Merge pull request #7136 from atorralba/atorralba/promote-insecure-trustmanager

Java: Promote Insecure TrustManager from experimental

java/ql/lib/semmle/code/java/security/InsecureTrustManager.qll

@@ -1,28 +1,52 @@
-/**
+/** Provides classes and predicates to reason about insecure `TrustManager`s. */
- * @name `TrustManager` that accepts all certificates
- * @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id java/insecure-trustmanager
- * @tags security
- *       external/cwe/cwe-295
- */
 
 import java
-import semmle.code.java.controlflow.Guards
+private import semmle.code.java.controlflow.Guards
-import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.security.Encryption
-import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.SecurityFlag
-import semmle.code.java.security.Encryption
+
-import semmle.code.java.security.SecurityFlag
+/** The creation of an insecure `TrustManager`. */
-import DataFlow::PathGraph
+abstract class InsecureTrustManagerSource extends DataFlow::Node { }
+
+private class DefaultInsecureTrustManagerSource extends InsecureTrustManagerSource {
+  DefaultInsecureTrustManagerSource() {
+    this.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
+  }
+}
+
+/**
+ * The use of a `TrustManager` in an SSL context.
+ * Intentionally insecure connections are not considered sinks.
+ */
+abstract class InsecureTrustManagerSink extends DataFlow::Node {
+  InsecureTrustManagerSink() { not isGuardedByInsecureFlag(this) }
+}
+
+private class DefaultInsecureTrustManagerSink extends InsecureTrustManagerSink {
+  DefaultInsecureTrustManagerSink() {
+    exists(MethodAccess ma, Method m |
+      m.hasName("init") and
+      m.getDeclaringType() instanceof SSLContext and
+      ma.getMethod() = m
+    |
+      ma.getArgument(1) = this.asExpr()
+    )
+  }
+}
+
+/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
+private predicate isGuardedByInsecureFlag(DataFlow::Node node) {
+  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
+    g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
+  )
+}
 
 /**
  * An insecure `X509TrustManager`.
  * An `X509TrustManager` is considered insecure if it never throws a `CertificateException`
  * and therefore implicitly trusts any certificate as valid.
  */
-class InsecureX509TrustManager extends RefType {
+private class InsecureX509TrustManager extends RefType {
   InsecureX509TrustManager() {
     this.getASupertype*() instanceof X509TrustManager and
     exists(Method m |
@@ -59,27 +83,6 @@ private predicate mayThrowCertificateException(Method m) {
   )
 }
 
-/**
- * A configuration to model the flow of an `InsecureX509TrustManager` to an `SSLContext.init` call.
- */
-class InsecureTrustManagerConfiguration extends TaintTracking::Configuration {
-  InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) {
-    source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof InsecureX509TrustManager
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, Method m |
-      m.hasName("init") and
-      m.getDeclaringType() instanceof SSLContext and
-      ma.getMethod() = m
-    |
-      ma.getArgument(1) = sink.asExpr()
-    )
-  }
-}
-
 /**
  * Flags suggesting a deliberately insecure `TrustManager` usage.
  */
@@ -98,20 +101,3 @@ private class InsecureTrustManagerFlag extends FlagKind {
 private Guard getAnInsecureTrustManagerFlagGuard() {
   result = any(InsecureTrustManagerFlag flag).getAFlag().asExpr()
 }
-
-/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
-private predicate isNodeGuardedByFlag(DataFlow::Node node) {
-  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
-    g = getASecurityFeatureFlagGuard() or g = getAnInsecureTrustManagerFlagGuard()
-  )
-}
-
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, InsecureTrustManagerConfiguration cfg,
-  RefType trustManager
-where
-  cfg.hasFlowPath(source, sink) and
-  not isNodeGuardedByFlag(sink.getNode()) and
-  trustManager = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
-select sink, source, sink, "$@ that is defined $@ and trusts any certificate, is used here.",
-  source, "This trustmanager", trustManager, "here"

java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll

@@ -0,0 +1,25 @@
+/** Provides taint tracking configurations to be used in Trust Manager queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.InsecureTrustManager
+
+/**
+ * A configuration to model the flow of an insecure `TrustManager`
+ * to the initialization of an SSL context.
+ */
+class InsecureTrustManagerConfiguration extends DataFlow::Configuration {
+  InsecureTrustManagerConfiguration() { this = "InsecureTrustManagerConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof InsecureTrustManagerSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }
+
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalFlowStep(node, _)) and
+    node.getType() instanceof Array and
+    c instanceof DataFlow::ArrayContent
+  }
+}

java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.qhelp

@@ -4,8 +4,8 @@
 <qhelp>
 <overview>
 <p>
-If the <code>checkServerTrusted</code> method of a <code>TrustManager</code> never throws a <code>CertificateException</code> it trusts every certificate.
+If the <code>checkServerTrusted</code> method of a <code>TrustManager</code> never throws a <code>CertificateException</code>, it trusts every certificate.
-This allows an attacker to perform a machine-in-the-middle attack against the application therefore breaking any security Transport Layer Security (TLS) gives.
+This allows an attacker to perform a machine-in-the-middle attack against the application, therefore breaking any security Transport Layer Security (TLS) gives.
 </p>
 
 <p>
@@ -42,6 +42,6 @@ is loaded into a <code>KeyStore</code>. This explicitly defines the certificate
 </example>
 
 <references>
-<li>Android Develoers:<a href="https://developer.android.com/training/articles/security-ssl">Security with HTTPS and SSL</a>.</li>
+<li>Android Developers: <a href="https://developer.android.com/training/articles/security-ssl">Security with HTTPS and SSL</a>.</li>
 </references>
 </qhelp>

java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql

@@ -0,0 +1,21 @@
+/**
+ * @name `TrustManager` that accepts all certificates
+ * @description Trusting all certificates allows an attacker to perform a machine-in-the-middle attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id java/insecure-trustmanager
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.InsecureTrustManagerQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink
+where any(InsecureTrustManagerConfiguration cfg).hasFlowPath(source, sink)
+select sink, source, sink, "This $@, which is defined $@ and trusts any certificate, is used here.",
+  source, "TrustManager", source.getNode().asExpr().(ClassInstanceExpr).getConstructedType(), "here"

java/ql/src/change-notes/2021-11-15-insecure-trustamanger-query.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The query "`TrustManager` that accepts all certificates" (`java/insecure-trustmanager`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @intrigus-lgtm](https://github.com/github/codeql/pull/4879).

java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.expected

@@ -1,109 +0,0 @@
-edges
-| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager |
-| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:131:23:131:34 | trustManager |
-| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager |
-| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:173:23:173:34 | trustManager |
-| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager |
-| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:215:23:215:34 | trustManager |
-| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager |
-| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager |
-| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager |
-| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager |
-| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager |
-| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager |
-| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager |
-| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager |
-| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager |
-| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager |
-| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager |
-| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager |
-| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager |
-nodes
-| InsecureTrustManagerTest.java:121:33:121:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:130:34:130:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:130:55:130:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:131:23:131:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:151:34:151:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:172:34:172:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:172:55:172:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:173:23:173:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:193:34:193:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:214:34:214:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:214:55:214:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:215:23:215:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:235:34:235:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:257:34:257:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:280:34:280:82 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:305:33:305:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:319:33:319:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:333:33:333:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:347:33:347:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:361:33:361:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:375:33:375:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:390:33:390:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:405:33:405:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | semmle.label | trustManager |
-| InsecureTrustManagerTest.java:414:33:414:81 | {...} [[]] : InsecureTrustManager | semmle.label | {...} [[]] : InsecureTrustManager |
-| InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | semmle.label | new InsecureTrustManager(...) : InsecureTrustManager |
-| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | semmle.label | trustManager |
-subpaths
-#select
-| InsecureTrustManagerTest.java:122:22:122:33 | trustManager | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:122:22:122:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:121:54:121:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:152:23:152:34 | trustManager | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:152:23:152:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:151:55:151:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:194:23:194:34 | trustManager | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:194:23:194:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:193:55:193:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:236:23:236:34 | trustManager | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:236:23:236:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:235:55:235:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:258:23:258:34 | trustManager | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:258:23:258:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:257:55:257:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:281:23:281:34 | trustManager | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:281:23:281:34 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:280:55:280:80 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:306:22:306:33 | trustManager | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:306:22:306:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:305:54:305:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:320:22:320:33 | trustManager | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:320:22:320:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:319:54:319:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:334:22:334:33 | trustManager | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:334:22:334:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:333:54:333:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:348:22:348:33 | trustManager | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:348:22:348:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:347:54:347:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:362:22:362:33 | trustManager | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:362:22:362:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:361:54:361:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:376:22:376:33 | trustManager | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:376:22:376:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:375:54:375:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:391:22:391:33 | trustManager | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:391:22:391:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:390:54:390:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:406:22:406:33 | trustManager | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:406:22:406:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:405:54:405:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |
-| InsecureTrustManagerTest.java:415:22:415:33 | trustManager | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | InsecureTrustManagerTest.java:415:22:415:33 | trustManager | $@ that is defined $@ and trusts any certificate, is used here. | InsecureTrustManagerTest.java:414:54:414:79 | new InsecureTrustManager(...) : InsecureTrustManager | This trustmanager | InsecureTrustManagerTest.java:35:23:35:42 | InsecureTrustManager | here |

java/ql/test/experimental/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManager.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-295/InsecureTrustManager.ql

java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.java

@@ -39,14 +39,12 @@ public class InsecureTrustManagerTest {
 		}
 
 		@Override
-		public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+		public void checkServerTrusted(X509Certificate[] chain, String authType)
-			// BAD: Does not verify the certificate chain, allowing any certificate.
+				throws CertificateException {}
-		}
 
 		@Override
-		public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+		public void checkClientTrusted(X509Certificate[] chain, String authType)
-
+				throws CertificateException {}
-		}
 	}
 
 	public static void main(String[] args) throws Exception {
@@ -88,8 +86,9 @@ public class InsecureTrustManagerTest {
 
 	}
 
-	private static void directSecureTrustManagerCall() throws NoSuchAlgorithmException, KeyStoreException, IOException,
+	private static void directSecureTrustManagerCall()
-			CertificateException, FileNotFoundException, KeyManagementException, MalformedURLException {
+			throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException,
+			FileNotFoundException, KeyManagementException, MalformedURLException {
 		SSLContext context = SSLContext.getInstance("TLS");
 		File certificateFile = new File("path/to/self-signed-certificate");
 		// Create a `KeyStore` with default type
@@ -98,49 +97,46 @@ public class InsecureTrustManagerTest {
 		keyStore.load(null, null);
 		X509Certificate generatedCertificate;
 		try (InputStream cert = new FileInputStream(certificateFile)) {
-			generatedCertificate = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(cert);
+			generatedCertificate = (X509Certificate) CertificateFactory.getInstance("X509")
+					.generateCertificate(cert);
 		}
 		// Add the self-signed certificate to the key store
 		keyStore.setCertificateEntry(certificateFile.getName(), generatedCertificate);
 		// Get default `TrustManagerFactory`
-		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+		TrustManagerFactory tmf =
+				TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 		// Use it with our modified key store that trusts our self-signed certificate
 		tmf.init(keyStore);
 		TrustManager[] trustManagers = tmf.getTrustManagers();
-		context.init(null, trustManagers, null); // GOOD, we are not using a custom `TrustManager` but instead have
+		// we are not using a custom `TrustManager` but instead have added the self-signed
-													// added the self-signed certificate we want to trust to the key
+		// certificate we want to trust to the key store. Note, the `trustManagers` will **only**
-													// store. Note, the `trustManagers` will **only** trust this one
+		// trust this one certificate.
-													// certificate.
+		context.init(null, trustManagers, null); // Safe
 		URL url = new URL("https://self-signed.badssl.com/");
 		HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
 		conn.setSSLSocketFactory(context.getSocketFactory());
 	}
 
-	private static void directInsecureTrustManagerCall() throws NoSuchAlgorithmException, KeyManagementException {
+	private static void directInsecureTrustManagerCall()
+			throws NoSuchAlgorithmException, KeyManagementException {
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-												// chain, allowing any certificate.
 	}
 
 	private static void namedVariableFlagDirectInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (TRUST_ALL) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // Safe: guarded by feature flag
-			// chain, allowing any certificate. BUT it is guarded
-			// by a feature flag.
 		}
 	}
 
 	private static void namedVariableFlagIndirectInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (TRUST_ALL) {
-			disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
+			disableTrustManager(); // Safe: guarded by feature flag
-			// method that install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. BUT it is guarded
-			// by a feature flag.
 		}
 	}
 
@@ -148,20 +144,15 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // $ hasValueFlow
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
 	private static void noNamedVariableFlagIndirectInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (SOME_NAME_THAT_IS_NOT_A_FLAG_NAME) {
-			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			disableTrustManager(); // Alert is in the method
-									// install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
@@ -169,20 +160,15 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // Safe: guarded by feature flag
-			// chain, allowing any certificate. BUT it is guarded
-			// by a feature flag.
 		}
 	}
 
 	private static void stringLiteralFlagIndirectInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (Boolean.parseBoolean(System.getProperty("TRUST_ALL"))) {
-			disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
+			disableTrustManager(); // Safe: guarded by feature flag
-			// method that install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. BUT it is guarded
-			// by a feature flag.
 		}
 	}
 
@@ -190,20 +176,15 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // $ hasValueFlow
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
 	private static void noStringLiteralFlagIndirectInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (Boolean.parseBoolean(System.getProperty("SOME_NAME_THAT_IS_NOT_A_FLAG_NAME"))) {
-			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			disableTrustManager(); // Alert is in the method
-			// install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
@@ -211,20 +192,15 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (isDisableTrust()) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // GOOD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // Safe: guarded by feature flag
-			// chain, allowing any certificate. BUT it is guarded
-			// by a feature flag.
 		}
 	}
 
 	private static void methodAccessFlagIndirectInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (isDisableTrust()) {
-			disableTrustManager(); // GOOD [But the disableTrustManager method itself is still detected]: Calls a
+			disableTrustManager(); // Safe: guarded by feature flag
-			// method that install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. BUT it is guarded
-			// by a feature flag.
 		}
 	}
 
@@ -232,20 +208,15 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (is42TheAnswerForEverything()) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // $ hasValueFlow
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
 	private static void noMethodAccessFlagIndirectInsecureTrustManagerCall()
 			throws NoSuchAlgorithmException, KeyManagementException {
 		if (is42TheAnswerForEverything()) {
-			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			disableTrustManager(); // Alert is in the method
-			// install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
@@ -254,10 +225,8 @@ public class InsecureTrustManagerTest {
 		String schemaFromHttpRequest = "HTTPS";
 		if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // $ hasValueFlow
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
@@ -265,10 +234,7 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		String schemaFromHttpRequest = "HTTPS";
 		if (schemaFromHttpRequest.equalsIgnoreCase("https")) {
-			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			disableTrustManager(); // Alert is in the method
-			// install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
@@ -277,10 +243,8 @@ public class InsecureTrustManagerTest {
 		String schemaFromHttpRequest = "HTTPS";
 		if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
 			SSLContext context = SSLContext.getInstance("TLS");
-			TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+			TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-			context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+			context.init(null, trustManager, null); // $ hasValueFlow
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
@@ -288,10 +252,7 @@ public class InsecureTrustManagerTest {
 			throws NoSuchAlgorithmException, KeyManagementException {
 		String schemaFromHttpRequest = "HTTPS";
 		if (!schemaFromHttpRequest.equalsIgnoreCase("https")) {
-			disableTrustManager(); // BAD [This is detected in the disableTrustManager method]: Calls a method that
+			disableTrustManager(); // Alert is in the method
-			// install a `TrustManager` that does not verify the certificate
-			// chain, allowing any certificate. It is NOT guarded
-			// by a feature flag.
 		}
 	}
 
@@ -302,10 +263,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if.
 
 	}
 
@@ -316,10 +275,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if and it is NOT a valid flag.
 
 	}
 
@@ -330,10 +287,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if.
 
 	}
 
@@ -344,10 +299,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if and it is NOT a valid flag.
 
 	}
 
@@ -358,10 +311,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if.
 
 	}
 
@@ -372,11 +323,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if and it is NOT a valid flag.
-
 	}
 
 	private static void isEqualsIgnoreCaseNOTGuardingDirectInsecureTrustManagerCall()
@@ -387,10 +335,8 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if and it is NOT a valid flag.
 
 	}
 
@@ -402,19 +348,15 @@ public class InsecureTrustManagerTest {
 		}
 
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the certificate
+		context.init(null, trustManager, null); // $ hasValueFlow
-		// chain, allowing any certificate. It is NOT guarded
-		// by a feature flag, because it is outside the if and it is NOT a valid flag.
 
 	}
 
-	private static void disableTrustManager() throws NoSuchAlgorithmException, KeyManagementException {
+	private static void disableTrustManager()
+			throws NoSuchAlgorithmException, KeyManagementException {
 		SSLContext context = SSLContext.getInstance("TLS");
-		TrustManager[] trustManager = new TrustManager[] { new InsecureTrustManager() };
+		TrustManager[] trustManager = new TrustManager[] {new InsecureTrustManager()};
-		context.init(null, trustManager, null); // BAD: Uses a `TrustManager` that does not verify the
+		context.init(null, trustManager, null); // $ hasValueFlow
-												// certificate
-		// chain, allowing any certificate. The method name suggests that this may be
-		// intentional, but we flag it anyway.
 	}
-}
+}

java/ql/test/query-tests/security/CWE-295/InsecureTrustManager/InsecureTrustManagerTest.ql

@@ -0,0 +1,9 @@
+import java
+import semmle.code.java.security.InsecureTrustManagerQuery
+import TestUtilities.InlineFlowTest
+
+class InsecureTrustManagerTest extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() {
+    result = any(InsecureTrustManagerConfiguration c)
+  }
+}