Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch

2026-04-27 09:45:15 +02:00 · 2021-07-20 17:30:56 +02:00
parent 1014400a08 5a489a386a
commit 99e66cffa2
2246 changed files with 205894 additions and 30303 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-016/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-016/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8
--- a/java/ql/test/experimental/query-tests/security/CWE-074-JndiInjection/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-074-JndiInjection/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2
--- a/java/ql/test/experimental/query-tests/security/CWE-074/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-074/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/Saxon-HE-9.9.1-7
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/Saxon-HE-9.9.1-7
--- a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.expected
@@ -0,0 +1,15 @@
+edges
+| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) |
+| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code |
+| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource |
+nodes
+| BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | semmle.label | new StaticScriptSource(...) |
+| BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| BeanShellInjection.java:22:20:22:23 | code | semmle.label | code |
+| BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| BeanShellInjection.java:31:22:31:39 | staticScriptSource | semmle.label | staticScriptSource |
+#select
+| BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShellInjection.java:13:17:13:44 | getParameter(...) : String | BeanShellInjection.java:15:22:15:49 | new StaticScriptSource(...) | BeanShell injection from $@. | BeanShellInjection.java:13:17:13:44 | getParameter(...) | this user input |
+| BeanShellInjection.java:22:20:22:23 | code | BeanShellInjection.java:20:17:20:44 | getParameter(...) : String | BeanShellInjection.java:22:20:22:23 | code | BeanShell injection from $@. | BeanShellInjection.java:20:17:20:44 | getParameter(...) | this user input |
+| BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShellInjection.java:27:17:27:44 | getParameter(...) : String | BeanShellInjection.java:31:22:31:39 | staticScriptSource | BeanShell injection from $@. | BeanShellInjection.java:27:17:27:44 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java
@@ -0,0 +1,33 @@
+import bsh.Interpreter;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.scripting.bsh.BshScriptEvaluator;
+import org.springframework.scripting.support.StaticScriptSource;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class BeanShellInjection {
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		BshScriptEvaluator evaluator = new BshScriptEvaluator();
+		evaluator.evaluate(new StaticScriptSource(code)); //bad
+	}
+
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) throws Exception {
+		String code = request.getParameter("code");
+		Interpreter interpreter = new Interpreter();
+		interpreter.eval(code);  //bad
+	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String code = request.getParameter("code");
+		StaticScriptSource staticScriptSource = new StaticScriptSource("test");
+		staticScriptSource.setScript(code);
+		BshScriptEvaluator evaluator = new BshScriptEvaluator();
+		evaluator.evaluate(staticScriptSource);  //bad
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/BeanShellInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.expected
@@ -0,0 +1,15 @@
+edges
+| JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input |
+| JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input |
+| JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:37:16:37:28 | source(...) |
+nodes
+| JShellInjection.java:12:18:12:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JShellInjection.java:15:15:15:19 | input | semmle.label | input |
+| JShellInjection.java:20:18:20:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JShellInjection.java:24:31:24:35 | input | semmle.label | input |
+| JShellInjection.java:29:18:29:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JShellInjection.java:37:16:37:28 | source(...) | semmle.label | source(...) |
+#select
+| JShellInjection.java:15:15:15:19 | input | JShellInjection.java:12:18:12:45 | getParameter(...) : String | JShellInjection.java:15:15:15:19 | input | JShell injection from $@. | JShellInjection.java:12:18:12:45 | getParameter(...) | this user input |
+| JShellInjection.java:24:31:24:35 | input | JShellInjection.java:20:18:20:45 | getParameter(...) : String | JShellInjection.java:24:31:24:35 | input | JShell injection from $@. | JShellInjection.java:20:18:20:45 | getParameter(...) | this user input |
+| JShellInjection.java:37:16:37:28 | source(...) | JShellInjection.java:29:18:29:45 | getParameter(...) : String | JShellInjection.java:37:16:37:28 | source(...) | JShell injection from $@. | JShellInjection.java:29:18:29:45 | getParameter(...) | this user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.java
@@ -0,0 +1,40 @@
+import javax.servlet.http.HttpServletRequest;
+import jdk.jshell.JShell;
+import jdk.jshell.SourceCodeAnalysis;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class JShellInjection {
+
+	@GetMapping(value = "bad1")
+	public void bad1(HttpServletRequest request) {
+		String input = request.getParameter("code");
+		JShell jShell = JShell.builder().build();
+        // BAD: allow execution of arbitrary Java code
+		jShell.eval(input);
+	}
+
+	@GetMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) {
+		String input = request.getParameter("code");
+		JShell jShell = JShell.builder().build();
+		SourceCodeAnalysis sourceCodeAnalysis = jShell.sourceCodeAnalysis();
+        // BAD: allow execution of arbitrary Java code
+		sourceCodeAnalysis.wrappers(input);
+	}
+
+	@GetMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) {
+		String input = request.getParameter("code");
+		JShell jShell = JShell.builder().build();
+		SourceCodeAnalysis.CompletionInfo info;
+		SourceCodeAnalysis sca = jShell.sourceCodeAnalysis();
+		for (info = sca.analyzeCompletion(input);
+				info.completeness().isComplete();
+				info = sca.analyzeCompletion(info.remaining())) {
+			// BAD: allow execution of arbitrary Java code
+			jShell.eval(info.source());
+		}
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-094/JShellInjection.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-094/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-094/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../../stubs/mvel2-2.4.7:${testdir}/../../../../stubs/jsr223-api:${testdir}/../../../../stubs/scriptengine:${testdir}/../../../../stubs/java-ee-el:${testdir}/../../../../stubs/juel-2.2:${testdir}/../../../stubs/groovy-all-3.0.7:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jython-2.7.2:${testdir}/../../../../experimental/stubs/rhino-1.7.13:${testdir}/../../../../stubs/bsh-2.0b5:${testdir}/../../../../experimental/stubs/jshell
--- a/java/ql/test/experimental/query-tests/security/CWE-1004/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-1004/options
@@ -1 +1 @@
-// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1:${testdir}/../../../../stubs/springframework-5.2.3
+// semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jsr311-api-1.1.1:${testdir}/../../../../stubs/springframework-5.3.8
--- a/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrust.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrust.expected
@@ -1,5 +1,3 @@
-| UnsafeCertTrustTest.java:27:4:27:74 | init(...) | Unsafe configuration of trusted certificates |
-| UnsafeCertTrustTest.java:42:4:42:38 | init(...) | Unsafe configuration of trusted certificates |
-| UnsafeCertTrustTest.java:92:25:92:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
-| UnsafeCertTrustTest.java:103:25:103:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
-| UnsafeCertTrustTest.java:112:34:112:83 | createSocket(...) | Unsafe configuration of trusted certificates |
+| UnsafeCertTrustTest.java:26:25:26:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
+| UnsafeCertTrustTest.java:37:25:37:52 | createSSLEngine(...) | Unsafe configuration of trusted certificates |
+| UnsafeCertTrustTest.java:46:34:46:83 | createSocket(...) | Unsafe configuration of trusted certificates |
--- a/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-273/UnsafeCertTrustTest.java
@@ -18,72 +18,6 @@ import java.security.cert.X509Certificate;

 public class UnsafeCertTrustTest {

-	/**
-	 * Test the implementation of trusting all server certs as a variable
-	 */
-	public SSLSocketFactory testTrustAllCertManager() {
-		try {
-			final SSLContext context = SSLContext.getInstance("TLS");
-			context.init(null, new TrustManager[] { TRUST_ALL_CERTIFICATES }, null);
-			final SSLSocketFactory socketFactory = context.getSocketFactory();
-			return socketFactory;
-		} catch (final Exception x) {
-			throw new RuntimeException(x);
-		}
-	}
-
-	/**
-	 * Test the implementation of trusting all server certs as an anonymous class
-	 */
-	public SSLSocketFactory testTrustAllCertManagerOfVariable() {
-		try {
-			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] serverTMs = new TrustManager[] { new X509TrustAllManager() };
-			context.init(null, serverTMs, null);
-
-			final SSLSocketFactory socketFactory = context.getSocketFactory();
-			return socketFactory;
-		} catch (final Exception x) {
-			throw new RuntimeException(x);
-		}
-	}
-
-	private static final X509TrustManager TRUST_ALL_CERTIFICATES = new X509TrustManager() {
-		@Override
-		public void checkClientTrusted(final X509Certificate[] chain, final String authType)
-				throws CertificateException {
-		}
-
-		@Override
-		public void checkServerTrusted(final X509Certificate[] chain, final String authType)
-				throws CertificateException {
-			// Noncompliant
-		}
-
-		@Override
-		public X509Certificate[] getAcceptedIssuers() {
-			return null; // Noncompliant
-		}
-	};
-
-	private class X509TrustAllManager implements X509TrustManager {
-		@Override
-		public void checkClientTrusted(final X509Certificate[] chain, final String authType)
-				throws CertificateException {
-		}
-
-		@Override
-		public void checkServerTrusted(final X509Certificate[] chain, final String authType)
-				throws CertificateException {
-			// Noncompliant
-		}
-
-		@Override
-		public X509Certificate[] getAcceptedIssuers() {
-			return null; // Noncompliant
-		}
-	};
-
 	/**
 	 * Test the endpoint identification of SSL engine is set to null
 	 */
--- a/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected
@@ -0,0 +1,108 @@
+edges
+| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager |
+| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:131:23:131:34 | trustManager |
+| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager |
+| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:173:23:173:34 | trustManager |
+| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager |
+| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:215:23:215:34 | trustManager |
+| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager |
+| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager |
+| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager |
+| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager |
+| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager |
+| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager |
+| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager |
+| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager |
+| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager |
+| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager |
+| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager |
+| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager |
+| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager |
+nodes
+| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:131:23:131:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:173:23:173:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:215:23:215:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | semmle.label | trustManager |
+| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
+| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
+| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | semmle.label | trustManager |
+#select
+| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
+| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
--- a/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-295/InsecureTrustManager.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java
@@ -0,0 +1,420 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+
+public class InsecureTrustManagerTest {
+
+	private static final boolean TRUST_ALL = true;
+	private static final boolean SOME_NAME_THAT_IS_NOT_A_FLAG_NAME = true;
+
+	private static boolean isDisableTrust() {
+		return true;
+	}
+
+	private static boolean is42TheAnswerForEverything() {
+		return true;
+	}
+
+	private static class InsecureTrustManager implements X509TrustManager {
+		@Override
+		public X509Certificate[] getAcceptedIssuers() {
+			return null;
+		}
+
+		@Override
+		public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+			// BAD: Does not verify the certificate chain, allowing any certificate.
+		}
+
+		@Override
+		public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+
+		}
+	}
+
+	public static void main(String[] args) throws Exception {
+		directInsecureTrustManagerCall();
+
+		namedVariableFlagDirectInsecureTrustManagerCall();
+		noNamedVariableFlagDirectInsecureTrustManagerCall();
+		namedVariableFlagIndirectInsecureTrustManagerCall();
+		noNamedVariableFlagIndirectInsecureTrustManagerCall();
+
+		stringLiteralFlagDirectInsecureTrustManagerCall();
+		noStringLiteralFlagDirectInsecureTrustManagerCall();
+		stringLiteralFlagIndirectInsecureTrustManagerCall();
+		noStringLiteralFlagIndirectInsecureTrustManagerCall();
+
+		methodAccessFlagDirectInsecureTrustManagerCall();
+		noMethodAccessFlagDirectInsecureTrustManagerCall();
+		methodAccessFlagIndirectInsecureTrustManagerCall();
+		noMethodAccessFlagIndirectInsecureTrustManagerCall();
+
+		isEqualsIgnoreCaseDirectInsecureTrustManagerCall();
+		noIsEqualsIgnoreCaseDirectInsecureTrustManagerCall();
+		isEqualsIgnoreCaseIndirectInsecureTrustManagerCall();
+		noIsEqualsIgnoreCaseIndirectInsecureTrustManagerCall();
+
+		namedVariableFlagNOTGuardingDirectInsecureTrustManagerCall();
+		noNamedVariableFlagNOTGuardingDirectInsecureTrustManagerCall();
+
+		stringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall();
+		noStringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall();
+
+		methodAccessFlagNOTGuardingDirectInsecureTrustManagerCall();
+		noMethodAccessFlagNOTGuardingDirectInsecureTrustManagerCall();
+
+		isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall();
+		noIsEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall();
+
+		directSecureTrustManagerCall();
+
+	}
+
+	private static void directSecureTrustManagerCall() throws NoSuchAlgorithmException, KeyStoreException, IOException,
+			CertificateException, FileNotFoundException, KeyManagementException, MalformedURLException {
+		SSLContext context = SSLContext.getInstance("TLS");
+		File certificateFile = new File("path/to/self-signed-certificate");
+		// Create a `KeyStore` with default type
+		KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+		// This causes `keyStore` to be empty
+		keyStore.load(null, null);
+		X509Certificate generatedCertificate;
+		try (InputStream cert = new FileInputStream(certificateFile)) {
+			generatedCertificate = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(cert);
+		}
+		// Add the self-signed certificate to the key store
+		keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);
+		// Get default `TrustManagerFactory`
+		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+		// Use it with our modified key store that trusts our self-signed certificate
+		tmf.init(keyStore);
+		TrustManager[] trustManagers = tmf.getTrustManagers();
+		context.init(null, trustManagers, null); // GOOD, we are not using a custom `TrustManager` but instead have
+													// added the self-signed certificate we want to trust to the key
+													// store. Note, the `trustManagers` will **only** trust this one
+													// certificate.
+		URL url = new URL("https://self-signed.badssl.com/");
+		HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
+		conn.setSSLSocketFactory(context.getSocketFactory());
+	}
+
+	private static void directInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException {
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+												// chain, allowing any certificate.
+	}
+
+	private static void namedVariableFlagDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (TRUST_ALL) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. BUT it is guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void namedVariableFlagIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (TRUST_ALL) {
+			disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
+			// method that install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. BUT it is guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noNamedVariableFlagDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noNamedVariableFlagIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
+			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+									// install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void stringLiteralFlagDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. BUT it is guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void stringLiteralFlagIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
+			disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
+			// method that install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. BUT it is guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noStringLiteralFlagDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noStringLiteralFlagIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
+			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			// install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void methodAccessFlagDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (isDisableTrust()) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. BUT it is guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void methodAccessFlagIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (isDisableTrust()) {
+			disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
+			// method that install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. BUT it is guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noMethodAccessFlagDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (is42TheAnswerForEverything()) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noMethodAccessFlagIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (is42TheAnswerForEverything()) {
+			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			// install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void isEqualsIgnoreCaseDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		String schemaFromHttpRequest = "HTTPS";
+		if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void isEqualsIgnoreCaseIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		String schemaFromHttpRequest = "HTTPS";
+		if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
+			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			// install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noIsEqualsIgnoreCaseDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		String schemaFromHttpRequest = "HTTPS";
+		if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
+			SSLContext context = SSLContext.getInstance("TLS");
+			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void noIsEqualsIgnoreCaseIndirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		String schemaFromHttpRequest = "HTTPS";
+		if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
+			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			// install a `TrustManager` that does not verify the certificate
+			// chain, allowing any certificate. It is NOT guarded
+			// by a feature flag.
+		}
+	}
+
+	private static void namedVariableFlagNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (TRUST_ALL) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if.
+
+	}
+
+	private static void noNamedVariableFlagNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if and it is NOT a valid flag.
+
+	}
+
+	private static void stringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if.
+
+	}
+
+	private static void noStringLiteralFlagNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if and it is NOT a valid flag.
+
+	}
+
+	private static void methodAccessFlagNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (isDisableTrust()) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if.
+
+	}
+
+	private static void noMethodAccessFlagNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		if (is42TheAnswerForEverything()) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if and it is NOT a valid flag.
+
+	}
+
+	private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		String schemaFromHttpRequest = "HTTPS";
+		if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if and it is NOT a valid flag.
+
+	}
+
+	private static void noIsEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
+		String schemaFromHttpRequest = "HTTPS";
+		if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
+			System.out.println("Disabling trust!");
+		}
+
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		// chain, allowing any certificate. It is NOT guarded
+		// by a feature flag, because it is outside the if and it is NOT a valid flag.
+
+	}
+
+	private static void disableTrustManager() throws NoSuchAlgorithmException, KeyManagementException {
+		SSLContext context = SSLContext.getInstance("TLS");
+		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the
+												// certificate
+		// chain, allowing any certificate. The method name suggests that this may be
+		// intentional, but we flag it anyway.
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.expected
@@ -1,54 +1,59 @@
 edges
-| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
-| UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
-| UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
-| UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
-| UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] |
-| UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] | UnsafeTlsVersion.java:44:44:44:52 | protocols |
-| UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] |
-| UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] |
-| UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] |
-| UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] |
-| UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] |
-| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
-| UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
-| UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
-| UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
-| UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] |
-| UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] | UnsafeTlsVersion.java:81:32:81:40 | protocols |
-| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
-| UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
-| UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
-| UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
-| UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] |
-| UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] | UnsafeTlsVersion.java:101:32:101:40 | protocols |
-| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
-| UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
-| UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
-| UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
-| UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] | UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] |
-| UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] |
-| UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] | UnsafeTlsVersion.java:121:32:121:40 | protocols |
+| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
+| UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
+| UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
+| UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
+| UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String |
+| UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String | UnsafeTlsVersion.java:44:44:44:52 | protocols |
+| UnsafeTlsVersion.java:50:38:50:61 | {...} [[]] : String | UnsafeTlsVersion.java:50:38:50:61 | new String[] |
+| UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | UnsafeTlsVersion.java:50:38:50:61 | {...} [[]] : String |
+| UnsafeTlsVersion.java:51:38:51:59 | {...} [[]] : String | UnsafeTlsVersion.java:51:38:51:59 | new String[] |
+| UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | UnsafeTlsVersion.java:51:38:51:59 | {...} [[]] : String |
+| UnsafeTlsVersion.java:52:38:52:61 | {...} [[]] : String | UnsafeTlsVersion.java:52:38:52:61 | new String[] |
+| UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | UnsafeTlsVersion.java:52:38:52:61 | {...} [[]] : String |
+| UnsafeTlsVersion.java:53:38:53:63 | {...} [[]] : String | UnsafeTlsVersion.java:53:38:53:63 | new String[] |
+| UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | UnsafeTlsVersion.java:53:38:53:63 | {...} [[]] : String |
+| UnsafeTlsVersion.java:56:29:56:65 | {...} [[]] : String | UnsafeTlsVersion.java:56:29:56:65 | new String[] |
+| UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | UnsafeTlsVersion.java:56:29:56:65 | {...} [[]] : String |
+| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String | UnsafeTlsVersion.java:81:32:81:40 | protocols |
+| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
+| UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
+| UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
+| UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
+| UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String |
+| UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String | UnsafeTlsVersion.java:101:32:101:40 | protocols |
+| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } [[]] : String | UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String |
+| UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } [[]] : String |
+| UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String | UnsafeTlsVersion.java:121:32:121:40 | protocols |
 nodes
 | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | semmle.label | "SSL" |
 | UnsafeTlsVersion.java:17:28:17:34 | "SSLv2" | semmle.label | "SSLv2" |
@@ -56,64 +61,69 @@ nodes
 | UnsafeTlsVersion.java:19:28:19:32 | "TLS" | semmle.label | "TLS" |
 | UnsafeTlsVersion.java:20:28:20:34 | "TLSv1" | semmle.label | "TLSv1" |
 | UnsafeTlsVersion.java:21:28:21:36 | "TLSv1.1" | semmle.label | "TLSv1.1" |
-| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:31:5:31:46 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:31:39:31:45 | "SSLv3" : String | semmle.label | "SSLv3" : String |
-| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:32:5:32:44 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:32:39:32:43 | "TLS" : String | semmle.label | "TLS" : String |
-| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:33:5:33:46 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:33:39:33:45 | "TLSv1" : String | semmle.label | "TLSv1" : String |
-| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:34:5:34:48 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:34:39:34:47 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:35:5:35:68 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:35:39:35:45 | "TLSv1" : String | semmle.label | "TLSv1" : String |
 | UnsafeTlsVersion.java:35:48:35:56 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:43:74:43:92 | protocols : String[] | semmle.label | protocols : String[] |
+| UnsafeTlsVersion.java:43:74:43:92 | protocols [[]] : String | semmle.label | protocols [[]] : String |
 | UnsafeTlsVersion.java:44:44:44:52 | protocols | semmle.label | protocols |
 | UnsafeTlsVersion.java:50:38:50:61 | new String[] | semmle.label | new String[] |
+| UnsafeTlsVersion.java:50:38:50:61 | {...} [[]] : String | semmle.label | {...} [[]] : String |
 | UnsafeTlsVersion.java:50:53:50:59 | "SSLv3" : String | semmle.label | "SSLv3" : String |
 | UnsafeTlsVersion.java:51:38:51:59 | new String[] | semmle.label | new String[] |
+| UnsafeTlsVersion.java:51:38:51:59 | {...} [[]] : String | semmle.label | {...} [[]] : String |
 | UnsafeTlsVersion.java:51:53:51:57 | "TLS" : String | semmle.label | "TLS" : String |
 | UnsafeTlsVersion.java:52:38:52:61 | new String[] | semmle.label | new String[] |
+| UnsafeTlsVersion.java:52:38:52:61 | {...} [[]] : String | semmle.label | {...} [[]] : String |
 | UnsafeTlsVersion.java:52:53:52:59 | "TLSv1" : String | semmle.label | "TLSv1" : String |
 | UnsafeTlsVersion.java:53:38:53:63 | new String[] | semmle.label | new String[] |
+| UnsafeTlsVersion.java:53:38:53:63 | {...} [[]] : String | semmle.label | {...} [[]] : String |
 | UnsafeTlsVersion.java:53:53:53:61 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
 | UnsafeTlsVersion.java:56:29:56:65 | new String[] | semmle.label | new String[] |
+| UnsafeTlsVersion.java:56:29:56:65 | {...} [[]] : String | semmle.label | {...} [[]] : String |
 | UnsafeTlsVersion.java:56:44:56:52 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:68:5:68:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:68:21:68:27 | "SSLv3" : String | semmle.label | "SSLv3" : String |
-| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:69:5:69:26 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:69:21:69:25 | "TLS" : String | semmle.label | "TLS" : String |
-| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:70:5:70:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:70:21:70:27 | "TLSv1" : String | semmle.label | "TLSv1" : String |
-| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:71:5:71:30 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:71:21:71:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:72:5:72:41 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:72:21:72:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:79:43:79:61 | protocols : String[] | semmle.label | protocols : String[] |
+| UnsafeTlsVersion.java:79:43:79:61 | protocols [[]] : String | semmle.label | protocols [[]] : String |
 | UnsafeTlsVersion.java:81:32:81:40 | protocols | semmle.label | protocols |
-| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:88:5:88:34 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:88:27:88:33 | "SSLv3" : String | semmle.label | "SSLv3" : String |
-| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:89:5:89:32 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:89:27:89:31 | "TLS" : String | semmle.label | "TLS" : String |
-| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:90:5:90:34 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:90:27:90:33 | "TLSv1" : String | semmle.label | "TLSv1" : String |
-| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:91:5:91:36 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:91:27:91:35 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:92:5:92:47 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:92:27:92:35 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:99:55:99:73 | protocols : String[] | semmle.label | protocols : String[] |
+| UnsafeTlsVersion.java:99:55:99:73 | protocols [[]] : String | semmle.label | protocols [[]] : String |
 | UnsafeTlsVersion.java:101:32:101:40 | protocols | semmle.label | protocols |
-| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:108:5:108:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:108:21:108:27 | "SSLv3" : String | semmle.label | "SSLv3" : String |
-| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:109:5:109:26 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:109:21:109:25 | "TLS" : String | semmle.label | "TLS" : String |
-| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:110:5:110:28 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:110:21:110:27 | "TLSv1" : String | semmle.label | "TLSv1" : String |
-| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:111:5:111:30 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:111:21:111:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } : String[] | semmle.label | new ..[] { .. } : String[] |
+| UnsafeTlsVersion.java:112:5:112:41 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
 | UnsafeTlsVersion.java:112:21:112:29 | "TLSv1.1" : String | semmle.label | "TLSv1.1" : String |
-| UnsafeTlsVersion.java:119:43:119:61 | protocols : String[] | semmle.label | protocols : String[] |
+| UnsafeTlsVersion.java:119:43:119:61 | protocols [[]] : String | semmle.label | protocols [[]] : String |
 | UnsafeTlsVersion.java:121:32:121:40 | protocols | semmle.label | protocols |
 #select
 | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | $@ is unsafe | UnsafeTlsVersion.java:16:28:16:32 | "SSL" | SSL |
--- a/java/ql/test/experimental/query-tests/security/CWE-348/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-348/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/apache-commons-lang3-3.7/
--- a/java/ql/test/experimental/query-tests/security/CWE-352/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-352/options
@@ -1 +1 @@
-  //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.2.3/
+  //semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/fastjson-1.2.74/:${testdir}/../../../../stubs/gson-2.8.6/:${testdir}/../../../../stubs/jackson-databind-2.10/:${testdir}/../../../../stubs/springframework-5.3.8/
--- a/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java
@@ -2,12 +2,32 @@ import org.springframework.boot.SpringBootConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.remoting.caucho.HessianServiceExporter;
 import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
 import org.springframework.remoting.rmi.RemoteInvocationSerializingExporter;
+import org.springframework.remoting.rmi.RmiServiceExporter;

@Configuration
 public class SpringExporterUnsafeDeserialization {

+    @Bean(name = "/unsafeRmiServiceExporter")
+    RmiServiceExporter unsafeRmiServiceExporter() {
+        RmiServiceExporter exporter = new RmiServiceExporter();
+        exporter.setServiceInterface(AccountService.class);
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceName(AccountService.class.getSimpleName());
+        exporter.setRegistryPort(1099); 
+        return exporter;
+    }
+
+    @Bean(name = "/unsafeHessianServiceExporter")
+    HessianServiceExporter unsafeHessianServiceExporter() {
+        HessianServiceExporter exporter = new HessianServiceExporter();
+        exporter.setService(new AccountServiceImpl());
+        exporter.setServiceInterface(AccountService.class);
+        return exporter;
+    }
+
    @Bean(name = "/unsafeHttpInvokerServiceExporter")
    HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() {
        HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
--- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.expected
@@ -1,4 +1,6 @@
-| SpringExporterUnsafeDeserialization.java:12:32:12:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
-| SpringExporterUnsafeDeserialization.java:20:41:20:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
-| SpringExporterUnsafeDeserialization.java:36:32:36:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
-| SpringExporterUnsafeDeserialization.java:48:32:48:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:14:24:14:47 | unsafeRmiServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeRmiServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:24:28:24:55 | unsafeHessianServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHessianServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:32:32:32:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:40:41:40:88 | unsafeCustomeRemoteInvocationSerializingExporter | Unsafe deserialization in a Spring exporter bean '/unsafeCustomeRemoteInvocationSerializingExporter' |
+| SpringExporterUnsafeDeserialization.java:56:32:56:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
+| SpringExporterUnsafeDeserialization.java:68:32:68:63 | unsafeHttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean '/unsafeHttpInvokerServiceExporter' |
--- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.expected
@@ -1,2 +1,4 @@
 | beans.xml:10:5:13:12 | /unsafeBooking | Unsafe deserialization in a Spring exporter bean '/unsafeBooking' |
 | beans.xml:15:5:18:12 | org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter' |
+| beans.xml:20:5:24:12 | org.springframework.remoting.rmi.RmiServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.rmi.RmiServiceExporter' |
+| beans.xml:26:5:29:12 | org.springframework.remoting.caucho.HessianServiceExporter | Unsafe deserialization in a Spring exporter bean 'org.springframework.remoting.caucho.HessianServiceExporter' |
--- a/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml
@@ -16,4 +16,15 @@
        <property name="service" ref="anotherBookingService"/>
        <property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
    </bean>
+
+    <bean class="org.springframework.remoting.rmi.RmiServiceExporter">
+        <property name="service" ref="oneMoreBookingService"/>
+        <property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
+        <property name="registryPort" value="1199"/>
+    </bean>
+
+    <bean class="org.springframework.remoting.caucho.HessianServiceExporter">
+        <property name="service" ref="oneMoreBookingService"/>
+        <property name="serviceInterface" value="com.gypsyengineer.api.CabBookingService"/>
+    </bean>
 </beans>
--- a/java/ql/test/experimental/query-tests/security/CWE-502/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8
--- a/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-522/InsecureLdapAuth.expected
@@ -1,35 +1,35 @@
 edges
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String |
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:20:49:20:59 | environment |
-| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
-| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:15:3:15:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:20:49:20:59 | environment |
+| InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | InsecureLdapAuth.java:15:3:15:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:20:49:20:59 | environment |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | InsecureLdapAuth.java:34:49:34:59 | environment |
-| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
-| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:29:3:29:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:34:49:34:59 | environment |
+| InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | InsecureLdapAuth.java:29:3:29:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:34:49:34:59 | environment |
 | InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:48:49:48:59 | environment |
 | InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String |
 | InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | InsecureLdapAuth.java:63:49:63:59 | environment |
-| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
-| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:57:3:57:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:63:49:63:59 | environment |
+| InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | InsecureLdapAuth.java:57:3:57:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
 | InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:63:49:63:59 | environment |
 | InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String |
 | InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:77:49:77:59 | environment |
-| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:77:49:77:59 | environment |
-| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:72:3:72:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:77:49:77:59 | environment |
+| InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | InsecureLdapAuth.java:72:3:72:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:91:49:91:59 | environment |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:105:59:105:69 | environment |
-| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
-| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:100:3:100:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:105:59:105:69 | environment |
+| InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | InsecureLdapAuth.java:100:3:100:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:105:59:105:69 | environment |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | InsecureLdapAuth.java:120:49:120:59 | environment |
-| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
-| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:115:3:115:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:120:49:120:59 | environment |
+| InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | InsecureLdapAuth.java:115:3:115:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:120:49:120:59 | environment |
 | InsecureLdapAuth.java:124:3:124:5 | env [post update] : Hashtable | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable |
@@ -37,23 +37,23 @@ edges
 | InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String |
 | InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | InsecureLdapAuth.java:142:50:142:60 | environment |
 | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
-| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
-| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:140:3:140:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:142:50:142:60 | environment |
+| InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | InsecureLdapAuth.java:140:3:140:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:142:50:142:60 | environment |
 | InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String |
 | InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | InsecureLdapAuth.java:153:50:153:60 | environment |
-| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
-| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:151:3:151:13 | environment [post update] [<map.value>] : String | InsecureLdapAuth.java:153:50:153:60 | environment |
+| InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | InsecureLdapAuth.java:151:3:151:13 | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | InsecureLdapAuth.java:153:50:153:60 | environment |
 nodes
 | InsecureLdapAuth.java:11:20:11:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:15:3:15:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:15:3:15:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:15:41:15:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:17:3:17:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:20:49:20:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:25:20:25:39 | ... + ... : String | semmle.label | ... + ... : String |
-| InsecureLdapAuth.java:29:3:29:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:29:3:29:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:29:41:29:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:31:3:31:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:34:49:34:59 | environment | semmle.label | environment |
@@ -61,7 +61,7 @@ nodes
 | InsecureLdapAuth.java:45:3:45:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:48:49:48:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:53:20:53:50 | "ldap://ad.your-server.com:636" : String | semmle.label | "ldap://ad.your-server.com:636" : String |
-| InsecureLdapAuth.java:57:3:57:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:57:3:57:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:57:41:57:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:59:3:59:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:62:3:62:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
@@ -69,19 +69,19 @@ nodes
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:63:49:63:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:68:20:68:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:72:3:72:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:72:3:72:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:72:41:72:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:77:49:77:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:88:3:88:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:91:49:91:59 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:96:20:96:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:100:3:100:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:100:3:100:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:100:41:100:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:102:3:102:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:105:59:105:69 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:111:20:111:50 | "ldap://ad.your-server.com:389" : String | semmle.label | "ldap://ad.your-server.com:389" : String |
-| InsecureLdapAuth.java:115:3:115:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:115:3:115:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:115:47:115:53 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:117:3:117:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:120:49:120:59 | environment | semmle.label | environment |
@@ -90,14 +90,14 @@ nodes
 | InsecureLdapAuth.java:128:3:128:5 | env [post update] : Hashtable | semmle.label | env [post update] : Hashtable |
 | InsecureLdapAuth.java:135:20:135:39 | ... + ... : String | semmle.label | ... + ... : String |
 | InsecureLdapAuth.java:137:10:137:20 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
-| InsecureLdapAuth.java:140:3:140:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:140:3:140:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:140:41:140:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:141:16:141:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:142:50:142:60 | environment | semmle.label | environment |
 | InsecureLdapAuth.java:147:20:147:39 | ... + ... : String | semmle.label | ... + ... : String |
-| InsecureLdapAuth.java:151:3:151:13 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
+| InsecureLdapAuth.java:151:3:151:13 | environment [post update] [<map.value>] : String | semmle.label | environment [post update] [<map.value>] : String |
 | InsecureLdapAuth.java:151:41:151:47 | ldapUrl : String | semmle.label | ldapUrl : String |
 | InsecureLdapAuth.java:152:16:152:26 | environment [post update] : Hashtable | semmle.label | environment [post update] : Hashtable |
 | InsecureLdapAuth.java:153:50:153:60 | environment | semmle.label | environment |
--- a/java/ql/test/experimental/query-tests/security/CWE-601/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.2.3/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/springframework-5.3.8/
--- a/java/ql/test/experimental/query-tests/security/CWE-652/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-652/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.2.3/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/apache-http-4.4.13/:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/saxon-xqj-9.x/:${testdir}/../../../../stubs/springframework-5.3.8/
--- a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.expected
@@ -0,0 +1,4 @@
+| InsecureRmiJmxEnvironmentConfiguration.java:12:5:12:69 | newJMXConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:12:59:12:62 | null | null |
+| InsecureRmiJmxEnvironmentConfiguration.java:17:5:17:50 | new RMIConnectorServer(...) | RMI/JMX server initialized with a null environment. Missing type restriction in RMI authentication method exposes the application to deserialization attacks. | InsecureRmiJmxEnvironmentConfiguration.java:17:34:17:37 | null | null |
+| InsecureRmiJmxEnvironmentConfiguration.java:25:5:25:49 | new RMIConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:25:34:25:36 | env | env |
+| InsecureRmiJmxEnvironmentConfiguration.java:33:5:33:68 | newJMXConnectorServer(...) | RMI/JMX server initialized with insecure environment $@, which never restricts accepted client objects to 'java.lang.String'. This exposes to deserialization attacks against the RMI authentication method. | InsecureRmiJmxEnvironmentConfiguration.java:33:59:33:61 | env | env |
--- a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java
@@ -0,0 +1,89 @@
+import java.io.IOException;
+import javax.management.remote.JMXConnectorServerFactory;
+import javax.management.remote.rmi.RMIConnectorServer;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class InsecureRmiJmxEnvironmentConfiguration {
+
+  public void initInsecureJmxDueToNullEnv() throws IOException {
+    // Bad initializing env (arg1) with null
+    JMXConnectorServerFactory.newJMXConnectorServer(null, null, null);
+  }
+
+  public void initInsecureRmiDueToNullEnv() throws IOException {
+    // Bad initializing env (arg1) with null
+    new RMIConnectorServer(null, null, null, null);
+  }
+
+  public void initInsecureRmiDueToMissingEnvKeyValue() throws IOException {
+    // Bad initializing env (arg1) with missing
+    // "jmx.remote.rmi.server.credential.types"
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    new RMIConnectorServer(null, env, null, null);
+  }
+
+  public void initInsecureJmxDueToMissingEnvKeyValue() throws IOException {
+    // Bad initializing env (arg1) with missing
+    // "jmx.remote.rmi.server.credential.types"
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
+  }
+
+  public void secureJmxConnnectorServer() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    env.put("jmx.remote.rmi.server.credential.types",
+        new String[] { String[].class.getName(), String.class.getName() });
+    JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
+  }
+
+  public void secureRmiConnnectorServer() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    env.put("jmx.remote.rmi.server.credential.types",
+        new String[] { String[].class.getName(), String.class.getName() });
+    new RMIConnectorServer(null, env, null, null);
+  }
+
+  public void secureeJmxConnectorServerConstants1() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, "java.lang.String;!*"); // Deny everything but
+                                                                                   // java.lang.String
+    JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
+  }
+
+  public void secureeRmiConnectorServerConstants1() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
+    env.put(RMIConnectorServer.CREDENTIALS_FILTER_PATTERN, stringsOnlyFilter);
+    new RMIConnectorServer(null, env, null, null);
+  }
+
+  public void secureJmxConnectorServerConstants2() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    env.put("jmx.remote.rmi.server.credentials.filter.pattern", "java.lang.String;!*"); // Deny everything but
+                                                                                        // java.lang.String
+    JMXConnectorServerFactory.newJMXConnectorServer(null, env, null);
+  }
+
+  public void secureRmiConnectorServerConstants2() throws IOException {
+    // Good
+    Map<String, Object> env = new HashMap<>();
+    env.put("jmx.remote.x.daemon", "true");
+    String stringsOnlyFilter = "java.lang.String;!*"; // Deny everything but java.lang.String
+    env.put("jmx.remote.rmi.server.credentials.filter.pattern", stringsOnlyFilter);
+    new RMIConnectorServer(null, env, null, null);
+  }
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-665/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-665/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/rmi-remote-0.0.0
--- a/java/ql/test/experimental/query-tests/security/CWE-917/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-917/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.3.8:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
--- a/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-927/SensitiveBroadcast.expected
@@ -3,8 +3,8 @@ edges
 | SensitiveBroadcast.java:13:41:13:52 | refreshToken : String | SensitiveBroadcast.java:14:31:14:36 | intent |
 | SensitiveBroadcast.java:25:32:25:39 | password : String | SensitiveBroadcast.java:26:31:26:36 | intent |
 | SensitiveBroadcast.java:36:35:36:39 | email : String | SensitiveBroadcast.java:38:31:38:36 | intent |
-| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | SensitiveBroadcast.java:52:31:52:36 | intent |
-| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList |
+| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String | SensitiveBroadcast.java:52:31:52:36 | intent |
+| SensitiveBroadcast.java:50:22:50:29 | password : String | SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String |
 | SensitiveBroadcast.java:97:35:97:40 | ticket : String | SensitiveBroadcast.java:98:54:98:59 | intent |
 | SensitiveBroadcast.java:109:32:109:39 | passcode : String | SensitiveBroadcast.java:111:54:111:59 | intent |
 | SensitiveBroadcast.java:136:33:136:38 | passwd : String | SensitiveBroadcast.java:140:54:140:59 | intent |
@@ -16,7 +16,7 @@ nodes
 | SensitiveBroadcast.java:26:31:26:36 | intent | semmle.label | intent |
 | SensitiveBroadcast.java:36:35:36:39 | email : String | semmle.label | email : String |
 | SensitiveBroadcast.java:38:31:38:36 | intent | semmle.label | intent |
-| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] : ArrayList | semmle.label | userinfo [post update] : ArrayList |
+| SensitiveBroadcast.java:50:9:50:16 | userinfo [post update] [<element>] : String | semmle.label | userinfo [post update] [<element>] : String |
 | SensitiveBroadcast.java:50:22:50:29 | password : String | semmle.label | password : String |
 | SensitiveBroadcast.java:52:31:52:36 | intent | semmle.label | intent |
 | SensitiveBroadcast.java:97:35:97:40 | ticket : String | semmle.label | ticket : String |
--- a/java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java
+++ b/java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIConnectorServer.java
@@ -0,0 +1,30 @@
+package javax.management.remote.rmi;
+
+import java.io.IOException;
+import java.util.Map;
+import java.io.IOException;
+import javax.management.remote.JMXConnectorServer;
+import javax.management.remote.JMXServiceURL;
+import javax.management.MBeanServer;
+import javax.management.remote.rmi.RMIServerImpl;
+//import javax.management.remote.JMXConnectorServer;
+
+//public class RMIConnectorServerTEST extends JMXConnectorServer{
+public class RMIConnectorServer extends java.lang.Object {
+
+    public static final String CREDENTIALS_FILTER_PATTERN = "jmx.remote.rmi.server.credentials.filter.pattern";
+
+    public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment) throws IOException {
+        // stub;
+    }
+
+    public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment, MBeanServer mbeanServer)
+            throws IOException {
+        // stub;
+    }
+
+    public RMIConnectorServer(JMXServiceURL url, Map<String, ?> environment, RMIServerImpl rmiServerImpl,
+            MBeanServer mbeanServer) throws IOException {
+        // stub;
+    }
+}
--- a/java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIServerImpl.java
+++ b/java/ql/test/experimental/stubs/javax-management-remote-rmi-0.0.1/javax/management/remote/rmi/RMIServerImpl.java
@@ -0,0 +1,10 @@
+package javax.management.remote.rmi;
+
+import java.util.Map;
+
+public class RMIServerImpl {
+    public RMIServerImpl(Map<String, ?> env) {
+        // stub;
+    }
+
+}
--- a/java/ql/test/experimental/stubs/jshell/jdk/jshell/JShell.java
+++ b/java/ql/test/experimental/stubs/jshell/jdk/jshell/JShell.java
@@ -0,0 +1,37 @@
+package jdk.jshell;
+
+import java.util.List;
+import java.lang.IllegalStateException;
+
+public class JShell implements AutoCloseable {
+
+    JShell(Builder b) throws IllegalStateException { }
+
+    public static class Builder {
+
+        Builder() { }
+
+        public JShell build() throws IllegalStateException {
+            return null;
+        }
+    }
+
+    public static JShell create() throws IllegalStateException {
+        return null;
+    }
+
+    public static Builder builder() {
+        return null;
+    }
+
+    public SourceCodeAnalysis sourceCodeAnalysis() {
+        return null;
+    }
+
+    public List<SnippetEvent> eval(String input) throws IllegalStateException {
+        return null;
+    }
+
+    @Override
+    public void close() { }
+}
--- a/java/ql/test/experimental/stubs/jshell/jdk/jshell/Snippet.java
+++ b/java/ql/test/experimental/stubs/jshell/jdk/jshell/Snippet.java
@@ -0,0 +1,31 @@
+package jdk.jshell;
+
+public abstract class Snippet {
+
+	public enum Kind {
+
+		IMPORT(true),
+
+		TYPE_DECL(true),
+
+		METHOD(true),
+
+		VAR(true),
+
+		EXPRESSION(false),
+
+		STATEMENT(false),
+
+		ERRONEOUS(false);
+
+		private final boolean isPersistent;
+
+        Kind(boolean isPersistent) {
+        	this.isPersistent = isPersistent;
+        }
+
+        public boolean isPersistent() {
+            return false;
+        }
+	}
+}
--- a/java/ql/test/experimental/stubs/jshell/jdk/jshell/SnippetEvent.java
+++ b/java/ql/test/experimental/stubs/jshell/jdk/jshell/SnippetEvent.java
@@ -0,0 +1,5 @@
+package jdk.jshell;
+
+public class SnippetEvent {
+
+}
--- a/java/ql/test/experimental/stubs/jshell/jdk/jshell/SourceCodeAnalysis.java
+++ b/java/ql/test/experimental/stubs/jshell/jdk/jshell/SourceCodeAnalysis.java
@@ -0,0 +1,111 @@
+package jdk.jshell;
+
+import java.util.Collection;
+import java.util.List;
+
+public abstract class SourceCodeAnalysis {
+
+    public abstract CompletionInfo analyzeCompletion(String input);
+
+    public abstract List<Suggestion> completionSuggestions(String input, int cursor, int[] anchor);
+
+    public abstract List<Documentation> documentation(String input, int cursor, boolean computeJavadoc);
+
+    public abstract String analyzeType(String code, int cursor);
+
+    public abstract QualifiedNames listQualifiedNames(String code, int cursor);
+
+    public abstract SnippetWrapper wrapper(Snippet snippet);
+
+    public abstract List<SnippetWrapper> wrappers(String input);
+
+    public abstract Collection<Snippet> dependents(Snippet snippet);
+
+    SourceCodeAnalysis() {}
+
+    public interface CompletionInfo {
+
+        Completeness completeness();
+
+        String remaining();
+
+        String source();
+    }
+
+    public enum Completeness {
+
+        COMPLETE(true),
+
+        COMPLETE_WITH_SEMI(true),
+
+        DEFINITELY_INCOMPLETE(false),
+
+        CONSIDERED_INCOMPLETE(false),
+
+        EMPTY(false),
+
+        UNKNOWN(true);
+
+        private final boolean isComplete;
+
+        Completeness(boolean isComplete) {
+            this.isComplete = isComplete;
+        }
+
+        public boolean isComplete() {
+            return isComplete;
+        }
+    }
+
+    public interface Suggestion {
+
+        String continuation();
+
+        boolean matchesType();
+    }
+
+    public interface Documentation {
+
+        String signature();
+
+        String javadoc();
+    }
+
+    public static final class QualifiedNames {
+
+
+        QualifiedNames(List<String> names, int simpleNameLength, boolean upToDate, boolean resolvable) { }
+
+        public List<String> getNames() {
+            return null;
+        }
+
+        public int getSimpleNameLength() {
+            return 1;
+        }
+
+        public boolean isUpToDate() {
+            return false;
+        }
+
+        public boolean isResolvable() {
+            return false;
+        }
+
+    }
+
+    public interface SnippetWrapper {
+
+        String source();
+
+        String wrapped();
+
+        String fullClassName();
+
+        Snippet.Kind kind();
+
+        int sourceToWrappedPosition(int pos);
+
+        int wrappedToSourcePosition(int pos);
+    }
+}
--- a/java/ql/test/experimental/stubs/rmi-remote-0.0.0/README
+++ b/java/ql/test/experimental/stubs/rmi-remote-0.0.0/README
@@ -0,0 +1 @@
+This is a workaround for a bug in which the extractor can't resolve type javax.management.remote.rmi.RMIConnectorServer even though it has been part of the JDK since Java 5
--- a/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnection.java
+++ b/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnection.java
@@ -0,0 +1,6 @@
+package javax.management.remote.rmi;
+
+import java.rmi.Remote;
+import java.io.Closeable;
+
+interface RMIConnection extends Closeable, Remote { }
--- a/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnectorServer.java
+++ b/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIConnectorServer.java
@@ -0,0 +1,34 @@
+package javax.management.remote.rmi;
+
+import java.util.Map;
+
+import javax.management.remote.JMXConnectorServer;
+import javax.management.remote.JMXConnector;
+import javax.management.remote.JMXServiceURL;
+import javax.management.remote.MBeanServerForwarder;
+import javax.management.MBeanServer;
+
+// Note this is a partial stub sufficient to the needs of tests for CWE-665
+public class RMIConnectorServer extends JMXConnectorServer {
+
+  public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment) { }
+  public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, MBeanServer mbeanServer) { }
+  public RMIConnectorServer(JMXServiceURL url, Map<String,?> environment, RMIServerImpl rmiServerImpl, MBeanServer mbeanServer) { }
+
+  public static String CREDENTIAL_TYPES	= "";
+  public static String CREDENTIALS_FILTER_PATTERN = "";
+  public static String JNDI_REBIND_ATTRIBUTE = "";
+  public static String RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE = "";
+  public static String RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE = "";
+  public static String SERIAL_FILTER_PATTERN = "";
+
+  public Map<String,?> getAttributes() { return null; }
+  public JMXServiceURL getAddress() { return null; }
+  public String[] getConnectionIds() { return null; }
+  public boolean isActive() { return true; }
+  public void setMBeanServerForwarder(MBeanServerForwarder mbsf) { }
+  public void start() { }
+  public void stop() { }
+  public JMXConnector toJMXConnector(Map<String,?> env) { return null; }
+
+}
--- a/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServer.java
+++ b/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServer.java
@@ -0,0 +1,3 @@
+package javax.management.remote.rmi;
+
+interface RMIServer { }
--- a/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServerImpl.java
+++ b/java/ql/test/experimental/stubs/rmi-remote-0.0.0/javax/management/remote/rmi/RMIServerImpl.java
@@ -0,0 +1,12 @@
+package javax.management.remote.rmi;
+
+import java.io.Closeable;
+import java.rmi.Remote;
+
+public class RMIServerImpl implements Closeable, RMIServer { 
+
+  public void close() { }
+  public String getVersion() { return null; }
+  public RMIConnection newClient(Object credentials) { return null; }
+
+}
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-094/BeanShellInjection.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-094/JShellInjection.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-295/InsecureTrustManager.ql`
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql`
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/rmi-remote-0.0.0`
				`@@ -0,0 +1 @@`
				`This is a workaround for a bug in which the extractor can't resolve type javax.management.remote.rmi.RMIConnectorServer even though it has been part of the JDK since Java 5`