Merge branch 'main' into jcogs33/java/do-not-use-finalizers

java/ql/integration-tests/java/buildless-gradle-boms/build.gradle

@@ -0,0 +1,18 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * This is a general purpose Gradle build.
+ * To learn more about Gradle by exploring our Samples at https://docs.gradle.org/8.3/samples
+ */
+
+apply plugin: 'java-library'
+
+repositories {
+  mavenCentral()
+}
+
+dependencies {
+  api 'org.apache.commons:commons-math3:3.6.1'
+
+  api 'org.junit.jupiter:junit-jupiter-api:5.12.1'
+}

java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected

@@ -0,0 +1,5 @@
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
+https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
+https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
+https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar

java/ql/integration-tests/java/buildless-gradle-boms/diagnostics.expected

@@ -0,0 +1,70 @@
+{
+  "markdownMessage": "Java analysis used build tool Gradle to pick a JDK version and/or to recommend external dependencies.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/using-build-tool-advice",
+    "name": "Java analysis used build tool Gradle to pick a JDK version and/or to recommend external dependencies"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis used the system default JDK.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/jdk-system-default",
+    "name": "Java analysis used the system default JDK"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis with build-mode 'none' completed.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/complete",
+    "name": "Java analysis with build-mode 'none' completed"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java was extracted with build-mode set to 'none'. This means that all Java source in the working directory will be scanned, with build tools such as Maven and Gradle only contributing information about external dependencies.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/mode-active",
+    "name": "Java was extracted with build-mode set to 'none'"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Reading the dependency graph from build files provided 5 classpath entries",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/depgraph-provided-by-gradle",
+    "name": "Java analysis extracted precise dependency graph information from tool Gradle"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}

java/ql/integration-tests/java/buildless-gradle-boms/settings.gradle

@@ -0,0 +1,8 @@
+/*
+ * This file was generated by the Gradle 'init' task.
+ *
+ * The settings file is used to specify which projects to include in your build.
+ * For more detailed information on multi-project builds, please refer to https://docs.gradle.org/8.3/userguide/building_swift_projects.html in the Gradle documentation.
+ */
+
+rootProject.name = 'buildless-gradle'

java/ql/integration-tests/java/buildless-gradle-boms/source_archive.expected

@@ -0,0 +1,6 @@
+.gradle/8.3/dependencies-accessors/gc.properties
+.gradle/8.3/gc.properties
+.gradle/buildOutputCleanup/cache.properties
+.gradle/vcs-1/gc.properties
+gradle/wrapper/gradle-wrapper.properties
+src/main/java/com/fractestexample/Test.java

java/ql/integration-tests/java/buildless-gradle-boms/src/main/java/com/fractestexample/Test.java

@@ -0,0 +1,9 @@
+package com.fractestexample;
+
+import org.apache.commons.math3.fraction.Fraction;
+
+public class Test {
+
+  public Fraction test(org.junit.jupiter.api.Test t) { return Fraction.ONE; }
+
+}

java/ql/integration-tests/java/buildless-gradle-boms/test.py

@@ -0,0 +1,7 @@
+def test(codeql, java, gradle_8_3):
+    codeql.database.create(
+        _env={
+            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
+            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
+        }
+    )

java/ql/integration-tests/java/buildless-inherit-trust-store/test.py

@@ -1,10 +1,16 @@
 import subprocess
 import os
+import runs_on
 
 
 def test(codeql, java, cwd):
     # This serves the "repo" directory on https://locahost:4443
-    repo_server_process = subprocess.Popen(["python3", "../server.py"], cwd="repo")
+    command = ["python3", "../server.py"]
+    if runs_on.github_actions and runs_on.posix:
+        # On GitHub Actions, we saw the server timing out while running in parallel with other tests
+        # we work around that by running it with higher permissions
+        command = ["sudo"] + command
+    repo_server_process = subprocess.Popen(command, cwd="repo")
     certspath = cwd / "jdk8_shipped_cacerts_plus_cert_pem"
     # If we override MAVEN_OPTS, we'll break cross-test maven isolation, so we need to append to it instead
     maven_opts = os.environ["MAVEN_OPTS"] + f" -Djavax.net.ssl.trustStore={certspath}"

java/ql/integration-tests/java/buildless-maven-mirrorof/buildless-fetches.expected

@@ -0,0 +1,26 @@
+https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
+https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
+https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
+https://repo.maven.apache.org/maven2/com/intuit/benten/benten-examples/0.1.5/benten-examples-0.1.5.jar
+https://repo.maven.apache.org/maven2/com/jakewharton/twirl/sample-runtime/1.2.0/sample-runtime-1.2.0.jar
+https://repo.maven.apache.org/maven2/com/mattunderscore/code/generation/specky/plugin-example/0.8.0/plugin-example-0.8.0.jar
+https://repo.maven.apache.org/maven2/com/microsoft/tang/tang-test-jarAB/0.9/tang-test-jarAB-0.9.jar
+https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/rx-redis-example_2.11-0.1.2.jar
+https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
+https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
+https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
+https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-mustache/0.5.10/minijax-example-mustache-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-petclinic/0.5.10/minijax-example-petclinic-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-security/0.5.10/minijax-example-security-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-ssl/0.5.10/minijax-example-ssl-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-todo-backend/0.5.10/minijax-example-todo-backend-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/minijax/minijax-example-websocket/0.5.10/minijax-example-websocket-0.5.10.jar
+https://repo.maven.apache.org/maven2/org/scalamock/scalamock-examples_2.10/3.6.0/scalamock-examples_2.10-3.6.0.jar
+https://repo.maven.apache.org/maven2/org/somda/sdc/glue-examples/4.0.0/glue-examples-4.0.0.jar
+https://repo.maven.apache.org/maven2/us/fatehi/schemacrawler-examplecode/16.20.2/schemacrawler-examplecode-16.20.2.jar
+https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.jar
+https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar

java/ql/integration-tests/java/buildless-maven-mirrorof/diagnostics.expected

@@ -0,0 +1,70 @@
+{
+  "markdownMessage": "Java analysis used build tool Maven to pick a JDK version and/or to recommend external dependencies.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/using-build-tool-advice",
+    "name": "Java analysis used build tool Maven to pick a JDK version and/or to recommend external dependencies"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis used the system default JDK.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/jdk-system-default",
+    "name": "Java analysis used the system default JDK"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java analysis with build-mode 'none' completed.",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/complete",
+    "name": "Java analysis with build-mode 'none' completed"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Java was extracted with build-mode set to 'none'. This means that all Java source in the working directory will be scanned, with build tools such as Maven and Gradle only contributing information about external dependencies.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/mode-active",
+    "name": "Java was extracted with build-mode set to 'none'"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Reading the dependency graph from build files provided 2 classpath entries",
+  "severity": "unknown",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/depgraph-provided-by-maven",
+    "name": "Java analysis extracted precise dependency graph information from tool Maven"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": false,
+    "telemetry": true
+  }
+}

java/ql/integration-tests/java/buildless-maven-mirrorof/maven-fetches.expected

@@ -0,0 +1,77 @@
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-annotations/2.14.1/jackson-annotations-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/core/jackson-databind/2.14.1/jackson-databind-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-base/2.14.1/jackson-base-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-bom/2.14.1/jackson-bom-2.14.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/jackson/jackson-parent/2.14/jackson-parent-2.14.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/fasterxml/oss-parent/48/oss-parent-48.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/github/ferstl/depgraph-maven-plugin/4.0.3-CodeQL/depgraph-maven-plugin-4.0.3-CodeQL.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/errorprone/error_prone_parent/2.36.0/error_prone_parent-2.36.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/failureaccess/1.0.2/failureaccess-1.0.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/26.0-android/guava-parent-26.0-android.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava-parent/33.4.0-jre/guava-parent-33.4.0-jre.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/33.4.0-jre/guava-33.4.0-jre.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/guava/33.4.0-jre/guava-33.4.0-jre.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava/listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/net/java/jvnet-parent/3/jvnet-parent-3.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/19/apache-19.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/25/apache-25.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/apache/27/apache-27.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-lang3/3.8.1/commons-lang3-3.8.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/commons/commons-parent/47/commons-parent-47.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-artifact/3.8.6/maven-artifact-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-artifact/3.8.6/maven-artifact-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-model/3.8.6/maven-model-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-model/3.8.6/maven-model-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-parent/35/maven-parent-35.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-parent/37/maven-parent-37.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-plugin-api/3.8.6/maven-plugin-api-3.8.6.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven-plugin-api/3.8.6/maven-plugin-api-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/maven/3.8.6/maven-3.8.6.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-common-artifact-filters/3.3.2/maven-common-artifact-filters-3.3.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/apache/maven/shared/maven-shared-components/37/maven-shared-components-37.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.43.0/checker-qual-3.43.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/checkerframework/checker-qual/3.43.0/checker-qual-3.43.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.5.2/plexus-classworlds-2.5.2.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-classworlds/2.6.0/plexus-classworlds-2.6.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-containers/1.5.5/plexus-containers-1.5.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.3.1/plexus-utils-3.3.1.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus-utils/3.3.1/plexus-utils-3.3.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/2.0.7/plexus-2.0.7.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/3.3.1/plexus-3.3.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/4.0/plexus-4.0.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/codehaus/plexus/plexus/5.1/plexus-5.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.5/org.eclipse.sisu.inject-0.3.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.inject/0.3.5/org.eclipse.sisu.inject-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.jar
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/org.eclipse.sisu.plexus/0.3.5/org.eclipse.sisu.plexus-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/sisu-inject/0.3.5/sisu-inject-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/eclipse/sisu/sisu-plexus/0.3.5/sisu-plexus-0.3.5.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/junit/junit-bom/5.9.1/junit-bom-5.9.1.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/forge/forge-parent/10/forge-parent-10.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/oss/oss-parent/9/oss-parent-9.pom
+Downloaded from codeql-depgraph-plugin-repo: file://[dist-root]/java/tools/ferstl-depgraph-dependencies/org/sonatype/spice/spice-parent/17/spice-parent-17.pom
+Downloaded from mirror-force-central: https://repo1.maven.org/maven2/junit/junit/4.11/junit-4.11.pom
+Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.pom
+Downloaded from mirror-force-central: https://repo1.maven.org/maven2/org/hamcrest/hamcrest-parent/1.3/hamcrest-parent-1.3.pom

java/ql/integration-tests/java/buildless-maven-mirrorof/pom.xml

@@ -0,0 +1,114 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>com.example</groupId>
+  <artifactId>maven-sample</artifactId>
+  <version>1.0-SNAPSHOT</version>
+
+  <name>maven-sample</name>
+  <!-- FIXME change it to the project's website -->
+  <url>http://www.example.com</url>
+
+  <properties>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <maven.compiler.source>1.7</maven.compiler.source>
+    <maven.compiler.target>1.7</maven.compiler.target>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.11</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>exec-maven-plugin</artifactId>
+        <groupId>org.codehaus.mojo</groupId>
+        <version>1.1.1</version>
+        <executions>
+          <execution>
+            <id>check-maven-version</id>
+            <phase>package</phase>
+            <goals>
+              <goal>java</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <mainClass>com.example.App</mainClass>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>com.diffplug.spotless</groupId>
+        <artifactId>spotless-maven-plugin</artifactId>
+        <version>2.19.1</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>check</goal>
+            </goals>
+            <phase>compile</phase>
+          </execution>
+        </executions>
+        <configuration>
+          <java>
+            <licenseHeader>
+              <content>/* FAIL ME */</content>
+            </licenseHeader>
+          </java>
+        </configuration>
+      </plugin>
+    </plugins>
+    <pluginManagement>
+      <!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
+      <plugins>
+        <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
+        <plugin>
+          <artifactId>maven-clean-plugin</artifactId>
+          <version>3.1.0</version>
+        </plugin>
+        <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>3.8.0</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.22.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>3.0.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-install-plugin</artifactId>
+          <version>2.5.2</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-deploy-plugin</artifactId>
+          <version>2.8.2</version>
+        </plugin>
+        <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
+        <plugin>
+          <artifactId>maven-site-plugin</artifactId>
+          <version>3.7.1</version>
+        </plugin>
+        <plugin>
+          <artifactId>maven-project-info-reports-plugin</artifactId>
+          <version>3.0.0</version>
+        </plugin>
+      </plugins>
+    </pluginManagement>
+  </build>
+</project>

java/ql/integration-tests/java/buildless-maven-mirrorof/settings-xml.expected

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<settings>
+      
+    <mirrors>
+            
+        <mirror>
+                  
+            <id>mirror-force-central</id>
+                  
+            <name>Mirror Repository</name>
+                  
+            <url>https://repo1.maven.org/maven2</url>
+                  
+            <mirrorOf>*,!codeql-depgraph-plugin-repo</mirrorOf>
+                
+        </mirror>
+          
+    </mirrors>
+    
+    <profiles>
+        <profile>
+            <id>codeql-depgraph-plugin-repo</id>
+            <pluginRepositories>
+                <pluginRepository>
+                    <id>codeql-depgraph-plugin-repo</id>
+                    <name>CodeQL Dependency Graph Plugin Repository</name>
+                    <url>file://[dist-root]/java/tools/ferstl-depgraph-dependencies/</url>
+                </pluginRepository>
+            </pluginRepositories>
+        </profile>
+    </profiles>
+    <activeProfiles>
+        <activeProfile>codeql-depgraph-plugin-repo</activeProfile>
+    </activeProfiles>
+</settings>

java/ql/integration-tests/java/buildless-maven-mirrorof/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>mirror-force-central</id>
+      <name>Mirror Repository</name>
+      <url>https://repo1.maven.org/maven2</url>
+      <mirrorOf>*</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-maven-mirrorof/source_archive.expected

@@ -0,0 +1,8 @@
+pom.xml
+settings.xml
+src/main/java/com/example/App.java
+src/main/resources/my-app.properties
+src/main/resources/page.xml
+src/main/resources/struts.xml
+src/test/java/com/example/AppTest.java
+test-db/working/settings.xml

java/ql/integration-tests/java/buildless-maven-mirrorof/src/main/java/com/example/App.java

@@ -0,0 +1,30 @@
+package com.example;
+
+import java.util.regex.Pattern;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+/**
+ * Hello world!
+ *
+ */
+public class App 
+{
+    public static void main( String[] args )
+    {
+        System.out.println( "Hello World!" );
+        String expectedVersion = System.getenv("EXPECT_MAVEN");
+        Path mavenHome = Paths.get(System.getProperty("maven.home")).normalize();
+        String observedVersion = mavenHome.getFileName().toString();
+        if (expectedVersion != null && !expectedVersion.equals(observedVersion)) {
+                System.err.println("Wrong maven version, expected '" + expectedVersion + "' but got '" + observedVersion + "'" + mavenHome);
+                System.exit(1);
+        }
+        String commandMatcher = System.getenv("EXPECT_COMMAND_REGEX");
+        String command = System.getProperty("sun.java.command");
+        if (commandMatcher != null && !Pattern.matches(commandMatcher, command)) {
+                System.err.println("Wrong command line, '" + command + "' does not match '" + commandMatcher + "'");
+                System.exit(1);
+        }
+    }
+}

java/ql/integration-tests/java/buildless-maven-mirrorof/src/main/resources/my-app.properties

@@ -0,0 +1 @@
+version=1.0

java/ql/integration-tests/java/buildless-maven-mirrorof/src/main/resources/page.xml

@@ -0,0 +1,8 @@
+<html>
+<head>
+<title>A sample</title>
+</head>
+<body>
+<p>Hello world!</p>
+</body>
+</html>

java/ql/integration-tests/java/buildless-maven-mirrorof/src/main/resources/struts.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<struts>
+This is a sample file
+</struts>

java/ql/integration-tests/java/buildless-maven-mirrorof/src/test/java/com/example/AppTest.java

@@ -0,0 +1,20 @@
+package com.example;
+
+import static org.junit.Assert.assertTrue;
+
+import org.junit.Test;
+
+/**
+ * Unit test for simple App.
+ */
+public class AppTest 
+{
+    /**
+     * Rigorous Test :-)
+     */
+    @Test
+    public void shouldAnswerWithTrue()
+    {
+        assertTrue( true );
+    }
+}

java/ql/integration-tests/java/buildless-maven-mirrorof/test.py

@@ -0,0 +1,10 @@
+import os
+import os.path
+
+def test(codeql, java):
+    codeql.database.create(build_mode = "none",
+        _env={
+            "_JAVA_OPTIONS": "-Duser.home=" + os.path.join(os.getcwd(), "empty-home"),
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml")
+        }
+    )

java/ql/integration-tests/java/buildless-snapshot-repository/test.py

@@ -1,11 +1,16 @@
 import subprocess
-import sys
+import runs_on
 
 
 def test(codeql, java):
     # This serves the "repo" directory on http://localhost:9427
+    command = ["python3", "-m", "http.server", "9427", "-b", "localhost"]
+    if runs_on.github_actions and runs_on.posix:
+        # On GitHub Actions, we saw the server timing out while running in parallel with other tests
+        # we work around that by running it with higher permissions
+        command = ["sudo"] + command
     repo_server_process = subprocess.Popen(
-        [sys.executable, "-m", "http.server", "9427"], cwd="repo"
+        command, cwd="repo"
     )
     try:
         codeql.database.create(

java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/diagnostics.expected

@@ -1,10 +1,10 @@
 {
-  "markdownMessage": "Build tool(s) should have been able to provide a recommended classpath but the attempt failed. Extraction will continue, but external dependencies will be inferred from the Java package names used. Consider troubleshooting the build tool error or using a build mode other than 'none'.",
-  "severity": "note",
+  "markdownMessage": "Analyzed a Gradle project without the [Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html). This may use an incompatible version of Gradle.",
+  "severity": "warning",
   "source": {
     "extractorName": "java",
-    "id": "java/autobuilder/buildless/classpath-from-tool-failed",
-    "name": "Failed to extract dependency information from build tool tool Gradle"
+    "id": "java/autobuilder/guessed-gradle-version",
+    "name": "Required Gradle version not specified"
   },
   "visibility": {
     "cliSummaryTable": true,
@@ -13,12 +13,12 @@
   }
 }
 {
-  "markdownMessage": "Built a Gradle project without the [Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html). This may use an incompatible version of Gradle.",
-  "severity": "warning",
+  "markdownMessage": "Build tool(s) should have been able to provide a recommended classpath but the attempt failed. Extraction will continue, but external dependencies will be inferred from the Java package names used. Consider troubleshooting the build tool error or using a build mode other than 'none'.",
+  "severity": "note",
   "source": {
     "extractorName": "java",
-    "id": "java/autobuilder/guessed-gradle-version",
-    "name": "Required Gradle version not specified"
+    "id": "java/autobuilder/buildless/classpath-from-tool-failed",
+    "name": "Failed to extract dependency information from build tool tool Gradle"
   },
   "visibility": {
     "cliSummaryTable": true,

java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected

@@ -0,0 +1,12 @@
+ql/java/ql/src/Language Abuse/TypeVariableHidesType.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/java/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
+ql/java/ql/src/Likely Bugs/Comparison/IncomparableEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/InconsistentEqualsHashCode.ql
+ql/java/ql/src/Likely Bugs/Comparison/MissingInstanceofInEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/RefEqBoxed.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/SuspiciousDateFormat.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
+ql/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql

java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected

@@ -0,0 +1,79 @@
+ql/java/ql/src/Diagnostics/ExtractionErrors.ql
+ql/java/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeJava.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
+ql/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
+ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+ql/java/ql/src/Security/CWE/CWE-079/XSS.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+ql/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
+ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
+ql/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+ql/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
+ql/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+ql/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
+ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+ql/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+ql/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+ql/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+ql/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+ql/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
+ql/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+ql/java/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+ql/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+ql/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+ql/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+ql/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
+ql/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
+ql/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
+ql/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
+ql/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/java/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/java/ql/src/Telemetry/ExtractorInformation.ql
+ql/java/ql/src/Telemetry/SupportedExternalApis.ql
+ql/java/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/java/ql/src/Telemetry/SupportedExternalSources.ql
+ql/java/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql

java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected

@@ -0,0 +1,243 @@
+ql/java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.ql
+ql/java/ql/src/Advisory/Deprecated Code/AvoidDeprecatedCallableAccess.ql
+ql/java/ql/src/Advisory/Documentation/ImpossibleJavadocThrows.ql
+ql/java/ql/src/Advisory/Documentation/SpuriousJavadocParam.ql
+ql/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql
+ql/java/ql/src/Compatibility/JDK9/UnderscoreIdentifier.ql
+ql/java/ql/src/DeadCode/UselessParameter.ql
+ql/java/ql/src/Diagnostics/ExtractionErrors.ql
+ql/java/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+ql/java/ql/src/Language Abuse/ChainedInstanceof.ql
+ql/java/ql/src/Language Abuse/IterableIterator.ql
+ql/java/ql/src/Language Abuse/OverridePackagePrivate.ql
+ql/java/ql/src/Language Abuse/TypeVarExtendsFinalType.ql
+ql/java/ql/src/Language Abuse/TypeVariableHidesType.ql
+ql/java/ql/src/Language Abuse/UselessNullCheck.ql
+ql/java/ql/src/Language Abuse/UselessTypeTest.ql
+ql/java/ql/src/Language Abuse/WrappedIterator.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/BadAbsOfRandom.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/LShiftLargerThanTypeWidth.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/MultiplyRemainder.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
+ql/java/ql/src/Likely Bugs/Cloning/MissingCallToSuperClone.ql
+ql/java/ql/src/Likely Bugs/Cloning/MissingMethodClone.ql
+ql/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
+ql/java/ql/src/Likely Bugs/Collections/ContainsTypeMismatch.ql
+ql/java/ql/src/Likely Bugs/Collections/IteratorRemoveMayFail.ql
+ql/java/ql/src/Likely Bugs/Collections/ReadOnlyContainer.ql
+ql/java/ql/src/Likely Bugs/Collections/RemoveTypeMismatch.ql
+ql/java/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
+ql/java/ql/src/Likely Bugs/Comparison/CompareIdenticalValues.ql
+ql/java/ql/src/Likely Bugs/Comparison/CovariantCompareTo.ql
+ql/java/ql/src/Likely Bugs/Comparison/CovariantEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/EqualsArray.ql
+ql/java/ql/src/Likely Bugs/Comparison/HashedButNoHash.ql
+ql/java/ql/src/Likely Bugs/Comparison/IncomparableEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/InconsistentCompareTo.ql
+ql/java/ql/src/Likely Bugs/Comparison/InconsistentEqualsHashCode.ql
+ql/java/ql/src/Likely Bugs/Comparison/MissingInstanceofInEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/RefEqBoxed.ql
+ql/java/ql/src/Likely Bugs/Comparison/StringComparison.ql
+ql/java/ql/src/Likely Bugs/Comparison/UselessComparisonTest.ql
+ql/java/ql/src/Likely Bugs/Comparison/WrongNanComparison.ql
+ql/java/ql/src/Likely Bugs/Concurrency/CallsToConditionWait.ql
+ql/java/ql/src/Likely Bugs/Concurrency/CallsToRunnableRun.ql
+ql/java/ql/src/Likely Bugs/Concurrency/DateFormatThreadUnsafe.ql
+ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLocking.ql
+ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql
+ql/java/ql/src/Likely Bugs/Concurrency/FutileSynchOnField.ql
+ql/java/ql/src/Likely Bugs/Concurrency/NonSynchronizedOverride.ql
+ql/java/ql/src/Likely Bugs/Concurrency/NotifyNotNotifyAll.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SleepWithLock.ql
+ql/java/ql/src/Likely Bugs/Concurrency/StartInConstructor.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SynchOnBoxedType.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SynchSetUnsynchGet.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SynchWriteObject.ql
+ql/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql
+ql/java/ql/src/Likely Bugs/Finalization/NullifiedSuperFinalize.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/BadSuiteMethod.ql
+ql/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql
+ql/java/ql/src/Likely Bugs/Inheritance/NoNonFinalInConstructor.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ContainerSizeCmpZero.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/DangerousNonCircuitLogic.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/EqualsTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/HashCodeTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/MissingFormatArg.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/MissingSpaceTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/SelfAssignment.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/StringBufferCharInit.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/SuspiciousDateFormat.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ToStringTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/UnusedFormatArg.ql
+ql/java/ql/src/Likely Bugs/Nullness/NullAlways.ql
+ql/java/ql/src/Likely Bugs/Nullness/NullExprDeref.ql
+ql/java/ql/src/Likely Bugs/Nullness/NullMaybe.ql
+ql/java/ql/src/Likely Bugs/Reflection/AnnotationPresentCheck.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseSql.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
+ql/java/ql/src/Likely Bugs/Serialization/IncorrectSerialVersionUID.ql
+ql/java/ql/src/Likely Bugs/Serialization/IncorrectSerializableMethods.ql
+ql/java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorOnExternalizable.ql
+ql/java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql
+ql/java/ql/src/Likely Bugs/Serialization/NonSerializableInnerClass.ql
+ql/java/ql/src/Likely Bugs/Serialization/ReadResolveObject.ql
+ql/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.ql
+ql/java/ql/src/Likely Bugs/Statements/MissingEnumInSwitch.ql
+ql/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql
+ql/java/ql/src/Likely Bugs/Statements/UseBraces.ql
+ql/java/ql/src/Likely Bugs/Termination/ConstantLoopCondition.ql
+ql/java/ql/src/Likely Bugs/Termination/SpinOnField.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeJava.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
+ql/java/ql/src/Performance/InefficientEmptyStringTest.ql
+ql/java/ql/src/Performance/InefficientKeySetIterator.ql
+ql/java/ql/src/Performance/InefficientOutputStream.ql
+ql/java/ql/src/Performance/InefficientPrimConstructor.ql
+ql/java/ql/src/Performance/InnerClassCouldBeStatic.ql
+ql/java/ql/src/Performance/NewStringString.ql
+ql/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
+ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+ql/java/ql/src/Security/CWE/CWE-079/XSS.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
+ql/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+ql/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
+ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
+ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
+ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+ql/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
+ql/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
+ql/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+ql/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
+ql/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.ql
+ql/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+ql/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidDatabase.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidFilesystem.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageSharedPrefs.ql
+ql/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
+ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+ql/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+ql/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+ql/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
+ql/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+ql/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
+ql/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
+ql/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+ql/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql
+ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
+ql/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.ql
+ql/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql
+ql/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+ql/java/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+ql/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+ql/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+ql/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+ql/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
+ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
+ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+ql/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
+ql/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+ql/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
+ql/java/ql/src/Security/CWE/CWE-926/ContentProviderIncompletePermissions.ql
+ql/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
+ql/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql
+ql/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
+ql/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/java/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/java/ql/src/Telemetry/ExtractorInformation.ql
+ql/java/ql/src/Telemetry/SupportedExternalApis.ql
+ql/java/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/java/ql/src/Telemetry/SupportedExternalSources.ql
+ql/java/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql
+ql/java/ql/src/Violations of Best Practice/Boxed Types/BoxedVariable.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/CreatesEmptyZip.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/DeadRefTypes.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/InterfaceCannotBeImplemented.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnreadLocal.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnusedLabel.ql
+ql/java/ql/src/Violations of Best Practice/Declarations/NoConstantsOnly.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/IgnoreExceptionalReturn.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/NumberFormatException.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/GetClassGetResource.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/AmbiguousOuterSuper.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingMethodNames.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/FieldMasksSuperField.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldConfusing.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/NextFromIterator.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/PrintLnArray.ql

java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected

@@ -0,0 +1,123 @@
+ql/java/ql/src/Diagnostics/ExtractionErrors.ql
+ql/java/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
+ql/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeJava.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
+ql/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
+ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+ql/java/ql/src/Security/CWE/CWE-079/XSS.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
+ql/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+ql/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
+ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
+ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
+ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+ql/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
+ql/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
+ql/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+ql/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
+ql/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.ql
+ql/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+ql/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidDatabase.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidFilesystem.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageSharedPrefs.ql
+ql/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
+ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+ql/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+ql/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+ql/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
+ql/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+ql/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
+ql/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
+ql/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+ql/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql
+ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
+ql/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.ql
+ql/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql
+ql/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+ql/java/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+ql/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+ql/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+ql/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+ql/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
+ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
+ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+ql/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
+ql/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+ql/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
+ql/java/ql/src/Security/CWE/CWE-926/ContentProviderIncompletePermissions.ql
+ql/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
+ql/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql
+ql/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
+ql/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/java/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/java/ql/src/Telemetry/ExtractorInformation.ql
+ql/java/ql/src/Telemetry/SupportedExternalApis.ql
+ql/java/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/java/ql/src/Telemetry/SupportedExternalSources.ql
+ql/java/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql

java/ql/integration-tests/java/query-suite/not_included_in_qls.expected

@@ -0,0 +1,285 @@
+ql/java/ql/src/Advisory/Declarations/NonFinalImmutableField.ql
+ql/java/ql/src/Advisory/Declarations/NonPrivateField.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocMethods.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocParameters.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocReturnValues.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocThrows.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocTypes.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidCloneMethodAccess.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidCloneOverride.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidCloneableInterface.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidFinalizeOverride.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsConstants.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsMethods.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsPackages.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsRefTypes.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsVariables.ql
+ql/java/ql/src/Advisory/Statements/MissingDefaultInSwitch.ql
+ql/java/ql/src/Advisory/Statements/OneStatementPerLine.ql
+ql/java/ql/src/Advisory/Statements/TerminateIfElseIfWithElse.ql
+ql/java/ql/src/Advisory/Types/GenericsConstructor.ql
+ql/java/ql/src/Advisory/Types/GenericsReturnType.ql
+ql/java/ql/src/Advisory/Types/GenericsVariable.ql
+ql/java/ql/src/AlertSuppression.ql
+ql/java/ql/src/AlertSuppressionAnnotations.ql
+ql/java/ql/src/Architecture/Dependencies/MutualDependency.ql
+ql/java/ql/src/Architecture/Dependencies/UnusedMavenDependencyBinary.ql
+ql/java/ql/src/Architecture/Dependencies/UnusedMavenDependencySource.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/DeeplyNestedClass.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/FeatureEnvy.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/HubClasses.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/InappropriateIntimacy.ql
+ql/java/ql/src/Complexity/BlockWithTooManyStatements.ql
+ql/java/ql/src/Complexity/ComplexCondition.ql
+ql/java/ql/src/DeadCode/DeadClass.ql
+ql/java/ql/src/DeadCode/DeadEnumConstant.ql
+ql/java/ql/src/DeadCode/DeadField.ql
+ql/java/ql/src/DeadCode/DeadMethod.ql
+ql/java/ql/src/DeadCode/FLinesOfDeadCode.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbGraphics.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSocketAsServer.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbStaticFieldNonFinal.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSynchronization.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbThis.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbThreads.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/MissingParentBean.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/TooManyBeans.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/UnusedBean.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/UselessPropertyOverride.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/AvoidAutowiring.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/DontUseConstructorArgIndex.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/ImportsFirst.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/NoBeanDescription.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/ParentShouldNotUseAbstractClass.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseIdInsteadOfName.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseLocalRef.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseSetterInjection.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseShortcutForms.ql
+ql/java/ql/src/Frameworks/Spring/XML Configuration Errors/MissingSetters.ql
+ql/java/ql/src/Language Abuse/CastThisToTypeParameter.ql
+ql/java/ql/src/Language Abuse/DubiousDowncastOfThis.ql
+ql/java/ql/src/Language Abuse/DubiousTypeTestOfThis.ql
+ql/java/ql/src/Language Abuse/EmptyMethod.ql
+ql/java/ql/src/Language Abuse/EmptyStatement.ql
+ql/java/ql/src/Language Abuse/EnumIdentifier.ql
+ql/java/ql/src/Language Abuse/ImplementsAnnotation.ql
+ql/java/ql/src/Language Abuse/MissedTernaryOpportunity.ql
+ql/java/ql/src/Language Abuse/UselessUpcast.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/CondExprTypes.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/OctalLiteral.ql
+ql/java/ql/src/Likely Bugs/Comparison/BitwiseSignCheck.ql
+ql/java/ql/src/Likely Bugs/Comparison/DefineEqualsWhenAddingFields.ql
+ql/java/ql/src/Likely Bugs/Comparison/EqualsUsesInstanceOf.ql
+ql/java/ql/src/Likely Bugs/Comparison/NoAssignInBooleanExprs.ql
+ql/java/ql/src/Likely Bugs/Comparison/NoComparisonOnFloats.ql
+ql/java/ql/src/Likely Bugs/Comparison/ObjectComparison.ql
+ql/java/ql/src/Likely Bugs/Concurrency/BusyWait.ql
+ql/java/ql/src/Likely Bugs/Concurrency/EmptyRunMethodInThread.ql
+ql/java/ql/src/Likely Bugs/Concurrency/InconsistentAccess.ql
+ql/java/ql/src/Likely Bugs/Concurrency/LazyInitStaticField.ql
+ql/java/ql/src/Likely Bugs/Concurrency/NotifyWithoutSynch.ql
+ql/java/ql/src/Likely Bugs/Concurrency/PriorityCalls.ql
+ql/java/ql/src/Likely Bugs/Concurrency/WaitOutsideLoop.ql
+ql/java/ql/src/Likely Bugs/Concurrency/WaitWithTwoLocks.ql
+ql/java/ql/src/Likely Bugs/Concurrency/YieldCalls.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/TearDownNoSuper.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/TestCaseNoTests.ql
+ql/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.ql
+ql/java/ql/src/Likely Bugs/I18N/MissingLocaleArgument.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ConstructorTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/NestedLoopsSameVariable.ql
+ql/java/ql/src/Likely Bugs/Serialization/NonSerializableComparator.ql
+ql/java/ql/src/Likely Bugs/Serialization/NonSerializableField.ql
+ql/java/ql/src/Likely Bugs/Serialization/TransientNotSerializable.ql
+ql/java/ql/src/Likely Bugs/Statements/EmptyBlock.ql
+ql/java/ql/src/Likely Bugs/Statements/EmptySynchronizedBlock.ql
+ql/java/ql/src/Likely Bugs/Statements/ImpossibleCast.ql
+ql/java/ql/src/Likely Bugs/Statements/InconsistentCallOnResult.ql
+ql/java/ql/src/Likely Bugs/Statements/ReturnValueIgnored.ql
+ql/java/ql/src/Likely Bugs/Statements/StaticFieldWrittenByInstance.ql
+ql/java/ql/src/Metrics/Authors/AuthorsPerFile.ql
+ql/java/ql/src/Metrics/Callables/CCyclomaticComplexity.ql
+ql/java/ql/src/Metrics/Callables/CLinesOfCode.ql
+ql/java/ql/src/Metrics/Callables/CLinesOfComment.ql
+ql/java/ql/src/Metrics/Callables/CNumberOfCalls.ql
+ql/java/ql/src/Metrics/Callables/CNumberOfParameters.ql
+ql/java/ql/src/Metrics/Callables/CNumberOfStatements.ql
+ql/java/ql/src/Metrics/Callables/StatementNestingDepth.ql
+ql/java/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+ql/java/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+ql/java/ql/src/Metrics/Files/FAfferentCoupling.ql
+ql/java/ql/src/Metrics/Files/FCommentRatio.ql
+ql/java/ql/src/Metrics/Files/FCyclomaticComplexity.ql
+ql/java/ql/src/Metrics/Files/FEfferentCoupling.ql
+ql/java/ql/src/Metrics/Files/FLines.ql
+ql/java/ql/src/Metrics/Files/FLinesOfCode.ql
+ql/java/ql/src/Metrics/Files/FLinesOfComment.ql
+ql/java/ql/src/Metrics/Files/FLinesOfCommentedCode.ql
+ql/java/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
+ql/java/ql/src/Metrics/Files/FLinesOfSimilarCode.ql
+ql/java/ql/src/Metrics/Files/FNumberOfClasses.ql
+ql/java/ql/src/Metrics/Files/FNumberOfInterfaces.ql
+ql/java/ql/src/Metrics/Files/FNumberOfTests.ql
+ql/java/ql/src/Metrics/Files/FSelfContainedness.ql
+ql/java/ql/src/Metrics/RefTypes/TAfferentCoupling.ql
+ql/java/ql/src/Metrics/RefTypes/TEfferentCoupling.ql
+ql/java/ql/src/Metrics/RefTypes/TEfferentSourceCoupling.ql
+ql/java/ql/src/Metrics/RefTypes/TInheritanceDepth.ql
+ql/java/ql/src/Metrics/RefTypes/TLackOfCohesionCK.ql
+ql/java/ql/src/Metrics/RefTypes/TLackOfCohesionHS.ql
+ql/java/ql/src/Metrics/RefTypes/TLinesOfCode.ql
+ql/java/ql/src/Metrics/RefTypes/TLinesOfComment.ql
+ql/java/ql/src/Metrics/RefTypes/TNumberOfCallables.ql
+ql/java/ql/src/Metrics/RefTypes/TNumberOfFields.ql
+ql/java/ql/src/Metrics/RefTypes/TNumberOfStatements.ql
+ql/java/ql/src/Metrics/RefTypes/TPercentageOfComments.ql
+ql/java/ql/src/Metrics/RefTypes/TPercentageOfComplexCode.ql
+ql/java/ql/src/Metrics/RefTypes/TResponse.ql
+ql/java/ql/src/Metrics/RefTypes/TSelfContainedness.ql
+ql/java/ql/src/Metrics/RefTypes/TSizeOfAPI.ql
+ql/java/ql/src/Metrics/RefTypes/TSpecialisationIndex.ql
+ql/java/ql/src/Metrics/Summaries/FrameworkCoverage.ql
+ql/java/ql/src/Metrics/Summaries/GeneratedVsManualCoverage.ql
+ql/java/ql/src/Performance/ConcatenationInLoops.ql
+ql/java/ql/src/Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
+ql/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
+ql/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+ql/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
+ql/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
+ql/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
+ql/java/ql/src/Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
+ql/java/ql/src/Violations of Best Practice/Comments/CommentedCode.ql
+ql/java/ql/src/Violations of Best Practice/Comments/TodoComments.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/AssignmentInReturn.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/DeadStoreOfLocal.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/DeadStoreOfLocalUnread.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/EmptyFinalize.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/FinalizerNullsFields.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/LocalInitialisedButNotUsed.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/LocalNotRead.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/NonAssignedFields.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/PointlessForwardingMethod.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnusedField.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnusedLocal.ql
+ql/java/ql/src/Violations of Best Practice/Declarations/BreakInSwitchCase.ql
+ql/java/ql/src/Violations of Best Practice/Declarations/MakeImportsExplicit.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/DroppedExceptions.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/ExceptionCatch.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/StaticArray.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicConstantsNumbers.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicConstantsString.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicNumbersUseConstant.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicStringsUseConstant.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverridesNames.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsField.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToSystemExit.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql
+ql/java/ql/src/Violations of Best Practice/legacy/AutoBoxing.ql
+ql/java/ql/src/Violations of Best Practice/legacy/FinallyMayNotComplete.ql
+ql/java/ql/src/Violations of Best Practice/legacy/InexactVarArg.ql
+ql/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.ql
+ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryCast.ql
+ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryImport.ql
+ql/java/ql/src/definitions.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql
+ql/java/ql/src/external/DuplicateAnonymous.ql
+ql/java/ql/src/external/DuplicateBlock.ql
+ql/java/ql/src/external/DuplicateMethod.ql
+ql/java/ql/src/external/MostlyDuplicateClass.ql
+ql/java/ql/src/external/MostlyDuplicateFile.ql
+ql/java/ql/src/external/MostlyDuplicateMethod.ql
+ql/java/ql/src/external/MostlySimilarFile.ql
+ql/java/ql/src/filters/ClassifyFiles.ql
+ql/java/ql/src/meta/frameworks/Coverage.ql
+ql/java/ql/src/meta/ssa/AmbiguousToString.ql
+ql/java/ql/src/meta/ssa/TooFewPhiInputs.ql
+ql/java/ql/src/meta/ssa/UncertainDefWithoutPrior.ql
+ql/java/ql/src/meta/ssa/UseWithoutUniqueSsaVariable.ql
+ql/java/ql/src/utils/modelconverter/ExtractNeutrals.ql
+ql/java/ql/src/utils/modelconverter/ExtractSinks.ql
+ql/java/ql/src/utils/modelconverter/ExtractSources.ql
+ql/java/ql/src/utils/modelconverter/ExtractSummaries.ql
+ql/java/ql/src/utils/modeleditor/ApplicationModeEndpoints.ql
+ql/java/ql/src/utils/modeleditor/FrameworkModeEndpoints.ql
+ql/java/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureMixedNeutralModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureMixedSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureTypeBasedSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
+ql/java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
+ql/java/ql/src/utils/stub-generator/MinimalStubsFromSource.ql

java/ql/integration-tests/java/query-suite/test.py

@@ -0,0 +1,29 @@
+import os
+import runs_on
+import pytest
+
+well_known_query_suites = ['java-code-quality.qls', 'java-security-and-quality.qls', 'java-security-extended.qls', 'java-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, java, cwd, expected_files, semmle_code_dir, query_suite):
+    actual = codeql.resolve.queries(query_suite, _capture=True).strip()
+    actual = sorted(actual.splitlines())
+    actual = [os.path.relpath(q, semmle_code_dir) for q in actual]
+    actual_file_name = query_suite + '.actual'
+    expected_files.add(actual_file_name)
+    (cwd / actual_file_name).write_text('\n'.join(actual)+'\n')
+
+@runs_on.posix
+def test_not_included_queries(codeql, java, cwd, expected_files, semmle_code_dir):
+    all_queries = codeql.resolve.queries(semmle_code_dir / 'ql' / 'java' / 'ql' / 'src', _capture=True).strip().splitlines()
+
+    included_in_qls = set()
+    for query_suite in well_known_query_suites:
+        included_in_qls |= set(codeql.resolve.queries(query_suite, _capture=True).strip().splitlines())
+
+    not_included = sorted(set(all_queries) - included_in_qls)
+    not_included = [os.path.relpath(q, semmle_code_dir) for q in not_included]
+    not_included_file_name = 'not_included_in_qls.actual'
+    expected_files.add(not_included_file_name)
+    (cwd / not_included_file_name).write_text('\n'.join(not_included)+'\n')

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,25 @@
+## 7.1.3
+
+### Minor Analysis Improvements
+
+* Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
+* All existing modelling and support for `javax.persistence` now applies to `jakarta.persistence` as well.
+
+## 7.1.2
+
+### Minor Analysis Improvements
+
+* Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.
+* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path.
+
+### Bug Fixes
+
+* In `build-mode: none` where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.
+* Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.
+* Java build-mode `none` no longer fails when a required version of Gradle cannot be downloaded using the `gradle wrapper` command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.
+* Java build-mode `none` no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
+* Java build-mode `none` now correctly uses Maven dependency information on Windows platforms.
+
 ## 7.1.1
 
 No user-facing changes.

java/ql/lib/change-notes/2025-03-03-maven-fixes.md

@@ -1,5 +0,0 @@
----
-category: fix
----
-* Java build-mode `none` no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
-* Java build-mode `none` now correctly uses Maven dependency information on Windows platforms.

java/ql/lib/change-notes/2025-03-10-matches-replace-path-sanitizer.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path.

java/ql/lib/change-notes/2025-03-18-cyclic-types.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.

java/ql/lib/change-notes/2025-03-18-gradle-fixes.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Java build-mode `none` no longer fails when a required version of Gradle cannot be downloaded using the `gradle wrapper` command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.

java/ql/lib/change-notes/2025-03-18-maven-enforcer.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.

java/ql/lib/change-notes/released/7.1.2.md

@@ -0,0 +1,14 @@
+## 7.1.2
+
+### Minor Analysis Improvements
+
+* Java extraction is now able to download Maven 3.9.x if a Maven Enforcer Plugin configuration indicates it is necessary. Maven 3.8.x is still preferred if the enforcer-plugin configuration (if any) permits it.
+* Added a path injection sanitizer for calls to `java.lang.String.matches`, `java.lang.String.replace`, and `java.lang.String.replaceAll` that make sure '/', '\', '..' are not in the path.
+
+### Bug Fixes
+
+* In `build-mode: none` where the project has a Gradle build system, database creation no longer attempts to download some non-existent jar files relating to non-jar Maven artifacts, such as BOMs. This was harmless, but saves some time and reduces spurious warnings.
+* Java extraction no longer freezes for a long time or times out when using libraries that feature expanding cyclic generic types. For example, this was known to occur when using some classes from the Blazebit Persistence library.
+* Java build-mode `none` no longer fails when a required version of Gradle cannot be downloaded using the `gradle wrapper` command, such as due to a firewall. It will now attempt to use the system version of Gradle if present, or otherwise proceed without detailed dependency information.
+* Java build-mode `none` no longer fails when a required version of Maven cannot be downloaded, such as due to a firewall. It will now attempt to use the system version of Maven if present, or otherwise proceed without detailed dependency information.
+* Java build-mode `none` now correctly uses Maven dependency information on Windows platforms.

java/ql/lib/change-notes/released/7.1.3.md

@@ -0,0 +1,6 @@
+## 7.1.3
+
+### Minor Analysis Improvements
+
+* Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
+* All existing modelling and support for `javax.persistence` now applies to `jakarta.persistence` as well.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.1
+lastReleaseVersion: 7.1.3

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 7.1.2-dev
+version: 7.1.4-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/lib/semmle/code/java/Expr.qll

@@ -180,7 +180,7 @@ class CompileTimeConstantExpr extends Expr {
   /**
    * Gets the string value of this expression, where possible.
    */
-  pragma[nomagic]
+  cached
   string getStringValue() {
     result = this.(StringLiteral).getValue()
     or
@@ -205,7 +205,7 @@ class CompileTimeConstantExpr extends Expr {
   /**
    * Gets the boolean value of this expression, where possible.
    */
-  pragma[nomagic]
+  cached
   boolean getBooleanValue() {
     // Literal value.
     result = this.(BooleanLiteral).getBooleanValue()

java/ql/lib/semmle/code/java/controlflow/BasicBlocks.qll

@@ -5,6 +5,19 @@
 import java
 import Dominance
 
+cached
+private module BasicBlockStage {
+  cached
+  predicate ref() { any() }
+
+  cached
+  predicate backref() {
+    (exists(any(BasicBlock bb).getABBSuccessor()) implies any()) and
+    (exists(any(BasicBlock bb).getNode(_)) implies any()) and
+    (exists(any(BasicBlock bb).length()) implies any())
+  }
+}
+
 /**
  * A control-flow node that represents the start of a basic block.
  *
@@ -12,8 +25,11 @@ import Dominance
  * often be treated as a unit in analyses.
  */
 class BasicBlock extends ControlFlowNode {
+  cached
   BasicBlock() {
-    not exists(this.getAPredecessor()) and exists(this.getASuccessor())
+    BasicBlockStage::ref() and
+    not exists(this.getAPredecessor()) and
+    exists(this.getASuccessor())
     or
     strictcount(this.getAPredecessor()) > 1
     or
@@ -24,7 +40,10 @@ class BasicBlock extends ControlFlowNode {
 
   /** Gets an immediate successor of this basic block. */
   cached
-  BasicBlock getABBSuccessor() { result = this.getLastNode().getASuccessor() }
+  BasicBlock getABBSuccessor() {
+    BasicBlockStage::ref() and
+    result = this.getLastNode().getASuccessor()
+  }
 
   /** Gets an immediate predecessor of this basic block. */
   BasicBlock getABBPredecessor() { result.getABBSuccessor() = this }
@@ -35,7 +54,9 @@ class BasicBlock extends ControlFlowNode {
   /** Gets the control-flow node at a specific (zero-indexed) position in this basic block. */
   cached
   ControlFlowNode getNode(int pos) {
-    result = this and pos = 0
+    BasicBlockStage::ref() and
+    result = this and
+    pos = 0
     or
     exists(ControlFlowNode mid, int mid_pos | pos = mid_pos + 1 |
       this.getNode(mid_pos) = mid and
@@ -52,7 +73,10 @@ class BasicBlock extends ControlFlowNode {
 
   /** Gets the number of control-flow nodes contained in this basic block. */
   cached
-  int length() { result = strictcount(this.getANode()) }
+  int length() {
+    BasicBlockStage::ref() and
+    result = strictcount(this.getANode())
+  }
 
   /** Holds if this basic block strictly dominates `node`. */
   predicate bbStrictlyDominates(BasicBlock node) { bbStrictlyDominates(this, node) }

java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll

@@ -14,9 +14,26 @@
 import java
 private import codeql.ssa.Ssa as SsaImplCommon
 
+cached
+private module BaseSsaStage {
+  cached
+  predicate ref() { any() }
+
+  cached
+  predicate backref() {
+    (exists(TLocalVar(_, _)) implies any()) and
+    (exists(any(BaseSsaSourceVariable v).getAnAccess()) implies any()) and
+    (exists(getAUse(_)) implies any())
+  }
+}
+
+cached
 private newtype TBaseSsaSourceVariable =
   TLocalVar(Callable c, LocalScopeVariable v) {
-    c = v.getCallable() or c = v.getAnAccess().getEnclosingCallable()
+    BaseSsaStage::ref() and
+    c = v.getCallable()
+    or
+    c = v.getAnAccess().getEnclosingCallable()
   }
 
 /**
@@ -31,6 +48,7 @@ class BaseSsaSourceVariable extends TBaseSsaSourceVariable {
    */
   cached
   VarAccess getAnAccess() {
+    BaseSsaStage::ref() and
     exists(LocalScopeVariable v, Callable c |
       this = TLocalVar(c, v) and result = v.getAnAccess() and result.getEnclosingCallable() = c
     )
@@ -188,6 +206,7 @@ cached
 private module Cached {
   cached
   VarRead getAUse(Impl::Definition def) {
+    BaseSsaStage::ref() and
     exists(BaseSsaSourceVariable v, BasicBlock bb, int i |
       Impl::ssaDefReachesRead(v, def, bb, i) and
       result.getControlFlowNode() = bb.getNode(i) and

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowNodes.qll

@@ -26,6 +26,14 @@ private predicate deadcode(Expr e) {
 module SsaFlow {
   module Impl = SsaImpl::DataFlowIntegration;
 
+  private predicate ssaDefAssigns(SsaExplicitUpdate def, Expr value) {
+    exists(VariableUpdate upd | upd = def.getDefiningExpr() |
+      value = upd.(VariableAssign).getSource() or
+      value = upd.(AssignOp) or
+      value = upd.(RecordBindingVariableExpr)
+    )
+  }
+
   Impl::Node asNode(Node n) {
     n = TSsaNode(result)
     or
@@ -33,7 +41,12 @@ module SsaFlow {
     or
     result.(Impl::ExprPostUpdateNode).getExpr() = n.(PostUpdateNode).getPreUpdateNode().asExpr()
     or
-    TExplicitParameterNode(result.(Impl::ParameterNode).getParameter()) = n
+    exists(Parameter p |
+      n = TExplicitParameterNode(p) and
+      result.(Impl::WriteDefSourceNode).getDefinition().(SsaImplicitInit).isParameterDefinition(p)
+    )
+    or
+    ssaDefAssigns(result.(Impl::WriteDefSourceNode).getDefinition(), n.asExpr())
   }
 
   predicate localFlowStep(SsaSourceVariable v, Node nodeFrom, Node nodeTo, boolean isUseStep) {

java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll

@@ -647,22 +647,8 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
 
   Expr getARead(Definition def) { result = getAUse(def) }
 
-  class Parameter = J::Parameter;
-
-  predicate ssaDefAssigns(Impl::WriteDefinition def, Expr value) {
-    exists(VariableUpdate upd | upd = def.(SsaExplicitUpdate).getDefiningExpr() |
-      value = upd.(VariableAssign).getSource() or
-      value = upd.(AssignOp) or
-      value = upd.(RecordBindingVariableExpr)
-    )
-  }
-
-  predicate ssaDefInitializesParam(Impl::WriteDefinition def, Parameter p) {
-    def.(SsaImplicitInit).getSourceVariable() =
-      any(SsaSourceVariable v |
-        v.getVariable() = p and
-        v.getEnclosingCallable() = p.getCallable()
-      )
+  predicate ssaDefHasSource(WriteDefinition def) {
+    def instanceof SsaExplicitUpdate or def.(SsaImplicitInit).isParameterDefinition(_)
   }
 
   predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) {
@@ -680,10 +666,17 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
     }
   }
 
+  /** Holds if the guard `guard` directly controls block `bb` upon evaluating to `branch`. */
+  predicate guardDirectlyControlsBlock(Guard guard, BasicBlock bb, boolean branch) {
+    guard.directlyControls(bb, branch)
+  }
+
   /** Holds if the guard `guard` controls block `bb` upon evaluating to `branch`. */
   predicate guardControlsBlock(Guard guard, BasicBlock bb, boolean branch) {
     guard.controls(bb, branch)
   }
+
+  predicate includeWriteDefsInFlowStep() { none() }
 }
 
 private module DataFlowIntegrationImpl = Impl::DataFlowIntegration<DataFlowIntegrationInput>;

java/ql/lib/semmle/code/java/deadcode/DeadField.qll

@@ -161,10 +161,10 @@ class JpaReadField extends ReflectivelyReadField {
       this = entity.getAField() and
       (
         entity.getAccessType() = "field" or
-        this.hasAnnotation("javax.persistence", "Access")
+        this.hasAnnotation(getAPersistencePackageName(), "Access")
       )
     |
-      not this.hasAnnotation("javax.persistence", "Transient") and
+      not this.hasAnnotation(getAPersistencePackageName(), "Transient") and
       not this.isStatic() and
       not this.isFinal()
     )

java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll

@@ -7,6 +7,7 @@ import semmle.code.java.deadcode.StrutsEntryPoints
 import semmle.code.java.deadcode.TestEntryPoints
 import semmle.code.java.deadcode.WebEntryPoints
 import semmle.code.java.frameworks.javaee.JavaServerFaces
+import semmle.code.java.frameworks.javaee.Persistence
 import semmle.code.java.frameworks.JAXB
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.JMX
@@ -395,7 +396,7 @@ class PersistencePropertyMethod extends CallableEntryPoint {
       this = e.getACallable() and
       (
         e.getAccessType() = "property" or
-        this.hasAnnotation("javax.persistence", "Access")
+        this.hasAnnotation(getAPersistencePackageName(), "Access")
       ) and
       (
         this.getName().matches("get%") or

java/ql/lib/semmle/code/java/environment/SystemProperty.qll

@@ -269,18 +269,24 @@ private MethodCall getSystemPropertyFromSpringProperties(string propertyName) {
  * for final variables.
  */
 private predicate localExprFlowPlusInitializers(Expr e1, Expr e2) {
+  e1 = e2 or
   localFlowPlusInitializers(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
 }
 
+private predicate localFlowPlusInitializers(DataFlow::Node pred, DataFlow::Node succ) =
+  fastTC(localFlowStepPlusInitializers/2)(pred, succ)
+
 /**
- * Holds if data can flow from `pred` to `succ` in zero or more
- * local (intra-procedural) steps or via instance or static variable intializers
+ * Holds if data can flow from `pred` to `succ` in a
+ * local (intra-procedural) step or via instance or static variable intializers
  * for final variables.
  */
-private predicate localFlowPlusInitializers(DataFlow::Node pred, DataFlow::Node succ) {
-  exists(Variable v | v.isFinal() and pred.asExpr() = v.getInitializer() |
-    DataFlow::localFlow(DataFlow::exprNode(v.getAnAccess()), succ)
+private predicate localFlowStepPlusInitializers(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(Variable v |
+    v.isFinal() and
+    pred.asExpr() = v.getInitializer() and
+    succ.asExpr() = v.getAnAccess()
   )
   or
-  DataFlow::localFlow(pred, succ)
+  DataFlow::localFlowStep(pred, succ)
 }

java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll

@@ -4,6 +4,11 @@
 
 import java
 
+/**
+ * Gets a JavaEE Persistence API package name.
+ */
+string getAPersistencePackageName() { result = ["javax.persistence", "jakarta.persistence"] }
+
 /**
  * A `RefType` with the `@Entity` annotation that indicates that it can be persisted using a JPA
  * compatible framework.
@@ -27,13 +32,13 @@ class PersistentEntity extends RefType {
     else
       // If the access type is not explicit, then the location of the `Id` annotation determines
       // which access type is used.
-      if this.getAMethod().hasAnnotation("javax.persistence", "Id")
+      if this.getAMethod().hasAnnotation(getAPersistencePackageName(), "Id")
       then result = "property"
       else result = "field"
   }
 
   /**
-   * Gets the access type for this entity as defined by a `@javax.persistence.Access` annotation,
+   * Gets the access type for this entity as defined by a `@{javax,jakarta}.persistence.Access` annotation,
    * if any, in lower case.
    */
   string getAccessTypeFromAnnotation() {
@@ -44,617 +49,673 @@ class PersistentEntity extends RefType {
 }
 
 /*
- * Annotations in the `javax.persistence` package.
+ * Annotations in the `{javax,jakarta}.persistence` package.
  */
 
 /**
- * A `@javax.persistence.Access` annotation.
+ * A `@{javax,jakarta}.persistence.Access` annotation.
  */
 class AccessAnnotation extends Annotation {
-  AccessAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Access") }
+  AccessAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Access") }
 }
 
 /**
- * A `@javax.persistence.AccessType` annotation.
+ * A `@{javax,jakarta}.persistence.AccessType` annotation.
  */
 class AccessTypeAnnotation extends Annotation {
-  AccessTypeAnnotation() { this.getType().hasQualifiedName("javax.persistence", "AccessType") }
+  AccessTypeAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "AccessType")
+  }
 }
 
 /**
- * A `@javax.persistence.AssociationOverride` annotation.
+ * A `@{javax,jakarta}.persistence.AssociationOverride` annotation.
  */
 class AssociationOverrideAnnotation extends Annotation {
   AssociationOverrideAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "AssociationOverride")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "AssociationOverride")
   }
 }
 
 /**
- * A `@javax.persistence.AssociationOverrides` annotation.
+ * A `@{javax,jakarta}.persistence.AssociationOverrides` annotation.
  */
 class AssociationOverridesAnnotation extends Annotation {
   AssociationOverridesAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "AssociationOverrides")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "AssociationOverrides")
   }
 }
 
 /**
- * A `@javax.persistence.AttributeOverride` annotation.
+ * A `@{javax,jakarta}.persistence.AttributeOverride` annotation.
  */
 class AttributeOverrideAnnotation extends Annotation {
   AttributeOverrideAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "AttributeOverride")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "AttributeOverride")
   }
 }
 
 /**
- * A `@javax.persistence.AttributeOverrides` annotation.
+ * A `@{javax,jakarta}.persistence.AttributeOverrides` annotation.
  */
 class AttributeOverridesAnnotation extends Annotation {
   AttributeOverridesAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "AttributeOverrides")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "AttributeOverrides")
   }
 }
 
 /**
- * A `@javax.persistence.Basic` annotation.
+ * A `@{javax,jakarta}.persistence.Basic` annotation.
  */
 class BasicAnnotation extends Annotation {
-  BasicAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Basic") }
+  BasicAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Basic") }
 }
 
 /**
- * A `@javax.persistence.Cacheable` annotation.
+ * A `@{javax,jakarta}.persistence.Cacheable` annotation.
  */
 class CacheableAnnotation extends Annotation {
-  CacheableAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Cacheable") }
+  CacheableAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "Cacheable")
+  }
 }
 
 /**
- * A `@javax.persistence.CollectionTable` annotation.
+ * A `@{javax,jakarta}.persistence.CollectionTable` annotation.
  */
 class CollectionTableAnnotation extends Annotation {
   CollectionTableAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "CollectionTable")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "CollectionTable")
   }
 }
 
 /**
- * A `@javax.persistence.Column` annotation.
+ * A `@{javax,jakarta}.persistence.Column` annotation.
  */
 class ColumnAnnotation extends Annotation {
-  ColumnAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Column") }
+  ColumnAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Column") }
 }
 
 /**
- * A `@javax.persistence.ColumnResult` annotation.
+ * A `@{javax,jakarta}.persistence.ColumnResult` annotation.
  */
 class ColumnResultAnnotation extends Annotation {
-  ColumnResultAnnotation() { this.getType().hasQualifiedName("javax.persistence", "ColumnResult") }
+  ColumnResultAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "ColumnResult")
+  }
 }
 
 /**
- * A `@javax.persistence.DiscriminatorColumn` annotation.
+ * A `@{javax,jakarta}.persistence.DiscriminatorColumn` annotation.
  */
 class DiscriminatorColumnAnnotation extends Annotation {
   DiscriminatorColumnAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "DiscriminatorColumn")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "DiscriminatorColumn")
   }
 }
 
 /**
- * A `@javax.persistence.DiscriminatorValue` annotation.
+ * A `@{javax,jakarta}.persistence.DiscriminatorValue` annotation.
  */
 class DiscriminatorValueAnnotation extends Annotation {
   DiscriminatorValueAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "DiscriminatorValue")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "DiscriminatorValue")
   }
 }
 
 /**
- * A `@javax.persistence.ElementCollection` annotation.
+ * A `@{javax,jakarta}.persistence.ElementCollection` annotation.
  */
 class ElementCollectionAnnotation extends Annotation {
   ElementCollectionAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "ElementCollection")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "ElementCollection")
   }
 }
 
 /**
- * A `@javax.persistence.Embeddable` annotation.
+ * A `@{javax,jakarta}.persistence.Embeddable` annotation.
  */
 class EmbeddableAnnotation extends Annotation {
-  EmbeddableAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Embeddable") }
+  EmbeddableAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "Embeddable")
+  }
 }
 
 /**
- * A `@javax.persistence.Embedded` annotation.
+ * A `@{javax,jakarta}.persistence.Embedded` annotation.
  */
 class EmbeddedAnnotation extends Annotation {
-  EmbeddedAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Embedded") }
+  EmbeddedAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Embedded") }
 }
 
 /**
- * A `@javax.persistence.EmbeddedId` annotation.
+ * A `@{javax,jakarta}.persistence.EmbeddedId` annotation.
  */
 class EmbeddedIdAnnotation extends Annotation {
-  EmbeddedIdAnnotation() { this.getType().hasQualifiedName("javax.persistence", "EmbeddedId") }
+  EmbeddedIdAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "EmbeddedId")
+  }
 }
 
 /**
- * A `@javax.persistence.Entity` annotation.
+ * A `@{javax,jakarta}.persistence.Entity` annotation.
  */
 class EntityAnnotation extends Annotation {
-  EntityAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Entity") }
+  EntityAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Entity") }
 }
 
 /**
- * A `@javax.persistence.EntityListeners` annotation.
+ * A `@{javax,jakarta}.persistence.EntityListeners` annotation.
  */
 class EntityListenersAnnotation extends Annotation {
   EntityListenersAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "EntityListeners")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "EntityListeners")
   }
 }
 
 /**
- * A `@javax.persistence.EntityResult` annotation.
+ * A `@{javax,jakarta}.persistence.EntityResult` annotation.
  */
 class EntityResultAnnotation extends Annotation {
-  EntityResultAnnotation() { this.getType().hasQualifiedName("javax.persistence", "EntityResult") }
+  EntityResultAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "EntityResult")
+  }
 }
 
 /**
- * A `@javax.persistence.Enumerated` annotation.
+ * A `@{javax,jakarta}.persistence.Enumerated` annotation.
  */
 class EnumeratedAnnotation extends Annotation {
-  EnumeratedAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Enumerated") }
+  EnumeratedAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "Enumerated")
+  }
 }
 
 /**
- * A `@javax.persistence.ExcludeDefaultListeners` annotation.
+ * A `@{javax,jakarta}.persistence.ExcludeDefaultListeners` annotation.
  */
 class ExcludeDefaultListenersAnnotation extends Annotation {
   ExcludeDefaultListenersAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "ExcludeDefaultListeners")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "ExcludeDefaultListeners")
   }
 }
 
 /**
- * A `@javax.persistence.ExcludeSuperclassListeners` annotation.
+ * A `@{javax,jakarta}.persistence.ExcludeSuperclassListeners` annotation.
  */
 class ExcludeSuperclassListenersAnnotation extends Annotation {
   ExcludeSuperclassListenersAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "ExcludeSuperclassListeners")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "ExcludeSuperclassListeners")
   }
 }
 
 /**
- * A `@javax.persistence.FieldResult` annotation.
+ * A `@{javax,jakarta}.persistence.FieldResult` annotation.
  */
 class FieldResultAnnotation extends Annotation {
-  FieldResultAnnotation() { this.getType().hasQualifiedName("javax.persistence", "FieldResult") }
+  FieldResultAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "FieldResult")
+  }
 }
 
 /**
- * A `@javax.persistence.GeneratedValue` annotation.
+ * A `@{javax,jakarta}.persistence.GeneratedValue` annotation.
  */
 class GeneratedValueAnnotation extends Annotation {
   GeneratedValueAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "GeneratedValue")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "GeneratedValue")
   }
 }
 
 /**
- * A `@javax.persistence.Id` annotation.
+ * A `@{javax,jakarta}.persistence.Id` annotation.
  */
 class IdAnnotation extends Annotation {
-  IdAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Id") }
+  IdAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Id") }
 }
 
 /**
- * A `@javax.persistence.IdClass` annotation.
+ * A `@{javax,jakarta}.persistence.IdClass` annotation.
  */
 class IdClassAnnotation extends Annotation {
-  IdClassAnnotation() { this.getType().hasQualifiedName("javax.persistence", "IdClass") }
+  IdClassAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "IdClass") }
 }
 
 /**
- * A `@javax.persistence.Inheritance` annotation.
+ * A `@{javax,jakarta}.persistence.Inheritance` annotation.
  */
 class InheritanceAnnotation extends Annotation {
-  InheritanceAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Inheritance") }
+  InheritanceAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "Inheritance")
+  }
 }
 
 /**
- * A `@javax.persistence.JoinColumn` annotation.
+ * A `@{javax,jakarta}.persistence.JoinColumn` annotation.
  */
 class JoinColumnAnnotation extends Annotation {
-  JoinColumnAnnotation() { this.getType().hasQualifiedName("javax.persistence", "JoinColumn") }
+  JoinColumnAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "JoinColumn")
+  }
 }
 
 /**
- * A `@javax.persistence.JoinColumns` annotation.
+ * A `@{javax,jakarta}.persistence.JoinColumns` annotation.
  */
 class JoinColumnsAnnotation extends Annotation {
-  JoinColumnsAnnotation() { this.getType().hasQualifiedName("javax.persistence", "JoinColumns") }
+  JoinColumnsAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "JoinColumns")
+  }
 }
 
 /**
- * A `@javax.persistence.JoinTable` annotation.
+ * A `@{javax,jakarta}.persistence.JoinTable` annotation.
  */
 class JoinTableAnnotation extends Annotation {
-  JoinTableAnnotation() { this.getType().hasQualifiedName("javax.persistence", "JoinTable") }
+  JoinTableAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "JoinTable")
+  }
 }
 
 /**
- * A `@javax.persistence.Lob` annotation.
+ * A `@{javax,jakarta}.persistence.Lob` annotation.
  */
 class LobAnnotation extends Annotation {
-  LobAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Lob") }
+  LobAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Lob") }
 }
 
 /**
- * A `@javax.persistence.ManyToMany` annotation.
+ * A `@{javax,jakarta}.persistence.ManyToMany` annotation.
  */
 class ManyToManyAnnotation extends Annotation {
-  ManyToManyAnnotation() { this.getType().hasQualifiedName("javax.persistence", "ManyToMany") }
+  ManyToManyAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "ManyToMany")
+  }
 }
 
 /**
- * A `@javax.persistence.ManyToOne` annotation.
+ * A `@{javax,jakarta}.persistence.ManyToOne` annotation.
  */
 class ManyToOneAnnotation extends Annotation {
-  ManyToOneAnnotation() { this.getType().hasQualifiedName("javax.persistence", "ManyToOne") }
+  ManyToOneAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "ManyToOne")
+  }
 }
 
 /**
- * A `@javax.persistence.MapKey` annotation.
+ * A `@{javax,jakarta}.persistence.MapKey` annotation.
  */
 class MapKeyAnnotation extends Annotation {
-  MapKeyAnnotation() { this.getType().hasQualifiedName("javax.persistence", "MapKey") }
+  MapKeyAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "MapKey") }
 }
 
 /**
- * A `@javax.persistence.MapKeyClass` annotation.
+ * A `@{javax,jakarta}.persistence.MapKeyClass` annotation.
  */
 class MapKeyClassAnnotation extends Annotation {
-  MapKeyClassAnnotation() { this.getType().hasQualifiedName("javax.persistence", "MapKeyClass") }
+  MapKeyClassAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "MapKeyClass")
+  }
 }
 
 /**
- * A `@javax.persistence.MapKeyColumn` annotation.
+ * A `@{javax,jakarta}.persistence.MapKeyColumn` annotation.
  */
 class MapKeyColumnAnnotation extends Annotation {
-  MapKeyColumnAnnotation() { this.getType().hasQualifiedName("javax.persistence", "MapKeyColumn") }
+  MapKeyColumnAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "MapKeyColumn")
+  }
 }
 
 /**
- * A `@javax.persistence.MapKeyEnumerated` annotation.
+ * A `@{javax,jakarta}.persistence.MapKeyEnumerated` annotation.
  */
 class MapKeyEnumeratedAnnotation extends Annotation {
   MapKeyEnumeratedAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "MapKeyEnumerated")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "MapKeyEnumerated")
   }
 }
 
 /**
- * A `@javax.persistence.MapKeyJoinColumn` annotation.
+ * A `@{javax,jakarta}.persistence.MapKeyJoinColumn` annotation.
  */
 class MapKeyJoinColumnAnnotation extends Annotation {
   MapKeyJoinColumnAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "MapKeyJoinColumn")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "MapKeyJoinColumn")
   }
 }
 
 /**
- * A `@javax.persistence.MapKeyJoinColumns` annotation.
+ * A `@{javax,jakarta}.persistence.MapKeyJoinColumns` annotation.
  */
 class MapKeyJoinColumnsAnnotation extends Annotation {
   MapKeyJoinColumnsAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "MapKeyJoinColumns")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "MapKeyJoinColumns")
   }
 }
 
 /**
- * A `@javax.persistence.MapKeyTemporal` annotation.
+ * A `@{javax,jakarta}.persistence.MapKeyTemporal` annotation.
  */
 class MapKeyTemporalAnnotation extends Annotation {
   MapKeyTemporalAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "MapKeyTemporal")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "MapKeyTemporal")
   }
 }
 
 /**
- * A `@javax.persistence.MappedSuperclass` annotation.
+ * A `@{javax,jakarta}.persistence.MappedSuperclass` annotation.
  */
 class MappedSuperclassAnnotation extends Annotation {
   MappedSuperclassAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "MappedSuperclass")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "MappedSuperclass")
   }
 }
 
 /**
- * A `@javax.persistence.MapsId` annotation.
+ * A `@{javax,jakarta}.persistence.MapsId` annotation.
  */
 class MapsIdAnnotation extends Annotation {
-  MapsIdAnnotation() { this.getType().hasQualifiedName("javax.persistence", "MapsId") }
+  MapsIdAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "MapsId") }
 }
 
 /**
- * A `@javax.persistence.NamedNativeQueries` annotation.
+ * A `@{javax,jakarta}.persistence.NamedNativeQueries` annotation.
  */
 class NamedNativeQueriesAnnotation extends Annotation {
   NamedNativeQueriesAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "NamedNativeQueries")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "NamedNativeQueries")
   }
 }
 
 /**
- * A `@javax.persistence.NamedNativeQuery` annotation.
+ * A `@{javax,jakarta}.persistence.NamedNativeQuery` annotation.
  */
 class NamedNativeQueryAnnotation extends Annotation {
   NamedNativeQueryAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "NamedNativeQuery")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "NamedNativeQuery")
   }
 }
 
 /**
- * A `@javax.persistence.NamedQueries` annotation.
+ * A `@{javax,jakarta}.persistence.NamedQueries` annotation.
  */
 class NamedQueriesAnnotation extends Annotation {
-  NamedQueriesAnnotation() { this.getType().hasQualifiedName("javax.persistence", "NamedQueries") }
+  NamedQueriesAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "NamedQueries")
+  }
 }
 
 /**
- * A `@javax.persistence.NamedQuery` annotation.
+ * A `@{javax,jakarta}.persistence.NamedQuery` annotation.
  */
 class NamedQueryAnnotation extends Annotation {
-  NamedQueryAnnotation() { this.getType().hasQualifiedName("javax.persistence", "NamedQuery") }
+  NamedQueryAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "NamedQuery")
+  }
 }
 
 /**
- * A `@javax.persistence.OneToMany` annotation.
+ * A `@{javax,jakarta}.persistence.OneToMany` annotation.
  */
 class OneToManyAnnotation extends Annotation {
-  OneToManyAnnotation() { this.getType().hasQualifiedName("javax.persistence", "OneToMany") }
+  OneToManyAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "OneToMany")
+  }
 }
 
 /**
- * A `@javax.persistence.OneToOne` annotation.
+ * A `@{javax,jakarta}.persistence.OneToOne` annotation.
  */
 class OneToOneAnnotation extends Annotation {
-  OneToOneAnnotation() { this.getType().hasQualifiedName("javax.persistence", "OneToOne") }
+  OneToOneAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "OneToOne") }
 }
 
 /**
- * A `@javax.persistence.OrderBy` annotation.
+ * A `@{javax,jakarta}.persistence.OrderBy` annotation.
  */
 class OrderByAnnotation extends Annotation {
-  OrderByAnnotation() { this.getType().hasQualifiedName("javax.persistence", "OrderBy") }
+  OrderByAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "OrderBy") }
 }
 
 /**
- * A `@javax.persistence.OrderColumn` annotation.
+ * A `@{javax,jakarta}.persistence.OrderColumn` annotation.
  */
 class OrderColumnAnnotation extends Annotation {
-  OrderColumnAnnotation() { this.getType().hasQualifiedName("javax.persistence", "OrderColumn") }
+  OrderColumnAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "OrderColumn")
+  }
 }
 
 /**
- * A `@javax.persistence.PersistenceContext` annotation.
+ * A `@{javax,jakarta}.persistence.PersistenceContext` annotation.
  */
 class PersistenceContextAnnotation extends Annotation {
   PersistenceContextAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "PersistenceContext")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PersistenceContext")
   }
 }
 
 /**
- * A `@javax.persistence.PersistenceContexts` annotation.
+ * A `@{javax,jakarta}.persistence.PersistenceContexts` annotation.
  */
 class PersistenceContextsAnnotation extends Annotation {
   PersistenceContextsAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "PersistenceContexts")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PersistenceContexts")
   }
 }
 
 /**
- * A `@javax.persistence.PersistenceProperty` annotation.
+ * A `@{javax,jakarta}.persistence.PersistenceProperty` annotation.
  */
 class PersistencePropertyAnnotation extends Annotation {
   PersistencePropertyAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "PersistenceProperty")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PersistenceProperty")
   }
 }
 
 /**
- * A `@javax.persistence.PersistenceUnit` annotation.
+ * A `@{javax,jakarta}.persistence.PersistenceUnit` annotation.
  */
 class PersistenceUnitAnnotation extends Annotation {
   PersistenceUnitAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "PersistenceUnit")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PersistenceUnit")
   }
 }
 
 /**
- * A `@javax.persistence.PersistenceUnits` annotation.
+ * A `@{javax,jakarta}.persistence.PersistenceUnits` annotation.
  */
 class PersistenceUnitsAnnotation extends Annotation {
   PersistenceUnitsAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "PersistenceUnits")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PersistenceUnits")
   }
 }
 
 /**
- * A `@javax.persistence.PostLoad` annotation.
+ * A `@{javax,jakarta}.persistence.PostLoad` annotation.
  */
 class PostLoadAnnotation extends Annotation {
-  PostLoadAnnotation() { this.getType().hasQualifiedName("javax.persistence", "PostLoad") }
+  PostLoadAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "PostLoad") }
 }
 
 /**
- * A `@javax.persistence.PostPersist` annotation.
+ * A `@{javax,jakarta}.persistence.PostPersist` annotation.
  */
 class PostPersistAnnotation extends Annotation {
-  PostPersistAnnotation() { this.getType().hasQualifiedName("javax.persistence", "PostPersist") }
+  PostPersistAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PostPersist")
+  }
 }
 
 /**
- * A `@javax.persistence.PostRemove` annotation.
+ * A `@{javax,jakarta}.persistence.PostRemove` annotation.
  */
 class PostRemoveAnnotation extends Annotation {
-  PostRemoveAnnotation() { this.getType().hasQualifiedName("javax.persistence", "PostRemove") }
+  PostRemoveAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PostRemove")
+  }
 }
 
 /**
- * A `@javax.persistence.PostUpdate` annotation.
+ * A `@{javax,jakarta}.persistence.PostUpdate` annotation.
  */
 class PostUpdateAnnotation extends Annotation {
-  PostUpdateAnnotation() { this.getType().hasQualifiedName("javax.persistence", "PostUpdate") }
+  PostUpdateAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PostUpdate")
+  }
 }
 
 /**
- * A `@javax.persistence.PrePersist` annotation.
+ * A `@{javax,jakarta}.persistence.PrePersist` annotation.
  */
 class PrePersistAnnotation extends Annotation {
-  PrePersistAnnotation() { this.getType().hasQualifiedName("javax.persistence", "PrePersist") }
+  PrePersistAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PrePersist")
+  }
 }
 
 /**
- * A `@javax.persistence.PreRemove` annotation.
+ * A `@{javax,jakarta}.persistence.PreRemove` annotation.
  */
 class PreRemoveAnnotation extends Annotation {
-  PreRemoveAnnotation() { this.getType().hasQualifiedName("javax.persistence", "PreRemove") }
+  PreRemoveAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PreRemove")
+  }
 }
 
 /**
- * A `@javax.persistence.PreUpdate` annotation.
+ * A `@{javax,jakarta}.persistence.PreUpdate` annotation.
  */
 class PreUpdateAnnotation extends Annotation {
-  PreUpdateAnnotation() { this.getType().hasQualifiedName("javax.persistence", "PreUpdate") }
+  PreUpdateAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PreUpdate")
+  }
 }
 
 /**
- * A `@javax.persistence.PrimaryKeyJoinColumn` annotation.
+ * A `@{javax,jakarta}.persistence.PrimaryKeyJoinColumn` annotation.
  */
 class PrimaryKeyJoinColumnAnnotation extends Annotation {
   PrimaryKeyJoinColumnAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "PrimaryKeyJoinColumn")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PrimaryKeyJoinColumn")
   }
 }
 
 /**
- * A `@javax.persistence.PrimaryKeyJoinColumns` annotation.
+ * A `@{javax,jakarta}.persistence.PrimaryKeyJoinColumns` annotation.
  */
 class PrimaryKeyJoinColumnsAnnotation extends Annotation {
   PrimaryKeyJoinColumnsAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "PrimaryKeyJoinColumns")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "PrimaryKeyJoinColumns")
   }
 }
 
 /**
- * A `@javax.persistence.QueryHint` annotation.
+ * A `@{javax,jakarta}.persistence.QueryHint` annotation.
  */
 class QueryHintAnnotation extends Annotation {
-  QueryHintAnnotation() { this.getType().hasQualifiedName("javax.persistence", "QueryHint") }
+  QueryHintAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "QueryHint")
+  }
 }
 
 /**
- * A `@javax.persistence.SecondaryTable` annotation.
+ * A `@{javax,jakarta}.persistence.SecondaryTable` annotation.
  */
 class SecondaryTableAnnotation extends Annotation {
   SecondaryTableAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "SecondaryTable")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "SecondaryTable")
   }
 }
 
 /**
- * A `@javax.persistence.SecondaryTables` annotation.
+ * A `@{javax,jakarta}.persistence.SecondaryTables` annotation.
  */
 class SecondaryTablesAnnotation extends Annotation {
   SecondaryTablesAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "SecondaryTables")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "SecondaryTables")
   }
 }
 
 /**
- * A `@javax.persistence.SequenceGenerator` annotation.
+ * A `@{javax,jakarta}.persistence.SequenceGenerator` annotation.
  */
 class SequenceGeneratorAnnotation extends Annotation {
   SequenceGeneratorAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "SequenceGenerator")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "SequenceGenerator")
   }
 }
 
 /**
- * A `@javax.persistence.SqlResultSetMapping` annotation.
+ * A `@{javax,jakarta}.persistence.SqlResultSetMapping` annotation.
  */
 class SqlResultSetMappingAnnotation extends Annotation {
   SqlResultSetMappingAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "SqlResultSetMapping")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "SqlResultSetMapping")
   }
 }
 
 /**
- * A `@javax.persistence.SqlResultSetMappings` annotation.
+ * A `@{javax,jakarta}.persistence.SqlResultSetMappings` annotation.
  */
 class SqlResultSetMappingsAnnotation extends Annotation {
   SqlResultSetMappingsAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "SqlResultSetMappings")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "SqlResultSetMappings")
   }
 }
 
 /**
- * A `@javax.persistence.Table` annotation.
+ * A `@{javax,jakarta}.persistence.Table` annotation.
  */
 class TableAnnotation extends Annotation {
-  TableAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Table") }
+  TableAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Table") }
 }
 
 /**
- * A `@javax.persistence.TableGenerator` annotation.
+ * A `@{javax,jakarta}.persistence.TableGenerator` annotation.
  */
 class TableGeneratorAnnotation extends Annotation {
   TableGeneratorAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "TableGenerator")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "TableGenerator")
   }
 }
 
 /**
- * A `@javax.persistence.Temporal` annotation.
+ * A `@{javax,jakarta}.persistence.Temporal` annotation.
  */
 class TemporalAnnotation extends Annotation {
-  TemporalAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Temporal") }
+  TemporalAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Temporal") }
 }
 
 /**
- * A `@javax.persistence.Transient` annotation.
+ * A `@{javax,jakarta}.persistence.Transient` annotation.
  */
 class TransientAnnotation extends Annotation {
-  TransientAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Transient") }
+  TransientAnnotation() {
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "Transient")
+  }
 }
 
 /**
- * A `@javax.persistence.UniqueConstraint` annotation.
+ * A `@{javax,jakarta}.persistence.UniqueConstraint` annotation.
  */
 class UniqueConstraintAnnotation extends Annotation {
   UniqueConstraintAnnotation() {
-    this.getType().hasQualifiedName("javax.persistence", "UniqueConstraint")
+    this.getType().hasQualifiedName(getAPersistencePackageName(), "UniqueConstraint")
   }
 }
 
 /**
- * A `@javax.persistence.Version` annotation.
+ * A `@{javax,jakarta}.persistence.Version` annotation.
  */
 class VersionAnnotation extends Annotation {
-  VersionAnnotation() { this.getType().hasQualifiedName("javax.persistence", "Version") }
+  VersionAnnotation() { this.getType().hasQualifiedName(getAPersistencePackageName(), "Version") }
 }
 
-/** The interface `javax.persistence.EntityManager`. */
+/** The interface `{javax,jakarta}.persistence.EntityManager`. */
 class TypeEntityManager extends Interface {
-  TypeEntityManager() { this.hasQualifiedName("javax.persistence", "EntityManager") }
+  TypeEntityManager() { this.hasQualifiedName(getAPersistencePackageName(), "EntityManager") }
 
   /** Gets a method named `createQuery` declared in the `EntityManager` interface. */
   Method getACreateQueryMethod() {
@@ -675,9 +736,9 @@ class TypeEntityManager extends Interface {
   }
 }
 
-/** The interface `javax.persistence.Query`, which represents queries in the Java Persistence Query Language. */
+/** The interface `{javax,jakarta}.persistence.Query`, which represents queries in the Java Persistence Query Language. */
 class TypeQuery extends Interface {
-  TypeQuery() { this.hasQualifiedName("javax.persistence", "Query") }
+  TypeQuery() { this.hasQualifiedName(getAPersistencePackageName(), "Query") }
 
   /** Gets a method named `setParameter` declared in the `Query` interface. */
   Method getASetParameterMethod() {

java/ql/lib/semmle/code/java/security/Sanitizers.qll

@@ -23,6 +23,7 @@ class SimpleTypeSanitizer extends DataFlow::Node {
     this.getType()
         .(RefType)
         .getASourceSupertype*()
-        .hasQualifiedName("java.time.temporal", "TemporalAccessor")
+        .hasQualifiedName("java.time.temporal", "TemporalAccessor") or
+    this.getType() instanceof EnumType
   }
 }

java/ql/src/CHANGELOG.md

@@ -1,3 +1,23 @@
+## 1.4.1
+
+No user-facing changes.
+
+## 1.4.0
+
+### New Queries
+
+* Added a new quality query, `java/empty-method`, to detect empty methods.
+* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).
+
+### Major Analysis Improvements
+
+* Updated the `java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.
+
+### Minor Analysis Improvements
+
+* Fixed a false positive in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.
+* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.
+
 ## 1.3.1
 
 No user-facing changes.

java/ql/src/Performance/StringReplaceAllWithNonRegex.md

@@ -0,0 +1,29 @@
+# Use of `String#replaceAll` with a first argument which is not a regular expression
+
+Using `String#replaceAll` is less performant than `String#replace` when the first argument is not a regular expression.
+
+## Overview
+
+The `String#replaceAll` method is designed to work with regular expressions as its first parameter. When you use a simple string without any regex patterns (like special characters or syntax), it's more efficient to use `String#replace` instead. This is because `replaceAll` has to compile the input as a regular expression first, which adds unnecessary overhead when you are just replacing literal text.
+
+## Recommendation
+
+Use `String#replace` instead where a `replaceAll` call uses a trivial string as its first argument.
+
+## Example
+
+```java
+public class Test {
+    void f() {
+        String s1 = "test";
+        s1 = s1.replaceAll("t", "x"); // NON_COMPLIANT
+        s1 = s1.replaceAll(".*", "x"); // COMPLIANT
+    }
+}
+
+```
+
+## References
+
+- Java SE Documentation: [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)).
+- Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).

java/ql/src/Performance/StringReplaceAllWithNonRegex.ql

@@ -0,0 +1,24 @@
+/**
+ * @id java/string-replace-all-with-non-regex
+ * @name Use of `String#replaceAll` with a first argument which is not a regular expression
+ * @description Using `String#replaceAll` with a first argument which is not a regular expression
+ *              is less efficient than using `String#replace`.
+ * @kind problem
+ * @precision very-high
+ * @problem.severity recommendation
+ * @tags quality
+ *       reliability
+ *       performance
+ *       external/cwe/cwe-1176
+ */
+
+import java
+
+from StringReplaceAllCall replaceAllCall, StringLiteral firstArg
+where
+  firstArg = replaceAllCall.getArgument(0) and
+  //only contains characters that could be a simple string
+  firstArg.getValue().regexpMatch("^[a-zA-Z0-9]+$")
+select replaceAllCall,
+  "This call to 'replaceAll' should be a call to 'replace' as its $@ is not a regular expression.",
+  firstArg, "first argument"

java/ql/src/Telemetry/SupportedExternalApis.ql

@@ -2,7 +2,7 @@
  * @name Usage of supported APIs coming from external libraries
  * @description A list of supported 3rd party APIs used in the codebase. Excludes test and generated code.
  * @kind metric
- * @tags summary telemetry
+ * @tags summary telemetry exclude-from-incremental
  * @id java/telemetry/supported-external-api
  */
 

java/ql/src/Telemetry/SupportedExternalSinks.ql

@@ -2,7 +2,7 @@
  * @name Supported sinks in external libraries
  * @description A list of 3rd party APIs detected as sinks. Excludes test and generated code.
  * @kind metric
- * @tags summary telemetry
+ * @tags summary telemetry exclude-from-incremental
  * @id java/telemetry/supported-external-api-sinks
  */
 

java/ql/src/Telemetry/UnsupportedExternalAPIs.ql

@@ -2,7 +2,7 @@
  * @name Usage of unsupported APIs coming from external libraries
  * @description A list of 3rd party APIs used in the codebase. Excludes test and generated code.
  * @kind metric
- * @tags summary telemetry
+ * @tags summary telemetry exclude-from-incremental
  * @id java/telemetry/unsupported-external-api
  */
 

java/ql/src/change-notes/2025-02-24-spring-boot-actuators-promo.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).

java/ql/src/change-notes/2025-03-02-unreleased-lock-fp.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Updated the `java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.

java/ql/src/change-notes/2025-03-03-fix-improper-intent-verification-query.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.

java/ql/src/change-notes/2025-03-10-empty-method.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new quality query, `java/empty-method`, to detect empty methods.

java/ql/src/change-notes/2025-03-13-fix-toctou-false-positive.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed a false positive in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.

java/ql/src/change-notes/released/1.4.0.md

@@ -0,0 +1,15 @@
+## 1.4.0
+
+### New Queries
+
+* Added a new quality query, `java/empty-method`, to detect empty methods.
+* The query `java/spring-boot-exposed-actuators` has been promoted from experimental to the main query pack. Its results will now appear by default, and the query itself will be removed from the [CodeQL Community Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs). This query was originally submitted as an experimental query [by @ggolawski](https://github.com/github/codeql/pull/2901).
+
+### Major Analysis Improvements
+
+* Updated the `java/unreleased-lock` query so that it no longer report alerts in cases where a boolean variable is used to track lock state.
+
+### Minor Analysis Improvements
+
+* Fixed a false positive in "Time-of-check time-of-use race condition" (`java/toctou-race-condition`) where a field of a non-static class was not considered always-locked if it was accessed in a constructor.
+* Overrides of `BroadcastReceiver::onReceive` with no statements in their body are no longer considered unverified by the `java/improper-intent-verification` query. This will reduce false positives from `onReceive` methods which do not perform any actions.

java/ql/src/change-notes/released/1.4.1.md

@@ -0,0 +1,3 @@
+## 1.4.1
+
+No user-facing changes.

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.1
+lastReleaseVersion: 1.4.1

java/ql/src/codeql-suites/java-code-quality.qls

@@ -1,15 +1,16 @@
 - queries: .
 - include:
     id:
-      - java/suspicious-date-format
-      - java/integer-multiplication-cast-to-long
-      - java/equals-on-unrelated-types
       - java/contradictory-type-checks
-      - java/reference-equality-of-boxed-types
-      - java/inconsistent-equals-and-hashcode
-      - java/unchecked-cast-in-equals
-      - java/unused-container
-      - java/input-resource-leak
-      - java/output-resource-leak
-      - java/type-variable-hides-type
       - java/do-not-call-finalize
+      - java/equals-on-unrelated-types
+      - java/inconsistent-equals-and-hashcode
+      - java/input-resource-leak
+      - java/integer-multiplication-cast-to-long
+      - java/output-resource-leak
+      - java/reference-equality-of-boxed-types
+      - java/string-replace-all-with-non-regex
+      - java/suspicious-date-format
+      - java/type-variable-hides-type
+      - java/unchecked-cast-in-equals
+      - java/unused-container

java/ql/src/codeql-suites/java-security-and-quality.qls

@@ -1,4 +1,164 @@
 - description: Security-and-quality queries for Java
 - queries: .
-- apply: security-and-quality-selectors.yml
-  from: codeql/suite-helpers
+- include:
+    kind:
+    - problem
+    - path-problem
+    precision:
+    - high
+    - very-high
+    tags contain:
+    - security
+- include:
+    kind:
+    - problem
+    - path-problem
+    precision: medium
+    problem.severity:
+    - error
+    - warning
+    tags contain:
+    - security
+- include:
+    id:
+      - java/abs-of-random
+      - java/abstract-to-concrete-cast
+      - java/call-to-object-tostring
+      - java/call-to-thread-run
+      - java/chained-type-tests
+      - java/class-name-matches-super-class
+      - java/comparison-of-identical-expressions
+      - java/comparison-with-nan
+      - java/confusing-method-name
+      - java/confusing-method-signature
+      - java/constant-comparison
+      - java/constant-loop-condition
+      - java/constants-only-interface
+      - java/continue-in-false-loop
+      - java/contradictory-type-checks
+      - java/database-resource-leak
+      - java/deprecated-call
+      - java/dereferenced-expr-may-be-null
+      - java/dereferenced-value-is-always-null
+      - java/dereferenced-value-may-be-null
+      - java/empty-container
+      - java/empty-zip-file-entry
+      - java/equals-on-arrays
+      - java/equals-on-unrelated-types
+      - java/equals-typo
+      - java/evaluation-to-constant
+      - java/field-masks-super-field
+      - java/hashcode-typo
+      - java/hashing-without-hashcode
+      - java/ignored-error-status-of-call
+      - java/implicit-cast-in-compound-assignment
+      - java/inconsistent-compareto-and-equals
+      - java/inconsistent-equals-and-hashcode
+      - java/inconsistent-javadoc-throws
+      - java/inconsistent-sync-writeobject
+      - java/incorrect-serial-version-uid
+      - java/index-out-of-bounds
+      - java/ineffective-annotation-present-check
+      - java/inefficient-boxed-constructor
+      - java/inefficient-empty-string-test
+      - java/inefficient-key-set-iterator
+      - java/inefficient-output-stream
+      - java/inefficient-string-constructor
+      - java/input-resource-leak
+      - java/integer-multiplication-cast-to-long
+      - java/internal-representation-exposure
+      - java/iterable-wraps-iterator
+      - java/iterator-hasnext-calls-next
+      - java/iterator-implements-iterable
+      - java/iterator-remove-failure
+      - java/jdk-internal-api-access
+      - java/local-shadows-field
+      - java/local-variable-is-never-read
+      - java/lshift-larger-than-type-width
+      - java/misleading-indentation
+      - java/missing-call-to-super-clone
+      - java/missing-case-in-switch
+      - java/missing-clone-method
+      - java/missing-format-argument
+      - java/missing-no-arg-constructor-on-externalizable
+      - java/missing-no-arg-constructor-on-serializable
+      - java/missing-override-annotation
+      - java/missing-space-in-concatenation
+      - java/missing-super-finalize
+      - java/multiplication-of-remainder
+      - java/non-final-call-in-constructor
+      - java/non-null-boxed-variable
+      - java/non-overriding-package-private
+      - java/non-serializable-inner-class
+      - java/non-short-circuit-evaluation
+      - java/non-static-nested-class
+      - java/non-sync-override
+      - java/notify-instead-of-notify-all
+      - java/output-resource-leak
+      - java/print-array
+      - java/random-used-once
+      - java/redundant-assignment
+      - java/reference-equality-of-boxed-types
+      - java/reference-equality-on-strings
+      - java/run-finalizers-on-exit
+      - java/sleep-with-lock-held
+      - java/spin-on-field
+      - java/string-buffer-char-init
+      - java/subtle-inherited-call
+      - java/suspicious-date-format
+      - java/sync-on-boxed-types
+      - java/test-for-negative-container-size
+      - java/thread-start-in-constructor
+      - java/thread-unsafe-dateformat
+      - java/tostring-typo
+      - java/type-bound-extends-final
+      - java/type-mismatch-access
+      - java/type-mismatch-modification
+      - java/type-variable-hides-type
+      - java/uncaught-number-format-exception
+      - java/unchecked-cast-in-equals
+      - java/underscore-identifier
+      - java/unimplementable-interface
+      - java/unknown-javadoc-parameter
+      - java/unreachable-catch-clause
+      - java/unreleased-lock
+      - java/unsafe-double-checked-locking
+      - java/unsafe-double-checked-locking-init-order
+      - java/unsafe-get-resource
+      - java/unsafe-sync-on-field
+      - java/unsynchronized-getter
+      - java/unused-container
+      - java/unused-format-argument
+      - java/unused-label
+      - java/unused-parameter
+      - java/unused-reference-type
+      - java/useless-null-check
+      - java/useless-tostring-call
+      - java/useless-type-test
+      - java/wait-on-condition-interface
+      - java/whitespace-contradicts-precedence
+      - java/wrong-compareto-signature
+      - java/wrong-equals-signature
+      - java/wrong-junit-suite-signature
+      - java/wrong-object-serialization-signature
+      - java/wrong-readresolve-signature
+      - java/wrong-swing-event-adapter-signature
+- include:
+    kind:
+    - diagnostic
+- include:
+    kind:
+    - metric
+    tags contain:
+    - summary
+- exclude:
+    deprecated: //
+- exclude:
+    query path:
+      - /^experimental\/.*/
+      - Metrics/Summaries/FrameworkCoverage.ql
+      - /Diagnostics/Internal/.*/
+- exclude:
+    tags contain:
+      - modeleditor
+      - modelgenerator

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.3.2-dev
+version: 1.4.2-dev
 groups:
   - java
   - queries

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -32,10 +32,16 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, JavaDataF
 
   class Callable = J::Callable;
 
-  class NodeExtended extends DataFlow::Node {
-    Callable getAsExprEnclosingCallable() { result = this.asExpr().getEnclosingCallable() }
+  class NodeExtended = DataFlow::Node;
+
+  Callable getAsExprEnclosingCallable(NodeExtended node) {
+    result = node.asExpr().getEnclosingCallable()
   }
 
+  Callable getEnclosingCallable(NodeExtended node) { result = node.getEnclosingCallable() }
+
+  Parameter asParameter(NodeExtended node) { result = node.asParameter() }
+
   private predicate isInfrequentlyUsed(J::CompilationUnit cu) {
     cu.getPackage().getName().matches("javax.swing%") or
     cu.getPackage().getName().matches("java.awt%")

java/ql/test/library-tests/dataflow/capture/test.expected

@@ -1,10 +1,7 @@
-| A.java:14:14:14:16 | "A" : String | A.java:14:7:14:20 | SSA def(a) : new A(...) { ... } [p] |
 | A.java:14:14:14:16 | "A" : String | A.java:14:11:14:20 | f2(...) : new A(...) { ... } [p] |
 | A.java:14:14:14:16 | "A" : String | A.java:15:16:15:16 | a : new A(...) { ... } [p] |
 | A.java:14:14:14:16 | "A" : String | A.java:15:16:15:22 | get(...) : String |
 | A.java:14:14:14:16 | "A" : String | A.java:18:8:18:15 | p : String |
-| A.java:14:14:14:16 | "A" : String | A.java:18:25:40:3 | SSA def(p) : String |
-| A.java:14:14:14:16 | "A" : String | A.java:28:7:38:5 | SSA def(a) : new A(...) { ... } [p] |
 | A.java:14:14:14:16 | "A" : String | A.java:28:11:38:5 | new (...) : new A(...) { ... } [p] |
 | A.java:14:14:14:16 | "A" : String | A.java:28:11:38:5 | p : String |
 | A.java:14:14:14:16 | "A" : String | A.java:30:14:30:16 | parameter this : new A(...) { ... } [p] |
@@ -16,16 +13,11 @@
 | A.java:14:14:14:16 | "A" : String | A.java:35:26:35:27 | this : new A(...) { ... } [p] |
 | A.java:14:14:14:16 | "A" : String | A.java:39:12:39:12 | a : new A(...) { ... } [p] |
 | A.java:14:14:14:16 | "A" : String | A.java:39:12:39:12 | p : String |
-| A.java:21:11:21:13 | "B" : String | A.java:14:7:14:20 | SSA def(a) : new A(...) { ... } [String s] |
 | A.java:21:11:21:13 | "B" : String | A.java:14:11:14:20 | f2(...) : new A(...) { ... } [String s] |
 | A.java:21:11:21:13 | "B" : String | A.java:15:16:15:16 | a : new A(...) { ... } [String s] |
 | A.java:21:11:21:13 | "B" : String | A.java:15:16:15:22 | get(...) : String |
 | A.java:21:11:21:13 | "B" : String | A.java:21:7:21:13 | ...=... : String |
-| A.java:21:11:21:13 | "B" : String | A.java:21:7:21:13 | SSA def(s) : String |
-| A.java:21:11:21:13 | "B" : String | A.java:21:7:21:13 | [input] SSA phi(s) : String |
 | A.java:21:11:21:13 | "B" : String | A.java:25:5:25:26 | SSA phi(s) : String |
-| A.java:21:11:21:13 | "B" : String | A.java:25:5:25:26 | phi(String s) : String |
-| A.java:21:11:21:13 | "B" : String | A.java:28:7:38:5 | SSA def(a) : new A(...) { ... } [String s] |
 | A.java:21:11:21:13 | "B" : String | A.java:28:11:38:5 | String s : String |
 | A.java:21:11:21:13 | "B" : String | A.java:28:11:38:5 | new (...) : new A(...) { ... } [String s] |
 | A.java:21:11:21:13 | "B" : String | A.java:30:14:30:16 | parameter this : new A(...) { ... } [String s] |
@@ -37,16 +29,11 @@
 | A.java:21:11:21:13 | "B" : String | A.java:35:26:35:27 | this : new A(...) { ... } [String s] |
 | A.java:21:11:21:13 | "B" : String | A.java:39:12:39:12 | String s : String |
 | A.java:21:11:21:13 | "B" : String | A.java:39:12:39:12 | a : new A(...) { ... } [String s] |
-| A.java:23:11:23:13 | "C" : String | A.java:14:7:14:20 | SSA def(a) : new A(...) { ... } [String s] |
 | A.java:23:11:23:13 | "C" : String | A.java:14:11:14:20 | f2(...) : new A(...) { ... } [String s] |
 | A.java:23:11:23:13 | "C" : String | A.java:15:16:15:16 | a : new A(...) { ... } [String s] |
 | A.java:23:11:23:13 | "C" : String | A.java:15:16:15:22 | get(...) : String |
 | A.java:23:11:23:13 | "C" : String | A.java:23:7:23:13 | ...=... : String |
-| A.java:23:11:23:13 | "C" : String | A.java:23:7:23:13 | SSA def(s) : String |
-| A.java:23:11:23:13 | "C" : String | A.java:23:7:23:13 | [input] SSA phi(s) : String |
 | A.java:23:11:23:13 | "C" : String | A.java:25:5:25:26 | SSA phi(s) : String |
-| A.java:23:11:23:13 | "C" : String | A.java:25:5:25:26 | phi(String s) : String |
-| A.java:23:11:23:13 | "C" : String | A.java:28:7:38:5 | SSA def(a) : new A(...) { ... } [String s] |
 | A.java:23:11:23:13 | "C" : String | A.java:28:11:38:5 | String s : String |
 | A.java:23:11:23:13 | "C" : String | A.java:28:11:38:5 | new (...) : new A(...) { ... } [String s] |
 | A.java:23:11:23:13 | "C" : String | A.java:30:14:30:16 | parameter this : new A(...) { ... } [String s] |
@@ -60,20 +47,16 @@
 | A.java:23:11:23:13 | "C" : String | A.java:39:12:39:12 | a : new A(...) { ... } [String s] |
 | A.java:25:22:25:24 | "D" : String | A.java:4:5:4:7 | parameter this [Return] : Box [elem] |
 | A.java:25:22:25:24 | "D" : String | A.java:4:9:4:16 | e : String |
-| A.java:25:22:25:24 | "D" : String | A.java:4:19:4:31 | SSA def(e) : String |
 | A.java:25:22:25:24 | "D" : String | A.java:4:21:4:24 | this <.field> [post update] : Box [elem] |
 | A.java:25:22:25:24 | "D" : String | A.java:4:21:4:28 | ...=... : String |
 | A.java:25:22:25:24 | "D" : String | A.java:4:28:4:28 | e : String |
 | A.java:25:22:25:24 | "D" : String | A.java:6:12:6:18 | parameter this : Box [elem] |
 | A.java:25:22:25:24 | "D" : String | A.java:6:31:6:34 | elem : String |
 | A.java:25:22:25:24 | "D" : String | A.java:6:31:6:34 | this <.field> : Box [elem] |
-| A.java:25:22:25:24 | "D" : String | A.java:14:7:14:20 | SSA def(a) : new A(...) { ... } [Box b1, ... (2)] |
 | A.java:25:22:25:24 | "D" : String | A.java:14:11:14:20 | f2(...) : new A(...) { ... } [Box b1, ... (2)] |
 | A.java:25:22:25:24 | "D" : String | A.java:15:16:15:16 | a : new A(...) { ... } [Box b1, ... (2)] |
 | A.java:25:22:25:24 | "D" : String | A.java:15:16:15:22 | get(...) : String |
-| A.java:25:22:25:24 | "D" : String | A.java:25:9:25:25 | SSA def(b1) : Box [elem] |
 | A.java:25:22:25:24 | "D" : String | A.java:25:14:25:25 | new Box(...) : Box [elem] |
-| A.java:25:22:25:24 | "D" : String | A.java:28:7:38:5 | SSA def(a) : new A(...) { ... } [Box b1, ... (2)] |
 | A.java:25:22:25:24 | "D" : String | A.java:28:11:38:5 | Box b1 : Box [elem] |
 | A.java:25:22:25:24 | "D" : String | A.java:28:11:38:5 | new (...) : new A(...) { ... } [Box b1, ... (2)] |
 | A.java:25:22:25:24 | "D" : String | A.java:30:14:30:16 | parameter this : new A(...) { ... } [Box b1, ... (2)] |
@@ -88,19 +71,16 @@
 | A.java:25:22:25:24 | "D" : String | A.java:39:12:39:12 | a : new A(...) { ... } [Box b1, ... (2)] |
 | A.java:27:16:27:18 | "E" : String | A.java:5:10:5:16 | parameter this [Return] : Box [elem] |
 | A.java:27:16:27:18 | "E" : String | A.java:5:18:5:25 | e : String |
-| A.java:27:16:27:18 | "E" : String | A.java:5:28:5:40 | SSA def(e) : String |
 | A.java:27:16:27:18 | "E" : String | A.java:5:30:5:33 | this <.field> [post update] : Box [elem] |
 | A.java:27:16:27:18 | "E" : String | A.java:5:30:5:37 | ...=... : String |
 | A.java:27:16:27:18 | "E" : String | A.java:5:37:5:37 | e : String |
 | A.java:27:16:27:18 | "E" : String | A.java:6:12:6:18 | parameter this : Box [elem] |
 | A.java:27:16:27:18 | "E" : String | A.java:6:31:6:34 | elem : String |
 | A.java:27:16:27:18 | "E" : String | A.java:6:31:6:34 | this <.field> : Box [elem] |
-| A.java:27:16:27:18 | "E" : String | A.java:14:7:14:20 | SSA def(a) : new A(...) { ... } [Box b2, ... (2)] |
 | A.java:27:16:27:18 | "E" : String | A.java:14:11:14:20 | f2(...) : new A(...) { ... } [Box b2, ... (2)] |
 | A.java:27:16:27:18 | "E" : String | A.java:15:16:15:16 | a : new A(...) { ... } [Box b2, ... (2)] |
 | A.java:27:16:27:18 | "E" : String | A.java:15:16:15:22 | get(...) : String |
 | A.java:27:16:27:18 | "E" : String | A.java:27:5:27:6 | b2 [post update] : Box [elem] |
-| A.java:27:16:27:18 | "E" : String | A.java:28:7:38:5 | SSA def(a) : new A(...) { ... } [Box b2, ... (2)] |
 | A.java:27:16:27:18 | "E" : String | A.java:28:11:38:5 | Box b2 : Box [elem] |
 | A.java:27:16:27:18 | "E" : String | A.java:28:11:38:5 | new (...) : new A(...) { ... } [Box b2, ... (2)] |
 | A.java:27:16:27:18 | "E" : String | A.java:30:14:30:16 | parameter this : new A(...) { ... } [Box b2, ... (2)] |

java/ql/test/library-tests/dataflow/null/testnullflow.expected

@@ -1,6 +1,4 @@
 | A.java:5:18:5:21 | null | A.java:2:13:2:20 | o |
-| A.java:5:18:5:21 | null | A.java:5:12:5:21 | SSA def(src) |
 | A.java:5:18:5:21 | null | A.java:5:18:5:21 | null |
-| A.java:5:18:5:21 | null | A.java:6:12:6:18 | SSA def(x) |
 | A.java:5:18:5:21 | null | A.java:6:16:6:18 | src |
 | A.java:5:18:5:21 | null | A.java:7:10:7:10 | x |

java/ql/test/library-tests/dataflow/partial/test.expected

@@ -3,14 +3,12 @@ edges
 | A.java:12:14:12:18 | src(...) : Object | A.java:12:5:12:5 | b [post update] : Box [elem] |
 | A.java:12:14:12:18 | src(...) : Object | A.java:12:5:12:18 | ...=... : Object |
 | A.java:13:12:13:12 | b : Box [elem] | A.java:17:13:17:16 | f1(...) : Box [elem] |
-| A.java:17:9:17:16 | SSA def(b) : Box [elem] | A.java:18:8:18:8 | b : Box [elem] |
-| A.java:17:13:17:16 | f1(...) : Box [elem] | A.java:17:9:17:16 | SSA def(b) : Box [elem] |
+| A.java:17:13:17:16 | f1(...) : Box [elem] | A.java:18:8:18:8 | b : Box [elem] |
 | A.java:18:8:18:8 | b : Box [elem] | A.java:21:11:21:15 | b : Box [elem] |
 #select
 | 0 | A.java:12:5:12:5 | b [post update] : Box [elem] |
 | 0 | A.java:12:5:12:18 | ...=... : Object |
 | 0 | A.java:13:12:13:12 | b : Box [elem] |
-| 1 | A.java:17:9:17:16 | SSA def(b) : Box [elem] |
 | 1 | A.java:17:13:17:16 | f1(...) : Box [elem] |
 | 1 | A.java:18:8:18:8 | b : Box [elem] |
 | 2 | A.java:21:11:21:15 | b : Box [elem] |

java/ql/test/library-tests/dataflow/partial/testRev.expected

@@ -2,8 +2,7 @@ edges
 | A.java:4:16:4:18 | parameter this [Return] [elem] | A.java:22:17:22:25 | new Box(...) [elem] |
 | A.java:4:16:4:18 | this <constr(this)> [post update] [elem] | A.java:4:16:4:18 | parameter this [Return] [elem] |
 | A.java:5:19:5:22 | elem | A.java:24:10:24:19 | other.elem |
-| A.java:22:9:22:25 | SSA def(other) [elem] | A.java:23:13:23:17 | other [elem] |
-| A.java:22:17:22:25 | new Box(...) [elem] | A.java:22:9:22:25 | SSA def(other) [elem] |
+| A.java:22:17:22:25 | new Box(...) [elem] | A.java:23:13:23:17 | other [elem] |
 | A.java:23:13:23:17 | other [elem] | A.java:24:10:24:14 | other [elem] |
 | A.java:23:13:23:17 | other [post update] [elem] | A.java:24:10:24:14 | other [elem] |
 | A.java:24:10:24:14 | other [elem] | A.java:24:10:24:19 | other.elem |
@@ -11,7 +10,6 @@ edges
 | A.java:28:5:28:5 | b [post update] [elem] | A.java:27:16:27:20 | b [Return] [elem] |
 | A.java:28:14:28:25 | new Object(...) | A.java:28:5:28:5 | b [post update] [elem] |
 #select
-| 0 | A.java:22:9:22:25 | SSA def(other) [elem] |
 | 0 | A.java:22:17:22:25 | new Box(...) [elem] |
 | 0 | A.java:23:13:23:17 | other [elem] |
 | 0 | A.java:23:13:23:17 | other [post update] [elem] |

java/ql/test/library-tests/dataflow/switchexpr/switchexprflow.expected

@@ -1,13 +1,9 @@
 | TestSwitchExpr.java:4:15:4:22 | o |
-| TestSwitchExpr.java:7:16:7:28 | SSA def(x1) |
 | TestSwitchExpr.java:7:21:7:28 | source(...) |
-| TestSwitchExpr.java:8:16:8:30 | SSA def(x2) |
 | TestSwitchExpr.java:8:21:8:30 | switch (...) |
 | TestSwitchExpr.java:10:24:10:25 | x1 |
-| TestSwitchExpr.java:12:16:12:30 | SSA def(x3) |
 | TestSwitchExpr.java:12:21:12:30 | switch (...) |
 | TestSwitchExpr.java:13:38:13:39 | x2 |
-| TestSwitchExpr.java:16:16:16:30 | SSA def(x4) |
 | TestSwitchExpr.java:16:21:16:30 | switch (...) |
 | TestSwitchExpr.java:19:23:19:24 | x3 |
 | TestSwitchExpr.java:23:14:23:15 | x4 |

java/ql/test/library-tests/dataflow/taint-ioutils/dataFlow.expected

@@ -1,24 +1,19 @@
-| Test.java:12:15:12:47 | SSA def(inp) |
 | Test.java:12:21:12:47 | new FileInputStream(...) |
 | Test.java:14:21:14:39 | buffer(...) |
 | Test.java:14:36:14:38 | inp |
-| Test.java:15:16:15:54 | SSA def(lines) |
 | Test.java:15:24:15:54 | readLines(...) |
 | Test.java:15:42:15:44 | inp |
 | Test.java:16:18:16:45 | readFully(...) |
 | Test.java:16:36:16:38 | inp |
 | Test.java:17:22:17:55 | toBufferedInputStream(...) |
 | Test.java:17:52:17:54 | inp |
-| Test.java:18:10:18:71 | SSA def(bufread) |
 | Test.java:18:20:18:71 | toBufferedReader(...) |
 | Test.java:18:45:18:70 | new InputStreamReader(...) |
 | Test.java:18:67:18:69 | inp |
 | Test.java:19:19:19:48 | toByteArray(...) |
 | Test.java:19:39:19:41 | inp |
-| Test.java:20:10:20:50 | SSA def(chars) |
 | Test.java:20:18:20:50 | toCharArray(...) |
 | Test.java:20:38:20:40 | inp |
-| Test.java:21:10:21:43 | SSA def(s) |
 | Test.java:21:14:21:43 | toString(...) |
 | Test.java:21:31:21:33 | inp |
 | Test.java:22:20:22:52 | toInputStream(...) |

java/ql/test/library-tests/dataflow/this-flow/this-flow.expected

@@ -10,13 +10,11 @@
 | A.java:20:16:20:16 | this <.field> |
 | A.java:21:12:21:20 | getThis(...) |
 | A.java:21:12:21:20 | this <.method> |
-| A.java:25:7:25:17 | SSA def(a) |
 | A.java:25:11:25:17 | new A(...) |
 | A.java:25:11:25:17 | new A(...) [pre constructor] |
 | A.java:26:12:26:12 | a |
 | A.java:26:12:26:22 | getThis(...) |
 | A.java:26:12:26:36 | getThisWrap(...) |
-| A.java:27:7:27:17 | SSA def(c) |
 | A.java:27:11:27:17 | new C(...) |
 | A.java:27:11:27:17 | new C(...) [pre constructor] |
 | A.java:28:5:28:5 | c |

java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected

@@ -0,0 +1 @@
+| Test.java:4:14:4:36 | replaceAll(...) | This call to 'replaceAll' should be a call to 'replace' as its $@ is not a regular expression. | Test.java:4:28:4:30 | "t" | first argument |

java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref

@@ -0,0 +1,2 @@
+query: Performance/StringReplaceAllWithNonRegex.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java

@@ -0,0 +1,7 @@
+public class Test {
+    void f() {
+        String s1 = "test";
+        s1 = s1.replaceAll("t", "x"); // $ Alert // NON_COMPLIANT
+        s1 = s1.replaceAll(".*", "x"); // COMPLIANT
+    }
+}

java/ql/test/query-tests/security/CWE-089/semmle/examples/JakartaPersistence.java

@@ -0,0 +1,13 @@
+import jakarta.persistence.EntityManager;
+
+public class JakartaPersistence {
+
+  public static String source() { return null; }
+
+  public static void test(EntityManager entityManager) {
+
+    entityManager.createNativeQuery(source()); // $ sqlInjection
+
+  }
+
+}

java/ql/test/query-tests/security/CWE-089/semmle/examples/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive --release 21
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0 --release 21

java/ql/test/stubs/jakarta-persistence-api-3.2.0/jakarta/persistence/EntityManager.java

@@ -0,0 +1,7 @@
+package jakarta.persistence;
+
+public interface EntityManager extends AutoCloseable {
+
+  Query createNativeQuery(String sqlString);
+
+}

java/ql/test/stubs/jakarta-persistence-api-3.2.0/jakarta/persistence/Query.java

@@ -0,0 +1,7 @@
+package jakarta.persistence;
+
+public interface Query {
+
+  int executeUpdate();
+
+}