Merge branch 'main' into java/merge-5226

java/change-notes/2021-02-17-apache-http.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Http components core library (`org.apache.http.*` and `org.apache.hc.core5.*`); adding additional remote flow sources, sinks for the XSS and Open Redirect queries, and additional taint steps. 

java/change-notes/2021-03-01-fluent-interface-data-flow.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The data-flow library now recognises more side-effects of method chaining (e.g. `someObject.setX(clean).setY(tainted).setZ...` having a side-effect on `someObject`), as well as other related circumstances where a function input is directly passed to its output. All queries that use data-flow analysis, including most security queries, may return more results accordingly.

java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.qhelp

@@ -0,0 +1,4 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <include src="SpringViewManipulation.qhelp" />
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql

@@ -0,0 +1,64 @@
+/**
+ * @name Spring Implicit View Manipulation
+ * @description Untrusted input in a Spring View Controller can lead to RCE.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-view-manipulation-implicit
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import SpringViewManipulationLib
+
+private predicate canResultInImplicitViewConversion(Method m) {
+  m.getReturnType() instanceof VoidType
+  or
+  m.getReturnType() instanceof MapType
+  or
+  m.getReturnType().(RefType).hasQualifiedName("org.springframework.ui", "Model")
+}
+
+private predicate maybeATestMethod(Method m) {
+  exists(string s |
+    s = m.getName() or
+    s = m.getFile().getRelativePath() or
+    s = m.getDeclaringType().getName()
+  |
+    s.matches(["%test%", "%example%", "%exception%"])
+  )
+}
+
+private predicate mayBeExploitable(Method m) {
+  // There should be a attacker controlled parameter in the URI for the attack to be exploitable.
+  // This is possible only when there exists a parameter with the Spring `@PathVariable` annotation
+  // applied to it.
+  exists(Parameter p |
+    p = m.getAParameter() and
+    p.hasAnnotation("org.springframework.web.bind.annotation", "PathVariable") and
+    // Having a parameter of say type `Long` is non exploitable as Java type
+    // checking rules are applied prior to view name resolution, rendering the exploit useless.
+    // hence, here we check for the param type to be a Java `String`.
+    p.getType() instanceof TypeString and
+    // Exclude cases where a regex check is applied on a parameter to prevent false positives.
+    not m.(SpringRequestMappingMethod).getValue().matches("%{%:[%]%}%")
+  ) and
+  not maybeATestMethod(m)
+}
+
+from SpringRequestMappingMethod m
+where
+  thymeleafIsUsed() and
+  mayBeExploitable(m) and
+  canResultInImplicitViewConversion(m) and
+  // If there's a parameter of type`HttpServletResponse`, Spring Framework does not interpret
+  // it as a view name, but just returns this string in HTTP Response preventing exploitation
+  // This also applies to `@ResponseBody` annotation.
+  not m.getParameterType(_) instanceof HttpServletResponse and
+  // A spring request mapping method which does not have response body annotation applied to it
+  m.getAnAnnotation().getType() instanceof SpringRequestMappingAnnotationType and
+  not exists(SpringResponseBodyAnnotationType t | t = m.getAnAnnotation().getType()) and
+  // `@RestController` inherits `@ResponseBody` internally so it should be ignored.
+  not m.getDeclaringType() instanceof SpringRestController
+select m, "This method may be vulnerable to spring view manipulation vulnerabilities"

java/ql/src/experimental/Security/CWE/CWE-094/SpringViewBad.java

@@ -0,0 +1,17 @@
+@Controller
+public class SptingViewManipulationController {
+
+    Logger log = LoggerFactory.getLogger(HelloController.class);
+
+    @GetMapping("/safe/fragment")
+    public String Fragment(@RequestParam String section) {
+        // bad as template path is attacker controlled
+        return "welcome :: " + section;
+    }
+
+    @GetMapping("/doc/{document}")
+    public void getDocument(@PathVariable String document) {
+        // returns void, so view name is taken from URI
+        log.info("Retrieving " + document);
+    }
+}

java/ql/src/experimental/Security/CWE/CWE-094/SpringViewGood.java

@@ -0,0 +1,20 @@
+@Controller
+public class SptingViewManipulationController {
+
+    Logger log = LoggerFactory.getLogger(HelloController.class);
+
+    @GetMapping("/safe/fragment")
+    @ResponseBody
+    public String Fragment(@RequestParam String section) {
+        // good, as `@ResponseBody` annotation tells Spring
+        // to process the return values as body, instead of view name
+        return "welcome :: " + section;
+    }
+
+    @GetMapping("/safe/doc/{document}")
+    public void getDocument(@PathVariable String document, HttpServletResponse response) {
+        // good as `HttpServletResponse param tells Spring that the response is already
+        // processed.
+        log.info("Retrieving " + document); // FP
+    }
+}

java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.qhelp

@@ -0,0 +1,50 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>
+      The Spring Expression Language (SpEL) is a powerful expression language
+      provided by Spring Framework. The language offers many features
+      including invocation of methods available in the JVM.
+    </p>
+    <p>
+      An unrestricted view name manipulation vulnerability in Spring Framework could lead to attacker-controlled arbitary SpEL expressions being evaluated using attacker-controlled data, which may in turn allow an attacker to run arbitrary code.
+    </p>
+    <p>
+      Note: two related variants of this problem are detected by different queries, `java/spring-view-manipulation` and `java/spring-view-manipulation-implicit`. The first detects taint flow problems where the return types is always <code>String</code>. While the latter, `java/spring-view-manipulation-implicit` detects cases where the request mapping method has a non-string return type such as <code>void</code>.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      In general, using user input to determine Spring view name should be avoided.
+      If user input must be included in the expression, the controller can be annotated by
+      a <code>@ReponseBody</code> annotation. In this case, Spring Framework does not interpret 
+      it as a view name, but just returns this string in HTTP Response. The same applies to using
+      a <code>@RestController</code> annotation on a class, as internally it inherits <code>@ResponseBody</code>.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      In the following example, the <code>Fragment</code> method uses an externally controlled variable <code>section</code> to generate the view name. Hence, it is vulnerable to Spring View Manipulation attacks.
+    </p>
+    <sample src="SpringViewBad.java" />
+    <p>
+      This can be easily prevented by using the <code>ResponseBody</code> annotation which marks the reponse is already processed preventing exploitation of Spring View Manipulation vulnerabilities. Alternatively, this can also be fixed by adding a <code>HttpServletResponse</code> parameter to the method definition as shown in the example below.
+    </p>
+    <sample src="SpringViewGood.java" />
+  </example>
+
+  <references>
+    <li>
+      Veracode Research : <a href="https://github.com/veracode-research/spring-view-manipulation/">Spring View Manipulation </a>
+    </li>
+    <li>
+      Spring Framework Reference Documentation: <a href="https://docs.spring.io/spring/docs/4.2.x/spring-framework-reference/html/expressions.html">Spring Expression Language (SpEL)</a>
+    </li>
+    <li>
+      OWASP: <a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>
+    </li>
+  </references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Spring View Manipulation
+ * @description Untrusted input in a Spring View can lead to RCE.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/spring-view-manipulation
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import SpringViewManipulationLib
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, SpringViewManipulationConfig conf
+where
+  thymeleafIsUsed() and
+  conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential Spring Expression Language injection from $@.",
+  source.getNode(), "this user input"

java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll

@@ -0,0 +1,140 @@
+/**
+ * Provides classes for reasoning about Spring View Manipulation vulnerabilities
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.frameworks.spring.Spring
+import SpringFrameworkLib
+
+/** Holds if `Thymeleaf` templating engine is used in the project. */
+predicate thymeleafIsUsed() {
+  exists(Pom p |
+    p.getADependency().getArtifact().getValue() in [
+        "spring-boot-starter-thymeleaf", "thymeleaf-spring4", "springmvc-xml-thymeleaf",
+        "thymeleaf-spring5"
+      ]
+  )
+  or
+  exists(SpringBean b | b.getClassNameRaw().matches("org.thymeleaf.spring%"))
+}
+
+/** Models methods from the `javax.portlet.RenderState` package which return data from externally controlled sources. */
+class PortletRenderRequestMethod extends Method {
+  PortletRenderRequestMethod() {
+    exists(RefType c, Interface t |
+      c.extendsOrImplements*(t) and
+      t.hasQualifiedName("javax.portlet", "RenderState") and
+      this = c.getAMethod()
+    |
+      this.hasName([
+          "getCookies", "getParameter", "getRenderParameters", "getParameterNames",
+          "getParameterValues", "getParameterMap"
+        ])
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that can lead to Spring View Manipulation vulnerabilities.
+ */
+class SpringViewManipulationConfig extends TaintTracking::Configuration {
+  SpringViewManipulationConfig() { this = "Spring View Manipulation Config" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource or
+    source instanceof WebRequestSource or
+    source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof SpringViewManipulationSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    // Block flows like
+    // ```
+    // a = "redirect:" + taint`
+    // ```
+    exists(AddExpr e, StringLiteral sl |
+      node.asExpr() = e.getControlFlowNode().getASuccessor*() and
+      sl = e.getLeftOperand*() and
+      sl.getRepresentedString().matches(["redirect:%", "ajaxredirect:%", "forward:%"])
+    )
+    or
+    // Block flows like
+    // ```
+    // x.append("redirect:");
+    // x.append(tainted());
+    // return x.toString();
+    //
+    // "redirect:".concat(taint)
+    //
+    // String.format("redirect:%s",taint);
+    // ```
+    exists(Call ca, StringLiteral sl |
+      (
+        sl = ca.getArgument(_)
+        or
+        sl = ca.getQualifier()
+      ) and
+      ca = getAStringCombiningCall() and
+      sl.getRepresentedString().matches(["redirect:%", "ajaxredirect:%", "forward:%"])
+    |
+      exists(Call cc | DataFlow::localExprFlow(ca.getQualifier(), cc.getQualifier()) |
+        cc = node.asExpr()
+      )
+    )
+  }
+}
+
+private Call getAStringCombiningCall() {
+  exists(StringCombiningMethod m | result = m.getAReference())
+}
+
+abstract private class StringCombiningMethod extends Method { }
+
+private class AppendableAppendMethod extends StringCombiningMethod {
+  AppendableAppendMethod() {
+    exists(RefType t |
+      t.hasQualifiedName("java.lang", "Appendable") and
+      this.getDeclaringType().extendsOrImplements*(t) and
+      this.hasName("append")
+    )
+  }
+}
+
+private class StringConcatMethod extends StringCombiningMethod {
+  StringConcatMethod() {
+    this.getDeclaringType() instanceof TypeString and
+    this.hasName("concat")
+  }
+}
+
+private class StringFormatMethod extends StringCombiningMethod {
+  StringFormatMethod() {
+    this.getDeclaringType() instanceof TypeString and
+    this.hasName("format")
+  }
+}
+
+/**
+ * A sink for Spring View Manipulation vulnerabilities,
+ */
+class SpringViewManipulationSink extends DataFlow::ExprNode {
+  SpringViewManipulationSink() {
+    exists(ReturnStmt r, SpringRequestMappingMethod m |
+      r.getResult() = this.asExpr() and
+      m.getBody().getAStmt() = r and
+      not m.isResponseBody() and
+      r.getResult().getType() instanceof TypeString
+    )
+    or
+    exists(ConstructorCall c | c.getConstructedType() instanceof ModelAndView |
+      this.asExpr() = c.getArgument(0) and
+      c.getConstructor().getParameterType(0) instanceof TypeString
+    )
+    or
+    exists(SpringModelAndViewSetViewNameCall c | this.asExpr() = c.getArgument(0))
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql

@@ -9,13 +9,13 @@
 
 import java
 import semmle.code.java.J2EE
-import MainLib
+import TestLib
 
 /** The `main` method in an Enterprise Java Bean. */
 class EnterpriseBeanMainMethod extends Method {
   EnterpriseBeanMainMethod() {
     this.getDeclaringType() instanceof EnterpriseBean and
-    isMainMethod(this) and
+    this instanceof MainMethod and
     not isTestMethod(this)
   }
 }

java/ql/src/experimental/Security/CWE/CWE-489/StrutsBad.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="true" />
+    <constant name="struts.i18n.encoding" value="utf-8" />
+    <include file="login.xml" />
+</struts>

java/ql/src/experimental/Security/CWE/CWE-489/StrutsGood.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+	"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+	"http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+    <constant name="struts.enable.DynamicMethodInvocation" value="true" />
+    <constant name="struts.devMode" value="false" />
+    <constant name="struts.i18n.encoding" value="utf-8"></constant>
+    <include file="login.xml" />
+</struts>

java/ql/src/experimental/Security/CWE/CWE-489/TestLib.qll

@@ -1,17 +1,7 @@
-/** Definitions related to the main method in a test program. */
+/** Definitions related to test methods. */
 
 import java
 
-/** Holds if `m` is the main method of a Java class with the signature `public static void main(String[] args)`. */
-predicate isMainMethod(Method m) {
-  m.hasName("main") and
-  m.isStatic() and
-  m.getReturnType() instanceof VoidType and
-  m.isPublic() and
-  m.getNumberOfParameters() = 1 and
-  m.getParameter(0).getType() instanceof Array
-}
-
 /**
  * Holds if `m` is a test method indicated by:
  *    a) in a test directory such as `src/test/java`

java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql

@@ -9,7 +9,7 @@
 
 import java
 import semmle.code.java.frameworks.Servlets
-import MainLib
+import TestLib
 
 /** The java type `javax.servlet.Filter`. */
 class ServletFilterClass extends Class {
@@ -48,7 +48,7 @@ class WebComponentMainMethod extends Method {
           .getASupertype+()
           .hasQualifiedName("org.springframework.webflow.execution", "Action") // Spring actions
     ) and
-    isMainMethod(this) and
+    this instanceof MainMethod and
     not isTestMethod(this)
   }
 }

java/ql/src/experimental/Security/CWE/CWE-489/devMode.qhelp

@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Turning Apache Struts' development mode configuration on while deploying applications to production environments can lead to remote code execution.</p>
+
+</overview>
+<recommendation>
+
+<p>An application should disable the development mode at the time of deployment.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows a `struts.xml` file with `struts.devmode` enabled.</p>
+
+<sample src="StrutsBad.xml" />
+
+<p>This can be easily corrected by setting the value of the `struts.devmode` parameter to false.</p>
+
+<sample src="StrutsGood.xml" />
+
+</example>
+<references>
+
+<li>
+  Apache Struts:
+  <a href="https://struts.apache.org/core-developers/development-mode.html">Struts development mode configuration</a>
+</li>
+
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Apache Struts development mode enabled
+ * @description Enabling struts development mode in production environment
+ *  can lead to remote code execution.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id java/struts-development-mode
+ * @tags security
+ *       external/cwe/cwe-489
+ */
+
+import java
+import experimental.semmle.code.xml.StrutsXML
+
+bindingset[path]
+predicate isLikelyDemoProject(string path) { path.regexpMatch("(?i).*(demo|test|example).*") }
+
+from ConstantParameter c
+where
+  c.getNameValue() = "struts.devMode" and
+  c.getValueValue() = "true" and
+  not isLikelyDemoProject(c.getFile().getRelativePath())
+select c, "Enabling development mode in production environments is dangerous"

java/ql/src/experimental/semmle/code/xml/StrutsXML.qll

@@ -0,0 +1,40 @@
+import java
+
+/**
+ * A deployment descriptor file, typically called `struts.xml`.
+ */
+class StrutsXMLFile extends XMLFile {
+  StrutsXMLFile() {
+    count(XMLElement e | e = this.getAChild()) = 1 and
+    this.getAChild().getName() = "struts"
+  }
+}
+
+/**
+ * An XML element in a `StrutsXMLFile`.
+ */
+class StrutsXMLElement extends XMLElement {
+  StrutsXMLElement() { this.getFile() instanceof StrutsXMLFile }
+
+  /**
+   * Gets the value for this element, with leading and trailing whitespace trimmed.
+   */
+  string getValue() { result = allCharactersString().trim() }
+}
+
+/**
+ * A `<constant>` element in a `StrutsXMLFile`.
+ */
+class ConstantParameter extends StrutsXMLElement {
+  ConstantParameter() { this.getName() = "constant" }
+
+  /**
+   * Gets the value of the `name` attribute of this `<constant>`.
+   */
+  string getNameValue() { result = getAttributeValue("name") }
+
+  /**
+   * Gets the value of the `value` attribute of this `<constant>`.
+   */
+  string getValueValue() { result = getAttributeValue("value") }
+}

java/ql/src/semmle/code/java/Type.qll

@@ -599,6 +599,13 @@ class Class extends RefType, @class {
   /** Holds if this class is a local class. */
   predicate isLocal() { isLocalClass(this, _) }
 
+  /** Holds if this class is package protected, that is, neither public nor private nor protected. */
+  predicate isPackageProtected() {
+    not isPrivate() and
+    not isProtected() and
+    not isPublic()
+  }
+
   override RefType getSourceDeclaration() { classes(this, _, _, result) }
 
   /**
@@ -816,6 +823,13 @@ class Interface extends RefType, @interface {
     any()
   }
 
+  /** Holds if this interface is package protected, that is, neither public nor private nor protected. */
+  predicate isPackageProtected() {
+    not isPrivate() and
+    not isProtected() and
+    not isPublic()
+  }
+
   override string getAPrimaryQlClass() { result = "Interface" }
 }
 

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -64,6 +64,14 @@ import java
 private import semmle.code.java.dataflow.DataFlow::DataFlow
 private import internal.DataFlowPrivate
 
+/**
+ * A module importing the frameworks that provide external flow data,
+ * ensuring that they are visible to the taint tracking / data flow library.
+ */
+private module Frameworks {
+  private import semmle.code.java.frameworks.ApacheHttp
+}
+
 private predicate sourceModelCsv(string row) {
   row =
     [
@@ -214,7 +222,7 @@ module CsvValidation {
       not name.regexpMatch("[a-zA-Z0-9_]*") and
       msg = "Dubious name \"" + name + "\" in " + pred + " model."
       or
-      not signature.regexpMatch("|\\([a-zA-Z0-9_\\.\\$<>,]*\\)") and
+      not signature.regexpMatch("|\\([a-zA-Z0-9_\\.\\$<>,\\[\\]]*\\)") and
       msg = "Dubious signature \"" + signature + "\" in " + pred + " model."
       or
       not ext.regexpMatch("|Annotated") and

java/ql/src/semmle/code/java/dataflow/FlowSteps.qll

@@ -9,7 +9,7 @@ private import semmle.code.java.dataflow.DataFlow
  * A module importing the frameworks that implement additional flow steps,
  * ensuring that they are visible to the taint tracking library.
  */
-module Frameworks {
+private module Frameworks {
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.android.Intent
   private import semmle.code.java.frameworks.android.SQLite
@@ -17,6 +17,7 @@ module Frameworks {
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.apache.Lang
+  private import semmle.code.java.frameworks.ApacheHttp
 }
 
 /**

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll

@@ -223,7 +223,10 @@ private predicate isAdditionalFlowStep(
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  simpleLocalFlowStep(node1, node2) and
+  (
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  ) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll

@@ -223,7 +223,10 @@ private predicate isAdditionalFlowStep(
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  simpleLocalFlowStep(node1, node2) and
+  (
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  ) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll

@@ -223,7 +223,10 @@ private predicate isAdditionalFlowStep(
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  simpleLocalFlowStep(node1, node2) and
+  (
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  ) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll

@@ -223,7 +223,10 @@ private predicate isAdditionalFlowStep(
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  simpleLocalFlowStep(node1, node2) and
+  (
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  ) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll

@@ -223,7 +223,10 @@ private predicate isAdditionalFlowStep(
  * Holds if data can flow in one local step from `node1` to `node2`.
  */
 private predicate localFlowStep(Node node1, Node node2, Configuration config) {
-  simpleLocalFlowStep(node1, node2) and
+  (
+    simpleLocalFlowStep(node1, node2) or
+    reverseStepThroughInputOutputAlias(node1, node2)
+  ) and
   not outBarrier(node1, config) and
   not inBarrier(node2, config) and
   not fullBarrier(node1, config) and

java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll

@@ -415,6 +415,30 @@ private module Cached {
     store(node1, tc.getContent(), node2, contentType, tc.getContainerType())
   }
 
+  /**
+   * Holds if data can flow from `fromNode` to `toNode` because they are the post-update
+   * nodes of some function output and input respectively, where the output and input
+   * are aliases. A typical example is a function returning `this`, implementing a fluent
+   * interface.
+   */
+  cached
+  predicate reverseStepThroughInputOutputAlias(PostUpdateNode fromNode, PostUpdateNode toNode) {
+    exists(Node fromPre, Node toPre |
+      fromPre = fromNode.getPreUpdateNode() and
+      toPre = toNode.getPreUpdateNode()
+    |
+      exists(DataFlowCall c |
+        // Does the language-specific simpleLocalFlowStep already model flow
+        // from function input to output?
+        fromPre = getAnOutNode(c, _) and
+        toPre.(ArgumentNode).argumentOf(c, _) and
+        simpleLocalFlowStep(toPre.(ArgumentNode), fromPre)
+      )
+      or
+      argumentValueFlowsThrough(toPre, TReadStepTypesNone(), fromPre)
+    )
+  }
+
   /**
    * Holds if the call context `call` either improves virtual dispatch in
    * `callable` or if it allows us to prune unreachable nodes in `callable`.

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -1,8 +1,10 @@
 /**
- * Provides classes and predicates related to `org.apache.http.*`.
+ * Provides classes and predicates related to `org.apache.http.*` and `org.apache.hc.*`.
  */
 
 import java
+private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.ExternalFlow
 
 class ApacheHttpGetParams extends Method {
   ApacheHttpGetParams() {
@@ -39,3 +41,192 @@ class TypeApacheHttpRequestBuilder extends Class {
     this.hasQualifiedName("org.apache.http.client.methods", "RequestBuilder")
   }
 }
+
+private class ApacheHttpSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.http.protocol;HttpRequestHandler;true;handle;(HttpRequest,HttpResponse,HttpContext);;Parameter[0];remote",
+        "org.apache.hc.core5.http.io;HttpRequestHandler;true;handle;(ClassicHttpRequest,ClassicHttpResponse,HttpContext);;Parameter[0];remote",
+        "org.apache.hc.core5.http.io;HttpServerRequestHandler;true;handle;(ClassicHttpRequest,ResponseTrigger,HttpContext);;Parameter[0];remote"
+      ]
+  }
+}
+
+/**
+ * A call that sets a header of an `HttpResponse`.
+ */
+class ApacheHttpSetHeader extends Call {
+  ApacheHttpSetHeader() {
+    exists(Method m |
+      this.getCallee().(Method).overrides*(m) and
+      m.getDeclaringType()
+          .hasQualifiedName(["org.apache.http", "org.apache.hc.core5.http"], "HttpMessage") and
+      m.hasName(["addHeader", "setHeader"]) and
+      m.getNumberOfParameters() = 2
+    )
+    or
+    exists(Constructor c |
+      this.getCallee() = c and
+      c.getDeclaringType()
+          .hasQualifiedName(["org.apache.http.message", "org.apache.hc.core5.http.message"],
+            "BasicHeader")
+    )
+  }
+
+  /** Gets the expression used as the name of this header. */
+  Expr getName() { result = this.getArgument(0) }
+
+  /** Gets the expression used as the value of this header. */
+  Expr getValue() { result = this.getArgument(1) }
+}
+
+private class ApacheHttpXssSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.http;HttpResponse;true;setEntity;(HttpEntity);;Argument[0];xss",
+        "org.apache.http.util;EntityUtils;true;updateEntity;(HttpResponse,HttpEntity);;Argument[1];xss",
+        "org.apache.hc.core5.http;HttpEntityContainer;true;setEntity;(HttpEntity);;Argument[0];xss"
+      ]
+  }
+}
+
+private class ApacheHttpFlowStep extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.http;HttpMessage;true;getAllHeaders;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpMessage;true;getFirstHeader;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpMessage;true;getLastHeader;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpMessage;true;getHeaders;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpMessage;true;getParams;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpMessage;true;headerIterator;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpMessage;true;headerIterator;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpRequest;true;getRequestLine;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpEntityEnclosingRequest;true;getEntity;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;Header;true;getElements;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HeaderElement;true;getName;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HeaderElement;true;getValue;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HeaderElement;true;getParameter;(int);;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HeaderElement;true;getParameterByName;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HeaderElement;true;getParameters;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;NameValuePair;true;getName;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;NameValuePair;true;getValue;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HeaderIterator;true;nextHeader;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpEntity;true;getContent;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpEntity;true;getContentEncoding;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;HttpEntity;true;getContentType;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;RequestLine;true;getMethod;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http;RequestLine;true;getUri;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http.params;HttpParams;true;getParameter;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.params;HttpParams;true;getDoubleParameter;(String,double);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.params;HttpParams;true;getIntParameter;(String,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.params;HttpParams;true;getLongParameter;(String,long);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.params;HttpParams;true;getDoubleParameter;(String,double);;Argument[1];ReturnValue;value",
+        "org.apache.http.params;HttpParams;true;getIntParameter;(String,int);;Argument[1];ReturnValue;value",
+        "org.apache.http.params;HttpParams;true;getLongParameter;(String,long);;Argument[1];ReturnValue;value",
+        "org.apache.hc.core5.http;MessageHeaders;true;getFirstHeader;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;MessageHeaders;true;getLastHeader;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;MessageHeaders;true;getHeader;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;MessageHeaders;true;getHeaders;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;MessageHeaders;true;getHeaders;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;MessageHeaders;true;headerIterator;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;MessageHeaders;true;headerIterator;(String);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpRequest;true;getAuthority;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpRequest;true;getMethod;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpRequest;true;getPath;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpRequest;true;getUri;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpRequest;true;getRequestUri;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpEntityContainer;true;getEntity;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;NameValuePair;true;getName;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;NameValuePair;true;getValue;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpEntity;true;getContent;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;HttpEntity;true;getTrailers;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;EntityDetails;true;getContentType;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;EntityDetails;true;getContentEncoding;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http;EntityDetails;true;getTrailerNames;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;getMethod;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;getUri;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;toString;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(HttpRequest);;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];ReturnValue;taint",
+        "org.apache.hc.core5.function;Supplier;true;get;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.net;URIAuthority;true;getHostName;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.net;URIAuthority;true;toString;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;EntityUtils;true;toString;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;EntityUtils;true;toByteArray;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;EntityUtils;true;getContentCharSet;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;EntityUtils;true;getContentMimeType;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;EntityUtils;true;toString;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;EntityUtils;true;toByteArray;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;EntityUtils;true;parse;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;EncodingUtils;true;getAsciiBytes;(String);;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;EncodingUtils;true;getAsciiString;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;EncodingUtils;true;getBytes;(String,String);;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;EncodingUtils;true;getString;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;Args;true;containsNoBlanks;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;notNull;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;notEmpty;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.http.util;Args;true;notBlank;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;containsNoBlanks;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notNull;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notEmpty;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.util;Args;true;notBlank;(T,String);;Argument[0];ReturnValue;value",
+        "org.apache.hc.core5.http.io.entity;HttpEntities;true;create;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;HttpEntities;true;createGzipped;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;HttpEntities;true;createUrlEncoded;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;HttpEntities;true;gzip;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;HttpEntities;true;withTrailers;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;BasicHttpEntity;true;setContent;(InputStream);;Argument[0];Argument[-1];taint",
+        "org.apache.http.entity;BufferedHttpEntity;true;BufferedHttpEntity;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;HttpEntityWrapper;true;HttpEntityWrapper;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;InputStreamEntity;true;InputStreamEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;StringEntity;true;StringEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;BasicHttpEntity;true;BasicHttpEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;BufferedHttpEntity;true;BufferedHttpEntity;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;HttpEntityWrapper;true;HttpEntityWrapper;(HttpEntity);;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;InputStreamEntity;true;InputStreamEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;StringEntity;true;StringEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.util;ByteArrayBuffer;true;append;(byte[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;ByteArrayBuffer;true;append;(char[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;ByteArrayBuffer;true;append;(CharArrayBuffer,int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;ByteArrayBuffer;true;buffer;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;ByteArrayBuffer;true;toByteArray;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;CharArrayBuffer;true;append;(byte[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;CharArrayBuffer;true;append;(char[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;CharArrayBuffer;true;append;(CharArrayBuffer,int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;CharArrayBuffer;true;append;(ByteArrayBuffer,int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;CharArrayBuffer;true;append;(CharArrayBuffer);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;CharArrayBuffer;true;append;(String);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;CharArrayBuffer;true;append;(Object);;Argument[0];Argument[-1];taint",
+        "org.apache.http.util;CharArrayBuffer;true;buffer;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;CharArrayBuffer;true;toCharArray;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;CharArrayBuffer;true;toString;();;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;CharArrayBuffer;true;substring;(int,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;CharArrayBuffer;true;subSequence;(int,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.http.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;ByteArrayBuffer;true;append;(byte[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;ByteArrayBuffer;true;append;(char[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;ByteArrayBuffer;true;append;(CharArrayBuffer,int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;ByteArrayBuffer;true;array;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;ByteArrayBuffer;true;toByteArray;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;append;(byte[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;append;(char[],int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;append;(CharArrayBuffer,int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;append;(ByteArrayBuffer,int,int);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;append;(CharArrayBuffer);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;append;(String);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;append;(Object);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;array;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;toCharArray;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;toString;();;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;substring;(int,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;subSequence;(int,int);;Argument[-1];ReturnValue;taint",
+        "org.apache.hc.core5.util;CharArrayBuffer;true;substringTrimmed;(int,int);;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}

java/ql/src/semmle/code/java/frameworks/spring/SpringController.qll

@@ -126,6 +126,11 @@ class SpringRequestMappingMethod extends SpringControllerMethod {
       requestMappingAnnotation.getValue("produces").(CompileTimeConstantExpr).getStringValue()
   }
 
+  /** Gets the "value" @RequestMapping annotation value, if present. */
+  string getValue() {
+    result = requestMappingAnnotation.getValue("value").(CompileTimeConstantExpr).getStringValue()
+  }
+
   /** Holds if this is considered an `@ResponseBody` method. */
   predicate isResponseBody() {
     getAnAnnotation().getType() instanceof SpringResponseBodyAnnotationType or

java/ql/src/semmle/code/java/frameworks/spring/SpringWeb.qll

@@ -17,3 +17,23 @@ class SpringNativeWebRequest extends Class {
     this.hasQualifiedName("org.springframework.web.context.request", "NativeWebRequest")
   }
 }
+
+/**
+ * A Spring `ModelAndView` class. This is either
+ * `org.springframework.web.servlet.ModelAndView` or
+ * `org.springframework.web.portlet.ModelAndView`.
+ */
+class ModelAndView extends Class {
+  ModelAndView() {
+    hasQualifiedName(["org.springframework.web.servlet", "org.springframework.web.portlet"],
+      "ModelAndView")
+  }
+}
+
+/** A call to the Spring `ModelAndView.setViewName` method. */
+class SpringModelAndViewSetViewNameCall extends MethodAccess {
+  SpringModelAndViewSetViewNameCall() {
+    getMethod().getDeclaringType() instanceof ModelAndView and
+    getMethod().hasName("setViewName")
+  }
+}

java/ql/src/semmle/code/java/security/Encryption.qll

@@ -120,13 +120,16 @@ private string algorithmRegex(string algorithmString) {
  * Gets the name of an algorithm that is known to be insecure.
  */
 string getAnInsecureAlgorithmName() {
-  result = "DES" or
-  result = "RC2" or
-  result = "RC4" or
-  result = "RC5" or
-  result = "ARCFOUR" or // a variant of RC4
-  result = "ECB" or // encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks
-  result = "AES/CBC/PKCS[5|7]Padding" // CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks
+  result =
+    [
+      "DES", "RC2", "RC4", "RC5",
+      // ARCFOUR is a variant of RC4
+      "ARCFOUR",
+      // Encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks
+      "ECB",
+      // CBC mode of operation with PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks
+      "AES/CBC/PKCS[57]Padding"
+    ]
 }
 
 /**
@@ -163,14 +166,11 @@ string getInsecureAlgorithmRegex() {
  * Gets the name of an algorithm that is known to be secure.
  */
 string getASecureAlgorithmName() {
-  result = "RSA" or
-  result = "SHA256" or
-  result = "SHA512" or
-  result = "CCM" or
-  result = "GCM" or
-  result = "AES([^a-zA-Z](?!ECB|CBC/PKCS[5|7]Padding)).*" or
-  result = "Blowfish" or
-  result = "ECIES"
+  result =
+    [
+      "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES([^a-zA-Z](?!ECB|CBC/PKCS[57]Padding)).*",
+      "Blowfish", "ECIES"
+    ]
 }
 
 private string rankedSecureAlgorithm(int i) { result = rank[i](getASecureAlgorithmName()) }

java/ql/src/semmle/code/java/security/UrlRedirect.qll

@@ -3,6 +3,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.frameworks.Servlets
+import semmle.code.java.frameworks.ApacheHttp
 
 /** A URL redirection sink */
 abstract class UrlRedirectSink extends DataFlow::Node { }
@@ -24,3 +25,13 @@ private class ServletUrlRedirectSink extends UrlRedirectSink {
     )
   }
 }
+
+/** A URL redirection sink from Apache Http components. */
+private class ApacheUrlRedirectSink extends UrlRedirectSink {
+  ApacheUrlRedirectSink() {
+    exists(ApacheHttpSetHeader c |
+      c.getName().(CompileTimeConstantExpr).getStringValue() = "Location" and
+      this.asExpr() = c.getValue()
+    )
+  }
+}

java/ql/src/semmle/code/java/security/XSS.qll

@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.spring.SpringController
 import semmle.code.java.frameworks.spring.SpringHttp
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.dataflow.ExternalFlow
 
 /** A sink that represent a method that outputs data without applying contextual output encoding. */
 abstract class XssSink extends DataFlow::Node { }
@@ -31,6 +32,8 @@ class XssAdditionalTaintStep extends Unit {
 /** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
   DefaultXssSink() {
+    sinkNode(this, "xss")
+    or
     exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |
       ma.getMethod() = m and
       this.asExpr() = ma.getArgument(1)

java/ql/test/library-tests/dataflow/fluent-methods/Test.java

@@ -0,0 +1,50 @@
+public class Test {
+
+  private String field;
+
+  public Test fluentNoop() {
+    return this;
+  }
+
+  public Test indirectlyFluentNoop() {
+    return this.fluentNoop();
+  }
+
+  public Test fluentSet(String x) {
+    this.field = x;
+    return this;
+  }
+
+  public static Test identity(Test t) {
+    return t;
+  }
+
+  public String get() {
+    return field;
+  }
+
+  public static String source() {
+    return "taint";
+  }
+
+  public static void sink(String s) {}
+
+  public static void test1() {
+    Test t = new Test();
+    t.fluentNoop().fluentSet(source()).fluentNoop();
+    sink(t.get()); // $hasTaintFlow=y
+  }
+
+  public static void test2() {
+    Test t = new Test();
+    Test.identity(t).fluentNoop().fluentSet(source()).fluentNoop();
+    sink(t.get()); // $hasTaintFlow=y
+  }
+
+  public static void test3() {
+    Test t = new Test();
+    t.indirectlyFluentNoop().fluentSet(source()).fluentNoop();
+    sink(t.get()); // $hasTaintFlow=y
+  }
+
+}

java/ql/test/library-tests/dataflow/fluent-methods/flow.ql

@@ -0,0 +1,30 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends DataFlow::Configuration {
+  Conf() { this = "qltest:dataflow:fluent-methods" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = "y"
+    )
+  }
+}

java/ql/test/library-tests/frameworks/apache-http/A.java

@@ -0,0 +1,65 @@
+import org.apache.http.*;
+import org.apache.http.protocol.*;
+import org.apache.http.message.BasicHeader;
+import org.apache.http.util.*;
+import org.apache.http.entity.*;
+import java.io.IOException;
+
+class A {
+    static Object taint() { return null; }
+
+    static void sink(Object o) { }
+
+    class Test1 implements HttpRequestHandler {
+        public void handle(HttpRequest req, HttpResponse res, HttpContext ctx) throws IOException {
+            A.sink(req.getRequestLine()); //$hasTaintFlow=y
+            A.sink(req.getRequestLine().getUri()); //$hasTaintFlow=y
+            A.sink(req.getRequestLine().getMethod()); //$hasTaintFlow=y
+            A.sink(req.getAllHeaders()); //$hasTaintFlow=y
+            HeaderIterator it = req.headerIterator();
+            A.sink(it.next()); //$hasTaintFlow=y
+            A.sink(it.nextHeader()); //$hasTaintFlow=y
+            Header h = req.getHeaders("abc")[3];
+            A.sink(h.getName()); //$hasTaintFlow=y
+            A.sink(h.getValue()); //$hasTaintFlow=y
+            HeaderElement el = h.getElements()[0];
+            A.sink(el.getName()); //$hasTaintFlow=y
+            A.sink(el.getValue()); //$hasTaintFlow=y
+            A.sink(el.getParameters()); //$hasTaintFlow=y
+            A.sink(el.getParameterByName("abc").getValue()); //$hasTaintFlow=y
+            A.sink(el.getParameter(0).getName()); //$hasTaintFlow=y
+            HttpEntity ent = ((HttpEntityEnclosingRequest)req).getEntity();
+            A.sink(ent.getContent()); //$hasTaintFlow=y
+            A.sink(ent.getContentEncoding()); //$hasTaintFlow=y
+            A.sink(ent.getContentType()); //$hasTaintFlow=y
+            A.sink(EntityUtils.toString(ent)); //$hasTaintFlow=y
+            A.sink(EntityUtils.toByteArray(ent)); //$hasTaintFlow=y
+            A.sink(EntityUtils.getContentCharSet(ent)); //$hasTaintFlow=y
+            A.sink(EntityUtils.getContentMimeType(ent)); //$hasTaintFlow=y
+            res.setEntity(new StringEntity("<a href='" + req.getRequestLine().getUri() + "'>a</a>")); //$hasTaintFlow=y
+            EntityUtils.updateEntity(res, new ByteArrayEntity(EntityUtils.toByteArray(ent))); //$hasTaintFlow=y
+            res.setHeader("Location", req.getRequestLine().getUri()); //$hasTaintFlow=y
+            res.setHeader(new BasicHeader("Location", req.getRequestLine().getUri())); //$hasTaintFlow=y
+        }
+    }
+
+    void test2() {
+        ByteArrayBuffer bbuf = new ByteArrayBuffer(42);
+        bbuf.append((byte[]) taint(), 0, 3);
+        sink(bbuf.buffer()); //$hasTaintFlow=y
+        sink(bbuf.toByteArray()); //$hasTaintFlow=y
+
+        CharArrayBuffer cbuf = new CharArrayBuffer(42);
+        cbuf.append(bbuf.toByteArray(), 0, 3);
+        sink(cbuf.toCharArray()); //$hasTaintFlow=y
+        sink(cbuf.toString()); //$hasTaintFlow=y
+        sink(cbuf.subSequence(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substring(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substringTrimmed(0, 3)); //$hasTaintFlow=y
+
+        sink(Args.notNull(taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notEmpty((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notBlank((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notNull("x", (String) taint())); // Good
+    }
+}

java/ql/test/library-tests/frameworks/apache-http/B.java

@@ -0,0 +1,76 @@
+import org.apache.hc.core5.http.*;
+import org.apache.hc.core5.http.protocol.HttpContext;
+import org.apache.hc.core5.http.io.HttpRequestHandler;
+import org.apache.hc.core5.http.io.HttpServerRequestHandler;
+import org.apache.hc.core5.http.message.*;
+import org.apache.hc.core5.http.io.entity.*;
+import org.apache.hc.core5.util.*;
+import java.io.IOException;
+
+class B {
+    static Object taint() { return null; }
+
+    static void sink(Object o) { }
+
+    class Test1 implements HttpRequestHandler {
+        public void handle(ClassicHttpRequest req, ClassicHttpResponse res, HttpContext ctx) throws IOException, ParseException {
+            B.sink(req.getAuthority().getHostName()); //$hasTaintFlow=y
+            B.sink(req.getAuthority().toString()); //$hasTaintFlow=y
+            B.sink(req.getMethod()); //$hasTaintFlow=y
+            B.sink(req.getPath()); //$hasTaintFlow=y
+            B.sink(req.getScheme()); 
+            B.sink(req.getRequestUri()); //$hasTaintFlow=y
+            RequestLine line = new RequestLine(req);
+            B.sink(line.getUri()); //$hasTaintFlow=y
+            B.sink(line.getMethod()); //$hasTaintFlow=y
+            B.sink(req.getHeaders()); //$hasTaintFlow=y
+            B.sink(req.headerIterator()); //$hasTaintFlow=y
+            Header h = req.getHeaders("abc")[3];
+            B.sink(h.getName()); //$hasTaintFlow=y
+            B.sink(h.getValue()); //$hasTaintFlow=y
+            B.sink(req.getFirstHeader("abc")); //$hasTaintFlow=y
+            B.sink(req.getLastHeader("abc")); //$hasTaintFlow=y
+            HttpEntity ent = req.getEntity();
+            B.sink(ent.getContent()); //$hasTaintFlow=y
+            B.sink(ent.getContentEncoding()); //$hasTaintFlow=y
+            B.sink(ent.getContentType()); //$hasTaintFlow=y
+            B.sink(ent.getTrailerNames()); //$hasTaintFlow=y
+            B.sink(ent.getTrailers().get()); //$hasTaintFlow=y
+            B.sink(EntityUtils.toString(ent)); //$hasTaintFlow=y
+            B.sink(EntityUtils.toByteArray(ent)); //$hasTaintFlow=y
+            B.sink(EntityUtils.parse(ent)); //$hasTaintFlow=y
+            res.setEntity(new StringEntity("<a href='" + req.getRequestUri() + "'>a</a>")); //$hasTaintFlow=y
+            res.setEntity(new ByteArrayEntity(EntityUtils.toByteArray(ent), ContentType.TEXT_HTML)); //$hasTaintFlow=y
+            res.setEntity(HttpEntities.create("<a href='" + req.getRequestUri() + "'>a</a>")); //$hasTaintFlow=y
+            res.setHeader("Location", req.getRequestUri()); //$hasTaintFlow=y
+            res.setHeader(new BasicHeader("Location", req.getRequestUri())); //$hasTaintFlow=y
+        }
+    }
+
+    void test2() {
+        ByteArrayBuffer bbuf = new ByteArrayBuffer(42);
+        bbuf.append((byte[]) taint(), 0, 3); 
+        sink(bbuf.array()); //$hasTaintFlow=y
+        sink(bbuf.toByteArray()); //$hasTaintFlow=y
+        sink(bbuf.toString()); 
+
+        CharArrayBuffer cbuf = new CharArrayBuffer(42);
+        cbuf.append(bbuf.toByteArray(), 0, 3); 
+        sink(cbuf.toCharArray()); //$hasTaintFlow=y
+        sink(cbuf.toString()); //$hasTaintFlow=y
+        sink(cbuf.subSequence(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substring(0, 3)); //$hasTaintFlow=y
+        sink(cbuf.substringTrimmed(0, 3)); //$hasTaintFlow=y
+
+        sink(Args.notNull(taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notEmpty((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notBlank((String) taint(), "x")); //$hasTaintFlow=y
+        sink(Args.notNull("x", (String) taint())); 
+    }
+
+    class Test3 implements HttpServerRequestHandler {
+        public void handle(ClassicHttpRequest req, HttpServerRequestHandler.ResponseTrigger restr, HttpContext ctx) throws HttpException, IOException {
+            B.sink(req.getEntity()); //$hasTaintFlow=y
+        }
+    }
+}

java/ql/test/library-tests/frameworks/apache-http/flow.ql

@@ -0,0 +1,39 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.XSS
+import semmle.code.java.security.UrlRedirect
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:frameworks:apache-http" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+    or
+    n instanceof XssSink
+    or
+    n instanceof UrlRedirectSink
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = "y"
+    )
+  }
+}

java/ql/test/library-tests/frameworks/apache-http/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-http-4.4.13:${testdir}/../../../stubs/apache-http-5

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/Header.java

@@ -1,8 +1,4 @@
 /*
- * $HeadURL: http://svn.apache.org/repos/asf/httpcomponents/httpcore/trunk/module-main/src/main/java/org/apache/http/Header.java $
- * $Revision: 569636 $
- * $Date: 2007-08-25 00:34:47 -0700 (Sat, 25 Aug 2007) $
- *
  * ====================================================================
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
@@ -33,38 +29,25 @@ package org.apache.http;
 
 /**
  * Represents an HTTP header field.
- * 
- * <p>
- * The HTTP header fields follow the same generic format as that given in
- * Section 3.1 of RFC 822. Each header field consists of a name followed by a
- * colon (":") and the field value. Field names are case-insensitive. The field
- * value MAY be preceded by any amount of LWS, though a single SP is preferred.
  *
- * <pre>
+ * <p>The HTTP header fields follow the same generic format as
+ * that given in Section 3.1 of RFC 822. Each header field consists
+ * of a name followed by a colon (":") and the field value. Field names
+ * are case-insensitive. The field value MAY be preceded by any amount
+ * of LWS, though a single SP is preferred.
+ *
+ *<pre>
  *     message-header = field-name ":" [ field-value ]
  *     field-name     = token
  *     field-value    = *( field-content | LWS )
  *     field-content  = &lt;the OCTETs making up the field-value
  *                      and consisting of either *TEXT or combinations
  *                      of token, separators, and quoted-string&gt;
- * </pre>
- * 
- * @author <a href="mailto:remm@apache.org">Remy Maucherat</a>
- * @author <a href="mailto:oleg at ural.ru">Oleg Kalnichevski</a>
- * @version $Revision: 569636 $
+ *</pre>
  *
- * @deprecated Please use {@link java.net.URL#openConnection} instead. Please
- *             visit <a href=
- *             "http://android-developers.blogspot.com/2011/09/androids-http-clients.html">this
- *             webpage</a> for further details.
+ * @since 4.0
  */
-@Deprecated
-public interface Header {
-
-    String getName();
-
-    String getValue();
-
+public interface Header extends NameValuePair {
     HeaderElement[] getElements() throws ParseException;
 
 }

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/HttpResponse.java

@@ -0,0 +1,55 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http;
+
+import java.util.Locale;
+
+public interface HttpResponse extends HttpMessage {
+    // StatusLine getStatusLine();
+
+    // void setStatusLine(StatusLine statusline);
+
+    // void setStatusLine(ProtocolVersion ver, int code);
+
+    // void setStatusLine(ProtocolVersion ver, int code, String reason);
+
+    void setStatusCode(int code)
+        throws IllegalStateException;
+
+    void setReasonPhrase(String reason)
+        throws IllegalStateException;
+
+    HttpEntity getEntity();
+
+    void setEntity(HttpEntity entity);
+
+    Locale getLocale();
+
+    void setLocale(Locale loc);
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/entity/AbstractHttpEntity.java

@@ -0,0 +1,74 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.entity;
+
+import java.io.IOException;
+import org.apache.http.HttpEntity;
+import org.apache.http.Header;
+
+public abstract class AbstractHttpEntity implements HttpEntity {
+    @Override
+    public Header getContentType() {
+      return null;
+    }
+
+    @Override
+    public Header getContentEncoding() {
+      return null;
+    }
+
+    @Override
+    public boolean isChunked() {
+      return false;
+    }
+
+    public void setContentType(final Header contentType) {
+    }
+
+    public void setContentType(final String ctString) {
+    }
+
+    public void setContentEncoding(final Header contentEncoding) {
+    }
+
+    public void setContentEncoding(final String ceString) {
+    }
+
+    public void setChunked(final boolean b) {
+    }
+
+    @Override
+    public void consumeContent() throws IOException {
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/entity/ByteArrayEntity.java

@@ -0,0 +1,78 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.entity;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+
+public class ByteArrayEntity extends AbstractHttpEntity implements Cloneable {
+    public ByteArrayEntity(final byte[] b, final ContentType contentType) {
+    }
+
+    public ByteArrayEntity(final byte[] b, final int off, final int len, final ContentType contentType) {
+    }
+
+    public ByteArrayEntity(final byte[] b) {
+    }
+
+    public ByteArrayEntity(final byte[] b, final int off, final int len) {
+    }
+
+    @Override
+    public boolean isRepeatable() {
+      return false;
+    }
+
+    @Override
+    public long getContentLength() {
+      return 0;
+    }
+
+    @Override
+    public InputStream getContent() {
+      return null;
+    }
+
+    @Override
+    public void writeTo(final OutputStream outStream) throws IOException {
+    }
+
+    @Override
+    public boolean isStreaming() {
+      return false;
+    }
+
+    @Override
+    public Object clone() throws CloneNotSupportedException {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/entity/ContentType.java

@@ -0,0 +1,35 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.entity;
+
+import java.io.Serializable;
+
+
+public final class ContentType implements Serializable {
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/entity/StringEntity.java

@@ -0,0 +1,87 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.entity;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.UnsupportedEncodingException;
+import java.nio.charset.Charset;
+import java.nio.charset.UnsupportedCharsetException;
+
+
+public class StringEntity extends AbstractHttpEntity implements Cloneable {
+    public StringEntity(final String string, final ContentType contentType) throws UnsupportedCharsetException {
+    }
+
+    public StringEntity(
+            final String string, final String mimeType, final String charset) throws UnsupportedEncodingException {
+    }
+
+    public StringEntity(final String string, final String charset)
+            throws UnsupportedCharsetException {
+    }
+
+    public StringEntity(final String string, final Charset charset) {
+    }
+
+    public StringEntity(final String string)
+            throws UnsupportedEncodingException {
+    }
+
+    @Override
+    public boolean isRepeatable() {
+      return false;
+    }
+
+    @Override
+    public long getContentLength() {
+      return 0;
+    }
+
+    @Override
+    public InputStream getContent() throws IOException {
+      return null;
+    }
+
+    @Override
+    public void writeTo(final OutputStream outStream) throws IOException {
+    }
+
+    @Override
+    public boolean isStreaming() {
+      return false;
+    }
+
+    @Override
+    public Object clone() throws CloneNotSupportedException {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/message/BasicHeader.java

@@ -0,0 +1,65 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.message;
+
+import java.io.Serializable;
+
+import org.apache.http.Header;
+import org.apache.http.HeaderElement;
+import org.apache.http.ParseException;
+
+public class BasicHeader implements Header, Cloneable, Serializable {
+    public BasicHeader(final String name, final String value) {
+    }
+
+    @Override
+    public Object clone() throws CloneNotSupportedException {
+      return null;
+    }
+
+    @Override
+    public HeaderElement[] getElements() throws ParseException {
+      return null;
+    }
+
+    @Override
+    public String getName() {
+      return null;
+    }
+
+    @Override
+    public String getValue() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/protocol/HttpContext.java

@@ -0,0 +1,37 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.protocol;
+
+public interface HttpContext {
+    Object getAttribute(String id);
+
+    void setAttribute(String id, Object obj);
+
+    Object removeAttribute(String id);
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/protocol/HttpRequestHandler.java

@@ -0,0 +1,38 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.protocol;
+
+import java.io.IOException;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+
+public interface HttpRequestHandler {
+    void handle(HttpRequest request, HttpResponse response, HttpContext context)
+            throws IOException;
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/util/Args.java

@@ -0,0 +1,78 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.util;
+
+import java.util.Collection;
+
+public class Args {
+    public static void check(final boolean expression, final String message) {
+    }
+
+    public static void check(final boolean expression, final String message, final Object... args) {
+    }
+
+    public static void check(final boolean expression, final String message, final Object arg) {
+    }
+
+    public static <T> T notNull(final T argument, final String name) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T notEmpty(final T argument, final String name) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T notBlank(final T argument, final String name) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T containsNoBlanks(final T argument, final String name) {
+      return null;
+    }
+
+    public static <E, T extends Collection<E>> T notEmpty(final T argument, final String name) {
+      return null;
+    }
+
+    public static int positive(final int n, final String name) {
+      return 0;
+    }
+
+    public static long positive(final long n, final String name) {
+      return 0;
+    }
+
+    public static int notNegative(final int n, final String name) {
+      return 0;
+    }
+
+    public static long notNegative(final long n, final String name) {
+      return 0;
+    }
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/util/ByteArrayBuffer.java

@@ -0,0 +1,93 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.util;
+
+import java.io.Serializable;
+
+public final class ByteArrayBuffer implements Serializable {
+    public ByteArrayBuffer(final int capacity) {
+    }
+
+    public void append(final byte[] b, final int off, final int len) {
+    }
+
+    public void append(final int b) {
+    }
+
+    public void append(final char[] b, final int off, final int len) {
+    }
+
+    public void append(final CharArrayBuffer b, final int off, final int len) {
+    }
+
+    public void clear() {
+    }
+
+    public byte[] toByteArray() {
+      return null;
+    }
+
+    public int byteAt(final int i) {
+      return 0;
+    }
+
+    public int capacity() {
+      return 0;
+    }
+
+    public int length() {
+      return 0;
+    }
+
+    public void ensureCapacity(final int required) {
+    }
+
+    public byte[] buffer() {
+      return null;
+    }
+
+    public void setLength(final int len) {
+    }
+
+    public boolean isEmpty() {
+      return false;
+    }
+
+    public boolean isFull() {
+      return false;
+    }
+
+    public int indexOf(final byte b, final int from, final int to) {
+      return 0;
+    }
+
+    public int indexOf(final byte b) {
+      return 0;
+    }
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/util/CharArrayBuffer.java

@@ -0,0 +1,127 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.util;
+
+import java.io.Serializable;
+import java.nio.CharBuffer;
+
+
+public final class CharArrayBuffer implements CharSequence, Serializable {
+    public CharArrayBuffer(final int capacity) {
+    }
+
+    public void append(final char[] b, final int off, final int len) {
+    }
+
+    public void append(final String str) {
+    }
+
+    public void append(final CharArrayBuffer b, final int off, final int len) {
+    }
+
+    public void append(final CharArrayBuffer b) {
+    }
+
+    public void append(final char ch) {
+    }
+
+    public void append(final byte[] b, final int off, final int len) {
+    }
+
+    public void append(final ByteArrayBuffer b, final int off, final int len) {
+    }
+
+    public void append(final Object obj) {
+    }
+
+    public void clear() {
+    }
+
+    public char[] toCharArray() {
+      return null;
+    }
+
+    @Override
+    public char charAt(final int i) {
+      return 0;
+    }
+
+    public char[] buffer() {
+      return null;
+    }
+
+    public int capacity() {
+      return 0;
+    }
+
+    @Override
+    public int length() {
+      return 0;
+    }
+
+    public void ensureCapacity(final int required) {
+    }
+
+    public void setLength(final int len) {
+    }
+
+    public boolean isEmpty() {
+      return false;
+    }
+
+    public boolean isFull() {
+      return false;
+    }
+
+    public int indexOf(final int ch, final int from, final int to) {
+      return 0;
+    }
+
+    public int indexOf(final int ch) {
+      return 0;
+    }
+
+    public String substring(final int beginIndex, final int endIndex) {
+      return null;
+    }
+
+    public String substringTrimmed(final int beginIndex, final int endIndex) {
+      return null;
+    }
+
+    @Override
+    public CharSequence subSequence(final int beginIndex, final int endIndex) {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-4.4.13/org/apache/http/util/EntityUtils.java

@@ -0,0 +1,72 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.util;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import org.apache.http.*;
+
+
+public final class EntityUtils {
+    public static void consumeQuietly(final HttpEntity entity) {
+    }
+
+    public static void consume(final HttpEntity entity) throws IOException {
+    }
+
+    public static void updateEntity(
+            final HttpResponse response, final HttpEntity entity) throws IOException {
+    }
+
+    public static byte[] toByteArray(final HttpEntity entity) throws IOException {
+      return null;
+    }
+
+    public static String getContentCharSet(final HttpEntity entity) {
+      return null;
+    }
+
+    public static String getContentMimeType(final HttpEntity entity) {
+      return null;
+    }
+
+    public static String toString(
+            final HttpEntity entity, final Charset defaultCharset) throws IOException {
+      return null;
+    }
+
+    public static String toString(
+            final HttpEntity entity, final String defaultCharset) throws IOException {
+      return null;
+    }
+
+    public static String toString(final HttpEntity entity) throws IOException, ParseException {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/function/Supplier.java

@@ -0,0 +1,33 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.function;
+
+public interface Supplier<T> {
+    T get();
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/ClassicHttpRequest.java

@@ -0,0 +1,36 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * 'Classic' {@link HttpRequest} message that can enclose {@link HttpEntity}.
+ *
+ * @since 5.0
+ */
+public interface ClassicHttpRequest extends HttpRequest, HttpEntityContainer {
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/ClassicHttpResponse.java

@@ -0,0 +1,33 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+import java.io.Closeable;
+
+public interface ClassicHttpResponse extends HttpResponse, HttpEntityContainer, Closeable {
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/ContentType.java

@@ -0,0 +1,159 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+import java.io.Serializable;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.nio.charset.UnsupportedCharsetException;
+
+public final class ContentType implements Serializable {
+    public static final ContentType APPLICATION_ATOM_XML = null;
+
+    public static final ContentType APPLICATION_FORM_URLENCODED = null;
+
+    public static final ContentType APPLICATION_JSON = null;
+
+    public static final ContentType APPLICATION_NDJSON = null;
+
+    public static final ContentType APPLICATION_OCTET_STREAM = null;
+
+    public static final ContentType APPLICATION_PDF = null;
+
+    public static final ContentType APPLICATION_SOAP_XML = null;
+
+    public static final ContentType APPLICATION_SVG_XML = null;
+
+    public static final ContentType APPLICATION_XHTML_XML = null;
+
+    public static final ContentType APPLICATION_XML = null;
+
+    public static final ContentType APPLICATION_PROBLEM_JSON = null;
+
+    public static final ContentType APPLICATION_PROBLEM_XML = null;
+
+    public static final ContentType APPLICATION_RSS_XML = null;
+
+    public static final ContentType IMAGE_BMP = null;
+
+    public static final ContentType IMAGE_GIF = null;
+
+    public static final ContentType IMAGE_JPEG = null;
+
+    public static final ContentType IMAGE_PNG = null;
+
+    public static final ContentType IMAGE_SVG = null;
+
+    public static final ContentType IMAGE_TIFF = null;
+
+    public static final ContentType IMAGE_WEBP = null;
+
+    public static final ContentType MULTIPART_FORM_DATA = null;
+
+    public static final ContentType MULTIPART_MIXED = null;
+
+    public static final ContentType MULTIPART_RELATED = null;
+
+    public static final ContentType TEXT_HTML = null;
+
+    public static final ContentType TEXT_MARKDOWN = null;
+
+    public static final ContentType TEXT_PLAIN = null;
+
+    public static final ContentType TEXT_XML = null;
+
+    public static final ContentType TEXT_EVENT_STREAM = null;
+
+    public static final ContentType WILDCARD = null;
+
+    private static final NameValuePair[] EMPTY_NAME_VALUE_PAIR_ARRAY = new NameValuePair[0];
+
+    public String getMimeType() {
+      return null;
+    }
+
+    public Charset getCharset() {
+      return null;
+    }
+
+    public String getParameter(final String name) {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    public static ContentType create(final String mimeType, final Charset charset) {
+      return null;
+    }
+
+    public static ContentType create(final String mimeType) {
+      return null;
+    }
+
+    public static ContentType create(
+            final String mimeType, final String charset) throws UnsupportedCharsetException {
+      return null;
+    }
+
+    public static ContentType create(
+            final String mimeType, final NameValuePair... params) throws UnsupportedCharsetException {
+      return null;
+    }
+
+    public static ContentType parse(final CharSequence s) throws UnsupportedCharsetException {
+      return null;
+    }
+
+    public static ContentType parseLenient(final CharSequence s) throws UnsupportedCharsetException {
+      return null;
+    }
+
+    public static ContentType getByMimeType(final String mimeType) {
+      return null;
+    }
+
+    public ContentType withCharset(final Charset charset) {
+      return null;
+    }
+
+    public ContentType withCharset(final String charset) {
+      return null;
+    }
+
+    public ContentType withParameters(
+            final NameValuePair... params) throws UnsupportedCharsetException {
+      return null;
+    }
+
+    public boolean isSameMimeType(final ContentType contentType) {
+      return false;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/EntityDetails.java

@@ -0,0 +1,43 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+import java.util.Set;
+
+public interface EntityDetails {
+    long getContentLength();
+
+    String getContentType();
+
+    String getContentEncoding();
+
+    boolean isChunked();
+
+    Set<String> getTrailerNames();
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/Header.java

@@ -0,0 +1,39 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * Represents an HTTP header field consisting of a field name and a field
+ * value.
+ *
+ * @since 4.0
+ */
+public interface Header extends NameValuePair {
+    boolean isSensitive();
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/HttpEntity.java

@@ -0,0 +1,48 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.List;
+
+import org.apache.hc.core5.function.Supplier;
+
+public interface HttpEntity extends EntityDetails, Closeable {
+    boolean isRepeatable();
+
+    InputStream getContent() throws IOException, UnsupportedOperationException;
+
+    void writeTo(OutputStream outStream) throws IOException;
+
+    boolean isStreaming(); 
+    Supplier<List<? extends Header>> getTrailers();
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/HttpEntityContainer.java

@@ -0,0 +1,40 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * Contains an {@link HttpEntity}.
+ *
+ * @since 5.0
+ */
+public interface HttpEntityContainer {
+    HttpEntity getEntity();
+
+    void setEntity(HttpEntity entity);
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/HttpException.java

@@ -0,0 +1,48 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * Signals that an HTTP exception has occurred.
+ *
+ * @since 4.0
+ */
+public class HttpException extends Exception {
+    public HttpException() {
+    }
+
+    public HttpException(final String message) {
+    }
+
+    public HttpException(final String format, final Object... args) {
+    }
+
+    public HttpException(final String message, final Throwable cause) {
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/HttpMessage.java

@@ -0,0 +1,55 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * HTTP messages consist of requests from client to server and responses
+ * from server to client.
+ *
+ * @since 4.0
+ */
+public interface HttpMessage extends MessageHeaders {
+    void setVersion(ProtocolVersion version);
+
+    ProtocolVersion getVersion();
+
+    void addHeader(Header header);
+
+    void addHeader(String name, Object value);
+
+    void setHeader(Header header);
+
+    void setHeader(String name, Object value);
+
+    void setHeaders(Header... headers);
+
+    boolean removeHeader(Header header);
+
+    boolean removeHeaders(String name);
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/HttpRequest.java

@@ -0,0 +1,56 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import org.apache.hc.core5.net.URIAuthority;
+
+public interface HttpRequest extends HttpMessage {
+    String getMethod();
+
+    String getPath();
+
+    void setPath(String path);
+
+    String getScheme();
+
+    void setScheme(String scheme);
+
+    URIAuthority getAuthority();
+
+    void setAuthority(URIAuthority authority);
+
+    String getRequestUri();
+
+    URI getUri() throws URISyntaxException;
+
+    void setUri(final URI requestUri);
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/HttpResponse.java

@@ -0,0 +1,45 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+import java.util.Locale;
+
+public interface HttpResponse extends HttpMessage {
+    int getCode();
+
+    void setCode(int code);
+
+    String getReasonPhrase();
+
+    void setReasonPhrase(String reason);
+
+    Locale getLocale();
+
+    void setLocale(Locale loc);
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/MessageHeaders.java

@@ -0,0 +1,51 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+import java.util.Iterator;
+
+public interface MessageHeaders {
+    boolean containsHeader(String name);
+
+    int countHeaders(String name);
+
+    Header getFirstHeader(String name);
+
+    Header getHeader(String name) throws ProtocolException;
+
+    Header[] getHeaders();
+
+    Header[] getHeaders(String name);
+
+    Header getLastHeader(String name);
+
+    Iterator<Header> headerIterator();
+
+    Iterator<Header> headerIterator(String name);
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/NameValuePair.java

@@ -0,0 +1,40 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * A name-value pair parameter used as an element of HTTP messages.
+ *
+ * @since 4.0
+ */
+public interface NameValuePair {
+    String getName();
+
+    String getValue();
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/ParseException.java

@@ -0,0 +1,52 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * Signals a protocol exception due to failure to parse a message element.
+ *
+ * @since 4.0
+ */
+public class ParseException extends ProtocolException {
+    public ParseException() {
+    }
+
+    public ParseException(final String message) {
+    }
+
+    public ParseException(final String description, final CharSequence text, final int off, final int len, final int errorOffset) {
+    }
+
+    public ParseException(final String description, final CharSequence text, final int off, final int len) {
+    }
+
+    public int getErrorOffset() {
+      return 0;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/ProtocolException.java

@@ -0,0 +1,49 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+/**
+ * Signals that an HTTP protocol violation has occurred.
+ * For example a malformed status line or headers, a missing message body, etc.
+ *
+ * @since 4.0
+ */
+public class ProtocolException extends HttpException {
+    public ProtocolException() {
+    }
+
+    public ProtocolException(final String message) {
+    }
+
+    public ProtocolException(final String format, final Object... args) {
+    }
+
+    public ProtocolException(final String message, final Throwable cause) {
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/ProtocolVersion.java

@@ -0,0 +1,87 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http;
+
+import java.io.Serializable;
+
+public class ProtocolVersion implements Serializable {
+    public ProtocolVersion(final String protocol, final int major, final int minor) {
+    }
+
+    public final String getProtocol() {
+      return null;
+    }
+
+    public final int getMajor() {
+      return 0;
+    }
+
+    public final int getMinor() {
+      return 0;
+    }
+
+    @Override
+    public final int hashCode() {
+      return 0;
+    }
+
+    public final boolean equals(final int major, final int minor) {
+      return false;
+    }
+
+    @Override
+    public final boolean equals(final Object obj) {
+      return false;
+    }
+
+    public String format() {
+      return null;
+    }
+
+    public boolean isComparable(final ProtocolVersion that) {
+      return false;
+    }
+
+    public int compareToVersion(final ProtocolVersion that) {
+      return 0;
+    }
+
+    public final boolean greaterEquals(final ProtocolVersion version) {
+      return false;
+    }
+
+    public final boolean lessEquals(final ProtocolVersion version) {
+      return false;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/HttpRequestHandler.java

@@ -0,0 +1,41 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.io;
+
+import java.io.IOException;
+
+import org.apache.hc.core5.http.ClassicHttpRequest;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.HttpException;
+import org.apache.hc.core5.http.protocol.HttpContext;
+
+public interface HttpRequestHandler {
+    void handle(ClassicHttpRequest request, ClassicHttpResponse response, HttpContext context)
+            throws HttpException, IOException;
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/HttpServerRequestHandler.java

@@ -0,0 +1,46 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.hc.core5.http.io;
+import java.io.IOException;
+import org.apache.hc.core5.http.ClassicHttpRequest;
+import org.apache.hc.core5.http.ClassicHttpResponse;
+import org.apache.hc.core5.http.HttpException;
+import org.apache.hc.core5.http.protocol.HttpContext;
+
+public interface HttpServerRequestHandler {
+    interface ResponseTrigger {
+        void sendInformation(ClassicHttpResponse response) throws HttpException, IOException;
+
+        void submitResponse(ClassicHttpResponse response) throws HttpException, IOException;
+
+    }
+    void handle(
+            ClassicHttpRequest request,
+            ResponseTrigger responseTrigger,
+            HttpContext context) throws HttpException, IOException;
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/entity/AbstractHttpEntity.java

@@ -0,0 +1,86 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.io.entity;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.hc.core5.function.Supplier;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.Header;
+import org.apache.hc.core5.http.HttpEntity;
+import org.apache.hc.core5.util.Args;
+
+public abstract class AbstractHttpEntity implements HttpEntity {
+    public static void writeTo(final HttpEntity entity, final OutputStream outStream) throws IOException {
+    }
+
+    @Override
+    public void writeTo(final OutputStream outStream) throws IOException {
+    }
+
+    @Override
+    public final String getContentType() {
+      return null;
+    }
+
+    @Override
+    public final String getContentEncoding() {
+      return null;
+    }
+
+    @Override
+    public final boolean isChunked() {
+      return false;
+    }
+
+    @Override
+    public boolean isRepeatable() {
+      return false;
+    }
+
+    @Override
+    public Supplier<List<? extends Header>> getTrailers() {
+      return null;
+    }
+
+    @Override
+    public Set<String> getTrailerNames() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/entity/ByteArrayEntity.java

@@ -0,0 +1,92 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.io.entity;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import org.apache.hc.core5.http.ContentType;
+
+public class ByteArrayEntity extends AbstractHttpEntity {
+    public ByteArrayEntity(
+            final byte[] b, final int off, final int len, final ContentType contentType, final String contentEncoding,
+            final boolean chunked) {
+    }
+
+    public ByteArrayEntity(
+            final byte[] b, final int off, final int len, final ContentType contentType, final String contentEncoding) {
+    }
+
+    public ByteArrayEntity(
+            final byte[] b, final ContentType contentType, final String contentEncoding, final boolean chunked) {
+    }
+
+    public ByteArrayEntity(final byte[] b, final ContentType contentType, final String contentEncoding) {
+    }
+
+    public ByteArrayEntity(final byte[] b, final ContentType contentType, final boolean chunked) {
+    }
+
+    public ByteArrayEntity(final byte[] b, final ContentType contentType) {
+    }
+
+    public ByteArrayEntity(
+            final byte[] b, final int off, final int len, final ContentType contentType,  final boolean chunked) {
+    }
+
+    public ByteArrayEntity(final byte[] b, final int off, final int len, final ContentType contentType) {
+    }
+
+    @Override
+    public final boolean isRepeatable() {
+      return false;
+    }
+
+    @Override
+    public final long getContentLength() {
+      return 0;
+    }
+
+    @Override
+    public final InputStream getContent() {
+      return null;
+    }
+
+    @Override
+    public final void writeTo(final OutputStream outStream) throws IOException {
+    }
+
+    @Override
+    public final boolean isStreaming() {
+      return false;
+    }
+
+    @Override
+    public final void close() throws IOException {
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/entity/ByteBufferEntity.java

@@ -0,0 +1,65 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.io.entity;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.ByteBuffer;
+import org.apache.hc.core5.http.ContentType;
+
+public class ByteBufferEntity extends AbstractHttpEntity {
+    public ByteBufferEntity(final ByteBuffer buffer, final ContentType contentType, final String contentEncoding) {
+    }
+
+    public ByteBufferEntity(final ByteBuffer buffer, final ContentType contentType) {
+    }
+
+    @Override
+    public final boolean isRepeatable() {
+      return false;
+    }
+
+    @Override
+    public final long getContentLength() {
+      return 0;
+    }
+
+    @Override
+    public final InputStream getContent() throws IOException, UnsupportedOperationException {
+      return null;
+    }
+
+    @Override
+    public final boolean isStreaming() {
+      return false;
+    }
+
+    @Override
+    public final void close() throws IOException {
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/entity/EntityUtils.java

@@ -0,0 +1,89 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.io.entity;
+
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.List;
+
+import org.apache.hc.core5.http.HttpEntity;
+import org.apache.hc.core5.http.NameValuePair;
+import org.apache.hc.core5.http.ParseException;
+
+public final class EntityUtils {
+    public static void consumeQuietly(final HttpEntity entity) {
+    }
+
+    public static void consume(final HttpEntity entity) throws IOException {
+    }
+
+    public static byte[] toByteArray(final HttpEntity entity) throws IOException {
+      return null;
+    }
+
+    public static byte[] toByteArray(final HttpEntity entity, final int maxResultLength) throws IOException {
+      return null;
+    }
+
+    public static String toString(
+            final HttpEntity entity, final Charset defaultCharset) throws IOException, ParseException {
+      return null;
+    }
+
+    public static String toString(
+            final HttpEntity entity, final Charset defaultCharset, final int maxResultLength) throws IOException, ParseException {
+      return null;
+    }
+
+    public static String toString(
+            final HttpEntity entity, final String defaultCharset) throws IOException, ParseException {
+      return null;
+    }
+
+    public static String toString(
+            final HttpEntity entity, final String defaultCharset, final int maxResultLength) throws IOException, ParseException {
+      return null;
+    }
+
+    public static String toString(final HttpEntity entity) throws IOException, ParseException {
+      return null;
+    }
+
+    public static String toString(final HttpEntity entity, final int maxResultLength) throws IOException, ParseException {
+      return null;
+    }
+
+    public static List<NameValuePair> parse(final HttpEntity entity) throws IOException {
+      return null;
+    }
+
+    public static List<NameValuePair> parse(final HttpEntity entity, final int maxStreamLength) throws IOException {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/entity/HttpEntities.java

@@ -0,0 +1,152 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.io.entity;
+import java.io.File;
+import java.io.OutputStream;
+import java.io.Serializable;
+import java.nio.charset.Charset;
+import java.nio.file.Path;
+import org.apache.hc.core5.http.ContentType;
+import org.apache.hc.core5.http.Header;
+import org.apache.hc.core5.http.HttpEntity;
+import org.apache.hc.core5.http.NameValuePair;
+import org.apache.hc.core5.io.IOCallback;
+
+public final class HttpEntities {
+    public static HttpEntity create(final String content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity create(final String content, final Charset charset) {
+      return null;
+    }
+
+    public static HttpEntity create(final String content) {
+      return null;
+    }
+
+    public static HttpEntity create(final byte[] content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity create(final File content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity create(final Serializable serializable, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity createUrlEncoded(
+            final Iterable <? extends NameValuePair> parameters, final Charset charset) {
+      return null;
+    }
+
+    public static HttpEntity create(final IOCallback<OutputStream> callback, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity gzip(final HttpEntity entity) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final String content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final String content, final Charset charset) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final String content) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final byte[] content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final File content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final Serializable serializable, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final IOCallback<OutputStream> callback, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity createGzipped(final Path content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity withTrailers(final HttpEntity entity, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(final String content, final ContentType contentType, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(final String content, final Charset charset, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(final String content, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(final byte[] content, final ContentType contentType, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(final File content, final ContentType contentType, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(
+            final Serializable serializable, final ContentType contentType, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(
+            final IOCallback<OutputStream> callback, final ContentType contentType, final Header... trailers) {
+      return null;
+    }
+
+    public static HttpEntity create(final Path content, final ContentType contentType) {
+      return null;
+    }
+
+    public static HttpEntity create(final Path content, final ContentType contentType, final Header... trailers) {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/io/entity/StringEntity.java

@@ -0,0 +1,83 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.io.entity;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.nio.charset.Charset;
+import org.apache.hc.core5.http.ContentType;
+
+public class StringEntity extends AbstractHttpEntity {
+    public StringEntity(
+            final String string, final ContentType contentType, final String contentEncoding, final boolean chunked) {
+    }
+
+    public StringEntity(final String string, final ContentType contentType, final boolean chunked) {
+    }
+
+    public StringEntity(final String string, final ContentType contentType) {
+    }
+
+    public StringEntity(final String string, final Charset charset) {
+    }
+
+    public StringEntity(final String string, final Charset charset, final boolean chunked) {
+    }
+
+    public StringEntity(final String string) {
+    }
+
+    @Override
+    public final boolean isRepeatable() {
+      return false;
+    }
+
+    @Override
+    public final long getContentLength() {
+      return 0;
+    }
+
+    @Override
+    public final InputStream getContent() throws IOException {
+      return null;
+    }
+
+    @Override
+    public final void writeTo(final OutputStream outStream) throws IOException {
+    }
+
+    @Override
+    public final boolean isStreaming() {
+      return false;
+    }
+
+    @Override
+    public final void close() throws IOException {
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/message/BasicHeader.java

@@ -0,0 +1,59 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.message;
+import java.io.Serializable;
+import org.apache.hc.core5.http.Header;
+
+public class BasicHeader implements Header, Cloneable, Serializable {
+    public BasicHeader(final String name, final Object value) {
+    }
+
+    public BasicHeader(final String name, final Object value, final boolean sensitive) {
+    }
+
+    @Override
+    public String getName() {
+      return null;
+    }
+
+    @Override
+    public String getValue() {
+      return null;
+    }
+
+    @Override
+    public boolean isSensitive() {
+      return false;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/message/RequestLine.java

@@ -0,0 +1,61 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.message;
+
+import java.io.Serializable;
+
+import org.apache.hc.core5.http.HttpRequest;
+import org.apache.hc.core5.http.ProtocolVersion;
+
+public final class RequestLine implements Serializable {
+    public RequestLine(final HttpRequest request) {
+    }
+
+    public RequestLine(final String method,
+                       final String uri,
+                       final ProtocolVersion version) {
+    }
+
+    public String getMethod() {
+      return null;
+    }
+
+    public ProtocolVersion getProtocolVersion() {
+      return null;
+    }
+
+    public String getUri() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/http/protocol/HttpContext.java

@@ -0,0 +1,42 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.http.protocol;
+import org.apache.hc.core5.http.ProtocolVersion;
+
+public interface HttpContext {
+    ProtocolVersion getProtocolVersion();
+
+    void setProtocolVersion(ProtocolVersion version);
+
+    Object getAttribute(String id);
+
+    Object setAttribute(String id, Object obj);
+
+    Object removeAttribute(String id);
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/io/IOCallback.java

@@ -0,0 +1,34 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.io;
+import java.io.IOException;
+
+public interface IOCallback<T> {
+    void execute(T object) throws IOException;
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/net/URIAuthority.java

@@ -0,0 +1,55 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.net;
+
+public final class URIAuthority {
+    public String getUserInfo() {
+      return null;
+    }
+
+    public String getHostName() {
+      return null;
+    }
+
+    public int getPort() {
+      return 0;
+    }
+
+    public String toString() {
+      return null;
+    }
+
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    public int hashCode() {
+      return 0;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/util/Args.java

@@ -0,0 +1,93 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.util;
+
+import org.apache.hc.core5.http.EntityDetails;
+
+import java.util.Collection;
+
+public class Args {
+    public static void check(final boolean expression, final String message) {
+    }
+
+    public static void check(final boolean expression, final String message, final Object... args) {
+    }
+
+    public static void check(final boolean expression, final String message, final Object arg) {
+    }
+
+    public static long checkContentLength(final EntityDetails entityDetails) {
+      return 0;
+    }
+
+    public static int checkRange(final int value, final int lowInclusive, final int highInclusive,
+                    final String message) {
+      return 0;
+    }
+
+    public static long checkRange(final long value, final long lowInclusive, final long highInclusive,
+                    final String message) {
+      return 0;
+    }
+
+    public static <T extends CharSequence> T containsNoBlanks(final T argument, final String name) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T notBlank(final T argument, final String name) {
+      return null;
+    }
+
+    public static <T extends CharSequence> T notEmpty(final T argument, final String name) {
+      return null;
+    }
+
+    public static <E, T extends Collection<E>> T notEmpty(final T argument, final String name) {
+      return null;
+    }
+
+    public static int notNegative(final int n, final String name) {
+      return 0;
+    }
+
+    public static long notNegative(final long n, final String name) {
+      return 0;
+    }
+
+    public static <T> T notNull(final T argument, final String name) {
+      return null;
+    }
+
+    public static int positive(final int n, final String name) {
+      return 0;
+    }
+
+    public static long positive(final long n, final String name) {
+      return 0;
+    }
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/util/ByteArrayBuffer.java

@@ -0,0 +1,97 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.util;
+
+import java.io.Serializable;
+import java.nio.ByteBuffer;
+
+public final class ByteArrayBuffer implements Serializable {
+    public ByteArrayBuffer(final int capacity) {
+    }
+
+    public void append(final byte[] b, final int off, final int len) {
+    }
+
+    public void append(final int b) {
+    }
+
+    public void append(final char[] b, final int off, final int len) {
+    }
+
+    public void append(final CharArrayBuffer b, final int off, final int len) {
+    }
+
+    public void append(final ByteBuffer buffer) {
+    }
+
+    public void clear() {
+    }
+
+    public byte[] toByteArray() {
+      return null;
+    }
+
+    public int byteAt(final int i) {
+      return 0;
+    }
+
+    public int capacity() {
+      return 0;
+    }
+
+    public int length() {
+      return 0;
+    }
+
+    public void ensureCapacity(final int required) {
+    }
+
+    public byte[] array() {
+      return null;
+    }
+
+    public void setLength(final int len) {
+    }
+
+    public boolean isEmpty() {
+      return false;
+    }
+
+    public boolean isFull() {
+      return false;
+    }
+
+    public int indexOf(final byte b, final int from, final int to) {
+      return 0;
+    }
+
+    public int indexOf(final byte b) {
+      return 0;
+    }
+
+}

java/ql/test/stubs/apache-http-5/org/apache/hc/core5/util/CharArrayBuffer.java

@@ -0,0 +1,125 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation.  For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.hc.core5.util;
+
+import java.io.Serializable;
+
+public final class CharArrayBuffer implements CharSequence, Serializable {
+    public CharArrayBuffer(final int capacity) {
+    }
+
+    public void append(final char[] b, final int off, final int len) {
+    }
+
+    public void append(final String str) {
+    }
+
+    public void append(final CharArrayBuffer b, final int off, final int len) {
+    }
+
+    public void append(final CharArrayBuffer b) {
+    }
+
+    public void append(final char ch) {
+    }
+
+    public void append(final byte[] b, final int off, final int len) {
+    }
+
+    public void append(final ByteArrayBuffer b, final int off, final int len) {
+    }
+
+    public void append(final Object obj) {
+    }
+
+    public void clear() {
+    }
+
+    public char[] toCharArray() {
+      return null;
+    }
+
+    @Override
+    public char charAt(final int i) {
+      return 0;
+    }
+
+    public char[] array() {
+      return null;
+    }
+
+    public int capacity() {
+      return 0;
+    }
+
+    @Override
+    public int length() {
+      return 0;
+    }
+
+    public void ensureCapacity(final int required) {
+    }
+
+    public void setLength(final int len) {
+    }
+
+    public boolean isEmpty() {
+      return false;
+    }
+
+    public boolean isFull() {
+      return false;
+    }
+
+    public int indexOf(final int ch, final int from, final int to) {
+      return 0;
+    }
+
+    public int indexOf(final int ch) {
+      return 0;
+    }
+
+    public String substring(final int beginIndex, final int endIndex) {
+      return null;
+    }
+
+    public String substringTrimmed(final int beginIndex, final int endIndex) {
+      return null;
+    }
+
+    @Override
+    public CharSequence subSequence(final int beginIndex, final int endIndex) {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}