
+
+        public String getField2() {
+            return field2;
+        }
+
+        public AnotherTestObject getField3() {
+            return field3;
+        }
+    }
+
+    static class AnotherTestObject {
+        public String field4;
+        private String field5;
+
+        public String getField5() {
+            return field5;
+        }
+    }
+
+    static class ParameterizedTestObject<T, K> {
+        public String field6;
+        public T field7;
+        private K field8;
+
+        public K getField8() {
+            return field8;
+        }
+    }
+
+    static class ChildObject extends ParameterizedTestObject<TestObject, Object> {
+        public Object field9;
+    }
+
+    class UnrelatedObject {
+        public String safeField;
+    }
+
+    private static void sink(String sink) {}
+
+    public static void test(TestObject source) {
+        sink(source.field1); // $hasTaintFlow
+        sink(source.getField2()); // $hasTaintFlow
+        sink(source.getField3().field4); // $hasTaintFlow
+        sink(source.getField3().getField5()); // $hasTaintFlow
+    }
+
+    public static void testParameterized(
+            ParameterizedTestObject<TestObject, AnotherTestObject> source) {
+        sink(source.field6); // $hasTaintFlow
+        sink(source.field7.field1); // $hasTaintFlow
+        sink(source.field7.getField2()); // $hasTaintFlow
+        sink(source.getField8().field4); // $hasTaintFlow
+        sink(source.getField8().getField5()); // $hasTaintFlow
+    }
+
+    public static void testSubtype(ParameterizedTestObject<?, ?> source) {
+        ChildObject subtypeSource = (ChildObject) source;
+        sink(subtypeSource.field6); // $hasTaintFlow
+        sink(subtypeSource.field7.field1); // $hasTaintFlow
+        sink(subtypeSource.field7.getField2()); // $hasTaintFlow
+        sink((String) subtypeSource.getField8()); // $hasTaintFlow
+        sink((String) subtypeSource.field9); // $hasTaintFlow
+        // Ensure that we are not tainting every subclass of Object
+        UnrelatedObject unrelated = (UnrelatedObject) subtypeSource.getField8();
+        sink(unrelated.safeField); // Safe
+    }
+}

java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql

@@ -0,0 +1,34 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import TestUtilities.InlineExpectationsTest
+
+class TestRemoteFlowSource extends RemoteFlowSource {
+  TestRemoteFlowSource() { this.asParameter().hasName("source") }
+
+  override string getSourceType() { result = "test" }
+}
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:dataflow:entrypoint-types-taint" }
+
+  override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasTaintFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/dataflow/taint/A.java

@@ -72,4 +72,13 @@ public class A {
     arrayWrite(taint(), b);
     sink(b);
   }
+
+  void testFilterOutputStream() throws IOException {
+    ByteArrayOutputStream bOutput = new ByteArrayOutputStream();
+    bOutput.write(taint());
+    FilterOutputStream filterOutput = new FilterOutputStream(bOutput) {
+    };
+    sink(filterOutput);
+  }
+
 }

java/ql/test/library-tests/dataflow/taint/CharSeq.java

@@ -9,5 +9,8 @@ public class CharSeq {
   
       CharSequence seqFromSeq = seq.subSequence(0, 1);
       sink(seqFromSeq);
+
+      String stringFromSeq = seq.toString();
+      sink(stringFromSeq);
     }
   }

java/ql/test/library-tests/dataflow/taint/test.expected

@@ -3,6 +3,7 @@
 | A.java:33:23:33:29 | taint(...) | A.java:34:10:34:27 | toByteArray(...) |
 | A.java:46:27:46:33 | taint(...) | A.java:47:10:47:30 | toByteArray(...) |
 | A.java:55:58:55:64 | taint(...) | A.java:61:10:61:16 | dh.data |
+| A.java:78:19:78:25 | taint(...) | A.java:81:10:81:21 | filterOutput |
 | B.java:15:21:15:27 | taint(...) | B.java:18:10:18:16 | aaaargs |
 | B.java:15:21:15:27 | taint(...) | B.java:21:10:21:10 | s |
 | B.java:15:21:15:27 | taint(...) | B.java:24:10:24:15 | concat |
@@ -42,6 +43,7 @@
 | B.java:15:21:15:27 | taint(...) | B.java:157:10:157:46 | toFile(...) |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:8:12:8:14 | seq |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:11:12:11:21 | seqFromSeq |
+| CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:14:12:14:24 | stringFromSeq |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |

java/ql/test/library-tests/dataflow/taintsources/IntentSources.java

@@ -29,7 +29,6 @@ public class IntentSources extends Activity {
 
 }
 
-
 class OtherClass {
 
 	private static void sink(Object o) {}

java/ql/test/library-tests/frameworks/android/asynctask/Test.java

@@ -0,0 +1,34 @@
+import android.os.AsyncTask;
+
+public class Test {
+
+    private static Object source(String kind) {
+        return null;
+    }
+
+    private static void sink(Object o) {}
+
+    public void test() {
+        TestAsyncTask t = new TestAsyncTask();
+        t.execute(source("execute"));
+        t.executeOnExecutor(null, source("executeOnExecutor"));
+        SafeAsyncTask t2 = new SafeAsyncTask();
+        t2.execute("safe");
+    }
+
+    private class TestAsyncTask extends AsyncTask<Object, Object, Object> {
+        @Override
+        protected Object doInBackground(Object... params) {
+            sink(params); // $ hasValueFlow=execute hasValueFlow=executeOnExecutor
+            return null;
+        }
+    }
+
+    private class SafeAsyncTask extends AsyncTask<Object, Object, Object> {
+        @Override
+        protected Object doInBackground(Object... params) {
+            sink(params); // Safe
+            return null;
+        }
+    }
+}

java/ql/test/library-tests/frameworks/android/asynctask/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0

java/ql/test/library-tests/frameworks/android/asynctask/test.ql

@@ -0,0 +1,6 @@
+import java
+import TestUtilities.InlineFlowTest
+
+class AsyncTaskTest extends InlineFlowTest {
+  override TaintTracking::Configuration getTaintFlowConfig() { none() }
+}

java/ql/test/library-tests/frameworks/android/intent/Test.java

@@ -1,5 +1,6 @@
 package generatedtest;
 
+import android.content.ComponentName;
 import android.content.Context;
 import android.content.Intent;
 import android.content.IntentSender;
@@ -1597,6 +1598,167 @@ public class Test {
 			out.readFromParcel(in);
 			sink(getMapValue(out)); // $ hasTaintFlow
 		}
+		{
+			// "android.content;ComponentName;false;ComponentName;(Context,Class);;Argument[1];Argument[-1];taint"
+			ComponentName out = null;
+			Class in = (Class) source();
+			out = new ComponentName((Context) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;ComponentName;(Context,String);;Argument[1];Argument[-1];taint"
+			ComponentName out = null;
+			String in = (String) source();
+			out = new ComponentName((Context) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;ComponentName;(Parcel);;Argument[0];Argument[-1];taint"
+			ComponentName out = null;
+			Parcel in = (Parcel) source();
+			out = new ComponentName(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;ComponentName;(String,String);;Argument[0..1];Argument[-1];taint"
+			ComponentName out = null;
+			String in = (String) source();
+			out = new ComponentName(in, (String) null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;ComponentName;(String,String);;Argument[0..1];Argument[-1];taint"
+			ComponentName out = null;
+			String in = (String) source();
+			out = new ComponentName((String) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;createRelative;(Context,String);;Argument[1];ReturnValue;taint"
+			ComponentName out = null;
+			String in = (String) source();
+			out = ComponentName.createRelative((Context) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;createRelative;(String,String);;Argument[0..1];ReturnValue;taint"
+			ComponentName out = null;
+			String in = (String) source();
+			out = ComponentName.createRelative(in, (String) null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;createRelative;(String,String);;Argument[0..1];ReturnValue;taint"
+			ComponentName out = null;
+			String in = (String) source();
+			out = ComponentName.createRelative((String) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;flattenToShortString;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			ComponentName in = (ComponentName) source();
+			out = in.flattenToShortString();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;flattenToString;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			ComponentName in = (ComponentName) source();
+			out = in.flattenToString();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;getClassName;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			ComponentName in = (ComponentName) source();
+			out = in.getClassName();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;getPackageName;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			ComponentName in = (ComponentName) source();
+			out = in.getPackageName();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;getShortClassName;;;Argument[-1];ReturnValue;taint"
+			String out = null;
+			ComponentName in = (ComponentName) source();
+			out = in.getShortClassName();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;ComponentName;false;unflattenFromString;;;Argument[0];ReturnValue;taint"
+			ComponentName out = null;
+			String in = (String) source();
+			out = ComponentName.unflattenFromString(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;Intent;(Context,Class);;Argument[1];Argument[-1];taint"
+			Intent out = null;
+			Class in = (Class) source();
+			out = new Intent((Context) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;Intent;(Intent);;Argument[0];Argument[-1];taint"
+			Intent out = null;
+			Intent in = (Intent) source();
+			out = new Intent(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;Intent;(String,Uri,Context,Class);;Argument[3];Argument[-1];taint"
+			Intent out = null;
+			Class in = (Class) source();
+			out = new Intent(null, null, null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;setClass;;;Argument[1];Argument[-1];taint"
+			Intent out = null;
+			Class in = (Class) source();
+			out.setClass(null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;setClassName;(Context,String);;Argument[1];Argument[-1];taint"
+			Intent out = null;
+			String in = (String) source();
+			out.setClassName((Context) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;setClassName;(String,String);;Argument[0..1];Argument[-1];taint"
+			Intent out = null;
+			String in = (String) source();
+			out.setClassName(in, (String) null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;setClassName;(String,String);;Argument[0..1];Argument[-1];taint"
+			Intent out = null;
+			String in = (String) source();
+			out.setClassName((String) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;setComponent;;;Argument[0];Argument[-1];taint"
+			Intent out = null;
+			ComponentName in = (ComponentName) source();
+			out.setComponent(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.content;Intent;true;setPackage;;;Argument[0];Argument[-1];taint"
+			Intent out = null;
+			String in = (String) source();
+			out.setPackage(in);
+			sink(out); // $ hasTaintFlow
+		}
 
 	}
 

java/ql/test/library-tests/frameworks/android/notification/Test.java

@@ -0,0 +1,702 @@
+package generatedtest;
+
+import android.app.Notification;
+import android.app.PendingIntent;
+import android.app.Person;
+import android.app.Notification.Action;
+import android.graphics.Bitmap;
+import android.graphics.drawable.Icon;
+import android.media.AudioAttributes;
+import android.net.Uri;
+import android.os.Bundle;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object getMapKeyDefault(Bundle container) {
+		return null;
+	}
+
+	Object getMapValueDefault(Bundle container) {
+		return container.get("key");
+	}
+
+	Bundle newWithMapKeyDefault(Object element) {
+		Bundle bundle = new Bundle();
+		bundle.putString((String) element, null);
+		return bundle;
+	}
+
+	Bundle newWithMapValueDefault(Object element) {
+		Bundle bundle = new Bundle();
+		bundle.putString("key", (String) element);
+		return bundle;
+	}
+
+	Object source() {
+		return null;
+	}
+
+	void sink(Object o) {}
+
+	public void test() throws Exception {
+
+		{
+			// "android.app;Notification$Action$Builder;true;Builder;(Action);;Argument[0];Argument[-1];taint"
+			Notification.Action.Builder out = null;
+			Notification.Action in = (Notification.Action) source();
+			out = new Notification.Action.Builder(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;Builder;(Icon,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint"
+			Notification.Action.Builder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out = new Notification.Action.Builder((Icon) null, (CharSequence) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;Builder;(int,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint"
+			Notification.Action.Builder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out = new Notification.Action.Builder(0, (CharSequence) null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;addExtras;;;Argument[-1];ReturnValue;value"
+			Notification.Action.Builder out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.addExtras(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;addExtras;;;MapKey of
+			// Argument[0];MapKey of SyntheticField[android.content.Intent.extras] of
+			// Argument[-1];value"
+			Notification.Action.Builder out = null;
+			Bundle in = (Bundle) newWithMapKeyDefault(source());
+			out.addExtras(in);
+			sink(getMapKeyDefault(out.getExtras())); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;addExtras;;;MapValue of
+			// Argument[0];MapValue of SyntheticField[android.content.Intent.extras]
+			// of Argument[-1];value"
+			Notification.Action.Builder out = null;
+			Bundle in = (Bundle) newWithMapValueDefault(source());
+			out.addExtras(in);
+			sink(getMapValueDefault(out.getExtras())); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;addRemoteInput;;;Argument[-1];ReturnValue;value"
+			Notification.Action.Builder out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.addRemoteInput(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;build;;;Argument[-1];ReturnValue;taint"
+			Notification.Action out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.build();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;build;;;SyntheticField[android.content.Intent.extras]
+			// of Argument[-1];SyntheticField[android.content.Intent.extras] of ReturnValue;value"
+			Notification.Action out = null;
+			Notification.Action.Builder builder = null;
+			Bundle in = (Bundle) newWithMapValueDefault(source());
+			builder.addExtras(in);
+			out = builder.build();
+			sink(getMapValueDefault(out.getExtras())); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;extend;;;Argument[-1];ReturnValue;value"
+			Notification.Action.Builder out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.extend(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras]
+			// of Argument[-1];ReturnValue;value"
+			Bundle out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.getExtras();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;setAllowGeneratedReplies;;;Argument[-1];ReturnValue;value"
+			Notification.Action.Builder out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.setAllowGeneratedReplies(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;setAuthenticationRequired;;;Argument[-1];ReturnValue;value"
+			Notification.Action.Builder out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.setAuthenticationRequired(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;setContextual;;;Argument[-1];ReturnValue;value"
+			Notification.Action.Builder out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.setContextual(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action$Builder;true;setSemanticAction;;;Argument[-1];ReturnValue;value"
+			Notification.Action.Builder out = null;
+			Notification.Action.Builder in = (Notification.Action.Builder) source();
+			out = in.setSemanticAction(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Action;true;Action;(int,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint"
+			Notification.Action out = null;
+			PendingIntent in = (PendingIntent) source();
+			out = new Notification.Action(0, null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addAction;(Action);;Argument[0];Argument[-1];taint"
+			Notification.Builder out = null;
+			Notification.Action in = (Notification.Action) source();
+			out.addAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addAction;(int,CharSequence,PendingIntent);;Argument[2];Argument[-1];taint"
+			Notification.Builder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out.addAction(0, null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addAction;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.addAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addAction;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.addAction(0, null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addExtras;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.addExtras(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addExtras;;;MapKey of Argument[0];MapKey of
+			// SyntheticField[android.content.Intent.extras] of Argument[-1];value"
+			Notification.Builder out = null;
+			Bundle in = (Bundle) newWithMapKeyDefault(source());
+			out.addExtras(in);
+			sink(getMapKeyDefault(out.getExtras())); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addExtras;;;MapValue of Argument[0];MapValue
+			// of SyntheticField[android.content.Intent.extras] of Argument[-1];value"
+			Notification.Builder out = null;
+			Bundle in = (Bundle) newWithMapValueDefault(source());
+			out.addExtras(in);
+			sink(getMapValueDefault(out.getExtras())); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addPerson;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.addPerson((String) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;addPerson;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.addPerson((Person) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;build;;;Argument[-1];ReturnValue;taint"
+			Notification out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.build();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;build;;;SyntheticField[android.content.Intent.extras]
+			// of Argument[-1];Field[android.app.Notification.extras] of ReturnValue;value"
+			Notification out = null;
+			Notification.Builder builder = null;
+			Bundle in = (Bundle) newWithMapValueDefault(source());
+			builder.addExtras(in);
+			out = builder.build();
+			sink(getMapValueDefault(out.extras)); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;extend;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.extend(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;getExtras;;;SyntheticField[android.content.Intent.extras]
+			// of Argument[-1];ReturnValue;value"
+			Bundle out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.getExtras();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;recoverBuilder;;;Argument[1];ReturnValue;taint"
+			Notification.Builder out = null;
+			Notification in = (Notification) source();
+			out = Notification.Builder.recoverBuilder(null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setActions;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setActions((Notification.Action[]) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setActions;;;ArrayElement of
+			// Argument[0];SyntheticField[android.app.Notification.action] of
+			// Argument[-1];taint"
+			Notification.Builder out = null;
+			Notification.Action[] in = (Notification.Action[]) new Notification.Action[] {
+					(Notification.Action) source()};
+			out.setActions(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setAutoCancel;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setAutoCancel(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setBadgeIconType;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setBadgeIconType(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setBubbleMetadata;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setBubbleMetadata(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setCategory;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setCategory(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setChannelId;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setChannelId(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setChronometerCountDown;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setChronometerCountDown(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setColor;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setColor(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setColorized;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setColorized(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setContent;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setContent(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setContentInfo;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setContentInfo(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setContentIntent;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setContentIntent(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setContentIntent;;;Argument[0];Argument[-1];taint"
+			Notification.Builder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out.setContentIntent(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setContentText;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setContentText(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setContentTitle;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setContentTitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setCustomBigContentView;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setCustomBigContentView(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setCustomHeadsUpContentView;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setCustomHeadsUpContentView(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setDefaults;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setDefaults(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setDeleteIntent;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setDeleteIntent(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setDeleteIntent;;;Argument[0];Argument[-1];taint"
+			Notification.Builder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out.setDeleteIntent(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setExtras;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setExtras(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setExtras;;;Argument[0];SyntheticField[android.content.Intent.extras]
+			// of Argument[-1];value"
+			Notification.Builder out = null;
+			Bundle in = (Bundle) source();
+			out.setExtras(in);
+			sink(out.getExtras()); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setFlag;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setFlag(0, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setForegroundServiceBehavior;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setForegroundServiceBehavior(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setFullScreenIntent;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setFullScreenIntent(null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setGroup;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setGroup(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setGroupAlertBehavior;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setGroupAlertBehavior(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setGroupSummary;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setGroupSummary(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setLargeIcon;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setLargeIcon((Icon) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setLargeIcon;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setLargeIcon((Bitmap) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setLights;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setLights(0, 0, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setLocalOnly;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setLocalOnly(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setLocusId;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setLocusId(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setNumber;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setNumber(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setOngoing;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setOngoing(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setOnlyAlertOnce;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setOnlyAlertOnce(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setPriority;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setPriority(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setProgress;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setProgress(0, 0, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setPublicVersion;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setPublicVersion(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setPublicVersion;;;Argument[0];Argument[-1];taint"
+			Notification.Builder out = null;
+			Notification in = (Notification) source();
+			out.setPublicVersion(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setRemoteInputHistory;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setRemoteInputHistory(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSettingsText;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSettingsText(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setShortcutId;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setShortcutId(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setShowWhen;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setShowWhen(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSmallIcon;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSmallIcon(0, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSmallIcon;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSmallIcon(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSmallIcon;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSmallIcon((Icon) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSortKey;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSortKey(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSound;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSound(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSound;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSound((Uri) null, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSound;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSound((Uri) null, (AudioAttributes) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setStyle;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setStyle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setSubText;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setSubText(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setTicker;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setTicker(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setTicker;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setTicker(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setTimeoutAfter;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setTimeoutAfter(0L);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setUsesChronometer;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setUsesChronometer(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setVibrate;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setVibrate(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setVisibility;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setVisibility(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "android.app;Notification$Builder;true;setWhen;;;Argument[-1];ReturnValue;value"
+			Notification.Builder out = null;
+			Notification.Builder in = (Notification.Builder) source();
+			out = in.setWhen(0L);
+			sink(out); // $ hasValueFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/android/notification/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0

java/ql/test/library-tests/frameworks/android/notification/test.ql

@@ -0,0 +1,13 @@
+import java
+import semmle.code.java.frameworks.android.Intent
+import TestUtilities.InlineFlowTest
+
+class SummaryModelTest extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        "generatedtest;Test;false;getMapKeyDefault;(Bundle);;MapKey of Argument[0];ReturnValue;value"
+      ]
+  }
+}

java/ql/test/library-tests/frameworks/android/slice/AndroidManifest.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest
+    xmlns:android="http://schemas.android.com/apk/res/android"
+    android:versionCode="1"
+    android:versionName="1.0"
+    package="com.example.app">
+
+    <application
+        android:allowBackup="true"
+        android:icon="@mipmap/ic_launcher"
+        android:roundIcon="@mipmap/ic_launcher_round"
+        android:label="@string/app_name"
+        android:supportsRtl="true"
+        android:theme="@style/AppTheme">
+
+        <activity
+            android:name=".MainActivity"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <provider
+            android:name=".TestSources"
+            android:authority="com.example.myapp.Test"
+            android:exported="true" />
+
+    </application>
+</manifest>

java/ql/test/library-tests/frameworks/android/slice/Test.java

@@ -0,0 +1,841 @@
+package generatedtest;
+
+import android.app.PendingIntent;
+import androidx.core.graphics.drawable.IconCompat;
+import androidx.remotecallback.RemoteCallback;
+import androidx.slice.Slice;
+import androidx.slice.builders.GridRowBuilder;
+import androidx.slice.builders.ListBuilder;
+import androidx.slice.builders.SelectionBuilder;
+import androidx.slice.builders.SliceAction;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object newWithSlice_actionDefault(Object element) {
+		return null;
+	}
+
+	Object source() {
+		return null;
+	}
+
+	void sink(Object o) {}
+
+	public void test() throws Exception {
+
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;false;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.HeaderBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.setPrimaryAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setContentDescription;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setContentDescription(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setLayoutDirection;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setLayoutDirection(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setPrimaryAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setPrimaryAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setSubtitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setSubtitle(null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setSubtitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setSubtitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setSummary;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setSummary(null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setSummary;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setSummary(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setTitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setTitle(null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$HeaderBuilder;true;setTitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.HeaderBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out = in.setTitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;false;addEndItem;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.InputRangeBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.addEndItem(in, false);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;false;addEndItem;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.InputRangeBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.addEndItem(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;false;setInputAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action]
+			// of Argument[-1];taint"
+			ListBuilder.InputRangeBuilder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out.setInputAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;false;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.InputRangeBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.setPrimaryAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;addEndItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.addEndItem(null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;addEndItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.addEndItem(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setContentDescription;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setContentDescription(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setInputAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setInputAction((RemoteCallback) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setInputAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setInputAction((PendingIntent) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setLayoutDirection;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setLayoutDirection(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setMax;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setMax(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setMin;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setMin(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setPrimaryAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setPrimaryAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setSubtitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setSubtitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setThumb;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setThumb(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setTitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setTitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setTitleItem(null, 0, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setTitleItem(null, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$InputRangeBuilder;true;setValue;;;Argument[-1];ReturnValue;value"
+			ListBuilder.InputRangeBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out = in.setValue(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;false;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.RangeBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.setPrimaryAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setContentDescription;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setContentDescription(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setMax;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setMax(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setMode;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setMode(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setPrimaryAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setPrimaryAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setSubtitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setSubtitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setTitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setTitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setTitleItem(null, 0, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setTitleItem(null, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RangeBuilder;true;setValue;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RangeBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out = in.setValue(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;false;setInputAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action]
+			// of Argument[-1];taint"
+			ListBuilder.RatingBuilder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out.setInputAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;false;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.RatingBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.setPrimaryAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setContentDescription;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setContentDescription(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setInputAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setInputAction((RemoteCallback) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setInputAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setInputAction((PendingIntent) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setMax;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setMax(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setMin;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setMin(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setPrimaryAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setPrimaryAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setSubtitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setSubtitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setTitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setTitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setTitleItem(null, 0, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setTitleItem(null, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RatingBuilder;true;setValue;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RatingBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out = in.setValue(0.0f);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;false;addEndItem;(SliceAction);;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.RowBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.addEndItem(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;false;addEndItem;(SliceAction,boolean);;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.RowBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.addEndItem(in, false);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;false;setPrimaryAction;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.RowBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.setPrimaryAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;false;setTitleItem;(SliceAction);;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.RowBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.setTitleItem(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;false;setTitleItem;(SliceAction,boolean);;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder.RowBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.setTitleItem(in, false);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.addEndItem(null, 0, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.addEndItem(0L);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.addEndItem((SliceAction) null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.addEndItem((SliceAction) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;addEndItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.addEndItem((IconCompat) null, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setContentDescription;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setContentDescription(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setEndOfSection;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setEndOfSection(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setLayoutDirection;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setLayoutDirection(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setPrimaryAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setPrimaryAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setSubtitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setSubtitle(null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setSubtitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setSubtitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setTitle(null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitle;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setTitle(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setTitleItem(null, 0, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setTitleItem(0L);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setTitleItem((SliceAction) null, false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setTitleItem((SliceAction) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder$RowBuilder;true;setTitleItem;;;Argument[-1];ReturnValue;value"
+			ListBuilder.RowBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out = in.setTitleItem((IconCompat) null, 0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;addAction;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			SliceAction in = (SliceAction) source();
+			out.addAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;addGridRow;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			GridRowBuilder in = (GridRowBuilder) source();
+			out.addGridRow(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;addInputRange;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			ListBuilder.InputRangeBuilder in = (ListBuilder.InputRangeBuilder) source();
+			out.addInputRange(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;addRange;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			ListBuilder.RangeBuilder in = (ListBuilder.RangeBuilder) source();
+			out.addRange(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;addRating;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			ListBuilder.RatingBuilder in = (ListBuilder.RatingBuilder) source();
+			out.addRating(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;addRow;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out.addRow(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;addSelection;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			SelectionBuilder in = (SelectionBuilder) source();
+			out.addSelection(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;setHeader;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			ListBuilder.HeaderBuilder in = (ListBuilder.HeaderBuilder) source();
+			out.setHeader(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;false;setSeeMoreAction;(PendingIntent);;Argument[0];SyntheticField[androidx.slice.Slice.action]
+			// of Argument[-1];taint"
+			ListBuilder out = null;
+			PendingIntent in = (PendingIntent) source();
+			out.setSeeMoreAction(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;addAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.addAction(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;addGridRow;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.addGridRow(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;addInputRange;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.addInputRange(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;addRange;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.addRange(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;addRating;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.addRating(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;addRow;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.addRow(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;addSelection;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.addSelection(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;build;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[-1];ReturnValue;taint"
+			Slice out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.build();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setAccentColor;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setAccentColor(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setHeader;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setHeader(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setHostExtras;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setHostExtras(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setIsError;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setIsError(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setKeywords;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setKeywords(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setLayoutDirection;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setLayoutDirection(0);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setSeeMoreAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setSeeMoreAction((RemoteCallback) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setSeeMoreAction;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setSeeMoreAction((PendingIntent) null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setSeeMoreRow;;;Argument[-1];ReturnValue;value"
+			ListBuilder out = null;
+			ListBuilder in = (ListBuilder) source();
+			out = in.setSeeMoreRow(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;ListBuilder;true;setSeeMoreRow;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[0];SyntheticField[androidx.slice.Slice.action] of
+			// Argument[-1];taint"
+			ListBuilder out = null;
+			ListBuilder.RowBuilder in = (ListBuilder.RowBuilder) source();
+			out.setSeeMoreRow(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;SliceAction;false;create;(PendingIntent,IconCompat,int,CharSequence);;Argument[0];SyntheticField[androidx.slice.Slice.action]
+			// of ReturnValue;taint"
+			SliceAction out = null;
+			PendingIntent in = (PendingIntent) source();
+			out = SliceAction.create(in, (IconCompat) null, 0, (CharSequence) null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;SliceAction;false;createDeeplink;(PendingIntent,IconCompat,int,CharSequence);;Argument[0];SyntheticField[androidx.slice.Slice.action]
+			// of ReturnValue;taint"
+			SliceAction out = null;
+			PendingIntent in = (PendingIntent) source();
+			out = SliceAction.createDeeplink(in, (IconCompat) null, 0, (CharSequence) null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;SliceAction;false;createToggle;(PendingIntent,CharSequence,boolean);;Argument[0];SyntheticField[androidx.slice.Slice.action]
+			// of ReturnValue;taint"
+			SliceAction out = null;
+			PendingIntent in = (PendingIntent) source();
+			out = SliceAction.createToggle(in, (CharSequence) null, false);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;SliceAction;false;getAction;;;SyntheticField[androidx.slice.Slice.action]
+			// of Argument[-1];ReturnValue;taint"
+			PendingIntent out = null;
+			SliceAction in = (SliceAction) source();
+			out = in.getAction();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "androidx.slice.builders;SliceAction;true;setChecked;;;Argument[-1];ReturnValue;value"
+			SliceAction out = null;
+			SliceAction in = (SliceAction) source();
+			out = in.setChecked(false);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;SliceAction;true;setContentDescription;;;Argument[-1];ReturnValue;value"
+			SliceAction out = null;
+			SliceAction in = (SliceAction) source();
+			out = in.setContentDescription(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "androidx.slice.builders;SliceAction;true;setPriority;;;Argument[-1];ReturnValue;value"
+			SliceAction out = null;
+			SliceAction in = (SliceAction) source();
+			out = in.setPriority(0);
+			sink(out); // $ hasValueFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/android/slice/TestSources.java

@@ -0,0 +1,71 @@
+package com.example.app;
+
+import java.io.FileNotFoundException;
+import android.app.PendingIntent;
+import android.content.Intent;
+import android.content.res.AssetFileDescriptor;
+import android.net.Uri;
+import android.os.Bundle;
+import android.os.CancellationSignal;
+import android.os.RemoteException;
+import androidx.slice.Slice;
+import androidx.slice.SliceProvider;
+
+public class TestSources extends SliceProvider {
+
+    void sink(Object o) {}
+
+    // "androidx.slice;SliceProvider;true;onBindSlice;;;Parameter[0];contentprovider",
+    @Override
+    public Slice onBindSlice(Uri sliceUri) {
+        sink(sliceUri); // $hasValueFlow
+        return null;
+    }
+
+    // "androidx.slice;SliceProvider;true;onCreatePermissionRequest;;;Parameter[0];contentprovider",
+    @Override
+    public PendingIntent onCreatePermissionRequest(Uri sliceUri, String callingPackage) {
+        sink(sliceUri); // $hasValueFlow
+        sink(callingPackage); // Safe
+        return null;
+    }
+
+    // "androidx.slice;SliceProvider;true;onMapIntentToUri;;;Parameter[0];contentprovider",
+    @Override
+    public Uri onMapIntentToUri(Intent intent) {
+        sink(intent); // $hasValueFlow
+        return null;
+    }
+
+    // "androidx.slice;SliceProvider;true;onSlicePinned;;;Parameter[0];contentprovider",
+    public void onSlicePinned(Uri sliceUri) {
+        sink(sliceUri); // $hasValueFlow
+    }
+
+    // "androidx.slice;SliceProvider;true;onSliceUnpinned;;;Parameter[0];contentprovider"
+    public void onSliceUnpinned(Uri sliceUri) {
+        sink(sliceUri); // $hasValueFlow
+    }
+
+    // Methods needed for compilation
+
+    @Override
+    public AssetFileDescriptor openTypedAssetFile(Uri uri, String mimeTypeFilter, Bundle opts,
+            CancellationSignal signal) throws RemoteException, FileNotFoundException {
+        return null;
+    }
+
+    @Override
+    public Bundle call(String authority, String method, String arg, Bundle extras)
+            throws RemoteException {
+        return null;
+    }
+
+    @Override
+    public boolean onCreateSliceProvider() {
+        return false;
+    }
+
+
+
+}

java/ql/test/library-tests/frameworks/android/slice/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0

java/ql/test/library-tests/frameworks/android/slice/test.ql

@@ -0,0 +1,18 @@
+import java
+import TestUtilities.InlineFlowTest
+import semmle.code.java.dataflow.FlowSources
+
+class SliceValueFlowConf extends DefaultValueFlowConf {
+  override predicate isSource(DataFlow::Node source) {
+    super.isSource(source) or source instanceof RemoteFlowSource
+  }
+}
+
+class SliceTaintFlowConf extends DefaultTaintFlowConf {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    super.allowImplicitRead(node, c)
+    or
+    isSink(node) and
+    c.(DataFlow::SyntheticFieldContent).getField() = "androidx.slice.Slice.action"
+  }
+}

java/ql/test/library-tests/frameworks/ratpack/resources/PairTest.java

@@ -0,0 +1,308 @@
+import ratpack.exec.Promise;
+import ratpack.exec.Result;
+import ratpack.func.Action;
+import ratpack.func.Pair;
+
+
+public class PairTest {
+    
+    void sink(Object o) {}
+
+    String taint() {
+        return null;
+    }
+
+    void test1() {
+        Pair<String, String> pair = Pair.of("safe", "safe");
+        sink(pair.left); // no taint flow
+        sink(pair.left()); // no taint flow
+        sink(pair.getLeft()); // no taint flow
+        sink(pair.right); // no taint flow
+        sink(pair.right()); // no taint flow
+        sink(pair.getRight()); // no taint flow
+        Pair<String, String> updatedLeftPair = pair.left(taint());
+        sink(updatedLeftPair.left); //$hasTaintFlow
+        sink(updatedLeftPair.left()); //$hasTaintFlow
+        sink(updatedLeftPair.getLeft()); //$hasTaintFlow
+        sink(updatedLeftPair.right); // no taint flow
+        sink(updatedLeftPair.right()); // no taint flow
+        sink(updatedLeftPair.getRight()); // no taint flow
+        Pair<String, String> updatedRightPair = pair.right(taint());
+        sink(updatedRightPair.left); // no taint flow
+        sink(updatedRightPair.left()); // no taint flow
+        sink(updatedRightPair.getLeft()); // no taint flow
+        sink(updatedRightPair.right); //$hasTaintFlow
+        sink(updatedRightPair.right()); //$hasTaintFlow
+        sink(updatedRightPair.getRight()); //$hasTaintFlow
+        Pair<String, String> updatedBothPair = pair.left(taint()).right(taint());
+        sink(updatedBothPair.left); //$hasTaintFlow
+        sink(updatedBothPair.left()); //$hasTaintFlow
+        sink(updatedBothPair.getLeft()); //$hasTaintFlow
+        sink(updatedBothPair.right); //$hasTaintFlow
+        sink(updatedBothPair.right()); //$hasTaintFlow
+        sink(updatedBothPair.getRight()); //$hasTaintFlow
+    }
+
+    void test2() {
+        Pair<String, String> pair = Pair.of(taint(), taint());
+        sink(pair.left); //$hasTaintFlow
+        sink(pair.left()); //$hasTaintFlow
+        sink(pair.getLeft()); //$hasTaintFlow
+        sink(pair.right); //$hasTaintFlow
+        sink(pair.right()); //$hasTaintFlow
+        sink(pair.getRight()); //$hasTaintFlow
+        Pair<String, Pair<String, String>> pushedLeftPair = pair.pushLeft("safe");
+        sink(pushedLeftPair.left()); // no taint flow
+        sink(pushedLeftPair.right().left()); //$hasTaintFlow
+        sink(pushedLeftPair.right().right()); //$hasTaintFlow
+        Pair<Pair<String, String>, String> pushedRightPair = pair.pushRight("safe");
+        sink(pushedRightPair.left().left()); //$hasTaintFlow
+        sink(pushedRightPair.left().right()); //$hasTaintFlow
+        sink(pushedRightPair.right()); // no taint flow
+    }
+
+    void test3() {
+        Pair<String, String> pair = Pair.of("safe", "safe");
+        sink(pair.left); // no taint flow
+        sink(pair.left()); // no taint flow
+        sink(pair.getLeft()); // no taint flow
+        sink(pair.right); // no taint flow
+        sink(pair.right()); // no taint flow
+        sink(pair.getRight()); // no taint flow
+        Pair<String, Pair<String, String>> pushedLeftPair = pair.pushLeft(taint());
+        sink(pushedLeftPair.left()); //$hasTaintFlow
+        sink(pushedLeftPair.right().left()); // no taint flow
+        sink(pushedLeftPair.right().right()); // no taint flow
+        Pair<Pair<String, String>, String> pushedRightPair = pair.pushRight(taint());
+        sink(pushedRightPair.left().left()); // no taint flow
+        sink(pushedRightPair.left().right()); // no taint flow
+        sink(pushedRightPair.right()); //$hasTaintFlow
+    }
+
+    void test4() {
+        Pair<String, String> pair = Pair.of(taint(), taint());
+        sink(pair.left()); //$hasTaintFlow
+        sink(pair.right()); //$hasTaintFlow
+        Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft("safe");
+        sink(nestLeftPair.left().left()); // no taint flow
+        sink(nestLeftPair.left().right()); //$hasTaintFlow
+        sink(nestLeftPair.right()); //$hasTaintFlow
+        Pair<String, Pair<String, String>> nestRightPair = pair.nestRight("safe");
+        sink(nestRightPair.left()); //$hasTaintFlow
+        sink(nestRightPair.right().left()); // no taint flow
+        sink(nestRightPair.right().right()); //$hasTaintFlow
+    }
+
+    void test5() {
+        Pair<String, String> pair = Pair.of(taint(), "safe");
+        sink(pair.left()); //$hasTaintFlow
+        sink(pair.right()); // no taint flow
+        Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft("safe");
+        sink(nestLeftPair.left().left()); // no taint flow
+        sink(nestLeftPair.left().right()); //$hasTaintFlow
+        sink(nestLeftPair.right()); // no taint flow
+        Pair<String, Pair<String, String>> nestRightPair = pair.nestRight("safe");
+        sink(nestRightPair.left()); //$hasTaintFlow
+        sink(nestRightPair.right().left()); // no taint flow
+        sink(nestRightPair.right().right()); // no taint flow
+    }
+
+    void test6() {
+        Pair<String, String> pair = Pair.of("safe", taint());
+        sink(pair.left()); // no taint flow
+        sink(pair.right()); //$hasTaintFlow
+        Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft("safe");
+        sink(nestLeftPair.left().left()); // no taint flow
+        sink(nestLeftPair.left().right()); // no taint flow
+        sink(nestLeftPair.right()); //$hasTaintFlow
+        Pair<String, Pair<String, String>> nestRightPair = pair.nestRight("safe");
+        sink(nestRightPair.left()); // no taint flow
+        sink(nestRightPair.right().left()); // no taint flow
+        sink(nestRightPair.right().right()); //$hasTaintFlow
+    }
+
+    void test7() {
+        Pair<String, String> pair = Pair.of("safe", "safe");
+        sink(pair.left()); // no taint flow
+        sink(pair.right()); // no taint flow
+        Pair<Pair<String, String>, String> nestLeftPair = pair.nestLeft(taint());
+        sink(nestLeftPair.left().left()); // $hasTaintFlow
+        sink(nestLeftPair.left().right()); // no taint flow
+        sink(nestLeftPair.right()); // no taint flow
+        Pair<String, Pair<String, String>> nestRightPair = pair.nestRight(taint());
+        sink(nestRightPair.left()); // no taint flow
+        sink(nestRightPair.right().left()); // $hasTaintFlow
+        sink(nestRightPair.right().right()); // no taint flow
+    }
+
+    void test8() throws Exception {
+        Pair<String, String> pair = Pair.of("safe", "safe");
+        Pair<String, String> taintLeft = pair.mapLeft(left -> {
+            sink(left); // no taint flow
+            return taint();
+        });
+        sink(taintLeft.left()); //$hasTaintFlow
+        sink(taintLeft.right()); // no taint flow
+    }
+
+    void test9() throws Exception  {
+        Pair<String, String> pair = Pair.of("safe", "safe");
+        Pair<String, String> taintRight = pair.mapRight(left -> {
+            sink(left); // no taint flow
+            return taint();
+        });
+        sink(taintRight.left()); // no taint flow
+        sink(taintRight.right()); //$hasTaintFlow
+    }
+
+    void test10() throws Exception {
+        Pair<String, String> pair = Pair.of(taint(), taint());
+        Pair<String, String> taintLeft = pair.mapLeft(left -> {
+            sink(left); //$hasTaintFlow
+            return "safe";
+        });
+        sink(taintLeft.left()); // no taint flow
+        sink(taintLeft.right()); //$hasTaintFlow
+    }
+
+    void test11() throws Exception {
+        Pair<String, String> pair = Pair.of(taint(), taint());
+        Pair<String, String> taintRight = pair.mapRight(right -> {
+            sink(right); //$hasTaintFlow
+            return "safe";
+        });
+        sink(taintRight.left()); //$hasTaintFlow
+        sink(taintRight.right()); // no taint flow
+    }
+
+    void test12() throws Exception {
+        Pair<String, String> pair = Pair.of(taint(), taint());
+        String safe = pair.map(p -> {
+            sink(p.left()); //$hasTaintFlow
+            sink(p.right()); //$hasTaintFlow
+            return "safe";
+        });
+        sink(safe); // no taint flow
+        String unsafe = pair.map(p -> {
+            sink(p.left()); //$hasTaintFlow
+            sink(p.right()); //$hasTaintFlow
+            return taint();
+        });
+        sink(unsafe); //$hasTaintFlow
+    }
+
+    void test13() {
+        Promise
+            .value(taint())
+            .left(Promise.value("safe"))
+            .then(pair -> {
+                sink(pair.left()); // no taint flow
+                sink(pair.right()); //$hasTaintFlow
+            });
+        Promise
+            .value(taint())
+            .right(Promise.value("safe"))
+            .then(pair -> {
+                sink(pair.left()); //$hasTaintFlow
+                sink(pair.right()); // no taint flow
+            });
+        Promise
+            .value("safe")
+            .left(Promise.value(taint()))
+            .then(pair -> {
+                sink(pair.left()); //$hasTaintFlow
+                sink(pair.right()); // no taint flow
+            });
+        Promise
+            .value("safe")
+            .right(Promise.value(taint()))
+            .then(pair -> {
+                sink(pair.left()); // no taint flow
+                sink(pair.right()); //$hasTaintFlow
+            });
+    }
+
+    void test14() {
+        Promise
+            .value(taint())
+            .left(value -> {
+                sink(value); //$hasTaintFlow
+                return "safe";
+            })
+            .then(pair -> {
+                sink(pair.left()); // no taint flow
+                sink(pair.right()); //$hasTaintFlow
+            });
+        Promise
+            .value(taint())
+            .right(value -> {
+                sink(value); //$hasTaintFlow
+                return "safe";
+            })
+            .then(pair -> {
+                sink(pair.left()); //$hasTaintFlow
+                sink(pair.right()); // no taint flow
+            });
+        Promise
+            .value("safe")
+            .left(value -> {
+                sink(value); // no taint flow
+                return taint();
+            })
+            .then(pair -> {
+                sink(pair.left()); //$hasTaintFlow
+                sink(pair.right()); // no taint flow
+            });
+        Promise
+            .value("safe")
+            .right(value -> {
+                sink(value); // no taint flow
+                return taint();
+            })
+            .then(pair -> {
+                sink(pair.left()); // no taint flow
+                sink(pair.right()); //$hasTaintFlow
+            });
+    }
+
+    void test15() {
+        Promise
+            .value(taint())
+            .flatLeft(value -> {
+                sink(value); //$hasTaintFlow
+                return Promise.value("safe");
+            })
+            .then(pair -> {
+                sink(pair.left()); // no taint flow
+                sink(pair.right()); //$hasTaintFlow
+            });
+        Promise
+            .value(taint())
+            .flatRight(value -> {
+                sink(value); //$hasTaintFlow
+                return Promise.value("safe");
+            })
+            .then(pair -> {
+                sink(pair.left()); //$hasTaintFlow
+                sink(pair.right()); // no taint flow
+            });
+        Promise
+            .value("safe")
+            .flatLeft(value -> {
+                return Promise.value(taint());
+            })
+            .then(pair -> {
+                sink(pair.left()); //$hasTaintFlow
+                sink(pair.right()); // no taint flow
+            });
+        Promise
+            .value("safe")
+            .flatRight(value -> {
+                return Promise.value(taint());
+            })
+            .then(pair -> {
+                sink(pair.left()); // no taint flow
+                sink(pair.right()); //$hasTaintFlow
+            });
+    }
+}

java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java

@@ -3,7 +3,9 @@ import ratpack.core.http.TypedData;
 import ratpack.core.form.Form;
 import ratpack.core.form.UploadedFile;
 import ratpack.core.parse.Parse;
+import ratpack.exec.Operation;
 import ratpack.exec.Promise;
+import ratpack.exec.Result;
 import ratpack.func.Action;
 import ratpack.func.Function;
 import java.io.OutputStream;
@@ -167,6 +169,14 @@ class Resource {
             .next(value -> {
                 sink(value); //$hasTaintFlow
             })
+            .map(value -> {
+                sink(value); //$hasTaintFlow
+                return value;
+            })
+            .blockingMap(value -> {
+                sink(value); //$hasTaintFlow
+                return value;
+            })
             .then(value -> {
                 sink(value); //$hasTaintFlow
             });
@@ -316,5 +326,77 @@ class Resource {
             .then(value -> {
                 sink(value); // no tainted flow
             });
-    }    
+    }
+
+    void test13() {
+        String tainted = taint();
+        Promise
+            .value(tainted)
+            .replace(Promise.value("safe"))
+            .then(value -> {
+                sink(value); // no tainted flow
+            });
+        Promise
+            .value("safe")
+            .replace(Promise.value(tainted))
+            .then(value -> {
+                sink(value); //$hasTaintFlow
+            });
+    }
+
+    void test14() {
+        String tainted = taint();
+        Promise
+            .value(tainted)
+            .blockingOp(value -> {
+                sink(value); //$hasTaintFlow
+            })
+            .then(value -> {
+                sink(value); //$hasTaintFlow
+            });
+    }
+
+    void test15() {
+        String tainted = taint();
+        Promise
+            .value(tainted)
+            .nextOp(value -> Operation.of(() -> {
+                sink(value); //$hasTaintFlow
+            }))
+            .nextOpIf(value -> {
+                sink(value); //$hasTaintFlow
+                return true;
+            }, value -> Operation.of(() -> {
+                sink(value); //$hasTaintFlow
+            }))
+            .then(value -> {
+                sink(value); //$hasTaintFlow
+            });
+    }
+
+    void test16() {
+        String tainted = taint();
+        Promise
+            .value(tainted)
+            .flatOp(value ->  Operation.of(() -> {
+                sink(value); //$hasTaintFlow
+            }));
+    }
+
+    void test17() throws Exception {
+        String tainted = taint();
+        Result<String> result = Result.success(tainted);
+        sink(result.getValue()); //$hasTaintFlow
+        sink(result.getValueOrThrow()); //$hasTaintFlow
+        Promise
+            .value(tainted)
+            .wiretap(r -> {
+                sink(r.getValue()); //$hasTaintFlow
+                sink(r.getValueOrThrow()); //$hasTaintFlow
+            })
+            .then(value -> {
+                sink(value); //$hasTaintFlow
+            });
+    }
+
 }

java/ql/test/library-tests/frameworks/stream/Test.java

@@ -436,7 +436,7 @@ public class Test {
                     sink(y); // $ hasValueFlow=reduce_3 hasValueFlow=reduce_4 hasValueFlow=reduce_5
                     return source("reduce_5");
                 });
-            sink(out); // $ hasValueFlow=reduce_4 hasValueFlow=reduce_5 SPURIOUS: hasValueFlow=reduce_3
+            sink(out); // $ hasValueFlow=reduce_4 hasValueFlow=reduce_5
         }
         {
             // "java.util.stream;Stream;true;reduce;(Object,BiFunction,BinaryOperator);;Argument[0];ReturnValue;value"

java/ql/test/library-tests/literals/charLiterals/CharLiterals.java

@@ -13,6 +13,7 @@ public class CharLiterals {
 		'\\',
 		'\'',
 		'\123', // octal escape sequence for 'S'
+		// CodeQL uses U+FFFD for unpaired surrogates, see https://github.com/github/codeql/issues/6611
 		'\uD800', // high surrogate
 		'\uDC00', // low surrogate
 		// Using Unicode escapes (which are handled during pre-processing)

java/ql/test/library-tests/literals/charLiterals/charLiterals.expected

@@ -1,20 +1,20 @@
-| CharLiterals.java:5:3:5:5 | 'a' | a |
-| CharLiterals.java:6:3:6:10 | '\\u0061' | a |
-| CharLiterals.java:7:3:7:10 | '\\u0000' | \u0000 |
-| CharLiterals.java:8:3:8:10 | '\\uFFFF' | \uffff |
-| CharLiterals.java:9:3:9:10 | '\\ufFfF' | \uffff |
-| CharLiterals.java:10:3:10:6 | '\\0' | \u0000 |
-| CharLiterals.java:11:3:11:6 | '\\n' | \n |
-| CharLiterals.java:12:3:12:5 | '"' | " |
-| CharLiterals.java:13:3:13:6 | '\\\\' | \\ |
-| CharLiterals.java:14:3:14:6 | '\\'' | ' |
-| CharLiterals.java:15:3:15:8 | '\\123' | S |
-| CharLiterals.java:16:3:16:10 | '\\uD800' | \ufffd |
-| CharLiterals.java:17:3:17:10 | '\\uDC00' | \ufffd |
-| CharLiterals.java:19:3:19:16 | '\\u005C\\u005C' | \\ |
-| CharLiterals.java:20:3:20:16 | '\\u005C\\u0027' | ' |
-| CharLiterals.java:21:8:21:15 | 7a\\u0027 | a |
-| CharLiterals.java:26:4:26:6 | 'a' | a |
-| CharLiterals.java:27:4:27:6 | 'a' | a |
-| CharLiterals.java:32:3:32:5 | 'a' | a |
-| CharLiterals.java:32:9:32:11 | 'b' | b |
+| CharLiterals.java:5:3:5:5 | 'a' | a | 97 |
+| CharLiterals.java:6:3:6:10 | '\\u0061' | a | 97 |
+| CharLiterals.java:7:3:7:10 | '\\u0000' | \u0000 | 0 |
+| CharLiterals.java:8:3:8:10 | '\\uFFFF' | \uffff | 65535 |
+| CharLiterals.java:9:3:9:10 | '\\ufFfF' | \uffff | 65535 |
+| CharLiterals.java:10:3:10:6 | '\\0' | \u0000 | 0 |
+| CharLiterals.java:11:3:11:6 | '\\n' | \n | 10 |
+| CharLiterals.java:12:3:12:5 | '"' | " | 34 |
+| CharLiterals.java:13:3:13:6 | '\\\\' | \\ | 92 |
+| CharLiterals.java:14:3:14:6 | '\\'' | ' | 39 |
+| CharLiterals.java:15:3:15:8 | '\\123' | S | 83 |
+| CharLiterals.java:17:3:17:10 | '\\uD800' | \ufffd | 55296 |
+| CharLiterals.java:18:3:18:10 | '\\uDC00' | \ufffd | 56320 |
+| CharLiterals.java:20:3:20:16 | '\\u005C\\u005C' | \\ | 92 |
+| CharLiterals.java:21:3:21:16 | '\\u005C\\u0027' | ' | 39 |
+| CharLiterals.java:22:8:22:15 | 7a\\u0027 | a | 97 |
+| CharLiterals.java:27:4:27:6 | 'a' | a | 97 |
+| CharLiterals.java:28:4:28:6 | 'a' | a | 97 |
+| CharLiterals.java:33:3:33:5 | 'a' | a | 97 |
+| CharLiterals.java:33:9:33:11 | 'b' | b | 98 |

java/ql/test/library-tests/literals/charLiterals/charLiterals.ql

@@ -1,4 +1,4 @@
 import semmle.code.java.Expr
 
 from CharacterLiteral lit
-select lit, lit.getValue()
+select lit, lit.getValue(), lit.getCodePointValue()

java/ql/test/library-tests/literals/stringLiterals/StringLiterals.java

@@ -24,6 +24,7 @@ public class StringLiterals {
 		"\uD800\uDC00", // surrogate pair
 		"\uDBFF\uDFFF", // U+10FFFF
 		// Unpaired surrogates
+		// CodeQL uses U+FFFD for them, see https://github.com/github/codeql/issues/6611
 		"\uD800",
 		"\uDC00",
 		"hello\uD800hello\uDC00world", // malformed surrogates

java/ql/test/library-tests/literals/stringLiterals/stringLiterals.expected

@@ -1,48 +1,48 @@
-| StringLiterals.java:7:3:7:4 | "" |  |  |  |
-| StringLiterals.java:8:3:8:17 | "hello,\\tworld" | hello,\tworld | hello,\tworld |  |
-| StringLiterals.java:9:3:9:21 | "hello,\\u0009world" | hello,\tworld | hello,\tworld |  |
-| StringLiterals.java:10:3:10:10 | "\\u0061" | a | a |  |
-| StringLiterals.java:11:3:11:6 | "\\0" | \u0000 | \u0000 |  |
-| StringLiterals.java:12:3:12:10 | "\\uFFFF" | \uffff | \uffff |  |
-| StringLiterals.java:13:3:13:10 | "\\ufFfF" | \uffff | \uffff |  |
-| StringLiterals.java:14:3:14:6 | "\\"" | " | " |  |
-| StringLiterals.java:15:3:15:6 | "\\'" | ' | ' |  |
-| StringLiterals.java:16:3:16:6 | "\\n" | \n | \n |  |
-| StringLiterals.java:17:3:17:6 | "\\\\" | \\ | \\ |  |
-| StringLiterals.java:18:3:18:13 | "test \\123" | test S | test S |  |
-| StringLiterals.java:19:3:19:9 | "\\1234" | S4 | S4 |  |
-| StringLiterals.java:20:3:20:9 | "\\0000" | \u00000 | \u00000 |  |
-| StringLiterals.java:21:3:21:13 | "\\u0061567" | a567 | a567 |  |
-| StringLiterals.java:22:3:22:13 | "\\u1234567" | \u1234567 | \u1234567 |  |
-| StringLiterals.java:23:3:23:18 | "\\uaBcDeF\\u0aB1" | \uabcdeF\u0ab1 | \uabcdeF\u0ab1 |  |
-| StringLiterals.java:24:3:24:16 | "\\uD800\\uDC00" | \ud800\udc00 | \ud800\udc00 |  |
-| StringLiterals.java:25:3:25:16 | "\\uDBFF\\uDFFF" | \udbff\udfff | \udbff\udfff |  |
-| StringLiterals.java:27:3:27:10 | "\\uD800" | \ufffd | \ufffd |  |
-| StringLiterals.java:28:3:28:10 | "\\uDC00" | \ufffd | \ufffd |  |
-| StringLiterals.java:29:3:29:31 | "hello\\uD800hello\\uDC00world" | hello\ufffdhello\ufffdworld | hello\ufffdhello\ufffdworld |  |
-| StringLiterals.java:31:3:31:16 | "\\u005C\\u0022" | " | " |  |
-| StringLiterals.java:32:8:32:20 | 2\\u0061\\u0022 | a | a |  |
-| StringLiterals.java:37:3:39:5 | """      \t  \n\t\ttest "text" and escaped \\u0022\n\t\t""" | test "text" and escaped "\n | test "text" and escaped "\n | text-block |
-| StringLiterals.java:41:3:43:5 | """\n\t\t\tindented\n\t\t""" | \tindented\n | \tindented\n | text-block |
-| StringLiterals.java:44:3:46:5 | """\n\tno indentation last line\n\t\t""" | no indentation last line\n | no indentation last line\n | text-block |
-| StringLiterals.java:47:3:49:7 | """\n\tindentation last line\n\t\t\\s""" | indentation last line\n\t  | indentation last line\n\t  | text-block |
-| StringLiterals.java:50:3:52:6 | """\n\t\t\tnot-indented\n\t\t\t""" | not-indented\n | not-indented\n | text-block |
-| StringLiterals.java:53:3:55:4 | """\n\t\tindented\n\t""" | \tindented\n | \tindented\n | text-block |
-| StringLiterals.java:56:4:58:5 | """\n\t\tnot-indented\n\t\t""" | not-indented\n | not-indented\n | text-block |
-| StringLiterals.java:59:3:62:6 | """\n\t\t    spaces (only single space is trimmed)\n\t\t\ttab\n\t\t\t""" |    spaces (only single space is trimmed)\ntab\n |    spaces (only single space is trimmed)\ntab\n | text-block |
-| StringLiterals.java:63:3:64:22 | """\n\t\t\tend on same line""" | end on same line | end on same line | text-block |
-| StringLiterals.java:65:3:68:5 | """\n\t\ttrailing spaces ignored:  \t \n\t\tnot ignored: \t \\s\n\t\t""" | trailing spaces ignored:\nnot ignored: \t  \n | trailing spaces ignored:\nnot ignored: \t  \n | text-block |
-| StringLiterals.java:69:3:70:18 | """\n\t\t3 quotes:""\\"""" | 3 quotes:""" | 3 quotes:""" | text-block |
-| StringLiterals.java:71:3:74:5 | """\n\t\tline \\\n\t\tcontinuation \\\n\t\t""" | line continuation  | line continuation  | text-block |
-| StringLiterals.java:75:3:79:5 | """\n\t\tExplicit line breaks:\\n\n\t\t\\r\\n\n\t\t\\r\n\t\t""" | Explicit line breaks:\n\n\r\n\n\r\n | Explicit line breaks:\n\n\r\n\n\r\n | text-block |
-| StringLiterals.java:82:10:84:16 | 2"\\u0022\n\t\ttest\n\t\t\\u0022\\uu0022" | test\n | test\n |  |
-| StringLiterals.java:90:3:90:19 | "hello" + "world" | helloworld | helloworld |  |
-| StringLiterals.java:91:3:92:20 | """\n\t\thello""" + "world" | helloworld | helloworld | text-block |
-| StringLiterals.java:93:10:93:12 | "a" | a | a |  |
-| StringLiterals.java:94:3:94:5 | "a" | a | a |  |
-| StringLiterals.java:95:3:95:5 | "a" | a | a |  |
-| StringLiterals.java:96:7:96:9 | "a" | a | a |  |
-| StringLiterals.java:97:3:97:5 | "a" | a | a |  |
-| StringLiterals.java:98:10:98:12 | "a" | a | a |  |
-| StringLiterals.java:99:3:99:5 | "a" | a | a |  |
-| StringLiterals.java:100:9:100:11 | "a" | a | a |  |
+| StringLiterals.java:7:3:7:4 | "" |  |  |
+| StringLiterals.java:8:3:8:17 | "hello,\\tworld" | hello,\tworld |  |
+| StringLiterals.java:9:3:9:21 | "hello,\\u0009world" | hello,\tworld |  |
+| StringLiterals.java:10:3:10:10 | "\\u0061" | a |  |
+| StringLiterals.java:11:3:11:6 | "\\0" | \u0000 |  |
+| StringLiterals.java:12:3:12:10 | "\\uFFFF" | \uffff |  |
+| StringLiterals.java:13:3:13:10 | "\\ufFfF" | \uffff |  |
+| StringLiterals.java:14:3:14:6 | "\\"" | " |  |
+| StringLiterals.java:15:3:15:6 | "\\'" | ' |  |
+| StringLiterals.java:16:3:16:6 | "\\n" | \n |  |
+| StringLiterals.java:17:3:17:6 | "\\\\" | \\ |  |
+| StringLiterals.java:18:3:18:13 | "test \\123" | test S |  |
+| StringLiterals.java:19:3:19:9 | "\\1234" | S4 |  |
+| StringLiterals.java:20:3:20:9 | "\\0000" | \u00000 |  |
+| StringLiterals.java:21:3:21:13 | "\\u0061567" | a567 |  |
+| StringLiterals.java:22:3:22:13 | "\\u1234567" | \u1234567 |  |
+| StringLiterals.java:23:3:23:18 | "\\uaBcDeF\\u0aB1" | \uabcdeF\u0ab1 |  |
+| StringLiterals.java:24:3:24:16 | "\\uD800\\uDC00" | \ud800\udc00 |  |
+| StringLiterals.java:25:3:25:16 | "\\uDBFF\\uDFFF" | \udbff\udfff |  |
+| StringLiterals.java:28:3:28:10 | "\\uD800" | \ufffd |  |
+| StringLiterals.java:29:3:29:10 | "\\uDC00" | \ufffd |  |
+| StringLiterals.java:30:3:30:31 | "hello\\uD800hello\\uDC00world" | hello\ufffdhello\ufffdworld |  |
+| StringLiterals.java:32:3:32:16 | "\\u005C\\u0022" | " |  |
+| StringLiterals.java:33:8:33:20 | 2\\u0061\\u0022 | a |  |
+| StringLiterals.java:38:3:40:5 | """      \t  \n\t\ttest "text" and escaped \\u0022\n\t\t""" | test "text" and escaped "\n | text-block |
+| StringLiterals.java:42:3:44:5 | """\n\t\t\tindented\n\t\t""" | \tindented\n | text-block |
+| StringLiterals.java:45:3:47:5 | """\n\tno indentation last line\n\t\t""" | no indentation last line\n | text-block |
+| StringLiterals.java:48:3:50:7 | """\n\tindentation last line\n\t\t\\s""" | indentation last line\n\t  | text-block |
+| StringLiterals.java:51:3:53:6 | """\n\t\t\tnot-indented\n\t\t\t""" | not-indented\n | text-block |
+| StringLiterals.java:54:3:56:4 | """\n\t\tindented\n\t""" | \tindented\n | text-block |
+| StringLiterals.java:57:4:59:5 | """\n\t\tnot-indented\n\t\t""" | not-indented\n | text-block |
+| StringLiterals.java:60:3:63:6 | """\n\t\t    spaces (only single space is trimmed)\n\t\t\ttab\n\t\t\t""" |    spaces (only single space is trimmed)\ntab\n | text-block |
+| StringLiterals.java:64:3:65:22 | """\n\t\t\tend on same line""" | end on same line | text-block |
+| StringLiterals.java:66:3:69:5 | """\n\t\ttrailing spaces ignored:  \t \n\t\tnot ignored: \t \\s\n\t\t""" | trailing spaces ignored:\nnot ignored: \t  \n | text-block |
+| StringLiterals.java:70:3:71:18 | """\n\t\t3 quotes:""\\"""" | 3 quotes:""" | text-block |
+| StringLiterals.java:72:3:75:5 | """\n\t\tline \\\n\t\tcontinuation \\\n\t\t""" | line continuation  | text-block |
+| StringLiterals.java:76:3:80:5 | """\n\t\tExplicit line breaks:\\n\n\t\t\\r\\n\n\t\t\\r\n\t\t""" | Explicit line breaks:\n\n\r\n\n\r\n | text-block |
+| StringLiterals.java:83:10:85:16 | 2"\\u0022\n\t\ttest\n\t\t\\u0022\\uu0022" | test\n |  |
+| StringLiterals.java:91:3:91:19 | "hello" + "world" | helloworld |  |
+| StringLiterals.java:92:3:93:20 | """\n\t\thello""" + "world" | helloworld | text-block |
+| StringLiterals.java:94:10:94:12 | "a" | a |  |
+| StringLiterals.java:95:3:95:5 | "a" | a |  |
+| StringLiterals.java:96:3:96:5 | "a" | a |  |
+| StringLiterals.java:97:7:97:9 | "a" | a |  |
+| StringLiterals.java:98:3:98:5 | "a" | a |  |
+| StringLiterals.java:99:10:99:12 | "a" | a |  |
+| StringLiterals.java:100:3:100:5 | "a" | a |  |
+| StringLiterals.java:101:9:101:11 | "a" | a |  |

java/ql/test/library-tests/literals/stringLiterals/stringLiterals.ql

@@ -4,4 +4,4 @@ from StringLiteral lit, string isTextBlock
 where
   lit.getFile().(CompilationUnit).fromSource() and
   if lit.isTextBlock() then isTextBlock = "text-block" else isTextBlock = ""
-select lit, lit.getValue(), lit.getRepresentedString(), isTextBlock
+select lit, lit.getValue(), isTextBlock

java/ql/test/library-tests/optional/FunctionalTest.java

@@ -0,0 +1,58 @@
+import java.util.Optional;
+
+public class FunctionalTest {
+    String source() {
+        return null;
+    }
+
+    void sink(Object o) {
+    }
+
+    void test() {
+        Optional<String> o = Optional.of(source());
+        o.ifPresent(v -> {
+            sink(v); // $hasValueFlow
+        });
+        o.ifPresentOrElse(v -> {
+            sink(v); // $hasValueFlow
+        }, () -> {
+            // no-op
+        });
+        o.map(v -> {
+            sink(v); // $hasValueFlow
+            return v;
+        }).ifPresent(v -> {
+            sink(v); // $hasValueFlow
+        });
+        o.flatMap(v -> {
+            sink(v); // $hasValueFlow
+            return Optional.of(v);
+        }).ifPresent(v -> {
+            sink(v); // $hasValueFlow
+        });
+        o.flatMap(v -> {
+            sink(v); // $hasValueFlow
+            return Optional.of("safe");
+        }).ifPresent(v -> {
+            sink(v); // no value flow
+        });
+        o.filter(v -> {
+            sink(v); // $hasValueFlow
+            return true;
+        }).ifPresent(v -> {
+            sink(v); // $hasValueFlow
+        });
+        Optional.of("safe").map(v -> {
+            sink(v); // no value flow
+            return v;
+        }).or(() -> o).ifPresent(v -> {
+            sink(v); // $hasValueFlow
+        });
+        Optional<String> safe = Optional.of("safe");
+        o.or(() -> safe).ifPresent(v -> {
+            sink(v); // $hasValueFlow
+        });
+        String value = safe.orElseGet(() -> source());
+        sink(value); // $hasValueFlow
+    }
+}

java/ql/test/library-tests/overrides/ConstructedOverrides2.expected

@@ -3,4 +3,3 @@
 | ConstructedOverrides.java:17:7:17:9 | Sub | usedGeneric(U, String) | Super.class:0:0:0:0 | Super<String> | usedGeneric(U, String) |
 | ConstructedOverrides.java:23:7:23:10 | Sub2 | unusedGeneric(V, String) | Super.class:0:0:0:0 | Super<String> | unusedGeneric(U, String) |
 | ConstructedOverrides.java:23:7:23:10 | Sub2 | usedGeneric(V, String) | ConstructedOverrides.java:17:7:17:9 | Sub | usedGeneric(U, String) |
-| ConstructedOverrides.java:23:7:23:10 | Sub2 | usedGeneric(V, String) | Super.class:0:0:0:0 | Super<String> | usedGeneric(U, String) |

java/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-tests
-version: 0.0.2
+groups: [java, test]
 dependencies:
     codeql/java-all: "*"
     codeql/java-queries: "*"

java/ql/test/query-tests/UselessComparisonTest/CharLiterals.java

@@ -0,0 +1,77 @@
+public class CharLiterals {
+  public static boolean redundantSurrogateRange(char c) {
+    if(c >= '\uda00') {
+      if(c >= '\ud900') {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  public static boolean goodSurrogateRange(char c) {
+    if(c >= '\ud900') {
+      if(c >= '\uda00') {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  public static boolean redundantNonSurrogateRange(char c) {
+    if(c >= 'b') {
+      if(c >= 'a') {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  public static boolean goodNonSurrogateRange(char c) {
+    if(c >= 'a') {
+      if(c >= 'b') {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  public static boolean redundantSurrogateEquality(char c) {
+    if(c == '\uda00') {
+      return true;
+    }
+    else if(c == '\uda00') {
+      return true;
+    }
+    return false;
+  }
+
+  public static boolean goodSurrogateEquality(char c) {
+    if(c == '\uda00') {
+      return true;
+    }
+    else if(c == '\ud900') {
+      return true;
+    }
+    return false;
+  }
+
+  public static boolean redundantNonSurrogateEquality(char c) {
+    if(c == 'a') {
+      return true;
+    }
+    else if(c == 'a') {
+      return true;
+    }
+    return false;
+  }
+
+  public static boolean goodNonSurrogateEquality(char c) {
+    if(c == 'a') {
+      return true;
+    }
+    else if(c == 'b') {
+      return true;
+    }
+    return false;
+  }
+}

java/ql/test/query-tests/UselessComparisonTest/UselessComparisonTest.expected

@@ -15,6 +15,10 @@
 | A.java:76:11:76:16 | ... >= ... | Test is always false, because of $@. | A.java:74:13:74:18 | ... >= ... | this condition |
 | A.java:84:21:84:30 | ... < ... | Test is always false, because of $@. | A.java:80:12:80:21 | ... > ... | this condition |
 | A.java:88:9:88:13 | ... > ... | Test is always false. | A.java:88:9:88:13 | ... > ... | this condition |
+| CharLiterals.java:4:10:4:22 | ... >= ... | Test is always true, because of $@. | CharLiterals.java:3:8:3:20 | ... >= ... | this condition |
+| CharLiterals.java:22:10:22:17 | ... >= ... | Test is always true, because of $@. | CharLiterals.java:21:8:21:15 | ... >= ... | this condition |
+| CharLiterals.java:42:13:42:25 | ... == ... | Test is always false, because of $@. | CharLiterals.java:39:8:39:20 | ... == ... | this condition |
+| CharLiterals.java:62:13:62:20 | ... == ... | Test is always false, because of $@. | CharLiterals.java:59:8:59:15 | ... == ... | this condition |
 | Test.java:9:7:9:12 | ... >= ... | Test is always true, because of $@. | Test.java:5:7:5:11 | ... < ... | this condition |
 | Test.java:10:7:10:12 | ... >= ... | Test is always true, because of $@. | Test.java:5:16:5:20 | ... < ... | this condition |
 | Test.java:14:9:14:15 | ... == ... | Test is always false, because of $@. | Test.java:12:8:12:13 | ... < ... | this condition |

java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.expected

@@ -1,7 +1,8 @@
 edges
 | UnsafeHostnameVerification.java:66:37:80:9 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:81:55:81:62 | verifier |
 | UnsafeHostnameVerification.java:88:37:93:9 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:94:55:94:62 | verifier |
-| UnsafeHostnameVerification.java:97:72:102:5 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:34:59:34:85 | ALLOW_ALL_HOSTNAME_VERIFIER |
+| UnsafeHostnameVerification.java:97:42:97:68 | ALLOW_ALL_HOSTNAME_VERIFIER : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:34:59:34:85 | ALLOW_ALL_HOSTNAME_VERIFIER |
+| UnsafeHostnameVerification.java:97:72:102:5 | new (...) : new HostnameVerifier(...) { ... } | UnsafeHostnameVerification.java:97:42:97:68 | ALLOW_ALL_HOSTNAME_VERIFIER : new HostnameVerifier(...) { ... } |
 nodes
 | UnsafeHostnameVerification.java:14:55:19:9 | new (...) | semmle.label | new (...) |
 | UnsafeHostnameVerification.java:26:55:26:71 | ...->... | semmle.label | ...->... |
@@ -12,6 +13,7 @@ nodes
 | UnsafeHostnameVerification.java:81:55:81:62 | verifier | semmle.label | verifier |
 | UnsafeHostnameVerification.java:88:37:93:9 | new (...) : new HostnameVerifier(...) { ... } | semmle.label | new (...) : new HostnameVerifier(...) { ... } |
 | UnsafeHostnameVerification.java:94:55:94:62 | verifier | semmle.label | verifier |
+| UnsafeHostnameVerification.java:97:42:97:68 | ALLOW_ALL_HOSTNAME_VERIFIER : new HostnameVerifier(...) { ... } | semmle.label | ALLOW_ALL_HOSTNAME_VERIFIER : new HostnameVerifier(...) { ... } |
 | UnsafeHostnameVerification.java:97:72:102:5 | new (...) : new HostnameVerifier(...) { ... } | semmle.label | new (...) : new HostnameVerifier(...) { ... } |
 subpaths
 #select

java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java

@@ -25,14 +25,14 @@ class DocumentBuilderTests {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //safe
+    builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
   }
 
   public void enableSecurityFeature2(Socket sock) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
     factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
     DocumentBuilder builder = factory.newDocumentBuilder();
-    builder.parse(sock.getInputStream()); //safe
+    builder.parse(sock.getInputStream()); //unsafe -- secure-processing by itself is insufficient
   }
 
   public void enableDTD(Socket sock) throws Exception {

java/ql/test/query-tests/security/CWE-611/XXE.expected

@@ -77,6 +77,8 @@ edges
 | XPathExpressionTests.java:27:37:27:57 | getInputStream(...) : InputStream | XPathExpressionTests.java:27:21:27:58 | new InputSource(...) |
 nodes
 | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | semmle.label | getInputStream(...) |
+| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | semmle.label | getInputStream(...) |
+| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | semmle.label | getInputStream(...) |
 | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | semmle.label | getInputStream(...) |
 | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | semmle.label | getInputStream(...) |
 | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | semmle.label | getInputStream(...) |
@@ -250,6 +252,8 @@ nodes
 subpaths
 #select
 | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:14:19:14:39 | getInputStream(...) | user input |
+| DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:28:19:28:39 | getInputStream(...) | user input |
+| DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:35:19:35:39 | getInputStream(...) | user input |
 | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:42:19:42:39 | getInputStream(...) | user input |
 | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:49:19:49:39 | getInputStream(...) | user input |
 | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | Unsafe parsing of XML file from $@. | DocumentBuilderTests.java:64:19:64:39 | getInputStream(...) | user input |

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected

@@ -1,6 +1,7 @@
 edges
-| CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:13:39:13:39 | p |
-| CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:14:16:14:16 | p : String |
+| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:13:39:13:39 | p |
+| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:14:16:14:16 | p : String |
+| CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:7:30:7:30 | p : String |
 | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:13:36:13:36 | u |
 | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:14:13:14:13 | u : String |
 | CredentialsTest.java:14:13:14:13 | u : String | CredentialsTest.java:17:38:17:45 | v : String |
@@ -44,6 +45,7 @@ edges
 | Test.java:29:38:29:48 | user : String | Test.java:30:36:30:39 | user |
 | Test.java:29:51:29:65 | password : String | Test.java:30:42:30:49 | password |
 nodes
+| CredentialsTest.java:7:30:7:30 | p : String | semmle.label | p : String |
 | CredentialsTest.java:7:34:7:41 | "123456" : String | semmle.label | "123456" : String |
 | CredentialsTest.java:11:14:11:20 | "admin" : String | semmle.label | "admin" : String |
 | CredentialsTest.java:13:36:13:36 | u | semmle.label | u |

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected

@@ -12,7 +12,8 @@ edges
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
 | Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass |
-| User.java:2:43:2:50 | "123456" : String | User.java:5:15:5:24 | DEFAULT_PW |
+| User.java:2:30:2:39 | DEFAULT_PW : String | User.java:5:15:5:24 | DEFAULT_PW |
+| User.java:2:43:2:50 | "123456" : String | User.java:2:30:2:39 | DEFAULT_PW : String |
 nodes
 | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
 | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
@@ -30,6 +31,7 @@ nodes
 | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
 | Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
 | Test.java:26:17:26:20 | pass | semmle.label | pass |
+| User.java:2:30:2:39 | DEFAULT_PW : String | semmle.label | DEFAULT_PW : String |
 | User.java:2:43:2:50 | "123456" : String | semmle.label | "123456" : String |
 | User.java:5:15:5:24 | DEFAULT_PW | semmle.label | DEFAULT_PW |
 subpaths

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.java

@@ -0,0 +1,197 @@
+package com.example.app;
+
+import android.app.Activity;
+import android.content.ComponentName;
+import android.content.Context;
+import android.content.Intent;
+import android.os.Bundle;
+
+public class AndroidIntentRedirectionTest extends Activity {
+
+    public void onCreate(Bundle savedInstanceState) {
+        Intent intent = (Intent) getIntent().getParcelableExtra("forward_intent");
+
+        // @formatter:off
+        startActivities(new Intent[] {intent}); // $ hasAndroidIntentRedirection
+        startActivities(new Intent[] {intent}, null); // $ hasAndroidIntentRedirection
+        startActivity(intent); // $ hasAndroidIntentRedirection
+        startActivity(intent, null); // $ hasAndroidIntentRedirection
+        startActivityAsUser(intent, null); // $ hasAndroidIntentRedirection
+        startActivityAsCaller(intent, null, false, 0); // $ hasAndroidIntentRedirection
+        startActivityForResult(intent, 0); // $ hasAndroidIntentRedirection
+        startActivityForResult(intent, 0, null); // $ hasAndroidIntentRedirection
+        startActivityForResult(null, intent, 0, null); // $ hasAndroidIntentRedirection
+        startActivityForResultAsUser(intent, null, 0, null, null); // $ hasAndroidIntentRedirection
+        startActivityForResultAsUser(intent, 0, null, null); // $ hasAndroidIntentRedirection
+        startActivityForResultAsUser(intent, 0, null); // $ hasAndroidIntentRedirection
+        bindService(intent, null, 0);
+        bindServiceAsUser(intent, null, 0, null);
+        startService(intent); // $ hasAndroidIntentRedirection
+        startServiceAsUser(intent, null); // $ hasAndroidIntentRedirection
+        startForegroundService(intent); // $ hasAndroidIntentRedirection
+        sendBroadcast(intent); // $ hasAndroidIntentRedirection
+        sendBroadcast(intent, null); // $ hasAndroidIntentRedirection
+        sendBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
+        sendBroadcastAsUser(intent, null, null); // $ hasAndroidIntentRedirection
+        sendBroadcastWithMultiplePermissions(intent, null); // $ hasAndroidIntentRedirection
+        sendStickyBroadcast(intent); // $ hasAndroidIntentRedirection
+        sendStickyBroadcastAsUser(intent, null); // $ hasAndroidIntentRedirection
+        sendStickyOrderedBroadcast(intent, null, null, 0, null, null); // $ hasAndroidIntentRedirection
+        sendStickyOrderedBroadcastAsUser(intent, null, null, null, 0, null, null); // $ hasAndroidIntentRedirection
+        // @formatter:on
+
+        if (intent.getComponent().getPackageName().equals("something")) {
+            startActivity(intent); // Safe - sanitized
+        } else {
+            startActivity(intent); // $ hasAndroidIntentRedirection
+        }
+        if (intent.getComponent().getClassName().equals("something")) {
+            startActivity(intent); // Safe - sanitized
+        } else {
+            startActivity(intent); // $ hasAndroidIntentRedirection
+        }
+
+        try {
+            {
+                // Delayed cast
+                Object obj = getIntent().getParcelableExtra("forward_intent");
+                Intent fwdIntent = (Intent) obj;
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                fwdIntent.setClassName((Context) null, intent.getStringExtra("className"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                fwdIntent.setClassName(intent.getStringExtra("packageName"), null);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                fwdIntent.setClassName(intent.getStringExtra("packageName"),
+                        intent.getStringExtra("className"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                fwdIntent.setClass(null, Class.forName(intent.getStringExtra("className")));
+                // needs taint step for Class.forName
+                startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                fwdIntent.setPackage(intent.getStringExtra("packageName"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                ComponentName component =
+                        new ComponentName(intent.getStringExtra("packageName"), null);
+                fwdIntent.setComponent(component);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                ComponentName component =
+                        new ComponentName("", intent.getStringExtra("className"));
+                fwdIntent.setComponent(component);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                ComponentName component =
+                        new ComponentName((Context) null, intent.getStringExtra("className"));
+                fwdIntent.setComponent(component);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                ComponentName component = new ComponentName((Context) null,
+                        Class.forName(intent.getStringExtra("className")));
+                fwdIntent.setComponent(component);
+                // needs taint step for Class.forName
+                startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                ComponentName component =
+                        ComponentName.createRelative("", intent.getStringExtra("className"));
+                fwdIntent.setComponent(component);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                ComponentName component =
+                        ComponentName.createRelative(intent.getStringExtra("packageName"), "");
+                fwdIntent.setComponent(component);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = new Intent();
+                ComponentName component = ComponentName.createRelative((Context) null,
+                        intent.getStringExtra("className"));
+                fwdIntent.setComponent(component);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent originalIntent = getIntent();
+                ComponentName cp = new ComponentName(originalIntent.getStringExtra("packageName"),
+                        originalIntent.getStringExtra("className"));
+                Intent anotherIntent = new Intent();
+                anotherIntent.setComponent(cp);
+                startActivity(originalIntent); // Safe - not a tainted Intent
+            }
+            {
+                Intent originalIntent = getIntent();
+                Intent anotherIntent = new Intent(originalIntent);
+                startActivity(anotherIntent); // Safe - copy constructor from original Intent
+            }
+            {
+                Intent originalIntent = getIntent();
+                Intent fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");
+                if (originalIntent.getBooleanExtra("use_fwd_intent", false)) {
+                    startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+                } else {
+                    startActivity(originalIntent); // Safe - not an Intent obtained from the Extras
+                }
+            }
+            {
+                Intent originalIntent = getIntent();
+                originalIntent.setClassName(originalIntent.getStringExtra("package_name"),
+                        originalIntent.getStringExtra("class_name"));
+                startActivity(originalIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent originalIntent = getIntent();
+                originalIntent.setClassName("not_user_provided", "not_user_provided");
+                startActivity(originalIntent); // Safe - component changed but not tainted
+            }
+            {
+                Intent originalIntent = getIntent();
+                Intent fwdIntent;
+                if (originalIntent.getBooleanExtra("use_fwd_intent", false)) {
+                    fwdIntent = (Intent) originalIntent.getParcelableExtra("forward_intent");
+                } else {
+                    fwdIntent = originalIntent;
+                }
+                // Conditionally tainted sinks aren't supported currently
+                startActivity(fwdIntent); // $ MISSING: $hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = Intent.parseUri(getIntent().getStringExtra("uri"), 0);
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = Intent.getIntent(getIntent().getStringExtra("uri"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+            {
+                Intent fwdIntent = Intent.getIntentOld(getIntent().getStringExtra("uri"));
+                startActivity(fwdIntent); // $ hasAndroidIntentRedirection
+            }
+        } catch (Exception e) {
+        }
+    }
+}

java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.ql

@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.AndroidIntentRedirectionQuery
+import TestUtilities.InlineExpectationsTest
+
+class HasAndroidIntentRedirectionTest extends InlineExpectationsTest {
+  HasAndroidIntentRedirectionTest() { this = "HasAndroidIntentRedirectionTest" }
+
+  override string getARelevantTag() { result = "hasAndroidIntentRedirection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasAndroidIntentRedirection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, IntentRedirectionConfiguration conf |
+      conf.hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-940/AndroidManifest.xml

@@ -0,0 +1,24 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android"
+    package="com.example.app"
+    android:installLocation="auto"
+    android:versionCode="1"
+    android:versionName="0.1" >
+
+    <application
+        android:icon="@drawable/ic_launcher"
+        android:label="@string/app_name"
+        android:theme="@style/AppTheme" >
+        <activity
+            android:name=".AndroidIntentRedirectionTest"
+            android:icon="@drawable/ic_launcher"
+			android:label="@string/app_name">
+            <intent-filter>
+                <action android:name="android.intent.action.MAIN" />
+                <category android:name="android.intent.category.LAUNCHER" />
+            </intent-filter>
+        </activity>
+
+        <activity android:name=".SafeActivity" />
+    </application>
+
+</manifest>

java/ql/test/query-tests/security/CWE-940/options

@@ -0,0 +1 @@
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0

java/ql/test/stubs/apache-commons-fileupload-1.4/org/apache/commons/fileupload2/ProgressListener.java

@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.fileupload2;
+
+/**
+ * The {@link ProgressListener} may be used to display a progress bar
+ * or do stuff like that.
+ */
+public interface ProgressListener {
+
+    /**
+     * Updates the listeners status information.
+     *
+     * @param pBytesRead The total number of bytes, which have been read
+     *   so far.
+     * @param pContentLength The total number of bytes, which are being
+     *   read. May be -1, if this number is unknown.
+     * @param pItems The number of the field, which is currently being
+     *   read. (0 = no item so far, 1 = first item is being read, ...)
+     */
+    void update(long pBytesRead, long pContentLength, int pItems);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/AsyncContext.java

@@ -0,0 +1,30 @@
+// Generated automatically from javax.servlet.AsyncContext for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.AsyncListener;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public interface AsyncContext
+{
+    <T extends AsyncListener> T createListener(Class<T> p0);
+    ServletRequest getRequest();
+    ServletResponse getResponse();
+    boolean hasOriginalRequestAndResponse();
+    long getTimeout();
+    static String ASYNC_CONTEXT_PATH = null;
+    static String ASYNC_PATH_INFO = null;
+    static String ASYNC_QUERY_STRING = null;
+    static String ASYNC_REQUEST_URI = null;
+    static String ASYNC_SERVLET_PATH = null;
+    void addListener(AsyncListener p0);
+    void addListener(AsyncListener p0, ServletRequest p1, ServletResponse p2);
+    void complete();
+    void dispatch();
+    void dispatch(ServletContext p0, String p1);
+    void dispatch(String p0);
+    void setTimeout(long p0);
+    void start(Runnable p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/AsyncEvent.java

@@ -0,0 +1,20 @@
+// Generated automatically from javax.servlet.AsyncEvent for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.AsyncContext;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public class AsyncEvent
+{
+    protected AsyncEvent() {}
+    public AsyncContext getAsyncContext(){ return null; }
+    public AsyncEvent(AsyncContext p0){}
+    public AsyncEvent(AsyncContext p0, ServletRequest p1, ServletResponse p2){}
+    public AsyncEvent(AsyncContext p0, ServletRequest p1, ServletResponse p2, Throwable p3){}
+    public AsyncEvent(AsyncContext p0, Throwable p1){}
+    public ServletRequest getSuppliedRequest(){ return null; }
+    public ServletResponse getSuppliedResponse(){ return null; }
+    public Throwable getThrowable(){ return null; }
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/AsyncListener.java

@@ -0,0 +1,14 @@
+// Generated automatically from javax.servlet.AsyncListener for testing purposes
+
+package javax.servlet;
+
+import java.util.EventListener;
+import javax.servlet.AsyncEvent;
+
+public interface AsyncListener extends EventListener
+{
+    void onComplete(AsyncEvent p0);
+    void onError(AsyncEvent p0);
+    void onStartAsync(AsyncEvent p0);
+    void onTimeout(AsyncEvent p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/DispatcherType.java

@@ -0,0 +1,10 @@
+// Generated automatically from javax.servlet.DispatcherType for testing purposes
+
+package javax.servlet;
+
+
+public enum DispatcherType
+{
+    ASYNC, ERROR, FORWARD, INCLUDE, REQUEST;
+    private DispatcherType() {}
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/Filter.java

@@ -0,0 +1,15 @@
+// Generated automatically from javax.servlet.Filter for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public interface Filter
+{
+    void destroy();
+    void doFilter(ServletRequest p0, ServletResponse p1, FilterChain p2);
+    void init(FilterConfig p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/FilterChain.java

@@ -0,0 +1,11 @@
+// Generated automatically from javax.servlet.FilterChain for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public interface FilterChain
+{
+    void doFilter(ServletRequest p0, ServletResponse p1);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/FilterConfig.java

@@ -0,0 +1,14 @@
+// Generated automatically from javax.servlet.FilterConfig for testing purposes
+
+package javax.servlet;
+
+import java.util.Enumeration;
+import javax.servlet.ServletContext;
+
+public interface FilterConfig
+{
+    Enumeration<String> getInitParameterNames();
+    ServletContext getServletContext();
+    String getFilterName();
+    String getInitParameter(String p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/FilterRegistration.java

@@ -0,0 +1,19 @@
+// Generated automatically from javax.servlet.FilterRegistration for testing purposes
+
+package javax.servlet;
+
+import java.util.Collection;
+import java.util.EnumSet;
+import javax.servlet.DispatcherType;
+import javax.servlet.Registration;
+
+public interface FilterRegistration extends Registration
+{
+    Collection<String> getServletNameMappings();
+    Collection<String> getUrlPatternMappings();
+    static public interface Dynamic extends FilterRegistration, Registration.Dynamic
+    {
+    }
+    void addMappingForServletNames(EnumSet<DispatcherType> p0, boolean p1, String... p2);
+    void addMappingForUrlPatterns(EnumSet<DispatcherType> p0, boolean p1, String... p2);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/HttpConstraintElement.java

@@ -0,0 +1,16 @@
+// Generated automatically from javax.servlet.HttpConstraintElement for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.annotation.ServletSecurity;
+
+public class HttpConstraintElement
+{
+    public HttpConstraintElement(){}
+    public HttpConstraintElement(ServletSecurity.EmptyRoleSemantic p0){}
+    public HttpConstraintElement(ServletSecurity.EmptyRoleSemantic p0, ServletSecurity.TransportGuarantee p1, String... p2){}
+    public HttpConstraintElement(ServletSecurity.TransportGuarantee p0, String... p1){}
+    public ServletSecurity.EmptyRoleSemantic getEmptyRoleSemantic(){ return null; }
+    public ServletSecurity.TransportGuarantee getTransportGuarantee(){ return null; }
+    public String[] getRolesAllowed(){ return null; }
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/HttpMethodConstraintElement.java

@@ -0,0 +1,13 @@
+// Generated automatically from javax.servlet.HttpMethodConstraintElement for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.HttpConstraintElement;
+
+public class HttpMethodConstraintElement extends HttpConstraintElement
+{
+    protected HttpMethodConstraintElement() {}
+    public HttpMethodConstraintElement(String p0){}
+    public HttpMethodConstraintElement(String p0, HttpConstraintElement p1){}
+    public String getMethodName(){ return null; }
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/MultipartConfigElement.java

@@ -0,0 +1,17 @@
+// Generated automatically from javax.servlet.MultipartConfigElement for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.annotation.MultipartConfig;
+
+public class MultipartConfigElement
+{
+    protected MultipartConfigElement() {}
+    public MultipartConfigElement(MultipartConfig p0){}
+    public MultipartConfigElement(String p0){}
+    public MultipartConfigElement(String p0, long p1, long p2, int p3){}
+    public String getLocation(){ return null; }
+    public int getFileSizeThreshold(){ return 0; }
+    public long getMaxFileSize(){ return 0; }
+    public long getMaxRequestSize(){ return 0; }
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ReadListener.java

@@ -0,0 +1,12 @@
+// Generated automatically from javax.servlet.ReadListener for testing purposes
+
+package javax.servlet;
+
+import java.util.EventListener;
+
+public interface ReadListener extends EventListener
+{
+    void onAllDataRead();
+    void onDataAvailable();
+    void onError(Throwable p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/Registration.java

@@ -0,0 +1,20 @@
+// Generated automatically from javax.servlet.Registration for testing purposes
+
+package javax.servlet;
+
+import java.util.Map;
+import java.util.Set;
+
+public interface Registration
+{
+    Map<String, String> getInitParameters();
+    Set<String> setInitParameters(Map<String, String> p0);
+    String getClassName();
+    String getInitParameter(String p0);
+    String getName();
+    boolean setInitParameter(String p0, String p1);
+    static public interface Dynamic extends Registration
+    {
+        void setAsyncSupported(boolean p0);
+    }
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/RequestDispatcher.java

@@ -0,0 +1,28 @@
+// Generated automatically from javax.servlet.RequestDispatcher for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public interface RequestDispatcher
+{
+    static String ERROR_EXCEPTION = null;
+    static String ERROR_EXCEPTION_TYPE = null;
+    static String ERROR_MESSAGE = null;
+    static String ERROR_REQUEST_URI = null;
+    static String ERROR_SERVLET_NAME = null;
+    static String ERROR_STATUS_CODE = null;
+    static String FORWARD_CONTEXT_PATH = null;
+    static String FORWARD_PATH_INFO = null;
+    static String FORWARD_QUERY_STRING = null;
+    static String FORWARD_REQUEST_URI = null;
+    static String FORWARD_SERVLET_PATH = null;
+    static String INCLUDE_CONTEXT_PATH = null;
+    static String INCLUDE_PATH_INFO = null;
+    static String INCLUDE_QUERY_STRING = null;
+    static String INCLUDE_REQUEST_URI = null;
+    static String INCLUDE_SERVLET_PATH = null;
+    void forward(ServletRequest p0, ServletResponse p1);
+    void include(ServletRequest p0, ServletResponse p1);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/Servlet.java

@@ -0,0 +1,16 @@
+// Generated automatically from javax.servlet.Servlet for testing purposes
+
+package javax.servlet;
+
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public interface Servlet
+{
+    ServletConfig getServletConfig();
+    String getServletInfo();
+    void destroy();
+    void init(ServletConfig p0);
+    void service(ServletRequest p0, ServletResponse p1);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletConfig.java

@@ -0,0 +1,14 @@
+// Generated automatically from javax.servlet.ServletConfig for testing purposes
+
+package javax.servlet;
+
+import java.util.Enumeration;
+import javax.servlet.ServletContext;
+
+public interface ServletConfig
+{
+    Enumeration<String> getInitParameterNames();
+    ServletContext getServletContext();
+    String getInitParameter(String p0);
+    String getServletName();
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletContext.java

@@ -0,0 +1,76 @@
+// Generated automatically from javax.servlet.ServletContext for testing purposes
+
+package javax.servlet;
+
+import java.io.InputStream;
+import java.net.URL;
+import java.util.Enumeration;
+import java.util.EventListener;
+import java.util.Map;
+import java.util.Set;
+import javax.servlet.Filter;
+import javax.servlet.FilterRegistration;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.Servlet;
+import javax.servlet.ServletRegistration;
+import javax.servlet.SessionCookieConfig;
+import javax.servlet.SessionTrackingMode;
+import javax.servlet.descriptor.JspConfigDescriptor;
+
+public interface ServletContext
+{
+    <T extends EventListener> T createListener(Class<T> p0);
+    <T extends EventListener> void addListener(T p0);
+    <T extends Filter> T createFilter(Class<T> p0);
+    <T extends Servlet> T createServlet(Class<T> p0);
+    ClassLoader getClassLoader();
+    Enumeration<Servlet> getServlets();
+    Enumeration<String> getAttributeNames();
+    Enumeration<String> getInitParameterNames();
+    Enumeration<String> getServletNames();
+    FilterRegistration getFilterRegistration(String p0);
+    FilterRegistration.Dynamic addFilter(String p0, Class<? extends Filter> p1);
+    FilterRegistration.Dynamic addFilter(String p0, Filter p1);
+    FilterRegistration.Dynamic addFilter(String p0, String p1);
+    InputStream getResourceAsStream(String p0);
+    JspConfigDescriptor getJspConfigDescriptor();
+    Map<String, ? extends FilterRegistration> getFilterRegistrations();
+    Map<String, ? extends ServletRegistration> getServletRegistrations();
+    Object getAttribute(String p0);
+    RequestDispatcher getNamedDispatcher(String p0);
+    RequestDispatcher getRequestDispatcher(String p0);
+    Servlet getServlet(String p0);
+    ServletContext getContext(String p0);
+    ServletRegistration getServletRegistration(String p0);
+    ServletRegistration.Dynamic addServlet(String p0, Class<? extends Servlet> p1);
+    ServletRegistration.Dynamic addServlet(String p0, Servlet p1);
+    ServletRegistration.Dynamic addServlet(String p0, String p1);
+    SessionCookieConfig getSessionCookieConfig();
+    Set<SessionTrackingMode> getDefaultSessionTrackingModes();
+    Set<SessionTrackingMode> getEffectiveSessionTrackingModes();
+    Set<String> getResourcePaths(String p0);
+    String getContextPath();
+    String getInitParameter(String p0);
+    String getMimeType(String p0);
+    String getRealPath(String p0);
+    String getServerInfo();
+    String getServletContextName();
+    String getVirtualServerName();
+    URL getResource(String p0);
+    boolean setInitParameter(String p0, String p1);
+    int getEffectiveMajorVersion();
+    int getEffectiveMinorVersion();
+    int getMajorVersion();
+    int getMinorVersion();
+    static String ORDERED_LIBS = null;
+    static String TEMPDIR = null;
+    void addListener(Class<? extends EventListener> p0);
+    void addListener(String p0);
+    void declareRoles(String... p0);
+    void log(Exception p0, String p1);
+    void log(String p0);
+    void log(String p0, Throwable p1);
+    void removeAttribute(String p0);
+    void setAttribute(String p0, Object p1);
+    void setSessionTrackingModes(Set<SessionTrackingMode> p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletInputStream.java

@@ -0,0 +1,15 @@
+// Generated automatically from javax.servlet.ServletInputStream for testing purposes
+
+package javax.servlet;
+
+import java.io.InputStream;
+import javax.servlet.ReadListener;
+
+abstract public class ServletInputStream extends InputStream
+{
+    protected ServletInputStream(){}
+    public abstract boolean isFinished();
+    public abstract boolean isReady();
+    public abstract void setReadListener(ReadListener p0);
+    public int readLine(byte[] p0, int p1, int p2){ return 0; }
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletOutputStream.java

@@ -0,0 +1,28 @@
+// Generated automatically from javax.servlet.ServletOutputStream for testing purposes
+
+package javax.servlet;
+
+import java.io.OutputStream;
+import javax.servlet.WriteListener;
+
+abstract public class ServletOutputStream extends OutputStream
+{
+    protected ServletOutputStream(){}
+    public abstract boolean isReady();
+    public abstract void setWriteListener(WriteListener p0);
+    public void print(String p0){}
+    public void print(boolean p0){}
+    public void print(char p0){}
+    public void print(double p0){}
+    public void print(float p0){}
+    public void print(int p0){}
+    public void print(long p0){}
+    public void println(){}
+    public void println(String p0){}
+    public void println(boolean p0){}
+    public void println(char p0){}
+    public void println(double p0){}
+    public void println(float p0){}
+    public void println(int p0){}
+    public void println(long p0){}
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletRegistration.java

@@ -0,0 +1,23 @@
+// Generated automatically from javax.servlet.ServletRegistration for testing purposes
+
+package javax.servlet;
+
+import java.util.Collection;
+import java.util.Set;
+import javax.servlet.MultipartConfigElement;
+import javax.servlet.Registration;
+import javax.servlet.ServletSecurityElement;
+
+public interface ServletRegistration extends Registration
+{
+    Collection<String> getMappings();
+    Set<String> addMapping(String... p0);
+    String getRunAsRole();
+    static public interface Dynamic extends Registration.Dynamic, ServletRegistration
+    {
+        Set<String> setServletSecurity(ServletSecurityElement p0);
+        void setLoadOnStartup(int p0);
+        void setMultipartConfig(MultipartConfigElement p0);
+        void setRunAsRole(String p0);
+    }
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletRequest.java

@@ -0,0 +1,55 @@
+// Generated automatically from javax.servlet.ServletRequest for testing purposes
+
+package javax.servlet;
+
+import java.io.BufferedReader;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.util.Map;
+import javax.servlet.AsyncContext;
+import javax.servlet.DispatcherType;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletInputStream;
+import javax.servlet.ServletResponse;
+
+public interface ServletRequest
+{
+    AsyncContext getAsyncContext();
+    AsyncContext startAsync();
+    AsyncContext startAsync(ServletRequest p0, ServletResponse p1);
+    BufferedReader getReader();
+    DispatcherType getDispatcherType();
+    Enumeration<Locale> getLocales();
+    Enumeration<String> getAttributeNames();
+    Enumeration<String> getParameterNames();
+    Locale getLocale();
+    Map<String, String[]> getParameterMap();
+    Object getAttribute(String p0);
+    RequestDispatcher getRequestDispatcher(String p0);
+    ServletContext getServletContext();
+    ServletInputStream getInputStream();
+    String getCharacterEncoding();
+    String getContentType();
+    String getLocalAddr();
+    String getLocalName();
+    String getParameter(String p0);
+    String getProtocol();
+    String getRealPath(String p0);
+    String getRemoteAddr();
+    String getRemoteHost();
+    String getScheme();
+    String getServerName();
+    String[] getParameterValues(String p0);
+    boolean isAsyncStarted();
+    boolean isAsyncSupported();
+    boolean isSecure();
+    int getContentLength();
+    int getLocalPort();
+    int getRemotePort();
+    int getServerPort();
+    long getContentLengthLong();
+    void removeAttribute(String p0);
+    void setAttribute(String p0, Object p1);
+    void setCharacterEncoding(String p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletResponse.java

@@ -0,0 +1,27 @@
+// Generated automatically from javax.servlet.ServletResponse for testing purposes
+
+package javax.servlet;
+
+import java.io.PrintWriter;
+import java.util.Locale;
+import javax.servlet.ServletOutputStream;
+
+public interface ServletResponse
+{
+    Locale getLocale();
+    PrintWriter getWriter();
+    ServletOutputStream getOutputStream();
+    String getCharacterEncoding();
+    String getContentType();
+    boolean isCommitted();
+    int getBufferSize();
+    void flushBuffer();
+    void reset();
+    void resetBuffer();
+    void setBufferSize(int p0);
+    void setCharacterEncoding(String p0);
+    void setContentLength(int p0);
+    void setContentLengthLong(long p0);
+    void setContentType(String p0);
+    void setLocale(Locale p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/ServletSecurityElement.java

@@ -0,0 +1,19 @@
+// Generated automatically from javax.servlet.ServletSecurityElement for testing purposes
+
+package javax.servlet;
+
+import java.util.Collection;
+import javax.servlet.HttpConstraintElement;
+import javax.servlet.HttpMethodConstraintElement;
+import javax.servlet.annotation.ServletSecurity;
+
+public class ServletSecurityElement extends HttpConstraintElement
+{
+    public Collection<HttpMethodConstraintElement> getHttpMethodConstraints(){ return null; }
+    public Collection<String> getMethodNames(){ return null; }
+    public ServletSecurityElement(){}
+    public ServletSecurityElement(Collection<HttpMethodConstraintElement> p0){}
+    public ServletSecurityElement(HttpConstraintElement p0){}
+    public ServletSecurityElement(HttpConstraintElement p0, Collection<HttpMethodConstraintElement> p1){}
+    public ServletSecurityElement(ServletSecurity p0){}
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/SessionCookieConfig.java

@@ -0,0 +1,22 @@
+// Generated automatically from javax.servlet.SessionCookieConfig for testing purposes
+
+package javax.servlet;
+
+
+public interface SessionCookieConfig
+{
+    String getComment();
+    String getDomain();
+    String getName();
+    String getPath();
+    boolean isHttpOnly();
+    boolean isSecure();
+    int getMaxAge();
+    void setComment(String p0);
+    void setDomain(String p0);
+    void setHttpOnly(boolean p0);
+    void setMaxAge(int p0);
+    void setName(String p0);
+    void setPath(String p0);
+    void setSecure(boolean p0);
+}

java/ql/test/stubs/apache-log4j-2.14.1/javax/servlet/SessionTrackingMode.java

@@ -0,0 +1,10 @@
+// Generated automatically from javax.servlet.SessionTrackingMode for testing purposes
+
+package javax.servlet;
+
+
+public enum SessionTrackingMode
+{
+    COOKIE, SSL, URL;
+    private SessionTrackingMode() {}
+}