Java: Update java models with provenance column information.

java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

@@ -153,10 +153,10 @@ class Log4jInjectionSummaries extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "org.apache.logging.log4j.message;MapMessage;true;with;;;Argument[1];Argument[-1];taint",
-        "org.apache.logging.log4j.message;MapMessage;true;with;;;Argument[-1];ReturnValue;value",
-        "org.apache.logging.log4j.message;MapMessage;true;put;;;Argument[1];Argument[-1];taint",
-        "org.apache.logging.log4j.message;MapMessage;true;putAll;;;Argument[0].MapValue;Argument[-1];taint",
+        "org.apache.logging.log4j.message;MapMessage;true;with;;;Argument[1];Argument[-1];taint;manual",
+        "org.apache.logging.log4j.message;MapMessage;true;with;;;Argument[-1];ReturnValue;value;manual",
+        "org.apache.logging.log4j.message;MapMessage;true;put;;;Argument[1];Argument[-1];taint;manual",
+        "org.apache.logging.log4j.message;MapMessage;true;putAll;;;Argument[0].MapValue;Argument[-1];taint;manual",
       ]
   }
 }

java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll

@@ -68,17 +68,17 @@ private class JFinalControllerSource extends SourceModelCsv {
     row =
       [
         "com.jfinal.core;Controller;true;getCookie" + ["", "Object", "Objects", "ToInt", "ToLong"] +
-          ";;;ReturnValue;remote",
-        "com.jfinal.core;Controller;true;getFile" + ["", "s"] + ";;;ReturnValue;remote",
-        "com.jfinal.core;Controller;true;getHeader;;;ReturnValue;remote",
-        "com.jfinal.core;Controller;true;getKv;;;ReturnValue;remote",
+          ";;;ReturnValue;remote;manual",
+        "com.jfinal.core;Controller;true;getFile" + ["", "s"] + ";;;ReturnValue;remote;manual",
+        "com.jfinal.core;Controller;true;getHeader;;;ReturnValue;remote;manual",
+        "com.jfinal.core;Controller;true;getKv;;;ReturnValue;remote;manual",
         "com.jfinal.core;Controller;true;getPara" +
           [
             "", "Map", "ToBoolean", "ToDate", "ToInt", "ToLong", "Values", "ValuesToInt",
             "ValuesToLong"
-          ] + ";;;ReturnValue;remote",
+          ] + ";;;ReturnValue;remote;manual",
         "com.jfinal.core;Controller;true;get" + ["", "Int", "Long", "Boolean", "Date"] +
-          ";;;ReturnValue;remote"
+          ";;;ReturnValue;remote;manual"
       ]
   }
 }

java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll

@@ -74,8 +74,8 @@ private class LoadUrlSummaries extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "java.io;FileInputStream;true;FileInputStream;;;Argument[0];Argument[-1];taint",
-        "android.webkit;WebResourceRequest;false;getUrl;;;Argument[-1];ReturnValue;taint"
+        "java.io;FileInputStream;true;FileInputStream;;;Argument[0];Argument[-1];taint;manual",
+        "android.webkit;WebResourceRequest;false;getUrl;;;Argument[-1];ReturnValue;taint;manual"
       ]
   }
 }

java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.qll

@@ -131,15 +131,15 @@ private class VerificationFlowStep extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "com.auth0.jwt.interfaces;Verification;true;build;;;Argument[-1];ReturnValue;taint",
+        "com.auth0.jwt.interfaces;Verification;true;build;;;Argument[-1];ReturnValue;taint;manual",
         "com.auth0.jwt.interfaces;Verification;true;" +
           ["acceptLeeway", "acceptExpiresAt", "acceptNotBefore", "acceptIssuedAt", "ignoreIssuedAt"]
-          + ";;;Argument[-1];ReturnValue;value",
+          + ";;;Argument[-1];ReturnValue;value;manual",
         "com.auth0.jwt.interfaces;Verification;true;with" +
           [
             "Issuer", "Subject", "Audience", "AnyOfAudience", "ClaimPresence", "Claim",
             "ArrayClaim", "JWTId"
-          ] + ";;;Argument[-1];ReturnValue;value"
+          ] + ";;;Argument[-1];ReturnValue;value;manual"
       ]
   }
 }

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll

@@ -10,8 +10,8 @@ private class MathCompDataModel extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "java.lang;Math;false;min;;;Argument[0..1];ReturnValue;value",
-        "java.lang;Math;false;max;;;Argument[0..1];ReturnValue;value"
+        "java.lang;Math;false;min;;;Argument[0..1];ReturnValue;value;manual",
+        "java.lang;Math;false;max;;;Argument[0..1];ReturnValue;value;manual"
       ]
   }
 }

java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll

@@ -154,8 +154,8 @@ private class ServletGetPathSource extends SourceModelCsv {
   override predicate row(string row) {
     row =
       [
-        "javax.servlet.http;HttpServletRequest;true;getServletPath;;;ReturnValue;remote",
-        "jakarta.servlet.http;HttpServletRequest;true;getServletPath;;;ReturnValue;remote"
+        "javax.servlet.http;HttpServletRequest;true;getServletPath;;;ReturnValue;remote;manual",
+        "jakarta.servlet.http;HttpServletRequest;true;getServletPath;;;ReturnValue;remote;manual"
       ]
   }
 }
@@ -165,13 +165,13 @@ private class FilePathFlowStep extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint",
-        "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint",
-        "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint",
-        "java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint",
-        "io.undertow.server.handlers.resource;Resource;true;getFile;;;Argument[-1];ReturnValue;taint",
-        "io.undertow.server.handlers.resource;Resource;true;getFilePath;;;Argument[-1];ReturnValue;taint",
-        "io.undertow.server.handlers.resource;Resource;true;getPath;;;Argument[-1];ReturnValue;taint"
+        "java.nio.file;Paths;true;get;;;Argument[0..1];ReturnValue;taint;manual",
+        "java.nio.file;Path;true;resolve;;;Argument[-1..0];ReturnValue;taint;manual",
+        "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual",
+        "java.nio.file;Path;true;toString;;;Argument[-1];ReturnValue;taint;manual",
+        "io.undertow.server.handlers.resource;Resource;true;getFile;;;Argument[-1];ReturnValue;taint;manual",
+        "io.undertow.server.handlers.resource;Resource;true;getFilePath;;;Argument[-1];ReturnValue;taint;manual",
+        "io.undertow.server.handlers.resource;Resource;true;getPath;;;Argument[-1];ReturnValue;taint;manual"
       ]
   }
 }

java/ql/src/experimental/semmle/code/java/PathSanitizer.qll

@@ -196,8 +196,8 @@ private class PathDataModel extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint",
-        "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint"
+        "java.nio.file;Paths;true;get;;;Argument[0];ReturnValue;taint;manual",
+        "java.nio.file;Path;true;normalize;;;Argument[-1];ReturnValue;taint;manual"
       ]
   }
 }

java/ql/src/utils/flowtestcasegenerator/FlowTestCaseSupportMethods.qll

@@ -165,7 +165,7 @@ private class DefaultGetMethod extends GetMethod {
   override string getCsvModel() {
     result =
       "generatedtest;Test;false;" + this.getName() + ";(Object);;" +
-        getComponentSpec(SummaryComponent::content(c)) + "Argument[0].;ReturnValue;value"
+        getComponentSpec(SummaryComponent::content(c)) + "Argument[0].;ReturnValue;value;manual"
   }
 }
 
@@ -361,7 +361,7 @@ private class DefaultGenMethod extends GenMethod {
   override string getCsvModel() {
     result =
       "generatedtest;Test;false;" + this.getName() + ";(Object);;Argument[0];" +
-        getComponentSpec(SummaryComponent::content(c)) + "ReturnValue.;value"
+        getComponentSpec(SummaryComponent::content(c)) + "ReturnValue.;value;manual"
   }
 }