Merge branch 'main' into java/experimental/command-injection

2026-04-22 23:35:14 +02:00 · 2023-07-31 19:14:55 +01:00
parent c7084b6d8e df1e8e263b
commit 3bc7cf6ac7
402 changed files with 16556 additions and 4094 deletions
--- a/java/documentation/library-coverage/coverage.csv
+++ b/java/documentation/library-coverage/coverage.csv
@@ -55,7 +55,7 @@ jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
 jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,94,55
 java.awt,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3
 java.beans,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
-java.io,50,,45,,,22,,,,,,,,,,,,,,28,,,,,,,,,,,,,,,,,,,43,2
+java.io,50,,46,,,22,,,,,,,,,,,,,,28,,,,,,,,,,,,,,,,,,,44,2
 java.lang,31,,93,,13,,,,,,,,,,,,8,,,5,,,4,,,1,,,,,,,,,,,,,57,36
 java.net,13,3,23,,,,,,,,,,,,,,,,,,,,,,,,,,13,,,,,,,,,3,23,
 java.nio,53,,36,,,5,,,,,,,,,,,,,,47,,,,,,,,,1,,,,,,,,,,36,
--- a/java/documentation/library-coverage/coverage.rst
+++ b/java/documentation/library-coverage/coverage.rst
@@ -18,10 +18,10 @@ Java framework & library support
   `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,730,41,7,,,,,
   JBoss Logging,``org.jboss.logging``,,,324,,,,,,
   `JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
-   Java Standard Library,``java.*``,3,688,205,80,,9,,,18
+   Java Standard Library,``java.*``,3,689,205,80,,9,,,18
   Java extensions,"``javax.*``, ``jakarta.*``",63,672,34,2,4,,1,1,2
   Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
   `Spring <https://spring.io/>`_,``org.springframework.*``,29,483,115,4,,28,14,,35
   Others,"``antlr``, ``cn.hutool.core.codec``, ``com.alibaba.druid.sql``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2.ognl``, ``com.rabbitmq.client``, ``com.thoughtworks.xstream``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.log4j``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.influxdb``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.kohsuke.stapler``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``",126,5237,577,89,6,18,18,,200
-   Totals,,283,13606,2067,290,16,122,33,1,391
+   Totals,,283,13607,2067,290,16,122,33,1,391

--- a/java/kotlin-extractor/src/main/kotlin/utils/Logger.kt
+++ b/java/kotlin-extractor/src/main/kotlin/utils/Logger.kt
@@ -46,12 +46,22 @@ class LogMessage(private val kind: String, private val message: String) {
    private fun escape(str: String): String {
        return str.replace("\\", "\\\\")
                  .replace("\"", "\\\"")
-                  .replace("/", "\\/")
-                  .replace("\b", "\\b")
+                  .replace("\u0000", "\\u0000")
+                  .replace("\u0001", "\\u0001")
+                  .replace("\u0002", "\\u0002")
+                  .replace("\u0003", "\\u0003")
+                  .replace("\u0004", "\\u0004")
+                  .replace("\u0005", "\\u0005")
+                  .replace("\u0006", "\\u0006")
+                  .replace("\u0007", "\\u0007")
+                  .replace("\u0008", "\\b")
+                  .replace("\u0009", "\\t")
+                  .replace("\u000A", "\\n")
+                  .replace("\u000B", "\\u000B")
                  .replace("\u000C", "\\f")
-                  .replace("\n", "\\n")
-                  .replace("\r", "\\r")
-                  .replace("\t", "\\t")
+                  .replace("\u000D", "\\r")
+                  .replace("\u000E", "\\u000E")
+                  .replace("\u000F", "\\u000F")
    }

    fun toJsonLine(): String {
--- a/java/ql/consistency-queries/diags.ql
+++ b/java/ql/consistency-queries/diags.ql
@@ -28,7 +28,8 @@ string diagnosticMessage(Diagnostic d) {
 // something is fixed.
 query predicate unusedDiagnosticException(DiagnosticException de) { not exists(de.getException()) }

-query predicate unexpectedDiagnostic(Diagnostic d, string s) {
+query predicate unexpectedDiagnostic(Compilation c, int f, int i, Diagnostic d, string s) {
+  d.getCompilationInfo(c, f, i) and
  s = diagnosticMessage(d) and
  not d = any(DiagnosticException de).getException()
 }
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,32 @@
+## 0.7.1
+
+### New Features
+
+* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. 
+  Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+* A `Class.isFileClass()` predicate, to identify Kotlin file classes, has been added.
+
+### Minor Analysis Improvements
+
+* Data flow configurations can now include a predicate `neverSkip(Node node)`
+  in order to ensure inclusion of certain nodes in the path explanations. The
+  predicate defaults to the end-points of the additional flow steps provided in
+  the configuration, which means that such steps now always are visible by
+  default in path explanations.
+* Added models for Apache Commons Lang3 `ToStringBuilder.reflectionToString` method.
+* Added support for the Kotlin method `apply`.
+* Added models for the following packages:
+
+  * java.io
+  * java.lang
+  * java.net
+  * java.nio.channels
+  * java.nio.file
+  * java.util.zip
+  * okhttp3
+  * org.gradle.api.file
+  * retrofit2
+
 ## 0.7.0

 ### Deprecated APIs
--- a/java/ql/lib/change-notes/2023-06-08-new-models.md
+++ b/java/ql/lib/change-notes/2023-06-08-new-models.md
@@ -1,14 +0,0 @@
---
-category: minorAnalysis
---
-* Added models for the following packages:
-
-  * java.io
-  * java.lang
-  * java.net
-  * java.nio.channels
-  * java.nio.file
-  * java.util.zip
-  * okhttp3
-  * org.gradle.api.file
-  * retrofit2
--- a/java/ql/lib/change-notes/2023-07-10-kotlin-apply.md
+++ b/java/ql/lib/change-notes/2023-07-10-kotlin-apply.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added support for the Kotlin method `apply`.
--- a/java/ql/lib/change-notes/2023-07-11-file-classes.md
+++ b/java/ql/lib/change-notes/2023-07-11-file-classes.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* A `Class.isFileClass()` predicate, to identify Kotlin file classes, has been added.
--- a/java/ql/lib/change-notes/2023-07-12-add-models-for-struts2-framework.md
+++ b/java/ql/lib/change-notes/2023-07-12-add-models-for-struts2-framework.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added models for the Struts 2 framework.
+
--- a/java/ql/lib/change-notes/2023-07-12-apache-commons-lang3-tostringbuilder.md
+++ b/java/ql/lib/change-notes/2023-07-12-apache-commons-lang3-tostringbuilder.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added models for Apache Commons Lang3 `ToStringBuilder.reflectionToString` method.
--- a/java/ql/lib/change-notes/2023-07-12-default-stateconfigsig-predicates.md
+++ b/java/ql/lib/change-notes/2023-07-12-default-stateconfigsig-predicates.md
@@ -1,6 +0,0 @@
---
-category: feature
---
-* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. 
-  Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
-  
--- a/java/ql/lib/change-notes/2023-07-12-improve-sources-for-the-struts2-framework.md
+++ b/java/ql/lib/change-notes/2023-07-12-improve-sources-for-the-struts2-framework.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.
+
--- a/java/ql/lib/change-notes/2023-07-14-getCompilationInfo.md
+++ b/java/ql/lib/change-notes/2023-07-14-getCompilationInfo.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A `Diagnostic.getCompilationInfo()` predicate has been added.
--- a/java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md
+++ b/java/ql/lib/change-notes/2023-07-19-inputstream-dispatch.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Improved the precision of virtual dispatch of `java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of `InputStream` if there is a high-confidence alternative (like a models-as-data summary).
+  
--- a/java/ql/lib/change-notes/2023-07-19-inputstream-wrapper-steps.md
+++ b/java/ql/lib/change-notes/2023-07-19-inputstream-wrapper-steps.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow steps for `java.io.InputStream`s that wrap other `java.io.InputStream`s.
--- a/java/ql/lib/change-notes/released/0.7.1.md
+++ b/java/ql/lib/change-notes/released/0.7.1.md
@@ -0,0 +1,28 @@
+## 0.7.1
+
+### New Features
+
+* The `DataFlow::StateConfigSig` signature module has gained default implementations for `isBarrier/2` and `isAdditionalFlowStep/4`. 
+  Hence it is no longer needed to provide `none()` implementations of these predicates if they are not needed.
+* A `Class.isFileClass()` predicate, to identify Kotlin file classes, has been added.
+
+### Minor Analysis Improvements
+
+* Data flow configurations can now include a predicate `neverSkip(Node node)`
+  in order to ensure inclusion of certain nodes in the path explanations. The
+  predicate defaults to the end-points of the additional flow steps provided in
+  the configuration, which means that such steps now always are visible by
+  default in path explanations.
+* Added models for Apache Commons Lang3 `ToStringBuilder.reflectionToString` method.
+* Added support for the Kotlin method `apply`.
+* Added models for the following packages:
+
+  * java.io
+  * java.lang
+  * java.net
+  * java.nio.channels
+  * java.nio.file
+  * java.util.zip
+  * okhttp3
+  * org.gradle.api.file
+  * retrofit2
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.0
+lastReleaseVersion: 0.7.1
--- a/java/ql/lib/ext/generated/struts2.model.yml
+++ b/java/ql/lib/ext/generated/struts2.model.yml
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -84,6 +84,7 @@ extensions:
      - ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "FilterOutputStream", True, "FilterOutputStream", "(OutputStream)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.io", "InputStream", True, "read", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "InputStream", True, "read", "(byte[])", "", "Argument[this]", "Argument[0]", "taint", "manual"]
      - ["java.io", "InputStream", True, "read", "(byte[],int,int)", "", "Argument[this]", "Argument[0]", "taint", "manual"]
      - ["java.io", "InputStream", True, "readAllBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
--- a/java/ql/lib/ext/struts2.model.yml
+++ b/java/ql/lib/ext/struts2.model.yml
@@ -0,0 +1,80 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "setValue", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "getValue", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "setParameter", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "trySetValue", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "getValueUsingOgnl", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "tryFindValue", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "findValue", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "findString", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlValueStack", False, "tryFindValueWhenExpressionIsNotNull", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlReflectionProvider", False, "getValue", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlReflectionProvider", False, "setValue", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlReflectionProvider", False, "setProperty", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlReflectionProvider", False, "setProperties", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlUtil", true, "setProperties", "(Map,Object)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlUtil", true, "setProperties", "(Map,Object,Map)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlUtil", true, "setProperties", "(Map,Object,Map,boolean)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlUtil", true, "setProperties", "(Map,Object,boolean)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlUtil", true, "setProperty", "(String,Object,Object,Map)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.ognl", "OgnlUtil", true, "setProperty", "(String,Object,Object,Map,boolean)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "LocalizedTextUtil", False, "findText", "", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "LocalizedTextUtil", False, "findText", "", "", "Argument[3]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "OgnlTextParser", False, "evaluate", "", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(String,ValueStack)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(String,ValueStack,ParsedValueEvaluator)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(char,String,ValueStack)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(char,String,ValueStack,Class)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(char,String,ValueStack,Class,ParsedValueEvaluator)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(char,String,ValueStack,Class,ParsedValueEvaluator,int)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(char[],String,ValueStack,Class,ParsedValueEvaluator)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariables", "(char[],String,ValueStack,Class,ParsedValueEvaluator,int)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariablesCollection", "(String,ValueStack,boolean,ParsedValueEvaluator)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariablesCollection", "(char[],String,ValueStack,boolean,ParsedValueEvaluator,int)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "ActionSupport", true, "getFormatted", "(String,String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "ActionSupport", true, "getFormatted", "(String,String)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,List)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,List)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List)", "", "Argument[2]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List)", "", "Argument[this]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List,ValueStack)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List,ValueStack)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List,ValueStack)", "", "Argument[2]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,List,ValueStack)", "", "Argument[this]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String)", "", "Argument[2]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[])", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[])", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[])", "", "Argument[2]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[])", "", "Argument[this]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[],ValueStack)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[],ValueStack)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[],ValueStack)", "", "Argument[2]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String,String[],ValueStack)", "", "Argument[this]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String[])", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String[])", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "hasKey", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2", "TextProvider", true, "hasKey", "(String)", "", "Argument[this]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "findString", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "findValue", "(String,String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "isTrue", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "makeSelectList", "(String,String,String,String)", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "makeSelectList", "(String,String,String,String)", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "makeSelectList", "(String,String,String,String)", "", "Argument[2]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", true, "makeSelectList", "(String,String,String,String)", "", "Argument[3]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.util", "StrutsUtil", True, "translateVariables", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.views.jsp", "StrutsBodyTagSupport", False, "findPattern", "", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["org.apache.struts2.views.jsp", "StrutsBodyTagSupport", False, "findString", "", "", "Argument[1]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.validator.validators", "ValidatorSupport", False, "parse", "", "", "Argument[0]", "ognl-injection", "manual"]
+      - ["com.opensymphony.xwork2.validator.validators", "ValidatorSupport", False, "getFieldValue", "", "", "Argument[0]", "ognl-injection", "manual"]
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.7.1-dev
+version: 0.7.2-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/lib/semmle/code/java/Diagnostics.qll
+++ b/java/ql/lib/semmle/code/java/Diagnostics.qll
@@ -9,6 +9,11 @@ class Diagnostic extends @diagnostic {
  /** Gets the compilation that generated this diagnostic. */
  Compilation getCompilation() { diagnostic_for(this, result, _, _) }

+  /** Gets the compilation information for this diagnostic. */
+  predicate getCompilationInfo(Compilation c, int fileNumber, int diagnosticNumber) {
+    diagnostic_for(this, c, fileNumber, diagnosticNumber)
+  }
+
  /**
   * Gets the program that generated this diagnostic.
   */
--- a/java/ql/lib/semmle/code/java/JDK.qll
+++ b/java/ql/lib/semmle/code/java/JDK.qll
@@ -177,6 +177,11 @@ class TypeObjectInputStream extends RefType {
  TypeObjectInputStream() { this.hasQualifiedName("java.io", "ObjectInputStream") }
 }

+/** The class `java.io.InputStream`. */
+class TypeInputStream extends RefType {
+  TypeInputStream() { this.hasQualifiedName("java.io", "InputStream") }
+}
+
 /** The class `java.nio.file.Paths`. */
 class TypePaths extends Class {
  TypePaths() { this.hasQualifiedName("java.nio.file", "Paths") }
--- a/java/ql/lib/semmle/code/java/Serializability.qll
+++ b/java/ql/lib/semmle/code/java/Serializability.qll
@@ -6,6 +6,7 @@ import java
 private import frameworks.jackson.JacksonSerializability
 private import frameworks.google.GsonSerializability
 private import frameworks.google.GoogleHttpClientApi
+private import frameworks.struts.Struts2Serializability

 /**
 * A serializable field may be read without code referencing it,
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -143,11 +143,10 @@ private class GuiceRequestParameterSource extends RemoteFlowSource {
  override string getSourceType() { result = "Guice request parameter" }
 }

-private class Struts2ActionSupportClassFieldReadSource extends RemoteFlowSource {
-  Struts2ActionSupportClassFieldReadSource() {
-    exists(Struts2ActionSupportClass c |
-      c.getASetterMethod().getField() = this.asExpr().(FieldRead).getField()
-    )
+private class Struts2ActionSupportClassFieldSource extends RemoteFlowSource {
+  Struts2ActionSupportClassFieldSource() {
+    this.(DataFlow::FieldValueNode).getField() =
+      any(Struts2ActionSupportClass c).getASetterMethod().getField()
  }

  override string getSourceType() { result = "Struts2 ActionSupport field" }
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
@@ -20,11 +20,11 @@ private module Frameworks {
  private import semmle.code.java.frameworks.Guice
  private import semmle.code.java.frameworks.IoJsonWebToken
  private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.InputStream
  private import semmle.code.java.frameworks.Properties
  private import semmle.code.java.frameworks.Protobuf
  private import semmle.code.java.frameworks.ratpack.RatpackExec
  private import semmle.code.java.frameworks.stapler.Stapler
-  private import semmle.code.java.JDK
 }

 /**
--- a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
@@ -757,7 +757,7 @@ private predicate baseBound(Expr e, int b, boolean upper) {
  or
  exists(Method read |
    e.(MethodAccess).getMethod().overrides*(read) and
-    read.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
+    read.getDeclaringType() instanceof TypeInputStream and
    read.hasName("read") and
    read.getNumberOfParameters() = 0
  |
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlow.qll
@@ -46,6 +46,14 @@ signature module ConfigSig {
   */
  default predicate allowImplicitRead(Node node, ContentSet c) { none() }

+  /**
+   * Holds if `node` should never be skipped over in the `PathGraph` and in path
+   * explanations.
+   */
+  default predicate neverSkip(Node node) {
+    isAdditionalFlowStep(node, _) or isAdditionalFlowStep(_, node)
+  }
+
  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
   * This can be overridden to a smaller value to improve performance (a
@@ -141,6 +149,17 @@ signature module StateConfigSig {
   */
  default predicate allowImplicitRead(Node node, ContentSet c) { none() }

+  /**
+   * Holds if `node` should never be skipped over in the `PathGraph` and in path
+   * explanations.
+   */
+  default predicate neverSkip(Node node) {
+    isAdditionalFlowStep(node, _) or
+    isAdditionalFlowStep(_, node) or
+    isAdditionalFlowStep(node, _, _, _) or
+    isAdditionalFlowStep(_, _, node, _)
+  }
+
  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
   * This can be overridden to a smaller value to improve performance (a
@@ -410,5 +429,22 @@ module MergePathGraph3<
  /**
   * Provides the query predicates needed to include a graph in a path-problem query.
   */
-  module PathGraph = Merged::PathGraph;
+  module PathGraph implements PathGraphSig<PathNode> {
+    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+    query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
+
+    /** Holds if `n` is a node in the graph of data flow path explanations. */
+    query predicate nodes(PathNode n, string key, string val) {
+      Merged::PathGraph::nodes(n, key, val)
+    }
+
+    /**
+     * Holds if `(arg, par, ret, out)` forms a subpath-tuple, that is, flow through
+     * a subpath between `par` and `ret` with the connecting edges `arg -> par` and
+     * `ret -> out` is summarized as the edge `arg -> out`.
+     */
+    query predicate subpaths(PathNode arg, PathNode par, PathNode ret, PathNode out) {
+      Merged::PathGraph::subpaths(arg, par, ret, out)
+    }
+  }
 }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -66,6 +66,12 @@ signature module FullStateConfigSig {
   */
  predicate allowImplicitRead(Node node, ContentSet c);

+  /**
+   * Holds if `node` should never be skipped over in the `PathGraph` and in path
+   * explanations.
+   */
+  predicate neverSkip(Node node);
+
  /**
   * Gets the virtual dispatch branching limit when calculating field flow.
   * This can be overridden to a smaller value to improve performance (a
@@ -2024,7 +2030,8 @@ module Impl<FullStateConfigSig Config> {
        castNode(this.asNode()) or
        clearsContentCached(this.asNode(), _) or
        expectsContentCached(this.asNode(), _) or
-        neverSkipInPathGraph(this.asNode())
+        neverSkipInPathGraph(this.asNode()) or
+        Config::neverSkip(this.asNode())
      }
    }

--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll
@@ -313,6 +313,8 @@ private module Config implements FullStateConfigSig {
    any(Configuration config).allowImplicitRead(node, c)
  }

+  predicate neverSkip(Node node) { none() }
+
  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -313,6 +313,8 @@ private module Config implements FullStateConfigSig {
    any(Configuration config).allowImplicitRead(node, c)
  }

+  predicate neverSkip(Node node) { none() }
+
  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -313,6 +313,8 @@ private module Config implements FullStateConfigSig {
    any(Configuration config).allowImplicitRead(node, c)
  }

+  predicate neverSkip(Node node) { none() }
+
  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -313,6 +313,8 @@ private module Config implements FullStateConfigSig {
    any(Configuration config).allowImplicitRead(node, c)
  }

+  predicate neverSkip(Node node) { none() }
+
  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -313,6 +313,8 @@ private module Config implements FullStateConfigSig {
    any(Configuration config).allowImplicitRead(node, c)
  }

+  predicate neverSkip(Node node) { none() }
+
  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -313,6 +313,8 @@ private module Config implements FullStateConfigSig {
    any(Configuration config).allowImplicitRead(node, c)
  }

+  predicate neverSkip(Node node) { none() }
+
  int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }

  FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -33,17 +33,17 @@ OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) {
 }

 /**
- * Holds if data can flow from `node1` to `node2` through a static field.
+ * Holds if data can flow from `node1` to `node2` through a field.
 */
-private predicate staticFieldStep(Node node1, Node node2) {
+private predicate fieldStep(Node node1, Node node2) {
  exists(Field f |
+    // Taint fields through assigned values only if they're static
    f.isStatic() and
    f.getAnAssignedValue() = node1.asExpr() and
    node2.(FieldValueNode).getField() = f
  )
  or
  exists(Field f, FieldRead fr |
-    f.isStatic() and
    node1.(FieldValueNode).getField() = f and
    fr.getField() = f and
    fr = node2.asExpr() and
@@ -72,11 +72,11 @@ private predicate variableCaptureStep(Node node1, ExprNode node2) {
 }

 /**
- * Holds if data can flow from `node1` to `node2` through a static field or
+ * Holds if data can flow from `node1` to `node2` through a field or
 * variable capture.
 */
 predicate jumpStep(Node node1, Node node2) {
-  staticFieldStep(node1, node2)
+  fieldStep(node1, node2)
  or
  variableCaptureStep(node1, node2)
  or
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -239,7 +239,7 @@ private class BulkData extends RefType {
    this.(Array).getElementType().(PrimitiveType).hasName(["byte", "char"])
    or
    exists(RefType t | this.getASourceSupertype*() = t |
-      t.hasQualifiedName("java.io", "InputStream") or
+      t instanceof TypeInputStream or
      t.hasQualifiedName("java.nio", "ByteBuffer") or
      t.hasQualifiedName("java.lang", "Readable") or
      t.hasQualifiedName("java.io", "DataInput") or
@@ -259,7 +259,7 @@ private class BulkData extends RefType {
 private predicate inputStreamWrapper(Constructor c, int argi) {
  not c.fromSource() and
  c.getParameterType(argi) instanceof BulkData and
-  c.getDeclaringType().getASourceSupertype+().hasQualifiedName("java.io", "InputStream")
+  c.getDeclaringType().getASourceSupertype+() instanceof TypeInputStream
 }

 /** An object construction that preserves the data flow status of any of its arguments. */
--- a/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
+++ b/java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll
@@ -102,6 +102,8 @@ private module Dispatch {
    or
    t instanceof Interface and not t.fromSource()
    or
+    t instanceof TypeInputStream
+    or
    t.hasQualifiedName("java.io", "Serializable")
    or
    t.hasQualifiedName("java.lang", "Iterable")
--- a/java/ql/lib/semmle/code/java/frameworks/InputStream.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/InputStream.qll
@@ -0,0 +1,90 @@
+/** Provides definitions related to `java.io.InputStream`. */
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.SSA
+private import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A jump taint step from an update of the `bytes[]` parameter in an override of the `InputStream.read` method
+ * to a class instance expression of the type extending `InputStream`.
+ *
+ * This models how a subtype of `InputStream` could be tainted by the definition of its methods, which will
+ * normally only happen in nested classes.
+ */
+private class InputStreamWrapperCapturedJumpStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(InputStreamRead m, NestedClass wrapper |
+      m.getDeclaringType() = wrapper and
+      wrapper.getASourceSupertype+() instanceof TypeInputStream
+    |
+      n1.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() = m.getParameter(0).getAnAccess() and
+      n2.asExpr()
+          .(ClassInstanceExpr)
+          .getConstructedType()
+          .getASourceSupertype*()
+          .getSourceDeclaration() = wrapper
+    )
+  }
+}
+
+/**
+ * A local taint step from the definition of a captured variable, the capturer of which
+ * updates the `bytes[]` parameter in an override of the `InputStream.read` method,
+ * to a class instance expression of the type extending `InputStream`.
+ *
+ * This models how a subtype of `InputStream` could be tainted by capturing tainted variables in
+ * the definition of its methods.
+ */
+private class InputStreamWrapperCapturedLocalStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(InputStreamRead m, NestedClass wrapper, SsaVariable captured, SsaImplicitInit capturer |
+      wrapper.getASourceSupertype+() instanceof TypeInputStream and
+      m.getDeclaringType() = wrapper and
+      capturer.captures(captured) and
+      TaintTracking::localTaint(DataFlow::exprNode(capturer.getAFirstUse()),
+        any(DataFlow::PostUpdateNode pun |
+          pun.getPreUpdateNode().asExpr() = m.getParameter(0).getAnAccess()
+        )) and
+      n2.asExpr()
+          .(ClassInstanceExpr)
+          .getConstructedType()
+          .getASourceSupertype*()
+          .getSourceDeclaration() = wrapper
+    |
+      n1.asExpr() = captured.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource()
+      or
+      captured.(SsaImplicitInit).isParameterDefinition(n1.asParameter())
+    )
+  }
+}
+
+/**
+ * A taint step from an `InputStream` argument of the constructor of an `InputStream` subtype
+ * to the call of the constructor, only if the argument is assigned to a class field.
+ *
+ * This models how it's assumed that an `InputStream` wrapper is tainted by the wrapped stream,
+ * and is a workaround to low `fieldFlowBranchLimit`s in dataflow configurations.
+ */
+private class InputStreamWrapperConstructorStep extends AdditionalTaintStep {
+  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
+    exists(ClassInstanceExpr cc, Argument a, AssignExpr ae, int pos |
+      cc.getConstructedType().getASourceSupertype+() instanceof TypeInputStream and
+      cc.getArgument(pragma[only_bind_into](pos)) = a and
+      cc.getCallee().getParameter(pragma[only_bind_into](pos)).getAnAccess() = ae.getRhs() and
+      ae.getDest().(FieldWrite).getField().getType().(RefType).getASourceSupertype*() instanceof
+        TypeInputStream
+    |
+      n1.asExpr() = a and
+      n2.asExpr() = cc
+    )
+  }
+}
+
+private class InputStreamRead extends Method {
+  InputStreamRead() {
+    this.hasName("read") and
+    this.getDeclaringType().getASourceSupertype*() instanceof TypeInputStream
+  }
+}
--- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll
@@ -317,7 +317,7 @@ class SystemSetInputStreamMethod extends Method {
  SystemSetInputStreamMethod() {
    this.hasName("setIn") and
    this.getNumberOfParameters() = 1 and
-    this.getParameter(0).getType().(RefType).hasQualifiedName("java.io", "InputStream") and
+    this.getParameter(0).getType() instanceof TypeInputStream and
    this.getDeclaringType()
        .getAnAncestor()
        .getSourceDeclaration()
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll
@@ -237,7 +237,7 @@ class SpringRequestMappingParameter extends Parameter {

  private predicate isExplicitlyTaintedInput() {
    // InputStream or Reader parameters allow access to the body of a request
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("java.io", "InputStream") or
+    this.getType().(RefType).getAnAncestor() instanceof TypeInputStream or
    this.getType().(RefType).getAnAncestor().hasQualifiedName("java.io", "Reader") or
    // The SpringServletInputAnnotations allow access to the URI, request parameters, cookie values and the body of the request
    this.getAnAnnotation() instanceof SpringServletInputAnnotation or
--- a/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll
@@ -0,0 +1,52 @@
+/**
+ * Provides classes and predicates for working with objects bound from Http requests in the context of
+ * the Struts2 web framework.
+ */
+
+import java
+private import semmle.code.java.Serializability
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.frameworks.struts.StrutsActions
+
+/** A type whose values may be unmarshalled from an Http request by the Struts2 framework. */
+abstract class Struts2DeserializableType extends Type { }
+
+/** A type whose values are explicitly unmarshalled by from an Http request by the Struts2 framework. */
+private class ExplicitlyReadStruts2DeserializableType extends Struts2DeserializableType {
+  ExplicitlyReadStruts2DeserializableType() {
+    exists(Struts2ActionSupportClass c |
+      usesType(c.getASetterMethod().getField().getType(), this) and
+      not this instanceof TypeClass and
+      not this instanceof TypeObject
+    )
+  }
+}
+
+/** A type used in a `Struts2ActionField` declaration. */
+private class FieldReferencedStruts2DeserializableType extends Struts2DeserializableType {
+  FieldReferencedStruts2DeserializableType() {
+    exists(Struts2ActionField f | usesType(f.getType(), this))
+  }
+}
+
+/** A field that may be unmarshalled from an Http request using the Struts2 framework. */
+private class Struts2ActionField extends DeserializableField {
+  Struts2ActionField() {
+    exists(Struts2DeserializableType superType |
+      superType = this.getDeclaringType().getAnAncestor() and
+      not superType instanceof TypeObject and
+      superType.fromSource() and
+      (
+        this.isPublic()
+        or
+        exists(SetterMethod setter | setter.getField() = this and setter.isPublic())
+      )
+    )
+  }
+}
+
+/** A field that should convey the taint from its qualifier to itself. */
+private class Struts2ActionFieldInheritTaint extends DataFlow::FieldContent, TaintInheritingContent {
+  Struts2ActionFieldInheritTaint() { this.getField() instanceof Struts2ActionField }
+}
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.7.1
+
+### Minor Analysis Improvements
+
+* The query "Unsafe resource fetching in Android WebView" (`java/android/unsafe-android-webview-fetch`) now recognizes WebViews where `setJavascriptEnabled`, `setAllowFileAccess`, `setAllowUniversalAccessFromFileURLs`, and/or `setAllowFileAccessFromFileURLs` are set inside the function block of the Kotlin `apply` function.
+
 ## 0.7.0

 ### Minor Analysis Improvements
--- a/java/ql/src/Telemetry/AutomodelAlertSinkUtil.qll
+++ b/java/ql/src/Telemetry/AutomodelAlertSinkUtil.qll
@@ -0,0 +1,187 @@
+private import java
+private import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
+private import semmle.code.java.dataflow.internal.DataFlow
+private import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.RequestForgeryConfig
+private import semmle.code.java.security.CommandLineQuery
+private import semmle.code.java.security.SqlConcatenatedQuery
+private import semmle.code.java.security.SqlInjectionQuery
+private import semmle.code.java.security.UrlRedirectQuery
+private import semmle.code.java.security.TaintedPathQuery
+private import semmle.code.java.security.SqlInjectionQuery
+private import AutomodelJavaUtil
+
+private newtype TSinkModel =
+  MkSinkModel(
+    string package, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string kind, string provenance
+  ) {
+    ExternalFlow::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
+  }
+
+class SinkModel extends TSinkModel {
+  string package;
+  string type;
+  boolean subtypes;
+  string name;
+  string signature;
+  string ext;
+  string input;
+  string kind;
+  string provenance;
+
+  SinkModel() {
+    this = MkSinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)
+  }
+
+  /** Gets the package for this sink model. */
+  string getPackage() { result = package }
+
+  /** Gets the type for this sink model. */
+  string getType() { result = type }
+
+  /** Gets whether this sink model considers subtypes. */
+  boolean getSubtypes() { result = subtypes }
+
+  /** Gets the name for this sink model. */
+  string getName() { result = name }
+
+  /** Gets the signature for this sink model. */
+  string getSignature() { result = signature }
+
+  /** Gets the input for this sink model. */
+  string getInput() { result = input }
+
+  /** Gets the extension for this sink model. */
+  string getExt() { result = ext }
+
+  /** Gets the kind for this sink model. */
+  string getKind() { result = kind }
+
+  /** Gets the provenance for this sink model. */
+  string getProvenance() { result = provenance }
+
+  /** Gets the number of instances of this sink model. */
+  int getInstanceCount() { result = count(PotentialSinkModelExpr p | p.getSinkModel() = this) }
+
+  /** Gets a string representation of this sink model. */
+  string toString() {
+    result =
+      "SinkModel(" + package + ", " + type + ", " + subtypes + ", " + name + ", " + signature + ", "
+        + ext + ", " + input + ", " + kind + ", " + provenance + ")"
+  }
+
+  /** Gets a string representation of this sink model as it would appear in a Models-as-Data file. */
+  string getRepr() {
+    result =
+      "\"" + package + "\", \"" + type + "\", " + pyBool(subtypes) + ", \"" + name + "\", \"" +
+        signature + "\", \"" + ext + "\", \"" + input + "\", \"" + kind + "\", \"" + provenance +
+        "\""
+  }
+}
+
+/** An expression that may correspond to a sink model. */
+class PotentialSinkModelExpr extends Expr {
+  /**
+   *  Holds if this expression has the given signature. The signature should contain enough
+   *  information to determine a corresponding sink model, if one exists.
+   */
+  pragma[nomagic]
+  predicate hasSignature(
+    string package, string type, boolean subtypes, string name, string signature, string input
+  ) {
+    exists(Call call, Callable callable, int argIdx |
+      call.getCallee() = callable and
+      (
+        this = call.getArgument(argIdx)
+        or
+        this = call.getQualifier() and argIdx = -1
+      ) and
+      input = getArgumentForIndex(argIdx) and
+      package = callable.getDeclaringType().getPackage().getName() and
+      type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
+      subtypes = considerSubtypes(callable) and
+      name = callable.getName() and
+      signature = ExternalFlow::paramsString(callable)
+    )
+  }
+
+  /** Gets a sink model that corresponds to this expression. */
+  SinkModel getSinkModel() {
+    this.hasSignature(result.getPackage(), result.getType(), result.getSubtypes(), result.getName(),
+      result.getSignature(), result.getInput())
+  }
+}
+
+private string pyBool(boolean b) {
+  b = true and result = "True"
+  or
+  b = false and result = "False"
+}
+
+/**
+ * Gets a string representation of the existing sink model at the expression `e`, in the format in
+ * which it would appear in a Models-as-Data file. Also restricts the provenance of the sink model
+ * to be `ai-generated`.
+ */
+string getSinkModelRepr(PotentialSinkModelExpr e) {
+  result = e.getSinkModel().getRepr() and
+  e.getSinkModel().getProvenance() = "ai-generated"
+}
+
+/**
+ * Gets the string representation of a sink model in a format suitable for appending to an alert
+ * message.
+ */
+string getSinkModelQueryRepr(PotentialSinkModelExpr e) {
+  result = "\nsinkModel: " + getSinkModelRepr(e)
+}
+
+/**
+ * A parameterised module that takes a dataflow config, and exposes a predicate for counting the
+ * number of AI-generated sink models that appear in alerts for that query.
+ */
+private module SinkTallier<DataFlow::ConfigSig Config> {
+  module ConfigFlow = TaintTracking::Global<Config>;
+
+  predicate getSinkModelCount(int c, SinkModel s) {
+    s = any(ConfigFlow::PathNode sink).getNode().asExpr().(PotentialSinkModelExpr).getSinkModel() and
+    c =
+      strictcount(ConfigFlow::PathNode sink |
+        ConfigFlow::flowPath(_, sink) and
+        s = sink.getNode().asExpr().(PotentialSinkModelExpr).getSinkModel()
+      )
+  }
+}
+
+predicate sinkModelTallyPerQuery(string queryName, int alertCount, SinkModel sinkModel) {
+  queryName = "java/request-forgery" and
+  SinkTallier<RequestForgeryConfig>::getSinkModelCount(alertCount, sinkModel)
+  or
+  queryName = "java/command-line-injection" and
+  exists(int c1, int c2 |
+    SinkTallier<RemoteUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c1, sinkModel) and
+    SinkTallier<LocalUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c2, sinkModel) and
+    alertCount = c1 + c2
+  )
+  or
+  queryName = "java/concatenated-sql-query" and
+  SinkTallier<UncontrolledStringBuilderSourceFlowConfig>::getSinkModelCount(alertCount, sinkModel)
+  or
+  queryName = "java/ssrf" and
+  SinkTallier<RequestForgeryConfig>::getSinkModelCount(alertCount, sinkModel)
+  or
+  queryName = "java/path-injection" and
+  SinkTallier<TaintedPathConfig>::getSinkModelCount(alertCount, sinkModel)
+  or
+  queryName = "java/unvalidated-url-redirection" and
+  SinkTallier<UrlRedirectConfig>::getSinkModelCount(alertCount, sinkModel)
+  or
+  queryName = "java/sql-injection" and
+  SinkTallier<QueryInjectionFlowConfig>::getSinkModelCount(alertCount, sinkModel)
+}
+
+predicate sinkModelTally(int alertCount, SinkModel sinkModel) {
+  sinkModelTallyPerQuery(_, _, sinkModel) and
+  alertCount = sum(int c | sinkModelTallyPerQuery(_, c, sinkModel))
+}
--- a/java/ql/src/Telemetry/AutomodelAlertSinks.ql
+++ b/java/ql/src/Telemetry/AutomodelAlertSinks.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Number of alerts per sink model
+ * @description Counts the number of alerts using `ai-generated` sink models.
+ * @kind table
+ * @id java/ml/metrics-count-alerts-per-sink-model
+ * @tags internal automodel metrics
+ */
+
+private import java
+private import AutomodelAlertSinkUtil
+
+from int alertCount, SinkModel s
+where sinkModelTally(alertCount, s) and s.getProvenance() = "ai-generated"
+select alertCount, s.getPackage() as package, s.getType() as type, s.getSubtypes() as subtypes,
+  s.getName() as name, s.getSignature() as signature, s.getInput() as input, s.getExt() as ext,
+  s.getKind() as kind, s.getProvenance() as provenance order by alertCount desc
--- a/java/ql/src/Telemetry/AutomodelAlertSinksPerQuery.ql
+++ b/java/ql/src/Telemetry/AutomodelAlertSinksPerQuery.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Number of alerts per sink model and query
+ * @description Counts the number of alerts per query using `ai-generated` sink models.
+ * @kind table
+ * @id java/ml/metrics-count-alerts-per-sink-model-and-query
+ * @tags internal automodel metrics
+ */
+
+private import java
+private import AutomodelAlertSinkUtil
+
+from string queryId, int alertCount, SinkModel s
+where
+  sinkModelTallyPerQuery(queryId, alertCount, s) and
+  s.getProvenance() = "ai-generated"
+select queryId, alertCount, s.getPackage() as package, s.getType() as type,
+  s.getSubtypes() as subtypes, s.getName() as name, s.getSignature() as signature,
+  s.getInput() as input, s.getExt() as ext, s.getKind() as kind, s.getProvenance() as provenance
+  order by queryId, alertCount desc
--- a/java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll
+++ b/java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll
@@ -12,7 +12,6 @@ private import semmle.code.java.dataflow.internal.FlowSummaryImpl as FlowSummary
 private import semmle.code.java.security.ExternalAPIs as ExternalAPIs
 private import semmle.code.java.Expr as Expr
 private import semmle.code.java.security.QueryInjection
-private import semmle.code.java.security.RequestForgery
 private import semmle.code.java.dataflow.internal.ModelExclusions as ModelExclusions
 private import AutomodelJavaUtil as AutomodelJavaUtil
 private import semmle.code.java.security.PathSanitizer as PathSanitizer
@@ -26,7 +25,17 @@ newtype JavaRelatedLocationType = CallContext()
 * A class representing nodes that are arguments to calls.
 */
 private class ArgumentNode extends DataFlow::Node {
-  ArgumentNode() { this.asExpr() = [any(Call c).getAnArgument(), any(Call c).getQualifier()] }
+  Call c;
+
+  ArgumentNode() {
+    exists(Argument arg | this.asExpr() = arg and not arg.isVararg() and c = arg.getCall())
+    or
+    this.(DataFlow::ImplicitVarargsArray).getCall() = c
+    or
+    this = DataFlow::getInstanceArgument(c)
+  }
+
+  Call getCall() { result = c }
 }

 /**
@@ -67,13 +76,13 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig

  predicate isKnownKind = AutomodelJavaUtil::isKnownKind/2;

-  predicate isSink(Endpoint e, string kind) {
+  predicate isSink(Endpoint e, string kind, string provenance) {
    exists(string package, string type, string name, string signature, string ext, string input |
      sinkSpec(e, package, type, name, signature, ext, input) and
-      ExternalFlow::sinkModel(package, type, _, name, [signature, ""], ext, input, kind, _)
+      ExternalFlow::sinkModel(package, type, _, name, [signature, ""], ext, input, kind, provenance)
    )
    or
-    isCustomSink(e, kind)
+    isCustomSink(e, kind) and provenance = "custom-sink"
  }

  predicate isNeutral(Endpoint e) {
@@ -136,10 +145,6 @@ private module ApplicationModeGetCallable implements AutomodelSharedGetCallable:
 * should be empty.
 */
 private predicate isCustomSink(Endpoint e, string kind) {
-  e.asExpr() instanceof ArgumentToExec and kind = "command injection"
-  or
-  e instanceof RequestForgerySink and kind = "request forgery"
-  or
  e instanceof QueryInjectionSink and kind = "sql"
 }

@@ -200,7 +205,7 @@ private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NotASin
  UnexploitableIsCharacteristic() { this = "unexploitable (is-style boolean method)" }

  override predicate appliesToEndpoint(Endpoint e) {
-    not ApplicationCandidatesImpl::isSink(e, _) and
+    not ApplicationCandidatesImpl::isSink(e, _, _) and
    ApplicationModeGetCallable::getCallable(e).getName().matches("is%") and
    ApplicationModeGetCallable::getCallable(e).getReturnType() instanceof BooleanType
  }
@@ -218,7 +223,7 @@ private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::Not
  UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }

  override predicate appliesToEndpoint(Endpoint e) {
-    not ApplicationCandidatesImpl::isSink(e, _) and
+    not ApplicationCandidatesImpl::isSink(e, _, _) and
    exists(Callable callable |
      callable = ApplicationModeGetCallable::getCallable(e) and
      callable.getName().toLowerCase() = ["exists", "notexists"] and
@@ -313,7 +318,8 @@ private class NonPublicMethodCharacteristic extends CharacteristicsImpl::Uninter

 /**
 * A negative characteristic that indicates that an endpoint is a non-sink argument to a method whose sinks have already
- * been modeled.
+ * been modeled _manually_. This is restricted to manual sinks only, because only during the manual process do we have
+ * the expectation that all sinks present in a method have been considered.
 *
 * WARNING: These endpoints should not be used as negative samples for training, because some sinks may have been missed
 * when the method was modeled. Specifically, as we start using ATM to merge in new declarations, we can be less sure
@@ -324,14 +330,14 @@ private class NonPublicMethodCharacteristic extends CharacteristicsImpl::Uninter
 private class OtherArgumentToModeledMethodCharacteristic extends CharacteristicsImpl::LikelyNotASinkCharacteristic
 {
  OtherArgumentToModeledMethodCharacteristic() {
-    this = "other argument to a method that has already been modeled"
+    this = "other argument to a method that has already been modeled manually"
  }

  override predicate appliesToEndpoint(Endpoint e) {
-    not ApplicationCandidatesImpl::isSink(e, _) and
-    exists(DataFlow::Node otherSink |
-      ApplicationCandidatesImpl::isSink(otherSink, _) and
-      e.asExpr() = otherSink.asExpr().(Argument).getCall().getAnArgument() and
+    not ApplicationCandidatesImpl::isSink(e, _, _) and
+    exists(Endpoint otherSink |
+      ApplicationCandidatesImpl::isSink(otherSink, _, "manual") and
+      e.getCall() = otherSink.getCall() and
      e != otherSink
    )
  }
--- a/java/ql/src/Telemetry/AutomodelApplicationModeExtractCandidates.ql
+++ b/java/ql/src/Telemetry/AutomodelApplicationModeExtractCandidates.ql
@@ -64,7 +64,7 @@ where
  // label it as a sink for one of the sink types of query B, for which it's already a known sink. This would result in
  // overlap between our detected sinks and the pre-existing modeling. We assume that, if a sink has already been
  // modeled in a MaD model, then it doesn't belong to any additional sink types, and we don't need to reexamine it.
-  not CharacteristicsImpl::isSink(endpoint, _) and
+  not CharacteristicsImpl::isSink(endpoint, _, _) and
  meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input) and
  // The message is the concatenation of all sink types for which this endpoint is known neither to be a sink nor to be
  // a non-sink, and we surface only endpoints that have at least one such sink type.
--- a/java/ql/src/Telemetry/AutomodelCountGeneratedSinks.ql
+++ b/java/ql/src/Telemetry/AutomodelCountGeneratedSinks.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Number of instances of each sink model
+ * @description Counts the number of instances of `ai-generated` sink models.
+ * @kind table
+ * @id java/ml/metrics-count-instances-per-sink-model
+ * @tags internal automodel metrics
+ */
+
+private import java
+private import AutomodelAlertSinkUtil
+
+from int instanceCount, SinkModel s
+where
+  instanceCount = s.getInstanceCount() and
+  instanceCount > 0 and
+  s.getProvenance() = "ai-generated"
+select instanceCount, s.getPackage() as package, s.getType() as type, s.getSubtypes() as subtypes,
+  s.getName() as name, s.getSignature() as signature, s.getInput() as input, s.getExt() as ext,
+  s.getKind() as kind, s.getProvenance() as provenance order by instanceCount desc
--- a/java/ql/src/Telemetry/AutomodelFrameworkModeCharacteristics.qll
+++ b/java/ql/src/Telemetry/AutomodelFrameworkModeCharacteristics.qll
@@ -23,6 +23,64 @@ newtype JavaRelatedLocationType =
  MethodDoc() or
  ClassDoc()

+newtype TFrameworkModeEndpoint =
+  TExplicitParameter(Parameter p) or
+  TQualifier(Callable c)
+
+/**
+ * A framework mode endpoint.
+ */
+abstract class FrameworkModeEndpoint extends TFrameworkModeEndpoint {
+  /**
+   * Returns the parameter index of the endpoint.
+   */
+  abstract int getIndex();
+
+  /**
+   * Returns the name of the parameter of the endpoint.
+   */
+  abstract string getParamName();
+
+  /**
+   * Returns the callable that contains the endpoint.
+   */
+  abstract Callable getEnclosingCallable();
+
+  abstract Top asTop();
+
+  string toString() { result = this.asTop().toString() }
+
+  Location getLocation() { result = this.asTop().getLocation() }
+}
+
+class ExplicitParameterEndpoint extends FrameworkModeEndpoint, TExplicitParameter {
+  Parameter param;
+
+  ExplicitParameterEndpoint() { this = TExplicitParameter(param) }
+
+  override int getIndex() { result = param.getPosition() }
+
+  override string getParamName() { result = param.getName() }
+
+  override Callable getEnclosingCallable() { result = param.getCallable() }
+
+  override Top asTop() { result = param }
+}
+
+class QualifierEndpoint extends FrameworkModeEndpoint, TQualifier {
+  Callable callable;
+
+  QualifierEndpoint() { this = TQualifier(callable) }
+
+  override int getIndex() { result = -1 }
+
+  override string getParamName() { result = "this" }
+
+  override Callable getEnclosingCallable() { result = callable }
+
+  override Top asTop() { result = callable }
+}
+
 /**
 * A candidates implementation for framework mode.
 *
@@ -33,7 +91,7 @@ newtype JavaRelatedLocationType =
 */
 module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
  // for documentation of the implementations here, see the QLDoc in the CandidateSig signature module.
-  class Endpoint = DataFlow::ParameterNode;
+  class Endpoint = FrameworkModeEndpoint;

  class EndpointType = AutomodelEndpointTypes::EndpointType;

@@ -46,14 +104,14 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
  // Sanitizers are currently not modeled in MaD. TODO: check if this has large negative impact.
  predicate isSanitizer(Endpoint e, EndpointType t) { none() }

-  RelatedLocation asLocation(Endpoint e) { result = e.asParameter() }
+  RelatedLocation asLocation(Endpoint e) { result = e.asTop() }

  predicate isKnownKind = AutomodelJavaUtil::isKnownKind/2;

-  predicate isSink(Endpoint e, string kind) {
+  predicate isSink(Endpoint e, string kind, string provenance) {
    exists(string package, string type, string name, string signature, string ext, string input |
      sinkSpec(e, package, type, name, signature, ext, input) and
-      ExternalFlow::sinkModel(package, type, _, name, [signature, ""], ext, input, kind, _)
+      ExternalFlow::sinkModel(package, type, _, name, [signature, ""], ext, input, kind, provenance)
    )
  }

@@ -70,9 +128,7 @@ module FrameworkCandidatesImpl implements SharedCharacteristics::CandidateSig {
    FrameworkModeGetCallable::getCallable(e).hasQualifiedName(package, type, name) and
    signature = ExternalFlow::paramsString(FrameworkModeGetCallable::getCallable(e)) and
    ext = "" and
-    exists(int paramIdx | e.isParameterOf(_, paramIdx) |
-      input = AutomodelJavaUtil::getArgumentForIndex(paramIdx)
-    )
+    input = AutomodelJavaUtil::getArgumentForIndex(e.getIndex())
  }

  /**
@@ -124,16 +180,13 @@ class FrameworkModeMetadataExtractor extends string {
    Endpoint e, string package, string type, string subtypes, string name, string signature,
    string input, string parameterName
  ) {
-    exists(Callable callable, int paramIdx |
-      e.asParameter() = callable.getParameter(paramIdx) and
-      input = AutomodelJavaUtil::getArgumentForIndex(paramIdx) and
-      package = callable.getDeclaringType().getPackage().getName() and
-      type = callable.getDeclaringType().getErasure().(RefType).nestedName() and
-      subtypes = AutomodelJavaUtil::considerSubtypes(callable).toString() and
-      name = callable.getName() and
-      parameterName = e.asParameter().getName() and
-      signature = ExternalFlow::paramsString(callable)
-    )
+    parameterName = e.getParamName() and
+    name = e.getEnclosingCallable().getName() and
+    input = AutomodelJavaUtil::getArgumentForIndex(e.getIndex()) and
+    package = e.getEnclosingCallable().getDeclaringType().getPackage().getName() and
+    type = e.getEnclosingCallable().getDeclaringType().getErasure().(RefType).nestedName() and
+    subtypes = AutomodelJavaUtil::considerSubtypes(e.getEnclosingCallable()).toString() and
+    signature = ExternalFlow::paramsString(e.getEnclosingCallable())
  }
 }

@@ -154,7 +207,7 @@ private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NotASin
  UnexploitableIsCharacteristic() { this = "unexploitable (is-style boolean method)" }

  override predicate appliesToEndpoint(Endpoint e) {
-    not FrameworkCandidatesImpl::isSink(e, _) and
+    not FrameworkCandidatesImpl::isSink(e, _, _) and
    FrameworkModeGetCallable::getCallable(e).getName().matches("is%") and
    FrameworkModeGetCallable::getCallable(e).getReturnType() instanceof BooleanType
  }
@@ -172,7 +225,7 @@ private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::Not
  UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }

  override predicate appliesToEndpoint(Endpoint e) {
-    not FrameworkCandidatesImpl::isSink(e, _) and
+    not FrameworkCandidatesImpl::isSink(e, _, _) and
    exists(Callable callable |
      callable = FrameworkModeGetCallable::getCallable(e) and
      callable.getName().toLowerCase() = ["exists", "notexists"] and
@@ -201,7 +254,7 @@ private class NotAModelApiParameter extends CharacteristicsImpl::UninterestingTo
  NotAModelApiParameter() { this = "not a model API parameter" }

  override predicate appliesToEndpoint(Endpoint e) {
-    not exists(ModelExclusions::ModelApi api | api.getAParameter() = e.asParameter())
+    not e.getEnclosingCallable() instanceof ModelExclusions::ModelApi
  }
 }

--- a/java/ql/src/Telemetry/AutomodelFrameworkModeExtractCandidates.ql
+++ b/java/ql/src/Telemetry/AutomodelFrameworkModeExtractCandidates.ql
@@ -28,7 +28,7 @@ where
  // label it as a sink for one of the sink types of query B, for which it's already a known sink. This would result in
  // overlap between our detected sinks and the pre-existing modeling. We assume that, if a sink has already been
  // modeled in a MaD model, then it doesn't belong to any additional sink types, and we don't need to reexamine it.
-  not CharacteristicsImpl::isSink(endpoint, _) and
+  not CharacteristicsImpl::isSink(endpoint, _, _) and
  meta.hasMetadata(endpoint, package, type, subtypes, name, signature, input, parameterName) and
  // The message is the concatenation of all sink types for which this endpoint is known neither to be a sink nor to be
  // a non-sink, and we surface only endpoints that have at least one such sink type.
--- a/java/ql/src/Telemetry/AutomodelJavaUtil.qll
+++ b/java/ql/src/Telemetry/AutomodelJavaUtil.qll
@@ -56,6 +56,7 @@ string getArgumentForIndex(int index) {
 * It would technically be ok to always use the value 'true', but this would
 * break convention.
 */
+pragma[nomagic]
 boolean considerSubtypes(Callable callable) {
  if
    callable.isStatic() or
--- a/java/ql/src/Telemetry/AutomodelSharedCharacteristics.qll
+++ b/java/ql/src/Telemetry/AutomodelSharedCharacteristics.qll
@@ -58,9 +58,9 @@ signature module CandidateSig {
  predicate isSanitizer(Endpoint e, EndpointType t);

  /**
-   * Holds if `e` is a sink with the label `kind`.
+   * Holds if `e` is a sink with the label `kind`, and provenance `provenance`.
   */
-  predicate isSink(Endpoint e, string kind);
+  predicate isSink(Endpoint e, string kind, string provenance);

  /**
   * Holds if `e` is not a sink of any kind.
@@ -87,7 +87,7 @@ signature module CandidateSig {
 *   implementations of endpoint characteristics exported by this module.
 */
 module SharedCharacteristics<CandidateSig Candidate> {
-  predicate isSink = Candidate::isSink/2;
+  predicate isSink = Candidate::isSink/3;

  predicate isNeutral = Candidate::isNeutral/1;

@@ -282,7 +282,9 @@ module SharedCharacteristics<CandidateSig Candidate> {
        this = madKind + "-characteristic"
      }

-      override predicate appliesToEndpoint(Candidate::Endpoint e) { Candidate::isSink(e, madKind) }
+      override predicate appliesToEndpoint(Candidate::Endpoint e) {
+        Candidate::isSink(e, madKind, _)
+      }

      override Candidate::EndpointType getSinkType() { result = endpointType }
    }
--- a/java/ql/src/Telemetry/AutomodelSinkModelMrvaQueries.ql
+++ b/java/ql/src/Telemetry/AutomodelSinkModelMrvaQueries.ql
@@ -0,0 +1,62 @@
+/**
+ * This file contains query predicates for use when gathering metrics at scale using Multi Repo
+ * Variant Analysis.
+ */
+
+private import java
+private import AutomodelAlertSinkUtil
+
+/**
+ * Holds if `alertCount` is the number of alerts for the query with ID `queryId` for which the
+ * sinks correspond to the given `ai-generated` sink model.
+ */
+query predicate sinkModelCountPerQuery(
+  string queryId, int alertCount, string package, string type, boolean subtypes, string name,
+  string signature, string input, string ext, string kind, string provenance
+) {
+  exists(SinkModel s |
+    sinkModelTallyPerQuery(queryId, alertCount, s) and
+    s.getProvenance() = "ai-generated" and
+    s.getPackage() = package and
+    s.getType() = type and
+    s.getSubtypes() = subtypes and
+    s.getName() = name and
+    s.getSignature() = signature and
+    s.getInput() = input and
+    s.getExt() = ext and
+    s.getKind() = kind and
+    s.getProvenance() = provenance
+  )
+}
+
+/**
+ * Holds if `instanceCount` is the number of instances corresponding to the given `ai-generated`
+ * sink model (as identified by the `package`, `name`, `input`, etc.).
+ */
+query predicate instanceCount(
+  int instanceCount, string package, string type, boolean subtypes, string name, string signature,
+  string input, string ext, string kind, string provenance
+) {
+  exists(SinkModel s |
+    instanceCount = s.getInstanceCount() and
+    instanceCount > 0 and
+    s.getProvenance() = "ai-generated" and
+    s.getPackage() = package and
+    s.getType() = type and
+    s.getSubtypes() = subtypes and
+    s.getName() = name and
+    s.getSignature() = signature and
+    s.getInput() = input and
+    s.getExt() = ext and
+    s.getKind() = kind and
+    s.getProvenance() = provenance
+  )
+}
+
+// MRVA requires a select clause, so we repurpose it to tell us which query predicates had results.
+from string hadResults
+where
+  sinkModelCountPerQuery(_, _, _, _, _, _, _, _, _, _, _) and hadResults = "sinkModelCountPerQuery"
+  or
+  instanceCount(_, _, _, _, _, _, _, _, _, _) and hadResults = "instanceCount"
+select hadResults
--- a/java/ql/src/change-notes/2023-07-10-unsafe-android-access-apply.md
+++ b/java/ql/src/change-notes/2023-07-10-unsafe-android-access-apply.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 0.7.1
+
+### Minor Analysis Improvements
+
 * The query "Unsafe resource fetching in Android WebView" (`java/android/unsafe-android-webview-fetch`) now recognizes WebViews where `setJavascriptEnabled`, `setAllowFileAccess`, `setAllowUniversalAccessFromFileURLs`, and/or `setAllowFileAccessFromFileURLs` are set inside the function block of the Kotlin `apply` function.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.7.0
+lastReleaseVersion: 0.7.1
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 0.7.1-dev
+version: 0.7.2-dev
 groups: 
  - java
  - queries
--- a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
@@ -1,13 +1,19 @@
 edges
-| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) |
+| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:45:15:48 | code : String |
+| BeanShellInjection.java:15:45:15:48 | code : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) |
 | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code |
-| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource |
+| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:29:32:29:35 | code : String |
+| BeanShellInjection.java:29:3:29:20 | staticScriptSource : StaticScriptSource | BeanShellInjection.java:31:22:31:39 | staticScriptSource |
+| BeanShellInjection.java:29:32:29:35 | code : String | BeanShellInjection.java:29:3:29:20 | staticScriptSource : StaticScriptSource |
 nodes
 | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | semmle.label | new StaticScriptSource(...) |
+| BeanShellInjection.java:15:45:15:48 | code : String | semmle.label | code : String |
 | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | BeanShellInjection.java:22:20:22:23 | code | semmle.label | code |
 | BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| BeanShellInjection.java:29:3:29:20 | staticScriptSource : StaticScriptSource | semmle.label | staticScriptSource : StaticScriptSource |
+| BeanShellInjection.java:29:32:29:35 | code : String | semmle.label | code : String |
 | BeanShellInjection.java:31:22:31:39 | staticScriptSource | semmle.label | staticScriptSource |
 subpaths
 #select
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected
@@ -1,13 +1,26 @@
 edges
 | JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input |
 | JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input |
-| JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:37:16:37:28 | source(...) |
+| JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:33:37:33:41 | input : String |
+| JShellInjection.java:33:15:33:42 | analyzeCompletion(...) : CompletionInfo | JShellInjection.java:37:16:37:19 | info : CompletionInfo |
+| JShellInjection.java:33:37:33:41 | input : String | JShellInjection.java:33:15:33:42 | analyzeCompletion(...) : CompletionInfo |
+| JShellInjection.java:35:12:35:50 | analyzeCompletion(...) : CompletionInfo | JShellInjection.java:37:16:37:19 | info : CompletionInfo |
+| JShellInjection.java:35:34:35:37 | info : CompletionInfo | JShellInjection.java:35:34:35:49 | remaining(...) : String |
+| JShellInjection.java:35:34:35:49 | remaining(...) : String | JShellInjection.java:35:12:35:50 | analyzeCompletion(...) : CompletionInfo |
+| JShellInjection.java:37:16:37:19 | info : CompletionInfo | JShellInjection.java:35:34:35:37 | info : CompletionInfo |
+| JShellInjection.java:37:16:37:19 | info : CompletionInfo | JShellInjection.java:37:16:37:28 | source(...) |
 nodes
 | JShellInjection.java:12:18:12:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JShellInjection.java:15:15:15:19 | input | semmle.label | input |
 | JShellInjection.java:20:18:20:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JShellInjection.java:24:31:24:35 | input | semmle.label | input |
 | JShellInjection.java:29:18:29:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JShellInjection.java:33:15:33:42 | analyzeCompletion(...) : CompletionInfo | semmle.label | analyzeCompletion(...) : CompletionInfo |
+| JShellInjection.java:33:37:33:41 | input : String | semmle.label | input : String |
+| JShellInjection.java:35:12:35:50 | analyzeCompletion(...) : CompletionInfo | semmle.label | analyzeCompletion(...) : CompletionInfo |
+| JShellInjection.java:35:34:35:37 | info : CompletionInfo | semmle.label | info : CompletionInfo |
+| JShellInjection.java:35:34:35:49 | remaining(...) : String | semmle.label | remaining(...) : String |
+| JShellInjection.java:37:16:37:19 | info : CompletionInfo | semmle.label | info : CompletionInfo |
 | JShellInjection.java:37:16:37:28 | source(...) | semmle.label | source(...) |
 subpaths
 #select
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -13,12 +13,22 @@ edges
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:95:24:95:33 | expression : String |
 | JakartaExpressionInjection.java:32:24:32:33 | expression : String | JakartaExpressionInjection.java:34:28:34:37 | expression |
 | JakartaExpressionInjection.java:40:24:40:33 | expression : String | JakartaExpressionInjection.java:42:32:42:41 | expression |
-| JakartaExpressionInjection.java:48:24:48:33 | expression : String | JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression |
+| JakartaExpressionInjection.java:48:24:48:33 | expression : String | JakartaExpressionInjection.java:51:86:51:95 | expression : String |
+| JakartaExpressionInjection.java:51:47:51:110 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:52:89:52:103 | valueExpression : ValueExpression |
+| JakartaExpressionInjection.java:51:86:51:95 | expression : String | JakartaExpressionInjection.java:51:47:51:110 | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:52:49:52:104 | new LambdaExpression(...) : LambdaExpression | JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression |
+| JakartaExpressionInjection.java:52:89:52:103 | valueExpression : ValueExpression | JakartaExpressionInjection.java:52:49:52:104 | new LambdaExpression(...) : LambdaExpression |
 | JakartaExpressionInjection.java:59:24:59:33 | expression : String | JakartaExpressionInjection.java:61:32:61:41 | expression |
 | JakartaExpressionInjection.java:67:24:67:33 | expression : String | JakartaExpressionInjection.java:69:43:69:52 | expression |
-| JakartaExpressionInjection.java:75:24:75:33 | expression : String | JakartaExpressionInjection.java:79:13:79:13 | e |
-| JakartaExpressionInjection.java:85:24:85:33 | expression : String | JakartaExpressionInjection.java:89:13:89:13 | e |
-| JakartaExpressionInjection.java:95:24:95:33 | expression : String | JakartaExpressionInjection.java:99:13:99:13 | e |
+| JakartaExpressionInjection.java:75:24:75:33 | expression : String | JakartaExpressionInjection.java:78:72:78:81 | expression : String |
+| JakartaExpressionInjection.java:78:33:78:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:79:13:79:13 | e |
+| JakartaExpressionInjection.java:78:72:78:81 | expression : String | JakartaExpressionInjection.java:78:33:78:96 | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:85:24:85:33 | expression : String | JakartaExpressionInjection.java:88:72:88:81 | expression : String |
+| JakartaExpressionInjection.java:88:33:88:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:89:13:89:13 | e |
+| JakartaExpressionInjection.java:88:72:88:81 | expression : String | JakartaExpressionInjection.java:88:33:88:96 | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:95:24:95:33 | expression : String | JakartaExpressionInjection.java:98:74:98:83 | expression : String |
+| JakartaExpressionInjection.java:98:34:98:112 | createMethodExpression(...) : MethodExpression | JakartaExpressionInjection.java:99:13:99:13 | e |
+| JakartaExpressionInjection.java:98:74:98:83 | expression : String | JakartaExpressionInjection.java:98:34:98:112 | createMethodExpression(...) : MethodExpression |
 nodes
 | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
@@ -30,16 +40,26 @@ nodes
 | JakartaExpressionInjection.java:40:24:40:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:42:32:42:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:48:24:48:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:51:47:51:110 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:51:86:51:95 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:52:49:52:104 | new LambdaExpression(...) : LambdaExpression | semmle.label | new LambdaExpression(...) : LambdaExpression |
+| JakartaExpressionInjection.java:52:89:52:103 | valueExpression : ValueExpression | semmle.label | valueExpression : ValueExpression |
 | JakartaExpressionInjection.java:53:13:53:28 | lambdaExpression | semmle.label | lambdaExpression |
 | JakartaExpressionInjection.java:59:24:59:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:61:32:61:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:67:24:67:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:69:43:69:52 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:75:24:75:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:78:33:78:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:78:72:78:81 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:79:13:79:13 | e | semmle.label | e |
 | JakartaExpressionInjection.java:85:24:85:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:88:33:88:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
+| JakartaExpressionInjection.java:88:72:88:81 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:89:13:89:13 | e | semmle.label | e |
 | JakartaExpressionInjection.java:95:24:95:33 | expression : String | semmle.label | expression : String |
+| JakartaExpressionInjection.java:98:34:98:112 | createMethodExpression(...) : MethodExpression | semmle.label | createMethodExpression(...) : MethodExpression |
+| JakartaExpressionInjection.java:98:74:98:83 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:99:13:99:13 | e | semmle.label | e |
 subpaths
 #select
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected
@@ -1,6 +1,5 @@
 edges
 | SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String |
-| SensitiveCookieNotHttpOnly.java:24:33:24:43 | "jwt_token" : String | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:31:28:31:36 | jwtCookie |
 | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
@@ -15,7 +14,6 @@ edges
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String |
-| SensitiveCookieNotHttpOnly.java:88:35:88:51 | "Presto-UI-Token" : String | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie |
 | SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie |
 | SensitiveCookieNotHttpOnly.java:89:36:89:51 | PRESTO_UI_COOKIE : String | SensitiveCookieNotHttpOnly.java:89:25:89:57 | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:91:16:91:21 | cookie : Cookie | SensitiveCookieNotHttpOnly.java:110:25:110:64 | createAuthenticationCookie(...) : Cookie |
--- a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected
@@ -1,9 +1,19 @@
 edges
-| UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:25:29:25:62 | ...[...] |
+| UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:24:41:24:49 | className : String |
 | UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | UnsafeReflection.java:25:76:25:89 | parameterValue |
-| UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:13:39:41 | ...[...] |
-| UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:50:39:55 | object |
+| UnsafeReflection.java:24:27:24:50 | forName(...) : Class | UnsafeReflection.java:25:29:25:33 | clazz : Class |
+| UnsafeReflection.java:24:41:24:49 | className : String | UnsafeReflection.java:24:27:24:50 | forName(...) : Class |
+| UnsafeReflection.java:25:29:25:33 | clazz : Class | UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] |
+| UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] | UnsafeReflection.java:25:29:25:62 | ...[...] |
+| UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:37:49:37:57 | className : String |
 | UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | UnsafeReflection.java:39:58:39:71 | parameterValue |
+| UnsafeReflection.java:37:27:37:58 | loadClass(...) : Class | UnsafeReflection.java:38:29:38:33 | clazz : Class |
+| UnsafeReflection.java:37:49:37:57 | className : String | UnsafeReflection.java:37:27:37:58 | loadClass(...) : Class |
+| UnsafeReflection.java:38:29:38:33 | clazz : Class | UnsafeReflection.java:38:29:38:47 | newInstance(...) : Object |
+| UnsafeReflection.java:38:29:38:33 | clazz : Class | UnsafeReflection.java:39:13:39:17 | clazz : Class |
+| UnsafeReflection.java:38:29:38:47 | newInstance(...) : Object | UnsafeReflection.java:39:50:39:55 | object |
+| UnsafeReflection.java:39:13:39:17 | clazz : Class | UnsafeReflection.java:39:13:39:38 | getDeclaredMethods(...) : Method[] |
+| UnsafeReflection.java:39:13:39:38 | getDeclaredMethods(...) : Method[] | UnsafeReflection.java:39:13:39:41 | ...[...] |
 | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String |
 | UnsafeReflection.java:46:132:46:168 | body : Map | UnsafeReflection.java:49:37:49:40 | body : Map |
 | UnsafeReflection.java:49:23:49:59 | (...)... : List | UnsafeReflection.java:53:67:53:73 | rawData : List |
@@ -14,16 +24,33 @@ edges
 | UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | UnsafeReflection.java:68:76:68:89 | parameterValue |
 | UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | UnsafeReflection.java:83:76:83:89 | parameterValue |
 | UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | UnsafeReflection.java:98:76:98:89 | parameterValue |
-| UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:21:119:26 | method |
-| UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:35:119:38 | bean |
+| UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:108:39:108:55 | beanIdOrClassName : String |
 | UnsafeReflection.java:104:102:104:118 | data : List | UnsafeReflection.java:119:41:119:44 | data |
+| UnsafeReflection.java:108:25:108:56 | forName(...) : Class | UnsafeReflection.java:109:31:109:39 | beanClass : Class |
+| UnsafeReflection.java:108:39:108:55 | beanIdOrClassName : String | UnsafeReflection.java:108:25:108:56 | forName(...) : Class |
+| UnsafeReflection.java:109:11:109:40 | getBean(...) : Object | UnsafeReflection.java:113:30:113:33 | bean : Object |
+| UnsafeReflection.java:109:31:109:39 | beanClass : Class | UnsafeReflection.java:109:11:109:40 | getBean(...) : Object |
+| UnsafeReflection.java:113:30:113:33 | bean : Object | UnsafeReflection.java:113:30:113:44 | getClass(...) : Class |
+| UnsafeReflection.java:113:30:113:33 | bean : Object | UnsafeReflection.java:119:35:119:38 | bean |
+| UnsafeReflection.java:113:30:113:44 | getClass(...) : Class | UnsafeReflection.java:113:30:113:57 | getMethods(...) : Method[] |
+| UnsafeReflection.java:113:30:113:57 | getMethods(...) : Method[] | UnsafeReflection.java:119:21:119:26 | method |
 nodes
 | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeReflection.java:24:27:24:50 | forName(...) : Class | semmle.label | forName(...) : Class |
+| UnsafeReflection.java:24:41:24:49 | className : String | semmle.label | className : String |
+| UnsafeReflection.java:25:29:25:33 | clazz : Class | semmle.label | clazz : Class |
+| UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] | semmle.label | getDeclaredConstructors(...) : Constructor[] |
 | UnsafeReflection.java:25:29:25:62 | ...[...] | semmle.label | ...[...] |
 | UnsafeReflection.java:25:76:25:89 | parameterValue | semmle.label | parameterValue |
 | UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeReflection.java:37:27:37:58 | loadClass(...) : Class | semmle.label | loadClass(...) : Class |
+| UnsafeReflection.java:37:49:37:57 | className : String | semmle.label | className : String |
+| UnsafeReflection.java:38:29:38:33 | clazz : Class | semmle.label | clazz : Class |
+| UnsafeReflection.java:38:29:38:47 | newInstance(...) : Object | semmle.label | newInstance(...) : Object |
+| UnsafeReflection.java:39:13:39:17 | clazz : Class | semmle.label | clazz : Class |
+| UnsafeReflection.java:39:13:39:38 | getDeclaredMethods(...) : Method[] | semmle.label | getDeclaredMethods(...) : Method[] |
 | UnsafeReflection.java:39:13:39:41 | ...[...] | semmle.label | ...[...] |
 | UnsafeReflection.java:39:50:39:55 | object | semmle.label | object |
 | UnsafeReflection.java:39:58:39:71 | parameterValue | semmle.label | parameterValue |
@@ -42,6 +69,13 @@ nodes
 | UnsafeReflection.java:98:76:98:89 | parameterValue | semmle.label | parameterValue |
 | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
 | UnsafeReflection.java:104:102:104:118 | data : List | semmle.label | data : List |
+| UnsafeReflection.java:108:25:108:56 | forName(...) : Class | semmle.label | forName(...) : Class |
+| UnsafeReflection.java:108:39:108:55 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
+| UnsafeReflection.java:109:11:109:40 | getBean(...) : Object | semmle.label | getBean(...) : Object |
+| UnsafeReflection.java:109:31:109:39 | beanClass : Class | semmle.label | beanClass : Class |
+| UnsafeReflection.java:113:30:113:33 | bean : Object | semmle.label | bean : Object |
+| UnsafeReflection.java:113:30:113:44 | getClass(...) : Class | semmle.label | getClass(...) : Class |
+| UnsafeReflection.java:113:30:113:57 | getMethods(...) : Method[] | semmle.label | getMethods(...) : Method[] |
 | UnsafeReflection.java:119:21:119:26 | method | semmle.label | method |
 | UnsafeReflection.java:119:35:119:38 | bean | semmle.label | bean |
 | UnsafeReflection.java:119:41:119:44 | data | semmle.label | data |
--- a/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected
@@ -10,13 +10,23 @@ edges
 | UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | UnsafeResourceGet2.java:19:93:19:99 | loadUrl |
 | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:33:20:33:25 | params : Map |
 | UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : String |
-| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | UnsafeResourceGet2.java:37:20:37:22 | url |
-| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:41:20:41:22 | url |
+| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String |
+| UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL | UnsafeResourceGet2.java:37:20:37:22 | url |
+| UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String | UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL |
+| UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:39:28:39:37 | requestUrl : String |
+| UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL | UnsafeResourceGet.java:41:20:41:22 | url |
+| UnsafeResourceGet.java:39:28:39:37 | requestUrl : String | UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL |
 | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath |
-| UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:150:20:150:22 | url |
+| UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:148:36:148:45 | requestUrl : String |
+| UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL | UnsafeResourceGet.java:150:20:150:22 | url |
+| UnsafeResourceGet.java:148:36:148:45 | requestUrl : String | UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL |
 | UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | UnsafeResourceGet.java:189:68:189:78 | requestPath |
-| UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | UnsafeResourceGet.java:226:20:226:22 | url |
-| UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | UnsafeResourceGet.java:245:21:245:22 | rs : Resource |
+| UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | UnsafeResourceGet.java:224:53:224:62 | requestUrl : String |
+| UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL | UnsafeResourceGet.java:226:20:226:22 | url |
+| UnsafeResourceGet.java:224:53:224:62 | requestUrl : String | UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL |
+| UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | UnsafeResourceGet.java:241:33:241:43 | requestPath : String |
+| UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource | UnsafeResourceGet.java:245:21:245:22 | rs : Resource |
+| UnsafeResourceGet.java:241:33:241:43 | requestPath : String | UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource |
 | UnsafeResourceGet.java:245:21:245:22 | rs : Resource | UnsafeResourceGet.java:245:21:245:32 | getPath(...) |
 | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:32:51:32:59 | returnURL |
 | UnsafeServletRequestDispatch.java:42:22:42:54 | getParameter(...) : String | UnsafeServletRequestDispatch.java:48:56:48:64 | returnURL |
@@ -47,18 +57,28 @@ nodes
 | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
 | UnsafeResourceGet2.java:33:20:33:25 | params : Map | semmle.label | params : Map |
 | UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | semmle.label | get(...) : String |
+| UnsafeResourceGet2.java:35:13:35:56 | getResource(...) : URL | semmle.label | getResource(...) : URL |
+| UnsafeResourceGet2.java:35:49:35:55 | loadUrl : String | semmle.label | loadUrl : String |
 | UnsafeResourceGet2.java:37:20:37:22 | url | semmle.label | url |
 | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:39:13:39:38 | getResource(...) : URL | semmle.label | getResource(...) : URL |
+| UnsafeResourceGet.java:39:28:39:37 | requestUrl : String | semmle.label | requestUrl : String |
 | UnsafeResourceGet.java:41:20:41:22 | url | semmle.label | url |
 | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeResourceGet.java:115:68:115:78 | requestPath | semmle.label | requestPath |
 | UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:148:13:148:46 | getResource(...) : URL | semmle.label | getResource(...) : URL |
+| UnsafeResourceGet.java:148:36:148:45 | requestUrl : String | semmle.label | requestUrl : String |
 | UnsafeResourceGet.java:150:20:150:22 | url | semmle.label | url |
 | UnsafeResourceGet.java:181:24:181:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeResourceGet.java:189:68:189:78 | requestPath | semmle.label | requestPath |
 | UnsafeResourceGet.java:219:23:219:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:224:13:224:63 | getResource(...) : URL | semmle.label | getResource(...) : URL |
+| UnsafeResourceGet.java:224:53:224:62 | requestUrl : String | semmle.label | requestUrl : String |
 | UnsafeResourceGet.java:226:20:226:22 | url | semmle.label | url |
 | UnsafeResourceGet.java:237:24:237:58 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UnsafeResourceGet.java:241:18:241:44 | getResource(...) : Resource | semmle.label | getResource(...) : Resource |
+| UnsafeResourceGet.java:241:33:241:43 | requestPath : String | semmle.label | requestPath : String |
 | UnsafeResourceGet.java:245:21:245:22 | rs : Resource | semmle.label | rs : Resource |
 | UnsafeResourceGet.java:245:21:245:32 | getPath(...) | semmle.label | getPath(...) |
 | UnsafeServletRequestDispatch.java:23:22:23:54 | getParameter(...) : String | semmle.label | getParameter(...) : String |
--- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
@@ -13,7 +13,8 @@ edges
 | SpringUrlRedirect.java:89:38:89:55 | redirectUrl : String | SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String |
 | SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String | SpringUrlRedirect.java:91:27:91:49 | create(...) |
 | SpringUrlRedirect.java:96:39:96:56 | redirectUrl : String | SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String |
-| SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | SpringUrlRedirect.java:100:37:100:47 | httpHeaders |
+| SpringUrlRedirect.java:98:9:98:19 | httpHeaders : HttpHeaders | SpringUrlRedirect.java:100:37:100:47 | httpHeaders |
+| SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | SpringUrlRedirect.java:98:9:98:19 | httpHeaders : HttpHeaders |
 | SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String | SpringUrlRedirect.java:98:33:98:55 | create(...) : URI |
 | SpringUrlRedirect.java:104:39:104:56 | redirectUrl : String | SpringUrlRedirect.java:106:37:106:47 | redirectUrl : String |
 | SpringUrlRedirect.java:106:9:106:19 | httpHeaders [post update] : HttpHeaders | SpringUrlRedirect.java:108:68:108:78 | httpHeaders |
@@ -31,7 +32,8 @@ edges
 | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders |
 | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | SpringUrlRedirect.java:122:9:122:19 | httpHeaders [post update] : HttpHeaders [<map.value>, <element>] : String |
 | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String |
-| SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | SpringUrlRedirect.java:132:49:132:59 | httpHeaders |
+| SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | SpringUrlRedirect.java:132:49:132:59 | httpHeaders |
+| SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders |
 | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | SpringUrlRedirect.java:130:33:130:55 | create(...) : URI |
 nodes
 | SpringUrlRedirect.java:17:30:17:47 | redirectUrl : String | semmle.label | redirectUrl : String |
@@ -57,6 +59,7 @@ nodes
 | SpringUrlRedirect.java:91:27:91:49 | create(...) | semmle.label | create(...) |
 | SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:96:39:96:56 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:98:9:98:19 | httpHeaders : HttpHeaders | semmle.label | httpHeaders : HttpHeaders |
 | SpringUrlRedirect.java:98:33:98:55 | create(...) : URI | semmle.label | create(...) : URI |
 | SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:100:37:100:47 | httpHeaders | semmle.label | httpHeaders |
@@ -76,6 +79,7 @@ nodes
 | SpringUrlRedirect.java:122:37:122:47 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:124:49:124:59 | httpHeaders | semmle.label | httpHeaders |
 | SpringUrlRedirect.java:128:33:128:50 | redirectUrl : String | semmle.label | redirectUrl : String |
+| SpringUrlRedirect.java:130:9:130:19 | httpHeaders : HttpHeaders | semmle.label | httpHeaders : HttpHeaders |
 | SpringUrlRedirect.java:130:33:130:55 | create(...) : URI | semmle.label | create(...) : URI |
 | SpringUrlRedirect.java:130:44:130:54 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:132:49:132:59 | httpHeaders | semmle.label | httpHeaders |
--- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
@@ -1,14 +1,22 @@
 edges
-| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe |
+| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:50:60:50:64 | query : String |
+| XQueryInjection.java:50:37:50:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:51:35:51:38 | xqpe |
+| XQueryInjection.java:50:60:50:64 | query : String | XQueryInjection.java:50:37:50:65 | prepareExpression(...) : XQPreparedExpression |
 | XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query |
-| XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:79:35:79:38 | xqpe |
+| XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:78:60:78:64 | query : String |
+| XQueryInjection.java:78:37:78:65 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:79:35:79:38 | xqpe |
+| XQueryInjection.java:78:60:78:64 | query : String | XQueryInjection.java:78:37:78:65 | prepareExpression(...) : XQPreparedExpression |
 | XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query |
-| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe |
+| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:103:60:103:63 | name : ServletInputStream |
+| XQueryInjection.java:103:37:103:64 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:104:35:104:38 | xqpe |
+| XQueryInjection.java:103:60:103:63 | name : ServletInputStream | XQueryInjection.java:103:37:103:64 | prepareExpression(...) : XQPreparedExpression |
 | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name |
 | XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:125:70:125:73 | name : ServletInputStream |
-| XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:129:35:129:38 | xqpe |
+| XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:128:60:128:61 | br : BufferedReader |
 | XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader |
 | XQueryInjection.java:125:70:125:73 | name : ServletInputStream | XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader |
+| XQueryInjection.java:128:37:128:62 | prepareExpression(...) : XQPreparedExpression | XQueryInjection.java:129:35:129:38 | xqpe |
+| XQueryInjection.java:128:60:128:61 | br : BufferedReader | XQueryInjection.java:128:37:128:62 | prepareExpression(...) : XQPreparedExpression |
 | XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:138:70:138:73 | name : ServletInputStream |
 | XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader | XQueryInjection.java:142:53:142:54 | br |
 | XQueryInjection.java:138:48:138:74 | new InputStreamReader(...) : InputStreamReader | XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader |
@@ -20,14 +28,20 @@ edges
 | XQueryInjection.java:158:70:158:71 | is : ServletInputStream | XQueryInjection.java:158:48:158:72 | new InputStreamReader(...) : InputStreamReader |
 nodes
 | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| XQueryInjection.java:50:37:50:65 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:50:60:50:64 | query : String | semmle.label | query : String |
 | XQueryInjection.java:51:35:51:38 | xqpe | semmle.label | xqpe |
 | XQueryInjection.java:59:23:59:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | XQueryInjection.java:65:53:65:57 | query | semmle.label | query |
 | XQueryInjection.java:73:32:73:59 | nameStr : String | semmle.label | nameStr : String |
+| XQueryInjection.java:78:37:78:65 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:78:60:78:64 | query : String | semmle.label | query : String |
 | XQueryInjection.java:79:35:79:38 | xqpe | semmle.label | xqpe |
 | XQueryInjection.java:86:33:86:60 | nameStr : String | semmle.label | nameStr : String |
 | XQueryInjection.java:92:53:92:57 | query | semmle.label | query |
 | XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:103:37:103:64 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:103:60:103:63 | name : ServletInputStream | semmle.label | name : ServletInputStream |
 | XQueryInjection.java:104:35:104:38 | xqpe | semmle.label | xqpe |
 | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
 | XQueryInjection.java:116:53:116:56 | name | semmle.label | name |
@@ -35,6 +49,8 @@ nodes
 | XQueryInjection.java:125:29:125:75 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
 | XQueryInjection.java:125:48:125:74 | new InputStreamReader(...) : InputStreamReader | semmle.label | new InputStreamReader(...) : InputStreamReader |
 | XQueryInjection.java:125:70:125:73 | name : ServletInputStream | semmle.label | name : ServletInputStream |
+| XQueryInjection.java:128:37:128:62 | prepareExpression(...) : XQPreparedExpression | semmle.label | prepareExpression(...) : XQPreparedExpression |
+| XQueryInjection.java:128:60:128:61 | br : BufferedReader | semmle.label | br : BufferedReader |
 | XQueryInjection.java:129:35:129:38 | xqpe | semmle.label | xqpe |
 | XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
 | XQueryInjection.java:138:29:138:75 | new BufferedReader(...) : BufferedReader | semmle.label | new BufferedReader(...) : BufferedReader |
--- a/java/ql/test/library-tests/dataflow/field-value/A.java
+++ b/java/ql/test/library-tests/dataflow/field-value/A.java
@@ -0,0 +1,25 @@
+import java.io.FilterInputStream;
+import java.io.InputStream;
+
+public class A {
+
+    public String src;
+
+    private static void sink(Object o) {}
+
+    public void test() {
+        sink(src); // $ hasTaintFlow
+    }
+
+    class TestFis extends FilterInputStream {
+
+        protected TestFis(InputStream in) {
+            super(in);
+        }
+
+        public void testOutOfSource() {
+            // out of source field
+            sink(this.in); // $ hasTaintFlow
+        }
+    }
+}
--- a/java/ql/test/library-tests/dataflow/field-value/test.expected
+++ b/java/ql/test/library-tests/dataflow/field-value/test.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/java/ql/test/library-tests/dataflow/field-value/test.ql
+++ b/java/ql/test/library-tests/dataflow/field-value/test.ql
@@ -0,0 +1,10 @@
+import java
+import TestUtilities.InlineFlowTest
+
+module FieldValueConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof DataFlow::FieldValueNode }
+
+  predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) }
+}
+
+import TaintFlowTest<FieldValueConfig>
--- a/java/ql/test/library-tests/dataflow/partial/test.expected
+++ b/java/ql/test/library-tests/dataflow/partial/test.expected
@@ -1,5 +1,6 @@
 edges
 | A.java:4:16:4:18 | this <constr(this)> [post update] [elem] | A.java:22:17:22:25 | new Box(...) [elem] |
+| A.java:5:19:5:22 | elem | A.java:24:10:24:19 | other.elem |
 | A.java:12:5:12:5 | b [post update] : Box [elem] | A.java:13:12:13:12 | b : Box [elem] |
 | A.java:12:14:12:18 | src(...) : Object | A.java:12:5:12:5 | b [post update] : Box [elem] |
 | A.java:12:14:12:18 | src(...) : Object | A.java:12:5:12:18 | ...=... : Object |
--- a/java/ql/test/library-tests/dataflow/partial/testRev.expected
+++ b/java/ql/test/library-tests/dataflow/partial/testRev.expected
@@ -1,5 +1,6 @@
 edges
 | A.java:4:16:4:18 | this <constr(this)> [post update] [elem] | A.java:22:17:22:25 | new Box(...) [elem] |
+| A.java:5:19:5:22 | elem | A.java:24:10:24:19 | other.elem |
 | A.java:12:5:12:5 | b [post update] : Box [elem] | A.java:13:12:13:12 | b : Box [elem] |
 | A.java:12:14:12:18 | src(...) : Object | A.java:12:5:12:5 | b [post update] : Box [elem] |
 | A.java:12:14:12:18 | src(...) : Object | A.java:12:5:12:18 | ...=... : Object |
@@ -18,5 +19,6 @@ edges
 | 0 | A.java:23:13:23:17 | other [post update] [elem] |
 | 0 | A.java:24:10:24:14 | other [elem] |
 | 1 | A.java:4:16:4:18 | this <constr(this)> [post update] [elem] |
+| 1 | A.java:5:19:5:22 | elem |
 | 1 | A.java:28:5:28:5 | b [post update] [elem] |
 | 1 | A.java:28:14:28:25 | new Object(...) |
--- a/java/ql/test/library-tests/dataflow/stream-read/A.java
+++ b/java/ql/test/library-tests/dataflow/stream-read/A.java
@@ -0,0 +1,139 @@
+import java.io.InputStream;
+import java.io.IOException;
+
+public class A {
+
+    private static InputStream source() {
+        return null;
+    }
+
+    private static void sink(Object s) {}
+
+    static class MyStream extends InputStream {
+        private InputStream wrapped;
+
+        MyStream(InputStream wrapped) {
+            this.wrapped = wrapped;
+        }
+
+        @Override
+        public int read() throws IOException {
+            return 0;
+        }
+
+        @Override
+        public int read(byte[] b) throws IOException {
+            return wrapped.read(b);
+        }
+    }
+
+    public static void testSeveralWrappers() {
+        InputStream src = source();
+        InputStream wrapper1 = new MyStream(src);
+        sink(wrapper1); // $ hasTaintFlow
+        InputStream wrapper2 = new MyStream(wrapper1);
+        sink(wrapper2); // $ hasTaintFlow
+        InputStream wrapper3 = new MyStream(wrapper2);
+        sink(wrapper3); // $ hasTaintFlow
+
+        InputStream wrapper4 = new InputStream() {
+            @Override
+            public int read() throws IOException {
+                return 0;
+            }
+
+            @Override
+            public int read(byte[] b) throws IOException {
+                return wrapper3.read(b);
+
+            }
+        };
+        sink(wrapper4); // $ hasTaintFlow
+    }
+
+    public static void testAnonymous() throws Exception {
+        InputStream wrapper = new InputStream() {
+            @Override
+            public int read() throws IOException {
+                return 0;
+            }
+
+            @Override
+            public int read(byte[] b) throws IOException {
+                InputStream in = source();
+                return in.read(b);
+            }
+        };
+        sink(wrapper); // $ hasTaintFlow
+    }
+
+    public static void testAnonymousVarCapture() throws Exception {
+        InputStream in = source();
+        InputStream wrapper = new InputStream() {
+            @Override
+            public int read() throws IOException {
+                return 0;
+            }
+
+            @Override
+            public int read(byte[] b) throws IOException {
+                return in.read(b);
+
+            }
+        };
+        sink(wrapper); // $ hasTaintFlow
+    }
+
+    public static InputStream wrapStream(InputStream in) {
+        return new InputStream() {
+            @Override
+            public int read() throws IOException {
+                return 0;
+            }
+
+            @Override
+            public int read(byte[] b) throws IOException {
+                return in.read(b);
+            }
+        };
+    }
+
+    public static void testWrapCall() {
+        sink(wrapStream(null)); // $ SPURIOUS: hasTaintFlow
+        sink(wrapStream(source())); // $ hasTaintFlow
+    }
+
+    public static void testLocal() {
+
+        class LocalInputStream extends InputStream {
+            @Override
+            public int read() throws IOException {
+                return 0;
+            }
+
+            @Override
+            public int read(byte[] b) throws IOException {
+                InputStream in = source();
+                return in.read(b);
+            }
+        }
+        sink(new LocalInputStream()); // $ hasTaintFlow
+    }
+
+    public static void testLocalVarCapture() {
+        InputStream in = source();
+
+        class LocalInputStream extends InputStream {
+            @Override
+            public int read() throws IOException {
+                return 0;
+            }
+
+            @Override
+            public int read(byte[] b) throws IOException {
+                return in.read(b);
+            }
+        }
+        sink(new LocalInputStream()); // $ hasTaintFlow
+    }
+}
--- a/java/ql/test/library-tests/dataflow/stream-read/test.expected
+++ b/java/ql/test/library-tests/dataflow/stream-read/test.expected
@@ -0,0 +1,2 @@
+failures
+testFailures
--- a/java/ql/test/library-tests/dataflow/stream-read/test.ql
+++ b/java/ql/test/library-tests/dataflow/stream-read/test.ql
@@ -0,0 +1,2 @@
+import TestUtilities.InlineFlowTest
+import DefaultFlowTest
--- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
+++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.expected
@@ -9,11 +9,16 @@ edges
 | Test.java:80:31:80:32 | br : BufferedReader | Test.java:80:31:80:43 | readLine(...) : String |
 | Test.java:80:31:80:43 | readLine(...) : String | Test.java:82:67:82:81 | ... + ... |
 | Test.java:88:17:88:37 | getHostName(...) : String | Test.java:90:26:90:29 | temp |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:12:97:33 | new URI(...) |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:98:12:98:33 | new URI(...) |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) |
-| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) |
+| Test.java:95:14:95:34 | getHostName(...) : String | Test.java:97:26:97:26 | t : String |
+| Test.java:97:26:97:26 | t : String | Test.java:97:12:97:33 | new URI(...) |
+| Test.java:97:26:97:26 | t : String | Test.java:98:23:98:23 | t : String |
+| Test.java:98:23:98:23 | t : String | Test.java:98:12:98:33 | new URI(...) |
+| Test.java:98:23:98:23 | t : String | Test.java:99:29:99:29 | t : String |
+| Test.java:99:29:99:29 | t : String | Test.java:99:12:99:33 | new URI(...) |
+| Test.java:99:29:99:29 | t : String | Test.java:100:32:100:32 | t : String |
+| Test.java:100:32:100:32 | t : String | Test.java:100:12:100:45 | new URI(...) |
+| Test.java:100:32:100:32 | t : String | Test.java:101:41:101:41 | t : String |
+| Test.java:101:41:101:41 | t : String | Test.java:101:12:101:54 | new URI(...) |
 | mad/Test.java:29:16:29:36 | getHostName(...) : String | mad/Test.java:34:61:34:68 | source(...) : String |
 | mad/Test.java:29:16:29:36 | getHostName(...) : String | mad/Test.java:36:41:36:48 | source(...) : String |
 | mad/Test.java:29:16:29:36 | getHostName(...) : String | mad/Test.java:38:56:38:63 | source(...) : String |
@@ -134,10 +139,15 @@ nodes
 | Test.java:90:26:90:29 | temp | semmle.label | temp |
 | Test.java:95:14:95:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:97:12:97:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:97:26:97:26 | t : String | semmle.label | t : String |
 | Test.java:98:12:98:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:98:23:98:23 | t : String | semmle.label | t : String |
 | Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:99:29:99:29 | t : String | semmle.label | t : String |
 | Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:100:32:100:32 | t : String | semmle.label | t : String |
 | Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:101:41:101:41 | t : String | semmle.label | t : String |
 | mad/Test.java:29:16:29:36 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | mad/Test.java:34:52:34:68 | (...)... | semmle.label | (...)... |
 | mad/Test.java:34:61:34:68 | source(...) : String | semmle.label | source(...) : String |
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
@@ -1,6 +1,7 @@
 edges
-| Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) |
+| Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String |
 | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json |
+| Mongo.java:17:56:17:66 | stringQuery : String | Mongo.java:17:45:17:67 | parse(...) |
 | Test.java:29:30:29:42 | args : String[] | Test.java:36:47:36:52 | query1 |
 | Test.java:29:30:29:42 | args : String[] | Test.java:42:57:42:62 | query2 |
 | Test.java:29:30:29:42 | args : String[] | Test.java:50:62:50:67 | query3 |
@@ -19,6 +20,7 @@ edges
 nodes
 | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] |
 | Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) |
+| Mongo.java:17:56:17:66 | stringQuery : String | semmle.label | stringQuery : String |
 | Mongo.java:21:49:21:52 | json | semmle.label | json |
 | Test.java:29:30:29:42 | args : String[] | semmle.label | args : String[] |
 | Test.java:36:47:36:52 | query1 | semmle.label | query1 |
--- a/java/ql/test/query-tests/security/CWE-090/LdapInjection.expected
+++ b/java/ql/test/query-tests/security/CWE-090/LdapInjection.expected
@@ -2,63 +2,142 @@ edges
 | LdapInjection.java:45:28:45:52 | jBad : String | LdapInjection.java:47:38:47:57 | ... + ... |
 | LdapInjection.java:45:55:45:81 | jBadDN : String | LdapInjection.java:47:16:47:35 | ... + ... |
 | LdapInjection.java:51:28:51:52 | jBad : String | LdapInjection.java:53:56:53:75 | ... + ... |
-| LdapInjection.java:51:55:51:85 | jBadDNName : String | LdapInjection.java:53:16:53:53 | new LdapName(...) |
+| LdapInjection.java:51:55:51:85 | jBadDNName : String | LdapInjection.java:53:29:53:52 | ... + ... : String |
+| LdapInjection.java:53:29:53:52 | ... + ... : String | LdapInjection.java:53:16:53:53 | new LdapName(...) |
 | LdapInjection.java:57:28:57:52 | jBad : String | LdapInjection.java:59:63:59:82 | ... + ... |
 | LdapInjection.java:63:28:63:59 | jBadInitial : String | LdapInjection.java:65:29:65:55 | ... + ... |
 | LdapInjection.java:69:28:69:52 | jBad : String | LdapInjection.java:71:84:71:103 | ... + ... |
-| LdapInjection.java:69:55:69:88 | jBadDNNameAdd : String | LdapInjection.java:71:16:71:81 | addAll(...) |
+| LdapInjection.java:69:55:69:88 | jBadDNNameAdd : String | LdapInjection.java:71:53:71:79 | ... + ... : String |
+| LdapInjection.java:71:40:71:80 | new LdapName(...) : LdapName | LdapInjection.java:71:16:71:81 | addAll(...) |
+| LdapInjection.java:71:53:71:79 | ... + ... : String | LdapInjection.java:71:40:71:80 | new LdapName(...) : LdapName |
 | LdapInjection.java:75:28:75:52 | jBad : String | LdapInjection.java:79:47:79:66 | ... + ... |
-| LdapInjection.java:75:55:75:89 | jBadDNNameAdd2 : String | LdapInjection.java:79:16:79:44 | addAll(...) |
+| LdapInjection.java:75:55:75:89 | jBadDNNameAdd2 : String | LdapInjection.java:78:30:78:57 | ... + ... : String |
+| LdapInjection.java:78:5:78:8 | name : LdapName | LdapInjection.java:79:40:79:43 | name : LdapName |
+| LdapInjection.java:78:17:78:58 | new LdapName(...) : LdapName | LdapInjection.java:78:17:78:68 | getRdns(...) : List |
+| LdapInjection.java:78:17:78:68 | getRdns(...) : List | LdapInjection.java:78:5:78:8 | name : LdapName |
+| LdapInjection.java:78:30:78:57 | ... + ... : String | LdapInjection.java:78:17:78:58 | new LdapName(...) : LdapName |
+| LdapInjection.java:79:40:79:43 | name : LdapName | LdapInjection.java:79:16:79:44 | addAll(...) |
 | LdapInjection.java:83:28:83:52 | jBad : String | LdapInjection.java:85:75:85:94 | ... + ... |
-| LdapInjection.java:83:55:83:93 | jBadDNNameToString : String | LdapInjection.java:85:16:85:72 | toString(...) |
+| LdapInjection.java:83:55:83:93 | jBadDNNameToString : String | LdapInjection.java:85:29:85:60 | ... + ... : String |
+| LdapInjection.java:85:16:85:61 | new LdapName(...) : LdapName | LdapInjection.java:85:16:85:72 | toString(...) |
+| LdapInjection.java:85:29:85:60 | ... + ... : String | LdapInjection.java:85:16:85:61 | new LdapName(...) : LdapName |
 | LdapInjection.java:89:28:89:52 | jBad : String | LdapInjection.java:91:76:91:95 | ... + ... |
-| LdapInjection.java:89:55:89:90 | jBadDNNameClone : String | LdapInjection.java:91:16:91:73 | (...)... |
+| LdapInjection.java:89:55:89:90 | jBadDNNameClone : String | LdapInjection.java:91:36:91:64 | ... + ... : String |
+| LdapInjection.java:91:23:91:65 | new LdapName(...) : LdapName | LdapInjection.java:91:23:91:73 | clone(...) : Object |
+| LdapInjection.java:91:23:91:73 | clone(...) : Object | LdapInjection.java:91:16:91:73 | (...)... |
+| LdapInjection.java:91:36:91:64 | ... + ... : String | LdapInjection.java:91:23:91:65 | new LdapName(...) : LdapName |
 | LdapInjection.java:106:31:106:55 | uBad : String | LdapInjection.java:108:67:108:86 | ... + ... |
 | LdapInjection.java:106:58:106:84 | uBadDN : String | LdapInjection.java:108:20:108:39 | ... + ... |
-| LdapInjection.java:112:31:112:67 | uBadFilterCreate : String | LdapInjection.java:113:58:113:88 | create(...) |
-| LdapInjection.java:117:31:117:70 | uBadROSearchRequest : String | LdapInjection.java:121:14:121:14 | s |
-| LdapInjection.java:117:73:117:103 | uBadROSRDN : String | LdapInjection.java:121:14:121:14 | s |
-| LdapInjection.java:125:31:125:68 | uBadSearchRequest : String | LdapInjection.java:129:14:129:14 | s |
-| LdapInjection.java:125:71:125:99 | uBadSRDN : String | LdapInjection.java:129:14:129:14 | s |
+| LdapInjection.java:112:31:112:67 | uBadFilterCreate : String | LdapInjection.java:113:72:113:87 | uBadFilterCreate : String |
+| LdapInjection.java:113:72:113:87 | uBadFilterCreate : String | LdapInjection.java:113:58:113:88 | create(...) |
+| LdapInjection.java:117:31:117:70 | uBadROSearchRequest : String | LdapInjection.java:120:9:120:43 | ... + ... : String |
+| LdapInjection.java:117:73:117:103 | uBadROSRDN : String | LdapInjection.java:119:55:119:78 | ... + ... : String |
+| LdapInjection.java:119:31:120:44 | new SearchRequest(...) : SearchRequest | LdapInjection.java:121:14:121:14 | s |
+| LdapInjection.java:119:55:119:78 | ... + ... : String | LdapInjection.java:119:31:120:44 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:120:9:120:43 | ... + ... : String | LdapInjection.java:119:31:120:44 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:125:31:125:68 | uBadSearchRequest : String | LdapInjection.java:128:9:128:41 | ... + ... : String |
+| LdapInjection.java:125:71:125:99 | uBadSRDN : String | LdapInjection.java:127:47:127:68 | ... + ... : String |
+| LdapInjection.java:127:23:128:42 | new SearchRequest(...) : SearchRequest | LdapInjection.java:129:14:129:14 | s |
+| LdapInjection.java:127:47:127:68 | ... + ... : String | LdapInjection.java:127:23:128:42 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:128:9:128:41 | ... + ... : String | LdapInjection.java:127:23:128:42 | new SearchRequest(...) : SearchRequest |
 | LdapInjection.java:133:31:133:55 | uBad : String | LdapInjection.java:135:69:135:88 | ... + ... |
 | LdapInjection.java:133:58:133:87 | uBadDNSFR : String | LdapInjection.java:135:22:135:44 | ... + ... |
-| LdapInjection.java:139:31:139:75 | uBadROSearchRequestAsync : String | LdapInjection.java:143:19:143:19 | s |
-| LdapInjection.java:139:78:139:113 | uBadROSRDNAsync : String | LdapInjection.java:143:19:143:19 | s |
-| LdapInjection.java:147:31:147:73 | uBadSearchRequestAsync : String | LdapInjection.java:151:19:151:19 | s |
-| LdapInjection.java:147:76:147:109 | uBadSRDNAsync : String | LdapInjection.java:151:19:151:19 | s |
-| LdapInjection.java:155:31:155:70 | uBadFilterCreateNOT : String | LdapInjection.java:156:58:156:115 | createNOTFilter(...) |
-| LdapInjection.java:160:31:160:75 | uBadFilterCreateToString : String | LdapInjection.java:161:58:161:107 | toString(...) |
-| LdapInjection.java:165:32:165:82 | uBadFilterCreateToStringBuffer : String | LdapInjection.java:168:58:168:58 | b : StringBuilder |
+| LdapInjection.java:139:31:139:75 | uBadROSearchRequestAsync : String | LdapInjection.java:142:9:142:48 | ... + ... : String |
+| LdapInjection.java:139:78:139:113 | uBadROSRDNAsync : String | LdapInjection.java:141:55:141:83 | ... + ... : String |
+| LdapInjection.java:141:31:142:49 | new SearchRequest(...) : SearchRequest | LdapInjection.java:143:19:143:19 | s |
+| LdapInjection.java:141:55:141:83 | ... + ... : String | LdapInjection.java:141:31:142:49 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:142:9:142:48 | ... + ... : String | LdapInjection.java:141:31:142:49 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:147:31:147:73 | uBadSearchRequestAsync : String | LdapInjection.java:150:9:150:46 | ... + ... : String |
+| LdapInjection.java:147:76:147:109 | uBadSRDNAsync : String | LdapInjection.java:149:47:149:73 | ... + ... : String |
+| LdapInjection.java:149:23:150:47 | new SearchRequest(...) : SearchRequest | LdapInjection.java:151:19:151:19 | s |
+| LdapInjection.java:149:47:149:73 | ... + ... : String | LdapInjection.java:149:23:150:47 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:150:9:150:46 | ... + ... : String | LdapInjection.java:149:23:150:47 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:155:31:155:70 | uBadFilterCreateNOT : String | LdapInjection.java:156:95:156:113 | uBadFilterCreateNOT : String |
+| LdapInjection.java:156:81:156:114 | create(...) : Filter | LdapInjection.java:156:58:156:115 | createNOTFilter(...) |
+| LdapInjection.java:156:95:156:113 | uBadFilterCreateNOT : String | LdapInjection.java:156:81:156:114 | create(...) : Filter |
+| LdapInjection.java:160:31:160:75 | uBadFilterCreateToString : String | LdapInjection.java:161:72:161:95 | uBadFilterCreateToString : String |
+| LdapInjection.java:161:58:161:96 | create(...) : Filter | LdapInjection.java:161:58:161:107 | toString(...) |
+| LdapInjection.java:161:72:161:95 | uBadFilterCreateToString : String | LdapInjection.java:161:58:161:96 | create(...) : Filter |
+| LdapInjection.java:165:32:165:82 | uBadFilterCreateToStringBuffer : String | LdapInjection.java:167:19:167:48 | uBadFilterCreateToStringBuffer : String |
+| LdapInjection.java:167:5:167:49 | create(...) : Filter | LdapInjection.java:167:70:167:70 | b : StringBuilder |
+| LdapInjection.java:167:19:167:48 | uBadFilterCreateToStringBuffer : String | LdapInjection.java:167:5:167:49 | create(...) : Filter |
+| LdapInjection.java:167:70:167:70 | b : StringBuilder | LdapInjection.java:168:58:168:58 | b : StringBuilder |
 | LdapInjection.java:168:58:168:58 | b : StringBuilder | LdapInjection.java:168:58:168:69 | toString(...) |
-| LdapInjection.java:172:32:172:78 | uBadSearchRequestDuplicate : String | LdapInjection.java:176:14:176:26 | duplicate(...) |
-| LdapInjection.java:180:32:180:80 | uBadROSearchRequestDuplicate : String | LdapInjection.java:184:14:184:26 | duplicate(...) |
-| LdapInjection.java:188:32:188:74 | uBadSearchRequestSetDN : String | LdapInjection.java:192:14:192:14 | s |
-| LdapInjection.java:196:32:196:78 | uBadSearchRequestSetFilter : String | LdapInjection.java:200:14:200:14 | s |
+| LdapInjection.java:172:32:172:78 | uBadSearchRequestDuplicate : String | LdapInjection.java:175:9:175:50 | ... + ... : String |
+| LdapInjection.java:174:23:175:51 | new SearchRequest(...) : SearchRequest | LdapInjection.java:176:14:176:14 | s : SearchRequest |
+| LdapInjection.java:175:9:175:50 | ... + ... : String | LdapInjection.java:174:23:175:51 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:176:14:176:14 | s : SearchRequest | LdapInjection.java:176:14:176:26 | duplicate(...) |
+| LdapInjection.java:180:32:180:80 | uBadROSearchRequestDuplicate : String | LdapInjection.java:183:9:183:52 | ... + ... : String |
+| LdapInjection.java:182:31:183:53 | new SearchRequest(...) : SearchRequest | LdapInjection.java:184:14:184:14 | s : SearchRequest |
+| LdapInjection.java:183:9:183:52 | ... + ... : String | LdapInjection.java:182:31:183:53 | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:184:14:184:14 | s : SearchRequest | LdapInjection.java:184:14:184:26 | duplicate(...) |
+| LdapInjection.java:188:32:188:74 | uBadSearchRequestSetDN : String | LdapInjection.java:191:17:191:38 | uBadSearchRequestSetDN : String |
+| LdapInjection.java:191:5:191:5 | s : SearchRequest | LdapInjection.java:192:14:192:14 | s |
+| LdapInjection.java:191:17:191:38 | uBadSearchRequestSetDN : String | LdapInjection.java:191:5:191:5 | s : SearchRequest |
+| LdapInjection.java:196:32:196:78 | uBadSearchRequestSetFilter : String | LdapInjection.java:199:17:199:42 | uBadSearchRequestSetFilter : String |
+| LdapInjection.java:199:5:199:5 | s : SearchRequest | LdapInjection.java:200:14:200:14 | s |
+| LdapInjection.java:199:17:199:42 | uBadSearchRequestSetFilter : String | LdapInjection.java:199:5:199:5 | s : SearchRequest |
 | LdapInjection.java:229:30:229:54 | sBad : String | LdapInjection.java:230:36:230:55 | ... + ... |
 | LdapInjection.java:229:57:229:83 | sBadDN : String | LdapInjection.java:230:14:230:33 | ... + ... |
 | LdapInjection.java:234:30:234:54 | sBad : String | LdapInjection.java:235:88:235:107 | ... + ... |
-| LdapInjection.java:234:57:234:92 | sBadDNLNBuilder : String | LdapInjection.java:235:20:235:85 | build(...) |
+| LdapInjection.java:234:57:234:92 | sBadDNLNBuilder : String | LdapInjection.java:235:48:235:76 | ... + ... : String |
+| LdapInjection.java:235:20:235:77 | newInstance(...) : LdapNameBuilder | LdapInjection.java:235:20:235:85 | build(...) |
+| LdapInjection.java:235:48:235:76 | ... + ... : String | LdapInjection.java:235:20:235:77 | newInstance(...) : LdapNameBuilder |
 | LdapInjection.java:239:30:239:54 | sBad : String | LdapInjection.java:240:100:240:119 | ... + ... |
-| LdapInjection.java:239:57:239:95 | sBadDNLNBuilderAdd : String | LdapInjection.java:240:23:240:97 | build(...) |
-| LdapInjection.java:244:30:244:63 | sBadLdapQuery : String | LdapInjection.java:245:15:245:76 | filter(...) |
-| LdapInjection.java:249:30:249:60 | sBadFilter : String | LdapInjection.java:250:66:250:112 | new HardcodedFilter(...) |
-| LdapInjection.java:249:63:249:98 | sBadDNLdapUtils : String | LdapInjection.java:250:12:250:63 | newLdapName(...) |
-| LdapInjection.java:254:30:254:63 | sBadLdapQuery : String | LdapInjection.java:255:24:255:85 | filter(...) |
-| LdapInjection.java:259:30:259:64 | sBadLdapQuery2 : String | LdapInjection.java:261:24:261:24 | q |
-| LdapInjection.java:265:30:265:73 | sBadLdapQueryWithFilter : String | LdapInjection.java:266:24:266:116 | filter(...) |
-| LdapInjection.java:270:30:270:74 | sBadLdapQueryWithFilter2 : String | LdapInjection.java:272:24:272:57 | filter(...) |
-| LdapInjection.java:276:31:276:68 | sBadLdapQueryBase : String | LdapInjection.java:277:12:277:66 | base(...) |
-| LdapInjection.java:281:31:281:71 | sBadLdapQueryComplex : String | LdapInjection.java:282:24:282:98 | is(...) |
-| LdapInjection.java:286:31:286:69 | sBadFilterToString : String | LdapInjection.java:287:18:287:83 | toString(...) |
-| LdapInjection.java:291:31:291:67 | sBadFilterEncode : String | LdapInjection.java:294:18:294:18 | s : StringBuffer |
+| LdapInjection.java:239:57:239:95 | sBadDNLNBuilderAdd : String | LdapInjection.java:240:57:240:88 | ... + ... : String |
+| LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder | LdapInjection.java:240:23:240:97 | build(...) |
+| LdapInjection.java:240:57:240:88 | ... + ... : String | LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder |
+| LdapInjection.java:244:30:244:63 | sBadLdapQuery : String | LdapInjection.java:245:47:245:75 | ... + ... : String |
+| LdapInjection.java:245:47:245:75 | ... + ... : String | LdapInjection.java:245:15:245:76 | filter(...) |
+| LdapInjection.java:249:30:249:60 | sBadFilter : String | LdapInjection.java:250:86:250:111 | ... + ... : String |
+| LdapInjection.java:249:63:249:98 | sBadDNLdapUtils : String | LdapInjection.java:250:34:250:62 | ... + ... : String |
+| LdapInjection.java:250:34:250:62 | ... + ... : String | LdapInjection.java:250:12:250:63 | newLdapName(...) |
+| LdapInjection.java:250:86:250:111 | ... + ... : String | LdapInjection.java:250:66:250:112 | new HardcodedFilter(...) |
+| LdapInjection.java:254:30:254:63 | sBadLdapQuery : String | LdapInjection.java:255:56:255:84 | ... + ... : String |
+| LdapInjection.java:255:56:255:84 | ... + ... : String | LdapInjection.java:255:24:255:85 | filter(...) |
+| LdapInjection.java:259:30:259:64 | sBadLdapQuery2 : String | LdapInjection.java:260:51:260:80 | ... + ... : String |
+| LdapInjection.java:260:19:260:81 | filter(...) : LdapQuery | LdapInjection.java:261:24:261:24 | q |
+| LdapInjection.java:260:51:260:80 | ... + ... : String | LdapInjection.java:260:19:260:81 | filter(...) : LdapQuery |
+| LdapInjection.java:265:30:265:73 | sBadLdapQueryWithFilter : String | LdapInjection.java:266:76:266:114 | ... + ... : String |
+| LdapInjection.java:266:56:266:115 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:266:24:266:116 | filter(...) |
+| LdapInjection.java:266:76:266:114 | ... + ... : String | LdapInjection.java:266:56:266:115 | new HardcodedFilter(...) : HardcodedFilter |
+| LdapInjection.java:270:30:270:74 | sBadLdapQueryWithFilter2 : String | LdapInjection.java:271:68:271:107 | ... + ... : String |
+| LdapInjection.java:271:48:271:108 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:272:56:272:56 | f : HardcodedFilter |
+| LdapInjection.java:271:68:271:107 | ... + ... : String | LdapInjection.java:271:48:271:108 | new HardcodedFilter(...) : HardcodedFilter |
+| LdapInjection.java:272:56:272:56 | f : HardcodedFilter | LdapInjection.java:272:24:272:57 | filter(...) |
+| LdapInjection.java:276:31:276:68 | sBadLdapQueryBase : String | LdapInjection.java:277:42:277:58 | sBadLdapQueryBase : String |
+| LdapInjection.java:277:12:277:59 | base(...) : LdapQueryBuilder | LdapInjection.java:277:12:277:66 | base(...) |
+| LdapInjection.java:277:42:277:58 | sBadLdapQueryBase : String | LdapInjection.java:277:12:277:59 | base(...) : LdapQueryBuilder |
+| LdapInjection.java:281:31:281:71 | sBadLdapQueryComplex : String | LdapInjection.java:282:54:282:73 | sBadLdapQueryComplex : String |
+| LdapInjection.java:282:24:282:74 | base(...) : LdapQueryBuilder | LdapInjection.java:282:24:282:87 | where(...) : ConditionCriteria |
+| LdapInjection.java:282:24:282:87 | where(...) : ConditionCriteria | LdapInjection.java:282:24:282:98 | is(...) |
+| LdapInjection.java:282:54:282:73 | sBadLdapQueryComplex : String | LdapInjection.java:282:24:282:74 | base(...) : LdapQueryBuilder |
+| LdapInjection.java:286:31:286:69 | sBadFilterToString : String | LdapInjection.java:287:38:287:71 | ... + ... : String |
+| LdapInjection.java:287:18:287:72 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:287:18:287:83 | toString(...) |
+| LdapInjection.java:287:38:287:71 | ... + ... : String | LdapInjection.java:287:18:287:72 | new HardcodedFilter(...) : HardcodedFilter |
+| LdapInjection.java:291:31:291:67 | sBadFilterEncode : String | LdapInjection.java:293:25:293:56 | ... + ... : String |
+| LdapInjection.java:293:5:293:57 | new HardcodedFilter(...) : HardcodedFilter | LdapInjection.java:293:66:293:66 | s : StringBuffer |
+| LdapInjection.java:293:25:293:56 | ... + ... : String | LdapInjection.java:293:5:293:57 | new HardcodedFilter(...) : HardcodedFilter |
+| LdapInjection.java:293:66:293:66 | s : StringBuffer | LdapInjection.java:294:18:294:18 | s : StringBuffer |
 | LdapInjection.java:294:18:294:18 | s : StringBuffer | LdapInjection.java:294:18:294:29 | toString(...) |
 | LdapInjection.java:314:30:314:54 | aBad : String | LdapInjection.java:316:36:316:55 | ... + ... |
 | LdapInjection.java:314:57:314:83 | aBadDN : String | LdapInjection.java:316:14:316:33 | ... + ... |
 | LdapInjection.java:320:30:320:54 | aBad : String | LdapInjection.java:322:65:322:84 | ... + ... |
-| LdapInjection.java:320:57:320:94 | aBadDNObjToString : String | LdapInjection.java:322:14:322:62 | getName(...) |
-| LdapInjection.java:326:30:326:67 | aBadSearchRequest : String | LdapInjection.java:330:14:330:14 | s |
-| LdapInjection.java:334:74:334:103 | aBadDNObj : String | LdapInjection.java:338:14:338:14 | s |
-| LdapInjection.java:342:30:342:72 | aBadDNSearchRequestGet : String | LdapInjection.java:346:14:346:24 | getBase(...) |
+| LdapInjection.java:320:57:320:94 | aBadDNObjToString : String | LdapInjection.java:322:21:322:51 | ... + ... : String |
+| LdapInjection.java:322:14:322:52 | new Dn(...) : Dn | LdapInjection.java:322:14:322:62 | getName(...) |
+| LdapInjection.java:322:21:322:51 | ... + ... : String | LdapInjection.java:322:14:322:52 | new Dn(...) : Dn |
+| LdapInjection.java:326:30:326:67 | aBadSearchRequest : String | LdapInjection.java:329:17:329:49 | ... + ... : String |
+| LdapInjection.java:329:5:329:5 | s : SearchRequestImpl | LdapInjection.java:330:14:330:14 | s |
+| LdapInjection.java:329:17:329:49 | ... + ... : String | LdapInjection.java:329:5:329:5 | s : SearchRequestImpl |
+| LdapInjection.java:334:74:334:103 | aBadDNObj : String | LdapInjection.java:337:22:337:44 | ... + ... : String |
+| LdapInjection.java:337:5:337:5 | s : SearchRequestImpl | LdapInjection.java:338:14:338:14 | s |
+| LdapInjection.java:337:15:337:45 | new Dn(...) : Dn | LdapInjection.java:337:5:337:5 | s : SearchRequestImpl |
+| LdapInjection.java:337:22:337:44 | ... + ... : String | LdapInjection.java:337:15:337:45 | new Dn(...) : Dn |
+| LdapInjection.java:342:30:342:72 | aBadDNSearchRequestGet : String | LdapInjection.java:345:22:345:57 | ... + ... : String |
+| LdapInjection.java:345:5:345:5 | s : SearchRequestImpl | LdapInjection.java:346:14:346:14 | s : SearchRequestImpl |
+| LdapInjection.java:345:15:345:58 | new Dn(...) : Dn | LdapInjection.java:345:5:345:5 | s : SearchRequestImpl |
+| LdapInjection.java:345:22:345:57 | ... + ... : String | LdapInjection.java:345:15:345:58 | new Dn(...) : Dn |
+| LdapInjection.java:346:14:346:14 | s : SearchRequestImpl | LdapInjection.java:346:14:346:24 | getBase(...) |
 nodes
 | LdapInjection.java:45:28:45:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:45:55:45:81 | jBadDN : String | semmle.label | jBadDN : String |
@@ -67,6 +146,7 @@ nodes
 | LdapInjection.java:51:28:51:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:51:55:51:85 | jBadDNName : String | semmle.label | jBadDNName : String |
 | LdapInjection.java:53:16:53:53 | new LdapName(...) | semmle.label | new LdapName(...) |
+| LdapInjection.java:53:29:53:52 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:53:56:53:75 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:57:28:57:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:59:63:59:82 | ... + ... | semmle.label | ... + ... |
@@ -75,18 +155,30 @@ nodes
 | LdapInjection.java:69:28:69:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:69:55:69:88 | jBadDNNameAdd : String | semmle.label | jBadDNNameAdd : String |
 | LdapInjection.java:71:16:71:81 | addAll(...) | semmle.label | addAll(...) |
+| LdapInjection.java:71:40:71:80 | new LdapName(...) : LdapName | semmle.label | new LdapName(...) : LdapName |
+| LdapInjection.java:71:53:71:79 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:71:84:71:103 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:75:28:75:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:75:55:75:89 | jBadDNNameAdd2 : String | semmle.label | jBadDNNameAdd2 : String |
+| LdapInjection.java:78:5:78:8 | name : LdapName | semmle.label | name : LdapName |
+| LdapInjection.java:78:17:78:58 | new LdapName(...) : LdapName | semmle.label | new LdapName(...) : LdapName |
+| LdapInjection.java:78:17:78:68 | getRdns(...) : List | semmle.label | getRdns(...) : List |
+| LdapInjection.java:78:30:78:57 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:79:16:79:44 | addAll(...) | semmle.label | addAll(...) |
+| LdapInjection.java:79:40:79:43 | name : LdapName | semmle.label | name : LdapName |
 | LdapInjection.java:79:47:79:66 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:83:28:83:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:83:55:83:93 | jBadDNNameToString : String | semmle.label | jBadDNNameToString : String |
+| LdapInjection.java:85:16:85:61 | new LdapName(...) : LdapName | semmle.label | new LdapName(...) : LdapName |
 | LdapInjection.java:85:16:85:72 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:85:29:85:60 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:85:75:85:94 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:89:28:89:52 | jBad : String | semmle.label | jBad : String |
 | LdapInjection.java:89:55:89:90 | jBadDNNameClone : String | semmle.label | jBadDNNameClone : String |
 | LdapInjection.java:91:16:91:73 | (...)... | semmle.label | (...)... |
+| LdapInjection.java:91:23:91:65 | new LdapName(...) : LdapName | semmle.label | new LdapName(...) : LdapName |
+| LdapInjection.java:91:23:91:73 | clone(...) : Object | semmle.label | clone(...) : Object |
+| LdapInjection.java:91:36:91:64 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:91:76:91:95 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:106:31:106:55 | uBad : String | semmle.label | uBad : String |
 | LdapInjection.java:106:58:106:84 | uBadDN : String | semmle.label | uBadDN : String |
@@ -94,11 +186,18 @@ nodes
 | LdapInjection.java:108:67:108:86 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:112:31:112:67 | uBadFilterCreate : String | semmle.label | uBadFilterCreate : String |
 | LdapInjection.java:113:58:113:88 | create(...) | semmle.label | create(...) |
+| LdapInjection.java:113:72:113:87 | uBadFilterCreate : String | semmle.label | uBadFilterCreate : String |
 | LdapInjection.java:117:31:117:70 | uBadROSearchRequest : String | semmle.label | uBadROSearchRequest : String |
 | LdapInjection.java:117:73:117:103 | uBadROSRDN : String | semmle.label | uBadROSRDN : String |
+| LdapInjection.java:119:31:120:44 | new SearchRequest(...) : SearchRequest | semmle.label | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:119:55:119:78 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:120:9:120:43 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:121:14:121:14 | s | semmle.label | s |
 | LdapInjection.java:125:31:125:68 | uBadSearchRequest : String | semmle.label | uBadSearchRequest : String |
 | LdapInjection.java:125:71:125:99 | uBadSRDN : String | semmle.label | uBadSRDN : String |
+| LdapInjection.java:127:23:128:42 | new SearchRequest(...) : SearchRequest | semmle.label | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:127:47:127:68 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:128:9:128:41 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:129:14:129:14 | s | semmle.label | s |
 | LdapInjection.java:133:31:133:55 | uBad : String | semmle.label | uBad : String |
 | LdapInjection.java:133:58:133:87 | uBadDNSFR : String | semmle.label | uBadDNSFR : String |
@@ -106,24 +205,47 @@ nodes
 | LdapInjection.java:135:69:135:88 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:139:31:139:75 | uBadROSearchRequestAsync : String | semmle.label | uBadROSearchRequestAsync : String |
 | LdapInjection.java:139:78:139:113 | uBadROSRDNAsync : String | semmle.label | uBadROSRDNAsync : String |
+| LdapInjection.java:141:31:142:49 | new SearchRequest(...) : SearchRequest | semmle.label | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:141:55:141:83 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:142:9:142:48 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:143:19:143:19 | s | semmle.label | s |
 | LdapInjection.java:147:31:147:73 | uBadSearchRequestAsync : String | semmle.label | uBadSearchRequestAsync : String |
 | LdapInjection.java:147:76:147:109 | uBadSRDNAsync : String | semmle.label | uBadSRDNAsync : String |
+| LdapInjection.java:149:23:150:47 | new SearchRequest(...) : SearchRequest | semmle.label | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:149:47:149:73 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:150:9:150:46 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:151:19:151:19 | s | semmle.label | s |
 | LdapInjection.java:155:31:155:70 | uBadFilterCreateNOT : String | semmle.label | uBadFilterCreateNOT : String |
 | LdapInjection.java:156:58:156:115 | createNOTFilter(...) | semmle.label | createNOTFilter(...) |
+| LdapInjection.java:156:81:156:114 | create(...) : Filter | semmle.label | create(...) : Filter |
+| LdapInjection.java:156:95:156:113 | uBadFilterCreateNOT : String | semmle.label | uBadFilterCreateNOT : String |
 | LdapInjection.java:160:31:160:75 | uBadFilterCreateToString : String | semmle.label | uBadFilterCreateToString : String |
+| LdapInjection.java:161:58:161:96 | create(...) : Filter | semmle.label | create(...) : Filter |
 | LdapInjection.java:161:58:161:107 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:161:72:161:95 | uBadFilterCreateToString : String | semmle.label | uBadFilterCreateToString : String |
 | LdapInjection.java:165:32:165:82 | uBadFilterCreateToStringBuffer : String | semmle.label | uBadFilterCreateToStringBuffer : String |
+| LdapInjection.java:167:5:167:49 | create(...) : Filter | semmle.label | create(...) : Filter |
+| LdapInjection.java:167:19:167:48 | uBadFilterCreateToStringBuffer : String | semmle.label | uBadFilterCreateToStringBuffer : String |
+| LdapInjection.java:167:70:167:70 | b : StringBuilder | semmle.label | b : StringBuilder |
 | LdapInjection.java:168:58:168:58 | b : StringBuilder | semmle.label | b : StringBuilder |
 | LdapInjection.java:168:58:168:69 | toString(...) | semmle.label | toString(...) |
 | LdapInjection.java:172:32:172:78 | uBadSearchRequestDuplicate : String | semmle.label | uBadSearchRequestDuplicate : String |
+| LdapInjection.java:174:23:175:51 | new SearchRequest(...) : SearchRequest | semmle.label | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:175:9:175:50 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:176:14:176:14 | s : SearchRequest | semmle.label | s : SearchRequest |
 | LdapInjection.java:176:14:176:26 | duplicate(...) | semmle.label | duplicate(...) |
 | LdapInjection.java:180:32:180:80 | uBadROSearchRequestDuplicate : String | semmle.label | uBadROSearchRequestDuplicate : String |
+| LdapInjection.java:182:31:183:53 | new SearchRequest(...) : SearchRequest | semmle.label | new SearchRequest(...) : SearchRequest |
+| LdapInjection.java:183:9:183:52 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:184:14:184:14 | s : SearchRequest | semmle.label | s : SearchRequest |
 | LdapInjection.java:184:14:184:26 | duplicate(...) | semmle.label | duplicate(...) |
 | LdapInjection.java:188:32:188:74 | uBadSearchRequestSetDN : String | semmle.label | uBadSearchRequestSetDN : String |
+| LdapInjection.java:191:5:191:5 | s : SearchRequest | semmle.label | s : SearchRequest |
+| LdapInjection.java:191:17:191:38 | uBadSearchRequestSetDN : String | semmle.label | uBadSearchRequestSetDN : String |
 | LdapInjection.java:192:14:192:14 | s | semmle.label | s |
 | LdapInjection.java:196:32:196:78 | uBadSearchRequestSetFilter : String | semmle.label | uBadSearchRequestSetFilter : String |
+| LdapInjection.java:199:5:199:5 | s : SearchRequest | semmle.label | s : SearchRequest |
+| LdapInjection.java:199:17:199:42 | uBadSearchRequestSetFilter : String | semmle.label | uBadSearchRequestSetFilter : String |
 | LdapInjection.java:200:14:200:14 | s | semmle.label | s |
 | LdapInjection.java:229:30:229:54 | sBad : String | semmle.label | sBad : String |
 | LdapInjection.java:229:57:229:83 | sBadDN : String | semmle.label | sBadDN : String |
@@ -131,33 +253,58 @@ nodes
 | LdapInjection.java:230:36:230:55 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:234:30:234:54 | sBad : String | semmle.label | sBad : String |
 | LdapInjection.java:234:57:234:92 | sBadDNLNBuilder : String | semmle.label | sBadDNLNBuilder : String |
+| LdapInjection.java:235:20:235:77 | newInstance(...) : LdapNameBuilder | semmle.label | newInstance(...) : LdapNameBuilder |
 | LdapInjection.java:235:20:235:85 | build(...) | semmle.label | build(...) |
+| LdapInjection.java:235:48:235:76 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:235:88:235:107 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:239:30:239:54 | sBad : String | semmle.label | sBad : String |
 | LdapInjection.java:239:57:239:95 | sBadDNLNBuilderAdd : String | semmle.label | sBadDNLNBuilderAdd : String |
+| LdapInjection.java:240:23:240:89 | add(...) : LdapNameBuilder | semmle.label | add(...) : LdapNameBuilder |
 | LdapInjection.java:240:23:240:97 | build(...) | semmle.label | build(...) |
+| LdapInjection.java:240:57:240:88 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:240:100:240:119 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:244:30:244:63 | sBadLdapQuery : String | semmle.label | sBadLdapQuery : String |
 | LdapInjection.java:245:15:245:76 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:245:47:245:75 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:249:30:249:60 | sBadFilter : String | semmle.label | sBadFilter : String |
 | LdapInjection.java:249:63:249:98 | sBadDNLdapUtils : String | semmle.label | sBadDNLdapUtils : String |
 | LdapInjection.java:250:12:250:63 | newLdapName(...) | semmle.label | newLdapName(...) |
+| LdapInjection.java:250:34:250:62 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:250:66:250:112 | new HardcodedFilter(...) | semmle.label | new HardcodedFilter(...) |
+| LdapInjection.java:250:86:250:111 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:254:30:254:63 | sBadLdapQuery : String | semmle.label | sBadLdapQuery : String |
 | LdapInjection.java:255:24:255:85 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:255:56:255:84 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:259:30:259:64 | sBadLdapQuery2 : String | semmle.label | sBadLdapQuery2 : String |
+| LdapInjection.java:260:19:260:81 | filter(...) : LdapQuery | semmle.label | filter(...) : LdapQuery |
+| LdapInjection.java:260:51:260:80 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:261:24:261:24 | q | semmle.label | q |
 | LdapInjection.java:265:30:265:73 | sBadLdapQueryWithFilter : String | semmle.label | sBadLdapQueryWithFilter : String |
 | LdapInjection.java:266:24:266:116 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:266:56:266:115 | new HardcodedFilter(...) : HardcodedFilter | semmle.label | new HardcodedFilter(...) : HardcodedFilter |
+| LdapInjection.java:266:76:266:114 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:270:30:270:74 | sBadLdapQueryWithFilter2 : String | semmle.label | sBadLdapQueryWithFilter2 : String |
+| LdapInjection.java:271:48:271:108 | new HardcodedFilter(...) : HardcodedFilter | semmle.label | new HardcodedFilter(...) : HardcodedFilter |
+| LdapInjection.java:271:68:271:107 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:272:24:272:57 | filter(...) | semmle.label | filter(...) |
+| LdapInjection.java:272:56:272:56 | f : HardcodedFilter | semmle.label | f : HardcodedFilter |
 | LdapInjection.java:276:31:276:68 | sBadLdapQueryBase : String | semmle.label | sBadLdapQueryBase : String |
+| LdapInjection.java:277:12:277:59 | base(...) : LdapQueryBuilder | semmle.label | base(...) : LdapQueryBuilder |
 | LdapInjection.java:277:12:277:66 | base(...) | semmle.label | base(...) |
+| LdapInjection.java:277:42:277:58 | sBadLdapQueryBase : String | semmle.label | sBadLdapQueryBase : String |
 | LdapInjection.java:281:31:281:71 | sBadLdapQueryComplex : String | semmle.label | sBadLdapQueryComplex : String |
+| LdapInjection.java:282:24:282:74 | base(...) : LdapQueryBuilder | semmle.label | base(...) : LdapQueryBuilder |
+| LdapInjection.java:282:24:282:87 | where(...) : ConditionCriteria | semmle.label | where(...) : ConditionCriteria |
 | LdapInjection.java:282:24:282:98 | is(...) | semmle.label | is(...) |
+| LdapInjection.java:282:54:282:73 | sBadLdapQueryComplex : String | semmle.label | sBadLdapQueryComplex : String |
 | LdapInjection.java:286:31:286:69 | sBadFilterToString : String | semmle.label | sBadFilterToString : String |
+| LdapInjection.java:287:18:287:72 | new HardcodedFilter(...) : HardcodedFilter | semmle.label | new HardcodedFilter(...) : HardcodedFilter |
 | LdapInjection.java:287:18:287:83 | toString(...) | semmle.label | toString(...) |
+| LdapInjection.java:287:38:287:71 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:291:31:291:67 | sBadFilterEncode : String | semmle.label | sBadFilterEncode : String |
+| LdapInjection.java:293:5:293:57 | new HardcodedFilter(...) : HardcodedFilter | semmle.label | new HardcodedFilter(...) : HardcodedFilter |
+| LdapInjection.java:293:25:293:56 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:293:66:293:66 | s : StringBuffer | semmle.label | s : StringBuffer |
 | LdapInjection.java:294:18:294:18 | s : StringBuffer | semmle.label | s : StringBuffer |
 | LdapInjection.java:294:18:294:29 | toString(...) | semmle.label | toString(...) |
 | LdapInjection.java:314:30:314:54 | aBad : String | semmle.label | aBad : String |
@@ -166,13 +313,24 @@ nodes
 | LdapInjection.java:316:36:316:55 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:320:30:320:54 | aBad : String | semmle.label | aBad : String |
 | LdapInjection.java:320:57:320:94 | aBadDNObjToString : String | semmle.label | aBadDNObjToString : String |
+| LdapInjection.java:322:14:322:52 | new Dn(...) : Dn | semmle.label | new Dn(...) : Dn |
 | LdapInjection.java:322:14:322:62 | getName(...) | semmle.label | getName(...) |
+| LdapInjection.java:322:21:322:51 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:322:65:322:84 | ... + ... | semmle.label | ... + ... |
 | LdapInjection.java:326:30:326:67 | aBadSearchRequest : String | semmle.label | aBadSearchRequest : String |
+| LdapInjection.java:329:5:329:5 | s : SearchRequestImpl | semmle.label | s : SearchRequestImpl |
+| LdapInjection.java:329:17:329:49 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:330:14:330:14 | s | semmle.label | s |
 | LdapInjection.java:334:74:334:103 | aBadDNObj : String | semmle.label | aBadDNObj : String |
+| LdapInjection.java:337:5:337:5 | s : SearchRequestImpl | semmle.label | s : SearchRequestImpl |
+| LdapInjection.java:337:15:337:45 | new Dn(...) : Dn | semmle.label | new Dn(...) : Dn |
+| LdapInjection.java:337:22:337:44 | ... + ... : String | semmle.label | ... + ... : String |
 | LdapInjection.java:338:14:338:14 | s | semmle.label | s |
 | LdapInjection.java:342:30:342:72 | aBadDNSearchRequestGet : String | semmle.label | aBadDNSearchRequestGet : String |
+| LdapInjection.java:345:5:345:5 | s : SearchRequestImpl | semmle.label | s : SearchRequestImpl |
+| LdapInjection.java:345:15:345:58 | new Dn(...) : Dn | semmle.label | new Dn(...) : Dn |
+| LdapInjection.java:345:22:345:57 | ... + ... : String | semmle.label | ... + ... : String |
+| LdapInjection.java:346:14:346:14 | s : SearchRequestImpl | semmle.label | s : SearchRequestImpl |
 | LdapInjection.java:346:14:346:24 | getBase(...) | semmle.label | getBase(...) |
 subpaths
 #select
--- a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected
+++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.expected
@@ -1,26 +1,32 @@
 edges
 | HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:24:21:24:56 | ... + ... : String |
-| HttpsUrlsTest.java:23:23:23:31 | "http://" : String | HttpsUrlsTest.java:28:50:28:50 | u |
 | HttpsUrlsTest.java:24:13:24:57 | new URL(...) : URL | HttpsUrlsTest.java:28:50:28:50 | u |
 | HttpsUrlsTest.java:24:21:24:56 | ... + ... : String | HttpsUrlsTest.java:24:13:24:57 | new URL(...) : URL |
-| HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:41:50:41:50 | u |
+| HttpsUrlsTest.java:36:23:36:28 | "http" : String | HttpsUrlsTest.java:37:21:37:28 | protocol : String |
+| HttpsUrlsTest.java:37:13:37:62 | new URL(...) : URL | HttpsUrlsTest.java:41:50:41:50 | u |
+| HttpsUrlsTest.java:37:21:37:28 | protocol : String | HttpsUrlsTest.java:37:13:37:62 | new URL(...) : URL |
 | HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:51:64:51:98 | ... + ... : String |
-| HttpsUrlsTest.java:49:23:49:31 | "http://" : String | HttpsUrlsTest.java:55:50:55:50 | u |
 | HttpsUrlsTest.java:51:13:51:99 | new URL(...) : URL | HttpsUrlsTest.java:55:50:55:50 | u |
 | HttpsUrlsTest.java:51:64:51:98 | ... + ... : String | HttpsUrlsTest.java:51:13:51:99 | new URL(...) : URL |
-| HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:92:50:92:50 | u |
+| HttpsUrlsTest.java:87:23:87:28 | "http" : String | HttpsUrlsTest.java:88:21:88:28 | protocol : String |
+| HttpsUrlsTest.java:88:13:88:52 | new URL(...) : URL | HttpsUrlsTest.java:92:50:92:50 | u |
+| HttpsUrlsTest.java:88:21:88:28 | protocol : String | HttpsUrlsTest.java:88:13:88:52 | new URL(...) : URL |
 nodes
 | HttpsUrlsTest.java:23:23:23:31 | "http://" : String | semmle.label | "http://" : String |
 | HttpsUrlsTest.java:24:13:24:57 | new URL(...) : URL | semmle.label | new URL(...) : URL |
 | HttpsUrlsTest.java:24:21:24:56 | ... + ... : String | semmle.label | ... + ... : String |
 | HttpsUrlsTest.java:28:50:28:50 | u | semmle.label | u |
 | HttpsUrlsTest.java:36:23:36:28 | "http" : String | semmle.label | "http" : String |
+| HttpsUrlsTest.java:37:13:37:62 | new URL(...) : URL | semmle.label | new URL(...) : URL |
+| HttpsUrlsTest.java:37:21:37:28 | protocol : String | semmle.label | protocol : String |
 | HttpsUrlsTest.java:41:50:41:50 | u | semmle.label | u |
 | HttpsUrlsTest.java:49:23:49:31 | "http://" : String | semmle.label | "http://" : String |
 | HttpsUrlsTest.java:51:13:51:99 | new URL(...) : URL | semmle.label | new URL(...) : URL |
 | HttpsUrlsTest.java:51:64:51:98 | ... + ... : String | semmle.label | ... + ... : String |
 | HttpsUrlsTest.java:55:50:55:50 | u | semmle.label | u |
 | HttpsUrlsTest.java:87:23:87:28 | "http" : String | semmle.label | "http" : String |
+| HttpsUrlsTest.java:88:13:88:52 | new URL(...) : URL | semmle.label | new URL(...) : URL |
+| HttpsUrlsTest.java:88:21:88:28 | protocol : String | semmle.label | protocol : String |
 | HttpsUrlsTest.java:92:50:92:50 | u | semmle.label | u |
 subpaths
 #select