From a276cc3094862274e7a4411cf53ec2b8cb00065f Mon Sep 17 00:00:00 2001 From: Tony Torralba Date: Wed, 19 Apr 2023 17:09:24 +0200 Subject: [PATCH] Convert all command injection sinks to MaD format --- .../2023-04-19-deprecated-execcallable.md | 4 +++ .../experimental/com.jcraft.jsch.model.yml | 6 ++++ java/ql/lib/ext/java.lang.model.yml | 27 ++++++++------- .../lib/ext/org.apache.commons.exec.model.yml | 9 +++++ java/ql/lib/semmle/code/java/JDK.qll | 34 ------------------- .../code/java/frameworks/apache/Exec.qll | 29 ---------------- .../code/java/security/CommandLineQuery.qll | 10 +++--- .../code/java/security/ExternalProcess.qll | 31 +++++++++-------- .../Security/CWE/CWE-078/ExecTaintedLocal.ql | 11 +++--- .../src/Security/CWE/CWE-078/ExecUnescaped.ql | 1 + .../Security/CWE/CWE-078/ExecTainted.ql | 6 +++- .../Security/CWE/CWE-078/JSchOSInjection.qll | 20 ----------- .../CWE-078/ExecTaintedLocal.expected | 20 +++++++---- 13 files changed, 81 insertions(+), 127 deletions(-) create mode 100644 java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md create mode 100644 java/ql/lib/ext/experimental/com.jcraft.jsch.model.yml create mode 100644 java/ql/lib/ext/org.apache.commons.exec.model.yml delete mode 100644 java/ql/lib/semmle/code/java/frameworks/apache/Exec.qll delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll diff --git a/java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md b/java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md new file mode 100644 index 00000000000..fc21d1825bf --- /dev/null +++ b/java/ql/lib/change-notes/2023-04-19-deprecated-execcallable.md @@ -0,0 +1,4 @@ +--- +category: deprecated +--- +* The `ExecCallable` class in `ExternalProcess.qll` has been deprecated. diff --git a/java/ql/lib/ext/experimental/com.jcraft.jsch.model.yml b/java/ql/lib/ext/experimental/com.jcraft.jsch.model.yml new file mode 100644 index 00000000000..1a8783d91a5 --- /dev/null +++ b/java/ql/lib/ext/experimental/com.jcraft.jsch.model.yml @@ -0,0 +1,6 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: experimentalSinkModel + data: + - ["com.jcraft.jsch", "ChannelExec", True, "setCommand", "", "", "Argument[0]", "command-injection", "manual", "jsch-os-injection"] diff --git a/java/ql/lib/ext/java.lang.model.yml b/java/ql/lib/ext/java.lang.model.yml index bbb269b3d55..59eb548af27 100644 --- a/java/ql/lib/ext/java.lang.model.yml +++ b/java/ql/lib/ext/java.lang.model.yml @@ -8,19 +8,20 @@ extensions: - ["java.lang", "ClassLoader", True, "getSystemResource", "(String)", "", "Argument[0]", "read-file", "ai-manual"] - ["java.lang", "ClassLoader", True, "getSystemResourceAsStream", "(String)", "", "Argument[0]", "read-file", "ai-manual"] - ["java.lang", "Module", True, "getResourceAsStream", "(String)", "", "Argument[0]", "read-file", "ai-manual"] - # These are modeled in plain CodeQL. TODO: migrate them. - # - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[0]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[2]", "command-injection", "ai-manual"] - # - ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "ProcessBuilder", False, "command", "(List)", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "ProcessBuilder", False, "command", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "ProcessBuilder", False, "directory", "(File)", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(List)", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "ProcessBuilder", False, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String[])", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String[],String[])", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String[],String[],File)", "", "Argument[2]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"] + - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"] - ["java.lang", "String", False, "matches", "(String)", "", "Argument[0]", "regex-use[f-1]", "manual"] - ["java.lang", "String", False, "replaceAll", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"] - ["java.lang", "String", False, "replaceFirst", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"] diff --git a/java/ql/lib/ext/org.apache.commons.exec.model.yml b/java/ql/lib/ext/org.apache.commons.exec.model.yml new file mode 100644 index 00000000000..7b65ee46a49 --- /dev/null +++ b/java/ql/lib/ext/org.apache.commons.exec.model.yml @@ -0,0 +1,9 @@ +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.commons.exec", "CommandLine", True, "parse", "(String)", "", "Argument[0]", "command-injection", "manual"] + - ["org.apache.commons.exec", "CommandLine", True, "parse", "(String,Map)", "", "Argument[0]", "command-injection", "manual"] + - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String)", "", "Argument[0]", "command-injection", "manual"] + - ["org.apache.commons.exec", "CommandLine", True, "addArguments", "(String,boolean)", "", "Argument[0]", "command-injection", "manual"] diff --git a/java/ql/lib/semmle/code/java/JDK.qll b/java/ql/lib/semmle/code/java/JDK.qll index 78f7defc32f..62115884c62 100644 --- a/java/ql/lib/semmle/code/java/JDK.qll +++ b/java/ql/lib/semmle/code/java/JDK.qll @@ -3,7 +3,6 @@ */ import Member -import semmle.code.java.security.ExternalProcess private import semmle.code.java.dataflow.FlowSteps // --- Standard types --- @@ -198,39 +197,6 @@ class TypeFile extends Class { } // --- Standard methods --- -/** - * Any constructor of class `java.lang.ProcessBuilder`. - */ -class ProcessBuilderConstructor extends Constructor, ExecCallable { - ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder } - - override int getAnExecutedArgument() { result = 0 } -} - -/** - * Any of the methods named `command` on class `java.lang.ProcessBuilder`. - */ -class MethodProcessBuilderCommand extends Method, ExecCallable { - MethodProcessBuilderCommand() { - this.hasName("command") and - this.getDeclaringType() instanceof TypeProcessBuilder - } - - override int getAnExecutedArgument() { result = 0 } -} - -/** - * Any method named `exec` on class `java.lang.Runtime`. - */ -class MethodRuntimeExec extends Method, ExecCallable { - MethodRuntimeExec() { - this.hasName("exec") and - this.getDeclaringType() instanceof TypeRuntime - } - - override int getAnExecutedArgument() { result = 0 } -} - /** * Any method named `getenv` on class `java.lang.System`. */ diff --git a/java/ql/lib/semmle/code/java/frameworks/apache/Exec.qll b/java/ql/lib/semmle/code/java/frameworks/apache/Exec.qll deleted file mode 100644 index d6876bfae70..00000000000 --- a/java/ql/lib/semmle/code/java/frameworks/apache/Exec.qll +++ /dev/null @@ -1,29 +0,0 @@ -/** Definitions related to the Apache Commons Exec library. */ - -import semmle.code.java.Type -import semmle.code.java.security.ExternalProcess - -/** The class `org.apache.commons.exec.CommandLine`. */ -private class TypeCommandLine extends Class { - TypeCommandLine() { this.hasQualifiedName("org.apache.commons.exec", "CommandLine") } -} - -/** The `parse()` method of the class `org.apache.commons.exec.CommandLine`. */ -private class MethodCommandLineParse extends Method, ExecCallable { - MethodCommandLineParse() { - this.getDeclaringType() instanceof TypeCommandLine and - this.hasName("parse") - } - - override int getAnExecutedArgument() { result = 0 } -} - -/** The `addArguments()` method of the class `org.apache.commons.exec.CommandLine`. */ -private class MethodCommandLineAddArguments extends Method, ExecCallable { - MethodCommandLineAddArguments() { - this.getDeclaringType() instanceof TypeCommandLine and - this.hasName("addArguments") - } - - override int getAnExecutedArgument() { result = 0 } -} diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll index b6e3f5b188a..c0d09a9eeab 100644 --- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll +++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll @@ -10,8 +10,8 @@ import java private import semmle.code.java.dataflow.FlowSources private import semmle.code.java.dataflow.ExternalFlow -private import semmle.code.java.security.ExternalProcess private import semmle.code.java.security.CommandArguments +private import semmle.code.java.security.ExternalProcess /** A sink for command injection vulnerabilities. */ abstract class CommandInjectionSink extends DataFlow::Node { } @@ -33,9 +33,7 @@ class CommandInjectionAdditionalTaintStep extends Unit { } private class DefaultCommandInjectionSink extends CommandInjectionSink { - DefaultCommandInjectionSink() { - this.asExpr() instanceof ArgumentToExec or sinkNode(this, "command-injection") - } + DefaultCommandInjectionSink() { sinkNode(this, "command-injection") } } private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer { @@ -100,7 +98,7 @@ predicate execIsTainted( RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg ) { RemoteUserInputToArgumentToExecFlow::flowPath(source, sink) and - sink.getNode().asExpr() = execArg + argumentToExec(execArg, sink.getNode()) } /** @@ -112,7 +110,7 @@ predicate execIsTainted( */ deprecated predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, Expr execArg) { exists(RemoteUserInputToArgumentToExecFlowConfig conf | - conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg + conf.hasFlowPath(source, sink) and argumentToExec(execArg, sink.getNode()) ) } diff --git a/java/ql/lib/semmle/code/java/security/ExternalProcess.qll b/java/ql/lib/semmle/code/java/security/ExternalProcess.qll index 9a061c7a419..385d2f6c548 100644 --- a/java/ql/lib/semmle/code/java/security/ExternalProcess.qll +++ b/java/ql/lib/semmle/code/java/security/ExternalProcess.qll @@ -1,16 +1,13 @@ /** Definitions related to external processes. */ import semmle.code.java.Member - -private module Instances { - private import semmle.code.java.JDK - private import semmle.code.java.frameworks.apache.Exec -} +private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.security.CommandLineQuery /** - * A callable that executes a command. + * DEPRECATED: A callable that executes a command. */ -abstract class ExecCallable extends Callable { +abstract deprecated class ExecCallable extends Callable { /** * Gets the index of an argument that will be part of the command that is executed. */ @@ -23,13 +20,19 @@ abstract class ExecCallable extends Callable { * to be executed. */ class ArgumentToExec extends Expr { - ArgumentToExec() { - exists(Call execCall, ExecCallable execCallable, int i | - execCall.getArgument(pragma[only_bind_into](i)) = this and - execCallable = execCall.getCallee() and - i = execCallable.getAnExecutedArgument() - ) - } + ArgumentToExec() { argumentToExec(this, _) } +} + +/** + * Holds if `e` is an expression used as an argument to a call that executes an external command. + * For calls to varargs method calls, this only includes the first argument, which will be the command + * to be executed. + */ +predicate argumentToExec(Expr e, CommandInjectionSink s) { + s.asExpr() = e + or + e.(Argument).isNthVararg(0) and + s.(DataFlow::ImplicitVarargsArray).getCall() = e.(Argument).getCall() } /** diff --git a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql index 08c230cb43a..38b79c468cd 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql @@ -14,11 +14,14 @@ import java import semmle.code.java.security.CommandLineQuery +import semmle.code.java.security.ExternalProcess import LocalUserInputToArgumentToExecFlow::PathGraph from LocalUserInputToArgumentToExecFlow::PathNode source, - LocalUserInputToArgumentToExecFlow::PathNode sink -where LocalUserInputToArgumentToExecFlow::flowPath(source, sink) -select sink.getNode().asExpr(), source, sink, "This command line depends on a $@.", - source.getNode(), "user-provided value" + LocalUserInputToArgumentToExecFlow::PathNode sink, Expr e +where + LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and + argumentToExec(e, sink.getNode()) +select e, source, sink, "This command line depends on a $@.", source.getNode(), + "user-provided value" diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql index 68e3cc2faa7..d50f583bbfe 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql @@ -14,6 +14,7 @@ import java import semmle.code.java.security.CommandLineQuery +import semmle.code.java.security.ExternalProcess /** * Strings that are known to be sane by some simple local analysis. Such strings diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql index 4305b9fbabc..5d543d65011 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql @@ -15,7 +15,11 @@ import java import semmle.code.java.security.CommandLineQuery import RemoteUserInputToArgumentToExecFlow::PathGraph -import JSchOSInjection +private import semmle.code.java.dataflow.ExternalFlow + +private class ActivateModels extends ActiveExperimentalModels { + ActivateModels() { this = "jsch-os-injection" } +} // This is a clone of query `java/command-line-injection` that also includes experimental sinks. from diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll b/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll deleted file mode 100644 index ec1f4d0adfa..00000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-078/JSchOSInjection.qll +++ /dev/null @@ -1,20 +0,0 @@ -/** - * Provides classes for JSch OS command injection detection - */ - -import java - -/** The class `com.jcraft.jsch.ChannelExec`. */ -private class JSchChannelExec extends RefType { - JSchChannelExec() { this.hasQualifiedName("com.jcraft.jsch", "ChannelExec") } -} - -/** A method to set an OS Command for the execution. */ -private class ChannelExecSetCommandMethod extends Method, ExecCallable { - ChannelExecSetCommandMethod() { - this.hasName("setCommand") and - this.getDeclaringType() instanceof JSchChannelExec - } - - override int getAnExecutedArgument() { result = 0 } -} diff --git a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected index 2ae893b5d1d..4616bd7c808 100644 --- a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected +++ b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected @@ -1,22 +1,28 @@ edges -| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... | +| Test.java:6:35:6:44 | arg : String | Test.java:7:44:7:69 | ... + ... : String | | Test.java:6:35:6:44 | arg : String | Test.java:10:61:10:73 | ... + ... : String | | Test.java:6:35:6:44 | arg : String | Test.java:16:13:16:25 | ... + ... : String | | Test.java:6:35:6:44 | arg : String | Test.java:22:15:22:27 | ... + ... : String | +| Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | Test.java:7:25:7:70 | new ..[] { .. } | +| Test.java:7:44:7:69 | ... + ... : String | Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | | Test.java:10:29:10:74 | {...} : String[] [[]] : String | Test.java:10:29:10:74 | new String[] | | Test.java:10:61:10:73 | ... + ... : String | Test.java:10:29:10:74 | {...} : String[] [[]] : String | | Test.java:16:5:16:7 | cmd [post update] : List [] : String | Test.java:18:29:18:31 | cmd | | Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : List [] : String | | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | Test.java:24:29:24:32 | cmd1 | | Test.java:22:15:22:27 | ... + ... : String | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | -| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... | +| Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... : String | +| Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | Test.java:29:25:29:65 | new ..[] { .. } | +| Test.java:29:44:29:64 | ... + ... : String | Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | | Test.java:57:27:57:39 | args : String[] | Test.java:60:20:60:22 | arg : String | | Test.java:57:27:57:39 | args : String[] | Test.java:61:23:61:25 | arg : String | | Test.java:60:20:60:22 | arg : String | Test.java:6:35:6:44 | arg : String | | Test.java:61:23:61:25 | arg : String | Test.java:28:38:28:47 | arg : String | nodes | Test.java:6:35:6:44 | arg : String | semmle.label | arg : String | -| Test.java:7:44:7:69 | ... + ... | semmle.label | ... + ... | +| Test.java:7:25:7:70 | new ..[] { .. } | semmle.label | new ..[] { .. } | +| Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String | semmle.label | new ..[] { .. } : String[] [[]] : String | +| Test.java:7:44:7:69 | ... + ... : String | semmle.label | ... + ... : String | | Test.java:10:29:10:74 | new String[] | semmle.label | new String[] | | Test.java:10:29:10:74 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String | | Test.java:10:61:10:73 | ... + ... : String | semmle.label | ... + ... : String | @@ -27,14 +33,16 @@ nodes | Test.java:22:15:22:27 | ... + ... : String | semmle.label | ... + ... : String | | Test.java:24:29:24:32 | cmd1 | semmle.label | cmd1 | | Test.java:28:38:28:47 | arg : String | semmle.label | arg : String | -| Test.java:29:44:29:64 | ... + ... | semmle.label | ... + ... | +| Test.java:29:25:29:65 | new ..[] { .. } | semmle.label | new ..[] { .. } | +| Test.java:29:25:29:65 | new ..[] { .. } : String[] [[]] : String | semmle.label | new ..[] { .. } : String[] [[]] : String | +| Test.java:29:44:29:64 | ... + ... : String | semmle.label | ... + ... : String | | Test.java:57:27:57:39 | args : String[] | semmle.label | args : String[] | | Test.java:60:20:60:22 | arg : String | semmle.label | arg : String | | Test.java:61:23:61:25 | arg : String | semmle.label | arg : String | subpaths #select -| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:44:7:69 | ... + ... | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value | +| Test.java:7:44:7:69 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:7:25:7:70 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value | | Test.java:10:29:10:74 | new String[] | Test.java:57:27:57:39 | args : String[] | Test.java:10:29:10:74 | new String[] | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value | | Test.java:18:29:18:31 | cmd | Test.java:57:27:57:39 | args : String[] | Test.java:18:29:18:31 | cmd | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value | | Test.java:24:29:24:32 | cmd1 | Test.java:57:27:57:39 | args : String[] | Test.java:24:29:24:32 | cmd1 | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value | -| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:44:29:64 | ... + ... | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value | +| Test.java:29:44:29:64 | ... + ... | Test.java:57:27:57:39 | args : String[] | Test.java:29:25:29:65 | new ..[] { .. } | This command line depends on a $@. | Test.java:57:27:57:39 | args | user-provided value |