Use InlineExpectationsTest

java/ql/test/query-tests/security/CWE-297/InsecureJavaMail.expected

@@ -1,2 +0,0 @@
-| InsecureJavaMail.java:29:27:29:72 | getInstance(...) | Java mailing has insecure SSL configuration |
-| InsecureJavaMail.java:37:3:37:29 | setSSLOnConnect(...) | Java mailing has insecure SSL configuration |

java/ql/test/query-tests/security/CWE-297/InsecureJavaMail.qlref

@@ -1 +0,0 @@
-Security/CWE/CWE-297/InsecureJavaMail.ql

java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.java

@@ -10,7 +10,7 @@ import org.apache.commons.mail.SimpleEmail;
 
 import java.util.Properties;
 
-class InsecureJavaMail {
+class InsecureJavaMailTest {
 	public void testJavaMail() {
 		final Properties properties = new Properties();
 		properties.put("mail.transport.protocol", "protocol");
@@ -24,9 +24,26 @@ class InsecureJavaMail {
 		};
 		if (null != authenticator) {
 			properties.put("mail.smtp.auth", "true");
-			// properties.put("mail.smtp.ssl.checkserveridentity", "true");
 		}
-		final Session session = Session.getInstance(properties, authenticator);
+		final Session session = Session.getInstance(properties, authenticator); // $hasInsecureJavaMail
+	}
+
+	public void testSecureJavaMail() {
+		final Properties properties = new Properties();
+		properties.put("mail.transport.protocol", "protocol");
+		properties.put("mail.smtp.host", "hostname");
+		properties.put("mail.smtp.socketFactory.class", "classname");
+
+		final javax.mail.Authenticator authenticator = new javax.mail.Authenticator() {
+			protected PasswordAuthentication getPasswordAuthentication() {
+				return new PasswordAuthentication("username", "password");
+			}
+		};
+		if (null != authenticator) {
+			properties.put("mail.smtp.auth", "true");
+			properties.put("mail.smtp.ssl.checkserveridentity", "true");
+		}
+		final Session session = Session.getInstance(properties, authenticator); // Safe
 	}
 
 	public void testSimpleMail() throws Exception {
@@ -34,8 +51,21 @@ class InsecureJavaMail {
 		email.setHostName("config.hostName");
 		email.setSmtpPort(25);
 		email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
-		email.setSSLOnConnect(true);
-		// email.setSSLCheckServerIdentity(true);
+		email.setSSLOnConnect(true); // $hasInsecureJavaMail
+		email.setFrom("fromAddress");
+		email.setSubject("subject");
+		email.setMsg("body");
+		email.addTo("toAddress");
+		email.send();
+	}
+
+	public void testSecureSimpleMail() throws Exception {
+		Email email = new SimpleEmail();
+		email.setHostName("config.hostName");
+		email.setSmtpPort(25);
+		email.setAuthenticator(new DefaultAuthenticator("config.username", "config.password"));
+		email.setSSLOnConnect(true); // Safe
+		email.setSSLCheckServerIdentity(true);
 		email.setFrom("fromAddress");
 		email.setSubject("subject");
 		email.setMsg("body");

java/ql/test/query-tests/security/CWE-297/InsecureJavaMailTest.ql

@@ -0,0 +1,23 @@
+import java
+import semmle.code.java.security.Mail
+import TestUtilities.InlineExpectationsTest
+
+class InsecureJavaMailTest extends InlineExpectationsTest {
+  InsecureJavaMailTest() { this = "HasInsecureJavaMailTest" }
+
+  override string getARelevantTag() { result = "hasInsecureJavaMail" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasInsecureJavaMail" and
+    exists(MethodAccess ma |
+      ma.getLocation() = location and
+      element = ma.toString() and
+      value = ""
+    |
+      ma.getMethod() instanceof MailSessionGetInstanceMethod and
+      isInsecureMailPropertyConfig(ma.getArgument(0))
+      or
+      enablesEmailSsl(ma) and not hasSslCertificateCheck(ma.getQualifier())
+    )
+  }
+}