Java: Avoid low-confidence dispatch to InputStream methods

Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.
2026-03-04 22:56:47 +01:00 · 2023-07-19 11:30:44 +02:00
parent 8a46ff344a
commit 2dbbcc2413
2 changed files with 3 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -102,6 +102,8 @@ private module Dispatch {
    or
    t instanceof Interface and not t.fromSource()
    or
+    t.hasQualifiedName("java.io", "InputStream")
+    or
    t.hasQualifiedName("java.io", "Serializable")
    or
    t.hasQualifiedName("java.lang", "Iterable")