Merge pull request #6034 from owen-mc/java/jax-rs

Improve JAX-WS and JAX-RS models

java/change-notes/2021-03-22-jax-rs-improvements.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for detecting XSS via JAX-RS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap).

java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql

@@ -74,12 +74,9 @@ class MatchesHttpOnlyConfiguration extends TaintTracking2::Configuration {
   }
 }
 
-/** A class descended from `javax.servlet.http.Cookie` or `javax/jakarta.ws.rs.core.Cookie`. */
+/** A class descended from `javax.servlet.http.Cookie`. */
 class CookieClass extends RefType {
-  CookieClass() {
-    this.getASupertype*()
-        .hasQualifiedName(["javax.servlet.http", "javax.ws.rs.core", "jakarta.ws.rs.core"], "Cookie")
-  }
+  CookieClass() { this.getASupertype*().hasQualifiedName("javax.servlet.http", "Cookie") }
 }
 
 /** Holds if `expr` is any boolean-typed expression other than literal `false`. */

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -81,6 +81,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.JaxWS
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.XSS

java/ql/src/semmle/code/java/frameworks/JavaxAnnotations.qll

@@ -137,6 +137,13 @@ class InterceptorsAnnotation extends Annotation {
  * Annotations in the package `javax.jws`.
  */
 
+/**
+ * A `@javax.jws.WebMethod` annotation.
+ */
+class WebMethodAnnotation extends Annotation {
+  WebMethodAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebMethod") }
+}
+
 /**
  * A `@javax.jws.WebService` annotation.
  */

java/ql/src/semmle/code/java/frameworks/JaxWS.qll

@@ -1,4 +1,22 @@
+/**
+ * Definitions relating to JAX-WS (Java/Jakarta API for XML Web Services) and JAX-RS
+ * (Java/Jakarta API for RESTful Web Services).
+ */
+
 import java
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.XSS
+
+/**
+ * Gets a name for the root package of JAX-RS.
+ */
+string getAJaxRsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] }
+
+/**
+ * Gets a name for package `subpackage` within the JAX-RS hierarchy.
+ */
+bindingset[subpackage]
+string getAJaxRsPackage(string subpackage) { result = getAJaxRsPackage() + "." + subpackage }
 
 /**
  * A JAX WS endpoint is constructed by the container, and its methods
@@ -13,6 +31,7 @@ class JaxWsEndpoint extends Class {
     )
   }
 
+  /** Gets a method annotated with `@WebMethod` or `@WebEndpoint`. */
   Callable getARemoteMethod() {
     result = this.getACallable() and
     exists(AnnotationType a | a = result.getAnAnnotation().getType() |
@@ -28,7 +47,7 @@ class JaxWsEndpoint extends Class {
 private predicate hasPathAnnotation(Annotatable annotatable) {
   exists(AnnotationType a |
     a = annotatable.getAnAnnotation().getType() and
-    a.getPackage().getName() = "javax.ws.rs"
+    a.getPackage().getName() = getAJaxRsPackage()
   |
     a.hasName("Path")
   )
@@ -41,7 +60,7 @@ class JaxRsResourceMethod extends Method {
   JaxRsResourceMethod() {
     exists(AnnotationType a |
       a = this.getAnAnnotation().getType() and
-      a.getPackage().getName() = "javax.ws.rs"
+      a.getPackage().getName() = getAJaxRsPackage()
     |
       a.hasName("GET") or
       a.hasName("POST") or
@@ -50,6 +69,27 @@ class JaxRsResourceMethod extends Method {
       a.hasName("OPTIONS") or
       a.hasName("HEAD")
     )
+    or
+    // A JaxRS resource method can also inherit these annotations from a supertype, but only if
+    // there are no JaxRS annotations on the method itself
+    this.getAnOverride() instanceof JaxRsResourceMethod and
+    not exists(this.getAnAnnotation().(JaxRSAnnotation))
+  }
+
+  /** Gets an `@Produces` annotation that applies to this method */
+  JaxRSProducesAnnotation getProducesAnnotation() {
+    result = this.getAnAnnotation()
+    or
+    // No direct annotations
+    not this.getAnAnnotation() instanceof JaxRSProducesAnnotation and
+    (
+      // Annotations on a method we've overridden
+      result = this.getAnOverride().getAnAnnotation()
+      or
+      // No annotations on this method, or a method we've overridden, so look to the class
+      not this.getAnOverride().getAnAnnotation() instanceof JaxRSProducesAnnotation and
+      result = this.getDeclaringType().getAnAnnotation()
+    )
   }
 }
 
@@ -81,7 +121,7 @@ class JaxRsResourceClass extends Class {
    * annotations leading to this resource method.
    */
   JaxRsResourceMethod getAResourceMethod() {
-    isPublic() and
+    this.isPublic() and
     result = this.getACallable()
   }
 
@@ -90,7 +130,7 @@ class JaxRsResourceClass extends Class {
    * but is not a resource method e.g. it is not annotated with `@GET` etc.
    */
   Callable getASubResourceLocator() {
-    result = getAMethod() and
+    result = this.getAMethod() and
     not result instanceof JaxRsResourceMethod and
     hasPathAnnotation(result)
   }
@@ -109,10 +149,10 @@ class JaxRsResourceClass extends Class {
    * (existence of particular parameters).
    */
   Constructor getAnInjectableConstructor() {
-    result = getAConstructor() and
+    result = this.getAConstructor() and
     // JaxRs Spec v2.0 - 3.12
     // Only root resources are constructed by the JaxRS container.
-    isRootResource() and
+    this.isRootResource() and
     // JaxRS can only construct the class using constructors that are public, and where the
     // container can provide all of the parameters. This includes the no-arg constructor.
     result.isPublic() and
@@ -125,29 +165,41 @@ class JaxRsResourceClass extends Class {
    * Gets a Callable that may be executed by the JaxRs container, injecting parameters as required.
    */
   Callable getAnInjectableCallable() {
-    result = getAResourceMethod() or
-    result = getAnInjectableConstructor() or
-    result = getASubResourceLocator()
+    result = this.getAResourceMethod() or
+    result = this.getAnInjectableConstructor() or
+    result = this.getASubResourceLocator()
   }
 
   /**
    * Gets a Field that may be injected with a value by the JaxRs container.
    */
   Field getAnInjectableField() {
-    result = getAField() and
+    result = this.getAField() and
     result.getAnAnnotation() instanceof JaxRsInjectionAnnotation
   }
 }
 
+/**
+ * An annotation from the `javax.ws.rs` or `jakarta.ws.rs` package hierarchy.
+ */
+class JaxRSAnnotation extends Annotation {
+  JaxRSAnnotation() {
+    exists(AnnotationType a |
+      a = this.getType() and
+      a.getPackage().getName().regexpMatch(["javax\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"])
+    )
+  }
+}
+
 /**
  * An annotation that is used by JaxRS containers to determine a value to inject into the annotated
  * element.
  */
-class JaxRsInjectionAnnotation extends Annotation {
+class JaxRsInjectionAnnotation extends JaxRSAnnotation {
   JaxRsInjectionAnnotation() {
     exists(AnnotationType a |
-      a = getType() and
-      a.getPackage().getName() = "javax.ws.rs"
+      a = this.getType() and
+      a.getPackage().getName() = getAJaxRsPackage()
     |
       a.hasName("BeanParam") or
       a.hasName("CookieParam") or
@@ -158,23 +210,31 @@ class JaxRsInjectionAnnotation extends Annotation {
       a.hasName("QueryParam")
     )
     or
-    getType().hasQualifiedName("javax.ws.rs.core", "Context")
+    this.getType().hasQualifiedName(getAJaxRsPackage("core"), "Context")
   }
 }
 
+/**
+ * The class `javax.ws.rs.core.Response`.
+ */
 class JaxRsResponse extends Class {
-  JaxRsResponse() { this.hasQualifiedName("javax.ws.rs.core", "Response") }
+  JaxRsResponse() { this.hasQualifiedName(getAJaxRsPackage("core"), "Response") }
 }
 
+/**
+ * The class `javax.ws.rs.core.Response$ResponseBuilder`.
+ */
 class JaxRsResponseBuilder extends Class {
-  JaxRsResponseBuilder() { this.hasQualifiedName("javax.ws.rs.core", "ResponseBuilder") }
+  JaxRsResponseBuilder() {
+    this.hasQualifiedName(getAJaxRsPackage("core"), "Response$ResponseBuilder")
+  }
 }
 
 /**
  * The class `javax.ws.rs.client.Client`.
  */
 class JaxRsClient extends RefType {
-  JaxRsClient() { this.hasQualifiedName("javax.ws.rs.client", "Client") }
+  JaxRsClient() { this.hasQualifiedName(getAJaxRsPackage("client"), "Client") }
 }
 
 /**
@@ -184,13 +244,12 @@ class JaxRsClient extends RefType {
 class JaxRsBeanParamConstructor extends Constructor {
   JaxRsBeanParamConstructor() {
     exists(JaxRsResourceClass resourceClass, Callable c, Parameter p |
-      c = resourceClass.getAnInjectableCallable()
-    |
+      c = resourceClass.getAnInjectableCallable() and
       p = c.getAParameter() and
-      p.getAnAnnotation().getType().hasQualifiedName("javax.ws.rs", "BeanParam") and
+      p.getAnAnnotation().getType().hasQualifiedName(getAJaxRsPackage(), "BeanParam") and
       this.getDeclaringType().getSourceDeclaration() = p.getType().(RefType).getSourceDeclaration()
     ) and
-    forall(Parameter p | p = getAParameter() |
+    forall(Parameter p | p = this.getAParameter() |
       p.getAnAnnotation() instanceof JaxRsInjectionAnnotation
     )
   }
@@ -200,7 +259,7 @@ class JaxRsBeanParamConstructor extends Constructor {
  * The class `javax.ws.rs.ext.MessageBodyReader`.
  */
 class MessageBodyReader extends GenericInterface {
-  MessageBodyReader() { this.hasQualifiedName("javax.ws.rs.ext", "MessageBodyReader") }
+  MessageBodyReader() { this.hasQualifiedName(getAJaxRsPackage("ext"), "MessageBodyReader") }
 }
 
 /**
@@ -208,7 +267,7 @@ class MessageBodyReader extends GenericInterface {
  */
 class MessageBodyReaderReadFrom extends Method {
   MessageBodyReaderReadFrom() {
-    this.getDeclaringType() instanceof MessageBodyReader and
+    this.getDeclaringType().getSourceDeclaration() instanceof MessageBodyReader and
     this.hasName("readFrom")
   }
 }
@@ -223,3 +282,507 @@ class MessageBodyReaderRead extends Method {
     )
   }
 }
+
+/** An `@Produces` annotation that describes which content types can be produced by this resource. */
+class JaxRSProducesAnnotation extends JaxRSAnnotation {
+  JaxRSProducesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Produces") }
+
+  /**
+   * Gets a declared content type that can be produced by this resource.
+   */
+  string getADeclaredContentType() {
+    result = this.getAValue().(CompileTimeConstantExpr).getStringValue()
+    or
+    exists(Field jaxMediaType |
+      // Accesses to static fields on `MediaType` class do not have constant strings in the database
+      // so convert the field name to a content type string
+      jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and
+      jaxMediaType.getAnAccess() = this.getAValue() and
+      // e.g. MediaType.TEXT_PLAIN => text/plain
+      result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/")
+    )
+  }
+}
+
+/** An `@Consumes` annotation that describes content types can be consumed by this resource. */
+class JaxRSConsumesAnnotation extends JaxRSAnnotation {
+  JaxRSConsumesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") }
+}
+
+/** A default sink representing methods susceptible to XSS attacks. */
+private class JaxRSXssSink extends XssSink {
+  JaxRSXssSink() {
+    exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs |
+      resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and
+      rs.getEnclosingCallable() = resourceMethod and
+      this.asExpr() = rs.getResult()
+    |
+      not exists(resourceMethod.getProducesAnnotation())
+      or
+      resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain"
+    )
+  }
+}
+
+/** A URL redirection sink from JAX-RS */
+private class JaxRsUrlRedirectSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; kind`
+        "javax.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
+        "javax.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect",
+        "jakarta.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
+        "jakarta.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect"
+      ]
+  }
+}
+
+/**
+ * Model Response:
+ *
+ * - the returned ResponseBuilder gains taint from a tainted entity or existing Response
+ */
+private class ResponseModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response;false;accepted;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response;false;fromResponse;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response;false;ok;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model ResponseBuilder:
+ *
+ * - becomes tainted by a tainted entity, but not by metadata, headers etc
+ * - build() method returns taint
+ * - almost all methods are fluent, and so preserve value
+ */
+private class ResponseBuilderModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;allow;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;cacheControl;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;contentLocation;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;cookie;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;encoding;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;entity;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;expires;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;header;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;language;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;lastModified;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;link;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;links;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;location;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;replaceAll;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;status;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;tag;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;type;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;variant;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Response$ResponseBuilder;true;variants;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
+
+/**
+ * Model HttpHeaders: methods that Date have to be syntax-checked, but those returning MediaType
+ * or Locale are assumed potentially dangerous, as these types do not generally check that the
+ * input data is recognised, only that it conforms to the expected syntax.
+ */
+private class HttpHeadersModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getAcceptableLanguages;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getAcceptableMediaTypes;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getCookies;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getHeaderString;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getLanguage;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getMediaType;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getRequestHeader;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;HttpHeaders;true;getRequestHeaders;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model MultivaluedMap, which extends Map<K, List<V>> and provides a few extra helper methods.
+ */
+private class MultivaluedMapModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;add;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addAll;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,List);;Element of Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addAll;(Object,Object[]);;ArrayElement of Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;addFirst;;;Argument[1];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;getFirst;;;Element of MapValue of Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedMap;true;putSingle;;;Argument[1];Element of MapValue of Argument[-1];value"
+      ]
+  }
+}
+
+/**
+ * Model AbstractMultivaluedMap, which implements MultivaluedMap.
+ */
+private class AbstractMultivaluedMapModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;AbstractMultivaluedMap;false;AbstractMultivaluedMap;;;MapValue of Argument[0];MapValue of Argument[-1];value"
+      ]
+  }
+}
+
+/**
+ * Model MultivaluedHashMap, which extends AbstractMultivaluedMap.
+ */
+private class MultivaluedHashMapModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "javax.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(Map);;MapValue of Argument[0];Element of MapValue of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "jakarta.ws.rs.core;MultivaluedHashMap;false;MultivaluedHashMap;(MultivaluedMap);;MapValue of Argument[0];MapValue of Argument[-1];value"
+      ]
+  }
+}
+
+/**
+ * Model PathSegment, which wraps a path and its associated matrix parameters.
+ */
+private class PathSegmentModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;PathSegment;true;getMatrixParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;PathSegment;true;getPath;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model UriInfo, which provides URI element accessors.
+ */
+private class UriInfoModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model Cookie, a simple tuple type.
+ */
+private class CookieModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint",
+        "javax.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getDomain;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getName;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getPath;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getValue;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;getVersion;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;true;toString;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Cookie;false;Cookie;;;Argument[0..4];Argument[-1];taint",
+        "jakarta.ws.rs.core;Cookie;false;valueOf;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model NewCookie, a simple tuple type.
+ */
+private class NewCookieModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint",
+        "javax.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;getComment;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;getExpiry;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;getMaxAge;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;true;toCookie;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;NewCookie;false;NewCookie;;;Argument[0..9];Argument[-1];taint",
+        "jakarta.ws.rs.core;NewCookie;false;valueOf;;;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model Form, a simple container type.
+ */
+private class FormModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;Form;false;Form;;;MapValue of Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint",
+        "javax.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint",
+        "javax.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;Form;false;Form;;;MapKey of Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;false;Form;;;MapValue of Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;false;Form;;;Argument[0..1];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;true;asMap;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;Form;true;param;;;Argument[0..1];Argument[-1];taint",
+        "jakarta.ws.rs.core;Form;true;param;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
+
+/**
+ * Model GenericEntity, a wrapper for HTTP entities (e.g., documents).
+ */
+private class GenericEntityModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
+        "javax.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;GenericEntity;false;GenericEntity;;;Argument[0];Argument[-1];taint",
+        "jakarta.ws.rs.core;GenericEntity;true;getEntity;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model MediaType, which provides accessors for elements of Content-Type and similar
+ * media type specifications.
+ */
+private class MediaTypeModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
+        "javax.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;false;MediaType;;;Argument[0..2];Argument[-1];taint",
+        "jakarta.ws.rs.core;MediaType;true;getParameters;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;true;getSubtype;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;true;getType;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;false;valueOf;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;MediaType;true;withCharset;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}
+
+/**
+ * Model UriBuilder, which provides a fluent interface to build a URI from components.
+ */
+private class UriBuilderModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
+        "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;build;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;build;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncoded;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromEncodedMap;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;buildFromMap;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;clone;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;fragment;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;false;fromLink;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;false;fromPath;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;false;fromUri;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;host;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;matrixParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[0..1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;path;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;queryParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrix;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceMatrixParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replacePath;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQuery;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;ArrayElement of Argument[1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;replaceQueryParam;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[0..2];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplate;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[0..1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplateFromEncoded;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplates;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapKey of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;MapValue of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;resolveTemplatesFromEncoded;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;scheme;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;schemeSpecificPart;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;segment;;;ArrayElement of Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;segment;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;toTemplate;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;uri;;;Argument[-1];ReturnValue;value",
+        "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriBuilder;true;userInfo;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}

java/ql/src/semmle/code/java/frameworks/guava/Base.qll

@@ -7,7 +7,7 @@ private class GuavaBaseCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "com.google.common.base;Strings;false;emptyToNull;(String);;Argument[0];ReturnValue;value",
         "com.google.common.base;Strings;false;nullToEmpty;(String);;Argument[0];ReturnValue;value",
         "com.google.common.base;Strings;false;padStart;(String,int,char);;Argument[0];ReturnValue;taint",

java/ql/src/semmle/code/java/frameworks/guava/IO.qll

@@ -7,7 +7,7 @@ private class GuavaIoCsv extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "com.google.common.io;BaseEncoding;true;decode;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.io;BaseEncoding;true;decodingStream;(Reader);;Argument[0];ReturnValue;taint",
         "com.google.common.io;BaseEncoding;true;decodingSource;(CharSource);;Argument[0];ReturnValue;taint",
@@ -89,7 +89,7 @@ private class GuavaIoSinkCsv extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; kind`
         "com.google.common.io;Resources;false;asByteSource;(URL);;Argument[0];url-open-stream",
         "com.google.common.io;Resources;false;asCharSource;(URL,Charset);;Argument[0];url-open-stream",
         "com.google.common.io;Resources;false;copy;(URL,OutputStream);;Argument[0];url-open-stream",

java/ql/src/semmle/code/java/security/UrlRedirect.qll

@@ -2,12 +2,19 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.ApacheHttp
+private import semmle.code.java.frameworks.JaxWS
 
-/** A URL redirection sink */
+/** A URL redirection sink. */
 abstract class UrlRedirectSink extends DataFlow::Node { }
 
+/** A default sink represeting methods susceptible to URL redirection attacks. */
+private class DefaultUrlRedirectSink extends UrlRedirectSink {
+  DefaultUrlRedirectSink() { sinkNode(this, "url-redirect") }
+}
+
 /** A Servlet URL redirection sink. */
 private class ServletUrlRedirectSink extends UrlRedirectSink {
   ServletUrlRedirectSink() {

java/ql/test/experimental/query-tests/security/CWE-1004/SensitiveCookieNotHttpOnly.expected

@@ -5,8 +5,12 @@ edges
 | SensitiveCookieNotHttpOnly.java:25:39:25:52 | tokenCookieStr : String | SensitiveCookieNotHttpOnly.java:25:28:25:64 | new Cookie(...) : Cookie |
 | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
 | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... |
-| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) |
-| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr |
+| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) |
+| SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie |
+| SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie |
+| SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie |
+| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String |
+| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr |
 | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
 | SensitiveCookieNotHttpOnly.java:70:28:70:55 | ... + ... : String | SensitiveCookieNotHttpOnly.java:71:42:71:50 | secString |
@@ -24,9 +28,13 @@ nodes
 | SensitiveCookieNotHttpOnly.java:42:42:42:49 | "token=" : String | semmle.label | "token=" : String |
 | SensitiveCookieNotHttpOnly.java:42:42:42:57 | ... + ... : String | semmle.label | ... + ... : String |
 | SensitiveCookieNotHttpOnly.java:42:42:42:69 | ... + ... | semmle.label | ... + ... |
+| SensitiveCookieNotHttpOnly.java:52:42:52:113 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
 | SensitiveCookieNotHttpOnly.java:52:42:52:124 | toString(...) | semmle.label | toString(...) |
 | SensitiveCookieNotHttpOnly.java:52:56:52:75 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:63:37:63:115 | new NewCookie(...) : NewCookie | semmle.label | new NewCookie(...) : NewCookie |
 | SensitiveCookieNotHttpOnly.java:63:51:63:70 | "session-access-key" : String | semmle.label | "session-access-key" : String |
+| SensitiveCookieNotHttpOnly.java:64:25:64:39 | accessKeyCookie : NewCookie | semmle.label | accessKeyCookie : NewCookie |
+| SensitiveCookieNotHttpOnly.java:64:25:64:50 | toString(...) : String | semmle.label | toString(...) : String |
 | SensitiveCookieNotHttpOnly.java:65:42:65:47 | keyStr | semmle.label | keyStr |
 | SensitiveCookieNotHttpOnly.java:70:28:70:35 | "token=" : String | semmle.label | "token=" : String |
 | SensitiveCookieNotHttpOnly.java:70:28:70:43 | ... + ... : String | semmle.label | ... + ... : String |

java/ql/test/library-tests/dataflow/external-models/sinks.ql

@@ -7,7 +7,7 @@ class SinkModelTest extends SinkModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;spec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; kind`
         "my.qltest;B;false;sink1;(Object);;Argument[0];qltest",
         "my.qltest;B;false;sinkMethod;();;ReturnValue;qltest",
         "my.qltest;B$Tag;false;;;Annotated;ReturnValue;qltest-retval",

java/ql/test/library-tests/dataflow/external-models/srcs.ql

@@ -7,7 +7,7 @@ class SourceModelTest extends SourceModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;spec;kind",
+        //`namespace; type; subtypes; name; signature; ext; output; kind`
         "my.qltest;A;false;src1;();;ReturnValue;qltest",
         "my.qltest;A;false;src1;(String);;ReturnValue;qltest",
         "my.qltest;A;false;src1;(java.lang.String);;ReturnValue;qltest-alt",

java/ql/test/library-tests/dataflow/external-models/steps.ql

@@ -8,7 +8,7 @@ class SummaryModelTest extends SummaryModelCsv {
   override predicate row(string row) {
     row =
       [
-        //"package;type;overrides;name;signature;ext;inputspec;outputspec;kind",
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "my.qltest;C;false;stepArgRes;(Object);;Argument[0];ReturnValue;taint",
         "my.qltest;C;false;stepArgArg;(Object,Object);;Argument[0];Argument[1];taint",
         "my.qltest;C;false;stepArgQual;(Object);;Argument[0];Argument[-1];taint",

java/ql/test/library-tests/frameworks/JaxWs/JakartaRs1.java

@@ -0,0 +1,215 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.OPTIONS;
+import jakarta.ws.rs.HEAD;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.BeanParam;
+import jakarta.ws.rs.CookieParam;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.MatrixParam;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+public class JakartaRs1 { // $ RootResourceClass
+  public JakartaRs1() { // $ InjectableConstructor
+  }
+
+  @GET
+  int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+    return 0; // $ XssSink
+  }
+
+  @POST
+  void Post() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Produces("text/plain") // $ ProducesAnnotation=text/plain
+  @DELETE
+  double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+    return 0.0; // $ XssSink
+  }
+
+  @Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html
+  @PUT
+  void Put() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+  }
+
+  @OPTIONS
+  void Options() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @HEAD
+  void Head() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Path("")
+  NonRootResourceClassJakarta subResourceLocator() { // $ SubResourceLocator
+    return null;
+  }
+
+  public class NonRootResourceClassJakarta { // $ NonRootResourceClass
+    @GET
+    int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return 0; // $ XssSink
+    }
+
+    @Produces("text/html") // $ ProducesAnnotation=text/html
+    @POST
+    boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+      return false;
+    }
+
+    @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
+    @DELETE
+    double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+      return 0.0; // $ XssSink
+    }
+
+    @Path("")
+    AnotherNonRootResourceClassJakarta subResourceLocator1() { // $ SubResourceLocator
+      return null;
+    }
+
+    @GET
+    @Path("")
+    NotAResourceClass1Jakarta NotASubResourceLocator1() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    @GET
+    NotAResourceClass2Jakarta NotASubResourceLocator2() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    NotAResourceClass2Jakarta NotASubResourceLocator3() {
+      return null;
+    }
+  }
+}
+
+class AnotherNonRootResourceClassJakarta { // $ NonRootResourceClass
+  public AnotherNonRootResourceClassJakarta() {
+  }
+
+  public AnotherNonRootResourceClassJakarta(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  @Path("")
+  public void resourceMethodWithBeanParamParameter(@BeanParam FooJakarta FooJakarta) { // $ SubResourceLocator InjectionAnnotation
+  }
+}
+
+class FooJakarta {
+  FooJakarta() { // $ BeanParamConstructor
+  }
+
+  public FooJakarta( // $ BeanParamConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public FooJakarta(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+}
+
+class NotAResourceClass1Jakarta {
+}
+
+class NotAResourceClass2Jakarta {
+}
+
+class ExtendsJakartaRs1 extends JakartaRs1 {
+  @Override
+  int Get() { // $ ResourceMethod
+    return 1;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 1.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Produces("application/json") // $ ProducesAnnotation=application/json
+  @Override
+  void Options() {
+  }
+
+  @Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+  @Override
+  void Head() {
+  }
+
+}
+
+@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+class ExtendsJakartaRs1WithProducesAnnotation extends JakartaRs1 {
+  @Override
+  int Get() { // $ ResourceMethod=text/xml
+    return 2;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 2.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Override
+  void Options() { // $ ResourceMethod=text/xml
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JakartaRs2.java

@@ -0,0 +1,98 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.POST;
+import jakarta.ws.rs.DELETE;
+import jakarta.ws.rs.PUT;
+import jakarta.ws.rs.OPTIONS;
+import jakarta.ws.rs.HEAD;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.BeanParam;
+import jakarta.ws.rs.Consumes;
+import jakarta.ws.rs.CookieParam;
+import jakarta.ws.rs.FormParam;
+import jakarta.ws.rs.HeaderParam;
+import jakarta.ws.rs.MatrixParam;
+import jakarta.ws.rs.PathParam;
+import jakarta.ws.rs.QueryParam;
+import jakarta.ws.rs.client.Client;
+import jakarta.ws.rs.core.Context;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+class JakartaRs2 { // $ RootResourceClass
+  JakartaRs2() {
+  }
+
+  public JakartaRs2(// $ InjectableConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public JakartaRs2(@BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+
+  @BeanParam // $ InjectionAnnotation
+  int beanField; // $ InjectableField
+  @CookieParam("") // $ InjectionAnnotation
+  int cookieField; // $ InjectableField
+  @FormParam("") // $ InjectionAnnotation
+  int formField; // $ InjectableField
+  @HeaderParam("") // $ InjectionAnnotation
+  int headerField; // $ InjectableField
+  @MatrixParam("") // $ InjectionAnnotation
+  int matrixField; // $ InjectableField
+  @PathParam("") // $ InjectionAnnotation
+  int pathField; // $ InjectableField
+  @QueryParam("") // $ InjectionAnnotation
+  int queryField; // $ InjectableField
+  @Context // $ InjectionAnnotation
+  int context; // $ InjectableField
+  int fieldWithoutAnnotation;
+}
+
+class CustomUnmarshallerJakarta implements MessageBodyReader {
+
+  @Override
+  public boolean isReadable(Class aClass, Type type, Annotation[] annotations, MediaType mediaType) {
+    return true;
+  }
+
+
+  @Override
+  public Object readFrom(Class aClass, Type type, Annotation[] annotations, MediaType mediaType, MultivaluedMap multivaluedMap, InputStream inputStream) {
+    return null;
+  }
+}
+
+class MiscellaneousJakarta {
+  @Consumes("") // $ ConsumesAnnotation
+  public static void miscellaneousJakarta() throws IOException {
+    Response.ResponseBuilder responseBuilder = Response.accepted(); // $ ResponseBuilderDeclaration
+    Response response = responseBuilder.build(); // $ ResponseDeclaration
+    Client client; // $ ClientDeclaration
+    MessageBodyReader<String> messageBodyReader = null; // $ MessageBodyReaderDeclaration
+    messageBodyReader.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadFromCall MessageBodyReaderReadCall
+    CustomUnmarshallerJakarta CustomUnmarshallerJakarta = null;
+    CustomUnmarshallerJakarta.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadCall
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java

@@ -0,0 +1,410 @@
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import jakarta.ws.rs.core.AbstractMultivaluedMap;
+import jakarta.ws.rs.core.CacheControl;
+import jakarta.ws.rs.core.Cookie;
+import jakarta.ws.rs.core.EntityTag;
+import jakarta.ws.rs.core.Form;
+import jakarta.ws.rs.core.GenericEntity;
+import jakarta.ws.rs.core.HttpHeaders;
+import jakarta.ws.rs.core.Link;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedHashMap;
+import jakarta.ws.rs.core.MultivaluedMap;
+import jakarta.ws.rs.core.NewCookie;
+import jakarta.ws.rs.core.PathSegment;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.UriBuilder;
+import jakarta.ws.rs.core.UriInfo;
+import jakarta.ws.rs.core.Variant;
+
+public class JakartaRsFlow {
+  String taint() { return "tainted"; }
+
+  private static class ResponseSource {
+    static Response taint() { return null; }
+  }
+
+  private static class ResponseBuilderSource {
+    static Response.ResponseBuilder taint() { return Response.noContent(); }
+  }
+
+  private static class IntSource {
+    static int taint() { return 0; }
+  }
+
+  private static class BooleanSource {
+    static boolean taint() { return false; }
+  }
+
+  private static class DateSource {
+    static Date taint() { return null; }
+  }
+
+  private static class SetStringSource {
+    static Set<String> taint() { return new HashSet<String>(); }
+  }
+
+  static HttpHeaders taint(HttpHeaders h) { return h; }
+
+  static PathSegment taint(PathSegment ps) { return ps; }
+
+  static UriInfo taint(UriInfo ui) { return ui; }
+  
+  static Map taint(Map m) { return m; }
+  
+  static Link taint(Link l) { return l; }
+  
+  static Class taint(Class c) { return c; }
+
+  private static class UriSource {
+    static URI taint() throws Exception { return new URI(""); }
+  }
+
+  void sink(Object o) {}
+
+  void testResponse() {
+    sink(Response.accepted(taint())); // $ hasTaintFlow
+    sink(Response.fromResponse(ResponseSource.taint())); // $ hasTaintFlow
+    sink(Response.ok(taint())); // $ hasTaintFlow
+    sink(Response.ok(taint(), new MediaType())); // $ hasTaintFlow
+    sink(Response.ok(taint(), "type")); // $ hasTaintFlow
+    sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $ hasTaintFlow
+  }
+
+  void testResponseBuilder(MultivaluedMap<String,Object> multivaluedMap, List<Variant> list) throws Exception {
+    sink(ResponseBuilderSource.taint().build()); // $ hasTaintFlow
+    sink(Response.noContent().entity(taint())); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().allow(new HashSet<String>())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().clone()); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cookie()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().encoding("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().entity("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().expires(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().header("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().language("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().lastModified(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().links()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().location(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().status(400)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().type("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants(list)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants()); // $ hasValueFlow
+  }
+
+  void testHttpHeaders(HttpHeaders h) {
+    sink(taint(h).getAcceptableLanguages()); // $ hasTaintFlow
+    sink(taint(h).getAcceptableMediaTypes()); // $ hasTaintFlow
+    sink(taint(h).getCookies()); // $ hasTaintFlow
+    sink(taint(h).getHeaderString("")); // $ hasTaintFlow
+    sink(taint(h).getLanguage()); // $ hasTaintFlow
+    sink(taint(h).getMediaType()); // $ hasTaintFlow
+    sink(taint(h).getRequestHeader("")); // $ hasTaintFlow
+    sink(taint(h).getRequestHeaders()); // $ hasTaintFlow
+  }
+
+  void testMultivaluedMapAdd(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.add(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.add("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddAll(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2, MultivaluedMap<String, String> mm3) {
+    mm1.addAll(taint(), "a", "b");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    List<String> l = new ArrayList<String>();
+    l.add(taint());
+    mm2.addAll("key", l);
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    mm3.addAll("key", "a", taint());
+    sink(mm3.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddFirst(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.addFirst(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.addFirst("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    sink(mm2.getFirst("key")); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapputSingle(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.putSingle(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.putSingle("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  class MyAbstractMultivaluedMapJak<K, V> extends AbstractMultivaluedMap<K, V> {
+    public MyAbstractMultivaluedMapJak(Map<K, List<V>> map) {
+        super(map);
+    }
+  }
+
+  void testAbstractMultivaluedMap(Map<String, List<String>> map1, Map<String, List<String>> map2, List<String> list) {
+    map1.put(taint(), list);
+    AbstractMultivaluedMap<String, String> amm1 = new MyAbstractMultivaluedMapJak<String, String>(map1);
+    sink(amm1.keySet().iterator().next()); // $  MISSING: hasValueFlow
+
+    list.add(taint());
+    map2.put("key", list);
+    AbstractMultivaluedMap<String, String> amm2 = new MyAbstractMultivaluedMapJak<String, String>(map2);
+    sink(amm2.get("key").get(0)); // $  MISSING: hasValueFlow SPURIOUS: hasTaintFlow
+  }
+
+  void testMultivaluedHashMap(Map<String, String> map1, Map<String, String> map2,
+      MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    map1.put(taint(), "value");
+    MultivaluedHashMap<String, String> mhm1 = new MultivaluedHashMap<String, String>(map1);
+    sink(mhm1.keySet().iterator().next()); // $ hasValueFlow
+
+    map2.put("key", taint());
+    MultivaluedHashMap<String, String> mhm2 = new MultivaluedHashMap<String, String>(map2);
+    sink(mhm2.get("key").get(0)); // $ hasValueFlow
+
+    mm1.add(taint(), "value");
+    MultivaluedHashMap<String, String> mhm3 = new MultivaluedHashMap<String, String>(mm1);
+    sink(mhm3.keySet().iterator().next()); // $ hasValueFlow
+
+    mm2.add("key", taint());
+    MultivaluedHashMap<String, String> mhm4 = new MultivaluedHashMap<String, String>(mm2);
+    sink(mhm4.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testPathSegment(PathSegment ps1, PathSegment ps2) {
+    sink(taint(ps1).getMatrixParameters()); // $ hasTaintFlow
+    sink(taint(ps2).getPath()); // $ hasTaintFlow
+  }
+
+  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
+    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
+    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  }
+
+  void testCookie() {
+    sink(new Cookie(taint(), "", "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint(), 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", "", IntSource.taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "", "", "")); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "")); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getDomain()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getName()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getPath()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getValue()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getVersion()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).toString()); // $ hasTaintFlow
+  }
+
+  void testNewCookie() {
+    sink(new NewCookie(Cookie.valueOf(taint()))); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "")); // $ hasTaintFlow
+    sink(new NewCookie("", taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(NewCookie.valueOf(taint()).getComment()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getExpiry()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getMaxAge()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).toCookie()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testForm(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    sink(new Form(taint(), "")); // $ hasTaintFlow
+    sink(new Form("", taint())); // $ hasTaintFlow
+    mm1.add(taint(), "value");
+    sink(new Form(mm1)); // $ hasTaintFlow
+    mm2.add("key", taint());
+    sink(new Form(mm2)); // $ hasTaintFlow
+    Form f1 = new Form(taint(), "");
+    sink(f1.asMap()); // $ hasTaintFlow
+    Form f2 = new Form();
+    sink(f2.param(taint(), "b")); // $ hasTaintFlow
+    Form f3 = new Form();
+    sink(f3.param("a", taint())); // $ hasTaintFlow
+    Form f4 = new Form(taint(), "");
+    sink(f4.param("a", "b")); // $ hasTaintFlow
+  }
+
+  void testGenericEntity() {
+    Method m = DummyJakarta.class.getMethods()[0];
+    GenericEntity<Set<String>> ge = new GenericEntity<Set<String>>(SetStringSource.taint(), m.getGenericReturnType());
+    sink(ge); // $ hasTaintFlow
+    sink(ge.getEntity()); // $ hasTaintFlow
+  }
+
+  void testMediaType(Map<String, String> m) {
+    sink(new MediaType(taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", taint())); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", m)); // $ hasTaintFlow
+    sink(new MediaType("", taint(), m)); // $ hasTaintFlow
+    sink(new MediaType("", "", taint(m))); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", "")); // $ hasTaintFlow
+    sink(new MediaType("", taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", "", taint())); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getParameters()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getSubtype()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getType()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testUriBuilder() throws Exception {
+    sink(UriBuilder.fromPath("").build(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build(taint(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("", false)); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap<String, String>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
+    
+    sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow
+    sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromUri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").host(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).host("")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(taint(DummyJakarta.class))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(DummyJakarta.class, taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).path(DummyJakarta.class)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replacePath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replacePath("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQuery(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap<String, Object>())); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").scheme(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).scheme("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).segment("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).toTemplate()); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").uri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").userInfo(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).userInfo("")); // $ hasTaintFlow
+  }
+}
+
+class DummyJakarta {
+  private static Set<String> foo() { return null; }
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxRs.ql

@@ -0,0 +1,155 @@
+import java
+import semmle.code.java.frameworks.JaxWS
+import semmle.code.java.security.XSS
+import TestUtilities.InlineExpectationsTest
+
+class JaxRsTest extends InlineExpectationsTest {
+  JaxRsTest() { this = "JaxRsTest" }
+
+  override string getARelevantTag() {
+    result =
+      [
+        "ResourceMethod", "RootResourceClass", "NonRootResourceClass",
+        "ResourceMethodOnResourceClass", "InjectableConstructor", "InjectableField",
+        "InjectionAnnotation", "ResponseDeclaration", "ResponseBuilderDeclaration",
+        "ClientDeclaration", "BeanParamConstructor", "MessageBodyReaderDeclaration",
+        "MessageBodyReaderReadFromCall", "MessageBodyReaderReadCall", "ProducesAnnotation",
+        "ConsumesAnnotation"
+      ]
+  }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "ResourceMethod" and
+    exists(JaxRsResourceMethod resourceMethod |
+      resourceMethod.getLocation() = location and
+      element = resourceMethod.toString() and
+      if exists(resourceMethod.getProducesAnnotation())
+      then value = resourceMethod.getProducesAnnotation().getADeclaredContentType()
+      else value = ""
+    )
+    or
+    tag = "RootResourceClass" and
+    exists(JaxRsResourceClass resourceClass |
+      resourceClass.isRootResource() and
+      resourceClass.getLocation() = location and
+      element = resourceClass.toString() and
+      value = ""
+    )
+    or
+    tag = "NonRootResourceClass" and
+    exists(JaxRsResourceClass resourceClass |
+      not resourceClass.isRootResource() and
+      resourceClass.getLocation() = location and
+      element = resourceClass.toString() and
+      value = ""
+    )
+    or
+    tag = "ResourceMethodOnResourceClass" and
+    exists(JaxRsResourceMethod resourceMethod |
+      resourceMethod = any(JaxRsResourceClass ResourceClass).getAResourceMethod()
+    |
+      resourceMethod.getLocation() = location and
+      element = resourceMethod.toString() and
+      value = ""
+    )
+    or
+    tag = "InjectableConstructor" and
+    exists(Constructor cons |
+      cons = any(JaxRsResourceClass resourceClass).getAnInjectableConstructor()
+    |
+      cons.getLocation() = location and
+      element = cons.toString() and
+      value = ""
+    )
+    or
+    tag = "InjectableField" and
+    exists(Field field | field = any(JaxRsResourceClass resourceClass).getAnInjectableField() |
+      field.getLocation() = location and
+      element = field.toString() and
+      value = ""
+    )
+    or
+    tag = "InjectionAnnotation" and
+    exists(JaxRsInjectionAnnotation injectionAnnotation |
+      injectionAnnotation.getLocation() = location and
+      element = injectionAnnotation.toString() and
+      value = ""
+    )
+    or
+    tag = "ResponseDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType() instanceof JaxRsResponse and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "ResponseBuilderDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType() instanceof JaxRsResponseBuilder and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "ClientDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType() instanceof JaxRsClient and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "BeanParamConstructor" and
+    exists(JaxRsBeanParamConstructor cons |
+      cons.getLocation() = location and
+      element = cons.toString() and
+      value = ""
+    )
+    or
+    tag = "MessageBodyReaderDeclaration" and
+    exists(LocalVariableDecl decl |
+      decl.getType().(RefType).getSourceDeclaration() instanceof MessageBodyReader and
+      decl.getLocation() = location and
+      element = decl.toString() and
+      value = ""
+    )
+    or
+    tag = "MessageBodyReaderReadFromCall" and
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof MessageBodyReaderReadFrom and
+      ma.getLocation() = location and
+      element = ma.toString() and
+      value = ""
+    )
+    or
+    tag = "MessageBodyReaderReadCall" and
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof MessageBodyReaderRead and
+      ma.getLocation() = location and
+      element = ma.toString() and
+      value = ""
+    )
+    or
+    tag = "ProducesAnnotation" and
+    exists(JaxRSProducesAnnotation producesAnnotation |
+      producesAnnotation.getLocation() = location and
+      element = producesAnnotation.toString() and
+      value = producesAnnotation.getADeclaredContentType()
+    )
+    or
+    tag = "ConsumesAnnotation" and
+    exists(JaxRSConsumesAnnotation consumesAnnotation |
+      consumesAnnotation.getLocation() = location and
+      element = consumesAnnotation.toString() and
+      value = ""
+    )
+    or
+    tag = "XssSink" and
+    exists(XssSink xssSink |
+      xssSink.getLocation() = location and
+      element = xssSink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxRs1.java

@@ -0,0 +1,215 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.PUT;
+import javax.ws.rs.OPTIONS;
+import javax.ws.rs.HEAD;
+import javax.ws.rs.Path;
+import javax.ws.rs.BeanParam;
+import javax.ws.rs.CookieParam;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.MatrixParam;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+public class JaxRs1 { // $ RootResourceClass
+  public JaxRs1() { // $ InjectableConstructor
+  }
+
+  @GET
+  int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+    return 0; // $ XssSink
+  }
+
+  @POST
+  void Post() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Produces("text/plain") // $ ProducesAnnotation=text/plain
+  @DELETE
+  double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+    return 0.0; // $ XssSink
+  }
+
+  @Produces(MediaType.TEXT_HTML) // $ ProducesAnnotation=text/html
+  @PUT
+  void Put() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+  }
+
+  @OPTIONS
+  void Options() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @HEAD
+  void Head() { // $ ResourceMethod ResourceMethodOnResourceClass
+  }
+
+  @Path("")
+  NonRootResourceClass subResourceLocator() { // $ SubResourceLocator
+    return null;
+  }
+
+  public class NonRootResourceClass { // $ NonRootResourceClass
+    @GET
+    int Get() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return 0; // $ XssSink
+    }
+
+    @Produces("text/html") // $ ProducesAnnotation=text/html
+    @POST
+    boolean Post() { // $ ResourceMethod=text/html ResourceMethodOnResourceClass
+      return false;
+    }
+
+    @Produces(MediaType.TEXT_PLAIN) // $ ProducesAnnotation=text/plain
+    @DELETE
+    double Delete() { // $ ResourceMethod=text/plain ResourceMethodOnResourceClass
+      return 0.0; // $ XssSink
+    }
+
+    @Path("")
+    AnotherNonRootResourceClass subResourceLocator1() { // $ SubResourceLocator
+      return null;
+    }
+
+    @GET
+    @Path("")
+    NotAResourceClass1 NotASubResourceLocator1() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    @GET
+    NotAResourceClass2 NotASubResourceLocator2() { // $ ResourceMethod ResourceMethodOnResourceClass
+      return null; // $ XssSink
+    }
+
+    NotAResourceClass2 NotASubResourceLocator3() {
+      return null;
+    }
+  }
+}
+
+class AnotherNonRootResourceClass { // $ NonRootResourceClass
+  public AnotherNonRootResourceClass() {
+  }
+
+  public AnotherNonRootResourceClass(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  @Path("")
+  public void resourceMethodWithBeanParamParameter(@BeanParam Foo foo) { // $ SubResourceLocator InjectionAnnotation
+  }
+}
+
+class Foo {
+  Foo() { // $ BeanParamConstructor
+  }
+
+  public Foo( // $ BeanParamConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public Foo(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+}
+
+class NotAResourceClass1 {
+}
+
+class NotAResourceClass2 {
+}
+
+class ExtendsJaxRs1 extends JaxRs1 {
+  @Override
+  int Get() { // $ ResourceMethod
+    return 1;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 1.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Produces("application/json") // $ ProducesAnnotation=application/json
+  @Override
+  void Options() {
+  }
+
+  @Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+  @Override
+  void Head() {
+  }
+
+}
+
+@Produces(MediaType.TEXT_XML) // $ ProducesAnnotation=text/xml
+class ExtendsJaxRs1WithProducesAnnotation extends JaxRs1 {
+  @Override
+  int Get() { // $ ResourceMethod=text/xml
+    return 2;
+  }
+  
+  @Override
+  @QueryParam("") // $ InjectionAnnotation
+  void Post() {
+  }
+
+  @Override
+  double Delete() { // $ ResourceMethod=text/plain
+    return 2.0;
+  }
+
+  @Override
+  void Put() { // $ ResourceMethod=text/html
+  }
+
+  @Override
+  void Options() { // $ ResourceMethod=text/xml
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxRs2.java

@@ -0,0 +1,99 @@
+import java.io.InputStream;
+import java.io.IOException;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.PUT;
+import javax.ws.rs.OPTIONS;
+import javax.ws.rs.HEAD;
+import javax.ws.rs.Path;
+import javax.ws.rs.BeanParam;
+import javax.ws.rs.Consumes;
+import javax.ws.rs.CookieParam;
+import javax.ws.rs.FormParam;
+import javax.ws.rs.HeaderParam;
+import javax.ws.rs.MatrixParam;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.client.Client;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.MessageBodyReader;
+
+@Path("")
+class JaxRs2 { // $ RootResourceClass
+  JaxRs2() {
+  }
+
+  public JaxRs2(// $ InjectableConstructor
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context) { // $ InjectionAnnotation
+  }
+
+  public JaxRs2(
+      @BeanParam int beanParam, // $ InjectionAnnotation
+      @CookieParam("") int cookieParam, // $ InjectionAnnotation
+      @FormParam("") int formParam, // $ InjectionAnnotation
+      @HeaderParam("") int headerParam, // $ InjectionAnnotation
+      @MatrixParam("") int matrixParam, // $ InjectionAnnotation
+      @PathParam("") int pathParam, // $ InjectionAnnotation
+      @QueryParam("") int queryParam, // $ InjectionAnnotation
+      @Context int context, // $ InjectionAnnotation
+      int paramWithoutAnnotation) {
+  }
+
+  @BeanParam // $ InjectionAnnotation
+  int beanField; // $ InjectableField
+  @CookieParam("") // $ InjectionAnnotation
+  int cookieField; // $ InjectableField
+  @FormParam("") // $ InjectionAnnotation
+  int formField; // $ InjectableField
+  @HeaderParam("") // $ InjectionAnnotation
+  int headerField; // $ InjectableField
+  @MatrixParam("") // $ InjectionAnnotation
+  int matrixField; // $ InjectableField
+  @PathParam("") // $ InjectionAnnotation
+  int pathField; // $ InjectableField
+  @QueryParam("") // $ InjectionAnnotation
+  int queryField; // $ InjectableField
+  @Context // $ InjectionAnnotation
+  int context; // $ InjectableField
+  int fieldWithoutAnnotation;
+}
+
+class CustomUnmarshaller implements MessageBodyReader {
+
+  @Override
+  public boolean isReadable(Class aClass, Type type, Annotation[] annotations, MediaType mediaType) {
+    return true;
+  }
+
+
+  @Override
+  public Object readFrom(Class aClass, Type type, Annotation[] annotations, MediaType mediaType, MultivaluedMap multivaluedMap, InputStream inputStream) {
+    return null;
+  }
+}
+
+class Miscellaneous {
+  @Consumes("") // $ ConsumesAnnotation
+  public static void miscellaneous() throws IOException {
+    Response.ResponseBuilder responseBuilder = Response.accepted(); // $ ResponseBuilderDeclaration
+    Response response = responseBuilder.build(); // $ ResponseDeclaration
+    Client client; // $ ClientDeclaration
+    MessageBodyReader<String> messageBodyReader = null; // $ MessageBodyReaderDeclaration
+    messageBodyReader.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadFromCall MessageBodyReaderReadCall
+    CustomUnmarshaller customUnmarshaller = null;
+    customUnmarshaller.readFrom(null, null, null, null, null, null); // $ MessageBodyReaderReadCall
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java

@@ -0,0 +1,410 @@
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.ws.rs.core.AbstractMultivaluedMap;
+import javax.ws.rs.core.CacheControl;
+import javax.ws.rs.core.Cookie;
+import javax.ws.rs.core.EntityTag;
+import javax.ws.rs.core.Form;
+import javax.ws.rs.core.GenericEntity;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.Link;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedHashMap;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.NewCookie;
+import javax.ws.rs.core.PathSegment;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriBuilder;
+import javax.ws.rs.core.UriInfo;
+import javax.ws.rs.core.Variant;
+
+public class JaxRsFlow {
+  String taint() { return "tainted"; }
+
+  private static class ResponseSource {
+    static Response taint() { return null; }
+  }
+
+  private static class ResponseBuilderSource {
+    static Response.ResponseBuilder taint() { return Response.noContent(); }
+  }
+
+  private static class IntSource {
+    static int taint() { return 0; }
+  }
+
+  private static class BooleanSource {
+    static boolean taint() { return false; }
+  }
+
+  private static class DateSource {
+    static Date taint() { return null; }
+  }
+
+  private static class SetStringSource {
+    static Set<String> taint() { return new HashSet<String>(); }
+  }
+
+  static HttpHeaders taint(HttpHeaders h) { return h; }
+
+  static PathSegment taint(PathSegment ps) { return ps; }
+
+  static UriInfo taint(UriInfo ui) { return ui; }
+  
+  static Map taint(Map m) { return m; }
+  
+  static Link taint(Link l) { return l; }
+  
+  static Class taint(Class c) { return c; }
+
+  private static class UriSource {
+    static URI taint() throws Exception { return new URI(""); }
+  }
+
+  void sink(Object o) {}
+
+  void testResponse() {
+    sink(Response.accepted(taint())); // $ hasTaintFlow
+    sink(Response.fromResponse(ResponseSource.taint())); // $ hasTaintFlow
+    sink(Response.ok(taint())); // $ hasTaintFlow
+    sink(Response.ok(taint(), new MediaType())); // $ hasTaintFlow
+    sink(Response.ok(taint(), "type")); // $ hasTaintFlow
+    sink(Response.ok(taint(), new Variant(new MediaType(), "", ""))); // $ hasTaintFlow
+  }
+
+  void testResponseBuilder(MultivaluedMap<String,Object> multivaluedMap, List<Variant> list) throws Exception {
+    sink(ResponseBuilderSource.taint().build()); // $ hasTaintFlow
+    sink(Response.noContent().entity(taint())); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().allow(new HashSet<String>())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cacheControl(new CacheControl())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().clone()); // $ hasTaintFlow
+    sink(ResponseBuilderSource.taint().contentLocation(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().cookie()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().encoding("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().entity("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().expires(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().header("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().language("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().lastModified(new Date())); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link("", "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().link(new URI(""), "")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().links()); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().location(new URI(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().replaceAll(multivaluedMap)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().status(400)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag(new EntityTag(""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().tag("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().type("")); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variant(new Variant(new MediaType(), "", ""))); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants(list)); // $ hasValueFlow
+    sink(ResponseBuilderSource.taint().variants()); // $ hasValueFlow
+  }
+
+  void testHttpHeaders(HttpHeaders h) {
+    sink(taint(h).getAcceptableLanguages()); // $ hasTaintFlow
+    sink(taint(h).getAcceptableMediaTypes()); // $ hasTaintFlow
+    sink(taint(h).getCookies()); // $ hasTaintFlow
+    sink(taint(h).getHeaderString("")); // $ hasTaintFlow
+    sink(taint(h).getLanguage()); // $ hasTaintFlow
+    sink(taint(h).getMediaType()); // $ hasTaintFlow
+    sink(taint(h).getRequestHeader("")); // $ hasTaintFlow
+    sink(taint(h).getRequestHeaders()); // $ hasTaintFlow
+  }
+
+  void testMultivaluedMapAdd(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.add(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.add("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddAll(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2, MultivaluedMap<String, String> mm3) {
+    mm1.addAll(taint(), "a", "b");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    List<String> l = new ArrayList<String>();
+    l.add(taint());
+    mm2.addAll("key", l);
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    mm3.addAll("key", "a", taint());
+    sink(mm3.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapAddFirst(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.addFirst(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.addFirst("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+    sink(mm2.getFirst("key")); // $ hasValueFlow
+  }
+
+  void testMultivaluedMapputSingle(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    mm1.putSingle(taint(), "value");
+    sink(mm1.keySet().iterator().next()); // $ hasValueFlow
+    mm2.putSingle("key", taint());
+    sink(mm2.get("key").get(0)); // $ hasValueFlow
+  }
+
+  class MyAbstractMultivaluedMap<K, V> extends AbstractMultivaluedMap<K, V> {
+    public MyAbstractMultivaluedMap(Map<K, List<V>> map) {
+        super(map);
+    }
+  }
+
+  void testAbstractMultivaluedMap(Map<String, List<String>> map1, Map<String, List<String>> map2, List<String> list) {
+    map1.put(taint(), list);
+    AbstractMultivaluedMap<String, String> amm1 = new MyAbstractMultivaluedMap<String, String>(map1);
+    sink(amm1.keySet().iterator().next()); // $  MISSING: hasValueFlow
+
+    list.add(taint());
+    map2.put("key", list);
+    AbstractMultivaluedMap<String, String> amm2 = new MyAbstractMultivaluedMap<String, String>(map2);
+    sink(amm2.get("key").get(0)); // $  MISSING: hasValueFlow SPURIOUS: hasTaintFlow
+  }
+
+  void testMultivaluedHashMap(Map<String, String> map1, Map<String, String> map2,
+      MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    map1.put(taint(), "value");
+    MultivaluedHashMap<String, String> mhm1 = new MultivaluedHashMap<String, String>(map1);
+    sink(mhm1.keySet().iterator().next()); // $ hasValueFlow
+
+    map2.put("key", taint());
+    MultivaluedHashMap<String, String> mhm2 = new MultivaluedHashMap<String, String>(map2);
+    sink(mhm2.get("key").get(0)); // $ hasValueFlow
+
+    mm1.add(taint(), "value");
+    MultivaluedHashMap<String, String> mhm3 = new MultivaluedHashMap<String, String>(mm1);
+    sink(mhm3.keySet().iterator().next()); // $ hasValueFlow
+
+    mm2.add("key", taint());
+    MultivaluedHashMap<String, String> mhm4 = new MultivaluedHashMap<String, String>(mm2);
+    sink(mhm4.get("key").get(0)); // $ hasValueFlow
+  }
+
+  void testPathSegment(PathSegment ps1, PathSegment ps2) {
+    sink(taint(ps1).getMatrixParameters()); // $ hasTaintFlow
+    sink(taint(ps2).getPath()); // $ hasTaintFlow
+  }
+
+  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
+    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
+    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
+    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  }
+
+  void testCookie() {
+    sink(new Cookie(taint(), "", "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "", 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint(), 0)); // $ hasTaintFlow
+    sink(new Cookie("", "", "", "", IntSource.taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "", "", "")); // $ hasTaintFlow
+    sink(new Cookie("", taint(), "", "")); // $ hasTaintFlow
+    sink(new Cookie("", "", taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", "", "", taint())); // $ hasTaintFlow
+    sink(new Cookie(taint(), "")); // $ hasTaintFlow
+    sink(new Cookie("", taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint())); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getDomain()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getName()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getPath()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getValue()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).getVersion()); // $ hasTaintFlow
+    sink(Cookie.valueOf(taint()).toString()); // $ hasTaintFlow
+  }
+
+  void testNewCookie() {
+    sink(new NewCookie(Cookie.valueOf(taint()))); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(Cookie.valueOf(taint()), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie(Cookie.valueOf(""), "", 0, new Date(), true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "")); // $ hasTaintFlow
+    sink(new NewCookie("", taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", 0, "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", 0, "", 0, new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", 0, "", 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), 0, "", 0, new Date(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", IntSource.taint(), "", 0, new Date(), true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, taint(), 0, new Date(), true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", IntSource.taint(), new Date(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, DateSource.taint(), false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), BooleanSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", 0, "", 0, new Date(), false, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(new NewCookie(taint(), "", "", "", "", 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", taint(), "", "", "", 0, false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", taint(), "", "", 0, true, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", taint(), "", 0, false, false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", taint(), 0, true, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", IntSource.taint(), false, true)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, BooleanSource.taint(), false)); // $ hasTaintFlow
+    sink(new NewCookie("", "", "", "", "", 0, true, BooleanSource.taint())); // $ hasTaintFlow
+
+    sink(NewCookie.valueOf(taint()).getComment()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getExpiry()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).getMaxAge()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint()).toCookie()); // $ hasTaintFlow
+    sink(NewCookie.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testForm(MultivaluedMap<String, String> mm1, MultivaluedMap<String, String> mm2) {
+    sink(new Form(taint(), "")); // $ hasTaintFlow
+    sink(new Form("", taint())); // $ hasTaintFlow
+    mm1.add(taint(), "value");
+    sink(new Form(mm1)); // $ hasTaintFlow
+    mm2.add("key", taint());
+    sink(new Form(mm2)); // $ hasTaintFlow
+    Form f1 = new Form(taint(), "");
+    sink(f1.asMap()); // $ hasTaintFlow
+    Form f2 = new Form();
+    sink(f2.param(taint(), "b")); // $ hasTaintFlow
+    Form f3 = new Form();
+    sink(f3.param("a", taint())); // $ hasTaintFlow
+    Form f4 = new Form(taint(), "");
+    sink(f4.param("a", "b")); // $ hasTaintFlow
+  }
+
+  void testGenericEntity() {
+    Method m = Dummy.class.getMethods()[0];
+    GenericEntity<Set<String>> ge = new GenericEntity<Set<String>>(SetStringSource.taint(), m.getGenericReturnType());
+    sink(ge); // $ hasTaintFlow
+    sink(ge.getEntity()); // $ hasTaintFlow
+  }
+
+  void testMediaType(Map<String, String> m) {
+    sink(new MediaType(taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", taint())); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", m)); // $ hasTaintFlow
+    sink(new MediaType("", taint(), m)); // $ hasTaintFlow
+    sink(new MediaType("", "", taint(m))); // $ hasTaintFlow
+    sink(new MediaType(taint(), "", "")); // $ hasTaintFlow
+    sink(new MediaType("", taint(), "")); // $ hasTaintFlow
+    sink(new MediaType("", "", taint())); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getParameters()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getSubtype()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint()).getType()); // $ hasTaintFlow
+    sink(MediaType.valueOf(taint())); // $ hasTaintFlow
+  }
+
+  void testUriBuilder() throws Exception {
+    sink(UriBuilder.fromPath("").build(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build(taint(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").build("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).build("", false)); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").buildFromEncoded(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncoded("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromEncodedMap(taint(new HashMap<String, String>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
+    
+    sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow
+    sink(UriBuilder.fromLink(taint(Link.valueOf("")))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromUri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").host(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).host("")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").matrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").matrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).matrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(taint(Dummy.class))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").path(Dummy.class, taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).path(Dummy.class)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").queryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).queryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").replaceMatrix(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrix("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceMatrixParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceMatrixParam("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replacePath(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replacePath("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQuery(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQuery("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").replaceQueryParam("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).replaceQueryParam("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate(taint(), "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplate("", taint(), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplate("", "", false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplateFromEncoded("", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplateFromEncoded("", "")); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplates(taint(new HashMap<String, Object>()), true)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplates(new HashMap<String, Object>(), false)); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").resolveTemplatesFromEncoded(taint(new HashMap<String, Object>()))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).resolveTemplatesFromEncoded(new HashMap<String, Object>())); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").scheme(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).scheme("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").schemeSpecificPart(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).schemeSpecificPart("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment(taint(), "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").segment("", "", taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).segment("", "")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).toTemplate()); // $ hasTaintFlow
+
+    sink(UriBuilder.fromPath("").uri(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri("")); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").uri(UriSource.taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).uri(new URI(""))); // $ hasTaintFlow
+    sink(UriBuilder.fromPath("").userInfo(taint())); // $ hasTaintFlow
+    sink(UriBuilder.fromPath(taint()).userInfo("")); // $ hasTaintFlow
+  }
+}
+
+class Dummy {
+  private static Set<String> foo() { return null; }
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.ql

@@ -0,0 +1,50 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:frameworks:jax-rs-taint" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:frameworks:jax-rs-value" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasTaintFlow", "hasValueFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
+      not any(ValueFlowConf vconf).hasFlow(src, sink) and
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.java

@@ -0,0 +1,44 @@
+import javax.jws.WebMethod;
+import javax.jws.WebService;
+import javax.xml.ws.WebEndpoint;
+import javax.xml.ws.WebServiceClient;
+import javax.xml.ws.WebServiceProvider;
+
+@WebService
+class WebServiceClass { // $ JaxWsEndpoint
+
+  @WebMethod
+  void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+  @WebEndpoint
+  void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+}
+
+@WebServiceProvider
+class WebServiceProviderClass { // $ JaxWsEndpoint
+
+  @WebMethod
+  void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+  @WebEndpoint
+  void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+}
+
+@WebServiceClient
+class WebServiceClientClass { // $ JaxWsEndpoint
+
+  @WebMethod
+  void WebMethodMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+  @WebEndpoint
+  void WebEndpointMethod() { // $ JaxWsEndpointRemoteMethod
+  }
+
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxWsEndpoint.ql

@@ -0,0 +1,27 @@
+import java
+import semmle.code.java.frameworks.JaxWS
+import TestUtilities.InlineExpectationsTest
+
+class JaxWsEndpointTest extends InlineExpectationsTest {
+  JaxWsEndpointTest() { this = "JaxWsEndpointTest" }
+
+  override string getARelevantTag() { result = ["JaxWsEndpoint", "JaxWsEndpointRemoteMethod"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "JaxWsEndpoint" and
+    exists(JaxWsEndpoint jaxWsEndpoint |
+      jaxWsEndpoint.getLocation() = location and
+      element = jaxWsEndpoint.toString() and
+      value = ""
+    )
+    or
+    tag = "JaxWsEndpointRemoteMethod" and
+    exists(Callable remoteMethod |
+      remoteMethod = any(JaxWsEndpoint jaxWsEndpoint).getARemoteMethod()
+    |
+      remoteMethod.getLocation() = location and
+      element = remoteMethod.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.expected

@@ -0,0 +1,19 @@
+edges
+| UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJakarta.java:10:24:10:62 | new URI(...) |
+| UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJakarta.java:13:33:13:71 | new URI(...) |
+| UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJax.java:10:24:10:62 | new URI(...) |
+| UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJax.java:13:33:13:71 | new URI(...) |
+nodes
+| UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UrlRedirectJax.java:10:24:10:62 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| UrlRedirectJax.java:13:33:13:71 | new URI(...) | semmle.label | new URI(...) |
+| UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+#select
+| UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJakarta.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJakarta.java:10:32:10:61 | getParameter(...) | user-provided value |
+| UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJakarta.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJakarta.java:13:41:13:70 | getParameter(...) | user-provided value |
+| UrlRedirectJax.java:10:24:10:62 | new URI(...) | UrlRedirectJax.java:10:32:10:61 | getParameter(...) : String | UrlRedirectJax.java:10:24:10:62 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJax.java:10:32:10:61 | getParameter(...) | user-provided value |
+| UrlRedirectJax.java:13:33:13:71 | new URI(...) | UrlRedirectJax.java:13:41:13:70 | getParameter(...) : String | UrlRedirectJax.java:13:33:13:71 | new URI(...) | Potentially untrusted URL redirection due to $@. | UrlRedirectJax.java:13:41:13:70 | getParameter(...) | user-provided value |

java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-601/UrlRedirect.ql

java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java

@@ -0,0 +1,15 @@
+import java.io.IOException;
+import java.net.URI;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import jakarta.ws.rs.core.Response;
+
+public class UrlRedirectJakarta extends HttpServlet {
+	protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception {
+		// BAD
+		jaxResponse.seeOther(new URI(request.getParameter("target")));
+
+		// BAD
+		jaxResponse.temporaryRedirect(new URI(request.getParameter("target")));
+	}
+}

java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java

@@ -0,0 +1,15 @@
+import java.io.IOException;
+import java.net.URI;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.Response;
+
+public class UrlRedirectJax extends HttpServlet {
+	protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception {
+		// BAD
+		jaxResponse.seeOther(new URI(request.getParameter("target")));
+
+		// BAD
+		jaxResponse.temporaryRedirect(new URI(request.getParameter("target")));
+	}
+}

java/ql/test/library-tests/frameworks/JaxWs/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/jsr311-api-1.1.1:${testdir}/../../../stubs/jsr181-api:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/servlet-api-2.4

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/BeanParam.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2012, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface BeanParam {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Consumes.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface Consumes {
+    String[] value() default "*/*";
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/CookieParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface CookieParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/DELETE.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface DELETE {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/FormParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface FormParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/GET.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface GET {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HEAD.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface HEAD {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/HeaderParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface HeaderParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/MatrixParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface MatrixParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/OPTIONS.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface OPTIONS {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/POST.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface POST {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PUT.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface PUT {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Path.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface Path {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/PathParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface PathParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/Produces.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface Produces {
+    String[] value() default "*/*";
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/QueryParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs;
+
+public @interface QueryParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/client/Client.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.client;
+// import java.net.URI;
+import javax.ws.rs.core.Configurable;
+// import javax.ws.rs.core.Link;
+// import javax.ws.rs.core.UriBuilder;
+// import javax.net.ssl.HostnameVerifier;
+// import javax.net.ssl.SSLContext;
+
+public interface Client extends Configurable<Client> {
+    public void close();
+
+    // public WebTarget target(String uri);
+
+    // public WebTarget target(URI uri);
+
+    // public WebTarget target(UriBuilder uriBuilder);
+
+    // public WebTarget target(Link link);
+
+    // public Invocation.Builder invocation(Link link);
+
+    // public SSLContext getSslContext();
+
+    // public HostnameVerifier getHostnameVerifier();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/AbstractMultivaluedMap.java

@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2012, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class AbstractMultivaluedMap<K, V> implements MultivaluedMap<K, V> {
+    public AbstractMultivaluedMap(Map<K, List<V>> store) {
+    }
+
+    @Override
+    public final void putSingle(K key, V value) {
+    }
+
+    @Override
+    public final void add(K key, V value) {
+    }
+
+    @Override
+    public final void addAll(K key, V... newValues) {
+    }
+
+    @Override
+    public final void addAll(K key, List<V> valueList) {
+    }
+
+    @Override
+    public final V getFirst(K key) {
+      return null;
+    }
+
+    @Override
+    public final void addFirst(K key, V value) {
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+      return false;
+    }
+
+    @Override
+    public Collection<List<V>> values() {
+      return null;
+    }
+
+    @Override
+    public int size() {
+      return 0;
+    }
+
+    @Override
+    public List<V> remove(Object key) {
+      return null;
+    }
+
+    @Override
+    public void putAll(Map<? extends K, ? extends List<V>> m) {
+    }
+
+    @Override
+    public List<V> put(K key, List<V> value) {
+      return null;
+    }
+
+    @Override
+    public Set<K> keySet() {
+      return null;
+    }
+
+    @Override
+    public boolean isEmpty() {
+      return false;
+    }
+
+    @Override
+    public List<V> get(Object key) {
+      return null;
+    }
+
+    @Override
+    public Set<Entry<K, List<V>>> entrySet() {
+      return null;
+    }
+
+    @Override
+    public boolean containsValue(Object value) {
+      return false;
+    }
+
+    @Override
+    public boolean containsKey(Object key) {
+      return false;
+    }
+
+    @Override
+    public void clear() {
+    }
+
+    @Override
+    public boolean equalsIgnoreValueOrder(MultivaluedMap<K, V> omap) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/CacheControl.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public class CacheControl {
+    public CacheControl() {
+    }
+
+    public static CacheControl valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isMustRevalidate() {
+      return false;
+    }
+
+    public void setMustRevalidate(final boolean mustRevalidate) {
+    }
+
+    public boolean isProxyRevalidate() {
+      return false;
+    }
+
+    public void setProxyRevalidate(final boolean proxyRevalidate) {
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public void setMaxAge(final int maxAge) {
+    }
+
+    public int getSMaxAge() {
+      return 0;
+    }
+
+    public void setSMaxAge(final int sMaxAge) {
+    }
+
+    public List<String> getNoCacheFields() {
+      return null;
+    }
+
+    public void setNoCache(final boolean noCache) {
+    }
+
+    public boolean isNoCache() {
+      return false;
+    }
+
+    public boolean isPrivate() {
+      return false;
+    }
+
+    public List<String> getPrivateFields() {
+      return null;
+    }
+
+    public void setPrivate(final boolean flag) {
+    }
+
+    public boolean isNoTransform() {
+      return false;
+    }
+
+    public void setNoTransform(final boolean noTransform) {
+    }
+
+    public boolean isNoStore() {
+      return false;
+    }
+
+    public void setNoStore(final boolean noStore) {
+    }
+
+    public Map<String, String> getCacheExtension() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Configurable.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Map;
+
+public interface Configurable<C extends Configurable> {
+    // public Configuration getConfiguration();
+
+    public C property(String name, Object value);
+
+    public C register(Class<?> componentClass);
+
+    public C register(Class<?> componentClass, int priority);
+
+    public C register(Class<?> componentClass, Class<?>... contracts);
+
+    public C register(Class<?> componentClass, Map<Class<?>, Integer> contracts);
+
+    public C register(Object component);
+
+    public C register(Object component, int priority);
+
+    public C register(Object component, Class<?>... contracts);
+
+    public C register(Object component, Map<Class<?>, Integer> contracts);
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Context.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public @interface Context {
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Cookie.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class Cookie {
+    public Cookie(final String name, final String value, final String path, final String domain, final int version)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value, final String path, final String domain)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value)
+            throws IllegalArgumentException {
+    }
+
+    public static Cookie valueOf(final String value) {
+      return null;
+    }
+
+    public String getName() {
+      return null;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    public int getVersion() {
+      return 0;
+    }
+
+    public String getDomain() {
+      return null;
+    }
+
+    public String getPath() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/EntityTag.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class EntityTag {
+    public EntityTag(final String value) {
+    }
+
+    public EntityTag(final String value, final boolean weak) {
+    }
+
+    public static EntityTag valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isWeak() {
+      return false;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Form.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class Form {
+    public Form() {
+    }
+
+    public Form(final String parameterName, final String parameterValue) {
+    }
+
+    public Form(final MultivaluedMap<String, String> store) {
+    }
+
+    public Form param(final String name, final String value) {
+      return null;
+    }
+
+    public MultivaluedMap<String, String> asMap() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/GenericEntity.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Copyright (c) 2006 Google Inc.
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package javax.ws.rs.core;
+import java.lang.reflect.Type;
+
+public class GenericEntity<T> {
+    public GenericEntity(final T entity, final Type genericType) {
+    }
+
+    public final Class<?> getRawType() {
+      return null;
+    }
+
+    public final Type getType() {
+      return null;
+    }
+
+    public final T getEntity() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/HttpHeaders.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+public interface HttpHeaders {
+    public List<String> getRequestHeader(String name);
+
+    public String getHeaderString(String name);
+
+    public MultivaluedMap<String, String> getRequestHeaders();
+
+    public List<MediaType> getAcceptableMediaTypes();
+
+    public List<Locale> getAcceptableLanguages();
+
+    public MediaType getMediaType();
+
+    public Locale getLanguage();
+
+    public Map<String, Cookie> getCookies();
+
+    public Date getDate();
+
+    public int getLength();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Link.java

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+// import javax.xml.bind.annotation.adapters.XmlAdapter;
+// import javax.xml.namespace.QName;
+
+public abstract class Link {
+    public abstract URI getUri();
+
+    public abstract UriBuilder getUriBuilder();
+
+    public abstract String getRel();
+
+    public abstract List<String> getRels();
+
+    public abstract String getTitle();
+
+    public abstract String getType();
+
+    public abstract Map<String, String> getParams();
+
+    @Override
+    public abstract String toString();
+
+    public static Link valueOf(String value) {
+      return null;
+    }
+
+    public static Builder fromUri(URI uri) {
+      return null;
+    }
+
+    public static Builder fromUri(String uri) {
+      return null;
+    }
+
+    public static Builder fromUriBuilder(UriBuilder uriBuilder) {
+      return null;
+    }
+
+    public static Builder fromLink(Link link) {
+      return null;
+    }
+
+    public static Builder fromPath(String path) {
+      return null;
+    }
+
+    public static Builder fromResource(Class<?> resource) {
+      return null;
+    }
+
+    public static Builder fromMethod(Class<?> resource, String method) {
+      return null;
+    }
+
+    public interface Builder {
+        public Builder link(Link link);
+
+        public Builder link(String link);
+
+        public Builder uri(URI uri);
+
+        public Builder uri(String uri);
+
+        public Builder baseUri(URI uri);
+
+        public Builder baseUri(String uri);
+
+        public Builder uriBuilder(UriBuilder uriBuilder);
+
+        public Builder rel(String rel);
+
+        public Builder title(String title);
+
+        public Builder type(String type);
+
+        public Builder param(String name, String value);
+
+        public Link build(Object... values);
+
+        public Link buildRelativized(URI uri, Object... values);
+
+    }
+    public static class JaxbLink {
+        public JaxbLink() {
+        }
+
+        public JaxbLink(URI uri) {
+        }
+
+        // public JaxbLink(URI uri, Map<QName, Object> params) {
+        // }
+
+        public URI getUri() {
+          return null;
+        }
+
+        // public Map<QName, Object> getParams() {
+        //   return null;
+        // }
+
+        @Override
+        public boolean equals(Object o) {
+          return false;
+        }
+
+        @Override
+        public int hashCode() {
+          return 0;
+        }
+
+    }
+    // public static class JaxbAdapter extends XmlAdapter<JaxbLink, Link> {
+    //     @Override
+    //     public Link unmarshal(JaxbLink v) {
+    //       return null;
+    //     }
+
+    //     @Override
+    //     public JaxbLink marshal(Link v) {
+    //       return null;
+    //     }
+
+    // }
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MediaType.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Map;
+
+public class MediaType {
+    public final static MediaType WILDCARD_TYPE = new MediaType();
+
+    public final static MediaType APPLICATION_XML_TYPE = new MediaType("application", "xml");
+
+    public final static MediaType APPLICATION_ATOM_XML_TYPE = new MediaType("application", "atom+xml");
+
+    public final static MediaType APPLICATION_XHTML_XML_TYPE = new MediaType("application", "xhtml+xml");
+
+    public final static MediaType APPLICATION_SVG_XML_TYPE = new MediaType("application", "svg+xml");
+
+    public final static MediaType APPLICATION_JSON_TYPE = new MediaType("application", "json");
+
+    public final static MediaType APPLICATION_FORM_URLENCODED_TYPE = new MediaType("application", "x-www-form-urlencoded");
+
+    public final static MediaType MULTIPART_FORM_DATA_TYPE = new MediaType("multipart", "form-data");
+
+    public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream");
+
+    public final static String TEXT_PLAIN = "text/plain";
+
+    public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain");
+
+    public final static String TEXT_XML = "text/xml";
+    
+    public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml");
+
+    public final static String TEXT_HTML = "text/html";
+
+    public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html");
+
+    public static final MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream");
+
+    public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = new MediaType("application", "json-patch+json");
+
+    public static MediaType valueOf(String type){
+      return null;
+    }
+
+    public MediaType(String type, String subtype, Map<String, String> parameters) {
+    }
+
+    public MediaType(String type, String subtype) {
+    }
+
+    public MediaType(String type, String subtype, String charset) {
+    }
+
+    public MediaType() {
+    }
+
+    public String getType() {
+      return null;
+    }
+
+    public boolean isWildcardType() {
+      return false;
+    }
+
+    public String getSubtype() {
+      return null;
+    }
+
+    public boolean isWildcardSubtype() {
+      return false;
+    }
+
+    public Map<String, String> getParameters() {
+      return null;
+    }
+
+    public MediaType withCharset(String charset) {
+      return null;
+    }
+
+    public boolean isCompatible(MediaType other) {
+      return false;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedHashMap.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class MultivaluedHashMap<K, V> extends AbstractMultivaluedMap<K, V> implements Serializable {
+    // public MultivaluedHashMap() {
+    // }
+
+    // public MultivaluedHashMap(int initialCapacity) {
+    // }
+
+    // public MultivaluedHashMap(int initialCapacity, float loadFactor) {
+    // }
+
+    public MultivaluedHashMap(MultivaluedMap<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+    public MultivaluedHashMap(Map<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/MultivaluedMap.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public interface MultivaluedMap<K, V> extends Map<K, List<V>> {
+    void putSingle(K key, V value);
+
+    void add(K key, V value);
+
+    V getFirst(K key);
+
+    void addAll(K key, V... newValues);
+
+    void addAll(K key, List<V> valueList);
+
+    void addFirst(K key, V value);
+
+    boolean equalsIgnoreValueOrder(MultivaluedMap<K, V> otherMap);
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/NewCookie.java

@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.Date;
+
+public class NewCookie extends Cookie {
+    public NewCookie(String name, String value) {
+      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     String comment,
+                     int maxAge,
+                     boolean secure) {
+                      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     String comment,
+                     int maxAge,
+                     boolean secure,
+                     boolean httpOnly) {
+                      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     int version,
+                     String comment,
+                     int maxAge,
+                     boolean secure) {
+                      super("", "");
+    }
+
+    public NewCookie(String name,
+                     String value,
+                     String path,
+                     String domain,
+                     int version,
+                     String comment,
+                     int maxAge,
+                     Date expiry,
+                     boolean secure,
+                     boolean httpOnly) {
+                      super("", "");
+    }
+
+    public NewCookie(Cookie cookie) {
+      super("", "");
+    }
+
+    public NewCookie(Cookie cookie, String comment, int maxAge, boolean secure) {
+      super("", "");
+    }
+
+    public NewCookie(Cookie cookie, String comment, int maxAge, Date expiry, boolean secure, boolean httpOnly) {
+      super("", "");
+    }
+
+    public static NewCookie valueOf(String value) {
+      return null;
+    }
+
+    public String getComment() {
+      return null;
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public Date getExpiry() {
+      return null;
+    }
+
+    public boolean isSecure() {
+      return false;
+    }
+
+    public boolean isHttpOnly() {
+      return false;
+    }
+
+    public Cookie toCookie() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/PathSegment.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public interface PathSegment {
+    String getPath();
+
+    MultivaluedMap<String, String> getMatrixParameters();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Response.java

@@ -0,0 +1,285 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.lang.annotation.Annotation;
+import java.net.URI;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class Response implements AutoCloseable {
+    public abstract int getStatus();
+
+    public abstract StatusType getStatusInfo();
+
+    public abstract Object getEntity();
+
+    public abstract <T> T readEntity(Class<T> entityType);
+
+    // public abstract <T> T readEntity(GenericType<T> entityType);
+
+    public abstract <T> T readEntity(Class<T> entityType, Annotation[] annotations);
+
+    // public abstract <T> T readEntity(GenericType<T> entityType, Annotation[] annotations);
+
+    public abstract boolean hasEntity();
+
+    public abstract boolean bufferEntity();
+
+    @Override
+    public abstract void close();
+
+    public abstract MediaType getMediaType();
+
+    public abstract Locale getLanguage();
+
+    public abstract int getLength();
+
+    public abstract Set<String> getAllowedMethods();
+
+    // public abstract Map<String, NewCookie> getCookies();
+
+    // public abstract EntityTag getEntityTag();
+
+    public abstract Date getDate();
+
+    public abstract Date getLastModified();
+
+    public abstract URI getLocation();
+
+    // public abstract Set<Link> getLinks();
+
+    public abstract boolean hasLink(String relation);
+
+    // public abstract Link getLink(String relation);
+
+    // public abstract Link.Builder getLinkBuilder(String relation);
+
+    public abstract MultivaluedMap<String, Object> getMetadata();
+
+    public MultivaluedMap<String, Object> getHeaders() {
+      return null;
+    }
+
+    public abstract MultivaluedMap<String, String> getStringHeaders();
+
+    public abstract String getHeaderString(String name);
+
+    public static ResponseBuilder fromResponse(Response response) {
+      return null;
+    }
+
+    public static ResponseBuilder status(StatusType status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(Status status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(int status) {
+      return null;
+    }
+
+    public static ResponseBuilder status(int status, String reasonPhrase) {
+      return null;
+    }
+
+    public static ResponseBuilder ok() {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity, MediaType type) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity, String type) {
+      return null;
+    }
+
+    public static ResponseBuilder ok(Object entity, Variant variant) {
+      return null;
+    }
+
+    public static ResponseBuilder serverError() {
+      return null;
+    }
+
+    public static ResponseBuilder created(URI location) {
+      return null;
+    }
+
+    public static ResponseBuilder accepted() {
+      return null;
+    }
+
+    public static ResponseBuilder accepted(Object entity) {
+      return null;
+    }
+
+    public static ResponseBuilder noContent() {
+      return null;
+    }
+
+    public static ResponseBuilder notModified() {
+      return null;
+    }
+
+    // public static ResponseBuilder notModified(EntityTag tag) {
+    //   return null;
+    // }
+
+    public static ResponseBuilder notModified(String tag) {
+      return null;
+    }
+
+    public static ResponseBuilder seeOther(URI location) {
+      return null;
+    }
+
+    public static ResponseBuilder temporaryRedirect(URI location) {
+      return null;
+    }
+
+    // public static ResponseBuilder notAcceptable(List<Variant> variants) {
+    //   return null;
+    // }
+
+    public static abstract class ResponseBuilder {
+        public abstract Response build();
+
+        @Override
+        public abstract ResponseBuilder clone();
+
+        public abstract ResponseBuilder status(int status);
+
+        public abstract ResponseBuilder status(int status, String reasonPhrase);
+
+        public ResponseBuilder status(StatusType status) {
+          return null;
+        }
+
+        public ResponseBuilder status(Status status) {
+          return null;
+        }
+
+        public abstract ResponseBuilder entity(Object entity);
+
+        public abstract ResponseBuilder entity(Object entity, Annotation[] annotations);
+
+        public abstract ResponseBuilder allow(String... methods);
+
+        public abstract ResponseBuilder allow(Set<String> methods);
+
+        public abstract ResponseBuilder cacheControl(CacheControl cacheControl);
+
+        public abstract ResponseBuilder encoding(String encoding);
+
+        public abstract ResponseBuilder header(String name, Object value);
+
+        public abstract ResponseBuilder replaceAll(MultivaluedMap<String, Object> headers);
+
+        public abstract ResponseBuilder language(String language);
+
+        public abstract ResponseBuilder language(Locale language);
+
+        public abstract ResponseBuilder type(MediaType type);
+
+        public abstract ResponseBuilder type(String type);
+
+        public abstract ResponseBuilder variant(Variant variant);
+
+        public abstract ResponseBuilder contentLocation(URI location);
+
+        public abstract ResponseBuilder cookie(NewCookie... cookies);
+
+        public abstract ResponseBuilder expires(Date expires);
+
+        public abstract ResponseBuilder lastModified(Date lastModified);
+
+        public abstract ResponseBuilder location(URI location);
+
+        public abstract ResponseBuilder tag(EntityTag tag);
+
+        public abstract ResponseBuilder tag(String tag);
+
+        public abstract ResponseBuilder variants(Variant... variants);
+
+        public abstract ResponseBuilder variants(List<Variant> variants);
+
+        public abstract ResponseBuilder links(Link... links);
+
+        public abstract ResponseBuilder link(URI uri, String rel);
+
+        public abstract ResponseBuilder link(String uri, String rel);
+
+    }
+    public interface StatusType {
+        public int getStatusCode();
+
+        public Status.Family getFamily();
+
+        public String getReasonPhrase();
+
+        public default Status toEnum() {
+          return null;
+        }
+
+    }
+    public enum Status implements StatusType {
+        DUMMY_STATUS;
+
+        public enum Family {
+            DUMMY_FAMILY;
+
+            public static Family familyOf(final int statusCode) {
+              return null;
+            }
+
+        }
+        @Override
+        public Family getFamily() {
+          return null;
+        }
+
+        @Override
+        public int getStatusCode() {
+          return 0;
+        }
+
+        @Override
+        public String getReasonPhrase() {
+          return null;
+        }
+
+        @Override
+        public String toString() {
+          return null;
+        }
+
+        public static Status fromStatusCode(final int statusCode) {
+          return null;
+        }
+
+    }
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilder.java

@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.lang.reflect.Method;
+import java.net.URI;
+import java.util.Map;
+
+public abstract class UriBuilder {
+    public static UriBuilder fromUri(URI uri) {
+      return null;
+    }
+
+    public static UriBuilder fromUri(String uriTemplate) {
+      return null;
+    }
+
+    public static UriBuilder fromLink(Link link) {
+      return null;
+    }
+
+    public static UriBuilder fromPath(String path) throws IllegalArgumentException {
+      return null;
+    }
+
+    public static UriBuilder fromResource(Class<?> resource) {
+      return null;
+    }
+
+    public static UriBuilder fromMethod(Class<?> resource, String method) {
+      return null;
+    }
+
+    @Override
+    public abstract UriBuilder clone();
+
+    public abstract UriBuilder uri(URI uri);
+
+    public abstract UriBuilder uri(String uriTemplate);
+
+    public abstract UriBuilder scheme(String scheme);
+
+    public abstract UriBuilder schemeSpecificPart(String ssp);
+
+    public abstract UriBuilder userInfo(String ui);
+
+    public abstract UriBuilder host(String host);
+
+    public abstract UriBuilder port(int port);
+
+    public abstract UriBuilder replacePath(String path);
+
+    public abstract UriBuilder path(String path);
+
+    public abstract UriBuilder path(Class resource);
+
+    public abstract UriBuilder path(Class resource, String method);
+
+    public abstract UriBuilder path(Method method);
+
+    public abstract UriBuilder segment(String... segments);
+
+    public abstract UriBuilder replaceMatrix(String matrix);
+
+    public abstract UriBuilder matrixParam(String name, Object... values);
+
+    public abstract UriBuilder replaceMatrixParam(String name, Object... values);
+
+    public abstract UriBuilder replaceQuery(String query);
+
+    public abstract UriBuilder queryParam(String name, Object... values);
+
+    public abstract UriBuilder replaceQueryParam(String name, Object... values);
+
+    public abstract UriBuilder fragment(String fragment);
+
+    public abstract UriBuilder resolveTemplate(String name, Object value);
+
+    public abstract UriBuilder resolveTemplate(String name, Object value, boolean encodeSlashInPath);
+
+    public abstract UriBuilder resolveTemplateFromEncoded(String name, Object value);
+
+    public abstract UriBuilder resolveTemplates(Map<String, Object> templateValues);
+
+    public abstract UriBuilder resolveTemplates(Map<String, Object> templateValues, boolean encodeSlashInPath)
+            throws IllegalArgumentException;
+
+    public abstract UriBuilder resolveTemplatesFromEncoded(Map<String, Object> templateValues);
+
+    public abstract URI buildFromMap(Map<String, ?> values);
+
+    public abstract URI buildFromMap(Map<String, ?> values, boolean encodeSlashInPath)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI buildFromEncodedMap(Map<String, ?> values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI build(Object... values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI build(Object[] values, boolean encodeSlashInPath)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract URI buildFromEncoded(Object... values)
+            throws IllegalArgumentException, UriBuilderException;
+
+    public abstract String toTemplate();
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriBuilderException.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+
+public class UriBuilderException extends java.lang.RuntimeException {
+    public UriBuilderException() {
+    }
+
+    public UriBuilderException(String msg) {
+    }
+
+    public UriBuilderException(String msg, Throwable cause) {
+    }
+
+    public UriBuilderException(Throwable cause) {
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/UriInfo.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+
+public interface UriInfo {
+    public String getPath();
+
+    public String getPath(boolean decode);
+
+    public List<PathSegment> getPathSegments();
+
+    public List<PathSegment> getPathSegments(boolean decode);
+
+    public URI getRequestUri();
+
+    public UriBuilder getRequestUriBuilder();
+
+    public URI getAbsolutePath();
+
+    public UriBuilder getAbsolutePathBuilder();
+
+    public URI getBaseUri();
+
+    public UriBuilder getBaseUriBuilder();
+
+    public MultivaluedMap<String, String> getPathParameters();
+
+    public MultivaluedMap<String, String> getPathParameters(boolean decode);
+
+    public MultivaluedMap<String, String> getQueryParameters();
+
+    public MultivaluedMap<String, String> getQueryParameters(boolean decode);
+
+    public List<String> getMatchedURIs();
+
+    public List<String> getMatchedURIs(boolean decode);
+
+    public List<Object> getMatchedResources();
+
+    public URI resolve(URI uri);
+
+    public URI relativize(URI uri);
+
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/core/Variant.java

@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.core;
+import java.util.List;
+import java.util.Locale;
+
+public class Variant {
+    public Variant(MediaType mediaType, String language, String encoding) {
+    }
+
+    public Variant(MediaType mediaType, String language, String country, String encoding) {
+    }
+
+    public Variant(MediaType mediaType, String language, String country, String languageVariant, String encoding) {
+    }
+
+    public Variant(MediaType mediaType, Locale language, String encoding) {
+    }
+
+    public Locale getLanguage() {
+      return null;
+    }
+
+    public String getLanguageString() {
+      return null;
+    }
+
+    public MediaType getMediaType() {
+      return null;
+    }
+
+    public String getEncoding() {
+      return null;
+    }
+
+    public static VariantListBuilder mediaTypes(MediaType... mediaTypes) {
+      return null;
+    }
+
+    public static VariantListBuilder languages(Locale... languages) {
+      return null;
+    }
+
+    public static VariantListBuilder encodings(String... encodings) {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+      return false;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    public static abstract class VariantListBuilder {
+        public static VariantListBuilder newInstance() {
+          return null;
+        }
+
+        public abstract List<Variant> build();
+
+        public abstract VariantListBuilder add();
+
+        public abstract VariantListBuilder languages(Locale... languages);
+
+        public abstract VariantListBuilder encodings(String... encodings);
+
+        public abstract VariantListBuilder mediaTypes(MediaType... mediaTypes);
+
+    }
+}

java/ql/test/stubs/javax-ws-rs-api-2.1.1/javax/ws/rs/ext/MessageBodyReader.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2010, 2017 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package javax.ws.rs.ext;
+import java.io.InputStream;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+
+public interface MessageBodyReader<T> {
+    public boolean isReadable(Class<?> type, Type genericType,
+                              Annotation[] annotations, MediaType mediaType);
+
+    public T readFrom(Class<T> type, Type genericType,
+                      Annotation[] annotations, MediaType mediaType,
+                      MultivaluedMap<String, String> httpHeaders,
+                      InputStream entityStream) throws java.io.IOException /*, javax.ws.rs.WebApplicationException */;
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/BeanParam.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface BeanParam {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Consumes.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface Consumes {
+    String[] value() default "*/*";
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/CookieParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface CookieParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/DELETE.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface DELETE {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/FormParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface FormParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/GET.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface GET {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HEAD.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface HEAD {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/HeaderParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface HeaderParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/MatrixParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface MatrixParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/OPTIONS.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface OPTIONS {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/POST.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface POST {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PUT.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface PUT {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Path.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface Path {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/PathParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface PathParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/Produces.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface Produces {
+    String[] value() default "*/*";
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/QueryParam.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs;
+
+public @interface QueryParam {
+    String value();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/client/Client.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.client;
+// import java.net.URI;
+// import javax.net.ssl.HostnameVerifier;
+// import javax.net.ssl.SSLContext;
+import jakarta.ws.rs.core.Configurable;
+// import jakarta.ws.rs.core.Link;
+// import jakarta.ws.rs.core.UriBuilder;
+
+public interface Client extends Configurable<Client> {
+    public void close();
+
+    // public WebTarget target(String uri);
+
+    // public WebTarget target(URI uri);
+
+    // public WebTarget target(UriBuilder uriBuilder);
+
+    // public WebTarget target(Link link);
+
+    // public Invocation.Builder invocation(Link link);
+
+    // public SSLContext getSslContext();
+
+    // public HostnameVerifier getHostnameVerifier();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/AbstractMultivaluedMap.java

@@ -0,0 +1,131 @@
+/*
+ * Copyright (c) 2012, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.io.Serializable;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+public abstract class AbstractMultivaluedMap<K, V> implements MultivaluedMap<K, V>, Serializable {
+    public AbstractMultivaluedMap(final Map<K, List<V>> store) {
+    }
+
+    @Override
+    public final void putSingle(final K key, final V value) {
+    }
+
+    @Override
+    public final void add(final K key, final V value) {
+    }
+
+    @Override
+    public final void addAll(final K key, final V... newValues) {
+    }
+
+    @Override
+    public final void addAll(final K key, final List<V> valueList) {
+    }
+
+    @Override
+    public final V getFirst(final K key) {
+      return null;
+    }
+
+    @Override
+    public final void addFirst(final K key, final V value) {
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object o) {
+      return false;
+    }
+
+    @Override
+    public Collection<List<V>> values() {
+      return null;
+    }
+
+    @Override
+    public int size() {
+      return 0;
+    }
+
+    @Override
+    public List<V> remove(final Object key) {
+      return null;
+    }
+
+    @Override
+    public void putAll(final Map<? extends K, ? extends List<V>> m) {
+    }
+
+    @Override
+    public List<V> put(final K key, final List<V> value) {
+      return null;
+    }
+
+    @Override
+    public Set<K> keySet() {
+      return null;
+    }
+
+    @Override
+    public boolean isEmpty() {
+      return false;
+    }
+
+    @Override
+    public List<V> get(final Object key) {
+      return null;
+    }
+
+    @Override
+    public Set<Entry<K, List<V>>> entrySet() {
+      return null;
+    }
+
+    @Override
+    public boolean containsValue(final Object value) {
+      return false;
+    }
+
+    @Override
+    public boolean containsKey(final Object key) {
+      return false;
+    }
+
+    @Override
+    public void clear() {
+    }
+
+    @Override
+    public boolean equalsIgnoreValueOrder(final MultivaluedMap<K, V> omap) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/CacheControl.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public class CacheControl {
+    public CacheControl() {
+    }
+
+    public static CacheControl valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isMustRevalidate() {
+      return false;
+    }
+
+    public void setMustRevalidate(final boolean mustRevalidate) {
+    }
+
+    public boolean isProxyRevalidate() {
+      return false;
+    }
+
+    public void setProxyRevalidate(final boolean proxyRevalidate) {
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public void setMaxAge(final int maxAge) {
+    }
+
+    public int getSMaxAge() {
+      return 0;
+    }
+
+    public void setSMaxAge(final int sMaxAge) {
+    }
+
+    public List<String> getNoCacheFields() {
+      return null;
+    }
+
+    public void setNoCache(final boolean noCache) {
+    }
+
+    public boolean isNoCache() {
+      return false;
+    }
+
+    public boolean isPrivate() {
+      return false;
+    }
+
+    public List<String> getPrivateFields() {
+      return null;
+    }
+
+    public void setPrivate(final boolean flag) {
+    }
+
+    public boolean isNoTransform() {
+      return false;
+    }
+
+    public void setNoTransform(final boolean noTransform) {
+    }
+
+    public boolean isNoStore() {
+      return false;
+    }
+
+    public void setNoStore(final boolean noStore) {
+    }
+
+    public Map<String, String> getCacheExtension() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Configurable.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Map;
+
+public interface Configurable<C extends Configurable> {
+    // public Configuration getConfiguration();
+
+    public C property(String name, Object value);
+
+    public C register(Class<?> componentClass);
+
+    public C register(Class<?> componentClass, int priority);
+
+    public C register(Class<?> componentClass, Class<?>... contracts);
+
+    public C register(Class<?> componentClass, Map<Class<?>, Integer> contracts);
+
+    public C register(Object component);
+
+    public C register(Object component, int priority);
+
+    public C register(Object component, Class<?>... contracts);
+
+    public C register(Object component, Map<Class<?>, Integer> contracts);
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Context.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public @interface Context {
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Cookie.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class Cookie {
+    public Cookie(final String name, final String value, final String path, final String domain, final int version)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value, final String path, final String domain)
+            throws IllegalArgumentException {
+    }
+
+    public Cookie(final String name, final String value)
+            throws IllegalArgumentException {
+    }
+
+    public static Cookie valueOf(final String value) {
+      return null;
+    }
+
+    public String getName() {
+      return null;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    public int getVersion() {
+      return 0;
+    }
+
+    public String getDomain() {
+      return null;
+    }
+
+    public String getPath() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/EntityTag.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class EntityTag {
+    public EntityTag(final String value) {
+    }
+
+    public EntityTag(final String value, final boolean weak) {
+    }
+
+    public static EntityTag valueOf(final String value) {
+      return null;
+    }
+
+    public boolean isWeak() {
+      return false;
+    }
+
+    public String getValue() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Form.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public class Form {
+    public Form() {
+    }
+
+    public Form(final String parameterName, final String parameterValue) {
+    }
+
+    public Form(final MultivaluedMap<String, String> store) {
+    }
+
+    public Form param(final String name, final String value) {
+      return null;
+    }
+
+    public MultivaluedMap<String, String> asMap() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/GenericEntity.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * Copyright (c) 2006 Google Inc.
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package jakarta.ws.rs.core;
+import java.lang.reflect.Type;
+
+public class GenericEntity<T> {
+    public GenericEntity(final T entity, final Type genericType) {
+    }
+
+    public final Class<?> getRawType() {
+      return null;
+    }
+
+    public final Type getType() {
+      return null;
+    }
+
+    public final T getEntity() {
+      return null;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/HttpHeaders.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Date;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+public interface HttpHeaders {
+    public List<String> getRequestHeader(String name);
+
+    public String getHeaderString(String name);
+
+    public MultivaluedMap<String, String> getRequestHeaders();
+
+    public List<MediaType> getAcceptableMediaTypes();
+
+    public List<Locale> getAcceptableLanguages();
+
+    public MediaType getMediaType();
+
+    public Locale getLanguage();
+
+    public Map<String, Cookie> getCookies();
+
+    public Date getDate();
+
+    public int getLength();
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/Link.java

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2011, 2020 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+// import javax.xml.namespace.QName;
+// import jakarta.xml.bind.annotation.adapters.XmlAdapter;
+
+public abstract class Link {
+    public abstract URI getUri();
+
+    public abstract UriBuilder getUriBuilder();
+
+    public abstract String getRel();
+
+    public abstract List<String> getRels();
+
+    public abstract String getTitle();
+
+    public abstract String getType();
+
+    public abstract Map<String, String> getParams();
+
+    @Override
+    public abstract String toString();
+
+    public static Link valueOf(final String value) {
+      return null;
+    }
+
+    public static Builder fromUri(final URI uri) {
+      return null;
+    }
+
+    public static Builder fromUri(final String uri) {
+      return null;
+    }
+
+    public static Builder fromUriBuilder(final UriBuilder uriBuilder) {
+      return null;
+    }
+
+    public static Builder fromLink(final Link link) {
+      return null;
+    }
+
+    public static Builder fromPath(final String path) {
+      return null;
+    }
+
+    public static Builder fromResource(final Class<?> resource) {
+      return null;
+    }
+
+    public static Builder fromMethod(final Class<?> resource, final String method) {
+      return null;
+    }
+
+    public interface Builder {
+        public Builder link(Link link);
+
+        public Builder link(String link);
+
+        public Builder uri(URI uri);
+
+        public Builder uri(String uri);
+
+        public Builder baseUri(URI uri);
+
+        public Builder baseUri(String uri);
+
+        public Builder uriBuilder(UriBuilder uriBuilder);
+
+        public Builder rel(String rel);
+
+        public Builder title(String title);
+
+        public Builder type(String type);
+
+        public Builder param(String name, String value);
+
+        public Link build(Object... values);
+
+        public Link buildRelativized(URI uri, Object... values);
+
+    }
+    public static class JaxbLink {
+        public JaxbLink() {
+        }
+
+        public JaxbLink(final URI uri) {
+        }
+
+        // public JaxbLink(final URI uri, final Map<QName, Object> params) {
+        // }
+
+        public URI getUri() {
+          return null;
+        }
+
+        // public Map<QName, Object> getParams() {
+        //   return null;
+        // }
+
+        @Override
+        public boolean equals(final Object o) {
+          return false;
+        }
+
+        @Override
+        public int hashCode() {
+          return 0;
+        }
+
+    }
+    // public static class JaxbAdapter extends XmlAdapter<JaxbLink, Link> {
+    //     @Override
+    //     public Link unmarshal(final JaxbLink v) {
+    //       return null;
+    //     }
+
+    //     @Override
+    //     public JaxbLink marshal(final Link v) {
+    //       return null;
+    //     }
+
+    // }
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MediaType.java

@@ -0,0 +1,114 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Map;
+
+public class MediaType {
+    public final static MediaType WILDCARD_TYPE = new MediaType();
+
+    public final static MediaType APPLICATION_XML_TYPE = new MediaType("application", "xml");
+
+    public final static MediaType APPLICATION_ATOM_XML_TYPE = new MediaType("application", "atom+xml");
+
+    public final static MediaType APPLICATION_XHTML_XML_TYPE = new MediaType("application", "xhtml+xml");
+
+    public final static MediaType APPLICATION_SVG_XML_TYPE = new MediaType("application", "svg+xml");
+
+    public final static MediaType APPLICATION_JSON_TYPE = new MediaType("application", "json");
+
+    public final static MediaType APPLICATION_FORM_URLENCODED_TYPE = new MediaType("application", "x-www-form-urlencoded");
+
+    public final static MediaType MULTIPART_FORM_DATA_TYPE = new MediaType("multipart", "form-data");
+
+    public final static MediaType APPLICATION_OCTET_STREAM_TYPE = new MediaType("application", "octet-stream");
+
+    public final static String TEXT_PLAIN = "text/plain";
+
+    public final static MediaType TEXT_PLAIN_TYPE = new MediaType("text", "plain");
+
+    public final static String TEXT_XML = "text/xml";
+
+    public final static MediaType TEXT_XML_TYPE = new MediaType("text", "xml");
+
+    public final static String TEXT_HTML = "text/html";
+
+    public final static MediaType TEXT_HTML_TYPE = new MediaType("text", "html");
+
+    public static final MediaType SERVER_SENT_EVENTS_TYPE = new MediaType("text", "event-stream");
+
+    public static final MediaType APPLICATION_JSON_PATCH_JSON_TYPE = new MediaType("application", "json-patch+json");
+
+    public static MediaType valueOf(final String type) {
+      return null;
+    }
+
+    public MediaType(final String type, final String subtype, final Map<String, String> parameters) {
+    }
+
+    public MediaType(final String type, final String subtype) {
+    }
+
+    public MediaType(final String type, final String subtype, final String charset) {
+    }
+
+    public MediaType() {
+    }
+
+    public String getType() {
+      return null;
+    }
+
+    public boolean isWildcardType() {
+      return false;
+    }
+
+    public String getSubtype() {
+      return null;
+    }
+
+    public boolean isWildcardSubtype() {
+      return false;
+    }
+
+    public Map<String, String> getParameters() {
+      return null;
+    }
+
+    public MediaType withCharset(final String charset) {
+      return null;
+    }
+
+    public boolean isCompatible(final MediaType other) {
+      return false;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedHashMap.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2011, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class MultivaluedHashMap<K, V> extends AbstractMultivaluedMap<K, V> implements Serializable {
+    // public MultivaluedHashMap() {
+    // }
+
+    // public MultivaluedHashMap(final int initialCapacity) {
+    // }
+
+    // public MultivaluedHashMap(final int initialCapacity, final float loadFactor) {
+    // }
+
+    public MultivaluedHashMap(final MultivaluedMap<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+    public MultivaluedHashMap(final Map<? extends K, ? extends V> map) {
+        super(new HashMap<K, List<V>>());
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/MultivaluedMap.java

@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.List;
+import java.util.Map;
+
+public interface MultivaluedMap<K, V> extends Map<K, List<V>> {
+    void putSingle(K key, V value);
+
+    void add(K key, V value);
+
+    V getFirst(K key);
+
+    void addAll(K key, V... newValues);
+
+    void addAll(K key, List<V> valueList);
+
+    void addFirst(K key, V value);
+
+    boolean equalsIgnoreValueOrder(MultivaluedMap<K, V> otherMap);
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/NewCookie.java

@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+import java.util.Date;
+
+public class NewCookie extends Cookie {
+    public NewCookie(final String name, final String value) {
+      super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final String comment,
+            final int maxAge,
+            final boolean secure) {
+              super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final String comment,
+            final int maxAge,
+            final boolean secure,
+            final boolean httpOnly) {
+              super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final int version,
+            final String comment,
+            final int maxAge,
+            final boolean secure) {
+              super("", "");
+    }
+
+    public NewCookie(final String name,
+            final String value,
+            final String path,
+            final String domain,
+            final int version,
+            final String comment,
+            final int maxAge,
+            final Date expiry,
+            final boolean secure,
+            final boolean httpOnly) {
+              super("", "");
+            }
+
+    public NewCookie(final Cookie cookie) {
+      super("", "");
+    }
+
+    public NewCookie(final Cookie cookie, final String comment, final int maxAge, final boolean secure) {
+      super("", "");
+    }
+
+    public NewCookie(final Cookie cookie, final String comment, final int maxAge, final Date expiry, final boolean secure, final boolean httpOnly) {
+      super("", "");
+    }
+
+    public static NewCookie valueOf(final String value) {
+      return null;
+    }
+
+    public String getComment() {
+      return null;
+    }
+
+    public int getMaxAge() {
+      return 0;
+    }
+
+    public Date getExpiry() {
+      return null;
+    }
+
+    public boolean isSecure() {
+      return false;
+    }
+
+    public boolean isHttpOnly() {
+      return false;
+    }
+
+    public Cookie toCookie() {
+      return null;
+    }
+
+    @Override
+    public String toString() {
+      return null;
+    }
+
+    @Override
+    public int hashCode() {
+      return 0;
+    }
+
+    @Override
+    public boolean equals(final Object obj) {
+      return false;
+    }
+
+}

java/ql/test/stubs/javax-ws-rs-api-3.0.0/jakarta/ws/rs/core/PathSegment.java

@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2010, 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+package jakarta.ws.rs.core;
+
+public interface PathSegment {
+    String getPath();
+
+    MultivaluedMap<String, String> getMatrixParameters();
+
+}