diff --git a/.github/workflows/csv-coverage-pr-artifacts.yml b/.github/workflows/csv-coverage-pr-artifacts.yml
new file mode 100644
index 00000000000..0941adba3c3
--- /dev/null
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -0,0 +1,83 @@
+name: Check framework coverage changes
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/csv-coverage-pr-comment.yml'
+      - '*/ql/src/**/*.ql'
+      - '*/ql/src/**/*.qll'
+      - 'misc/scripts/library-coverage/*.py'
+      # input data files
+      - '*/documentation/library-coverage/cwe-sink.csv'
+      - '*/documentation/library-coverage/frameworks.csv'
+    branches:
+      - main
+      - 'rc/*'
+
+jobs:
+  generate:
+    name: Generate framework coverage artifacts
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql) - MERGE
+      uses: actions/checkout@v2
+      with:
+        path: merge
+    - name: Clone self (github/codeql) - BASE
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.base.sha }}
+        path: base
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Generate CSV files on merge and base of the PR
+      run: |
+        echo "Running generator on ${{github.sha}}"
+        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
+        mkdir out_merge
+        cp framework-coverage-*.csv out_merge/
+        cp framework-coverage-*.rst out_merge/
+
+        echo "Running generator on ${{github.event.pull_request.base.sha}}"
+        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
+        mkdir out_base
+        cp framework-coverage-*.csv out_base/
+        cp framework-coverage-*.rst out_base/
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-merge
+        path: |
+          out_merge/framework-coverage-*.csv
+          out_merge/framework-coverage-*.rst
+    - name: Upload CSV package list
+      uses: actions/upload-artifact@v2
+      with:
+        name: csv-framework-coverage-base
+        path: |
+          out_base/framework-coverage-*.csv
+          out_base/framework-coverage-*.rst
+    - name: Save PR number
+      run: |
+        mkdir -p pr
+        echo ${{ github.event.pull_request.number }} > pr/NR
+    - name: Upload PR number
+      uses: actions/upload-artifact@v2
+      with:
+        name: pr
+        path: pr/
diff --git a/.github/workflows/csv-coverage-pr-comment.yml b/.github/workflows/csv-coverage-pr-comment.yml
new file mode 100644
index 00000000000..3fdb8963d05
--- /dev/null
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -0,0 +1,65 @@
+name: Comment on PR with framework coverage changes
+
+on:
+  workflow_run:
+    workflows: ["Check framework coverage changes"]
+    types:
+      - completed
+
+jobs:
+  check:
+    name: Check framework coverage differences and comment
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+    - name: Dump GitHub context
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
+      run: echo "$GITHUB_CONTEXT"
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+
+    # download artifacts from the PR job:
+
+    - name: Download artifact - MERGE
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "csv-framework-coverage-merge" --dir "out_merge" "$RUN_ID"
+
+    - name: Download artifact - BASE
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "csv-framework-coverage-base" --dir "out_base" "$RUN_ID"
+
+    - name: Download artifact - PR
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        gh run download --name "pr" --dir "pr" "$RUN_ID"
+
+    - name: Check coverage files
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        RUN_ID: ${{ github.event.workflow_run.id }}
+      run: |
+        PR=$(cat "pr/NR")
+        python misc/scripts/library-coverage/compare-files-comment-pr.py \
+          out_merge out_base comparison.md "$GITHUB_REPOSITORY" "$PR" "$RUN_ID"
+    - name: Upload comparison results
+      uses: actions/upload-artifact@v2
+      with:
+        name: comparison
+        path: |
+          comparison.md
diff --git a/.github/workflows/csv-coverage-timeseries.yml b/.github/workflows/csv-coverage-timeseries.yml
new file mode 100644
index 00000000000..e7c01623e04
--- /dev/null
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -0,0 +1,42 @@
+name: Build framework coverage timeseries reports
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Clone self (github/codeql)
+      uses: actions/checkout@v2
+      with:
+        path: script
+    - name: Clone self (github/codeql) for analysis
+      uses: actions/checkout@v2
+      with:
+        path: codeqlModels
+        fetch-depth: 0
+    - name: Set up Python 3.8
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+    - name: Download CodeQL CLI
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
+    - name: Unzip CodeQL CLI
+      run: unzip -d codeql-cli codeql-linux64.zip
+    - name: Build modeled package list
+      run: |
+        CLI=$(realpath "codeql-cli/codeql")
+        echo $CLI
+        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
+    - name: Upload timeseries CSV
+      uses: actions/upload-artifact@v2
+      with:
+        name: framework-coverage-timeseries
+        path: framework-coverage-timeseries-*.csv
+
diff --git a/.github/workflows/csv-coverage.yml b/.github/workflows/csv-coverage.yml
index 54c172d66d3..c7ab92eb0f3 100644
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -1,4 +1,4 @@
-name: Build/check CSV flow coverage report
+name: Build framework coverage reports
 
 on:
   workflow_dispatch:
@@ -6,22 +6,6 @@ on:
       qlModelShaOverride:
         description: 'github/codeql repo SHA used for looking up the CSV models'
         required: false
-  push:
-    branches:
-     - main
-     - 'rc/**'
-  pull_request:
-    paths:
-      - '.github/workflows/csv-coverage.yml'
-      - '*/ql/src/**/*.ql'
-      - '*/ql/src/**/*.qll'
-      - 'misc/scripts/library-coverage/*.py'
-      # input data files
-      - '*/documentation/library-coverage/cwe-sink.csv'
-      - '*/documentation/library-coverage/frameworks.csv'
-      # coverage report files
-      - '*/documentation/library-coverage/flow-model-coverage.csv'
-      - '*/documentation/library-coverage/flow-model-coverage.rst'
 
 jobs:
   build:
@@ -33,28 +17,20 @@ jobs:
       uses: actions/checkout@v2
       with:
         path: script
-    - name: Clone self (github/codeql) at a given SHA for analysis
-      if: github.event.inputs.qlModelShaOverride != ''
-      uses: actions/checkout@v2
-      with:
-        path: codeqlModels
-        ref: github.event.inputs.qlModelShaOverride
     - name: Clone self (github/codeql) for analysis
-      if: github.event.inputs.qlModelShaOverride == ''
       uses: actions/checkout@v2
       with:
         path: codeqlModels
+        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
     - name: Set up Python 3.8
       uses: actions/setup-python@v2
       with:
         python-version: 3.8
     - name: Download CodeQL CLI
-      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
-      with:
-        repo: "github/codeql-cli-binaries"
-        version: "latest"
-        file: "codeql-linux64.zip"
-        token: ${{ secrets.GITHUB_TOKEN }}
+      env:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
     - name: Unzip CodeQL CLI
       run: unzip -d codeql-cli codeql-linux64.zip
     - name: Build modeled package list
@@ -63,15 +39,11 @@ jobs:
     - name: Upload CSV package list
       uses: actions/upload-artifact@v2
       with:
-        name: csv-flow-model-coverage
-        path: flow-model-coverage-*.csv
+        name: framework-coverage-csv
+        path: framework-coverage-*.csv
     - name: Upload RST package list
       uses: actions/upload-artifact@v2
       with:
-        name: rst-flow-model-coverage
-        path: flow-model-coverage-*.rst
-    # - name: Check coverage files
-    #   if: github.event.pull_request
-    #   run: |
-    #     python script/misc/scripts/library-coverage/compare-files.py codeqlModels
+        name: framework-coverage-rst
+        path: framework-coverage-*.rst
 
diff --git a/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql b/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
index ecf739b91be..c8bf3842773 100644
--- a/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql	
+++ b/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql	
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/offset-use-before-range-check
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.2
  * @precision medium
  * @tags reliability
  *       security
diff --git a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
index 24cd9dc16fd..3ef487fbec2 100644
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/DescriptorNeverClosed.ql b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
index 331d787be62..85e41ad1928 100644
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/descriptor-never-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/FileMayNotBeClosed.ql b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
index 395bac61f0b..af38b437778 100644
--- a/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/file-may-not-be-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/FileNeverClosed.ql b/cpp/ql/src/Critical/FileNeverClosed.ql
index eeeed80af92..b9e71978359 100644
--- a/cpp/ql/src/Critical/FileNeverClosed.ql
+++ b/cpp/ql/src/Critical/FileNeverClosed.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/file-never-closed
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags efficiency
  *       security
  *       external/cwe/cwe-775
diff --git a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
index 7abfaeb9ebe..6c3435eeba9 100644
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/global-use-before-init
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-457
diff --git a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
index b356c64b3fc..da64be1fdb9 100644
--- a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+++ b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/inconsistent-nullness-testing
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476
diff --git a/cpp/ql/src/Critical/InitialisationNotRun.ql b/cpp/ql/src/Critical/InitialisationNotRun.ql
index d4bb90962f7..ba575c55921 100644
--- a/cpp/ql/src/Critical/InitialisationNotRun.ql
+++ b/cpp/ql/src/Critical/InitialisationNotRun.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/initialization-not-run
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-456
diff --git a/cpp/ql/src/Critical/LateNegativeTest.ql b/cpp/ql/src/Critical/LateNegativeTest.ql
index 98d1d7cba2b..5de36fcc5a9 100644
--- a/cpp/ql/src/Critical/LateNegativeTest.ql
+++ b/cpp/ql/src/Critical/LateNegativeTest.ql
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/late-negative-test
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823
diff --git a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
index 3726117615e..51467b52be8 100644
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/memory-may-not-be-freed
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401
diff --git a/cpp/ql/src/Critical/MemoryNeverFreed.ql b/cpp/ql/src/Critical/MemoryNeverFreed.ql
index 89ca2245d7f..e9593e9d749 100644
--- a/cpp/ql/src/Critical/MemoryNeverFreed.ql
+++ b/cpp/ql/src/Critical/MemoryNeverFreed.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/memory-never-freed
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags efficiency
  *       security
  *       external/cwe/cwe-401
diff --git a/cpp/ql/src/Critical/MissingNegativityTest.ql b/cpp/ql/src/Critical/MissingNegativityTest.ql
index 937510afec6..a4409f2dabf 100644
--- a/cpp/ql/src/Critical/MissingNegativityTest.ql
+++ b/cpp/ql/src/Critical/MissingNegativityTest.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/missing-negativity-test
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-823
diff --git a/cpp/ql/src/Critical/MissingNullTest.ql b/cpp/ql/src/Critical/MissingNullTest.ql
index dcd45f2baf1..b50d06a8dd1 100644
--- a/cpp/ql/src/Critical/MissingNullTest.ql
+++ b/cpp/ql/src/Critical/MissingNullTest.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/missing-null-test
  * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags reliability
  *       security
  *       external/cwe/cwe-476
diff --git a/cpp/ql/src/Critical/NewFreeMismatch.ql b/cpp/ql/src/Critical/NewFreeMismatch.ql
index 09356762e43..19b9b197214 100644
--- a/cpp/ql/src/Critical/NewFreeMismatch.ql
+++ b/cpp/ql/src/Critical/NewFreeMismatch.ql
@@ -3,7 +3,7 @@
  * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id cpp/new-free-mismatch
  * @tags reliability
diff --git a/cpp/ql/src/Critical/OverflowCalculated.ql b/cpp/ql/src/Critical/OverflowCalculated.ql
index 01cb7b3eaa3..d8a08cc6a69 100644
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/overflow-calculated
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @tags reliability
  *       security
  *       external/cwe/cwe-131
diff --git a/cpp/ql/src/Critical/OverflowDestination.ql b/cpp/ql/src/Critical/OverflowDestination.ql
index c89ec46cb42..94d46001660 100644
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/overflow-destination
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision low
  * @tags reliability
  *       security
diff --git a/cpp/ql/src/Critical/OverflowStatic.ql b/cpp/ql/src/Critical/OverflowStatic.ql
index d287f43b1c8..7c447c12323 100644
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -4,7 +4,7 @@
  *              may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/static-buffer-overflow
  * @tags reliability
diff --git a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
index 72ff93e24ab..40082ad5d9c 100644
--- a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+++ b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/return-stack-allocated-object
  * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 2.1
  * @tags reliability
  *       security
  *       external/cwe/cwe-562
diff --git a/cpp/ql/src/Critical/SizeCheck.ql b/cpp/ql/src/Critical/SizeCheck.ql
index 7fff35cf717..e7a00ea3621 100644
--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -4,7 +4,7 @@
  *              an instance of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/allocation-too-small
  * @tags reliability
diff --git a/cpp/ql/src/Critical/SizeCheck2.ql b/cpp/ql/src/Critical/SizeCheck2.ql
index f9a09b66352..eb3aec9a5fe 100644
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -4,7 +4,7 @@
  *              multiple instances of the type of the pointer may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/suspicious-allocation-size
  * @tags reliability
diff --git a/cpp/ql/src/Critical/UseAfterFree.ql b/cpp/ql/src/Critical/UseAfterFree.ql
index 1b714267ef1..d770a42b3c2 100644
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/use-after-free
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.3
  * @tags reliability
  *       security
  *       external/cwe/cwe-416
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
index 1037e4d9063..5a7389205f9 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql	
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql	
@@ -6,7 +6,7 @@
  *              to a larger type.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision very-high
  * @id cpp/bad-addition-overflow-check
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
index 941fecc453d..03ad085b6d3 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql	
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql	
@@ -4,7 +4,7 @@
  *              be a sign that the result can overflow the type converted from.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision high
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
index 6da994e6729..7911049599a 100644
--- a/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql	
+++ b/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql	
@@ -5,7 +5,7 @@
  *              unsigned integer values.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision high
  * @id cpp/signed-overflow-check
  * @tags correctness
diff --git a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
index 19e50a3f368..9032919da44 100644
--- a/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
+++ b/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql	
@@ -6,7 +6,7 @@
  *              use the width of the base type, leading to misaligned reads.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id cpp/upcast-array-pointer-arithmetic
  * @tags correctness
diff --git a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
index f480501f7ba..f00dfa2213b 100644
--- a/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql	
@@ -6,7 +6,7 @@
  *              from an untrusted source, this can be used for exploits.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/non-constant-format
  * @tags maintainability
diff --git a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
index 78427655c22..7da8db7f226 100644
--- a/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql	
@@ -3,7 +3,7 @@
  * @description Using the return value from snprintf without proper checks can cause overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision high
  * @id cpp/overflowing-snprintf
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
index 1147c6c66a1..cc3510ee5eb 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql	
@@ -4,7 +4,7 @@
  *              a source of security issues.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision high
  * @id cpp/wrong-number-format-arguments
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
index d1624e484fe..a7306e401e4 100644
--- a/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql	
@@ -4,7 +4,7 @@
  *              behavior.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id cpp/wrong-type-format-argument
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql b/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
index 1b20aa1b224..30664869adc 100644
--- a/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql	
+++ b/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql	
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/incorrect-not-operator-usage
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision medium
  * @tags security
  *       external/cwe/cwe-480
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql b/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
index 1af4ba839b5..61d7a266d86 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql	
@@ -3,7 +3,7 @@
  * @description Using alloca in a loop can lead to a stack overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id cpp/alloca-in-loop
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql b/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
index c72086060fd..7f1541f7ea8 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql	
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/improper-null-termination
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security
  *       external/cwe/cwe-170
  *       external/cwe/cwe-665
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
index 3035d3ba2ea..e11d114d1fb 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql	
@@ -4,7 +4,7 @@
  *              on undefined behavior and may lead to memory corruption.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 2.1
  * @precision high
  * @id cpp/pointer-overflow-check
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql b/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
index 4a9fc949f89..8e7bc5bfcf4 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql	
@@ -4,7 +4,7 @@
  *              as the third argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/bad-strncpy-size
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
index 28742629b37..644c48622a2 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql	
@@ -3,7 +3,7 @@
  * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/unsafe-strncat
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
index 9198cd0497e..a80af562bda 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql	
@@ -5,7 +5,7 @@
  *              the machine pointer size.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/suspicious-sizeof
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
index 94e230e8838..5861167659f 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql	
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/uninitialized-local
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @tags security
  *       external/cwe/cwe-665
diff --git a/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql b/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
index 2eb8d0b4060..d0b0f7f1e71 100644
--- a/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql	
+++ b/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql	
@@ -4,7 +4,7 @@
  *              may result in a buffer overflow
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id cpp/unsafe-strcat
  * @tags reliability
diff --git a/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql b/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
index 2702cbdcea7..9ddf445f4bf 100644
--- a/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql	
+++ b/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql	
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/self-assignment-check
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.0
  * @tags reliability
  *       security
  *       external/cwe/cwe-826
diff --git a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
index 746a2761e49..04325e8497e 100644
--- a/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql	
+++ b/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql	
@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id cpp/unsafe-use-of-this
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision very-high
  * @tags correctness
  *       language-features
diff --git a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
index 3196143c5d1..bc53015c905 100644
--- a/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
+++ b/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql	
@@ -7,7 +7,7 @@
  *              undefined data.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision very-high
  * @id cpp/too-few-arguments
  * @tags correctness
diff --git a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
index 77c4f149cac..33c31972295 100644
--- a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/memset-may-be-deleted
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-14
diff --git a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
index 0396d5c7bb0..47a0bf14b7f 100644
--- a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
index 196fe57f74b..b85a5b26a7f 100644
--- a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
index c96b6f6dc5b..5e22506d03a 100644
--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -4,7 +4,7 @@
  *              attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/path-injection
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
index d3020406f15..5f516eec83b 100644
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -5,7 +5,7 @@
  *              to command injection.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id cpp/command-line-injection
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
index 0b56e972320..bb38609927e 100644
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id cpp/cgi-xss
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index 1e4536f0942..a3f935170d7 100644
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -5,7 +5,7 @@
  *              to SQL Injection.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id cpp/sql-injection
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
index 3aba72ed741..e75f62b0eb7 100644
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -5,7 +5,7 @@
  *              commands.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.0
+ * @security-severity 8.2
  * @precision medium
  * @id cpp/uncontrolled-process-operation
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
index c61498ac2e0..1c903081baf 100644
--- a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/overflow-buffer
  * @problem.severity recommendation
- * @security-severity 10.0
+ * @security-severity 9.3
  * @tags security
  *       external/cwe/cwe-119
  *       external/cwe/cwe-121
diff --git a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
index 01d8d8db4e2..247606c683d 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -5,7 +5,7 @@
  *              overflow.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/badly-bounded-write
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
index 6832561e10c..ac4144d1c6f 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -4,7 +4,7 @@
  *              of data written may overflow.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/overrunning-write
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
index 73ef5e62fb2..27adab9b06c 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -5,7 +5,7 @@
  *              take extreme values.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/overrunning-write-with-float
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
index 656b52b03bf..b9922da9c75 100644
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -4,7 +4,7 @@
  *              of data written may overflow.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
  * @precision medium
  * @id cpp/unbounded-write
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
index 3dacc443a74..842798102bd 100644
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -5,7 +5,7 @@
  *              a specific value to terminate the argument list.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/unterminated-variadic-call
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
index 59498017b1f..0621def4d98 100644
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/unclear-array-index-validation
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @tags security
  *       external/cwe/cwe-129
  */
diff --git a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
index b31213b09f3..1780c2a0199 100644
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -5,7 +5,7 @@
  *              terminator can cause a buffer overrun.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cpp/no-space-for-terminator
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
index 0593679c3f5..f24510bba05 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -5,7 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/tainted-format-string
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
index 67853b9e361..d2f5243d4a4 100644
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -5,7 +5,7 @@
  *              or data representation problems.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id cpp/tainted-format-string-through-global
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
index ad4d0389f0c..e3634734b5e 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -4,7 +4,7 @@
  *              not validated can cause overflows.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision low
  * @id cpp/tainted-arithmetic
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 359ac7a0d1a..fd486efdab0 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,7 +4,7 @@
  *              validated can cause overflows.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id cpp/uncontrolled-arithmetic
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
index 9addbab5c1c..35668953acc 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/arithmetic-with-extreme-values
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision low
  * @tags security
  *       reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index 1ec3c6554fe..6636d100746 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -5,7 +5,7 @@
  * @id cpp/comparison-with-wider-type
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @tags reliability
  *       security
diff --git a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
index 7e4880ffca6..bc0dff58244 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/integer-overflow-tainted
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision low
  * @tags security
  *       external/cwe/cwe-190
diff --git a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
index 765a2519a38..585875798cc 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -4,7 +4,7 @@
  *              user can result in integer overflow.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/uncontrolled-allocation-size
  * @tags reliability
diff --git a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
index ddd7bf3430f..5be71472c92 100644
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/unsigned-difference-expression-compared-zero
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @tags security
  *       correctness
diff --git a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
index bde1e265690..67ba5b0c45b 100644
--- a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cpp/hresult-boolean-conversion
  * @problem.severity error
- * @security-severity 4.2
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-253
diff --git a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
index 7cdd5c34b8b..814c6aff21b 100644
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -5,7 +5,7 @@
  *              vulnerable to spoofing attacks.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.8
+ * @security-severity 8.1
  * @precision medium
  * @id cpp/user-controlled-bypass
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
index 6785700d077..696c5764fcd 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -4,7 +4,7 @@
  *              to an attacker.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/cleartext-storage-buffer
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
index fcf2a00435e..aa90ff9567c 100644
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -4,7 +4,7 @@
  *              to an attacker.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/cleartext-storage-file
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
index ccb67f54d3a..bb9135a92ff 100644
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -4,7 +4,7 @@
  *              database can expose it to an attacker.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/cleartext-storage-database
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 848adfd7adc..aef114bcc4e 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -4,7 +4,7 @@
  *              an attacker to compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/weak-cryptographic-algorithm
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
index 5ee196994ac..38067ae200c 100644
--- a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
@@ -4,7 +4,7 @@
  *              attackers to retrieve portions of memory.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision very-high
  * @id cpp/openssl-heartbleed
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
index 7d19e323f2b..f5bed0bee64 100644
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -5,7 +5,7 @@
  *              the two operations.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.7
  * @precision medium
  * @id cpp/toctou-race-condition
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
index 73e0d8794ad..7c540e9d313 100644
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -4,7 +4,7 @@
  * @id cpp/unsafe-create-process-call
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @msrc.severity important
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
index 3d6c54e33ae..c6a797929bb 100644
--- a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
@@ -5,7 +5,7 @@
  *              state, and reading the variable may result in undefined behavior.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.8
  * @opaque-id SM02313
  * @id cpp/conditionally-uninitialized-variable
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
index a582813ed5f..ce99ce1ebce 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
@@ -4,7 +4,7 @@
  *              can cause buffer overflow conditions.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/suspicious-pointer-scaling
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
index c1bfb9c4ee9..5b7e3379929 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/incorrect-pointer-scaling-char
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision low
  * @tags security
  *       external/cwe/cwe-468
diff --git a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
index aa267a25f4e..460c98bf1e3 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
@@ -4,7 +4,7 @@
  *              can cause buffer overflow conditions.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id cpp/suspicious-pointer-scaling-void
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
index 7532f7e9fcf..4ac00fc42c6 100644
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -5,7 +5,7 @@
  *              implicitly scaled.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision high
  * @id cpp/suspicious-add-sizeof
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
index ead50c9620e..bbe3b0805e1 100644
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -5,7 +5,7 @@
  *              attack plan.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
  * @precision medium
  * @id cpp/system-data-exposure
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
index 321684dc93c..65551a1f138 100644
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/incorrect-string-type-conversion
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-704
diff --git a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
index 67dce658ed8..1fd55a02d01 100644
--- a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
@@ -3,7 +3,7 @@
  * @description Creating a file that is world-writable can allow an attacker to write to the file.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id cpp/world-writable-file-creation
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
index 72399cec376..bf673826347 100644
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -7,7 +7,7 @@
  * @id cpp/unsafe-dacl-security-descriptor
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-732
diff --git a/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql b/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
index 2a0d765f239..cd5d8771807 100644
--- a/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/lock-order-cycle
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @tags security
  *       external/cwe/cwe-764
  *       external/cwe/cwe-833
diff --git a/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql b/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
index c32e747f3e4..051ad2eeeea 100644
--- a/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/twice-locked
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @precision low
  * @tags security
  *       external/cwe/cwe-764
diff --git a/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql b/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
index 8f3d9e92149..dd224352b12 100644
--- a/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cpp/unreleased-lock
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @precision low
  * @tags security
  *       external/cwe/cwe-764
diff --git a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
index 08a5ceb49db..64505ee8283 100644
--- a/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
@@ -5,7 +5,7 @@
  *              attack.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cpp/tainted-permissions-check
  * @tags security
diff --git a/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql b/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
index cd85179d14d..3db5e15874b 100644
--- a/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
+++ b/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cpp/infinite-loop-with-unsatisfiable-exit-condition
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags security
  *       external/cwe/cwe-835
  */
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
index 4e1cd281488..a55e65a81f6 100644
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -168,7 +168,13 @@ module Consistency {
     msg = "ArgumentNode is missing PostUpdateNode."
   }
 
-  query predicate postWithInFlow(PostUpdateNode n, string msg) {
+  // This predicate helps the compiler forget that in some languages
+  // it is impossible for a `PostUpdateNode` to be the target of
+  // `simpleLocalFlowStep`.
+  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
+
+  query predicate postWithInFlow(Node n, string msg) {
+    isPostUpdateNode(n) and
     simpleLocalFlowStep(_, n) and
     msg = "PostUpdateNode should not be the target of local flow."
   }
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
index 4e1cd281488..a55e65a81f6 100644
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -168,7 +168,13 @@ module Consistency {
     msg = "ArgumentNode is missing PostUpdateNode."
   }
 
-  query predicate postWithInFlow(PostUpdateNode n, string msg) {
+  // This predicate helps the compiler forget that in some languages
+  // it is impossible for a `PostUpdateNode` to be the target of
+  // `simpleLocalFlowStep`.
+  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
+
+  query predicate postWithInFlow(Node n, string msg) {
+    isPostUpdateNode(n) and
     simpleLocalFlowStep(_, n) and
     msg = "PostUpdateNode should not be the target of local flow."
   }
diff --git a/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll b/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll
index e086b810478..d351bac89a8 100644
--- a/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/cpp/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -181,14 +181,14 @@ private int getEndOfColumnPosition(int start, string content) {
     min(string name, int cand |
       exists(TNamedColumn(name)) and
       cand = content.indexOf(name + ":") and
-      cand > start
+      cand >= start
     |
       cand
     )
   or
   not exists(string name |
     exists(TNamedColumn(name)) and
-    content.indexOf(name + ":") > start
+    content.indexOf(name + ":") >= start
   ) and
   result = content.length()
 }
diff --git a/csharp/change-notes/2021-06-15-effective-visibility.md b/csharp/change-notes/2021-06-15-effective-visibility.md
new file mode 100644
index 00000000000..f14e338079a
--- /dev/null
+++ b/csharp/change-notes/2021-06-15-effective-visibility.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `isEffectivelyPrivate`, `isEffectivelyInternal` and `isEffectivelyPublic` predicates on `Modifiable` have been reworked to handle `private protected` and `internal protected` visibilities and explicitly implemented interfaces.
\ No newline at end of file
diff --git a/csharp/change-notes/2021-06-15-unsafe-non-source-code.md b/csharp/change-notes/2021-06-15-unsafe-non-source-code.md
new file mode 100644
index 00000000000..8e45080b132
--- /dev/null
+++ b/csharp/change-notes/2021-06-15-unsafe-non-source-code.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The `Modifiable::isUnsafe` predicate has been fixed to handle symbols that are not extracted from source code.
\ No newline at end of file
diff --git a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
index 806e73e3590..3d6cb01837e 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Modifier.cs
@@ -72,15 +72,11 @@ namespace Semmle.Extraction.CSharp.Entities
 
         public static void ExtractModifiers(Context cx, TextWriter trapFile, IEntity key, ISymbol symbol)
         {
-            var interfaceDefinition = symbol.ContainingType is not null
-                && symbol.ContainingType.Kind == SymbolKind.NamedType
-                && symbol.ContainingType.TypeKind == TypeKind.Interface;
-
             HasAccessibility(cx, trapFile, key, symbol.DeclaredAccessibility);
             if (symbol.Kind == SymbolKind.ErrorType)
                 trapFile.has_modifiers(key, Modifier.Create(cx, Accessibility.Public));
 
-            if (symbol.IsAbstract && (symbol.Kind != SymbolKind.NamedType || ((INamedTypeSymbol)symbol).TypeKind != TypeKind.Interface) && !interfaceDefinition)
+            if (symbol.IsAbstract && (symbol.Kind != SymbolKind.NamedType || ((INamedTypeSymbol)symbol).TypeKind != TypeKind.Interface))
                 HasModifier(cx, trapFile, key, "abstract");
 
             if (symbol.IsSealed)
@@ -94,10 +90,6 @@ namespace Semmle.Extraction.CSharp.Entities
             if (symbol.IsVirtual)
                 HasModifier(cx, trapFile, key, "virtual");
 
-            // For some reason, method in interfaces are "virtual", not "abstract"
-            if (symbol.IsAbstract && interfaceDefinition)
-                HasModifier(cx, trapFile, key, "virtual");
-
             if (symbol.Kind == SymbolKind.Field && ((IFieldSymbol)symbol).IsReadOnly)
                 HasModifier(cx, trapFile, key, "readonly");
 
diff --git a/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql b/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql
index 09ee699163f..47097fea753 100644
--- a/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql	
+++ b/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql	
@@ -3,7 +3,7 @@
  * @description Finds uses of hidden fields on forms
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id cs/web/html-hidden-input
  * @tags security
diff --git a/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql b/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
index e7dee2143c1..9fe53d2cc90 100644
--- a/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
+++ b/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
@@ -3,7 +3,7 @@
  * @description Finds empty passwords in configuration files.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id cs/empty-password-in-configuration
  * @tags security
diff --git a/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql b/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
index eb4756ea962..8e4dd77febd 100644
--- a/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
+++ b/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
@@ -3,7 +3,7 @@
  * @description Finds passwords in configuration files.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision medium
  * @id cs/password-in-configuration
  * @tags security
diff --git a/csharp/ql/src/Input Validation/UseOfFileUpload.ql b/csharp/ql/src/Input Validation/UseOfFileUpload.ql
index 4eb96e2c072..e936962ad51 100644
--- a/csharp/ql/src/Input Validation/UseOfFileUpload.ql	
+++ b/csharp/ql/src/Input Validation/UseOfFileUpload.ql	
@@ -3,7 +3,7 @@
  * @description Finds uses of file upload
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cs/web/file-upload
  * @tags security
diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql
index 1ee9c4a2bfa..392c3e843d7 100644
--- a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql	
+++ b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql	
@@ -5,7 +5,7 @@
  *              but under some circumstances may also result in incorrect results.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.0
  * @precision medium
  * @id cs/thread-unsafe-icryptotransform-field-in-class
  * @tags concurrency
diff --git a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
index 33f8a8ab47c..7787a1bd622 100644
--- a/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql	
+++ b/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql	
@@ -6,7 +6,7 @@
  *              but under some circumstances may also result in incorrect results.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.0
  * @precision medium
  * @id cs/thread-unsafe-icryptotransform-captured-in-lambda
  * @tags concurrency
diff --git a/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql b/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
index c9b2112b488..3bccd9b0331 100644
--- a/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql	
+++ b/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql	
@@ -4,7 +4,7 @@
  *              debug builds provide additional information useful to a malicious attacker.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision very-high
  * @id cs/web/debug-binary
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql
index 6c58c910089..5a527c96084 100644
--- a/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql	
+++ b/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql	
@@ -4,7 +4,7 @@
  *              denial-of-service attacks.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.5
  * @id cs/web/large-max-request-length
  * @tags security
  *       frameworks/asp.net
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
index 362b8a70ebe..f093a888446 100644
--- a/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql	
+++ b/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql	
@@ -3,7 +3,7 @@
  * @description ASP.NET pages should not disable the built-in request validation.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.5
  * @id cs/web/request-validation-disabled
  * @tags security
  *       frameworks/asp.net
diff --git a/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql b/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql
index a270a5928bb..dd9ed5218ff 100644
--- a/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql	
+++ b/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql	
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cs/insecure-request-validation-mode
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.5
  * @tags security
  *       external/cwe/cwe-016
  */
diff --git a/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql
index cda257234ab..6148f0f6ae9 100644
--- a/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql	
+++ b/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql	
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cs/serialization-check-bypass
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @tags security
  *       external/cwe/cwe-20
diff --git a/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql b/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql
index c378e31d8aa..ca21947ee9b 100644
--- a/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql	
+++ b/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql	
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
index bf75ab47904..b3659df1617 100644
--- a/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql	
+++ b/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql	
@@ -3,7 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id cs/path-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
index 5f6855701ed..4203f94cb33 100644
--- a/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql	
+++ b/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql	
@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id cs/zipslip
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-022
diff --git a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
index 7056d3222f2..f66f86f290e 100644
--- a/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql	
@@ -4,7 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cs/command-line-injection
  * @tags correctness
diff --git a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql
index b8264b4d8a1..b15dd866e72 100644
--- a/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql	
@@ -4,7 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id cs/stored-command-line-injection
  * @tags correctness
diff --git a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql
index fcf10553a6a..548e72dbd56 100644
--- a/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql	
+++ b/csharp/ql/src/Security Features/CWE-079/StoredXSS.ql	
@@ -4,7 +4,7 @@
  *              scripting vulnerability if the data was originally user-provided.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision medium
  * @id cs/web/stored-xss
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-079/XSS.ql b/csharp/ql/src/Security Features/CWE-079/XSS.ql
index d58a7828a6f..34a7ea87a72 100644
--- a/csharp/ql/src/Security Features/CWE-079/XSS.ql	
+++ b/csharp/ql/src/Security Features/CWE-079/XSS.ql	
@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id cs/web/xss
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql
index fde86253edc..7b9bfef0ef9 100644
--- a/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql	
@@ -4,7 +4,7 @@
  *              of malicious SQL code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision medium
  * @id cs/second-order-sql-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
index 456e36db36e..e818eaeb0af 100644
--- a/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql	
@@ -4,7 +4,7 @@
  *              malicious SQL code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id cs/sql-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
index e0e667ed8da..4878b449eb8 100644
--- a/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql	
@@ -4,7 +4,7 @@
  *              malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cs/ldap-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql
index 0c705fbce33..c2791b8f2b1 100644
--- a/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql	
@@ -4,7 +4,7 @@
  *              insertion of malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id cs/stored-ldap-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
index 4e2548895ad..1ad4fad9e41 100644
--- a/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql	
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cs/xml-injection
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-091
diff --git a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
index 8c711400d61..2d85c9aabbc 100644
--- a/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql	
@@ -4,7 +4,7 @@
  *              malicious code.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id cs/code-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
index ca32d21b3cb..dee11139a58 100644
--- a/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql	
@@ -4,7 +4,7 @@
  *              malicious user providing an unintended resource.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cs/resource-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
index b13d357980b..24716639aa5 100644
--- a/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql	
+++ b/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql	
@@ -4,7 +4,7 @@
  *              schema.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 4.3
  * @precision high
  * @id cs/xml/missing-validation
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
index 54b578d3072..9c3b9b21bac 100644
--- a/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql	
@@ -6,7 +6,7 @@
  * @kind problem
  * @id cs/assembly-path-injection
  * @problem.severity error
- * @security-severity 6.0
+ * @security-severity 8.2
  * @precision high
  * @tags security
  *       external/cwe/cwe-114
diff --git a/csharp/ql/src/Security Features/CWE-117/LogForging.ql b/csharp/ql/src/Security Features/CWE-117/LogForging.ql
index b7642d4e15a..4c31a02c86e 100644
--- a/csharp/ql/src/Security Features/CWE-117/LogForging.ql	
+++ b/csharp/ql/src/Security Features/CWE-117/LogForging.ql	
@@ -4,7 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id cs/log-forging
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql b/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
index 263429e6995..57d6e500134 100644
--- a/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql	
+++ b/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql	
@@ -5,7 +5,7 @@
  *              to return any value.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id cs/unvalidated-local-pointer-arithmetic
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
index 7494412e3b3..d079c4f9ac9 100644
--- a/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql	
+++ b/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql	
@@ -4,7 +4,7 @@
  *              and cause a denial of service.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id cs/uncontrolled-format-string
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
index fa40db533d5..ed3e5da0b1f 100644
--- a/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql	
+++ b/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql	
@@ -3,7 +3,7 @@
  * @description Transmitting sensitive information to the user is a potential security risk.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 1.4
+ * @security-severity 4.3
  * @precision high
  * @id cs/sensitive-data-transmission
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
index 23e72e4e5e9..34f45c0c64e 100644
--- a/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql	
+++ b/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql	
@@ -5,7 +5,7 @@
  *              developing a subsequent exploit.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 5.4
  * @precision high
  * @id cs/information-exposure-through-exception
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql b/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
index 323630d0c4e..416608b9115 100644
--- a/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql	
+++ b/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql	
@@ -4,7 +4,7 @@
  *              a global error handler, otherwise they may leak exception information.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id cs/web/missing-global-error-handler
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
index b19ca4ff1bd..6e957788776 100644
--- a/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql	
+++ b/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql	
@@ -4,7 +4,7 @@
  *              attacker.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id cs/cleartext-storage-of-sensitive-information
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql
index ff244adee95..20298cac6f7 100644
--- a/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql	
+++ b/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql	
@@ -4,7 +4,7 @@
  * @kind problem
  * @id cs/hardcoded-key
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
  * @tags security
  *       external/cwe/cwe-320
  */
diff --git a/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql b/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql
index 2cabc38aa8b..4de91b9a214 100644
--- a/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql	
+++ b/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql	
@@ -4,7 +4,7 @@
  * @kind path-problem
  * @id cs/hard-coded-symmetric-encryption-key
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @tags security
  *       external/cwe/cwe-321
  */
diff --git a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
index a843008e582..a4f4d63d6ee 100644
--- a/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql	
+++ b/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql	
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @id cs/adding-cert-to-root-store
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @tags security
  *       external/cwe/cwe-327
  */
diff --git a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
index a16358b1f90..fd4a37f7ee3 100644
--- a/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql	
+++ b/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql	
@@ -4,7 +4,7 @@
  * @kind path-problem
  * @id cs/insecure-sql-connection
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @tags security
  *       external/cwe/cwe-327
diff --git a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
index fb40413716f..e50566d6ca9 100644
--- a/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql	
+++ b/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql	
@@ -4,7 +4,7 @@
  *              allows a malicious attacker to submit a request on behalf of the user.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id cs/web/missing-token-validation
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
index 20323b66bb9..de509e38a3c 100644
--- a/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql	
+++ b/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql	
@@ -4,7 +4,7 @@
  *              unauthorized persons.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.5
  * @precision high
  * @id cs/exposure-of-sensitive-information
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql b/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
index 75daa5fc10c..87dab081188 100644
--- a/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql	
+++ b/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql	
@@ -5,7 +5,7 @@
  *              their session.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision high
  * @id cs/session-reuse
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql b/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
index 87757be5400..67f3ae1d7b8 100644
--- a/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql	
+++ b/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql	
@@ -4,7 +4,7 @@
  *              overlay their own UI on top of the site by using an iframe.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id cs/web/missing-x-frame-options
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
index 76035d9fcba..c0d0d7ad00b 100644
--- a/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql	
+++ b/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql	
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cs/deserialized-delegate
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-502
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
index 338347c0887..68c4822544d 100644
--- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql	
+++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql	
@@ -5,7 +5,7 @@
  * @kind problem
  * @id cs/unsafe-deserialization
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @tags security
  *       external/cwe/cwe-502
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
index 32981563ab6..949daa4986c 100644
--- a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql	
+++ b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql	
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @id cs/unsafe-deserialization-untrusted-input
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @tags security
  *       external/cwe/cwe-502
diff --git a/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql b/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
index 82532ed40e0..9416fa32f0a 100644
--- a/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql	
+++ b/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql	
@@ -3,7 +3,7 @@
  * @description Directory browsing should not be enabled in production as it can leak sensitive information.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
  * @precision very-high
  * @id cs/web/directory-browse-enabled
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
index 37594e7cf72..18aaed307b5 100644
--- a/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql	
+++ b/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql	
@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.7
+ * @security-severity 6.1
  * @precision high
  * @id cs/web/unvalidated-url-redirection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
index 2b37eb33390..29bd2386316 100644
--- a/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql	
+++ b/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql	
@@ -3,7 +3,7 @@
  * @description Untrusted XML is read with an insecure resolver and DTD processing enabled.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.1
  * @precision high
  * @id cs/xml/insecure-dtd-handling
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql b/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql
index 1073c873d8c..afda204d115 100644
--- a/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql	
+++ b/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql	
@@ -4,7 +4,7 @@
  *              be restricted using a secure resolver or disabling DTD processing.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.1
  * @precision low
  * @id cs/insecure-xml-read
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql b/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
index 49dd6e52e13..3e5e64ca22e 100644
--- a/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql	
+++ b/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql	
@@ -5,7 +5,7 @@
  *              is used at all times.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id cs/web/requiressl-not-set
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql
index 5d3ee1db4e7..c63ed490d09 100644
--- a/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql	
@@ -4,7 +4,7 @@
  *              user is vulnerable to insertion of malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id cs/xml/stored-xpath-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
index a158ccfab69..15a5cf11be9 100644
--- a/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql	
@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cs/xml/xpath-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
index 79ade61af90..7a933dc18bd 100644
--- a/csharp/ql/src/Security Features/CWE-730/ReDoS.ql	
+++ b/csharp/ql/src/Security Features/CWE-730/ReDoS.ql	
@@ -4,7 +4,7 @@
  *              exponential time on certain input.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id cs/redos
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
index 5aca2ad9c49..e358e59b612 100644
--- a/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql	
+++ b/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql	
@@ -5,7 +5,7 @@
  *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id cs/regex-injection
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
index 0aa5f9026d1..697ce99d127 100644
--- a/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql	
+++ b/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql	
@@ -3,7 +3,7 @@
  * @description Credentials are hard-coded in a connection string in the source code of the application.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cs/hardcoded-connection-string-credentials
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
index 7b183189921..34961ac0953 100644
--- a/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql	
+++ b/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql	
@@ -3,7 +3,7 @@
  * @description Credentials are hard coded in the source code of the application.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id cs/hardcoded-credentials
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
index 3922c262031..9069c77b603 100644
--- a/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql	
+++ b/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql	
@@ -4,7 +4,7 @@
  *              passing through authentication systems.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id cs/user-controlled-bypass
  * @tags security
diff --git a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
index 8b8bd478031..75982a02943 100644
--- a/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql	
+++ b/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql	
@@ -4,7 +4,7 @@
  *              pose a security risk.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision low
  * @id cs/inappropriate-encoding
  * @tags security
diff --git a/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql b/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
index 472a87441ed..ca59bd42bdc 100644
--- a/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql	
+++ b/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql	
@@ -3,7 +3,7 @@
  * @description Finds cookies with an overly broad domain.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 9.3
  * @precision high
  * @id cs/web/broad-cookie-domain
  * @tags security
diff --git a/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql b/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
index ec6953f72e1..bfb2f24f360 100644
--- a/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql	
+++ b/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql	
@@ -3,7 +3,7 @@
  * @description Finds cookies with an overly broad path.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 9.3
  * @precision high
  * @id cs/web/broad-cookie-path
  * @tags security
diff --git a/csharp/ql/src/Security Features/Encryption using ECB.ql b/csharp/ql/src/Security Features/Encryption using ECB.ql
index 72c63b9c565..ec9719aa781 100644
--- a/csharp/ql/src/Security Features/Encryption using ECB.ql	
+++ b/csharp/ql/src/Security Features/Encryption using ECB.ql	
@@ -3,7 +3,7 @@
  * @description Highlights uses of the encryption mode 'CipherMode.ECB'. This mode should normally not be used because it is vulnerable to replay attacks.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id cs/ecb-encryption
  * @tags security
diff --git a/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql b/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
index 94d01609100..631b408a5a3 100644
--- a/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql	
+++ b/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql	
@@ -3,7 +3,7 @@
  * @description Finds places where header checking is disabled.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id cs/web/disabled-header-checking
  * @tags security
diff --git a/csharp/ql/src/Security Features/InadequateRSAPadding.ql b/csharp/ql/src/Security Features/InadequateRSAPadding.ql
index ddeb9b370f6..2968b39b6b3 100644
--- a/csharp/ql/src/Security Features/InadequateRSAPadding.ql	
+++ b/csharp/ql/src/Security Features/InadequateRSAPadding.ql	
@@ -3,7 +3,7 @@
  * @description Finds uses of RSA encryption with inadequate padding.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id cs/inadequate-rsa-padding
  * @tags security
diff --git a/csharp/ql/src/Security Features/InsecureRandomness.ql b/csharp/ql/src/Security Features/InsecureRandomness.ql
index 434f8c287f2..b618bff07a5 100644
--- a/csharp/ql/src/Security Features/InsecureRandomness.ql	
+++ b/csharp/ql/src/Security Features/InsecureRandomness.ql	
@@ -5,7 +5,7 @@
  *              be generated.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id cs/insecure-randomness
  * @tags security
diff --git a/csharp/ql/src/Security Features/InsufficientKeySize.ql b/csharp/ql/src/Security Features/InsufficientKeySize.ql
index 70caea4b179..9829d1dcf4d 100644
--- a/csharp/ql/src/Security Features/InsufficientKeySize.ql	
+++ b/csharp/ql/src/Security Features/InsufficientKeySize.ql	
@@ -3,7 +3,7 @@
  * @description Finds uses of encryption algorithms with too small a key size
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id cs/insufficient-key-size
  * @tags security
diff --git a/csharp/ql/src/Security Features/PersistentCookie.ql b/csharp/ql/src/Security Features/PersistentCookie.ql
index c7041cb7a36..be99e63b906 100644
--- a/csharp/ql/src/Security Features/PersistentCookie.ql	
+++ b/csharp/ql/src/Security Features/PersistentCookie.ql	
@@ -3,7 +3,7 @@
  * @description Persistent cookies are vulnerable to attacks.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.2
  * @precision high
  * @id cs/web/persistent-cookie
  * @tags security
diff --git a/csharp/ql/src/Security Features/WeakEncryption.ql b/csharp/ql/src/Security Features/WeakEncryption.ql
index b6d543d6de7..9bf7fae7356 100644
--- a/csharp/ql/src/Security Features/WeakEncryption.ql	
+++ b/csharp/ql/src/Security Features/WeakEncryption.ql	
@@ -3,7 +3,7 @@
  * @description Finds uses of encryption algorithms that are weak and obsolete
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id cs/weak-encryption
  * @tags security
diff --git a/csharp/ql/src/semmle/code/csharp/Member.qll b/csharp/ql/src/semmle/code/csharp/Member.qll
index 520df43cfb8..191c7c85516 100644
--- a/csharp/ql/src/semmle/code/csharp/Member.qll
+++ b/csharp/ql/src/semmle/code/csharp/Member.qll
@@ -86,32 +86,69 @@ class Modifiable extends Declaration, @modifiable {
   predicate isConst() { this.hasModifier("const") }
 
   /** Holds if this declaration is `unsafe`. */
-  predicate isUnsafe() { this.hasModifier("unsafe") }
+  predicate isUnsafe() {
+    this.hasModifier("unsafe") or
+    this.(Parameterizable).getAParameter().getType() instanceof PointerType or
+    this.(Property).getType() instanceof PointerType or
+    this.(Callable).getReturnType() instanceof PointerType
+  }
 
   /** Holds if this declaration is `async`. */
   predicate isAsync() { this.hasModifier("async") }
 
+  private predicate isReallyPrivate() {
+    this.isPrivate() and
+    not this.isProtected() and
+    // Rare case when a member is defined with the same name in multiple assemblies with different visibility
+    not this.isPublic()
+  }
+
   /**
-   * Holds if this declaration is effectively `private` (either directly or
-   * because one of the enclosing types is `private`).
+   * Holds if this declaration is effectively `private`. A declaration is considered
+   * effectively `private` if it can only be referenced from
+   * - the declaring and its nested types, similarly to `private` declarations, and
+   * - the enclosing types.
+   *
+   * Note that explicit interface implementations are also considered effectively
+   * `private` if the implemented interface is itself effectively `private`. Finally,
+   * `private protected` members are not considered effectively `private`, because
+   * they can be overriden within the declaring assembly.
    */
   predicate isEffectivelyPrivate() {
-    this.isPrivate() or
-    this.getDeclaringType+().isPrivate()
+    this.isReallyPrivate() or
+    this.getDeclaringType+().(Modifiable).isReallyPrivate() or
+    this.(Virtualizable).getExplicitlyImplementedInterface().isEffectivelyPrivate()
+  }
+
+  private predicate isReallyInternal() {
+    (
+      this.isInternal() and not this.isProtected()
+      or
+      this.isPrivate() and this.isProtected()
+    ) and
+    // Rare case when a member is defined with the same name in multiple assemblies with different visibility
+    not this.isPublic()
   }
 
   /**
-   * Holds if this declaration is effectively `internal` (either directly or
-   * because one of the enclosing types is `internal`).
+   * Holds if this declaration is effectively `internal`. A declaration is considered
+   * effectively `internal` if it can only be referenced from the declaring assembly.
+   *
+   * Note that friend assemblies declared in `InternalsVisibleToAttribute` are not
+   * considered. Explicit interface implementations are also considered effectively
+   * `internal` if the implemented interface is itself effectively `internal`. Finally,
+   * `internal protected` members are not considered effectively `internal`, because
+   * they can be overriden outside the declaring assembly.
    */
   predicate isEffectivelyInternal() {
-    this.isInternal() or
-    this.getDeclaringType+().isInternal()
+    this.isReallyInternal() or
+    this.getDeclaringType+().(Modifiable).isReallyInternal() or
+    this.(Virtualizable).getExplicitlyImplementedInterface().isEffectivelyInternal()
   }
 
   /**
-   * Holds if this declaration is effectively `public`, because it
-   * and all enclosing types are `public`.
+   * Holds if this declaration is effectively `public`, meaning that it can be
+   * referenced outside the declaring assembly.
    */
   predicate isEffectivelyPublic() { not isEffectivelyPrivate() and not isEffectivelyInternal() }
 }
@@ -154,6 +191,11 @@ class Virtualizable extends Member, @virtualizable {
     implementsExplicitInterface()
   }
 
+  override predicate isPrivate() {
+    super.isPrivate() and
+    not implementsExplicitInterface()
+  }
+
   /**
    * Gets any interface this member explicitly implements; this only applies
    * to members that can be declared on an interface, i.e. methods, properties,
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
index 4e1cd281488..a55e65a81f6 100644
--- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
@@ -168,7 +168,13 @@ module Consistency {
     msg = "ArgumentNode is missing PostUpdateNode."
   }
 
-  query predicate postWithInFlow(PostUpdateNode n, string msg) {
+  // This predicate helps the compiler forget that in some languages
+  // it is impossible for a `PostUpdateNode` to be the target of
+  // `simpleLocalFlowStep`.
+  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
+
+  query predicate postWithInFlow(Node n, string msg) {
+    isPostUpdateNode(n) and
     simpleLocalFlowStep(_, n) and
     msg = "PostUpdateNode should not be the target of local flow."
   }
diff --git a/csharp/ql/test/library-tests/modifiers/Effectively.expected b/csharp/ql/test/library-tests/modifiers/Effectively.expected
index 454295f0065..36afd1bc288 100644
--- a/csharp/ql/test/library-tests/modifiers/Effectively.expected
+++ b/csharp/ql/test/library-tests/modifiers/Effectively.expected
@@ -21,3 +21,11 @@
 | Modifiers.cs:54:52:54:54 | set_P1 | public |
 | Modifiers.cs:55:20:55:21 | P2 | public |
 | Modifiers.cs:55:36:55:38 | get_P2 | public |
+| Modifiers.cs:60:22:60:23 | I1 | public |
+| Modifiers.cs:62:14:62:15 | M1 | public |
+| Modifiers.cs:63:14:63:15 | M2 | public |
+| Modifiers.cs:68:14:68:15 | M1 | internal |
+| Modifiers.cs:71:18:71:19 | C2 | public |
+| Modifiers.cs:73:17:73:18 | M1 | internal |
+| Modifiers.cs:75:32:75:33 | M2 | internal |
+| Modifiers.cs:76:33:76:34 | M3 | public |
diff --git a/csharp/ql/test/library-tests/modifiers/Modifiers.cs b/csharp/ql/test/library-tests/modifiers/Modifiers.cs
index c0377abb9e0..3868b5f9cc4 100644
--- a/csharp/ql/test/library-tests/modifiers/Modifiers.cs
+++ b/csharp/ql/test/library-tests/modifiers/Modifiers.cs
@@ -56,4 +56,23 @@ namespace N
         /*private*/
         int P3 { /*private*/ get; /*private*/ set; }
     }
+
+    public interface I1
+    {
+        void M1();
+        void M2() => throw null;
+    }
+
+    internal interface I2
+    {
+        void M1() => throw null;
+    }
+
+    public class C2 : I2
+    {
+        void I2.M1() => throw null;
+
+        protected private void M2() { }
+        protected internal void M3() { }
+    }
 }
diff --git a/csharp/ql/test/library-tests/modifiers/Modifiers.expected b/csharp/ql/test/library-tests/modifiers/Modifiers.expected
index 8f89e302453..50f6ee31a0b 100644
--- a/csharp/ql/test/library-tests/modifiers/Modifiers.expected
+++ b/csharp/ql/test/library-tests/modifiers/Modifiers.expected
@@ -44,3 +44,17 @@
 | Modifiers.cs:57:13:57:14 | P3 | file://:0:0:0:0 | private |
 | Modifiers.cs:57:30:57:32 | get_P3 | file://:0:0:0:0 | private |
 | Modifiers.cs:57:47:57:49 | set_P3 | file://:0:0:0:0 | private |
+| Modifiers.cs:60:22:60:23 | I1 | file://:0:0:0:0 | public |
+| Modifiers.cs:62:14:62:15 | M1 | file://:0:0:0:0 | abstract |
+| Modifiers.cs:62:14:62:15 | M1 | file://:0:0:0:0 | public |
+| Modifiers.cs:63:14:63:15 | M2 | file://:0:0:0:0 | public |
+| Modifiers.cs:63:14:63:15 | M2 | file://:0:0:0:0 | virtual |
+| Modifiers.cs:66:24:66:25 | I2 | file://:0:0:0:0 | internal |
+| Modifiers.cs:68:14:68:15 | M1 | file://:0:0:0:0 | public |
+| Modifiers.cs:68:14:68:15 | M1 | file://:0:0:0:0 | virtual |
+| Modifiers.cs:71:18:71:19 | C2 | file://:0:0:0:0 | public |
+| Modifiers.cs:73:17:73:18 | M1 | file://:0:0:0:0 | private |
+| Modifiers.cs:75:32:75:33 | M2 | file://:0:0:0:0 | private |
+| Modifiers.cs:75:32:75:33 | M2 | file://:0:0:0:0 | protected |
+| Modifiers.cs:76:33:76:34 | M3 | file://:0:0:0:0 | internal |
+| Modifiers.cs:76:33:76:34 | M3 | file://:0:0:0:0 | protected |
diff --git a/csharp/ql/test/library-tests/unsafe/unsafe4.ql b/csharp/ql/test/library-tests/unsafe/unsafe4.ql
index 8aa38fc8fbb..c086e0c00a5 100644
--- a/csharp/ql/test/library-tests/unsafe/unsafe4.ql
+++ b/csharp/ql/test/library-tests/unsafe/unsafe4.ql
@@ -1,3 +1,3 @@
 import csharp
 
-select any(Modifiable m | m.isUnsafe())
+select any(Modifiable m | m.isUnsafe() and m.fromSource())
diff --git a/docs/codeql/support/reusables/frameworks.rst b/docs/codeql/support/reusables/frameworks.rst
index 0205c4b2df9..790cfd0ada7 100644
--- a/docs/codeql/support/reusables/frameworks.rst
+++ b/docs/codeql/support/reusables/frameworks.rst
@@ -1,7 +1,7 @@
 C and C++ built-in support
 ================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -14,7 +14,7 @@ C and C++ built-in support
 C# built-in support
 ================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -84,7 +84,7 @@ Go built-in support
 Java built-in support
 ==================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -109,7 +109,7 @@ Java built-in support
 JavaScript and TypeScript built-in support
 =======================================================
 
-.. csv-table:: 
+.. csv-table::
    :header-rows: 1
    :class: fullWidthTable
    :widths: auto
@@ -165,6 +165,8 @@ Python built-in support
    invoke, Utility library
    multidict, Utility library
    yarl, Utility library
+   aioch, Database
+   clickhouse-driver, Database
    mysql-connector-python, Database
    mysql-connector, Database
    MySQL-python, Database
diff --git a/docs/codeql/support/reusables/versions-compilers.rst b/docs/codeql/support/reusables/versions-compilers.rst
index 74b9c196564..52f373d1d2a 100644
--- a/docs/codeql/support/reusables/versions-compilers.rst
+++ b/docs/codeql/support/reusables/versions-compilers.rst
@@ -4,9 +4,9 @@
    :stub-columns: 1
 
    Language,Variants,Compilers,Extensions
-   C/C++,"C89, C99, C11, C18, C++98, C++03, C++11, C++14, C++17","Clang (and clang-cl [1]_) extensions (up to Clang 9.0),
+   C/C++,"C89, C99, C11, C18, C++98, C++03, C++11, C++14, C++17","Clang (and clang-cl [1]_) extensions (up to Clang 12.0),
 
-   GNU extensions (up to GCC 9.2),
+   GNU extensions (up to GCC 11.1),
 
    Microsoft extensions (up to VS 2019),
 
diff --git a/java/change-notes/2021-03-22-jax-rs-improvements.md b/java/change-notes/2021-03-22-jax-rs-improvements.md
new file mode 100644
index 00000000000..0fe567fab89
--- /dev/null
+++ b/java/change-notes/2021-03-22-jax-rs-improvements.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for detecting XSS via JAX-RS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap).
diff --git a/java/change-notes/2021-04-06-ssrf-query.md b/java/change-notes/2021-04-06-ssrf-query.md
new file mode 100644
index 00000000000..96afb56f1f8
--- /dev/null
+++ b/java/change-notes/2021-04-06-ssrf-query.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The query "Server-side request forgery (SSRF)" (`java/ssrf`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @porcupineyhairs](https://github.com/github/codeql/pull/3454).
+* Models for `URI` and `HttpRequest` in the `java.net` package have been improved. This may lead to more results from any query where these types' methods are relevant.
+* Models for Apache HttpComponents' `RequestLine` and `BasicRequestLine` types. This may lead to more results from any query where these types' methods are relevant.
diff --git a/java/change-notes/2021-05-11-apache-tuples.md b/java/change-notes/2021-05-11-apache-tuples.md
new file mode 100644
index 00000000000..2eab20ecd4f
--- /dev/null
+++ b/java/change-notes/2021-05-11-apache-tuples.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models for the Apache Commons Lang tuple types (Pair, Triple and their immutable and mutable implementations). This may lead to more results from any query using data-flow analysis where a relevant path uses one of these container types.
diff --git a/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md b/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
new file mode 100644
index 00000000000..f294b223d01
--- /dev/null
+++ b/java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+  now recognizes `JYaml`, `JsonIO`, `YAMLBeans`, `Castor`, `Hessian` and `Burlap` deserialization.
diff --git a/java/documentation/library-coverage/coverage.csv b/java/documentation/library-coverage/coverage.csv
new file mode 100644
index 00000000000..b7b83a6c217
--- /dev/null
+++ b/java/documentation/library-coverage/coverage.csv
@@ -0,0 +1,44 @@
+package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:information-leak,sink:jexl,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
+android.util,,16,,,,,,,,,,,,,16,,
+android.webkit,3,2,,,,,,,,,,,,3,2,,
+com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,1,
+com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,1,
+com.fasterxml.jackson.databind,,,3,,,,,,,,,,,,,3,
+com.google.common.base,,,34,,,,,,,,,,,,,28,6
+com.google.common.io,6,,73,,,,,,,,,6,,,,72,1
+com.unboundid.ldap.sdk,17,,,,,,,,17,,,,,,,,
+java.beans,,,1,,,,,,,,,,,,,1,
+java.io,3,,20,,3,,,,,,,,,,,20,
+java.lang,,,3,,,,,,,,,,,,,1,2
+java.net,2,3,4,,,,,,,2,,,,,3,4,
+java.nio,10,,2,,10,,,,,,,,,,,2,
+java.util,,,283,,,,,,,,,,,,,15,268
+javax.naming.directory,1,,,,,,,,1,,,,,,,,
+javax.net.ssl,2,,,,,,,,,,2,,,,,,
+javax.servlet,4,21,2,,,3,1,,,,,,,,21,2,
+javax.validation,1,1,,1,,,,,,,,,,,1,,
+javax.ws.rs.core,1,,,,,1,,,,,,,,,,,
+javax.xml.transform.sax,,,4,,,,,,,,,,,,,4,
+javax.xml.transform.stream,,,2,,,,,,,,,,,,,2,
+javax.xml.xpath,3,,,,,,,,,,,,3,,,,
+org.apache.commons.codec,,,2,,,,,,,,,,,,,2,
+org.apache.commons.io,,,22,,,,,,,,,,,,,22,
+org.apache.commons.jexl2,15,,,,,,,15,,,,,,,,,
+org.apache.commons.jexl3,15,,,,,,,15,,,,,,,,,
+org.apache.commons.lang3,,,370,,,,,,,,,,,,,324,46
+org.apache.commons.text,,,272,,,,,,,,,,,,,220,52
+org.apache.directory.ldap.client.api,1,,,,,,,,1,,,,,,,,
+org.apache.hc.core5.function,,,1,,,,,,,,,,,,,1,
+org.apache.hc.core5.http,1,2,39,,,,,,,,,,,1,2,39,
+org.apache.hc.core5.net,,,2,,,,,,,,,,,,,2,
+org.apache.hc.core5.util,,,24,,,,,,,,,,,,,18,6
+org.apache.http,2,3,67,,,,,,,,,,,2,3,59,8
+org.dom4j,20,,,,,,,,,,,,20,,,,
+org.springframework.ldap.core,14,,,,,,,,14,,,,,,,,
+org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,6,,
+org.springframework.web.client,,3,,,,,,,,,,,,,3,,
+org.springframework.web.context.request,,8,,,,,,,,,,,,,8,,
+org.springframework.web.multipart,,12,,,,,,,,,,,,,12,,
+org.xml.sax,,,1,,,,,,,,,,,,,1,
+org.xmlpull.v1,,3,,,,,,,,,,,,,3,,
+play.mvc,,4,,,,,,,,,,,,,4,,
diff --git a/java/documentation/library-coverage/flow-model-coverage.rst b/java/documentation/library-coverage/coverage.rst
similarity index 53%
rename from java/documentation/library-coverage/flow-model-coverage.rst
rename to java/documentation/library-coverage/coverage.rst
index b9b54aad158..c99a41d3be2 100644
--- a/java/documentation/library-coverage/flow-model-coverage.rst
+++ b/java/documentation/library-coverage/coverage.rst
@@ -8,12 +8,14 @@ Java framework & library support
 
    Framework / library,Package,Remote flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
    Android,``android.*``,18,,3,,,3,,,,
-   Apache,``org.apache.*``,5,648,4,,,3,,1,,
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
-   Google,``com.google.common.*``,,97,6,,6,,,,,
-   Java Standard Library,``java.*``,3,41,15,13,,,,,,2
+   `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,370,,,,,,,,
+   `Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,,
+   `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,133,3,,,3,,,,
+   `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,107,6,,6,,,,,
+   Java Standard Library,``java.*``,3,313,15,13,,,,,,2
    Java extensions,``javax.*``,22,8,12,,,,,1,1,
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
-   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
-   Totals,,84,821,91,13,6,6,,33,1,2
+   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.directory.ldap.client.api``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,8,68,,,,,18,,
+   Totals,,84,1233,121,13,6,6,,33,1,2
 
diff --git a/java/documentation/library-coverage/flow-model-coverage.csv b/java/documentation/library-coverage/flow-model-coverage.csv
deleted file mode 100644
index 464228bb022..00000000000
--- a/java/documentation/library-coverage/flow-model-coverage.csv
+++ /dev/null
@@ -1,42 +0,0 @@
-package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:information-leak,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
-android.util,,16,,,,,,,,,,,,16,,
-android.webkit,3,2,,,,,,,,,,,3,2,,
-com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,1,
-com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,1,
-com.fasterxml.jackson.databind,,,2,,,,,,,,,,,,2,
-com.google.common.base,,,28,,,,,,,,,,,,22,6
-com.google.common.io,6,,69,,,,,,,,6,,,,68,1
-com.unboundid.ldap.sdk,17,,,,,,,17,,,,,,,,
-java.beans,,,1,,,,,,,,,,,,1,
-java.io,3,,20,,3,,,,,,,,,,20,
-java.lang,,,1,,,,,,,,,,,,1,
-java.net,2,3,4,,,,,,2,,,,,3,4,
-java.nio,10,,2,,10,,,,,,,,,,2,
-java.util,,,13,,,,,,,,,,,,13,
-javax.naming.directory,1,,,,,,,1,,,,,,,,
-javax.net.ssl,2,,,,,,,,,2,,,,,,
-javax.servlet,4,21,2,,,3,1,,,,,,,21,2,
-javax.validation,1,1,,1,,,,,,,,,,1,,
-javax.ws.rs.core,1,,,,,1,,,,,,,,,,
-javax.xml.transform.sax,,,4,,,,,,,,,,,,4,
-javax.xml.transform.stream,,,2,,,,,,,,,,,,2,
-javax.xml.xpath,3,,,,,,,,,,,3,,,,
-org.apache.commons.codec,,,2,,,,,,,,,,,,2,
-org.apache.commons.io,,,22,,,,,,,,,,,,22,
-org.apache.commons.lang3,,,313,,,,,,,,,,,,299,14
-org.apache.commons.text,,,203,,,,,,,,,,,,203,
-org.apache.directory.ldap.client.api,1,,,,,,,1,,,,,,,,
-org.apache.hc.core5.function,,,1,,,,,,,,,,,,1,
-org.apache.hc.core5.http,1,2,39,,,,,,,,,,1,2,39,
-org.apache.hc.core5.net,,,2,,,,,,,,,,,,2,
-org.apache.hc.core5.util,,,22,,,,,,,,,,,,18,4
-org.apache.http,2,3,66,,,,,,,,,,2,3,59,7
-org.dom4j,20,,,,,,,,,,,20,,,,
-org.springframework.ldap.core,14,,,,,,,14,,,,,,,,
-org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,6,,
-org.springframework.web.client,,3,,,,,,,,,,,,3,,
-org.springframework.web.context.request,,8,,,,,,,,,,,,8,,
-org.springframework.web.multipart,,12,,,,,,,,,,,,12,,
-org.xml.sax,,,1,,,,,,,,,,,,1,
-org.xmlpull.v1,,3,,,,,,,,,,,,3,,
-play.mvc,,4,,,,,,,,,,,,4,,
diff --git a/java/documentation/library-coverage/frameworks.csv b/java/documentation/library-coverage/frameworks.csv
index 0e39bc51836..751883eaf4b 100644
--- a/java/documentation/library-coverage/frameworks.csv
+++ b/java/documentation/library-coverage/frameworks.csv
@@ -1,8 +1,10 @@
-Framework name,URL,Package prefix
+Framework name,URL,Package prefixes
 Java Standard Library,,java.*
-Google,,com.google.common.*
-Apache,,org.apache.*
+Java extensions,,javax.*
+Google Guava,https://guava.dev/,com.google.common.*
 Apache Commons IO,https://commons.apache.org/proper/commons-io/,org.apache.commons.io
+Apache Commons Lang,https://commons.apache.org/proper/commons-lang/,org.apache.commons.lang3
+Apache Commons Text,https://commons.apache.org/proper/commons-text/,org.apache.commons.text
+Apache HttpComponents,https://hc.apache.org/,org.apache.hc.core5.* org.apache.http
 Android,,android.*
-Spring,https://spring.io/,org.springframework.*
-Java extensions,,javax.*
\ No newline at end of file
+Spring,https://spring.io/,org.springframework.*
\ No newline at end of file
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
index 6b08a14c244..cbd74a838f3 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
@@ -7,7 +7,7 @@
  *              Such operations could interfere with the EJB container's operation.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/container-interference
  * @tags reliability
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
index 62b2d5f48ec..ec406ac3171 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
@@ -5,7 +5,7 @@
  *              for enterprise components.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/file-io
  * @tags reliability
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
index 787ae9a72c5..bbc57fca5e9 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
@@ -4,7 +4,7 @@
  *              Such use could compromise security and system stability.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/native-code
  * @tags reliability
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
index 4e6eea2cbf1..7bc062209df 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
@@ -4,7 +4,7 @@
  *              as this could compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/reflection
  * @tags external/cwe/cwe-573
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
index 4efde8d82bf..ea8a7087d26 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
@@ -5,7 +5,7 @@
  *              This functionality is reserved for the EJB container for security reasons.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/security-configuration-access
  * @tags external/cwe/cwe-573
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
index 02c493c7a70..7de0a0f8aed 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
@@ -4,7 +4,7 @@
  *              the Java serialization protocol, since their use could compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/substitution-in-serialization
  * @tags external/cwe/cwe-573
diff --git a/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql b/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
index 8011b3c1d22..e8b898b00cc 100644
--- a/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
+++ b/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
@@ -5,7 +5,7 @@
  *              compromise security or interfere with the EJB container's operation.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/socket-or-stream-handler-factory
  * @tags reliability
diff --git a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
index 52bb9f04289..29b60cae012 100644
--- a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql	
+++ b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql	
@@ -5,7 +5,7 @@
  *              numeric errors such as overflows.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision very-high
  * @id java/implicit-cast-in-compound-assignment
  * @tags reliability
diff --git a/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql b/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql
index fb1a44b2222..f2b78dcaf18 100644
--- a/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql	
+++ b/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql	
@@ -4,7 +4,7 @@
  *              guarantee an evenly distributed sequence of random numbers.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/random-used-once
  * @tags reliability
diff --git a/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql b/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql
index 4a3fc548085..10a054f4106 100644
--- a/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql	
+++ b/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql	
@@ -4,7 +4,7 @@
  *              may cause a deadlock.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @precision medium
  * @id java/unreleased-lock
  * @tags reliability
diff --git a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
index bf2e3f06f26..63c66ffa9d0 100644
--- a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
index ac3ec8664a2..adb51f751b4 100644
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -3,7 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id java/path-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
index 90b77661500..ebd9c4f079d 100644
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
@@ -3,7 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id java/path-injection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
index 1a70b273d84..a7c15a82b87 100644
--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id java/zipslip
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-022
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql b/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
index f7d844f225a..501826c6426 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
@@ -4,7 +4,7 @@
  *              malicious changes in the PATH environment variable.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/relative-path-command
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
index fc409bcfd5a..e95d81dcf06 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -4,7 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/command-line-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
index c98a45a06d8..febd020db46 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -4,7 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/command-line-injection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
index a3b88b40ae7..d250b242c05 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -4,7 +4,7 @@
  *              insertion of special characters in the strings.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/concatenated-command-line
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
index d864d24a95e..f1f8a5afa9b 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id java/xss
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
index 44ab185b3b5..e16a9bbc2e9 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision medium
  * @id java/xss-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index d002bb96ce1..28b09d37dbb 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id java/sql-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
index ada846dcf47..df5807f3f5f 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision medium
  * @id java/sql-injection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
index 9ddd5def883..6ec2be3e1c8 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -4,7 +4,7 @@
  *              characters is vulnerable to insertion of malicious code.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id java/concatenated-sql-query
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
index 5a7ab632a55..df57a810033 100644
--- a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
@@ -4,7 +4,7 @@
  *              malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/ldap-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
index f865d7d16b1..a673142f810 100644
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -3,7 +3,7 @@
  * @description User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id java/insecure-bean-validation
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
index cf555aa3442..c780fa60f20 100644
--- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -4,7 +4,7 @@
  *              may lead to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id java/jexl-expression-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
index 76fa154ae7b..350358b69c1 100644
--- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -5,7 +5,7 @@
  *              an HTTP header.
  * @kind problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id java/netty-http-response-splitting
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
index 92468d61936..d32e7544f3e 100644
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -4,7 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id java/http-response-splitting
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
index ff9a379d1f7..608636982c9 100644
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -4,7 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision medium
  * @id java/http-response-splitting-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
index ca5d05db10c..8ccf937355c 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
@@ -3,7 +3,7 @@
  * @description Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-construction
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
index f3471027561..62038fe73a6 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
@@ -4,7 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-construction-code-specified
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
index 94e06109da4..db7dfc0aec5 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
@@ -4,7 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-construction-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
index 5fe23b564d6..4cc9c58e64f 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
@@ -3,7 +3,7 @@
  * @description Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-index
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
index 99c819533cb..79911f5422d 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
@@ -4,7 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-index-code-specified
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
index c246bcff158..537c47b34cc 100644
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
@@ -4,7 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-index-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
index 0208955e10f..4e319b388e6 100644
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
@@ -3,7 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id java/tainted-format-string
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
index 5dd2f629393..36027f97c30 100644
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -3,7 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision medium
  * @id java/tainted-format-string-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
index 261c6891039..5fa48ee10d1 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -4,7 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/tainted-arithmetic
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
index 54e3fa1b10a..20bec26dd9f 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
@@ -4,7 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/tainted-arithmetic-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index ad67e3b55bc..9cc3dfbabeb 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,7 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/uncontrolled-arithmetic
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
index 0ffcbec38e6..5c49e1b3229 100644
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -4,7 +4,7 @@
  *              is then used in an arithmetic expression, this may result in an overflow.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/extreme-value-arithmetic
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql b/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
index c6e72a94b65..259f36fb42b 100644
--- a/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -4,7 +4,7 @@
  *              to behave unexpectedly.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision medium
  * @id java/comparison-with-wider-type
  * @tags reliability
diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
index bf96ee8d1bb..3b085b609b2 100644
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -5,7 +5,7 @@
  *              that are useful to an attacker for developing a subsequent exploit.
  * @kind problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 5.4
  * @precision high
  * @id java/stack-trace-exposure
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
index d7a5f374953..1828b924752 100644
--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -3,7 +3,7 @@
  * @description Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.9
  * @precision high
  * @id java/unsafe-hostname-verification
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
index 00527d4ab60..e14b9bfe552 100644
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
@@ -3,7 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision medium
  * @id java/cleartext-storage-in-class
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
index 7a3c55379de..c5a76434dcd 100644
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
@@ -3,7 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision high
  * @id java/cleartext-storage-in-cookie
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql b/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
index 7f05192357d..495fd3f6f20 100644
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
@@ -3,7 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id java/cleartext-storage-in-properties
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
index 544197f0252..001afb8efb1 100644
--- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -3,7 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/non-https-url
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-319/UseSSL.ql b/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
index b4fabf15940..1b267af52cf 100644
--- a/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
@@ -3,7 +3,7 @@
  * @description Non-SSL connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/non-ssl-connection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
index 6fa51d4caf2..5defe0cd612 100644
--- a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
@@ -4,7 +4,7 @@
  *              third parties.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/non-ssl-socket-factory
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
index 194d7ecf7d5..5c8a5b51df0 100644
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -3,7 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id java/weak-cryptographic-algorithm
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
index fac3d66f2b8..1b99c53561b 100644
--- a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -3,7 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/potentially-weak-cryptographic-algorithm
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql b/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
index 2cd7bbae1dd..9b873aa407f 100644
--- a/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+++ b/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
@@ -3,7 +3,7 @@
  * @description Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/predictable-seed
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
index 6a456fbae32..9a530e5078f 100644
--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
@@ -3,7 +3,7 @@
  * @description Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision very-high
  * @id java/jhipster-prng
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
index d7fe7b8611e..9bca9dc3ed9 100644
--- a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+++ b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -4,7 +4,7 @@
  *              a Cross-Site Request Forgery (CSRF) attack.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id java/spring-disabled-csrf-protection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql b/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
index 740dd6ba314..2fb46ad8943 100644
--- a/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
+++ b/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
@@ -4,7 +4,7 @@
  *              if the state may be changed between the check and use.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.7
  * @precision medium
  * @id java/toctou-race-condition
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql b/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
index d4301a3d620..c8515f2b085 100644
--- a/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
+++ b/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
@@ -3,7 +3,7 @@
  * @description Opening a socket after authenticating via a different channel may allow an attacker to connect to the port first.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 7.2
  * @precision medium
  * @id java/socket-auth-race-condition
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
index 0d1f21ca87f..e9600f11b93 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, and Java IO serialization through
-<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap 
+and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
 
@@ -75,6 +75,22 @@ Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
 SnakeYaml documentation on deserialization:
 <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
 </li>
+<li>
+Hessian deserialization and related gadget chains:
+<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
+</li>
+<li>
+Castor and Hessian java deserialization vulnerabilities:
+<a href="https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/">Castor and Hessian deserialization</a>.
+</li>
+<li>
+Remote code execution in JYaml library:
+<a href="https://www.cybersecurity-help.cz/vdb/SB2020022512">JYaml deserialization</a>.
+</li>
+<li>
+JsonIO deserialization vulnerabilities:
+<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
+</li>
 </references>
 
 </qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
index 82dd42c3c32..606468d451d 100644
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -4,7 +4,7 @@
  *              execute arbitrary code.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/unsafe-deserialization
  * @tags security
@@ -22,6 +22,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ClassInstanceExpr cie |
+      cie.getArgument(0) = pred.asExpr() and
+      cie = succ.asExpr() and
+      (
+        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
+        cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
+        cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
+        cie.getConstructor().getDeclaringType() instanceof BurlapInput
+      )
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof BurlapInputInitMethod and
+      ma.getArgument(0) = pred.asExpr() and
+      ma.getQualifier() = succ.asExpr()
+    )
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      cie = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      ma.getArgument(0) = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
index 7d072091245..02840afaf65 100644
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.7
+ * @security-severity 6.1
  * @precision high
  * @id java/unvalidated-url-redirection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
index 4f60a15d8a6..a8157748d7b 100644
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 2.7
+ * @security-severity 6.1
  * @precision medium
  * @id java/unvalidated-url-redirection-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.ql b/java/ql/src/Security/CWE/CWE-611/XXE.ql
index dc277337769..bfcedb19d17 100644
--- a/java/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -4,7 +4,7 @@
  * references may lead to disclosure of confidential data or denial of service.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.1
  * @precision high
  * @id java/xxe
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
index ef6d143ece8..d71be47bc79 100644
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -4,7 +4,7 @@
  *              interception.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision high
  * @id java/insecure-cookie
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
index 0dd73370569..9e2d1c1a2ac 100644
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/xml/xpath-injection
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
index 0518b99e221..fcc2651ae9e 100644
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
@@ -4,7 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.0
  * @precision high
  * @id java/tainted-numeric-cast
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
index 519e4c398ee..ad02cb21bc7 100644
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
@@ -4,7 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 9.0
  * @precision medium
  * @id java/tainted-numeric-cast-local
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
index 3797f11dfd5..7d2a309c6c0 100644
--- a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+++ b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
@@ -4,7 +4,7 @@
  *              the file may be modified or removed by external actors.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id java/world-writable-file-read
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
index 5300e3864ef..13cb2a7a69d 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -3,7 +3,7 @@
  * @description Using a hard-coded credential in a call to a sensitive Java API may compromise security.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/hardcoded-credential-api-call
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
index 8583f4bef39..d43530f7d69 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
@@ -3,7 +3,7 @@
  * @description Comparing a parameter to a hard-coded credential may compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id java/hardcoded-credential-comparison
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
index 724916f1511..e14188905fa 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
@@ -3,7 +3,7 @@
  * @description Using a hard-coded credential in a sensitive call may compromise security.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id java/hardcoded-credential-sensitive-call
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
index 4464268a5ec..0a98c000300 100644
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
@@ -3,7 +3,7 @@
  * @description Hard-coding a password string may compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id java/hardcoded-password-field
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
index 6f1c7275bb4..0dca7acd64d 100644
--- a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
+++ b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
@@ -4,7 +4,7 @@
  *              passing through authentication systems.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id java/user-controlled-bypass
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
index 7eb03c1ecd7..beabdead5af 100644
--- a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+++ b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
@@ -4,7 +4,7 @@
  *              permissions being granted.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id java/tainted-permissions-check
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
index d3b833eaf72..0123354572d 100644
--- a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+++ b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
@@ -3,7 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision very-high
  * @id java/maven/non-https-url
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql b/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
index 241965f4b09..5ad653bd6dd 100644
--- a/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
+++ b/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
@@ -3,7 +3,7 @@
  * @description Acquiring multiple locks in a different order may cause deadlock.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 5.0
  * @precision medium
  * @id java/lock-order-inconsistency
  * @tags security
diff --git a/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql b/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
index 4fe1c38c6d5..35f951d6d52 100644
--- a/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
+++ b/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
@@ -5,7 +5,7 @@
  *              looping.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision medium
  * @id java/unreachable-exit-in-loop
  * @tags security
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.java b/java/ql/src/Security/CWE/CWE-918/RequestForgery.java
similarity index 100%
rename from java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.java
rename to java/ql/src/Security/CWE/CWE-918/RequestForgery.java
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qhelp b/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
similarity index 55%
rename from java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qhelp
rename to java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
index 0a34747413d..f89198ee378 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qhelp
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
@@ -5,22 +5,24 @@
 
 
 <overview>
-<p>Directly incorporating user input into a HTTP request without validating the input
-can facilitate Server Side Request Forgery (SSRF) attacks. In these attacks, the server
-may be tricked into making a request and interacting with an attacker-controlled server. 
+<p>Directly incorporating user input into an HTTP request without validating the input
+can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server
+may be tricked into making a request and interacting with an attacker-controlled server.
 </p>
 
 </overview>
 <recommendation>
 
-<p>To guard against SSRF attacks, it is advisable to avoid putting user input
-directly into the request URL. Instead, maintain a list of authorized
-URLs on the server; then choose from that list based on the user input provided.</p>
+<p>To guard against SSRF attacks, you should avoid putting user-provided input
+directly into a request URL. Instead, maintain a list of authorized
+URLs on the server; then choose from that list based on the input provided.
+Alternatively, ensure requests constructed from user input are limited to
+a particular host or more restrictive URL prefix.</p>
 
 </recommendation>
 <example>
 
-<p>The following example shows an HTTP request parameter being used directly in a forming a
+<p>The following example shows an HTTP request parameter being used directly to form a
 new request without validating the input, which facilitates SSRF attacks.
 It also shows how to remedy the problem by validating the user input against a known fixed string.
 </p>
diff --git a/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql b/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
new file mode 100644
index 00000000000..7a1ff4ac933
--- /dev/null
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Server-side request forgery
+ * @description Making web requests based on unvalidated user-input
+ *              may cause the server to communicate with malicious servers.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import java
+import semmle.code.java.security.RequestForgeryConfig
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential server-side request forgery due to $@.",
+  source.getNode(), "a user-provided value"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.java b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.java
new file mode 100644
index 00000000000..ee98929312b
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.java
@@ -0,0 +1,33 @@
+import bsh.Interpreter;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.scripting.bsh.BshScriptEvaluator;
+import org.springframework.scripting.support.StaticScriptSource;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class BeanShellInjection {
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		BshScriptEvaluator evaluator = new BshScriptEvaluator();
+		evaluator.evaluate(new StaticScriptSource(code)); //bad
+	}
+
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) throws Exception {
+		String code = request.getParameter("code");
+		Interpreter interpreter = new Interpreter();
+		interpreter.eval(code);  //bad
+	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		StaticScriptSource staticScriptSource = new StaticScriptSource("test");
+		staticScriptSource.setScript(code);
+		BshScriptEvaluator evaluator = new BshScriptEvaluator();
+		evaluator.evaluate(staticScriptSource);  //bad
+	}
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qhelp b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qhelp
new file mode 100644
index 00000000000..f86d7759552
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qhelp
@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+BeanShell is a small, free, embeddable Java source interpreter with object scripting language 
+features, written in Java. BeanShell dynamically executes standard Java syntax and extends it 
+with common scripting conveniences such as loose types, commands, and method closures like 
+those in Perl and JavaScript. If a BeanShell expression is built using attacker-controlled data, 
+and then evaluated, then it may allow the attacker to run arbitrary code.
+</p>
+</overview>
+
+<recommendation>
+<p>
+It is generally recommended to avoid using untrusted input in a BeanShell expression.
+If it is not possible, BeanShell expressions should be run in a sandbox that allows accessing only
+explicitly allowed classes.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses untrusted data to build and run a BeanShell expression.
+</p>
+<sample src="BeanShellInjection.java" />
+</example>
+
+<references>
+<li>
+CVE-2016-2510:<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-2510">BeanShell Injection</a>.
+</li>
+</references>
+</qhelp>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
new file mode 100644
index 00000000000..b8301d4f977
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
@@ -0,0 +1,47 @@
+/**
+ * @name BeanShell injection
+ * @description Evaluation of a user-controlled BeanShell expression
+ *              may lead to arbitrary code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/beanshell-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import BeanShellInjection
+import semmle.code.java.dataflow.FlowSources
+import DataFlow::PathGraph
+
+class BeanShellInjectionConfig extends TaintTracking::Configuration {
+  BeanShellInjectionConfig() { this = "BeanShellInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructedType()
+          .hasQualifiedName("org.springframework.scripting.support", "StaticScriptSource") and
+      cie.getArgument(0) = prod.asExpr() and
+      cie = succ.asExpr()
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().hasName("setScript") and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName("org.springframework.scripting.support", "StaticScriptSource") and
+      ma.getArgument(0) = prod.asExpr() and
+      ma.getQualifier() = succ.asExpr()
+    )
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, BeanShellInjectionConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "BeanShell injection from $@.", source.getNode(),
+  "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll
new file mode 100644
index 00000000000..3d1cc122339
--- /dev/null
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll
@@ -0,0 +1,28 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+
+/** A call to `Interpreter.eval`. */
+class InterpreterEvalCall extends MethodAccess {
+  InterpreterEvalCall() {
+    this.getMethod().hasName("eval") and
+    this.getMethod().getDeclaringType().hasQualifiedName("bsh", "Interpreter")
+  }
+}
+
+/** A call to `BshScriptEvaluator.evaluate`. */
+class BshScriptEvaluatorEvaluateCall extends MethodAccess {
+  BshScriptEvaluatorEvaluateCall() {
+    this.getMethod().hasName("evaluate") and
+    this.getMethod()
+        .getDeclaringType()
+        .hasQualifiedName("org.springframework.scripting.bsh", "BshScriptEvaluator")
+  }
+}
+
+/** A sink for BeanShell expression injection vulnerabilities. */
+class BeanShellInjectionSink extends DataFlow::Node {
+  BeanShellInjectionSink() {
+    this.asExpr() = any(InterpreterEvalCall iec).getArgument(0) or
+    this.asExpr() = any(BshScriptEvaluatorEvaluateCall bseec).getArgument(0)
+  }
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
index 4c0dc624d07..2aa2d487cae 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -74,12 +74,9 @@ class MatchesHttpOnlyConfiguration extends TaintTracking2::Configuration {
   }
 }
 
-/** A class descended from `javax.servlet.http.Cookie` or `javax/jakarta.ws.rs.core.Cookie`. */
+/** A class descended from `javax.servlet.http.Cookie`. */
 class CookieClass extends RefType {
-  CookieClass() {
-    this.getASupertype*()
-        .hasQualifiedName(["javax.servlet.http", "javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
-  }
+  CookieClass() { this.getASupertype*().hasQualifiedName("javax.servlet.http", "Cookie") }
 }
 
 /** Holds if `expr` is any boolean-typed expression other than literal `false`. */
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
index 97d2f6dad33..8945f30fd45 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
@@ -194,15 +194,6 @@ predicate urlOpen(DataFlow::Node node1, DataFlow::Node node2) {
   )
 }
 
-/** Constructor of `BasicRequestLine` */
-predicate basicRequestLine(DataFlow::Node node1, DataFlow::Node node2) {
-  exists(ConstructorCall mcc |
-    mcc.getConstructedType().hasQualifiedName("org.apache.http.message", "BasicRequestLine") and
-    mcc.getArgument(1) = node1.asExpr() and // `BasicRequestLine(String method, String uri, ProtocolVersion version)
-    node2.asExpr() = mcc
-  )
-}
-
 class BasicAuthFlowConfig extends TaintTracking::Configuration {
   BasicAuthFlowConfig() { this = "InsecureBasicAuth::BasicAuthFlowConfig" }
 
@@ -236,7 +227,6 @@ class BasicAuthFlowConfig extends TaintTracking::Configuration {
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     apacheHttpRequest(node1, node2) or
     createURI(node1, node2) or
-    basicRequestLine(node1, node2) or
     createURL(node1, node2) or
     urlOpen(node1, node2)
   }
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
deleted file mode 100644
index c3bf787881f..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.ql
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * @name Server Side Request Forgery (SSRF)
- * @description Making web requests based on unvalidated user-input
- *              may cause server to communicate with malicious servers.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/ssrf
- * @tags security
- *       external/cwe/cwe-918
- */
-
-import java
-import semmle.code.java.dataflow.FlowSources
-import RequestForgery
-import DataFlow::PathGraph
-
-class RequestForgeryConfiguration extends TaintTracking::Configuration {
-  RequestForgeryConfiguration() { this = "Server Side Request Forgery" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    requestForgeryStep(pred, succ)
-  }
-}
-
-from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
-where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potential server side request forgery due to $@.",
-  source.getNode(), "a user-provided value"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll b/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
deleted file mode 100644
index 3fc52ddca76..00000000000
--- a/java/ql/src/experimental/Security/CWE/CWE-918/RequestForgery.qll
+++ /dev/null
@@ -1,192 +0,0 @@
-import java
-import semmle.code.java.frameworks.Networking
-import semmle.code.java.frameworks.ApacheHttp
-import semmle.code.java.frameworks.spring.Spring
-import semmle.code.java.frameworks.JaxWS
-import semmle.code.java.frameworks.javase.Http
-import semmle.code.java.dataflow.DataFlow
-
-predicate requestForgeryStep(DataFlow::Node pred, DataFlow::Node succ) {
-  // propagate to a URI when its host is assigned to
-  exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
-  or
-  // propagate to a URL when its host is assigned to
-  exists(UrlConstructorCall c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
-  or
-  // propagate to a RequestEntity when its url is assigned to
-  exists(MethodAccess m |
-    m.getMethod().getDeclaringType() instanceof SpringRequestEntity and
-    (
-      m.getMethod().hasName(["get", "post", "head", "delete", "options", "patch", "put"]) and
-      m.getArgument(0) = pred.asExpr() and
-      m = succ.asExpr()
-      or
-      m.getMethod().hasName("method") and
-      m.getArgument(1) = pred.asExpr() and
-      m = succ.asExpr()
-    )
-  )
-  or
-  // propagate from a `RequestEntity<>$BodyBuilder` to a `RequestEntity`
-  // when the builder is tainted
-  exists(MethodAccess m, RefType t |
-    m.getMethod().getDeclaringType() = t and
-    t.hasQualifiedName("org.springframework.http", "RequestEntity<>$BodyBuilder") and
-    m.getMethod().hasName("body") and
-    m.getQualifier() = pred.asExpr() and
-    m = succ.asExpr()
-  )
-}
-
-/** A data flow sink for request forgery vulnerabilities. */
-abstract class RequestForgerySink extends DataFlow::Node { }
-
-/**
- * An argument to an url `openConnection` or `openStream` call
- *  taken as a sink for request forgery vulnerabilities.
- */
-private class UrlOpen extends RequestForgerySink {
-  UrlOpen() {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof UrlOpenConnectionMethod or
-      ma.getMethod() instanceof UrlOpenStreamMethod
-    |
-      this.asExpr() = ma.getQualifier()
-    )
-  }
-}
-
-/**
- * An argument to an Apache `setURI` call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class ApacheSetUri extends RequestForgerySink {
-  ApacheSetUri() {
-    exists(MethodAccess ma |
-      ma.getReceiverType() instanceof ApacheHttpRequest and
-      ma.getMethod().hasName("setURI")
-    |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to any Apache Request Instantiation call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class ApacheHttpRequestInstantiation extends RequestForgerySink {
-  ApacheHttpRequestInstantiation() {
-    exists(ClassInstanceExpr c | c.getConstructedType() instanceof ApacheHttpRequest |
-      this.asExpr() = c.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to a Apache RequestBuilder method call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class ApacheHttpRequestBuilderArgument extends RequestForgerySink {
-  ApacheHttpRequestBuilderArgument() {
-    exists(MethodAccess ma |
-      ma.getReceiverType() instanceof TypeApacheHttpRequestBuilder and
-      ma.getMethod().hasName(["setURI", "get", "post", "put", "optons", "head", "delete"])
-    |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to any Java.net.http.request Instantiation call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class HttpRequestNewBuilder extends RequestForgerySink {
-  HttpRequestNewBuilder() {
-    exists(MethodAccess call |
-      call.getCallee().hasName("newBuilder") and
-      call.getMethod().getDeclaringType().getName() = "HttpRequest"
-    |
-      this.asExpr() = call.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to an Http Builder `uri` call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class HttpBuilderUriArgument extends RequestForgerySink {
-  HttpBuilderUriArgument() {
-    exists(MethodAccess ma | ma.getMethod() instanceof HttpBuilderUri |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to a Spring Rest Template method call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class SpringRestTemplateArgument extends RequestForgerySink {
-  SpringRestTemplateArgument() {
-    exists(MethodAccess ma |
-      this.asExpr() = ma.getMethod().(SpringRestTemplateUrlMethods).getUrlArgument(ma)
-    )
-  }
-}
-
-/**
- * An argument to `javax.ws.rs.Client`s `target` method call taken as a
- *   sink for request forgery vulnerabilities.
- */
-private class JaxRsClientTarget extends RequestForgerySink {
-  JaxRsClientTarget() {
-    exists(MethodAccess ma |
-      ma.getMethod().getDeclaringType() instanceof JaxRsClient and
-      ma.getMethod().hasName("target")
-    |
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}
-
-/**
- * An argument to `org.springframework.http.RequestEntity`s constructor call
- *   which is an URI taken as a sink for request forgery vulnerabilities.
- */
-private class RequestEntityUriArg extends RequestForgerySink {
-  RequestEntityUriArg() {
-    exists(ClassInstanceExpr e, Argument a |
-      e.getConstructedType() instanceof SpringRequestEntity and
-      e.getAnArgument() = a and
-      a.getType() instanceof TypeUri and
-      this.asExpr() = a
-    )
-  }
-}
-
-/**
- * A class representing all Spring Rest Template methods
- * which take an URL as an argument.
- */
-private class SpringRestTemplateUrlMethods extends Method {
-  SpringRestTemplateUrlMethods() {
-    this.getDeclaringType() instanceof SpringRestTemplate and
-    this.hasName([
-        "doExecute", "postForEntity", "postForLocation", "postForObject", "put", "exchange",
-        "execute", "getForEntity", "getForObject", "patchForObject"
-      ])
-  }
-
-  /**
-   * Gets the argument which corresponds to a URL argument
-   * passed as a `java.net.URL` object or as a string or the like
-   */
-  Argument getUrlArgument(MethodAccess ma) {
-    // doExecute(URI url, HttpMethod method, RequestCallback requestCallback,
-    //  ResponseExtractor<T> responseExtractor)
-    result = ma.getArgument(0)
-  }
-}
diff --git a/java/ql/src/semmle/code/java/StringFormat.qll b/java/ql/src/semmle/code/java/StringFormat.qll
index aa77feafeb9..cc37ee8212a 100644
--- a/java/ql/src/semmle/code/java/StringFormat.qll
+++ b/java/ql/src/semmle/code/java/StringFormat.qll
@@ -175,6 +175,19 @@ class FormattingCall extends Call {
     )
   }
 
+  /** Gets the `i`th argument to be formatted. The index `i` is one-based. */
+  Expr getArgumentToBeFormatted(int i) {
+    i >= 1 and
+    if this.hasExplicitVarargsArray()
+    then
+      result =
+        this.getArgument(1 + this.getFormatStringIndex())
+            .(ArrayCreationExpr)
+            .getInit()
+            .getInit(i - 1)
+    else result = this.getArgument(this.getFormatStringIndex() + i)
+  }
+
   /** Holds if the varargs argument is given as an explicit array. */
   private predicate hasExplicitVarargsArray() {
     this.getNumArgument() = this.getFormatStringIndex() + 2 and
@@ -353,6 +366,11 @@ class FormatString extends string {
    * is not referred by any format specifier.
    */
   /*abstract*/ int getASkippedFmtSpecIndex() { none() }
+
+  /**
+   * Gets an offset (zero-based) in this format string where argument `argNo` (1-based) will be interpolated, if any.
+   */
+  int getAnArgUsageOffset(int argNo) { none() }
 }
 
 private class PrintfFormatString extends FormatString {
@@ -425,6 +443,22 @@ private class PrintfFormatString extends FormatString {
     result > count(int i | fmtSpecRefersToSequentialIndex(i)) and
     not result = fmtSpecRefersToSpecificIndex(_)
   }
+
+  private int getFmtSpecRank(int specOffset) {
+    rank[result](int i | this.fmtSpecIsRef(i)) = specOffset
+  }
+
+  override int getAnArgUsageOffset(int argNo) {
+    argNo = fmtSpecRefersToSpecificIndex(result)
+    or
+    result = rank[argNo](int i | fmtSpecRefersToSequentialIndex(i))
+    or
+    fmtSpecRefersToPrevious(result) and
+    exists(int previousOffset |
+      getFmtSpecRank(previousOffset) = getFmtSpecRank(result) - 1 and
+      previousOffset = getAnArgUsageOffset(argNo)
+    )
+  }
 }
 
 private class LoggerFormatString extends FormatString {
@@ -449,4 +483,6 @@ private class LoggerFormatString extends FormatString {
   }
 
   override int getMaxFmtSpecIndex() { result = count(int i | fmtPlaceholder(i)) }
+
+  override int getAnArgUsageOffset(int argNo) { result = rank[argNo](int i | fmtPlaceholder(i)) }
 }
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 8080bd28ab6..535c667698f 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -81,6 +81,9 @@ private module Frameworks {
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.JaxWS
+  private import semmle.code.java.frameworks.spring.SpringHttp
+  private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.XSS
@@ -208,6 +211,8 @@ private predicate sinkModelCsv(string row) {
       // Open URL
       "java.net;URL;false;openConnection;;;Argument[-1];open-url",
       "java.net;URL;false;openStream;;;Argument[-1];open-url",
+      "java.net.http;HttpRequest;false;newBuilder;;;Argument[0];open-url",
+      "java.net.http;HttpRequest$Builder;false;uri;;;Argument[0];open-url",
       // Create file
       "java.io;FileOutputStream;false;FileOutputStream;;;Argument[0];create-file",
       "java.io;RandomAccessFile;false;RandomAccessFile;;;Argument[0];create-file",
@@ -247,6 +252,8 @@ private predicate summaryModelCsv(string row) {
       "javax.xml.transform.stream;StreamSource;false;getInputStream;;;Argument[-1];ReturnValue;taint",
       "java.nio;ByteBuffer;false;get;;;Argument[-1];ReturnValue;taint",
       "java.net;URI;false;toURL;;;Argument[-1];ReturnValue;taint",
+      "java.net;URI;false;toString;;;Argument[-1];ReturnValue;taint",
+      "java.net;URI;false;toAsciiString;;;Argument[-1];ReturnValue;taint",
       "java.io;File;false;toURI;;;Argument[-1];ReturnValue;taint",
       "java.io;File;false;toPath;;;Argument[-1];ReturnValue;taint",
       "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint",
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll
index 4e1cd281488..a55e65a81f6 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll
@@ -168,7 +168,13 @@ module Consistency {
     msg = "ArgumentNode is missing PostUpdateNode."
   }
 
-  query predicate postWithInFlow(PostUpdateNode n, string msg) {
+  // This predicate helps the compiler forget that in some languages
+  // it is impossible for a `PostUpdateNode` to be the target of
+  // `simpleLocalFlowStep`.
+  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
+
+  query predicate postWithInFlow(Node n, string msg) {
+    isPostUpdateNode(n) and
     simpleLocalFlowStep(_, n) and
     msg = "PostUpdateNode should not be the target of local flow."
   }
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
index d28dd2206ac..974982a9c29 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/FlowSummaryImplSpecific.qll
@@ -70,9 +70,22 @@ predicate summaryElement(DataFlowCallable c, string input, string output, string
   )
 }
 
+private FieldContent parseField(string c) {
+  External::specSplit(_, c, _) and
+  exists(string fieldRegex, string package, string className, string fieldName |
+    fieldRegex = "^Field\\[(.*)\\.([^.]+)\\.([^.]+)\\]$" and
+    package = c.regexpCapture(fieldRegex, 1) and
+    className = c.regexpCapture(fieldRegex, 2) and
+    fieldName = c.regexpCapture(fieldRegex, 3) and
+    result.getField().hasQualifiedName(package, className, fieldName)
+  )
+}
+
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]
 SummaryComponent interpretComponentSpecific(string c) {
+  result = SummaryComponent::content(parseField(c))
+  or
   c = "ArrayElement" and result = SummaryComponent::content(any(ArrayContent c0))
   or
   c = "Element" and result = SummaryComponent::content(any(CollectionContent c0))
diff --git a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
index 80cb589e6f2..952efe9f7dc 100644
--- a/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll
@@ -92,6 +92,39 @@ private class ApacheHttpXssSink extends SinkModelCsv {
   }
 }
 
+private class ApacheHttpOpenUrlSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.http;HttpRequest;true;setURI;;;Argument[0];open-url",
+        "org.apache.http.message;BasicHttpRequest;false;BasicHttpRequest;(RequestLine);;Argument[0];open-url",
+        "org.apache.http.message;BasicHttpRequest;false;BasicHttpRequest;(String,String);;Argument[1];open-url",
+        "org.apache.http.message;BasicHttpRequest;false;BasicHttpRequest;(String,String,ProtocolVersion);;Argument[1];open-url",
+        "org.apache.http.message;BasicHttpEntityEnclosingRequest;false;BasicHttpEntityEnclosingRequest;(RequestLine);;Argument[0];open-url",
+        "org.apache.http.message;BasicHttpEntityEnclosingRequest;false;BasicHttpEntityEnclosingRequest;(String,String);;Argument[1];open-url",
+        "org.apache.http.message;BasicHttpEntityEnclosingRequest;false;BasicHttpEntityEnclosingRequest;(String,String,ProtocolVersion);;Argument[1];open-url",
+        "org.apache.http.client.methods;HttpGet;false;HttpGet;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpHead;false;HttpHead;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpPut;false;HttpPut;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpPost;false;HttpPost;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpDelete;false;HttpDelete;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpOptions;false;HttpOptions;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpTrace;false;HttpTrace;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpPatch;false;HttpPatch;;;Argument[0];open-url",
+        "org.apache.http.client.methods;HttpRequestBase;true;setURI;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;setUri;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;get;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;post;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;put;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;options;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;head;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;delete;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;trace;;;Argument[0];open-url",
+        "org.apache.http.client.methods;RequestBuilder;false;patch;;;Argument[0];open-url"
+      ]
+  }
+}
+
 private class ApacheHttpFlowStep extends SummaryModelCsv {
   override predicate row(string row) {
     row =
@@ -228,7 +261,10 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
         "org.apache.hc.core5.util;CharArrayBuffer;true;toString;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.util;CharArrayBuffer;true;substring;(int,int);;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.util;CharArrayBuffer;true;subSequence;(int,int);;Argument[-1];ReturnValue;taint",
-        "org.apache.hc.core5.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint"
+        "org.apache.hc.core5.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.message;BasicRequestLine;false;BasicRequestLine;;;Argument[1];Argument[-1];taint",
+        "org.apache.http;RequestLine;true;getUri;;;Argument[-1];ReturnValue;taint",
+        "org.apache.http;RequestLine;true;toString;;;Argument[-1];ReturnValue;taint"
       ]
   }
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/Castor.qll b/java/ql/src/semmle/code/java/frameworks/Castor.qll
new file mode 100644
index 00000000000..f1e1b825725
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/Castor.qll
@@ -0,0 +1,20 @@
+/**
+ * Provides classes and predicates for working with the Castor framework.
+ */
+
+import java
+
+/**
+ * The class `org.exolab.castor.xml.Unmarshaller`.
+ */
+class CastorUnmarshaller extends RefType {
+  CastorUnmarshaller() { this.hasQualifiedName("org.exolab.castor.xml", "Unmarshaller") }
+}
+
+/** A method with the name `unmarshal` declared in `org.exolab.castor.xml.Unmarshaller`. */
+class CastorUnmarshalMethod extends Method {
+  CastorUnmarshalMethod() {
+    this.getDeclaringType() instanceof CastorUnmarshaller and
+    this.getName() = "unmarshal"
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll b/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll
new file mode 100644
index 00000000000..95803d192a7
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/HessianBurlap.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides classes and predicates for working with the HessianBurlap framework.
+ */
+
+import java
+
+/**
+ * The classes `[com.alibaba.]com.caucho.hessian.io.AbstractHessianInput` or `[com.alibaba.]com.caucho.hessian.io.Hessian2StreamingInput`.
+ */
+class UnsafeHessianInput extends RefType {
+  UnsafeHessianInput() {
+    this.hasQualifiedName(["com.caucho.hessian.io", "com.alibaba.com.caucho.hessian.io"],
+      ["AbstractHessianInput", "Hessian2StreamingInput"])
+  }
+}
+
+/**
+ * A AbstractHessianInput or Hessian2StreamingInput subclass readObject method.
+ * This is either `AbstractHessianInput.readObject` or `Hessian2StreamingInput.readObject`.
+ */
+class UnsafeHessianInputReadObjectMethod extends Method {
+  UnsafeHessianInputReadObjectMethod() {
+    this.getDeclaringType().getASupertype*() instanceof UnsafeHessianInput and
+    this.getName() = "readObject"
+  }
+}
+
+/**
+ * The class `com.caucho.burlap.io.BurlapInput`.
+ */
+class BurlapInput extends RefType {
+  BurlapInput() { this.hasQualifiedName("com.caucho.burlap.io", "BurlapInput") }
+}
+
+/** A method with the name `readObject` declared in `com.caucho.burlap.io.BurlapInput`. */
+class BurlapInputReadObjectMethod extends Method {
+  BurlapInputReadObjectMethod() {
+    this.getDeclaringType() instanceof BurlapInput and
+    this.getName() = "readObject"
+  }
+}
+
+/** A method with the name `init` declared in `com.caucho.burlap.io.BurlapInput`. */
+class BurlapInputInitMethod extends Method {
+  BurlapInputInitMethod() {
+    this.getDeclaringType() instanceof BurlapInput and
+    this.getName() = "init"
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/JYaml.qll b/java/ql/src/semmle/code/java/frameworks/JYaml.qll
new file mode 100644
index 00000000000..9d77b86f6c1
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/JYaml.qll
@@ -0,0 +1,22 @@
+/**
+ * Provides classes and predicates for working with the JYaml framework.
+ */
+
+import java
+
+/**
+ * The class `org.ho.yaml.Yaml` or `org.ho.yaml.YamlConfig`.
+ */
+class JYamlLoader extends RefType {
+  JYamlLoader() { this.hasQualifiedName("org.ho.yaml", ["Yaml", "YamlConfig"]) }
+}
+
+/**
+ * A JYaml unsafe load method, declared on either `Yaml` or `YamlConfig`.
+ */
+class JYamlLoaderUnsafeLoadMethod extends Method {
+  JYamlLoaderUnsafeLoadMethod() {
+    this.getDeclaringType() instanceof JYamlLoader and
+    this.getName() in ["load", "loadType", "loadStream", "loadStreamOfType"]
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll b/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll
index 833db9a9e44..0f5da6c39ea 100644
--- a/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll
@@ -137,6 +137,13 @@ class InterceptorsAnnotation extends Annotation {
  * Annotations in the package `javax.jws`.
  */
 
+/**
+ * A `@javax.jws.WebMethod` annotation.
+ */
+class WebMethodAnnotation extends Annotation {
+  WebMethodAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebMethod") }
+}
+
 /**
  * A `@javax.jws.WebService` annotation.
  */
diff --git a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
index 50471d68fbf..cd773721dfb 100644
--- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -1,4 +1,22 @@
+/**
+ * Definitions relating to JAX-WS (Java/Jakarta API for XML Web Services) and JAX-RS
+ * (Java/Jakarta API for RESTful Web Services).
+ */
+
 import java
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.XSS
+
+/**
+ * Gets a name for the root package of JAX-RS.
+ */
+string getAJaxRsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] }
+
+/**
+ * Gets a name for package `subpackage` within the JAX-RS hierarchy.
+ */
+bindingset[subpackage]
+string getAJaxRsPackage(string subpackage) { result = getAJaxRsPackage() + "." + subpackage }
 
 /**
  * A JAX WS endpoint is constructed by the container, and its methods
@@ -13,6 +31,7 @@ class JaxWsEndpoint extends Class {
     )
   }
 
+  /** Gets a method annotated with `@WebMethod` or `@WebEndpoint`. */
   Callable getARemoteMethod() {
     result = this.getACallable() and
     exists(AnnotationType a | a = result.getAnAnnotation().getType() |
@@ -28,7 +47,7 @@ class JaxWsEndpoint extends Class {
 private predicate hasPathAnnotation(Annotatable annotatable) {
   exists(AnnotationType a |
     a = annotatable.getAnAnnotation().getType() and
-    a.getPackage().getName() = "javax.ws.rs"
+    a.getPackage().getName() = getAJaxRsPackage()
   |
     a.hasName("Path")
   )
@@ -41,7 +60,7 @@ class JaxRsResourceMethod extends Method {
   JaxRsResourceMethod() {
     exists(AnnotationType a |
       a = this.getAnAnnotation().getType() and
-      a.getPackage().getName() = "javax.ws.rs"
+      a.getPackage().getName() = getAJaxRsPackage()
     |
       a.hasName("GET") or
       a.hasName("POST") or
@@ -50,6 +69,27 @@ class JaxRsResourceMethod extends Method {
       a.hasName("OPTIONS") or
       a.hasName("HEAD")
     )
+    or
+    // A JaxRS resource method can also inherit these annotations from a supertype, but only if
+    // there are no JaxRS annotations on the method itself
+    this.getAnOverride() instanceof JaxRsResourceMethod and
+    not exists(this.getAnAnnotation().(JaxRSAnnotation))
+  }
+
+  /** Gets an `@Produces` annotation that applies to this method */
+  JaxRSProducesAnnotation getProducesAnnotation() {
+    result = this.getAnAnnotation()
+    or
+    // No direct annotations
+    not this.getAnAnnotation() instanceof JaxRSProducesAnnotation and
+    (
+      // Annotations on a method we've overridden
+      result = this.getAnOverride().getAnAnnotation()
+      or
+      // No annotations on this method, or a method we've overridden, so look to the class
+      not this.getAnOverride().getAnAnnotation() instanceof JaxRSProducesAnnotation and
+      result = this.getDeclaringType().getAnAnnotation()
+    )
   }
 }
 
@@ -81,7 +121,7 @@ class JaxRsResourceClass extends Class {
    * annotations leading to this resource method.
    */
   JaxRsResourceMethod getAResourceMethod() {
-    isPublic() and
+    this.isPublic() and
     result = this.getACallable()
   }
 
@@ -90,7 +130,7 @@ class JaxRsResourceClass extends Class {
    * but is not a resource method e.g. it is not annotated with `@GET` etc.
    */
   Callable getASubResourceLocator() {
-    result = getAMethod() and
+    result = this.getAMethod() and
     not result instanceof JaxRsResourceMethod and
     hasPathAnnotation(result)
   }
@@ -109,10 +149,10 @@ class JaxRsResourceClass extends Class {
    * (existence of particular parameters).
    */
   Constructor getAnInjectableConstructor() {
-    result = getAConstructor() and
+    result = this.getAConstructor() and
     // JaxRs Spec v2.0 - 3.12
     // Only root resources are constructed by the JaxRS container.
-    isRootResource() and
+    this.isRootResource() and
     // JaxRS can only construct the class using constructors that are public, and where the
     // container can provide all of the parameters. This includes the no-arg constructor.
     result.isPublic() and
@@ -125,29 +165,41 @@ class JaxRsResourceClass extends Class {
    * Gets a Callable that may be executed by the JaxRs container, injecting parameters as required.
    */
   Callable getAnInjectableCallable() {
-    result = getAResourceMethod() or
-    result = getAnInjectableConstructor() or
-    result = getASubResourceLocator()
+    result = this.getAResourceMethod() or
+    result = this.getAnInjectableConstructor() or
+    result = this.getASubResourceLocator()
   }
 
   /**
    * Gets a Field that may be injected with a value by the JaxRs container.
    */
   Field getAnInjectableField() {
-    result = getAField() and
+    result = this.getAField() and
     result.getAnAnnotation() instanceof JaxRsInjectionAnnotation
   }
 }
 
+/**
+ * An annotation from the `javax.ws.rs` or `jakarta.ws.rs` package hierarchy.
+ */
+class JaxRSAnnotation extends Annotation {
+  JaxRSAnnotation() {
+    exists(AnnotationType a |
+      a = this.getType() and
+      a.getPackage().getName().regexpMatch(["javax\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"])
+    )
+  }
+}
+
 /**
  * An annotation that is used by JaxRS containers to determine a value to inject into the annotated
  * element.
  */
-class JaxRsInjectionAnnotation extends Annotation {
+class JaxRsInjectionAnnotation extends JaxRSAnnotation {
   JaxRsInjectionAnnotation() {
     exists(AnnotationType a |
-      a = getType() and
-      a.getPackage().getName() = "javax.ws.rs"
+      a = this.getType() and
+      a.getPackage().getName() = getAJaxRsPackage()
     |
       a.hasName("BeanParam") or
       a.hasName("CookieParam") or
@@ -158,23 +210,31 @@ class JaxRsInjectionAnnotation extends Annotation {
       a.hasName("QueryParam")
     )
     or
-    getType().hasQualifiedName("javax.ws.rs.core", "Context")
+    this.getType().hasQualifiedName(getAJaxRsPackage("core"), "Context")
   }
 }
 
+/**
+ * The class `javax.ws.rs.core.Response`.
+ */
 class JaxRsResponse extends Class {
-  JaxRsResponse() { this.hasQualifiedName("javax.ws.rs.core", "Response") }
+  JaxRsResponse() { this.hasQualifiedName(getAJaxRsPackage("core"), "Response") }
 }
 
+/**
+ * The class `javax.ws.rs.core.Response$ResponseBuilder`.
+ */
 class JaxRsResponseBuilder extends Class {
-  JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") }
+  JaxRsResponseBuilder() {
+    this.hasQualifiedName(getAJaxRsPackage("core"), "Response$ResponseBuilder")
+  }
 }
 
 /**
  * The class `javax.ws.rs.client.Client`.
  */
 class JaxRsClient extends RefType {
-  JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
+  JaxRsClient() { this.hasQualifiedName(getAJaxRsPackage("client"), "Client") }
 }
 
 /**
@@ -184,13 +244,12 @@ class JaxRsClient extends RefType {
 class JaxRsBeanParamConstructor extends Constructor {
   JaxRsBeanParamConstructor() {
     exists(JaxRsResourceClass resourceClass, Callable c, Parameter p |
-      c = resourceClass.getAnInjectableCallable()
-    |
+      c = resourceClass.getAnInjectableCallable() and
       p = c.getAParameter() and
-      p.getAnAnnotation().getType().hasQualifiedName("javax.ws.rs", "BeanParam") and
+      p.getAnAnnotation().getType().hasQualifiedName(getAJaxRsPackage(), "BeanParam") and
       this.getDeclaringType().getSourceDeclaration() = p.getType().(RefType).getSourceDeclaration()
     ) and
-    forall(Parameter p | p = getAParameter() |
+    forall(Parameter p | p = this.getAParameter() |
       p.getAnAnnotation() instanceof JaxRsInjectionAnnotation
     )
   }
@@ -200,7 +259,7 @@ class JaxRsBeanParamConstructor extends Constructor {
  * The class `javax.ws.rs.ext.MessageBodyReader`.
  */
 class MessageBodyReader extends GenericInterface {
-  MessageBodyReader() { this.hasQualifiedName("javax.ws.rs.ext", "MessageBodyReader") }
+  MessageBodyReader() { this.hasQualifiedName(getAJaxRsPackage("ext"), "MessageBodyReader") }
 }
 
 /**
@@ -208,7 +267,7 @@ class MessageBodyReader extends GenericInterface {
  */
 class MessageBodyReaderReadFrom extends Method {
   MessageBodyReaderReadFrom() {
-    this.getDeclaringType() instanceof MessageBodyReader and
+    this.getDeclaringType().getSourceDeclaration() instanceof MessageBodyReader and
     this.hasName("readFrom")
   }
 }
@@ -223,3 +282,517 @@ class MessageBodyReaderRead extends Method {
     )
   }
 }
+
+/** An `@Produces` annotation that describes which content types can be produced by this resource. */
+class JaxRSProducesAnnotation extends JaxRSAnnotation {
+  JaxRSProducesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Produces") }
+
+  /**
+   * Gets a declared content type that can be produced by this resource.
+   */
+  string getADeclaredContentType() {
+    result = this.getAValue().(CompileTimeConstantExpr).getStringValue()
+    or
+    exists(Field jaxMediaType |
+      // Accesses to static fields on `MediaType` class do not have constant strings in the database
+      // so convert the field name to a content type string
+      jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and
+      jaxMediaType.getAnAccess() = this.getAValue() and
+      // e.g. MediaType.TEXT_PLAIN => text/plain
+      result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/")
+    )
+  }
+}
+
+/** An `@Consumes` annotation that describes content types can be consumed by this resource. */
+class JaxRSConsumesAnnotation extends JaxRSAnnotation {
+  JaxRSConsumesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") }
+}
+
+/** A default sink representing methods susceptible to XSS attacks. */
+private class JaxRSXssSink extends XssSink {
+  JaxRSXssSink() {
+    exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs |
+      resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and
+      rs.getEnclosingCallable() = resourceMethod and
+      this.asExpr() = rs.getResult()
+    |
+      not exists(resourceMethod.getProducesAnnotation())
+      or
+      resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain"
+    )
+  }
+}
+
+/** A URL redirection sink from JAX-RS */
+private class JaxRsUrlRedirectSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; kind`
+        "javax.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
+        "javax.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect",
+        "jakarta.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
+        "jakarta.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect"
+      ]
+  }
+}
+
+/**
+ * Model Response:
+ *
+ * - the returned ResponseBuilder gains taint from a tainted entity or existing Response
+ */
+private class ResponseModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model ResponseBuilder:
+ *
+ * - becomes tainted by a tainted entity, but not by metadata, headers etc
+ * - build() method returns taint
+ * - almost all methods are fluent, and so preserve value
+ */
+private class ResponseBuilderModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
+
+/**
+ * Model HttpHeaders: methods that Date have to be syntax-checked, but those returning MediaType
+ * or Locale are assumed potentially dangerous, as these types do not generally check that the
+ * input data is recognised, only that it conforms to the expected syntax.
+ */
+private class HttpHeadersModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model MultivaluedMap, which extends Map<K, List<V>> and provides a few extra helper methods.
+ */
+private class MultivaluedMapModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of Argument[-1];value"
+      ]
+  }
+}
+
+/**
+ * Model AbstractMultivaluedMap, which implements MultivaluedMap.
+ */
+private class AbstractMultivaluedMapModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value"
+      ]
+  }
+}
+
+/**
+ * Model MultivaluedHashMap, which extends AbstractMultivaluedMap.
+ */
+private class MultivaluedHashMapModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value"
+      ]
+  }
+}
+
+/**
+ * Model PathSegment, which wraps a path and its associated matrix parameters.
+ */
+private class PathSegmentModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model UriInfo, which provides URI element accessors.
+ */
+private class UriInfoModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model Cookie, a simple tuple type.
+ */
+private class CookieModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint",
+        "javax.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint",
+        "jakarta.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model NewCookie, a simple tuple type.
+ */
+private class NewCookieModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint",
+        "javax.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint",
+        "jakarta.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model Form, a simple container type.
+ */
+private class FormModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;Form;false;Form;;;MapValue of Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint",
+        "javax.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint",
+        "javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;false;Form;;;MapValue of Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
+
+/**
+ * Model GenericEntity, a wrapper for HTTP entities (e.g., documents).
+ */
+private class GenericEntityModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model MediaType, which provides accessors for elements of Content-Type and similar
+ * media type specifications.
+ */
+private class MediaTypeModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
+        "javax.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
+        "jakarta.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model UriBuilder, which provides a fluent interface to build a URI from components.
+ */
+private class UriBuilderModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
+
+private class JaxRsUrlOpenSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.client;Client;true;target;;;Argument[0];open-url",
+        "jakarta.ws.rs.client;Client;true;target;;;Argument[0];open-url"
+      ]
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/JsonIo.qll b/java/ql/src/semmle/code/java/frameworks/JsonIo.qll
new file mode 100644
index 00000000000..ab4c1b115d9
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/JsonIo.qll
@@ -0,0 +1,67 @@
+/**
+ * Provides classes and predicates for working with the Json-io framework.
+ */
+
+import java
+import semmle.code.java.Maps
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow2
+
+/**
+ * The class `com.cedarsoftware.util.io.JsonReader`.
+ */
+class JsonIoJsonReader extends RefType {
+  JsonIoJsonReader() { this.hasQualifiedName("com.cedarsoftware.util.io", "JsonReader") }
+}
+
+/** A method with the name `jsonToJava` declared in `com.cedarsoftware.util.io.JsonReader`. */
+class JsonIoJsonToJavaMethod extends Method {
+  JsonIoJsonToJavaMethod() {
+    this.getDeclaringType() instanceof JsonIoJsonReader and
+    this.getName() = "jsonToJava"
+  }
+}
+
+/** A method with the name `readObject` declared in `com.cedarsoftware.util.io.JsonReader`. */
+class JsonIoReadObjectMethod extends Method {
+  JsonIoReadObjectMethod() {
+    this.getDeclaringType() instanceof JsonIoJsonReader and
+    this.getName() = "readObject"
+  }
+}
+
+/**
+ * A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`.
+ */
+class JsonIoUseMapsSetter extends MethodAccess {
+  JsonIoUseMapsSetter() {
+    this.getMethod().getDeclaringType().getASourceSupertype*() instanceof MapType and
+    this.getMethod().hasName("put") and
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "USE_MAPS" and
+    this.getArgument(1).(CompileTimeConstantExpr).getBooleanValue() = true
+  }
+}
+
+/** A data flow configuration tracing flow from JsonIo safe settings. */
+class SafeJsonIoConfig extends DataFlow2::Configuration {
+  SafeJsonIoConfig() { this = "UnsafeDeserialization::SafeJsonIoConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(MethodAccess ma |
+      ma instanceof JsonIoUseMapsSetter and
+      src.asExpr() = ma.getQualifier()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      sink.asExpr() = ma.getArgument(1)
+    )
+    or
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      sink.asExpr() = cie.getArgument(1)
+    )
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/YamlBeans.qll b/java/ql/src/semmle/code/java/frameworks/YamlBeans.qll
new file mode 100644
index 00000000000..b5db59926be
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/YamlBeans.qll
@@ -0,0 +1,20 @@
+/**
+ * Provides classes and predicates for working with the YamlBeans framework.
+ */
+
+import java
+
+/**
+ * The class `com.esotericsoftware.yamlbeans.YamlReader`.
+ */
+class YamlBeansReader extends RefType {
+  YamlBeansReader() { this.hasQualifiedName("com.esotericsoftware.yamlbeans", "YamlReader") }
+}
+
+/** A method with the name `read` declared in `com.esotericsoftware.yamlbeans.YamlReader`. */
+class YamlBeansReaderReadMethod extends Method {
+  YamlBeansReaderReadMethod() {
+    this.getDeclaringType() instanceof YamlBeansReader and
+    this.getName() = "read"
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index 38469bf6b76..bf47d627686 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -789,3 +789,72 @@ private class ApacheToStringBuilderModel extends SummaryModelCsv {
       ]
   }
 }
+
+/**
+ * Value-propagating models for `Pair`, `ImmutablePair` and `MutablePair`.
+ */
+private class ApachePairModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.lang3.tuple;Pair;false;getKey;;;Field[org.apache.commons.lang3.tuple.ImmutablePair.left] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;Pair;false;getValue;;;Field[org.apache.commons.lang3.tuple.ImmutablePair.right] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;Pair;false;getKey;;;Field[org.apache.commons.lang3.tuple.MutablePair.left] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;Pair;false;getValue;;;Field[org.apache.commons.lang3.tuple.MutablePair.right] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;Pair;false;of;(java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutablePair.left] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;Pair;false;of;(java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.ImmutablePair.right] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;ImmutablePair;(java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutablePair.left] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;ImmutablePair;(java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.ImmutablePair.right] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;getLeft;;;Field[org.apache.commons.lang3.tuple.ImmutablePair.left] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;getRight;;;Field[org.apache.commons.lang3.tuple.ImmutablePair.right] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;left;;;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutablePair.left] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;right;;;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutablePair.right] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;of;(java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutablePair.left] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutablePair;false;of;(java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.ImmutablePair.right] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;MutablePair;(java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.MutablePair.left] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;MutablePair;(java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.MutablePair.right] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;getLeft;;;Field[org.apache.commons.lang3.tuple.MutablePair.left] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;getRight;;;Field[org.apache.commons.lang3.tuple.MutablePair.right] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;setLeft;;;Argument[0];Field[org.apache.commons.lang3.tuple.MutablePair.left] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;setRight;;;Argument[0];Field[org.apache.commons.lang3.tuple.MutablePair.right] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;setValue;;;Argument[0];Field[org.apache.commons.lang3.tuple.MutablePair.right] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;of;(java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.MutablePair.left] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutablePair;false;of;(java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.MutablePair.right] of ReturnValue;value"
+      ]
+  }
+}
+
+/**
+ * Value-propagating models for `Triple`, `ImmutableTriple` and `MutableTriple`.
+ */
+private class ApacheTripleModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.lang3.tuple;Triple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutableTriple.left] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;Triple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.ImmutableTriple.middle] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;Triple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[2];Field[org.apache.commons.lang3.tuple.ImmutableTriple.right] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;ImmutableTriple;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutableTriple.left] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;ImmutableTriple;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.ImmutableTriple.middle] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;ImmutableTriple;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[2];Field[org.apache.commons.lang3.tuple.ImmutableTriple.right] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;getLeft;;;Field[org.apache.commons.lang3.tuple.ImmutableTriple.left] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;getMiddle;;;Field[org.apache.commons.lang3.tuple.ImmutableTriple.middle] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;getRight;;;Field[org.apache.commons.lang3.tuple.ImmutableTriple.right] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.ImmutableTriple.left] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.ImmutableTriple.middle] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;ImmutableTriple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[2];Field[org.apache.commons.lang3.tuple.ImmutableTriple.right] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;MutableTriple;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.MutableTriple.left] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;MutableTriple;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.MutableTriple.middle] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;MutableTriple;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[2];Field[org.apache.commons.lang3.tuple.MutableTriple.right] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;getLeft;;;Field[org.apache.commons.lang3.tuple.MutableTriple.left] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;getMiddle;;;Field[org.apache.commons.lang3.tuple.MutableTriple.middle] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;getRight;;;Field[org.apache.commons.lang3.tuple.MutableTriple.right] of Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;setLeft;;;Argument[0];Field[org.apache.commons.lang3.tuple.MutableTriple.left] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;setMiddle;;;Argument[0];Field[org.apache.commons.lang3.tuple.MutableTriple.middle] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;setRight;;;Argument[0];Field[org.apache.commons.lang3.tuple.MutableTriple.right] of Argument[-1];value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[0];Field[org.apache.commons.lang3.tuple.MutableTriple.left] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[1];Field[org.apache.commons.lang3.tuple.MutableTriple.middle] of ReturnValue;value",
+        "org.apache.commons.lang3.tuple;MutableTriple;false;of;(java.lang.Object,java.lang.Object,java.lang.Object);;Argument[2];Field[org.apache.commons.lang3.tuple.MutableTriple.right] of ReturnValue;value"
+      ]
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
index cb34d3da7ed..2e5e37a9bfb 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -7,7 +7,7 @@ private class GuavaBaseCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "com.google.common.base;Strings;false;emptyToNull;(String);;Argument[0];ReturnValue;value",
         "com.google.common.base;Strings;false;nullToEmpty;(String);;Argument[0];ReturnValue;value",
         "com.google.common.base;Strings;false;padStart;(String,int,char);;Argument[0];ReturnValue;taint",
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
index 305b4fbcfb7..60720a941ca 100644
--- a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
+++ b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
@@ -7,7 +7,7 @@ private class GuavaIoCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "com.google.common.io;BaseEncoding;true;decode;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.io;BaseEncoding;true;decodingStream;(Reader);;Argument[0];ReturnValue;taint",
         "com.google.common.io;BaseEncoding;true;decodingSource;(CharSource);;Argument[0];ReturnValue;taint",
@@ -89,7 +89,7 @@ private class GuavaIoSinkCsv extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; kind`
         "com.google.common.io;Resources;false;asByteSource;(URL);;Argument[0];url-open-stream",
         "com.google.common.io;Resources;false;asCharSource;(URL,Charset);;Argument[0];url-open-stream",
         "com.google.common.io;Resources;false;copy;(URL,OutputStream);;Argument[0];url-open-stream",
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
index 59016df25f8..63c58e4f2b5 100644
--- a/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
+++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringHttp.qll
@@ -4,6 +4,7 @@
  */
 
 import java
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** The class `org.springframework.http.HttpEntity` or an instantiation of it. */
 class SpringHttpEntity extends Class {
@@ -38,3 +39,25 @@ class SpringResponseEntityBodyBuilder extends Interface {
 class SpringHttpHeaders extends Class {
   SpringHttpHeaders() { this.hasQualifiedName("org.springframework.http", "HttpHeaders") }
 }
+
+private class UrlOpenSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.springframework.http;RequestEntity;false;get;;;Argument[0];open-url",
+        "org.springframework.http;RequestEntity;false;post;;;Argument[0];open-url",
+        "org.springframework.http;RequestEntity;false;head;;;Argument[0];open-url",
+        "org.springframework.http;RequestEntity;false;delete;;;Argument[0];open-url",
+        "org.springframework.http;RequestEntity;false;options;;;Argument[0];open-url",
+        "org.springframework.http;RequestEntity;false;patch;;;Argument[0];open-url",
+        "org.springframework.http;RequestEntity;false;put;;;Argument[0];open-url",
+        "org.springframework.http;RequestEntity;false;method;;;Argument[1];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(HttpMethod,URI);;Argument[1];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(MultiValueMap,HttpMethod,URI);;Argument[2];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(Object,HttpMethod,URI);;Argument[2];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(Object,HttpMethod,URI,Type);;Argument[2];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(Object,MultiValueMap,HttpMethod,URI);;Argument[3];open-url",
+        "org.springframework.http;RequestEntity;false;RequestEntity;(Object,MultiValueMap,HttpMethod,URI,Type);;Argument[3];open-url"
+      ]
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll
index 3a8d4bb084a..cb5391257d8 100644
--- a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll
+++ b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebClient.qll
@@ -4,6 +4,7 @@
 
 import java
 import SpringHttp
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** The class `org.springframework.web.client.RestTemplate`. */
 class SpringRestTemplate extends Class {
@@ -27,3 +28,24 @@ class SpringWebClient extends Interface {
     this.hasQualifiedName("org.springframework.web.reactive.function.client", "WebClient")
   }
 }
+
+private class UrlOpenSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.springframework.web.client;RestTemplate;false;delete;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;doExecute;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;exchange;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;execute;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;getForEntity;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;getForObject;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;headForHeaders;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;optionsForAllow;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;patchForObject;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;postForEntity;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;postForLocation;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;postForObject;;;Argument[0];open-url",
+        "org.springframework.web.client;RestTemplate;false;put;;;Argument[0];open-url"
+      ]
+  }
+}
diff --git a/java/ql/src/semmle/code/java/security/RequestForgery.qll b/java/ql/src/semmle/code/java/security/RequestForgery.qll
new file mode 100644
index 00000000000..4ac9e6232ef
--- /dev/null
+++ b/java/ql/src/semmle/code/java/security/RequestForgery.qll
@@ -0,0 +1,213 @@
+/** Provides classes to reason about server-side request forgery (SSRF) attacks. */
+
+import java
+import semmle.code.java.frameworks.Networking
+import semmle.code.java.frameworks.ApacheHttp
+import semmle.code.java.frameworks.spring.Spring
+import semmle.code.java.frameworks.JaxWS
+import semmle.code.java.frameworks.javase.Http
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.StringFormat
+private import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * A unit class for adding additional taint steps that are specific to server-side request forgery (SSRF) attacks.
+ *
+ * Extend this class to add additional taint steps to the SSRF query.
+ */
+class RequestForgeryAdditionalTaintStep extends Unit {
+  /**
+   * Holds if the step from `pred` to `succ` should be considered a taint
+   * step for server-side request forgery.
+   */
+  abstract predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ);
+}
+
+private class DefaultRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
+  override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
+    // propagate to a URI when its host is assigned to
+    exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
+    or
+    // propagate to a URL when its host is assigned to
+    exists(UrlConstructorCall c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c)
+  }
+}
+
+/** A data flow sink for server-side request forgery (SSRF) vulnerabilities. */
+abstract class RequestForgerySink extends DataFlow::Node { }
+
+private class UrlOpenSinkAsRequestForgerySink extends RequestForgerySink {
+  UrlOpenSinkAsRequestForgerySink() { sinkNode(this, "open-url") }
+}
+
+/** A sanitizer for request forgery vulnerabilities. */
+abstract class RequestForgerySanitizer extends DataFlow::Node { }
+
+private class PrimitiveSanitizer extends RequestForgerySanitizer {
+  PrimitiveSanitizer() {
+    this.getType() instanceof PrimitiveType or
+    this.getType() instanceof BoxedType or
+    this.getType() instanceof NumberType
+  }
+}
+
+private class HostnameSanitizingConstantPrefix extends CompileTimeConstantExpr {
+  int offset;
+
+  HostnameSanitizingConstantPrefix() {
+    // Matches strings that look like when prepended to untrusted input, they will restrict
+    // the host or entity addressed: for example, anything containing `?` or `#`, or a slash that
+    // doesn't appear to be a protocol specifier (e.g. `http://` is not sanitizing), or specifically
+    // the string "/".
+    exists(
+      this.getStringValue()
+          .regexpFind(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*|^/$", 0, offset)
+    )
+  }
+
+  /**
+   * Gets the offset in this constant string where a sanitizing substring begins.
+   */
+  int getOffset() { result = offset }
+}
+
+private Expr getAHostnameSanitizingPrefix() {
+  result instanceof HostnameSanitizingConstantPrefix
+  or
+  result.(AddExpr).getAnOperand() = getAHostnameSanitizingPrefix()
+}
+
+private class StringBuilderAppend extends MethodAccess {
+  StringBuilderAppend() {
+    this.getMethod().getDeclaringType() instanceof StringBuildingType and
+    this.getMethod().hasName("append")
+  }
+}
+
+private class StringBuilderConstructorOrAppend extends Call {
+  StringBuilderConstructorOrAppend() {
+    this instanceof StringBuilderAppend or
+    this.(ClassInstanceExpr).getConstructedType() instanceof StringBuildingType
+  }
+}
+
+private Expr getQualifier(Expr e) { result = e.(MethodAccess).getQualifier() }
+
+/**
+ * An extension of `StringBuilderVar` that also accounts for strings appended in StringBuilder/Buffer's constructor
+ * and in `append` calls chained onto the constructor call.
+ *
+ * The original `StringBuilderVar` doesn't care about these because it is designed to model taint, and
+ * in taint rules terms these are not needed, as the connection between construction, appends and the
+ * eventual `toString` is more obvious.
+ */
+private class StringBuilderVarExt extends StringBuilderVar {
+  /**
+   * Returns a first assignment after this StringBuilderVar is first assigned.
+   *
+   * For example, for `StringBuilder sbv = new StringBuilder("1").append("2"); sbv.append("3").append("4");`
+   * this returns the append of `"3"`.
+   */
+  private StringBuilderAppend getAFirstAppendAfterAssignment() {
+    result = this.getAnAppend() and not result = this.getNextAppend(_)
+  }
+
+  /**
+   * Gets the next `append` after `prev`, where `prev` is, perhaps after some more `append` or other
+   * chained calls, assigned to this `StringBuilderVar`.
+   */
+  private StringBuilderAppend getNextAssignmentChainedAppend(StringBuilderConstructorOrAppend prev) {
+    getQualifier*(result) = this.getAnAssignedValue() and
+    result.getQualifier() = prev
+  }
+
+  /**
+   * Get a constructor call or `append` call that contributes a string to this string builder.
+   */
+  StringBuilderConstructorOrAppend getAConstructorOrAppend() {
+    exists(this.getNextAssignmentChainedAppend(result)) or
+    result = this.getAnAssignedValue() or
+    result = this.getAnAppend()
+  }
+
+  /**
+   * Like `StringBuilderVar.getNextAppend`, except including appends and constructors directly
+   * assigned to this `StringBuilderVar`.
+   */
+  private StringBuilderAppend getNextAppendIncludingAssignmentChains(
+    StringBuilderConstructorOrAppend prev
+  ) {
+    result = getNextAssignmentChainedAppend(prev)
+    or
+    prev = this.getAnAssignedValue() and
+    result = this.getAFirstAppendAfterAssignment()
+    or
+    result = this.getNextAppend(prev)
+  }
+
+  /**
+   * Implements `StringBuilderVarExt.getNextAppendIncludingAssignmentChains+(prev)`.
+   */
+  StringBuilderAppend getSubsequentAppendIncludingAssignmentChains(
+    StringBuilderConstructorOrAppend prev
+  ) {
+    result = this.getNextAppendIncludingAssignmentChains(prev) or
+    result =
+      this.getSubsequentAppendIncludingAssignmentChains(this.getNextAppendIncludingAssignmentChains(prev))
+  }
+}
+
+/**
+ * An expression that is sanitized because it is concatenated onto a string that looks like
+ * a hostname or a URL separator, preventing the appended string from arbitrarily controlling
+ * the addressed server.
+ */
+private class HostnameSanitizedExpr extends Expr {
+  HostnameSanitizedExpr() {
+    // Sanitize expressions that come after a sanitizing prefix in a tree of string additions:
+    this =
+      any(AddExpr add | add.getLeftOperand() = getAHostnameSanitizingPrefix()).getRightOperand()
+    or
+    // Sanitize expressions that come after a sanitizing prefix in a sequence of StringBuilder operations:
+    exists(
+      StringBuilderConstructorOrAppend appendSanitizingConstant,
+      StringBuilderAppend subsequentAppend, StringBuilderVarExt v
+    |
+      appendSanitizingConstant = v.getAConstructorOrAppend() and
+      appendSanitizingConstant.getArgument(0) = getAHostnameSanitizingPrefix() and
+      v.getSubsequentAppendIncludingAssignmentChains(appendSanitizingConstant) = subsequentAppend and
+      this = subsequentAppend.getArgument(0)
+    )
+    or
+    // Sanitize expressions that come after a sanitizing prefix in the args to a format call:
+    exists(
+      FormattingCall formatCall, FormatString formatString, HostnameSanitizingConstantPrefix prefix,
+      int sanitizedFromOffset, int laterOffset, int sanitizedArg
+    |
+      formatString = unique(FormatString fs | fs = formatCall.getAFormatString()) and
+      (
+        // A sanitizing argument comes before this:
+        exists(int argIdx |
+          formatCall.getArgumentToBeFormatted(argIdx) = prefix and
+          sanitizedFromOffset = formatString.getAnArgUsageOffset(argIdx)
+        )
+        or
+        // The format string itself sanitizes subsequent arguments:
+        formatString = prefix.getStringValue() and
+        sanitizedFromOffset = prefix.getOffset()
+      ) and
+      laterOffset > sanitizedFromOffset and
+      laterOffset = formatString.getAnArgUsageOffset(sanitizedArg) and
+      this = formatCall.getArgumentToBeFormatted(sanitizedArg)
+    )
+  }
+}
+
+/**
+ * A value that is the result of prepending a string that prevents any value from controlling the
+ * host of a URL.
+ */
+private class HostnameSantizer extends RequestForgerySanitizer {
+  HostnameSantizer() { this.asExpr() instanceof HostnameSanitizedExpr }
+}
diff --git a/java/ql/src/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/src/semmle/code/java/security/RequestForgeryConfig.qll
new file mode 100644
index 00000000000..c93d3089dc9
--- /dev/null
+++ b/java/ql/src/semmle/code/java/security/RequestForgeryConfig.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides a taint-tracking configuration characterising request-forgery risks.
+ *
+ * Only import this directly from .ql files, to avoid the possibility of polluting the Configuration hierarchy accidentally.
+ */
+
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.RequestForgery
+
+/**
+ * A taint-tracking configuration characterising request-forgery risks.
+ */
+class RequestForgeryConfiguration extends TaintTracking::Configuration {
+  RequestForgeryConfiguration() { this = "Server-Side Request Forgery" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    // Exclude results of remote HTTP requests: fetching something else based on that result
+    // is no worse than following a redirect returned by the remote server, and typically
+    // we're requesting a resource via https which we trust to only send us to safe URLs.
+    not source.asExpr().(MethodAccess).getCallee() instanceof URLConnectionGetInputStreamMethod
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
+}
diff --git a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
index a1561c0e6cd..d035837ad6a 100644
--- a/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
+++ b/java/ql/src/semmle/code/java/security/UnsafeDeserialization.qll
@@ -2,6 +2,11 @@ import semmle.code.java.frameworks.Kryo
 import semmle.code.java.frameworks.XStream
 import semmle.code.java.frameworks.SnakeYaml
 import semmle.code.java.frameworks.FastJson
+import semmle.code.java.frameworks.JYaml
+import semmle.code.java.frameworks.JsonIo
+import semmle.code.java.frameworks.YamlBeans
+import semmle.code.java.frameworks.HessianBurlap
+import semmle.code.java.frameworks.Castor
 import semmle.code.java.frameworks.apache.Lang
 
 class ObjectInputStreamReadObjectMethod extends Method {
@@ -140,6 +145,23 @@ predicate unsafeDeserialization(MethodAccess ma, Expr sink) {
     ma.getMethod() instanceof FastJsonParseMethod and
     not fastJsonLooksSafe() and
     sink = ma.getArgument(0)
+    or
+    ma.getMethod() instanceof JYamlLoaderUnsafeLoadMethod and
+    sink = ma.getArgument(0)
+    or
+    ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+    sink = ma.getArgument(0)
+    or
+    ma.getMethod() instanceof JsonIoReadObjectMethod and
+    sink = ma.getQualifier()
+    or
+    ma.getMethod() instanceof YamlBeansReaderReadMethod and sink = ma.getQualifier()
+    or
+    ma.getMethod() instanceof UnsafeHessianInputReadObjectMethod and sink = ma.getQualifier()
+    or
+    ma.getMethod() instanceof CastorUnmarshalMethod and sink = ma.getAnArgument()
+    or
+    ma.getMethod() instanceof BurlapInputReadObjectMethod and sink = ma.getQualifier()
   )
 }
 
diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll
index d2be51d2fae..254ea873fcc 100644
--- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll
+++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll
@@ -2,12 +2,19 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.ApacheHttp
+private import semmle.code.java.frameworks.JaxWS
 
-/** A URL redirection sink */
+/** A URL redirection sink. */
 abstract class UrlRedirectSink extends DataFlow::Node { }
 
+/** A default sink represeting methods susceptible to URL redirection attacks. */
+private class DefaultUrlRedirectSink extends UrlRedirectSink {
+  DefaultUrlRedirectSink() { sinkNode(this, "url-redirect") }
+}
+
 /** A Servlet URL redirection sink. */
 private class ServletUrlRedirectSink extends UrlRedirectSink {
   ServletUrlRedirectSink() {
diff --git a/java/ql/test/TestUtilities/InlineExpectationsTest.qll b/java/ql/test/TestUtilities/InlineExpectationsTest.qll
index e086b810478..d351bac89a8 100644
--- a/java/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/java/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -181,14 +181,14 @@ private int getEndOfColumnPosition(int start, string content) {
     min(string name, int cand |
       exists(TNamedColumn(name)) and
       cand = content.indexOf(name + ":") and
-      cand > start
+      cand >= start
     |
       cand
     )
   or
   not exists(string name |
     exists(TNamedColumn(name)) and
-    content.indexOf(name + ":") > start
+    content.indexOf(name + ":") >= start
   ) and
   result = content.length()
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
new file mode 100644
index 00000000000..9f792d49990
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
@@ -0,0 +1,15 @@
+edges
+| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) |
+| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code |
+| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource |
+nodes
+| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | semmle.label | new StaticScriptSource(...) |
+| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| BeanShellInjection.java:22:20:22:23 | code | semmle.label | code |
+| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| BeanShellInjection.java:31:22:31:39 | staticScriptSource | semmle.label | staticScriptSource |
+#select
+| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShell injection from $@. | BeanShellInjection.java:13:17:13:44 | getParameter(...) | this user input |
+| BeanShellInjection.java:22:20:22:23 | code | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | BeanShell injection from $@. | BeanShellInjection.java:20:17:20:44 | getParameter(...) | this user input |
+| BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShell injection from $@. | BeanShellInjection.java:27:17:27:44 | getParameter(...) | this user input |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java
new file mode 100644
index 00000000000..ee98929312b
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java
@@ -0,0 +1,33 @@
+import bsh.Interpreter;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.scripting.bsh.BshScriptEvaluator;
+import org.springframework.scripting.support.StaticScriptSource;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class BeanShellInjection {
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		BshScriptEvaluator evaluator = new BshScriptEvaluator();
+		evaluator.evaluate(new StaticScriptSource(code)); //bad
+	}
+
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) throws Exception {
+		String code = request.getParameter("code");
+		Interpreter interpreter = new Interpreter();
+		interpreter.eval(code);  //bad
+	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		StaticScriptSource staticScriptSource = new StaticScriptSource("test");
+		staticScriptSource.setScript(code);
+		BshScriptEvaluator evaluator = new BshScriptEvaluator();
+		evaluator.evaluate(staticScriptSource);  //bad
+	}
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref
new file mode 100644
index 00000000000..a54b26a62fd
--- /dev/null
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/BeanShellInjection.ql
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/options b/java/ql/test/experimental/query-tests/security/CWE-094/options
index 75905d00a27..1fc637be50f 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
index 6c23f5d44e9..946932400c8 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -5,8 +5,12 @@ edges
 | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
 | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
-| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) |
-| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr |
+| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) |
+| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie |
+| SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie |
+| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie |
+| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String |
+| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr |
 | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
@@ -24,9 +28,13 @@ nodes
 | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | semmle.label | "token=" : String |
 | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | semmle.label | ... + ... : String |
 | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | semmle.label | ... + ... |
+| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
 | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | semmle.label | toString(...) |
 | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
 | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | semmle.label | accessKeyCookie : NewCookie |
+| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | semmle.label | toString(...) : String |
 | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | semmle.label | keyStr |
 | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | semmle.label | "token=" : String |
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | semmle.label | ... + ... : String |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
index 6a4ee5fdddd..e8e30825203 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureBasicAuth.expected
@@ -11,7 +11,9 @@ edges
 | InsecureBasicAuth.java:62:21:62:26 | uriStr : String | InsecureBasicAuth.java:62:13:62:27 | new URI(...) : URI |
 | InsecureBasicAuth.java:78:47:78:52 | "http" : String | InsecureBasicAuth.java:86:3:86:6 | post |
 | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:102:3:102:6 | post |
-| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:119:3:119:6 | post |
+| InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:110:58:110:63 | uriStr : String |
+| InsecureBasicAuth.java:110:29:110:70 | new BasicRequestLine(...) : BasicRequestLine | InsecureBasicAuth.java:119:3:119:6 | post |
+| InsecureBasicAuth.java:110:58:110:63 | uriStr : String | InsecureBasicAuth.java:110:29:110:70 | new BasicRequestLine(...) : BasicRequestLine |
 | InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection |
 | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | InsecureBasicAuth.java:133:3:133:6 | conn |
 | InsecureBasicAuth.java:145:21:145:28 | protocol : String | InsecureBasicAuth.java:146:28:146:67 | (...)... : URLConnection |
@@ -34,6 +36,8 @@ nodes
 | InsecureBasicAuth.java:93:19:93:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
 | InsecureBasicAuth.java:102:3:102:6 | post | semmle.label | post |
 | InsecureBasicAuth.java:109:19:109:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
+| InsecureBasicAuth.java:110:29:110:70 | new BasicRequestLine(...) : BasicRequestLine | semmle.label | new BasicRequestLine(...) : BasicRequestLine |
+| InsecureBasicAuth.java:110:58:110:63 | uriStr : String | semmle.label | uriStr : String |
 | InsecureBasicAuth.java:119:3:119:6 | post | semmle.label | post |
 | InsecureBasicAuth.java:126:19:126:68 | "http://www.example.com/rest/getuser.do?uid=abcdx" : String | semmle.label | "http://www.example.com/rest/getuser.do?uid=abcdx" : String |
 | InsecureBasicAuth.java:130:28:130:67 | (...)... : URLConnection | semmle.label | (...)... : URLConnection |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected
deleted file mode 100644
index f6c7072a519..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.expected
+++ /dev/null
@@ -1,77 +0,0 @@
-edges
-| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:25:31:25:34 | sink : String |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 |
-| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | RequestForgery2.java:64:59:64:61 | uri |
-| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | RequestForgery2.java:67:43:67:45 | uri |
-| RequestForgery2.java:25:31:25:34 | sink : String | RequestForgery2.java:25:23:25:35 | new URI(...) : URI |
-| RequestForgery.java:19:23:19:58 | new URI(...) : URI | RequestForgery.java:22:52:22:54 | uri |
-| RequestForgery.java:19:23:19:58 | new URI(...) : URI | RequestForgery.java:27:57:27:59 | uri |
-| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:19:23:19:58 | new URI(...) : URI |
-| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri |
-| RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:82:58:95 | fooResourceUrl : String |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl |
-| SpringSSRF.java:58:82:58:95 | fooResourceUrl : String | SpringSSRF.java:58:74:58:96 | new URI(...) |
-nodes
-| JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JaxWsSSRF.java:22:23:22:25 | url | semmle.label | url |
-| RequestForgery2.java:23:27:23:53 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RequestForgery2.java:25:23:25:35 | new URI(...) : URI | semmle.label | new URI(...) : URI |
-| RequestForgery2.java:25:31:25:34 | sink : String | semmle.label | sink : String |
-| RequestForgery2.java:55:32:55:35 | url1 | semmle.label | url1 |
-| RequestForgery2.java:58:32:58:35 | url1 | semmle.label | url1 |
-| RequestForgery2.java:59:30:59:33 | url1 | semmle.label | url1 |
-| RequestForgery2.java:63:65:63:68 | uri2 | semmle.label | uri2 |
-| RequestForgery2.java:64:59:64:61 | uri | semmle.label | uri |
-| RequestForgery2.java:67:43:67:45 | uri | semmle.label | uri |
-| RequestForgery2.java:69:29:69:32 | uri2 | semmle.label | uri2 |
-| RequestForgery.java:19:23:19:58 | new URI(...) : URI | semmle.label | new URI(...) : URI |
-| RequestForgery.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| RequestForgery.java:22:52:22:54 | uri | semmle.label | uri |
-| RequestForgery.java:27:57:27:59 | uri | semmle.label | uri |
-| SpringSSRF.java:26:33:26:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| SpringSSRF.java:32:47:32:67 | ... + ... | semmle.label | ... + ... |
-| SpringSSRF.java:37:43:37:56 | fooResourceUrl | semmle.label | fooResourceUrl |
-| SpringSSRF.java:41:42:41:55 | fooResourceUrl | semmle.label | fooResourceUrl |
-| SpringSSRF.java:45:47:45:60 | fooResourceUrl | semmle.label | fooResourceUrl |
-| SpringSSRF.java:54:59:54:72 | fooResourceUrl | semmle.label | fooResourceUrl |
-| SpringSSRF.java:58:74:58:96 | new URI(...) | semmle.label | new URI(...) |
-| SpringSSRF.java:58:82:58:95 | fooResourceUrl : String | semmle.label | fooResourceUrl : String |
-| SpringSSRF.java:62:57:62:70 | fooResourceUrl | semmle.label | fooResourceUrl |
-| SpringSSRF.java:66:48:66:61 | fooResourceUrl | semmle.label | fooResourceUrl |
-| SpringSSRF.java:69:30:69:43 | fooResourceUrl | semmle.label | fooResourceUrl |
-#select
-| JaxWsSSRF.java:22:23:22:25 | url | JaxWsSSRF.java:21:22:21:48 | getParameter(...) : String | JaxWsSSRF.java:22:23:22:25 | url | Potential server side request forgery due to $@. | JaxWsSSRF.java:21:22:21:48 | getParameter(...) | a user-provided value |
-| RequestForgery2.java:55:32:55:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:55:32:55:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
-| RequestForgery2.java:58:32:58:35 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:58:32:58:35 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
-| RequestForgery2.java:59:30:59:33 | url1 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:59:30:59:33 | url1 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
-| RequestForgery2.java:63:65:63:68 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:63:65:63:68 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
-| RequestForgery2.java:64:59:64:61 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:64:59:64:61 | uri | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
-| RequestForgery2.java:67:43:67:45 | uri | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:67:43:67:45 | uri | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
-| RequestForgery2.java:69:29:69:32 | uri2 | RequestForgery2.java:23:27:23:53 | getParameter(...) : String | RequestForgery2.java:69:29:69:32 | uri2 | Potential server side request forgery due to $@. | RequestForgery2.java:23:27:23:53 | getParameter(...) | a user-provided value |
-| RequestForgery.java:22:52:22:54 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:22:52:22:54 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
-| RequestForgery.java:27:57:27:59 | uri | RequestForgery.java:19:31:19:57 | getParameter(...) : String | RequestForgery.java:27:57:27:59 | uri | Potential server side request forgery due to $@. | RequestForgery.java:19:31:19:57 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:32:47:32:67 | ... + ... | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:32:47:32:67 | ... + ... | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:37:43:37:56 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:37:43:37:56 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:41:42:41:55 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:41:42:41:55 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:45:47:45:60 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:45:47:45:60 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:54:59:54:72 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:54:59:54:72 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:58:74:58:96 | new URI(...) | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:58:74:58:96 | new URI(...) | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:62:57:62:70 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:62:57:62:70 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:66:48:66:61 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:66:48:66:61 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
-| SpringSSRF.java:69:30:69:43 | fooResourceUrl | SpringSSRF.java:26:33:26:60 | getParameter(...) : String | SpringSSRF.java:69:30:69:43 | fooResourceUrl | Potential server side request forgery due to $@. | SpringSSRF.java:26:33:26:60 | getParameter(...) | a user-provided value |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.java b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.java
deleted file mode 100644
index a9e41a8172f..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.java
+++ /dev/null
@@ -1,34 +0,0 @@
-import java.io.IOException;
-import java.net.URI;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class RequestForgery extends HttpServlet {
-    private static final String VALID_URI = "http://lgtm.com";
-    private HttpClient client = HttpClient.newHttpClient();
-
-    protected void doGet(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        try {
-
-            URI uri = new URI(request.getParameter("uri"));
-            // BAD: a request parameter is incorporated without validation into a Http
-            // request
-            HttpRequest r = HttpRequest.newBuilder(uri).build();
-            client.send(r, null);
-
-            // GOOD: the request parameter is validated against a known fixed string
-            if (VALID_URI.equals(request.getParameter("uri"))) {
-                HttpRequest r2 = HttpRequest.newBuilder(uri).build();
-                client.send(r2, null);
-            }
-        } catch (Exception e) {
-            // TODO: handle exception
-        }
-    }
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref
deleted file mode 100644
index 3e35024c212..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery.qlref
+++ /dev/null
@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-918/RequestForgery.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery2.java b/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery2.java
deleted file mode 100644
index eb910bedd36..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-918/RequestForgery2.java
+++ /dev/null
@@ -1,84 +0,0 @@
-import java.io.IOException;
-import java.net.URI;
-import java.net.*;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.Proxy.Type;
-import java.io.InputStream;
-
-import org.apache.http.client.methods.HttpGet;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class RequestForgery2 extends HttpServlet {
-    private static final String VALID_URI = "http://lgtm.com";
-    private HttpClient client = HttpClient.newHttpClient();
-
-    protected void doGet(HttpServletRequest request, HttpServletResponse response)
-            throws ServletException, IOException {
-        try {
-
-            String sink = request.getParameter("uri");
-            // URI(String str)
-            URI uri = new URI(sink);
-
-            // URI(String scheme, String ssp, String fragment)
-            URI uri2 = new URI("http", sink, "fragement");
-
-            // URI(String scheme, String userInfo, String host, int port, String path,
-            // String query, String fragment)
-            URI uri3 = new URI("http", "userinfo", "host", 1, "path", "query", "fragment");
-            // URI(String scheme, String host, String path, String fragment)
-            URI uri4 = new URI("http", "host", "path", "fragment");
-            // URI(String scheme, String authority, String path, String query, String
-            // fragment)
-            URI uri5 = new URI("http", "authority", "path", "query", "fragment");
-            URI uri6 = URI.create("http://foo.com/");
-
-            // URL(String spec)
-            URL url1 = new URL(sink);
-            // URL(String protocol, String host, int port, String file)
-            URL url2 = new URL("http", "host", 1, "file");
-            // URL(String protocol, String host, String file)
-            URL url3 = new URL("http", "host", "file");
-            // URL(URL context, String spec)
-            URL url4 = new URL(url3, "http");
-            // URL(String protocol, String host, int port, String file, URLStreamHandler
-            // handler)
-            URL url5 = new URL("http", "host", 1, "file", new Helper2());
-
-            // URL(URL context, String spec, URLStreamHandler handler)
-            URL url6 = new URL(url3, "spec", new Helper2());
-
-            URLConnection c1 = url1.openConnection();
-            SocketAddress sa = new SocketAddress() {
-            };
-            URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
-            InputStream c3 = url1.openStream();
-
-            // java.net.http
-            HttpClient client = HttpClient.newHttpClient();
-            HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build();
-            HttpRequest request3 = HttpRequest.newBuilder(uri).build();
-
-            // Apache HTTPlib
-            HttpGet httpGet = new HttpGet(uri);
-            HttpGet httpGet2 = new HttpGet();
-            httpGet2.setURI(uri2);
-        } catch (Exception e) {
-            // TODO: handle exception
-        }
-    }
-}
-
-
-class Helper2 extends URLStreamHandler {
-    Helper2() {
-    }
-
-    protected URLConnection openConnection(URL u) throws IOException {
-        return null;
-    }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/Sinks.java b/java/ql/test/experimental/query-tests/security/CWE-918/Sinks.java
deleted file mode 100644
index f5d686c9af2..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-918/Sinks.java
+++ /dev/null
@@ -1,72 +0,0 @@
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.Proxy;
-import java.net.SocketAddress;
-import java.net.URI;
-import java.net.URL;
-import java.net.URLConnection;
-import java.net.URLStreamHandler;
-import java.net.Proxy.Type;
-import org.apache.http.client.methods.HttpGet;
-// import java.net.http.HttpClient;
-// import java.net.http.HttpRequest;
-
-public class Sinks {
-    public static void main(String[] args) throws Exception {
-        // URI(String str)
-        URI uri = new URI("uri1");
-
-        // URI(String scheme, String ssp, String fragment)
-        URI uri2 = new URI("http", "ssp", "fragement");
-
-        // URI(String scheme, String userInfo, String host, int port, String path,
-        // String query, String fragment)
-        URI uri3 = new URI("http", "userinfo", "host", 1, "path", "query", "fragment");
-        // URI(String scheme, String host, String path, String fragment)
-        URI uri4 = new URI("http", "host", "path", "fragment");
-        // URI(String scheme, String authority, String path, String query, String
-        // fragment)
-        URI uri5 = new URI("http", "authority", "path", "query", "fragment");
-        URI uri6 = URI.create("http://foo.com/");
-
-        // URL(String spec)
-        URL url1 = new URL("spec");
-        // URL(String protocol, String host, int port, String file)
-        URL url2 = new URL("http", "host", 1, "file");
-        // URL(String protocol, String host, String file)
-        URL url3 = new URL("http", "host", "file");
-        // URL(URL context, String spec)
-        URL url4 = new URL(url3, "http");
-        // URL(String protocol, String host, int port, String file, URLStreamHandler
-        // handler)
-        URL url5 = new URL("http", "host", 1, "file", new Helper());
-
-        // URL(URL context, String spec, URLStreamHandler handler)
-        URL url6 = new URL(url3, "spec", new Helper());
-
-        URLConnection c1 = url1.openConnection();
-        SocketAddress sa = new SocketAddress() {
-        };
-        URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa));
-        InputStream c3 = url1.openStream();
-
-        // java.net.http
-        // HttpClient client = HttpClient.newHttpClient();
-        // HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build();
-        // HttpRequest request3 = HttpRequest.newBuilder(uri).build();
-
-        // Apache HTTPlib
-        HttpGet httpGet = new HttpGet(uri);
-        HttpGet httpGet2 = new HttpGet();
-        httpGet2.setURI(uri2);
-
-    }
-
-}
-
-class Helper extends URLStreamHandler {
-    @Override
-    protected URLConnection openConnection(URL arg0) throws IOException {
-        return null;
-    }
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java
deleted file mode 100644
index a7d3cb32b87..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-918/SpringSSRF.java
+++ /dev/null
@@ -1,73 +0,0 @@
-import org.springframework.web.client.RestTemplate;
-import org.springframework.http.RequestEntity;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.HttpEntity;
-import org.springframework.http.HttpStatus;
-import java.net.URI;
-import org.springframework.http.HttpMethod;
-import java.io.IOException;
-import java.net.URI;
-import java.net.*;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.Proxy.Type;
-import java.io.InputStream;
-
-import org.apache.http.client.methods.HttpGet;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-public class SpringSSRF extends HttpServlet {
-
-    protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
-            throws ServletException, IOException {
-        String fooResourceUrl = request2.getParameter("uri");;
-        RestTemplate restTemplate = new RestTemplate();
-        HttpEntity<String> request = new HttpEntity<>(new String("bar"));
-        try {
-        {
-            ResponseEntity<String> response =
-                    restTemplate.getForEntity(fooResourceUrl + "/1", String.class);
-        }
-
-        {
-            ResponseEntity<String> response =
-                    restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class);
-        }
-        {
-            ResponseEntity<String> response =
-                    restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test");
-        }
-        {
-            ResponseEntity<String> response =
-                    restTemplate.getForEntity(fooResourceUrl, String.class, "test");
-        }
-        {
-            String body = new String("body");
-            RequestEntity<String> requestEntity =
-                    RequestEntity.post(new URI(fooResourceUrl)).body(body);
-            ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
-        }
-        {
-            String response = restTemplate.patchForObject(fooResourceUrl, new String("object"),
-                    String.class, "hi");
-        }
-        {
-            ResponseEntity<String> response = restTemplate.postForEntity(new URI(fooResourceUrl),
-                    new String("object"), String.class);
-        }
-        {
-            URI response = restTemplate.postForLocation(fooResourceUrl, new String("object"));
-        }
-        {
-            String response =
-                    restTemplate.postForObject(fooResourceUrl, new String("object"), String.class);
-        }
-        {
-            restTemplate.put(fooResourceUrl, new String("object"));
-        }
-        } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
-    }
-}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/options b/java/ql/test/experimental/query-tests/security/CWE-918/options
deleted file mode 100644
index 1f5354b3f8d..00000000000
--- a/java/ql/test/experimental/query-tests/security/CWE-918/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4/
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java b/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java
deleted file mode 100644
index cddcf668d14..00000000000
--- a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java
+++ /dev/null
@@ -1,12 +0,0 @@
-package javax.ws.rs.client;
-
-public abstract interface Client extends javax.ws.rs.core.Configurable {
-
-    public abstract javax.ws.rs.client.WebTarget target(java.lang.String arg0);
-
-    public abstract javax.ws.rs.client.WebTarget target(java.net.URI arg0);
-
-    public abstract javax.ws.rs.client.WebTarget target(javax.ws.rs.core.UriBuilder arg0);
-
-    public abstract javax.ws.rs.client.WebTarget target(javax.ws.rs.core.Link arg0);
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java b/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java
deleted file mode 100644
index e132dd5b418..00000000000
--- a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java
+++ /dev/null
@@ -1,6 +0,0 @@
-package javax.ws.rs.core;
-
-public abstract interface Configurable<C extends javax.ws.rs.core.Configurable> {
-
-    public abstract javax.ws.rs.core.Configuration getConfiguration();
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java b/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java
deleted file mode 100644
index 38ed9572dca..00000000000
--- a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java
+++ /dev/null
@@ -1,61 +0,0 @@
-package javax.ws.rs.core;
-
-public abstract class Link {
-
-    public static final java.lang.String TITLE = "title";
-
-    public static final java.lang.String REL = "rel";
-
-    public static final java.lang.String TYPE = "type";
-
-    public Link() {
-    }
-
-    public abstract java.net.URI getUri();
-
-    public abstract javax.ws.rs.core.UriBuilder getUriBuilder();
-
-    public abstract java.lang.String getRel();
-
-    public abstract java.util.List<java.lang.String> getRels();
-
-    public abstract java.lang.String getTitle();
-
-    public abstract java.lang.String getType();
-
-    public abstract java.util.Map<java.lang.String, java.lang.String> getParams();
-
-    public abstract java.lang.String toString();
-
-    public static javax.ws.rs.core.Link valueOf(java.lang.String value) {
-        return null;
-    }
-
-    // public static javax.ws.rs.core.Link.Builder fromUri(java.net.URI uri) {
-    //     return null;
-    // }
-
-    // public static javax.ws.rs.core.Link.Builder fromUri(java.lang.String uri) {
-    //     return null;
-    // }
-
-    // public static javax.ws.rs.core.Link.Builder fromUriBuilder(javax.ws.rs.core.UriBuilder uriBuilder) {
-    //     return null;
-    // }
-
-    // public static javax.ws.rs.core.Link.Builder fromLink(javax.ws.rs.core.Link link) {
-    //     return null;
-    // }
-
-    // public static javax.ws.rs.core.Link.Builder fromPath(java.lang.String path) {
-    //     return null;
-    // }
-
-    // public static javax.ws.rs.core.Link.Builder fromResource(java.lang.Class<?> resource) {
-    //     return null;
-    // }
-
-    // public static javax.ws.rs.core.Link.Builder fromMethod(java.lang.Class<?> resource, java.lang.String method) {
-    //     return null;
-    // }
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java b/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java
deleted file mode 100644
index d32f96c5043..00000000000
--- a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java
+++ /dev/null
@@ -1,62 +0,0 @@
-// Failed to get sources. Instead, stub sources have been generated by the disassembler.
-// Implementation of methods is unavailable.
-package javax.ws.rs.core;
-
-public abstract class UriBuilder {
-
-    protected UriBuilder() {
-    }
-
-    protected static javax.ws.rs.core.UriBuilder newInstance() {
-        return null;
-    }
-
-    public static javax.ws.rs.core.UriBuilder fromUri(java.net.URI uri) {
-        return null;
-    }
-
-    public static javax.ws.rs.core.UriBuilder fromUri(java.lang.String uriTemplate) {
-        return null;
-    }
-
-    public static javax.ws.rs.core.UriBuilder fromLink(javax.ws.rs.core.Link link) {
-        return null;
-    }
-
-    public static javax.ws.rs.core.UriBuilder fromPath(java.lang.String path)
-            throws java.lang.IllegalArgumentException {
-        return null;
-    }
-
-    public static javax.ws.rs.core.UriBuilder fromResource(java.lang.Class<?> resource) {
-        return null;
-    }
-
-    public static javax.ws.rs.core.UriBuilder fromMethod(java.lang.Class<?> resource, java.lang.String method) {
-        return null;
-    }
-
-    public abstract javax.ws.rs.core.UriBuilder clone();
-
-    public abstract javax.ws.rs.core.UriBuilder uri(java.net.URI arg0);
-
-    public abstract javax.ws.rs.core.UriBuilder uri(java.lang.String arg0);
-
-    public abstract java.net.URI buildFromMap(java.util.Map<java.lang.String, ?> arg0);
-
-    public abstract java.net.URI buildFromMap(java.util.Map<java.lang.String, ?> arg0, boolean arg1)
-            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
-
-    public abstract java.net.URI buildFromEncodedMap(java.util.Map<java.lang.String, ?> arg0)
-            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
-
-    public abstract java.net.URI build(java.lang.Object... arg0)
-            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
-
-    public abstract java.net.URI build(java.lang.Object[] arg0, boolean arg1)
-            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
-
-    public abstract java.net.URI buildFromEncoded(java.lang.Object... arg0)
-            throws java.lang.IllegalArgumentException, javax.ws.rs.core.UriBuilderException;
-
-}
\ No newline at end of file
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java b/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java
deleted file mode 100644
index 55aad43d041..00000000000
--- a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java
+++ /dev/null
@@ -1,18 +0,0 @@
-package javax.ws.rs.core;
-
-public class UriBuilderException extends java.lang.RuntimeException {
-
-    private static final long serialVersionUID = 956255913370721193L;
-
-    public UriBuilderException() {
-    }
-
-    public UriBuilderException(java.lang.String msg) {
-    }
-
-    public UriBuilderException(java.lang.String msg, java.lang.Throwable cause) {
-    }
-
-    public UriBuilderException(java.lang.Throwable cause) {
-    }
-}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/dataflow/external-models/sinks.ql b/java/ql/test/library-tests/dataflow/external-models/sinks.ql
index eb7388fc289..cda440ff4e7 100644
--- a/java/ql/test/library-tests/dataflow/external-models/sinks.ql
+++ b/java/ql/test/library-tests/dataflow/external-models/sinks.ql
@@ -7,7 +7,7 @@ class SinkModelTest extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;spec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; kind`
         "my.qltest;B;false;sink1;(Object);;Argument[0];qltest",
         "my.qltest;B;false;sinkMethod;();;ReturnValue;qltest",
         "my.qltest;B$Tag;false;;;Annotated;ReturnValue;qltest-retval",
diff --git a/java/ql/test/library-tests/dataflow/external-models/srcs.ql b/java/ql/test/library-tests/dataflow/external-models/srcs.ql
index daa3440d940..4ec1d6d3c83 100644
--- a/java/ql/test/library-tests/dataflow/external-models/srcs.ql
+++ b/java/ql/test/library-tests/dataflow/external-models/srcs.ql
@@ -7,7 +7,7 @@ class SourceModelTest extends SourceModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;spec;kind",
+        //`namespace; type; subtypes; name; signature; ext; output; kind`
         "my.qltest;A;false;src1;();;ReturnValue;qltest",
         "my.qltest;A;false;src1;(String);;ReturnValue;qltest",
         "my.qltest;A;false;src1;(java.lang.String);;ReturnValue;qltest-alt",
diff --git a/java/ql/test/library-tests/dataflow/external-models/steps.ql b/java/ql/test/library-tests/dataflow/external-models/steps.ql
index 58edd018587..5909f1e5222 100644
--- a/java/ql/test/library-tests/dataflow/external-models/steps.ql
+++ b/java/ql/test/library-tests/dataflow/external-models/steps.ql
@@ -8,7 +8,7 @@ class SummaryModelTest extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "my.qltest;C;false;stepArgRes;(Object);;Argument[0];ReturnValue;taint",
         "my.qltest;C;false;stepArgArg;(Object,Object);;Argument[0];Argument[1];taint",
         "my.qltest;C;false;stepArgQual;(Object);;Argument[0];Argument[-1];taint",
diff --git a/java/ql/test/library-tests/format-strings/Test.java b/java/ql/test/library-tests/format-strings/Test.java
new file mode 100644
index 00000000000..fe58a2b975c
--- /dev/null
+++ b/java/ql/test/library-tests/format-strings/Test.java
@@ -0,0 +1,17 @@
+public class Test {
+
+  public static void test () {
+    String.format("%s", "", "");
+    String.format("s", "");
+    String.format("%2$s %2$s", "", "");
+    String.format("%2$s %1$s", "", "");
+    String.format("%2$s %s", "");
+    String.format("%s%<s", "", "");
+    String.format("%s%%%%%%%%s%n", "", "");
+    String.format("%s%%%%%%%%s%n", "");
+    String.format("%s%%%%%%%s%n", "", "");
+    String.format("%s%%%%%%%s%n", "");
+    String.format("%2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s", "", "");
+  }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/format-strings/test.expected b/java/ql/test/library-tests/format-strings/test.expected
new file mode 100644
index 00000000000..0dd4eb9de04
--- /dev/null
+++ b/java/ql/test/library-tests/format-strings/test.expected
@@ -0,0 +1,22 @@
+| %2$s %1$s | 1 | 5 |
+| %2$s %1$s | 2 | 0 |
+| %2$s %2$s | 2 | 0 |
+| %2$s %2$s | 2 | 5 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 1 | 11 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 1 | 16 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 1 | 20 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 1 | 23 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 1 | 27 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 1 | 38 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 1 | 43 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 2 | 0 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 2 | 31 |
+| %2$s %% %n %1$s %<s %s %<s %<s %s %<s %1$s %<s | 2 | 34 |
+| %2$s %s | 1 | 5 |
+| %2$s %s | 2 | 0 |
+| %s | 1 | 0 |
+| %s%%%%%%%%s%n | 1 | 0 |
+| %s%%%%%%%s%n | 1 | 0 |
+| %s%%%%%%%s%n | 2 | 8 |
+| %s%<s | 1 | 0 |
+| %s%<s | 1 | 2 |
diff --git a/java/ql/test/library-tests/format-strings/test.ql b/java/ql/test/library-tests/format-strings/test.ql
new file mode 100644
index 00000000000..65172d957e4
--- /dev/null
+++ b/java/ql/test/library-tests/format-strings/test.ql
@@ -0,0 +1,6 @@
+import java
+import semmle.code.java.StringFormat
+
+from FormatString f, int argNo, int offset
+where offset = f.getAnArgUsageOffset(argNo)
+select f, argNo, offset
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java
new file mode 100644
index 00000000000..271f3594eb0
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java
@@ -0,0 +1,215 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.OPTIONS;
+import jakarta.ws.rs.HEAD;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.BeanParam;
+import jakarta.ws.rs.CookieParam;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.MatrixParam;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+public class JakartaRs1 { // $ RootResourceClass
+  public JakartaRs1() { // $ InjectableConstructor
+  }
+
+  @GET
+  int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+    return 0; // $ XssSink
+  }
+
+  @POST
+  void Post() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Produces("text/plain") // $ ProducesAnnotation=text/plain
+  @DELETE
+  double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+    return 0.0; // $ XssSink
+  }
+
+  @Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html
+  @PUT
+  void Put() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+  }
+
+  @OPTIONS
+  void Options() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @HEAD
+  void Head() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Path("")
+  NonRootResourceClassJakarta subResourceLocator() { // $ SubResourceLocator
+    return null;
+  }
+
+  public class NonRootResourceClassJakarta { // $ NonRootResourceClass
+    @GET
+    int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return 0; // $ XssSink
+    }
+
+    @Produces("text/html") // $ ProducesAnnotation=text/html
+    @POST
+    boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+      return false;
+    }
+
+    @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
+    @DELETE
+    double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+      return 0.0; // $ XssSink
+    }
+
+    @Path("")
+    AnotherNonRootResourceClassJakarta subResourceLocator1() { // $ SubResourceLocator
+      return null;
+    }
+
+    @GET
+    @Path("")
+    NotAResourceClass1Jakarta NotASubResourceLocator1() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    @GET
+    NotAResourceClass2Jakarta NotASubResourceLocator2() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    NotAResourceClass2Jakarta NotASubResourceLocator3() {
+      return null;
+    }
+  }
+}
+
+class AnotherNonRootResourceClassJakarta { // $ NonRootResourceClass
+  public AnotherNonRootResourceClassJakarta() {
+  }
+
+  public AnotherNonRootResourceClassJakarta(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  @Path("")
+  public void resourceMethodWithBeanParamParameter(@BeanParam FooJakarta FooJakarta) { // $ SubResourceLocator InjectionAnnotation
+  }
+}
+
+class FooJakarta {
+  FooJakarta() { // $ BeanParamConstructor
+  }
+
+  public FooJakarta( // $ BeanParamConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public FooJakarta(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+}
+
+class NotAResourceClass1Jakarta {
+}
+
+class NotAResourceClass2Jakarta {
+}
+
+class ExtendsJakartaRs1 extends JakartaRs1 {
+  @Override
+  int Get() { // $ ResourceMethod
+    return 1;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 1.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Produces("application/json") // $ ProducesAnnotation=application/json
+  @Override
+  void Options() {
+  }
+
+  @Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+  @Override
+  void Head() {
+  }
+
+}
+
+@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+class ExtendsJakartaRs1WithProducesAnnotation extends JakartaRs1 {
+  @Override
+  int Get() { // $ ResourceMethod=text/xml
+    return 2;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 2.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Override
+  void Options() { // $ ResourceMethod=text/xml
+  }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java
new file mode 100644
index 00000000000..26537bae815
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java
@@ -0,0 +1,98 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.OPTIONS;
+import jakarta.ws.rs.HEAD;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.BeanParam;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.CookieParam;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.MatrixParam;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+class JakartaRs2 { // $ RootResourceClass
+  JakartaRs2() {
+  }
+
+  public JakartaRs2(// $ InjectableConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public JakartaRs2(@BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+
+  @BeanParam // $ InjectionAnnotation
+  int beanField; // $ InjectableField
+  @CookieParam("") // $ InjectionAnnotation
+  int cookieField; // $ InjectableField
+  @FormParam("") // $ InjectionAnnotation
+  int formField; // $ InjectableField
+  @HeaderParam("") // $ InjectionAnnotation
+  int headerField; // $ InjectableField
+  @MatrixParam("") // $ InjectionAnnotation
+  int matrixField; // $ InjectableField
+  @PathParam("") // $ InjectionAnnotation
+  int pathField; // $ InjectableField
+  @QueryParam("") // $ InjectionAnnotation
+  int queryField; // $ InjectableField
+  @Context // $ InjectionAnnotation
+  int context; // $ InjectableField
+  int fieldWithoutAnnotation;
+}
+
+class CustomUnmarshallerJakarta implements MessageBodyReader {
+
+  @Override
+  public boolean isReadable(Class aClass, Type type, Annotation[] annotations, MediaType mediaType) {
+    return true;
+  }
+
+
+  @Override
+  public Object readFrom(Class aClass, Type type, Annotation[] annotations, MediaType mediaType, MultivaluedMap multivaluedMap, InputStream inputStream) {
+    return null;
+  }
+}
+
+class MiscellaneousJakarta {
+  @Consumes("") // $ ConsumesAnnotation
+  public static void miscellaneousJakarta() throws IOException {
+    Response.ResponseBuilder responseBuilder = Response.accepted(); // $ ResponseBuilderDeclaration
+    Response response = responseBuilder.build(); // $ ResponseDeclaration
+    Client client; // $ ClientDeclaration
+    MessageBodyReader<String> messageBodyReader = null; // $ MessageBodyReaderDeclaration
+    messageBodyReader.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadFromCall MessageBodyReaderReadCall
+    CustomUnmarshallerJakarta CustomUnmarshallerJakarta = null;
+    CustomUnmarshallerJakarta.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadCall
+  }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
new file mode 100644
index 00000000000..f534e59b854
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
@@ -0,0 +1,410 @@
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import jakarta.ws.rs.core.AbstractMultivaluedMap;
+import jakarta.ws.rs.core.CacheControl;
+import jakarta.ws.rs.core.Cookie;
+import jakarta.ws.rs.core.EntityTag;
+import jakarta.ws.rs.core.Form;
+import jakarta.ws.rs.core.GenericEntity;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.Link;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedHashMap;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.NewCookie;
+import jakarta.ws.rs.core.PathSegment;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriBuilder;
+import jakarta.ws.rs.core.UriInfo;
+import jakarta.ws.rs.core.Variant;
+
+public class JakartaRsFlow {
+  String taint() { return "tainted"; }
+
+  private static class ResponseSource {
+    static Response taint() { return null; }
+  }
+
+  private static class ResponseBuilderSource {
+    static Response.ResponseBuilder taint() { return Response.noContent(); }
+  }
+
+  private static class IntSource {
+    static int taint() { return 0; }
+  }
+
+  private static class BooleanSource {
+    static boolean taint() { return false; }
+  }
+
+  private static class DateSource {
+    static Date taint() { return null; }
+  }
+
+  private static class SetStringSource {
+    static Set<String> taint() { return new HashSet<String>(); }
+  }
+
+  static HttpHeaders taint(HttpHeaders h) { return h; }
+
+  static PathSegment taint(PathSegment ps) { return ps; }
+
+  static UriInfo taint(UriInfo ui) { return ui; }
+  
+  static Map taint(Map m) { return m; }
+  
+  static Link taint(Link l) { return l; }
+  
+  static Class taint(Class c) { return c; }
+
+  private static class UriSource {
+    static URI taint() throws Exception { return new URI(""); }
+  }
+
+  void sink(Object o) {}
+
+  void testResponse() {
+    sink(Response.accepted(taint())); // $ hasTaintFlow
+    sink(Response.fromResponse(ResponseSource.taint())); // $ hasTaintFlow
+    sink(Response.ok(taint())); // $ hasTaintFlow
+    sink(Response.ok(taint(), new MediaType())); // $ hasTaintFlow
+    sink(Response.ok(taint(), "type")); // $ hasTaintFlow
+    sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $ hasTaintFlow
+  }
+
+  void testResponseBuilder(MultivaluedMap<String,Object> multivaluedMap, List<Variant> list) throws Exception {
+    sink(ResponseBuilderSource.taint().build()); // $ hasTaintFlow
+    sink(Response.noContent().entity(taint())); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().allow(new HashSet<String>())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().clone()); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cookie()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().encoding("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().entity("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().expires(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().header("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().language("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().lastModified(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().links()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().location(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().status(400)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().type("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants(list)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants()); // $ hasValueFlow
+  }
+
+  void testHttpHeaders(HttpHeaders h) {
+    sink(taint(h).getAcceptableLanguages()); // $ hasTaintFlow
+    sink(taint(h).getAcceptableMediaTypes()); // $ hasTaintFlow
+    sink(taint(h).getCookies()); // $ hasTaintFlow
+    sink(taint(h).getHeaderString("")); // $ hasTaintFlow
+    sink(taint(h).getLanguage()); // $ hasTaintFlow
+    sink(taint(h).getMediaType()); // $ hasTaintFlow
+    sink(taint(h).getRequestHeader("")); // $ hasTaintFlow
+    sink(taint(h).getRequestHeaders()); // $ hasTaintFlow
+  }
+
+  void testMultivaluedMapAdd(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.add(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.add("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddAll(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2, MultivaluedMap<String, String> mm3) {
+    mm1.addAll(taint(), "a", "b");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    List<String> l = new ArrayList<String>();
+    l.add(taint());
+    mm2.addAll("key", l);
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    mm3.addAll("key", "a", taint());
+    sink(mm3.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddFirst(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.addFirst(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.addFirst("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    sink(mm2.getFirst("key")); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapputSingle(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.putSingle(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.putSingle("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  class MyAbstractMultivaluedMapJak<K, V> extends AbstractMultivaluedMap<K, V> {
+    public MyAbstractMultivaluedMapJak(Map<K, List<V>> map) {
+        super(map);
+    }
+  }
+
+  void testAbstractMultivaluedMap(Map<String, List<String>> map1, Map<String, List<String>> map2, List<String> list) {
+    map1.put(taint(), list);
+    AbstractMultivaluedMap<String, String> amm1 = new MyAbstractMultivaluedMapJak<String, String>(map1);
+    sink(amm1.keySet().iterator().next()); // $  MISSING: hasValueFlow
+
+    list.add(taint());
+    map2.put("key", list);
+    AbstractMultivaluedMap<String, String> amm2 = new MyAbstractMultivaluedMapJak<String, String>(map2);
+    sink(amm2.get("key").get(0)); // $  MISSING: hasValueFlow SPURIOUS: hasTaintFlow
+  }
+
+  void testMultivaluedHashMap(Map<String, String> map1, Map<String, String> map2,
+      MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    map1.put(taint(), "value");
+    MultivaluedHashMap<String, String> mhm1 = new MultivaluedHashMap<String, String>(map1);
+    sink(mhm1.keySet().iterator().next()); // $ hasValueFlow
+
+    map2.put("key", taint());
+    MultivaluedHashMap<String, String> mhm2 = new MultivaluedHashMap<String, String>(map2);
+    sink(mhm2.get("key").get(0)); // $ hasValueFlow
+
+    mm1.add(taint(), "value");
+    MultivaluedHashMap<String, String> mhm3 = new MultivaluedHashMap<String, String>(mm1);
+    sink(mhm3.keySet().iterator().next()); // $ hasValueFlow
+
+    mm2.add("key", taint());
+    MultivaluedHashMap<String, String> mhm4 = new MultivaluedHashMap<String, String>(mm2);
+    sink(mhm4.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testPathSegment(PathSegment ps1, PathSegment ps2) {
+    sink(taint(ps1).getMatrixParameters()); // $ hasTaintFlow
+    sink(taint(ps2).getPath()); // $ hasTaintFlow
+  }
+
+  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
+    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
+    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  }
+
+  void testCookie() {
+    sink(new Cookie(taint(), "", "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint(), 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", "", IntSource.taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "", "", "")); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "")); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getDomain()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getName()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getPath()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getValue()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getVersion()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).toString()); // $ hasTaintFlow
+  }
+
+  void testNewCookie() {
+    sink(new NewCookie(Cookie.valueOf(taint()))); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "")); // $ hasTaintFlow
+    sink(new NewCookie("", taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(NewCookie.valueOf(taint()).getComment()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getExpiry()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getMaxAge()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).toCookie()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testForm(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    sink(new Form(taint(), "")); // $ hasTaintFlow
+    sink(new Form("", taint())); // $ hasTaintFlow
+    mm1.add(taint(), "value");
+    sink(new Form(mm1)); // $ hasTaintFlow
+    mm2.add("key", taint());
+    sink(new Form(mm2)); // $ hasTaintFlow
+    Form f1 = new Form(taint(), "");
+    sink(f1.asMap()); // $ hasTaintFlow
+    Form f2 = new Form();
+    sink(f2.param(taint(), "b")); // $ hasTaintFlow
+    Form f3 = new Form();
+    sink(f3.param("a", taint())); // $ hasTaintFlow
+    Form f4 = new Form(taint(), "");
+    sink(f4.param("a", "b")); // $ hasTaintFlow
+  }
+
+  void testGenericEntity() {
+    Method m = DummyJakarta.class.getMethods()[0];
+    GenericEntity<Set<String>> ge = new GenericEntity<Set<String>>(SetStringSource.taint(), m.getGenericReturnType());
+    sink(ge); // $ hasTaintFlow
+    sink(ge.getEntity()); // $ hasTaintFlow
+  }
+
+  void testMediaType(Map<String, String> m) {
+    sink(new MediaType(taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", taint())); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", m)); // $ hasTaintFlow
+    sink(new MediaType("", taint(), m)); // $ hasTaintFlow
+    sink(new MediaType("", "", taint(m))); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", "")); // $ hasTaintFlow
+    sink(new MediaType("", taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", "", taint())); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getParameters()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getSubtype()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getType()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testUriBuilder() throws Exception {
+    sink(UriBuilder.fromPath("").build(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build(taint(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("", false)); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap<String, String>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
+    
+    sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow
+    sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromUri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").host(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).host("")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(taint(DummyJakarta.class))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(DummyJakarta.class, taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).path(DummyJakarta.class)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replacePath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replacePath("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQuery(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap<String, Object>())); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").scheme(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).scheme("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).segment("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).toTemplate()); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").uri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").userInfo(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).userInfo("")); // $ hasTaintFlow
+  }
+}
+
+class DummyJakarta {
+  private static Set<String> foo() { return null; }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.expected b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
new file mode 100644
index 00000000000..721d46672e9
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql
@@ -0,0 +1,155 @@
+import java
+import semmle.code.java.frameworks.JaxWS
+import semmle.code.java.security.XSS
+import TestUtilities.InlineExpectationsTest
+
+class JaxRsTest extends InlineExpectationsTest {
+  JaxRsTest() { this = "JaxRsTest" }
+
+  override string getARelevantTag() {
+    result =
+      [
+        "ResourceMethod", "RootResourceClass", "NonRootResourceClass",
+        "ResourceMethodOnResourceClass", "InjectableConstructor", "InjectableField",
+        "InjectionAnnotation", "ResponseDeclaration", "ResponseBuilderDeclaration",
+        "ClientDeclaration", "BeanParamConstructor", "MessageBodyReaderDeclaration",
+        "MessageBodyReaderReadFromCall", "MessageBodyReaderReadCall", "ProducesAnnotation",
+        "ConsumesAnnotation"
+      ]
+  }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "ResourceMethod" and
+    exists(JaxRsResourceMethod resourceMethod |
+      resourceMethod.getLocation() = location and
+      element = resourceMethod.toString() and
+      if exists(resourceMethod.getProducesAnnotation())
+      then value = resourceMethod.getProducesAnnotation().getADeclaredContentType()
+      else value = ""
+    )
+    or
+    tag = "RootResourceClass" and
+    exists(JaxRsResourceClass resourceClass |
+      resourceClass.isRootResource() and
+      resourceClass.getLocation() = location and
+      element = resourceClass.toString() and
+      value = ""
+    )
+    or
+    tag = "NonRootResourceClass" and
+    exists(JaxRsResourceClass resourceClass |
+      not resourceClass.isRootResource() and
+      resourceClass.getLocation() = location and
+      element = resourceClass.toString() and
+      value = ""
+    )
+    or
+    tag = "ResourceMethodOnResourceClass" and
+    exists(JaxRsResourceMethod resourceMethod |
+      resourceMethod = any(JaxRsResourceClass ResourceClass).getAResourceMethod()
+    |
+      resourceMethod.getLocation() = location and
+      element = resourceMethod.toString() and
+      value = ""
+    )
+    or
+    tag = "InjectableConstructor" and
+    exists(Constructor cons |
+      cons = any(JaxRsResourceClass resourceClass).getAnInjectableConstructor()
+    |
+      cons.getLocation() = location and
+      element = cons.toString() and
+      value = ""
+    )
+    or
+    tag = "InjectableField" and
+    exists(Field field | field = any(JaxRsResourceClass resourceClass).getAnInjectableField() |
+      field.getLocation() = location and
+      element = field.toString() and
+      value = ""
+    )
+    or
+    tag = "InjectionAnnotation" and
+    exists(JaxRsInjectionAnnotation injectionAnnotation |
+      injectionAnnotation.getLocation() = location and
+      element = injectionAnnotation.toString() and
+      value = ""
+    )
+    or
+    tag = "ResponseDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType() instanceof JaxRsResponse and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "ResponseBuilderDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType() instanceof JaxRsResponseBuilder and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "ClientDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType() instanceof JaxRsClient and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "BeanParamConstructor" and
+    exists(JaxRsBeanParamConstructor cons |
+      cons.getLocation() = location and
+      element = cons.toString() and
+      value = ""
+    )
+    or
+    tag = "MessageBodyReaderDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "MessageBodyReaderReadFromCall" and
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof MessageBodyReaderReadFrom and
+      ma.getLocation() = location and
+      element = ma.toString() and
+      value = ""
+    )
+    or
+    tag = "MessageBodyReaderReadCall" and
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof MessageBodyReaderRead and
+      ma.getLocation() = location and
+      element = ma.toString() and
+      value = ""
+    )
+    or
+    tag = "ProducesAnnotation" and
+    exists(JaxRSProducesAnnotation producesAnnotation |
+      producesAnnotation.getLocation() = location and
+      element = producesAnnotation.toString() and
+      value = producesAnnotation.getADeclaredContentType()
+    )
+    or
+    tag = "ConsumesAnnotation" and
+    exists(JaxRSConsumesAnnotation consumesAnnotation |
+      consumesAnnotation.getLocation() = location and
+      element = consumesAnnotation.toString() and
+      value = ""
+    )
+    or
+    tag = "XssSink" and
+    exists(XssSink xssSink |
+      xssSink.getLocation() = location and
+      element = xssSink.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
new file mode 100644
index 00000000000..ba21f36069b
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java
@@ -0,0 +1,215 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.PUT;
+import javax.ws.rs.OPTIONS;
+import javax.ws.rs.HEAD;
+import javax.ws.rs.Path;
+import javax.ws.rs.BeanParam;
+import javax.ws.rs.CookieParam;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.MatrixParam;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+public class JaxRs1 { // $ RootResourceClass
+  public JaxRs1() { // $ InjectableConstructor
+  }
+
+  @GET
+  int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+    return 0; // $ XssSink
+  }
+
+  @POST
+  void Post() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Produces("text/plain") // $ ProducesAnnotation=text/plain
+  @DELETE
+  double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+    return 0.0; // $ XssSink
+  }
+
+  @Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html
+  @PUT
+  void Put() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+  }
+
+  @OPTIONS
+  void Options() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @HEAD
+  void Head() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Path("")
+  NonRootResourceClass subResourceLocator() { // $ SubResourceLocator
+    return null;
+  }
+
+  public class NonRootResourceClass { // $ NonRootResourceClass
+    @GET
+    int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return 0; // $ XssSink
+    }
+
+    @Produces("text/html") // $ ProducesAnnotation=text/html
+    @POST
+    boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+      return false;
+    }
+
+    @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
+    @DELETE
+    double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+      return 0.0; // $ XssSink
+    }
+
+    @Path("")
+    AnotherNonRootResourceClass subResourceLocator1() { // $ SubResourceLocator
+      return null;
+    }
+
+    @GET
+    @Path("")
+    NotAResourceClass1 NotASubResourceLocator1() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    @GET
+    NotAResourceClass2 NotASubResourceLocator2() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    NotAResourceClass2 NotASubResourceLocator3() {
+      return null;
+    }
+  }
+}
+
+class AnotherNonRootResourceClass { // $ NonRootResourceClass
+  public AnotherNonRootResourceClass() {
+  }
+
+  public AnotherNonRootResourceClass(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  @Path("")
+  public void resourceMethodWithBeanParamParameter(@BeanParam Foo foo) { // $ SubResourceLocator InjectionAnnotation
+  }
+}
+
+class Foo {
+  Foo() { // $ BeanParamConstructor
+  }
+
+  public Foo( // $ BeanParamConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public Foo(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+}
+
+class NotAResourceClass1 {
+}
+
+class NotAResourceClass2 {
+}
+
+class ExtendsJaxRs1 extends JaxRs1 {
+  @Override
+  int Get() { // $ ResourceMethod
+    return 1;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 1.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Produces("application/json") // $ ProducesAnnotation=application/json
+  @Override
+  void Options() {
+  }
+
+  @Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+  @Override
+  void Head() {
+  }
+
+}
+
+@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+class ExtendsJaxRs1WithProducesAnnotation extends JaxRs1 {
+  @Override
+  int Get() { // $ ResourceMethod=text/xml
+    return 2;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 2.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Override
+  void Options() { // $ ResourceMethod=text/xml
+  }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java
new file mode 100644
index 00000000000..7fa0413e841
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java
@@ -0,0 +1,99 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.PUT;
+import javax.ws.rs.OPTIONS;
+import javax.ws.rs.HEAD;
+import javax.ws.rs.Path;
+import javax.ws.rs.BeanParam;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.CookieParam;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.MatrixParam;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+class JaxRs2 { // $ RootResourceClass
+  JaxRs2() {
+  }
+
+  public JaxRs2(// $ InjectableConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public JaxRs2(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+
+  @BeanParam // $ InjectionAnnotation
+  int beanField; // $ InjectableField
+  @CookieParam("") // $ InjectionAnnotation
+  int cookieField; // $ InjectableField
+  @FormParam("") // $ InjectionAnnotation
+  int formField; // $ InjectableField
+  @HeaderParam("") // $ InjectionAnnotation
+  int headerField; // $ InjectableField
+  @MatrixParam("") // $ InjectionAnnotation
+  int matrixField; // $ InjectableField
+  @PathParam("") // $ InjectionAnnotation
+  int pathField; // $ InjectableField
+  @QueryParam("") // $ InjectionAnnotation
+  int queryField; // $ InjectableField
+  @Context // $ InjectionAnnotation
+  int context; // $ InjectableField
+  int fieldWithoutAnnotation;
+}
+
+class CustomUnmarshaller implements MessageBodyReader {
+
+  @Override
+  public boolean isReadable(Class aClass, Type type, Annotation[] annotations, MediaType mediaType) {
+    return true;
+  }
+
+
+  @Override
+  public Object readFrom(Class aClass, Type type, Annotation[] annotations, MediaType mediaType, MultivaluedMap multivaluedMap, InputStream inputStream) {
+    return null;
+  }
+}
+
+class Miscellaneous {
+  @Consumes("") // $ ConsumesAnnotation
+  public static void miscellaneous() throws IOException {
+    Response.ResponseBuilder responseBuilder = Response.accepted(); // $ ResponseBuilderDeclaration
+    Response response = responseBuilder.build(); // $ ResponseDeclaration
+    Client client; // $ ClientDeclaration
+    MessageBodyReader<String> messageBodyReader = null; // $ MessageBodyReaderDeclaration
+    messageBodyReader.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadFromCall MessageBodyReaderReadCall
+    CustomUnmarshaller customUnmarshaller = null;
+    customUnmarshaller.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadCall
+  }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.expected b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
new file mode 100644
index 00000000000..eecc3e444c9
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
@@ -0,0 +1,410 @@
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.ws.rs.core.AbstractMultivaluedMap;
+import javax.ws.rs.core.CacheControl;
+import javax.ws.rs.core.Cookie;
+import javax.ws.rs.core.EntityTag;
+import javax.ws.rs.core.Form;
+import javax.ws.rs.core.GenericEntity;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Link;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedHashMap;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.NewCookie;
+import javax.ws.rs.core.PathSegment;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
+import javax.ws.rs.core.UriInfo;
+import javax.ws.rs.core.Variant;
+
+public class JaxRsFlow {
+  String taint() { return "tainted"; }
+
+  private static class ResponseSource {
+    static Response taint() { return null; }
+  }
+
+  private static class ResponseBuilderSource {
+    static Response.ResponseBuilder taint() { return Response.noContent(); }
+  }
+
+  private static class IntSource {
+    static int taint() { return 0; }
+  }
+
+  private static class BooleanSource {
+    static boolean taint() { return false; }
+  }
+
+  private static class DateSource {
+    static Date taint() { return null; }
+  }
+
+  private static class SetStringSource {
+    static Set<String> taint() { return new HashSet<String>(); }
+  }
+
+  static HttpHeaders taint(HttpHeaders h) { return h; }
+
+  static PathSegment taint(PathSegment ps) { return ps; }
+
+  static UriInfo taint(UriInfo ui) { return ui; }
+  
+  static Map taint(Map m) { return m; }
+  
+  static Link taint(Link l) { return l; }
+  
+  static Class taint(Class c) { return c; }
+
+  private static class UriSource {
+    static URI taint() throws Exception { return new URI(""); }
+  }
+
+  void sink(Object o) {}
+
+  void testResponse() {
+    sink(Response.accepted(taint())); // $ hasTaintFlow
+    sink(Response.fromResponse(ResponseSource.taint())); // $ hasTaintFlow
+    sink(Response.ok(taint())); // $ hasTaintFlow
+    sink(Response.ok(taint(), new MediaType())); // $ hasTaintFlow
+    sink(Response.ok(taint(), "type")); // $ hasTaintFlow
+    sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $ hasTaintFlow
+  }
+
+  void testResponseBuilder(MultivaluedMap<String,Object> multivaluedMap, List<Variant> list) throws Exception {
+    sink(ResponseBuilderSource.taint().build()); // $ hasTaintFlow
+    sink(Response.noContent().entity(taint())); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().allow(new HashSet<String>())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().clone()); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cookie()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().encoding("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().entity("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().expires(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().header("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().language("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().lastModified(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().links()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().location(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().status(400)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().type("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants(list)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants()); // $ hasValueFlow
+  }
+
+  void testHttpHeaders(HttpHeaders h) {
+    sink(taint(h).getAcceptableLanguages()); // $ hasTaintFlow
+    sink(taint(h).getAcceptableMediaTypes()); // $ hasTaintFlow
+    sink(taint(h).getCookies()); // $ hasTaintFlow
+    sink(taint(h).getHeaderString("")); // $ hasTaintFlow
+    sink(taint(h).getLanguage()); // $ hasTaintFlow
+    sink(taint(h).getMediaType()); // $ hasTaintFlow
+    sink(taint(h).getRequestHeader("")); // $ hasTaintFlow
+    sink(taint(h).getRequestHeaders()); // $ hasTaintFlow
+  }
+
+  void testMultivaluedMapAdd(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.add(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.add("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddAll(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2, MultivaluedMap<String, String> mm3) {
+    mm1.addAll(taint(), "a", "b");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    List<String> l = new ArrayList<String>();
+    l.add(taint());
+    mm2.addAll("key", l);
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    mm3.addAll("key", "a", taint());
+    sink(mm3.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddFirst(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.addFirst(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.addFirst("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    sink(mm2.getFirst("key")); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapputSingle(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.putSingle(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.putSingle("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  class MyAbstractMultivaluedMap<K, V> extends AbstractMultivaluedMap<K, V> {
+    public MyAbstractMultivaluedMap(Map<K, List<V>> map) {
+        super(map);
+    }
+  }
+
+  void testAbstractMultivaluedMap(Map<String, List<String>> map1, Map<String, List<String>> map2, List<String> list) {
+    map1.put(taint(), list);
+    AbstractMultivaluedMap<String, String> amm1 = new MyAbstractMultivaluedMap<String, String>(map1);
+    sink(amm1.keySet().iterator().next()); // $  MISSING: hasValueFlow
+
+    list.add(taint());
+    map2.put("key", list);
+    AbstractMultivaluedMap<String, String> amm2 = new MyAbstractMultivaluedMap<String, String>(map2);
+    sink(amm2.get("key").get(0)); // $  MISSING: hasValueFlow SPURIOUS: hasTaintFlow
+  }
+
+  void testMultivaluedHashMap(Map<String, String> map1, Map<String, String> map2,
+      MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    map1.put(taint(), "value");
+    MultivaluedHashMap<String, String> mhm1 = new MultivaluedHashMap<String, String>(map1);
+    sink(mhm1.keySet().iterator().next()); // $ hasValueFlow
+
+    map2.put("key", taint());
+    MultivaluedHashMap<String, String> mhm2 = new MultivaluedHashMap<String, String>(map2);
+    sink(mhm2.get("key").get(0)); // $ hasValueFlow
+
+    mm1.add(taint(), "value");
+    MultivaluedHashMap<String, String> mhm3 = new MultivaluedHashMap<String, String>(mm1);
+    sink(mhm3.keySet().iterator().next()); // $ hasValueFlow
+
+    mm2.add("key", taint());
+    MultivaluedHashMap<String, String> mhm4 = new MultivaluedHashMap<String, String>(mm2);
+    sink(mhm4.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testPathSegment(PathSegment ps1, PathSegment ps2) {
+    sink(taint(ps1).getMatrixParameters()); // $ hasTaintFlow
+    sink(taint(ps2).getPath()); // $ hasTaintFlow
+  }
+
+  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
+    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
+    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  }
+
+  void testCookie() {
+    sink(new Cookie(taint(), "", "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint(), 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", "", IntSource.taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "", "", "")); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "")); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getDomain()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getName()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getPath()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getValue()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getVersion()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).toString()); // $ hasTaintFlow
+  }
+
+  void testNewCookie() {
+    sink(new NewCookie(Cookie.valueOf(taint()))); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "")); // $ hasTaintFlow
+    sink(new NewCookie("", taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(NewCookie.valueOf(taint()).getComment()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getExpiry()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getMaxAge()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).toCookie()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testForm(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    sink(new Form(taint(), "")); // $ hasTaintFlow
+    sink(new Form("", taint())); // $ hasTaintFlow
+    mm1.add(taint(), "value");
+    sink(new Form(mm1)); // $ hasTaintFlow
+    mm2.add("key", taint());
+    sink(new Form(mm2)); // $ hasTaintFlow
+    Form f1 = new Form(taint(), "");
+    sink(f1.asMap()); // $ hasTaintFlow
+    Form f2 = new Form();
+    sink(f2.param(taint(), "b")); // $ hasTaintFlow
+    Form f3 = new Form();
+    sink(f3.param("a", taint())); // $ hasTaintFlow
+    Form f4 = new Form(taint(), "");
+    sink(f4.param("a", "b")); // $ hasTaintFlow
+  }
+
+  void testGenericEntity() {
+    Method m = Dummy.class.getMethods()[0];
+    GenericEntity<Set<String>> ge = new GenericEntity<Set<String>>(SetStringSource.taint(), m.getGenericReturnType());
+    sink(ge); // $ hasTaintFlow
+    sink(ge.getEntity()); // $ hasTaintFlow
+  }
+
+  void testMediaType(Map<String, String> m) {
+    sink(new MediaType(taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", taint())); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", m)); // $ hasTaintFlow
+    sink(new MediaType("", taint(), m)); // $ hasTaintFlow
+    sink(new MediaType("", "", taint(m))); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", "")); // $ hasTaintFlow
+    sink(new MediaType("", taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", "", taint())); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getParameters()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getSubtype()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getType()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testUriBuilder() throws Exception {
+    sink(UriBuilder.fromPath("").build(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build(taint(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("", false)); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap<String, String>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
+    
+    sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow
+    sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromUri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").host(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).host("")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(taint(Dummy.class))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(Dummy.class, taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).path(Dummy.class)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replacePath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replacePath("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQuery(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap<String, Object>())); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").scheme(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).scheme("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).segment("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).toTemplate()); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").uri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").userInfo(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).userInfo("")); // $ hasTaintFlow
+  }
+}
+
+class Dummy {
+  private static Set<String> foo() { return null; }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
new file mode 100644
index 00000000000..d3b1db90764
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql
@@ -0,0 +1,50 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:frameworks:jax-rs-taint" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:frameworks:jax-rs-value" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasTaintFlow", "hasValueFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
+      not any(ValueFlowConf vconf).hasFlow(src, sink) and
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.expected b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java
new file mode 100644
index 00000000000..511508cd774
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java
@@ -0,0 +1,44 @@
+import javax.jws.WebMethod;
+import javax.jws.WebService;
+import javax.xml.ws.WebEndpoint;
+import javax.xml.ws.WebServiceClient;
+import javax.xml.ws.WebServiceProvider;
+
+@WebService
+class WebServiceClass { // $ JaxWsEndpoint
+
+  @WebMethod
+  void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+  @WebEndpoint
+  void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+}
+
+@WebServiceProvider
+class WebServiceProviderClass { // $ JaxWsEndpoint
+
+  @WebMethod
+  void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+  @WebEndpoint
+  void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+}
+
+@WebServiceClient
+class WebServiceClientClass { // $ JaxWsEndpoint
+
+  @WebMethod
+  void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+  @WebEndpoint
+  void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql
new file mode 100644
index 00000000000..6ebd597bb0a
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql
@@ -0,0 +1,27 @@
+import java
+import semmle.code.java.frameworks.JaxWS
+import TestUtilities.InlineExpectationsTest
+
+class JaxWsEndpointTest extends InlineExpectationsTest {
+  JaxWsEndpointTest() { this = "JaxWsEndpointTest" }
+
+  override string getARelevantTag() { result = ["JaxWsEndpoint", "JaxWsEndpointRemoteMethod"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "JaxWsEndpoint" and
+    exists(JaxWsEndpoint jaxWsEndpoint |
+      jaxWsEndpoint.getLocation() = location and
+      element = jaxWsEndpoint.toString() and
+      value = ""
+    )
+    or
+    tag = "JaxWsEndpointRemoteMethod" and
+    exists(Callable remoteMethod |
+      remoteMethod = any(JaxWsEndpoint jaxWsEndpoint).getARemoteMethod()
+    |
+      remoteMethod.getLocation() = location and
+      element = remoteMethod.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected
new file mode 100644
index 00000000000..a3557062441
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected
@@ -0,0 +1,19 @@
+edges
+| UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJakarta.java:10:24:10:62 | new URI(...) |
+| UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJakarta.java:13:33:13:71 | new URI(...) |
+| UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJax.java:10:24:10:62 | new URI(...) |
+| UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJax.java:13:33:13:71 | new URI(...) |
+nodes
+| UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UrlRedirectJax.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UrlRedirectJax.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+#select
+| UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) | user-provided value |
+| UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) | user-provided value |
+| UrlRedirectJax.java:10:24:10:62 | new URI(...) | UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJax.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJax.java:10:32:10:61 | getParameter(...) | user-provided value |
+| UrlRedirectJax.java:13:33:13:71 | new URI(...) | UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJax.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJax.java:13:41:13:70 | getParameter(...) | user-provided value |
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref
new file mode 100644
index 00000000000..b4772fb438f
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-601/UrlRedirect.ql
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java
new file mode 100644
index 00000000000..897ee7890bd
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java
@@ -0,0 +1,15 @@
+import java.io.IOException;
+import java.net.URI;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.core.Response;
+
+public class UrlRedirectJakarta extends HttpServlet {
+	protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception {
+		// BAD
+		jaxResponse.seeOther(new URI(request.getParameter("target")));
+
+		// BAD
+		jaxResponse.temporaryRedirect(new URI(request.getParameter("target")));
+	}
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java
new file mode 100644
index 00000000000..4ba3d1f1331
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java
@@ -0,0 +1,15 @@
+import java.io.IOException;
+import java.net.URI;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.Response;
+
+public class UrlRedirectJax extends HttpServlet {
+	protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception {
+		// BAD
+		jaxResponse.seeOther(new URI(request.getParameter("target")));
+
+		// BAD
+		jaxResponse.temporaryRedirect(new URI(request.getParameter("target")));
+	}
+}
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/options b/java/ql/test/library-tests/frameworks/JaxWs/options
new file mode 100644
index 00000000000..a2050069049
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/JaxWs/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/servlet-api-2.4
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/PairTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/PairTest.java
new file mode 100644
index 00000000000..6db15beb181
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/PairTest.java
@@ -0,0 +1,150 @@
+import org.apache.commons.lang3.tuple.Pair;
+import org.apache.commons.lang3.tuple.ImmutablePair;
+import org.apache.commons.lang3.tuple.MutablePair;
+
+class PairTest {
+    String taint() { return "tainted"; }
+
+    private static class IntSource {
+      static int taint() { return 0; }
+    }
+
+    void sink(Object o) {}
+
+    void test() throws Exception {
+
+      ImmutablePair<String, String> taintedLeft = ImmutablePair.of(taint(), "clean-right");
+      ImmutablePair<String, String> taintedRight = ImmutablePair.of("clean-left", taint());
+      Pair<String, String> taintedLeft2_ = ImmutablePair.left(taint());
+      ImmutablePair<String, String> taintedLeft2 = (ImmutablePair)taintedLeft2_;
+      Pair<String, String> taintedRight2_ = ImmutablePair.right(taint());
+      ImmutablePair<String, String> taintedRight2 = (ImmutablePair)taintedRight2_;
+      Pair<String, String> taintedLeft3 = Pair.of(taint(), "clean-right");
+      Pair<String, String> taintedRight3 = Pair.of("clean-left", taint());
+      ImmutablePair<String, String> taintedLeft4 = new ImmutablePair(taint(), "clean-right");
+      ImmutablePair<String, String> taintedRight4 = new ImmutablePair("clean-left", taint());
+
+      // Check flow through ImmutablePairs:
+      sink(taintedLeft.getLeft()); // $hasValueFlow
+      sink(taintedLeft.getRight());
+      sink(taintedLeft.getKey()); // $hasValueFlow
+      sink(taintedLeft.getValue());
+      sink(taintedLeft.left); // $hasValueFlow
+      sink(taintedLeft.right);
+      sink(taintedRight.getLeft());
+      sink(taintedRight.getRight()); // $hasValueFlow
+      sink(taintedRight.getKey());
+      sink(taintedRight.getValue()); // $hasValueFlow
+      sink(taintedRight.left);
+      sink(taintedRight.right); // $hasValueFlow
+      sink(taintedLeft2.getLeft()); // $hasValueFlow
+      sink(taintedLeft2.getRight());
+      sink(taintedLeft2.getKey()); // $hasValueFlow
+      sink(taintedLeft2.getValue());
+      sink(taintedLeft2.left); // $hasValueFlow
+      sink(taintedLeft2.right);
+      sink(taintedRight2.getLeft());
+      sink(taintedRight2.getRight()); // $hasValueFlow
+      sink(taintedRight2.getKey());
+      sink(taintedRight2.getValue()); // $hasValueFlow
+      sink(taintedRight2.left);
+      sink(taintedRight2.right); // $hasValueFlow
+      sink(taintedLeft3.getLeft()); // $hasValueFlow
+      sink(taintedLeft3.getRight());
+      sink(taintedLeft3.getKey()); // $hasValueFlow
+      sink(taintedLeft3.getValue());
+      sink(taintedRight3.getLeft());
+      sink(taintedRight3.getRight()); // $hasValueFlow
+      sink(taintedRight3.getKey());
+      sink(taintedRight3.getValue()); // $hasValueFlow
+      sink(taintedLeft4.getLeft()); // $hasValueFlow
+      sink(taintedLeft4.getRight());
+      sink(taintedLeft4.getKey()); // $hasValueFlow
+      sink(taintedLeft4.getValue());
+      sink(taintedLeft4.left); // $hasValueFlow
+      sink(taintedLeft4.right);
+      sink(taintedRight4.getLeft());
+      sink(taintedRight4.getRight()); // $hasValueFlow
+      sink(taintedRight4.getKey());
+      sink(taintedRight4.getValue()); // $hasValueFlow
+      sink(taintedRight4.left);
+      sink(taintedRight4.right); // $hasValueFlow
+
+      // Check flow also works via an alias of type Pair:
+      sink(taintedLeft2_.getLeft()); // $hasValueFlow
+      sink(taintedLeft2_.getRight());
+      sink(taintedLeft2_.getKey()); // $hasValueFlow
+      sink(taintedLeft2_.getValue());
+      sink(taintedRight2_.getLeft());
+      sink(taintedRight2_.getRight()); // $hasValueFlow
+      sink(taintedRight2_.getKey());
+      sink(taintedRight2_.getValue()); // $hasValueFlow
+
+      // Check flow through MutablePairs:
+      MutablePair<String, String> taintedLeftMutable = MutablePair.of(taint(), "clean-right");
+      MutablePair<String, String> taintedRightMutable = MutablePair.of("clean-left", taint());
+      MutablePair<String, String> setTaintLeft = MutablePair.of("clean-left", "clean-right");
+      setTaintLeft.setLeft(taint());
+      MutablePair<String, String> setTaintRight = MutablePair.of("clean-left", "clean-right");
+      setTaintRight.setRight(taint());
+      MutablePair<String, String> setTaintValue = MutablePair.of("clean-left", "clean-right");
+      setTaintValue.setValue(taint());
+      MutablePair<String, String> taintedLeftMutableConstructed = new MutablePair(taint(), "clean-right");
+      MutablePair<String, String> taintedRightMutableConstructed = new MutablePair("clean-left", taint());
+
+      sink(taintedLeftMutable.getLeft()); // $hasValueFlow
+      sink(taintedLeftMutable.getRight());
+      sink(taintedLeftMutable.getKey()); // $hasValueFlow
+      sink(taintedLeftMutable.getValue());
+      sink(taintedLeftMutable.left); // $hasValueFlow
+      sink(taintedLeftMutable.right);
+      sink(taintedRightMutable.getLeft());
+      sink(taintedRightMutable.getRight()); // $hasValueFlow
+      sink(taintedRightMutable.getKey());
+      sink(taintedRightMutable.getValue()); // $hasValueFlow
+      sink(taintedRightMutable.left);
+      sink(taintedRightMutable.right); // $hasValueFlow
+      sink(setTaintLeft.getLeft()); // $hasValueFlow
+      sink(setTaintLeft.getRight());
+      sink(setTaintLeft.getKey()); // $hasValueFlow
+      sink(setTaintLeft.getValue());
+      sink(setTaintLeft.left); // $hasValueFlow
+      sink(setTaintLeft.right);
+      sink(setTaintRight.getLeft());
+      sink(setTaintRight.getRight()); // $hasValueFlow
+      sink(setTaintRight.getKey());
+      sink(setTaintRight.getValue()); // $hasValueFlow
+      sink(setTaintRight.left);
+      sink(setTaintRight.right); // $hasValueFlow
+      sink(setTaintValue.getLeft());
+      sink(setTaintValue.getRight()); // $hasValueFlow
+      sink(setTaintValue.getKey());
+      sink(setTaintValue.getValue()); // $hasValueFlow
+      sink(setTaintValue.left);
+      sink(setTaintValue.right); // $hasValueFlow
+      sink(taintedLeftMutableConstructed.getLeft()); // $hasValueFlow
+      sink(taintedLeftMutableConstructed.getRight());
+      sink(taintedLeftMutableConstructed.getKey()); // $hasValueFlow
+      sink(taintedLeftMutableConstructed.getValue());
+      sink(taintedLeftMutableConstructed.left); // $hasValueFlow
+      sink(taintedLeftMutableConstructed.right);
+      sink(taintedRightMutableConstructed.getLeft());
+      sink(taintedRightMutableConstructed.getRight()); // $hasValueFlow
+      sink(taintedRightMutableConstructed.getKey());
+      sink(taintedRightMutableConstructed.getValue()); // $hasValueFlow
+      sink(taintedRightMutableConstructed.left);
+      sink(taintedRightMutableConstructed.right); // $hasValueFlow
+
+      // Check flow also works via an alias of type Pair:
+      Pair<String, String> taintedLeftMutableAlias = taintedLeftMutable;
+      Pair<String, String> taintedRightMutableAlias = taintedRightMutable;
+      sink(taintedLeftMutableAlias.getLeft()); // $hasValueFlow
+      sink(taintedLeftMutableAlias.getRight());
+      sink(taintedLeftMutableAlias.getKey()); // $hasValueFlow
+      sink(taintedLeftMutableAlias.getValue());
+      sink(taintedRightMutableAlias.getLeft());
+      sink(taintedRightMutableAlias.getRight()); // $hasValueFlow
+      sink(taintedRightMutableAlias.getKey());
+      sink(taintedRightMutableAlias.getValue()); // $hasValueFlow
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/TripleTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/TripleTest.java
new file mode 100644
index 00000000000..b6f9c53cc7e
--- /dev/null
+++ b/java/ql/test/library-tests/frameworks/apache-commons-lang3/TripleTest.java
@@ -0,0 +1,181 @@
+import org.apache.commons.lang3.tuple.Triple;
+import org.apache.commons.lang3.tuple.ImmutableTriple;
+import org.apache.commons.lang3.tuple.MutableTriple;
+
+class TripleTest {
+    String taint() { return "tainted"; }
+
+    private static class IntSource {
+      static int taint() { return 0; }
+    }
+
+    void sink(Object o) {}
+
+    void test() throws Exception {
+
+      ImmutableTriple<String, String, String> taintedLeft = ImmutableTriple.of(taint(), "clean-middle", "clean-right");
+      ImmutableTriple<String, String, String> taintedMiddle = ImmutableTriple.of("clean-left", taint(), "clean-right");
+      ImmutableTriple<String, String, String> taintedRight = ImmutableTriple.of("clean-left", "clean-middle", taint());
+
+      // Check flow through ImmutableTriples:
+      sink(taintedLeft.getLeft()); // $hasValueFlow
+      sink(taintedLeft.getMiddle());
+      sink(taintedLeft.getRight());
+      sink(taintedLeft.left); // $hasValueFlow
+      sink(taintedLeft.middle);
+      sink(taintedLeft.right);
+      sink(taintedMiddle.getLeft());
+      sink(taintedMiddle.getMiddle()); // $hasValueFlow
+      sink(taintedMiddle.getRight());
+      sink(taintedMiddle.left);
+      sink(taintedMiddle.middle); // $hasValueFlow
+      sink(taintedMiddle.right);
+      sink(taintedRight.getLeft());
+      sink(taintedRight.getMiddle());
+      sink(taintedRight.getRight()); // $hasValueFlow
+      sink(taintedRight.left);
+      sink(taintedRight.middle);
+      sink(taintedRight.right); // $hasValueFlow
+
+      Triple<String, String, String> taintedLeft2 = taintedLeft;
+      Triple<String, String, String> taintedMiddle2 = taintedMiddle;
+      Triple<String, String, String> taintedRight2 = taintedRight;
+
+      // Check flow also works via an alias of type Triple:
+      sink(taintedLeft2.getLeft()); // $hasValueFlow
+      sink(taintedLeft2.getMiddle());
+      sink(taintedLeft2.getRight());
+      sink(taintedMiddle2.getLeft());
+      sink(taintedMiddle2.getMiddle()); // $hasValueFlow
+      sink(taintedMiddle2.getRight());
+      sink(taintedRight2.getLeft());
+      sink(taintedRight2.getMiddle());
+      sink(taintedRight2.getRight()); // $hasValueFlow
+
+      // Check flow via Triple.of:
+      Triple<String, String, String> taintedLeft3 = Triple.of(taint(), "clean-middle", "clean-right");
+      Triple<String, String, String> taintedMiddle3 = Triple.of("clean-left", taint(), "clean-right");
+      Triple<String, String, String> taintedRight3 = Triple.of("clean-left", "clean-middle", taint());
+
+      sink(taintedLeft3.getLeft()); // $hasValueFlow
+      sink(taintedLeft3.getMiddle());
+      sink(taintedLeft3.getRight());
+      sink(taintedMiddle3.getLeft());
+      sink(taintedMiddle3.getMiddle()); // $hasValueFlow
+      sink(taintedMiddle3.getRight());
+      sink(taintedRight3.getLeft());
+      sink(taintedRight3.getMiddle());
+      sink(taintedRight3.getRight()); // $hasValueFlow
+
+      // Check flow via constructor:
+      ImmutableTriple<String, String, String> taintedLeft4 = new ImmutableTriple(taint(), "clean-middle", "clean-right");
+      ImmutableTriple<String, String, String> taintedMiddle4 = new ImmutableTriple("clean-left", taint(), "clean-right");
+      ImmutableTriple<String, String, String> taintedRight4 = new ImmutableTriple("clean-left", "clean-middle", taint());
+
+      sink(taintedLeft4.getLeft()); // $hasValueFlow
+      sink(taintedLeft4.getMiddle());
+      sink(taintedLeft4.getRight());
+      sink(taintedMiddle4.getLeft());
+      sink(taintedMiddle4.getMiddle()); // $hasValueFlow
+      sink(taintedMiddle4.getRight());
+      sink(taintedRight4.getLeft());
+      sink(taintedRight4.getMiddle());
+      sink(taintedRight4.getRight()); // $hasValueFlow
+
+      MutableTriple<String, String, String> mutableTaintedLeft = MutableTriple.of(taint(), "clean-middle", "clean-right");
+      MutableTriple<String, String, String> mutableTaintedMiddle = MutableTriple.of("clean-left", taint(), "clean-right");
+      MutableTriple<String, String, String> mutableTaintedRight = MutableTriple.of("clean-left", "clean-middle", taint());
+      MutableTriple<String, String, String> setTaintedLeft = MutableTriple.of("clean-left", "clean-middle", "clean-right");
+      setTaintedLeft.setLeft(taint());
+      MutableTriple<String, String, String> setTaintedMiddle = MutableTriple.of("clean-left", "clean-middle", "clean-right");
+      setTaintedMiddle.setMiddle(taint());
+      MutableTriple<String, String, String> setTaintedRight = MutableTriple.of("clean-left", "clean-middle", "clean-right");
+      setTaintedRight.setRight(taint());
+      MutableTriple<String, String, String> mutableTaintedLeftConstructed = new MutableTriple(taint(), "clean-middle", "clean-right");
+      MutableTriple<String, String, String> mutableTaintedMiddleConstructed = new MutableTriple("clean-left", taint(), "clean-right");
+      MutableTriple<String, String, String> mutableTaintedRightConstructed = new MutableTriple("clean-left", "clean-middle", taint());
+
+      // Check flow through MutableTriples:
+      sink(mutableTaintedLeft.getLeft()); // $hasValueFlow
+      sink(mutableTaintedLeft.getMiddle());
+      sink(mutableTaintedLeft.getRight());
+      sink(mutableTaintedLeft.left); // $hasValueFlow
+      sink(mutableTaintedLeft.middle);
+      sink(mutableTaintedLeft.right);
+      sink(mutableTaintedMiddle.getLeft());
+      sink(mutableTaintedMiddle.getMiddle()); // $hasValueFlow
+      sink(mutableTaintedMiddle.getRight());
+      sink(mutableTaintedMiddle.left);
+      sink(mutableTaintedMiddle.middle); // $hasValueFlow
+      sink(mutableTaintedMiddle.right);
+      sink(mutableTaintedRight.getLeft());
+      sink(mutableTaintedRight.getMiddle());
+      sink(mutableTaintedRight.getRight()); // $hasValueFlow
+      sink(mutableTaintedRight.left);
+      sink(mutableTaintedRight.middle);
+      sink(mutableTaintedRight.right); // $hasValueFlow
+      sink(setTaintedLeft.getLeft()); // $hasValueFlow
+      sink(setTaintedLeft.getMiddle());
+      sink(setTaintedLeft.getRight());
+      sink(setTaintedLeft.left); // $hasValueFlow
+      sink(setTaintedLeft.middle);
+      sink(setTaintedLeft.right);
+      sink(setTaintedMiddle.getLeft());
+      sink(setTaintedMiddle.getMiddle()); // $hasValueFlow
+      sink(setTaintedMiddle.getRight());
+      sink(setTaintedMiddle.left);
+      sink(setTaintedMiddle.middle); // $hasValueFlow
+      sink(setTaintedMiddle.right);
+      sink(setTaintedRight.getLeft());
+      sink(setTaintedRight.getMiddle());
+      sink(setTaintedRight.getRight()); // $hasValueFlow
+      sink(setTaintedRight.left);
+      sink(setTaintedRight.middle);
+      sink(setTaintedRight.right); // $hasValueFlow
+      sink(mutableTaintedLeftConstructed.getLeft()); // $hasValueFlow
+      sink(mutableTaintedLeftConstructed.getMiddle());
+      sink(mutableTaintedLeftConstructed.getRight());
+      sink(mutableTaintedLeftConstructed.left); // $hasValueFlow
+      sink(mutableTaintedLeftConstructed.middle);
+      sink(mutableTaintedLeftConstructed.right);
+      sink(mutableTaintedMiddleConstructed.getLeft());
+      sink(mutableTaintedMiddleConstructed.getMiddle()); // $hasValueFlow
+      sink(mutableTaintedMiddleConstructed.getRight());
+      sink(mutableTaintedMiddleConstructed.left);
+      sink(mutableTaintedMiddleConstructed.middle); // $hasValueFlow
+      sink(mutableTaintedMiddleConstructed.right);
+      sink(mutableTaintedRightConstructed.getLeft());
+      sink(mutableTaintedRightConstructed.getMiddle());
+      sink(mutableTaintedRightConstructed.getRight()); // $hasValueFlow
+      sink(mutableTaintedRightConstructed.left);
+      sink(mutableTaintedRightConstructed.middle);
+      sink(mutableTaintedRightConstructed.right); // $hasValueFlow
+
+      Triple<String, String, String> mutableTaintedLeft2 = mutableTaintedLeft;
+      Triple<String, String, String> mutableTaintedMiddle2 = mutableTaintedMiddle;
+      Triple<String, String, String> mutableTaintedRight2 = mutableTaintedRight;
+      Triple<String, String, String> setTaintedLeft2 = setTaintedLeft;
+      Triple<String, String, String> setTaintedMiddle2 = setTaintedMiddle;
+      Triple<String, String, String> setTaintedRight2 = setTaintedRight;
+
+      // Check flow also works via an alias of type Triple:
+      sink(mutableTaintedLeft2.getLeft()); // $hasValueFlow
+      sink(mutableTaintedLeft2.getMiddle());
+      sink(mutableTaintedLeft2.getRight());
+      sink(mutableTaintedMiddle2.getLeft());
+      sink(mutableTaintedMiddle2.getMiddle()); // $hasValueFlow
+      sink(mutableTaintedMiddle2.getRight());
+      sink(mutableTaintedRight2.getLeft());
+      sink(mutableTaintedRight2.getMiddle());
+      sink(mutableTaintedRight2.getRight()); // $hasValueFlow
+      sink(setTaintedLeft2.getLeft()); // $hasValueFlow
+      sink(setTaintedLeft2.getMiddle());
+      sink(setTaintedLeft2.getRight());
+      sink(setTaintedMiddle2.getLeft());
+      sink(setTaintedMiddle2.getMiddle()); // $hasValueFlow
+      sink(setTaintedMiddle2.getRight());
+      sink(setTaintedRight2.getLeft());
+      sink(setTaintedRight2.getMiddle());
+      sink(setTaintedRight2.getRight()); // $hasValueFlow
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected
new file mode 100644
index 00000000000..35595b1bfc3
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected
@@ -0,0 +1,19 @@
+edges
+| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u |
+| HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u |
+| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u |
+| HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u |
+nodes
+| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | semmle.label | "http://" : String |
+| HttpsUrlsTest.java:28:50:28:50 | u | semmle.label | u |
+| HttpsUrlsTest.java:36:23:36:28 | "http" : String | semmle.label | "http" : String |
+| HttpsUrlsTest.java:41:50:41:50 | u | semmle.label | u |
+| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | semmle.label | "http://" : String |
+| HttpsUrlsTest.java:55:50:55:50 | u | semmle.label | u |
+| HttpsUrlsTest.java:87:23:87:28 | "http" : String | semmle.label | "http" : String |
+| HttpsUrlsTest.java:92:50:92:50 | u | semmle.label | u |
+#select
+| HttpsUrlsTest.java:28:50:28:67 | openConnection(...) | HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:23:23:23:31 | "http://" | this source |
+| HttpsUrlsTest.java:41:50:41:67 | openConnection(...) | HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:36:23:36:28 | "http" | this source |
+| HttpsUrlsTest.java:55:50:55:67 | openConnection(...) | HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:49:23:49:31 | "http://" | this source |
+| HttpsUrlsTest.java:92:50:92:67 | openConnection(...) | HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u | URL may have been constructed with HTTP protocol, using $@. | HttpsUrlsTest.java:87:23:87:28 | "http" | this source |
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref
new file mode 100644
index 00000000000..bd936a400c0
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-319/HttpsUrls.ql
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java
new file mode 100644
index 00000000000..900718904d2
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java
@@ -0,0 +1,119 @@
+// Semmle test case for CWE-319: Cleartext Transmission of Sensitive Data
+// http://cwe.mitre.org/data/definitions/319.html
+package test.cwe319.cwe.examples;
+
+import java.net.URL;
+import java.io.*;
+import java.rmi.*;
+import java.rmi.server.*;
+import java.rmi.registry.*;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.rmi.ssl.*;
+
+interface Hello extends java.rmi.Remote {
+	String sayHello() throws java.rmi.RemoteException;
+}
+
+class HelloImpl implements Hello {
+	public static void main(String[] args) {
+		try {	
+			// HttpsUrls
+			{
+				String protocol = "http://";
+				URL u = new URL(protocol + "www.secret.example.org/");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// BAD: this will give a ClassCastException at runtime, as the
+				// http URL cannot be used to make an HttpsURLConnection
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "http";
+				URL u = new URL(protocol, "www.secret.example.org", "foo");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// BAD: this will give a ClassCastException at runtime, as the
+				// http URL cannot be used to make an HttpsURLConnection
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "http://";
+				// the second URL overwrites the first, as it has a protocol
+				URL u = new URL(new URL("https://www.secret.example.org"), protocol + "www.secret.example.org");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// BAD: this will give a ClassCastException at runtime, as the
+				// http URL cannot be used to make an HttpsURLConnection
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "https://";
+				URL u = new URL(protocol + "www.secret.example.org/");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// GOOD: open connection to URL using HTTPS
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "https";
+				URL u = new URL(protocol, "www.secret.example.org", "foo");
+				// using HttpsURLConnections to enforce SSL is desirable
+				// GOOD: open connection to URL using HTTPS
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String protocol = "http";
+				URL u = new URL(protocol, "internal-url", "foo");
+				// FALSE POSITIVE: the query has no way of knowing whether the url will
+				// resolve to somewhere outside the internal network, where there
+				// are unlikely to be interception attempts
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+			
+			{
+				String input = "URL is: http://www.secret-example.org";
+				String url = input.substring(8);
+				URL u = new URL(url);
+				// FALSE NEGATIVE: we cannot tell that the substring results in a url
+				// string
+				HttpsURLConnection hu = (HttpsURLConnection) u.openConnection();
+				hu.setRequestMethod("PUT");
+				hu.connect();
+				OutputStream os = hu.getOutputStream();
+				hu.disconnect();
+			}
+		} catch (Exception e) {
+			// fail
+		}
+	}
+
+	public String sayHello() {
+		return "Hello";
+	}
+}
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
index d7769378f72..40f76e3bb10 100644
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.expected
@@ -1 +1 @@
-| Test.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |
+| UseSSLTest.java:11:15:11:41 | getInputStream(...) | Stream using vulnerable non-SSL connection. |
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java
similarity index 95%
rename from java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
rename to java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java
index 9e2f3f923e8..b6ff8b57fbf 100644
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/Test.java
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java
@@ -2,7 +2,7 @@ import java.net.HttpURLConnection;
 import javax.net.ssl.HttpsURLConnection;
 import java.io.*;
 
-class Test {
+class UseSSLTest {
   public void m1(HttpURLConnection connection) throws java.io.IOException {
     InputStream input;
     if (connection instanceof HttpsURLConnection) {
diff --git a/java/ql/test/query-tests/security/CWE-502/C.java b/java/ql/test/query-tests/security/CWE-502/C.java
new file mode 100644
index 00000000000..bae0ca8ceae
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-502/C.java
@@ -0,0 +1,114 @@
+import java.util.HashMap;
+import java.io.StringReader;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import com.cedarsoftware.util.io.JsonReader;
+import com.esotericsoftware.yamlbeans.YamlReader;
+import org.ho.yaml.Yaml;
+import org.ho.yaml.YamlConfig;
+import org.exolab.castor.xml.Unmarshaller;
+import com.caucho.hessian.io.Hessian2Input;
+import com.caucho.hessian.io.HessianInput;
+import com.caucho.burlap.io.BurlapInput;
+import com.caucho.hessian.io.Hessian2Input;
+import com.caucho.hessian.io.HessianInput;
+import java.io.ByteArrayInputStream;
+
+@Controller
+public class C {
+
+	@GetMapping(value = "jyaml")
+	public void bad1(HttpServletRequest request) throws Exception {
+		String data = request.getParameter("data");
+		Yaml.load(data);  //bad
+		Yaml.loadStream(data);  //bad
+		Yaml.loadStreamOfType(data, Object.class);  //bad
+		Yaml.loadType(data, Object.class);  //bad
+
+		org.ho.yaml.YamlConfig yamlConfig = new YamlConfig();
+		yamlConfig.load(data);  //bad
+		yamlConfig.loadStream(data);  //bad
+		yamlConfig.loadStreamOfType(data, Object.class);  //bad
+		yamlConfig.loadType(data, Object.class);  //bad
+	}
+
+	@GetMapping(value = "jsonio")
+	public void bad2(HttpServletRequest request) {
+		String data = request.getParameter("data");
+
+		HashMap hashMap = new HashMap();
+		hashMap.put("USE_MAPS", true);
+
+		JsonReader.jsonToJava(data); //bad
+
+		JsonReader jr = new JsonReader(data, null); //bad
+		jr.readObject();
+	}
+
+	@GetMapping(value = "yamlbeans")
+	public void bad3(HttpServletRequest request) throws Exception {
+		String data = request.getParameter("data");
+		YamlReader r = new YamlReader(data);
+		r.read(); //bad
+		r.read(Object.class); //bad
+		r.read(Object.class, Object.class); //bad
+	}
+
+        @GetMapping(value = "hessian")
+	public void bad4(HttpServletRequest request) throws Exception {
+		byte[] bytes = request.getParameter("data").getBytes();
+		ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
+		HessianInput hessianInput = new HessianInput(bis);
+		hessianInput.readObject(); //bad
+		hessianInput.readObject(Object.class); //bad
+	}
+
+	@GetMapping(value = "hessian2")
+	public void bad5(HttpServletRequest request) throws Exception {
+		byte[] bytes = request.getParameter("data").getBytes();
+		ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
+		Hessian2Input hessianInput = new Hessian2Input(bis);
+		hessianInput.readObject(); //bad
+		hessianInput.readObject(Object.class); //bad
+	}
+
+    @GetMapping(value = "castor")
+	public void bad6(HttpServletRequest request) throws Exception {
+		Unmarshaller unmarshaller = new Unmarshaller();
+		unmarshaller.unmarshal(new StringReader(request.getParameter("data"))); //bad
+	}
+
+    @GetMapping(value = "burlap")
+	public void bad7(HttpServletRequest request) throws Exception {
+		byte[] serializedData = request.getParameter("data").getBytes();
+		ByteArrayInputStream is = new ByteArrayInputStream(serializedData);
+		BurlapInput burlapInput = new BurlapInput(is);
+		burlapInput.readObject(); //bad
+
+        BurlapInput burlapInput1 = new BurlapInput();
+		burlapInput1.init(is);
+		burlapInput1.readObject(); //bad
+	}
+
+	@GetMapping(value = "jsonio1")
+	public void good1(HttpServletRequest request) {
+		String data = request.getParameter("data");
+
+		HashMap hashMap = new HashMap();
+		hashMap.put("USE_MAPS", true);
+
+		JsonReader.jsonToJava(data, hashMap); //good
+	}
+
+	@GetMapping(value = "jsonio2")
+	public void good2(HttpServletRequest request) {
+		String data = request.getParameter("data");
+
+		HashMap hashMap = new HashMap();
+		hashMap.put("USE_MAPS", true);
+
+		JsonReader jr1 = new JsonReader(data, hashMap); //good
+		jr1.readObject();
+	}
+}
diff --git a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
index 2af8369c111..7b02131cd73 100644
--- a/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
+++ b/java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected
@@ -48,6 +48,38 @@ edges
 | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:29:5:29:15 | inputStream : InputStream |
 | B.java:29:5:29:15 | inputStream : InputStream | B.java:29:22:29:26 | bytes [post update] : byte[] |
 | B.java:29:22:29:26 | bytes [post update] : byte[] | B.java:31:23:31:23 | s |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data |
+| C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data |
+| C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data |
+| C.java:38:17:38:44 | getParameter(...) : String | C.java:46:3:46:4 | jr |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r |
+| C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:61:55:61:59 | bytes : byte[] |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput |
+| C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:63:3:63:14 | hessianInput |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:64:3:64:14 | hessianInput |
+| C.java:61:55:61:59 | bytes : byte[] | C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:70:55:70:59 | bytes : byte[] |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput |
+| C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:72:3:72:14 | hessianInput |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:73:3:73:14 | hessianInput |
+| C.java:70:55:70:59 | bytes : byte[] | C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:85:54:85:67 | serializedData : byte[] |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput |
+| C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:87:3:87:13 | burlapInput |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | C.java:91:3:91:14 | burlapInput1 |
+| C.java:85:54:85:67 | serializedData : byte[] | C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream |
 | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) |
@@ -111,6 +143,39 @@ nodes
 | B.java:29:5:29:15 | inputStream : InputStream | semmle.label | inputStream : InputStream |
 | B.java:29:22:29:26 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
 | B.java:31:23:31:23 | s | semmle.label | s |
+| C.java:23:17:23:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:24:13:24:16 | data | semmle.label | data |
+| C.java:25:19:25:22 | data | semmle.label | data |
+| C.java:26:25:26:28 | data | semmle.label | data |
+| C.java:27:17:27:20 | data | semmle.label | data |
+| C.java:30:19:30:22 | data | semmle.label | data |
+| C.java:31:25:31:28 | data | semmle.label | data |
+| C.java:32:31:32:34 | data | semmle.label | data |
+| C.java:33:23:33:26 | data | semmle.label | data |
+| C.java:38:17:38:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:43:25:43:28 | data | semmle.label | data |
+| C.java:46:3:46:4 | jr | semmle.label | jr |
+| C.java:51:17:51:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:53:3:53:3 | r | semmle.label | r |
+| C.java:54:3:54:3 | r | semmle.label | r |
+| C.java:55:3:55:3 | r | semmle.label | r |
+| C.java:60:18:60:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:61:30:61:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:61:55:61:59 | bytes : byte[] | semmle.label | bytes : byte[] |
+| C.java:63:3:63:14 | hessianInput | semmle.label | hessianInput |
+| C.java:64:3:64:14 | hessianInput | semmle.label | hessianInput |
+| C.java:69:18:69:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:70:30:70:60 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:70:55:70:59 | bytes : byte[] | semmle.label | bytes : byte[] |
+| C.java:72:3:72:14 | hessianInput | semmle.label | hessianInput |
+| C.java:73:3:73:14 | hessianInput | semmle.label | hessianInput |
+| C.java:79:26:79:71 | new StringReader(...) | semmle.label | new StringReader(...) |
+| C.java:79:43:79:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:84:27:84:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| C.java:85:29:85:68 | new ByteArrayInputStream(...) : ByteArrayInputStream | semmle.label | new ByteArrayInputStream(...) : ByteArrayInputStream |
+| C.java:85:54:85:67 | serializedData : byte[] | semmle.label | serializedData : byte[] |
+| C.java:87:3:87:13 | burlapInput | semmle.label | burlapInput |
+| C.java:91:3:91:14 | burlapInput1 | semmle.label | burlapInput1 |
 | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | semmle.label | entityStream : InputStream |
 | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | semmle.label | new ObjectInputStream(...) |
 | TestMessageBodyReader.java:22:40:22:51 | entityStream : InputStream | semmle.label | entityStream : InputStream |
@@ -141,4 +206,24 @@ nodes
 | B.java:15:12:15:28 | parse(...) | B.java:12:31:12:51 | getInputStream(...) : InputStream | B.java:15:23:15:27 | bytes | Unsafe deserialization of $@. | B.java:12:31:12:51 | getInputStream(...) | user input |
 | B.java:23:12:23:30 | parseObject(...) | B.java:19:31:19:51 | getInputStream(...) : InputStream | B.java:23:29:23:29 | s | Unsafe deserialization of $@. | B.java:19:31:19:51 | getInputStream(...) | user input |
 | B.java:31:12:31:24 | parse(...) | B.java:27:31:27:51 | getInputStream(...) : InputStream | B.java:31:23:31:23 | s | Unsafe deserialization of $@. | B.java:27:31:27:51 | getInputStream(...) | user input |
+| C.java:24:3:24:17 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:24:13:24:16 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:25:3:25:23 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:25:19:25:22 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:26:3:26:43 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:26:25:26:28 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:27:3:27:35 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:27:17:27:20 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:30:3:30:23 | load(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:30:19:30:22 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:31:3:31:29 | loadStream(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:31:25:31:28 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:32:3:32:49 | loadStreamOfType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:32:31:32:34 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:33:3:33:41 | loadType(...) | C.java:23:17:23:44 | getParameter(...) : String | C.java:33:23:33:26 | data | Unsafe deserialization of $@. | C.java:23:17:23:44 | getParameter(...) | user input |
+| C.java:43:3:43:29 | jsonToJava(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:43:25:43:28 | data | Unsafe deserialization of $@. | C.java:38:17:38:44 | getParameter(...) | user input |
+| C.java:46:3:46:17 | readObject(...) | C.java:38:17:38:44 | getParameter(...) : String | C.java:46:3:46:4 | jr | Unsafe deserialization of $@. | C.java:38:17:38:44 | getParameter(...) | user input |
+| C.java:53:3:53:10 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:53:3:53:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:54:3:54:22 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:54:3:54:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:55:3:55:36 | read(...) | C.java:51:17:51:44 | getParameter(...) : String | C.java:55:3:55:3 | r | Unsafe deserialization of $@. | C.java:51:17:51:44 | getParameter(...) | user input |
+| C.java:63:3:63:27 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:63:3:63:14 | hessianInput | Unsafe deserialization of $@. | C.java:60:18:60:45 | getParameter(...) | user input |
+| C.java:64:3:64:39 | readObject(...) | C.java:60:18:60:45 | getParameter(...) : String | C.java:64:3:64:14 | hessianInput | Unsafe deserialization of $@. | C.java:60:18:60:45 | getParameter(...) | user input |
+| C.java:72:3:72:27 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:72:3:72:14 | hessianInput | Unsafe deserialization of $@. | C.java:69:18:69:45 | getParameter(...) | user input |
+| C.java:73:3:73:39 | readObject(...) | C.java:69:18:69:45 | getParameter(...) : String | C.java:73:3:73:14 | hessianInput | Unsafe deserialization of $@. | C.java:69:18:69:45 | getParameter(...) | user input |
+| C.java:79:3:79:72 | unmarshal(...) | C.java:79:43:79:70 | getParameter(...) : String | C.java:79:26:79:71 | new StringReader(...) | Unsafe deserialization of $@. | C.java:79:43:79:70 | getParameter(...) | user input |
+| C.java:87:3:87:26 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:87:3:87:13 | burlapInput | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
+| C.java:91:3:91:27 | readObject(...) | C.java:84:27:84:54 | getParameter(...) : String | C.java:91:3:91:14 | burlapInput1 | Unsafe deserialization of $@. | C.java:84:27:84:54 | getParameter(...) | user input |
 | TestMessageBodyReader.java:22:18:22:65 | readObject(...) | TestMessageBodyReader.java:20:55:20:78 | entityStream : InputStream | TestMessageBodyReader.java:22:18:22:52 | new ObjectInputStream(...) | Unsafe deserialization of $@. | TestMessageBodyReader.java:20:55:20:78 | entityStream | user input |
diff --git a/java/ql/test/query-tests/security/CWE-502/options b/java/ql/test/query-tests/security/CWE-502/options
index 6df0c9374c2..ebf1581cc8a 100644
--- a/java/ql/test/query-tests/security/CWE-502/options
+++ b/java/ql/test/query-tests/security/CWE-502/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/snakeyaml-1.21:${testdir}/../../../stubs/xstream-1.4.10:${testdir}/../../../stubs/kryo-4.0.2:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/fastjson-1.2.74:${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/jyaml-1.3:${testdir}/../../../stubs/json-io-4.10.0:${testdir}/../../../stubs/yamlbeans-1.09:${testdir}/../../../stubs/hessian-4.0.38:${testdir}/../../../stubs/castor-1.4.1
diff --git a/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java b/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java
new file mode 100644
index 00000000000..a3f476ccfec
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/ApacheHttpSSRF.java
@@ -0,0 +1,64 @@
+import java.io.IOException;
+import java.net.URI;
+
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.client.methods.HttpPut;
+import org.apache.http.client.methods.HttpDelete;
+import org.apache.http.client.methods.HttpHead;
+import org.apache.http.client.methods.HttpOptions;
+import org.apache.http.client.methods.HttpTrace;
+import org.apache.http.client.methods.HttpPatch;
+import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.message.BasicHttpRequest;
+import org.apache.http.message.BasicHttpEntityEnclosingRequest;
+import org.apache.http.message.BasicRequestLine;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class ApacheHttpSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String sink = request.getParameter("uri");
+            URI uri = new URI(sink);
+
+            HttpGet httpGet = new HttpGet(uri); // $ SSRF
+            HttpGet httpGet2 = new HttpGet();
+            httpGet2.setURI(uri); // $ SSRF
+
+            new HttpHead(uri); // $ SSRF
+            new HttpPost(uri); // $ SSRF
+            new HttpPut(uri); // $ SSRF
+            new HttpDelete(uri); // $ SSRF
+            new HttpOptions(uri); // $ SSRF
+            new HttpTrace(uri); // $ SSRF
+            new HttpPatch(uri); // $ SSRF
+
+            new BasicHttpRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
+            new BasicHttpRequest("GET", uri.toString()); // $ SSRF
+            new BasicHttpRequest("GET", uri.toString(), null); // $ SSRF
+
+            new BasicHttpEntityEnclosingRequest(new BasicRequestLine("GET", uri.toString(), null)); // $ SSRF
+            new BasicHttpEntityEnclosingRequest("GET", uri.toString()); // $ SSRF
+            new BasicHttpEntityEnclosingRequest("GET", uri.toString(), null); // $ SSRF
+
+            RequestBuilder.get(uri); // $ SSRF
+            RequestBuilder.post(uri); // $ SSRF
+            RequestBuilder.put(uri); // $ SSRF
+            RequestBuilder.delete(uri); // $ SSRF
+            RequestBuilder.options(uri); // $ SSRF
+            RequestBuilder.head(uri); // $ SSRF
+            RequestBuilder.trace(uri); // $ SSRF
+            RequestBuilder.patch(uri); // $ SSRF
+            RequestBuilder.get("").setUri(uri); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java b/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java
new file mode 100644
index 00000000000..ced25365211
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/JakartaWsSSRF.java
@@ -0,0 +1,18 @@
+import jakarta.ws.rs.client.*;
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JakartaWsSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        Client client = ClientBuilder.newClient();
+        String url = request.getParameter("url");
+        client.target(url); // $ SSRF
+    }
+
+}
diff --git a/java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java b/java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java
new file mode 100644
index 00000000000..7cc5578ebf3
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/JavaNetHttpSSRF.java
@@ -0,0 +1,45 @@
+import java.io.IOException;
+import java.net.Proxy;
+import java.net.SocketAddress;
+import java.net.URI;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JavaNetHttpSSRF extends HttpServlet {
+    private static final String VALID_URI = "http://lgtm.com";
+    private HttpClient client = HttpClient.newHttpClient();
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String sink = request.getParameter("uri");
+            URI uri = new URI(sink);
+            URI uri2 = new URI("http", sink, "fragement");
+            URL url1 = new URL(sink);
+
+            URLConnection c1 = url1.openConnection(); // $ SSRF
+            SocketAddress sa = new SocketAddress() {
+            };
+            URLConnection c2 = url1.openConnection(new Proxy(Type.HTTP, sa)); // $ SSRF
+            InputStream c3 = url1.openStream(); // $ SSRF
+
+            // java.net.http
+            HttpClient client = HttpClient.newHttpClient();
+            HttpRequest request2 = HttpRequest.newBuilder().uri(uri2).build(); // $ SSRF
+            HttpRequest request3 = HttpRequest.newBuilder(uri).build(); // $ SSRF
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java b/java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java
similarity index 68%
rename from java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java
rename to java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java
index cb774b8c44a..da650e2de6c 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-918/JaxWsSSRF.java
+++ b/java/ql/test/query-tests/security/CWE-918/JaxWsSSRF.java
@@ -1,13 +1,6 @@
 import javax.ws.rs.client.*;
 import java.io.IOException;
-import java.net.URI;
-import java.net.*;
-import java.net.http.HttpClient;
-import java.net.http.HttpRequest;
-import java.net.Proxy.Type;
-import java.io.InputStream;
 
-import org.apache.http.client.methods.HttpGet;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
@@ -19,7 +12,7 @@ public class JaxWsSSRF extends HttpServlet {
             throws ServletException, IOException {
         Client client = ClientBuilder.newClient();
         String url = request.getParameter("url");
-        client.target(url);
+        client.target(url); // $ SSRF
     }
 
 }
diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql b/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql
new file mode 100644
index 00000000000..d7e481ce618
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql
@@ -0,0 +1,18 @@
+import java
+import semmle.code.java.security.RequestForgeryConfig
+import TestUtilities.InlineExpectationsTest
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "SSRF" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "SSRF" and
+    exists(RequestForgeryConfiguration conf, DataFlow::Node sink | conf.hasFlowTo(sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
new file mode 100644
index 00000000000..9a65374024c
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
@@ -0,0 +1,123 @@
+import java.io.IOException;
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class SanitizationTests extends HttpServlet {
+    private static final String VALID_URI = "http://lgtm.com";
+    private HttpClient client = HttpClient.newHttpClient();
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            URI uri = new URI(request.getParameter("uri"));
+            // BAD: a request parameter is incorporated without validation into a Http
+            // request
+            HttpRequest r = HttpRequest.newBuilder(uri).build(); // $ SSRF
+            client.send(r, null);
+
+            // GOOD: sanitisation by concatenation with a prefix that prevents targeting an arbitrary host.
+            // We test a few different ways of sanitisation: via string conctentation (perhaps nested),
+            // via a stringbuilder (for which we consider appends done in the constructor, chained onto
+            // the constructor and applied in subsequent statements) and via String.format.
+            String safeUri3 = "https://example.com/" + request.getParameter("uri3");
+            HttpRequest r3 = HttpRequest.newBuilder(new URI(safeUri3)).build();
+            client.send(r3, null);
+
+            String safeUri4 = "https://example.com/" + ("someprefix" + request.getParameter("uri4"));
+            HttpRequest r4 = HttpRequest.newBuilder(new URI(safeUri4)).build();
+            client.send(r4, null);
+
+            StringBuilder safeUri5 = new StringBuilder();
+            safeUri5.append("https://example.com/").append(request.getParameter("uri5"));
+            HttpRequest r5 = HttpRequest.newBuilder(new URI(safeUri5.toString())).build();
+            client.send(r5, null);
+
+            StringBuilder safeUri5a = new StringBuilder("https://example.com/");
+            safeUri5a.append(request.getParameter("uri5a"));
+            HttpRequest r5a = HttpRequest.newBuilder(new URI(safeUri5a.toString())).build();
+            client.send(r5a, null);
+
+            StringBuilder safeUri5b = (new StringBuilder("https://example.com/")).append("dir/");
+            safeUri5b.append(request.getParameter("uri5b"));
+            HttpRequest r5b = HttpRequest.newBuilder(new URI(safeUri5b.toString())).build();
+            client.send(r5b, null);
+
+            StringBuilder safeUri5c = (new StringBuilder("prefix")).append("https://example.com/dir/");
+            safeUri5c.append(request.getParameter("uri5c"));
+            HttpRequest r5c = HttpRequest.newBuilder(new URI(safeUri5c.toString())).build();
+            client.send(r5c, null);
+
+            String safeUri6 = String.format("https://example.com/%s", request.getParameter("uri6"));
+            HttpRequest r6 = HttpRequest.newBuilder(new URI(safeUri6)).build();
+            client.send(r6, null);
+
+            String safeUri7 = String.format("%s/%s", "https://example.com", request.getParameter("uri7"));
+            HttpRequest r7 = HttpRequest.newBuilder(new URI(safeUri7)).build();
+            client.send(r7, null);
+
+            String safeUri8 = String.format("%s%s", "https://example.com/", request.getParameter("uri8"));
+            HttpRequest r8 = HttpRequest.newBuilder(new URI(safeUri8)).build();
+            client.send(r8, null);
+
+            String safeUri9 = String.format("http://%s", "myserver.com") + "/" + request.getParameter("uri9");
+            HttpRequest r9 = HttpRequest.newBuilder(new URI(safeUri9)).build();
+            client.send(r9, null);
+
+            // BAD: cases where a string that would sanitise is used, but occurs in the wrong
+            // place to sanitise user input:
+            String unsafeUri3 = request.getParameter("baduri3") + "https://example.com/";
+            HttpRequest unsafer3 = HttpRequest.newBuilder(new URI(unsafeUri3)).build();  // $ SSRF
+            client.send(unsafer3, null);
+
+            String unsafeUri4 = ("someprefix" + request.getParameter("baduri4")) + "https://example.com/";
+            HttpRequest unsafer4 = HttpRequest.newBuilder(new URI(unsafeUri4)).build(); // $ SSRF
+            client.send(unsafer4, null);
+
+            StringBuilder unsafeUri5 = new StringBuilder();
+            unsafeUri5.append(request.getParameter("baduri5")).append("https://example.com/");
+            HttpRequest unsafer5 = HttpRequest.newBuilder(new URI(unsafeUri5.toString())).build(); // $ SSRF
+            client.send(unsafer5, null);
+
+            StringBuilder unafeUri5a = new StringBuilder(request.getParameter("uri5a"));
+            unafeUri5a.append("https://example.com/");
+            HttpRequest unsafer5a = HttpRequest.newBuilder(new URI(unafeUri5a.toString())).build(); // $ SSRF
+            client.send(unsafer5a, null);
+
+            StringBuilder unsafeUri5b = (new StringBuilder(request.getParameter("uri5b"))).append("dir/");
+            unsafeUri5b.append("https://example.com/");
+            HttpRequest unsafer5b = HttpRequest.newBuilder(new URI(unsafeUri5b.toString())).build(); // $ SSRF
+            client.send(unsafer5b, null);
+
+            StringBuilder unsafeUri5c = (new StringBuilder("https")).append(request.getParameter("uri5c"));
+            unsafeUri5c.append("://example.com/dir/");
+            HttpRequest unsafer5c = HttpRequest.newBuilder(new URI(unsafeUri5c.toString())).build(); // $ SSRF
+            client.send(unsafer5c, null);
+
+            String unsafeUri6 = String.format("%shttps://example.com/", request.getParameter("baduri6"));
+            HttpRequest unsafer6 = HttpRequest.newBuilder(new URI(unsafeUri6)).build(); // $ SSRF
+            client.send(unsafer6, null);
+
+            String unsafeUri7 = String.format("%s/%s", request.getParameter("baduri7"), "https://example.com");
+            HttpRequest unsafer7 = HttpRequest.newBuilder(new URI(unsafeUri7)).build(); // $ SSRF
+            client.send(unsafer7, null);
+
+            String unsafeUri8 = String.format("%s%s", request.getParameter("baduri8"), "https://example.com/");
+            HttpRequest unsafer8 = HttpRequest.newBuilder(new URI(unsafeUri8)).build(); // $ SSRF
+            client.send(unsafer8, null);
+
+            String unsafeUri9 = request.getParameter("baduri9") + "/" + String.format("http://%s", "myserver.com");
+            HttpRequest unsafer9 = HttpRequest.newBuilder(new URI(unsafeUri9)).build(); // $ SSRF
+            client.send(unsafer9, null);
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java
new file mode 100644
index 00000000000..6af4829ba02
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/SpringSSRF.java
@@ -0,0 +1,70 @@
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpStatus;
+import java.net.URI;
+import org.springframework.http.HttpMethod;
+import java.io.IOException;
+import java.net.URI;
+import java.net.*;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.Proxy.Type;
+import java.io.InputStream;
+
+import org.apache.http.client.methods.HttpGet;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class SpringSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request2, HttpServletResponse response2)
+            throws ServletException, IOException {
+        String fooResourceUrl = request2.getParameter("uri");;
+        RestTemplate restTemplate = new RestTemplate();
+        HttpEntity<String> request = new HttpEntity<>(new String("bar"));
+        try {
+            restTemplate.getForEntity(fooResourceUrl + "/1", String.class); // $ SSRF
+            restTemplate.exchange(fooResourceUrl, HttpMethod.POST, request, String.class); // $ SSRF
+            restTemplate.execute(fooResourceUrl, HttpMethod.POST, null, null, "test"); // $ SSRF
+            restTemplate.getForObject(fooResourceUrl, String.class, "test"); // $ SSRF
+            restTemplate.patchForObject(fooResourceUrl, new String("object"), String.class, "hi"); // $ SSRF
+            restTemplate.postForEntity(new URI(fooResourceUrl), new String("object"), String.class); // $ SSRF
+            restTemplate.postForLocation(fooResourceUrl, new String("object")); // $ SSRF
+            restTemplate.postForObject(fooResourceUrl, new String("object"), String.class); // $ SSRF
+            restTemplate.put(fooResourceUrl, new String("object")); // $ SSRF
+            restTemplate.delete(fooResourceUrl); // $ SSRF
+            restTemplate.headForHeaders(fooResourceUrl); // $ SSRF
+            restTemplate.optionsForAllow(fooResourceUrl); // $ SSRF
+            {
+                String body = new String("body");
+                URI uri = new URI(fooResourceUrl);
+                RequestEntity<String> requestEntity =
+                        RequestEntity.post(uri).body(body); // $ SSRF
+                ResponseEntity<String> response = restTemplate.exchange(requestEntity, String.class);
+                RequestEntity.get(uri); // $ SSRF
+                RequestEntity.put(uri); // $ SSRF
+                RequestEntity.delete(uri); // $ SSRF
+                RequestEntity.options(uri); // $ SSRF
+                RequestEntity.patch(uri); // $ SSRF
+                RequestEntity.head(uri); // $ SSRF
+                RequestEntity.method(null, uri); // $ SSRF
+            }
+            {
+                URI uri = new URI(fooResourceUrl);
+                MultiValueMap<String, String> headers = null;
+                java.lang.reflect.Type type = null;
+                new RequestEntity<String>(null, uri); // $ SSRF
+                new RequestEntity<String>(headers, null, uri); // $ SSRF
+                new RequestEntity<String>("body", null, uri); // $ SSRF
+                new RequestEntity<String>("body", headers, null, uri); // $ SSRF
+                new RequestEntity<String>("body", null, uri, type); // $ SSRF
+                new RequestEntity<String>("body", headers, null, uri, type); // $ SSRF
+            }
+        } catch (org.springframework.web.client.RestClientException | java.net.URISyntaxException e) {}
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-918/options b/java/ql/test/query-tests/security/CWE-918/options
new file mode 100644
index 00000000000..79224345b48
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-918/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/servlet-api-2.4/
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/ImmutablePair.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/ImmutablePair.java
new file mode 100644
index 00000000000..ee4cacd78a6
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/ImmutablePair.java
@@ -0,0 +1,195 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.tuple;
+
+import java.util.Map;
+
+/**
+ * <p>An immutable pair consisting of two {@code Object} elements.</p>
+ *
+ * <p>Although the implementation is immutable, there is no restriction on the objects
+ * that may be stored. If mutable objects are stored in the pair, then the pair
+ * itself effectively becomes mutable. The class is also {@code final}, so a subclass
+ * can not add undesirable behavior.</p>
+ *
+ * <p>#ThreadSafe# if both paired objects are thread-safe</p>
+ *
+ * @param <L> the left element type
+ * @param <R> the right element type
+ *
+ * @since 3.0
+ */
+public final class ImmutablePair<L, R> extends Pair<L, R> {
+
+    /**
+     * An empty array.
+     * <p>
+     * Consider using {@link #emptyArray()} to avoid generics warnings.
+     * </p>
+     *
+     * @since 3.10.
+     */
+    public static final ImmutablePair<?, ?>[] EMPTY_ARRAY = null;
+
+    /**
+     * An immutable pair of nulls.
+     */
+    // This is not defined with generics to avoid warnings in call sites.
+    @SuppressWarnings("rawtypes")
+    private static final ImmutablePair NULL = null;
+
+    /** Serialization version */
+    private static final long serialVersionUID = 4954918890077093841L;
+
+    /**
+     * Returns the empty array singleton that can be assigned without compiler warning.
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @return the empty array singleton that can be assigned without compiler warning.
+     *
+     * @since 3.10.
+     */
+    @SuppressWarnings("unchecked")
+    public static <L, R> ImmutablePair<L, R>[] emptyArray() {
+        return null;
+    }
+
+    /**
+     * <p>Creates an immutable pair of two objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param left  the left element, may be null
+     * @return a pair formed from the two parameters, not null
+     * @since 3.11
+     */
+    public static <L, R> Pair<L, R> left(final L left) {
+        return null;
+    }
+
+    /**
+     * Returns an immutable pair of nulls.
+     *
+     * @param <L> the left element of this pair. Value is {@code null}.
+     * @param <R> the right element of this pair. Value is {@code null}.
+     * @return an immutable pair of nulls.
+     * @since 3.6
+     */
+    public static <L, R> ImmutablePair<L, R> nullPair() {
+        return null;
+    }
+
+    /**
+     * <p>Creates an immutable pair of two objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param left  the left element, may be null
+     * @param right  the right element, may be null
+     * @return a pair formed from the two parameters, not null
+     */
+    public static <L, R> ImmutablePair<L, R> of(final L left, final R right) {
+        return null;
+    }
+
+    /**
+     * <p>Creates an immutable pair from an existing pair.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param pair the existing pair.
+     * @return a pair formed from the two parameters, not null
+     * @since 3.10
+     */
+    public static <L, R> ImmutablePair<L, R> of(final Map.Entry<L, R> pair) {
+        return null;
+    }
+
+    /**
+     * <p>Creates an immutable pair of two objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param right  the right element, may be null
+     * @return a pair formed from the two parameters, not null
+     * @since 3.11
+     */
+    public static <L, R> Pair<L, R> right(final R right) {
+        return null;
+    }
+
+    /** Left object */
+    public final L left;
+
+    /** Right object */
+    public final R right;
+
+    /**
+     * Create a new pair instance.
+     *
+     * @param left  the left value, may be null
+     * @param right  the right value, may be null
+     */
+    public ImmutablePair(final L left, final R right) {
+      this.left = null;
+      this.right = null;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public L getLeft() {
+        return null;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public R getRight() {
+        return null;
+    }
+
+    /**
+     * <p>Throws {@code UnsupportedOperationException}.</p>
+     *
+     * <p>This pair is immutable, so this operation is not supported.</p>
+     *
+     * @param value  the value to set
+     * @return never
+     * @throws UnsupportedOperationException as this operation is not supported
+     */
+    @Override
+    public R setValue(final R value) {
+        return null;
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/ImmutableTriple.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/ImmutableTriple.java
new file mode 100644
index 00000000000..846fcbd9052
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/ImmutableTriple.java
@@ -0,0 +1,137 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.tuple;
+
+/**
+ * <p>An immutable triple consisting of three {@code Object} elements.</p>
+ *
+ * <p>Although the implementation is immutable, there is no restriction on the objects
+ * that may be stored. If mutable objects are stored in the triple, then the triple
+ * itself effectively becomes mutable. The class is also {@code final}, so a subclass
+ * can not add undesirable behavior.</p>
+ *
+ * <p>#ThreadSafe# if all three objects are thread-safe</p>
+ *
+ * @param <L> the left element type
+ * @param <M> the middle element type
+ * @param <R> the right element type
+ *
+ * @since 3.2
+ */
+public final class ImmutableTriple<L, M, R> extends Triple<L, M, R> {
+
+    /**
+     * An empty array.
+     * <p>
+     * Consider using {@link #emptyArray()} to avoid generics warnings.
+     * </p>
+     *
+     * @since 3.10.
+     */
+    public static final ImmutableTriple<?, ?, ?>[] EMPTY_ARRAY = null;
+
+    /**
+     * Returns the empty array singleton that can be assigned without compiler warning.
+     *
+     * @param <L> the left element type
+     * @param <M> the middle element type
+     * @param <R> the right element type
+     * @return the empty array singleton that can be assigned without compiler warning.
+     *
+     * @since 3.10.
+     */
+    @SuppressWarnings("unchecked")
+    public static <L, M, R> ImmutableTriple<L, M, R>[] emptyArray() {
+        return null;
+    }
+
+    /**
+     * Returns an immutable triple of nulls.
+     *
+     * @param <L> the left element of this triple. Value is {@code null}.
+     * @param <M> the middle element of this triple. Value is {@code null}.
+     * @param <R> the right element of this triple. Value is {@code null}.
+     * @return an immutable triple of nulls.
+     * @since 3.6
+     */
+    public static <L, M, R> ImmutableTriple<L, M, R> nullTriple() {
+        return null;
+    }
+
+    /**
+     * <p>Obtains an immutable triple of three objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the triple to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <M> the middle element type
+     * @param <R> the right element type
+     * @param left  the left element, may be null
+     * @param middle  the middle element, may be null
+     * @param right  the right element, may be null
+     * @return a triple formed from the three parameters, not null
+     */
+    public static <L, M, R> ImmutableTriple<L, M, R> of(final L left, final M middle, final R right) {
+        return null;
+    }
+    /** Left object */
+    public final L left;
+    /** Middle object */
+    public final M middle;
+
+    /** Right object */
+    public final R right;
+
+    /**
+     * Create a new triple instance.
+     *
+     * @param left  the left value, may be null
+     * @param middle the middle value, may be null
+     * @param right  the right value, may be null
+     */
+    public ImmutableTriple(final L left, final M middle, final R right) {
+        this.left = null;
+        this.middle = null;
+        this.right = null;
+    }
+
+    //-----------------------------------------------------------------------
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public L getLeft() {
+        return null;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public M getMiddle() {
+        return null;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public R getRight() {
+        return null;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/MutablePair.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/MutablePair.java
new file mode 100644
index 00000000000..5826a2145fc
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/MutablePair.java
@@ -0,0 +1,158 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.tuple;
+
+import java.util.Map;
+
+/**
+ * <p>A mutable pair consisting of two {@code Object} elements.</p>
+ *
+ * <p>Not #ThreadSafe#</p>
+ *
+ * @param <L> the left element type
+ * @param <R> the right element type
+ *
+ * @since 3.0
+ */
+public class MutablePair<L, R> extends Pair<L, R> {
+
+    /**
+     * An empty array.
+     * <p>
+     * Consider using {@link #emptyArray()} to avoid generics warnings.
+     * </p>
+     *
+     * @since 3.10.
+     */
+    public static final MutablePair<?, ?>[] EMPTY_ARRAY = null;
+
+    /**
+     * Returns the empty array singleton that can be assigned without compiler warning.
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @return the empty array singleton that can be assigned without compiler warning.
+     *
+     * @since 3.10.
+     */
+    @SuppressWarnings("unchecked")
+    public static <L, R> MutablePair<L, R>[] emptyArray() {
+        return null;
+    }
+
+    /**
+     * <p>Creates a mutable pair of two objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param left  the left element, may be null
+     * @param right  the right element, may be null
+     * @return a pair formed from the two parameters, not null
+     */
+    public static <L, R> MutablePair<L, R> of(final L left, final R right) {
+        return null;
+    }
+
+    /**
+     * <p>Creates a mutable pair from an existing pair.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param pair the existing pair.
+     * @return a pair formed from the two parameters, not null
+     */
+    public static <L, R> MutablePair<L, R> of(final Map.Entry<L, R> pair) {
+        return null;
+    }
+
+    /** Left object */
+    public L left;
+
+    /** Right object */
+    public R right;
+
+    /**
+     * Create a new pair instance of two nulls.
+     */
+    public MutablePair() {
+    }
+
+    /**
+     * Create a new pair instance.
+     *
+     * @param left  the left value, may be null
+     * @param right  the right value, may be null
+     */
+    public MutablePair(final L left, final R right) {
+        this.left = null;
+        this.right = null;
+    }
+
+    //-----------------------------------------------------------------------
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public L getLeft() {
+        return null;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public R getRight() {
+        return null;
+    }
+
+    /**
+     * Sets the left element of the pair.
+     *
+     * @param left  the new value of the left element, may be null
+     */
+    public void setLeft(final L left) {
+
+    }
+
+    /**
+     * Sets the right element of the pair.
+     *
+     * @param right  the new value of the right element, may be null
+     */
+    public void setRight(final R right) {
+
+    }
+
+    /**
+     * Sets the {@code Map.Entry} value.
+     * This sets the right element of the pair.
+     *
+     * @param value  the right value to set, not null
+     * @return the old value for the right element
+     */
+    @Override
+    public R setValue(final R value) {
+        return null;
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/MutableTriple.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/MutableTriple.java
new file mode 100644
index 00000000000..dc489c44293
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/MutableTriple.java
@@ -0,0 +1,152 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.tuple;
+
+/**
+ * <p>A mutable triple consisting of three {@code Object} elements.</p>
+ *
+ * <p>Not #ThreadSafe#</p>
+ *
+ * @param <L> the left element type
+ * @param <M> the middle element type
+ * @param <R> the right element type
+ *
+ * @since 3.2
+ */
+public class MutableTriple<L, M, R> extends Triple<L, M, R> {
+
+    /**
+     * The empty array singleton.
+     * <p>
+     * Consider using {@link #emptyArray()} to avoid generics warnings.
+     * </p>
+     *
+     * @since 3.10.
+     */
+    public static final MutableTriple<?, ?, ?>[] EMPTY_ARRAY = null;
+
+    /**
+     * Returns the empty array singleton that can be assigned without compiler warning.
+     *
+     * @param <L> the left element type
+     * @param <M> the middle element type
+     * @param <R> the right element type
+     * @return the empty array singleton that can be assigned without compiler warning.
+     *
+     * @since 3.10.
+     */
+    @SuppressWarnings("unchecked")
+    public static <L, M, R> MutableTriple<L, M, R>[] emptyArray() {
+        return null;
+    }
+
+    /**
+     * <p>Obtains a mutable triple of three objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the triple to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <M> the middle element type
+     * @param <R> the right element type
+     * @param left  the left element, may be null
+     * @param middle  the middle element, may be null
+     * @param right  the right element, may be null
+     * @return a triple formed from the three parameters, not null
+     */
+    public static <L, M, R> MutableTriple<L, M, R> of(final L left, final M middle, final R right) {
+        return null;
+    }
+    /** Left object */
+    public L left;
+    /** Middle object */
+    public M middle;
+
+    /** Right object */
+    public R right;
+
+    /**
+     * Create a new triple instance of three nulls.
+     */
+    public MutableTriple() {
+    }
+
+    /**
+     * Create a new triple instance.
+     *
+     * @param left  the left value, may be null
+     * @param middle  the middle value, may be null
+     * @param right  the right value, may be null
+     */
+    public MutableTriple(final L left, final M middle, final R right) {
+        this.left = null;
+        this.middle = null;
+        this.right = null;
+    }
+
+    //-----------------------------------------------------------------------
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public L getLeft() {
+        return null;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public M getMiddle() {
+        return null;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public R getRight() {
+        return null;
+    }
+
+    /**
+     * Sets the left element of the triple.
+     *
+     * @param left  the new value of the left element, may be null
+     */
+    public void setLeft(final L left) {
+
+    }
+
+    /**
+     * Sets the middle element of the triple.
+     *
+     * @param middle  the new value of the middle element, may be null
+     */
+    public void setMiddle(final M middle) {
+
+    }
+
+    /**
+     * Sets the right element of the triple.
+     *
+     * @param right  the new value of the right element, may be null
+     */
+    public void setRight(final R right) {
+
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/Pair.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/Pair.java
new file mode 100644
index 00000000000..1f23f886e5b
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/Pair.java
@@ -0,0 +1,204 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.tuple;
+
+import java.io.Serializable;
+import java.util.Map;
+
+/**
+ * <p>A pair consisting of two elements.</p>
+ *
+ * <p>This class is an abstract implementation defining the basic API.
+ * It refers to the elements as 'left' and 'right'. It also implements the
+ * {@code Map.Entry} interface where the key is 'left' and the value is 'right'.</p>
+ *
+ * <p>Subclass implementations may be mutable or immutable.
+ * However, there is no restriction on the type of the stored objects that may be stored.
+ * If mutable objects are stored in the pair, then the pair itself effectively becomes mutable.</p>
+ *
+ * @param <L> the left element type
+ * @param <R> the right element type
+ *
+ * @since 3.0
+ */
+public abstract class Pair<L, R> implements Map.Entry<L, R>, Comparable<Pair<L, R>>, Serializable {
+
+    /** Serialization version */
+    private static final long serialVersionUID = 4954918890077093841L;
+
+    /**
+     * An empty array.
+     * <p>
+     * Consider using {@link #emptyArray()} to avoid generics warnings.
+     * </p>
+     *
+     * @since 3.10.
+     */
+    public static final Pair<?, ?>[] EMPTY_ARRAY = null;
+
+    /**
+     * Returns the empty array singleton that can be assigned without compiler warning.
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @return the empty array singleton that can be assigned without compiler warning.
+     *
+     * @since 3.10.
+     */
+    @SuppressWarnings("unchecked")
+    public static <L, R> Pair<L, R>[] emptyArray() {
+        return null;
+    }
+
+    /**
+     * <p>Creates an immutable pair of two objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param left  the left element, may be null
+     * @param right  the right element, may be null
+     * @return a pair formed from the two parameters, not null
+     */
+    public static <L, R> Pair<L, R> of(final L left, final R right) {
+        return null;
+    }
+
+    /**
+     * <p>Creates an immutable pair from an existing pair.</p>
+     *
+     * <p>This factory allows the pair to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <R> the right element type
+     * @param pair the existing pair.
+     * @return a pair formed from the two parameters, not null
+     * @since 3.10
+     */
+    public static <L, R> Pair<L, R> of(final Map.Entry<L, R> pair) {
+        return null;
+    }
+
+    //-----------------------------------------------------------------------
+    /**
+     * <p>Compares the pair based on the left element followed by the right element.
+     * The types must be {@code Comparable}.</p>
+     *
+     * @param other  the other pair, not null
+     * @return negative if this is less, zero if equal, positive if greater
+     */
+    @Override
+    public int compareTo(final Pair<L, R> other) {
+      return 0;
+    }
+
+    /**
+     * <p>Compares this pair to another based on the two elements.</p>
+     *
+     * @param obj  the object to compare to, null returns false
+     * @return true if the elements of the pair are equal
+     */
+    @Override
+    public boolean equals(final Object obj) {
+        return false;
+    }
+
+    /**
+     * <p>Gets the key from this pair.</p>
+     *
+     * <p>This method implements the {@code Map.Entry} interface returning the
+     * left element as the key.</p>
+     *
+     * @return the left element as the key, may be null
+     */
+    @Override
+    public final L getKey() {
+        return null;
+    }
+
+    //-----------------------------------------------------------------------
+    /**
+     * <p>Gets the left element from this pair.</p>
+     *
+     * <p>When treated as a key-value pair, this is the key.</p>
+     *
+     * @return the left element, may be null
+     */
+    public abstract L getLeft();
+
+    /**
+     * <p>Gets the right element from this pair.</p>
+     *
+     * <p>When treated as a key-value pair, this is the value.</p>
+     *
+     * @return the right element, may be null
+     */
+    public abstract R getRight();
+
+    /**
+     * <p>Gets the value from this pair.</p>
+     *
+     * <p>This method implements the {@code Map.Entry} interface returning the
+     * right element as the value.</p>
+     *
+     * @return the right element as the value, may be null
+     */
+    @Override
+    public R getValue() {
+        return null;
+    }
+
+    /**
+     * <p>Returns a suitable hash code.
+     * The hash code follows the definition in {@code Map.Entry}.</p>
+     *
+     * @return the hash code
+     */
+    @Override
+    public int hashCode() {
+        return 0;
+    }
+
+    /**
+     * <p>Returns a String representation of this pair using the format {@code ($left,$right)}.</p>
+     *
+     * @return a string describing this object, not null
+     */
+    @Override
+    public String toString() {
+        return "";
+    }
+
+    /**
+     * <p>Formats the receiver using the given format.</p>
+     *
+     * <p>This uses {@link java.util.Formattable} to perform the formatting. Two variables may
+     * be used to embed the left and right elements. Use {@code %1$s} for the left
+     * element (key) and {@code %2$s} for the right element (value).
+     * The default format used by {@code toString()} is {@code (%1$s,%2$s)}.</p>
+     *
+     * @param format  the format string, optionally containing {@code %1$s} and {@code %2$s}, not null
+     * @return the formatted string, not null
+     */
+    public String toString(final String format) {
+        return "";
+    }
+
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/Triple.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/Triple.java
new file mode 100644
index 00000000000..d8453f7e3cd
--- /dev/null
+++ b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/tuple/Triple.java
@@ -0,0 +1,164 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.tuple;
+
+import java.io.Serializable;
+
+/**
+ * <p>A triple consisting of three elements.</p>
+ *
+ * <p>This class is an abstract implementation defining the basic API.
+ * It refers to the elements as 'left', 'middle' and 'right'.</p>
+ *
+ * <p>Subclass implementations may be mutable or immutable.
+ * However, there is no restriction on the type of the stored objects that may be stored.
+ * If mutable objects are stored in the triple, then the triple itself effectively becomes mutable.</p>
+ *
+ * @param <L> the left element type
+ * @param <M> the middle element type
+ * @param <R> the right element type
+ *
+ * @since 3.2
+ */
+public abstract class Triple<L, M, R> implements Comparable<Triple<L, M, R>>, Serializable {
+
+    /**
+     * An empty array.
+     * <p>
+     * Consider using {@link #emptyArray()} to avoid generics warnings.
+     * </p>
+     *
+     * @since 3.10.
+     */
+    public static final Triple<?, ?, ?>[] EMPTY_ARRAY = null;
+
+    /**
+     * Returns the empty array singleton that can be assigned without compiler warning.
+     *
+     * @param <L> the left element type
+     * @param <M> the middle element type
+     * @param <R> the right element type
+     * @return the empty array singleton that can be assigned without compiler warning.
+     *
+     * @since 3.10.
+     */
+    @SuppressWarnings("unchecked")
+    public static <L, M, R> Triple<L, M, R>[] emptyArray() {
+        return null;
+    }
+
+    /**
+     * <p>Obtains an immutable triple of three objects inferring the generic types.</p>
+     *
+     * <p>This factory allows the triple to be created using inference to
+     * obtain the generic types.</p>
+     *
+     * @param <L> the left element type
+     * @param <M> the middle element type
+     * @param <R> the right element type
+     * @param left  the left element, may be null
+     * @param middle the middle element, may be null
+     * @param right  the right element, may be null
+     * @return a triple formed from the three parameters, not null
+     */
+    public static <L, M, R> Triple<L, M, R> of(final L left, final M middle, final R right) {
+        return null;
+    }
+
+    //-----------------------------------------------------------------------
+    /**
+     * <p>Compares the triple based on the left element, followed by the middle element,
+     * finally the right element.
+     * The types must be {@code Comparable}.</p>
+     *
+     * @param other  the other triple, not null
+     * @return negative if this is less, zero if equal, positive if greater
+     */
+    @Override
+    public int compareTo(final Triple<L, M, R> other) {
+      return 0;
+    }
+
+    /**
+     * <p>Compares this triple to another based on the three elements.</p>
+     *
+     * @param obj  the object to compare to, null returns false
+     * @return true if the elements of the triple are equal
+     */
+    @Override
+    public boolean equals(final Object obj) {
+        return false;
+    }
+
+    //-----------------------------------------------------------------------
+    /**
+     * <p>Gets the left element from this triple.</p>
+     *
+     * @return the left element, may be null
+     */
+    public abstract L getLeft();
+
+    /**
+     * <p>Gets the middle element from this triple.</p>
+     *
+     * @return the middle element, may be null
+     */
+    public abstract M getMiddle();
+
+    /**
+     * <p>Gets the right element from this triple.</p>
+     *
+     * @return the right element, may be null
+     */
+    public abstract R getRight();
+
+    /**
+     * <p>Returns a suitable hash code.</p>
+     *
+     * @return the hash code
+     */
+    @Override
+    public int hashCode() {
+        return 0;
+    }
+
+    /**
+     * <p>Returns a String representation of this triple using the format {@code ($left,$middle,$right)}.</p>
+     *
+     * @return a string describing this object, not null
+     */
+    @Override
+    public String toString() {
+        return "";
+    }
+
+    /**
+     * <p>Formats the receiver using the given format.</p>
+     *
+     * <p>This uses {@link java.util.Formattable} to perform the formatting. Three variables may
+     * be used to embed the left and right elements. Use {@code %1$s} for the left
+     * element, {@code %2$s} for the middle and {@code %3$s} for the right element.
+     * The default format used by {@code toString()} is {@code (%1$s,%2$s,%3$s)}.</p>
+     *
+     * @param format  the format string, optionally containing {@code %1$s}, {@code %2$s} and {@code %3$s}, not null
+     * @return the formatted string, not null
+     */
+    public String toString(final String format) {
+        return "";
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/Contract.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/Contract.java
new file mode 100644
index 00000000000..f268a145763
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/Contract.java
@@ -0,0 +1,45 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * This annotation defines behavioral contract enforced at runtime by instances of annotated classes.
+ */
+@Documented
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.CLASS)
+public @interface Contract {
+
+    ThreadingBehavior threading() default ThreadingBehavior.UNSAFE;
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/HttpHost.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/HttpHost.java
new file mode 100644
index 00000000000..aef2fa44720
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/HttpHost.java
@@ -0,0 +1,233 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http;
+
+import java.io.Serializable;
+import java.net.InetAddress;
+
+import org.apache.http.annotation.ThreadingBehavior;
+import org.apache.http.annotation.Contract;
+
+/**
+ * Holds all of the variables needed to describe an HTTP connection to a host.
+ * This includes remote host name, port and scheme.
+ *
+ * @since 4.0
+ */
+@Contract(threading = ThreadingBehavior.IMMUTABLE)
+public final class HttpHost implements Cloneable, Serializable {
+
+    /** The default scheme is "http". */
+    public static final String DEFAULT_SCHEME_NAME = "http";
+
+    /**
+     * Creates {@code HttpHost} instance with the given scheme, hostname and port.
+     *
+     * @param hostname  the hostname (IP or DNS name)
+     * @param port      the port number.
+     *                  {@code -1} indicates the scheme default port.
+     * @param scheme    the name of the scheme.
+     *                  {@code null} indicates the
+     *                  {@link #DEFAULT_SCHEME_NAME default scheme}
+     */
+    public HttpHost(final String hostname, final int port, final String scheme) {
+    }
+
+    /**
+     * Creates {@code HttpHost} instance with the default scheme and the given hostname and port.
+     *
+     * @param hostname  the hostname (IP or DNS name)
+     * @param port      the port number.
+     *                  {@code -1} indicates the scheme default port.
+     */
+    public HttpHost(final String hostname, final int port) {
+    }
+
+    /**
+     * Creates {@code HttpHost} instance from string. Text may not contain any blanks.
+     *
+     * @since 4.4
+     */
+    public static HttpHost create(final String s) {
+        return null;
+    }
+
+    /**
+     * Creates {@code HttpHost} instance with the default scheme and port and the given hostname.
+     *
+     * @param hostname  the hostname (IP or DNS name)
+     */
+    public HttpHost(final String hostname) {
+    }
+
+    /**
+     * Creates {@code HttpHost} instance with the given scheme, inet address and port.
+     *
+     * @param address   the inet address.
+     * @param port      the port number.
+     *                  {@code -1} indicates the scheme default port.
+     * @param scheme    the name of the scheme.
+     *                  {@code null} indicates the
+     *                  {@link #DEFAULT_SCHEME_NAME default scheme}
+     *
+     * @since 4.3
+     */
+    public HttpHost(final InetAddress address, final int port, final String scheme) {
+    }
+    /**
+     * Creates a new {@link HttpHost HttpHost}, specifying all values.
+     * Constructor for HttpHost.
+     *
+     * @param address   the inet address.
+     * @param hostname   the hostname (IP or DNS name)
+     * @param port      the port number.
+     *                  {@code -1} indicates the scheme default port.
+     * @param scheme    the name of the scheme.
+     *                  {@code null} indicates the
+     *                  {@link #DEFAULT_SCHEME_NAME default scheme}
+     *
+     * @since 4.4
+     */
+    public HttpHost(final InetAddress address, final String hostname, final int port, final String scheme) {
+    }
+
+    /**
+     * Creates {@code HttpHost} instance with the default scheme and the given inet address
+     * and port.
+     *
+     * @param address   the inet address.
+     * @param port      the port number.
+     *                  {@code -1} indicates the scheme default port.
+     *
+     * @since 4.3
+     */
+    public HttpHost(final InetAddress address, final int port) {
+    }
+
+    /**
+     * Creates {@code HttpHost} instance with the default scheme and port and the given inet
+     * address.
+     *
+     * @param address   the inet address.
+     *
+     * @since 4.3
+     */
+    public HttpHost(final InetAddress address) {
+    }
+
+    /**
+     * Copy constructor for {@link HttpHost HttpHost}.
+     *
+     * @param httphost the HTTP host to copy details from
+     */
+    public HttpHost (final HttpHost httphost) {
+    }
+
+    /**
+     * Returns the host name.
+     *
+     * @return the host name (IP or DNS name)
+     */
+    public String getHostName() {
+        return null;
+    }
+
+    /**
+     * Returns the port.
+     *
+     * @return the host port, or {@code -1} if not set
+     */
+    public int getPort() {
+        return 0;
+    }
+
+    /**
+     * Returns the scheme name.
+     *
+     * @return the scheme name
+     */
+    public String getSchemeName() {
+        return null;
+    }
+
+    /**
+     * Returns the inet address if explicitly set by a constructor,
+     *   {@code null} otherwise.
+     * @return the inet address
+     *
+     * @since 4.3
+     */
+    public InetAddress getAddress() {
+        return null;
+    }
+
+    /**
+     * Return the host URI, as a string.
+     *
+     * @return the host URI
+     */
+    public String toURI() {
+        return null;
+    }
+
+
+    /**
+     * Obtains the host string, without scheme prefix.
+     *
+     * @return  the host string, for example {@code localhost:8080}
+     */
+    public String toHostString() {
+        return null;
+    }
+
+
+    @Override
+    public String toString() {
+        return null;
+    }
+
+
+    @Override
+    public boolean equals(final Object obj) {
+        return false;
+    }
+
+    /**
+     * @see java.lang.Object#hashCode()
+     */
+    @Override
+    public int hashCode() {
+        return 0;
+    }
+
+    @Override
+    public Object clone() throws CloneNotSupportedException {
+        return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/annotation/Contract.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/annotation/Contract.java
new file mode 100644
index 00000000000..f268a145763
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/annotation/Contract.java
@@ -0,0 +1,45 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.annotation;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * This annotation defines behavioral contract enforced at runtime by instances of annotated classes.
+ */
+@Documented
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.CLASS)
+public @interface Contract {
+
+    ThreadingBehavior threading() default ThreadingBehavior.UNSAFE;
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/annotation/ThreadingBehavior.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/annotation/ThreadingBehavior.java
new file mode 100644
index 00000000000..55e80d59a13
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/annotation/ThreadingBehavior.java
@@ -0,0 +1,63 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.http.annotation;
+
+/**
+ Defines types of threading behavior enforced at runtime.
+ */
+public enum ThreadingBehavior {
+
+    /**
+     * Instances of classes with the given contract are expected to be fully immutable
+     * and thread-safe.
+     */
+    IMMUTABLE,
+
+    /**
+     * Instances of classes with the given contract are expected to be immutable if their
+     * dependencies injected at construction time are immutable and are expected to be thread-safe
+     * if their dependencies are thread-safe.
+     */
+    IMMUTABLE_CONDITIONAL,
+
+    /**
+     * Instances of classes with the given contract are expected to be fully thread-safe.
+     */
+    SAFE,
+
+    /**
+     * Instances of classes with the given contract are expected to be thread-safe if their
+     * dependencies injected at construction time are thread-safe.
+     */
+    SAFE_CONDITIONAL,
+
+    /**
+     * Instances of classes with the given contract are expected to be non thread-safe.
+     */
+    UNSAFE
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/config/RequestConfig.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/config/RequestConfig.java
new file mode 100644
index 00000000000..fb1037188fd
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/config/RequestConfig.java
@@ -0,0 +1,423 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.config;
+
+import java.net.InetAddress;
+import java.util.Collection;
+
+import org.apache.http.HttpHost;
+import org.apache.http.annotation.Contract;
+import org.apache.http.annotation.ThreadingBehavior;
+
+/**
+ *  Immutable class encapsulating request configuration items.
+ *  The default setting for stale connection checking changed
+ *  to false, and the feature was deprecated starting with version 4.4.
+ */
+@Contract(threading = ThreadingBehavior.IMMUTABLE)
+public class RequestConfig implements Cloneable {
+
+    public static final RequestConfig DEFAULT = null;
+
+    /**
+     * Intended for CDI compatibility
+    */
+    protected RequestConfig() {
+    }
+
+    RequestConfig(
+            final boolean expectContinueEnabled,
+            final HttpHost proxy,
+            final InetAddress localAddress,
+            final boolean staleConnectionCheckEnabled,
+            final String cookieSpec,
+            final boolean redirectsEnabled,
+            final boolean relativeRedirectsAllowed,
+            final boolean circularRedirectsAllowed,
+            final int maxRedirects,
+            final boolean authenticationEnabled,
+            final Collection<String> targetPreferredAuthSchemes,
+            final Collection<String> proxyPreferredAuthSchemes,
+            final int connectionRequestTimeout,
+            final int connectTimeout,
+            final int socketTimeout,
+            final boolean contentCompressionEnabled,
+            final boolean normalizeUri) {
+    }
+
+    /**
+     * Determines whether the 'Expect: 100-Continue' handshake is enabled
+     * for entity enclosing methods. The purpose of the 'Expect: 100-Continue'
+     * handshake is to allow a client that is sending a request message with
+     * a request body to determine if the origin server is willing to
+     * accept the request (based on the request headers) before the client
+     * sends the request body.
+     * <p>
+     * The use of the 'Expect: 100-continue' handshake can result in
+     * a noticeable performance improvement for entity enclosing requests
+     * (such as POST and PUT) that require the target server's
+     * authentication.
+     * </p>
+     * <p>
+     * 'Expect: 100-continue' handshake should be used with caution, as it
+     * may cause problems with HTTP servers and proxies that do not support
+     * HTTP/1.1 protocol.
+     * </p>
+     * <p>
+     * Default: {@code false}
+     * </p>
+     */
+    public boolean isExpectContinueEnabled() {
+        return false;
+    }
+
+    /**
+     * Returns HTTP proxy to be used for request execution.
+     * <p>
+     * Default: {@code null}
+     * </p>
+     */
+    public HttpHost getProxy() {
+        return null;
+    }
+
+    /**
+     * Returns local address to be used for request execution.
+     * <p>
+     * On machines with multiple network interfaces, this parameter
+     * can be used to select the network interface from which the
+     * connection originates.
+     * </p>
+     * <p>
+     * Default: {@code null}
+     * </p>
+     */
+    public InetAddress getLocalAddress() {
+        return null;
+    }
+
+    /**
+     * Determines whether stale connection check is to be used. The stale
+     * connection check can cause up to 30 millisecond overhead per request and
+     * should be used only when appropriate. For performance critical
+     * operations this check should be disabled.
+     * <p>
+     * Default: {@code false} since 4.4
+     * </p>
+     *
+     * @deprecated (4.4) Use {@link
+     *   org.apache.http.impl.conn.PoolingHttpClientConnectionManager#getValidateAfterInactivity()}
+     */
+    @Deprecated
+    public boolean isStaleConnectionCheckEnabled() {
+        return false;
+    }
+
+    /**
+     * Determines the name of the cookie specification to be used for HTTP state
+     * management.
+     * <p>
+     * Default: {@code null}
+     * </p>
+     */
+    public String getCookieSpec() {
+        return null;
+    }
+
+    /**
+     * Determines whether redirects should be handled automatically.
+     * <p>
+     * Default: {@code true}
+     * </p>
+     */
+    public boolean isRedirectsEnabled() {
+        return false;
+    }
+
+    /**
+     * Determines whether relative redirects should be rejected. HTTP specification
+     * requires the location value be an absolute URI.
+     * <p>
+     * Default: {@code true}
+     * </p>
+     */
+    public boolean isRelativeRedirectsAllowed() {
+        return false;
+    }
+
+    /**
+     * Determines whether circular redirects (redirects to the same location) should
+     * be allowed. The HTTP spec is not sufficiently clear whether circular redirects
+     * are permitted, therefore optionally they can be enabled
+     * <p>
+     * Default: {@code false}
+     * </p>
+     */
+    public boolean isCircularRedirectsAllowed() {
+        return false;
+    }
+
+    /**
+     * Returns the maximum number of redirects to be followed. The limit on number
+     * of redirects is intended to prevent infinite loops.
+     * <p>
+     * Default: {@code 50}
+     * </p>
+     */
+    public int getMaxRedirects() {
+        return 0;
+    }
+
+    /**
+     * Determines whether authentication should be handled automatically.
+     * <p>
+     * Default: {@code true}
+     * </p>
+     */
+    public boolean isAuthenticationEnabled() {
+        return false;
+    }
+
+    /**
+     * Determines the order of preference for supported authentication schemes
+     * when authenticating with the target host.
+     * <p>
+     * Default: {@code null}
+     * </p>
+     */
+    public Collection<String> getTargetPreferredAuthSchemes() {
+        return null;
+    }
+
+    /**
+     * Determines the order of preference for supported authentication schemes
+     * when authenticating with the proxy host.
+     * <p>
+     * Default: {@code null}
+     * </p>
+     */
+    public Collection<String> getProxyPreferredAuthSchemes() {
+        return null;
+    }
+
+    /**
+     * Returns the timeout in milliseconds used when requesting a connection
+     * from the connection manager.
+     * <p>
+     * A timeout value of zero is interpreted as an infinite timeout.
+     * A negative value is interpreted as undefined (system default if applicable).
+     * </p>
+     * <p>
+     * Default: {@code -1}
+     * </p>
+     */
+    public int getConnectionRequestTimeout() {
+        return 0;
+    }
+
+    /**
+     * Determines the timeout in milliseconds until a connection is established.
+     * <p>
+     * A timeout value of zero is interpreted as an infinite timeout.
+     * A negative value is interpreted as undefined (system default if applicable).
+     * </p>
+     * <p>
+     * Default: {@code -1}
+     * </p>
+     */
+    public int getConnectTimeout() {
+        return 0;
+    }
+
+    /**
+     * Defines the socket timeout ({@code SO_TIMEOUT}) in milliseconds,
+     * which is the timeout for waiting for data or, put differently,
+     * a maximum period inactivity between two consecutive data packets).
+     * <p>
+     * A timeout value of zero is interpreted as an infinite timeout.
+     * A negative value is interpreted as undefined (system default if applicable).
+     * </p>
+     * <p>
+     * Default: {@code -1}
+     * </p>
+     */
+    public int getSocketTimeout() {
+        return 0;
+    }
+
+    /**
+     * Determines whether compressed entities should be decompressed automatically.
+     * <p>
+     * Default: {@code true}
+     * </p>
+     *
+     * @since 4.4
+     * @deprecated (4.5) Use {@link #isContentCompressionEnabled()}
+     */
+    @Deprecated
+    public boolean isDecompressionEnabled() {
+        return false;
+    }
+
+    /**
+     * Determines whether the target server is requested to compress content.
+     * <p>
+     * Default: {@code true}
+     * </p>
+     *
+     * @since 4.5
+     */
+    public boolean isContentCompressionEnabled() {
+        return false;
+    }
+
+    /**
+     * Determines whether client should normalize URIs in requests or not.
+     * <p>
+     * Default: {@code true}
+     * </p>
+     *
+     * @since 4.5.8
+     */
+    public boolean isNormalizeUri() {
+        return false;
+    }
+
+    @Override
+    protected RequestConfig clone() throws CloneNotSupportedException {
+        return null;
+    }
+
+    @Override
+    public String toString() {
+        return null;
+    }
+
+    public static RequestConfig.Builder custom() {
+        return null;
+    }
+
+    @SuppressWarnings("deprecation")
+    public static RequestConfig.Builder copy(final RequestConfig config) {
+        return null;
+    }
+
+    public static class Builder {
+
+        Builder() {
+        }
+
+        public Builder setExpectContinueEnabled(final boolean expectContinueEnabled) {
+            return null;
+        }
+
+        public Builder setProxy(final HttpHost proxy) {
+            return null;
+        }
+
+        public Builder setLocalAddress(final InetAddress localAddress) {
+            return null;
+        }
+
+        /**
+         * @deprecated (4.4) Use {@link
+         *   org.apache.http.impl.conn.PoolingHttpClientConnectionManager#setValidateAfterInactivity(int)}
+         */
+        @Deprecated
+        public Builder setStaleConnectionCheckEnabled(final boolean staleConnectionCheckEnabled) {
+            return null;
+        }
+
+        public Builder setCookieSpec(final String cookieSpec) {
+            return null;
+        }
+
+        public Builder setRedirectsEnabled(final boolean redirectsEnabled) {
+            return null;
+        }
+
+        public Builder setRelativeRedirectsAllowed(final boolean relativeRedirectsAllowed) {
+            return null;
+        }
+
+        public Builder setCircularRedirectsAllowed(final boolean circularRedirectsAllowed) {
+            return null;
+        }
+
+        public Builder setMaxRedirects(final int maxRedirects) {
+            return null;
+        }
+
+        public Builder setAuthenticationEnabled(final boolean authenticationEnabled) {
+            return null;
+        }
+
+        public Builder setTargetPreferredAuthSchemes(final Collection<String> targetPreferredAuthSchemes) {
+            return null;
+        }
+
+        public Builder setProxyPreferredAuthSchemes(final Collection<String> proxyPreferredAuthSchemes) {
+            return null;
+        }
+
+        public Builder setConnectionRequestTimeout(final int connectionRequestTimeout) {
+            return null;
+        }
+
+        public Builder setConnectTimeout(final int connectTimeout) {
+            return null;
+        }
+
+        public Builder setSocketTimeout(final int socketTimeout) {
+            return null;
+        }
+
+        /**
+         * @deprecated (4.5) Set {@link #setContentCompressionEnabled(boolean)} to {@code false} and
+         * add the {@code Accept-Encoding} request header.
+         */
+        @Deprecated
+        public Builder setDecompressionEnabled(final boolean decompressionEnabled) {
+            return null;
+        }
+
+        public Builder setContentCompressionEnabled(final boolean contentCompressionEnabled) {
+            return null;
+        }
+
+        public Builder setNormalizeUri(final boolean normalizeUri) {
+            return null;
+        }
+
+        public RequestConfig build() {
+            return null;
+        }
+
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpDelete.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpDelete.java
new file mode 100644
index 00000000000..cde9b50443f
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpDelete.java
@@ -0,0 +1,69 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.methods;
+
+import java.net.URI;
+
+/**
+ * HTTP DELETE method
+ * <p>
+ * The HTTP DELETE method is defined in section 9.7 of
+ * <a href="http://www.ietf.org/rfc/rfc2616.txt">RFC2616</a>:
+ * <blockquote>
+ * The DELETE method requests that the origin server delete the resource
+ * identified by the Request-URI. [...] The client cannot
+ * be guaranteed that the operation has been carried out, even if the
+ * status code returned from the origin server indicates that the action
+ * has been completed successfully.
+ * </blockquote>
+ *
+ * @since 4.0
+ */
+public class HttpDelete extends HttpRequestBase {
+
+    public final static String METHOD_NAME = "DELETE";
+
+
+    public HttpDelete() {
+    }
+
+    public HttpDelete(final URI uri) {
+    }
+
+    /**
+     * @throws IllegalArgumentException if the uri is invalid.
+     */
+    public HttpDelete(final String uri) {
+    }
+
+    @Override
+    public String getMethod() {
+        return METHOD_NAME;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpHead.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpHead.java
new file mode 100644
index 00000000000..ad9cb1c19c6
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpHead.java
@@ -0,0 +1,72 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.methods;
+
+import java.net.URI;
+
+/**
+ * HTTP HEAD method.
+ * <p>
+ * The HTTP HEAD method is defined in section 9.4 of
+ * <a href="http://www.ietf.org/rfc/rfc2616.txt">RFC2616</a>:
+ * </p>
+ * <blockquote>
+ * The HEAD method is identical to GET except that the server MUST NOT
+ * return a message-body in the response. The metainformation contained
+ * in the HTTP headers in response to a HEAD request SHOULD be identical
+ * to the information sent in response to a GET request. This method can
+ * be used for obtaining metainformation about the entity implied by the
+ * request without transferring the entity-body itself. This method is
+ * often used for testing hypertext links for validity, accessibility,
+ * and recent modification.
+ * </blockquote>
+ *
+ * @since 4.0
+ */
+public class HttpHead extends HttpRequestBase {
+
+    public final static String METHOD_NAME = "HEAD";
+
+    public HttpHead() {
+    }
+
+    public HttpHead(final URI uri) {
+    }
+
+    /**
+     * @throws IllegalArgumentException if the uri is invalid.
+     */
+    public HttpHead(final String uri) {
+    }
+
+    @Override
+    public String getMethod() {
+        return METHOD_NAME;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpOptions.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpOptions.java
new file mode 100644
index 00000000000..078bacf8f7f
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpOptions.java
@@ -0,0 +1,82 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.methods;
+
+import java.net.URI;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.http.Header;
+import org.apache.http.HeaderElement;
+import org.apache.http.HeaderIterator;
+import org.apache.http.HttpResponse;
+import org.apache.http.util.Args;
+
+/**
+ * HTTP OPTIONS method.
+ * <p>
+ * The HTTP OPTIONS method is defined in section 9.2 of
+ * <a href="http://www.ietf.org/rfc/rfc2616.txt">RFC2616</a>:
+ * </p>
+ * <blockquote>
+ *  The OPTIONS method represents a request for information about the
+ *  communication options available on the request/response chain
+ *  identified by the Request-URI. This method allows the client to
+ *  determine the options and/or requirements associated with a resource,
+ *  or the capabilities of a server, without implying a resource action
+ *  or initiating a resource retrieval.
+ * </blockquote>
+ *
+ * @since 4.0
+ */
+public class HttpOptions extends HttpRequestBase {
+
+    public final static String METHOD_NAME = "OPTIONS";
+
+    public HttpOptions() {
+    }
+
+    public HttpOptions(final URI uri) {
+    }
+
+    /**
+     * @throws IllegalArgumentException if the uri is invalid.
+     */
+    public HttpOptions(final String uri) {
+    }
+
+    @Override
+    public String getMethod() {
+        return null;
+    }
+
+    public Set<String> getAllowedMethods(final HttpResponse response) {
+        return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpPatch.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpPatch.java
new file mode 100644
index 00000000000..6c4a26a76f9
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpPatch.java
@@ -0,0 +1,69 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.methods;
+
+import java.net.URI;
+
+/**
+ * HTTP PATCH method.
+ * <p>
+ * The HTTP PATCH method is defined in <a
+ * href="http://tools.ietf.org/html/rfc5789">RF5789</a>:
+ * </p>
+ * <blockquote> The PATCH
+ * method requests that a set of changes described in the request entity be
+ * applied to the resource identified by the Request- URI. Differs from the PUT
+ * method in the way the server processes the enclosed entity to modify the
+ * resource identified by the Request-URI. In a PUT request, the enclosed entity
+ * origin server, and the client is requesting that the stored version be
+ * replaced. With PATCH, however, the enclosed entity contains a set of
+ * instructions describing how a resource currently residing on the origin
+ * server should be modified to produce a new version.
+ * </blockquote>
+ *
+ * @since 4.2
+ */
+public class HttpPatch extends HttpEntityEnclosingRequestBase {
+
+    public final static String METHOD_NAME = "PATCH";
+
+    public HttpPatch() {
+    }
+
+    public HttpPatch(final URI uri) {
+    }
+
+    public HttpPatch(final String uri) {
+    }
+
+    @Override
+    public String getMethod() {
+        return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpTrace.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpTrace.java
new file mode 100644
index 00000000000..0860c8e3ec4
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpTrace.java
@@ -0,0 +1,71 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.methods;
+
+import java.net.URI;
+
+/**
+ * HTTP TRACE method.
+ * <p>
+ * The HTTP TRACE method is defined in section 9.6 of
+ * <a href="http://www.ietf.org/rfc/rfc2616.txt">RFC2616</a>:
+ * </p>
+ * <blockquote>
+ *  The TRACE method is used to invoke a remote, application-layer loop-
+ *  back of the request message. The final recipient of the request
+ *  SHOULD reflect the message received back to the client as the
+ *  entity-body of a 200 (OK) response. The final recipient is either the
+ *  origin server or the first proxy or gateway to receive a Max-Forwards
+ *  value of zero (0) in the request (see section 14.31). A TRACE request
+ *  MUST NOT include an entity.
+ * </blockquote>
+ *
+ * @since 4.0
+ */
+public class HttpTrace extends HttpRequestBase {
+
+    public final static String METHOD_NAME = "TRACE";
+
+    public HttpTrace() {
+    }
+
+    public HttpTrace(final URI uri) {
+    }
+
+    /**
+     * @throws IllegalArgumentException if the uri is invalid.
+     */
+    public HttpTrace(final String uri) {
+    }
+
+    @Override
+    public String getMethod() {
+        return METHOD_NAME;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpUriRequest.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpUriRequest.java
new file mode 100644
index 00000000000..56de260424a
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/HttpUriRequest.java
@@ -0,0 +1,85 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.methods;
+
+import java.net.URI;
+
+import org.apache.http.HttpRequest;
+
+/**
+ * Extended version of the {@link HttpRequest} interface that provides
+ * convenience methods to access request properties such as request URI
+ * and method type.
+ *
+ * @since 4.0
+ */
+public interface HttpUriRequest extends HttpRequest {
+
+    /**
+     * Returns the HTTP method this request uses, such as {@code GET},
+     * {@code PUT}, {@code POST}, or other.
+     */
+    String getMethod();
+
+    /**
+     * Returns the URI this request uses, such as
+     * {@code http://example.org/path/to/file}.
+     * <p>
+     * Note that the URI may be absolute URI (as above) or may be a relative URI.
+     * </p>
+     * <p>
+     * Implementations are encouraged to return
+     * the URI that was initially requested.
+     * </p>
+     * <p>
+     * To find the final URI after any redirects have been processed,
+     * please see the section entitled
+     * <a href="http://hc.apache.org/httpcomponents-client-ga/tutorial/html/fundamentals.html#d4e205">HTTP execution context</a>
+     * in the
+     * <a href="http://hc.apache.org/httpcomponents-client-ga/tutorial/html">HttpClient Tutorial</a>
+     * </p>
+     */
+    URI getURI();
+
+    /**
+     * Aborts execution of the request.
+     *
+     * @throws UnsupportedOperationException if the abort operation
+     *   is not supported / cannot be implemented.
+     */
+    void abort() throws UnsupportedOperationException;
+
+    /**
+     * Tests if the request execution has been aborted.
+     *
+     * @return {@code true} if the request execution has been aborted,
+     *   {@code false} otherwise.
+     */
+    boolean isAborted();
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/RequestBuilder.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/RequestBuilder.java
new file mode 100644
index 00000000000..b22b3e36733
--- /dev/null
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/client/methods/RequestBuilder.java
@@ -0,0 +1,369 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.client.methods;
+
+import java.net.URI;
+import java.nio.charset.Charset;
+import java.util.List;
+
+import org.apache.http.Header;
+import org.apache.http.HttpEntity;
+import org.apache.http.HttpEntityEnclosingRequest;
+import org.apache.http.HttpRequest;
+import org.apache.http.NameValuePair;
+import org.apache.http.ProtocolVersion;
+import org.apache.http.client.config.RequestConfig;
+
+/**
+ * Builder for {@link HttpUriRequest} instances.
+ * <p>
+ * Please note that this class treats parameters differently depending on composition
+ * of the request: if the request has a content entity explicitly set with
+ * {@link #setEntity(org.apache.http.HttpEntity)} or it is not an entity enclosing method
+ * (such as POST or PUT), parameters will be added to the query component of the request URI.
+ * Otherwise, parameters will be added as a URL encoded {@link UrlEncodedFormEntity entity}.
+ * </p>
+ *
+ * @since 4.3
+ */
+public class RequestBuilder {
+
+    RequestBuilder(final String method) {
+    }
+
+    RequestBuilder(final String method, final URI uri) {
+    }
+
+    RequestBuilder(final String method, final String uri) {
+    }
+
+    RequestBuilder() {
+    }
+
+    public static RequestBuilder create(final String method) {
+        return null;
+    }
+
+    public static RequestBuilder get() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder get(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder get(final String uri) {
+        return null;
+    }
+
+    public static RequestBuilder head() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder head(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder head(final String uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder patch() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder patch(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder patch(final String uri) {
+        return null;
+    }
+
+    public static RequestBuilder post() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder post(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder post(final String uri) {
+        return null;
+    }
+
+    public static RequestBuilder put() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder put(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder put(final String uri) {
+        return null;
+    }
+
+    public static RequestBuilder delete() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder delete(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder delete(final String uri) {
+        return null;
+    }
+
+    public static RequestBuilder trace() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder trace(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder trace(final String uri) {
+        return null;
+    }
+
+    public static RequestBuilder options() {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder options(final URI uri) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public static RequestBuilder options(final String uri) {
+        return null;
+    }
+
+    public static RequestBuilder copy(final HttpRequest request) {
+        return null;
+    }
+
+    private RequestBuilder doCopy(final HttpRequest request) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public RequestBuilder setCharset(final Charset charset) {
+        return null;
+    }
+
+    /**
+     * @since 4.4
+     */
+    public Charset getCharset() {
+        return null;
+    }
+
+    public String getMethod() {
+        return null;
+    }
+
+    public ProtocolVersion getVersion() {
+        return null;
+    }
+
+    public RequestBuilder setVersion(final ProtocolVersion version) {
+        return null;
+    }
+
+    public URI getUri() {
+        return null;
+    }
+
+    public RequestBuilder setUri(final URI uri) {
+        return null;
+    }
+
+    public RequestBuilder setUri(final String uri) {
+        return null;
+    }
+
+    public Header getFirstHeader(final String name) {
+        return null;
+    }
+
+    public Header getLastHeader(final String name) {
+        return null;
+    }
+
+    public Header[] getHeaders(final String name) {
+        return null;
+    }
+
+    public RequestBuilder addHeader(final Header header) {
+        return null;
+    }
+
+    public RequestBuilder addHeader(final String name, final String value) {
+        return null;
+    }
+
+    public RequestBuilder removeHeader(final Header header) {
+        return null;
+    }
+
+    public RequestBuilder removeHeaders(final String name) {
+        return null;
+    }
+
+    public RequestBuilder setHeader(final Header header) {
+        return null;
+    }
+
+    public RequestBuilder setHeader(final String name, final String value) {
+        return null;
+    }
+
+    public HttpEntity getEntity() {
+        return null;
+    }
+
+    public RequestBuilder setEntity(final HttpEntity entity) {
+        return null;
+    }
+
+    public List<NameValuePair> getParameters() {
+        return null;
+    }
+
+    public RequestBuilder addParameter(final NameValuePair nvp) {
+        return null;
+    }
+
+    public RequestBuilder addParameter(final String name, final String value) {
+        return null;
+    }
+
+    public RequestBuilder addParameters(final NameValuePair... nvps) {
+        return null;
+    }
+
+    public RequestConfig getConfig() {
+        return null;
+    }
+
+    public RequestBuilder setConfig(final RequestConfig config) {
+        return null;
+    }
+
+    public HttpUriRequest build() {
+        return null;
+    }
+
+    static class InternalRequest extends HttpRequestBase {
+
+        InternalRequest(final String method) {
+
+        }
+
+        @Override
+        public String getMethod() {
+            return null;
+        }
+
+    }
+
+    static class InternalEntityEclosingRequest extends HttpEntityEnclosingRequestBase {
+
+        InternalEntityEclosingRequest(final String method) {
+
+        }
+
+        @Override
+        public String getMethod() {
+            return null;
+        }
+
+    }
+
+    @Override
+    public String toString() {
+        return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/message/BasicHttpEntityEnclosingRequest.java b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/message/BasicHttpEntityEnclosingRequest.java
index 108518371a2..b9b0a4fd777 100644
--- a/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/message/BasicHttpEntityEnclosingRequest.java
+++ b/java/ql/test/stubs/apache-http-4.4.13/org/apache/http/message/BasicHttpEntityEnclosingRequest.java
@@ -43,7 +43,7 @@ import org.apache.http.RequestLine;
  * @author <a href="mailto:oleg at ural.ru">Oleg Kalnichevski</a>
  *
  * @version $Revision: 618017 $
- * 
+ *
  * @since 4.0
  *
  * @deprecated Please use {@link java.net.URL#openConnection} instead. Please
@@ -54,15 +54,15 @@ import org.apache.http.RequestLine;
 @Deprecated
 public class BasicHttpEntityEnclosingRequest extends BasicHttpRequest implements HttpEntityEnclosingRequest {
     public BasicHttpEntityEnclosingRequest(final String method, final String uri) {
-        super(method, uri);
+        super(null);
     }
 
     public BasicHttpEntityEnclosingRequest(final String method, final String uri, final ProtocolVersion ver) {
-        super(method, uri, ver);
+        super(null);
     }
 
     public BasicHttpEntityEnclosingRequest(final RequestLine requestline) {
-        super(requestline);
+        super(null);
     }
 
     public HttpEntity getEntity() {
diff --git a/java/ql/test/stubs/bsh-2.0b5/bsh/ConsoleInterface.java b/java/ql/test/stubs/bsh-2.0b5/bsh/ConsoleInterface.java
new file mode 100644
index 00000000000..e0f7f1db898
--- /dev/null
+++ b/java/ql/test/stubs/bsh-2.0b5/bsh/ConsoleInterface.java
@@ -0,0 +1,18 @@
+package bsh;
+
+import java.io.PrintStream;
+import java.io.Reader;
+
+public interface ConsoleInterface {
+    Reader getIn();
+
+    PrintStream getOut();
+
+    PrintStream getErr();
+
+    void println(Object var1);
+
+    void print(Object var1);
+
+    void error(Object var1);
+}
diff --git a/java/ql/test/stubs/bsh-2.0b5/bsh/EvalError.java b/java/ql/test/stubs/bsh-2.0b5/bsh/EvalError.java
new file mode 100644
index 00000000000..af995eb4c3e
--- /dev/null
+++ b/java/ql/test/stubs/bsh-2.0b5/bsh/EvalError.java
@@ -0,0 +1,5 @@
+package bsh;
+
+public class EvalError extends Exception {
+    
+}
diff --git a/java/ql/test/stubs/bsh-2.0b5/bsh/Interpreter.java b/java/ql/test/stubs/bsh-2.0b5/bsh/Interpreter.java
new file mode 100644
index 00000000000..47de8ee6402
--- /dev/null
+++ b/java/ql/test/stubs/bsh-2.0b5/bsh/Interpreter.java
@@ -0,0 +1,125 @@
+package bsh;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.FileReader;
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.ObjectInputStream;
+import java.io.PrintStream;
+import java.io.Reader;
+import java.io.Serializable;
+import java.io.StringReader;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+
+public class Interpreter implements Runnable, ConsoleInterface, Serializable {
+
+    public Interpreter(Reader in, PrintStream out, PrintStream err, boolean interactive, NameSpace namespace, Interpreter parent, String sourceFileInfo) { }
+
+    public Interpreter(Reader in, PrintStream out, PrintStream err, boolean interactive, NameSpace namespace) { }
+
+    public Interpreter(Reader in, PrintStream out, PrintStream err, boolean interactive) { }
+
+    public Interpreter(ConsoleInterface console, NameSpace globalNameSpace) { }
+
+    public Interpreter(ConsoleInterface console) { }
+
+    public Interpreter() { }
+
+    public void setConsole(ConsoleInterface console) { }
+
+    private void initRootSystemObject() { }
+
+    public void setNameSpace(NameSpace globalNameSpace) { }
+
+    public NameSpace getNameSpace() {
+        return null;
+    }
+
+    public static void main(String[] args) { }
+
+    public static void invokeMain(Class clas, String[] args) throws Exception { }
+
+    public void run() { }
+
+    public Object source(String filename, NameSpace nameSpace) throws FileNotFoundException, IOException, EvalError {
+        return null;
+    }
+
+    public Object source(String filename) throws FileNotFoundException, IOException, EvalError {
+        return null;
+    }
+
+    public Object eval(Reader in, NameSpace nameSpace, String sourceFileInfo) throws EvalError {
+        return null;
+    }
+
+    public Object eval(Reader in) throws EvalError {
+        return null;
+    }
+
+    public Object eval(String statements) throws EvalError {
+        return null;
+    }
+
+    public Object eval(String statements, NameSpace nameSpace) throws EvalError {
+        return null;
+    }
+
+    private String showEvalString(String s) {
+        return null;
+    }
+
+    public final void error(Object o) { }
+
+    public Reader getIn() {
+        return null;
+    }
+
+    public PrintStream getOut() {
+        return null;
+    }
+
+    public PrintStream getErr() {
+        return null;
+    }
+
+    public final void println(Object o) { }
+
+    public final void print(Object o) { }
+
+    public static final void debug(String s) { }
+
+    public Object get(String name) throws EvalError {
+        return null;
+    }
+
+    Object getu(String name) {
+        return null;
+    }
+
+    public void set(String name, Object value) throws EvalError { }
+
+    void setu(String name, Object value) { }
+
+    public void set(String name, long value) throws EvalError { }
+
+    public void set(String name, int value) throws EvalError { }
+
+    public void set(String name, double value) throws EvalError { }
+
+    public void set(String name, float value) throws EvalError { }
+
+    public void set(String name, boolean value) throws EvalError { }
+
+    public void unset(String name) throws EvalError { }
+
+    public Object getInterface(Class interf) throws EvalError {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/bsh-2.0b5/bsh/NameSpace.java b/java/ql/test/stubs/bsh-2.0b5/bsh/NameSpace.java
new file mode 100644
index 00000000000..b803c48d01b
--- /dev/null
+++ b/java/ql/test/stubs/bsh-2.0b5/bsh/NameSpace.java
@@ -0,0 +1,7 @@
+package bsh;
+
+import java.io.Serializable;
+
+public class NameSpace implements Serializable {
+
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/types/AnyNode.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/types/AnyNode.java
new file mode 100644
index 00000000000..f29270d2521
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/types/AnyNode.java
@@ -0,0 +1,11 @@
+package org.exolab.castor.types;
+
+import java.io.Serializable;
+
+public final class AnyNode implements Serializable {
+
+    private static final long serialVersionUID = -4104117996051705975L;
+
+    public AnyNode() { }
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/EventProducer.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/EventProducer.java
new file mode 100644
index 00000000000..08893c95a48
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/EventProducer.java
@@ -0,0 +1,12 @@
+package org.exolab.castor.xml;
+
+import org.xml.sax.DocumentHandler;
+import org.xml.sax.SAXException;
+
+/** @deprecated */
+public interface EventProducer {
+    void setDocumentHandler(DocumentHandler var1);
+
+    void start() throws SAXException;
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventAndErrorProducer.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventAndErrorProducer.java
new file mode 100644
index 00000000000..77978b53f01
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventAndErrorProducer.java
@@ -0,0 +1,8 @@
+package org.exolab.castor.xml;
+
+import org.xml.sax.ErrorHandler;
+
+public interface SAX2EventAndErrorProducer extends SAX2EventProducer {
+    void setErrorHandler(ErrorHandler var1);
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventProducer.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventProducer.java
new file mode 100644
index 00000000000..66b2cf8259f
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/SAX2EventProducer.java
@@ -0,0 +1,11 @@
+package org.exolab.castor.xml;
+
+import org.xml.sax.ContentHandler;
+import org.xml.sax.SAXException;
+
+public interface SAX2EventProducer {
+    void setContentHandler(ContentHandler var1);
+
+    void start() throws SAXException;
+}
+
diff --git a/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/Unmarshaller.java b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/Unmarshaller.java
new file mode 100644
index 00000000000..cc76c2c5e6a
--- /dev/null
+++ b/java/ql/test/stubs/castor-1.4.1/org/exolab/castor/xml/Unmarshaller.java
@@ -0,0 +1,74 @@
+package org.exolab.castor.xml;
+
+import java.io.Reader;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.Source;
+import org.exolab.castor.types.AnyNode;
+import org.w3c.dom.Node;
+import org.xml.sax.InputSource;
+import org.xml.sax.Parser;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+
+public class Unmarshaller {
+
+    public Unmarshaller() { }
+
+    public Object unmarshal(Reader reader) {
+        return null;
+    }
+
+    public Object unmarshal(EventProducer eventProducer) {
+        return null;
+    }
+
+    public Object unmarshal(SAX2EventProducer eventProducer) {
+        return null;
+    }
+
+    public Object unmarshal(AnyNode anyNode) {
+        return null;
+    }
+
+    public Object unmarshal(InputSource source) {
+        return null;
+    }
+
+    public Object unmarshal(Node node) {
+        return null;
+    }
+
+    public Object unmarshal(XMLEventReader eventReader) {
+        return null;
+    }
+
+    public Object unmarshal(XMLStreamReader streamReader) {
+        return null;
+    }
+
+    public Object unmarshal(SAX2EventAndErrorProducer eventProducer) {
+        return null;
+    }
+
+    public Object unmarshal(Source source) {
+        return null;
+    }
+
+    public static Object unmarshal(Class c, Reader reader) {
+        return null;
+    }
+
+    private static Unmarshaller createUnmarshaller(Class clazz) {
+        return null;
+    }
+
+    public static Object unmarshal(Class c, InputSource source) {
+        return null;
+    }
+
+    public static Object unmarshal(Class c, Node node) {
+        return null;
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractBurlapInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractBurlapInput.java
new file mode 100644
index 00000000000..9bf1892ea5b
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractBurlapInput.java
@@ -0,0 +1,9 @@
+package com.caucho.burlap.io;
+
+import com.caucho.hessian.io.AbstractHessianInput;
+
+public abstract class AbstractBurlapInput extends AbstractHessianInput {
+    public AbstractBurlapInput() {
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractHessianInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractHessianInput.java
new file mode 100644
index 00000000000..aff9f533850
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractHessianInput.java
@@ -0,0 +1,110 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import org.w3c.dom.Node;
+
+public abstract class AbstractHessianInput {
+
+    public AbstractHessianInput() {
+    }
+
+    public void init(InputStream is) {
+    }
+
+    public abstract String getMethod();
+
+    public void setSerializerFactory(SerializerFactory ser) {
+    }
+
+    public abstract int readCall() throws IOException;
+
+    public void skipOptionalCall() throws IOException {
+    }
+
+    public abstract String readHeader() throws IOException;
+
+    public abstract String readMethod() throws IOException;
+
+    public int readMethodArgLength() throws IOException {
+        return -1;
+    }
+
+    public abstract void startCall() throws IOException;
+
+    public abstract void completeCall() throws IOException;
+
+    public abstract Object readReply(Class var1) throws Throwable;
+
+    public abstract void startReply() throws Throwable;
+
+    public void startReplyBody() throws Throwable {
+    }
+
+    public abstract void completeReply() throws IOException;
+
+    public abstract boolean readBoolean() throws IOException;
+
+    public abstract void readNull() throws IOException;
+
+    public abstract int readInt() throws IOException;
+
+    public abstract long readLong() throws IOException;
+
+    public abstract double readDouble() throws IOException;
+
+    public abstract long readUTCDate() throws IOException;
+
+    public abstract String readString() throws IOException;
+
+    public Node readNode() throws IOException {
+        return null;
+    }
+
+    public abstract Reader getReader() throws IOException;
+
+    public abstract InputStream readInputStream() throws IOException;
+
+    public boolean readToOutputStream(OutputStream os) throws IOException {
+        return true;
+    }
+
+    public abstract byte[] readBytes() throws IOException;
+
+    public abstract Object readObject(Class var1) throws IOException;
+
+    public abstract Object readObject() throws IOException;
+
+    public abstract Object readRemote() throws IOException;
+
+    public abstract Object readRef() throws IOException;
+
+    public abstract int addRef(Object var1) throws IOException;
+
+    public abstract void setRef(int var1, Object var2) throws IOException;
+
+    public void resetReferences() {
+    }
+
+    public abstract int readListStart() throws IOException;
+
+    public abstract int readLength() throws IOException;
+
+    public abstract int readMapStart() throws IOException;
+
+    public abstract String readType() throws IOException;
+
+    public abstract boolean isEnd() throws IOException;
+
+    public abstract void readEnd() throws IOException;
+
+    public abstract void readMapEnd() throws IOException;
+
+    public abstract void readListEnd() throws IOException;
+
+    public void close() throws IOException {
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractSerializerFactory.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractSerializerFactory.java
new file mode 100644
index 00000000000..d4bc523ec87
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/AbstractSerializerFactory.java
@@ -0,0 +1,11 @@
+package com.caucho.hessian.io;
+
+public abstract class AbstractSerializerFactory {
+    public AbstractSerializerFactory() {
+    }
+
+    public abstract Serializer getSerializer(Class var1) throws HessianProtocolException;
+
+    public abstract Deserializer getDeserializer(Class var1) throws HessianProtocolException;
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/BurlapInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/BurlapInput.java
new file mode 100644
index 00000000000..ec02d2f302b
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/BurlapInput.java
@@ -0,0 +1,274 @@
+package com.caucho.burlap.io;
+
+import com.caucho.hessian.io.SerializerFactory;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.TimeZone;
+import org.w3c.dom.Node;
+
+public class BurlapInput extends AbstractBurlapInput {
+
+    public BurlapInput() { }
+
+    public BurlapInput(InputStream is) { }
+
+    public void setSerializerFactory(SerializerFactory factory) { }
+
+    public SerializerFactory getSerializerFactory() {
+        return null;
+    }
+
+    public void init(InputStream is) { }
+
+    public String getMethod() {
+        return null;
+    }
+
+    public Throwable getReplyFault() {
+        return null;
+    }
+
+    public void startCall() throws IOException { }
+
+    public int readCall() throws IOException {
+        return 1;
+    }
+
+    public String readMethod() throws IOException {
+        return null;
+    }
+
+    public void completeCall() throws IOException { }
+
+    public Object readReply(Class expectedClass) throws Throwable {
+        return null;
+    }
+
+    public void startReply() throws Throwable { }
+
+    private Throwable prepareFault() throws IOException {
+        return null;
+    }
+
+    public void completeReply() throws IOException { }
+
+    public String readHeader() throws IOException {
+        return null;
+    }
+
+    public void readNull() throws IOException { }
+
+    public boolean readBoolean() throws IOException {
+        return true;
+    }
+
+    public byte readByte() throws IOException {
+        return 1;
+    }
+
+    public short readShort() throws IOException {
+        return 1;
+    }
+
+    public int readInt() throws IOException {
+        return 1;
+    }
+
+    public long readLong() throws IOException {
+        return 1L;
+    }
+
+    public float readFloat() throws IOException {
+        return 1.1F;
+    }
+
+    public double readDouble() throws IOException {
+        return 1.1;
+    }
+
+    public long readUTCDate() throws IOException {
+        return 1L;
+    }
+
+    public long readLocalDate() throws IOException {
+        return 1L;
+    }
+
+    public String readString() throws IOException {
+        return null;
+    }
+
+    public Node readNode() throws IOException {
+        return null;
+    }
+
+    public byte[] readBytes() throws IOException {
+        return null;
+    }
+
+    public int readLength() throws IOException {
+        return 1;
+    }
+
+    private HashMap readFault() throws IOException {
+        return null;
+    }
+
+    public Object readObject(Class cl) throws IOException {
+        return null;
+    }
+
+    public Object readObject() throws IOException {
+        return null;
+    }
+
+    public Object readRemote() throws IOException {
+        return null;
+    }
+
+    public Object readRef() throws IOException {
+        return null;
+    }
+
+    public int readListStart() throws IOException {
+        return 1;
+    }
+
+    public int readMapStart() throws IOException {
+        return 1;
+    }
+
+    public boolean isEnd() throws IOException {
+        return true;
+    }
+
+    public void readEnd() throws IOException { }
+
+    public void readMapEnd() throws IOException { }
+
+    public void readListEnd() throws IOException { }
+
+    public int addRef(Object ref) {
+        return 1;
+    }
+
+    public void setRef(int i, Object ref) { }
+
+    public Object resolveRemote(String type, String url) throws IOException {
+        return null;
+    }
+
+    public String readType() throws IOException {
+        return null;
+    }
+
+    private int parseInt() throws IOException {
+        return 1;
+    }
+
+    private long parseLong() throws IOException {
+        return 1L;
+    }
+
+    private double parseDouble() throws IOException {
+        return 1.1;
+    }
+
+    protected long parseDate() throws IOException {
+        return 1L;
+    }
+
+    protected long parseDate(Calendar calendar) throws IOException {
+        return 1L;
+    }
+
+    protected String parseString() throws IOException {
+        return null;
+    }
+
+    protected StringBuffer parseString(StringBuffer sbuf) throws IOException {
+        return null;
+    }
+
+    Node parseXML() throws IOException {
+        return null;
+    }
+
+    int readChar() throws IOException {
+        return 1;
+    }
+
+    protected byte[] parseBytes() throws IOException {
+        return null;
+    }
+
+    protected ByteArrayOutputStream parseBytes(ByteArrayOutputStream bos) throws IOException {
+        return null;
+    }
+
+    public void expectTag(int expectTag) throws IOException { }
+
+    protected int parseTag() throws IOException {
+        return 1;
+    }
+
+    private boolean isTagChar(int ch) {
+        return true;
+    }
+
+    protected int skipWhitespace() throws IOException {
+        return 1;
+    }
+
+    protected boolean isWhitespace(int ch) throws IOException {
+        return true;
+    }
+
+    int read(byte[] buffer, int offset, int length) throws IOException {
+        return 1;
+    }
+
+    int read() throws IOException {
+        return 1;
+    }
+
+    public Reader getReader() {
+        return null;
+    }
+
+    public InputStream readInputStream() {
+        return null;
+    }
+
+    public InputStream getInputStream() {
+        return null;
+    }
+
+    protected IOException expectBeginTag(String expect, String tag) {
+        return null;
+    }
+
+    protected IOException expectedChar(String expect, int ch) {
+        return null;
+    }
+
+    protected IOException expectedTag(String expect, int tag) {
+        return null;
+    }
+
+    protected IOException error(String message) {
+        return null;
+    }
+
+    protected static String tagName(int tag) {
+        return null;
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Deserializer.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Deserializer.java
new file mode 100644
index 00000000000..2a96e53c397
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Deserializer.java
@@ -0,0 +1,26 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public interface Deserializer {
+    Class<?> getType();
+
+    boolean isReadResolve();
+
+    Object readObject(AbstractHessianInput var1) throws IOException;
+
+    Object readList(AbstractHessianInput var1, int var2) throws IOException;
+
+    Object readLengthList(AbstractHessianInput var1, int var2) throws IOException;
+
+    Object readMap(AbstractHessianInput var1) throws IOException;
+
+    Object[] createFields(int var1);
+
+    Object createField(String var1);
+
+    Object readObject(AbstractHessianInput var1, Object[] var2) throws IOException;
+
+    Object readObject(AbstractHessianInput var1, String[] var2) throws IOException;
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/HessianProtocolException.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/HessianProtocolException.java
new file mode 100644
index 00000000000..173d5876c03
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/HessianProtocolException.java
@@ -0,0 +1,24 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public class HessianProtocolException extends IOException {
+
+    public HessianProtocolException() {
+    }
+
+    public HessianProtocolException(String message) { }
+
+    public HessianProtocolException(String message, Throwable rootCause) { }
+
+    public HessianProtocolException(Throwable rootCause) { }
+
+    public Throwable getRootCause() {
+        return null;
+    }
+
+    public Throwable getCause() {
+        return null;
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Serializer.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Serializer.java
new file mode 100644
index 00000000000..fbd3f5bc9c8
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/Serializer.java
@@ -0,0 +1,8 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public interface Serializer {
+
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/SerializerFactory.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/SerializerFactory.java
new file mode 100644
index 00000000000..96716eca3ae
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/burlap/io/SerializerFactory.java
@@ -0,0 +1,12 @@
+package com.caucho.hessian.io;
+
+public class SerializerFactory extends AbstractSerializerFactory {
+
+   public Serializer getSerializer(Class cl) throws HessianProtocolException {
+       return null;
+   }
+
+   public Deserializer getDeserializer(Class cl) throws HessianProtocolException {
+       return null;
+   }
+}
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/AbstractHessianInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/AbstractHessianInput.java
new file mode 100644
index 00000000000..4b9d3b7ad44
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/AbstractHessianInput.java
@@ -0,0 +1,111 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+
+public abstract class AbstractHessianInput {
+
+    public AbstractHessianInput() {
+    }
+
+    public void init(InputStream is) {
+    }
+
+    public abstract String getMethod();
+
+    public void setRemoteResolver(HessianRemoteResolver resolver) { }
+
+    public HessianRemoteResolver getRemoteResolver() {
+        return null;
+    }
+
+    public void setSerializerFactory(SerializerFactory ser) {
+    }
+
+    public abstract int readCall() throws IOException;
+
+    public void skipOptionalCall() throws IOException {
+    }
+
+    public abstract String readHeader() throws IOException;
+
+    public abstract String readMethod() throws IOException;
+
+    public int readMethodArgLength() throws IOException {
+        return -1;
+    }
+
+    public abstract void startCall() throws IOException;
+
+    public abstract void completeCall() throws IOException;
+
+    public abstract Object readReply(Class var1) throws Throwable;
+
+    public abstract void startReply() throws Throwable;
+
+    public void startReplyBody() throws Throwable {
+    }
+
+    public abstract void completeReply() throws IOException;
+
+    public abstract boolean readBoolean() throws IOException;
+
+    public abstract void readNull() throws IOException;
+
+    public abstract int readInt() throws IOException;
+
+    public abstract long readLong() throws IOException;
+
+    public abstract double readDouble() throws IOException;
+
+    public abstract long readUTCDate() throws IOException;
+
+    public abstract String readString() throws IOException;
+
+    public abstract Reader getReader() throws IOException;
+
+    public abstract InputStream readInputStream() throws IOException;
+
+    public boolean readToOutputStream(OutputStream os) throws IOException {
+        return true;
+    }
+
+    public abstract byte[] readBytes() throws IOException;
+
+    public abstract Object readObject(Class var1) throws IOException;
+
+    public abstract Object readObject() throws IOException;
+
+    public abstract Object readRemote() throws IOException;
+
+    public abstract Object readRef() throws IOException;
+
+    public abstract int addRef(Object var1) throws IOException;
+
+    public abstract void setRef(int var1, Object var2) throws IOException;
+
+    public void resetReferences() {
+    }
+
+    public abstract int readListStart() throws IOException;
+
+    public abstract int readLength() throws IOException;
+
+    public abstract int readMapStart() throws IOException;
+
+    public abstract String readType() throws IOException;
+
+    public abstract boolean isEnd() throws IOException;
+
+    public abstract void readEnd() throws IOException;
+
+    public abstract void readMapEnd() throws IOException;
+
+    public abstract void readListEnd() throws IOException;
+
+    public void close() throws IOException {
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/Hessian2Input.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/Hessian2Input.java
new file mode 100644
index 00000000000..1ed011945e1
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/Hessian2Input.java
@@ -0,0 +1,297 @@
+package com.caucho.hessian.io;
+
+import java.io.ByteArrayOutputStream;
+import java.io.EOFException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+public class Hessian2Input extends AbstractHessianInput {
+
+    public Hessian2Input() { }
+
+    public Hessian2Input(InputStream is) { }
+
+    public String getMethod() {
+        return null;
+    }
+
+    public Throwable getReplyFault() {
+        return null;
+    }
+
+    public int readCall() throws IOException {
+        return 1;
+    }
+
+    public int readEnvelope() throws IOException {
+        return 1;
+    }
+
+    public void completeEnvelope() throws IOException { }
+
+    public String readMethod() throws IOException {
+        return null;
+    }
+
+    public int readMethodArgLength() throws IOException {
+        return 1;
+    }
+
+    public void startCall() throws IOException { }
+
+    public Object[] readArguments() throws IOException {
+        return null;
+    }
+
+    public void completeCall() throws IOException { }
+
+    public Object readReply(Class expectedClass) throws Throwable {
+        return null;
+    }
+
+    public void startReply() throws Throwable { }
+
+    private Throwable prepareFault(HashMap fault) throws IOException {
+        return null;
+    }
+
+    public void completeReply() throws IOException { }
+
+    public void completeValueReply() throws IOException { }
+
+    public String readHeader() throws IOException {
+        return null;
+    }
+
+    public int startMessage() throws IOException {
+        return 1;
+    }
+
+    public void completeMessage() throws IOException { }
+
+    public void readNull() throws IOException { }
+
+    public boolean readBoolean() throws IOException {
+        return true;
+    }
+
+    public short readShort() throws IOException {
+        return 11111;
+    }
+
+    public final int readInt() throws IOException {
+        return 1;
+    }
+
+    public long readLong() throws IOException {
+        return 1L;
+    }
+
+    public float readFloat() throws IOException {
+        return 1.1F;
+    }
+
+    public double readDouble() throws IOException {
+        return 1.1;
+    }
+
+    public long readUTCDate() throws IOException {
+        return 1L;
+    }
+
+    public int readChar() throws IOException {
+        return 1;
+    }
+
+    public int readString(char[] buffer, int offset, int length) throws IOException {
+        return 1;
+    }
+
+    public String readString() throws IOException {
+        return null;
+    }
+
+    public byte[] readBytes() throws IOException {
+        return null;
+    }
+
+    public int readByte() throws IOException {
+        return 1;
+    }
+
+    public int readBytes(byte[] buffer, int offset, int length) throws IOException {
+        return 1;
+    }
+
+    private HashMap readFault() throws IOException {
+        return null;
+    }
+
+    public Object readObject(Class cl) throws IOException {
+        return null;
+    }
+
+    public Object readObject() throws IOException {
+        return null;
+    }
+
+    private void readObjectDefinition(Class<?> cl) throws IOException { }
+
+    private Object readObjectInstance(Class<?> cl, Hessian2Input.ObjectDefinition def) throws IOException {
+        return null;
+    }
+
+    public Object readRemote() throws IOException {
+        return null;
+    }
+
+    public Object readRef() throws IOException {
+        return null;
+    }
+
+    public int readListStart() throws IOException {
+        return 1;
+    }
+
+    public int readMapStart() throws IOException {
+        return 1;
+    }
+
+    public boolean isEnd() throws IOException {
+        return true;
+    }
+
+    public void readEnd() throws IOException { }
+
+    public void readMapEnd() throws IOException { }
+
+    public void readListEnd() throws IOException { }
+
+    public int addRef(Object ref) {
+        return 1;
+    }
+
+    public void setRef(int i, Object ref) { }
+
+    public void resetReferences() { }
+
+    public void reset() { }
+
+    public void resetBuffer() { }
+
+    public Object readStreamingObject() throws IOException {
+        return null;
+    }
+
+    public Object resolveRemote(String type, String url) throws IOException {
+        return null;
+    }
+
+    public String readType() throws IOException {
+        return null;
+    }
+
+    public int readLength() throws IOException {
+        return 1;
+    }
+
+    private int parseInt() throws IOException {
+        return 1;
+    }
+
+    private long parseLong() throws IOException {
+        return 1L;
+    }
+
+    private double parseDouble() throws IOException {
+        return 1.1;
+    }
+
+    private void parseString(StringBuilder sbuf) throws IOException { }
+
+    private int parseChar() throws IOException {
+        return 1;
+    }
+
+    private boolean parseChunkLength() throws IOException {
+        return true;
+    }
+
+    private int parseUTF8Char() throws IOException {
+        return 1;
+    }
+
+    private int parseByte() throws IOException {
+        return 1;
+    }
+
+    public InputStream readInputStream() throws IOException {
+        return null;
+    }
+
+    int read(byte[] buffer, int offset, int length) throws IOException {
+        return 1;
+    }
+
+    public final int read() throws IOException {
+        return 1;
+    }
+
+    protected void unread() { }
+
+    private final boolean readBuffer() throws IOException {
+        return true;
+    }
+
+    public Reader getReader() {
+        return null;
+    }
+
+    protected IOException expect(String expect, int ch) throws IOException {
+        return null;
+    }
+
+    private String buildDebugContext(byte[] buffer, int offset, int length, int errorOffset) {
+        return null;
+    }
+
+    private void addDebugChar(StringBuilder sb, int ch) { }
+
+    protected String codeName(int ch) {
+        return null;
+    }
+
+    protected IOException error(String message) {
+        return null;
+    }
+
+    public void free() { }
+
+    public void close() throws IOException { }
+
+    static final class ObjectDefinition {
+    }
+
+    class ReadInputStream extends InputStream {
+
+        ReadInputStream() { }
+
+        public int read() throws IOException {
+            return 1;
+        }
+
+        public int read(byte[] buffer, int offset, int length) throws IOException {
+            return 1;
+        }
+
+        public void close() throws IOException { }
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianInput.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianInput.java
new file mode 100644
index 00000000000..e10a11ad706
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianInput.java
@@ -0,0 +1,229 @@
+package com.caucho.hessian.io;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.lang.reflect.Field;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+
+public class HessianInput extends AbstractHessianInput {
+
+    public HessianInput() {
+    }
+
+    public HessianInput(InputStream is) { }
+
+    public void init(InputStream is) { }
+
+    public String getMethod() {
+        return null;
+    }
+
+    public Throwable getReplyFault() {
+        return null;
+    }
+
+    public int readCall() throws IOException {
+        return 0;
+    }
+
+    public void skipOptionalCall() throws IOException { }
+
+    public String readMethod() throws IOException {
+        return null;
+    }
+
+    public void startCall() throws IOException { }
+
+    public void completeCall() throws IOException { }
+
+    public Object readReply(Class expectedClass) throws Throwable {
+        return null;
+    }
+
+    public void startReply() throws Throwable { }
+
+    public void startReplyBody() throws Throwable { }
+
+    private Throwable prepareFault() throws IOException {
+        return null;
+    }
+
+    public void completeReply() throws IOException { }
+
+    public void completeValueReply() throws IOException { }
+
+    public String readHeader() throws IOException {
+        return null;
+    }
+
+    public void readNull() throws IOException { }
+
+    public boolean readBoolean() throws IOException {
+        return true;
+    }
+
+    public short readShort() throws IOException {
+        return 11111;
+    }
+
+    public int readInt() throws IOException {
+        return 1;
+    }
+
+    public long readLong() throws IOException {
+        return 1L;
+    }
+
+    public float readFloat() throws IOException {
+        return 1.1F;
+    }
+
+    public double readDouble() throws IOException {
+        return 1.1;
+    }
+
+    public long readUTCDate() throws IOException {
+        return 1L;
+    }
+
+    public int readChar() throws IOException {
+        return 1;
+    }
+
+    public int readString(char[] buffer, int offset, int length) throws IOException {
+        return 1;
+    }
+
+    public String readString() throws IOException {
+        return null;
+    }
+
+    public byte[] readBytes() throws IOException {
+        return null;
+    }
+
+    public int readByte() throws IOException {
+        return 1;
+    }
+
+    public int readBytes(byte[] buffer, int offset, int length) throws IOException {
+        return 1;
+    }
+
+    private HashMap readFault() throws IOException {
+        return null;
+    }
+
+    public Object readObject(Class cl) throws IOException {
+        return null;
+    }
+
+    public Object readObject() throws IOException {
+        return null;
+    }
+
+    public Object readRemote() throws IOException {
+        return null;
+    }
+
+    public Object readRef() throws IOException {
+        return null;
+    }
+
+    public int readListStart() throws IOException {
+        return 1;
+    }
+
+    public int readMapStart() throws IOException {
+        return 1;
+    }
+
+    public boolean isEnd() throws IOException {
+        return true;
+    }
+
+    public void readEnd() throws IOException { }
+
+    public void readMapEnd() throws IOException { }
+
+    public void readListEnd() throws IOException { }
+
+    public int addRef(Object ref) {
+        return 1;
+    }
+
+    public void setRef(int i, Object ref) { }
+
+    public void resetReferences() { }
+
+    public Object resolveRemote(String type, String url) throws IOException {
+        return null;
+    }
+
+    public String readType() throws IOException {
+        return null;
+    }
+
+    public int readLength() throws IOException {
+        return 1;
+    }
+
+    private int parseInt() throws IOException {
+        return 1;
+    }
+
+    private long parseLong() throws IOException {
+        return 1L;
+    }
+
+    private double parseDouble() throws IOException {
+        return 1.1;
+    }
+
+    private int parseChar() throws IOException {
+        return 1;
+    }
+
+    private int parseUTF8Char() throws IOException {
+        return 1;
+    }
+
+    private int parseByte() throws IOException {
+        return 1;
+    }
+
+    public InputStream readInputStream() throws IOException {
+        return null;
+    }
+
+    int read(byte[] buffer, int offset, int length) throws IOException {
+        return 1;
+    }
+
+    final int read() throws IOException {
+        return 1;
+    }
+
+    public void close() { }
+
+    public Reader getReader() {
+        return null;
+    }
+
+    protected IOException expect(String expect, int ch) {
+        return null;
+    }
+
+    protected String codeName(int ch) {
+        return null;
+    }
+
+    protected IOException error(String message) {
+        return null;
+    }
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianRemoteResolver.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianRemoteResolver.java
new file mode 100644
index 00000000000..3a6b7f86604
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/HessianRemoteResolver.java
@@ -0,0 +1,8 @@
+package com.caucho.hessian.io;
+
+import java.io.IOException;
+
+public interface HessianRemoteResolver {
+    Object lookup(String var1, String var2) throws IOException;
+}
+
diff --git a/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/SerializerFactory.java b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/SerializerFactory.java
new file mode 100644
index 00000000000..2e87899e6dd
--- /dev/null
+++ b/java/ql/test/stubs/hessian-4.0.38/com/caucho/hessian/io/SerializerFactory.java
@@ -0,0 +1,5 @@
+package com.caucho.hessian.io;
+
+public class SerializerFactory {
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java
new file mode 100644
index 00000000000..9d0e62bf127
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2012, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface BeanParam {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java
new file mode 100644
index 00000000000..9aef14670fd
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface Consumes {
+    String[] value() default "*/*";
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java
new file mode 100644
index 00000000000..d8c9ced5ae0
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface CookieParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java
new file mode 100644
index 00000000000..a0db648c970
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface DELETE {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java
new file mode 100644
index 00000000000..f811e756462
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface FormParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java
new file mode 100644
index 00000000000..da2fae0883d
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface GET {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java
new file mode 100644
index 00000000000..300d85bdd06
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface HEAD {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java
new file mode 100644
index 00000000000..4d91be981d3
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface HeaderParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java
new file mode 100644
index 00000000000..193fdaccfae
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface MatrixParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java
new file mode 100644
index 00000000000..6f796d32300
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface OPTIONS {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java
new file mode 100644
index 00000000000..b7069865714
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface POST {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java
new file mode 100644
index 00000000000..68f6ecfc66e
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface PUT {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java
new file mode 100644
index 00000000000..506a7140d27
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface Path {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java
new file mode 100644
index 00000000000..cf363361b48
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface PathParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java
new file mode 100644
index 00000000000..2cf426effaa
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface Produces {
+    String[] value() default "*/*";
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java
new file mode 100644
index 00000000000..81b2143902a
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface QueryParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java
new file mode 100644
index 00000000000..87b2ac266ae
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.client;
+import java.net.URI;
+import javax.ws.rs.core.Configurable;
+import javax.ws.rs.core.Link;
+import javax.ws.rs.core.UriBuilder;
+// import javax.net.ssl.HostnameVerifier;
+// import javax.net.ssl.SSLContext;
+
+public interface Client extends Configurable<Client> {
+    public void close();
+
+    public WebTarget target(String uri);
+
+    public WebTarget target(URI uri);
+
+    public WebTarget target(UriBuilder uriBuilder);
+
+    public WebTarget target(Link link);
+
+    // public Invocation.Builder invocation(Link link);
+
+    // public SSLContext getSslContext();
+
+    // public HostnameVerifier getHostnameVerifier();
+
+}
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/ClientBuilder.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/ClientBuilder.java
similarity index 100%
rename from java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/ClientBuilder.java
rename to java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/ClientBuilder.java
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/WebTarget.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/WebTarget.java
similarity index 100%
rename from java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/WebTarget.java
rename to java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/WebTarget.java
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java
new file mode 100644
index 00000000000..99b50cd9f99
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2012, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class AbstractMultivaluedMap<K, V> implements MultivaluedMap<K, V> {
+    public AbstractMultivaluedMap(Map<K, List<V>> store) {
+    }
+
+    @Override
+    public final void putSingle(K key, V value) {
+    }
+
+    @Override
+    public final void add(K key, V value) {
+    }
+
+    @Override
+    public final void addAll(K key, V... newValues) {
+    }
+
+    @Override
+    public final void addAll(K key, List<V> valueList) {
+    }
+
+    @Override
+    public final V getFirst(K key) {
+      return null;
+    }
+
+    @Override
+    public final void addFirst(K key, V value) {
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+      return false;
+    }
+
+    @Override
+    public Collection<List<V>> values() {
+      return null;
+    }
+
+    @Override
+    public int size() {
+      return 0;
+    }
+
+    @Override
+    public List<V> remove(Object key) {
+      return null;
+    }
+
+    @Override
+    public void putAll(Map<? extends K, ? extends List<V>> m) {
+    }
+
+    @Override
+    public List<V> put(K key, List<V> value) {
+      return null;
+    }
+
+    @Override
+    public Set<K> keySet() {
+      return null;
+    }
+
+    @Override
+    public boolean isEmpty() {
+      return false;
+    }
+
+    @Override
+    public List<V> get(Object key) {
+      return null;
+    }
+
+    @Override
+    public Set<Entry<K, List<V>>> entrySet() {
+      return null;
+    }
+
+    @Override
+    public boolean containsValue(Object value) {
+      return false;
+    }
+
+    @Override
+    public boolean containsKey(Object key) {
+      return false;
+    }
+
+    @Override
+    public void clear() {
+    }
+
+    @Override
+    public boolean equalsIgnoreValueOrder(MultivaluedMap<K, V> omap) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java
new file mode 100644
index 00000000000..21f6f14b343
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public class CacheControl {
+    public CacheControl() {
+    }
+
+    public static CacheControl valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isMustRevalidate() {
+      return false;
+    }
+
+    public void setMustRevalidate(final boolean mustRevalidate) {
+    }
+
+    public boolean isProxyRevalidate() {
+      return false;
+    }
+
+    public void setProxyRevalidate(final boolean proxyRevalidate) {
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public void setMaxAge(final int maxAge) {
+    }
+
+    public int getSMaxAge() {
+      return 0;
+    }
+
+    public void setSMaxAge(final int sMaxAge) {
+    }
+
+    public List<String> getNoCacheFields() {
+      return null;
+    }
+
+    public void setNoCache(final boolean noCache) {
+    }
+
+    public boolean isNoCache() {
+      return false;
+    }
+
+    public boolean isPrivate() {
+      return false;
+    }
+
+    public List<String> getPrivateFields() {
+      return null;
+    }
+
+    public void setPrivate(final boolean flag) {
+    }
+
+    public boolean isNoTransform() {
+      return false;
+    }
+
+    public void setNoTransform(final boolean noTransform) {
+    }
+
+    public boolean isNoStore() {
+      return false;
+    }
+
+    public void setNoStore(final boolean noStore) {
+    }
+
+    public Map<String, String> getCacheExtension() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java
new file mode 100644
index 00000000000..fdf0a85e55e
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Map;
+
+public interface Configurable<C extends Configurable> {
+    // public Configuration getConfiguration();
+
+    public C property(String name, Object value);
+
+    public C register(Class<?> componentClass);
+
+    public C register(Class<?> componentClass, int priority);
+
+    public C register(Class<?> componentClass, Class<?>... contracts);
+
+    public C register(Class<?> componentClass, Map<Class<?>, Integer> contracts);
+
+    public C register(Object component);
+
+    public C register(Object component, int priority);
+
+    public C register(Object component, Class<?>... contracts);
+
+    public C register(Object component, Map<Class<?>, Integer> contracts);
+
+}
diff --git a/java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configuration.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configuration.java
similarity index 100%
rename from java/ql/test/experimental/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configuration.java
rename to java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configuration.java
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java
new file mode 100644
index 00000000000..765e0bb7301
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public @interface Context {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java
new file mode 100644
index 00000000000..7d69fb2bf9a
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class Cookie {
+    public Cookie(final String name, final String value, final String path, final String domain, final int version)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value, final String path, final String domain)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value)
+            throws IllegalArgumentException {
+    }
+
+    public static Cookie valueOf(final String value) {
+      return null;
+    }
+
+    public String getName() {
+      return null;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    public int getVersion() {
+      return 0;
+    }
+
+    public String getDomain() {
+      return null;
+    }
+
+    public String getPath() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java
new file mode 100644
index 00000000000..7d21487c774
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class EntityTag {
+    public EntityTag(final String value) {
+    }
+
+    public EntityTag(final String value, final boolean weak) {
+    }
+
+    public static EntityTag valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isWeak() {
+      return false;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java
new file mode 100644
index 00000000000..e14c6f30b13
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class Form {
+    public Form() {
+    }
+
+    public Form(final String parameterName, final String parameterValue) {
+    }
+
+    public Form(final MultivaluedMap<String, String> store) {
+    }
+
+    public Form param(final String name, final String value) {
+      return null;
+    }
+
+    public MultivaluedMap<String, String> asMap() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java
new file mode 100644
index 00000000000..b3ea7c8553f
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Copyright (c) 2006 Google Inc.
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package javax.ws.rs.core;
+import java.lang.reflect.Type;
+
+public class GenericEntity<T> {
+    public GenericEntity(final T entity, final Type genericType) {
+    }
+
+    public final Class<?> getRawType() {
+      return null;
+    }
+
+    public final Type getType() {
+      return null;
+    }
+
+    public final T getEntity() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java
new file mode 100644
index 00000000000..f375bcb2a9a
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+public interface HttpHeaders {
+    public List<String> getRequestHeader(String name);
+
+    public String getHeaderString(String name);
+
+    public MultivaluedMap<String, String> getRequestHeaders();
+
+    public List<MediaType> getAcceptableMediaTypes();
+
+    public List<Locale> getAcceptableLanguages();
+
+    public MediaType getMediaType();
+
+    public Locale getLanguage();
+
+    public Map<String, Cookie> getCookies();
+
+    public Date getDate();
+
+    public int getLength();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java
new file mode 100644
index 00000000000..d6586ecb759
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+// import javax.xml.bind.annotation.adapters.XmlAdapter;
+// import javax.xml.namespace.QName;
+
+public abstract class Link {
+    public abstract URI getUri();
+
+    public abstract UriBuilder getUriBuilder();
+
+    public abstract String getRel();
+
+    public abstract List<String> getRels();
+
+    public abstract String getTitle();
+
+    public abstract String getType();
+
+    public abstract Map<String, String> getParams();
+
+    @Override
+    public abstract String toString();
+
+    public static Link valueOf(String value) {
+      return null;
+    }
+
+    public static Builder fromUri(URI uri) {
+      return null;
+    }
+
+    public static Builder fromUri(String uri) {
+      return null;
+    }
+
+    public static Builder fromUriBuilder(UriBuilder uriBuilder) {
+      return null;
+    }
+
+    public static Builder fromLink(Link link) {
+      return null;
+    }
+
+    public static Builder fromPath(String path) {
+      return null;
+    }
+
+    public static Builder fromResource(Class<?> resource) {
+      return null;
+    }
+
+    public static Builder fromMethod(Class<?> resource, String method) {
+      return null;
+    }
+
+    public interface Builder {
+        public Builder link(Link link);
+
+        public Builder link(String link);
+
+        public Builder uri(URI uri);
+
+        public Builder uri(String uri);
+
+        public Builder baseUri(URI uri);
+
+        public Builder baseUri(String uri);
+
+        public Builder uriBuilder(UriBuilder uriBuilder);
+
+        public Builder rel(String rel);
+
+        public Builder title(String title);
+
+        public Builder type(String type);
+
+        public Builder param(String name, String value);
+
+        public Link build(Object... values);
+
+        public Link buildRelativized(URI uri, Object... values);
+
+    }
+    public static class JaxbLink {
+        public JaxbLink() {
+        }
+
+        public JaxbLink(URI uri) {
+        }
+
+        // public JaxbLink(URI uri, Map<QName, Object> params) {
+        // }
+
+        public URI getUri() {
+          return null;
+        }
+
+        // public Map<QName, Object> getParams() {
+        //   return null;
+        // }
+
+        @Override
+        public boolean equals(Object o) {
+          return false;
+        }
+
+        @Override
+        public int hashCode() {
+          return 0;
+        }
+
+    }
+    // public static class JaxbAdapter extends XmlAdapter<JaxbLink, Link> {
+    //     @Override
+    //     public Link unmarshal(JaxbLink v) {
+    //       return null;
+    //     }
+
+    //     @Override
+    //     public JaxbLink marshal(Link v) {
+    //       return null;
+    //     }
+
+    // }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java
new file mode 100644
index 00000000000..7a026fa016a
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Map;
+
+public class MediaType {
+    public final static MediaType WILDCARD_TYPE = new MediaType();
+
+    public final static MediaType APPLICATION_XML_TYPE = new MediaType("application", "xml");
+
+    public final static MediaType APPLICATION_ATOM_XML_TYPE = new MediaType("application", "atom+xml");
+
+    public final static MediaType APPLICATION_XHTML_XML_TYPE = new MediaType("application", "xhtml+xml");
+
+    public final static MediaType APPLICATION_SVG_XML_TYPE = new MediaType("application", "svg+xml");
+
+    public final static MediaType APPLICATION_JSON_TYPE = new MediaType("application", "json");
+
+    public final static MediaType APPLICATION_FORM_URLENCODED_TYPE = new MediaType("application", "x-www-form-urlencoded");
+
+    public final static MediaType MULTIPART_FORM_DATA_TYPE = new MediaType("multipart", "form-data");
+
+    public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream");
+
+    public final static String TEXT_PLAIN = "text/plain";
+
+    public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain");
+
+    public final static String TEXT_XML = "text/xml";
+    
+    public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml");
+
+    public final static String TEXT_HTML = "text/html";
+
+    public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html");
+
+    public static final MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream");
+
+    public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = new MediaType("application", "json-patch+json");
+
+    public static MediaType valueOf(String type){
+      return null;
+    }
+
+    public MediaType(String type, String subtype, Map<String, String> parameters) {
+    }
+
+    public MediaType(String type, String subtype) {
+    }
+
+    public MediaType(String type, String subtype, String charset) {
+    }
+
+    public MediaType() {
+    }
+
+    public String getType() {
+      return null;
+    }
+
+    public boolean isWildcardType() {
+      return false;
+    }
+
+    public String getSubtype() {
+      return null;
+    }
+
+    public boolean isWildcardSubtype() {
+      return false;
+    }
+
+    public Map<String, String> getParameters() {
+      return null;
+    }
+
+    public MediaType withCharset(String charset) {
+      return null;
+    }
+
+    public boolean isCompatible(MediaType other) {
+      return false;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java
new file mode 100644
index 00000000000..b545e5f8577
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class MultivaluedHashMap<K, V> extends AbstractMultivaluedMap<K, V> implements Serializable {
+    // public MultivaluedHashMap() {
+    // }
+
+    // public MultivaluedHashMap(int initialCapacity) {
+    // }
+
+    // public MultivaluedHashMap(int initialCapacity, float loadFactor) {
+    // }
+
+    public MultivaluedHashMap(MultivaluedMap<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+    public MultivaluedHashMap(Map<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java
new file mode 100644
index 00000000000..e34f32328cc
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public interface MultivaluedMap<K, V> extends Map<K, List<V>> {
+    void putSingle(K key, V value);
+
+    void add(K key, V value);
+
+    V getFirst(K key);
+
+    void addAll(K key, V... newValues);
+
+    void addAll(K key, List<V> valueList);
+
+    void addFirst(K key, V value);
+
+    boolean equalsIgnoreValueOrder(MultivaluedMap<K, V> otherMap);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java
new file mode 100644
index 00000000000..570757baf23
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Date;
+
+public class NewCookie extends Cookie {
+    public NewCookie(String name, String value) {
+      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     String comment,
+                     int maxAge,
+                     boolean secure) {
+                      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     String comment,
+                     int maxAge,
+                     boolean secure,
+                     boolean httpOnly) {
+                      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     int version,
+                     String comment,
+                     int maxAge,
+                     boolean secure) {
+                      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     int version,
+                     String comment,
+                     int maxAge,
+                     Date expiry,
+                     boolean secure,
+                     boolean httpOnly) {
+                      super("", "");
+    }
+
+    public NewCookie(Cookie cookie) {
+      super("", "");
+    }
+
+    public NewCookie(Cookie cookie, String comment, int maxAge, boolean secure) {
+      super("", "");
+    }
+
+    public NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly) {
+      super("", "");
+    }
+
+    public static NewCookie valueOf(String value) {
+      return null;
+    }
+
+    public String getComment() {
+      return null;
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public Date getExpiry() {
+      return null;
+    }
+
+    public boolean isSecure() {
+      return false;
+    }
+
+    public boolean isHttpOnly() {
+      return false;
+    }
+
+    public Cookie toCookie() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java
new file mode 100644
index 00000000000..b34e059e68e
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public interface PathSegment {
+    String getPath();
+
+    MultivaluedMap<String, String> getMatrixParameters();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java
new file mode 100644
index 00000000000..a0e6b700c86
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java
@@ -0,0 +1,285 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.lang.annotation.Annotation;
+import java.net.URI;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class Response implements AutoCloseable {
+    public abstract int getStatus();
+
+    public abstract StatusType getStatusInfo();
+
+    public abstract Object getEntity();
+
+    public abstract <T> T readEntity(Class<T> entityType);
+
+    // public abstract <T> T readEntity(GenericType<T> entityType);
+
+    public abstract <T> T readEntity(Class<T> entityType, Annotation[] annotations);
+
+    // public abstract <T> T readEntity(GenericType<T> entityType, Annotation[] annotations);
+
+    public abstract boolean hasEntity();
+
+    public abstract boolean bufferEntity();
+
+    @Override
+    public abstract void close();
+
+    public abstract MediaType getMediaType();
+
+    public abstract Locale getLanguage();
+
+    public abstract int getLength();
+
+    public abstract Set<String> getAllowedMethods();
+
+    // public abstract Map<String, NewCookie> getCookies();
+
+    // public abstract EntityTag getEntityTag();
+
+    public abstract Date getDate();
+
+    public abstract Date getLastModified();
+
+    public abstract URI getLocation();
+
+    // public abstract Set<Link> getLinks();
+
+    public abstract boolean hasLink(String relation);
+
+    // public abstract Link getLink(String relation);
+
+    // public abstract Link.Builder getLinkBuilder(String relation);
+
+    public abstract MultivaluedMap<String, Object> getMetadata();
+
+    public MultivaluedMap<String, Object> getHeaders() {
+      return null;
+    }
+
+    public abstract MultivaluedMap<String, String> getStringHeaders();
+
+    public abstract String getHeaderString(String name);
+
+    public static ResponseBuilder fromResponse(Response response) {
+      return null;
+    }
+
+    public static ResponseBuilder status(StatusType status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(Status status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(int status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(int status, String reasonPhrase) {
+      return null;
+    }
+
+    public static ResponseBuilder ok() {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity, MediaType type) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity, String type) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity, Variant variant) {
+      return null;
+    }
+
+    public static ResponseBuilder serverError() {
+      return null;
+    }
+
+    public static ResponseBuilder created(URI location) {
+      return null;
+    }
+
+    public static ResponseBuilder accepted() {
+      return null;
+    }
+
+    public static ResponseBuilder accepted(Object entity) {
+      return null;
+    }
+
+    public static ResponseBuilder noContent() {
+      return null;
+    }
+
+    public static ResponseBuilder notModified() {
+      return null;
+    }
+
+    // public static ResponseBuilder notModified(EntityTag tag) {
+    //   return null;
+    // }
+
+    public static ResponseBuilder notModified(String tag) {
+      return null;
+    }
+
+    public static ResponseBuilder seeOther(URI location) {
+      return null;
+    }
+
+    public static ResponseBuilder temporaryRedirect(URI location) {
+      return null;
+    }
+
+    // public static ResponseBuilder notAcceptable(List<Variant> variants) {
+    //   return null;
+    // }
+
+    public static abstract class ResponseBuilder {
+        public abstract Response build();
+
+        @Override
+        public abstract ResponseBuilder clone();
+
+        public abstract ResponseBuilder status(int status);
+
+        public abstract ResponseBuilder status(int status, String reasonPhrase);
+
+        public ResponseBuilder status(StatusType status) {
+          return null;
+        }
+
+        public ResponseBuilder status(Status status) {
+          return null;
+        }
+
+        public abstract ResponseBuilder entity(Object entity);
+
+        public abstract ResponseBuilder entity(Object entity, Annotation[] annotations);
+
+        public abstract ResponseBuilder allow(String... methods);
+
+        public abstract ResponseBuilder allow(Set<String> methods);
+
+        public abstract ResponseBuilder cacheControl(CacheControl cacheControl);
+
+        public abstract ResponseBuilder encoding(String encoding);
+
+        public abstract ResponseBuilder header(String name, Object value);
+
+        public abstract ResponseBuilder replaceAll(MultivaluedMap<String, Object> headers);
+
+        public abstract ResponseBuilder language(String language);
+
+        public abstract ResponseBuilder language(Locale language);
+
+        public abstract ResponseBuilder type(MediaType type);
+
+        public abstract ResponseBuilder type(String type);
+
+        public abstract ResponseBuilder variant(Variant variant);
+
+        public abstract ResponseBuilder contentLocation(URI location);
+
+        public abstract ResponseBuilder cookie(NewCookie... cookies);
+
+        public abstract ResponseBuilder expires(Date expires);
+
+        public abstract ResponseBuilder lastModified(Date lastModified);
+
+        public abstract ResponseBuilder location(URI location);
+
+        public abstract ResponseBuilder tag(EntityTag tag);
+
+        public abstract ResponseBuilder tag(String tag);
+
+        public abstract ResponseBuilder variants(Variant... variants);
+
+        public abstract ResponseBuilder variants(List<Variant> variants);
+
+        public abstract ResponseBuilder links(Link... links);
+
+        public abstract ResponseBuilder link(URI uri, String rel);
+
+        public abstract ResponseBuilder link(String uri, String rel);
+
+    }
+    public interface StatusType {
+        public int getStatusCode();
+
+        public Status.Family getFamily();
+
+        public String getReasonPhrase();
+
+        public default Status toEnum() {
+          return null;
+        }
+
+    }
+    public enum Status implements StatusType {
+        DUMMY_STATUS;
+
+        public enum Family {
+            DUMMY_FAMILY;
+
+            public static Family familyOf(final int statusCode) {
+              return null;
+            }
+
+        }
+        @Override
+        public Family getFamily() {
+          return null;
+        }
+
+        @Override
+        public int getStatusCode() {
+          return 0;
+        }
+
+        @Override
+        public String getReasonPhrase() {
+          return null;
+        }
+
+        @Override
+        public String toString() {
+          return null;
+        }
+
+        public static Status fromStatusCode(final int statusCode) {
+          return null;
+        }
+
+    }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java
new file mode 100644
index 00000000000..0a5685c32c0
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.Map;
+
+public abstract class UriBuilder {
+    public static UriBuilder fromUri(URI uri) {
+      return null;
+    }
+
+    public static UriBuilder fromUri(String uriTemplate) {
+      return null;
+    }
+
+    public static UriBuilder fromLink(Link link) {
+      return null;
+    }
+
+    public static UriBuilder fromPath(String path) throws IllegalArgumentException {
+      return null;
+    }
+
+    public static UriBuilder fromResource(Class<?> resource) {
+      return null;
+    }
+
+    public static UriBuilder fromMethod(Class<?> resource, String method) {
+      return null;
+    }
+
+    @Override
+    public abstract UriBuilder clone();
+
+    public abstract UriBuilder uri(URI uri);
+
+    public abstract UriBuilder uri(String uriTemplate);
+
+    public abstract UriBuilder scheme(String scheme);
+
+    public abstract UriBuilder schemeSpecificPart(String ssp);
+
+    public abstract UriBuilder userInfo(String ui);
+
+    public abstract UriBuilder host(String host);
+
+    public abstract UriBuilder port(int port);
+
+    public abstract UriBuilder replacePath(String path);
+
+    public abstract UriBuilder path(String path);
+
+    public abstract UriBuilder path(Class resource);
+
+    public abstract UriBuilder path(Class resource, String method);
+
+    public abstract UriBuilder path(Method method);
+
+    public abstract UriBuilder segment(String... segments);
+
+    public abstract UriBuilder replaceMatrix(String matrix);
+
+    public abstract UriBuilder matrixParam(String name, Object... values);
+
+    public abstract UriBuilder replaceMatrixParam(String name, Object... values);
+
+    public abstract UriBuilder replaceQuery(String query);
+
+    public abstract UriBuilder queryParam(String name, Object... values);
+
+    public abstract UriBuilder replaceQueryParam(String name, Object... values);
+
+    public abstract UriBuilder fragment(String fragment);
+
+    public abstract UriBuilder resolveTemplate(String name, Object value);
+
+    public abstract UriBuilder resolveTemplate(String name, Object value, boolean encodeSlashInPath);
+
+    public abstract UriBuilder resolveTemplateFromEncoded(String name, Object value);
+
+    public abstract UriBuilder resolveTemplates(Map<String, Object> templateValues);
+
+    public abstract UriBuilder resolveTemplates(Map<String, Object> templateValues, boolean encodeSlashInPath)
+            throws IllegalArgumentException;
+
+    public abstract UriBuilder resolveTemplatesFromEncoded(Map<String, Object> templateValues);
+
+    public abstract URI buildFromMap(Map<String, ?> values);
+
+    public abstract URI buildFromMap(Map<String, ?> values, boolean encodeSlashInPath)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI buildFromEncodedMap(Map<String, ?> values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI build(Object... values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI build(Object[] values, boolean encodeSlashInPath)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI buildFromEncoded(Object... values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract String toTemplate();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java
new file mode 100644
index 00000000000..05f6ad1a4bc
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class UriBuilderException extends java.lang.RuntimeException {
+    public UriBuilderException() {
+    }
+
+    public UriBuilderException(String msg) {
+    }
+
+    public UriBuilderException(String msg, Throwable cause) {
+    }
+
+    public UriBuilderException(Throwable cause) {
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java
new file mode 100644
index 00000000000..9903e7f6b97
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+
+public interface UriInfo {
+    public String getPath();
+
+    public String getPath(boolean decode);
+
+    public List<PathSegment> getPathSegments();
+
+    public List<PathSegment> getPathSegments(boolean decode);
+
+    public URI getRequestUri();
+
+    public UriBuilder getRequestUriBuilder();
+
+    public URI getAbsolutePath();
+
+    public UriBuilder getAbsolutePathBuilder();
+
+    public URI getBaseUri();
+
+    public UriBuilder getBaseUriBuilder();
+
+    public MultivaluedMap<String, String> getPathParameters();
+
+    public MultivaluedMap<String, String> getPathParameters(boolean decode);
+
+    public MultivaluedMap<String, String> getQueryParameters();
+
+    public MultivaluedMap<String, String> getQueryParameters(boolean decode);
+
+    public List<String> getMatchedURIs();
+
+    public List<String> getMatchedURIs(boolean decode);
+
+    public List<Object> getMatchedResources();
+
+    public URI resolve(URI uri);
+
+    public URI relativize(URI uri);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java
new file mode 100644
index 00000000000..59aa203d67f
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Locale;
+
+public class Variant {
+    public Variant(MediaType mediaType, String language, String encoding) {
+    }
+
+    public Variant(MediaType mediaType, String language, String country, String encoding) {
+    }
+
+    public Variant(MediaType mediaType, String language, String country, String languageVariant, String encoding) {
+    }
+
+    public Variant(MediaType mediaType, Locale language, String encoding) {
+    }
+
+    public Locale getLanguage() {
+      return null;
+    }
+
+    public String getLanguageString() {
+      return null;
+    }
+
+    public MediaType getMediaType() {
+      return null;
+    }
+
+    public String getEncoding() {
+      return null;
+    }
+
+    public static VariantListBuilder mediaTypes(MediaType... mediaTypes) {
+      return null;
+    }
+
+    public static VariantListBuilder languages(Locale... languages) {
+      return null;
+    }
+
+    public static VariantListBuilder encodings(String... encodings) {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    public static abstract class VariantListBuilder {
+        public static VariantListBuilder newInstance() {
+          return null;
+        }
+
+        public abstract List<Variant> build();
+
+        public abstract VariantListBuilder add();
+
+        public abstract VariantListBuilder languages(Locale... languages);
+
+        public abstract VariantListBuilder encodings(String... encodings);
+
+        public abstract VariantListBuilder mediaTypes(MediaType... mediaTypes);
+
+    }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java
new file mode 100644
index 00000000000..5d590ace407
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.ext;
+import java.io.InputStream;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+
+public interface MessageBodyReader<T> {
+    public boolean isReadable(Class<?> type, Type genericType,
+                              Annotation[] annotations, MediaType mediaType);
+
+    public T readFrom(Class<T> type, Type genericType,
+                      Annotation[] annotations, MediaType mediaType,
+                      MultivaluedMap<String, String> httpHeaders,
+                      InputStream entityStream) throws java.io.IOException /*, javax.ws.rs.WebApplicationException */;
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java
new file mode 100644
index 00000000000..a98eeaf615c
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface BeanParam {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java
new file mode 100644
index 00000000000..9fbebafe020
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface Consumes {
+    String[] value() default "*/*";
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java
new file mode 100644
index 00000000000..a9d28569904
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface CookieParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java
new file mode 100644
index 00000000000..4295e567f88
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface DELETE {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java
new file mode 100644
index 00000000000..173c5b5def3
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface FormParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java
new file mode 100644
index 00000000000..d42fd28595c
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface GET {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java
new file mode 100644
index 00000000000..72a6bd34e81
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface HEAD {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java
new file mode 100644
index 00000000000..3fb97bb4d16
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface HeaderParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java
new file mode 100644
index 00000000000..2a5d855ae7f
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface MatrixParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java
new file mode 100644
index 00000000000..82067e5e3da
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface OPTIONS {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java
new file mode 100644
index 00000000000..95bfc315d48
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface POST {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java
new file mode 100644
index 00000000000..4f16d5174ea
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface PUT {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java
new file mode 100644
index 00000000000..2874d78ddfe
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface Path {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java
new file mode 100644
index 00000000000..9cd934afccf
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface PathParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java
new file mode 100644
index 00000000000..6c85c91a83c
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface Produces {
+    String[] value() default "*/*";
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java
new file mode 100644
index 00000000000..b64e357c028
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java
@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface QueryParam {
+    String value();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java
new file mode 100644
index 00000000000..f09cb7606c9
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.client;
+import java.net.URI;
+// import javax.net.ssl.HostnameVerifier;
+// import javax.net.ssl.SSLContext;
+import jakarta.ws.rs.core.Configurable;
+import jakarta.ws.rs.core.Link;
+import jakarta.ws.rs.core.UriBuilder;
+
+public interface Client extends Configurable<Client> {
+    public void close();
+
+    public WebTarget target(String uri);
+
+    public WebTarget target(URI uri);
+
+    public WebTarget target(UriBuilder uriBuilder);
+
+    public WebTarget target(Link link);
+
+    // public Invocation.Builder invocation(Link link);
+
+    // public SSLContext getSslContext();
+
+    // public HostnameVerifier getHostnameVerifier();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/ClientBuilder.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/ClientBuilder.java
new file mode 100644
index 00000000000..0d775f55738
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/ClientBuilder.java
@@ -0,0 +1,19 @@
+package jakarta.ws.rs.client;
+
+public abstract class ClientBuilder implements jakarta.ws.rs.core.Configurable {
+
+    protected ClientBuilder() {
+    }
+
+    public static jakarta.ws.rs.client.ClientBuilder newBuilder() {
+        return null;
+    }
+
+    public static jakarta.ws.rs.client.Client newClient() {
+        return null;
+    }
+
+    public static jakarta.ws.rs.client.Client newClient(jakarta.ws.rs.core.Configuration configuration) {
+        return null;
+    }
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/WebTarget.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/WebTarget.java
new file mode 100644
index 00000000000..9b309cd8e50
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/WebTarget.java
@@ -0,0 +1,4 @@
+package jakarta.ws.rs.client;
+
+public abstract interface WebTarget extends jakarta.ws.rs.core.Configurable {
+}
\ No newline at end of file
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java
new file mode 100644
index 00000000000..5af9c11cac3
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java
@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.io.Serializable;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class AbstractMultivaluedMap<K, V> implements MultivaluedMap<K, V>, Serializable {
+    public AbstractMultivaluedMap(final Map<K, List<V>> store) {
+    }
+
+    @Override
+    public final void putSingle(final K key, final V value) {
+    }
+
+    @Override
+    public final void add(final K key, final V value) {
+    }
+
+    @Override
+    public final void addAll(final K key, final V... newValues) {
+    }
+
+    @Override
+    public final void addAll(final K key, final List<V> valueList) {
+    }
+
+    @Override
+    public final V getFirst(final K key) {
+      return null;
+    }
+
+    @Override
+    public final void addFirst(final K key, final V value) {
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object o) {
+      return false;
+    }
+
+    @Override
+    public Collection<List<V>> values() {
+      return null;
+    }
+
+    @Override
+    public int size() {
+      return 0;
+    }
+
+    @Override
+    public List<V> remove(final Object key) {
+      return null;
+    }
+
+    @Override
+    public void putAll(final Map<? extends K, ? extends List<V>> m) {
+    }
+
+    @Override
+    public List<V> put(final K key, final List<V> value) {
+      return null;
+    }
+
+    @Override
+    public Set<K> keySet() {
+      return null;
+    }
+
+    @Override
+    public boolean isEmpty() {
+      return false;
+    }
+
+    @Override
+    public List<V> get(final Object key) {
+      return null;
+    }
+
+    @Override
+    public Set<Entry<K, List<V>>> entrySet() {
+      return null;
+    }
+
+    @Override
+    public boolean containsValue(final Object value) {
+      return false;
+    }
+
+    @Override
+    public boolean containsKey(final Object key) {
+      return false;
+    }
+
+    @Override
+    public void clear() {
+    }
+
+    @Override
+    public boolean equalsIgnoreValueOrder(final MultivaluedMap<K, V> omap) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java
new file mode 100644
index 00000000000..2e8134e6d57
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public class CacheControl {
+    public CacheControl() {
+    }
+
+    public static CacheControl valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isMustRevalidate() {
+      return false;
+    }
+
+    public void setMustRevalidate(final boolean mustRevalidate) {
+    }
+
+    public boolean isProxyRevalidate() {
+      return false;
+    }
+
+    public void setProxyRevalidate(final boolean proxyRevalidate) {
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public void setMaxAge(final int maxAge) {
+    }
+
+    public int getSMaxAge() {
+      return 0;
+    }
+
+    public void setSMaxAge(final int sMaxAge) {
+    }
+
+    public List<String> getNoCacheFields() {
+      return null;
+    }
+
+    public void setNoCache(final boolean noCache) {
+    }
+
+    public boolean isNoCache() {
+      return false;
+    }
+
+    public boolean isPrivate() {
+      return false;
+    }
+
+    public List<String> getPrivateFields() {
+      return null;
+    }
+
+    public void setPrivate(final boolean flag) {
+    }
+
+    public boolean isNoTransform() {
+      return false;
+    }
+
+    public void setNoTransform(final boolean noTransform) {
+    }
+
+    public boolean isNoStore() {
+      return false;
+    }
+
+    public void setNoStore(final boolean noStore) {
+    }
+
+    public Map<String, String> getCacheExtension() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java
new file mode 100644
index 00000000000..ba83791d6db
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Map;
+
+public interface Configurable<C extends Configurable> {
+    // public Configuration getConfiguration();
+
+    public C property(String name, Object value);
+
+    public C register(Class<?> componentClass);
+
+    public C register(Class<?> componentClass, int priority);
+
+    public C register(Class<?> componentClass, Class<?>... contracts);
+
+    public C register(Class<?> componentClass, Map<Class<?>, Integer> contracts);
+
+    public C register(Object component);
+
+    public C register(Object component, int priority);
+
+    public C register(Object component, Class<?>... contracts);
+
+    public C register(Object component, Map<Class<?>, Integer> contracts);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configuration.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configuration.java
new file mode 100644
index 00000000000..7dfbca11b79
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configuration.java
@@ -0,0 +1,3 @@
+package jakarta.ws.rs.core;
+
+public abstract interface Configuration {}
\ No newline at end of file
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java
new file mode 100644
index 00000000000..cb4923f70e6
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public @interface Context {
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java
new file mode 100644
index 00000000000..b8639e0c1e6
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class Cookie {
+    public Cookie(final String name, final String value, final String path, final String domain, final int version)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value, final String path, final String domain)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value)
+            throws IllegalArgumentException {
+    }
+
+    public static Cookie valueOf(final String value) {
+      return null;
+    }
+
+    public String getName() {
+      return null;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    public int getVersion() {
+      return 0;
+    }
+
+    public String getDomain() {
+      return null;
+    }
+
+    public String getPath() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java
new file mode 100644
index 00000000000..9e447119d4d
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class EntityTag {
+    public EntityTag(final String value) {
+    }
+
+    public EntityTag(final String value, final boolean weak) {
+    }
+
+    public static EntityTag valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isWeak() {
+      return false;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java
new file mode 100644
index 00000000000..c94aa9a4a34
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class Form {
+    public Form() {
+    }
+
+    public Form(final String parameterName, final String parameterValue) {
+    }
+
+    public Form(final MultivaluedMap<String, String> store) {
+    }
+
+    public Form param(final String name, final String value) {
+      return null;
+    }
+
+    public MultivaluedMap<String, String> asMap() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java
new file mode 100644
index 00000000000..d9d06f3fb95
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Copyright (c) 2006 Google Inc.
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package jakarta.ws.rs.core;
+import java.lang.reflect.Type;
+
+public class GenericEntity<T> {
+    public GenericEntity(final T entity, final Type genericType) {
+    }
+
+    public final Class<?> getRawType() {
+      return null;
+    }
+
+    public final Type getType() {
+      return null;
+    }
+
+    public final T getEntity() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java
new file mode 100644
index 00000000000..b5fc3e612f6
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+public interface HttpHeaders {
+    public List<String> getRequestHeader(String name);
+
+    public String getHeaderString(String name);
+
+    public MultivaluedMap<String, String> getRequestHeaders();
+
+    public List<MediaType> getAcceptableMediaTypes();
+
+    public List<Locale> getAcceptableLanguages();
+
+    public MediaType getMediaType();
+
+    public Locale getLanguage();
+
+    public Map<String, Cookie> getCookies();
+
+    public Date getDate();
+
+    public int getLength();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java
new file mode 100644
index 00000000000..c7c66a7cdee
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2011, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+// import javax.xml.namespace.QName;
+// import jakarta.xml.bind.annotation.adapters.XmlAdapter;
+
+public abstract class Link {
+    public abstract URI getUri();
+
+    public abstract UriBuilder getUriBuilder();
+
+    public abstract String getRel();
+
+    public abstract List<String> getRels();
+
+    public abstract String getTitle();
+
+    public abstract String getType();
+
+    public abstract Map<String, String> getParams();
+
+    @Override
+    public abstract String toString();
+
+    public static Link valueOf(final String value) {
+      return null;
+    }
+
+    public static Builder fromUri(final URI uri) {
+      return null;
+    }
+
+    public static Builder fromUri(final String uri) {
+      return null;
+    }
+
+    public static Builder fromUriBuilder(final UriBuilder uriBuilder) {
+      return null;
+    }
+
+    public static Builder fromLink(final Link link) {
+      return null;
+    }
+
+    public static Builder fromPath(final String path) {
+      return null;
+    }
+
+    public static Builder fromResource(final Class<?> resource) {
+      return null;
+    }
+
+    public static Builder fromMethod(final Class<?> resource, final String method) {
+      return null;
+    }
+
+    public interface Builder {
+        public Builder link(Link link);
+
+        public Builder link(String link);
+
+        public Builder uri(URI uri);
+
+        public Builder uri(String uri);
+
+        public Builder baseUri(URI uri);
+
+        public Builder baseUri(String uri);
+
+        public Builder uriBuilder(UriBuilder uriBuilder);
+
+        public Builder rel(String rel);
+
+        public Builder title(String title);
+
+        public Builder type(String type);
+
+        public Builder param(String name, String value);
+
+        public Link build(Object... values);
+
+        public Link buildRelativized(URI uri, Object... values);
+
+    }
+    public static class JaxbLink {
+        public JaxbLink() {
+        }
+
+        public JaxbLink(final URI uri) {
+        }
+
+        // public JaxbLink(final URI uri, final Map<QName, Object> params) {
+        // }
+
+        public URI getUri() {
+          return null;
+        }
+
+        // public Map<QName, Object> getParams() {
+        //   return null;
+        // }
+
+        @Override
+        public boolean equals(final Object o) {
+          return false;
+        }
+
+        @Override
+        public int hashCode() {
+          return 0;
+        }
+
+    }
+    // public static class JaxbAdapter extends XmlAdapter<JaxbLink, Link> {
+    //     @Override
+    //     public Link unmarshal(final JaxbLink v) {
+    //       return null;
+    //     }
+
+    //     @Override
+    //     public JaxbLink marshal(final Link v) {
+    //       return null;
+    //     }
+
+    // }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java
new file mode 100644
index 00000000000..0bd6e214ce7
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Map;
+
+public class MediaType {
+    public final static MediaType WILDCARD_TYPE = new MediaType();
+
+    public final static MediaType APPLICATION_XML_TYPE = new MediaType("application", "xml");
+
+    public final static MediaType APPLICATION_ATOM_XML_TYPE = new MediaType("application", "atom+xml");
+
+    public final static MediaType APPLICATION_XHTML_XML_TYPE = new MediaType("application", "xhtml+xml");
+
+    public final static MediaType APPLICATION_SVG_XML_TYPE = new MediaType("application", "svg+xml");
+
+    public final static MediaType APPLICATION_JSON_TYPE = new MediaType("application", "json");
+
+    public final static MediaType APPLICATION_FORM_URLENCODED_TYPE = new MediaType("application", "x-www-form-urlencoded");
+
+    public final static MediaType MULTIPART_FORM_DATA_TYPE = new MediaType("multipart", "form-data");
+
+    public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream");
+
+    public final static String TEXT_PLAIN = "text/plain";
+
+    public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain");
+
+    public final static String TEXT_XML = "text/xml";
+
+    public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml");
+
+    public final static String TEXT_HTML = "text/html";
+
+    public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html");
+
+    public static final MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream");
+
+    public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = new MediaType("application", "json-patch+json");
+
+    public static MediaType valueOf(final String type) {
+      return null;
+    }
+
+    public MediaType(final String type, final String subtype, final Map<String, String> parameters) {
+    }
+
+    public MediaType(final String type, final String subtype) {
+    }
+
+    public MediaType(final String type, final String subtype, final String charset) {
+    }
+
+    public MediaType() {
+    }
+
+    public String getType() {
+      return null;
+    }
+
+    public boolean isWildcardType() {
+      return false;
+    }
+
+    public String getSubtype() {
+      return null;
+    }
+
+    public boolean isWildcardSubtype() {
+      return false;
+    }
+
+    public Map<String, String> getParameters() {
+      return null;
+    }
+
+    public MediaType withCharset(final String charset) {
+      return null;
+    }
+
+    public boolean isCompatible(final MediaType other) {
+      return false;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java
new file mode 100644
index 00000000000..94a825421da
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class MultivaluedHashMap<K, V> extends AbstractMultivaluedMap<K, V> implements Serializable {
+    // public MultivaluedHashMap() {
+    // }
+
+    // public MultivaluedHashMap(final int initialCapacity) {
+    // }
+
+    // public MultivaluedHashMap(final int initialCapacity, final float loadFactor) {
+    // }
+
+    public MultivaluedHashMap(final MultivaluedMap<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+    public MultivaluedHashMap(final Map<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java
new file mode 100644
index 00000000000..e26a5a38256
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public interface MultivaluedMap<K, V> extends Map<K, List<V>> {
+    void putSingle(K key, V value);
+
+    void add(K key, V value);
+
+    V getFirst(K key);
+
+    void addAll(K key, V... newValues);
+
+    void addAll(K key, List<V> valueList);
+
+    void addFirst(K key, V value);
+
+    boolean equalsIgnoreValueOrder(MultivaluedMap<K, V> otherMap);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java
new file mode 100644
index 00000000000..949db1e1674
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Date;
+
+public class NewCookie extends Cookie {
+    public NewCookie(final String name, final String value) {
+      super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final String comment,
+            final int maxAge,
+            final boolean secure) {
+              super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final String comment,
+            final int maxAge,
+            final boolean secure,
+            final boolean httpOnly) {
+              super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final int version,
+            final String comment,
+            final int maxAge,
+            final boolean secure) {
+              super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final int version,
+            final String comment,
+            final int maxAge,
+            final Date expiry,
+            final boolean secure,
+            final boolean httpOnly) {
+              super("", "");
+            }
+
+    public NewCookie(final Cookie cookie) {
+      super("", "");
+    }
+
+    public NewCookie(final Cookie cookie, final String comment, final int maxAge, final boolean secure) {
+      super("", "");
+    }
+
+    public NewCookie(final Cookie cookie, final String comment, final int maxAge, final Date expiry, final boolean secure, final boolean httpOnly) {
+      super("", "");
+    }
+
+    public static NewCookie valueOf(final String value) {
+      return null;
+    }
+
+    public String getComment() {
+      return null;
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public Date getExpiry() {
+      return null;
+    }
+
+    public boolean isSecure() {
+      return false;
+    }
+
+    public boolean isHttpOnly() {
+      return false;
+    }
+
+    public Cookie toCookie() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java
new file mode 100644
index 00000000000..5b7c70af044
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public interface PathSegment {
+    String getPath();
+
+    MultivaluedMap<String, String> getMatrixParameters();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java
new file mode 100644
index 00000000000..e056b757358
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Response.java
@@ -0,0 +1,285 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.lang.annotation.Annotation;
+import java.net.URI;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class Response implements AutoCloseable {
+    public abstract int getStatus();
+
+    public abstract StatusType getStatusInfo();
+
+    public abstract Object getEntity();
+
+    public abstract <T> T readEntity(Class<T> entityType);
+
+    // public abstract <T> T readEntity(GenericType<T> entityType);
+
+    public abstract <T> T readEntity(Class<T> entityType, Annotation[] annotations);
+
+    // public abstract <T> T readEntity(GenericType<T> entityType, Annotation[] annotations);
+
+    public abstract boolean hasEntity();
+
+    public abstract boolean bufferEntity();
+
+    @Override
+    public abstract void close();
+
+    public abstract MediaType getMediaType();
+
+    public abstract Locale getLanguage();
+
+    public abstract int getLength();
+
+    public abstract Set<String> getAllowedMethods();
+
+    public abstract Map<String, NewCookie> getCookies();
+
+    public abstract EntityTag getEntityTag();
+
+    public abstract Date getDate();
+
+    public abstract Date getLastModified();
+
+    public abstract URI getLocation();
+
+    public abstract Set<Link> getLinks();
+
+    public abstract boolean hasLink(String relation);
+
+    public abstract Link getLink(String relation);
+
+    public abstract Link.Builder getLinkBuilder(String relation);
+
+    public abstract MultivaluedMap<String, Object> getMetadata();
+
+    public MultivaluedMap<String, Object> getHeaders() {
+      return null;
+    }
+
+    public abstract MultivaluedMap<String, String> getStringHeaders();
+
+    public abstract String getHeaderString(String name);
+
+    public static ResponseBuilder fromResponse(final Response response) {
+      return null;
+    }
+
+    public static ResponseBuilder status(final StatusType status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(final Status status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(final int status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(final int status, final String reasonPhrase) {
+      return null;
+    }
+
+    public static ResponseBuilder ok() {
+      return null;
+    }
+
+    public static ResponseBuilder ok(final Object entity) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(final Object entity, final MediaType type) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(final Object entity, final String type) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(final Object entity, final Variant variant) {
+      return null;
+    }
+
+    public static ResponseBuilder serverError() {
+      return null;
+    }
+
+    public static ResponseBuilder created(final URI location) {
+      return null;
+    }
+
+    public static ResponseBuilder accepted() {
+      return null;
+    }
+
+    public static ResponseBuilder accepted(final Object entity) {
+      return null;
+    }
+
+    public static ResponseBuilder noContent() {
+      return null;
+    }
+
+    public static ResponseBuilder notModified() {
+      return null;
+    }
+
+    public static ResponseBuilder notModified(final EntityTag tag) {
+      return null;
+    }
+
+    public static ResponseBuilder notModified(final String tag) {
+      return null;
+    }
+
+    public static ResponseBuilder seeOther(final URI location) {
+      return null;
+    }
+
+    public static ResponseBuilder temporaryRedirect(final URI location) {
+      return null;
+    }
+
+    public static ResponseBuilder notAcceptable(final List<Variant> variants) {
+      return null;
+    }
+
+    public static abstract class ResponseBuilder {
+        public abstract Response build();
+
+        @Override
+        public abstract ResponseBuilder clone();
+
+        public abstract ResponseBuilder status(int status);
+
+        public abstract ResponseBuilder status(int status, String reasonPhrase);
+
+        public ResponseBuilder status(final StatusType status) {
+          return null;
+        }
+
+        public ResponseBuilder status(final Status status) {
+          return null;
+        }
+
+        public abstract ResponseBuilder entity(Object entity);
+
+        public abstract ResponseBuilder entity(Object entity, Annotation[] annotations);
+
+        public abstract ResponseBuilder allow(String... methods);
+
+        public abstract ResponseBuilder allow(Set<String> methods);
+
+        public abstract ResponseBuilder cacheControl(CacheControl cacheControl);
+
+        public abstract ResponseBuilder encoding(String encoding);
+
+        public abstract ResponseBuilder header(String name, Object value);
+
+        public abstract ResponseBuilder replaceAll(MultivaluedMap<String, Object> headers);
+
+        public abstract ResponseBuilder language(String language);
+
+        public abstract ResponseBuilder language(Locale language);
+
+        public abstract ResponseBuilder type(MediaType type);
+
+        public abstract ResponseBuilder type(String type);
+
+        public abstract ResponseBuilder variant(Variant variant);
+
+        public abstract ResponseBuilder contentLocation(URI location);
+
+        public abstract ResponseBuilder cookie(NewCookie... cookies);
+
+        public abstract ResponseBuilder expires(Date expires);
+
+        public abstract ResponseBuilder lastModified(Date lastModified);
+
+        public abstract ResponseBuilder location(URI location);
+
+        public abstract ResponseBuilder tag(EntityTag tag);
+
+        public abstract ResponseBuilder tag(String tag);
+
+        public abstract ResponseBuilder variants(Variant... variants);
+
+        public abstract ResponseBuilder variants(List<Variant> variants);
+
+        public abstract ResponseBuilder links(Link... links);
+
+        public abstract ResponseBuilder link(URI uri, String rel);
+
+        public abstract ResponseBuilder link(String uri, String rel);
+
+    }
+    public interface StatusType {
+        public int getStatusCode();
+
+        public Status.Family getFamily();
+
+        public String getReasonPhrase();
+
+        public default Status toEnum() {
+          return null;
+        }
+
+    }
+    public enum Status implements StatusType {
+        DUMMY_STATUS;
+
+        public enum Family {
+            DUMMY_FAMILY;
+
+            public static Family familyOf(final int statusCode) {
+              return null;
+            }
+
+        }
+        @Override
+        public Family getFamily() {
+          return null;
+        }
+
+        @Override
+        public int getStatusCode() {
+          return 0;
+        }
+
+        @Override
+        public String getReasonPhrase() {
+          return null;
+        }
+
+        @Override
+        public String toString() {
+          return null;
+        }
+
+        public static Status fromStatusCode(final int statusCode) {
+          return null;
+        }
+
+    }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilder.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilder.java
new file mode 100644
index 00000000000..befa54c24b5
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilder.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.Map;
+
+public abstract class UriBuilder {
+    public static UriBuilder newInstance() {
+      return null;
+    }
+
+    public static UriBuilder fromUri(final URI uri) {
+      return null;
+    }
+
+    public static UriBuilder fromUri(final String uriTemplate) {
+      return null;
+    }
+
+    public static UriBuilder fromLink(final Link link) {
+      return null;
+    }
+
+    public static UriBuilder fromPath(final String path) throws IllegalArgumentException {
+      return null;
+    }
+
+    public static UriBuilder fromResource(final Class<?> resource) {
+      return null;
+    }
+
+    public static UriBuilder fromMethod(final Class<?> resource, final String method) {
+      return null;
+    }
+
+    @Override
+    public abstract UriBuilder clone();
+
+    public abstract UriBuilder uri(URI uri);
+
+    public abstract UriBuilder uri(String uriTemplate);
+
+    public abstract UriBuilder scheme(String scheme);
+
+    public abstract UriBuilder schemeSpecificPart(String ssp);
+
+    public abstract UriBuilder userInfo(String ui);
+
+    public abstract UriBuilder host(String host);
+
+    public abstract UriBuilder port(int port);
+
+    public abstract UriBuilder replacePath(String path);
+
+    public abstract UriBuilder path(String path);
+
+    public abstract UriBuilder path(Class resource);
+
+    public abstract UriBuilder path(Class resource, String method);
+
+    public abstract UriBuilder path(Method method);
+
+    public abstract UriBuilder segment(String... segments);
+
+    public abstract UriBuilder replaceMatrix(String matrix);
+
+    public abstract UriBuilder matrixParam(String name, Object... values);
+
+    public abstract UriBuilder replaceMatrixParam(String name, Object... values);
+
+    public abstract UriBuilder replaceQuery(String query);
+
+    public abstract UriBuilder queryParam(String name, Object... values);
+
+    public abstract UriBuilder replaceQueryParam(String name, Object... values);
+
+    public abstract UriBuilder fragment(String fragment);
+
+    public abstract UriBuilder resolveTemplate(String name, Object value);
+
+    public abstract UriBuilder resolveTemplate(String name, Object value, boolean encodeSlashInPath);
+
+    public abstract UriBuilder resolveTemplateFromEncoded(String name, Object value);
+
+    public abstract UriBuilder resolveTemplates(Map<String, Object> templateValues);
+
+    public abstract UriBuilder resolveTemplates(Map<String, Object> templateValues, boolean encodeSlashInPath)
+            throws IllegalArgumentException;
+
+    public abstract UriBuilder resolveTemplatesFromEncoded(Map<String, Object> templateValues);
+
+    public abstract URI buildFromMap(Map<String, ?> values);
+
+    public abstract URI buildFromMap(Map<String, ?> values, boolean encodeSlashInPath)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI buildFromEncodedMap(Map<String, ?> values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI build(Object... values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI build(Object[] values, boolean encodeSlashInPath)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI buildFromEncoded(Object... values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract String toTemplate();
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilderException.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilderException.java
new file mode 100644
index 00000000000..08e257c161d
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriBuilderException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class UriBuilderException extends java.lang.RuntimeException {
+    public UriBuilderException() {
+    }
+
+    public UriBuilderException(final String msg) {
+    }
+
+    public UriBuilderException(final String msg, final Throwable cause) {
+    }
+
+    public UriBuilderException(final Throwable cause) {
+    }
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriInfo.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriInfo.java
new file mode 100644
index 00000000000..1822f0253cd
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/UriInfo.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+
+public interface UriInfo {
+    public String getPath();
+
+    public String getPath(boolean decode);
+
+    public List<PathSegment> getPathSegments();
+
+    public List<PathSegment> getPathSegments(boolean decode);
+
+    public URI getRequestUri();
+
+    public UriBuilder getRequestUriBuilder();
+
+    public URI getAbsolutePath();
+
+    public UriBuilder getAbsolutePathBuilder();
+
+    public URI getBaseUri();
+
+    public UriBuilder getBaseUriBuilder();
+
+    public MultivaluedMap<String, String> getPathParameters();
+
+    public MultivaluedMap<String, String> getPathParameters(boolean decode);
+
+    public MultivaluedMap<String, String> getQueryParameters();
+
+    public MultivaluedMap<String, String> getQueryParameters(boolean decode);
+
+    public List<String> getMatchedURIs();
+
+    public List<String> getMatchedURIs(boolean decode);
+
+    public List<Object> getMatchedResources();
+
+    public URI resolve(URI uri);
+
+    public URI relativize(URI uri);
+
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Variant.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Variant.java
new file mode 100644
index 00000000000..f87d15020f5
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Variant.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.List;
+import java.util.Locale;
+
+public class Variant {
+    public Variant(final MediaType mediaType, final String language, final String encoding) {
+    }
+
+    public Variant(final MediaType mediaType, final String language, final String country, final String encoding) {
+    }
+
+    public Variant(final MediaType mediaType, final String language, final String country, final String languageVariant, final String encoding) {
+    }
+
+    public Variant(final MediaType mediaType, final Locale language, final String encoding) {
+    }
+
+    public Locale getLanguage() {
+      return null;
+    }
+
+    public String getLanguageString() {
+      return null;
+    }
+
+    public MediaType getMediaType() {
+      return null;
+    }
+
+    public String getEncoding() {
+      return null;
+    }
+
+    public static VariantListBuilder mediaTypes(final MediaType... mediaTypes) {
+      return null;
+    }
+
+    public static VariantListBuilder languages(final Locale... languages) {
+      return null;
+    }
+
+    public static VariantListBuilder encodings(final String... encodings) {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    public static abstract class VariantListBuilder {
+        public static VariantListBuilder newInstance() {
+          return null;
+        }
+
+        public abstract List<Variant> build();
+
+        public abstract VariantListBuilder add();
+
+        public abstract VariantListBuilder languages(Locale... languages);
+
+        public abstract VariantListBuilder encodings(String... encodings);
+
+        public abstract VariantListBuilder mediaTypes(MediaType... mediaTypes);
+
+    }
+}
diff --git a/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java
new file mode 100644
index 00000000000..11213118bea
--- /dev/null
+++ b/java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/ext/MessageBodyReader.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.ext;
+import java.io.InputStream;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+
+public interface MessageBodyReader<T> {
+    public boolean isReadable(Class<?> type, Type genericType,
+            Annotation[] annotations, MediaType mediaType);
+
+    public T readFrom(Class<T> type, Type genericType,
+            Annotation[] annotations, MediaType mediaType,
+            MultivaluedMap<String, String> httpHeaders,
+            InputStream entityStream) throws java.io.IOException /*, jakarta.ws.rs.WebApplicationException */;
+
+}
diff --git a/java/ql/test/stubs/jaxws-api-2.0/LICENSE.md b/java/ql/test/stubs/jaxws-api-2.0/LICENSE.md
new file mode 100644
index 00000000000..1c4d55ea74f
--- /dev/null
+++ b/java/ql/test/stubs/jaxws-api-2.0/LICENSE.md
@@ -0,0 +1,761 @@
+---
+---
+
+##    COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.1
+ 
+    1. Definitions.
+ 
+      1.1. "Contributor" means each individual or entity that creates or
+      contributes to the creation of Modifications.
+
+      1.2. "Contributor Version" means the combination of the Original
+      Software, prior Modifications used by a Contributor (if any), and
+      the Modifications made by that particular Contributor.
+
+      1.3. "Covered Software" means (a) the Original Software, or (b)
+      Modifications, or (c) the combination of files containing Original
+      Software with files containing Modifications, in each case including
+      portions thereof.
+
+      1.4. "Executable" means the Covered Software in any form other than
+      Source Code.
+
+      1.5. "Initial Developer" means the individual or entity that first
+      makes Original Software available under this License.
+
+      1.6. "Larger Work" means a work which combines Covered Software or
+      portions thereof with code not governed by the terms of this License.
+
+      1.7. "License" means this document.
+
+      1.8. "Licensable" means having the right to grant, to the maximum
+      extent possible, whether at the time of the initial grant or
+      subsequently acquired, any and all of the rights conveyed herein.
+
+      1.9. "Modifications" means the Source Code and Executable form of
+      any of the following:
+
+      A. Any file that results from an addition to, deletion from or
+      modification of the contents of a file containing Original Software
+      or previous Modifications;
+
+      B. Any new file that contains any part of the Original Software or
+      previous Modification; or
+
+      C. Any new file that is contributed or otherwise made available
+      under the terms of this License.
+
+      1.10. "Original Software" means the Source Code and Executable form
+      of computer software code that is originally released under this
+      License.
+
+      1.11. "Patent Claims" means any patent claim(s), now owned or
+      hereafter acquired, including without limitation, method, process,
+      and apparatus claims, in any patent Licensable by grantor.
+
+      1.12. "Source Code" means (a) the common form of computer software
+      code in which modifications are made and (b) associated
+      documentation included in or with such code.
+
+      1.13. "You" (or "Your") means an individual or a legal entity
+      exercising rights under, and complying with all of the terms of,
+      this License. For legal entities, "You" includes any entity which
+      controls, is controlled by, or is under common control with You. For
+      purposes of this definition, "control" means (a) the power, direct
+      or indirect, to cause the direction or management of such entity,
+      whether by contract or otherwise, or (b) ownership of more than
+      fifty percent (50%) of the outstanding shares or beneficial
+      ownership of such entity.
+
+    2. License Grants.
+
+      2.1. The Initial Developer Grant.
+
+      Conditioned upon Your compliance with Section 3.1 below and subject
+      to third party intellectual property claims, the Initial Developer
+      hereby grants You a world-wide, royalty-free, non-exclusive license:
+
+      (a) under intellectual property rights (other than patent or
+      trademark) Licensable by Initial Developer, to use, reproduce,
+      modify, display, perform, sublicense and distribute the Original
+      Software (or portions thereof), with or without Modifications,
+      and/or as part of a Larger Work; and
+
+      (b) under Patent Claims infringed by the making, using or selling of
+      Original Software, to make, have made, use, practice, sell, and
+      offer for sale, and/or otherwise dispose of the Original Software
+      (or portions thereof).
+
+      (c) The licenses granted in Sections 2.1(a) and (b) are effective on
+      the date Initial Developer first distributes or otherwise makes the
+      Original Software available to a third party under the terms of this
+      License.
+
+      (d) Notwithstanding Section 2.1(b) above, no patent license is
+      granted: (1) for code that You delete from the Original Software, or
+      (2) for infringements caused by: (i) the modification of the
+      Original Software, or (ii) the combination of the Original Software
+      with other software or devices.
+
+      2.2. Contributor Grant.
+
+      Conditioned upon Your compliance with Section 3.1 below and subject
+      to third party intellectual property claims, each Contributor hereby
+      grants You a world-wide, royalty-free, non-exclusive license:
+
+      (a) under intellectual property rights (other than patent or
+      trademark) Licensable by Contributor to use, reproduce, modify,
+      display, perform, sublicense and distribute the Modifications
+      created by such Contributor (or portions thereof), either on an
+      unmodified basis, with other Modifications, as Covered Software
+      and/or as part of a Larger Work; and
+
+      (b) under Patent Claims infringed by the making, using, or selling
+      of Modifications made by that Contributor either alone and/or in
+      combination with its Contributor Version (or portions of such
+      combination), to make, use, sell, offer for sale, have made, and/or
+      otherwise dispose of: (1) Modifications made by that Contributor (or
+      portions thereof); and (2) the combination of Modifications made by
+      that Contributor with its Contributor Version (or portions of such
+      combination).
+
+      (c) The licenses granted in Sections 2.2(a) and 2.2(b) are effective
+      on the date Contributor first distributes or otherwise makes the
+      Modifications available to a third party.
+
+      (d) Notwithstanding Section 2.2(b) above, no patent license is
+      granted: (1) for any code that Contributor has deleted from the
+      Contributor Version; (2) for infringements caused by: (i) third
+      party modifications of Contributor Version, or (ii) the combination
+      of Modifications made by that Contributor with other software
+      (except as part of the Contributor Version) or other devices; or (3)
+      under Patent Claims infringed by Covered Software in the absence of
+      Modifications made by that Contributor.
+
+    3. Distribution Obligations.
+
+      3.1. Availability of Source Code.
+
+      Any Covered Software that You distribute or otherwise make available
+      in Executable form must also be made available in Source Code form
+      and that Source Code form must be distributed only under the terms
+      of this License. You must include a copy of this License with every
+      copy of the Source Code form of the Covered Software You distribute
+      or otherwise make available. You must inform recipients of any such
+      Covered Software in Executable form as to how they can obtain such
+      Covered Software in Source Code form in a reasonable manner on or
+      through a medium customarily used for software exchange.
+
+      3.2. Modifications.
+
+      The Modifications that You create or to which You contribute are
+      governed by the terms of this License. You represent that You
+      believe Your Modifications are Your original creation(s) and/or You
+      have sufficient rights to grant the rights conveyed by this License.
+
+      3.3. Required Notices.
+
+      You must include a notice in each of Your Modifications that
+      identifies You as the Contributor of the Modification. You may not
+      remove or alter any copyright, patent or trademark notices contained
+      within the Covered Software, or any notices of licensing or any
+      descriptive text giving attribution to any Contributor or the
+      Initial Developer.
+
+      3.4. Application of Additional Terms.
+
+      You may not offer or impose any terms on any Covered Software in
+      Source Code form that alters or restricts the applicable version of
+      this License or the recipients' rights hereunder. You may choose to
+      offer, and to charge a fee for, warranty, support, indemnity or
+      liability obligations to one or more recipients of Covered Software.
+      However, you may do so only on Your own behalf, and not on behalf of
+      the Initial Developer or any Contributor. You must make it
+      absolutely clear that any such warranty, support, indemnity or
+      liability obligation is offered by You alone, and You hereby agree
+      to indemnify the Initial Developer and every Contributor for any
+      liability incurred by the Initial Developer or such Contributor as a
+      result of warranty, support, indemnity or liability terms You offer.
+
+      3.5. Distribution of Executable Versions.
+
+      You may distribute the Executable form of the Covered Software under
+      the terms of this License or under the terms of a license of Your
+      choice, which may contain terms different from this License,
+      provided that You are in compliance with the terms of this License
+      and that the license for the Executable form does not attempt to
+      limit or alter the recipient's rights in the Source Code form from
+      the rights set forth in this License. If You distribute the Covered
+      Software in Executable form under a different license, You must make
+      it absolutely clear that any terms which differ from this License
+      are offered by You alone, not by the Initial Developer or
+      Contributor. You hereby agree to indemnify the Initial Developer and
+      every Contributor for any liability incurred by the Initial
+      Developer or such Contributor as a result of any such terms You offer.
+
+      3.6. Larger Works.
+
+      You may create a Larger Work by combining Covered Software with
+      other code not governed by the terms of this License and distribute
+      the Larger Work as a single product. In such a case, You must make
+      sure the requirements of this License are fulfilled for the Covered
+      Software.
+
+    4. Versions of the License.
+
+      4.1. New Versions.
+
+      Oracle is the initial license steward and may publish revised and/or
+      new versions of this License from time to time. Each version will be
+      given a distinguishing version number. Except as provided in Section
+      4.3, no one other than the license steward has the right to modify
+      this License.
+
+      4.2. Effect of New Versions.
+
+      You may always continue to use, distribute or otherwise make the
+      Covered Software available under the terms of the version of the
+      License under which You originally received the Covered Software. If
+      the Initial Developer includes a notice in the Original Software
+      prohibiting it from being distributed or otherwise made available
+      under any subsequent version of the License, You must distribute and
+      make the Covered Software available under the terms of the version
+      of the License under which You originally received the Covered
+      Software. Otherwise, You may also choose to use, distribute or
+      otherwise make the Covered Software available under the terms of any
+      subsequent version of the License published by the license steward.
+
+      4.3. Modified Versions.
+
+      When You are an Initial Developer and You want to create a new
+      license for Your Original Software, You may create and use a
+      modified version of this License if You: (a) rename the license and
+      remove any references to the name of the license steward (except to
+      note that the license differs from this License); and (b) otherwise
+      make it clear that the license contains terms which differ from this
+      License.
+
+    5. DISCLAIMER OF WARRANTY.
+
+      COVERED SOFTWARE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS,
+      WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+      INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED SOFTWARE
+      IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR
+      NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF
+      THE COVERED SOFTWARE IS WITH YOU. SHOULD ANY COVERED SOFTWARE PROVE
+      DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY
+      OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING,
+      REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN
+      ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED SOFTWARE IS
+      AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
+
+    6. TERMINATION.
+
+      6.1. This License and the rights granted hereunder will terminate
+      automatically if You fail to comply with terms herein and fail to
+      cure such breach within 30 days of becoming aware of the breach.
+      Provisions which, by their nature, must remain in effect beyond the
+      termination of this License shall survive.
+
+      6.2. If You assert a patent infringement claim (excluding
+      declaratory judgment actions) against Initial Developer or a
+      Contributor (the Initial Developer or Contributor against whom You
+      assert such claim is referred to as "Participant") alleging that the
+      Participant Software (meaning the Contributor Version where the
+      Participant is a Contributor or the Original Software where the
+      Participant is the Initial Developer) directly or indirectly
+      infringes any patent, then any and all rights granted directly or
+      indirectly to You by such Participant, the Initial Developer (if the
+      Initial Developer is not the Participant) and all Contributors under
+      Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice
+      from Participant terminate prospectively and automatically at the
+      expiration of such 60 day notice period, unless if within such 60
+      day period You withdraw Your claim with respect to the Participant
+      Software against such Participant either unilaterally or pursuant to
+      a written agreement with Participant.
+
+      6.3. If You assert a patent infringement claim against Participant
+      alleging that the Participant Software directly or indirectly
+      infringes any patent where such claim is resolved (such as by
+      license or settlement) prior to the initiation of patent
+      infringement litigation, then the reasonable value of the licenses
+      granted by such Participant under Sections 2.1 or 2.2 shall be taken
+      into account in determining the amount or value of any payment or
+      license.
+
+      6.4. In the event of termination under Sections 6.1 or 6.2 above,
+      all end user licenses that have been validly granted by You or any
+      distributor hereunder prior to termination (excluding licenses
+      granted to You by any distributor) shall survive termination.
+
+    7. LIMITATION OF LIABILITY.
+
+      UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT
+      (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE
+      INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF
+      COVERED SOFTWARE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE
+      TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
+      CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT
+      LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER
+      FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR
+      LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE
+      POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT
+      APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+      PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+      LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+      LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION
+      AND LIMITATION MAY NOT APPLY TO YOU.
+
+    8. U.S. GOVERNMENT END USERS.
+
+      The Covered Software is a "commercial item," as that term is defined
+      in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer
+      software" (as that term is defined at 48 C.F.R. §
+      252.227-7014(a)(1)) and "commercial computer software documentation"
+      as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent
+      with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4
+      (June 1995), all U.S. Government End Users acquire Covered Software
+      with only those rights set forth herein. This U.S. Government Rights
+      clause is in lieu of, and supersedes, any other FAR, DFAR, or other
+      clause or provision that addresses Government rights in computer
+      software under this License.
+
+    9. MISCELLANEOUS.
+
+      This License represents the complete agreement concerning subject
+      matter hereof. If any provision of this License is held to be
+      unenforceable, such provision shall be reformed only to the extent
+      necessary to make it enforceable. This License shall be governed by
+      the law of the jurisdiction specified in a notice contained within
+      the Original Software (except to the extent applicable law, if any,
+      provides otherwise), excluding such jurisdiction's conflict-of-law
+      provisions. Any litigation relating to this License shall be subject
+      to the jurisdiction of the courts located in the jurisdiction and
+      venue specified in a notice contained within the Original Software,
+      with the losing party responsible for costs, including, without
+      limitation, court costs and reasonable attorneys' fees and expenses.
+      The application of the United Nations Convention on Contracts for
+      the International Sale of Goods is expressly excluded. Any law or
+      regulation which provides that the language of a contract shall be
+      construed against the drafter shall not apply to this License. You
+      agree that You alone are responsible for compliance with the United
+      States export administration regulations (and the export control
+      laws and regulation of any other countries) when You use, distribute
+      or otherwise make available any Covered Software.
+
+    10. RESPONSIBILITY FOR CLAIMS.
+
+      As between Initial Developer and the Contributors, each party is
+      responsible for claims and damages arising, directly or indirectly,
+      out of its utilization of rights under this License and You agree to
+      work with Initial Developer and Contributors to distribute such
+      responsibility on an equitable basis. Nothing herein is intended or
+      shall be deemed to constitute any admission of liability.
+
+---
+
+##    NOTICE PURSUANT TO SECTION 9 OF THE COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL)
+
+    The code released under the CDDL shall be governed by the laws of the
+    State of California (excluding conflict-of-law provisions). Any
+    litigation relating to this License shall be subject to the jurisdiction
+    of the Federal Courts of the Northern District of California and the
+    state courts of the State of California, with venue lying in Santa Clara
+    County, California.
+
+---
+
+##    The GNU General Public License (GPL) Version 2, June 1991
+
+    Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+    51 Franklin Street, Fifth Floor
+    Boston, MA 02110-1335
+    USA
+
+    Everyone is permitted to copy and distribute verbatim copies
+    of this license document, but changing it is not allowed.
+
+    Preamble
+
+    The licenses for most software are designed to take away your freedom to
+    share and change it. By contrast, the GNU General Public License is
+    intended to guarantee your freedom to share and change free software--to
+    make sure the software is free for all its users. This General Public
+    License applies to most of the Free Software Foundation's software and
+    to any other program whose authors commit to using it. (Some other Free
+    Software Foundation software is covered by the GNU Library General
+    Public License instead.) You can apply it to your programs, too.
+
+    When we speak of free software, we are referring to freedom, not price.
+    Our General Public Licenses are designed to make sure that you have the
+    freedom to distribute copies of free software (and charge for this
+    service if you wish), that you receive source code or can get it if you
+    want it, that you can change the software or use pieces of it in new
+    free programs; and that you know you can do these things.
+
+    To protect your rights, we need to make restrictions that forbid anyone
+    to deny you these rights or to ask you to surrender the rights. These
+    restrictions translate to certain responsibilities for you if you
+    distribute copies of the software, or if you modify it.
+
+    For example, if you distribute copies of such a program, whether gratis
+    or for a fee, you must give the recipients all the rights that you have.
+    You must make sure that they, too, receive or can get the source code.
+    And you must show them these terms so they know their rights.
+
+    We protect your rights with two steps: (1) copyright the software, and
+    (2) offer you this license which gives you legal permission to copy,
+    distribute and/or modify the software.
+
+    Also, for each author's protection and ours, we want to make certain
+    that everyone understands that there is no warranty for this free
+    software. If the software is modified by someone else and passed on, we
+    want its recipients to know that what they have is not the original, so
+    that any problems introduced by others will not reflect on the original
+    authors' reputations.
+
+    Finally, any free program is threatened constantly by software patents.
+    We wish to avoid the danger that redistributors of a free program will
+    individually obtain patent licenses, in effect making the program
+    proprietary. To prevent this, we have made it clear that any patent must
+    be licensed for everyone's free use or not licensed at all.
+
+    The precise terms and conditions for copying, distribution and
+    modification follow.
+
+    TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+    0. This License applies to any program or other work which contains a
+    notice placed by the copyright holder saying it may be distributed under
+    the terms of this General Public License. The "Program", below, refers
+    to any such program or work, and a "work based on the Program" means
+    either the Program or any derivative work under copyright law: that is
+    to say, a work containing the Program or a portion of it, either
+    verbatim or with modifications and/or translated into another language.
+    (Hereinafter, translation is included without limitation in the term
+    "modification".) Each licensee is addressed as "you".
+
+    Activities other than copying, distribution and modification are not
+    covered by this License; they are outside its scope. The act of running
+    the Program is not restricted, and the output from the Program is
+    covered only if its contents constitute a work based on the Program
+    (independent of having been made by running the Program). Whether that
+    is true depends on what the Program does.
+
+    1. You may copy and distribute verbatim copies of the Program's source
+    code as you receive it, in any medium, provided that you conspicuously
+    and appropriately publish on each copy an appropriate copyright notice
+    and disclaimer of warranty; keep intact all the notices that refer to
+    this License and to the absence of any warranty; and give any other
+    recipients of the Program a copy of this License along with the Program.
+
+    You may charge a fee for the physical act of transferring a copy, and
+    you may at your option offer warranty protection in exchange for a fee.
+
+    2. You may modify your copy or copies of the Program or any portion of
+    it, thus forming a work based on the Program, and copy and distribute
+    such modifications or work under the terms of Section 1 above, provided
+    that you also meet all of these conditions:
+
+        a) You must cause the modified files to carry prominent notices
+        stating that you changed the files and the date of any change.
+
+        b) You must cause any work that you distribute or publish, that in
+        whole or in part contains or is derived from the Program or any part
+        thereof, to be licensed as a whole at no charge to all third parties
+        under the terms of this License.
+
+        c) If the modified program normally reads commands interactively
+        when run, you must cause it, when started running for such
+        interactive use in the most ordinary way, to print or display an
+        announcement including an appropriate copyright notice and a notice
+        that there is no warranty (or else, saying that you provide a
+        warranty) and that users may redistribute the program under these
+        conditions, and telling the user how to view a copy of this License.
+        (Exception: if the Program itself is interactive but does not
+        normally print such an announcement, your work based on the Program
+        is not required to print an announcement.)
+
+    These requirements apply to the modified work as a whole. If
+    identifiable sections of that work are not derived from the Program, and
+    can be reasonably considered independent and separate works in
+    themselves, then this License, and its terms, do not apply to those
+    sections when you distribute them as separate works. But when you
+    distribute the same sections as part of a whole which is a work based on
+    the Program, the distribution of the whole must be on the terms of this
+    License, whose permissions for other licensees extend to the entire
+    whole, and thus to each and every part regardless of who wrote it.
+
+    Thus, it is not the intent of this section to claim rights or contest
+    your rights to work written entirely by you; rather, the intent is to
+    exercise the right to control the distribution of derivative or
+    collective works based on the Program.
+
+    In addition, mere aggregation of another work not based on the Program
+    with the Program (or with a work based on the Program) on a volume of a
+    storage or distribution medium does not bring the other work under the
+    scope of this License.
+
+    3. You may copy and distribute the Program (or a work based on it,
+    under Section 2) in object code or executable form under the terms of
+    Sections 1 and 2 above provided that you also do one of the following:
+
+        a) Accompany it with the complete corresponding machine-readable
+        source code, which must be distributed under the terms of Sections 1
+        and 2 above on a medium customarily used for software interchange; or,
+
+        b) Accompany it with a written offer, valid for at least three
+        years, to give any third party, for a charge no more than your cost
+        of physically performing source distribution, a complete
+        machine-readable copy of the corresponding source code, to be
+        distributed under the terms of Sections 1 and 2 above on a medium
+        customarily used for software interchange; or,
+
+        c) Accompany it with the information you received as to the offer to
+        distribute corresponding source code. (This alternative is allowed
+        only for noncommercial distribution and only if you received the
+        program in object code or executable form with such an offer, in
+        accord with Subsection b above.)
+
+    The source code for a work means the preferred form of the work for
+    making modifications to it. For an executable work, complete source code
+    means all the source code for all modules it contains, plus any
+    associated interface definition files, plus the scripts used to control
+    compilation and installation of the executable. However, as a special
+    exception, the source code distributed need not include anything that is
+    normally distributed (in either source or binary form) with the major
+    components (compiler, kernel, and so on) of the operating system on
+    which the executable runs, unless that component itself accompanies the
+    executable.
+
+    If distribution of executable or object code is made by offering access
+    to copy from a designated place, then offering equivalent access to copy
+    the source code from the same place counts as distribution of the source
+    code, even though third parties are not compelled to copy the source
+    along with the object code.
+
+    4. You may not copy, modify, sublicense, or distribute the Program
+    except as expressly provided under this License. Any attempt otherwise
+    to copy, modify, sublicense or distribute the Program is void, and will
+    automatically terminate your rights under this License. However, parties
+    who have received copies, or rights, from you under this License will
+    not have their licenses terminated so long as such parties remain in
+    full compliance.
+
+    5. You are not required to accept this License, since you have not
+    signed it. However, nothing else grants you permission to modify or
+    distribute the Program or its derivative works. These actions are
+    prohibited by law if you do not accept this License. Therefore, by
+    modifying or distributing the Program (or any work based on the
+    Program), you indicate your acceptance of this License to do so, and all
+    its terms and conditions for copying, distributing or modifying the
+    Program or works based on it.
+
+    6. Each time you redistribute the Program (or any work based on the
+    Program), the recipient automatically receives a license from the
+    original licensor to copy, distribute or modify the Program subject to
+    these terms and conditions. You may not impose any further restrictions
+    on the recipients' exercise of the rights granted herein. You are not
+    responsible for enforcing compliance by third parties to this License.
+
+    7. If, as a consequence of a court judgment or allegation of patent
+    infringement or for any other reason (not limited to patent issues),
+    conditions are imposed on you (whether by court order, agreement or
+    otherwise) that contradict the conditions of this License, they do not
+    excuse you from the conditions of this License. If you cannot distribute
+    so as to satisfy simultaneously your obligations under this License and
+    any other pertinent obligations, then as a consequence you may not
+    distribute the Program at all. For example, if a patent license would
+    not permit royalty-free redistribution of the Program by all those who
+    receive copies directly or indirectly through you, then the only way you
+    could satisfy both it and this License would be to refrain entirely from
+    distribution of the Program.
+
+    If any portion of this section is held invalid or unenforceable under
+    any particular circumstance, the balance of the section is intended to
+    apply and the section as a whole is intended to apply in other
+    circumstances.
+
+    It is not the purpose of this section to induce you to infringe any
+    patents or other property right claims or to contest validity of any
+    such claims; this section has the sole purpose of protecting the
+    integrity of the free software distribution system, which is implemented
+    by public license practices. Many people have made generous
+    contributions to the wide range of software distributed through that
+    system in reliance on consistent application of that system; it is up to
+    the author/donor to decide if he or she is willing to distribute
+    software through any other system and a licensee cannot impose that choice.
+
+    This section is intended to make thoroughly clear what is believed to be
+    a consequence of the rest of this License.
+
+    8. If the distribution and/or use of the Program is restricted in
+    certain countries either by patents or by copyrighted interfaces, the
+    original copyright holder who places the Program under this License may
+    add an explicit geographical distribution limitation excluding those
+    countries, so that distribution is permitted only in or among countries
+    not thus excluded. In such case, this License incorporates the
+    limitation as if written in the body of this License.
+
+    9. The Free Software Foundation may publish revised and/or new
+    versions of the General Public License from time to time. Such new
+    versions will be similar in spirit to the present version, but may
+    differ in detail to address new problems or concerns.
+
+    Each version is given a distinguishing version number. If the Program
+    specifies a version number of this License which applies to it and "any
+    later version", you have the option of following the terms and
+    conditions either of that version or of any later version published by
+    the Free Software Foundation. If the Program does not specify a version
+    number of this License, you may choose any version ever published by the
+    Free Software Foundation.
+
+    10. If you wish to incorporate parts of the Program into other free
+    programs whose distribution conditions are different, write to the
+    author to ask for permission. For software which is copyrighted by the
+    Free Software Foundation, write to the Free Software Foundation; we
+    sometimes make exceptions for this. Our decision will be guided by the
+    two goals of preserving the free status of all derivatives of our free
+    software and of promoting the sharing and reuse of software generally.
+
+    NO WARRANTY
+
+    11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO
+    WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+    EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+    OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND,
+    EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+    ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH
+    YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
+    NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+    12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+    WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+    AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
+    DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL
+    DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM
+    (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
+    INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF
+    THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR
+    OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+    END OF TERMS AND CONDITIONS
+
+    How to Apply These Terms to Your New Programs
+
+    If you develop a new program, and you want it to be of the greatest
+    possible use to the public, the best way to achieve this is to make it
+    free software which everyone can redistribute and change under these terms.
+
+    To do so, attach the following notices to the program. It is safest to
+    attach them to the start of each source file to most effectively convey
+    the exclusion of warranty; and each file should have at least the
+    "copyright" line and a pointer to where the full notice is found.
+
+        One line to give the program's name and a brief idea of what it does.
+        Copyright (C) <year> <name of author>
+
+        This program is free software; you can redistribute it and/or modify
+        it under the terms of the GNU General Public License as published by
+        the Free Software Foundation; either version 2 of the License, or
+        (at your option) any later version.
+
+        This program is distributed in the hope that it will be useful, but
+        WITHOUT ANY WARRANTY; without even the implied warranty of
+        MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+        General Public License for more details.
+
+        You should have received a copy of the GNU General Public License
+        along with this program; if not, write to the Free Software
+        Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA
+
+    Also add information on how to contact you by electronic and paper mail.
+
+    If the program is interactive, make it output a short notice like this
+    when it starts in an interactive mode:
+
+        Gnomovision version 69, Copyright (C) year name of author
+        Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type
+        `show w'. This is free software, and you are welcome to redistribute
+        it under certain conditions; type `show c' for details.
+
+    The hypothetical commands `show w' and `show c' should show the
+    appropriate parts of the General Public License. Of course, the commands
+    you use may be called something other than `show w' and `show c'; they
+    could even be mouse-clicks or menu items--whatever suits your program.
+
+    You should also get your employer (if you work as a programmer) or your
+    school, if any, to sign a "copyright disclaimer" for the program, if
+    necessary. Here is a sample; alter the names:
+
+        Yoyodyne, Inc., hereby disclaims all copyright interest in the
+        program `Gnomovision' (which makes passes at compilers) written by
+        James Hacker.
+
+        signature of Ty Coon, 1 April 1989
+        Ty Coon, President of Vice
+
+    This General Public License does not permit incorporating your program
+    into proprietary programs. If your program is a subroutine library, you
+    may consider it more useful to permit linking proprietary applications
+    with the library. If this is what you want to do, use the GNU Library
+    General Public License instead of this License.
+
+---
+
+    Certain source files distributed by Oracle America, Inc. and/or its
+    affiliates are subject to the following clarification and special
+    exception to the GPLv2, based on the GNU Project exception for its
+    Classpath libraries, known as the GNU Classpath Exception, but only
+    where Oracle has expressly included in the particular source file's
+    header the words "Oracle designates this particular file as subject to
+    the "Classpath" exception as provided by Oracle in the LICENSE file
+    that accompanied this code."
+
+    You should also note that Oracle includes multiple, independent
+    programs in this software package. Some of those programs are provided
+    under licenses deemed incompatible with the GPLv2 by the Free Software
+    Foundation and others.  For example, the package includes programs
+    licensed under the Apache License, Version 2.0.  Such programs are
+    licensed to you under their original licenses.
+
+    Oracle facilitates your further distribution of this package by adding
+    the Classpath Exception to the necessary parts of its GPLv2 code, which
+    permits you to use that code in combination with other independent
+    modules not licensed under the GPLv2.  However, note that this would
+    not permit you to commingle code under an incompatible license with
+    Oracle's GPLv2 licensed code by, for example, cutting and pasting such
+    code into a file also containing Oracle's GPLv2 licensed code and then
+    distributing the result.  Additionally, if you were to remove the
+    Classpath Exception from any of the files to which it applies and
+    distribute the result, you would likely be required to license some or
+    all of the other code in that distribution under the GPLv2 as well, and
+    since the GPLv2 is incompatible with the license terms of some items
+    included in the distribution by Oracle, removing the Classpath
+    Exception could therefore effectively compromise your ability to
+    further distribute the package.
+
+    Proceed with caution and we recommend that you obtain the advice of a
+    lawyer skilled in open source matters before removing the Classpath
+    Exception or making modifications to this package which may
+    subsequently be redistributed and/or involve the use of third party
+    software.
+
+    CLASSPATH EXCEPTION
+    Linking this library statically or dynamically with other modules is
+    making a combined work based on this library.  Thus, the terms and
+    conditions of the GNU General Public License version 2 cover the whole
+    combination.
+
+    As a special exception, the copyright holders of this library give you
+    permission to link this library with independent modules to produce an
+    executable, regardless of the license terms of these independent
+    modules, and to copy and distribute the resulting executable under
+    terms of your choice, provided that you also meet, for each linked
+    independent module, the terms and conditions of the license of that
+    module.  An independent module is a module which is not derived from or
+    based on this library.  If you modify this library, you may extend this
+    exception to your version of the library, but you are not obligated to
+    do so.  If you do not wish to do so, delete this exception statement
+    from your version.
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebEndpoint.java b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebEndpoint.java
new file mode 100644
index 00000000000..9a149cde585
--- /dev/null
+++ b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebEndpoint.java
@@ -0,0 +1,73 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2005-2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.xml.ws;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Target;
+import java.lang.annotation.Retention;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ *  Used to annotate the <code>get<em>PortName</em>()</code>
+ *  methods of a generated service interface.
+ *
+ *  <p>The information specified in this annotation is sufficient
+ *  to uniquely identify a {@code wsdl:port} element
+ *  inside a {@code wsdl:service}. The latter is
+ *  determined based on the value of the {@code WebServiceClient}
+ *  annotation on the generated service interface itself.
+ *
+ *  @since 1.6, JAX-WS 2.0
+ *
+ *  @see javax.xml.ws.WebServiceClient
+**/
+@Target({ElementType.METHOD})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebEndpoint {
+  /**
+   *  The local name of the endpoint.
+   *
+   * @return ocal name of the endpoint
+  **/
+  String name() default "";
+}
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceClient.java b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceClient.java
new file mode 100644
index 00000000000..635a86440da
--- /dev/null
+++ b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceClient.java
@@ -0,0 +1,84 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2005-2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.xml.ws;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Target;
+import java.lang.annotation.Retention;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ *  Used to annotate a generated service interface.
+ *
+ *  <p>The information specified in this annotation is sufficient
+ *  to uniquely identify a {@code wsdl:service}
+ *  element inside a WSDL document. This {@code wsdl:service}
+ *  element represents the Web service for which the generated
+ *  service interface provides a client view.
+ *
+ *  @since 1.6, JAX-WS 2.0
+**/
+@Target({ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebServiceClient {
+    /**
+     * The local name of the Web service.
+     *
+     * @return local name
+     */
+    String name() default "";
+
+    /**
+     * The namespace for the Web service.
+     *
+     * @return target namespace name
+     */
+    String targetNamespace() default "";
+
+    /**
+     * The location of the WSDL document for the service (a URL).
+     *
+     * @return location of the WSDL document (a URL)
+     */
+    String wsdlLocation() default "";
+}
diff --git a/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceProvider.java b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceProvider.java
new file mode 100644
index 00000000000..f54713fed23
--- /dev/null
+++ b/java/ql/test/stubs/jaxws-api-2.0/javax/xml/ws/WebServiceProvider.java
@@ -0,0 +1,85 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2005-2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://oss.oracle.com/licenses/CDDL+GPL-1.1
+ * or LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+
+package javax.xml.ws;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.Target;
+import java.lang.annotation.Retention;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+/**
+ * Used to annotate a Provider implementation class.
+ *
+ * @since 1.6, JAX-WS 2.0
+ * @see javax.xml.ws.Provider
+ */
+@Target(ElementType.TYPE)
+@Retention(RetentionPolicy.RUNTIME)
+@Documented
+public @interface WebServiceProvider {
+    /**
+     * Location of the WSDL description for the service.
+     *
+     * @return location of the WSDL description
+     */
+    String wsdlLocation() default "";
+
+    /**
+     * Service name.
+     *
+     * @return service name
+     */
+    String serviceName() default "";
+
+    /**
+     * Target namespace for the service
+     *
+     * @return target namespace
+     */
+    String targetNamespace() default "";
+
+    /**
+     * Port name.
+     *
+     * @return port name
+     */
+    String portName() default "";
+}
diff --git a/java/ql/test/stubs/json-io-4.10.0/com/cedarsoftware/util/io/JsonReader.java b/java/ql/test/stubs/json-io-4.10.0/com/cedarsoftware/util/io/JsonReader.java
new file mode 100644
index 00000000000..75bfce50eeb
--- /dev/null
+++ b/java/ql/test/stubs/json-io-4.10.0/com/cedarsoftware/util/io/JsonReader.java
@@ -0,0 +1,41 @@
+package com.cedarsoftware.util.io;
+
+import java.io.Closeable;
+import java.io.InputStream;
+import java.util.Map;
+
+public class JsonReader implements Closeable {
+
+    public static Object jsonToJava(String json) {
+        return null;
+    }
+
+    public static Object jsonToJava(String json, Map<String, Object> optionalArgs) {
+        return null;
+    }
+
+    public static Object jsonToJava(InputStream inputStream, Map<String, Object> optionalArgs) {
+        return null;
+    }
+
+    public JsonReader() { }
+
+    public JsonReader(InputStream inp) { }
+
+    public JsonReader(Map<String, Object> optionalArgs) { }
+
+    public JsonReader(InputStream inp, boolean useMaps) { }
+
+    public JsonReader(InputStream inp, Map<String, Object> optionalArgs) { }
+
+    public JsonReader(String inp, Map<String, Object> optionalArgs) { }
+
+    public JsonReader(byte[] inp, Map<String, Object> optionalArgs) { }
+
+    public Object readObject() {
+        return null;
+    }
+
+    public void close() { }
+}
+
diff --git a/java/ql/test/stubs/jsr181-api/LICENSE b/java/ql/test/stubs/jsr181-api/LICENSE
new file mode 100644
index 00000000000..b1c74f95ede
--- /dev/null
+++ b/java/ql/test/stubs/jsr181-api/LICENSE
@@ -0,0 +1,759 @@
+COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.1
+
+1. Definitions.
+
+    1.1. "Contributor" means each individual or entity that creates or
+    contributes to the creation of Modifications.
+
+    1.2. "Contributor Version" means the combination of the Original
+    Software, prior Modifications used by a Contributor (if any), and
+    the Modifications made by that particular Contributor.
+
+    1.3. "Covered Software" means (a) the Original Software, or (b)
+    Modifications, or (c) the combination of files containing Original
+    Software with files containing Modifications, in each case including
+    portions thereof.
+
+    1.4. "Executable" means the Covered Software in any form other than
+    Source Code.
+
+    1.5. "Initial Developer" means the individual or entity that first
+    makes Original Software available under this License.
+
+    1.6. "Larger Work" means a work which combines Covered Software or
+    portions thereof with code not governed by the terms of this License.
+
+    1.7. "License" means this document.
+
+    1.8. "Licensable" means having the right to grant, to the maximum
+    extent possible, whether at the time of the initial grant or
+    subsequently acquired, any and all of the rights conveyed herein.
+
+    1.9. "Modifications" means the Source Code and Executable form of
+    any of the following:
+
+    A. Any file that results from an addition to, deletion from or
+    modification of the contents of a file containing Original Software
+    or previous Modifications;
+
+    B. Any new file that contains any part of the Original Software or
+    previous Modification; or
+
+    C. Any new file that is contributed or otherwise made available
+    under the terms of this License.
+
+    1.10. "Original Software" means the Source Code and Executable form
+    of computer software code that is originally released under this
+    License.
+
+    1.11. "Patent Claims" means any patent claim(s), now owned or
+    hereafter acquired, including without limitation, method, process,
+    and apparatus claims, in any patent Licensable by grantor.
+
+    1.12. "Source Code" means (a) the common form of computer software
+    code in which modifications are made and (b) associated
+    documentation included in or with such code.
+
+    1.13. "You" (or "Your") means an individual or a legal entity
+    exercising rights under, and complying with all of the terms of,
+    this License. For legal entities, "You" includes any entity which
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants.
+
+    2.1. The Initial Developer Grant.
+
+    Conditioned upon Your compliance with Section 3.1 below and subject
+    to third party intellectual property claims, the Initial Developer
+    hereby grants You a world-wide, royalty-free, non-exclusive license:
+
+    (a) under intellectual property rights (other than patent or
+    trademark) Licensable by Initial Developer, to use, reproduce,
+    modify, display, perform, sublicense and distribute the Original
+    Software (or portions thereof), with or without Modifications,
+    and/or as part of a Larger Work; and
+
+    (b) under Patent Claims infringed by the making, using or selling of
+    Original Software, to make, have made, use, practice, sell, and
+    offer for sale, and/or otherwise dispose of the Original Software
+    (or portions thereof).
+
+    (c) The licenses granted in Sections 2.1(a) and (b) are effective on
+    the date Initial Developer first distributes or otherwise makes the
+    Original Software available to a third party under the terms of this
+    License.
+
+    (d) Notwithstanding Section 2.1(b) above, no patent license is
+    granted: (1) for code that You delete from the Original Software, or
+    (2) for infringements caused by: (i) the modification of the
+    Original Software, or (ii) the combination of the Original Software
+    with other software or devices.
+
+    2.2. Contributor Grant.
+
+    Conditioned upon Your compliance with Section 3.1 below and subject
+    to third party intellectual property claims, each Contributor hereby
+    grants You a world-wide, royalty-free, non-exclusive license:
+
+    (a) under intellectual property rights (other than patent or
+    trademark) Licensable by Contributor to use, reproduce, modify,
+    display, perform, sublicense and distribute the Modifications
+    created by such Contributor (or portions thereof), either on an
+    unmodified basis, with other Modifications, as Covered Software
+    and/or as part of a Larger Work; and
+
+    (b) under Patent Claims infringed by the making, using, or selling
+    of Modifications made by that Contributor either alone and/or in
+    combination with its Contributor Version (or portions of such
+    combination), to make, use, sell, offer for sale, have made, and/or
+    otherwise dispose of: (1) Modifications made by that Contributor (or
+    portions thereof); and (2) the combination of Modifications made by
+    that Contributor with its Contributor Version (or portions of such
+    combination).
+
+    (c) The licenses granted in Sections 2.2(a) and 2.2(b) are effective
+    on the date Contributor first distributes or otherwise makes the
+    Modifications available to a third party.
+
+    (d) Notwithstanding Section 2.2(b) above, no patent license is
+    granted: (1) for any code that Contributor has deleted from the
+    Contributor Version; (2) for infringements caused by: (i) third
+    party modifications of Contributor Version, or (ii) the combination
+    of Modifications made by that Contributor with other software
+    (except as part of the Contributor Version) or other devices; or (3)
+    under Patent Claims infringed by Covered Software in the absence of
+    Modifications made by that Contributor.
+
+3. Distribution Obligations.
+
+    3.1. Availability of Source Code.
+
+    Any Covered Software that You distribute or otherwise make available
+    in Executable form must also be made available in Source Code form
+    and that Source Code form must be distributed only under the terms
+    of this License. You must include a copy of this License with every
+    copy of the Source Code form of the Covered Software You distribute
+    or otherwise make available. You must inform recipients of any such
+    Covered Software in Executable form as to how they can obtain such
+    Covered Software in Source Code form in a reasonable manner on or
+    through a medium customarily used for software exchange.
+
+    3.2. Modifications.
+
+    The Modifications that You create or to which You contribute are
+    governed by the terms of this License. You represent that You
+    believe Your Modifications are Your original creation(s) and/or You
+    have sufficient rights to grant the rights conveyed by this License.
+
+    3.3. Required Notices.
+
+    You must include a notice in each of Your Modifications that
+    identifies You as the Contributor of the Modification. You may not
+    remove or alter any copyright, patent or trademark notices contained
+    within the Covered Software, or any notices of licensing or any
+    descriptive text giving attribution to any Contributor or the
+    Initial Developer.
+
+    3.4. Application of Additional Terms.
+
+    You may not offer or impose any terms on any Covered Software in
+    Source Code form that alters or restricts the applicable version of
+    this License or the recipients' rights hereunder. You may choose to
+    offer, and to charge a fee for, warranty, support, indemnity or
+    liability obligations to one or more recipients of Covered Software.
+    However, you may do so only on Your own behalf, and not on behalf of
+    the Initial Developer or any Contributor. You must make it
+    absolutely clear that any such warranty, support, indemnity or
+    liability obligation is offered by You alone, and You hereby agree
+    to indemnify the Initial Developer and every Contributor for any
+    liability incurred by the Initial Developer or such Contributor as a
+    result of warranty, support, indemnity or liability terms You offer.
+
+    3.5. Distribution of Executable Versions.
+
+    You may distribute the Executable form of the Covered Software under
+    the terms of this License or under the terms of a license of Your
+    choice, which may contain terms different from this License,
+    provided that You are in compliance with the terms of this License
+    and that the license for the Executable form does not attempt to
+    limit or alter the recipient's rights in the Source Code form from
+    the rights set forth in this License. If You distribute the Covered
+    Software in Executable form under a different license, You must make
+    it absolutely clear that any terms which differ from this License
+    are offered by You alone, not by the Initial Developer or
+    Contributor. You hereby agree to indemnify the Initial Developer and
+    every Contributor for any liability incurred by the Initial
+    Developer or such Contributor as a result of any such terms You offer.
+
+    3.6. Larger Works.
+
+    You may create a Larger Work by combining Covered Software with
+    other code not governed by the terms of this License and distribute
+    the Larger Work as a single product. In such a case, You must make
+    sure the requirements of this License are fulfilled for the Covered
+    Software.
+
+4. Versions of the License.
+
+    4.1. New Versions.
+
+    Oracle is the initial license steward and may publish revised and/or
+    new versions of this License from time to time. Each version will be
+    given a distinguishing version number. Except as provided in Section
+    4.3, no one other than the license steward has the right to modify
+    this License.
+
+    4.2. Effect of New Versions.
+
+    You may always continue to use, distribute or otherwise make the
+    Covered Software available under the terms of the version of the
+    License under which You originally received the Covered Software. If
+    the Initial Developer includes a notice in the Original Software
+    prohibiting it from being distributed or otherwise made available
+    under any subsequent version of the License, You must distribute and
+    make the Covered Software available under the terms of the version
+    of the License under which You originally received the Covered
+    Software. Otherwise, You may also choose to use, distribute or
+    otherwise make the Covered Software available under the terms of any
+    subsequent version of the License published by the license steward.
+
+    4.3. Modified Versions.
+
+    When You are an Initial Developer and You want to create a new
+    license for Your Original Software, You may create and use a
+    modified version of this License if You: (a) rename the license and
+    remove any references to the name of the license steward (except to
+    note that the license differs from this License); and (b) otherwise
+    make it clear that the license contains terms which differ from this
+    License.
+
+5. DISCLAIMER OF WARRANTY.
+
+    COVERED SOFTWARE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS,
+    WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+    INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT THE COVERED SOFTWARE
+    IS FREE OF DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR
+    NON-INFRINGING. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF
+    THE COVERED SOFTWARE IS WITH YOU. SHOULD ANY COVERED SOFTWARE PROVE
+    DEFECTIVE IN ANY RESPECT, YOU (NOT THE INITIAL DEVELOPER OR ANY
+    OTHER CONTRIBUTOR) ASSUME THE COST OF ANY NECESSARY SERVICING,
+    REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN
+    ESSENTIAL PART OF THIS LICENSE. NO USE OF ANY COVERED SOFTWARE IS
+    AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
+
+6. TERMINATION.
+
+    6.1. This License and the rights granted hereunder will terminate
+    automatically if You fail to comply with terms herein and fail to
+    cure such breach within 30 days of becoming aware of the breach.
+    Provisions which, by their nature, must remain in effect beyond the
+    termination of this License shall survive.
+
+    6.2. If You assert a patent infringement claim (excluding
+    declaratory judgment actions) against Initial Developer or a
+    Contributor (the Initial Developer or Contributor against whom You
+    assert such claim is referred to as "Participant") alleging that the
+    Participant Software (meaning the Contributor Version where the
+    Participant is a Contributor or the Original Software where the
+    Participant is the Initial Developer) directly or indirectly
+    infringes any patent, then any and all rights granted directly or
+    indirectly to You by such Participant, the Initial Developer (if the
+    Initial Developer is not the Participant) and all Contributors under
+    Sections 2.1 and/or 2.2 of this License shall, upon 60 days notice
+    from Participant terminate prospectively and automatically at the
+    expiration of such 60 day notice period, unless if within such 60
+    day period You withdraw Your claim with respect to the Participant
+    Software against such Participant either unilaterally or pursuant to
+    a written agreement with Participant.
+
+    6.3. If You assert a patent infringement claim against Participant
+    alleging that the Participant Software directly or indirectly
+    infringes any patent where such claim is resolved (such as by
+    license or settlement) prior to the initiation of patent
+    infringement litigation, then the reasonable value of the licenses
+    granted by such Participant under Sections 2.1 or 2.2 shall be taken
+    into account in determining the amount or value of any payment or
+    license.
+
+    6.4. In the event of termination under Sections 6.1 or 6.2 above,
+    all end user licenses that have been validly granted by You or any
+    distributor hereunder prior to termination (excluding licenses
+    granted to You by any distributor) shall survive termination.
+
+7. LIMITATION OF LIABILITY.
+
+    UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT
+    (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE
+    INITIAL DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF
+    COVERED SOFTWARE, OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE
+    TO ANY PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR
+    CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT
+    LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER
+    FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR
+    LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE
+    POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL NOT
+    APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY RESULTING FROM SUCH
+    PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW PROHIBITS SUCH
+    LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
+    LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION
+    AND LIMITATION MAY NOT APPLY TO YOU.
+
+8. U.S. GOVERNMENT END USERS.
+
+    The Covered Software is a "commercial item," as that term is defined
+    in 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer
+    software" (as that term is defined at 48 C.F.R. §
+    252.227-7014(a)(1)) and "commercial computer software documentation"
+    as such terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent
+    with 48 C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4
+    (June 1995), all U.S. Government End Users acquire Covered Software
+    with only those rights set forth herein. This U.S. Government Rights
+    clause is in lieu of, and supersedes, any other FAR, DFAR, or other
+    clause or provision that addresses Government rights in computer
+    software under this License.
+
+9. MISCELLANEOUS.
+
+    This License represents the complete agreement concerning subject
+    matter hereof. If any provision of this License is held to be
+    unenforceable, such provision shall be reformed only to the extent
+    necessary to make it enforceable. This License shall be governed by
+    the law of the jurisdiction specified in a notice contained within
+    the Original Software (except to the extent applicable law, if any,
+    provides otherwise), excluding such jurisdiction's conflict-of-law
+    provisions. Any litigation relating to this License shall be subject
+    to the jurisdiction of the courts located in the jurisdiction and
+    venue specified in a notice contained within the Original Software,
+    with the losing party responsible for costs, including, without
+    limitation, court costs and reasonable attorneys' fees and expenses.
+    The application of the United Nations Convention on Contracts for
+    the International Sale of Goods is expressly excluded. Any law or
+    regulation which provides that the language of a contract shall be
+    construed against the drafter shall not apply to this License. You
+    agree that You alone are responsible for compliance with the United
+    States export administration regulations (and the export control
+    laws and regulation of any other countries) when You use, distribute
+    or otherwise make available any Covered Software.
+
+10. RESPONSIBILITY FOR CLAIMS.
+
+    As between Initial Developer and the Contributors, each party is
+    responsible for claims and damages arising, directly or indirectly,
+    out of its utilization of rights under this License and You agree to
+    work with Initial Developer and Contributors to distribute such
+    responsibility on an equitable basis. Nothing herein is intended or
+    shall be deemed to constitute any admission of liability.
+
+------------------------------------------------------------------------
+
+NOTICE PURSUANT TO SECTION 9 OF THE COMMON DEVELOPMENT AND DISTRIBUTION
+LICENSE (CDDL)
+
+The code released under the CDDL shall be governed by the laws of the
+State of California (excluding conflict-of-law provisions). Any
+litigation relating to this License shall be subject to the jurisdiction
+of the Federal Courts of the Northern District of California and the
+state courts of the State of California, with venue lying in Santa Clara
+County, California.
+
+
+
+  The GNU General Public License (GPL) Version 2, June 1991
+
+Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+51 Franklin Street, Fifth Floor
+Boston, MA 02110-1335
+USA
+
+Everyone is permitted to copy and distribute verbatim copies
+of this license document, but changing it is not allowed.
+
+Preamble
+
+The licenses for most software are designed to take away your freedom to
+share and change it. By contrast, the GNU General Public License is
+intended to guarantee your freedom to share and change free software--to
+make sure the software is free for all its users. This General Public
+License applies to most of the Free Software Foundation's software and
+to any other program whose authors commit to using it. (Some other Free
+Software Foundation software is covered by the GNU Library General
+Public License instead.) You can apply it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not price.
+Our General Public Licenses are designed to make sure that you have the
+freedom to distribute copies of free software (and charge for this
+service if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs; and that you know you can do these things.
+
+To protect your rights, we need to make restrictions that forbid anyone
+to deny you these rights or to ask you to surrender the rights. These
+restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+For example, if you distribute copies of such a program, whether gratis
+or for a fee, you must give the recipients all the rights that you have.
+You must make sure that they, too, receive or can get the source code.
+And you must show them these terms so they know their rights.
+
+We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+Finally, any free program is threatened constantly by software patents.
+We wish to avoid the danger that redistributors of a free program will
+individually obtain patent licenses, in effect making the program
+proprietary. To prevent this, we have made it clear that any patent must
+be licensed for everyone's free use or not licensed at all.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+0. This License applies to any program or other work which contains a
+notice placed by the copyright holder saying it may be distributed under
+the terms of this General Public License. The "Program", below, refers
+to any such program or work, and a "work based on the Program" means
+either the Program or any derivative work under copyright law: that is
+to say, a work containing the Program or a portion of it, either
+verbatim or with modifications and/or translated into another language.
+(Hereinafter, translation is included without limitation in the term
+"modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of running
+the Program is not restricted, and the output from the Program is
+covered only if its contents constitute a work based on the Program
+(independent of having been made by running the Program). Whether that
+is true depends on what the Program does.
+
+1. You may copy and distribute verbatim copies of the Program's source
+code as you receive it, in any medium, provided that you conspicuously
+and appropriately publish on each copy an appropriate copyright notice
+and disclaimer of warranty; keep intact all the notices that refer to
+this License and to the absence of any warranty; and give any other
+recipients of the Program a copy of this License along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+2. You may modify your copy or copies of the Program or any portion of
+it, thus forming a work based on the Program, and copy and distribute
+such modifications or work under the terms of Section 1 above, provided
+that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any part
+    thereof, to be licensed as a whole at no charge to all third parties
+    under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a notice
+    that there is no warranty (or else, saying that you provide a
+    warranty) and that users may redistribute the program under these
+    conditions, and telling the user how to view a copy of this License.
+    (Exception: if the Program itself is interactive but does not
+    normally print such an announcement, your work based on the Program
+    is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program, and
+can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based on
+the Program, the distribution of the whole must be on the terms of this
+License, whose permissions for other licensees extend to the entire
+whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of a
+storage or distribution medium does not bring the other work under the
+scope of this License.
+
+3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections 1
+    and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your cost
+    of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer to
+    distribute corresponding source code. (This alternative is allowed
+    only for noncommercial distribution and only if you received the
+    program in object code or executable form with such an offer, in
+    accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source code
+means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to control
+compilation and installation of the executable. However, as a special
+exception, the source code distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies the
+executable.
+
+If distribution of executable or object code is made by offering access
+to copy from a designated place, then offering equivalent access to copy
+the source code from the same place counts as distribution of the source
+code, even though third parties are not compelled to copy the source
+along with the object code.
+
+4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt otherwise
+to copy, modify, sublicense or distribute the Program is void, and will
+automatically terminate your rights under this License. However, parties
+who have received copies, or rights, from you under this License will
+not have their licenses terminated so long as such parties remain in
+full compliance.
+
+5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and all
+its terms and conditions for copying, distributing or modifying the
+Program or works based on it.
+
+6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further restrictions
+on the recipients' exercise of the rights granted herein. You are not
+responsible for enforcing compliance by third parties to this License.
+
+7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot distribute
+so as to satisfy simultaneously your obligations under this License and
+any other pertinent obligations, then as a consequence you may not
+distribute the Program at all. For example, if a patent license would
+not permit royalty-free redistribution of the Program by all those who
+receive copies directly or indirectly through you, then the only way you
+could satisfy both it and this License would be to refrain entirely from
+distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is implemented
+by public license practices. Many people have made generous
+contributions to the wide range of software distributed through that
+system in reliance on consistent application of that system; it is up to
+the author/donor to decide if he or she is willing to distribute
+software through any other system and a licensee cannot impose that choice.
+
+This section is intended to make thoroughly clear what is believed to be
+a consequence of the rest of this License.
+
+8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License may
+add an explicit geographical distribution limitation excluding those
+countries, so that distribution is permitted only in or among countries
+not thus excluded. In such case, this License incorporates the
+limitation as if written in the body of this License.
+
+9. The Free Software Foundation may publish revised and/or new
+versions of the General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation. If the Program does not specify a version
+number of this License, you may choose any version ever published by the
+Free Software Foundation.
+
+10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the
+author to ask for permission. For software which is copyrighted by the
+Free Software Foundation, write to the Free Software Foundation; we
+sometimes make exceptions for this. Our decision will be guided by the
+two goals of preserving the free status of all derivatives of our free
+software and of promoting the sharing and reuse of software generally.
+
+NO WARRANTY
+
+11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND,
+EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH
+YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
+NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
+DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL
+DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM
+(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
+INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF
+THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR
+OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest to
+attach them to the start of each source file to most effectively convey
+the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+    One line to give the program's name and a brief idea of what it does.
+    Copyright (C) <year> <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful, but
+    WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+    General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335 USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type
+    `show w'. This is free software, and you are welcome to redistribute
+    it under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the
+appropriate parts of the General Public License. Of course, the commands
+you use may be called something other than `show w' and `show c'; they
+could even be mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+    Yoyodyne, Inc., hereby disclaims all copyright interest in the
+    program `Gnomovision' (which makes passes at compilers) written by
+    James Hacker.
+
+    signature of Ty Coon, 1 April 1989
+    Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications
+with the library. If this is what you want to do, use the GNU Library
+General Public License instead of this License.
+
+#
+
+Certain source files distributed by Oracle America, Inc. and/or its
+affiliates are subject to the following clarification and special
+exception to the GPLv2, based on the GNU Project exception for its
+Classpath libraries, known as the GNU Classpath Exception, but only
+where Oracle has expressly included in the particular source file's
+header the words "Oracle designates this particular file as subject to
+the "Classpath" exception as provided by Oracle in the LICENSE file
+that accompanied this code."
+
+You should also note that Oracle includes multiple, independent
+programs in this software package. Some of those programs are provided
+under licenses deemed incompatible with the GPLv2 by the Free Software
+Foundation and others.  For example, the package includes programs
+licensed under the Apache License, Version 2.0.  Such programs are
+licensed to you under their original licenses.
+
+Oracle facilitates your further distribution of this package by adding
+the Classpath Exception to the necessary parts of its GPLv2 code, which
+permits you to use that code in combination with other independent
+modules not licensed under the GPLv2.  However, note that this would
+not permit you to commingle code under an incompatible license with
+Oracle's GPLv2 licensed code by, for example, cutting and pasting such
+code into a file also containing Oracle's GPLv2 licensed code and then
+distributing the result.  Additionally, if you were to remove the
+Classpath Exception from any of the files to which it applies and
+distribute the result, you would likely be required to license some or
+all of the other code in that distribution under the GPLv2 as well, and
+since the GPLv2 is incompatible with the license terms of some items
+included in the distribution by Oracle, removing the Classpath
+Exception could therefore effectively compromise your ability to
+further distribute the package.
+
+Proceed with caution and we recommend that you obtain the advice of a
+lawyer skilled in open source matters before removing the Classpath
+Exception or making modifications to this package which may
+subsequently be redistributed and/or involve the use of third party
+software.
+
+CLASSPATH EXCEPTION
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License version 2 cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from or
+based on this library.  If you modify this library, you may extend this
+exception to your version of the library, but you are not obligated to
+do so.  If you do not wish to do so, delete this exception statement
+from your version.
diff --git a/java/ql/test/stubs/jsr181-api/javax/jws/WebMethod.java b/java/ql/test/stubs/jsr181-api/javax/jws/WebMethod.java
new file mode 100644
index 00000000000..92813b5a255
--- /dev/null
+++ b/java/ql/test/stubs/jsr181-api/javax/jws/WebMethod.java
@@ -0,0 +1,48 @@
+package javax.jws;
+
+import java.lang.annotation.Target;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ * Customizes a method that is exposed as a Web Service operation.
+ * The associated method must be public and its parameters return value,
+ * and exceptions must follow the rules defined in JAX-RPC 1.1, section 5.
+ *
+ *  The method is not required to throw java.rmi.RemoteException.
+ *
+ * @author Copyright (c) 2004 by BEA Systems, Inc. All Rights Reserved.
+ *
+ * @since 1.6
+ */
+@Retention(value = RetentionPolicy.RUNTIME)
+@Target({ElementType.METHOD})
+public @interface WebMethod {
+
+    /**
+     * Name of the wsdl:operation matching this method.
+     *
+     * @specdefault Name of the Java method.
+     */
+    String operationName() default "";
+
+    /**
+     * The action for this operation.
+     * <p>
+     * For SOAP bindings, this determines the value of the soap action.
+     */
+    String action() default "";
+
+    /**
+     * Marks a method to NOT be exposed as a web method.
+     * <p>
+     * Used to stop an inherited method from being exposed as part of this web service.
+     * If this element is specified, other elements MUST NOT be specified for the @WebMethod.
+     * <p>
+     * <i>This member-value is not allowed on endpoint interfaces.</i>
+     *
+     * @since 2.0
+     */
+    boolean exclude() default false;
+};
diff --git a/java/ql/test/stubs/jsr181-api/javax/jws/WebService.java b/java/ql/test/stubs/jsr181-api/javax/jws/WebService.java
new file mode 100644
index 00000000000..67eebee9ca3
--- /dev/null
+++ b/java/ql/test/stubs/jsr181-api/javax/jws/WebService.java
@@ -0,0 +1,97 @@
+package javax.jws;
+
+import java.lang.annotation.Target;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.ElementType;
+
+/**
+ * Marks a Java class as implementing a Web Service, or a Java interface as defining a Web Service interface.
+ *
+ * @author Copyright (c) 2004 by BEA Systems, Inc. All Rights Reserved.
+ *
+ * @since 1.6
+ */
+@Retention(value = RetentionPolicy.RUNTIME)
+@Target(value = {ElementType.TYPE})
+public @interface WebService {
+
+    /**
+     * The name of the Web Service.
+     * <p>
+     * Used as the name of the wsdl:portType when mapped to WSDL 1.1.
+     *
+     * @specdefault The simple name of the Java class or interface.
+     */
+    String name() default "";
+
+    /**
+     * If the @WebService.targetNamespace annotation is on a service endpoint interface, the targetNamespace is used
+     * for the namespace for the wsdl:portType (and associated XML elements).
+     * <p>
+     * If the @WebService.targetNamespace annotation is on a service implementation bean that does NOT reference a
+     * service endpoint interface (through the endpointInterface attribute), the targetNamespace is used for both the
+     * wsdl:portType and the wsdl:service (and associated XML elements).
+     * <p>
+     * If the @WebService.targetNamespace annotation is on a service implementation bean that does reference a service
+     * endpoint interface (through the endpointInterface attribute), the targetNamespace is used for only the
+     * wsdl:service (and associated XML elements).
+     *
+     * @specdefault Implementation-defined, as described in JAX-WS 2.0 [5], section 3.2.
+     */
+    String targetNamespace() default "";
+
+    /**
+     * The service name of the Web Service.
+     * <p>
+     * Used as the name of the wsdl:service when mapped to WSDL 1.1.
+     * <p>
+     * <i>This member-value is not allowed on endpoint interfaces.</i>
+     *
+     * @specdefault The simple name of the Java class + Service".
+     */
+    String serviceName() default "";
+
+    /**
+     * The port name of the Web Service.
+     * <p>
+     * Used as the name of the wsdl:port when mapped to WSDL 1.1.
+     * <p>
+     * <i>This member-value is not allowed on endpoint interfaces.</i>
+     *
+     * @specdefault {@code @WebService.name}+Port.
+     *
+     * @since 2.0
+     */
+    String portName() default "";
+
+    /**
+     * The location of a pre-defined WSDL describing the service.
+     * <p>
+     * The wsdlLocation is a URL (relative or absolute) that refers to a pre-existing WSDL file.  The presence of a
+     * wsdlLocation value indicates that the service implementation bean is implementing a pre-defined WSDL contract.
+     * The JSR-181 tool MUST provide feedback if the service implementation bean is inconsistent with the portType and
+     * bindings declared in this WSDL. Note that a single WSDL file might contain multiple portTypes and multiple
+     * bindings.  The annotations on the service implementation bean determine the specific portType and bindings that
+     * correspond to the Web Service.
+     */
+    String wsdlLocation() default "";
+
+    /**
+     * The complete name of the service endpoint interface defining the service's abstract Web Service contract.
+     * <p>
+     * This annotation allows the developer to separate the interface contract from the implementation.  If this
+     * annotation is present, the service endpoint interface is used to determine the abstract WSDL contract (portType
+     * and bindings). The service endpoint interface MAY include JSR-181 annotations to customize the mapping from
+     * Java to WSDL.
+     * <br>
+     * The service implementation bean MAY implement the service endpoint interface, but is not REQUIRED to do so.
+     * <br>
+     * If this member-value is not present, the Web Service contract is generated from annotations on the service
+     * implementation bean.  If a service endpoint interface is required by the target environment, it will be
+     * generated into an implementation-defined package with an implementation- defined name
+     * <p>
+     * <i>This member-value is not allowed on endpoint interfaces.</i>
+     */
+    String endpointInterface() default "";
+};
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/Yaml.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/Yaml.java
new file mode 100644
index 00000000000..43c10a12142
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/Yaml.java
@@ -0,0 +1,77 @@
+package org.ho.yaml;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.Reader;
+
+public class Yaml {
+
+    public Yaml() {
+    }
+
+    public static Object load(Reader var0) {
+        return null;
+    }
+
+    public static Object load(InputStream var0) {
+        return null;
+    }
+
+    public static Object load(File var0) throws FileNotFoundException {
+        return null;
+    }
+
+    public static Object load(String var0) {
+        return null;
+    }
+
+    public static <T> T loadType(Reader var0, Class<T> var1) {
+        return null;
+    }
+
+    public static <T> T loadType(InputStream var0, Class<T> var1) throws FileNotFoundException {
+        return null;
+    }
+
+    public static <T> T loadType(File var0, Class<T> var1) throws FileNotFoundException {
+        return null;
+    }
+
+    public static <T> T loadType(String var0, Class<T> var1) {
+        return null;
+    }
+
+    public static YamlStream loadStream(Reader var0) {
+        return null;
+    }
+
+    public static YamlStream loadStream(InputStream var0) {
+        return null;
+    }
+
+    public static YamlStream loadStream(File var0) throws FileNotFoundException {
+        return null;
+    }
+
+    public static YamlStream loadStream(String var0) {
+        return null;
+    }
+
+    public static <T> YamlStream<T> loadStreamOfType(Reader var0, Class<T> var1) {
+        return null;
+    }
+
+    public static <T> YamlStream<T> loadStreamOfType(InputStream var0, Class<T> var1) {
+        return null;
+    }
+
+    public static <T> YamlStream<T> loadStreamOfType(File var0, Class<T> var1) throws FileNotFoundException {
+        return null;
+    }
+
+    public static <T> YamlStream<T> loadStreamOfType(String var0, Class<T> var1) throws FileNotFoundException {
+        return null;
+    }
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlConfig.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlConfig.java
new file mode 100644
index 00000000000..bdf3059eec7
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlConfig.java
@@ -0,0 +1,122 @@
+package org.ho.yaml;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import java.util.Iterator;
+
+public class YamlConfig implements YamlOperations, Cloneable {
+
+    public YamlConfig() { }
+
+    public Object load(YamlDecoder var1) {
+        return null;
+    }
+
+    public Object load(InputStream var1) {
+        return null;
+    }
+
+    public Object load(Reader var1) {
+        return null;
+    }
+
+    public Object load(File var1) throws FileNotFoundException {
+        return null;
+    }
+
+    public Object load(String var1) {
+        return null;
+    }
+
+    public <T> T loadType(YamlDecoder var1, Class<T> var2) {
+        return null;
+    }
+
+    public <T> T loadType(InputStream var1, Class<T> var2) {
+        return null;
+    }
+
+    public <T> T loadType(Reader var1, Class<T> var2) {
+        return null;
+    }
+
+    public <T> T loadType(File var1, Class<T> var2) throws FileNotFoundException {
+        return null;
+    }
+
+    public <T> T loadType(String var1, Class<T> var2) {
+        return null;
+    }
+
+    public YamlStream loadStream(YamlDecoder var1) {
+        return null;
+    }
+
+    public YamlStream loadStream(Reader var1) {
+        return null;
+    }
+
+    public YamlStream loadStream(InputStream var1) {
+        return null;
+    }
+
+    public YamlStream loadStream(File var1) throws FileNotFoundException {
+        return null;
+    }
+
+    public YamlStream loadStream(String var1) {
+        return null;
+    }
+
+    public <T> YamlStream<T> loadStreamOfType(YamlDecoder var1, Class<T> var2) {
+        return null;
+    }
+
+    public <T> YamlStream<T> loadStreamOfType(Reader var1, Class<T> var2) {
+        return null;
+    }
+
+    public <T> YamlStream<T> loadStreamOfType(InputStream var1, Class<T> var2) {
+        return null;
+    }
+
+    public <T> YamlStream<T> loadStreamOfType(File var1, Class<T> var2) throws FileNotFoundException {
+        return null;
+    }
+
+    public <T> YamlStream<T> loadStreamOfType(String var1, Class<T> var2) {
+        return null;
+    }
+
+    public void dump(Object var1, File var2) throws FileNotFoundException { }
+
+    public void dump(Object var1, File var2, boolean var3) throws FileNotFoundException { }
+
+    public String dump(Object var1) {
+        return null;
+    }
+
+    public String dump(Object var1, boolean var2) {
+        return null;
+    }
+
+    public void dump(Object var1, OutputStream var2, boolean var3) { }
+
+    public void dump(Object var1, OutputStream var2) { }
+
+    public void dumpStream(Iterator var1, File var2, boolean var3) throws FileNotFoundException { }
+
+    public void dumpStream(Iterator var1, File var2) throws FileNotFoundException { }
+
+    public String dumpStream(Iterator var1) {
+        return null;
+    }
+
+    public String dumpStream(Iterator var1, boolean var2) {
+        return null;
+    }
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlDecoder.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlDecoder.java
new file mode 100644
index 00000000000..b3bd4982a77
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlDecoder.java
@@ -0,0 +1,16 @@
+package org.ho.yaml;
+
+import java.io.InputStream;
+import java.io.Reader;
+
+public class YamlDecoder {
+    
+    YamlDecoder(InputStream var1, YamlConfig var2) { }
+
+    public YamlDecoder(InputStream var1) { }
+
+    public YamlDecoder(Reader var1) { }
+
+    public YamlDecoder(Reader var1, YamlConfig var2) { }
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlOperations.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlOperations.java
new file mode 100644
index 00000000000..b4af6ee7125
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlOperations.java
@@ -0,0 +1,63 @@
+package org.ho.yaml;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Reader;
+import java.util.Iterator;
+
+public interface YamlOperations {
+    Object load(InputStream var1);
+
+    Object load(Reader var1);
+
+    Object load(File var1) throws FileNotFoundException;
+
+    Object load(String var1);
+
+    <T> T loadType(InputStream var1, Class<T> var2);
+
+    <T> T loadType(Reader var1, Class<T> var2);
+
+    <T> T loadType(File var1, Class<T> var2) throws FileNotFoundException;
+
+    <T> T loadType(String var1, Class<T> var2);
+
+    YamlStream loadStream(InputStream var1);
+
+    YamlStream loadStream(Reader var1);
+
+    YamlStream loadStream(File var1) throws FileNotFoundException;
+
+    YamlStream loadStream(String var1);
+
+    <T> YamlStream<T> loadStreamOfType(InputStream var1, Class<T> var2);
+
+    <T> YamlStream<T> loadStreamOfType(Reader var1, Class<T> var2);
+
+    <T> YamlStream<T> loadStreamOfType(File var1, Class<T> var2) throws FileNotFoundException;
+
+    <T> YamlStream<T> loadStreamOfType(String var1, Class<T> var2);
+
+    void dump(Object var1, File var2) throws FileNotFoundException;
+
+    void dump(Object var1, File var2, boolean var3) throws FileNotFoundException;
+
+    String dump(Object var1);
+
+    String dump(Object var1, boolean var2);
+
+    void dumpStream(Iterator var1, File var2) throws FileNotFoundException;
+
+    void dumpStream(Iterator var1, File var2, boolean var3) throws FileNotFoundException;
+
+    String dumpStream(Iterator var1);
+
+    String dumpStream(Iterator var1, boolean var2);
+
+    void dump(Object var1, OutputStream var2);
+
+    void dump(Object var1, OutputStream var2, boolean var3);
+}
+
diff --git a/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlStream.java b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlStream.java
new file mode 100644
index 00000000000..53f0ddf144e
--- /dev/null
+++ b/java/ql/test/stubs/jyaml-1.3/org/ho/yaml/YamlStream.java
@@ -0,0 +1,7 @@
+package org.ho.yaml;
+
+import java.util.Iterator;
+
+public interface YamlStream<T> extends Iterable<T>, Iterator<T> {
+}
+
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/Aware.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/Aware.java
new file mode 100644
index 00000000000..2a632c4b7b3
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/Aware.java
@@ -0,0 +1,4 @@
+package org.springframework.beans.factory;
+
+public interface Aware {
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanClassLoaderAware.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanClassLoaderAware.java
new file mode 100644
index 00000000000..666ca3a0b42
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/beans/factory/BeanClassLoaderAware.java
@@ -0,0 +1,5 @@
+package org.springframework.beans.factory;
+
+public interface BeanClassLoaderAware extends Aware {
+    void setBeanClassLoader(ClassLoader var1);
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/ScriptEvaluator.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/ScriptEvaluator.java
new file mode 100644
index 00000000000..0f6c2c381b8
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/ScriptEvaluator.java
@@ -0,0 +1,12 @@
+package org.springframework.scripting;
+
+import java.util.Map;
+import org.springframework.lang.Nullable;
+
+public interface ScriptEvaluator {
+    @Nullable
+    Object evaluate(ScriptSource var1) ;
+
+    @Nullable
+    Object evaluate(ScriptSource var1, @Nullable Map<String, Object> var2) ;
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/ScriptSource.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/ScriptSource.java
new file mode 100644
index 00000000000..0c75507020e
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/ScriptSource.java
@@ -0,0 +1,13 @@
+package org.springframework.scripting;
+
+import java.io.IOException;
+import org.springframework.lang.Nullable;
+
+public interface ScriptSource {
+    String getScriptAsString() throws IOException;
+
+    boolean isModified();
+
+    @Nullable
+    String suggestedClassName();
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/bsh/BshScriptEvaluator.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/bsh/BshScriptEvaluator.java
new file mode 100644
index 00000000000..c1e076a6c41
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/bsh/BshScriptEvaluator.java
@@ -0,0 +1,26 @@
+package org.springframework.scripting.bsh;
+
+import java.util.Map;
+import org.springframework.beans.factory.BeanClassLoaderAware;
+import org.springframework.lang.Nullable;
+import org.springframework.scripting.ScriptEvaluator;
+import org.springframework.scripting.ScriptSource;
+
+public class BshScriptEvaluator implements ScriptEvaluator, BeanClassLoaderAware {
+
+    public BshScriptEvaluator() { }
+
+    public BshScriptEvaluator(ClassLoader classLoader) { }
+
+    public void setBeanClassLoader(ClassLoader classLoader) { }
+
+    @Nullable
+    public Object evaluate(ScriptSource script) {
+        return null;
+    }
+
+    @Nullable
+    public Object evaluate(ScriptSource script, @Nullable Map<String, Object> arguments) {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/support/StaticScriptSource.java b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/support/StaticScriptSource.java
new file mode 100644
index 00000000000..5b22cf4b1ab
--- /dev/null
+++ b/java/ql/test/stubs/springframework-5.2.3/org/springframework/scripting/support/StaticScriptSource.java
@@ -0,0 +1,30 @@
+package org.springframework.scripting.support;
+
+import org.springframework.lang.Nullable;
+import org.springframework.scripting.ScriptSource;
+
+public class StaticScriptSource implements ScriptSource {
+
+    public StaticScriptSource(String script) { }
+
+    public StaticScriptSource(String script, @Nullable String className) { }
+
+    public synchronized void setScript(String script) { }
+
+    public synchronized String getScriptAsString() {
+        return null;
+    }
+
+    public synchronized boolean isModified() {
+        return true;
+    }
+
+    @Nullable
+    public String suggestedClassName() {
+        return null;
+    }
+
+    public String toString() {
+        return null;
+    }
+}
diff --git a/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlConfig.java b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlConfig.java
new file mode 100644
index 00000000000..3488ef83dab
--- /dev/null
+++ b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlConfig.java
@@ -0,0 +1,7 @@
+package com.esotericsoftware.yamlbeans;
+
+public class YamlConfig {
+
+    public YamlConfig() { }
+}
+
diff --git a/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlException.java b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlException.java
new file mode 100644
index 00000000000..cb2e54f97e0
--- /dev/null
+++ b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlException.java
@@ -0,0 +1,18 @@
+package com.esotericsoftware.yamlbeans;
+
+import java.io.IOException;
+
+public class YamlException extends IOException {
+    public YamlException() {
+    }
+
+    public YamlException(String message, Throwable cause) {
+    }
+
+    public YamlException(String message) {
+    }
+
+    public YamlException(Throwable cause) {
+    }
+}
+
diff --git a/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlReader.java b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlReader.java
new file mode 100644
index 00000000000..edaeeb911e0
--- /dev/null
+++ b/java/ql/test/stubs/yamlbeans-1.09/com/esotericsoftware/yamlbeans/YamlReader.java
@@ -0,0 +1,28 @@
+package com.esotericsoftware.yamlbeans;
+
+
+import java.io.Reader;
+
+public class YamlReader {
+
+    public YamlReader(Reader reader) { }
+
+    public YamlReader(Reader reader, YamlConfig config) { }
+
+    public YamlReader(String yaml) { }
+
+    public YamlReader(String yaml, YamlConfig config) { }
+
+    public Object read() throws YamlException {
+        return null;
+    }
+
+    public <T> T read(Class<T> type) throws YamlException {
+        return null;
+    }
+
+    public <T> T read(Class<T> type, Class elementType) throws YamlException {
+        return null;
+    }
+}
+
diff --git a/javascript/change-notes/2021-06-09-graphql.md b/javascript/change-notes/2021-06-09-graphql.md
new file mode 100644
index 00000000000..b747906a982
--- /dev/null
+++ b/javascript/change-notes/2021-06-09-graphql.md
@@ -0,0 +1,9 @@
+lgtm,codescanning
+* The `js/sql-injection` query now recognizes graphql injections. 
+  Affected packages are
+    [@octokit/core](https://npmjs.com/package/@octokit/core),
+    [@octokit/rest](https://npmjs.com/package/@octokit/rest),
+    [@octokit/graphql](https://npmjs.com/package/@octokit/graphql),
+    [@octokit/request](https://npmjs.com/package/@octokit/request), 
+    [@actions/github](https://npmjs.com/package/@actions/github), and
+    [graphql](https://npmjs.com/package/graphql)
\ No newline at end of file
diff --git a/javascript/change-notes/2021-06-11-knex.md b/javascript/change-notes/2021-06-11-knex.md
new file mode 100644
index 00000000000..2aea58b0aec
--- /dev/null
+++ b/javascript/change-notes/2021-06-11-knex.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* SQL injection sinks from the `knex` library are now recognized.
diff --git a/javascript/ql/src/AngularJS/DisablingSce.ql b/javascript/ql/src/AngularJS/DisablingSce.ql
index eae9a924a2c..7ec1b5405b2 100644
--- a/javascript/ql/src/AngularJS/DisablingSce.ql
+++ b/javascript/ql/src/AngularJS/DisablingSce.ql
@@ -3,7 +3,7 @@
  * @description Disabling strict contextual escaping (SCE) can cause security vulnerabilities.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision very-high
  * @id js/angular/disabling-sce
  * @tags security
diff --git a/javascript/ql/src/AngularJS/DoubleCompilation.ql b/javascript/ql/src/AngularJS/DoubleCompilation.ql
index e81351ea0d4..95f088d20ce 100644
--- a/javascript/ql/src/AngularJS/DoubleCompilation.ql
+++ b/javascript/ql/src/AngularJS/DoubleCompilation.ql
@@ -4,7 +4,7 @@
  *              unexpected behavior of directives, performance problems, and memory leaks.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @id js/angular/double-compilation
  * @tags reliability
  *       frameworks/angularjs
diff --git a/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql b/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
index b17c3188328..ac4c4772f11 100644
--- a/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
+++ b/javascript/ql/src/AngularJS/InsecureUrlWhitelist.ql
@@ -3,7 +3,7 @@
  * @description URL whitelists that are too permissive can cause security vulnerabilities.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision very-high
  * @id js/angular/insecure-url-whitelist
  * @tags security
diff --git a/javascript/ql/src/DOM/TargetBlank.ql b/javascript/ql/src/DOM/TargetBlank.ql
index 588552c9bff..8d16a60bc83 100644
--- a/javascript/ql/src/DOM/TargetBlank.ql
+++ b/javascript/ql/src/DOM/TargetBlank.ql
@@ -4,7 +4,7 @@
  *              link type 'noopener' or 'noreferrer' are a potential security risk.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
  * @id js/unsafe-external-link
  * @tags maintainability
  *       security
diff --git a/javascript/ql/src/Electron/AllowRunningInsecureContent.ql b/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
index 8a4535992d9..327caf9a4bd 100644
--- a/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
+++ b/javascript/ql/src/Electron/AllowRunningInsecureContent.ql
@@ -3,7 +3,7 @@
  * @description Enabling allowRunningInsecureContent can allow remote code execution.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision very-high
  * @tags security
  *       frameworks/electron
diff --git a/javascript/ql/src/Electron/DisablingWebSecurity.ql b/javascript/ql/src/Electron/DisablingWebSecurity.ql
index 07b4d98ad3c..a2b0c0a8a01 100644
--- a/javascript/ql/src/Electron/DisablingWebSecurity.ql
+++ b/javascript/ql/src/Electron/DisablingWebSecurity.ql
@@ -3,7 +3,7 @@
  * @description Disabling webSecurity can cause critical security vulnerabilities.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision very-high
  * @tags security
  *       frameworks/electron
diff --git a/javascript/ql/src/Electron/EnablingNodeIntegration.ql b/javascript/ql/src/Electron/EnablingNodeIntegration.ql
index 6bf424d52e9..074470b6a64 100644
--- a/javascript/ql/src/Electron/EnablingNodeIntegration.ql
+++ b/javascript/ql/src/Electron/EnablingNodeIntegration.ql
@@ -3,7 +3,7 @@
  * @description Enabling `nodeIntegration` or `nodeIntegrationInWorker` can expose the application to remote code execution.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision low
  * @id js/enabling-electron-renderer-node-integration
  * @tags security
diff --git a/javascript/ql/src/Performance/PolynomialReDoS.ql b/javascript/ql/src/Performance/PolynomialReDoS.ql
index d463b450bfe..5f46b36b5e1 100644
--- a/javascript/ql/src/Performance/PolynomialReDoS.ql
+++ b/javascript/ql/src/Performance/PolynomialReDoS.ql
@@ -4,7 +4,7 @@
  *              to match may be vulnerable to denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id js/polynomial-redos
  * @tags security
diff --git a/javascript/ql/src/Performance/ReDoS.ql b/javascript/ql/src/Performance/ReDoS.ql
index 39b8dbce9b3..804e59fe813 100644
--- a/javascript/ql/src/Performance/ReDoS.ql
+++ b/javascript/ql/src/Performance/ReDoS.ql
@@ -5,7 +5,7 @@
  *              attacks.
  * @kind problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id js/redos
  * @tags security
diff --git a/javascript/ql/src/RegExp/IdentityReplacement.ql b/javascript/ql/src/RegExp/IdentityReplacement.ql
index 8d74e735053..0949423aa8b 100644
--- a/javascript/ql/src/RegExp/IdentityReplacement.ql
+++ b/javascript/ql/src/RegExp/IdentityReplacement.ql
@@ -3,7 +3,7 @@
  * @description Replacing a substring with itself has no effect and may indicate a mistake.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @id js/identity-replacement
  * @precision very-high
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
index ba4db85c448..bd095887011 100644
--- a/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
@@ -3,7 +3,7 @@
  * @description Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/incomplete-hostname-regexp
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql b/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
index a40924a1311..81276ff98aa 100644
--- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSchemeCheck.ql
@@ -4,7 +4,7 @@
  *              and "data:" suggests a logic error or even a security vulnerability.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/incomplete-url-scheme-check
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
index a9e2366c4a2..56ab631d1e1 100644
--- a/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+++ b/javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
@@ -3,7 +3,7 @@
  * @description Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/incomplete-url-substring-sanitization
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
index 640f0f5ed34..e6ec89da534 100644
--- a/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
+++ b/javascript/ql/src/Security/CWE-020/IncorrectSuffixCheck.ql
@@ -3,7 +3,7 @@
  * @description Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/incorrect-suffix-check
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
index 4cbd92613e8..cd71f5c6a49 100644
--- a/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
+++ b/javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
@@ -3,7 +3,7 @@
  * @description Regular expressions without anchors can be vulnerable to bypassing.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id js/regex/missing-regexp-anchor
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql b/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
index 3c87f57f3df..898e3b616cc 100644
--- a/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/javascript/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql b/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
index a48fbbb84b9..29933de7848 100644
--- a/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
+++ b/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
@@ -5,7 +5,7 @@
  *              behave unexpectedly.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/useless-regexp-character-escape
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-022/TaintedPath.ql b/javascript/ql/src/Security/CWE-022/TaintedPath.ql
index cda0074aa86..a9b197a28de 100644
--- a/javascript/ql/src/Security/CWE-022/TaintedPath.ql
+++ b/javascript/ql/src/Security/CWE-022/TaintedPath.ql
@@ -4,7 +4,7 @@
  *              unexpected resources.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id js/path-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-022/ZipSlip.ql b/javascript/ql/src/Security/CWE-022/ZipSlip.ql
index 4282de76742..8fcb9d7edaa 100644
--- a/javascript/ql/src/Security/CWE-022/ZipSlip.ql
+++ b/javascript/ql/src/Security/CWE-022/ZipSlip.ql
@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id js/zipslip
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-022
diff --git a/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql b/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
index 7f413152df1..17d65433b54 100644
--- a/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
+++ b/javascript/ql/src/Security/CWE-073/TemplateObjectInjection.ql
@@ -3,7 +3,7 @@
  * @description Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id js/template-object-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-078/CommandInjection.ql b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
index aa9b3920e06..59ebd7cc1ee 100644
--- a/javascript/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/javascript/ql/src/Security/CWE-078/CommandInjection.ql
@@ -4,7 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/command-line-injection
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
index ae665a250e7..31bf6cfdf85 100644
--- a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
+++ b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
@@ -5,7 +5,7 @@
  *              command-line injection vulnerabilities.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id js/indirect-command-line-injection
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql b/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
index cccb26ec545..a1c3f879961 100644
--- a/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
+++ b/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
@@ -4,7 +4,7 @@
  *              environment may cause subtle bugs or vulnerabilities.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/shell-command-injection-from-environment
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
index d0d0129e214..a1dafda3921 100644
--- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
+++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
@@ -4,7 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/shell-command-constructed-from-input
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
index 81134d6bb5b..fd29399546a 100644
--- a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
+++ b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
@@ -3,7 +3,7 @@
  * @description Using the  `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/unnecessary-use-of-cat
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-079/ExceptionXss.ql b/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
index b82676dca61..3723bfc99f8 100644
--- a/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
+++ b/javascript/ql/src/Security/CWE-079/ExceptionXss.ql
@@ -4,7 +4,7 @@
  *              can lead to a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/xss-through-exception
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
index 958d5296e71..9a102fcc57f 100644
--- a/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/javascript/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
  *              a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/reflected-xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/StoredXss.ql b/javascript/ql/src/Security/CWE-079/StoredXss.ql
index df674173c28..ed9aac39bd9 100644
--- a/javascript/ql/src/Security/CWE-079/StoredXss.ql
+++ b/javascript/ql/src/Security/CWE-079/StoredXss.ql
@@ -4,7 +4,7 @@
  *              a stored cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/stored-xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
index ca4564a5968..cc85e07f61a 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
+++ b/javascript/ql/src/Security/CWE-079/UnsafeHtmlConstruction.ql
@@ -4,7 +4,7 @@
  *              user to perform a cross-site scripting attack.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/html-constructed-from-input
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
index fdbdc74f2a5..24db75323df 100644
--- a/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
+++ b/javascript/ql/src/Security/CWE-079/UnsafeJQueryPlugin.ql
@@ -3,7 +3,7 @@
  * @description A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/unsafe-jquery-plugin
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/Xss.ql b/javascript/ql/src/Security/CWE-079/Xss.ql
index 7ae8268ca0f..20aaa86e61a 100644
--- a/javascript/ql/src/Security/CWE-079/Xss.ql
+++ b/javascript/ql/src/Security/CWE-079/Xss.ql
@@ -4,7 +4,7 @@
  *              a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/xss
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
index 9e3b1231346..3b15e6def61 100644
--- a/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+++ b/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
@@ -4,7 +4,7 @@
  *              can lead to a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/xss-through-dom
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-089/SqlInjection.ql b/javascript/ql/src/Security/CWE-089/SqlInjection.ql
index 43e7ef9f5de..4aac9d9a1b7 100644
--- a/javascript/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/javascript/ql/src/Security/CWE-089/SqlInjection.ql
@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id js/sql-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-094/CodeInjection.ql b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
index df22801f530..4c233079f44 100644
--- a/javascript/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
@@ -4,7 +4,7 @@
  *              code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/code-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
index e33a2ff38fa..7a8aedcb8c5 100644
--- a/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
+++ b/javascript/ql/src/Security/CWE-094/ImproperCodeSanitization.ql
@@ -3,7 +3,7 @@
  * @description Escaping code as HTML does not provide protection against code injection.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/bad-code-sanitization
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql b/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
index bae55692732..918f09496af 100644
--- a/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
+++ b/javascript/ql/src/Security/CWE-094/UnsafeDynamicMethodAccess.ql
@@ -3,7 +3,7 @@
  * @description Invoking user-controlled methods on certain objects can lead to remote code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id js/unsafe-dynamic-method-access
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
index 84053c9767e..6a647db75cd 100644
--- a/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
+++ b/javascript/ql/src/Security/CWE-116/DoubleEscaping.ql
@@ -5,7 +5,7 @@
  *              and conversely it has to be unescaped last to avoid double-unescaping.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/double-escaping
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
index a38cc7be61d..ecfe0f63ea1 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteHtmlAttributeSanitization.ql
@@ -5,7 +5,7 @@
  *              scripting vulnerability.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id js/incomplete-html-attribute-sanitization
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
index 326d7c0e335..1cd23ea4432 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteMultiCharacterSanitization.ql
@@ -3,7 +3,7 @@
  * @description A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/incomplete-multi-character-sanitization
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
index 1894326a989..08bb355799a 100644
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -4,7 +4,7 @@
  *              meta-character may be ineffective.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/incomplete-sanitization
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql b/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
index 5141e3403ef..1ef9e434339 100644
--- a/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
+++ b/javascript/ql/src/Security/CWE-116/UnsafeHtmlExpansion.ql
@@ -4,7 +4,7 @@
  *              tags may lead to cross-site scripting vulnerabilities.
  * @kind problem
  * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision very-high
  * @id js/unsafe-html-expansion
  * @tags correctness
diff --git a/javascript/ql/src/Security/CWE-117/LogInjection.ql b/javascript/ql/src/Security/CWE-117/LogInjection.ql
index 038992e0876..bcdd80ec543 100644
--- a/javascript/ql/src/Security/CWE-117/LogInjection.ql
+++ b/javascript/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
  *              insertion of forged log entries by a malicious user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id js/log-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
index fff23183a9a..00b7ea626e5 100644
--- a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
+++ b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
@@ -3,7 +3,7 @@
  * @description Using external input in format strings can lead to garbled output.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id js/tainted-format-string
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
index d13c5218349..928b22fdff4 100644
--- a/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
+++ b/javascript/ql/src/Security/CWE-200/FileAccessToHttp.ql
@@ -3,7 +3,7 @@
  * @description Directly sending file data in an outbound network request can indicate unauthorized information disclosure.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
  * @precision medium
  * @id js/file-access-to-http
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
index 5ea4fbc6a3a..45e6ab2572c 100644
--- a/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
+++ b/javascript/ql/src/Security/CWE-200/PrivateFileExposure.ql
@@ -4,7 +4,7 @@
  *              of private information.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
  * @id js/exposure-of-private-files
  * @tags security
  *       external/cwe/cwe-200
diff --git a/javascript/ql/src/Security/CWE-201/PostMessageStar.ql b/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
index 991eaa3c6e3..cbb3df5cf5d 100644
--- a/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
+++ b/javascript/ql/src/Security/CWE-201/PostMessageStar.ql
@@ -5,7 +5,7 @@
  *              information leaks.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 1.4
+ * @security-severity 4.3
  * @precision high
  * @id js/cross-window-information-leak
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
index 1ff12bae7cb..a5e05eab0bb 100644
--- a/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/javascript/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -5,7 +5,7 @@
  *              to an attacker for developing a subsequent exploit.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 5.4
  * @precision very-high
  * @id js/stack-trace-exposure
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
index a17d41dffc9..2f785bace35 100644
--- a/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
+++ b/javascript/ql/src/Security/CWE-295/DisablingCertificateValidation.ql
@@ -3,7 +3,7 @@
  * @description Disabling cryptographic certificate validation can cause security vulnerabilities.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision very-high
  * @id js/disabling-certificate-validation
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql b/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
index e2b9f3a9b84..e99c8076678 100644
--- a/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
+++ b/javascript/ql/src/Security/CWE-312/BuildArtifactLeak.ql
@@ -4,7 +4,7 @@
  *              expose it to an attacker.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id js/build-artifact-leak
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
index 99933087daa..7a3626b4860 100644
--- a/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/javascript/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -4,7 +4,7 @@
  *              expose it to an attacker.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id js/clear-text-logging
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
index 6d2fbe2c6a5..ee9944c9b8d 100644
--- a/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
+++ b/javascript/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -4,7 +4,7 @@
  *              attacker.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id js/clear-text-storage-of-sensitive-data
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
index df6cb0d6046..4d534248f45 100644
--- a/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
+++ b/javascript/ql/src/Security/CWE-313/PasswordInConfigurationFile.ql
@@ -3,7 +3,7 @@
  * @description Storing unencrypted passwords in configuration files is unsafe.
  * @kind problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision medium
  * @id js/password-in-configuration-file
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-327/BadRandomness.ql b/javascript/ql/src/Security/CWE-327/BadRandomness.ql
index b6ef62f3eea..41b0602da65 100644
--- a/javascript/ql/src/Security/CWE-327/BadRandomness.ql
+++ b/javascript/ql/src/Security/CWE-327/BadRandomness.ql
@@ -4,7 +4,7 @@
  *              the results and compromise security.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id js/biased-cryptographic-random
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
index f79c59d9ccc..32625d62f77 100644
--- a/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/javascript/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -3,7 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can compromise security.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id js/weak-cryptographic-algorithm
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
index 16b32b409ba..66e86f65ffd 100644
--- a/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
+++ b/javascript/ql/src/Security/CWE-338/InsecureRandomness.ql
@@ -5,7 +5,7 @@
  *              be generated.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id js/insecure-randomness
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
index 1a7d592498b..185533f93fb 100644
--- a/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
+++ b/javascript/ql/src/Security/CWE-346/CorsMisconfigurationForCredentials.ql
@@ -3,7 +3,7 @@
  * @description Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id js/cors-misconfiguration-for-credentials
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
index d18fae34091..4aed89d69f7 100644
--- a/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
+++ b/javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.ql
@@ -4,7 +4,7 @@
  *              submit requests on behalf of the user.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id js/missing-token-validation
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql b/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
index 9c18a5fe686..3e2ab24f70d 100644
--- a/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
+++ b/javascript/ql/src/Security/CWE-400/DeepObjectResourceExhaustion.ql
@@ -3,7 +3,7 @@
  * @description Processing user-controlled object hierarchies inefficiently can lead to denial of service.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id js/resource-exhaustion-from-deep-object-traversal
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
index 1cb5511cda3..4bfbbd85d23 100644
--- a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
+++ b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -4,7 +4,7 @@
  *              denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision medium
  * @id js/remote-property-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql b/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
index e21bffa6498..316af8d4a36 100644
--- a/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
+++ b/javascript/ql/src/Security/CWE-451/MissingXFrameOptions.ql
@@ -4,7 +4,7 @@
  *              overlay their own UI on top of the site by using an iframe.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision low
  * @id js/missing-x-frame-options
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
index 795c9372527..89302f775f2 100644
--- a/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/javascript/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -4,7 +4,7 @@
  *              execute arbitrary code.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/unsafe-deserialization
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql b/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
index e1e68854227..f0dfe833b06 100644
--- a/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
+++ b/javascript/ql/src/Security/CWE-506/HardcodedDataInterpretedAsCode.ql
@@ -5,7 +5,7 @@
  *              be avoided.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 9.1
  * @precision medium
  * @id js/hardcoded-data-interpreted-as-code
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
index a93dfd8dc34..9e2987c966f 100644
--- a/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
+++ b/javascript/ql/src/Security/CWE-601/ClientSideUrlRedirect.ql
@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id js/client-side-unvalidated-url-redirection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
index d0d68278ff0..3440d9ee405 100644
--- a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
+++ b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.ql
@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 2.7
+ * @security-severity 6.1
  * @id js/server-side-unvalidated-url-redirection
  * @tags security
  *       external/cwe/cwe-601
diff --git a/javascript/ql/src/Security/CWE-611/Xxe.ql b/javascript/ql/src/Security/CWE-611/Xxe.ql
index 42ff8cc2338..b2733d068a2 100644
--- a/javascript/ql/src/Security/CWE-611/Xxe.ql
+++ b/javascript/ql/src/Security/CWE-611/Xxe.ql
@@ -4,7 +4,7 @@
  *              entity expansion is vulnerable to XXE attacks.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.1
  * @precision high
  * @id js/xxe
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
index 332d29e0cb7..a2e24a9dd42 100644
--- a/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
+++ b/javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql
@@ -4,7 +4,7 @@
  *              attacks and leak password reset tokens.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/host-header-forgery-in-email-generation
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-643/XpathInjection.ql b/javascript/ql/src/Security/CWE-643/XpathInjection.ql
index 675b078a5d6..5aa4142cde7 100644
--- a/javascript/ql/src/Security/CWE-643/XpathInjection.ql
+++ b/javascript/ql/src/Security/CWE-643/XpathInjection.ql
@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/xpath-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
index cd7ee8a2509..4278df33f8a 100644
--- a/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
+++ b/javascript/ql/src/Security/CWE-730/RegExpInjection.ql
@@ -5,7 +5,7 @@
  *              exponential time on certain inputs.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id js/regex-injection
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-730/ServerCrash.ql b/javascript/ql/src/Security/CWE-730/ServerCrash.ql
index a05351f851f..7c16287d48c 100644
--- a/javascript/ql/src/Security/CWE-730/ServerCrash.ql
+++ b/javascript/ql/src/Security/CWE-730/ServerCrash.ql
@@ -4,7 +4,7 @@
  *              attacks.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id js/server-crash
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql b/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
index f21382d68d9..088d98bbbcb 100644
--- a/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
+++ b/javascript/ql/src/Security/CWE-754/UnvalidatedDynamicMethodCall.ql
@@ -4,7 +4,7 @@
  *              an unexpected target, which could cause an exception.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 4.2
+ * @security-severity 7.5
  * @precision high
  * @id js/unvalidated-dynamic-method-call
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql b/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
index 6827b23d067..9ed860fd169 100644
--- a/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
+++ b/javascript/ql/src/Security/CWE-770/MissingRateLimiting.ql
@@ -5,7 +5,7 @@
  *              to denial-of-service attacks.
  * @kind problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id js/missing-rate-limiting
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-776/XmlBomb.ql b/javascript/ql/src/Security/CWE-776/XmlBomb.ql
index 26c16a37bf0..5320236421c 100644
--- a/javascript/ql/src/Security/CWE-776/XmlBomb.ql
+++ b/javascript/ql/src/Security/CWE-776/XmlBomb.ql
@@ -4,7 +4,7 @@
  *              entity expansion is vulnerable to denial-of-service attacks.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
  * @precision high
  * @id js/xml-bomb
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
index c17bfac7836..60269e8a634 100644
--- a/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/javascript/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -4,7 +4,7 @@
  *              to gain unauthorized access.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/hardcoded-credentials
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
index a94780bec1e..ee88eec03d2 100644
--- a/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
+++ b/javascript/ql/src/Security/CWE-807/ConditionalBypass.ql
@@ -3,7 +3,7 @@
  * @description Conditions that the user controls are not suited for making security-related decisions.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id js/user-controlled-bypass
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql b/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
index d8cf7ef3716..20cd6446683 100644
--- a/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
+++ b/javascript/ql/src/Security/CWE-807/DifferentKindsComparisonBypass.ql
@@ -3,7 +3,7 @@
  * @description Comparing different kinds of HTTP request data may be a symptom of an insufficient security check.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision low
  * @id js/different-kinds-comparison-bypass
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp b/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp
index 2f79bde1a37..807f6be401e 100644
--- a/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp
+++ b/javascript/ql/src/Security/CWE-829/InsecureDownload.qhelp
@@ -29,7 +29,7 @@
 		<p>
 			The issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.
 		</p>
-		<sample src="examples/insecure-download.js" />
+		<sample src="examples/secure-download.js" />
 	</example>
 
 	<references>
diff --git a/javascript/ql/src/Security/CWE-829/InsecureDownload.ql b/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
index 2df6d29f038..41fea83ef1f 100644
--- a/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
+++ b/javascript/ql/src/Security/CWE-829/InsecureDownload.ql
@@ -4,7 +4,7 @@
  *              opens up for potential man-in-the-middle attacks.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.1
  * @precision high
  * @id js/insecure-download
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql b/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
index 726f88272fc..bbbd4da1e9a 100644
--- a/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
+++ b/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
@@ -4,7 +4,7 @@
  *              property can cause indefinite looping.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
  * @id js/loop-bound-injection
  * @tags security
  *       external/cwe/cwe-834
diff --git a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
index 218cb70f571..8dbef4a8cce 100644
--- a/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
+++ b/javascript/ql/src/Security/CWE-843/TypeConfusionThroughParameterTampering.ql
@@ -3,7 +3,7 @@
  * @description Sanitizing an HTTP request parameter may be ineffective if the user controls its type.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id js/type-confusion-through-parameter-tampering
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
index 72393fd4f5a..3bed7d8c190 100644
--- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
+++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
@@ -3,7 +3,7 @@
  * @description Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id js/http-to-file-access
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
index 4447eef043a..cdcc474ef92 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingAssignment.ql
@@ -5,7 +5,7 @@
  *              and possibly escalate to remote code execution or cross-site scripting.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id js/prototype-polluting-assignment
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
index 3980557174b..b279c6cbe12 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingFunction.ql
@@ -4,7 +4,7 @@
  *              the cause of accidental modification of a built-in prototype object.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id js/prototype-pollution-utility
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql b/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
index 2bc625bcedd..53b6378fad8 100644
--- a/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
+++ b/javascript/ql/src/Security/CWE-915/PrototypePollutingMergeCall.ql
@@ -5,7 +5,7 @@
  *              and possibly escalate to remote code execution or cross-site scripting.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id js/prototype-pollution
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
index 995ede73f38..61c341bba02 100644
--- a/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
+++ b/javascript/ql/src/Security/CWE-916/InsufficientPasswordHash.ql
@@ -3,7 +3,7 @@
  * @description Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision high
  * @id js/insufficient-password-hash
  * @tags security
diff --git a/javascript/ql/src/Security/CWE-918/RequestForgery.ql b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
index 8d56a477177..9697904ce0e 100644
--- a/javascript/ql/src/Security/CWE-918/RequestForgery.ql
+++ b/javascript/ql/src/Security/CWE-918/RequestForgery.ql
@@ -3,7 +3,7 @@
  * @description Sending network requests with user-controlled data allows for request forgery attacks.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.1
  * @precision medium
  * @id js/request-forgery
  * @tags security
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
index 83e9ffc3232..aa2e66acc18 100644
--- a/javascript/ql/src/javascript.qll
+++ b/javascript/ql/src/javascript.qll
@@ -90,11 +90,13 @@ import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
 import semmle.javascript.frameworks.FormParsers
+import semmle.javascript.frameworks.GraphQL
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.JWT
 import semmle.javascript.frameworks.Handlebars
 import semmle.javascript.frameworks.History
 import semmle.javascript.frameworks.Immutable
+import semmle.javascript.frameworks.Knex
 import semmle.javascript.frameworks.LazyCache
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging
diff --git a/javascript/ql/src/semmle/javascript/frameworks/GraphQL.qll b/javascript/ql/src/semmle/javascript/frameworks/GraphQL.qll
new file mode 100644
index 00000000000..6193f68f99d
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/GraphQL.qll
@@ -0,0 +1,119 @@
+/**
+ * Provides classes for working with GraphQL connectors.
+ */
+
+import javascript
+
+/** Provides classes modelling concepts of GraphQL connectors. */
+module GraphQL {
+  /** A string-valued expression that is interpreted as a GraphQL query. */
+  abstract class GraphQLString extends DataFlow::Node { }
+}
+
+/**
+ * Provides classes modelling the octokit packages [@octokit/core](https://npmjs.com/package/@octokit/core),
+ * [@octokit/graphql](https://npmjs.com/package/@octokit/graphql), [@octokit/rest](https://npmjs.com/package/@octokit/rest),
+ * and [@octokit/request](https://npmjs.com/package/@octokit/request).
+ */
+private module Octokit {
+  /** Get an instanceof of `Octokit` */
+  private API::Node octokit() {
+    result =
+      API::moduleImport(["@octokit/core", "@octokit/rest"]).getMember("Octokit").getInstance()
+    or
+    result = API::moduleImport("@actions/github").getMember("getOctokit").getReturn()
+  }
+
+  /**
+   * Gets a reference to a `graphql` function from a `octokit` package.
+   */
+  private API::Node graphQLCallee() {
+    result = API::moduleImport(["@octokit/graphql", "@octokit/core"]).getMember("graphql")
+    or
+    result = octokit().getMember("graphql")
+    or
+    result = API::moduleImport("@octokit/graphql").getMember("withCustomRequest").getReturn()
+    or
+    result = graphQLCallee().getMember("defaults").getReturn()
+  }
+
+  /**
+   * Gets a reference to a `request` function from a `octokit` package.
+   */
+  private API::Node requestCallee() {
+    result =
+      API::moduleImport(["@octokit/core", "@octokit/request", "@octokit/graphql"])
+          .getMember("request")
+    or
+    result = octokit().getMember("request")
+    or
+    result = requestCallee().getMember("defaults").getReturn()
+  }
+
+  /** A string that is interpreted as a GraphQL query by a `octokit` package. */
+  private class GraphQLString extends GraphQL::GraphQLString {
+    GraphQLString() { this = graphQLCallee().getACall().getArgument(0) }
+  }
+
+  /**
+   * A call to `request` seen as a client request.
+   * E.g. `await request("POST /graphql", { query: {...data} });`
+   */
+  private class RequestClientRequest extends ClientRequest::Range, API::CallNode {
+    RequestClientRequest() { this = requestCallee().getACall() }
+
+    override DataFlow::Node getUrl() {
+      result = this.getArgument(0) // contains both the method and the URL, but it's close enough
+    }
+
+    override DataFlow::Node getHost() { none() }
+
+    override DataFlow::Node getADataNode() { result = this.getArgument(1) }
+  }
+}
+
+/**
+ * Provides classes modelling [graphql](https://npmjs.com/package/graphql).
+ */
+private module GraphQLLib {
+  /** A string that is interpreted as a GraphQL query by a `graphql` package. */
+  private class GraphQLString extends GraphQL::GraphQLString {
+    GraphQLString() {
+      this = API::moduleImport("graphql").getMember("graphql").getACall().getArgument(1)
+    }
+  }
+
+  /**
+   * A client request that appears to be a GraphQL query.
+   * Using a client-request in this way to execute GraphQL is documented by e.g:
+   *  - [graphql](https://graphql.org/graphql-js/graphql-clients/)
+   *  - [shopify](https://shopify.dev/tutorials/graphql-with-node-and-express)
+   *  - [@octokit/request](https://npmjs.com/package/@octokit/request)
+   */
+  private class GraphQLRequest extends GraphQL::GraphQLString {
+    GraphQLRequest() {
+      exists(ClientRequest req |
+        this =
+          [req.getADataNode(), req.getADataNode().(JsonStringifyCall).getInput()]
+              .getALocalSource()
+              .getAPropertyWrite("query")
+              .getRhs()
+      |
+        containsGraphQLIndicator(req.getUrl())
+      )
+    }
+  }
+
+  /**
+   * Holds if `node` is a node that likely contains an URL to a GraphQL endpoint.
+   */
+  private predicate containsGraphQLIndicator(DataFlow::Node node) {
+    node.getStringValue().regexpMatch("(?i).*graphql.*")
+    or
+    node.(DataFlow::PropRead).getPropertyName().regexpMatch("(?i).*graphql.*")
+    or
+    containsGraphQLIndicator(node.(StringOps::Concatenation).getAnOperand())
+    or
+    containsGraphQLIndicator(node.getAPredecessor())
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Knex.qll b/javascript/ql/src/semmle/javascript/frameworks/Knex.qll
new file mode 100644
index 00000000000..41d54afde82
--- /dev/null
+++ b/javascript/ql/src/semmle/javascript/frameworks/Knex.qll
@@ -0,0 +1,62 @@
+/**
+ * Provides classes and predicates for working with [knex](https://knexjs.org).
+ */
+
+private import javascript
+
+/**
+ * Provides classes and predicates for working with [knex](https://knexjs.org).
+ */
+module Knex {
+  /** Gets an API node referring to the `knex` library. */
+  API::Node knexLibrary() { result = API::moduleImport("knex") }
+
+  /** Gets a method name on Knex objects which return a Knex object. */
+  bindingset[result]
+  private string chainableKnexMethod() {
+    not result in [
+        "toString", "valueOf", "then", "catch", "finally", "toSQL", "asCallback", "stream"
+      ]
+  }
+
+  /** Gets an API node referring to a `knex` object, such as `knex.from('foo')`. */
+  API::Node knexObject() {
+    result = knexLibrary().getReturn()
+    or
+    result = knexObject().getReturn()
+    or
+    result = knexObject().getMember("schema")
+    or
+    result = knexObject().getMember(chainableKnexMethod()).getReturn()
+    or
+    // callback for building inner queries, such as `knex.join(function() { this.on('blah') })`
+    result = knexObject().getMember(chainableKnexMethod()).getParameter(0).getReceiver()
+    or
+    // knex.transaction(trx => { ... })
+    result = knexObject().getMember("transaction").getParameter(0).getParameter(0)
+  }
+
+  /** A call to a Knex method that takes a raw SQL string as input. */
+  class RawKnexCall extends DataFlow::CallNode {
+    RawKnexCall() { this = knexObject().getMember(["raw", any(string s) + "Raw"]).getACall() }
+  }
+
+  /** A SQL string passed to a raw Knex method. */
+  private class RawKnexSqlString extends SQL::SqlString {
+    RawKnexSqlString() { this = any(RawKnexCall call).getArgument(0).asExpr() }
+  }
+
+  /** A call that triggers a SQL query submission. */
+  private class KnexDatabaseAccess extends DatabaseAccess {
+    KnexDatabaseAccess() {
+      this = knexObject().getMember(["then", "stream", "asCallback"]).getACall()
+      or
+      exists(AwaitExpr await |
+        this = await.flow() and
+        await.getOperand() = knexObject().getAUse().asExpr()
+      )
+    }
+
+    override DataFlow::Node getAQueryArgument() { none() }
+  }
+}
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjection.qll b/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjection.qll
index 3c87a2c0619..51ec162f4d8 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjection.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjection.qll
@@ -1,6 +1,6 @@
 /**
- * Provides a taint tracking configuration for reasoning about SQL
- * injection vulnerabilities
+ * Provides a taint tracking configuration for reasoning about string based
+ * query injection vulnerabilities
  *
  * Note, for performance reasons: only import this file if
  * `SqlInjection::Configuration` is needed, otherwise
@@ -13,7 +13,7 @@ module SqlInjection {
   import SqlInjectionCustomizations::SqlInjection
 
   /**
-   * A taint-tracking configuration for reasoning about SQL injection vulnerabilities.
+   * A taint-tracking configuration for reasoning about string based query injection vulnerabilities.
    */
   class Configuration extends TaintTracking::Configuration {
     Configuration() { this = "SqlInjection" }
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll b/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
index 30323ac8d6e..4c40ac4d2a5 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/SqlInjectionCustomizations.qll
@@ -1,28 +1,28 @@
 /**
  * Provides default sources, sinks and sanitizers for reasoning about
- * SQL injection vulnerabilities, as well as extension points for
- * adding your own.
+ * string based query injection vulnerabilities, as well as extension
+ * points for adding your own.
  */
 
 import javascript
 
 module SqlInjection {
   /**
-   * A data flow source for SQL injection vulnerabilities.
+   * A data flow source for string based query injection vulnerabilities.
    */
   abstract class Source extends DataFlow::Node { }
 
   /**
-   * A data flow sink for SQL injection vulnerabilities.
+   * A data flow sink for string based query injection vulnerabilities.
    */
   abstract class Sink extends DataFlow::Node { }
 
   /**
-   * A sanitizer for SQL injection vulnerabilities.
+   * A sanitizer for string based query injection vulnerabilities.
    */
   abstract class Sanitizer extends DataFlow::Node { }
 
-  /** A source of remote user input, considered as a flow source for SQL injection. */
+  /** A source of remote user input, considered as a flow source for string based query injection. */
   class RemoteFlowSourceAsSource extends Source {
     RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
   }
@@ -32,8 +32,13 @@ module SqlInjection {
     override SQL::SqlString astNode;
   }
 
-  /** An expression that sanitizes a value for the purposes of SQL injection. */
+  /** An expression that sanitizes a value for the purposes of string based query injection. */
   class SanitizerExpr extends Sanitizer, DataFlow::ValueNode {
     SanitizerExpr() { astNode = any(SQL::SqlSanitizer ss).getOutput() }
   }
+
+  /** An GraphQL expression passed to an API call that executes GraphQL. */
+  class GraphqlInjectionSink extends Sink {
+    GraphqlInjectionSink() { this instanceof GraphQL::GraphQLString }
+  }
 }
diff --git a/javascript/ql/test/library-tests/frameworks/Knex/test.expected b/javascript/ql/test/library-tests/frameworks/Knex/test.expected
new file mode 100644
index 00000000000..b76370ae4f4
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Knex/test.expected
@@ -0,0 +1,232 @@
+rawCall
+| tst.js:5:1:10:52 | knex({  ... mn_2']) |
+| tst.js:25:25:25:84 | knex.ra ... 'Test') |
+| tst.js:100:3:100:78 | this.se ... ts.id') |
+| tst.js:103:27:103:102 | knex.se ... ts.id') |
+| tst.js:106:3:106:78 | this.se ... ts.id') |
+| tst.js:113:1:113:37 | knex('u ... ', [1]) |
+| tst.js:134:66:134:89 | knex.ra ... dmin']) |
+| tst.js:150:1:150:69 | knex.se ... able1') |
+| tst.js:162:1:162:89 | knex.se ... OLLUP') |
+| tst.js:162:21:162:43 | knex.ra ... ofit)') |
+| tst.js:166:1:166:64 | knex.se ...  LAST') |
+| tst.js:175:1:178:32 | knex('u ...  [100]) |
+sqlString
+| tst.js:10:13:10:21 | '?? = ??' |
+| tst.js:25:34:25:75 | 'select ... r" = ?' |
+| tst.js:100:46:100:77 | 'users. ... nts.id' |
+| tst.js:103:70:103:101 | 'users. ... nts.id' |
+| tst.js:106:46:106:77 | 'users. ... nts.id' |
+| tst.js:113:24:113:31 | 'id = ?' |
+| tst.js:134:75:134:77 | '?' |
+| tst.js:150:43:150:68 | 'natura ... table1' |
+| tst.js:162:30:162:42 | 'SUM(profit)' |
+| tst.js:162:71:162:88 | 'year WITH ROLLUP' |
+| tst.js:166:43:166:63 | 'col DE ... S LAST' |
+| tst.js:178:14:178:24 | 'count > ?' |
+knexLibrary
+| file://:0:0:0:0 | use (member exports (module knex)) |
+knexObject
+| tst.js:3:14:3:30 | use (return (member exports (module knex))) |
+| tst.js:5:1:5:32 | use (return (return (member exports (module knex)))) |
+| tst.js:5:1:9:4 | use (return (member select (return (return (member exports (module knex)))))) |
+| tst.js:5:1:10:52 | use (return (member whereRaw (return (member select (return (return (member exports (module knex)))))))) |
+| tst.js:12:1:12:48 | use (return (member withUserParams (return (member exports (module knex))))) |
+| tst.js:12:1:12:59 | use (return (member table (return (member withUserParams (return (member exports (module knex))))))) |
+| tst.js:12:1:12:71 | use (return (member select (return (member table (return (member withUserParams (return (member exports (module knex))))))))) |
+| tst.js:14:1:14:13 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:14:1:14:27 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:14:1:14:41 | use (return (member timeout (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:15:1:15:38 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:15:1:15:52 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:17:1:17:23 | use (return (member avg (return (member exports (module knex))))) |
+| tst.js:17:1:19:4 | use (return (member from (return (member avg (return (member exports (module knex))))))) |
+| tst.js:17:1:19:24 | use (return (member as (return (member from (return (member avg (return (member exports (module knex))))))))) |
+| tst.js:17:30:17:29 | use (parameter -1 (parameter 0 (member from (return (member avg (return (member exports (module knex)))))))) |
+| tst.js:18:5:18:38 | use (return (member sum (parameter -1 (parameter 0 (member from (return (member avg (return (member exports (module knex)))))))))) |
+| tst.js:18:5:18:49 | use (return (member from (return (member sum (parameter -1 (parameter 0 (member from (return (member avg (return (member exports (module knex)))))))))))) |
+| tst.js:18:5:18:68 | use (return (member groupBy (return (member from (return (member sum (parameter -1 (parameter 0 (member from (return (member avg (return (member exports (module knex)))))))))))))) |
+| tst.js:18:5:18:77 | use (return (member as (return (member groupBy (return (member from (return (member sum (parameter -1 (parameter 0 (member from (return (member avg (return (member exports (module knex)))))))))))))))) |
+| tst.js:21:1:21:38 | use (return (member column (return (member exports (module knex))))) |
+| tst.js:21:1:21:47 | use (return (member select (return (member column (return (member exports (module knex))))))) |
+| tst.js:21:1:21:61 | use (return (member from (return (member select (return (member column (return (member exports (module knex))))))))) |
+| tst.js:23:1:23:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:23:1:23:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:25:1:25:85 | use (return (member with (return (member exports (module knex))))) |
+| tst.js:25:1:25:97 | use (return (member select (return (member with (return (member exports (module knex))))))) |
+| tst.js:25:1:25:116 | use (return (member from (return (member select (return (member with (return (member exports (module knex))))))))) |
+| tst.js:25:25:25:84 | use (return (member raw (return (member exports (module knex))))) |
+| tst.js:27:1:31:4 | use (return (member withRecursive (return (member exports (module knex))))) |
+| tst.js:27:1:31:16 | use (return (member select (return (member withRecursive (return (member exports (module knex))))))) |
+| tst.js:27:1:31:34 | use (return (member from (return (member select (return (member withRecursive (return (member exports (module knex))))))))) |
+| tst.js:33:1:33:25 | use (return (member withSchema (return (member exports (module knex))))) |
+| tst.js:33:1:33:37 | use (return (member select (return (member withSchema (return (member exports (module knex))))))) |
+| tst.js:33:1:33:51 | use (return (member from (return (member select (return (member withSchema (return (member exports (module knex))))))))) |
+| tst.js:35:1:35:13 | use (return (return (member exports (module knex)))) |
+| tst.js:35:1:38:4 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:35:1:38:17 | use (return (member select (return (member where (return (return (member exports (module knex)))))))) |
+| tst.js:40:1:40:13 | use (return (return (member exports (module knex)))) |
+| tst.js:40:1:40:28 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:42:1:42:13 | use (return (return (member exports (module knex)))) |
+| tst.js:42:1:45:3 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:42:1:48:4 | use (return (member andWhere (return (member where (return (return (member exports (module knex)))))))) |
+| tst.js:46:13:46:12 | use (parameter -1 (parameter 0 (member andWhere (return (member where (return (return (member exports (module knex))))))))) |
+| tst.js:47:5:47:29 | use (return (member where (parameter -1 (parameter 0 (member andWhere (return (member where (return (return (member exports (module knex))))))))))) |
+| tst.js:50:1:50:13 | use (return (return (member exports (module knex)))) |
+| tst.js:50:1:52:2 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:50:1:52:28 | use (return (member orWhere (return (member where (return (return (member exports (module knex)))))))) |
+| tst.js:50:21:50:20 | use (parameter -1 (parameter 0 (member where (return (return (member exports (module knex))))))) |
+| tst.js:51:3:51:21 | use (return (member where (parameter -1 (parameter 0 (member where (return (return (member exports (module knex))))))))) |
+| tst.js:51:3:51:44 | use (return (member orWhere (return (member where (parameter -1 (parameter 0 (member where (return (return (member exports (module knex))))))))))) |
+| tst.js:54:1:54:13 | use (return (return (member exports (module knex)))) |
+| tst.js:54:1:54:56 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:56:1:56:13 | use (return (return (member exports (module knex)))) |
+| tst.js:56:1:56:38 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:58:18:58:30 | use (return (return (member exports (module knex)))) |
+| tst.js:58:18:58:55 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:58:18:58:84 | use (return (member andWhere (return (member where (return (return (member exports (module knex)))))))) |
+| tst.js:58:18:58:108 | use (return (member orWhere (return (member andWhere (return (member where (return (return (member exports (module knex)))))))))) |
+| tst.js:58:18:58:121 | use (return (member select (return (member orWhere (return (member andWhere (return (member where (return (return (member exports (module knex)))))))))))) |
+| tst.js:59:1:59:16 | use (return (return (member exports (module knex)))) |
+| tst.js:59:1:59:44 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:61:1:61:13 | use (return (return (member exports (module knex)))) |
+| tst.js:61:1:61:28 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:61:1:61:64 | use (return (member orWhere (return (member where (return (return (member exports (module knex)))))))) |
+| tst.js:63:1:63:13 | use (return (return (member exports (module knex)))) |
+| tst.js:63:1:66:2 | use (return (member whereNot (return (return (member exports (module knex)))))) |
+| tst.js:63:1:66:15 | use (return (member select (return (member whereNot (return (return (member exports (module knex)))))))) |
+| tst.js:68:1:68:13 | use (return (return (member exports (module knex)))) |
+| tst.js:68:1:68:31 | use (return (member whereNot (return (return (member exports (module knex)))))) |
+| tst.js:70:1:70:13 | use (return (return (member exports (module knex)))) |
+| tst.js:70:1:72:2 | use (return (member whereNot (return (return (member exports (module knex)))))) |
+| tst.js:70:1:72:31 | use (return (member orWhereNot (return (member whereNot (return (return (member exports (module knex)))))))) |
+| tst.js:70:24:70:23 | use (parameter -1 (parameter 0 (member whereNot (return (return (member exports (module knex))))))) |
+| tst.js:71:3:71:21 | use (return (member where (parameter -1 (parameter 0 (member whereNot (return (return (member exports (module knex))))))))) |
+| tst.js:71:3:71:47 | use (return (member orWhereNot (return (member where (parameter -1 (parameter 0 (member whereNot (return (return (member exports (module knex))))))))))) |
+| tst.js:74:19:74:31 | use (return (return (member exports (module knex)))) |
+| tst.js:74:19:75:30 | use (return (member whereNot (return (return (member exports (module knex)))))) |
+| tst.js:74:19:76:31 | use (return (member andWhere (return (member whereNot (return (return (member exports (module knex)))))))) |
+| tst.js:74:19:77:26 | use (return (member orWhere (return (member andWhere (return (member whereNot (return (return (member exports (module knex)))))))))) |
+| tst.js:74:19:78:15 | use (return (member select (return (member orWhere (return (member andWhere (return (member whereNot (return (return (member exports (module knex)))))))))))) |
+| tst.js:80:1:80:16 | use (return (return (member exports (module knex)))) |
+| tst.js:80:1:80:49 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:82:1:82:19 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:82:1:82:33 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:82:1:83:27 | use (return (member whereIn (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:82:1:84:29 | use (return (member orWhereIn (return (member whereIn (return (member from (return (member select (return (member exports (module knex))))))))))) |
+| tst.js:86:1:86:19 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:86:1:86:33 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:86:1:89:4 | use (return (member whereIn (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:91:1:91:13 | use (return (return (member exports (module knex)))) |
+| tst.js:91:1:91:41 | use (return (member whereNotIn (return (return (member exports (module knex)))))) |
+| tst.js:93:1:93:13 | use (return (return (member exports (module knex)))) |
+| tst.js:93:1:93:45 | use (return (member where (return (return (member exports (module knex)))))) |
+| tst.js:93:1:93:75 | use (return (member orWhereNotIn (return (member where (return (return (member exports (module knex)))))))) |
+| tst.js:95:1:95:13 | use (return (return (member exports (module knex)))) |
+| tst.js:95:1:95:37 | use (return (member whereNull (return (return (member exports (module knex)))))) |
+| tst.js:97:1:97:13 | use (return (return (member exports (module knex)))) |
+| tst.js:97:1:97:40 | use (return (member whereNotNull (return (return (member exports (module knex)))))) |
+| tst.js:99:1:99:13 | use (return (return (member exports (module knex)))) |
+| tst.js:99:1:101:2 | use (return (member whereExists (return (return (member exports (module knex)))))) |
+| tst.js:99:27:99:26 | use (parameter -1 (parameter 0 (member whereExists (return (return (member exports (module knex))))))) |
+| tst.js:100:3:100:18 | use (return (member select (parameter -1 (parameter 0 (member whereExists (return (return (member exports (module knex))))))))) |
+| tst.js:100:3:100:35 | use (return (member from (return (member select (parameter -1 (parameter 0 (member whereExists (return (return (member exports (module knex))))))))))) |
+| tst.js:100:3:100:78 | use (return (member whereRaw (return (member from (return (member select (parameter -1 (parameter 0 (member whereExists (return (return (member exports (module knex))))))))))))) |
+| tst.js:103:1:103:13 | use (return (return (member exports (module knex)))) |
+| tst.js:103:1:103:103 | use (return (member whereExists (return (return (member exports (module knex)))))) |
+| tst.js:103:27:103:42 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:103:27:103:59 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:103:27:103:102 | use (return (member whereRaw (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:105:1:105:13 | use (return (return (member exports (module knex)))) |
+| tst.js:105:1:107:2 | use (return (member whereNotExists (return (return (member exports (module knex)))))) |
+| tst.js:105:30:105:29 | use (parameter -1 (parameter 0 (member whereNotExists (return (return (member exports (module knex))))))) |
+| tst.js:106:3:106:18 | use (return (member select (parameter -1 (parameter 0 (member whereNotExists (return (return (member exports (module knex))))))))) |
+| tst.js:106:3:106:35 | use (return (member from (return (member select (parameter -1 (parameter 0 (member whereNotExists (return (return (member exports (module knex))))))))))) |
+| tst.js:106:3:106:78 | use (return (member whereRaw (return (member from (return (member select (parameter -1 (parameter 0 (member whereNotExists (return (return (member exports (module knex))))))))))))) |
+| tst.js:109:1:109:13 | use (return (return (member exports (module knex)))) |
+| tst.js:109:1:109:45 | use (return (member whereBetween (return (return (member exports (module knex)))))) |
+| tst.js:111:1:111:13 | use (return (return (member exports (module knex)))) |
+| tst.js:111:1:111:48 | use (return (member whereNotBetween (return (return (member exports (module knex)))))) |
+| tst.js:113:1:113:13 | use (return (return (member exports (module knex)))) |
+| tst.js:113:1:113:37 | use (return (member whereRaw (return (return (member exports (module knex)))))) |
+| tst.js:115:1:115:13 | use (return (return (member exports (module knex)))) |
+| tst.js:115:1:116:56 | use (return (member join (return (return (member exports (module knex)))))) |
+| tst.js:115:1:117:39 | use (return (member select (return (member join (return (return (member exports (module knex)))))))) |
+| tst.js:119:1:119:13 | use (return (return (member exports (module knex)))) |
+| tst.js:119:1:120:51 | use (return (member join (return (return (member exports (module knex)))))) |
+| tst.js:119:1:121:39 | use (return (member select (return (member join (return (return (member exports (module knex)))))))) |
+| tst.js:123:1:123:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:123:1:123:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:123:1:125:2 | use (return (member join (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:127:1:127:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:127:1:127:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:127:1:132:2 | use (return (member join (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:134:1:134:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:134:1:134:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:134:1:134:90 | use (return (member join (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:134:66:134:89 | use (return (member raw (return (member exports (module knex))))) |
+| tst.js:136:1:136:18 | use (return (member from (return (member exports (module knex))))) |
+| tst.js:136:1:136:72 | use (return (member innerJoin (return (member from (return (member exports (module knex))))))) |
+| tst.js:138:1:138:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:138:1:138:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:138:1:138:83 | use (return (member leftJoin (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:140:1:140:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:140:1:140:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:140:1:140:88 | use (return (member leftOuterJoin (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:142:1:142:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:142:1:142:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:142:1:142:84 | use (return (member rightJoin (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:144:1:144:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:144:1:144:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:144:1:144:89 | use (return (member rightOuterJoin (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:146:1:146:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:146:1:146:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:146:1:146:88 | use (return (member fullOuterJoin (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:148:1:148:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:148:1:148:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:148:1:148:52 | use (return (member crossJoin (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:150:1:150:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:150:1:150:33 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:150:1:150:69 | use (return (member joinRaw (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:150:1:150:84 | use (return (member where (return (member joinRaw (return (member from (return (member select (return (member exports (module knex))))))))))) |
+| tst.js:152:1:152:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:152:1:152:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:152:1:154:2 | use (return (member join (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:156:1:156:28 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:156:1:156:42 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:156:1:156:63 | use (return (member where (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:156:1:156:79 | use (return (member clear (return (member where (return (member from (return (member select (return (member exports (module knex))))))))))) |
+| tst.js:156:1:156:94 | use (return (member clear (return (member clear (return (member where (return (member from (return (member select (return (member exports (module knex))))))))))))) |
+| tst.js:158:1:158:17 | use (return (return (member exports (module knex)))) |
+| tst.js:158:1:158:53 | use (return (member distinct (return (return (member exports (module knex)))))) |
+| tst.js:160:1:160:13 | use (return (return (member exports (module knex)))) |
+| tst.js:160:1:160:31 | use (return (member distinctOn (return (return (member exports (module knex)))))) |
+| tst.js:162:1:162:44 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:162:1:162:58 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:162:1:162:89 | use (return (member groupByRaw (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:162:21:162:43 | use (return (member raw (return (member exports (module knex))))) |
+| tst.js:164:1:164:13 | use (return (return (member exports (module knex)))) |
+| tst.js:164:1:164:30 | use (return (member orderBy (return (return (member exports (module knex)))))) |
+| tst.js:166:1:166:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:166:1:166:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:166:1:166:64 | use (return (member orderByRaw (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:168:1:168:13 | use (return (return (member exports (module knex)))) |
+| tst.js:168:1:169:19 | use (return (member groupBy (return (return (member exports (module knex)))))) |
+| tst.js:168:1:170:26 | use (return (member orderBy (return (member groupBy (return (return (member exports (module knex)))))))) |
+| tst.js:168:1:171:28 | use (return (member having (return (member orderBy (return (member groupBy (return (return (member exports (module knex)))))))))) |
+| tst.js:173:1:173:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:173:1:173:30 | use (return (member from (return (member select (return (member exports (module knex))))))) |
+| tst.js:173:1:173:61 | use (return (member havingIn (return (member from (return (member select (return (member exports (module knex))))))))) |
+| tst.js:175:1:175:13 | use (return (return (member exports (module knex)))) |
+| tst.js:175:1:176:19 | use (return (member groupBy (return (return (member exports (module knex)))))) |
+| tst.js:175:1:177:26 | use (return (member orderBy (return (member groupBy (return (return (member exports (module knex)))))))) |
+| tst.js:175:1:178:32 | use (return (member havingRaw (return (member orderBy (return (member groupBy (return (return (member exports (module knex)))))))))) |
+| tst.js:180:1:180:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:181:1:181:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:182:1:182:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:183:1:183:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:184:1:184:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:185:1:185:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:186:1:186:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:187:1:187:16 | use (return (member select (return (member exports (module knex))))) |
+| tst.js:188:1:188:16 | use (return (member select (return (member exports (module knex))))) |
diff --git a/javascript/ql/test/library-tests/frameworks/Knex/test.ql b/javascript/ql/test/library-tests/frameworks/Knex/test.ql
new file mode 100644
index 00000000000..86125aae2fe
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Knex/test.ql
@@ -0,0 +1,9 @@
+import javascript
+
+query predicate knexLibrary = Knex::knexLibrary/0;
+
+query predicate knexObject = Knex::knexObject/0;
+
+query Knex::RawKnexCall rawCall() { any() }
+
+query SQL::SqlString sqlString() { any() }
diff --git a/javascript/ql/test/library-tests/frameworks/Knex/tst.js b/javascript/ql/test/library-tests/frameworks/Knex/tst.js
new file mode 100644
index 00000000000..8317fe9f0bc
--- /dev/null
+++ b/javascript/ql/test/library-tests/frameworks/Knex/tst.js
@@ -0,0 +1,188 @@
+// Based on example code from https://knexjs.org
+
+const knex = require('knex')();
+
+knex({ a: 'table', b: 'table' })
+  .select({
+    aTitle: 'a.title',
+    bTitle: 'b.title'
+  })
+  .whereRaw('?? = ??', ['a.column_1', 'b.column_2']);
+
+knex.withUserParams({customUserParam: 'table1'}).table('t').select('x');
+
+knex.select().from('books').timeout(1000);
+knex.select('title', 'author', 'year').from('books');
+
+knex.avg('sum_column1').from(function() {
+    this.sum('column1 as sum_column1').from('t1').groupBy('column1').as('t1')
+  }).as('ignored_alias');
+
+knex.column('title', 'author', 'year').select().from('books');
+
+knex.select('*').from('users');
+
+knex.with('with_alias', knex.raw('select * from "books" where "author" = ?', 'Test')).select('*').from('with_alias');
+
+knex.withRecursive('ancestors', (qb) => {
+    qb.select('*').from('people').where('people.id', 1).union((qb) => {
+      qb.select('*').from('people').join('ancestors', 'ancestors.parentId', 'people.id')
+    })
+  }).select('*').from('ancestors');
+
+knex.withSchema('public').select('*').from('users');
+
+knex('users').where({
+    first_name: 'Test',
+    last_name:  'User'
+  }).select('id');
+
+knex('users').where('id', 1);
+
+knex('users')
+  .where((builder) =>
+    builder.whereIn('id', [1, 11, 15]).whereNotIn('id', [17, 19])
+  )
+  .andWhere(function() {
+    this.where('id', '>', 10)
+  });
+
+knex('users').where(function() {
+  this.where('id', 1).orWhere('id', '>', 10)
+}).orWhere({name: 'Tester'});
+
+knex('users').where('columnName', 'like', '%rowlikeme%');
+
+knex('users').where('votes', '>', 100);
+
+const subquery = knex('users').where('votes', '>', 100).andWhere('status', 'active').orWhere('name', 'John').select('id');
+knex('accounts').where('id', 'in', subquery);
+
+knex('users').where('id', 1).orWhere({votes: 100, user: 'knex'});
+
+knex('users').whereNot({
+  first_name: 'Test',
+  last_name:  'User'
+}).select('id');
+
+knex('users').whereNot('id', 1);
+
+knex('users').whereNot(function() {
+  this.where('id', 1).orWhereNot('id', '>', 10)
+}).orWhereNot({name: 'Tester'});
+
+const subquery2 = knex('users')
+  .whereNot('votes', '>', 100)
+  .andWhere('status', 'active')
+  .orWhere('name', 'John')
+  .select('id');
+
+knex('accounts').where('id', 'not in', subquery2);
+
+knex.select('name').from('users')
+  .whereIn('id', [1, 2, 3])
+  .orWhereIn('id', [4, 5, 6]);
+
+knex.select('name').from('users')
+  .whereIn('account_id', function() {
+    this.select('id').from('accounts');
+  });
+
+knex('users').whereNotIn('id', [1, 2, 3]);
+
+knex('users').where('name', 'like', '%Test%').orWhereNotIn('id', [1, 2, 3]);
+
+knex('users').whereNull('updated_at');
+
+knex('users').whereNotNull('created_at');
+
+knex('users').whereExists(function() {
+  this.select('*').from('accounts').whereRaw('users.account_id = accounts.id');
+});
+
+knex('users').whereExists(knex.select('*').from('accounts').whereRaw('users.account_id = accounts.id'));
+
+knex('users').whereNotExists(function() {
+  this.select('*').from('accounts').whereRaw('users.account_id = accounts.id');
+});
+
+knex('users').whereBetween('votes', [1, 100]);
+
+knex('users').whereNotBetween('votes', [1, 100]);
+
+knex('users').whereRaw('id = ?', [1]);
+
+knex('users')
+  .join('contacts', 'users.id', '=', 'contacts.user_id')
+  .select('users.id', 'contacts.phone');
+
+knex('users')
+  .join('contacts', 'users.id', 'contacts.user_id')
+  .select('users.id', 'contacts.phone');
+
+knex.select('*').from('users').join('accounts', function() {
+  this.on('accounts.id', '=', 'users.account_id').orOn('accounts.owner_id', '=', 'users.id')
+});
+
+knex.select('*').from('users').join('accounts', function() {
+  this.on(function() {
+    this.on('accounts.id', '=', 'users.account_id')
+    this.orOn('accounts.owner_id', '=', 'users.id')
+  })
+});
+
+knex.select('*').from('users').join('accounts', 'accounts.type', knex.raw('?', ['admin']));
+
+knex.from('users').innerJoin('accounts', 'users.id', 'accounts.user_id');
+
+knex.select('*').from('users').leftJoin('accounts', 'users.id', 'accounts.user_id');
+
+knex.select('*').from('users').leftOuterJoin('accounts', 'users.id', 'accounts.user_id');
+
+knex.select('*').from('users').rightJoin('accounts', 'users.id', 'accounts.user_id');
+
+knex.select('*').from('users').rightOuterJoin('accounts', 'users.id', 'accounts.user_id');
+
+knex.select('*').from('users').fullOuterJoin('accounts', 'users.id', 'accounts.user_id');
+
+knex.select('*').from('users').crossJoin('accounts');
+
+knex.select('*').from('accounts').joinRaw('natural full join table1').where('id', 1);
+
+knex.select('*').from('users').join('contacts', function() {
+  this.on('users.id', '=', 'contacts.id').onNotNull('contacts.email')
+});
+
+knex.select('email', 'name').from('users').where('id', '<', 10).clear('select').clear('where');
+
+knex('customers').distinct('first_name', 'last_name');
+
+knex('users').distinctOn('age');
+
+knex.select('year', knex.raw('SUM(profit)')).from('sales').groupByRaw('year WITH ROLLUP');
+
+knex('users').orderBy('email');
+
+knex.select('*').from('table').orderByRaw('col DESC NULLS LAST');
+
+knex('users')
+  .groupBy('count')
+  .orderBy('name', 'desc')
+  .having('count', '>', 100);
+
+knex.select('*').from('users').havingIn('id', [5, 3, 10, 17]);
+
+knex('users')
+  .groupBy('count')
+  .orderBy('name', 'desc')
+  .havingRaw('count > ?', [100]);
+
+knex.select('x').toString();
+knex.select('x').valueOf();
+knex.select('x').toSQL();
+knex.select('x').then();
+knex.select('x').catch();
+knex.select('x').finally();
+knex.select('x').asCallback();
+knex.select('x').stream();
+knex.select('x').stream(stream => { });
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
index e62af9b5c5e..daed7f03e20 100644
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -1,4 +1,55 @@
 nodes
+| graphql.js:8:11:8:28 | id |
+| graphql.js:8:16:8:28 | req.params.id |
+| graphql.js:8:16:8:28 | req.params.id |
+| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:12:46:12:47 | id |
+| graphql.js:26:11:26:28 | id |
+| graphql.js:26:16:26:28 | req.params.id |
+| graphql.js:26:16:26:28 | req.params.id |
+| graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:27:37:27:38 | id |
+| graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:30:39:30:40 | id |
+| graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:33:25:33:26 | id |
+| graphql.js:39:11:39:28 | id |
+| graphql.js:39:16:39:28 | req.params.id |
+| graphql.js:39:16:39:28 | req.params.id |
+| graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:44:21:44:22 | id |
+| graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:48:51:48:52 | id |
+| graphql.js:55:11:55:28 | id |
+| graphql.js:55:16:55:28 | req.params.id |
+| graphql.js:55:16:55:28 | req.params.id |
+| graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:56:46:56:47 | id |
+| graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:58:73:58:74 | id |
+| graphql.js:74:9:74:25 | id |
+| graphql.js:74:14:74:25 | req.query.id |
+| graphql.js:74:14:74:25 | req.query.id |
+| graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:75:56:75:57 | id |
+| graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:88:13:88:14 | id |
+| graphql.js:119:11:119:28 | id |
+| graphql.js:119:16:119:28 | req.params.id |
+| graphql.js:119:16:119:28 | req.params.id |
+| graphql.js:120:38:120:48 | `foo ${id}` |
+| graphql.js:120:38:120:48 | `foo ${id}` |
+| graphql.js:120:45:120:46 | id |
 | json-schema-validator.js:25:15:25:48 | query |
 | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
 | json-schema-validator.js:25:34:25:47 | req.query.data |
@@ -332,6 +383,51 @@ nodes
 | tst.js:10:46:10:58 | req.params.id |
 | tst.js:10:46:10:58 | req.params.id |
 edges
+| graphql.js:8:11:8:28 | id | graphql.js:12:46:12:47 | id |
+| graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id |
+| graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id |
+| graphql.js:12:46:12:47 | id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:12:46:12:47 | id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:26:11:26:28 | id | graphql.js:27:37:27:38 | id |
+| graphql.js:26:11:26:28 | id | graphql.js:30:39:30:40 | id |
+| graphql.js:26:11:26:28 | id | graphql.js:33:25:33:26 | id |
+| graphql.js:26:16:26:28 | req.params.id | graphql.js:26:11:26:28 | id |
+| graphql.js:26:16:26:28 | req.params.id | graphql.js:26:11:26:28 | id |
+| graphql.js:27:37:27:38 | id | graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:27:37:27:38 | id | graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:30:39:30:40 | id | graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:30:39:30:40 | id | graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:33:25:33:26 | id | graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:33:25:33:26 | id | graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:39:11:39:28 | id | graphql.js:44:21:44:22 | id |
+| graphql.js:39:11:39:28 | id | graphql.js:48:51:48:52 | id |
+| graphql.js:39:16:39:28 | req.params.id | graphql.js:39:11:39:28 | id |
+| graphql.js:39:16:39:28 | req.params.id | graphql.js:39:11:39:28 | id |
+| graphql.js:44:21:44:22 | id | graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:44:21:44:22 | id | graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:48:51:48:52 | id | graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:48:51:48:52 | id | graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:55:11:55:28 | id | graphql.js:56:46:56:47 | id |
+| graphql.js:55:11:55:28 | id | graphql.js:58:73:58:74 | id |
+| graphql.js:55:16:55:28 | req.params.id | graphql.js:55:11:55:28 | id |
+| graphql.js:55:16:55:28 | req.params.id | graphql.js:55:11:55:28 | id |
+| graphql.js:56:46:56:47 | id | graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:56:46:56:47 | id | graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:58:73:58:74 | id | graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:58:73:58:74 | id | graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:74:9:74:25 | id | graphql.js:75:56:75:57 | id |
+| graphql.js:74:9:74:25 | id | graphql.js:88:13:88:14 | id |
+| graphql.js:74:14:74:25 | req.query.id | graphql.js:74:9:74:25 | id |
+| graphql.js:74:14:74:25 | req.query.id | graphql.js:74:9:74:25 | id |
+| graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:119:11:119:28 | id | graphql.js:120:45:120:46 | id |
+| graphql.js:119:16:119:28 | req.params.id | graphql.js:119:11:119:28 | id |
+| graphql.js:119:16:119:28 | req.params.id | graphql.js:119:11:119:28 | id |
+| graphql.js:120:45:120:46 | id | graphql.js:120:38:120:48 | `foo ${id}` |
+| graphql.js:120:45:120:46 | id | graphql.js:120:38:120:48 | `foo ${id}` |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:35:18:35:22 | query |
@@ -740,6 +836,17 @@ edges
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 #select
+| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | This query depends on $@. | graphql.js:8:16:8:28 | req.params.id | a user-provided value |
+| graphql.js:27:30:27:40 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:27:30:27:40 | `foo ${id}` | This query depends on $@. | graphql.js:26:16:26:28 | req.params.id | a user-provided value |
+| graphql.js:30:32:30:42 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:30:32:30:42 | `foo ${id}` | This query depends on $@. | graphql.js:26:16:26:28 | req.params.id | a user-provided value |
+| graphql.js:33:18:33:28 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:33:18:33:28 | `foo ${id}` | This query depends on $@. | graphql.js:26:16:26:28 | req.params.id | a user-provided value |
+| graphql.js:44:14:44:24 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:44:14:44:24 | `foo ${id}` | This query depends on $@. | graphql.js:39:16:39:28 | req.params.id | a user-provided value |
+| graphql.js:48:44:48:54 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:48:44:48:54 | `foo ${id}` | This query depends on $@. | graphql.js:39:16:39:28 | req.params.id | a user-provided value |
+| graphql.js:56:39:56:49 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:56:39:56:49 | `foo ${id}` | This query depends on $@. | graphql.js:55:16:55:28 | req.params.id | a user-provided value |
+| graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query depends on $@. | graphql.js:55:16:55:28 | req.params.id | a user-provided value |
+| graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query depends on $@. | graphql.js:74:14:74:25 | req.query.id | a user-provided value |
+| graphql.js:84:14:90:8 | `{\\n     ...      }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n     ...      }` | This query depends on $@. | graphql.js:74:14:74:25 | req.query.id | a user-provided value |
+| graphql.js:120:38:120:48 | `foo ${id}` | graphql.js:119:16:119:28 | req.params.id | graphql.js:120:38:120:48 | `foo ${id}` | This query depends on $@. | graphql.js:119:16:119:28 | req.params.id | a user-provided value |
 | json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js
new file mode 100644
index 00000000000..723348daf57
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js
@@ -0,0 +1,121 @@
+var express = require('express');
+var app = express();
+
+import { Octokit } from "@octokit/core";
+const kit = new Octokit();
+
+app.get('/post/:id', function(req, res) {
+    const id = req.params.id;
+    // NOT OK
+    const response = kit.graphql(`
+      query {
+        repository(owner: "github", name: "${id}") {
+          object(expression: "master:foo") {
+            ... on Blob {
+              text
+            }
+          }
+        }
+      }
+    `);
+});
+
+import { graphql, withCustomRequest } from "@octokit/graphql";
+
+app.get('/user/:id/', function(req, res) {
+    const id = req.params.id;
+    const response = graphql(`foo ${id}`); // NOT OK
+
+    const myGraphql = withCustomRequest(request);
+    const response = myGraphql(`foo ${id}`); // NOT OK
+
+    const withDefaults = graphql.defaults({});
+    withDefaults(`foo ${id}`); // NOT OK
+});
+
+const { request } = require("@octokit/request");
+
+app.get('/article/:id/', async function(req, res) {
+    const id = req.params.id;
+    const result = await request("POST /graphql", {
+      headers: {
+        authorization: "token 0000000000000000000000000000000000000001",
+      },
+      query: `foo ${id}`, // NOT OK
+    });
+
+    const withDefaults = request.defaults({});
+    withDefaults("POST /graphql", { query: `foo ${id}` }); // NOT OK
+});
+
+import { Octokit as Core } from "@octokit/rest";
+const kit2 = new Core();
+
+app.get('/event/:id/', async function(req, res) {
+    const id = req.params.id;
+    const result = await kit2.graphql(`foo ${id}`); // NOT OK
+
+    const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // NOT OK
+});
+
+import { graphql as nativeGraphql, buildSchema }  from 'graphql';
+var schema = buildSchema(`
+  type Query {
+    hello: String
+  }
+`);
+var root = {
+  hello: () => {
+    return 'Hello world!';
+  },
+};
+
+app.get('/thing/:id', async function(req, res) {
+  const id = req.query.id;
+  const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // NOT OK
+  
+  fetch("https://my-grpahql-server.com/graphql", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      // NOT OK
+      query: `{
+        thing {
+          name
+          url
+          ${id}
+        }
+      }`
+    })
+  })
+
+  fetch("https://my-grpahql-server.com/graphql", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      // OK
+      query: `{
+        thing {
+          name
+          url
+          $id
+        }
+      }`,
+      variables: {
+        id: id
+      }
+    })
+  })
+});
+
+const github = require('@actions/github');
+app.get('/event/:id/', async function(req, res) {
+    const kit = github.getOctokit("foo")
+
+    const id = req.params.id;
+    const result = await kit.graphql(`foo ${id}`); // NOT OK
+});
diff --git a/misc/scripts/library-coverage/compare-files-comment-pr.py b/misc/scripts/library-coverage/compare-files-comment-pr.py
new file mode 100644
index 00000000000..dec7cd3cf14
--- /dev/null
+++ b/misc/scripts/library-coverage/compare-files-comment-pr.py
@@ -0,0 +1,129 @@
+import sys
+import os
+import settings
+import difflib
+import utils
+
+"""
+This script compares the generated CSV coverage files with the ones in the codebase.
+"""
+
+
+def check_file_exists(file):
+    if not os.path.exists(file):
+        print("Expected file '" + file + "' doesn't exist.", file=sys.stderr)
+        return False
+    return True
+
+
+def ignore_line_ending(ch):
+    return difflib.IS_CHARACTER_JUNK(ch, ws=" \r\n")
+
+
+def compare_files(file1, file2):
+    messages = compare_files_str(file1, file2)
+    if messages == "":
+        return True
+
+    print(messages, end="", file=sys.stderr)
+
+    return False
+
+
+def compare_files_str(file1, file2):
+    diff = difflib.ndiff(open(file1).readlines(),
+                         open(file2).readlines(), None, ignore_line_ending)
+    ret = ""
+    for line in diff:
+        if line.startswith("+") or line.startswith("-"):
+            ret += line
+
+    return ret
+
+
+def comment_pr(folder1, folder2, output_file, repo, pr_number, run_id):
+    compare_folders(folder1, folder2, output_file)
+    size = os.path.getsize(output_file)
+    if size == 0:
+        print("No difference in the coverage reports")
+        return
+
+    comment = ":warning: The head of this PR and the base branch were compared for differences in the framework coverage reports. " + \
+        "The generated reports are available in the [artifacts of this workflow run](https://github.com/" + repo + "/actions/runs/" + run_id + "). " + \
+        "The differences will be picked up by the nightly job after the PR gets merged. "
+
+    if size < 2000:
+        print("There's a small change in the CSV framework coverage reports")
+        comment += "The following differences were found: \n\n"
+        with open(output_file, 'r') as file:
+            comment += file.read()
+    else:
+        print("There's a large change in the CSV framework coverage reports")
+        comment += "The differences can be found in the " + \
+            output_file + " artifact of this job."
+
+    post_comment(comment, repo, pr_number)
+
+
+def post_comment(comment, repo, pr_number):
+    print("Posting comment to PR #" + str(pr_number))
+    utils.subprocess_run(["gh", "pr", "comment", pr_number,
+                         "--repo", repo, "--body", comment])
+
+
+def compare_folders(folder1, folder2, output_file):
+    languages = ['java']
+
+    return_md = ""
+
+    for lang in languages:
+        expected_files = ""
+
+        generated_output_rst = settings.generated_output_rst.format(
+            language=lang)
+        generated_output_csv = settings.generated_output_csv.format(
+            language=lang)
+
+        # check if files exist in both folder1 and folder 2
+        if not check_file_exists(folder1 + "/" + generated_output_rst):
+            expected_files += "- " + generated_output_rst + \
+                " doesn't exist in folder " + folder1 + "\n"
+        if not check_file_exists(folder2 + "/" + generated_output_rst):
+            expected_files += "- " + generated_output_rst + \
+                " doesn't exist in folder " + folder2 + "\n"
+        if not check_file_exists(folder1 + "/" + generated_output_csv):
+            expected_files += "- " + generated_output_csv + \
+                " doesn't exist in folder " + folder1 + "\n"
+        if not check_file_exists(folder2 + "/" + generated_output_csv):
+            expected_files += "- " + generated_output_csv + \
+                " doesn't exist in folder " + folder2 + "\n"
+
+        if expected_files != "":
+            print("Expected files are missing", file=sys.stderr)
+            return_md += "\n### " + lang + "\n\n#### Expected files are missing for " + \
+                lang + "\n" + expected_files + "\n"
+            continue
+
+        # compare contents of files
+        cmp1 = compare_files_str(
+            folder1 + "/" + generated_output_rst, folder2 + "/" + generated_output_rst)
+        cmp2 = compare_files_str(
+            folder1 + "/" + generated_output_csv, folder2 + "/" + generated_output_csv)
+
+        if cmp1 != "" or cmp2 != "":
+            print("Generated file contents are not matching", file=sys.stderr)
+            return_md += "\n### " + lang + "\n\n#### Generated file changes for " + \
+                lang + "\n\n"
+            if cmp1 != "":
+                return_md += "- Changes to " + generated_output_rst + \
+                    ":\n```diff\n" + cmp1 + "```\n\n"
+            if cmp2 != "":
+                return_md += "- Changes to " + generated_output_csv + \
+                    ":\n```diff\n" + cmp2 + "```\n\n"
+
+    with open(output_file, 'w', newline='') as out:
+        out.write(return_md)
+
+
+comment_pr(sys.argv[1], sys.argv[2], sys.argv[3],
+           sys.argv[4], sys.argv[5], sys.argv[6])
diff --git a/misc/scripts/library-coverage/compare-files.py b/misc/scripts/library-coverage/compare-files.py
deleted file mode 100644
index ae1f2dac42b..00000000000
--- a/misc/scripts/library-coverage/compare-files.py
+++ /dev/null
@@ -1,69 +0,0 @@
-import sys
-import os
-import settings
-import difflib
-
-"""
-This script compares the generated CSV coverage files with the ones in the codebase.
-"""
-
-
-def check_file_exists(file):
-    if not os.path.exists(file):
-        print("Expected file '" + file + "' doesn't exist.", file=sys.stderr)
-        sys.exit(1)
-
-
-def ignore_line_ending(ch):
-    return difflib.IS_CHARACTER_JUNK(ch, ws=" \r\n")
-
-
-def compare_files(file1, file2, path_to_report):
-    has_differences = False
-    diff = difflib.ndiff(open(file1).readlines(),
-                         open(file2).readlines(), None, ignore_line_ending)
-    for line in diff:
-        if line.startswith("+") or line.startswith("-"):
-            print(line, end="", file=sys.stderr)
-            has_differences = True
-
-    if has_differences:
-        print("The generated file doesn't match the one in the codebase. Please check and fix file '" +
-              path_to_report + "'.", file=sys.stderr)
-        return False
-    return True
-
-
-languages = ['java']
-
-all_ok = True
-
-for lang in languages:
-    repo_output_rst = settings.repo_output_rst.format(language=lang)
-    repo_output_csv = settings.repo_output_csv.format(language=lang)
-
-    generated_output_rst = settings.generated_output_rst.format(language=lang)
-    generated_output_csv = settings.generated_output_csv.format(language=lang)
-
-    check_file_exists(repo_output_rst)
-    check_file_exists(repo_output_csv)
-    check_file_exists(generated_output_rst)
-    check_file_exists(generated_output_csv)
-
-    docs_folder = settings.documentation_folder_no_prefix.format(language=lang)
-
-    rst_ok = compare_files(repo_output_rst, generated_output_rst,
-                           docs_folder + settings.output_rst_file_name)
-    csv_ok = compare_files(repo_output_csv, generated_output_csv,
-                           docs_folder + settings.output_csv_file_name)
-
-    if not rst_ok or not csv_ok:
-        print("The generated CSV coverage report files for '" + lang + "' don't match the ones in the codebase. Please update the files in '" +
-              docs_folder + "'. The new files can be downloaded from the artifacts of this job.", file=sys.stderr)
-        all_ok = False
-    else:
-        print("The generated files for '" + lang +
-              "' match the ones in the codebase.")
-
-if not all_ok:
-    sys.exit(1)
diff --git a/misc/scripts/library-coverage/frameworks.py b/misc/scripts/library-coverage/frameworks.py
new file mode 100644
index 00000000000..d37e59ddb74
--- /dev/null
+++ b/misc/scripts/library-coverage/frameworks.py
@@ -0,0 +1,75 @@
+import csv
+import sys
+import packages
+
+
+class Framework:
+    """
+    Frameworks are the aggregation units in the RST and timeseries report. These are read from the frameworks.csv file.
+    """
+
+    def __init__(self, name, url, package_pattern):
+        self.name = name
+        self.url = url
+        self.package_pattern = package_pattern
+
+
+class FrameworkCollection:
+    """
+    A (sorted) list of frameworks.
+    """
+
+    def __init__(self, path):
+        self.frameworks: list[Framework] = []
+        self.package_patterns = set()
+
+        with open(path) as csvfile:
+            reader = csv.reader(csvfile)
+            next(reader)
+            for row in reader:
+                # row: Hibernate,https://hibernate.org/,org.hibernate
+                self.__add(Framework(row[0], row[1], row[2]))
+        self.__sort()
+
+    def __add(self, framework: Framework):
+        if framework.package_pattern not in self.package_patterns:
+            self.package_patterns.add(framework.package_pattern)
+            self.frameworks.append(framework)
+        else:
+            print("Package pattern already exists: " +
+                  framework.package_pattern, file=sys.stderr)
+
+    def __sort(self):
+        self.frameworks.sort(key=lambda f: f.name)
+
+    def get(self, framework_name):
+        for framework in self.frameworks:
+            if framework.name == framework_name:
+                return framework
+        return None
+
+    def get_frameworks(self):
+        return self.frameworks
+
+    def __package_match_single(self, package: packages.Package, pattern):
+        return (pattern.endswith("*") and package.name.startswith(pattern[:-1])) or (not pattern.endswith("*") and pattern == package.name)
+
+    def __package_match(self, package: packages.Package, pattern):
+        patterns = pattern.split(" ")
+        return any(self.__package_match_single(package, pattern) for pattern in patterns)
+
+    def get_package_filter(self, framework: Framework):
+        """
+        Returns a lambda filter that holds for packages that match the current framework.
+
+        The pattern is either full name, such as "org.hibernate", or a prefix, such as "java.*".
+        Patterns can also contain a space separated list of patterns, such as "java.sql javax.swing".
+
+        Package patterns might overlap, in case of 'org.apache.commons.io' and 'org.apache.*', the statistics for
+        the latter will not include the statistics for the former.
+        """
+        return lambda p: \
+            self.__package_match(p, framework.package_pattern) and \
+            all(
+                len(framework.package_pattern) >= len(pattern) or
+                not self.__package_match(p, pattern) for pattern in self.package_patterns)
diff --git a/misc/scripts/library-coverage/generate-report.py b/misc/scripts/library-coverage/generate-report.py
index ffcc654a728..bb5dc694fd5 100644
--- a/misc/scripts/library-coverage/generate-report.py
+++ b/misc/scripts/library-coverage/generate-report.py
@@ -1,9 +1,11 @@
-import subprocess
 import csv
 import sys
 import os
 import shutil
 import settings
+import utils
+import packages as pack
+import frameworks as fr
 
 """
 This script runs the CSV coverage report QL query, and transforms it to a more readable format.
@@ -12,30 +14,6 @@ data.
  """
 
 
-def subprocess_run(cmd):
-    """Runs a command through subprocess.run, with a few tweaks. Raises an Exception if exit code != 0."""
-    return subprocess.run(cmd, capture_output=True, text=True, env=os.environ.copy(), check=True)
-
-
-def create_empty_database(lang, extension, database):
-    """Creates an empty database for the given language."""
-    subprocess_run(["codeql", "database", "init", "--language=" + lang,
-                   "--source-root=/tmp/empty", "--allow-missing-source-root", database])
-    subprocess_run(["mkdir", "-p", database + "/src/tmp/empty"])
-    subprocess_run(["touch", database + "/src/tmp/empty/empty" + extension])
-    subprocess_run(["codeql", "database", "finalize",
-                   database, "--no-pre-finalize"])
-
-
-def run_codeql_query(query, database, output):
-    """Runs a codeql query on the given database."""
-    subprocess_run(["codeql", "query", "run", query,
-                   "--database", database, "--output", output + ".bqrs"])
-    subprocess_run(["codeql", "bqrs", "decode", output + ".bqrs",
-                   "--format=csv", "--no-titles", "--output", output])
-    os.remove(output + ".bqrs")
-
-
 def append_csv_number(list, value):
     """Adds a number to the list or None if the value is not greater than 0."""
     if value > 0:
@@ -52,14 +30,7 @@ def append_csv_dict_item(list, dictionary, key):
         list.append(None)
 
 
-def increment_dict_item(value, dictionary, key):
-    """Increments the value of the dictionary[key] by value."""
-    if key not in dictionary:
-        dictionary[key] = 0
-    dictionary[key] += int(value)
-
-
-def collect_package_stats(packages, cwes, filter):
+def collect_package_stats(packages: pack.PackageCollection, cwes, filter):
     """
     Collects coverage statistics for packages matching the given filter. `filter` is a `lambda` that for example (i) matches
     packages to frameworks, or (2) matches packages that were previously not processed.
@@ -72,20 +43,21 @@ def collect_package_stats(packages, cwes, filter):
     framework_cwes = {}
     processed_packages = set()
 
-    for package in packages:
+    for package in packages.get_packages():
+        package: pack.Package = package
         if filter(package):
             processed_packages.add(package)
-            sources += int(packages[package]["kind"].get("source:remote", 0))
-            steps += int(packages[package]["part"].get("summary", 0))
-            sinks += int(packages[package]["part"].get("sink", 0))
+            sources += package.get_kind_count("source:remote")
+            steps += package.get_part_count("summary")
+            sinks += package.get_part_count("sink")
 
             for cwe in cwes:
                 sink = "sink:" + cwes[cwe]["sink"]
-                if sink in packages[package]["kind"]:
+                count = package.get_kind_count(sink)
+                if count > 0:
                     if cwe not in framework_cwes:
                         framework_cwes[cwe] = 0
-                    framework_cwes[cwe] += int(
-                        packages[package]["kind"][sink])
+                    framework_cwes[cwe] += count
 
     return sources, steps, sinks, framework_cwes, processed_packages
 
@@ -108,16 +80,8 @@ def add_package_stats_to_row(row, sorted_cwes, collect):
     return row, processed_packages
 
 
-class LanguageConfig:
-    def __init__(self, lang, capitalized_lang, ext, ql_path):
-        self.lang = lang
-        self.capitalized_lang = capitalized_lang
-        self.ext = ext
-        self.ql_path = ql_path
-
-
 try:  # Check for `codeql` on path
-    subprocess_run(["codeql", "--version"])
+    utils.subprocess_run(["codeql", "--version"])
 except Exception as e:
     print("Error: couldn't invoke CodeQL CLI 'codeql'. Is it on the path? Aborting.", file=sys.stderr)
     raise e
@@ -145,7 +109,7 @@ if len(sys.argv) > 2:
 
 # Languages for which we want to generate coverage reports.
 configs = [
-    LanguageConfig(
+    utils.LanguageConfig(
         "java", "Java", ".java", query_prefix + "java/ql/src/meta/frameworks/Coverage.ql")
 ]
 
@@ -165,41 +129,16 @@ for config in configs:
     lang = config.lang
     db = "empty-" + lang
     ql_output = output_ql_csv.format(language=lang)
-    create_empty_database(lang, config.ext, db)
-    run_codeql_query(config.ql_path, db, ql_output)
+    utils.create_empty_database(lang, config.ext, db)
+    utils.run_codeql_query(config.ql_path, db, ql_output)
     shutil.rmtree(db)
 
-    packages = {}
-    parts = set()
-    kinds = set()
-
-    # Read the generated CSV file, and collect package statistics.
-    with open(ql_output) as csvfile:
-        reader = csv.reader(csvfile)
-        for row in reader:
-            # row: "android.util",1,"remote","source",16
-            package = row[0]
-            if package not in packages:
-                packages[package] = {
-                    "count": row[1],
-                    # part: "summary", "sink", or "source"
-                    "part": {},
-                    # kind: "source:remote", "sink:create-file", ...
-                    "kind": {}
-                }
-
-            part = row[3]
-            parts.add(part)
-            increment_dict_item(row[4], packages[package]["part"], part)
-
-            kind = part + ":" + row[2]
-            kinds.add(kind)
-            increment_dict_item(row[4], packages[package]["kind"], kind)
+    packages = pack.PackageCollection(ql_output)
 
     os.remove(ql_output)
 
-    parts = sorted(parts)
-    kinds = sorted(kinds)
+    parts = packages.get_parts()
+    kinds = packages.get_kinds()
 
     # Write the denormalized package statistics to a CSV file.
     with open(output_csv.format(language=lang), 'w', newline='') as csvfile:
@@ -211,44 +150,21 @@ for config in configs:
 
         csvwriter.writerow(headers)
 
-        for package in sorted(packages):
-            row = [package]
+        for package in packages.get_packages():
+            package: pack.Package = package
+            row = [package.name]
             for part in parts:
-                append_csv_dict_item(row, packages[package]["part"], part)
+                append_csv_number(row, package.get_part_count(part))
             for kind in kinds:
-                append_csv_dict_item(row, packages[package]["kind"], kind)
+                append_csv_number(row, package.get_kind_count(kind))
             csvwriter.writerow(row)
 
     # Read the additional framework data, such as URL, friendly name
-    frameworks = {}
-
-    with open(input_framework_csv.format(language=lang)) as csvfile:
-        reader = csv.reader(csvfile)
-        next(reader)
-        for row in reader:
-            # row: Hibernate,https://hibernate.org/,org.hibernate
-            framwork = row[0]
-            if framwork not in frameworks:
-                frameworks[framwork] = {
-                    "package": row[2],
-                    "url": row[1]
-                }
+    frameworks = fr.FrameworkCollection(
+        input_framework_csv.format(language=lang))
 
     # Read the additional CWE data
-    cwes = {}
-
-    with open(input_cwe_sink_csv.format(language=lang)) as csvfile:
-        reader = csv.reader(csvfile)
-        next(reader)
-        for row in reader:
-            # row: CWE-89,sql,SQL injection
-            cwe = row[0]
-            if cwe not in cwes:
-                cwes[cwe] = {
-                    "sink": row[1],
-                    "label": row[2]
-                }
-
+    cwes = utils.read_cwes(input_cwe_sink_csv.format(language=lang))
     sorted_cwes = sorted(cwes)
 
     with open(output_rst.format(language=lang), 'w', newline='') as rst_file:
@@ -278,34 +194,25 @@ for config in configs:
 
         processed_packages = set()
 
-        all_package_patterns = set(
-            (frameworks[fr]["package"] for fr in frameworks))
-
         # Write a row for each framework.
-        for framework in sorted(frameworks):
+        for framework in frameworks.get_frameworks():
+            framework: fr.Framework = framework
             row = []
 
             # Add the framework name to the row
-            if not frameworks[framework]["url"]:
-                row.append(row_prefix + framework)
+            if not framework.url:
+                row.append(row_prefix + framework.name)
             else:
                 row.append(
-                    row_prefix + "`" + framework + " <" + frameworks[framework]["url"] + ">`_")
+                    row_prefix + "`" + framework.name + " <" + framework.url + ">`_")
 
             # Add the package name to the row
-            row.append("``" + frameworks[framework]["package"] + "``")
-
-            current_package_pattern = frameworks[framework]["package"]
+            row.append(", ".join("``{0}``".format(p)
+                       for p in framework.package_pattern.split(" ")))
 
             # Collect statistics on the current framework
-            # current_package_pattern is either full name, such as "org.hibernate", or a prefix, such as "java.*"
-            # Package patterns might overlap, in case of 'org.apache.commons.io' and 'org.apache.*', the statistics for
-            # the latter will not include the statistics for the former.
-            def package_match(package_name, pattern): return (pattern.endswith(
-                "*") and package_name.startswith(pattern[:-1])) or (not pattern.endswith("*") and pattern == package_name)
-
             def collect_framework(): return collect_package_stats(
-                packages, cwes, lambda p: package_match(p, current_package_pattern) and all(len(current_package_pattern) >= len(pattern) or not package_match(p, pattern) for pattern in all_package_patterns))
+                packages, cwes, frameworks.get_package_filter(framework))
 
             row, f_processed_packages = add_package_stats_to_row(
                 row, sorted_cwes, collect_framework)
@@ -322,8 +229,8 @@ for config in configs:
         row, other_packages = add_package_stats_to_row(
             row, sorted_cwes, collect_others)
 
-        row[1] = ", ".join("``{0}``".format(p)
-                           for p in sorted(other_packages))
+        row[1] = ", ".join("``{0}``".format(p.name)
+                           for p in sorted(other_packages, key=lambda x: x.name))
 
         csvwriter.writerow(row)
 
diff --git a/misc/scripts/library-coverage/generate-timeseries.py b/misc/scripts/library-coverage/generate-timeseries.py
new file mode 100644
index 00000000000..a05b0ae298c
--- /dev/null
+++ b/misc/scripts/library-coverage/generate-timeseries.py
@@ -0,0 +1,173 @@
+import subprocess
+import csv
+import sys
+import os
+import shutil
+from datetime import date
+import datetime
+import utils
+import settings
+import packages as pack
+import frameworks as fr
+
+"""
+Gets the sink/source/summary statistics for different days.
+"""
+
+# the distance between commits to include in the output
+day_distance = 1
+
+
+class Git:
+    def get_output(arr):
+        r = subprocess.check_output(arr, text=True, env=os.environ.copy())
+        return r.strip("\n'")
+
+    def get_date(sha):
+        d = Git.get_output(
+            ["git", "show",  "--no-patch",  "--no-notes", "--pretty='%cd'",  "--date=short", sha])
+        return date.fromisoformat(d)
+
+    def get_parent(sha):
+        parent_sha = Git.get_output(
+            ["git", "rev-parse",  sha + "^"])
+        parent_date = Git.get_date(parent_sha)
+        return (parent_sha, parent_date)
+
+    def get_previous_sha(sha, date):
+        parent_sha, parent_date = Git.get_parent(sha)
+        while parent_date > date + datetime.timedelta(days=-1 * day_distance):
+            parent_sha, parent_date = Git.get_parent(parent_sha)
+
+        return (parent_sha, parent_date)
+
+
+def get_packages(lang, query):
+    try:
+        db = "empty_" + lang
+        ql_output = "output-" + lang + ".csv"
+        if os.path.isdir(db):
+            shutil.rmtree(db)
+        utils.create_empty_database(lang, ".java", db)
+        utils.run_codeql_query(query, db, ql_output)
+
+        return pack.PackageCollection(ql_output)
+    except:
+        print("Unexpected error:", sys.exc_info()[0])
+        raise Exception()
+    finally:
+        if os.path.isfile(ql_output):
+            os.remove(ql_output)
+
+        if os.path.isdir(db):
+            shutil.rmtree(db)
+
+
+working_dir = ""
+if len(sys.argv) > 1:
+    working_dir = sys.argv[1]
+else:
+    print("Working directory is not specified")
+    exit(1)
+
+configs = [
+    utils.LanguageConfig(
+        "java", "Java", ".java", "java/ql/src/meta/frameworks/Coverage.ql")
+]
+
+# todo: change this when we cover multiple languages. We should compute the SHAs
+# only once and not per language
+output_prefix = "framework-coverage-timeseries-"
+for config in configs:
+    with open(output_prefix + config.lang + ".csv", 'w', newline='') as csvfile_total:
+        with open(output_prefix + config.lang + "-packages.csv", 'w', newline='') as csvfile_packages:
+            csvwriter_total = csv.writer(csvfile_total)
+            csvwriter_packages = csv.writer(csvfile_packages)
+            csvwriter_total.writerow(
+                ["SHA", "Date", "Sources", "Sinks", "Summaries"])
+            csvwriter_packages.writerow(
+                ["SHA", "Date", "Framework", "Package", "Sources", "Sinks", "Summaries"])
+
+            os.chdir(working_dir)
+
+            utils.subprocess_run(["git", "checkout", "main"])
+
+            current_sha = Git.get_output(["git", "rev-parse", "HEAD"])
+            current_date = Git.get_date(current_sha)
+
+            # Read the additional framework data, such as URL, friendly name from the latest commit
+            input_framework_csv = settings.documentation_folder_no_prefix + "frameworks.csv"
+            frameworks = fr.FrameworkCollection(
+                input_framework_csv.format(language=config.lang))
+
+            while True:
+                print("Getting stats for " + current_sha)
+                utils.subprocess_run(["git", "checkout", current_sha])
+
+                try:
+                    packages = get_packages(config.lang, config.ql_path)
+
+                    csvwriter_total.writerow([
+                        current_sha,
+                        current_date,
+                        packages.get_part_count("source"),
+                        packages.get_part_count("sink"),
+                        packages.get_part_count("summary")])
+
+                    matched_packages = set()
+
+                    for framework in frameworks.get_frameworks():
+                        framework: fr.Framework = framework
+
+                        row = [current_sha, current_date,
+                               framework.name, framework.package_pattern]
+
+                        sources = 0
+                        sinks = 0
+                        summaries = 0
+
+                        for package in packages.get_packages():
+                            if frameworks.get_package_filter(framework)(package):
+                                sources += package.get_part_count("source")
+                                sinks += package.get_part_count("sink")
+                                summaries += package.get_part_count("summary")
+                                matched_packages.add(package.name)
+
+                        row.append(sources)
+                        row.append(sinks)
+                        row.append(summaries)
+
+                        csvwriter_packages.writerow(row)
+
+                    row = [current_sha, current_date, "Others"]
+
+                    sources = 0
+                    sinks = 0
+                    summaries = 0
+                    other_packages = set()
+
+                    for package in packages.get_packages():
+                        if not package.name in matched_packages:
+                            sources += package.get_part_count("source")
+                            sinks += package.get_part_count("sink")
+                            summaries += package.get_part_count("summary")
+                            other_packages.add(package.name)
+
+                    row.append(", ".join(sorted(other_packages)))
+                    row.append(sources)
+                    row.append(sinks)
+                    row.append(summaries)
+
+                    csvwriter_packages.writerow(row)
+
+                    print("Collected stats for " + current_sha +
+                          " at " + current_date.isoformat())
+                except:
+                    print("Error getting stats for " +
+                          current_sha + ". Stopping iteration.")
+                    break
+
+                current_sha, current_date = Git.get_previous_sha(
+                    current_sha, current_date)
+
+    utils.subprocess_run(["git", "checkout", "main"])
diff --git a/misc/scripts/library-coverage/packages.py b/misc/scripts/library-coverage/packages.py
new file mode 100644
index 00000000000..f0292b867cf
--- /dev/null
+++ b/misc/scripts/library-coverage/packages.py
@@ -0,0 +1,110 @@
+import csv
+
+
+class PackagePart:
+    """
+    Represents a single package part with its count returned from the QL query, such as:
+    "android.util",1,"remote","source",16
+    """
+
+    def __init__(self, package, kind, part, count):
+        self.package = package
+        # "summary", "sink", or "source"
+        self.part = part
+        # "source:remote", "sink:create-file", ...
+        self.kind = part + ":" + kind
+        self.count = int(count)
+
+
+class Package:
+    """
+    Represents an entire package with multiple parts returned from the QL query.
+    """
+
+    def __init__(self, name, package_count):
+        self.parts: list[PackagePart] = []
+
+        self.name = name
+        self.package_count = int(package_count)
+
+    def add_part(self, part: PackagePart):
+        self.parts.append(part)
+
+    def get_part_count(self, p):
+        count = 0
+        for part in self.parts:
+            if part.part == p:
+                count += part.count
+        return count
+
+    def get_kind_count(self, k):
+        count = 0
+        for part in self.parts:
+            if part.kind == k:
+                count += part.count
+        return count
+
+
+class PackageCollection:
+    """
+    A (sorted) list of packages. Packages are returned by the QL query in the form:
+    "android.util",1,"remote","source",16
+
+    And then the denormalized rows are aggregated by packages.
+    """
+
+    def __init__(self, ql_output_path):
+        self.packages: list[Package] = []
+        self.package_names = set()
+
+        # Read the generated CSV file, and collect package statistics.
+        with open(ql_output_path) as csvfile:
+            reader = csv.reader(csvfile)
+            for row in reader:
+                # row: "android.util",1,"remote","source",16
+
+                package = self.__get_or_create_package(row[0], row[1])
+
+                packagePart = PackagePart(
+                    package, row[2], row[3], row[4])
+
+                package.add_part(packagePart)
+        self.__sort()
+
+    def __sort(self):
+        self.packages.sort(key=lambda f: f.name)
+
+    def get_packages(self):
+        return self.packages
+
+    def __get_or_create_package(self, package_name, package_count):
+        if package_name not in self.package_names:
+            self.package_names.add(package_name)
+            package = Package(package_name, package_count)
+            self.packages.append(package)
+            return package
+        else:
+            for package in self.packages:
+                if package.name == package_name:
+                    return package
+            return None
+
+    def get_parts(self):
+        parts = set()
+        for package in self.packages:
+            for part in package.parts:
+                parts.add(part.part)
+        return sorted(parts)
+
+    def get_kinds(self):
+        kinds = set()
+        for package in self.packages:
+            for part in package.parts:
+                kinds.add(part.kind)
+        return sorted(kinds)
+
+    def get_part_count(self, p):
+        count = 0
+        for package in self.packages:
+            count += package.get_part_count(p)
+        return count
diff --git a/misc/scripts/library-coverage/settings.py b/misc/scripts/library-coverage/settings.py
index 787f7253bba..ae43a0666da 100644
--- a/misc/scripts/library-coverage/settings.py
+++ b/misc/scripts/library-coverage/settings.py
@@ -1,7 +1,7 @@
 import sys
 
-generated_output_rst = "flow-model-coverage-{language}.rst"
-generated_output_csv = "flow-model-coverage-{language}.csv"
+generated_output_rst = "framework-coverage-{language}.rst"
+generated_output_csv = "framework-coverage-{language}.csv"
 
 # The CI job checks out the codebase to a subfolder
 data_prefix = ""
@@ -16,7 +16,7 @@ if len(sys.argv) > index:
 documentation_folder_no_prefix = "{language}/documentation/library-coverage/"
 documentation_folder = data_prefix + documentation_folder_no_prefix
 
-output_rst_file_name = "flow-model-coverage.rst"
-output_csv_file_name = "flow-model-coverage.csv"
+output_rst_file_name = "coverage.rst"
+output_csv_file_name = "coverage.csv"
 repo_output_rst = documentation_folder + output_rst_file_name
 repo_output_csv = documentation_folder + output_csv_file_name
diff --git a/misc/scripts/library-coverage/utils.py b/misc/scripts/library-coverage/utils.py
new file mode 100644
index 00000000000..85765185557
--- /dev/null
+++ b/misc/scripts/library-coverage/utils.py
@@ -0,0 +1,54 @@
+import subprocess
+import os
+import csv
+import sys
+import shlex
+
+
+def subprocess_run(cmd):
+    """Runs a command through subprocess.run, with a few tweaks. Raises an Exception if exit code != 0."""
+    print(shlex.join(cmd))
+    return subprocess.run(cmd, capture_output=True, text=True, env=os.environ.copy(), check=True)
+
+
+def create_empty_database(lang, extension, database):
+    """Creates an empty database for the given language."""
+    subprocess_run(["codeql", "database", "init", "--language=" + lang,
+                   "--source-root=/tmp/empty", "--allow-missing-source-root", database])
+    subprocess_run(["mkdir", "-p", database + "/src/tmp/empty"])
+    subprocess_run(["touch", database + "/src/tmp/empty/empty" + extension])
+    subprocess_run(["codeql", "database", "finalize",
+                   database, "--no-pre-finalize"])
+
+
+def run_codeql_query(query, database, output):
+    """Runs a codeql query on the given database."""
+    subprocess_run(["codeql", "query", "run", query,
+                   "--database", database, "--output", output + ".bqrs"])
+    subprocess_run(["codeql", "bqrs", "decode", output + ".bqrs",
+                   "--format=csv", "--no-titles", "--output", output])
+    os.remove(output + ".bqrs")
+
+
+class LanguageConfig:
+    def __init__(self, lang, capitalized_lang, ext, ql_path):
+        self.lang = lang
+        self.capitalized_lang = capitalized_lang
+        self.ext = ext
+        self.ql_path = ql_path
+
+
+def read_cwes(path):
+    cwes = {}
+    with open(path) as csvfile:
+        reader = csv.reader(csvfile)
+        next(reader)
+        for row in reader:
+            # row: CWE-89,sql,SQL injection
+            cwe = row[0]
+            if cwe not in cwes:
+                cwes[cwe] = {
+                    "sink": row[1],
+                    "label": row[2]
+                }
+    return cwes
diff --git a/python/change-notes/2021-05-21-api-graph-await.md b/python/change-notes/2021-05-21-api-graph-await.md
new file mode 100644
index 00000000000..81463fb7517
--- /dev/null
+++ b/python/change-notes/2021-05-21-api-graph-await.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* API graph nodes now contain a `getAwaited()` member predicate, for getting the result of awaiting an item, such as `await foo`.
diff --git a/python/change-notes/2021-05-25-add-ClickHouse-sql-libs.md b/python/change-notes/2021-05-25-add-ClickHouse-sql-libs.md
new file mode 100644
index 00000000000..4638180f8c5
--- /dev/null
+++ b/python/change-notes/2021-05-25-add-ClickHouse-sql-libs.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added model of SQL execution in `clickhouse-driver` and `aioch` PyPI packages, resulting in additional sinks for the SQL Injection query (`py/sql-injection`). This modeling was originally [submitted as a contribution by @japroc](https://github.com/github/codeql/pull/5889).
diff --git a/python/ql/src/Expressions/UseofInput.ql b/python/ql/src/Expressions/UseofInput.ql
index 68566ab0f95..8d95ce6b241 100644
--- a/python/ql/src/Expressions/UseofInput.ql
+++ b/python/ql/src/Expressions/UseofInput.ql
@@ -6,7 +6,7 @@
  *       correctness
  *       security/cwe/cwe-78
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @sub-severity high
  * @precision high
  * @id py/use-of-input
diff --git a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
index e5cc90196d1..9baa6e17775 100644
--- a/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
+++ b/python/ql/src/Security/CVE-2018-1281/BindToAllInterfaces.ql
@@ -6,7 +6,7 @@
  * @tags security
  *       external/cwe/cwe-200
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.5
  * @sub-severity low
  * @precision high
  * @id py/bind-socket-all-network-interfaces
diff --git a/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql b/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
index 17af70d836f..c1298ed9998 100644
--- a/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
+++ b/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 
diff --git a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
index be44f462d53..7f32419261c 100644
--- a/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
+++ b/python/ql/src/Security/CWE-020/IncompleteHostnameRegExp.ql
@@ -3,7 +3,7 @@
  * @description Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id py/incomplete-hostname-regexp
  * @tags correctness
diff --git a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
index 5b25f8fe595..7db2b972da0 100644
--- a/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
+++ b/python/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
@@ -3,7 +3,7 @@
  * @description Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id py/incomplete-url-substring-sanitization
  * @tags correctness
diff --git a/python/ql/src/Security/CWE-022/PathInjection.ql b/python/ql/src/Security/CWE-022/PathInjection.ql
index 7083f12ab2b..ed4d9fc6a32 100644
--- a/python/ql/src/Security/CWE-022/PathInjection.ql
+++ b/python/ql/src/Security/CWE-022/PathInjection.ql
@@ -3,7 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @sub-severity high
  * @precision high
  * @id py/path-injection
diff --git a/python/ql/src/Security/CWE-022/TarSlip.ql b/python/ql/src/Security/CWE-022/TarSlip.ql
index cb6faccd1e2..f671072a6ef 100644
--- a/python/ql/src/Security/CWE-022/TarSlip.ql
+++ b/python/ql/src/Security/CWE-022/TarSlip.ql
@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id py/tarslip
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @tags security
  *       external/cwe/cwe-022
diff --git a/python/ql/src/Security/CWE-078/CommandInjection.ql b/python/ql/src/Security/CWE-078/CommandInjection.ql
index 5a2a475ea10..8eaadf3b642 100755
--- a/python/ql/src/Security/CWE-078/CommandInjection.ql
+++ b/python/ql/src/Security/CWE-078/CommandInjection.ql
@@ -4,7 +4,7 @@
  *              user to change the meaning of the command.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @sub-severity high
  * @precision high
  * @id py/command-line-injection
diff --git a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
index fb443d15d2c..1ab93ae4a2b 100644
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -4,7 +4,7 @@
  *              cause a cross-site scripting vulnerability.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision medium
  * @id py/jinja2/autoescape-false
  * @tags security
diff --git a/python/ql/src/Security/CWE-079/ReflectedXss.ql b/python/ql/src/Security/CWE-079/ReflectedXss.ql
index ca81f589b0e..ae037e5aa67 100644
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @sub-severity high
  * @precision high
  * @id py/reflective-xss
diff --git a/python/ql/src/Security/CWE-089/SqlInjection.ql b/python/ql/src/Security/CWE-089/SqlInjection.ql
index c7ce0ebd4a7..1d34b1a58f2 100644
--- a/python/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/python/ql/src/Security/CWE-089/SqlInjection.ql
@@ -4,7 +4,7 @@
  *              malicious SQL code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id py/sql-injection
  * @tags security
diff --git a/python/ql/src/Security/CWE-094/CodeInjection.ql b/python/ql/src/Security/CWE-094/CodeInjection.ql
index 7f7a391db81..980b9bde040 100644
--- a/python/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/python/ql/src/Security/CWE-094/CodeInjection.ql
@@ -4,7 +4,7 @@
  *              code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @sub-severity high
  * @precision high
  * @id py/code-injection
diff --git a/python/ql/src/Security/CWE-209/StackTraceExposure.ql b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
index c092f399055..03ebdc84442 100644
--- a/python/ql/src/Security/CWE-209/StackTraceExposure.ql
+++ b/python/ql/src/Security/CWE-209/StackTraceExposure.ql
@@ -5,7 +5,7 @@
  *              developing a subsequent exploit.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 5.4
  * @precision high
  * @id py/stack-trace-exposure
  * @tags security
diff --git a/python/ql/src/Security/CWE-215/FlaskDebug.ql b/python/ql/src/Security/CWE-215/FlaskDebug.ql
index f55844ae1b5..0bca0cd2c31 100644
--- a/python/ql/src/Security/CWE-215/FlaskDebug.ql
+++ b/python/ql/src/Security/CWE-215/FlaskDebug.ql
@@ -3,7 +3,7 @@
  * @description Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id py/flask-debug
  * @tags security
diff --git a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
index adc04dc2984..89548d714ce 100644
--- a/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
+++ b/python/ql/src/Security/CWE-295/MissingHostKeyValidation.ql
@@ -3,7 +3,7 @@
  * @description Accepting unknown host keys can allow man-in-the-middle attacks.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id py/paramiko-missing-host-key-validation
  * @tags security
diff --git a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
index 97711bacbbb..5a3819f498e 100644
--- a/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
+++ b/python/ql/src/Security/CWE-295/RequestWithoutValidation.ql
@@ -3,7 +3,7 @@
  * @description Making a request without certificate validation can allow man-in-the-middle attacks.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id py/request-without-cert-validation
  * @tags security
diff --git a/python/ql/src/Security/CWE-312/CleartextLogging.ql b/python/ql/src/Security/CWE-312/CleartextLogging.ql
index c5f4c334557..61fb693aafb 100644
--- a/python/ql/src/Security/CWE-312/CleartextLogging.ql
+++ b/python/ql/src/Security/CWE-312/CleartextLogging.ql
@@ -4,7 +4,7 @@
  *              expose it to an attacker.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id py/clear-text-logging-sensitive-data
  * @tags security
diff --git a/python/ql/src/Security/CWE-312/CleartextStorage.ql b/python/ql/src/Security/CWE-312/CleartextStorage.ql
index 8ae5af8ef35..d54fbd94d50 100644
--- a/python/ql/src/Security/CWE-312/CleartextStorage.ql
+++ b/python/ql/src/Security/CWE-312/CleartextStorage.ql
@@ -4,7 +4,7 @@
  *              attacker.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id py/clear-text-storage-sensitive-data
  * @tags security
diff --git a/python/ql/src/Security/CWE-326/WeakCryptoKey.ql b/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
index 0f48dc91a88..cb62940cc26 100644
--- a/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
+++ b/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
@@ -3,7 +3,7 @@
  * @description Use of a cryptographic key that is too small may allow the encryption to be broken.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id py/weak-crypto-key
  * @tags security
diff --git a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
index 9c64ece8b11..9ee3e49a0a1 100644
--- a/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/python/ql/src/Security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -3,7 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can compromise security.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id py/weak-cryptographic-algorithm
  * @tags security
diff --git a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
index 07dfe9e412a..5d9c72a3cb1 100644
--- a/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql
@@ -5,7 +5,7 @@
  * @id py/insecure-default-protocol
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-327
diff --git a/python/ql/src/Security/CWE-327/InsecureProtocol.ql b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
index 20c361edbca..755cf0d43ab 100644
--- a/python/ql/src/Security/CWE-327/InsecureProtocol.ql
+++ b/python/ql/src/Security/CWE-327/InsecureProtocol.ql
@@ -4,7 +4,7 @@
  * @id py/insecure-protocol
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-327
diff --git a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
index e5bc4b95c82..846abd78eaf 100644
--- a/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
+++ b/python/ql/src/Security/CWE-327/WeakSensitiveDataHashing.ql
@@ -3,7 +3,7 @@
  * @description Using broken or weak cryptographic hashing algorithms can compromise security.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision high
  * @id py/weak-sensitive-data-hashing
  * @tags security
diff --git a/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql b/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
index d224d35e2f6..05905cda960 100644
--- a/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
+++ b/python/ql/src/Security/CWE-377/InsecureTemporaryFile.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id py/insecure-temporary-file
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.0
  * @sub-severity high
  * @precision high
  * @tags external/cwe/cwe-377
diff --git a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
index 7994431d940..c054a3706d0 100644
--- a/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
+++ b/python/ql/src/Security/CWE-502/UnsafeDeserialization.ql
@@ -4,7 +4,7 @@
  * @kind path-problem
  * @id py/unsafe-deserialization
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @sub-severity high
  * @precision high
  * @tags external/cwe/cwe-502
diff --git a/python/ql/src/Security/CWE-601/UrlRedirect.ql b/python/ql/src/Security/CWE-601/UrlRedirect.ql
index 77948b01779..ace3e9bf98d 100644
--- a/python/ql/src/Security/CWE-601/UrlRedirect.ql
+++ b/python/ql/src/Security/CWE-601/UrlRedirect.ql
@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.7
+ * @security-severity 6.1
  * @sub-severity low
  * @id py/url-redirection
  * @tags security
diff --git a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
index e964df073df..033083ceeb0 100644
--- a/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
+++ b/python/ql/src/Security/CWE-732/WeakFilePermissions.ql
@@ -4,7 +4,7 @@
  * @kind problem
  * @id py/overly-permissive-file
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
  * @sub-severity high
  * @precision medium
  * @tags external/cwe/cwe-732
diff --git a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
index 84bf1e2f16e..cd00908fe05 100644
--- a/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
+++ b/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
@@ -3,7 +3,7 @@
  * @description Credentials are hard coded in the source code of the application.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id py/hardcoded-credentials
  * @tags security
diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
deleted file mode 100644
index 6668d8eb15f..00000000000
--- a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.py
+++ /dev/null
@@ -1,28 +0,0 @@
-from django.conf.urls import url
-from clickhouse_driver import Client
-from clickhouse_driver import connect
-from aioch import Client as aiochClient
-
-class MyClient(Client):
-    def dummy(self):
-        return None
-
-def show_user(request, username):
-
-    # BAD -- Untrusted user input is directly injected into the sql query using async library 'aioch'
-    aclient = aiochClient("localhost")
-    progress = await aclient.execute_with_progress("SELECT * FROM users WHERE username = '%s'" % username)
-
-    # BAD -- Untrusted user input is directly injected into the sql query using native client of library 'clickhouse_driver'
-    Client('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
-
-    # GOOD -- query uses prepared statements
-    query = "SELECT * FROM users WHERE username = %(username)s"
-    Client('localhost').execute(query, {"username": username})
-
-    # BAD -- PEP249 interface
-    conn = connect('clickhouse://localhost')
-    cursor = conn.cursor()
-    cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
-
-urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]
diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
deleted file mode 100644
index be007545632..00000000000
--- a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.qhelp
+++ /dev/null
@@ -1,59 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-
-<overview>
-<p>
-If a database query (such as a SQL or NoSQL query) is built from
-user-provided data without sufficient sanitization, a user
-may be able to run malicious database queries.
-</p>
-</overview>
-
-<recommendation>
-<p>
-Most database connector libraries offer a way of safely
-embedding untrusted data into a query by means of query parameters
-or prepared statements.
-</p>
-</recommendation>
-
-<example>
-<p>
-In the following snippet, a user is fetched from a <code>ClickHouse</code> database
-using five different queries. In the "BAD" cases the query is built directly from user-controlled data.
-In the "GOOD" case the user-controlled data is safely embedded into the query by using query parameters.
-</p>
-
-<p>
-In the first case, the query executed via aioch Client. aioch - is a module
-for asynchronous queries to database.
-</p>
-
-<p>
-In the second and third cases, the connection is established via `Client` class.
-This class implement different method to execute a query.
-</p>
-
-<p>
-In the forth case, good pattern is presented. Query parameters are send through
-second dict-like argument.
-</p>
-
-<p>
-In the fifth case, there is example of PEP249 interface usage.
-</p>
-
-<p>
-In the sixth case, there is custom Class usge which is a subclass of default Client.
-</p>
-
-<sample src="ClickHouseSQLInjection.py" />
-</example>
-
-<references>
-<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.</li>
-<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">SQL Injection Prevention Cheat Sheet</a>.</li>
-</references>
-</qhelp>
diff --git a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql b/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql
deleted file mode 100644
index f0efb523756..00000000000
--- a/python/ql/src/experimental/Security/CWE-089/ClickHouseSQLInjection.ql
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * @id py/yandex/clickhouse-sql-injection
- * @name Clickhouse SQL query built from user-controlled sources
- * @description Building a SQL query from user-controlled sources is vulnerable to insertion of
- *              malicious SQL code by the user.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @tags security
- *       external/cwe/cwe-089
- *       external/owasp/owasp-a1
- */
-
-import python
-import experimental.semmle.python.frameworks.ClickHouseDriver
-import semmle.python.security.dataflow.SqlInjection
-import DataFlow::PathGraph
-
-from SQLInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
-  "a user-provided value"
diff --git a/python/ql/src/semmle/python/ApiGraphs.qll b/python/ql/src/semmle/python/ApiGraphs.qll
index 61c9f4c1c7f..2969d317576 100644
--- a/python/ql/src/semmle/python/ApiGraphs.qll
+++ b/python/ql/src/semmle/python/ApiGraphs.qll
@@ -97,6 +97,11 @@ module API {
      */
     Node getASubclass() { result = getASuccessor(Label::subclass()) }
 
+    /**
+     * Gets a node representing the result from awaiting this node.
+     */
+    Node getAwaited() { result = getASuccessor(Label::await()) }
+
     /**
      * Gets a string representation of the lexicographically least among all shortest access paths
      * from the root to this node.
@@ -469,6 +474,14 @@ module API {
         exists(DataFlow::Node superclass | pred.flowsTo(superclass) |
           ref.asExpr().(ClassExpr).getABase() = superclass.asExpr()
         )
+        or
+        // awaiting
+        exists(Await await, DataFlow::Node awaitedValue |
+          lbl = Label::await() and
+          ref.asExpr() = await and
+          await.getValue() = awaitedValue.asExpr() and
+          pred.flowsTo(awaitedValue)
+        )
       )
       or
       // Built-ins, treated as members of the module `builtins`
@@ -585,5 +598,9 @@ private module Label {
   /** Gets the `return` edge label. */
   string return() { result = "getReturn()" }
 
+  /** Gets the `subclass` edge label. */
   string subclass() { result = "getASubclass()" }
+
+  /** Gets the `await` edge label. */
+  string await() { result = "getAwaited()" }
 }
diff --git a/python/ql/src/semmle/python/Frameworks.qll b/python/ql/src/semmle/python/Frameworks.qll
index 0eed2efaf77..7b836c24c7c 100644
--- a/python/ql/src/semmle/python/Frameworks.qll
+++ b/python/ql/src/semmle/python/Frameworks.qll
@@ -4,7 +4,9 @@
 
 // If you add modeling of a new framework/library, remember to add it it to the docs in
 // `docs/codeql/support/reusables/frameworks.rst`
+private import semmle.python.frameworks.Aioch
 private import semmle.python.frameworks.Aiohttp
+private import semmle.python.frameworks.ClickhouseDriver
 private import semmle.python.frameworks.Cryptodome
 private import semmle.python.frameworks.Cryptography
 private import semmle.python.frameworks.Dill
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll
index 4e1cd281488..a55e65a81f6 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll
@@ -168,7 +168,13 @@ module Consistency {
     msg = "ArgumentNode is missing PostUpdateNode."
   }
 
-  query predicate postWithInFlow(PostUpdateNode n, string msg) {
+  // This predicate helps the compiler forget that in some languages
+  // it is impossible for a `PostUpdateNode` to be the target of
+  // `simpleLocalFlowStep`.
+  private predicate isPostUpdateNode(Node n) { n instanceof PostUpdateNode or none() }
+
+  query predicate postWithInFlow(Node n, string msg) {
+    isPostUpdateNode(n) and
     simpleLocalFlowStep(_, n) and
     msg = "PostUpdateNode should not be the target of local flow."
   }
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/TypeTracker.qll b/python/ql/src/semmle/python/dataflow/new/internal/TypeTracker.qll
index 48627668fb3..8b917edc60b 100644
--- a/python/ql/src/semmle/python/dataflow/new/internal/TypeTracker.qll
+++ b/python/ql/src/semmle/python/dataflow/new/internal/TypeTracker.qll
@@ -23,15 +23,57 @@ class OptionalContentName extends string {
   OptionalContentName() { this instanceof ContentName or this = "" }
 }
 
-/**
- * A description of a step on an inter-procedural data flow path.
- */
-private newtype TStepSummary =
-  LevelStep() or
-  CallStep() or
-  ReturnStep() or
-  StoreStep(ContentName content) or
-  LoadStep(ContentName content)
+cached
+private module Cached {
+  /**
+   * A description of a step on an inter-procedural data flow path.
+   */
+  cached
+  newtype TStepSummary =
+    LevelStep() or
+    CallStep() or
+    ReturnStep() or
+    StoreStep(ContentName content) or
+    LoadStep(ContentName content)
+
+  /** Gets the summary resulting from appending `step` to type-tracking summary `tt`. */
+  cached
+  TypeTracker append(TypeTracker tt, StepSummary step) {
+    exists(Boolean hasCall, OptionalContentName content | tt = MkTypeTracker(hasCall, content) |
+      step = LevelStep() and result = tt
+      or
+      step = CallStep() and result = MkTypeTracker(true, content)
+      or
+      step = ReturnStep() and hasCall = false and result = tt
+      or
+      step = LoadStep(content) and result = MkTypeTracker(hasCall, "")
+      or
+      exists(string p | step = StoreStep(p) and content = "" and result = MkTypeTracker(hasCall, p))
+    )
+  }
+
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * heap and/or intra-procedural step from `nodeFrom` to `nodeTo`.
+   *
+   * Steps contained in this predicate should _not_ depend on the call graph.
+   */
+  cached
+  predicate stepNoCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    exists(Node mid | nodeFrom.flowsTo(mid) and smallstepNoCall(mid, nodeTo, summary))
+  }
+
+  /**
+   * Gets the summary that corresponds to having taken a forwards
+   * inter-procedural step from `nodeFrom` to `nodeTo`.
+   */
+  cached
+  predicate stepCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+    exists(Node mid | nodeFrom.flowsTo(mid) and smallstepCall(mid, nodeTo, summary))
+  }
+}
+
+private import Cached
 
 /**
  * INTERNAL: Use `TypeTracker` or `TypeBackTracker` instead.
@@ -53,28 +95,29 @@ class StepSummary extends TStepSummary {
   }
 }
 
+pragma[noinline]
+private predicate smallstepNoCall(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+  jumpStep(nodeFrom, nodeTo) and
+  summary = LevelStep()
+  or
+  exists(string content |
+    StepSummary::localSourceStoreStep(nodeFrom, nodeTo, content) and
+    summary = StoreStep(content)
+    or
+    basicLoadStep(nodeFrom, nodeTo, content) and summary = LoadStep(content)
+  )
+}
+
+pragma[noinline]
+private predicate smallstepCall(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
+  callStep(nodeFrom, nodeTo) and summary = CallStep()
+  or
+  returnStep(nodeFrom, nodeTo) and
+  summary = ReturnStep()
+}
+
 /** Provides predicates for updating step summaries (`StepSummary`s). */
 module StepSummary {
-  /**
-   * Gets the summary that corresponds to having taken a forwards
-   * heap and/or intra-procedural step from `nodeFrom` to `nodeTo`.
-   *
-   * Steps contained in this predicate should _not_ depend on the call graph.
-   */
-  cached
-  private predicate stepNoCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
-    exists(Node mid | nodeFrom.flowsTo(mid) and smallstepNoCall(mid, nodeTo, summary))
-  }
-
-  /**
-   * Gets the summary that corresponds to having taken a forwards
-   * inter-procedural step from `nodeFrom` to `nodeTo`.
-   */
-  cached
-  private predicate stepCall(LocalSourceNode nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
-    exists(Node mid | nodeFrom.flowsTo(mid) and smallstepCall(mid, nodeTo, summary))
-  }
-
   /**
    * Gets the summary that corresponds to having taken a forwards
    * heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
@@ -92,27 +135,6 @@ module StepSummary {
     stepCall(nodeFrom, nodeTo, summary)
   }
 
-  pragma[noinline]
-  private predicate smallstepNoCall(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
-    jumpStep(nodeFrom, nodeTo) and
-    summary = LevelStep()
-    or
-    exists(string content |
-      localSourceStoreStep(nodeFrom, nodeTo, content) and
-      summary = StoreStep(content)
-      or
-      basicLoadStep(nodeFrom, nodeTo, content) and summary = LoadStep(content)
-    )
-  }
-
-  pragma[noinline]
-  private predicate smallstepCall(Node nodeFrom, LocalSourceNode nodeTo, StepSummary summary) {
-    callStep(nodeFrom, nodeTo) and summary = CallStep()
-    or
-    returnStep(nodeFrom, nodeTo) and
-    summary = ReturnStep()
-  }
-
   /**
    * Gets the summary that corresponds to having taken a forwards
    * local, heap and/or inter-procedural step from `nodeFrom` to `nodeTo`.
@@ -193,18 +215,7 @@ class TypeTracker extends TTypeTracker {
   TypeTracker() { this = MkTypeTracker(hasCall, content) }
 
   /** Gets the summary resulting from appending `step` to this type-tracking summary. */
-  cached
-  TypeTracker append(StepSummary step) {
-    step = LevelStep() and result = this
-    or
-    step = CallStep() and result = MkTypeTracker(true, content)
-    or
-    step = ReturnStep() and hasCall = false and result = this
-    or
-    step = LoadStep(content) and result = MkTypeTracker(hasCall, "")
-    or
-    exists(string p | step = StoreStep(p) and content = "" and result = MkTypeTracker(hasCall, p))
-  }
+  TypeTracker append(StepSummary step) { result = append(this, step) }
 
   /** Gets a textual representation of this summary. */
   string toString() {
diff --git a/python/ql/src/semmle/python/frameworks/Aioch.qll b/python/ql/src/semmle/python/frameworks/Aioch.qll
new file mode 100644
index 00000000000..ede732e35dc
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/Aioch.qll
@@ -0,0 +1,52 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `aioch` PyPI package (an
+ * async-io version of the `clickhouse-driver` PyPI package).
+ *
+ * See https://pypi.org/project/aioch/
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+private import semmle.python.frameworks.ClickhouseDriver
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for `aioch` PyPI package (an async-io version of the
+ * `clickhouse-driver` PyPI package).
+ *
+ * See https://pypi.org/project/aioch/
+ */
+module Aioch {
+  /** Provides models for `aioch.Client` class and subclasses. */
+  module Client {
+    /** Gets a reference to the `aioch.Client` class or any subclass. */
+    API::Node subclassRef() {
+      result = API::moduleImport("aioch").getMember("Client").getASubclass*()
+    }
+
+    /** Gets a reference to an instance of `clickhouse_driver.Client` or any subclass. */
+    API::Node instance() { result = subclassRef().getReturn() }
+  }
+
+  /**
+   * A call to any of the the execute methods on a `aioch.Client`, which are just async
+   * versions of the methods in the `clickhouse-driver` PyPI package.
+   *
+   * See
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_iter
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_with_progress
+   */
+  class ClientExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+    ClientExecuteCall() {
+      exists(string methodName | methodName = ClickhouseDriver::getExecuteMethodName() |
+        this = Client::instance().getMember(methodName).getACall()
+      )
+    }
+
+    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
+  }
+}
diff --git a/python/ql/src/semmle/python/frameworks/ClickhouseDriver.qll b/python/ql/src/semmle/python/frameworks/ClickhouseDriver.qll
new file mode 100644
index 00000000000..8863b1dbe66
--- /dev/null
+++ b/python/ql/src/semmle/python/frameworks/ClickhouseDriver.qll
@@ -0,0 +1,65 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `clickhouse-driver` PyPI package.
+ * See
+ * - https://pypi.org/project/clickhouse-driver/
+ * - https://clickhouse-driver.readthedocs.io/en/latest/
+ */
+
+private import python
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.frameworks.PEP249
+
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides models for `clickhouse-driver` PyPI package (imported as `clickhouse_driver`).
+ * See
+ * - https://pypi.org/project/clickhouse-driver/
+ * - https://clickhouse-driver.readthedocs.io/en/latest/
+ */
+module ClickhouseDriver {
+  /**
+   * `clickhouse_driver` implements PEP249,
+   * providing ways to execute SQL statements against a database.
+   */
+  class ClickHouseDriverPEP249 extends PEP249ModuleApiNode {
+    ClickHouseDriverPEP249() { this = API::moduleImport("clickhouse_driver") }
+  }
+
+  /** Provides models for `clickhouse_driver.Client` class and subclasses. */
+  module Client {
+    /** Gets a reference to the `clickhouse_driver.Client` class or any subclass. */
+    API::Node subclassRef() {
+      exists(API::Node classRef |
+        // canonical definition
+        classRef = API::moduleImport("clickhouse_driver").getMember("client").getMember("Client")
+        or
+        // commonly used alias
+        classRef = API::moduleImport("clickhouse_driver").getMember("Client")
+      |
+        result = classRef.getASubclass*()
+      )
+    }
+
+    /** Gets a reference to an instance of `clickhouse_driver.Client` or any subclass. */
+    API::Node instance() { result = subclassRef().getReturn() }
+  }
+
+  /** `clickhouse_driver.Client` execute method names */
+  string getExecuteMethodName() { result in ["execute_with_progress", "execute", "execute_iter"] }
+
+  /**
+   * A call to any of the the execute methods on a `clickhouse_driver.Client` method
+   *
+   * See
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_iter
+   * - https://clickhouse-driver.readthedocs.io/en/latest/api.html#clickhouse_driver.Client.execute_with_progress
+   */
+  class ClientExecuteCall extends SqlExecution::Range, DataFlow::CallCfgNode {
+    ClientExecuteCall() { this = Client::instance().getMember(getExecuteMethodName()).getACall() }
+
+    override DataFlow::Node getSql() { result in [this.getArg(0), this.getArgByName("query")] }
+  }
+}
diff --git a/python/ql/test/TestUtilities/InlineExpectationsTest.qll b/python/ql/test/TestUtilities/InlineExpectationsTest.qll
index e086b810478..d351bac89a8 100644
--- a/python/ql/test/TestUtilities/InlineExpectationsTest.qll
+++ b/python/ql/test/TestUtilities/InlineExpectationsTest.qll
@@ -181,14 +181,14 @@ private int getEndOfColumnPosition(int start, string content) {
     min(string name, int cand |
       exists(TNamedColumn(name)) and
       cand = content.indexOf(name + ":") and
-      cand > start
+      cand >= start
     |
       cand
     )
   or
   not exists(string name |
     exists(TNamedColumn(name)) and
-    content.indexOf(name + ":") > start
+    content.indexOf(name + ":") >= start
   ) and
   result = content.length()
 }
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/async_test.py b/python/ql/test/experimental/dataflow/ApiGraphs/async_test.py
new file mode 100644
index 00000000000..85b14c86644
--- /dev/null
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/async_test.py
@@ -0,0 +1,17 @@
+import pkg # $ use=moduleImport("pkg")
+
+async def foo():
+    coro = pkg.async_func() # $ use=moduleImport("pkg").getMember("async_func").getReturn()
+    coro # $ use=moduleImport("pkg").getMember("async_func").getReturn()
+    result = await coro # $ use=moduleImport("pkg").getMember("async_func").getReturn().getAwaited()
+    result # $ use=moduleImport("pkg").getMember("async_func").getReturn().getAwaited()
+    return result # $ use=moduleImport("pkg").getMember("async_func").getReturn().getAwaited()
+
+async def bar():
+    result = await pkg.async_func() # $ use=moduleImport("pkg").getMember("async_func").getReturn().getAwaited()
+    return result # $ use=moduleImport("pkg").getMember("async_func").getReturn().getAwaited()
+
+def check_annotations():
+    # Just to make sure how annotations should look like :)
+    result = pkg.sync_func() # $ use=moduleImport("pkg").getMember("sync_func").getReturn()
+    return result # $ use=moduleImport("pkg").getMember("sync_func").getReturn()
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/options b/python/ql/test/experimental/dataflow/ApiGraphs/options
index 1099600818b..89369a90996 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/options
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/options
@@ -1 +1 @@
-semmle-extractor-options: --lang=3
\ No newline at end of file
+semmle-extractor-options: --lang=3 --max-import-depth=1
diff --git a/python/ql/test/experimental/dataflow/ApiGraphs/use.ql b/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
index 2bcc05d443b..4e56fc3ff44 100644
--- a/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
+++ b/python/ql/test/experimental/dataflow/ApiGraphs/use.ql
@@ -13,7 +13,8 @@ class ApiUseTest extends InlineExpectationsTest {
     l = n.getLocation() and
     // Module variable nodes have no suitable location, so it's best to simply exclude them entirely
     // from the inline tests.
-    not n instanceof DataFlow::ModuleVariableNode
+    not n instanceof DataFlow::ModuleVariableNode and
+    exists(l.getFile().getRelativePath())
   }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
diff --git a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.expected b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.expected
deleted file mode 100644
index 52aa30cb8c1..00000000000
--- a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.expected
+++ /dev/null
@@ -1,5 +0,0 @@
-| ClickHouseDriver.py:15:22:15:106 | ControlFlowNode for Attribute() | ClickHouseDriver.py:15:52:15:105 | ControlFlowNode for BinaryExpr |
-| ClickHouseDriver.py:18:5:18:87 | ControlFlowNode for Attribute() | ClickHouseDriver.py:18:33:18:86 | ControlFlowNode for BinaryExpr |
-| ClickHouseDriver.py:22:5:22:62 | ControlFlowNode for Attribute() | ClickHouseDriver.py:22:33:22:37 | ControlFlowNode for query |
-| ClickHouseDriver.py:27:5:27:74 | ControlFlowNode for Attribute() | ClickHouseDriver.py:27:20:27:73 | ControlFlowNode for BinaryExpr |
-| ClickHouseDriver.py:30:5:30:89 | ControlFlowNode for Attribute() | ClickHouseDriver.py:30:35:30:88 | ControlFlowNode for BinaryExpr |
diff --git a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py
deleted file mode 100644
index 7684f3df795..00000000000
--- a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.py
+++ /dev/null
@@ -1,32 +0,0 @@
-from django.conf.urls import url
-from clickhouse_driver import Client
-from clickhouse_driver import connect
-from aioch import Client as aiochClient
-
-# Dummy Client subclass
-class MyClient(Client):
-    def dummy(self):
-        return None
-
-def show_user(request, username):
-
-    # BAD -- Untrusted user input is directly injected into the sql query using async library 'aioch'
-    aclient = aiochClient("localhost")
-    progress = await aclient.execute_with_progress("SELECT * FROM users WHERE username = '%s'" % username)
-
-    # BAD -- Untrusted user input is directly injected into the sql query using native client of library 'clickhouse_driver'
-    Client('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
-
-    # GOOD -- query uses prepared statements
-    query = "SELECT * FROM users WHERE username = %(username)s"
-    Client('localhost').execute(query, {"username": username})
-
-    # BAD -- Untrusted user input is directly injected into the sql query using PEP249 interface
-    conn = connect('clickhouse://localhost')
-    cursor = conn.cursor()
-    cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
-
-    # BAD -- Untrusted user input is directly injected into the sql query using MyClient, which is a subclass of Client
-    MyClient('localhost').execute("SELECT * FROM users WHERE username = '%s'" % username)
-
-urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]
diff --git a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql b/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql
deleted file mode 100644
index bedd47c0af6..00000000000
--- a/python/ql/test/experimental/semmle/python/frameworks/clickhouse-driver/ClickHouseDriver.ql
+++ /dev/null
@@ -1,6 +0,0 @@
-import python
-import experimental.semmle.python.frameworks.ClickHouseDriver
-import semmle.python.Concepts
-
-from SqlExecution s
-select s, s.getSql()
diff --git a/python/ql/test/library-tests/frameworks/aioch/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/aioch/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/aioch/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/aioch/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aioch/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/aioch/options b/python/ql/test/library-tests/frameworks/aioch/options
new file mode 100644
index 00000000000..cfef58cf2b2
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aioch/options
@@ -0,0 +1 @@
+semmle-extractor-options: --max-import-depth=1 --lang=3
diff --git a/python/ql/test/library-tests/frameworks/aioch/sql_test.py b/python/ql/test/library-tests/frameworks/aioch/sql_test.py
new file mode 100644
index 00000000000..de6b018b0d4
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/aioch/sql_test.py
@@ -0,0 +1,30 @@
+import aioch
+
+
+SQL = "SOME SQL"
+
+
+async def aioch_test():
+    client = aioch.Client("localhost")
+
+    await client.execute(SQL) # $ getSql=SQL
+    await client.execute(query=SQL) # $ getSql=SQL
+
+    await client.execute_with_progress(SQL) # $ getSql=SQL
+    await client.execute_with_progress(query=SQL) # $ getSql=SQL
+
+    await client.execute_iter(SQL) # $ getSql=SQL
+    await client.execute_iter(query=SQL) # $ getSql=SQL
+
+
+# Using custom client (this has been seen done for the blocking version in
+# `clickhouse_driver` PyPI package)
+
+
+class MyClient(aioch.Client):
+    pass
+
+
+async def test_custom_client():
+    client = MyClient("localhost")
+    await client.execute(SQL) # $ getSql=SQL
diff --git a/python/ql/test/library-tests/frameworks/clickhouse_driver/ConceptsTest.expected b/python/ql/test/library-tests/frameworks/clickhouse_driver/ConceptsTest.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/python/ql/test/library-tests/frameworks/clickhouse_driver/ConceptsTest.ql b/python/ql/test/library-tests/frameworks/clickhouse_driver/ConceptsTest.ql
new file mode 100644
index 00000000000..b557a0bccb6
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/clickhouse_driver/ConceptsTest.ql
@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest
diff --git a/python/ql/test/library-tests/frameworks/clickhouse_driver/sql_test.py b/python/ql/test/library-tests/frameworks/clickhouse_driver/sql_test.py
new file mode 100644
index 00000000000..36d4966c186
--- /dev/null
+++ b/python/ql/test/library-tests/frameworks/clickhouse_driver/sql_test.py
@@ -0,0 +1,42 @@
+import clickhouse_driver
+
+
+SQL = "SOME SQL"
+
+
+# Normal operation
+client = clickhouse_driver.client.Client("localhost")
+
+client.execute(SQL) # $ getSql=SQL
+client.execute(query=SQL) # $ getSql=SQL
+
+client.execute_with_progress(SQL) # $ getSql=SQL
+client.execute_with_progress(query=SQL) # $ getSql=SQL
+
+client.execute_iter(SQL) # $ getSql=SQL
+client.execute_iter(query=SQL) # $ getSql=SQL
+
+
+# commonly used alias
+client = clickhouse_driver.Client("localhost")
+client.execute(SQL) # $ getSql=SQL
+
+
+# Using PEP249 interface
+conn = clickhouse_driver.connect('clickhouse://localhost')
+cursor = conn.cursor()
+cursor.execute(SQL) # $ getSql=SQL
+
+
+# Using custom client
+#
+# examples from real world code
+# https://github.com/Altinity/clickhouse-mysql-data-reader/blob/3b1b7088751b05e5bbf45890c5949b58208c2343/clickhouse_mysql/dbclient/chclient.py#L10
+# https://github.com/Felixoid/clickhouse-plantuml/blob/d8b2ba7d164a836770ec21f5e4035dfb04c41d9c/clickhouse_plantuml/client.py#L9
+
+
+class MyClient(clickhouse_driver.Client):
+    pass
+
+
+MyClient("localhost").execute(SQL) # $ getSql=SQL