Java: Deprecate the content of ImproperValidationOrArray and remove local query variants.

2026-05-01 11:45:14 +02:00 · 2024-04-30 15:28:26 +02:00
parent acd0fa4b7b
commit 301a6cc191
14 changed files with 22 additions and 72 deletions
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionLocalQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources
 /**
 * A taint-tracking configuration to reason about improper validation of local user-provided size used for array construction.
 */
-module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
+deprecated module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -16,7 +16,9 @@ module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::Con
 }

 /**
+ * DEPRECATED: Use `ImproperValidationOfArrayConstructionFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for improper validation of local user-provided size used for array construction.
 */
-module ImproperValidationOfArrayConstructionLocalFlow =
+deprecated module ImproperValidationOfArrayConstructionLocalFlow =
  TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources
 /**
 * A taint-tracking configuration to reason about improper validation of local user-provided array index.
 */
-module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
+deprecated module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -20,7 +20,9 @@ module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig
 }

 /**
+ * DEPRECATED: Use `ImproperValidationOfArrayIndexFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for improper validation of local user-provided array index.
 */
-module ImproperValidationOfArrayIndexLocalFlow =
+deprecated module ImproperValidationOfArrayIndexLocalFlow =
  TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;