From c585b2e4835bd6c49f7393c744c97d3215f75841 Mon Sep 17 00:00:00 2001
From: Arthur Baars
Date: Mon, 13 Jul 2020 15:25:00 +0200
Subject: [PATCH] Java: stack trace exposure: address false positives

---
 java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index 5c353958bc2..bfb0ae0ad59 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -22,7 +22,10 @@ import semmle.code.java.security.XSS
  */
 class PrintStackTraceMethod extends Method {
   PrintStackTraceMethod() {
-    getDeclaringType().hasQualifiedName("java.lang", "Throwable") and
+    getDeclaringType()
+      .getSourceDeclaration()
+      .getASourceSupertype*()
+      .hasQualifiedName("java.lang", "Throwable") and
     getName() = "printStackTrace"
   }
 }
@@ -96,7 +99,8 @@ class StackTraceStringToXssSinkFlowConfig extends TaintTracking2::Configuration
  */
 predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
   printsStackToWriter(call) and
-  call.getQualifier() = stackTrace
+  call.getQualifier() = stackTrace and
+  not call.getQualifier() instanceof SuperAccess
 }
 
 /**
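Review bot: The widened `PrintStackTraceMethod` now matches by name alone on every subtype of `java.lang.Throwable`, so a subclass method that happens to be called `printStackTrace` but does not override the `Throwable` one (a different parameter list) is included as well; whether `printsStackToWriter`, which is outside this hunk, narrows that cannot be seen here. If only genuine overrides are intended, matching along the override chain is more precise: `getSourceDeclaration().getASourceOverriddenMethod*().getDeclaringType().hasQualifiedName("java.lang", "Throwable") and getName() = "printStackTrace"`. The class's doc comment ends at the ` */` context line but its text lies outside the hunk; it should now state that overrides declared in `Throwable` subclasses are included, for example `A method named printStackTrace declared on Throwable or on any of its subtypes.`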
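Review bot: The new `not call.getQualifier() instanceof SuperAccess` conjunct in `printsStackExternally` drops every `super.printStackTrace(...)` call, not only the delegating call inside an override that the first hunk already reports at its own call site; a `super.printStackTrace(writer)` placed in some other method of a `Throwable` subclass (one not named `printStackTrace`) has no outer call the query would flag, so that exposure is now missed. Restricting the exclusion to calls made from within a `PrintStackTraceMethod` keeps the false-positive fix while retaining that case: `not (call.getQualifier() instanceof SuperAccess and call.getEnclosingCallable() instanceof PrintStackTraceMethod)`. A one-line comment above the conjunct saying why super calls are excluded (the override's own call site is reported instead) would also help the next reader; the predicate's doc comment ends at the ` */` context line and its text is outside the hunk.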