Move things around after rebase

java/ql/lib/semmle/code/java/frameworks/Networking.qll

@@ -47,6 +47,7 @@ class SocketGetInputStreamMethod extends Method {
   }
 }
 
+/** The method `java.net.Socket::getOutputStream`. */
 class SocketGetOutputStreamMethod extends Method {
   SocketGetOutputStreamMethod() {
     this.getDeclaringType() instanceof TypeSocket and
@@ -164,6 +165,7 @@ class CreateSocketMethod extends Method {
   }
 }
 
+/** The method `javax.net.Socket::connect`. */
 class SocketConnectMethod extends Method {
   SocketConnectMethod() {
     this.hasName("connect") and

java/ql/lib/semmle/code/java/security/Encryption.qll

@@ -34,10 +34,12 @@ class SSLSession extends RefType {
   SSLSession() { this.hasQualifiedName("javax.net.ssl", "SSLSession") }
 }
 
+/** The `javax.net.ssl.SSLEngine` class. */
 class SSLEngine extends RefType {
   SSLEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") }
 }
 
+/** The `javax.net.ssl.SSLSocket` class. */
 class SSLSocket extends RefType {
   SSLSocket() { this.hasQualifiedName("javax.net.ssl", "SSLSocket") }
 }
@@ -221,7 +223,7 @@ string getInsecureAlgorithmRegex() {
 string getASecureAlgorithmName() {
   result =
     [
-      "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES([^a-zA-Z](?!ECB|CBC/PKCS[57]Padding)).*",
+      "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
       "Blowfish", "ECIES"
     ]
 }

java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll

@@ -0,0 +1,65 @@
+/** Provides taint tracking configurations to be used by unsafe certificate trust queries. */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.UnsafeCertTrust
+import semmle.code.java.security.Encryption
+
+/**
+ * A taint flow configuration for SSL connections created without a proper certificate trust configuration.
+ */
+class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
+  SslEndpointIdentificationFlowConfig() { this = "SslEndpointIdentificationFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
+
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof SslUnsafeCertTrustSanitizer
+  }
+}
+
+/**
+ * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
+ */
+private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
+  SslConnectionWithSafeSslParameters() {
+    exists(SafeSslParametersFlowConfig config, DataFlow::Node safe, DataFlow::Node sanitizer |
+      config.hasFlowTo(safe) and
+      sanitizer = DataFlow::exprNode(safe.asExpr().(Argument).getCall().getQualifier()) and
+      DataFlow::localFlow(sanitizer, this)
+    )
+  }
+}
+
+private class SafeSslParametersFlowConfig extends DataFlow2::Configuration {
+  SafeSslParametersFlowConfig() { this = "SafeSslParametersFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma |
+      ma instanceof SafeSetEndpointIdentificationAlgorithm and
+      DataFlow::getInstanceArgument(ma) = source.(DataFlow::PostUpdateNode).getPreUpdateNode()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma, RefType t | t instanceof SSLSocket or t instanceof SSLEngine |
+      ma.getMethod().hasName("setSSLParameters") and
+      ma.getMethod().getDeclaringType().getASupertype*() = t and
+      ma.getArgument(0) = sink.asExpr()
+    )
+  }
+}
+
+/**
+ * A call to `SSLParameters.setEndpointIdentificationAlgorithm` with a non-null and non-empty parameter.
+ */
+private class SafeSetEndpointIdentificationAlgorithm extends MethodAccess {
+  SafeSetEndpointIdentificationAlgorithm() {
+    this.getMethod().hasName("setEndpointIdentificationAlgorithm") and
+    this.getMethod().getDeclaringType() instanceof SSLParameters and
+    not this.getArgument(0) instanceof NullLiteral and
+    not this.getArgument(0).(CompileTimeConstantExpr).getStringValue().length() = 0
+  }
+}