Java: Clean up some instances of getQualifiedName.

2026-03-01 21:34:50 +01:00 · 2024-05-13 13:06:44 +02:00
parent 5eaaf02bf5
commit 76e740bc1d
10 changed files with 31 additions and 38 deletions
--- a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
@@ -16,23 +16,24 @@ import semmle.code.java.security.Encryption

 class NetworkClass extends Class {
  NetworkClass() {
-    this.getAnAncestor().getQualifiedName().matches("java.rmi.%") or
-    this.getAnAncestor().getQualifiedName().matches("java.net.%") or
-    this.getAnAncestor().getQualifiedName().matches("javax.net.%")
+    this.getAnAncestor()
+        .getPackage()
+        .getName()
+        .regexpMatch("(java\\.net|java\\.rmi|javax\\.net)(\\..*)?")
  }
 }

 class SocketFactoryType extends RefType {
  SocketFactoryType() {
-    this.getQualifiedName() = "java.rmi.server.RMIServerSocketFactory" or
-    this.getQualifiedName() = "java.rmi.server.RMIClientSocketFactory" or
-    this.getQualifiedName() = "javax.net.SocketFactory" or
-    this.getQualifiedName() = "java.net.SocketImplFactory"
+    this.hasQualifiedName("java.rmi.server", "RMIServerSocketFactory") or
+    this.hasQualifiedName("java.rmi.server", "RMIClientSocketFactory") or
+    this.hasQualifiedName("javax.net", "SocketFactory") or
+    this.hasQualifiedName("java.net", "SocketImplFactory")
  }
 }

 /** Holds if the method `m` has a factory parameter at location `p`. */
-cached
+pragma[nomagic]
 predicate usesFactory(Method m, int p) {
  m.getParameter(p).getType().(RefType).getAnAncestor() instanceof SocketFactoryType
 }
--- a/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+++ b/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
@@ -13,11 +13,13 @@

 import java

-predicate dangerousMethod(string descriptor) { descriptor = "java.lang.Thread.stop" }
+predicate dangerousMethod(string pack, string type, string name) {
+  pack = "java.lang" and type = "Thread" and name = "stop"
+}

-from MethodCall call, Method target, string descriptor
+from MethodCall call, Method target, string pack, string type, string name
 where
  call.getCallee() = target and
-  descriptor = target.getDeclaringType().getQualifiedName() + "." + target.getName() and
-  dangerousMethod(descriptor)
-select call, "Call to " + descriptor + " is potentially dangerous."
+  target.hasQualifiedName(pack, type, name) and
+  dangerousMethod(pack, type, name)
+select call, "Call to " + pack + "." + type + "." + name + " is potentially dangerous."