Java: Deprecate the content of SqlTaintedLocalQuery and remove the local query variant.

2026-03-01 21:34:50 +01:00 · 2024-05-01 10:33:46 +02:00
parent b68abab12a
commit 5b89bd23c7
7 changed files with 11 additions and 32 deletions
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="SqlTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -1,24 +0,0 @@
-/**
- * @name Query built from local-user-controlled sources
- * @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of
- *              malicious code by the user.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 8.8
- * @precision medium
- * @id java/sql-injection-local
- * @tags security
- *       external/cwe/cwe-089
- *       external/cwe/cwe-564
- */
-
-import java
-import semmle.code.java.security.SqlTaintedLocalQuery
-import LocalUserInputToQueryInjectionFlow::PathGraph
-
-from
-  LocalUserInputToQueryInjectionFlow::PathNode source,
-  LocalUserInputToQueryInjectionFlow::PathNode sink
-where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
-  "user-provided value"