update alert-messsages of java queries
@@ -34,6 +34,6 @@ where
|
||||
bean1.getBeanIdentifier() < bean2.getBeanIdentifier() and
|
||||
bean1 != bean2
|
||||
select bean1,
|
||||
"Bean $@ has " + similarProps.toString() +
|
||||
"This bean has " + similarProps.toString() +
|
||||
" properties similar to $@. Consider introducing a common parent bean for these two beans.",
|
||||
bean1, bean1.getBeanIdentifier(), bean2, bean2.getBeanIdentifier()
|
||||
bean2, bean2.getBeanIdentifier()
|
||||
|
||||
@@ -26,5 +26,4 @@ class ParentBean extends SpringBean {
|
||||
|
||||
from ParentBean parent
|
||||
where parent.getDeclaredClass().isAbstract()
|
||||
select parent, "Parent bean $@ should not have an abstract class.", parent,
|
||||
parent.getBeanIdentifier()
|
||||
select parent, "This parent bean should not have an abstract class."
|
||||
|
||||
@@ -21,10 +21,11 @@ where
|
||||
e = clearlyNotNullExpr(reason) and
|
||||
(
|
||||
if reason instanceof Guard
|
||||
then msg = "This check is useless, $@ cannot be null here, since it is guarded by $@."
|
||||
then msg = "This check is useless. $@ cannot be null at this check, since it is guarded by $@."
|
||||
else
|
||||
if reason != e
|
||||
then msg = "This check is useless, $@ cannot be null here, since $@ always is non-null."
|
||||
then
|
||||
msg = "This check is useless. $@ cannot be null at this check, since $@ always is non-null."
|
||||
else msg = "This check is useless, since $@ always is non-null."
|
||||
)
|
||||
select guard, msg, e, e.toString(), reason, reason.toString()
|
||||
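Review bot: The final branch, `else msg = "This check is useless, since $@ always is non-null."`, keeps the old comma form while the two branches above it now open with "This check is useless." as its own sentence, so the three alerts no longer read alike. That branch also has a single `$@` while the `select` still passes two element/text pairs (`e, e.toString(), reason, reason.toString()`). This is only coherent if `reason = e` on that path, which the `if reason != e` test suggests. A comment such as `// reason = e on this branch, so one placeholder is enough` would record that. The `where` clause starts outside the hunk.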
|
||||
@@ -72,5 +72,5 @@ where
|
||||
remove.getCallee().hasName("remove") and
|
||||
iterOfSpecialCollection(remove.getQualifier(), scc)
|
||||
select remove,
|
||||
"This call may fail when iterating over the collection created $@, since it does not support element removal.",
|
||||
scc, "here"
|
||||
"This call may fail when iterating over $@, since it does not support element removal.", scc,
|
||||
"the collection"
|
||||
|
||||
@@ -77,4 +77,4 @@ where
|
||||
// Exclude `equals` methods that implement reference-equality.
|
||||
not m instanceof ReferenceEquals and
|
||||
not m instanceof UnimplementedEquals
|
||||
select m, "equals() method does not check argument type."
|
||||
select m, "This 'equals()' method does not check argument type."
|
||||
|
||||
@@ -21,4 +21,4 @@ where
|
||||
eq.getAnOperand() = f.getAnAccess() and nanField(f) and f.getDeclaringType().hasName(classname)
|
||||
select eq,
|
||||
"This comparison will always yield the same result since 'NaN != NaN'. Consider using " +
|
||||
classname + ".isNaN instead"
|
||||
classname + ".isNaN instead."
|
||||
|
||||
@@ -23,4 +23,4 @@ where
|
||||
ma.getEnclosingStmt().getEnclosingStmt*() instanceof SynchronizedStmt or
|
||||
ma.getEnclosingCallable().isSynchronized()
|
||||
)
|
||||
select ma, "sleep() with lock held."
|
||||
select ma, "This calls 'Thread.sleep()' with a lock held."
|
||||
|
||||
@@ -27,4 +27,4 @@ where
|
||||
ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Object") and
|
||||
ma.getEnclosingStmt().getEnclosingStmt*() = synch and
|
||||
synch.getEnclosingStmt+() instanceof Synched
|
||||
select ma, "wait() with two locks held."
|
||||
select ma, "This calls 'Object.wait()' with two locks held."
|
||||
|
||||
@@ -46,5 +46,5 @@ predicate contradictoryTypeCheck(Expr e, Variable v, RefType t, RefType sup, Exp
|
||||
|
||||
from Expr e, Variable v, RefType t, RefType sup, Expr cond
|
||||
where contradictoryTypeCheck(e, v, t, sup, cond)
|
||||
select e, "Variable $@ cannot be of type $@ here, since $@ ensures that it is not of type $@.", v,
|
||||
select e, "This access of $@ cannot be of type $@, since $@ ensures that it is not of type $@.", v,
|
||||
v.getName(), t, t.getName(), cond, "this expression", sup, sup.getName()
|
||||
|
||||
@@ -45,5 +45,4 @@ predicate sameVariable(VarAccess left, VarAccess right) {
|
||||
from AssignExpr assign
|
||||
where sameVariable(assign.getDest(), assign.getSource())
|
||||
select assign,
|
||||
"This assigns the variable " + assign.getDest().(VarAccess).getVariable().getName() +
|
||||
" to itself and has no effect."
|
||||
"This expression assigns " + assign.getDest().(VarAccess).getVariable().getName() + " to itself."
|
||||
|
||||
@@ -17,4 +17,5 @@ private import semmle.code.java.dataflow.Nullness
|
||||
|
||||
from VarAccess access, SsaSourceVariable var
|
||||
where alwaysNullDeref(var, access)
|
||||
select access, "Variable $@ is always null here.", var.getVariable(), var.getVariable().getName()
|
||||
select access, "Variable $@ is always null at this access.", var.getVariable(),
|
||||
var.getVariable().getName()
|
||||
|
||||
@@ -24,5 +24,5 @@ where
|
||||
not alwaysNullDeref(var, access) and
|
||||
// Kotlin enforces this already:
|
||||
not access.getLocation().getFile().isKotlinSourceFile()
|
||||
select access, "Variable $@ may be null here " + msg + ".", var.getVariable(),
|
||||
select access, "Variable $@ may be null at this access " + msg + ".", var.getVariable(),
|
||||
var.getVariable().getName(), reason, "this"
|
||||
|
||||
@@ -22,4 +22,4 @@ where
|
||||
not f.getType().hasName("long")
|
||||
) and
|
||||
f.getDeclaringType().getAStrictAncestor() instanceof TypeSerializable
|
||||
select f, "serialVersionUID should be final, static, and of type long."
|
||||
select f, "'serialVersionUID' should be final, static, and of type long."
|
||||
|
||||
@@ -36,5 +36,5 @@ where
|
||||
// This is the case is some dummy implementations.
|
||||
exists(MethodAccess ma | ma.getEnclosingCallable() = m | ma.getMethod().getName() = "write")
|
||||
select c,
|
||||
"This class extends java.io.OutputStream and implements $@, but does not override write(byte[],int,int)",
|
||||
"This class extends 'java.io.OutputStream' and implements $@, but does not override 'write(byte[],int,int)'.",
|
||||
m, m.getName()
|
||||
|
||||
@@ -70,5 +70,5 @@ DataFlow::Node getReportingNode(DataFlow::Node sink) {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select getReportingNode(sink.getNode()), source, sink, "$@ flows to here and is used in a path.",
|
||||
source.getNode(), "User-provided value"
|
||||
select getReportingNode(sink.getNode()), source, sink, "This path depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -41,5 +41,4 @@ where
|
||||
e = p.getAnInput() and
|
||||
conf.hasFlowPath(source, sink) and
|
||||
not guarded(e)
|
||||
select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(),
|
||||
"User-provided value"
|
||||
select p, source, sink, "This path depends on a $@.", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -13,4 +13,4 @@
|
||||
import semmle.code.java.security.PartialPathTraversal
|
||||
|
||||
from PartialPathTraversalMethodAccess ma
|
||||
select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal"
|
||||
select ma, "Partial Path Traversal Vulnerability due to insufficient guard against path traversal."
|
||||
|
||||
@@ -16,4 +16,5 @@ import DataFlow::PathGraph
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where any(PartialPathTraversalFromRemoteConfig config).hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Partial Path Traversal Vulnerability due to insufficient guard against path traversal from user-supplied data"
|
||||
"Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@.",
|
||||
source, "user-supplied data"
|
||||
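Review bot: The new placeholder is bound to `source` (the `PathNode`) with the link text "user-supplied data", whereas the other path queries touched by this commit bind `source.getNode()` and use "user-provided value". Unless the difference is deliberate, `source.getNode(), "user-provided value"` would keep the link target and wording uniform across the injection queries. The same applies to the constraint-message hunk, which ends in `source, "user-provided value"`. The title-case "Partial Path Traversal Vulnerability" also stands out against the sentence-style messages introduced elsewhere in this commit.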
|
||||
@@ -20,5 +20,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg
|
||||
where execTainted(source, sink, execArg)
|
||||
select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
|
||||
"User-provided value"
|
||||
select execArg, source, sink, "Command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -38,5 +38,5 @@ from
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg,
|
||||
LocalUserInputToArgumentToExecFlowConfig conf
|
||||
where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg
|
||||
select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
|
||||
"User-provided value"
|
||||
select execArg, source, sink, "Command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -34,5 +34,5 @@ class XssConfig extends TaintTracking::Configuration {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, XssConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
|
||||
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -19,5 +19,4 @@ import DataFlow::PathGraph
|
||||
|
||||
from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where queryTaintedBy(query, source, sink)
|
||||
select query, source, sink, "This SQL query depends on $@.", source.getNode(),
|
||||
"a user-provided value"
|
||||
select query, source, sink, "This query depends on a $@.", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -36,5 +36,5 @@ class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configurat
|
||||
from
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Query might include code from $@.", source.getNode(),
|
||||
"this user input"
|
||||
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -18,5 +18,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, LdapInjectionFlowConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "LDAP query might include code from $@.", source.getNode(),
|
||||
"this user input"
|
||||
select sink.getNode(), source, sink, "LDAP query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, GroovyInjectionConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Groovy Injection from $@.", source.getNode(),
|
||||
"this user input"
|
||||
select sink.getNode(), source, sink, "Groovy script depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -80,5 +80,5 @@ where
|
||||
exists(SetMessageInterpolatorCall c | not c.isSafe())
|
||||
) and
|
||||
cfg.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Custom constraint error message contains unsanitized user data"
|
||||
select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
|
||||
source, "user-provided value"
|
||||
|
||||
@@ -17,4 +17,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"
|
||||
select sink.getNode(), source, sink, "JEXL expression depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,4 +17,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, MvelInjectionFlowConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "MVEL injection from $@.", source.getNode(), "this user input"
|
||||
select sink.getNode(), source, sink, "MVEL expression depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -18,4 +18,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, SpelInjectionConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "SpEL injection from $@.", source.getNode(), "this user input"
|
||||
select sink.getNode(), source, sink, "SpEL expression depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from TemplateInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where config.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
|
||||
source.getNode(), "a template value loaded from a remote source."
|
||||
select sink.getNode(), source, sink, "Template, which may contain code, depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -47,5 +47,6 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.",
|
||||
select sink.getNode(), source, sink,
|
||||
"This header depends on a $@, which may cause a response-splitting vulnerability.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -31,5 +31,6 @@ class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingLocalConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.",
|
||||
select sink.getNode(), source, sink,
|
||||
"This header depends on a $@, which may cause a response-splitting vulnerability.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
select source.getNode(), source, sink, "This user-provided value flows to a $@.", sink.getNode(),
|
||||
"log entry"
|
||||
select sink.getNode(), source, sink, "Log entry depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
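Review bot: The first `select` column changes from `source.getNode()` to `sink.getNode()`, so this is more than a wording update: the alert now lands on the log call instead of on the input. Results that were already triaged or dismissed at the old location will probably show up again as new alerts, and expected-output files for the query's tests (not visible here) would need regenerating. Reporting at the sink matches the other injection queries, so the change is reasonable, but it needs a change note and a short comment above the `select`, e.g. `// Report at the sink: the log call is where sanitisation has to happen.`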
|
||||
@@ -33,5 +33,5 @@ where
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
any(Conf conf).hasFlowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"The $@ is accessed here, but the array is initialized using $@ which may be zero.",
|
||||
arrayCreation, "array", source.getNode(), "User-provided value"
|
||||
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
|
||||
"array", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -38,5 +38,5 @@ where
|
||||
boundedsource = source.getNode() and
|
||||
any(BoundedFlowSourceConf conf).hasFlowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"The $@ is accessed here, but the array is initialized using $@ which may be zero.",
|
||||
arrayCreation, "array", boundedsource, boundedsource.getDescription().toLowerCase()
|
||||
"This accesses the $@, but the array is initialized using $@ which may be zero.", arrayCreation,
|
||||
"array", boundedsource, boundedsource.getDescription().toLowerCase()
|
||||
|
||||
@@ -34,5 +34,5 @@ where
|
||||
sizeExpr = sink.getNode().asExpr() and
|
||||
any(Conf conf).hasFlowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"The $@ is accessed here, but the array is initialized using $@ which may be zero.",
|
||||
arrayCreation, "array", source.getNode(), "User-provided value"
|
||||
"This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
|
||||
"array", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -32,5 +32,5 @@ where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
any(Conf conf).hasFlowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.",
|
||||
source.getNode(), "User-provided value"
|
||||
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -31,5 +31,5 @@ where
|
||||
arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
|
||||
any(Conf conf).hasFlowPath(source, sink)
|
||||
select arrayAccess.getIndexExpr(), source, sink,
|
||||
"$@ flows to here and is used as an index causing an ArrayIndexOutOfBoundsException.",
|
||||
source.getNode(), "User-provided value"
|
||||
"This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -33,5 +33,5 @@ from
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
|
||||
ExternallyControlledFormatStringConfig conf
|
||||
where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
|
||||
select formatCall.getFormatArgument(), source, sink,
|
||||
"$@ flows to here and is used in a format string.", source.getNode(), "User-provided value"
|
||||
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -31,5 +31,5 @@ from
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink, StringFormat formatCall,
|
||||
ExternallyControlledFormatStringLocalConfig conf
|
||||
where conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = formatCall.getFormatArgument()
|
||||
select formatCall.getFormatArgument(), source, sink,
|
||||
"$@ flows to here and is used in a format string.", source.getNode(), "User-provided value"
|
||||
select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -47,5 +47,5 @@ where
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
source.getNode(), "User-provided value"
|
||||
"This arithmetic expression depends on a $@, potentially causing an " + effect + ".",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -47,5 +47,5 @@ where
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
source.getNode(), "User-provided value"
|
||||
"This arithmetic expression depends on a $@, potentially causing an " + effect + ".",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -55,5 +55,5 @@ where
|
||||
underflowSink(exp, sink.getNode().asExpr()) and
|
||||
effect = "underflow"
|
||||
select exp, source, sink,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
source.getNode(), "Uncontrolled value"
|
||||
"This arithmetic expression depends on a $@, potentially causing an " + effect + ".",
|
||||
source.getNode(), "uncontrolled value"
|
||||
|
||||
@@ -20,5 +20,6 @@ import DataFlow::PathGraph
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where any(IntentUriPermissionManipulationConf c).hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This Intent can be set with arbitrary flags from $@, " +
|
||||
"and used to give access to internal content providers.", source.getNode(), "this user input"
|
||||
"This Intent can be set with arbitrary flags from a $@, " +
|
||||
"and used to give access to internal content providers.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -17,5 +17,6 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
|
||||
select sink, source, sink, "This $@, which is defined $@ and trusts any certificate, is used here.",
|
||||
source, "TrustManager", source.getNode().asExpr().(ClassInstanceExpr).getConstructedType(), "here"
|
||||
select sink, source, sink, "This uses $@, which is defined in $@ and trusts any certificate.",
|
||||
source, "TrustManager",
|
||||
source.getNode().asExpr().(ClassInstanceExpr).getConstructedType() as type, type.nestedName()
|
||||
|
||||
@@ -21,4 +21,4 @@ where
|
||||
isInsecureMailPropertyConfig(ma.getArgument(0).(VarAccess).getVariable())
|
||||
or
|
||||
enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier().(VarAccess).getVariable())
|
||||
select ma, "Java mailing has insecure SSL configuration"
|
||||
select ma, "Java mailing has insecure SSL configuration."
|
||||
|
||||
@@ -121,5 +121,5 @@ where
|
||||
not isNodeGuardedByFlag(sink.getNode()) and
|
||||
verifier = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
|
||||
select sink, source, sink,
|
||||
"$@ that is defined $@ and accepts any certificate as valid, is used here.", source,
|
||||
"This hostname verifier", verifier, "here"
|
||||
"The $@ defined by $@ always accepts any certificate, even if the hostname does not match.",
|
||||
source, "hostname verifier", verifier, "this type"
|
||||
|
||||
@@ -20,5 +20,5 @@ where
|
||||
input = s.getAnInput() and
|
||||
store = s.getAStore() and
|
||||
data.flowsTo(input)
|
||||
select store, "SQLite database $@ containing $@ is stored $@. Data was added $@.", s, s.toString(),
|
||||
data, "sensitive data", store, "here", input, "here"
|
||||
select store, "This stores data in a SQLite database $@ containing $@ which was $@.", s,
|
||||
s.toString(), data, "sensitive data", input, "previously added"
|
||||
|
||||
@@ -20,5 +20,5 @@ where
|
||||
input = s.getAnInput() and
|
||||
store = s.getAStore() and
|
||||
data.flowsTo(input)
|
||||
select store, "Local file $@ containing $@ is stored $@. Data was added $@.", s, s.toString(), data,
|
||||
"sensitive data", store, "here", input, "here"
|
||||
select store, "This stores the local file $@ containing $@ which was $@.", s, s.toString(), data,
|
||||
"sensitive data", input, "previously added"
|
||||
|
||||
@@ -19,5 +19,5 @@ where
|
||||
input = s.getAnInput() and
|
||||
store = s.getAStore() and
|
||||
data.flowsTo(input)
|
||||
select store, "Storable class $@ containing $@ is stored here. Data was added $@.", s, s.toString(),
|
||||
data, "sensitive data", input, "here"
|
||||
select store, "This stores the storable class $@ containing $@ which was $@.", s, s.toString(),
|
||||
data, "sensitive data", input, "previously added"
|
||||
|
||||
@@ -18,5 +18,5 @@ where
|
||||
input = s.getAnInput() and
|
||||
store = s.getAStore() and
|
||||
data.flowsTo(input)
|
||||
select store, "Cookie $@ containing $@ is stored here. Data was added $@.", s, s.toString(), data,
|
||||
"sensitive data", input, "here"
|
||||
select store, "This stores cookie $@ containing $@ which was $@.", s, s.toString(), data,
|
||||
"sensitive data", input, "added to the cookie"
|
||||
|
||||
@@ -18,5 +18,5 @@ where
|
||||
input = s.getAnInput() and
|
||||
store = s.getAStore() and
|
||||
data.flowsTo(input)
|
||||
select store, "'Properties' class $@ containing $@ is stored here. Data was added $@.", s,
|
||||
s.toString(), data, "sensitive data", input, "here"
|
||||
select store, "This stores 'Properties' class $@ containing $@ which was $@.", s, s.toString(),
|
||||
data, "sensitive data", input, "previously added"
|
||||
|
||||
@@ -20,5 +20,5 @@ where
|
||||
input = s.getAnInput() and
|
||||
store = s.getAStore() and
|
||||
data.flowsTo(input)
|
||||
select store, "'SharedPreferences' class $@ containing $@ is stored $@. Data was added $@.", s,
|
||||
s.toString(), data, "sensitive data", store, "here", input, "here"
|
||||
select store, "This stores the 'SharedPreferences' class $@ containing $@ which $@.", s,
|
||||
s.toString(), data, "sensitive data", input, "was set as a shared preference"
|
||||
|
||||
@@ -17,4 +17,4 @@ import DataFlow::PathGraph
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "URL may have been constructed with HTTP protocol, using $@.",
|
||||
source.getNode(), "this source"
|
||||
source.getNode(), "this HTTP URL"
|
||||
|
||||
@@ -16,5 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, MissingJwtSignatureCheckConf conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "A signing key is set $@, but the signature is not verified.",
|
||||
source.getNode(), "here"
|
||||
select sink.getNode(), source, sink, "This parses a $@, but the signature is not verified.",
|
||||
source.getNode(), "JWT signing key"
|
||||
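Review bot: With the link text substituted, the new message reads "This parses a JWT signing key, but the signature is not verified", which says the key itself is being parsed. Going by the removed wording ("A signing key is set $@"), the source node is where the key is configured, not the input to the parse. A phrasing that keeps the link on the key without that implication would be `"This parses a token using a $@, but the signature is not verified."`. An alert that misdescribes what is parsed makes a missing signature check harder to triage.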
|
||||
@@ -121,5 +121,5 @@ where
|
||||
// The synchronized methods on `Throwable` are not interesting.
|
||||
not call1.getCallee().getDeclaringType() instanceof TypeThrowable
|
||||
select call2,
|
||||
"The state of $@ is checked $@, and then it is used here. But these are not jointly synchronized.",
|
||||
r, r.getName(), call1, "here"
|
||||
"This uses the state of $@ which is checked $@. But these are not jointly synchronized.", r,
|
||||
r.getName(), call1, "here"
|
||||
|
||||
@@ -17,5 +17,6 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where any(FragmentInjectionTaintConf conf).hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Fragment injection from $@.", source.getNode(),
|
||||
"this user input"
|
||||
select sink.getNode(), source, sink,
|
||||
"Fragment depends on a $@, which may allow a malicious application to bypass access controls.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -18,4 +18,4 @@ import DataFlow::PathGraph
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode().(UnsafeDeserializationSink).getMethodAccess(), source, sink,
|
||||
"Unsafe deserialization of $@.", source.getNode(), "user input"
|
||||
"Unsafe deserialization depends on a $@.", source.getNode(), "user-provided value"
|
||||
|
||||
@@ -20,5 +20,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, BasicAuthFlowConfig config
|
||||
where config.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Insecure basic authentication from $@.", source.getNode(),
|
||||
select sink.getNode(), source, sink, "Insecure basic authentication from a $@.", source.getNode(),
|
||||
"HTTP URL"
|
||||
|
||||
@@ -26,5 +26,5 @@ class UrlRedirectConfig extends TaintTracking::Configuration {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -26,5 +26,5 @@ class UrlRedirectLocalConfig extends TaintTracking::Configuration {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectLocalConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -52,5 +52,5 @@ class XxeConfig extends TaintTracking::Configuration {
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(),
|
||||
"user-provided value"
|
||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -27,5 +27,5 @@ class XPathInjectionConfiguration extends TaintTracking::Configuration {
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c
|
||||
where c.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
|
||||
source.getNode(), "User-provided value"
|
||||
select sink.getNode(), source, sink, "XPath expression depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -44,5 +44,5 @@ where
|
||||
sink.getNode().asExpr() = exp.getExpr() and
|
||||
conf.hasFlowPath(source, sink)
|
||||
select exp, source, sink,
|
||||
"$@ flows to here and is cast to a narrower type, potentially causing truncation.",
|
||||
source.getNode(), "User-provided value"
|
||||
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -46,5 +46,5 @@ where
|
||||
conf.hasFlowPath(source, sink) and
|
||||
not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
|
||||
select exp, source, sink,
|
||||
"$@ flows to here and is cast to a narrower type, potentially causing truncation.",
|
||||
source.getNode(), "User-provided value"
|
||||
"This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -20,6 +20,6 @@ import DataFlow::PathGraph
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, PolynomialBackTrackingTerm regexp
|
||||
where hasPolynomialReDoSResult(source, sink, regexp)
|
||||
select sink, source, sink,
|
||||
"This $@ that depends on $@ may run slow on strings " + regexp.getPrefixMessage() +
|
||||
"This $@ that depends on a $@ may run slow on strings " + regexp.getPrefixMessage() +
|
||||
"with many repetitions of '" + regexp.getPumpString() + "'.", regexp, "regular expression",
|
||||
source.getNode(), "a user-provided value"
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -22,5 +22,5 @@ where
|
||||
fileVariable.getAnAccess() = setWorldWritable.getFileVarAccess() and
|
||||
// If the file variable is a parameter, the result should be reported in the caller.
|
||||
not fileVariable instanceof Parameter
|
||||
select setWorldWritable, "A file is set to be world writable here, but is read from $@.", readFrom,
|
||||
select setWorldWritable, "This sets a file is as world writable, but is read from $@.", readFrom,
|
||||
"statement"
|
||||
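Review bot: The new message has a stray word: `"This sets a file is as world writable, but is read from $@."`. Something like `"This sets a file as world writable, but the file is read from $@."` fixes the grammar and makes the subject of the second clause explicit. The link text `"statement"` then renders as "read from statement"; `"this statement"` would read better. The `where` clause starts outside the hunk.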
|
||||
@@ -16,5 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from RsaWithoutOaepConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select source, source, sink,
|
||||
"This specification is used to initialize an RSA cipher without OAEP padding $@.", sink, "here"
|
||||
select source, source, sink, "This specification is used to $@ without OAEP padding.", sink,
|
||||
"initialize an RSA cipher"
|
||||
|
||||
@@ -25,5 +25,5 @@ where
|
||||
sink.getNode().asExpr() = e and
|
||||
conf.hasFlowPath(source, sink)
|
||||
select m, source, sink,
|
||||
"Sensitive method may not be executed depending on $@, which flows from $@.", e, "this condition",
|
||||
source.getNode(), "user input"
|
||||
"Sensitive method may not be executed depending on a $@, which flows from $@.", e,
|
||||
"this condition", source.getNode(), "user-controlled value"
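Review bot: The new format string adds an article before the first placeholder, but that placeholder's link text is still `"this condition"`, so the alert renders as "depending on a this condition, which flows from user-controlled value". The article belongs on the second placeholder instead: `"Sensitive method may not be executed depending on $@, which flows from a $@.", e,`, with the link texts left as `"this condition"` and `"user-controlled value"`. The `where` clause begins outside this hunk, so nothing is said here about the condition itself.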
|
||||
|
||||
@@ -66,4 +66,5 @@ from
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink, PermissionsConstruction p,
|
||||
TaintedPermissionsCheckFlowConfig conf
|
||||
where sink.getNode().asExpr() = p.getInput() and conf.hasFlowPath(source, sink)
|
||||
select p, source, sink, "Permissions check uses user-controlled $@.", source.getNode(), "data"
|
||||
select p, source, sink, "Permissions check depends on a $@.", source.getNode(),
|
||||
"user-controlled value"
|
||||
|
||||
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, OgnlInjectionFlowConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "OGNL expression might include data from $@.",
|
||||
source.getNode(), "this user input"
|
||||
select sink.getNode(), source, sink, "OGNL Expression Language statement depends on a $@.",
|
||||
source.getNode(), "user-provided value"
|
||||
|
||||
@@ -15,5 +15,5 @@ import semmle.code.java.security.ImproperIntentVerificationQuery
|
||||
|
||||
from AndroidReceiverXmlElement reg, Method orm, SystemActionName sa
|
||||
where unverifiedSystemReceiver(reg, orm, sa)
|
||||
select orm, "This reciever doesn't verify intents it receives, and is registered $@ to receive $@.",
|
||||
reg, "here", sa, "the system action " + sa.getName()
|
||||
select orm, "This reciever doesn't verify intents it receives, and $@ to receive $@.", reg,
|
||||
"it is registered", sa, "the system action " + sa.getName()
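Review bot: The alert text is rewritten here but still carries the misspelling "reciever", which ends up in every result users see for this query. Since the line is already being touched, fix it in the same change: `select orm, "This receiver doesn't verify intents it receives, and $@ to receive $@.", reg,`. The expected-output file for this query is not visible in this part of the page and would presumably need the same correction.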
|
||||
|
||||
@@ -20,5 +20,5 @@ import DataFlow::PathGraph
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where any(ImplicitPendingIntentStartConf conf).hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"An implicit Intent is created $@ and sent to an unspecified third party through a PendingIntent.",
|
||||
source.getNode(), "here"
|
||||
"$@ and sent to an unspecified third party through a PendingIntent.", source.getNode(),
|
||||
"An implicit Intent is created"
|
||||
|
||||
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from SensitiveCommunicationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This call may leak sensitive information from $@.",
|
||||
source.getNode(), "here"
|
||||
select sink.getNode(), source, sink, "This call may leak $@.", source.getNode(),
|
||||
"sensitive information"
|
||||
|
||||
@@ -20,5 +20,5 @@ import DataFlow::PathGraph
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, IntentRedirectionConfiguration conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"Arbitrary Android activities or services can be started from $@.", source.getNode(),
|
||||
"this user input"
|
||||
"Arbitrary Android activities or services can be started from a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -86,6 +86,5 @@ where
|
||||
) and
|
||||
// Exclude special VM classes.
|
||||
not isVMObserver(f.getDeclaringType())
|
||||
select f,
|
||||
"The field '" + f.getName() + "' is never explicitly assigned a value, yet it is read $@.", fr,
|
||||
"here"
|
||||
select f, "The field '" + f.getName() + "' is never explicitly assigned a value, yet $@.", fr,
|
||||
"the field is read"
|
||||
|
||||
@@ -29,6 +29,4 @@ where
|
||||
// Rules about catch clauses belong in an exception handling query
|
||||
not exceptionVariable(ve) and
|
||||
not enhancedForVariable(ve)
|
||||
select v,
|
||||
"Unused local variable " + v.getName() +
|
||||
". The variable is never read or written to and should be removed."
|
||||
select v, "Variable " + v.getName() + " is not used."
|
||||
|
||||
@@ -23,4 +23,4 @@ where
|
||||
hasNext.getDeclaringType().getSourceDeclaration().getAnAncestor() = i and
|
||||
hasNext.hasName("hasNext")
|
||||
)
|
||||
select m, "next() called from within an Iterator method."
|
||||
select m, "This calls 'next()' from within an Iterator method."
|
||||
|
||||
4
java/ql/src/change-notes/2022-09-23-alert-messages.md
Normal file
4
java/ql/src/change-notes/2022-09-23-alert-messages.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
|
||||
@@ -203,5 +203,5 @@ class Log4jInjectionConfiguration extends TaintTracking::Configuration {
|
||||
|
||||
from Log4jInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This $@ flows to a Log4j log entry.", source.getNode(),
|
||||
select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -53,4 +53,4 @@ where
|
||||
sink.getNode().asExpr() = call.getQualifier() and
|
||||
any(RemoteUrlToOpenStreamFlowConfig c).hasFlowPath(source, sink)
|
||||
select call, source, sink,
|
||||
"URL on which openStream is called may have been constructed from remote source"
|
||||
"URL on which openStream is called may have been constructed from remote source."
|
||||
|
||||
@@ -21,5 +21,5 @@ import DataFlow::PathGraph
|
||||
// This is a clone of query `java/command-line-injection` that also includes experimental sinks.
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg
|
||||
where execTainted(source, sink, execArg)
|
||||
select execArg, source, sink, "$@ flows to here and is used in a command.", source.getNode(),
|
||||
"User-provided value"
|
||||
select execArg, source, sink, "Command line depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -61,4 +61,4 @@ where
|
||||
not m.getAnAnnotation().getType() instanceof SpringResponseBodyAnnotationType and
|
||||
// `@RestController` inherits `@ResponseBody` internally so it should be ignored.
|
||||
not m.getDeclaringType() instanceof SpringRestController
|
||||
select m, "This method may be vulnerable to spring view manipulation vulnerabilities"
|
||||
select m, "This method may be vulnerable to spring view manipulation vulnerabilities."
|
||||
|
||||
@@ -23,4 +23,4 @@ private class HttpOnlyConfig extends WebContextParameter {
|
||||
from HttpOnlyConfig config
|
||||
where config.isHttpOnlySet()
|
||||
select config,
|
||||
"httpOnly should be enabled in tomcat config file to help mitigate cross-site scripting (XSS) attacks"
|
||||
"'httpOnly' should be enabled in tomcat config file to help mitigate cross-site scripting (XSS) attacks."
|
||||
|
||||
@@ -107,4 +107,4 @@ from MethodAccess ma
|
||||
where
|
||||
isInsecureSslEndpoint(ma) and
|
||||
not isTestMethod(ma)
|
||||
select ma, "LDAPS configuration allows insecure endpoint identification"
|
||||
select ma, "LDAPS configuration allows insecure endpoint identification."
|
||||
|
||||
@@ -16,5 +16,4 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, DisabledRevocationCheckingConfig config
|
||||
where config.hasFlowPath(source, sink)
|
||||
select source.getNode(), source, sink, "Revocation checking is disabled $@.", source.getNode(),
|
||||
"here"
|
||||
select source.getNode(), source, sink, "This disables revocation checking."
|
||||
|
||||
@@ -16,5 +16,5 @@ import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeTlsVersionConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "$@ is unsafe", source.getNode(),
|
||||
select sink.getNode(), source, sink, "$@ is unsafe.", source.getNode(),
|
||||
source.getNode().asExpr().(StringLiteral).getValue()
|
||||
|
||||
@@ -21,4 +21,4 @@ where
|
||||
c.getNameValue() = "struts.devMode" and
|
||||
c.getValueValue() = "true" and
|
||||
not isLikelyDemoProject(c.getFile().getRelativePath())
|
||||
select c, "Enabling development mode in production environments is dangerous"
|
||||
select c, "Enabling development mode in production environments is dangerous."
|
||||
|
||||
@@ -55,4 +55,4 @@ private class UnsafeBeanInitMethod extends Method {
|
||||
|
||||
from UnsafeBeanInitMethod method
|
||||
select method,
|
||||
"Unsafe deserialization in a Spring exporter bean '" + method.getBeanIdentifier() + "'"
|
||||
"Unsafe deserialization in a Spring exporter bean '" + method.getBeanIdentifier() + "'."
|
||||
|
||||
@@ -17,4 +17,4 @@ import UnsafeSpringExporterLib
|
||||
|
||||
from SpringBean bean
|
||||
where isRemoteInvocationSerializingExporter(bean.getClass())
|
||||
select bean, "Unsafe deserialization in a Spring exporter bean '" + bean.getBeanIdentifier() + "'"
|
||||
select bean, "Unsafe deserialization in a Spring exporter bean '" + bean.getBeanIdentifier() + "'."
|
||||
|
||||
@@ -47,4 +47,4 @@ class DirectoryListingInitParam extends WebXmlElement {
|
||||
|
||||
from DirectoryListingInitParam initp
|
||||
where initp.isListingEnabled()
|
||||
select initp, "Directory listing should be disabled to mitigate filename and path disclosure"
|
||||
select initp, "Directory listing should be disabled to mitigate filename and path disclosure."
|
||||
|
||||
@@ -75,5 +75,5 @@ class UncaughtServletExceptionConfiguration extends TaintTracking::Configuration
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, UncaughtServletExceptionConfiguration c
|
||||
where c.hasFlowPath(source, sink) and not hasErrorPage()
|
||||
select sink.getNode(), source, sink, "$@ flows to here and can throw uncaught exception.",
|
||||
source.getNode(), "User-provided value"
|
||||
select sink.getNode(), source, sink, "This value depends on a $@ and can throw uncaught exception.",
|
||||
source.getNode(), "user-provided value"
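Review bot: The new message "This value depends on a $@ and can throw uncaught exception." is missing an article before "uncaught exception", carried over from the old wording. As the string is being rewritten for style anyway, `"This value depends on a $@ and can throw an uncaught exception.",` reads correctly. The matching `.expected` rows are not visible on this part of the page.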
|
||||
|
||||
@@ -90,4 +90,4 @@ class HostVerificationMethodAccess extends MethodAccess {
|
||||
|
||||
from UriGetHostMethod um, MethodAccess uma, HostVerificationMethodAccess hma
|
||||
where hma.getQualifier() = uma and uma.getMethod() = um
|
||||
select hma, "Method has potentially $@ ", hma.getArgument(0), "improper URL verification"
|
||||
select hma, "Method has potentially $@.", hma.getArgument(0), "improper URL verification"
|
||||
|
||||
File diff suppressed because it is too large
@@ -8,5 +8,5 @@ nodes
|
||||
| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | semmle.label | ... + ... |
|
||||
subpaths
|
||||
#select
|
||||
| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | User-provided value |
|
||||
| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | $@ flows to here and is used in a command. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | User-provided value |
|
||||
| JSchOSInjectionTest.java:27:52:27:68 | ... + ... | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) : String | JSchOSInjectionTest.java:27:52:27:68 | ... + ... | Command line depends on a $@. | JSchOSInjectionTest.java:14:30:14:60 | getParameter(...) | user-provided value |
|
||||
| JSchOSInjectionTest.java:53:36:53:52 | ... + ... | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) : String | JSchOSInjectionTest.java:53:36:53:52 | ... + ... | Command line depends on a $@. | JSchOSInjectionTest.java:40:30:40:60 | getParameter(...) | user-provided value |
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
| InsecureLdapEndpoint.java:19:9:19:92 | setProperty(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:50:9:50:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:68:9:68:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:84:9:84:94 | setProperty(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:102:9:102:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification |
|
||||
| InsecureLdapEndpoint.java:19:9:19:92 | setProperty(...) | LDAPS configuration allows insecure endpoint identification. |
|
||||
| InsecureLdapEndpoint.java:50:9:50:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification. |
|
||||
| InsecureLdapEndpoint.java:68:9:68:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification. |
|
||||
| InsecureLdapEndpoint.java:84:9:84:94 | setProperty(...) | LDAPS configuration allows insecure endpoint identification. |
|
||||
| InsecureLdapEndpoint.java:102:9:102:40 | setProperties(...) | LDAPS configuration allows insecure endpoint identification. |
|
||||
|
||||
@@ -15,4 +15,4 @@ nodes
|
||||
| DisabledRevocationChecking.java:28:33:28:36 | this <.field> [flag] : Boolean | semmle.label | this <.field> [flag] : Boolean |
|
||||
subpaths
|
||||
#select
|
||||
| DisabledRevocationChecking.java:17:12:17:16 | false | DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | DisabledRevocationChecking.java:28:33:28:36 | flag | Revocation checking is disabled $@. | DisabledRevocationChecking.java:17:12:17:16 | false | here |
|
||||
| DisabledRevocationChecking.java:17:12:17:16 | false | DisabledRevocationChecking.java:17:12:17:16 | false : Boolean | DisabledRevocationChecking.java:28:33:28:36 | flag | This disables revocation checking. |
|
||||
|
||||
@@ -127,35 +127,35 @@ nodes
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | semmle.label | protocols |
|
||||
subpaths
|
||||
#select
|
||||
| UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | $@ is unsafe | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | SSL |
|
||||
| UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | $@ is unsafe | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | SSLv2 |
|
||||
| UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | $@ is unsafe | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:19:28:19:32 | "TLS" | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | $@ is unsafe | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | $@ is unsafe | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | $@ is unsafe | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:32:39:32:43 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe | UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:50:38:50:61 | new String[] | UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:51:38:51:59 | new String[] | UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:51:53:51:57 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:52:38:52:61 | new String[] | UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:53:38:53:63 | new String[] | UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:56:29:56:65 | new String[] | UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] | $@ is unsafe | UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:69:21:69:25 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:89:27:89:31 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:109:21:109:25 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | $@ is unsafe. | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | SSL |
|
||||
| UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | $@ is unsafe. | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | SSLv2 |
|
||||
| UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | $@ is unsafe. | UnsafeTlsVersion.java:18:28:18:34 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:19:28:19:32 | "TLS" | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | $@ is unsafe. | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | $@ is unsafe. | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | $@ is unsafe. | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:32:39:32:43 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:44:44:44:52 | protocols | UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:44:44:44:52 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:50:38:50:61 | new String[] | UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] | $@ is unsafe. | UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:51:38:51:59 | new String[] | UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] | $@ is unsafe. | UnsafeTlsVersion.java:51:53:51:57 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:52:38:52:61 | new String[] | UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] | $@ is unsafe. | UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:53:38:53:63 | new String[] | UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] | $@ is unsafe. | UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:56:29:56:65 | new String[] | UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] | $@ is unsafe. | UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:69:21:69:25 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:81:32:81:40 | protocols | UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:81:32:81:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:89:27:89:31 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:101:32:101:40 | protocols | UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:101:32:101:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" | SSLv3 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:109:21:109:25 | "TLS" | TLS |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" | TLSv1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" | TLSv1.1 |
|
||||
| UnsafeTlsVersion.java:121:32:121:40 | protocols | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:121:32:121:40 | protocols | $@ is unsafe. | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" | TLSv1.1 |
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
| SpringExporterUnsafeDeserialization.java:14:24:14:47 | unsafeRmiServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeRmiServiceExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:24:28:24:55 | unsafeHessianServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHessianServiceExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:32:32:32:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:40:41:40:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:56:32:56:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:68:32:68:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
|
||||
| SpringExporterUnsafeDeserialization.java:14:24:14:47 | unsafeRmiServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeRmiServiceExporter'. |
|
||||
| SpringExporterUnsafeDeserialization.java:24:28:24:55 | unsafeHessianServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHessianServiceExporter'. |
|
||||
| SpringExporterUnsafeDeserialization.java:32:32:32:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter'. |
|
||||
| SpringExporterUnsafeDeserialization.java:40:41:40:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter'. |
|
||||
| SpringExporterUnsafeDeserialization.java:56:32:56:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter'. |
|
||||
| SpringExporterUnsafeDeserialization.java:68:32:68:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter'. |
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
| beans.xml:10:5:13:12 | /unsafeBooking | Unsafe deserialization in a Spring exporter bean '/unsafeBooking' |
|
||||
| beans.xml:15:5:18:12 | org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter' |
|
||||
| beans.xml:20:5:24:12 | org.springframework.remoting.rmi.RmiServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.rmi.RmiServiceExporter' |
|
||||
| beans.xml:26:5:29:12 | org.springframework.remoting.caucho.HessianServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.caucho.HessianServiceExporter' |
|
||||
| beans.xml:10:5:13:12 | /unsafeBooking | Unsafe deserialization in a Spring exporter bean '/unsafeBooking'. |
|
||||
| beans.xml:15:5:18:12 | org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter'. |
|
||||
| beans.xml:20:5:24:12 | org.springframework.remoting.rmi.RmiServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.rmi.RmiServiceExporter'. |
|
||||
| beans.xml:26:5:29:12 | org.springframework.remoting.caucho.HessianServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.caucho.HessianServiceExporter'. |
|
||||
|
||||