Java: update qhelp

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp

@@ -1,43 +1,35 @@
 <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>Spring Boot is a popular framework that facilitates the development of stand-alone applications
-and micro services. Spring Boot Actuator helps to expose production-ready support features against
-Spring Boot applications.</p>
-
-    <p>Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application.
-Exposing unprotected actuator endpoints through configuration files can lead to information disclosure
-or even remote code execution vulnerability.</p>
-
-    <p>Rather than programmatically permitting endpoint requests or enforcing access control, frequently
-developers simply leave management endpoints publicly accessible in the application configuration file
-<code>application.properties</code> without enforcing access control through Spring Security.</p>
+    <p>Spring Boot includes features called actuators that let you monitor and interact with your web
+    application. Exposing unprotected actuator endpoints through configuration files can lead to
+    information disclosure or even to remote code execution.</p>
   </overview>
 
   <recommendation>
-    <p>Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce
-security checks on management endpoints using Spring Security. Otherwise accessing management endpoints
-on a different HTTP port other than the port that the web application is listening on also helps to
-improve the security.</p>
+    <p>Since actuator endpoints may contain sensitive information, carefully consider when to expose them,
+    and secure them as you would any sensitive URL. If you need to expose actuator endpoints, use Spring
+    Security, which secures actuators by default, or define a custom security configuration.
+    </p>
   </recommendation>
 
   <example>
-    <p>The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration,
-no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration,
-security is enforced and only endpoints requiring exposure are exposed.</p>
+    <p>The following examples show <code>application.properties</code> configurations that expose sensitive
+    actuator endpoints.</p>
+    <sample src="application_bad.properties" />
+
+    <p>The below configurations ensure that sensitive actuator endpoints are not exposed.</p>
+    <sample src="application_good.properties" />
+
+    <p>To use Spring Security, which secures actuators by default, add the <code>spring-boot-starter-security</code>
+    dependency in your Maven <code>pom.xml</code> file.</p>
     <sample src="pom_good.xml" />
-    <sample src="pom_bad.xml" />
-    <sample src="application.properties" />
   </example>
 
   <references>
     <li>
-      Spring Boot documentation:
-      <a href="https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html">Spring Boot Actuator: Production-ready Features</a>
-    </li>
-    <li>
-      VERACODE Blog:
-      <a href="https://www.veracode.com/blog/research/exploiting-spring-boot-actuators">Exploiting Spring Boot Actuators</a>
+      Spring Boot Reference Documentation:
+      <a href="https://docs.spring.io/spring-boot/reference/actuator/endpoints.html">Endpoints</a>.
     </li>
     <li>
       HackerOne Report:

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties

@@ -1,22 +0,0 @@
-#management.endpoints.web.base-path=/admin
-
-
-#### BAD: All management endpoints are accessible ####
-# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
-
-# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
-management.security.enabled=false
-
-# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
-management.endpoints.web.exposure.include=*
-
-
-#### GOOD: All management endpoints have access control ####
-# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
-management.security.enabled=true
-
-# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
-management.security.enabled=true
-
-# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
-management.endpoints.web.exposure.include=beans,info,health

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_bad.properties

@@ -0,0 +1,10 @@
+# vulnerable configuration (Spring Boot 1.0 - 1.4): exposes endpoints by default
+
+# vulnerable configuration (Spring Boot 1.5): false value exposes endpoints
+management.security.enabled=false
+
+# vulnerable configuration (Spring Boot 2.x): exposes all endpoints
+management.endpoints.web.exposure.include=*
+
+# vulnerable configuration (Spring Boot 3.x): exposes all endpoints
+management.endpoints.web.exposure.include=*

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application_good.properties

@@ -0,0 +1,11 @@
+# safe configuration (Spring Boot 1.0 - 1.4)
+management.security.enabled=true
+
+# safe configuration (Spring Boot 1.5+)
+management.security.enabled=true
+
+# safe configuration (Spring Boot 2.x): exposes health and info only by default
+management.endpoints.web.exposure.include=health,info
+
+# safe configuration (Spring Boot 3.x): exposes health only by default
+management.endpoints.web.exposure.include=health

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml

@@ -1,50 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-
-    <groupId>spring-boot-actuator-app</groupId>
-    <artifactId>spring-boot-actuator-app</artifactId>
-    <version>1.0-SNAPSHOT</version>
-
-    <properties>
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <maven.compiler.source>1.8</maven.compiler.source>
-        <maven.compiler.target>1.8</maven.compiler.target>
-    </properties>
-
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.3.8.RELEASE</version>
-        <relativePath/>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-actuator</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-devtools</artifactId>
-        </dependency>
-
-        <!-- BAD: No Spring Security enabled -->
-        <!-- dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-security</artifactId>
-        </dependency -->
-
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-test</artifactId>
-        </dependency>
-    </dependencies>
-
-</project>

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml

@@ -1,50 +1,12 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-
-    <groupId>spring-boot-actuator-app</groupId>
-    <artifactId>spring-boot-actuator-app</artifactId>
-    <version>1.0-SNAPSHOT</version>
-
-    <properties>
-        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <maven.compiler.source>1.8</maven.compiler.source>
-        <maven.compiler.target>1.8</maven.compiler.target>
-    </properties>
-
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.3.8.RELEASE</version>
-        <relativePath/>
-    </parent>
-
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
+...
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-devtools</artifactId>
-        </dependency>
 
         <!-- GOOD: Enable Spring Security -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
         </dependency>
-
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-test</artifactId>
-        </dependency>
-    </dependencies>
-
-</project>
+...