From 407dcea75144aeba01a682df9bef3e705af0b84d Mon Sep 17 00:00:00 2001
From: haby0
Date: Thu, 22 Apr 2021 19:20:54 +0800
Subject: [PATCH] add String type startsWith

---
 .../Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
index 796fa9d3fc3..be2aef5e9c7 100644
--- a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -52,11 +52,13 @@ private class CompareSink extends UseOfLessTrustedSink {
 )
 or
 exists(MethodAccess ma |
- ma.getMethod().hasName("contains") and
+ ma.getMethod().getName() in ["contains", "startsWith"] and
 ma.getMethod().getDeclaringType() instanceof TypeString and
 ma.getMethod().getNumberOfParameters() = 1 and
 ma.getQualifier() = this.asExpr() and
- not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in ["", "unknown"]
+ not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue().toLowerCase() in [
+ "", "unknown"
+ ]
 )
 or
 exists(MethodAccess ma |
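Review bot: The method-name check on the first added line switches from `hasName` to `getName() in [...]`, but CodeQL's `hasName` already accepts a set literal, so `ma.getMethod().hasName(["contains", "startsWith"]) and` keeps the style of the line it replaces and of the sibling `exists` blocks. The `getNumberOfParameters() = 1` conjunct is what keeps the two-argument `String.startsWith(String, int)` overload out of this sink, which is now worth saying on that line: `// one-argument overload only; startsWith(String, int) is intentionally excluded`. The existing `["", "unknown"]` exclusion carries over sensibly, since an empty prefix makes `startsWith` trivially true just as it does `contains`, but the exclusion still only applies when the argument is a compile-time constant, so a non-constant prefix always passes; that is pre-existing behaviour, not introduced here. If the QLDoc on `CompareSink` above the hunk enumerates the matched String methods, it should now list `startsWith` as well. The enclosing class `CompareSink` begins before the hunk and continues after it.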