From ba3c38c2265bb99e59f8847542463fa2bd5035f5 Mon Sep 17 00:00:00 2001
From: Ed Minnix
Date: Mon, 7 Aug 2023 00:04:02 -0400
Subject: [PATCH] Restrict `addCookie` to specific interface
---
 java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
index 752709a0b1c..66ed90aa5f9 100644
--- a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -57,7 +57,9 @@ abstract class WeakRandomnessSink extends DataFlow::Node { }
 private class CookieSink extends WeakRandomnessSink {
 CookieSink() {
 this.getType() instanceof TypeCookie and
- exists(MethodAccess ma | ma.getMethod().hasName("addCookie") |
+ exists(MethodAccess ma |
+ ma.getMethod().hasQualifiedName("javax.servlet.http", "HttpServletResponse", "addCookie")
+ |
 ma.getArgument(0) = this.asExpr()
 )
 }
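Review bot: Restricting the match in `CookieSink` to `javax.servlet.http.HttpServletResponse` leaves out the `jakarta.servlet.http` namespace, so on Jakarta EE code a weakly random value passed to `addCookie` would no longer be reported as a sink, unless that API is modelled elsewhere, which this hunk does not show. A set literal keeps the precision gain while covering both namespaces: `ma.getMethod().hasQualifiedName(["javax.servlet.http", "jakarta.servlet.http"], "HttpServletResponse", "addCookie")`. `hasQualifiedName` also matches only a method declared on that exact type, so a call whose static receiver is a subtype that overrides `addCookie` (a response wrapper, for instance) may be missed; if that matters, compare against the overridden method instead. A short QLDoc comment on the class stating which servlet APIs are covered would help the next maintainer; the class body closes outside the hunk.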