Merge branch 'main' into atorralba/promote-ognl-injection

java/change-notes/2021-03-22-jax-rs-improvements.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for detecting XSS via JAX-RS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap).

java/change-notes/2021-04-02-add-spring-validation-errors.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added additional taint steps modeling the Spring `validation.Errors` class (`org.springframework.validation.Errors`).

java/change-notes/2021-04-06-ssrf-query.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* The query "Server-side request forgery (SSRF)" (`java/ssrf`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @porcupineyhairs](https://github.com/github/codeql/pull/3454).
+* Models for `URI` and `HttpRequest` in the `java.net` package have been improved. This may lead to more results from any query where these types' methods are relevant.
+* Models for Apache HttpComponents' `RequestLine` and `BasicRequestLine` types. This may lead to more results from any query where these types' methods are relevant.

java/change-notes/2021-05-11-apache-tuples.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models for the Apache Commons Lang tuple types (Pair, Triple and their immutable and mutable implementations). This may lead to more results from any query using data-flow analysis where a relevant path uses one of these container types.

java/change-notes/2021-05-17-add-unsafe-deserialization-sinks.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* The "Deserialization of user-controlled data" (`java/unsafe-deserialization`) query
+  now recognizes `JYaml`, `JsonIO`, `YAMLBeans`, `Castor`, `Hessian` and `Burlap` deserialization.

java/change-notes/2021-05-31-add-spring-stringutils.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added additional taint steps modeling the Spring `util` package (`org.springframework.util`).

java/change-notes/2021-06-08-spring-http.md

@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.http` package of the Spring framework have been modelled. 
+  This may result in additional results for security queries on projects using this framework.

java/change-notes/2021-06-08-spring-propertyvalues.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added additional taint steps modeling the Spring classes `PropertyValue`, `PropertyValues` and `MutablePropertyValues`. (`org.springframework.beans.*`).

java/change-notes/2021-06-18-apache-mutable.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models for the Apache Commons Lang Mutable types. This may lead to more results from any query using data-flow analysis where a relevant path uses one of these container types.

java/change-notes/2021-06-22-util-optional.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Models for java.util.Optional added. This may lead to more results whenever a data-flow path involves this type.

java/change-notes/2021-06-23-generic-type-names.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Static inner classes and static methods' enclosing and declaring types are now unbound rather than raw types. This means that, for example, Map.Entry's name is now `Map$Entry` not `Map<>$Entry` as before. This may impact custom queries that explicitly named these types.

java/change-notes/2021-06-24-dataflow-implicit-reads.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.

java/change-notes/2021-06-25-apache-collections-maputils-keyvalue.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models for  the package `keyvalue` and the classes `KeyValue` and `MapUtils` from Apache Commons Collections. This may lead to more results from any query using data-flow analysis where a relevant path uses one of these container types.

java/change-notes/2021-06-29-javax-json-models.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models of `javax.json` classes and methods. This may lead to more results where tracking tainted dataflow across JSON encoding or decoding is needed to diagnose a security or other issue.

java/change-notes/2021-07-01-spring-collections.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.ui`, and `org.springframework.cache` packages of
+  the Spring framework have been modelled.  This may result in additional results for security
+  queries on projects using this framework.

java/change-notes/2021-07-01-spring-webmultipart.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.web.multipart` package of the Spring framework
+  have been modelled.  This may result in additional results for security queries on projects using
+  this framework.

java/change-notes/2021-07-01-url-classloader-reactive-webclient.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for two new APIs susceptible to server-side request forgery (SSRF): using a `URLClassLoader`, and using Spring Web Reactive's `WebClient`.

java/change-notes/2021-07-02-split-queries.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Library `semmle.code.java.security.Random` is split into `RandomQuery`, for use by randomness-related queries, and `RandomValueSource`, for use by libraries wishing to augment the built-in set of random value sources. Any code importing `Random` will need changing to import one or other of these.

java/change-notes/2021-07-14-spring-jdbc.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* SQL-injection vulnerabilities relating to the `org.springframework.jdbc.object` are now recognised.

java/documentation/library-coverage/coverage.csv

@@ -0,0 +1,66 @@
+package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:information-leak,sink:jexl,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:sql,sink:url-open-stream,sink:url-redirect,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
+android.content,8,,4,,,,,,,,,8,,,,,,4,
+android.database,59,,30,,,,,,,,,59,,,,,,30,
+android.util,,16,,,,,,,,,,,,,,,16,,
+android.webkit,3,2,,,,,,,,,,,,,,3,2,,
+com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,,,,1,
+com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,,,,1,
+com.fasterxml.jackson.databind,,,3,,,,,,,,,,,,,,,3,
+com.google.common.base,,,85,,,,,,,,,,,,,,,62,23
+com.google.common.io,6,,73,,,,,,,,,,6,,,,,72,1
+com.unboundid.ldap.sdk,17,,,,,,,,17,,,,,,,,,,
+jakarta.json,,,123,,,,,,,,,,,,,,,100,23
+jakarta.ws.rs.client,1,,,,,,,,,1,,,,,,,,,
+jakarta.ws.rs.core,2,,143,,,,,,,,,,,2,,,,88,55
+java.beans,,,1,,,,,,,,,,,,,,,1,
+java.io,3,,20,,3,,,,,,,,,,,,,20,
+java.lang,,,3,,,,,,,,,,,,,,,1,2
+java.net,10,3,6,,,,,,,10,,,,,,,3,6,
+java.nio,10,,2,,10,,,,,,,,,,,,,2,
+java.sql,7,,,,,,,,,,,7,,,,,,,
+java.util,,,295,,,,,,,,,,,,,,,15,280
+javax.json,,,123,,,,,,,,,,,,,,,100,23
+javax.naming.directory,1,,,,,,,,1,,,,,,,,,,
+javax.net.ssl,2,,,,,,,,,,2,,,,,,,,
+javax.servlet,4,21,2,,,3,1,,,,,,,,,,21,2,
+javax.validation,1,1,,1,,,,,,,,,,,,,1,,
+javax.ws.rs.client,1,,,,,,,,,1,,,,,,,,,
+javax.ws.rs.core,3,,143,,,1,,,,,,,,2,,,,88,55
+javax.xml.transform.sax,,,4,,,,,,,,,,,,,,,4,
+javax.xml.transform.stream,,,2,,,,,,,,,,,,,,,2,
+javax.xml.xpath,3,,,,,,,,,,,,,,3,,,,
+org.apache.commons.codec,,,6,,,,,,,,,,,,,,,6,
+org.apache.commons.collections,,,99,,,,,,,,,,,,,,,4,95
+org.apache.commons.collections4,,,99,,,,,,,,,,,,,,,4,95
+org.apache.commons.io,,,22,,,,,,,,,,,,,,,22,
+org.apache.commons.jexl2,15,,,,,,,15,,,,,,,,,,,
+org.apache.commons.jexl3,15,,,,,,,15,,,,,,,,,,,
+org.apache.commons.lang3,,,423,,,,,,,,,,,,,,,292,131
+org.apache.commons.text,,,272,,,,,,,,,,,,,,,220,52
+org.apache.directory.ldap.client.api,1,,,,,,,,1,,,,,,,,,,
+org.apache.hc.core5.function,,,1,,,,,,,,,,,,,,,1,
+org.apache.hc.core5.http,1,2,39,,,,,,,,,,,,,1,2,39,
+org.apache.hc.core5.net,,,2,,,,,,,,,,,,,,,2,
+org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,18,6
+org.apache.http,27,3,70,,,,,,,25,,,,,,2,3,62,8
+org.apache.ibatis.jdbc,6,,,,,,,,,,,6,,,,,,,
+org.dom4j,20,,,,,,,,,,,,,,20,,,,
+org.hibernate,7,,,,,,,,,,,7,,,,,,,
+org.jooq,1,,,,,,,,,,,1,,,,,,,
+org.springframework.beans,,,26,,,,,,,,,,,,,,,,26
+org.springframework.cache,,,13,,,,,,,,,,,,,,,,13
+org.springframework.http,14,,70,,,,,,,14,,,,,,,,60,10
+org.springframework.jdbc.core,10,,,,,,,,,,,10,,,,,,,
+org.springframework.jdbc.object,9,,,,,,,,,,,9,,,,,,,
+org.springframework.ldap.core,14,,,,,,,,14,,,,,,,,,,
+org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,,,,6,,
+org.springframework.ui,,,32,,,,,,,,,,,,,,,,32
+org.springframework.util,,,139,,,,,,,,,,,,,,,87,52
+org.springframework.validation,,,13,,,,,,,,,,,,,,,13,
+org.springframework.web.client,13,3,,,,,,,,13,,,,,,,3,,
+org.springframework.web.context.request,,8,,,,,,,,,,,,,,,8,,
+org.springframework.web.multipart,,12,13,,,,,,,,,,,,,,12,13,
+org.springframework.web.reactive.function.client,2,,,,,,,,,2,,,,,,,,,
+org.xml.sax,,,1,,,,,,,,,,,,,,,1,
+org.xmlpull.v1,,3,,,,,,,,,,,,,,,3,,
+play.mvc,,4,,,,,,,,,,,,,,,4,,

java/documentation/library-coverage/coverage.rst

@@ -0,0 +1,22 @@
+Java framework & library support
+================================
+
+.. csv-table::
+   :header-rows: 1
+   :class: fullWidthTable
+   :widths: auto
+
+   Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
+   Android,``android.*``,18,34,70,,,3,67,,,
+   `Apache Commons Collections <https://commons.apache.org/proper/commons-collections/>`_,"``org.apache.commons.collections``, ``org.apache.commons.collections4``",,198,,,,,,,,
+   `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
+   `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,423,,,,,,,,
+   `Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,,
+   `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,136,28,,,3,,,,25
+   `Google Guava <https://guava.dev/>`_,``com.google.common.*``,,158,6,,6,,,,,
+   Java Standard Library,``java.*``,3,327,30,13,,,7,,,10
+   Java extensions,"``javax.*``, ``jakarta.*``",22,540,18,,,,,1,1,2
+   `Spring <https://spring.io/>`_,``org.springframework.*``,29,306,62,,,,19,14,,29
+   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,12,82,,,,14,18,,
+   Totals,,84,2428,296,13,6,6,107,33,1,66
+

java/documentation/library-coverage/flow-model-coverage.csv

@@ -1,42 +0,0 @@
-package,sink,source,summary,sink:bean-validation,sink:create-file,sink:header-splitting,sink:information-leak,sink:ldap,sink:open-url,sink:set-hostname-verifier,sink:url-open-stream,sink:xpath,sink:xss,source:remote,summary:taint,summary:value
-android.util,,16,,,,,,,,,,,,16,,
-android.webkit,3,2,,,,,,,,,,,3,2,,
-com.esotericsoftware.kryo.io,,,1,,,,,,,,,,,,1,
-com.esotericsoftware.kryo5.io,,,1,,,,,,,,,,,,1,
-com.fasterxml.jackson.databind,,,2,,,,,,,,,,,,2,
-com.google.common.base,,,28,,,,,,,,,,,,22,6
-com.google.common.io,6,,69,,,,,,,,6,,,,68,1
-com.unboundid.ldap.sdk,17,,,,,,,17,,,,,,,,
-java.beans,,,1,,,,,,,,,,,,1,
-java.io,3,,20,,3,,,,,,,,,,20,
-java.lang,,,1,,,,,,,,,,,,1,
-java.net,2,3,4,,,,,,2,,,,,3,4,
-java.nio,10,,2,,10,,,,,,,,,,2,
-java.util,,,13,,,,,,,,,,,,13,
-javax.naming.directory,1,,,,,,,1,,,,,,,,
-javax.net.ssl,2,,,,,,,,,2,,,,,,
-javax.servlet,4,21,2,,,3,1,,,,,,,21,2,
-javax.validation,1,1,,1,,,,,,,,,,1,,
-javax.ws.rs.core,1,,,,,1,,,,,,,,,,
-javax.xml.transform.sax,,,4,,,,,,,,,,,,4,
-javax.xml.transform.stream,,,2,,,,,,,,,,,,2,
-javax.xml.xpath,3,,,,,,,,,,,3,,,,
-org.apache.commons.codec,,,2,,,,,,,,,,,,2,
-org.apache.commons.io,,,22,,,,,,,,,,,,22,
-org.apache.commons.lang3,,,313,,,,,,,,,,,,299,14
-org.apache.commons.text,,,203,,,,,,,,,,,,203,
-org.apache.directory.ldap.client.api,1,,,,,,,1,,,,,,,,
-org.apache.hc.core5.function,,,1,,,,,,,,,,,,1,
-org.apache.hc.core5.http,1,2,39,,,,,,,,,,1,2,39,
-org.apache.hc.core5.net,,,2,,,,,,,,,,,,2,
-org.apache.hc.core5.util,,,22,,,,,,,,,,,,18,4
-org.apache.http,2,3,66,,,,,,,,,,2,3,59,7
-org.dom4j,20,,,,,,,,,,,20,,,,
-org.springframework.ldap.core,14,,,,,,,14,,,,,,,,
-org.springframework.security.web.savedrequest,,6,,,,,,,,,,,,6,,
-org.springframework.web.client,,3,,,,,,,,,,,,3,,
-org.springframework.web.context.request,,8,,,,,,,,,,,,8,,
-org.springframework.web.multipart,,12,,,,,,,,,,,,12,,
-org.xml.sax,,,1,,,,,,,,,,,,1,
-org.xmlpull.v1,,3,,,,,,,,,,,,3,,
-play.mvc,,4,,,,,,,,,,,,4,,

java/documentation/library-coverage/flow-model-coverage.rst

@@ -1,19 +0,0 @@
-Java framework & library support
-================================
-
-.. csv-table::
-   :header-rows: 1
-   :class: fullWidthTable
-   :widths: auto
-
-   Framework / library,Package,Remote flow sources,Taint & value steps,Sinks (total),`CWE‑022` :sub:`Path injection`,`CWE‑036` :sub:`Path traversal`,`CWE‑079` :sub:`Cross-site scripting`,`CWE‑089` :sub:`SQL injection`,`CWE‑090` :sub:`LDAP injection`,`CWE‑094` :sub:`Code injection`,`CWE‑319` :sub:`Cleartext transmission`
-   Android,``android.*``,18,,3,,,3,,,,
-   Apache,``org.apache.*``,5,648,4,,,3,,1,,
-   `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,22,,,,,,,,
-   Google,``com.google.common.*``,,97,6,,6,,,,,
-   Java Standard Library,``java.*``,3,41,15,13,,,,,,2
-   Java extensions,``javax.*``,22,8,12,,,,,1,1,
-   `Spring <https://spring.io/>`_,``org.springframework.*``,29,,14,,,,,14,,
-   Others,"``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.databind``, ``com.unboundid.ldap.sdk``, ``org.dom4j``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``",7,5,37,,,,,17,,
-   Totals,,84,821,91,13,6,6,,33,1,2
-

java/documentation/library-coverage/frameworks.csv

@@ -1,8 +1,11 @@
-Framework name,URL,Package prefix
+Framework name,URL,Package prefixes
 Java Standard Library,,java.*
-Google,,com.google.common.*
-Apache,,org.apache.*
+Java extensions,,javax.* jakarta.*
+Google Guava,https://guava.dev/,com.google.common.*
+Apache Commons Collections,https://commons.apache.org/proper/commons-collections/,org.apache.commons.collections org.apache.commons.collections4
 Apache Commons IO,https://commons.apache.org/proper/commons-io/,org.apache.commons.io
+Apache Commons Lang,https://commons.apache.org/proper/commons-lang/,org.apache.commons.lang3
+Apache Commons Text,https://commons.apache.org/proper/commons-text/,org.apache.commons.text
+Apache HttpComponents,https://hc.apache.org/,org.apache.hc.core5.* org.apache.http
 Android,,android.*
 Spring,https://spring.io/,org.springframework.*
-Java extensions,,javax.*

java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql

@@ -7,7 +7,7 @@
  *              Such operations could interfere with the EJB container's operation.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/container-interference
  * @tags reliability

java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql

@@ -5,7 +5,7 @@
  *              for enterprise components.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/file-io
  * @tags reliability

java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql

@@ -4,7 +4,7 @@
  *              Such use could compromise security and system stability.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/native-code
  * @tags reliability

java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql

@@ -4,7 +4,7 @@
  *              as this could compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/reflection
  * @tags external/cwe/cwe-573

java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql

@@ -5,7 +5,7 @@
  *              This functionality is reserved for the EJB container for security reasons.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/security-configuration-access
  * @tags external/cwe/cwe-573

java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql

@@ -4,7 +4,7 @@
  *              the Java serialization protocol, since their use could compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/substitution-in-serialization
  * @tags external/cwe/cwe-573

java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql

@@ -5,7 +5,7 @@
  *              compromise security or interfere with the EJB container's operation.
  * @kind problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.8
  * @precision low
  * @id java/ejb/socket-or-stream-handler-factory
  * @tags reliability

java/ql/src/Likely Bugs/Arithmetic/BadAbsOfRandom.ql

@@ -11,7 +11,7 @@
  */
 
 import java
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 
 from MethodAccess ma, Method abs, Method nextIntOrLong, RandomDataSource nma
 where

java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql

@@ -5,7 +5,7 @@
  *              numeric errors such as overflows.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision very-high
  * @id java/implicit-cast-in-compound-assignment
  * @tags reliability

java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql

@@ -4,7 +4,7 @@
  *              guarantee an evenly distributed sequence of random numbers.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/random-used-once
  * @tags reliability
@@ -13,7 +13,7 @@
  */
 
 import java
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 
 from RandomDataSource ma
 where ma.getQualifier() instanceof ClassInstanceExpr

java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql

@@ -4,7 +4,7 @@
  *              may cause a deadlock.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
  * @precision medium
  * @id java/unreleased-lock
  * @tags reliability

java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql

@@ -5,7 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @tags security external/cwe/cwe-20
  */
 

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -3,7 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @id java/path-injection
  * @tags security

java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql

@@ -3,7 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id java/path-injection-local
  * @tags security

java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

@@ -6,7 +6,7 @@
  * @kind path-problem
  * @id java/zipslip
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision high
  * @tags security
  *       external/cwe/cwe-022

java/ql/src/Security/CWE/CWE-078/ExecRelative.ql

@@ -4,7 +4,7 @@
  *              malicious changes in the PATH environment variable.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/relative-path-command
  * @tags security

java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -4,7 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/command-line-injection
  * @tags security
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg

java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql

@@ -4,7 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/command-line-injection-local
  * @tags security

java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

@@ -4,7 +4,7 @@
  *              insertion of special characters in the strings.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/concatenated-command-line
  * @tags security
@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 
 /**
  * Strings that are known to be sane by some simple local analysis. Such strings

java/ql/src/Security/CWE/CWE-079/XSS.ql

@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision high
  * @id java/xss
  * @tags security

java/ql/src/Security/CWE/CWE-079/XSSLocal.ql

@@ -4,7 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 2.9
+ * @security-severity 6.1
  * @precision medium
  * @id java/xss-local
  * @tags security

java/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id java/sql-injection
  * @tags security

java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql

@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision medium
  * @id java/sql-injection-local
  * @tags security

java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql

@@ -4,7 +4,7 @@
  *              characters is vulnerable to insertion of malicious code.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id java/concatenated-sql-query
  * @tags security

java/ql/src/Security/CWE/CWE-090/LdapInjection.ql

@@ -4,7 +4,7 @@
  *              malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/ldap-injection
  * @tags security

java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql

@@ -3,7 +3,7 @@
  * @description User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id java/insecure-bean-validation
  * @tags security

java/ql/src/Security/CWE/CWE-094/JexlInjection.ql

@@ -4,7 +4,7 @@
  *              may lead to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
  * @precision high
  * @id java/jexl-expression-injection
  * @tags security
@@ -12,27 +12,9 @@
  */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.JexlInjection
+import semmle.code.java.security.JexlInjectionQuery
 import DataFlow::PathGraph
 
-/**
- * A taint-tracking configuration for unsafe user input
- * that is used to construct and evaluate a JEXL expression.
- * It supports both JEXL 2 and 3.
- */
-class JexlInjectionConfig extends TaintTracking::Configuration {
-  JexlInjectionConfig() { this = "JexlInjectionConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"

java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql

@@ -5,7 +5,7 @@
  *              an HTTP header.
  * @kind problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id java/netty-http-response-splitting
  * @tags security

java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql

@@ -4,7 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision high
  * @id java/http-response-splitting
  * @tags security

java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql

@@ -4,7 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 6.1
  * @precision medium
  * @id java/http-response-splitting-local
  * @tags security

java/ql/src/Security/CWE/CWE-129/ArraySizing.qll

@@ -1,7 +1,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DefUse
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomDataSource
 private import BoundingChecks
 
 /**

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql

@@ -3,7 +3,7 @@
  * @description Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-construction
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql

@@ -4,7 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-construction-code-specified
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql

@@ -4,7 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-construction-local
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql

@@ -3,7 +3,7 @@
  * @description Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-index
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql

@@ -4,7 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-index-code-specified
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql

@@ -4,7 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
  * @precision medium
  * @id java/improper-validation-of-array-index-local
  * @tags security

java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql

@@ -3,7 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision high
  * @id java/tainted-format-string
  * @tags security

java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql

@@ -3,7 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 9.3
  * @precision medium
  * @id java/tainted-format-string-local
  * @tags security

java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -4,7 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/tainted-arithmetic
  * @tags security

java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql

@@ -4,7 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/tainted-arithmetic-local
  * @tags security

java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -4,7 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/uncontrolled-arithmetic
  * @tags security
@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 import semmle.code.java.security.SecurityTests
 import ArithmeticCommon
 import DataFlow::PathGraph

java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

@@ -4,7 +4,7 @@
  *              is then used in an arithmetic expression, this may result in an overflow.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.6
  * @precision medium
  * @id java/extreme-value-arithmetic
  * @tags security

java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql

@@ -4,7 +4,7 @@
  *              to behave unexpectedly.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision medium
  * @id java/comparison-with-wider-type
  * @tags reliability

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql

@@ -5,7 +5,7 @@
  *              that are useful to an attacker for developing a subsequent exploit.
  * @kind problem
  * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 5.4
  * @precision high
  * @id java/stack-trace-exposure
  * @tags security

java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql

@@ -3,7 +3,7 @@
  * @description Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.9
  * @precision high
  * @id java/unsafe-hostname-verification
  * @tags security
@@ -15,6 +15,7 @@ import semmle.code.java.controlflow.Guards
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.Encryption
+import semmle.code.java.security.SecurityFlag
 import DataFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow
 
@@ -86,71 +87,30 @@ private class HostnameVerifierSink extends DataFlow::Node {
   HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
 }
 
-bindingset[result]
-private string getAFlagName() {
-  result
-      .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*")
-}
-
 /**
- * A flag has to either be of type `String`, `boolean` or `Boolean`.
+ * Flags suggesting a deliberately unsafe `HostnameVerifier` usage.
  */
-private class FlagType extends Type {
-  FlagType() {
-    this instanceof TypeString
-    or
-    this instanceof BooleanType
+private class UnsafeHostnameVerificationFlag extends FlagKind {
+  UnsafeHostnameVerificationFlag() { this = "UnsafeHostnameVerificationFlag" }
+
+  bindingset[result]
+  override string getAFlagName() {
+    result
+        .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*") and
+    result != "equalsIgnoreCase"
   }
 }
 
-private predicate isEqualsIgnoreCaseMethodAccess(MethodAccess ma) {
-  ma.getMethod().hasName("equalsIgnoreCase") and
-  ma.getMethod().getDeclaringType() instanceof TypeString
+/** Gets a guard that represents a (likely) flag controlling an unsafe `HostnameVerifier` use. */
+private Guard getAnUnsafeHostnameVerifierFlagGuard() {
+  result = any(UnsafeHostnameVerificationFlag flag).getAFlag().asExpr()
 }
 
-/** Holds if `source` should is considered a flag. */
-private predicate isFlag(DataFlow::Node source) {
-  exists(VarAccess v | v.getVariable().getName() = getAFlagName() |
-    source.asExpr() = v and v.getType() instanceof FlagType
-  )
-  or
-  exists(StringLiteral s | s.getRepresentedString() = getAFlagName() | source.asExpr() = s)
-  or
-  exists(MethodAccess ma | ma.getMethod().getName() = getAFlagName() |
-    source.asExpr() = ma and
-    ma.getType() instanceof FlagType and
-    not isEqualsIgnoreCaseMethodAccess(ma)
-  )
-}
-
-/** Holds if there is flow from `node1` to `node2` either due to local flow or due to custom flow steps. */
-private predicate flagFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-  DataFlow::localFlowStep(node1, node2)
-  or
-  exists(MethodAccess ma | ma.getMethod() = any(EnvReadMethod m) |
-    ma = node2.asExpr() and ma.getAnArgument() = node1.asExpr()
-  )
-  or
-  exists(MethodAccess ma |
-    ma.getMethod().hasName("parseBoolean") and
-    ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Boolean")
-  |
-    ma = node2.asExpr() and ma.getAnArgument() = node1.asExpr()
-  )
-}
-
-/** Gets a guard that depends on a flag. */
-private Guard getAGuard() {
-  exists(DataFlow::Node source, DataFlow::Node sink |
-    isFlag(source) and
-    flagFlowStep*(source, sink) and
-    sink.asExpr() = result
-  )
-}
-
-/** Holds if `node` is guarded by a flag that suggests an intentionally insecure feature. */
+/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
 private predicate isNodeGuardedByFlag(DataFlow::Node node) {
-  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) | g = getAGuard())
+  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
+    g = getASecurityFeatureFlagGuard() or g = getAnUnsafeHostnameVerifierFlagGuard()
+  )
 }
 
 from

java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql

@@ -3,7 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 7.5
  * @precision medium
  * @id java/cleartext-storage-in-class
  * @tags security

java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql

@@ -3,7 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision high
  * @id java/cleartext-storage-in-cookie
  * @tags security

java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql

@@ -3,7 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
  * @precision medium
  * @id java/cleartext-storage-in-properties
  * @tags security

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -3,7 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/non-https-url
  * @tags security

java/ql/src/Security/CWE/CWE-319/UseSSL.ql

@@ -3,7 +3,7 @@
  * @description Non-SSL connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/non-ssl-connection
  * @tags security

java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql

@@ -4,7 +4,7 @@
  *              third parties.
  * @kind problem
  * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/non-ssl-socket-factory
  * @tags security

java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

@@ -3,7 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision high
  * @id java/weak-cryptographic-algorithm
  * @tags security

java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql

@@ -3,7 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
  * @precision medium
  * @id java/potentially-weak-cryptographic-algorithm
  * @tags security

java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql

@@ -3,7 +3,7 @@
  * @description Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/predictable-seed
  * @tags security
@@ -11,7 +11,7 @@
  */
 
 import java
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 
 from GetRandomData da, RValue use, PredictableSeedExpr source
 where

java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql

@@ -3,7 +3,7 @@
  * @description Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision very-high
  * @id java/jhipster-prng
  * @tags security

java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql

@@ -4,7 +4,7 @@
  *              a Cross-Site Request Forgery (CSRF) attack.
  * @kind problem
  * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
  * @precision high
  * @id java/spring-disabled-csrf-protection
  * @tags security

java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql

@@ -4,7 +4,7 @@
  *              if the state may be changed between the check and use.
  * @kind problem
  * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.7
  * @precision medium
  * @id java/toctou-race-condition
  * @tags security

java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql

@@ -3,7 +3,7 @@
  * @description Opening a socket after authenticating via a different channel may allow an attacker to connect to the port first.
  * @kind problem
  * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 7.2
  * @precision medium
  * @id java/socket-auth-race-condition
  * @tags security

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, and Java IO serialization through
-<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap 
+and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
 
@@ -75,6 +75,22 @@ Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
 SnakeYaml documentation on deserialization:
 <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
 </li>
+<li>
+Hessian deserialization and related gadget chains:
+<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
+</li>
+<li>
+Castor and Hessian java deserialization vulnerabilities:
+<a href="https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/">Castor and Hessian deserialization</a>.
+</li>
+<li>
+Remote code execution in JYaml library:
+<a href="https://www.cybersecurity-help.cz/vdb/SB2020022512">JYaml deserialization</a>.
+</li>
+<li>
+JsonIO deserialization vulnerabilities:
+<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
+</li>
 </references>
 
 </qhelp>

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql

@@ -4,7 +4,7 @@
  *              execute arbitrary code.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/unsafe-deserialization
  * @tags security
@@ -22,6 +22,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ClassInstanceExpr cie |
+      cie.getArgument(0) = pred.asExpr() and
+      cie = succ.asExpr() and
+      (
+        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
+        cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
+        cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
+        cie.getConstructor().getDeclaringType() instanceof BurlapInput
+      )
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof BurlapInputInitMethod and
+      ma.getArgument(0) = pred.asExpr() and
+      ma.getQualifier() = succ.asExpr()
+    )
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      cie = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      ma.getArgument(0) = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf

java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql

@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 2.7
+ * @security-severity 6.1
  * @precision high
  * @id java/unvalidated-url-redirection
  * @tags security

java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql

@@ -4,7 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 2.7
+ * @security-severity 6.1
  * @precision medium
  * @id java/unvalidated-url-redirection-local
  * @tags security

java/ql/src/Security/CWE/CWE-611/XXE.ql

@@ -4,7 +4,7 @@
  * references may lead to disclosure of confidential data or denial of service.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.1
  * @precision high
  * @id java/xxe
  * @tags security

java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

@@ -4,7 +4,7 @@
  *              interception.
  * @kind problem
  * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
  * @precision high
  * @id java/insecure-cookie
  * @tags security

java/ql/src/Security/CWE/CWE-643/XPathInjection.ql

@@ -4,7 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision high
  * @id java/xml/xpath-injection
  * @tags security

java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql

@@ -4,7 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.0
  * @precision high
  * @id java/tainted-numeric-cast
  * @tags security

java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql

@@ -4,7 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 9.0
  * @precision medium
  * @id java/tainted-numeric-cast-local
  * @tags security

java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql

@@ -4,7 +4,7 @@
  *              the file may be modified or removed by external actors.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id java/world-writable-file-read
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql

@@ -3,7 +3,7 @@
  * @description Using a hard-coded credential in a call to a sensitive Java API may compromise security.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision medium
  * @id java/hardcoded-credential-api-call
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql

@@ -3,7 +3,7 @@
  * @description Comparing a parameter to a hard-coded credential may compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id java/hardcoded-credential-comparison
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql

@@ -3,7 +3,7 @@
  * @description Using a hard-coded credential in a sensitive call may compromise security.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id java/hardcoded-credential-sensitive-call
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql

@@ -3,7 +3,7 @@
  * @description Hard-coding a password string may compromise security.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
  * @precision low
  * @id java/hardcoded-password-field
  * @tags security

java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql

@@ -4,7 +4,7 @@
  *              passing through authentication systems.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision medium
  * @id java/user-controlled-bypass
  * @tags security

java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql

@@ -4,7 +4,7 @@
  *              permissions being granted.
  * @kind path-problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
  * @precision high
  * @id java/tainted-permissions-check
  * @tags security

java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql

@@ -3,7 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
  * @precision very-high
  * @id java/maven/non-https-url
  * @tags security