Merge branch 'github:main' into amammad-python-WebAppsConstatntSecretKeys

java/ql/consistency-queries/qlpack.yml

@@ -2,3 +2,4 @@ name: codeql-java-consistency-queries
 version: 0.0.0
 dependencies:
   codeql/java-all: '*'
+warnOnImplicitThis: true

java/ql/examples/qlpack.yml

@@ -4,3 +4,4 @@ groups:
   - examples
 dependencies:
   codeql/java-all: ${workspace}
+warnOnImplicitThis: true

java/ql/integration-tests/all-platforms/java/android-sample-old-style-kotlin-build-script-no-wrapper/project/build.gradle.kts

@@ -54,6 +54,9 @@ android {
         versionName = "1.0"
     }
 
+    lintOptions {
+        disable("Instantiatable")
+    }
 }
 
 androidComponents {

java/ql/integration-tests/all-platforms/java/android-sample-old-style-kotlin-build-script-no-wrapper/test.expected

@@ -13,6 +13,7 @@ xmlFiles
 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml |
+| project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml:0:0:0:0 | project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml |
 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml |
 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml |
 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml |

java/ql/integration-tests/all-platforms/java/android-sample-old-style-kotlin-build-script/project/build.gradle.kts

@@ -54,6 +54,9 @@ android {
         versionName = "1.0"
     }
 
+    lintOptions {
+        disable("Instantiatable")
+    }
 }
 
 androidComponents {

java/ql/integration-tests/all-platforms/java/android-sample-old-style-kotlin-build-script/test.expected

@@ -13,6 +13,7 @@ xmlFiles
 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml |
+| project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml:0:0:0:0 | project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml |
 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml |
 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml |
 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml |

java/ql/integration-tests/all-platforms/java/android-sample-old-style-no-wrapper/project/build.gradle

@@ -55,4 +55,8 @@ android {
     }
 
     variantFilter { variant -> if (variant.buildType.name == "debug") { setIgnore(true) } }
+
+    lintOptions {
+        disable "Instantiatable"
+    }
 }

java/ql/integration-tests/all-platforms/java/android-sample-old-style-no-wrapper/test.expected

@@ -13,6 +13,7 @@ xmlFiles
 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml |
+| project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml:0:0:0:0 | project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml |
 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml |
 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml |
 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml |

java/ql/integration-tests/all-platforms/java/android-sample-old-style/project/build.gradle

@@ -55,4 +55,8 @@ android {
     }
 
     variantFilter { variant -> if (variant.buildType.name == "debug") { setIgnore(true) } }
+
+    lintOptions {
+        disable "Instantiatable"
+    }
 }

java/ql/integration-tests/all-platforms/java/android-sample-old-style/test.expected

@@ -13,6 +13,7 @@ xmlFiles
 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseJniLibFolders/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseResources/merger.xml |
 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml:0:0:0:0 | project/build/intermediates/incremental/mergeReleaseShaders/merger.xml |
+| project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml:0:0:0:0 | project/build/intermediates/lint_vital_partial_results/release/out/lint-issues-release.xml |
 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifest/release/AndroidManifest.xml |
 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/merged_manifests/release/AndroidManifest.xml |
 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml:0:0:0:0 | project/build/intermediates/packaged_manifests/release/AndroidManifest.xml |

java/ql/integration-tests/all-platforms/java/qlpack.yml

@@ -2,3 +2,4 @@ dependencies:
   codeql/java-all: '*'
   codeql/java-tests: '*'
   codeql/java-queries: '*'
+warnOnImplicitThis: true

java/ql/integration-tests/all-platforms/kotlin/annotation-id-consistency/qlpack.yml

@@ -5,3 +5,4 @@ dependencies:
   codeql/java-queries: '*'
 dataExtensions:
   ext/*.model.yml
+warnOnImplicitThis: true

java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/qlpack.yml

@@ -5,3 +5,4 @@ dependencies:
   codeql/java-queries: '*'
 dataExtensions:
   ext/*.model.yml
+warnOnImplicitThis: true

java/ql/integration-tests/all-platforms/kotlin/gradle_kotlinx_serialization/qlpack.yml

@@ -3,3 +3,4 @@ dependencies:
   codeql/java-all: '*'
   codeql/java-tests: '*'
   codeql/java-queries: '*'
+warnOnImplicitThis: true

java/ql/integration-tests/all-platforms/kotlin/kotlin-interface-inherited-default/qlpack.yml

@@ -3,3 +3,4 @@ dependencies:
   codeql/java-all: '*'
   codeql/java-tests: '*'
   codeql/java-queries: '*'
+warnOnImplicitThis: true

java/ql/integration-tests/all-platforms/kotlin/kotlin_java_static_fields/qlpack.yml

@@ -3,3 +3,4 @@ dependencies:
   codeql/java-all: '*'
   codeql/java-tests: '*'
   codeql/java-queries: '*'
+warnOnImplicitThis: true

java/ql/integration-tests/all-platforms/kotlin/qlpack.yml

@@ -2,3 +2,4 @@ dependencies:
   codeql/java-all: '*'
   codeql/java-tests: '*'
   codeql/java-queries: '*'
+warnOnImplicitThis: true

java/ql/integration-tests/linux-only/kotlin/custom_plugin/qlpack.yml

@@ -1,3 +1,4 @@
 name: integrationtest-custom-plugin
 dependencies:
   codeql/java-all: '*'
+warnOnImplicitThis: true

java/ql/integration-tests/linux-only/kotlin/qlpack.yml

@@ -1,2 +1,3 @@
 dependencies:
   codeql/java-all: '*'
+warnOnImplicitThis: true

java/ql/integration-tests/posix-only/kotlin/qlpack.yml

@@ -2,4 +2,4 @@ dependencies:
   codeql/java-all: '*'
   codeql/java-tests: '*'
   codeql/java-queries: '*'
-
+warnOnImplicitThis: true

java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The `ExecCallable` class in `ExternalProcess.qll` has been deprecated.

java/ql/lib/change-notes/2023-06-22-url-tostring-model.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a missing summary model for the method `java.net.URL.toString`.

java/ql/lib/change-notes/2023-06-28-javax-portlet-autogenerated-models.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added automatically-generated dataflow models for `javax.portlet`.

java/ql/lib/ext/experimental/com.jcraft.jsch.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: experimentalSinkModel
+    data: 
+      - ["com.jcraft.jsch", "ChannelExec", True, "setCommand", "", "", "Argument[0]", "command-injection", "manual", "jsch-os-injection"]

java/ql/lib/ext/generated/javax.portlet.model.yml

@@ -0,0 +1,190 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Definitions of models for the Java Portlet framework.
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["javax.portlet.filter", "ActionRequestWrapper", true, "ActionRequestWrapper", "(ActionRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ActionRequestWrapper", true, "setRequest", "(ActionRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ActionResponseWrapper", true, "ActionResponseWrapper", "(ActionResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ActionResponseWrapper", true, "setResponse", "(ActionResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventRequestWrapper", true, "EventRequestWrapper", "(EventRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventRequestWrapper", true, "setRequest", "(EventRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventResponseWrapper", true, "EventResponseWrapper", "(EventResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "EventResponseWrapper", true, "setResponse", "(EventResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletRequestWrapper", true, "PortletRequestWrapper", "(PortletRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletRequestWrapper", true, "getRequest", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletRequestWrapper", true, "setRequest", "(PortletRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletResponseWrapper", true, "PortletResponseWrapper", "(PortletResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletResponseWrapper", true, "getResponse", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet.filter", "PortletResponseWrapper", true, "setResponse", "(PortletResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderRequestWrapper", true, "RenderRequestWrapper", "(RenderRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderRequestWrapper", true, "setRequest", "(RenderRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderResponseWrapper", true, "RenderResponseWrapper", "(RenderResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "RenderResponseWrapper", true, "setResponse", "(RenderResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceRequestWrapper", true, "ResourceRequestWrapper", "(ResourceRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceRequestWrapper", true, "setRequest", "(ResourceRequest)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceResponseWrapper", true, "ResourceResponseWrapper", "(ResourceResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet.filter", "ResourceResponseWrapper", true, "setResponse", "(ResourceResponse)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "GenericPortlet", true, "getPortletConfig", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "Portlet", true, "init", "(PortletConfig)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletException", true, "PortletException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletException", true, "PortletException", "(String,Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletException", true, "PortletException", "(String,Throwable)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletMode", true, "PortletMode", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletMode", true, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,PortletMode)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,PortletMode)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,Throwable,PortletMode)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,Throwable,PortletMode)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(String,Throwable,PortletMode)", "", "Argument[2]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "PortletModeException", "(Throwable,PortletMode)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletModeException", true, "getMode", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", true, "PortletSecurityException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", true, "PortletSecurityException", "(String,Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", true, "PortletSecurityException", "(String,Throwable)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "PortletSessionUtil", true, "decodeAttributeName", "(String)", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", true, "ReadOnlyException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", true, "ReadOnlyException", "(String,Throwable)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", true, "ReadOnlyException", "(String,Throwable)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "UnavailableException", true, "UnavailableException", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "UnavailableException", true, "UnavailableException", "(String,int)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Collection)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Collection)", "", "Argument[1].Element", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Throwable,Collection)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Throwable,Collection)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(String,Throwable,Collection)", "", "Argument[2].Element", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "ValidatorException", "(Throwable,Collection)", "", "Argument[1].Element", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "ValidatorException", true, "getFailedKeys", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "WindowState", true, "WindowState", "(String)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowState", true, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,Throwable,WindowState)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,Throwable,WindowState)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,Throwable,WindowState)", "", "Argument[2]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,WindowState)", "", "Argument[0]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(String,WindowState)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "WindowStateException", "(Throwable,WindowState)", "", "Argument[1]", "Argument[this]", "taint", "df-generated"]
+      - ["javax.portlet", "WindowStateException", true, "getState", "()", "", "Argument[this]", "ReturnValue", "taint", "df-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["javax.portlet", "ActionResponse", "sendRedirect", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ActionResponse", "sendRedirect", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getCharacterEncoding", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getContentLength", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getContentType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getMethod", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getPortletInputStream", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "getReader", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ClientDataRequest", "setCharacterEncoding", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "EventPortlet", "processEvent", "(EventRequest,EventResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "EventRequest", "getEvent", "()", "summary", "df-generated"]
+      - ["javax.portlet", "EventRequest", "getMethod", "()", "summary", "df-generated"]
+      - ["javax.portlet", "EventResponse", "setRenderParameters", "(EventRequest)", "summary", "df-generated"]
+      - ["javax.portlet", "GenericPortlet", "init", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "createActionURL", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "createRenderURL", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "createResourceURL", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "flushBuffer", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getBufferSize", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getCacheControl", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getCharacterEncoding", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getContentType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getLocale", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getPortletOutputStream", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "getWriter", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "isCommitted", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "reset", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "resetBuffer", "()", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "setBufferSize", "(int)", "summary", "df-generated"]
+      - ["javax.portlet", "MimeResponse", "setContentType", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "Portlet", "destroy", "()", "summary", "df-generated"]
+      - ["javax.portlet", "Portlet", "processAction", "(ActionRequest,ActionResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "Portlet", "render", "(RenderRequest,RenderResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getContainerRuntimeOptions", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getDefaultNamespace", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getInitParameter", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getInitParameterNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPortletContext", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPortletName", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getProcessingEventQNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPublicRenderParameterNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getPublishingEventQNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getResourceBundle", "(Locale)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletConfig", "getSupportedLocales", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletException", "PortletException", "(Throwable)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest$P3PUserInfos", "toString", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getAttribute", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getAttributeNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getAuthType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getContextPath", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getCookies", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getLocale", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getLocales", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameter", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameterNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getParameterValues", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortalContext", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortletMode", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortletSession", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPortletSession", "(boolean)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPreferences", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPrivateParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getProperties", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getProperty", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPropertyNames", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getPublicParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getRemoteUser", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getRequestedSessionId", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getResponseContentType", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getResponseContentTypes", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getScheme", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getServerName", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getServerPort", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getUserPrincipal", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getWindowID", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "getWindowState", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isPortletModeAllowed", "(PortletMode)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isRequestedSessionIdValid", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isSecure", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isUserInRole", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "isWindowStateAllowed", "(WindowState)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "removeAttribute", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletRequest", "setAttribute", "(String,Object)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "addProperty", "(Cookie)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "addProperty", "(String,Element)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "addProperty", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "createElement", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "encodeURL", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "getNamespace", "()", "summary", "df-generated"]
+      - ["javax.portlet", "PortletResponse", "setProperty", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletSecurityException", "PortletSecurityException", "(Throwable)", "summary", "df-generated"]
+      - ["javax.portlet", "PortletSessionUtil", "decodeScope", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ReadOnlyException", "ReadOnlyException", "(Throwable)", "summary", "df-generated"]
+      - ["javax.portlet", "RenderRequest", "getETag", "()", "summary", "df-generated"]
+      - ["javax.portlet", "RenderResponse", "setNextPossiblePortletModes", "(Collection)", "summary", "df-generated"]
+      - ["javax.portlet", "RenderResponse", "setTitle", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getCacheability", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getETag", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getPrivateRenderParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceRequest", "getResourceID", "()", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceResponse", "setCharacterEncoding", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceResponse", "setContentLength", "(int)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceResponse", "setLocale", "(Locale)", "summary", "df-generated"]
+      - ["javax.portlet", "ResourceServingPortlet", "serveResource", "(ResourceRequest,ResourceResponse)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "getPortletMode", "()", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "getRenderParameterMap", "()", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "getWindowState", "()", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "removePublicRenderParameter", "(String)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setEvent", "(QName,Serializable)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setEvent", "(String,Serializable)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setPortletMode", "(PortletMode)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setRenderParameter", "(String,String)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setRenderParameter", "(String,String[])", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setRenderParameters", "(Map)", "summary", "df-generated"]
+      - ["javax.portlet", "StateAwareResponse", "setWindowState", "(WindowState)", "summary", "df-generated"]
+      - ["javax.portlet", "UnavailableException", "getUnavailableSeconds", "()", "summary", "df-generated"]
+      - ["javax.portlet", "UnavailableException", "isPermanent", "()", "summary", "df-generated"]

java/ql/lib/ext/java.lang.model.yml

@@ -8,30 +8,30 @@ extensions:
       - ["java.lang", "ClassLoader", True, "getSystemResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.lang", "ClassLoader", True, "getSystemResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.lang", "Module", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "command", "(List)", "", "Argument[0]", "command-injection", "manual"]
+      - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
+      - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
       # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
       # - ["java.lang", "Runtime", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
       # - ["java.lang", "Runtime", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # These are modeled in plain CodeQL. TODO: migrate them.
-      # - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
-      # - ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "String", False, "matches", "(String)", "", "Argument[0]", "regex-use[f-1]", "manual"]
       - ["java.lang", "String", False, "replaceAll", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "replaceFirst", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "split", "(String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "split", "(String,int)", "", "Argument[0]", "regex-use[-1]", "manual"]
-      # These are modeled in plain CodeQL. TODO: migrate them.
-      # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library.
-      # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library.
+      # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
+      # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
+      # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,Object)", "", "Argument[1]", "log-injection", "manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Object[])", "", "Argument[2..3]", "log-injection", "manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Throwable)", "", "Argument[2]", "log-injection", "manual"]

java/ql/lib/ext/java.net.model.yml

@@ -45,7 +45,8 @@ extensions:
       - ["java.net", "URI", False, "toURL", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.net", "URL", False, "URL", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
-      - ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[1]", "Argument[this]", "taint", "ai-manual"] # @atorralba: review for consistency
+      - ["java.net", "URL", False, "URL", "(URL,String)", "", "Argument[1]", "Argument[this]", "taint", "ai-manual"]
       - ["java.net", "URL", False, "toExternalForm", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.net", "URL", False, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.net", "URL", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.net", "URLDecoder", False, "decode", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/org.apache.commons.exec.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.commons.exec", "CommandLine", True, "parse", "(String)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "parse", "(String,Map)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String,boolean)", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String[])", "", "Argument[0]", "command-injection", "manual"]
+      - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String[],boolean)", "", "Argument[0]", "command-injection", "manual"]

java/ql/lib/semmle/code/java/JDK.qll

@@ -199,18 +199,18 @@ class TypeFile extends Class {
 
 // --- Standard methods ---
 /**
- * Any constructor of class `java.lang.ProcessBuilder`.
+ * DEPRECATED: Any constructor of class `java.lang.ProcessBuilder`.
  */
-class ProcessBuilderConstructor extends Constructor, ExecCallable {
+deprecated class ProcessBuilderConstructor extends Constructor, ExecCallable {
   ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder }
 
   override int getAnExecutedArgument() { result = 0 }
 }
 
 /**
- * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
+ * DEPRECATED: Any of the methods named `command` on class `java.lang.ProcessBuilder`.
  */
-class MethodProcessBuilderCommand extends Method, ExecCallable {
+deprecated class MethodProcessBuilderCommand extends Method, ExecCallable {
   MethodProcessBuilderCommand() {
     this.hasName("command") and
     this.getDeclaringType() instanceof TypeProcessBuilder
@@ -220,9 +220,9 @@ class MethodProcessBuilderCommand extends Method, ExecCallable {
 }
 
 /**
- * Any method named `exec` on class `java.lang.Runtime`.
+ * DEPRECATED: Any method named `exec` on class `java.lang.Runtime`.
  */
-class MethodRuntimeExec extends Method, ExecCallable {
+deprecated class MethodRuntimeExec extends Method, ExecCallable {
   MethodRuntimeExec() {
     this.hasName("exec") and
     this.getDeclaringType() instanceof TypeRuntime

java/ql/lib/semmle/code/java/frameworks/apache/Exec.qll

@@ -1,29 +0,0 @@
-/** Definitions related to the Apache Commons Exec library. */
-
-import semmle.code.java.Type
-import semmle.code.java.security.ExternalProcess
-
-/** The class `org.apache.commons.exec.CommandLine`. */
-private class TypeCommandLine extends Class {
-  TypeCommandLine() { this.hasQualifiedName("org.apache.commons.exec", "CommandLine") }
-}
-
-/** The `parse()` method of the class `org.apache.commons.exec.CommandLine`. */
-private class MethodCommandLineParse extends Method, ExecCallable {
-  MethodCommandLineParse() {
-    this.getDeclaringType() instanceof TypeCommandLine and
-    this.hasName("parse")
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}
-
-/** The `addArguments()` method of the class `org.apache.commons.exec.CommandLine`. */
-private class MethodCommandLineAddArguments extends Method, ExecCallable {
-  MethodCommandLineAddArguments() {
-    this.getDeclaringType() instanceof TypeCommandLine and
-    this.hasName("addArguments")
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -10,8 +10,8 @@
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
-private import semmle.code.java.security.ExternalProcess
 private import semmle.code.java.security.CommandArguments
+private import semmle.code.java.security.ExternalProcess
 
 /** A sink for command injection vulnerabilities. */
 abstract class CommandInjectionSink extends DataFlow::Node { }
@@ -33,9 +33,7 @@ class CommandInjectionAdditionalTaintStep extends Unit {
 }
 
 private class DefaultCommandInjectionSink extends CommandInjectionSink {
-  DefaultCommandInjectionSink() {
-    this.asExpr() instanceof ArgumentToExec or sinkNode(this, "command-injection")
-  }
+  DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
 }
 
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
@@ -100,7 +98,7 @@ predicate execIsTainted(
   RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
 ) {
   RemoteUserInputToArgumentToExecFlow::flowPath(source, sink) and
-  sink.getNode().asExpr() = execArg
+  argumentToExec(execArg, sink.getNode())
 }
 
 /**
@@ -112,7 +110,7 @@ predicate execIsTainted(
  */
 deprecated predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, Expr execArg) {
   exists(RemoteUserInputToArgumentToExecFlowConfig conf |
-    conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg
+    conf.hasFlowPath(source, sink) and argumentToExec(execArg, sink.getNode())
   )
 }
 

java/ql/lib/semmle/code/java/security/ExternalProcess.qll

@@ -1,16 +1,13 @@
 /** Definitions related to external processes. */
 
 import semmle.code.java.Member
-
-private module Instances {
-  private import semmle.code.java.JDK
-  private import semmle.code.java.frameworks.apache.Exec
-}
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.security.CommandLineQuery
 
 /**
- * A callable that executes a command.
+ * DEPRECATED: A callable that executes a command.
  */
-abstract class ExecCallable extends Callable {
+abstract deprecated class ExecCallable extends Callable {
   /**
    * Gets the index of an argument that will be part of the command that is executed.
    */
@@ -23,13 +20,19 @@ abstract class ExecCallable extends Callable {
  * to be executed.
  */
 class ArgumentToExec extends Expr {
-  ArgumentToExec() {
-    exists(Call execCall, ExecCallable execCallable, int i |
-      execCall.getArgument(pragma[only_bind_into](i)) = this and
-      execCallable = execCall.getCallee() and
-      i = execCallable.getAnExecutedArgument()
-    )
-  }
+  ArgumentToExec() { argumentToExec(this, _) }
+}
+
+/**
+ * Holds if `e` is an expression used as an argument to a call that executes an external command.
+ * For calls to varargs method calls, this only includes the first argument, which will be the command
+ * to be executed.
+ */
+predicate argumentToExec(Expr e, CommandInjectionSink s) {
+  s.asExpr() = e
+  or
+  e.(Argument).isNthVararg(0) and
+  s.(DataFlow::ImplicitVarargsArray).getCall() = e.(Argument).getCall()
 }
 
 /**

java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql

@@ -14,11 +14,14 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ExternalProcess
 import LocalUserInputToArgumentToExecFlow::PathGraph
 
 from
   LocalUserInputToArgumentToExecFlow::PathNode source,
-  LocalUserInputToArgumentToExecFlow::PathNode sink
-where LocalUserInputToArgumentToExecFlow::flowPath(source, sink)
-select sink.getNode().asExpr(), source, sink, "This command line depends on a $@.",
-  source.getNode(), "user-provided value"
+  LocalUserInputToArgumentToExecFlow::PathNode sink, Expr e
+where
+  LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
+  argumentToExec(e, sink.getNode())
+select e, source, sink, "This command line depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

@@ -14,6 +14,7 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ExternalProcess
 
 /**
  * Strings that are known to be sane by some simple local analysis. Such strings

java/ql/src/Telemetry/ExternalApi.qll

@@ -27,8 +27,9 @@ class ExternalApi extends Callable {
    */
   string getApiName() {
     result =
-      this.getDeclaringType().getPackage() + "." + this.getDeclaringType().getSourceDeclaration() +
-        "#" + this.getName() + paramsString(this)
+      this.getDeclaringType().getPackage() + "." +
+        this.getDeclaringType().getSourceDeclaration().nestedName() + "#" + this.getName() +
+        paramsString(this)
   }
 
   private string getJarName() {

java/ql/src/change-notes/2023-06-23-apache-commons-lang.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* New models have been added for `org.apache.commons.lang`.

java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql

@@ -15,7 +15,11 @@
 import java
 import semmle.code.java.security.CommandLineQuery
 import RemoteUserInputToArgumentToExecFlow::PathGraph
-import JSchOSInjection
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class ActivateModels extends ActiveExperimentalModels {
+  ActivateModels() { this = "jsch-os-injection" }
+}
 
 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
 from

java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll

@@ -1,20 +0,0 @@
-/**
- * Provides classes for JSch OS command injection detection
- */
-
-import java
-
-/** The class `com.jcraft.jsch.ChannelExec`. */
-private class JSchChannelExec extends RefType {
-  JSchChannelExec() { this.hasQualifiedName("com.jcraft.jsch", "ChannelExec") }
-}
-
-/** A method to set an OS Command for the execution. */
-private class ChannelExecSetCommandMethod extends Method, ExecCallable {
-  ChannelExecSetCommandMethod() {
-    this.hasName("setCommand") and
-    this.getDeclaringType() instanceof JSchChannelExec
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}

java/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.expected

@@ -7,5 +7,9 @@
 | java.net.URL#openStream() | 1 |
 | java.net.URLConnection#getInputStream() | 1 |
 | java.time.Duration#ofMillis(long) | 1 |
+| java.util.Iterator#next() | 1 |
+| java.util.Map#entrySet() | 1 |
 | java.util.Map#put(Object,Object) | 1 |
+| java.util.Map$Entry#getKey() | 1 |
+| java.util.Set#iterator() | 1 |
 | org.apache.commons.io.FileUtils#deleteDirectory(File) | 1 |

java/ql/test/query-tests/Telemetry/SupportedExternalApis/SupportedExternalApis.java

@@ -15,6 +15,7 @@ class SupportedExternalApis {
 
 		Map<String, Object> map = new HashMap<>(); // uninteresting (parameterless constructor)
 		map.put("foo", new Object()); // supported summary
+		map.entrySet().iterator().next().getKey(); // nested class (Map.Entry), supported summaries (entrySet, iterator, next, getKey)
 
 		Duration d = java.time.Duration.ofMillis(1000); // supported neutral
 

java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected

@@ -1,22 +1,28 @@
 edges
-| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... |
+| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... : String |
 | Test.java:6:35:6:44 | arg : String | Test.java:10:61:10:73 | ... + ... : String |
 | Test.java:6:35:6:44 | arg : String | Test.java:16:13:16:25 | ... + ... : String |
 | Test.java:6:35:6:44 | arg : String | Test.java:22:15:22:27 | ... + ... : String |
+| Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | Test.java:7:25:7:70 | new ..[] { .. } |
+| Test.java:7:44:7:69 | ... + ... : String | Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String |
 | Test.java:10:29:10:74 | {...} : String[] [[]] : String | Test.java:10:29:10:74 | new String[] |
 | Test.java:10:61:10:73 | ... + ... : String | Test.java:10:29:10:74 | {...} : String[] [[]] : String |
 | Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String | Test.java:18:29:18:31 | cmd |
 | Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String |
 | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | Test.java:24:29:24:32 | cmd1 |
 | Test.java:22:15:22:27 | ... + ... : String | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String |
-| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... |
+| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... : String |
+| Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | Test.java:29:25:29:65 | new ..[] { .. } |
+| Test.java:29:44:29:64 | ... + ... : String | Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String |
 | Test.java:57:27:57:39 | args : String[] | Test.java:60:20:60:22 | arg : String |
 | Test.java:57:27:57:39 | args : String[] | Test.java:61:23:61:25 | arg : String |
 | Test.java:60:20:60:22 | arg : String | Test.java:6:35:6:44 | arg : String |
 | Test.java:61:23:61:25 | arg : String | Test.java:28:38:28:47 | arg : String |
 nodes
 | Test.java:6:35:6:44 | arg : String | semmle.label | arg : String |
-| Test.java:7:44:7:69 | ... + ... | semmle.label | ... + ... |
+| Test.java:7:25:7:70 | new ..[] { .. } | semmle.label | new ..[] { .. } |
+| Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | semmle.label | new ..[] { .. } : String[] [[]] : String |
+| Test.java:7:44:7:69 | ... + ... : String | semmle.label | ... + ... : String |
 | Test.java:10:29:10:74 | new String[] | semmle.label | new String[] |
 | Test.java:10:29:10:74 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
 | Test.java:10:61:10:73 | ... + ... : String | semmle.label | ... + ... : String |
@@ -27,14 +33,16 @@ nodes
 | Test.java:22:15:22:27 | ... + ... : String | semmle.label | ... + ... : String |
 | Test.java:24:29:24:32 | cmd1 | semmle.label | cmd1 |
 | Test.java:28:38:28:47 | arg : String | semmle.label | arg : String |
-| Test.java:29:44:29:64 | ... + ... | semmle.label | ... + ... |
+| Test.java:29:25:29:65 | new ..[] { .. } | semmle.label | new ..[] { .. } |
+| Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | semmle.label | new ..[] { .. } : String[] [[]] : String |
+| Test.java:29:44:29:64 | ... + ... : String | semmle.label | ... + ... : String |
 | Test.java:57:27:57:39 | args : String[] | semmle.label | args : String[] |
 | Test.java:60:20:60:22 | arg : String | semmle.label | arg : String |
 | Test.java:61:23:61:25 | arg : String | semmle.label | arg : String |
 subpaths
 #select
-| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:44:7:69 | ... + ... | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
+| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:25:7:70 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
 | Test.java:10:29:10:74 | new String[] | Test.java:57:27:57:39 | args : String[] | Test.java:10:29:10:74 | new String[] | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
 | Test.java:18:29:18:31 | cmd | Test.java:57:27:57:39 | args : String[] | Test.java:18:29:18:31 | cmd | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
 | Test.java:24:29:24:32 | cmd1 | Test.java:57:27:57:39 | args : String[] | Test.java:24:29:24:32 | cmd1 | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
-| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:44:29:64 | ... + ... | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |
+| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:25:29:65 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |