Remove unnecessary private markers

java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll

@@ -151,7 +151,7 @@ deprecated class SensitiveCommunicationConfig extends TaintTracking::Configurati
   }
 }
 
-private module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
+module SensitiveCommunicationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveInfoExpr }
 
   predicate isSink(DataFlow::Node sink) {

java/ql/lib/semmle/code/java/security/ArbitraryApkInstallationQuery.qll

@@ -9,7 +9,7 @@ private import semmle.code.java.security.ArbitraryApkInstallation
  * A dataflow configuration for flow from an external source of an APK to the
  * `setData[AndType][AndNormalize]` method of an intent.
  */
-private module ApkInstallationConfig implements DataFlow::ConfigSig {
+module ApkInstallationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node instanceof ExternalApkSource }
 
   predicate isSink(DataFlow::Node node) {

java/ql/lib/semmle/code/java/security/ExternalAPIs.qll

@@ -111,7 +111,7 @@ deprecated class UntrustedDataToExternalApiConfig extends TaintTracking::Configu
   override predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
 }
 
-private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
+module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -23,7 +23,7 @@ deprecated class FragmentInjectionTaintConf extends TaintTracking::Configuration
   }
 }
 
-private module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
+module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }

java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll

@@ -58,7 +58,7 @@ deprecated class HardcodedCredentialApiCallConfiguration extends DataFlow::Confi
 /**
  * A data-flow configuration that tracks flow from a hard-coded credential in a call to a sensitive Java API which may compromise security.
  */
-private module HardcodedCredentialApiCallConfig implements DataFlow::ConfigSig {
+module HardcodedCredentialApiCallConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node n) {
     n.asExpr() instanceof HardcodedExpr and
     not n.asExpr().getEnclosingCallable() instanceof ToStringMethod

java/ql/lib/semmle/code/java/security/HttpsUrlsQuery.qll

@@ -29,7 +29,7 @@ deprecated class HttpStringToUrlOpenMethodFlowConfig extends TaintTracking::Conf
 /**
  * A taint tracking configuration for HTTP connections.
  */
-private module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
+module HttpStringToUrlOpenMethodFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HttpStringLiteral }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlOpenSink }

java/ql/lib/semmle/code/java/security/InsecureBasicAuthQuery.qll

@@ -27,7 +27,7 @@ deprecated class BasicAuthFlowConfig extends TaintTracking::Configuration {
  * A taint tracking configuration for the Basic authentication scheme
  * being used in HTTP connections.
  */
-private module BasicAuthFlowConfig implements DataFlow::ConfigSig {
+module BasicAuthFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof InsecureBasicAuthSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureBasicAuthSink }

java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll

@@ -30,7 +30,7 @@ deprecated class InsecureTrustManagerConfiguration extends DataFlow::Configurati
  * A configuration to model the flow of an insecure `TrustManager`
  * to the initialization of an SSL context.
  */
-private module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
+module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof InsecureTrustManagerSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }

java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll

@@ -23,7 +23,7 @@ deprecated class KeySizeConfiguration extends DataFlow::Configuration {
 /**
  * A data flow configuration for tracking key sizes used in cryptographic algorithms.
  */
-private module KeySizeConfig implements DataFlow::StateConfigSig {
+module KeySizeConfig implements DataFlow::StateConfigSig {
   class FlowState = DataFlow::FlowState;
 
   predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll

@@ -35,7 +35,7 @@ deprecated class IntentUriPermissionManipulationConf extends TaintTracking::Conf
   }
 }
 
-private module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
+module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof IntentUriPermissionManipulationSink }

java/ql/lib/semmle/code/java/security/LogInjectionQuery.qll

@@ -23,7 +23,7 @@ deprecated class LogInjectionConfiguration extends TaintTracking::Configuration
   }
 }
 
-private module LogInjectionConfig implements DataFlow::ConfigSig {
+module LogInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof LogInjectionSink }

java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll

@@ -28,7 +28,7 @@ deprecated class MissingJwtSignatureCheckConf extends DataFlow::Configuration {
  * Models flow from signing keys assignments to qualifiers of JWT insecure parsers.
  * This is used to determine whether a `JwtParser` performing unsafe parsing has a signing key set.
  */
-private module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
+module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof JwtParserWithInsecureParseSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof JwtParserWithInsecureParseSink }

java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll

@@ -28,7 +28,7 @@ deprecated class PartialPathTraversalFromRemoteConfig extends TaintTracking::Con
  * that is used to validate against path traversal, but is insufficient
  * and remains vulnerable to Partial Path Traversal.
  */
-private module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
+module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node node) {

java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll

@@ -26,7 +26,7 @@ deprecated class RsaWithoutOaepConfig extends DataFlow::Configuration {
   }
 }
 
-private module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
+module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) {
     exists(CompileTimeConstantExpr specExpr, string spec |
       specExpr.getStringValue() = spec and

java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll

@@ -49,7 +49,7 @@ deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configurati
 }
 
 /** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */
-private module SensitiveLoggerConfig implements DataFlow::ConfigSig {
+module SensitiveLoggerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr }
 
   predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") }

java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll

@@ -165,7 +165,7 @@ deprecated class StaticInitializationVectorConfig extends TaintTracking::Configu
 /**
  * A config that tracks dataflow to initializing a cipher with a static initialization vector.
  */
-private module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
+module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof StaticInitializationVectorSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink }

java/ql/lib/semmle/code/java/security/UnsafeCertTrustQuery.qll

@@ -22,7 +22,7 @@ deprecated class SslEndpointIdentificationFlowConfig extends TaintTracking::Conf
   }
 }
 
-private module SslEndpointIdentificationFlowConfig implements DataFlow::ConfigSig {
+module SslEndpointIdentificationFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof SslConnectionInit }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -26,7 +26,7 @@ deprecated class UnsafeContentResolutionConf extends TaintTracking::Configuratio
   }
 }
 
-private module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
+module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ContentUriResolutionSink }

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -437,7 +437,13 @@ deprecated class UnsafeTypeConfig extends TaintTracking2::Configuration {
   }
 }
 
-private module UnsafeTypeConfig implements DataFlow::ConfigSig {
+/**
+ * Tracks flow from a remote source to a type descriptor (e.g. a `java.lang.Class` instance)
+ * passed to a deserialization method.
+ *
+ * If this is user-controlled, arbitrary code could be executed while instantiating the user-specified type.
+ */
+module UnsafeTypeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeTypeSink }
@@ -528,7 +534,7 @@ deprecated class SafeObjectMapperConfig extends DataFlow2::Configuration {
   }
 }
 
-private module SafeObjectMapperConfig implements DataFlow::ConfigSig {
+module SafeObjectMapperConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof SetPolymorphicTypeValidatorSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ObjectMapperReadQualifier }

java/ql/lib/semmle/code/java/security/XmlParsers.qll

@@ -1013,7 +1013,7 @@ deprecated class SafeTransformerFactoryFlowConfig extends DataFlow3::Configurati
  * A dataflow configuration that identifies `TransformerFactory` and `SAXTransformerFactory`
  * instances that have been safely configured.
  */
-private module SafeTransformerFactoryFlowConfig implements DataFlow::ConfigSig {
+module SafeTransformerFactoryFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeTransformerFactory }
 
   predicate isSink(DataFlow::Node sink) {

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll

@@ -65,7 +65,7 @@ deprecated predicate hasPolynomialReDoSResult(
 }
 
 /** A configuration for Polynomial ReDoS queries. */
-private module PolynomialRedosConfig implements DataFlow::ConfigSig {
+module PolynomialRedosConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) {