Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer

# Conflicts: # java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected # java/ql/test/query-tests/security/CWE-532/Test.java
2026-05-14 11:19:27 +02:00 · 2026-04-29 20:59:59 +08:00
parent 51e2a5418b 0192ffab07
commit 28a6ff208c
1227 changed files with 153732 additions and 103286 deletions
--- a/java/ql/test/library-tests/compact-source-files/CompactSourceAnalysis.expected
+++ b/java/ql/test/library-tests/compact-source-files/CompactSourceAnalysis.expected
@@ -1 +1 @@
-| Test.java:0:0:0:0 | Test | Test.java:1:1:1:1 | Test | Compact source file 'Test' contains implicit class 'Test' |
+| Test.java:0:0:0:0 | Test | Test.java:1:1:29:1 | Test | Compact source file 'Test' contains implicit class 'Test' |
--- a/java/ql/test/library-tests/compact-source-files/ImplicitClassDetection.expected
+++ b/java/ql/test/library-tests/compact-source-files/ImplicitClassDetection.expected
@@ -1,2 +1,2 @@
-| Test.java:1:1:1:1 | Test | implicit |
+| Test.java:1:1:29:1 | Test | implicit |
 | Test.java:25:7:25:16 | NotCompact | not implicit |
--- a/java/ql/test/library-tests/compact-source-files/MethodInCompactSource.expected
+++ b/java/ql/test/library-tests/compact-source-files/MethodInCompactSource.expected
@@ -1,5 +1,5 @@
-| Test.java:1:1:1:1 | <clinit> | in compact source |
-| Test.java:1:1:1:1 | <obinit> | in compact source |
+| Test.java:1:1:29:1 | <clinit> | in compact source |
+| Test.java:1:1:29:1 | <obinit> | in compact source |
 | Test.java:5:6:5:9 | main | in compact source |
 | Test.java:11:6:11:16 | processData | in compact source |
 | Test.java:16:14:16:31 | updatePrivateField | in compact source |
--- a/java/ql/test/library-tests/compact-source-files/options
+++ b/java/ql/test/library-tests/compact-source-files/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --release 25 --enable-preview
+//semmle-extractor-options: --javac-args --release 25
--- a/java/ql/test/library-tests/dataflow/kdf/options
+++ b/java/ql/test/library-tests/dataflow/kdf/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --enable-preview --release 25
+//semmle-extractor-options: --javac-args --release 25
--- a/java/ql/test/library-tests/dataflow/scoped-values/options
+++ b/java/ql/test/library-tests/dataflow/scoped-values/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 25 -target 25 --enable-preview
+//semmle-extractor-options: --javac-args -source 25 -target 25
--- a/java/ql/test/library-tests/errorexpr/Test.java
+++ b/java/ql/test/library-tests/errorexpr/Test.java
@@ -13,6 +13,5 @@ public class Test {
 }

 // Diagnostic Matches: Erroneous node in tree: (ERROR)
-// Diagnostic Matches: In file Test.java:8:15 no end location for JCMethodInvocation : yield(x)
 // Diagnostic Matches: 1 errors during annotation processing
 // Diagnostic Matches: Unknown or erroneous type for expression of kind ErrorExpr
--- a/java/ql/test/library-tests/flexible-constructors/options
+++ b/java/ql/test/library-tests/flexible-constructors/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --release 25 --enable-preview
+//semmle-extractor-options: --javac-args --release 25
--- a/java/ql/test/library-tests/module-import-declarations/options
+++ b/java/ql/test/library-tests/module-import-declarations/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args --release 25 --enable-preview
+//semmle-extractor-options: --javac-args --release 25
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java
@@ -72,6 +72,27 @@ public class TaintedPath {
        }
    }

+    public void sendUserFileGood5(Socket sock, String user) throws Exception {
+        BufferedReader filenameReader =
+                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
+        String filename = filenameReader.readLine();
+
+        Path publicFolder = Paths.get("/home/" + user + "/public").toRealPath();
+        Path filePath = publicFolder.resolve(filename).toRealPath();
+
+        // GOOD: toRealPath() normalizes the path (resolves ".." and symlinks),
+        // equivalent to File.getCanonicalPath()
+        if (!filePath.startsWith(publicFolder + File.separator)) {
+            throw new IllegalArgumentException("Invalid filename");
+        }
+        BufferedReader fileReader = new BufferedReader(new FileReader(filePath.toString()));
+        String fileLine = fileReader.readLine();
+        while (fileLine != null) {
+            sock.getOutputStream().write(fileLine.getBytes());
+            fileLine = fileReader.readLine();
+        }
+    }
+
    public void sendUserFileGood4(Socket sock, String user) throws IOException {
        BufferedReader filenameReader =
                new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8"));
--- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.qlref
+++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversal.qlref
@@ -1 +1,4 @@
-Security/CWE/CWE-023/PartialPathTraversal.ql
+query: Security/CWE/CWE-023/PartialPathTraversal.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected
+++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalFromRemoteTest.expected
@@ -1,19 +1,19 @@
 #select
-| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
-| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:32:14:32:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:38:14:38:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:45:14:45:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:52:14:52:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:56:14:56:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:64:14:64:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:67:14:67:27 | canonicalPath2 | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:97:14:97:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:105:14:105:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:108:14:108:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:176:14:176:37 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
+| PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@. | PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | user-supplied data |
 edges
 | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | PartialPathTraversalTest.java:13:14:13:37 | getCanonicalPath(...) | provenance | MaD:6 |
 | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | PartialPathTraversalTest.java:20:10:20:33 | getCanonicalPath(...) | provenance | MaD:6 |
@@ -43,30 +43,30 @@ edges
 | PartialPathTraversalTest.java:194:18:194:28 | encodedFile : File | PartialPathTraversalTest.java:194:18:194:47 | getCanonicalPath(...) | provenance | MaD:6 |
 | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | provenance | MaD:6 |
 | PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | provenance |  |
-| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | provenance |  |
-| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | provenance | MaD:2 |
-| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:1 MaD:7 |
-| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | provenance | MaD:3 |
-| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | PartialPathTraversalTest.java:254:29:254:36 | filename : String | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | provenance |  |
-| PartialPathTraversalTest.java:254:29:254:36 | filename : String | PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | provenance | MaD:4 |
-| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | provenance | MaD:5 |
-| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | provenance | MaD:10 |
-| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | provenance |  |
+| PartialPathTraversalTest.java:260:45:260:117 | new BufferedReader(...) : BufferedReader | PartialPathTraversalTest.java:261:31:261:44 | filenameReader : BufferedReader | provenance |  |
+| PartialPathTraversalTest.java:260:64:260:116 | new InputStreamReader(...) : InputStreamReader | PartialPathTraversalTest.java:260:45:260:117 | new BufferedReader(...) : BufferedReader | provenance | MaD:2 |
+| PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | PartialPathTraversalTest.java:260:64:260:116 | new InputStreamReader(...) : InputStreamReader | provenance | Src:MaD:1 MaD:7 |
+| PartialPathTraversalTest.java:261:31:261:44 | filenameReader : BufferedReader | PartialPathTraversalTest.java:261:31:261:55 | readLine(...) : String | provenance | MaD:3 |
+| PartialPathTraversalTest.java:261:31:261:55 | readLine(...) : String | PartialPathTraversalTest.java:262:29:262:36 | filename : String | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:13:14:13:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:20:10:20:14 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:32:14:32:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:38:14:38:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:44:32:44:36 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:51:32:51:36 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:55:33:55:37 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:62:32:62:36 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:63:33:63:37 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:97:14:97:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:105:14:105:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:108:14:108:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:176:14:176:18 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | PartialPathTraversalTest.java:269:16:269:20 | dir(...) : File | provenance |  |
+| PartialPathTraversalTest.java:262:29:262:36 | filename : String | PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | provenance | MaD:4 |
+| PartialPathTraversalTest.java:269:16:269:20 | dir(...) : File | PartialPathTraversalTest.java:269:16:269:38 | getAbsolutePath(...) : String | provenance | MaD:5 |
+| PartialPathTraversalTest.java:269:16:269:38 | getAbsolutePath(...) : String | PartialPathTraversalTest.java:269:16:269:60 | split(...) : String[] | provenance | MaD:10 |
+| PartialPathTraversalTest.java:269:16:269:60 | split(...) : String[] | PartialPathTraversalTest.java:186:25:186:30 | path(...) : String[] | provenance |  |
 models
 | 1 | Source: java.net; Socket; false; getInputStream; (); ; ReturnValue; remote; manual |
 | 2 | Summary: java.io; BufferedReader; false; BufferedReader; ; ; Argument[0]; Argument[this]; taint; manual |
@@ -122,14 +122,14 @@ nodes
 | PartialPathTraversalTest.java:211:46:211:50 | dir(...) : File | semmle.label | dir(...) : File |
 | PartialPathTraversalTest.java:211:46:211:69 | getCanonicalPath(...) : String | semmle.label | getCanonicalPath(...) : String |
 | PartialPathTraversalTest.java:212:14:212:26 | canonicalPath | semmle.label | canonicalPath |
-| PartialPathTraversalTest.java:252:45:252:117 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
-| PartialPathTraversalTest.java:252:64:252:116 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
-| PartialPathTraversalTest.java:252:86:252:106 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
-| PartialPathTraversalTest.java:253:31:253:44 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
-| PartialPathTraversalTest.java:253:31:253:55 | readLine(...) : String | semmle.label | readLine(...) : String |
-| PartialPathTraversalTest.java:254:20:254:37 | new File(...) : File | semmle.label | new File(...) : File |
-| PartialPathTraversalTest.java:254:29:254:36 | filename : String | semmle.label | filename : String |
-| PartialPathTraversalTest.java:261:16:261:20 | dir(...) : File | semmle.label | dir(...) : File |
-| PartialPathTraversalTest.java:261:16:261:38 | getAbsolutePath(...) : String | semmle.label | getAbsolutePath(...) : String |
-| PartialPathTraversalTest.java:261:16:261:60 | split(...) : String[] | semmle.label | split(...) : String[] |
+| PartialPathTraversalTest.java:260:45:260:117 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
+| PartialPathTraversalTest.java:260:64:260:116 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
+| PartialPathTraversalTest.java:260:86:260:106 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| PartialPathTraversalTest.java:261:31:261:44 | filenameReader : BufferedReader | semmle.label | filenameReader : BufferedReader |
+| PartialPathTraversalTest.java:261:31:261:55 | readLine(...) : String | semmle.label | readLine(...) : String |
+| PartialPathTraversalTest.java:262:20:262:37 | new File(...) : File | semmle.label | new File(...) : File |
+| PartialPathTraversalTest.java:262:29:262:36 | filename : String | semmle.label | filename : String |
+| PartialPathTraversalTest.java:269:16:269:20 | dir(...) : File | semmle.label | dir(...) : File |
+| PartialPathTraversalTest.java:269:16:269:38 | getAbsolutePath(...) : String | semmle.label | getAbsolutePath(...) : String |
+| PartialPathTraversalTest.java:269:16:269:60 | split(...) : String[] | semmle.label | split(...) : String[] |
 subpaths
--- a/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
+++ b/java/ql/test/query-tests/security/CWE-023/semmle/tests/PartialPathTraversalTest.java
@@ -10,14 +10,14 @@ import java.net.Socket;

 public class PartialPathTraversalTest {
    public void esapiExample(File parent) throws IOException {
-        if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }

    @SuppressWarnings("ResultOfMethodCallIgnored")
    void foo1(File parent) throws IOException {
-        (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert
+        (dir().getCanonicalPath()).startsWith((parent.getCanonicalPath())); // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
    }

    void foo2(File parent) throws IOException {
@@ -29,31 +29,31 @@ public class PartialPathTraversalTest {

    void foo3(File parent) throws IOException {
        String parentPath = parent.getCanonicalPath();
-        if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentPath)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }

    void foo4() throws IOException {
-        if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith("/usr" + "/dir")) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }

    void foo5(File parent) throws IOException {
        String canonicalPath = dir().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }

    void foo6(File parent) throws IOException {
        String canonicalPath = dir().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
        String canonicalPath2 = dir().getCanonicalPath();
-        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }
@@ -61,10 +61,10 @@ public class PartialPathTraversalTest {
    void foo7(File dir, File parent) throws IOException {
        String canonicalPath = dir().getCanonicalPath();
        String canonicalPath2 = dir().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
-        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath2.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }
@@ -75,7 +75,7 @@ public class PartialPathTraversalTest {

    void foo8(File parent) throws IOException {
        String canonicalPath = getChild().getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) {
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + getChild().getCanonicalPath());
        }
    }
@@ -94,7 +94,7 @@ public class PartialPathTraversalTest {

    void foo11(File parent) throws IOException {
        String parentCanonical = parent.getCanonicalPath();
-        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }
@@ -102,10 +102,10 @@ public class PartialPathTraversalTest {
    void foo12(File parent) throws IOException {
        String parentCanonical = parent.getCanonicalPath();
        String parentCanonical2 = parent.getCanonicalPath();
-        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
-        if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical2)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }
@@ -173,7 +173,7 @@ public class PartialPathTraversalTest {

    void foo19(File parent) throws IOException {
        String parentCanonical = parent.getCanonicalPath() + "/potato";
-        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert
+        if (!dir().getCanonicalPath().startsWith(parentCanonical)) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }
@@ -191,7 +191,7 @@ public class PartialPathTraversalTest {
        String filePath = sb.toString();
        File encodedFile = new File(filePath);
        try {
-            if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert
+            if (!encodedFile.getCanonicalPath().startsWith(cacheDir.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
                return null;
            }
            return Files.newInputStream(encodedFile.toPath());
@@ -209,7 +209,7 @@ public class PartialPathTraversalTest {

    void foo22(File dir2, File parent, boolean conditional) throws IOException {
        String canonicalPath = conditional ? dir().getCanonicalPath() : dir2.getCanonicalPath();
-        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert
+        if (!canonicalPath.startsWith(parent.getCanonicalPath())) { // $ Alert[java/partial-path-traversal-from-remote] Alert[java/partial-path-traversal]
            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
        }
    }
@@ -228,6 +228,14 @@ public class PartialPathTraversalTest {
        }
    }

+    void foo25(File parent) throws IOException {
+        String path = parent.getCanonicalPath();
+        path += File.separator;
+        if (!dir().getCanonicalPath().startsWith(path)) {
+            throw new IOException("Invalid directory: " + dir().getCanonicalPath());
+        }
+    }
+
    public void doesNotFlagOptimalSafeVersion(File parent) throws IOException {
        if (!dir().toPath().normalize().startsWith(parent.toPath())) { // Safe
            throw new IOException("Path traversal attempt: " + dir().getCanonicalPath());
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
@@ -0,0 +1,25 @@
+import org.hibernate.Session;
+import org.hibernate.SharedSessionContract;
+import org.hibernate.query.QueryProducer;
+
+public class Hibernate {
+
+  public static String source() { return null; }
+
+  public static void test(
+      Session session, SharedSessionContract sharedSessionContract, QueryProducer queryProducer) {
+    session.createQuery(source()); // $ sqlInjection
+    session.createSQLQuery(source()); // $ sqlInjection
+
+    sharedSessionContract.createQuery(source()); // $ sqlInjection
+    sharedSessionContract.createSQLQuery(source()); // $ sqlInjection
+
+    queryProducer.createNativeQuery(source()); // $ sqlInjection
+    queryProducer.createNativeMutationQuery(source()); // $ sqlInjection
+    queryProducer.createQuery(source()); // $ sqlInjection
+    queryProducer.createMutationQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source(), Object.class); // $ sqlInjection
+    queryProducer.createSQLQuery(source()); // $ sqlInjection
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0 --release 21
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0:${testdir}/../../../../../stubs/hibernate-5.x --release 21
--- a/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
+++ b/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
@@ -4,6 +4,14 @@
 | Test.java:21:22:21:75 | ... + ... | Test.java:21:44:21:52 | authToken : String | Test.java:21:22:21:75 | ... + ... | This $@ is written to a log file. | Test.java:21:44:21:52 | authToken | potentially sensitive information |
 | Test.java:22:22:22:75 | ... + ... | Test.java:22:44:22:52 | authToken : String | Test.java:22:22:22:75 | ... + ... | This $@ is written to a log file. | Test.java:22:44:22:52 | authToken | potentially sensitive information |
 | Test.java:31:21:31:37 | ... + ... | Test.java:31:30:31:37 | password : String | Test.java:31:21:31:37 | ... + ... | This $@ is written to a log file. | Test.java:31:30:31:37 | password | potentially sensitive information |
+| Test.java:75:21:75:43 | ... + ... | Test.java:75:33:75:43 | accessToken : String | Test.java:75:21:75:43 | ... + ... | This $@ is written to a log file. | Test.java:75:33:75:43 | accessToken | potentially sensitive information |
+| Test.java:76:21:76:45 | ... + ... | Test.java:76:34:76:45 | clientSecret : String | Test.java:76:21:76:45 | ... + ... | This $@ is written to a log file. | Test.java:76:34:76:45 | clientSecret | potentially sensitive information |
+| Test.java:77:21:77:42 | ... + ... | Test.java:77:34:77:42 | apiSecret : String | Test.java:77:21:77:42 | ... + ... | This $@ is written to a log file. | Test.java:77:34:77:42 | apiSecret | potentially sensitive information |
+| Test.java:78:21:78:44 | ... + ... | Test.java:78:33:78:44 | sessionToken : String | Test.java:78:21:78:44 | ... + ... | This $@ is written to a log file. | Test.java:78:33:78:44 | sessionToken | potentially sensitive information |
+| Test.java:79:21:79:43 | ... + ... | Test.java:79:33:79:43 | bearerToken : String | Test.java:79:21:79:43 | ... + ... | This $@ is written to a log file. | Test.java:79:33:79:43 | bearerToken | potentially sensitive information |
+| Test.java:80:21:80:39 | ... + ... | Test.java:80:31:80:39 | secretKey : String | Test.java:80:21:80:39 | ... + ... | This $@ is written to a log file. | Test.java:80:31:80:39 | secretKey | potentially sensitive information |
+| Test.java:81:21:81:44 | ... + ... | Test.java:81:33:81:44 | refreshToken : String | Test.java:81:21:81:44 | ... + ... | This $@ is written to a log file. | Test.java:81:33:81:44 | refreshToken | potentially sensitive information |
+| Test.java:82:21:82:43 | ... + ... | Test.java:82:33:82:43 | secretValue : String | Test.java:82:21:82:43 | ... + ... | This $@ is written to a log file. | Test.java:82:33:82:43 | secretValue | potentially sensitive information |
 edges
 | Test.java:11:46:11:53 | password : String | Test.java:11:21:11:53 | ... + ... | provenance | Sink:MaD:2 |
 | Test.java:12:44:12:52 | authToken : String | Test.java:12:22:12:52 | ... + ... | provenance | Sink:MaD:1 |
@@ -12,6 +20,14 @@ edges
 | Test.java:22:44:22:52 | authToken : String | Test.java:22:44:22:67 | substring(...) : String | provenance | MaD:3 |
 | Test.java:22:44:22:67 | substring(...) : String | Test.java:22:22:22:75 | ... + ... | provenance | Sink:MaD:1 |
 | Test.java:31:30:31:37 | password : String | Test.java:31:21:31:37 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:75:33:75:43 | accessToken : String | Test.java:75:21:75:43 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:76:34:76:45 | clientSecret : String | Test.java:76:21:76:45 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:77:34:77:42 | apiSecret : String | Test.java:77:21:77:42 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:78:33:78:44 | sessionToken : String | Test.java:78:21:78:44 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:79:33:79:43 | bearerToken : String | Test.java:79:21:79:43 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:80:31:80:39 | secretKey : String | Test.java:80:21:80:39 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:81:33:81:44 | refreshToken : String | Test.java:81:21:81:44 | ... + ... | provenance | Sink:MaD:2 |
+| Test.java:82:33:82:43 | secretValue : String | Test.java:82:21:82:43 | ... + ... | provenance | Sink:MaD:2 |
 models
 | 1 | Sink: org.apache.logging.log4j; Logger; true; error; (String); ; Argument[0]; log-injection; manual |
 | 2 | Sink: org.apache.logging.log4j; Logger; true; info; (String); ; Argument[0]; log-injection; manual |
@@ -29,4 +45,20 @@ nodes
 | Test.java:22:44:22:67 | substring(...) : String | semmle.label | substring(...) : String |
 | Test.java:31:21:31:37 | ... + ... | semmle.label | ... + ... |
 | Test.java:31:30:31:37 | password : String | semmle.label | password : String |
+| Test.java:75:21:75:43 | ... + ... | semmle.label | ... + ... |
+| Test.java:75:33:75:43 | accessToken : String | semmle.label | accessToken : String |
+| Test.java:76:21:76:45 | ... + ... | semmle.label | ... + ... |
+| Test.java:76:34:76:45 | clientSecret : String | semmle.label | clientSecret : String |
+| Test.java:77:21:77:42 | ... + ... | semmle.label | ... + ... |
+| Test.java:77:34:77:42 | apiSecret : String | semmle.label | apiSecret : String |
+| Test.java:78:21:78:44 | ... + ... | semmle.label | ... + ... |
+| Test.java:78:33:78:44 | sessionToken : String | semmle.label | sessionToken : String |
+| Test.java:79:21:79:43 | ... + ... | semmle.label | ... + ... |
+| Test.java:79:33:79:43 | bearerToken : String | semmle.label | bearerToken : String |
+| Test.java:80:21:80:39 | ... + ... | semmle.label | ... + ... |
+| Test.java:80:31:80:39 | secretKey : String | semmle.label | secretKey : String |
+| Test.java:81:21:81:44 | ... + ... | semmle.label | ... + ... |
+| Test.java:81:33:81:44 | refreshToken : String | semmle.label | refreshToken : String |
+| Test.java:82:21:82:43 | ... + ... | semmle.label | ... + ... |
+| Test.java:82:33:82:43 | secretValue : String | semmle.label | secretValue : String |
 subpaths
--- a/java/ql/test/query-tests/security/CWE-532/Test.java
+++ b/java/ql/test/query-tests/security/CWE-532/Test.java
@@ -31,6 +31,57 @@ class Test {
        logger.info("pw: " + password); // $ Alert // not hashed
    }

+    // Tests for false positive exclusions: variables with "token" or "secret" in the name
+    // that do not hold sensitive data.
+    void testFalsePositiveExclusions(
+        String nextToken, String pageToken, String continuationToken, String cursorToken,
+        String tokenType, String tokenEndpoint, String tokenCount, String tokenUrl,
+        String tokenIndex, String tokenLength, String tokenName, String tokenId,
+        String secretName, String secretId, String secretVersion, String secretArn,
+        String secretPath, String secretType,
+        String secretManager, String secretProperties
+    ) {
+        Logger logger = null;
+        // Pagination/iteration tokens (e.g., AWS SDK, GCP, Azure pagination cursors)
+        logger.info("cursor: " + nextToken); // Safe
+        logger.info("cursor: " + pageToken); // Safe
+        logger.info("cursor: " + continuationToken); // Safe
+        logger.info("cursor: " + cursorToken); // Safe
+        // Token metadata (e.g., OAuth token type, OIDC discovery endpoint)
+        logger.info("type: " + tokenType); // Safe
+        logger.info("endpoint: " + tokenEndpoint); // Safe
+        logger.info("count: " + tokenCount); // Safe
+        logger.info("url: " + tokenUrl); // Safe
+        logger.info("index: " + tokenIndex); // Safe
+        logger.info("length: " + tokenLength); // Safe
+        logger.info("name: " + tokenName); // Safe
+        logger.info("id: " + tokenId); // Safe
+        // Secret metadata (e.g., K8s secret name, AWS Secrets Manager identifiers)
+        logger.info("name: " + secretName); // Safe
+        logger.info("id: " + secretId); // Safe
+        logger.info("version: " + secretVersion); // Safe
+        logger.info("arn: " + secretArn); // Safe
+        logger.info("path: " + secretPath); // Safe
+        logger.info("type: " + secretType); // Safe
+        logger.info("manager: " + secretManager); // Safe
+        logger.info("properties: " + secretProperties); // Safe
+    }
+
+    // These should still be flagged as sensitive
+    void testTruePositives(String accessToken, String clientSecret, String apiSecret,
+                           String sessionToken, String bearerToken, String secretKey,
+                           String refreshToken, String secretValue) {
+        Logger logger = null;
+        logger.info("token: " + accessToken); // $ Alert
+        logger.info("secret: " + clientSecret); // $ Alert
+        logger.info("secret: " + apiSecret); // $ Alert
+        logger.info("token: " + sessionToken); // $ Alert
+        logger.info("token: " + bearerToken); // $ Alert
+        logger.info("key: " + secretKey); // $ Alert
+        logger.info("token: " + refreshToken); // $ Alert
+        logger.info("value: " + secretValue); // $ Alert
+    }
+
    static String hashPassword(String input) { return input; }
    static String sha256Digest(String input) { return input; }
    static String encryptValue(String input) { return input; }
--- a/java/ql/test/query-tests/security/CWE-611/WstxInputFactoryTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/WstxInputFactoryTests.java
@@ -0,0 +1,44 @@
+import java.net.Socket;
+
+import javax.xml.stream.XMLInputFactory;
+
+import com.ctc.wstx.stax.WstxInputFactory;
+
+public class WstxInputFactoryTests {
+
+  public void unconfiguredFactory(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
+    factory.createXMLEventReader(sock.getInputStream()); // $ Alert
+  }
+
+  public void safeFactory(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+    factory.createXMLStreamReader(sock.getInputStream()); // safe
+    factory.createXMLEventReader(sock.getInputStream()); // safe
+  }
+
+  public void safeFactoryStringProperties(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty("javax.xml.stream.supportDTD", false);
+    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+    factory.createXMLStreamReader(sock.getInputStream()); // safe
+    factory.createXMLEventReader(sock.getInputStream()); // safe
+  }
+
+  public void misConfiguredFactory(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+    factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
+    factory.createXMLEventReader(sock.getInputStream()); // $ Alert
+  }
+
+  public void misConfiguredFactory2(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+    factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
+    factory.createXMLEventReader(sock.getInputStream()); // $ Alert
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-611/XXE.expected
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -89,6 +89,12 @@
 | TransformerTests.java:141:21:141:73 | new SAXSource(...) | TransformerTests.java:141:51:141:71 | getInputStream(...) : InputStream | TransformerTests.java:141:21:141:73 | new SAXSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:141:51:141:71 | getInputStream(...) | user-provided value |
 | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | user-provided value |
 | ValidatorTests.java:22:28:22:33 | source | ValidatorTests.java:17:49:17:72 | getInputStream(...) : ServletInputStream | ValidatorTests.java:22:28:22:33 | source | XML parsing depends on a $@ without guarding against external entity expansion. | ValidatorTests.java:17:49:17:72 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | user-provided value |
 | XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XML parsing depends on a $@ without guarding against external entity expansion. | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) | user-provided value |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user-provided value |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
@@ -390,6 +396,12 @@ nodes
 | ValidatorTests.java:21:31:21:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | ValidatorTests.java:21:48:21:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
 | ValidatorTests.java:22:28:22:33 | source | semmle.label | source |
+| WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | semmle.label | getInputStream(...) |
 | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
 | XMLDecoderTests.java:17:33:17:66 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
 | XMLDecoderTests.java:17:48:17:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
--- a/java/ql/test/query-tests/security/CWE-611/options
+++ b/java/ql/test/query-tests/security/CWE-611/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/:${testdir}/../../../stubs/woodstox-core-6.4.0
--- a/java/ql/test/query-tests/security/CWE-676/semmle/tests/options
+++ b/java/ql/test/query-tests/security/CWE-676/semmle/tests/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args --release 25
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java
@@ -0,0 +1,10 @@
+package org.hibernate;
+
+import org.hibernate.query.Query;
+
+public interface Session extends SharedSessionContract {
+
+  Query createQuery(String queryString);
+
+  Query createSQLQuery(String queryString);
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java
@@ -0,0 +1,11 @@
+package org.hibernate;
+
+import org.hibernate.query.Query;
+import org.hibernate.query.QueryProducer;
+
+public interface SharedSessionContract extends QueryProducer {
+
+  Query createQuery(String queryString);
+
+  Query createSQLQuery(String queryString);
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface MutationQuery {
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface Query {
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
@@ -0,0 +1,18 @@
+package org.hibernate.query;
+
+public interface QueryProducer {
+
+  Query createNativeQuery(String sqlString);
+
+  MutationQuery createNativeMutationQuery(String sqlString);
+
+  Query createQuery(String queryString);
+
+  MutationQuery createMutationQuery(String hqlString);
+
+  SelectionQuery<?> createSelectionQuery(String hqlString);
+
+  <R> SelectionQuery<R> createSelectionQuery(String hqlString, Class<R> resultType);
+
+  Query createSQLQuery(String queryString);
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface SelectionQuery<R> {
+}
--- a/java/ql/test/stubs/woodstox-core-6.4.0/com/ctc/wstx/stax/WstxInputFactory.java
+++ b/java/ql/test/stubs/woodstox-core-6.4.0/com/ctc/wstx/stax/WstxInputFactory.java
@@ -0,0 +1,49 @@
+// Generated automatically from com.ctc.wstx.stax.WstxInputFactory for testing purposes
+
+package com.ctc.wstx.stax;
+
+import java.io.InputStream;
+import java.io.Reader;
+import javax.xml.stream.EventFilter;
+import javax.xml.stream.StreamFilter;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.XMLReporter;
+import javax.xml.stream.XMLResolver;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.stream.util.XMLEventAllocator;
+import javax.xml.transform.Source;
+import org.codehaus.stax2.XMLInputFactory2;
+
+public class WstxInputFactory extends XMLInputFactory2 {
+    public WstxInputFactory() {}
+
+    public XMLStreamReader createXMLStreamReader(InputStream in) throws XMLStreamException { return null; }
+    public XMLStreamReader createXMLStreamReader(InputStream in, String enc) throws XMLStreamException { return null; }
+    public XMLStreamReader createXMLStreamReader(Reader r) throws XMLStreamException { return null; }
+    public XMLStreamReader createXMLStreamReader(Source src) throws XMLStreamException { return null; }
+    public XMLStreamReader createXMLStreamReader(String systemId, InputStream in) throws XMLStreamException { return null; }
+    public XMLStreamReader createXMLStreamReader(String systemId, Reader r) throws XMLStreamException { return null; }
+
+    public XMLEventReader createXMLEventReader(InputStream in) throws XMLStreamException { return null; }
+    public XMLEventReader createXMLEventReader(InputStream in, String enc) throws XMLStreamException { return null; }
+    public XMLEventReader createXMLEventReader(Reader r) throws XMLStreamException { return null; }
+    public XMLEventReader createXMLEventReader(Source src) throws XMLStreamException { return null; }
+    public XMLEventReader createXMLEventReader(String systemId, InputStream in) throws XMLStreamException { return null; }
+    public XMLEventReader createXMLEventReader(String systemId, Reader r) throws XMLStreamException { return null; }
+    public XMLEventReader createXMLEventReader(XMLStreamReader sr) throws XMLStreamException { return null; }
+
+    public XMLStreamReader createFilteredReader(XMLStreamReader reader, StreamFilter filter) { return null; }
+    public XMLEventReader createFilteredReader(XMLEventReader reader, EventFilter filter) { return null; }
+
+    public void setProperty(String name, Object value) {}
+    public Object getProperty(String name) { return null; }
+    public boolean isPropertySupported(String name) { return false; }
+
+    public XMLResolver getXMLResolver() { return null; }
+    public void setXMLResolver(XMLResolver r) {}
+    public XMLReporter getXMLReporter() { return null; }
+    public void setXMLReporter(XMLReporter r) {}
+    public XMLEventAllocator getEventAllocator() { return null; }
+    public void setEventAllocator(XMLEventAllocator a) {}
+}
--- a/java/ql/test/stubs/woodstox-core-6.4.0/org/codehaus/stax2/XMLInputFactory2.java
+++ b/java/ql/test/stubs/woodstox-core-6.4.0/org/codehaus/stax2/XMLInputFactory2.java
@@ -0,0 +1,9 @@
+// Generated automatically from org.codehaus.stax2.XMLInputFactory2 for testing purposes
+
+package org.codehaus.stax2;
+
+import javax.xml.stream.XMLInputFactory;
+
+public abstract class XMLInputFactory2 extends XMLInputFactory {
+    protected XMLInputFactory2() {}
+}
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args --release 25`