Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer

# Conflicts: # java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected # java/ql/test/query-tests/security/CWE-532/Test.java
2026-05-14 19:29:28 +02:00 · 2026-04-29 20:59:59 +08:00
parent 51e2a5418b 0192ffab07
commit 28a6ff208c
1227 changed files with 153732 additions and 103286 deletions
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,18 @@
+## 9.0.4
+
+### Minor Analysis Improvements
+
+* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the Woodstox StAX library when `com.ctc.wstx.stax.WstxInputFactory` or `org.codehaus.stax2.XMLInputFactory2` are used directly.
+
+## 9.0.3
+
+### Minor Analysis Improvements
+
+* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
+* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
+* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
+* Kotlin versions up to 2.3.20 are now supported.
+
 ## 9.0.2

 No user-facing changes.
--- a/java/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
+++ b/java/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for Java and Kotlin](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-java-and-kotlin/).
--- a/java/ql/lib/change-notes/2026-03-26-kotlin-2.3.20.md
+++ b/java/ql/lib/change-notes/2026-03-26-kotlin-2.3.20.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Kotlin versions up to 2.3.20 are now supported.
--- a/java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md
+++ b/java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
--- a/java/ql/lib/change-notes/2026-04-04-path-injection-torealpath.md
+++ b/java/ql/lib/change-notes/2026-04-04-path-injection-torealpath.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/path-injection` and `java/zipslip` queries now recognize `Path.toRealPath()` as a path normalization sanitizer, consistent with the existing treatment of `Path.normalize()` and `File.getCanonicalPath()`. This reduces false positives for code that uses the NIO.2 API for path canonicalization.
--- a/java/ql/lib/change-notes/2026-04-04-sensitive-log-fp-reduction.md
+++ b/java/ql/lib/change-notes/2026-04-04-sensitive-log-fp-reduction.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/sensitive-log` query now excludes additional common variable naming patterns that do not hold sensitive data, reducing false positives. This includes pagination/iteration tokens (`nextToken`, `pageToken`, `continuationToken`), token metadata (`tokenType`, `tokenEndpoint`, `tokenCount`), and secret metadata (`secretName`, `secretId`, `secretVersion`).
--- a/java/ql/lib/change-notes/2026-04-18-partial-path-traversal-fix.md
+++ b/java/ql/lib/change-notes/2026-04-18-partial-path-traversal-fix.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/partial-path-traversal` and `java/partial-path-traversal-from-remote` queries now correctly recognize file separator appends using `+=`.
--- a/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
+++ b/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
--- a/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
+++ b/java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md
@@ -1,5 +1,8 @@
---
-category: minorAnalysis
---
+## 9.0.3
+
+### Minor Analysis Improvements
+
+* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
 * The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
 * The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
+* Kotlin versions up to 2.3.20 are now supported.
--- a/java/ql/lib/change-notes/released/9.0.4.md
+++ b/java/ql/lib/change-notes/released/9.0.4.md
@@ -0,0 +1,5 @@
+## 9.0.4
+
+### Minor Analysis Improvements
+
+* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the Woodstox StAX library when `com.ctc.wstx.stax.WstxInputFactory` or `org.codehaus.stax2.XMLInputFactory2` are used directly.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.0.2
+lastReleaseVersion: 9.0.4
--- a/java/ql/lib/ext/generated/modelgenerator/java.applet.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.applet.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.beans.beancontext.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.beans.beancontext.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.beans.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.beans.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.io.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.io.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.annotation.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.annotation.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.constant.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.constant.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.instrument.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.instrument.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.invoke.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.invoke.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.management.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.management.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.module.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.module.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.ref.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.ref.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.reflect.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.reflect.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.lang.runtime.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.lang.runtime.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.math.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.math.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.net.http.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.net.http.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.net.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.net.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.channels.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.channels.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.channels.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.channels.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.charset.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.charset.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.charset.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.charset.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.file.attribute.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.file.attribute.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.file.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.file.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.file.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.file.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.nio.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.nio.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.rmi.dgc.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.rmi.dgc.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.rmi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.rmi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.rmi.registry.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.rmi.registry.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.rmi.server.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.rmi.server.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.security.cert.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.security.cert.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.security.interfaces.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.security.interfaces.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.security.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.security.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.security.spec.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.security.spec.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.sql.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.sql.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.text.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.text.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.text.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.text.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.time.chrono.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.time.chrono.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.time.format.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.time.format.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.time.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.time.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.time.temporal.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.time.temporal.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.time.zone.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.time.zone.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.concurrent.atomic.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.concurrent.atomic.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.concurrent.locks.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.concurrent.locks.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.concurrent.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.concurrent.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.function.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.function.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.jar.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.jar.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.logging.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.logging.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.prefs.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.prefs.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.random.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.random.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.regex.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.regex.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.stream.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.stream.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/java.util.zip.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/java.util.zip.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.accessibility.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.accessibility.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.annotation.processing.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.annotation.processing.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.crypto.interfaces.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.crypto.interfaces.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.crypto.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.crypto.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.crypto.spec.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.crypto.spec.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.imageio.metadata.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.imageio.metadata.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.imageio.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.imageio.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.imageio.plugins.bmp.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.imageio.plugins.bmp.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.imageio.plugins.jpeg.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.imageio.plugins.jpeg.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.imageio.plugins.tiff.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.imageio.plugins.tiff.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.imageio.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.imageio.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.imageio.stream.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.imageio.stream.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.element.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.element.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.type.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.type.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.util.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.lang.model.util.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.loading.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.loading.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.modelmbean.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.modelmbean.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.monitor.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.monitor.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.openmbean.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.openmbean.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.relation.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.relation.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.remote.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.remote.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.remote.rmi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.remote.rmi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.management.timer.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.management.timer.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.naming.directory.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.naming.directory.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.naming.event.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.naming.event.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.naming.ldap.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.naming.ldap.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.naming.ldap.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.naming.ldap.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.naming.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.naming.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.naming.spi.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.naming.spi.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.net.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.net.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.net.ssl.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.net.ssl.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.print.attribute.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.print.attribute.model.yml
--- a/java/ql/lib/ext/generated/modelgenerator/javax.print.attribute.standard.model.yml
+++ b/java/ql/lib/ext/generated/modelgenerator/javax.print.attribute.standard.model.yml
--- a/Show More
+++ b/Show More