Merge branch 'main' into msgConsis

2026-04-28 02:05:14 +02:00 · 2022-08-24 09:21:43 +02:00
parent a50234adb0 18ed9ed2ee
commit 27fcc90a97
306 changed files with 14239 additions and 3497 deletions
--- a/java/documentation/library-coverage/coverage.csv
+++ b/java/documentation/library-coverage/coverage.csv
@@ -34,7 +34,7 @@ java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
 java.io,37,,39,,15,,,,,,,,,,,,,,,,,,,,,,,,22,,,,,,,,39,
 java.lang,13,,58,,,,,,,,,,,8,,,,,4,,,1,,,,,,,,,,,,,,,46,12
 java.net,10,3,7,,,,,,,,,,,,,,10,,,,,,,,,,,,,,,,,,,3,7,
-java.nio,15,,6,,13,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,6,
+java.nio,15,,11,,13,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,11,
 java.sql,11,,,,,,,,,4,,,,,,,,,,,,,,,,7,,,,,,,,,,,,
 java.util,44,,461,,,,,,,,,,,34,,,,,,5,2,,1,2,,,,,,,,,,,,,36,425
 javax.faces.context,2,7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,7,,
--- a/java/documentation/library-coverage/coverage.rst
+++ b/java/documentation/library-coverage/coverage.rst
@@ -15,9 +15,9 @@ Java framework & library support
   `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
   `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,728,39,,6,,,,,
   `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,,
-   Java Standard Library,``java.*``,3,572,130,28,,,7,,,10
+   Java Standard Library,``java.*``,3,577,130,28,,,7,,,10
   Java extensions,"``javax.*``, ``jakarta.*``",63,609,32,,,4,,1,1,2
   `Spring <https://spring.io/>`_,``org.springframework.*``,29,476,101,,,,19,14,,29
   Others,"``androidx.slice``, ``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``kotlin.jvm.internal``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.logging``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.logging.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jboss.logging``, ``org.jdbi.v3.core``, ``org.jooq``, ``org.mvel2``, ``org.scijava.log``, ``org.slf4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",65,395,932,,,,14,18,,3
-   Totals,,217,6433,1474,117,6,10,107,33,1,84
+   Totals,,217,6438,1474,117,6,10,107,33,1,84

--- a/java/downgrades/ecb42310286011ada450ff65b9b417509863549f/old.dbscheme
+++ b/java/downgrades/ecb42310286011ada450ff65b9b417509863549f/old.dbscheme
--- a/java/downgrades/ecb42310286011ada450ff65b9b417509863549f/semmlecode.dbscheme
+++ b/java/downgrades/ecb42310286011ada450ff65b9b417509863549f/semmlecode.dbscheme
--- a/java/downgrades/ecb42310286011ada450ff65b9b417509863549f/upgrade.properties
+++ b/java/downgrades/ecb42310286011ada450ff65b9b417509863549f/upgrade.properties
@@ -0,0 +1,3 @@
+description: Remove ktDataClasses relation
+compatibility: backwards
+ktDataClasses.rel: delete
--- a/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
+++ b/java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt
@@ -435,6 +435,10 @@ open class KotlinFileExtractor(
                    } else if (kind != ClassKind.CLASS && kind != ClassKind.OBJECT) {
                        logger.warnElement("Unrecognised class kind $kind", c)
                    }
+
+                    if (c.isData) {
+                        tw.writeKtDataClasses(classId)
+                    }
                }

                val locId = tw.getLocation(c)
@@ -1469,14 +1473,22 @@ open class KotlinFileExtractor(
                    val extractionMethod = if (isFunctionInvoke) {
                        // For `kotlin.FunctionX` and `kotlin.reflect.KFunctionX` interfaces, we're making sure that we
                        // extract the call to the `invoke` method that does exist, `kotlin.jvm.functions.FunctionX::invoke`.
-                        val interfaceType = getFunctionalInterfaceTypeWithTypeArgs(drType.arguments).classOrNull!!.owner
-                        val substituted = getJavaEquivalentClass(interfaceType) ?: interfaceType
-                        findFunction(substituted, OperatorNameConventions.INVOKE.asString())!!
+                        val functionalInterface = getFunctionalInterfaceTypeWithTypeArgs(drType.arguments)
+                        if (functionalInterface == null) {
+                            logger.warn("Cannot find functional interface type for raw method access")
+                            null
+                        } else {
+                            val interfaceType = functionalInterface.classOrNull!!.owner
+                            val substituted = getJavaEquivalentClass(interfaceType) ?: interfaceType
+                            findFunction(substituted, OperatorNameConventions.INVOKE.asString())!!
+                        }
                    } else {
                        callTarget
                    }

-                    if (isBigArityFunctionInvoke) {
+                    if (extractionMethod == null) {
+                        null
+                    } else if (isBigArityFunctionInvoke) {
                        // Big arity `invoke` methods have a special implementation on JVM, they are transformed to a call to
                        // `kotlin.jvm.functions.FunctionN<out R>::invoke(vararg args: Any?)`, so we only need to pass the type
                        // argument for the return type. Additionally, the arguments are extracted inside an array literal below.
@@ -1485,10 +1497,15 @@ open class KotlinFileExtractor(
                        useFunction<DbCallable>(extractionMethod, getDeclaringTypeArguments(callTarget, drType))
                    }
                }
-                else
+                else {
                    useFunction<DbCallable>(callTarget)
+                }

-            tw.writeCallableBinding(id, methodId)
+            if (methodId == null) {
+                logger.warn("No method to bind call to for raw method access")
+            } else {
+                tw.writeCallableBinding(id, methodId)
+            }

            if (callTarget.shouldExtractAsStatic) {
                extractStaticTypeAccessQualifier(callTarget, id, locId, enclosingCallable, enclosingStmt)
@@ -3022,11 +3039,6 @@ open class KotlinFileExtractor(
                    var types = parameters.map { it.type }
                    types += e.function.returnType

-                    val fnInterfaceType = getFunctionalInterfaceType(types)
-                    val id = extractGeneratedClass(
-                        e.function, // We're adding this function as a member, and changing its name to `invoke` to implement `kotlin.FunctionX<,,,>.invoke(,,)`
-                        listOf(pluginContext.irBuiltIns.anyType, fnInterfaceType))
-
                    val isBigArity = types.size > BuiltInFunctionArity.BIG_ARITY
                    if (isBigArity) {
                        implementFunctionNInvoke(e.function, ids, locId, parameters)
@@ -3043,12 +3055,21 @@ open class KotlinFileExtractor(
                    tw.writeStatementEnclosingExpr(idLambdaExpr, exprParent.enclosingStmt)
                    tw.writeCallableBinding(idLambdaExpr, ids.constructor)

-                    extractTypeAccessRecursive(fnInterfaceType, locId, idLambdaExpr, -3, callable, exprParent.enclosingStmt)
-
                    // todo: fix hard coded block body of lambda
                    tw.writeLambdaKind(idLambdaExpr, 1)

-                    tw.writeIsAnonymClass(id, idLambdaExpr)
+                    val fnInterfaceType = getFunctionalInterfaceType(types)
+                    if (fnInterfaceType == null) {
+                        logger.warnElement("Cannot find functional interface type for function expression", e)
+                    } else {
+                        val id = extractGeneratedClass(
+                            e.function, // We're adding this function as a member, and changing its name to `invoke` to implement `kotlin.FunctionX<,,,>.invoke(,,)`
+                            listOf(pluginContext.irBuiltIns.anyType, fnInterfaceType))
+
+                        extractTypeAccessRecursive(fnInterfaceType, locId, idLambdaExpr, -3, callable, exprParent.enclosingStmt)
+
+                        tw.writeIsAnonymClass(id, idLambdaExpr)
+                    }
                }
                is IrClassReference -> {
                    val exprParent = parent.expr(e, callable)
@@ -3738,7 +3759,6 @@ open class KotlinFileExtractor(
                dispatchReceiverIdx = -1
            }

-            val targetCallableId = useFunction<DbCallable>(target.owner.realOverrideTarget, classTypeArguments)
            val locId = tw.getLocation(functionReferenceExpr)

            val javaResult = TypeResult(tw.getFreshIdLabel<DbClass>(), "", "")
@@ -3751,36 +3771,6 @@ open class KotlinFileExtractor(
                constructorBlock = tw.getFreshIdLabel()
            )

-            val helper = CallableReferenceHelper(functionReferenceExpr, locId, ids)
-
-            val fnInterfaceType = getFunctionalInterfaceTypeWithTypeArgs(type.arguments)
-
-            val currentDeclaration = declarationStack.peek()
-            // `FunctionReference` base class is required, because that's implementing `KFunction`.
-            val baseClass = pluginContext.referenceClass(FqName("kotlin.jvm.internal.FunctionReference"))?.owner?.typeWith()
-                ?: pluginContext.irBuiltIns.anyType
-
-            val classId = extractGeneratedClass(ids, listOf(baseClass, fnInterfaceType), locId, currentDeclaration)
-
-            helper.extractReceiverField()
-
-            val isBigArity = type.arguments.size > BuiltInFunctionArity.BIG_ARITY
-            val funLabels = if (isBigArity) {
-                addFunctionNInvoke(ids.function, parameterTypes.last(), classId, locId)
-            } else {
-                addFunctionInvoke(ids.function, parameterTypes.dropLast(1), parameterTypes.last(), classId, locId)
-            }
-
-            helper.extractCallToReflectionTarget(
-                funLabels,
-                target,
-                parameterTypes.last(),
-                expressionTypeArguments,
-                classTypeArguments,
-                dispatchReceiverIdx,
-                isBigArity,
-                parameterTypes.dropLast(1))
-
            // Add constructor (member ref) call:
            val exprParent = parent.expr(functionReferenceExpr, callable)
            val idMemberRef = tw.getFreshIdLabel<DbMemberref>()
@@ -3791,40 +3781,87 @@ open class KotlinFileExtractor(
            tw.writeStatementEnclosingExpr(idMemberRef, exprParent.enclosingStmt)
            tw.writeCallableBinding(idMemberRef, ids.constructor)

-            val typeAccessArguments = if (isBigArity) listOf(parameterTypes.last()) else parameterTypes
-            if (target is IrConstructorSymbol) {
-                val returnType = typeAccessArguments.last()
-
-                val typeAccessId = extractTypeAccess(useType(fnInterfaceType, TypeContext.OTHER), locId, idMemberRef, -3, callable, exprParent.enclosingStmt)
-                typeAccessArguments.dropLast(1).forEachIndexed { argIdx, arg ->
-                    extractTypeAccessRecursive(arg, locId, typeAccessId, argIdx, callable, exprParent.enclosingStmt, TypeContext.GENERIC_ARGUMENT)
-                }
-
-                extractConstructorTypeAccess(returnType, useType(returnType), target, locId, typeAccessId, typeAccessArguments.count() - 1, callable, exprParent.enclosingStmt)
-            } else {
-                extractTypeAccessRecursive(fnInterfaceType, locId, idMemberRef, -3, callable, exprParent.enclosingStmt)
-            }
-
+            val targetCallableId = useFunction<DbCallable>(target.owner.realOverrideTarget, classTypeArguments)
            tw.writeMemberRefBinding(idMemberRef, targetCallableId)

-            helper.extractConstructorArguments(callable, idMemberRef, exprParent.enclosingStmt)
+            val helper = CallableReferenceHelper(functionReferenceExpr, locId, ids)

-            tw.writeIsAnonymClass(classId, idMemberRef)
+            val fnInterfaceType = getFunctionalInterfaceTypeWithTypeArgs(type.arguments)
+            if (fnInterfaceType == null) {
+                logger.warnElement("Cannot find functional interface type for function reference", functionReferenceExpr)
+            } else {
+                val currentDeclaration = declarationStack.peek()
+                // `FunctionReference` base class is required, because that's implementing `KFunction`.
+                val baseClass = pluginContext.referenceClass(FqName("kotlin.jvm.internal.FunctionReference"))?.owner?.typeWith()
+                    ?: pluginContext.irBuiltIns.anyType
+
+                val classId = extractGeneratedClass(ids, listOf(baseClass, fnInterfaceType), locId, currentDeclaration)
+
+                helper.extractReceiverField()
+
+                val isBigArity = type.arguments.size > BuiltInFunctionArity.BIG_ARITY
+                val funLabels = if (isBigArity) {
+                    addFunctionNInvoke(ids.function, parameterTypes.last(), classId, locId)
+                } else {
+                    addFunctionInvoke(ids.function, parameterTypes.dropLast(1), parameterTypes.last(), classId, locId)
+                }
+
+                helper.extractCallToReflectionTarget(
+                    funLabels,
+                    target,
+                    parameterTypes.last(),
+                    expressionTypeArguments,
+                    classTypeArguments,
+                    dispatchReceiverIdx,
+                    isBigArity,
+                    parameterTypes.dropLast(1))
+
+                val typeAccessArguments = if (isBigArity) listOf(parameterTypes.last()) else parameterTypes
+                if (target is IrConstructorSymbol) {
+                    val returnType = typeAccessArguments.last()
+
+                    val typeAccessId = extractTypeAccess(useType(fnInterfaceType, TypeContext.OTHER), locId, idMemberRef, -3, callable, exprParent.enclosingStmt)
+                    typeAccessArguments.dropLast(1).forEachIndexed { argIdx, arg ->
+                        extractTypeAccessRecursive(arg, locId, typeAccessId, argIdx, callable, exprParent.enclosingStmt, TypeContext.GENERIC_ARGUMENT)
+                    }
+
+                    extractConstructorTypeAccess(returnType, useType(returnType), target, locId, typeAccessId, typeAccessArguments.count() - 1, callable, exprParent.enclosingStmt)
+                } else {
+                    extractTypeAccessRecursive(fnInterfaceType, locId, idMemberRef, -3, callable, exprParent.enclosingStmt)
+                }
+
+                helper.extractConstructorArguments(callable, idMemberRef, exprParent.enclosingStmt)
+
+                tw.writeIsAnonymClass(classId, idMemberRef)
+            }
        }
    }

-    private fun getFunctionalInterfaceType(functionNTypeArguments: List<IrType>) =
+    private fun getFunctionalInterfaceType(functionNTypeArguments: List<IrType>): IrSimpleType? {
        if (functionNTypeArguments.size > BuiltInFunctionArity.BIG_ARITY) {
-            pluginContext.referenceClass(FqName("kotlin.jvm.functions.FunctionN"))!!
-                .typeWith(functionNTypeArguments.last())
+            val funName = "kotlin.jvm.functions.FunctionN"
+            val theFun = pluginContext.referenceClass(FqName(funName))
+            if (theFun == null) {
+                logger.warn("Cannot find $funName for getFunctionalInterfaceType")
+                return null
+            } else {
+                return theFun.typeWith(functionNTypeArguments.last())
+            }
        } else {
-            functionN(pluginContext)(functionNTypeArguments.size - 1).typeWith(functionNTypeArguments)
+            return functionN(pluginContext)(functionNTypeArguments.size - 1).typeWith(functionNTypeArguments)
        }
+    }

-    private fun getFunctionalInterfaceTypeWithTypeArgs(functionNTypeArguments: List<IrTypeArgument>) =
+    private fun getFunctionalInterfaceTypeWithTypeArgs(functionNTypeArguments: List<IrTypeArgument>): IrSimpleType? =
        if (functionNTypeArguments.size > BuiltInFunctionArity.BIG_ARITY) {
-            pluginContext.referenceClass(FqName("kotlin.jvm.functions.FunctionN"))!!
-                .typeWithArguments(listOf(functionNTypeArguments.last()))
+            val funName = "kotlin.jvm.functions.FunctionN"
+            val theFun = pluginContext.referenceClass(FqName(funName))
+            if (theFun == null) {
+                logger.warn("Cannot find $funName for getFunctionalInterfaceTypeWithTypeArgs")
+                null
+            } else {
+                theFun.typeWithArguments(listOf(functionNTypeArguments.last()))
+            }
        } else {
            functionN(pluginContext)(functionNTypeArguments.size - 1).symbol.typeWithArguments(functionNTypeArguments)
        }
@@ -4327,6 +4364,10 @@ open class KotlinFileExtractor(

                    // Either Function1, ... Function22 or FunctionN type, but not Function23 or above.
                    val functionType = getFunctionalInterfaceTypeWithTypeArgs(st.arguments)
+                    if (functionType == null) {
+                        logger.errorElement("Cannot find functional interface.", e)
+                        return
+                    }

                    val invokeMethod = functionType.classOrNull?.owner?.declarations?.filterIsInstance<IrFunction>()?.find { it.name.asString() == OperatorNameConventions.INVOKE.asString()}
                    if (invokeMethod == null) {
--- a/java/ql/lib/change-notes/2022-08-13-more-hardcoded-credential-apis.md
+++ b/java/ql/lib/change-notes/2022-08-13-more-hardcoded-credential-apis.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects. 
--- a/java/ql/lib/change-notes/2022-08-22-path-summaries.md
+++ b/java/ql/lib/change-notes/2022-08-22-path-summaries.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added new flow steps for the classes `java.io.Path` and `java.nio.Paths`.
--- a/java/ql/lib/config/semmlecode.dbscheme
+++ b/java/ql/lib/config/semmlecode.dbscheme
@@ -1234,3 +1234,7 @@ ktFunctionOriginalNames(
  unique int id: @method ref,
  string name: string ref
 )
+
+ktDataClasses(
+  unique int id: @class ref
+)
--- a/java/ql/lib/config/semmlecode.dbscheme.stats
+++ b/java/ql/lib/config/semmlecode.dbscheme.stats
--- a/java/ql/lib/semmle/code/java/Type.qll
+++ b/java/ql/lib/semmle/code/java/Type.qll
@@ -726,6 +726,13 @@ class CompanionObject extends Class {
  Field getInstance() { type_companion_object(_, result, this) }
 }

+/**
+ * A Kotlin data class declaration.
+ */
+class DataClass extends Class {
+  DataClass() { ktDataClasses(this) }
+}
+
 /**
 * A record declaration.
 */
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -317,7 +317,12 @@ private predicate summaryModelCsv(string row) {
      "java.io;File;true;getAbsolutePath;;;Argument[-1];ReturnValue;taint;manual",
      "java.io;File;true;getCanonicalPath;;;Argument[-1];ReturnValue;taint;manual",
      "java.nio;ByteBuffer;false;array;();;Argument[-1];ReturnValue;taint;manual",
+      "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual",
+      "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual",
      "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint;manual",
+      "java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint;manual",
+      "java.nio.file;Path;true;toUri;;;Argument[-1];ReturnValue;taint;manual",
+      "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual",
      "java.io;BufferedReader;true;readLine;;;Argument[-1];ReturnValue;taint;manual",
      "java.io;Reader;true;read;();;Argument[-1];ReturnValue;taint;manual",
      // arg to return
--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentials.qll
@@ -1,3 +1,7 @@
+/**
+ * Provides classes and predicates relating to hardcoded credentials.
+ */
+
 import java
 import SensitiveApi

--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll
@@ -0,0 +1,54 @@
+/**
+ * Provides a data-flow configuration for tracking a hard-coded credential in a call to a sensitive Java API which may compromise security.
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import HardcodedCredentials
+
+/**
+ * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
+ */
+class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
+  HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr() instanceof HardcodedExpr and
+    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
+  }
+
+  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.asExpr().getType() instanceof TypeString and
+    (
+      exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
+        node2.asExpr() = ma and
+        ma.getQualifier() = node1.asExpr()
+      )
+      or
+      // These base64 routines are usually taint propagators, and this is not a general
+      // TaintTracking::Configuration, so we must specifically include them here
+      // as a common transform applied to a constant before passing to a remote API.
+      exists(MethodAccess ma |
+        ma.getMethod()
+            .hasQualifiedName([
+                "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
+                "apache.commons.codec.binary", "org.springframework.util"
+              ], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
+              [
+                "encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
+                "encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
+                "encodeBase64URLSafeString"
+              ])
+      |
+        node1.asExpr() = ma.getArgument(0) and
+        node2.asExpr() = ma
+      )
+    )
+  }
+
+  override predicate isBarrier(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod() instanceof MethodSystemGetenv
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsComparison.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides classes and predicates to detect comparing a parameter to a hard-coded credential.
+ */
+
+import java
+import HardcodedCredentials
+
+/**
+ * A call to a method that is or overrides `java.lang.Object.equals`.
+ */
+class EqualsAccess extends MethodAccess {
+  EqualsAccess() { getMethod() instanceof EqualsMethod }
+}
+
+/**
+ * Holds if `sink` compares password `p` against a hardcoded expression `source`.
+ */
+predicate isHardcodedCredentialsComparison(
+  EqualsAccess sink, HardcodedExpr source, PasswordVariable p
+) {
+  source = sink.getQualifier() and
+  p.getAnAccess() = sink.getArgument(0)
+  or
+  source = sink.getArgument(0) and
+  p.getAnAccess() = sink.getQualifier()
+}
--- a/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll
@@ -0,0 +1,51 @@
+/**
+ * Provides classes to detect using a hard-coded credential in a sensitive call.
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow2
+import HardcodedCredentials
+
+/**
+ * A data-flow configuration that tracks hardcoded expressions flowing to a parameter whose name suggests
+ * it may be a credential, excluding those which flow on to other such insecure usage sites.
+ */
+class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
+  HardcodedCredentialSourceCallConfiguration() {
+    this = "HardcodedCredentialSourceCallConfiguration"
+  }
+
+  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
+
+  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
+}
+
+/**
+ * A data-flow configuration that tracks flow from an argument whose corresponding parameter name suggests
+ * a credential, to an argument to a sensitive call.
+ */
+class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
+  HardcodedCredentialSourceCallConfiguration2() {
+    this = "HardcodedCredentialSourceCallConfiguration2"
+  }
+
+  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
+
+  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
+}
+
+/**
+ * An argument to a call, where the parameter name corresponding
+ * to the argument indicates that it may contain credentials, and
+ * where this expression does not flow on to another `CredentialsSink`.
+ */
+class FinalCredentialsSourceSink extends CredentialsSourceSink {
+  FinalCredentialsSourceSink() {
+    not exists(HardcodedCredentialSourceCallConfiguration2 conf, CredentialsSink other |
+      this != other
+    |
+      conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(other))
+    )
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/HardcodedPasswordField.qll
+++ b/java/ql/lib/semmle/code/java/security/HardcodedPasswordField.qll
@@ -0,0 +1,15 @@
+/**
+ * Provides a predicate identifying assignments of harcoded values to password fields.
+ */
+
+import java
+import HardcodedCredentials
+
+/**
+ * Holds if non-empty constant value `e` is assigned to password field `f`.
+ */
+predicate passwordFieldAssignedHardcodedValue(PasswordVariable f, CompileTimeConstantExpr e) {
+  f instanceof Field and
+  f.getAnAssignedValue() = e and
+  not e.(StringLiteral).getValue() = ""
+}
--- a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -0,0 +1,23 @@
+/** Definitions for the RSA without OAEP query */
+
+import java
+import Encryption
+import semmle.code.java.dataflow.DataFlow
+
+/** A configuration for finding RSA ciphers initialized without using OAEP padding. */
+class RsaWithoutOaepConfig extends DataFlow::Configuration {
+  RsaWithoutOaepConfig() { this = "RsaWithoutOaepConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(CompileTimeConstantExpr specExpr, string spec |
+      specExpr.getStringValue() = spec and
+      specExpr = src.asExpr() and
+      spec.matches("RSA/%") and
+      not spec.matches("%OAEP%")
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
+  }
+}
--- a/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveApi.qll
@@ -1,3 +1,7 @@
+/**
+ * Provides predicates defining methods that consume sensitive data, such as usernames and passwords.
+ */
+
 import java

 /**
@@ -438,6 +442,49 @@ private predicate otherApiCallableCredentialParam(string s) {
      "com.azure.identity.UsernamePasswordCredentialBuilder;username(String);0",
      "com.azure.identity.UsernamePasswordCredentialBuilder;password(String);0",
      "com.azure.identity.ClientSecretCredentialBuilder;clientSecret(String);0",
-      "org.apache.shiro.mgt.AbstractRememberMeManager;setCipherKey(byte[]);0"
+      "org.apache.shiro.mgt.AbstractRememberMeManager;setCipherKey(byte[]);0",
+      "com.jcraft.jsch.JSch;getSession(String, String, int);0",
+      "com.jcraft.jsch.JSch;getSession(String, String);0",
+      "ch.ethz.ssh2.Connection;authenticateWithPassword(String, String);0",
+      "org.apache.sshd.client.session.ClientSessionCreator;connect(String, String, int);0",
+      "org.apache.sshd.client.session.ClientSessionCreator;connect(String, SocketAddress);0",
+      "net.schmizz.sshj.SSHClient;authPassword(String, char[]);0",
+      "net.schmizz.sshj.SSHClient;authPassword(String, String);0",
+      "com.sshtools.j2ssh.authentication.SshAuthenticationClient;setUsername(String);0",
+      "com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;setUsername(String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPassword(String, String);0",
+      "com.trilead.ssh2.Connection;authenticateWithDSA(String, String, String);0",
+      "com.trilead.ssh2.Connection;authenticateWithNone(String);0",
+      "com.trilead.ssh2.Connection;getRemainingAuthMethods(String);0",
+      "com.trilead.ssh2.Connection;isAuthMethodAvailable(String, String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, char[], String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, File, String);0",
+      "com.jcraft.jsch.Session;setPassword(byte[]);0",
+      "com.jcraft.jsch.Session;setPassword(String);0",
+      "ch.ethz.ssh2.Connection;authenticateWithPassword(String, String);1",
+      "org.apache.sshd.client.session.AbstractClientSession;addPasswordIdentity(String);0",
+      "net.schmizz.sshj.SSHClient;authPassword(String, char[]);1",
+      "net.schmizz.sshj.SSHClient;authPassword(String, String);1",
+      "com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;setPassword(String);0",
+      "com.trilead.ssh2.Connection;authenticateWithPassword(String, String);1",
+      "com.trilead.ssh2.Connection;authenticateWithDSA(String, String, String);2",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, char[], String);2",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, File, String);2",
+      "com.trilead.ssh2.Connection;authenticateWithDSA(String, String, String);1",
+      "com.trilead.ssh2.Connection;authenticateWithPublicKey(String, char[], String);1",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String);0",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String, String);0",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String);1",
+      "org.apache.commons.net.ftp.FTPClient;login(String, String, String);1",
+      "com.mongodb.MongoCredential;createCredential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createMongoCRCredential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createPlainCredential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createScramSha1Credential(String, String, char[]);0",
+      "com.mongodb.MongoCredential;createGSSAPICredential(String);0",
+      "com.mongodb.MongoCredential;createMongoX509Credential(String);0",
+      "com.mongodb.MongoCredential;createCredential(String, String, char[]);2",
+      "com.mongodb.MongoCredential;createMongoCRCredential(String, String, char[]);2",
+      "com.mongodb.MongoCredential;createPlainCredential(String, String, char[]);2",
+      "com.mongodb.MongoCredential;createScramSha1Credential(String, String, char[]);2"
    ]
 }
--- a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -54,10 +54,25 @@ private class ArrayUpdate extends Expr {
      ma = this and
      ma.getArgument(0) = array
    |
-      m.hasQualifiedName("java.io", "InputStream", "read") or
+      m.getAnOverride*().hasQualifiedName("java.io", ["InputStream", "RandomAccessFile"], "read") or
+      m.getAnOverride*().hasQualifiedName("java.io", "DataInput", "readFully") or
      m.hasQualifiedName("java.nio", "ByteBuffer", "get") or
      m.hasQualifiedName("java.security", "SecureRandom", "nextBytes") or
-      m.hasQualifiedName("java.util", "Random", "nextBytes")
+      m.hasQualifiedName("java.util", "Random", "nextBytes") or
+      m.hasQualifiedName("java.util.zip", "Inflater", "inflate") or
+      m.hasQualifiedName("io.netty.buffer", "ByteBuf", "readBytes") or
+      m.getAnOverride*().hasQualifiedName("org.bouncycastle.crypto", "Digest", "doFinal")
+    )
+    or
+    exists(MethodAccess ma, Method m |
+      m = ma.getMethod() and
+      ma = this and
+      ma.getArgument(1) = array
+    |
+      m.hasQualifiedName("org.apache.commons.io", "IOUtils", ["read", "readFully"]) or
+      m.hasQualifiedName("io.netty.buffer", "ByteBuf", "getBytes") or
+      m.hasQualifiedName("org.bouncycastle.crypto.generators",
+        any(string s | s.matches("%BytesGenerator")), "generateBytes")
    )
  }

@@ -95,17 +110,15 @@ private class StaticInitializationVectorSource extends DataFlow::Node {
 }

 /**
- * A sink that initializes a cipher for encryption with unsafe parameters.
+ * A sink that initializes a cipher with unsafe parameters.
 */
 private class EncryptionInitializationSink extends DataFlow::Node {
  EncryptionInitializationSink() {
-    exists(MethodAccess ma, Method m, FieldRead fr | m = ma.getMethod() |
+    exists(MethodAccess ma, Method m | m = ma.getMethod() |
      m.hasQualifiedName("javax.crypto", "Cipher", "init") and
      m.getParameterType(2)
          .(RefType)
          .hasQualifiedName("java.security.spec", "AlgorithmParameterSpec") and
-      fr.getField().hasQualifiedName("javax.crypto", "Cipher", "ENCRYPT_MODE") and
-      DataFlow::localExprFlow(fr, ma.getArgument(0)) and
      ma.getArgument(2) = this.asExpr()
    )
  }
--- a/java/ql/lib/upgrades/81ccfabe82e696953268e784979262e56871ce86/old.dbscheme
+++ b/java/ql/lib/upgrades/81ccfabe82e696953268e784979262e56871ce86/old.dbscheme
--- a/java/ql/lib/upgrades/81ccfabe82e696953268e784979262e56871ce86/semmlecode.dbscheme
+++ b/java/ql/lib/upgrades/81ccfabe82e696953268e784979262e56871ce86/semmlecode.dbscheme
--- a/java/ql/lib/upgrades/81ccfabe82e696953268e784979262e56871ce86/upgrade.properties
+++ b/java/ql/lib/upgrades/81ccfabe82e696953268e784979262e56871ce86/upgrade.properties
@@ -0,0 +1,2 @@
+description: Add ktDataClasses relation
+compatibility: backwards
--- a/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+++ b/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
@@ -8,6 +8,7 @@
 * @precision high
 * @id java/polynomial-redos
 * @tags security
+ *       external/cwe/cwe-1333
 *       external/cwe/cwe-730
 *       external/cwe/cwe-400
 */
--- a/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+++ b/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
@@ -9,6 +9,7 @@
 * @precision high
 * @id java/redos
 * @tags security
+ *       external/cwe/cwe-1333
 *       external/cwe/cwe-730
 *       external/cwe/cwe-400
 */
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
@@ -0,0 +1,7 @@
+// BAD: No padding scheme is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
+...
+
+//GOOD: OAEP padding is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
+...
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Cryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption.
+    Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>Use the OAEP scheme when using RSA encryption.</p>
+  </recommendation>
+
+  <example>
+    <p>In the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.</p>
+    <sample src="RsaWithoutOaep.java" />
+  </example>
+
+  <references>
+    <li>
+      <a href="https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations">Mobile Security Testing Guide</a>.
+    </li>
+    <li>
+      <a href="https://robertheaton.com/2013/07/29/padding-oracle-attack/">The Padding Oracle Attack</a>.
+    </li>
+  </references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Use of RSA algorithm without OAEP
+ * @description Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id java/rsa-without-oaep
+ * @tags security
+ *       external/cwe/cwe-780
+ */
+
+import java
+import semmle.code.java.security.RsaWithoutOaepQuery
+import DataFlow::PathGraph
+
+from RsaWithoutOaepConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select source, source, sink,
+  "This specification is used to initialize an RSA cipher without OAEP padding $@.", sink, "here"
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -10,55 +10,9 @@
 *       external/cwe/cwe-798
 */

-import java
-import semmle.code.java.dataflow.DataFlow
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentialsApiCallQuery
 import DataFlow::PathGraph

-class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
-  HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" }
-
-  override predicate isSource(DataFlow::Node n) {
-    n.asExpr() instanceof HardcodedExpr and
-    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
-  }
-
-  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
-
-  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node1.asExpr().getType() instanceof TypeString and
-    (
-      exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
-        node2.asExpr() = ma and
-        ma.getQualifier() = node1.asExpr()
-      )
-      or
-      // These base64 routines are usually taint propagators, and this is not a general
-      // TaintTracking::Configuration, so we must specifically include them here
-      // as a common transform applied to a constant before passing to a remote API.
-      exists(MethodAccess ma |
-        ma.getMethod()
-            .hasQualifiedName([
-                "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
-                "apache.commons.codec.binary", "org.springframework.util"
-              ], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
-              [
-                "encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
-                "encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
-                "encodeBase64URLSafeString"
-              ])
-      |
-        node1.asExpr() = ma.getArgument(0) and
-        node2.asExpr() = ma
-      )
-    )
-  }
-
-  override predicate isBarrier(DataFlow::Node n) {
-    n.asExpr().(MethodAccess).getMethod() instanceof MethodSystemGetenv
-  }
-}
-
 from
  DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialApiCallConfiguration conf
 where conf.hasFlowPath(source, sink)
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
@@ -11,17 +11,8 @@
 */

 import java
-import HardcodedCredentials
-
-class EqualsAccess extends MethodAccess {
-  EqualsAccess() { getMethod() instanceof EqualsMethod }
-}
+import semmle.code.java.security.HardcodedCredentialsComparison

 from EqualsAccess sink, HardcodedExpr source, PasswordVariable p
-where
-  source = sink.getQualifier() and
-  p.getAnAccess() = sink.getArgument(0)
-  or
-  source = sink.getArgument(0) and
-  p.getAnAccess() = sink.getQualifier()
+where isHardcodedCredentialsComparison(sink, source, p)
 select source, "Hard-coded value is $@ with password variable $@.", sink, "compared", p, p.getName()
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
@@ -11,41 +11,9 @@
 */

 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.DataFlow2
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
 import DataFlow::PathGraph

-class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
-  HardcodedCredentialSourceCallConfiguration() {
-    this = "HardcodedCredentialSourceCallConfiguration"
-  }
-
-  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
-
-  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
-}
-
-class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
-  HardcodedCredentialSourceCallConfiguration2() {
-    this = "HardcodedCredentialSourceCallConfiguration2"
-  }
-
-  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
-
-  override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
-}
-
-class FinalCredentialsSourceSink extends CredentialsSourceSink {
-  FinalCredentialsSourceSink() {
-    not exists(HardcodedCredentialSourceCallConfiguration2 conf, CredentialsSink other |
-      this != other
-    |
-      conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(other))
-    )
-  }
-}
-
 from
  DataFlow::PathNode source, DataFlow::PathNode sink,
  HardcodedCredentialSourceCallConfiguration conf
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
@@ -11,11 +11,8 @@
 */

 import java
-import HardcodedCredentials
+import semmle.code.java.security.HardcodedPasswordField

 from PasswordVariable f, CompileTimeConstantExpr e
-where
-  f instanceof Field and
-  f.getAnAssignedValue() = e and
-  not e.(StringLiteral).getValue() = ""
+where passwordFieldAssignedHardcodedValue(f, e)
 select f, "Sensitive field is assigned a hard-coded $@.", e, "value"
--- a/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md
+++ b/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
--- a/java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md
+++ b/java/ql/src/change-notes/2022-08-22-static-init-vector-query-improvements.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/static-initialization-vector` no longer requires a `Cipher` object to be initialized with `ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.
--- a/java/ql/src/change-notes/2022-08-23-redos-cwe-1333.md
+++ b/java/ql/src/change-notes/2022-08-23-redos-cwe-1333.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The queries `java/redos` and `java/polynomial-redos` now have a tag for CWE-1333. 
--- a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.expected
@@ -1,12 +1,12 @@
 edges
-| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... |
-| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... |
+| JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... |
+| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... |
 nodes
 | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | semmle.label | ... + ... |
-| JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | semmle.label | ... + ... |
+| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | semmle.label | ... + ... |
+| JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
-| JSchOSInjectionTest.java:26:48:26:64 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:26:48:26:64 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value |
-| JSchOSInjectionTest.java:50:32:50:48 | ... + ... | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) : String | JSchOSInjectionTest.java:50:32:50:48 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:38:30:38:60 | getParameter(...) | User-provided value |
+| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value |
+| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | User-provided value |
--- a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java
@@ -17,17 +17,19 @@ public class JSchOSInjectionTest extends HttpServlet {
            config.put("StrictHostKeyChecking", "no");
            
            JSch jsch = new JSch();
-            Session session = jsch.getSession(user, host, 22);
-            session.setPassword(password);
-            session.setConfig(config);
-            session.connect();
+            try {
+                Session session = jsch.getSession(user, host, 22);
+                session.setPassword(password);
+                session.setConfig(config);
+                session.connect();

-            Channel channel = session.openChannel("exec");
-            ((ChannelExec) channel).setCommand("ping " + command);
-            channel.setInputStream(null);
-            ((ChannelExec) channel).setErrStream(System.err);
+                Channel channel = session.openChannel("exec");
+                ((ChannelExec) channel).setCommand("ping " + command);
+                channel.setInputStream(null);
+                ((ChannelExec) channel).setErrStream(System.err);

-            channel.connect();
+                channel.connect();
+            } catch (JSchException e) { }
    }

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
@@ -41,16 +43,18 @@ public class JSchOSInjectionTest extends HttpServlet {
            config.put("StrictHostKeyChecking", "no");
            
            JSch jsch = new JSch();
-            Session session = jsch.getSession(user, host, 22);
-            session.setPassword(password);
-            session.setConfig(config);
-            session.connect();
+            try {
+                Session session = jsch.getSession(user, host, 22);
+                session.setPassword(password);
+                session.setConfig(config);
+                session.connect();

-            ChannelExec channel = (ChannelExec)session.openChannel("exec");
-            channel.setCommand("ping " + command);
-            channel.setInputStream(null);
-            channel.setErrStream(System.err);
+                ChannelExec channel = (ChannelExec)session.openChannel("exec");
+                channel.setCommand("ping " + command);
+                channel.setInputStream(null);
+                channel.setErrStream(System.err);

-            channel.connect();
+                channel.connect();
+            } catch (JSchException e) { }
    }
-}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-078/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-078/options
@@ -1,2 +1,2 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jsch-0.1.55
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsch-0.1.55

--- a/java/ql/test/kotlin/library-tests/data-classes/data_classes.expected
+++ b/java/ql/test/kotlin/library-tests/data-classes/data_classes.expected
@@ -0,0 +1 @@
+| dc.kt:1:1:1:71 | ProtoMapValue |
--- a/java/ql/test/kotlin/library-tests/data-classes/data_classes.ql
+++ b/java/ql/test/kotlin/library-tests/data-classes/data_classes.ql
@@ -0,0 +1,5 @@
+import java
+
+from DataClass c
+where c.fromSource()
+select c
--- a/java/ql/test/library-tests/paths/Test.java
+++ b/java/ql/test/library-tests/paths/Test.java
@@ -0,0 +1,98 @@
+package generatedtest;
+
+import java.io.File;
+import java.net.URI;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object source() { return null; }
+	void sink(Object o) { }
+
+	public void test() throws Exception {
+
+		{
+			// "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual"
+			Path out = null;
+			Path in = (Path)source();
+			out = in.normalize();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual"
+			Path out = null;
+			Path in = (Path)source();
+			Path instance = null;
+			out = instance.resolve(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual"
+			Path out = null;
+			Path in = (Path)source();
+			out = in.resolve((Path)null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual"
+			Path out = null;
+			Path in = (Path)source();
+			out = in.resolve((String)null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual"
+			Path out = null;
+			String in = (String)source();
+			Path instance = null;
+			out = instance.resolve(in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Path;true;toFile;;;Argument[-1];ReturnValue;taint;manual"
+			File out = null;
+			Path in = (Path)source();
+			out = in.toFile();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint;manual"
+			String out = null;
+			Path in = (Path)source();
+			out = in.toString();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Path;true;toUri;;;Argument[-1];ReturnValue;taint;manual"
+			URI out = null;
+			Path in = (Path)source();
+			out = in.toUri();
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
+			Path out = null;
+			String in = (String)source();
+			out = Paths.get(in, (String[])null);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
+			Path out = null;
+			String[] in = (String[])source();
+			out = Paths.get((String)null, in);
+			sink(out); // $ hasTaintFlow
+		}
+		{
+			// "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual"
+			Path out = null;
+			URI in = (URI)source();
+			out = Paths.get(in);
+			sink(out); // $ hasTaintFlow
+		}
+
+	}
+
+}
--- a/java/ql/test/library-tests/paths/test.expected
+++ b/java/ql/test/library-tests/paths/test.expected
--- a/java/ql/test/library-tests/paths/test.ql
+++ b/java/ql/test/library-tests/paths/test.ql
@@ -0,0 +1,2 @@
+import java
+import TestUtilities.InlineFlowTest
--- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected
+++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected
--- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java
+++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java
@@ -0,0 +1,17 @@
+import javax.crypto.Cipher;
+
+class RsaWithoutOaep {
+    public void test() throws Exception {
+        Cipher rsaBad = Cipher.getInstance("RSA/ECB/NoPadding"); // $hasTaintFlow
+
+        Cipher rsaGood = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); 
+    }
+
+    public Cipher getCipher(String spec) throws Exception {
+        return Cipher.getInstance(spec); // $hasTaintFlow
+    }
+
+    public void test2() throws Exception {
+        Cipher rsa = getCipher("RSA/ECB/NoPadding");
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql
+++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql
@@ -0,0 +1,10 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import TestUtilities.InlineFlowTest
+import semmle.code.java.security.RsaWithoutOaepQuery
+
+class HasFlowTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() { result instanceof RsaWithoutOaepConfig }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/CredentialsTest.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/CredentialsTest.java
@@ -10,11 +10,11 @@ public class CredentialsTest {
 		String url = "jdbc:mysql://localhost/test";
 		String u = "admin"; // hard-coded credential (flow source)

-		DriverManager.getConnection(url, u, p); // sensitive call (flow target)
+		DriverManager.getConnection(url, u, p); // $ HardcodedCredentialsApiCall
 		test(url, u, p);
 	}

 	public static void test(String url, String v, String q) throws SQLException {
-		DriverManager.getConnection(url, v, q); // sensitive call (flow target)
+		DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
 	}
 }
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/FileCredentialTest.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/FileCredentialTest.java
@@ -15,12 +15,12 @@ public class FileCredentialTest {

 		String p = readText(new File(file));

-		DriverManager.getConnection("", "admin", p); // sensitive call (flow target)
+		DriverManager.getConnection("", "admin", p); // $ HardcodedCredentialsApiCall
 		test(url, u, p);
 	}

 	public static void test(String url, String v, String q) throws SQLException {
-		DriverManager.getConnection(url, v, q); // sensitive call (flow target)
+		DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
 	}

 	public static String readText(File f) throws IOException
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAWSCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAWSCredentials.java
@@ -4,7 +4,7 @@ import com.amazonaws.auth.BasicAWSCredentials;
 public class HardcodedAWSCredentials {
 	public static void main(String[] args) {
 		//BAD: Hardcoded credentials for connecting to AWS services
-		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead 
-		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY");
+		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead
+		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY"); // $ HardcodedCredentialsApiCall
 	}
 }
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheFtpCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheFtpCredentials.java
@@ -0,0 +1,13 @@
+import org.apache.commons.net.ftp.FTPClient;
+
+import java.io.IOException;
+
+public class HardcodedApacheFtpCredentials {
+	public static void main(FTPClient client) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      client.login("username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      client.login("username", "password", "blah"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    } catch(IOException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheSshdCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheSshdCredentials.java
@@ -0,0 +1,12 @@
+import org.apache.sshd.client.SshClient;
+import org.apache.sshd.client.session.AbstractClientSession;
+import java.io.IOException;
+
+public class HardcodedApacheSshdCredentials {
+	public static void main(SshClient client, AbstractClientSession session) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    client.connect("Username", "hostname", 22); // $ HardcodedCredentialsApiCall
+    client.connect("Username", null); // $ HardcodedCredentialsApiCall
+    session.addPasswordIdentity("password"); // $ HardcodedCredentialsApiCall
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAzureCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAzureCredentials.java
@@ -15,8 +15,8 @@ public class HardcodedAzureCredentials {
 	public void testHardcodedUsernamePassword(String input) {
 		UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
 		.clientId(clientId)
-		.username(username)
-		.password(clientSecret)
+		.username(username) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+		.password(clientSecret) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
 		.build();

 		SecretClient client = new SecretClientBuilder()
@@ -43,7 +43,7 @@ public class HardcodedAzureCredentials {
 	public void testHardcodedClientSecret(String input) {
 		ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
 		.clientId(clientId)
-		.clientSecret(clientSecret)
+		.clientSecret(clientSecret) // $ HardcodedCredentialsApiCall
 		.tenantId(tenantId)
 		.build();
 	}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.expected
@@ -1,138 +0,0 @@
-edges
-| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:13:39:13:39 | p |
-| CredentialsTest.java:7:30:7:30 | p : String | CredentialsTest.java:14:16:14:16 | p : String |
-| CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:7:30:7:30 | p : String |
-| CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:13:36:13:36 | u |
-| CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:14:13:14:13 | u : String |
-| CredentialsTest.java:14:13:14:13 | u : String | CredentialsTest.java:17:38:17:45 | v : String |
-| CredentialsTest.java:14:16:14:16 | p : String | CredentialsTest.java:17:48:17:55 | q : String |
-| CredentialsTest.java:17:38:17:45 | v : String | CredentialsTest.java:18:36:18:36 | v |
-| CredentialsTest.java:17:48:17:55 | q : String | CredentialsTest.java:18:39:18:39 | q |
-| FileCredentialTest.java:13:14:13:20 | "admin" : String | FileCredentialTest.java:19:13:19:13 | u : String |
-| FileCredentialTest.java:19:13:19:13 | u : String | FileCredentialTest.java:22:38:22:45 | v : String |
-| FileCredentialTest.java:22:38:22:45 | v : String | FileCredentialTest.java:23:36:23:36 | v |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret |
-| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
-| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String |
-| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) |
-| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) |
-| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:12:13:12:15 | usr : String |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr |
-| Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:12:18:12:21 | pass : String |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:15:41:15:44 | pass |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:18:44:18:61 | toCharArray(...) |
-| Test.java:12:13:12:15 | usr : String | Test.java:29:38:29:48 | user : String |
-| Test.java:12:18:12:21 | pass : String | Test.java:29:51:29:65 | password : String |
-| Test.java:17:44:17:51 | "123456" : String | Test.java:17:44:17:65 | toCharArray(...) |
-| Test.java:20:16:20:39 | new byte[] : byte[] | Test.java:21:78:21:80 | key |
-| Test.java:23:17:23:26 | "abcdefgh" : String | Test.java:24:79:24:82 | key2 |
-| Test.java:29:38:29:48 | user : String | Test.java:30:36:30:39 | user |
-| Test.java:29:51:29:65 | password : String | Test.java:30:42:30:49 | password |
-nodes
-| CredentialsTest.java:7:30:7:30 | p : String | semmle.label | p : String |
-| CredentialsTest.java:7:34:7:41 | "123456" : String | semmle.label | "123456" : String |
-| CredentialsTest.java:11:14:11:20 | "admin" : String | semmle.label | "admin" : String |
-| CredentialsTest.java:13:36:13:36 | u | semmle.label | u |
-| CredentialsTest.java:13:39:13:39 | p | semmle.label | p |
-| CredentialsTest.java:14:13:14:13 | u : String | semmle.label | u : String |
-| CredentialsTest.java:14:16:14:16 | p : String | semmle.label | p : String |
-| CredentialsTest.java:17:38:17:45 | v : String | semmle.label | v : String |
-| CredentialsTest.java:17:48:17:55 | q : String | semmle.label | q : String |
-| CredentialsTest.java:18:36:18:36 | v | semmle.label | v |
-| CredentialsTest.java:18:39:18:39 | q | semmle.label | q |
-| FileCredentialTest.java:13:14:13:20 | "admin" : String | semmle.label | "admin" : String |
-| FileCredentialTest.java:18:35:18:41 | "admin" | semmle.label | "admin" |
-| FileCredentialTest.java:19:13:19:13 | u : String | semmle.label | u : String |
-| FileCredentialTest.java:22:38:22:45 | v : String | semmle.label | v : String |
-| FileCredentialTest.java:23:36:23:36 | v | semmle.label | v |
-| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | semmle.label | "ACCESS_KEY" |
-| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | semmle.label | "SECRET_KEY" |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | semmle.label | "username@example.onmicrosoft.com" : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | semmle.label | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | semmle.label | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | semmle.label | parameter this [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | semmle.label | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | username | semmle.label | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | semmle.label | clientSecret |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:43:14:43:38 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | semmle.label | clientSecret |
-| HardcodedAzureCredentials.java:46:17:46:28 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
-| HardcodedAzureCredentials.java:63:3:63:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | semmle.label | "TEST123" : String |
-| HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | semmle.label | getBytes(...) |
-| HardcodedShiroKey.java:18:46:18:87 | decode(...) | semmle.label | decode(...) |
-| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | semmle.label | "4AvVhmFLUs0KTA3Kprsdag==" : String |
-| HardcodedShiroKey.java:26:46:26:109 | decode(...) | semmle.label | decode(...) |
-| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | semmle.label | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String |
-| Test.java:9:16:9:22 | "admin" : String | semmle.label | "admin" : String |
-| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
-| Test.java:12:13:12:15 | usr : String | semmle.label | usr : String |
-| Test.java:12:18:12:21 | pass : String | semmle.label | pass : String |
-| Test.java:14:36:14:42 | "admin" | semmle.label | "admin" |
-| Test.java:14:45:14:52 | "123456" | semmle.label | "123456" |
-| Test.java:15:36:15:38 | usr | semmle.label | usr |
-| Test.java:15:41:15:44 | pass | semmle.label | pass |
-| Test.java:17:39:17:41 | usr | semmle.label | usr |
-| Test.java:17:44:17:51 | "123456" : String | semmle.label | "123456" : String |
-| Test.java:17:44:17:65 | toCharArray(...) | semmle.label | toCharArray(...) |
-| Test.java:18:39:18:41 | usr | semmle.label | usr |
-| Test.java:18:44:18:61 | toCharArray(...) | semmle.label | toCharArray(...) |
-| Test.java:20:16:20:39 | new byte[] : byte[] | semmle.label | new byte[] : byte[] |
-| Test.java:21:78:21:80 | key | semmle.label | key |
-| Test.java:23:17:23:26 | "abcdefgh" : String | semmle.label | "abcdefgh" : String |
-| Test.java:24:79:24:82 | key2 | semmle.label | key2 |
-| Test.java:29:38:29:48 | user : String | semmle.label | user : String |
-| Test.java:29:51:29:65 | password : String | semmle.label | password : String |
-| Test.java:30:36:30:39 | user | semmle.label | user |
-| Test.java:30:42:30:49 | password | semmle.label | password |
-subpaths
-#select
-| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:13:39:13:39 | p | Hard-coded value flows to $@. | CredentialsTest.java:13:39:13:39 | p | sensitive API call |
-| CredentialsTest.java:7:34:7:41 | "123456" | CredentialsTest.java:7:34:7:41 | "123456" : String | CredentialsTest.java:18:39:18:39 | q | Hard-coded value flows to $@. | CredentialsTest.java:18:39:18:39 | q | sensitive API call |
-| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:13:36:13:36 | u | Hard-coded value flows to $@. | CredentialsTest.java:13:36:13:36 | u | sensitive API call |
-| CredentialsTest.java:11:14:11:20 | "admin" | CredentialsTest.java:11:14:11:20 | "admin" : String | CredentialsTest.java:18:36:18:36 | v | Hard-coded value flows to $@. | CredentialsTest.java:18:36:18:36 | v | sensitive API call |
-| FileCredentialTest.java:13:14:13:20 | "admin" | FileCredentialTest.java:13:14:13:20 | "admin" : String | FileCredentialTest.java:23:36:23:36 | v | Hard-coded value flows to $@. | FileCredentialTest.java:23:36:23:36 | v | sensitive API call |
-| FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | FileCredentialTest.java:18:35:18:41 | "admin" | Hard-coded value flows to $@. | FileCredentialTest.java:18:35:18:41 | "admin" | sensitive API call |
-| HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:50:8:61 | "ACCESS_KEY" | sensitive API call |
-| HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | Hard-coded value flows to $@. | HardcodedAWSCredentials.java:8:64:8:75 | "SECRET_KEY" | sensitive API call |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive API call |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive API call |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:46:17:46:28 | clientSecret | sensitive API call |
-| HardcodedShiroKey.java:9:46:9:54 | "TEST123" | HardcodedShiroKey.java:9:46:9:54 | "TEST123" : String | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:9:46:9:65 | getBytes(...) | sensitive API call |
-| HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" | HardcodedShiroKey.java:18:61:18:86 | "4AvVhmFLUs0KTA3Kprsdag==" : String | HardcodedShiroKey.java:18:46:18:87 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:18:46:18:87 | decode(...) | sensitive API call |
-| HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" | HardcodedShiroKey.java:26:83:26:108 | "6ZmI6I2j5Y+R5aSn5ZOlAA==" : String | HardcodedShiroKey.java:26:46:26:109 | decode(...) | Hard-coded value flows to $@. | HardcodedShiroKey.java:26:46:26:109 | decode(...) | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:15:36:15:38 | usr | Hard-coded value flows to $@. | Test.java:15:36:15:38 | usr | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:17:39:17:41 | usr | Hard-coded value flows to $@. | Test.java:17:39:17:41 | usr | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:18:39:18:41 | usr | Hard-coded value flows to $@. | Test.java:18:39:18:41 | usr | sensitive API call |
-| Test.java:9:16:9:22 | "admin" | Test.java:9:16:9:22 | "admin" : String | Test.java:30:36:30:39 | user | Hard-coded value flows to $@. | Test.java:30:36:30:39 | user | sensitive API call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:15:41:15:44 | pass | Hard-coded value flows to $@. | Test.java:15:41:15:44 | pass | sensitive API call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:18:44:18:61 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:18:44:18:61 | toCharArray(...) | sensitive API call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:30:42:30:49 | password | Hard-coded value flows to $@. | Test.java:30:42:30:49 | password | sensitive API call |
-| Test.java:14:36:14:42 | "admin" | Test.java:14:36:14:42 | "admin" | Test.java:14:36:14:42 | "admin" | Hard-coded value flows to $@. | Test.java:14:36:14:42 | "admin" | sensitive API call |
-| Test.java:14:45:14:52 | "123456" | Test.java:14:45:14:52 | "123456" | Test.java:14:45:14:52 | "123456" | Hard-coded value flows to $@. | Test.java:14:45:14:52 | "123456" | sensitive API call |
-| Test.java:17:44:17:51 | "123456" | Test.java:17:44:17:51 | "123456" : String | Test.java:17:44:17:65 | toCharArray(...) | Hard-coded value flows to $@. | Test.java:17:44:17:65 | toCharArray(...) | sensitive API call |
-| Test.java:20:16:20:39 | new byte[] | Test.java:20:16:20:39 | new byte[] : byte[] | Test.java:21:78:21:80 | key | Hard-coded value flows to $@. | Test.java:21:78:21:80 | key | sensitive API call |
-| Test.java:23:17:23:26 | "abcdefgh" | Test.java:23:17:23:26 | "abcdefgh" : String | Test.java:24:79:24:82 | key2 | Hard-coded value flows to $@. | Test.java:24:79:24:82 | key2 | sensitive API call |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql
@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.HardcodedCredentialsApiCallQuery
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedCredentialsApiCallTest extends InlineExpectationsTest {
+  HardcodedCredentialsApiCallTest() { this = "HardcodedCredentialsApiCallTest" }
+
+  override string getARelevantTag() { result = "HardcodedCredentialsApiCall" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedCredentialsApiCall" and
+    exists(DataFlow::Node sink, HardcodedCredentialApiCallConfiguration conf |
+      conf.hasFlow(_, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.expected
@@ -1 +0,0 @@
-| Test.java:36:26:36:32 | "admin" | Hard-coded value is $@ with password variable $@. | Test.java:36:10:36:33 | equals(...) | compared | Test.java:35:38:35:52 | password | password |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.HardcodedCredentialsComparison
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedCredentialsComparisonTest extends InlineExpectationsTest {
+  HardcodedCredentialsComparisonTest() { this = "HardcodedCredentialsComparisonTest" }
+
+  override string getARelevantTag() { result = "HardcodedCredentialsComparison" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedCredentialsComparison" and
+    exists(Expr sink | isHardcodedCredentialsComparison(sink, _, _) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.expected
@@ -1,42 +0,0 @@
-edges
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | HardcodedAzureCredentials.java:18:13:18:20 | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String |
-| Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass |
-| User.java:2:30:2:39 | DEFAULT_PW : String | User.java:5:15:5:24 | DEFAULT_PW |
-| User.java:2:43:2:50 | "123456" : String | User.java:2:30:2:39 | DEFAULT_PW : String |
-nodes
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [clientSecret] : String | semmle.label | this <.method> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:8:14:8:38 | this <.method> [post update] [username] : String | semmle.label | this <.method> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:2:10:68 | this <.field> [post update] [username] : String | semmle.label | this <.field> [post update] [username] : String |
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | semmle.label | "username@example.onmicrosoft.com" : String |
-| HardcodedAzureCredentials.java:11:2:11:74 | this <.field> [post update] [clientSecret] : String | semmle.label | this <.field> [post update] [clientSecret] : String |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | semmle.label | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [clientSecret] : String | semmle.label | parameter this [clientSecret] : String |
-| HardcodedAzureCredentials.java:15:14:15:42 | parameter this [username] : String | semmle.label | parameter this [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | this <.field> [username] : String | semmle.label | this <.field> [username] : String |
-| HardcodedAzureCredentials.java:18:13:18:20 | username | semmle.label | username |
-| HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | semmle.label | clientSecret |
-| HardcodedAzureCredentials.java:19:13:19:24 | this <.field> [clientSecret] : String | semmle.label | this <.field> [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [clientSecret] : String | semmle.label | new HardcodedAzureCredentials(...) [clientSecret] : String |
-| HardcodedAzureCredentials.java:61:3:61:33 | new HardcodedAzureCredentials(...) [username] : String | semmle.label | new HardcodedAzureCredentials(...) [username] : String |
-| Test.java:10:17:10:24 | "123456" : String | semmle.label | "123456" : String |
-| Test.java:26:17:26:20 | pass | semmle.label | pass |
-| User.java:2:30:2:39 | DEFAULT_PW : String | semmle.label | DEFAULT_PW : String |
-| User.java:2:43:2:50 | "123456" : String | semmle.label | "123456" : String |
-| User.java:5:15:5:24 | DEFAULT_PW | semmle.label | DEFAULT_PW |
-subpaths
-#select
-| HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" | HardcodedAzureCredentials.java:10:34:10:67 | "username@example.onmicrosoft.com" : String | HardcodedAzureCredentials.java:18:13:18:20 | username | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:18:13:18:20 | username | sensitive call |
-| HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" | HardcodedAzureCredentials.java:11:38:11:73 | "1n1.qAc~3Q-1t38aF79Xzv5AUEfR5-ct3_" : String | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | Hard-coded value flows to $@. | HardcodedAzureCredentials.java:19:13:19:24 | clientSecret | sensitive call |
-| Test.java:10:17:10:24 | "123456" | Test.java:10:17:10:24 | "123456" : String | Test.java:26:17:26:20 | pass | Hard-coded value flows to $@. | Test.java:26:17:26:20 | pass | sensitive call |
-| User.java:2:43:2:50 | "123456" | User.java:2:43:2:50 | "123456" : String | User.java:5:15:5:24 | DEFAULT_PW | Hard-coded value flows to $@. | User.java:5:15:5:24 | DEFAULT_PW | sensitive call |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
@@ -0,0 +1,20 @@
+import java
+import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedCredentialsSourceCallTest extends InlineExpectationsTest {
+  HardcodedCredentialsSourceCallTest() { this = "HardcodedCredentialsSourceCallTest" }
+
+  override string getARelevantTag() { result = "HardcodedCredentialsSourceCall" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedCredentialsSourceCall" and
+    exists(DataFlow::Node sink, HardcodedCredentialSourceCallConfiguration conf |
+      conf.hasFlow(_, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedGanymedSsh2Credentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedGanymedSsh2Credentials.java
@@ -0,0 +1,11 @@
+import ch.ethz.ssh2.Connection;
+import java.io.IOException;
+
+public class HardcodedGanymedSsh2Credentials {
+	public static void main(Connection conn) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+		  conn.authenticateWithPassword("username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    } catch(IOException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJ2sshCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJ2sshCredentials.java
@@ -0,0 +1,11 @@
+import com.sshtools.j2ssh.authentication.SshAuthenticationClient;
+import com.sshtools.j2ssh.authentication.PasswordAuthenticationClient;
+
+public class HardcodedJ2sshCredentials {
+  public static void main(SshAuthenticationClient client1, PasswordAuthenticationClient client2) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    client1.setUsername("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    client2.setUsername("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    client2.setPassword("password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJschCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedJschCredentials.java
@@ -0,0 +1,16 @@
+import com.jcraft.jsch.JSch;
+import com.jcraft.jsch.JSchException;
+import com.jcraft.jsch.Session;
+import java.io.IOException;
+
+public class HardcodedJschCredentials {
+	public static void main(JSch jsch) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      Session session = jsch.getSession("Username", "hostname"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      Session session2 = jsch.getSession("Username", "hostname", 22); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      session.setPassword("password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      session2.setPassword("password".getBytes()); // $ HardcodedCredentialsApiCall
+    } catch(JSchException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedMongoCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedMongoCredentials.java
@@ -0,0 +1,12 @@
+import com.mongodb.MongoCredential;
+
+public class HardcodedMongoCredentials {
+  public static void test() {
+    MongoCredential.createCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createMongoCRCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createPlainCredential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createScramSha1Credential("Username", "blah", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createGSSAPICredential("key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    MongoCredential.createMongoX509Credential("key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.expected
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.expected
@@ -1 +0,0 @@
-| Test.java:33:29:33:36 | password | Sensitive field is assigned a hard-coded $@. | Test.java:33:40:33:56 | "myOtherPassword" | value |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.ql
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.HardcodedPasswordField
+import TestUtilities.InlineExpectationsTest
+
+class HardcodedPasswordFieldTest extends InlineExpectationsTest {
+  HardcodedPasswordFieldTest() { this = "HardcodedPasswordFieldTest" }
+
+  override string getARelevantTag() { result = "HardcodedPasswordField" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "HardcodedPasswordField" and
+    exists(Expr assigned | passwordFieldAssignedHardcodedValue(_, assigned) |
+      assigned.getLocation() = location and
+      element = assigned.toString() and
+      value = ""
+    )
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.qlref
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-798/HardcodedPasswordField.ql
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedShiroKey.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedShiroKey.java
@@ -6,16 +6,16 @@ public class HardcodedShiroKey {
    //BAD: hard-coded shiro key
    public void testHardcodedShiroKey(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
-        cookieRememberMeManager.setCipherKey("TEST123".getBytes());
+        cookieRememberMeManager.setCipherKey("TEST123".getBytes()); // $ HardcodedCredentialsApiCall

    }


-    //BAD: hard-coded shiro key encoded by java.util.Base64 
+    //BAD: hard-coded shiro key encoded by java.util.Base64
    public void testHardcodedbase64ShiroKey1(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        java.util.Base64.Decoder decoder = java.util.Base64.getDecoder();
-        cookieRememberMeManager.setCipherKey(decoder.decode("4AvVhmFLUs0KTA3Kprsdag=="));
+        cookieRememberMeManager.setCipherKey(decoder.decode("4AvVhmFLUs0KTA3Kprsdag==")); // $ HardcodedCredentialsApiCall

    }

@@ -23,7 +23,7 @@ public class HardcodedShiroKey {
    //BAD: hard-coded shiro key encoded by org.apache.shiro.codec.Base64
    public void testHardcodedbase64ShiroKey2(String input) {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
-        cookieRememberMeManager.setCipherKey(org.apache.shiro.codec.Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA=="));
+        cookieRememberMeManager.setCipherKey(org.apache.shiro.codec.Base64.decode("6ZmI6I2j5Y+R5aSn5ZOlAA==")); // $ HardcodedCredentialsApiCall

    }

--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedSshjCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedSshjCredentials.java
@@ -0,0 +1,13 @@
+import net.schmizz.sshj.SSHClient;
+import java.io.IOException;
+
+public class HardcodedSshjCredentials {
+	public static void main(SSHClient client) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+		  client.authPassword("Username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      client.authPassword("Username", "password".toCharArray()); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    }
+    catch(IOException e) { }
+	}
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedTrileadSshCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedTrileadSshCredentials.java
@@ -0,0 +1,19 @@
+import com.trilead.ssh2.Connection;
+
+import java.io.IOException;
+import java.io.File;
+
+public class HardcodedTrileadSshCredentials {
+	public static void main(Connection conn) {
+    // BAD: Hardcoded credentials used for the session username and/or password.
+    try {
+      conn.authenticateWithPassword("Username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithDSA("Username", "password", "key"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithNone("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.getRemainingAuthMethods("Username"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.isAuthMethodAvailable("Username", "method"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithPublicKey("Username", "key".toCharArray(), "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      conn.authenticateWithPublicKey("Username", (File)null, "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+    } catch(IOException e) { }
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/Test.java
@@ -11,28 +11,28 @@ public class Test {

 		test(url, usr, pass); // flow through method

-		DriverManager.getConnection(url, "admin", "123456"); // hard-coded user/pass used directly in call
-		DriverManager.getConnection(url, usr, pass); // hard-coded user/pass flows into API call
+		DriverManager.getConnection(url, "admin", "123456"); // $ HardcodedCredentialsApiCall
+		DriverManager.getConnection(url, usr, pass); // $ HardcodedCredentialsApiCall

-		new java.net.PasswordAuthentication(usr, "123456".toCharArray()); // flow into char[] array
-		new java.net.PasswordAuthentication(usr, pass.toCharArray()); // flow through variable, then char[] array
+		new java.net.PasswordAuthentication(usr, "123456".toCharArray()); // $ HardcodedCredentialsApiCall
+		new java.net.PasswordAuthentication(usr, pass.toCharArray()); // $ HardcodedCredentialsApiCall

 		byte[] key = {1, 2, 3, 4, 5, 6, 7, 8}; // hard-coded cryptographic key, flowing into API call below
-		javax.crypto.spec.SecretKeySpec spec = new javax.crypto.spec.SecretKeySpec(key, "AES");
+		javax.crypto.spec.SecretKeySpec spec = new javax.crypto.spec.SecretKeySpec(key, "AES"); // $ HardcodedCredentialsApiCall

 		byte[] key2 = "abcdefgh".getBytes(); // hard-coded cryptographic key, flowing into API call below
-		javax.crypto.spec.SecretKeySpec spec2 = new javax.crypto.spec.SecretKeySpec(key2, "AES");
+		javax.crypto.spec.SecretKeySpec spec2 = new javax.crypto.spec.SecretKeySpec(key2, "AES"); // $ HardcodedCredentialsApiCall

-		passwordCheck(pass); // flow through
+		passwordCheck(pass); // $ HardcodedCredentialsSourceCall
 	}

 	public static void test(String url, String user, String password) throws SQLException {
-		DriverManager.getConnection(url, user, password); // sensitive API call (flow target)
+		DriverManager.getConnection(url, user, password); // $ HardcodedCredentialsApiCall
 	}

-	public static final String password = "myOtherPassword"; // hard-coded password
+	public static final String password = "myOtherPassword"; // $ HardcodedPasswordField

 	public static boolean passwordCheck(String password) {
-		return password.equals("admin"); // hard-coded password comparison
+		return password.equals("admin"); // $ HardcodedCredentialsComparison
 	}
 }
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/User.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/User.java
@@ -2,7 +2,7 @@ class User {
 	private static final String DEFAULT_PW = "123456"; // hard-coded password
 	private String pw;
 	public User() {
-		setPassword(DEFAULT_PW); // sensitive call
+		setPassword(DEFAULT_PW); // $ HardcodedCredentialsSourceCall
 	}
 	public void setPassword(String password) {
 		pw = password;
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/amazon-aws-sdk-1.11.700:${testdir}/../../../../../stubs/azure-sdk-for-java:${testdir}/../../../../../stubs/shiro-core-1.4.0:${testdir}/../../../../../stubs/jsch-0.1.55:${testdir}/../../../../../stubs/ganymed-ssh-2-260:${testdir}/../../../../../stubs/apache-mina-sshd-2.8.0:${testdir}/../../../../../stubs/sshj-0.33.0:${testdir}/../../../../../stubs/j2ssh-1.5.5:${testdir}/../../../../../stubs/trilead-ssh2-212:${testdir}/../../../../../stubs/apache-commons-net-3.8.0:${testdir}/../../../../../stubs/mongodbClient
--- a/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/SocketClient.java
+++ b/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/SocketClient.java
@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.net;
+
+public abstract class SocketClient
+{
+}
--- a/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/ftp/Configurable.java
+++ b/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/ftp/Configurable.java
@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.net.ftp;
+
+public interface Configurable {
+
+}
--- a/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/ftp/FTP.java
+++ b/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/ftp/FTP.java
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.commons.net.ftp;
+
+import org.apache.commons.net.SocketClient;
+
+public class FTP extends SocketClient
+{
+}
--- a/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/ftp/FTPClient.java
+++ b/java/ql/test/stubs/apache-commons-net-3.8.0/org/apache/commons/net/ftp/FTPClient.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.net.ftp;
+
+import java.io.IOException;
+
+public class FTPClient extends FTP implements Configurable {
+
+    public boolean login(final String username, final String password) throws IOException
+    {
+        return true;
+    }
+
+    public boolean login(final String username, final String password, final String account) throws IOException
+    {
+        return true;
+    }
+
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgent.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgent.java
@@ -0,0 +1,21 @@
+// Generated automatically from org.apache.sshd.agent.SshAgent for testing purposes
+
+package org.apache.sshd.agent;
+
+import java.nio.channels.Channel;
+import java.security.KeyPair;
+import java.security.PublicKey;
+import java.util.Map;
+import org.apache.sshd.agent.SshAgentKeyConstraint;
+import org.apache.sshd.common.session.SessionContext;
+
+public interface SshAgent extends Channel
+{
+    Iterable<? extends Map.Entry<PublicKey, String>> getIdentities();
+    Map.Entry<String, byte[]> sign(SessionContext p0, PublicKey p1, String p2, byte[] p3);
+    default KeyPair resolveLocalIdentity(PublicKey p0){ return null; }
+    static String SSH_AUTHSOCKET_ENV_NAME = null;
+    void addIdentity(KeyPair p0, String p1, SshAgentKeyConstraint... p2);
+    void removeAllIdentities();
+    void removeIdentity(PublicKey p0);
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgentFactory.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgentFactory.java
@@ -0,0 +1,18 @@
+// Generated automatically from org.apache.sshd.agent.SshAgentFactory for testing purposes
+
+package org.apache.sshd.agent;
+
+import java.util.List;
+import org.apache.sshd.agent.SshAgent;
+import org.apache.sshd.agent.SshAgentServer;
+import org.apache.sshd.common.FactoryManager;
+import org.apache.sshd.common.channel.ChannelFactory;
+import org.apache.sshd.common.session.ConnectionService;
+import org.apache.sshd.common.session.Session;
+
+public interface SshAgentFactory
+{
+    List<ChannelFactory> getChannelForwardingFactories(FactoryManager p0);
+    SshAgent createClient(Session p0, FactoryManager p1);
+    SshAgentServer createServer(ConnectionService p0);
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgentKeyConstraint.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgentKeyConstraint.java
@@ -0,0 +1,14 @@
+// Generated automatically from org.apache.sshd.agent.SshAgentKeyConstraint for testing purposes
+
+package org.apache.sshd.agent;
+
+import org.apache.sshd.common.util.buffer.Buffer;
+
+abstract public class SshAgentKeyConstraint
+{
+    protected SshAgentKeyConstraint() {}
+    protected SshAgentKeyConstraint(byte p0){}
+    public byte getId(){ return 0; }
+    public static SshAgentKeyConstraint CONFIRM = null;
+    public void put(Buffer p0){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgentServer.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/SshAgentServer.java
@@ -0,0 +1,10 @@
+// Generated automatically from org.apache.sshd.agent.SshAgentServer for testing purposes
+
+package org.apache.sshd.agent;
+
+import java.nio.channels.Channel;
+
+public interface SshAgentServer extends Channel
+{
+    String getId();
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/common/AgentForwardSupport.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/agent/common/AgentForwardSupport.java
@@ -0,0 +1,10 @@
+// Generated automatically from org.apache.sshd.agent.common.AgentForwardSupport for testing purposes
+
+package org.apache.sshd.agent.common;
+
+import org.apache.sshd.common.Closeable;
+
+public interface AgentForwardSupport extends Closeable
+{
+    String initialize();
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/ClientAuthenticationManager.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/ClientAuthenticationManager.java
@@ -0,0 +1,43 @@
+// Generated automatically from org.apache.sshd.client.ClientAuthenticationManager for testing purposes
+
+package org.apache.sshd.client;
+
+import java.security.KeyPair;
+import java.util.Collection;
+import org.apache.sshd.client.auth.AuthenticationIdentitiesProvider;
+import org.apache.sshd.client.auth.UserAuth;
+import org.apache.sshd.client.auth.UserAuthFactory;
+import org.apache.sshd.client.auth.hostbased.HostBasedAuthenticationReporter;
+import org.apache.sshd.client.auth.keyboard.UserInteraction;
+import org.apache.sshd.client.auth.password.PasswordAuthenticationReporter;
+import org.apache.sshd.client.auth.password.PasswordIdentityProvider;
+import org.apache.sshd.client.auth.pubkey.PublicKeyAuthenticationReporter;
+import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
+import org.apache.sshd.client.session.ClientSession;
+import org.apache.sshd.common.auth.UserAuthFactoriesManager;
+import org.apache.sshd.common.auth.UserAuthInstance;
+import org.apache.sshd.common.auth.UserAuthMethodFactory;
+import org.apache.sshd.common.keyprovider.KeyIdentityProviderHolder;
+import org.apache.sshd.common.session.SessionContext;
+
+public interface ClientAuthenticationManager extends KeyIdentityProviderHolder, UserAuthFactoriesManager<ClientSession, UserAuth, UserAuthFactory>
+{
+    AuthenticationIdentitiesProvider getRegisteredIdentities();
+    HostBasedAuthenticationReporter getHostBasedAuthenticationReporter();
+    KeyPair removePublicKeyIdentity(KeyPair p0);
+    PasswordAuthenticationReporter getPasswordAuthenticationReporter();
+    PasswordIdentityProvider getPasswordIdentityProvider();
+    PublicKeyAuthenticationReporter getPublicKeyAuthenticationReporter();
+    ServerKeyVerifier getServerKeyVerifier();
+    String removePasswordIdentity(String p0);
+    UserInteraction getUserInteraction();
+    default void setUserAuthFactoriesNames(Collection<String> p0){}
+    void addPasswordIdentity(String p0);
+    void addPublicKeyIdentity(KeyPair p0);
+    void setHostBasedAuthenticationReporter(HostBasedAuthenticationReporter p0);
+    void setPasswordAuthenticationReporter(PasswordAuthenticationReporter p0);
+    void setPasswordIdentityProvider(PasswordIdentityProvider p0);
+    void setPublicKeyAuthenticationReporter(PublicKeyAuthenticationReporter p0);
+    void setServerKeyVerifier(ServerKeyVerifier p0);
+    void setUserInteraction(UserInteraction p0);
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/ClientFactoryManager.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/ClientFactoryManager.java
@@ -0,0 +1,17 @@
+// Generated automatically from org.apache.sshd.client.ClientFactoryManager for testing purposes
+
+package org.apache.sshd.client;
+
+import org.apache.sshd.client.ClientAuthenticationManager;
+import org.apache.sshd.client.config.hosts.HostConfigEntryResolver;
+import org.apache.sshd.client.config.keys.ClientIdentityLoaderManager;
+import org.apache.sshd.client.session.ClientProxyConnectorHolder;
+import org.apache.sshd.client.session.ClientSessionCreator;
+import org.apache.sshd.common.FactoryManager;
+import org.apache.sshd.common.config.keys.FilePasswordProviderManager;
+
+public interface ClientFactoryManager extends ClientAuthenticationManager, ClientIdentityLoaderManager, ClientProxyConnectorHolder, ClientSessionCreator, FactoryManager, FilePasswordProviderManager
+{
+    HostConfigEntryResolver getHostConfigEntryResolver();
+    void setHostConfigEntryResolver(HostConfigEntryResolver p0);
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/SshClient.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/SshClient.java
@@ -0,0 +1,108 @@
+// Generated automatically from org.apache.sshd.client.SshClient for testing purposes
+
+package org.apache.sshd.client;
+
+import java.net.SocketAddress;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import java.security.KeyPair;
+import java.util.Collection;
+import java.util.List;
+import org.apache.sshd.client.ClientFactoryManager;
+import org.apache.sshd.client.auth.AuthenticationIdentitiesProvider;
+import org.apache.sshd.client.auth.UserAuthFactory;
+import org.apache.sshd.client.auth.hostbased.HostBasedAuthenticationReporter;
+import org.apache.sshd.client.auth.keyboard.UserInteraction;
+import org.apache.sshd.client.auth.password.PasswordAuthenticationReporter;
+import org.apache.sshd.client.auth.password.PasswordIdentityProvider;
+import org.apache.sshd.client.auth.pubkey.PublicKeyAuthenticationReporter;
+import org.apache.sshd.client.config.hosts.HostConfigEntry;
+import org.apache.sshd.client.config.hosts.HostConfigEntryResolver;
+import org.apache.sshd.client.config.keys.ClientIdentityLoader;
+import org.apache.sshd.client.future.ConnectFuture;
+import org.apache.sshd.client.keyverifier.ServerKeyVerifier;
+import org.apache.sshd.client.session.ClientProxyConnector;
+import org.apache.sshd.client.session.ClientSession;
+import org.apache.sshd.client.session.SessionFactory;
+import org.apache.sshd.client.simple.SimpleClient;
+import org.apache.sshd.common.AttributeRepository;
+import org.apache.sshd.common.Closeable;
+import org.apache.sshd.common.Factory;
+import org.apache.sshd.common.NamedResource;
+import org.apache.sshd.common.ServiceFactory;
+import org.apache.sshd.common.config.keys.FilePasswordProvider;
+import org.apache.sshd.common.future.SshFuture;
+import org.apache.sshd.common.future.SshFutureListener;
+import org.apache.sshd.common.helpers.AbstractFactoryManager;
+import org.apache.sshd.common.io.IoConnectFuture;
+import org.apache.sshd.common.io.IoConnector;
+import org.apache.sshd.common.io.IoSession;
+import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
+
+public class SshClient extends AbstractFactoryManager implements ClientFactoryManager, Closeable
+{
+    protected Closeable getInnerCloseable(){ return null; }
+    protected ConnectFuture doConnect(HostConfigEntry p0, List<HostConfigEntry> p1, AttributeRepository p2, SocketAddress p3){ return null; }
+    protected ConnectFuture doConnect(String p0, SocketAddress p1, AttributeRepository p2, SocketAddress p3, KeyIdentityProvider p4, HostConfigEntry p5){ return null; }
+    protected HostConfigEntry resolveHost(String p0, String p1, int p2, AttributeRepository p3, SocketAddress p4){ return null; }
+    protected IoConnector connector = null;
+    protected IoConnector createConnector(){ return null; }
+    protected KeyIdentityProvider preloadClientIdentities(Collection<? extends NamedResource> p0){ return null; }
+    protected List<HostConfigEntry> parseProxyJumps(String p0, AttributeRepository p1){ return null; }
+    protected List<UserAuthFactory> userAuthFactories = null;
+    protected SessionFactory createSessionFactory(){ return null; }
+    protected SessionFactory sessionFactory = null;
+    protected SshFutureListener<IoConnectFuture> createConnectCompletionListener(ConnectFuture p0, String p1, SocketAddress p2, KeyIdentityProvider p3, HostConfigEntry p4){ return null; }
+    protected void checkConfig(){}
+    protected void onConnectOperationComplete(IoSession p0, ConnectFuture p1, String p2, SocketAddress p3, KeyIdentityProvider p4, HostConfigEntry p5){}
+    protected void setupDefaultSessionIdentities(ClientSession p0, KeyIdentityProvider p1){}
+    public AuthenticationIdentitiesProvider getRegisteredIdentities(){ return null; }
+    public ClientIdentityLoader getClientIdentityLoader(){ return null; }
+    public ClientProxyConnector getClientProxyConnector(){ return null; }
+    public ConnectFuture connect(HostConfigEntry p0, AttributeRepository p1, SocketAddress p2){ return null; }
+    public ConnectFuture connect(String p0){ return null; }
+    public ConnectFuture connect(String p0, SocketAddress p1, AttributeRepository p2, SocketAddress p3){ return null; }
+    public ConnectFuture connect(String p0, String p1, int p2, AttributeRepository p3, SocketAddress p4){ return null; }
+    public FilePasswordProvider getFilePasswordProvider(){ return null; }
+    public HostBasedAuthenticationReporter getHostBasedAuthenticationReporter(){ return null; }
+    public HostConfigEntryResolver getHostConfigEntryResolver(){ return null; }
+    public KeyIdentityProvider getKeyIdentityProvider(){ return null; }
+    public KeyPair removePublicKeyIdentity(KeyPair p0){ return null; }
+    public List<UserAuthFactory> getUserAuthFactories(){ return null; }
+    public PasswordAuthenticationReporter getPasswordAuthenticationReporter(){ return null; }
+    public PasswordIdentityProvider getPasswordIdentityProvider(){ return null; }
+    public PublicKeyAuthenticationReporter getPublicKeyAuthenticationReporter(){ return null; }
+    public ServerKeyVerifier getServerKeyVerifier(){ return null; }
+    public SessionFactory getSessionFactory(){ return null; }
+    public SshClient(){}
+    public String removePasswordIdentity(String p0){ return null; }
+    public String toString(){ return null; }
+    public UserInteraction getUserInteraction(){ return null; }
+    public boolean isStarted(){ return false; }
+    public static <C extends SshClient> C setKeyPairProvider(C p0, Path p1, boolean p2, boolean p3, FilePasswordProvider p4, LinkOption... p5){ return null; }
+    public static <C extends SshClient> C setKeyPairProvider(C p0, boolean p1, boolean p2, FilePasswordProvider p3, LinkOption... p4){ return null; }
+    public static Factory<SshClient> DEFAULT_SSH_CLIENT_FACTORY = null;
+    public static List<ServiceFactory> DEFAULT_SERVICE_FACTORIES = null;
+    public static List<UserAuthFactory> DEFAULT_USER_AUTH_FACTORIES = null;
+    public static SimpleClient setUpDefaultSimpleClient(){ return null; }
+    public static SimpleClient wrapAsSimpleClient(SshClient p0){ return null; }
+    public static SshClient setUpDefaultClient(){ return null; }
+    public void addPasswordIdentity(String p0){}
+    public void addPublicKeyIdentity(KeyPair p0){}
+    public void open(){}
+    public void setClientIdentityLoader(ClientIdentityLoader p0){}
+    public void setClientProxyConnector(ClientProxyConnector p0){}
+    public void setFilePasswordProvider(FilePasswordProvider p0){}
+    public void setHostBasedAuthenticationReporter(HostBasedAuthenticationReporter p0){}
+    public void setHostConfigEntryResolver(HostConfigEntryResolver p0){}
+    public void setKeyIdentityProvider(KeyIdentityProvider p0){}
+    public void setPasswordAuthenticationReporter(PasswordAuthenticationReporter p0){}
+    public void setPasswordIdentityProvider(PasswordIdentityProvider p0){}
+    public void setPublicKeyAuthenticationReporter(PublicKeyAuthenticationReporter p0){}
+    public void setServerKeyVerifier(ServerKeyVerifier p0){}
+    public void setSessionFactory(SessionFactory p0){}
+    public void setUserAuthFactories(List<UserAuthFactory> p0){}
+    public void setUserInteraction(UserInteraction p0){}
+    public void start(){}
+    public void stop(){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/AuthenticationIdentitiesProvider.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/AuthenticationIdentitiesProvider.java
@@ -0,0 +1,18 @@
+// Generated automatically from org.apache.sshd.client.auth.AuthenticationIdentitiesProvider for testing purposes
+
+package org.apache.sshd.client.auth;
+
+import java.util.Comparator;
+import java.util.List;
+import org.apache.sshd.client.auth.password.PasswordIdentityProvider;
+import org.apache.sshd.common.keyprovider.KeyIdentityProvider;
+import org.apache.sshd.common.session.SessionContext;
+
+public interface AuthenticationIdentitiesProvider extends KeyIdentityProvider, PasswordIdentityProvider
+{
+    Iterable<? extends Object> loadIdentities(SessionContext p0);
+    static AuthenticationIdentitiesProvider wrapIdentities(Iterable<? extends Object> p0){ return null; }
+    static Comparator<Object> KEYPAIR_IDENTITY_COMPARATOR = null;
+    static Comparator<Object> PASSWORD_IDENTITY_COMPARATOR = null;
+    static int findIdentityIndex(List<? extends Object> p0, Comparator<? super Object> p1, Object p2){ return 0; }
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/UserAuth.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/UserAuth.java
@@ -0,0 +1,19 @@
+// Generated automatically from org.apache.sshd.client.auth.UserAuth for testing purposes
+
+package org.apache.sshd.client.auth;
+
+import java.util.List;
+import org.apache.sshd.client.session.ClientSession;
+import org.apache.sshd.client.session.ClientSessionHolder;
+import org.apache.sshd.common.auth.UserAuthInstance;
+import org.apache.sshd.common.session.SessionContext;
+import org.apache.sshd.common.util.buffer.Buffer;
+
+public interface UserAuth extends ClientSessionHolder, UserAuthInstance<ClientSession>
+{
+    boolean process(Buffer p0);
+    default void signalAuthMethodFailure(ClientSession p0, String p1, boolean p2, List<String> p3, Buffer p4){}
+    default void signalAuthMethodSuccess(ClientSession p0, String p1, Buffer p2){}
+    void destroy();
+    void init(ClientSession p0, String p1);
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/UserAuthFactory.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/UserAuthFactory.java
@@ -0,0 +1,13 @@
+// Generated automatically from org.apache.sshd.client.auth.UserAuthFactory for testing purposes
+
+package org.apache.sshd.client.auth;
+
+import org.apache.sshd.client.auth.UserAuth;
+import org.apache.sshd.client.session.ClientSession;
+import org.apache.sshd.common.auth.UserAuthInstance;
+import org.apache.sshd.common.auth.UserAuthMethodFactory;
+import org.apache.sshd.common.session.SessionContext;
+
+public interface UserAuthFactory extends UserAuthMethodFactory<ClientSession, UserAuth>
+{
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/hostbased/HostBasedAuthenticationReporter.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/hostbased/HostBasedAuthenticationReporter.java
@@ -0,0 +1,15 @@
+// Generated automatically from org.apache.sshd.client.auth.hostbased.HostBasedAuthenticationReporter for testing purposes
+
+package org.apache.sshd.client.auth.hostbased;
+
+import java.security.KeyPair;
+import java.util.List;
+import org.apache.sshd.client.session.ClientSession;
+
+public interface HostBasedAuthenticationReporter
+{
+    default void signalAuthenticationAttempt(ClientSession p0, String p1, KeyPair p2, String p3, String p4, byte[] p5){}
+    default void signalAuthenticationExhausted(ClientSession p0, String p1, String p2, String p3){}
+    default void signalAuthenticationFailure(ClientSession p0, String p1, KeyPair p2, String p3, String p4, boolean p5, List<String> p6){}
+    default void signalAuthenticationSuccess(ClientSession p0, String p1, KeyPair p2, String p3, String p4){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/keyboard/UserInteraction.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/keyboard/UserInteraction.java
@@ -0,0 +1,26 @@
+// Generated automatically from org.apache.sshd.client.auth.keyboard.UserInteraction for testing purposes
+
+package org.apache.sshd.client.auth.keyboard;
+
+import java.security.KeyPair;
+import java.util.List;
+import org.apache.sshd.client.session.ClientSession;
+
+public interface UserInteraction
+{
+    String getUpdatedPassword(ClientSession p0, String p1, String p2);
+    String[] interactive(ClientSession p0, String p1, String p2, String p3, String[] p4, boolean[] p5);
+    default KeyPair resolveAuthPublicKeyIdentityAttempt(ClientSession p0){ return null; }
+    default String resolveAuthPasswordAttempt(ClientSession p0){ return null; }
+    default boolean isInteractionAllowed(ClientSession p0){ return false; }
+    default void serverVersionInfo(ClientSession p0, List<String> p1){}
+    default void welcome(ClientSession p0, String p1, String p2){}
+    static String AUTO_DETECT_PASSWORD_PROMPT = null;
+    static String CHECK_INTERACTIVE_PASSWORD_DELIM = null;
+    static String DEFAULT_CHECK_INTERACTIVE_PASSWORD_DELIM = null;
+    static String DEFAULT_INTERACTIVE_PASSWORD_PROMPT = null;
+    static String INTERACTIVE_PASSWORD_PROMPT = null;
+    static UserInteraction NONE = null;
+    static boolean DEFAULT_AUTO_DETECT_PASSWORD_PROMPT = false;
+    static int findPromptComponentLastPosition(String p0, String p1){ return 0; }
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/password/PasswordAuthenticationReporter.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/password/PasswordAuthenticationReporter.java
@@ -0,0 +1,14 @@
+// Generated automatically from org.apache.sshd.client.auth.password.PasswordAuthenticationReporter for testing purposes
+
+package org.apache.sshd.client.auth.password;
+
+import java.util.List;
+import org.apache.sshd.client.session.ClientSession;
+
+public interface PasswordAuthenticationReporter
+{
+    default void signalAuthenticationAttempt(ClientSession p0, String p1, String p2, boolean p3, String p4){}
+    default void signalAuthenticationExhausted(ClientSession p0, String p1){}
+    default void signalAuthenticationFailure(ClientSession p0, String p1, String p2, boolean p3, List<String> p4){}
+    default void signalAuthenticationSuccess(ClientSession p0, String p1, String p2){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/password/PasswordIdentityProvider.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/password/PasswordIdentityProvider.java
@@ -0,0 +1,21 @@
+// Generated automatically from org.apache.sshd.client.auth.password.PasswordIdentityProvider for testing purposes
+
+package org.apache.sshd.client.auth.password;
+
+import java.util.Collection;
+import java.util.Iterator;
+import org.apache.sshd.common.session.SessionContext;
+
+public interface PasswordIdentityProvider
+{
+    Iterable<String> loadPasswords(SessionContext p0);
+    static Iterable<String> iterableOf(SessionContext p0, Collection<? extends PasswordIdentityProvider> p1){ return null; }
+    static Iterator<String> iteratorOf(SessionContext p0, PasswordIdentityProvider p1){ return null; }
+    static Iterator<String> iteratorOf(SessionContext p0, PasswordIdentityProvider p1, PasswordIdentityProvider p2){ return null; }
+    static PasswordIdentityProvider EMPTY_PASSWORDS_PROVIDER = null;
+    static PasswordIdentityProvider multiProvider(SessionContext p0, Collection<? extends PasswordIdentityProvider> p1){ return null; }
+    static PasswordIdentityProvider multiProvider(SessionContext p0, PasswordIdentityProvider... p1){ return null; }
+    static PasswordIdentityProvider resolvePasswordIdentityProvider(SessionContext p0, PasswordIdentityProvider p1, PasswordIdentityProvider p2){ return null; }
+    static PasswordIdentityProvider wrapPasswords(Iterable<String> p0){ return null; }
+    static PasswordIdentityProvider wrapPasswords(String... p0){ return null; }
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/pubkey/PublicKeyAuthenticationReporter.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/auth/pubkey/PublicKeyAuthenticationReporter.java
@@ -0,0 +1,16 @@
+// Generated automatically from org.apache.sshd.client.auth.pubkey.PublicKeyAuthenticationReporter for testing purposes
+
+package org.apache.sshd.client.auth.pubkey;
+
+import java.security.KeyPair;
+import java.util.List;
+import org.apache.sshd.client.session.ClientSession;
+
+public interface PublicKeyAuthenticationReporter
+{
+    default void signalAuthenticationAttempt(ClientSession p0, String p1, KeyPair p2, String p3){}
+    default void signalAuthenticationExhausted(ClientSession p0, String p1){}
+    default void signalAuthenticationFailure(ClientSession p0, String p1, KeyPair p2, boolean p3, List<String> p4){}
+    default void signalAuthenticationSuccess(ClientSession p0, String p1, KeyPair p2){}
+    default void signalSignatureAttempt(ClientSession p0, String p1, KeyPair p2, String p3, byte[] p4){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/AbstractClientChannel.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/AbstractClientChannel.java
@@ -0,0 +1,78 @@
+// Generated automatically from org.apache.sshd.client.channel.AbstractClientChannel for testing purposes
+
+package org.apache.sshd.client.channel;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Collection;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
+import org.apache.sshd.client.channel.ClientChannel;
+import org.apache.sshd.client.channel.ClientChannelEvent;
+import org.apache.sshd.client.future.OpenFuture;
+import org.apache.sshd.common.Closeable;
+import org.apache.sshd.common.channel.AbstractChannel;
+import org.apache.sshd.common.channel.Channel;
+import org.apache.sshd.common.channel.ChannelAsyncInputStream;
+import org.apache.sshd.common.channel.ChannelAsyncOutputStream;
+import org.apache.sshd.common.channel.RequestHandler;
+import org.apache.sshd.common.channel.StreamingChannel;
+import org.apache.sshd.common.io.IoInputStream;
+import org.apache.sshd.common.io.IoOutputStream;
+import org.apache.sshd.common.util.EventNotifier;
+import org.apache.sshd.common.util.buffer.Buffer;
+
+abstract public class AbstractClientChannel extends AbstractChannel implements ClientChannel
+{
+    protected AbstractClientChannel() {}
+    protected <C extends Collection<ClientChannelEvent>> C updateCurrentChannelState(C p0){ return null; }
+    protected AbstractClientChannel(String p0){}
+    protected AbstractClientChannel(String p0, Collection<? extends RequestHandler<Channel>> p1){}
+    protected ChannelAsyncInputStream asyncErr = null;
+    protected ChannelAsyncInputStream asyncOut = null;
+    protected ChannelAsyncOutputStream asyncIn = null;
+    protected Closeable getInnerCloseable(){ return null; }
+    protected InputStream in = null;
+    protected InputStream invertedErr = null;
+    protected InputStream invertedOut = null;
+    protected OpenFuture openFuture = null;
+    protected OutputStream err = null;
+    protected OutputStream invertedIn = null;
+    protected OutputStream out = null;
+    protected StreamingChannel.Streaming streaming = null;
+    protected String openFailureLang = null;
+    protected String openFailureMsg = null;
+    protected abstract void doOpen();
+    protected final AtomicBoolean opened = null;
+    protected final AtomicReference<Integer> exitStatusHolder = null;
+    protected final AtomicReference<String> exitSignalHolder = null;
+    protected int openFailureReason = 0;
+    protected void addChannelSignalRequestHandlers(EventNotifier<String> p0){}
+    protected void doWriteData(byte[] p0, int p1, long p2){}
+    protected void doWriteExtendedData(byte[] p0, int p1, long p2){}
+    public InputStream getIn(){ return null; }
+    public InputStream getInvertedErr(){ return null; }
+    public InputStream getInvertedOut(){ return null; }
+    public Integer getExitStatus(){ return null; }
+    public IoInputStream getAsyncErr(){ return null; }
+    public IoInputStream getAsyncOut(){ return null; }
+    public IoOutputStream getAsyncIn(){ return null; }
+    public OpenFuture open(){ return null; }
+    public OpenFuture open(int p0, long p1, long p2, Buffer p3){ return null; }
+    public OutputStream getErr(){ return null; }
+    public OutputStream getInvertedIn(){ return null; }
+    public OutputStream getOut(){ return null; }
+    public Set<ClientChannelEvent> getChannelState(){ return null; }
+    public Set<ClientChannelEvent> waitFor(Collection<ClientChannelEvent> p0, long p1){ return null; }
+    public StreamingChannel.Streaming getStreaming(){ return null; }
+    public String getChannelType(){ return null; }
+    public String getExitSignal(){ return null; }
+    public void handleOpenFailure(Buffer p0){}
+    public void handleOpenSuccess(int p0, long p1, long p2, Buffer p3){}
+    public void handleWindowAdjust(Buffer p0){}
+    public void setErr(OutputStream p0){}
+    public void setIn(InputStream p0){}
+    public void setOut(OutputStream p0){}
+    public void setStreaming(StreamingChannel.Streaming p0){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelDirectTcpip.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelDirectTcpip.java
@@ -0,0 +1,18 @@
+// Generated automatically from org.apache.sshd.client.channel.ChannelDirectTcpip for testing purposes
+
+package org.apache.sshd.client.channel;
+
+import org.apache.sshd.client.channel.AbstractClientChannel;
+import org.apache.sshd.client.future.OpenFuture;
+import org.apache.sshd.common.util.net.SshdSocketAddress;
+
+public class ChannelDirectTcpip extends AbstractClientChannel
+{
+    protected ChannelDirectTcpip() {}
+    protected void doOpen(){}
+    protected void doWriteData(byte[] p0, int p1, long p2){}
+    public ChannelDirectTcpip(SshdSocketAddress p0, SshdSocketAddress p1){}
+    public OpenFuture open(){ return null; }
+    public SshdSocketAddress getLocalSocketAddress(){ return null; }
+    public SshdSocketAddress getRemoteSocketAddress(){ return null; }
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelExec.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelExec.java
@@ -0,0 +1,16 @@
+// Generated automatically from org.apache.sshd.client.channel.ChannelExec for testing purposes
+
+package org.apache.sshd.client.channel;
+
+import java.util.Map;
+import org.apache.sshd.client.channel.PtyCapableChannelSession;
+import org.apache.sshd.common.channel.PtyChannelConfigurationHolder;
+
+public class ChannelExec extends PtyCapableChannelSession
+{
+    protected ChannelExec() {}
+    protected void doOpen(){}
+    public ChannelExec(String p0, PtyChannelConfigurationHolder p1, Map<String, ? extends Object> p2){}
+    public void handleFailure(){}
+    public void handleSuccess(){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelSession.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelSession.java
@@ -0,0 +1,21 @@
+// Generated automatically from org.apache.sshd.client.channel.ChannelSession for testing purposes
+
+package org.apache.sshd.client.channel;
+
+import java.io.InputStream;
+import org.apache.sshd.client.channel.AbstractClientChannel;
+import org.apache.sshd.common.Closeable;
+import org.apache.sshd.common.channel.RequestHandler;
+import org.apache.sshd.common.util.buffer.Buffer;
+
+public class ChannelSession extends AbstractClientChannel
+{
+    protected Closeable getInnerCloseable(){ return null; }
+    protected RequestHandler.Result handleInternalRequest(String p0, boolean p1, Buffer p2){ return null; }
+    protected RequestHandler.Result handleXonXoff(Buffer p0, boolean p1){ return null; }
+    protected int securedRead(InputStream p0, int p1, byte[] p2, int p3, int p4){ return 0; }
+    protected void closeImmediately0(){}
+    protected void doOpen(){}
+    protected void pumpInputStream(){}
+    public ChannelSession(){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelShell.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelShell.java
@@ -0,0 +1,16 @@
+// Generated automatically from org.apache.sshd.client.channel.ChannelShell for testing purposes
+
+package org.apache.sshd.client.channel;
+
+import java.util.Map;
+import org.apache.sshd.client.channel.PtyCapableChannelSession;
+import org.apache.sshd.common.channel.PtyChannelConfigurationHolder;
+
+public class ChannelShell extends PtyCapableChannelSession
+{
+    protected ChannelShell() {}
+    protected void doOpen(){}
+    public ChannelShell(PtyChannelConfigurationHolder p0, Map<String, ? extends Object> p1){}
+    public void handleFailure(){}
+    public void handleSuccess(){}
+}
--- a/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelSubsystem.java
+++ b/java/ql/test/stubs/apache-mina-sshd-2.8.0/org/apache/sshd/client/channel/ChannelSubsystem.java
@@ -0,0 +1,17 @@
+// Generated automatically from org.apache.sshd.client.channel.ChannelSubsystem for testing purposes
+
+package org.apache.sshd.client.channel;
+
+import org.apache.sshd.client.channel.ChannelSession;
+
+public class ChannelSubsystem extends ChannelSession
+{
+    protected ChannelSubsystem() {}
+    protected void doOpen(){}
+    public ChannelSubsystem(String p0){}
+    public String toString(){ return null; }
+    public final String getSubsystem(){ return null; }
+    public void handleFailure(){}
+    public void handleSuccess(){}
+    public void onClose(Runnable p0){}
+}
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql`
				`@@ -1 +0,0 @@`
				`\| Test.java:36:26:36:32 \| "admin" \| Hard-coded value is $@ with password variable $@. \| Test.java:36:10:36:33 \| equals(...) \| compared \| Test.java:35:38:35:52 \| password \| password \|`
				`@@ -1 +0,0 @@`
				`\| Test.java:33:29:33:36 \| password \| Sensitive field is assigned a hard-coded $@. \| Test.java:33:40:33:56 \| "myOtherPassword" \| value \|`
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-798/HardcodedPasswordField.ql`