Merge pull request #16362 from michaelnebel/java/removelocalqueries

Java: Remove local query variants.
2026-04-24 16:25:15 +02:00 · 2024-05-16 14:34:04 +02:00
parent ea3cc51286 8b0f3af5b1
commit b1329fd806
71 changed files with 182 additions and 459 deletions
--- a/java/ql/automodel/src/AutomodelAlertSinkUtil.qll
+++ b/java/ql/automodel/src/AutomodelAlertSinkUtil.qll
@@ -159,11 +159,7 @@ predicate sinkModelTallyPerQuery(string queryName, int alertCount, SinkModel sin
  SinkTallier<RequestForgeryConfig>::getSinkModelCount(alertCount, sinkModel)
  or
  queryName = "java/command-line-injection" and
-  exists(int c1, int c2 |
-    SinkTallier<RemoteUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c1, sinkModel) and
-    SinkTallier<LocalUserInputToArgumentToExecFlowConfig>::getSinkModelCount(c2, sinkModel) and
-    alertCount = c1 + c2
-  )
+  SinkTallier<InputToArgumentToExecFlowConfig>::getSinkModelCount(alertCount, sinkModel)
  or
  queryName = "java/concatenated-sql-query" and
  SinkTallier<UncontrolledStringBuilderSourceFlowConfig>::getSinkModelCount(alertCount, sinkModel)
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedLocalQuery.qll
@@ -5,9 +5,11 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon

 /**
+ * DEPRECATED: Use `ArithmeticOverflowConfig` instead.
+ *
 * A taint-tracking configuration to reason about arithmetic overflow using local-user-controlled data.
 */
-module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
+deprecated module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
@@ -18,15 +20,17 @@ module ArithmeticTaintedLocalOverflowConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `ArithmeticOverflow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for arithmetic overflow using local-user-controlled data.
 */
-module ArithmeticTaintedLocalOverflowFlow =
+deprecated module ArithmeticTaintedLocalOverflowFlow =
  TaintTracking::Global<ArithmeticTaintedLocalOverflowConfig>;

 /**
 * A taint-tracking configuration to reason about arithmetic underflow using local-user-controlled data.
 */
-module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
+deprecated module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
@@ -37,7 +41,9 @@ module ArithmeticTaintedLocalUnderflowConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `ArithmeticUnderflow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for arithmetic underflow using local-user-controlled data.
 */
-module ArithmeticTaintedLocalUnderflowFlow =
+deprecated module ArithmeticTaintedLocalUnderflowFlow =
  TaintTracking::Global<ArithmeticTaintedLocalUnderflowConfig>;
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -1,11 +1,11 @@
-/** Provides taint-tracking configurations to reason about arithmetic with unvalidated user input. */
+/** Provides taint-tracking configurations to reason about arithmetic with unvalidated input. */

 import java
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.ArithmeticCommon

-/** A taint-tracking configuration to reason about overflow from unvalidated user input. */
-module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
+/** A taint-tracking configuration to reason about overflow from unvalidated input. */
+module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { overflowSink(_, sink.asExpr()) }
@@ -15,8 +15,13 @@ module RemoteUserInputOverflowConfig implements DataFlow::ConfigSig {
  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

-/** A taint-tracking configuration to reason about underflow from unvalidated user input. */
-module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
+/**
+ * DEPRECATED: Use `ArithmeticOverflowConfig` instead.
+ */
+deprecated module RemoteUserInputOverflowConfig = ArithmeticOverflowConfig;
+
+/** A taint-tracking configuration to reason about underflow from unvalidated input. */
+module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { underflowSink(_, sink.asExpr()) }
@@ -26,8 +31,23 @@ module RemoteUserInputUnderflowConfig implements DataFlow::ConfigSig {
  predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 }

-/** Taint-tracking flow for overflow from unvalidated user input. */
-module RemoteUserInputOverflow = TaintTracking::Global<RemoteUserInputOverflowConfig>;
+/**
+ * DEPRECATED: Use `ArithmeticUnderflowConfig` instead.
+ */
+deprecated module RemoteUserInputUnderflowConfig = ArithmeticUnderflowConfig;

-/** Taint-tracking flow for underflow from unvalidated user input. */
-module RemoteUserInputUnderflow = TaintTracking::Global<RemoteUserInputUnderflowConfig>;
+/** Taint-tracking flow for overflow from unvalidated input. */
+module ArithmeticOverflow = TaintTracking::Global<ArithmeticOverflowConfig>;
+
+/**
+ * DEPRECATED: Use `ArithmeticOverflow` instead.
+ */
+deprecated module RemoteUserInputOverflow = ArithmeticOverflow;
+
+/** Taint-tracking flow for underflow from unvalidated input. */
+module ArithmeticUnderflow = TaintTracking::Global<ArithmeticUnderflowConfig>;
+
+/**
+ * DEPRECATED: Use `ArithmeticUnderflow` instead.
+ */
+deprecated module RemoteUserInputUnderflow = ArithmeticUnderflow;
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -48,7 +48,7 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer
 /**
 * A taint-tracking configuration for unvalidated user input that is used to run an external process.
 */
-module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
@@ -61,15 +61,24 @@ module RemoteUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig
 }

 /**
- * Taint-tracking flow for unvalidated user input that is used to run an external process.
+ * DEPRECATED: Use `InputToArgumentToExecFlowConfig` instead.
 */
-module RemoteUserInputToArgumentToExecFlow =
-  TaintTracking::Global<RemoteUserInputToArgumentToExecFlowConfig>;
+deprecated module RemoteUserInputToArgumentToExecFlowConfig = InputToArgumentToExecFlowConfig;
+
+/**
+ * Taint-tracking flow for unvalidated input that is used to run an external process.
+ */
+module InputToArgumentToExecFlow = TaintTracking::Global<InputToArgumentToExecFlowConfig>;
+
+/**
+ * DEPRECATED: Use `InputToArgumentToExecFlow` instead.
+ */
+deprecated module RemoteUserInputToArgumentToExecFlow = InputToArgumentToExecFlow;

 /**
 * A taint-tracking configuration for unvalidated local user input that is used to run an external process.
 */
-module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
+deprecated module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
@@ -82,9 +91,11 @@ module LocalUserInputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `InputToArgumentToExecFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for unvalidated local user input that is used to run an external process.
 */
-module LocalUserInputToArgumentToExecFlow =
+deprecated module LocalUserInputToArgumentToExecFlow =
  TaintTracking::Global<LocalUserInputToArgumentToExecFlowConfig>;

 /**
@@ -93,10 +104,9 @@ module LocalUserInputToArgumentToExecFlow =
 * reporting overlapping results.
 */
 predicate execIsTainted(
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 ) {
-  RemoteUserInputToArgumentToExecFlow::flowPath(source, sink) and
+  InputToArgumentToExecFlow::flowPath(source, sink) and
  argumentToExec(execArg, sink.getNode())
 }

--- a/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExecTaintedLocalQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.security.CommandArguments
 private import semmle.code.java.security.Sanitizers

 /** A taint-tracking configuration to reason about use of externally controlled strings to make command line commands. */
-module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
+deprecated module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
@@ -20,6 +20,8 @@ module ExecTaintedLocalConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRCATED: Unused.
+ *
 * Taint-tracking flow for use of externally controlled strings to make command line commands.
 */
-module ExecTaintedLocalFlow = TaintTracking::Global<ExecTaintedLocalConfig>;
+deprecated module ExecTaintedLocalFlow = TaintTracking::Global<ExecTaintedLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringLocalQuery.qll
@@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.StringFormat

 /** A taint-tracking configuration to reason about externally-controlled format strings from local sources. */
-module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
+deprecated module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -18,7 +18,9 @@ module ExternallyControlledFormatStringLocalConfig implements DataFlow::ConfigSi
 }

 /**
+ * DEPRECATED: Use `ExternallyControlledFormatStringFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for externally-controlled format strings from local sources.
 */
-module ExternallyControlledFormatStringLocalFlow =
+deprecated module ExternallyControlledFormatStringLocalFlow =
  TaintTracking::Global<ExternallyControlledFormatStringLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionLocalQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources
 /**
 * A taint-tracking configuration to reason about improper validation of local user-provided size used for array construction.
 */
-module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
+deprecated module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -16,7 +16,9 @@ module ImproperValidationOfArrayConstructionLocalConfig implements DataFlow::Con
 }

 /**
+ * DEPRECATED: Use `ImproperValidationOfArrayConstructionFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for improper validation of local user-provided size used for array construction.
 */
-module ImproperValidationOfArrayConstructionLocalFlow =
+deprecated module ImproperValidationOfArrayConstructionLocalFlow =
  TaintTracking::Global<ImproperValidationOfArrayConstructionLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexLocalQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources
 /**
 * A taint-tracking configuration to reason about improper validation of local user-provided array index.
 */
-module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
+deprecated module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -20,7 +20,9 @@ module ImproperValidationOfArrayIndexLocalConfig implements DataFlow::ConfigSig
 }

 /**
+ * DEPRECATED: Use `ImproperValidationOfArrayIndexFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for improper validation of local user-provided array index.
 */
-module ImproperValidationOfArrayIndexLocalFlow =
+deprecated module ImproperValidationOfArrayIndexLocalFlow =
  TaintTracking::Global<ImproperValidationOfArrayIndexLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -113,7 +113,7 @@ module NumericCastFlow = TaintTracking::Global<NumericCastFlowConfig>;
 * A taint-tracking configuration for reasoning about local user input that is
 * used in a numeric cast.
 */
-module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
+deprecated module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) {
@@ -134,6 +134,8 @@ module NumericCastLocalFlowConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `NumericCastFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for local user input that is used in a numeric cast.
 */
-module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;
+deprecated module NumericCastLocalFlow = TaintTracking::Global<NumericCastLocalFlowConfig>;
--- a/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ResponseSplittingLocalQuery.qll
@@ -7,7 +7,7 @@ private import semmle.code.java.security.ResponseSplitting
 /**
 * A taint-tracking configuration to reason about response splitting vulnerabilities from local user input.
 */
-module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
+deprecated module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
@@ -32,6 +32,8 @@ module ResponseSplittingLocalConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `ResponseSplittingFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for response splitting vulnerabilities from local user input.
 */
-module ResponseSplittingLocalFlow = TaintTracking::Global<ResponseSplittingLocalConfig>;
+deprecated module ResponseSplittingLocalFlow = TaintTracking::Global<ResponseSplittingLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
@@ -12,7 +12,7 @@ private import semmle.code.java.security.Sanitizers
 * A taint-tracking configuration for reasoning about local user input that is
 * used in a SQL query.
 */
-module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
+deprecated module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
@@ -25,7 +25,9 @@ module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `QueryInjectionFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for local user input that is used in a SQL query.
 */
-module LocalUserInputToQueryInjectionFlow =
+deprecated module LocalUserInputToQueryInjectionFlow =
  TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
--- a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -80,7 +80,7 @@ module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
 /**
 * A taint-tracking configuration for tracking flow from local user input to the creation of a path.
 */
-module TaintedPathLocalConfig implements DataFlow::ConfigSig {
+deprecated module TaintedPathLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof TaintedPathSink }
@@ -95,5 +95,9 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
  }
 }

-/** Tracks flow from local user input to the creation of a path. */
-module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
+/**
+ * DEPRECATED: Use `TaintedPathFlow` instead and configure threat model sources to include `local`.
+ *
+ * Tracks flow from local user input to the creation of a path.
+ */
+deprecated module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/UrlRedirectLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlRedirectLocalQuery.qll
@@ -7,13 +7,15 @@ private import semmle.code.java.security.UrlRedirect
 /**
 * A taint-tracking configuration to reason about URL redirection from local sources.
 */
-module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
+deprecated module UrlRedirectLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 }

 /**
+ * DEPRECATED: Use `UrlRedirectFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for URL redirection from local sources.
 */
-module UrlRedirectLocalFlow = TaintTracking::Global<UrlRedirectLocalConfig>;
+deprecated module UrlRedirectLocalFlow = TaintTracking::Global<UrlRedirectLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
@@ -8,7 +8,7 @@ private import semmle.code.java.security.XSS
 /**
 * A taint-tracking configuration for reasoning about cross-site scripting vulnerabilities from a local source.
 */
-module XssLocalConfig implements DataFlow::ConfigSig {
+deprecated module XssLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
@@ -23,6 +23,8 @@ module XssLocalConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `XssFlow` instead and configure threat model sources to include `local`.
+ *
 * Taint-tracking flow for cross-site scripting vulnerabilities from a local source.
 */
-module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
+deprecated module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
--- a/java/ql/lib/semmle/code/java/security/XxeLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XxeLocalQuery.qll
@@ -27,7 +27,7 @@ deprecated class XxeLocalConfig extends TaintTracking::Configuration {
 /**
 * A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
 */
-module XxeLocalConfig implements DataFlow::ConfigSig {
+deprecated module XxeLocalConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }

  predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
@@ -40,6 +40,8 @@ module XxeLocalConfig implements DataFlow::ConfigSig {
 }

 /**
+ * DEPRECATED: Use `XxeFlow` instead and configure threat model sources to include `local`.
+ *
 * Detect taint flow of unvalidated local user input that is used in XML external entity expansion.
 */
-module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
+deprecated module XxeLocalFlow = TaintTracking::Global<XxeLocalConfig>;
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="TaintedPath.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
@@ -1,24 +0,0 @@
-/**
- * @name Local-user-controlled data in path expression
- * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 7.5
- * @precision medium
- * @id java/path-injection-local
- * @tags security
- *       external/cwe/cwe-022
- *       external/cwe/cwe-023
- *       external/cwe/cwe-036
- *       external/cwe/cwe-073
- */
-
-import java
-import semmle.code.java.security.PathCreation
-import semmle.code.java.security.TaintedPathQuery
-import TaintedPathLocalFlow::PathGraph
-
-from TaintedPathLocalFlow::PathNode source, TaintedPathLocalFlow::PathNode sink
-where TaintedPathLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
-  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -14,11 +14,10 @@

 import java
 import semmle.code.java.security.CommandLineQuery
-import RemoteUserInputToArgumentToExecFlow::PathGraph
+import InputToArgumentToExecFlow::PathGraph

 from
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ExecTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -1,27 +0,0 @@
-/**
- * @name Local-user-controlled command line
- * @description Using externally controlled strings in a command line is vulnerable to malicious
- *              changes in the strings.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.8
- * @precision medium
- * @id java/command-line-injection-local
- * @tags security
- *       external/cwe/cwe-078
- *       external/cwe/cwe-088
- */
-
-import java
-import semmle.code.java.security.CommandLineQuery
-import semmle.code.java.security.ExternalProcess
-import LocalUserInputToArgumentToExecFlow::PathGraph
-
-from
-  LocalUserInputToArgumentToExecFlow::PathNode source,
-  LocalUserInputToArgumentToExecFlow::PathNode sink, Expr e
-where
-  LocalUserInputToArgumentToExecFlow::flowPath(source, sink) and
-  argumentToExec(e, sink.getNode())
-select e, source, sink, "This command line depends on a $@.", source.getNode(),
-  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="XSS.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -1,21 +0,0 @@
-/**
- * @name Cross-site scripting from local source
- * @description Writing user input directly to a web page
- *              allows for a cross-site scripting vulnerability.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 6.1
- * @precision medium
- * @id java/xss-local
- * @tags security
- *       external/cwe/cwe-079
- */
-
-import java
-import semmle.code.java.security.XssLocalQuery
-import XssLocalFlow::PathGraph
-
-from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink
-where XssLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
-  source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="SqlTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -1,24 +0,0 @@
-/**
- * @name Query built from local-user-controlled sources
- * @description Building a SQL or Java Persistence query from user-controlled sources is vulnerable to insertion of
- *              malicious code by the user.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 8.8
- * @precision medium
- * @id java/sql-injection-local
- * @tags security
- *       external/cwe/cwe-089
- *       external/cwe/cwe-564
- */
-
-import java
-import semmle.code.java.security.SqlTaintedLocalQuery
-import LocalUserInputToQueryInjectionFlow::PathGraph
-
-from
-  LocalUserInputToQueryInjectionFlow::PathNode source,
-  LocalUserInputToQueryInjectionFlow::PathNode sink
-where LocalUserInputToQueryInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
-  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ResponseSplitting.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -1,22 +0,0 @@
-/**
- * @name HTTP response splitting from local source
- * @description Writing user input directly to an HTTP header
- *              makes code vulnerable to attack by header splitting.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 6.1
- * @precision medium
- * @id java/http-response-splitting-local
- * @tags security
- *       external/cwe/cwe-113
- */
-
-import java
-import semmle.code.java.security.ResponseSplittingLocalQuery
-import ResponseSplittingLocalFlow::PathGraph
-
-from ResponseSplittingLocalFlow::PathNode source, ResponseSplittingLocalFlow::PathNode sink
-where ResponseSplittingLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink,
-  "This header depends on a $@, which may cause a response-splitting vulnerability.",
-  source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ImproperValidationOfArrayConstruction.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
@@ -1,29 +0,0 @@
-/**
- * @name Improper validation of local user-provided size used for array construction
- * @description Using unvalidated local input as the argument to
- *              a construction of an array can lead to index out of bound exceptions.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 8.8
- * @precision medium
- * @id java/improper-validation-of-array-construction-local
- * @tags security
- *       external/cwe/cwe-129
- */
-
-import java
-import semmle.code.java.security.internal.ArraySizing
-import semmle.code.java.security.ImproperValidationOfArrayConstructionLocalQuery
-import ImproperValidationOfArrayConstructionLocalFlow::PathGraph
-
-from
-  ImproperValidationOfArrayConstructionLocalFlow::PathNode source,
-  ImproperValidationOfArrayConstructionLocalFlow::PathNode sink, Expr sizeExpr,
-  ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess
-where
-  arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sizeExpr, arrayCreation) and
-  sizeExpr = sink.getNode().asExpr() and
-  ImproperValidationOfArrayConstructionLocalFlow::flowPath(source, sink)
-select arrayAccess.getIndexExpr(), source, sink,
-  "This accesses the $@, but the array is initialized using a $@ which may be zero.", arrayCreation,
-  "array", source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ImproperValidationOfArrayIndex.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
@@ -1,27 +0,0 @@
-/**
- * @name Improper validation of local user-provided array index
- * @description Using local user input as an index to an array, without
- *              proper validation, can lead to index out of bound exceptions.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 8.8
- * @precision medium
- * @id java/improper-validation-of-array-index-local
- * @tags security
- *       external/cwe/cwe-129
- */
-
-import java
-import semmle.code.java.security.internal.ArraySizing
-import semmle.code.java.security.ImproperValidationOfArrayIndexLocalQuery
-import ImproperValidationOfArrayIndexLocalFlow::PathGraph
-
-from
-  ImproperValidationOfArrayIndexLocalFlow::PathNode source,
-  ImproperValidationOfArrayIndexLocalFlow::PathNode sink, CheckableArrayAccess arrayAccess
-where
-  arrayAccess.canThrowOutOfBounds(sink.getNode().asExpr()) and
-  ImproperValidationOfArrayIndexLocalFlow::flowPath(source, sink)
-select arrayAccess.getIndexExpr(), source, sink,
-  "This index depends on a $@ which can cause an ArrayIndexOutOfBoundsException.", source.getNode(),
-  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ExternallyControlledFormatString.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -1,25 +0,0 @@
-/**
- * @name Use of externally-controlled format string from local source
- * @description Using external input in format strings can lead to exceptions or information leaks.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.3
- * @precision medium
- * @id java/tainted-format-string-local
- * @tags security
- *       external/cwe/cwe-134
- */
-
-import java
-import semmle.code.java.StringFormat
-import semmle.code.java.security.ExternallyControlledFormatStringLocalQuery
-import ExternallyControlledFormatStringLocalFlow::PathGraph
-
-from
-  ExternallyControlledFormatStringLocalFlow::PathNode source,
-  ExternallyControlledFormatStringLocalFlow::PathNode sink, StringFormat formatCall
-where
-  ExternallyControlledFormatStringLocalFlow::flowPath(source, sink) and
-  sink.getNode().asExpr() = formatCall.getFormatArgument()
-select formatCall.getFormatArgument(), source, sink, "Format string depends on a $@.",
-  source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -18,18 +18,18 @@ import semmle.code.java.security.ArithmeticCommon
 import semmle.code.java.security.ArithmeticTaintedQuery

 module Flow =
-  DataFlow::MergePathGraph<RemoteUserInputOverflow::PathNode, RemoteUserInputUnderflow::PathNode,
-    RemoteUserInputOverflow::PathGraph, RemoteUserInputUnderflow::PathGraph>;
+  DataFlow::MergePathGraph<ArithmeticOverflow::PathNode, ArithmeticUnderflow::PathNode,
+    ArithmeticOverflow::PathGraph, ArithmeticUnderflow::PathGraph>;

 import Flow::PathGraph

 from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
 where
-  RemoteUserInputOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
+  ArithmeticOverflow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
  overflowSink(exp, sink.getNode().asExpr()) and
  effect = "overflow"
  or
-  RemoteUserInputUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
+  ArithmeticUnderflow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
  underflowSink(exp, sink.getNode().asExpr()) and
  effect = "underflow"
 select exp, source, sink,
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="ArithmeticTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
@@ -1,38 +0,0 @@
-/**
- * @name Local-user-controlled data in arithmetic expression
- * @description Arithmetic operations on user-controlled data that is not validated can cause
- *              overflows.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 8.6
- * @precision medium
- * @id java/tainted-arithmetic-local
- * @tags security
- *       external/cwe/cwe-190
- *       external/cwe/cwe-191
- */
-
-import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.security.ArithmeticCommon
-import semmle.code.java.security.ArithmeticTaintedLocalQuery
-
-module Flow =
-  DataFlow::MergePathGraph<ArithmeticTaintedLocalOverflowFlow::PathNode,
-    ArithmeticTaintedLocalUnderflowFlow::PathNode, ArithmeticTaintedLocalOverflowFlow::PathGraph,
-    ArithmeticTaintedLocalUnderflowFlow::PathGraph>;
-
-import Flow::PathGraph
-
-from Flow::PathNode source, Flow::PathNode sink, ArithExpr exp, string effect
-where
-  ArithmeticTaintedLocalOverflowFlow::flowPath(source.asPathNode1(), sink.asPathNode1()) and
-  overflowSink(exp, sink.getNode().asExpr()) and
-  effect = "overflow"
-  or
-  ArithmeticTaintedLocalUnderflowFlow::flowPath(source.asPathNode2(), sink.asPathNode2()) and
-  underflowSink(exp, sink.getNode().asExpr()) and
-  effect = "underflow"
-select exp, source, sink,
-  "This arithmetic expression depends on a $@, potentially causing an " + effect + ".",
-  source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="UrlRedirect.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
@@ -1,21 +0,0 @@
-/**
- * @name URL redirection from local source
- * @description URL redirection based on unvalidated user-input
- *              may cause redirection to malicious web sites.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 6.1
- * @precision medium
- * @id java/unvalidated-url-redirection-local
- * @tags security
- *       external/cwe/cwe-601
- */
-
-import java
-import semmle.code.java.security.UrlRedirectLocalQuery
-import UrlRedirectLocalFlow::PathGraph
-
-from UrlRedirectLocalFlow::PathNode source, UrlRedirectLocalFlow::PathNode sink
-where UrlRedirectLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
-  "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="XXE.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-611/XXELocal.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXELocal.ql
@@ -1,25 +0,0 @@
-/**
- * @name Resolving XML external entity in user-controlled data from local source
- * @description Parsing user-controlled XML documents and allowing expansion of external entity
- * references may lead to disclosure of confidential data or denial of service.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.1
- * @precision medium
- * @id java/xxe-local
- * @tags security
- *       external/cwe/cwe-611
- *       external/cwe/cwe-776
- *       external/cwe/cwe-827
- */
-
-import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.security.XxeLocalQuery
-import XxeLocalFlow::PathGraph
-
-from XxeLocalFlow::PathNode source, XxeLocalFlow::PathNode sink
-where XxeLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink,
-  "XML parsing depends on a $@ without guarding against external entity expansion.",
-  source.getNode(), "user-provided value"
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.qhelp
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.qhelp
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="NumericCastTainted.qhelp" /></qhelp>
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
@@ -1,29 +0,0 @@
-/**
- * @name Local-user-controlled data in numeric cast
- * @description Casting user-controlled numeric data to a narrower type without validation
- *              can cause unexpected truncation.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 9.0
- * @precision medium
- * @id java/tainted-numeric-cast-local
- * @tags security
- *       external/cwe/cwe-197
- *       external/cwe/cwe-681
- */
-
-import java
-import semmle.code.java.security.NumericCastTaintedQuery
-import NumericCastLocalFlow::PathGraph
-
-from
-  NumericCastLocalFlow::PathNode source, NumericCastLocalFlow::PathNode sink,
-  NumericNarrowingCastExpr exp, VarAccess tainted
-where
-  exp.getExpr() = tainted and
-  sink.getNode().asExpr() = tainted and
-  NumericCastLocalFlow::flowPath(source, sink) and
-  not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
-select exp, source, sink,
-  "This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
-  "user-provided value"
--- a/java/ql/src/change-notes/2024-05-01-remove-local-query-variants.md
+++ b/java/ql/src/change-notes/2024-05-01-remove-local-query-variants.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* Removed `local` query variants. The results pertaining to local sources can be found using the non-local counterpart query. As an example, the results previously found by `java/unvalidated-url-redirection-local` can be found by `java/unvalidated-url-redirection`, if the `local` threat model is enabled. The removed queries are `java/path-injection-local`, `java/command-line-injection-local`, `java/xss-local`, `java/sql-injection-local`, `java/http-response-splitting-local`, `java/improper-validation-of-array-construction-local`, `java/improper-validation-of-array-index-local`, `java/tainted-format-string-local`, `java/tainted-arithmetic-local`, `java/unvalidated-url-redirection-local`, `java/xxe-local` and `java/tainted-numeric-cast-local`.
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -14,7 +14,7 @@

 import java
 import semmle.code.java.security.CommandLineQuery
-import RemoteUserInputToArgumentToExecFlow::PathGraph
+import InputToArgumentToExecFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow

 private class ActivateModels extends ActiveExperimentalModels {
@@ -23,8 +23,7 @@ private class ActivateModels extends ActiveExperimentalModels {

 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
 from
-  RemoteUserInputToArgumentToExecFlow::PathNode source,
-  RemoteUserInputToArgumentToExecFlow::PathNode sink, Expr execArg
+  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
 where execIsTainted(source, sink, execArg)
 select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
  "user-provided value"
--- a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected
--- a/java/ql/test/query-tests/security/CWE-078/ExecTainted.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-078/ExecTainted.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-078/ExecTainted.qlref
+++ b/java/ql/test/query-tests/security/CWE-078/ExecTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-078/ExecTainted.ql
--- a/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-078/ExecTaintedLocal.ql
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-089/SqlTaintedLocal.ql
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.expected
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.qlref
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.expected
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.qlref
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.expected
@@ -1,12 +1,28 @@
 edges
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | provenance | Src:MaD:43040  |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42905 |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42908 |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | provenance | Src:MaD:43040  |
+| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | provenance | Src:MaD:43040  |
 | Test.java:33:30:33:74 | getParameter(...) : String | Test.java:34:20:34:32 | userParameter : String | provenance | Src:MaD:44662  |
 | Test.java:34:20:34:32 | userParameter : String | Test.java:37:31:37:43 | format : String | provenance |  |
 | Test.java:37:31:37:43 | format : String | Test.java:39:25:39:30 | format | provenance |  Sink:MaD:42905 |
 nodes
+| Test.java:17:27:17:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
+| Test.java:19:19:19:30 | userProperty | semmle.label | userProperty |
+| Test.java:21:23:21:34 | userProperty | semmle.label | userProperty |
+| Test.java:23:23:23:34 | userProperty | semmle.label | userProperty |
+| Test.java:25:28:25:39 | userProperty | semmle.label | userProperty |
+| Test.java:27:44:27:55 | userProperty | semmle.label | userProperty |
 | Test.java:33:30:33:74 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | Test.java:34:20:34:32 | userParameter : String | semmle.label | userParameter : String |
 | Test.java:37:31:37:43 | format : String | semmle.label | format : String |
 | Test.java:39:25:39:30 | format | semmle.label | format |
 subpaths
 #select
+| Test.java:19:19:19:30 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:21:23:21:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:23:23:23:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:25:28:25:39 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
+| Test.java:27:44:27:55 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
 | Test.java:39:25:39:30 | format | Test.java:33:30:33:74 | getParameter(...) : String | Test.java:39:25:39:30 | format | Format string depends on a $@. | Test.java:33:30:33:74 | getParameter(...) | user-provided value |
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.expected
@@ -1,20 +0,0 @@
-edges
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | provenance | Src:MaD:43040  |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42905 |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | provenance | Src:MaD:43040  Sink:MaD:42908 |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | provenance | Src:MaD:43040  |
-| Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | provenance | Src:MaD:43040  |
-nodes
-| Test.java:17:27:17:60 | getProperty(...) : String | semmle.label | getProperty(...) : String |
-| Test.java:19:19:19:30 | userProperty | semmle.label | userProperty |
-| Test.java:21:23:21:34 | userProperty | semmle.label | userProperty |
-| Test.java:23:23:23:34 | userProperty | semmle.label | userProperty |
-| Test.java:25:28:25:39 | userProperty | semmle.label | userProperty |
-| Test.java:27:44:27:55 | userProperty | semmle.label | userProperty |
-subpaths
-#select
-| Test.java:19:19:19:30 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:19:19:19:30 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:21:23:21:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:21:23:21:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:23:23:23:34 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:23:23:23:34 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:25:28:25:39 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:25:28:25:39 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
-| Test.java:27:44:27:55 | userProperty | Test.java:17:27:17:60 | getProperty(...) : String | Test.java:27:44:27:55 | userProperty | Format string depends on a $@. | Test.java:17:27:17:60 | getProperty(...) | user-provided value |
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatStringLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.expected
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.qlref
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-190/ArithmeticTainted.ql
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTaintedLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.expected
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.ext.yml
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref
@@ -0,0 +1 @@
+Security/CWE/CWE-681/NumericCastTainted.ql
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.qlref
+++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTaintedLocal.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-681/NumericCastTaintedLocal.ql
				`@@ -0,0 +1 @@`
				`Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql`
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql`
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql`
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-190/ArithmeticTaintedLocal.ql`
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-681/NumericCastTaintedLocal.ql`