Convert all command injection sinks to MaD format

java/ql/lib/semmle/code/java/JDK.qll

@@ -3,7 +3,6 @@
  */
 
 import Member
-import semmle.code.java.security.ExternalProcess
 private import semmle.code.java.dataflow.FlowSteps
 
 // --- Standard types ---
@@ -198,39 +197,6 @@ class TypeFile extends Class {
 }
 
 // --- Standard methods ---
-/**
- * Any constructor of class `java.lang.ProcessBuilder`.
- */
-class ProcessBuilderConstructor extends Constructor, ExecCallable {
-  ProcessBuilderConstructor() { this.getDeclaringType() instanceof TypeProcessBuilder }
-
-  override int getAnExecutedArgument() { result = 0 }
-}
-
-/**
- * Any of the methods named `command` on class `java.lang.ProcessBuilder`.
- */
-class MethodProcessBuilderCommand extends Method, ExecCallable {
-  MethodProcessBuilderCommand() {
-    this.hasName("command") and
-    this.getDeclaringType() instanceof TypeProcessBuilder
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}
-
-/**
- * Any method named `exec` on class `java.lang.Runtime`.
- */
-class MethodRuntimeExec extends Method, ExecCallable {
-  MethodRuntimeExec() {
-    this.hasName("exec") and
-    this.getDeclaringType() instanceof TypeRuntime
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}
-
 /**
  * Any method named `getenv` on class `java.lang.System`.
  */

java/ql/lib/semmle/code/java/frameworks/apache/Exec.qll

@@ -1,29 +0,0 @@
-/** Definitions related to the Apache Commons Exec library. */
-
-import semmle.code.java.Type
-import semmle.code.java.security.ExternalProcess
-
-/** The class `org.apache.commons.exec.CommandLine`. */
-private class TypeCommandLine extends Class {
-  TypeCommandLine() { this.hasQualifiedName("org.apache.commons.exec", "CommandLine") }
-}
-
-/** The `parse()` method of the class `org.apache.commons.exec.CommandLine`. */
-private class MethodCommandLineParse extends Method, ExecCallable {
-  MethodCommandLineParse() {
-    this.getDeclaringType() instanceof TypeCommandLine and
-    this.hasName("parse")
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}
-
-/** The `addArguments()` method of the class `org.apache.commons.exec.CommandLine`. */
-private class MethodCommandLineAddArguments extends Method, ExecCallable {
-  MethodCommandLineAddArguments() {
-    this.getDeclaringType() instanceof TypeCommandLine and
-    this.hasName("addArguments")
-  }
-
-  override int getAnExecutedArgument() { result = 0 }
-}

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -10,8 +10,8 @@
 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
-private import semmle.code.java.security.ExternalProcess
 private import semmle.code.java.security.CommandArguments
+private import semmle.code.java.security.ExternalProcess
 
 /** A sink for command injection vulnerabilities. */
 abstract class CommandInjectionSink extends DataFlow::Node { }
@@ -33,9 +33,7 @@ class CommandInjectionAdditionalTaintStep extends Unit {
 }
 
 private class DefaultCommandInjectionSink extends CommandInjectionSink {
-  DefaultCommandInjectionSink() {
-    this.asExpr() instanceof ArgumentToExec or sinkNode(this, "command-injection")
-  }
+  DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
 }
 
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
@@ -100,7 +98,7 @@ predicate execIsTainted(
   RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
 ) {
   RemoteUserInputToArgumentToExecFlow::flowPath(source, sink) and
-  sink.getNode().asExpr() = execArg
+  argumentToExec(execArg, sink.getNode())
 }
 
 /**
@@ -112,7 +110,7 @@ predicate execIsTainted(
  */
 deprecated predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, Expr execArg) {
   exists(RemoteUserInputToArgumentToExecFlowConfig conf |
-    conf.hasFlowPath(source, sink) and sink.getNode().asExpr() = execArg
+    conf.hasFlowPath(source, sink) and argumentToExec(execArg, sink.getNode())
   )
 }
 

java/ql/lib/semmle/code/java/security/ExternalProcess.qll

@@ -1,16 +1,13 @@
 /** Definitions related to external processes. */
 
 import semmle.code.java.Member
-
-private module Instances {
-  private import semmle.code.java.JDK
-  private import semmle.code.java.frameworks.apache.Exec
-}
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.security.CommandLineQuery
 
 /**
- * A callable that executes a command.
+ * DEPRECATED: A callable that executes a command.
  */
-abstract class ExecCallable extends Callable {
+abstract deprecated class ExecCallable extends Callable {
   /**
    * Gets the index of an argument that will be part of the command that is executed.
    */
@@ -23,13 +20,19 @@ abstract class ExecCallable extends Callable {
  * to be executed.
  */
 class ArgumentToExec extends Expr {
-  ArgumentToExec() {
-    exists(Call execCall, ExecCallable execCallable, int i |
-      execCall.getArgument(pragma[only_bind_into](i)) = this and
-      execCallable = execCall.getCallee() and
-      i = execCallable.getAnExecutedArgument()
-    )
-  }
+  ArgumentToExec() { argumentToExec(this, _) }
+}
+
+/**
+ * Holds if `e` is an expression used as an argument to a call that executes an external command.
+ * For calls to varargs method calls, this only includes the first argument, which will be the command
+ * to be executed.
+ */
+predicate argumentToExec(Expr e, CommandInjectionSink s) {
+  s.asExpr() = e
+  or
+  e.(Argument).isNthVararg(0) and
+  s.(DataFlow::ImplicitVarargsArray).getCall() = e.(Argument).getCall()
 }
 
 /**