Move ESAPI models into the Weak Randomness query

These models don't need to apply to all queries. So instead they are
better suited to be within the weak randomness query itself.

java/ql/test/query-tests/security/CWE-330/WeakRandomCookies.java

@@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.Cookie;
 import org.apache.commons.lang3.RandomStringUtils;
+import org.owasp.esapi.Encoder;
 
 public class WeakRandomCookies extends HttpServlet {
     HttpServletResponse response;
@@ -20,9 +21,11 @@ public class WeakRandomCookies extends HttpServlet {
         Cookie cookie = new Cookie("name", Integer.toString(c));
         response.addCookie(cookie); // $hasWeakRandomFlow
 
+        Encoder enc = null;
         int c2 = r.nextInt();
+        String value = enc.encodeForHTML(Integer.toString(c2));
         // BAD: The cookie value may be predictable.
-        Cookie cookie2 = new Cookie("name" + c2, "value");
+        Cookie cookie2 = new Cookie("name", value);
         response.addCookie(cookie2); // $hasWeakRandomFlow
 
         byte[] bytes = new byte[16];

java/ql/test/query-tests/security/CWE-330/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7:${testdir}/../../../stubs/esapi-2.0.1