Merge pull request #9002 from atorralba/atorralba/https-urls-improvs

Java: Add OkHttp and Retrofit models

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -14,10 +14,7 @@ import java
 import semmle.code.java.security.HttpsUrlsQuery
 import DataFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, MethodAccess m, HttpStringLiteral s
-where
-  source.getNode().asExpr() = s and
-  sink.getNode().asExpr() = m.getQualifier() and
-  any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
-select m, source, sink, "URL may have been constructed with HTTP protocol, using $@.", s,
-  "this source"
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "URL may have been constructed with HTTP protocol, using $@.",
+  source.getNode(), "this source"

java/ql/src/change-notes/2022-05-02-non-https-urls-simplified.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* The query `java/non-https-urls` has been simplified
+and no longer requires its sinks to be `MethodAccess`es.