Java: resolve some more -1 to this conflicts

2025-12-17 01:03:14 +01:00 · 2023-03-23 17:56:46 -04:00
parent 9103e5c5dd
commit c213d56d2c
18 changed files with 114 additions and 27 deletions
--- a/java/ql/lib/ext/java.awt.model.yml
+++ b/java/ql/lib/ext/java.awt.model.yml
@@ -5,3 +5,11 @@ extensions:
    data:
      - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"] # ! signature as "" instead?
      - ["java.awt", "Container", True, "add", "(Component,Object)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.awt", "Insets", "Insets", "(int,int,int,int)", "manual"] # value-numeric
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -59,11 +59,9 @@ extensions:
      - ["java.io", "CharArrayReader", False, "CharArrayReader", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["java.io", "CharArrayWriter", True, "toCharArray", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "DataInput", True, "readFully", "", "", "Argument[this]", "Argument[0]", "taint", "manual"]
-      - ["java.io", "DataInput", True, "readInt", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
      - ["java.io", "DataInput", True, "readLine", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "DataInput", True, "readUTF", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.io", "DataInputStream", False, "DataInputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
-      - ["java.io", "DataOutput", True, "writeInt", "(int)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
      - ["java.io", "File", False, "File", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["java.io", "File", False, "File", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
      - ["java.io", "File", True, "getAbsoluteFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -99,7 +97,21 @@ extensions:
      pack: codeql/java-all
      extensible: neutralModel
    data:
+      - ["java.io", "Closeable", "close", "()", "manual"]
      - ["java.io", "File", "delete", "()", "manual"]
      - ["java.io", "File", "exists", "()", "manual"]
+      - ["java.io", "File", "getParentFile", "()", "manual"] # ! little unsure about this as a neutral
+      - ["java.io", "File", "isFile", "()", "manual"]
+      - ["java.io", "File", "length", "()", "manual"]
+      - ["java.io", "File", "listFiles", "()", "manual"] # ! little unsure about this as a neutral
      - ["java.io", "File", "isDirectory", "()", "manual"]
      - ["java.io", "File", "mkdirs", "()", "manual"]
+      - ["java.io", "InputStream", "close", "()", "manual"]
+      - ["java.io", "OutputStream", "flush", "()", "manual"] # ! little unsure about this as a neutral, but not sure how to represent output if summary model...
+
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.io", "DataInput", "readInt", "()", "manual"]         # taint-numeric
+      - ["java.io", "DataInput", "readLong", "()", "manual"]        # taint-numeric
+      - ["java.io", "DataOutput", "writeInt", "(int)", "manual"]    # taint-numeric
+      - ["java.io", "DataOutput", "writeLong", "(long)", "manual"]  # taint-numeric
--- a/java/ql/lib/ext/java.lang.invoke.model.yml
+++ b/java/ql/lib/ext/java.lang.invoke.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.lang.invoke", "MethodHandles", "lookup", "()", "manual"]
--- a/java/ql/lib/ext/java.lang.model.yml
+++ b/java/ql/lib/ext/java.lang.model.yml
@@ -117,6 +117,7 @@ extensions:
      - ["java.lang", "System", False, "getenv", "(String)", "", "Argument[-1].MapValue", "ReturnValue", "value", "manual"] # ! neutral instead?
      - ["java.lang", "System", False, "getenv", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]  # ! really unsure about this...; neutral instead? -- or unmodelled
      - ["java.lang", "Thread", False, "Thread", "(Runnable)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] # ! neutral instead?
+      - ["java.lang", "Thread", True, "getName", "()", "", "Argument[-1].SyntheticField[java.lang.Thread.name]", "ReturnValue", "value", "manual"]
      - ["java.lang", "ThreadLocal", True, "get", "()", "", "Argument[-1].SyntheticField[java.lang.ThreadLocal.value]", "ReturnValue", "value", "manual"] # ! not sure if this model is correct, and if should be neutral model instead
      - ["java.lang", "Throwable", False, "Throwable", "(Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
      - ["java.lang", "Throwable", True, "getCause", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
@@ -128,11 +129,16 @@ extensions:
      extensible: neutralModel
    data:
      - ["java.lang", "AbstractStringBuilder", "length", "()", "manual"]
+      - ["java.lang", "AbstractStringBuilder", "setCharAt", "(int,char)", "manual"] # ! char manipulation not interesting? (or interesting since could set many chars... prbly switch to summary model)
+      - ["java.lang", "AbstractStringBuilder", "setLength", "(int)", "manual"] # ! summary?
      - ["java.lang", "Boolean", "equals", "(Object)", "manual"]
      - ["java.lang", "Boolean", "valueOf", "(boolean)", "manual"]
+      - ["java.lang", "CharSequence", "length", "()", "manual"]
      - ["java.lang", "Class", "forName", "(String)", "manual"]
      - ["java.lang", "Class", "getCanonicalName", "()", "manual"]
      - ["java.lang", "Class", "getClassLoader", "()", "manual"]
+      - ["java.lang", "Class", "getDeclaredConstructor", "(Class[])", "manual"]
+      - ["java.lang", "Class", "getDeclaredField", "(String)", "manual"]
      - ["java.lang", "Class", "getMethod", "(String,Class[])", "manual"]
      - ["java.lang", "Class", "getName", "()", "manual"]
      - ["java.lang", "Class", "getResource", "(String)", "manual"]
@@ -141,6 +147,8 @@ extensions:
      - ["java.lang", "Class", "isAssignableFrom", "(Class)", "manual"]
      - ["java.lang", "Class", "isInstance", "(Object)", "manual"]
      - ["java.lang", "Class", "toString", "()", "manual"]
+      - ["java.lang", "ClassLoader", "getResource", "(String)", "manual"]
+      - ["java.lang", "ClassLoader", "getResourceAsStream", "(String)", "manual"]
      - ["java.lang", "Enum", "Enum", "(String,int)", "manual"]
      - ["java.lang", "Enum", "equals", "(Object)", "manual"]
      - ["java.lang", "Enum", "hashCode", "()", "manual"]
@@ -154,6 +162,7 @@ extensions:
      - ["java.lang", "Object", "hashCode", "()", "manual"]
      - ["java.lang", "Object", "toString", "()", "manual"]
      - ["java.lang", "Runnable", "run", "()", "manual"]
+      - ["java.lang", "Runtime", "getRuntime", "()", "manual"]
      - ["java.lang", "String", "compareTo", "(String)", "manual"]
      - ["java.lang", "String", "contains", "(CharSequence)", "manual"]
      - ["java.lang", "String", "endsWith", "(String)", "manual"]
@@ -164,39 +173,49 @@ extensions:
      - ["java.lang", "String", "indexOf", "(String)", "manual"]
      - ["java.lang", "String", "isEmpty", "()", "manual"]
      - ["java.lang", "String", "lastIndexOf", "(int)", "manual"]
+      - ["java.lang", "String", "lastIndexOf", "(String)", "manual"]
      - ["java.lang", "String", "length", "()", "manual"]
      - ["java.lang", "String", "startsWith", "(String)", "manual"]
+      - ["java.lang", "String", "valueOf", "(boolean)", "manual"]
      - ["java.lang", "System", "currentTimeMillis", "()", "manual"]
      - ["java.lang", "System", "exit", "(int)", "manual"]
      - ["java.lang", "System", "identityHashCode", "(Object)", "manual"]
      - ["java.lang", "System", "lineSeparator", "()", "manual"] # ! double-check...
      - ["java.lang", "System", "nanoTime", "()", "manual"]
      - ["java.lang", "Thread", "currentThread", "()", "manual"]
+      - ["java.lang", "Thread", "getContextClassLoader", "()", "manual"] # ! summary instead?
      - ["java.lang", "Thread", "interrupt", "()", "manual"]
      - ["java.lang", "Thread", "sleep", "(long)", "manual"]
      - ["java.lang", "Thread", "start", "()", "manual"]
      # The below APIs have numeric flow and are currently being stored as neutral models.
      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
-      - ["java.lang", "Boolean", "booleanValue", "()", "manual"]       # taint-numeric
-      - ["java.lang", "Boolean", "parseBoolean", "(String)", "manual"] # taint-numeric
-      - ["java.lang", "Double", "parseDouble", "(String)", "manual"]   # taint-numeric
-      - ["java.lang", "Integer", "Integer", "(int)", "manual"]         # taint-numeric
-      - ["java.lang", "Integer", "intValue", "()", "manual"]           # taint-numeric
-      - ["java.lang", "Integer", "parseInt", "(String)", "manual"]     # taint-numeric
-      - ["java.lang", "Integer", "toHexString", "(int)", "manual"]     # taint-numeric
-      - ["java.lang", "Integer", "toString", "()", "manual"]           # taint-numeric
-      - ["java.lang", "Integer", "toString", "(int)", "manual"]        # taint-numeric
-      - ["java.lang", "Integer", "valueOf", "(int)", "manual"]         # taint-numeric
-      - ["java.lang", "Integer", "valueOf", "(String)", "manual"]      # taint-numeric # ! should probably make this and others like it have a "" signature instead...
-      - ["java.lang", "Long", "Long", "(long)", "manual"]              # taint-numeric
-      - ["java.lang", "Long", "intValue", "()", "manual"]              # taint-numeric
-      - ["java.lang", "Long", "longValue", "()", "manual"]             # taint-numeric
-      - ["java.lang", "Long", "parseLong", "(String)", "manual"]       # taint-numeric
-      - ["java.lang", "Long", "toString", "()", "manual"]              # taint-numeric
-      - ["java.lang", "Long", "toString", "(long)", "manual"]          # taint-numeric
-      - ["java.lang", "Long", "valueOf", "(long)", "manual"]           # taint-numeric
-      - ["java.lang", "Long", "valueOf", "(String)", "manual"]         # taint-numeric
-      - ["java.lang", "Math", "max", "(int,int)", "manual"]            # value-numeric
-      - ["java.lang", "Math", "min", "(int,int)", "manual"]            # value-numeric
-      - ["java.lang", "String", "valueOf", "(int)", "manual"]          # taint-numeric
-      - ["java.lang", "String", "valueOf", "(long)", "manual"]         # taint-numeric
+      - ["java.lang", "Boolean", "booleanValue", "()", "manual"]          # taint-numeric
+      - ["java.lang", "Boolean", "parseBoolean", "(String)", "manual"]    # taint-numeric
+      - ["java.lang", "Double", "doubleToLongBits", "(double)", "manual"] # taint-numeric
+      - ["java.lang", "Double", "parseDouble", "(String)", "manual"]      # taint-numeric
+      - ["java.lang", "Double", "valueOf", "(double)", "manual"]          # taint-numeric
+      - ["java.lang", "Integer", "Integer", "(int)", "manual"]            # taint-numeric
+      - ["java.lang", "Integer", "intValue", "()", "manual"]              # taint-numeric
+      - ["java.lang", "Integer", "parseInt", "(String)", "manual"]        # taint-numeric
+      - ["java.lang", "Integer", "toHexString", "(int)", "manual"]        # taint-numeric
+      - ["java.lang", "Integer", "toString", "()", "manual"]              # taint-numeric
+      - ["java.lang", "Integer", "toString", "(int)", "manual"]           # taint-numeric
+      - ["java.lang", "Integer", "valueOf", "(int)", "manual"]            # taint-numeric
+      - ["java.lang", "Integer", "valueOf", "(String)", "manual"]         # taint-numeric # ! should probably make this and others like it have a "" signature instead...
+      - ["java.lang", "Long", "Long", "(long)", "manual"]                 # taint-numeric
+      - ["java.lang", "Long", "intValue", "()", "manual"]                 # taint-numeric
+      - ["java.lang", "Long", "longValue", "()", "manual"]                # taint-numeric
+      - ["java.lang", "Long", "parseLong", "(String)", "manual"]          # taint-numeric
+      - ["java.lang", "Long", "toString", "()", "manual"]                 # taint-numeric
+      - ["java.lang", "Long", "toString", "(long)", "manual"]             # taint-numeric
+      - ["java.lang", "Long", "valueOf", "(long)", "manual"]              # taint-numeric
+      - ["java.lang", "Long", "valueOf", "(String)", "manual"]            # taint-numeric
+      - ["java.lang", "Math", "max", "(int,int)", "manual"]               # value-numeric
+      - ["java.lang", "Math", "max", "(long,long)", "manual"]             # value-numeric
+      - ["java.lang", "Math", "min", "(int,int)", "manual"]               # value-numeric
+      - ["java.lang", "Math", "min", "(long,long)", "manual"]             # value-numeric
+      - ["java.lang", "Number", "doubleValue", "()", "manual"]            # taint-numeric # ! remove others that could rely on subtyping through Number instead? (e.g. Double, Integer, etc.)
+      - ["java.lang", "Number", "intValue", "()", "manual"]               # taint-numeric
+      - ["java.lang", "Number", "longValue", "()", "manual"]              # taint-numeric
+      - ["java.lang", "String", "valueOf", "(int)", "manual"]             # taint-numeric
+      - ["java.lang", "String", "valueOf", "(long)", "manual"]            # taint-numeric
--- a/java/ql/lib/ext/java.lang.reflect.model.yml
+++ b/java/ql/lib/ext/java.lang.reflect.model.yml
@@ -4,6 +4,7 @@ extensions:
      extensible: summaryModel
    data:
      - ["java.lang.reflect", "Constructor", False, "newInstance", "(Object[])", "", "Argument[0].ArrayElement", "ReturnValue.Parameter", "value", "manual"] # ! unsure about input/output
+      - ["java.lang.reflect", "Field", False, "get", "(Object)", "", "Argument[0].Field", "ReturnValue", "value", "manual"] # ! very unsure about
      - ["java.lang.reflect", "Method", False, "invoke", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[-1].Parameter[0]", "value", "manual"] # ! very unsure if this model is correct...

  - addsTo:
--- a/java/ql/lib/ext/java.math.model.yml
+++ b/java/ql/lib/ext/java.math.model.yml
@@ -11,9 +11,14 @@ extensions:
      - ["java.math", "BigDecimal", "BigDecimal", "(String)", "manual"]         # taint-numeric
      - ["java.math", "BigDecimal", "add", "(BigDecimal)", "manual"]            # taint-numeric
      - ["java.math", "BigDecimal", "doubleValue", "()", "manual"]              # taint-numeric
+      - ["java.math", "BigDecimal", "intValue", "()", "manual"]                 # taint-numeric
+      - ["java.math", "BigDecimal", "multiply", "(BigDecimal)", "manual"]       # taint-numeric
      - ["java.math", "BigDecimal", "setScale", "(int,RoundingMode)", "manual"] # taint-numeric
+      - ["java.math", "BigDecimal", "subtract", "(BigDecimal)", "manual"]       # taint-numeric
+      - ["java.math", "BigDecimal", "toBigInteger", "()", "manual"]             # taint-numeric
      - ["java.math", "BigDecimal", "toString", "()", "manual"]                 # taint-numeric
      - ["java.math", "BigDecimal", "valueOf", "(double)", "manual"]            # taint-numeric
      - ["java.math", "BigDecimal", "valueOf", "(long)", "manual"]              # taint-numeric
+      - ["java.math", "BigInteger", "BigInteger", "(String)", "manual"]         # taint-numeric
      - ["java.math", "BigInteger", "or", "(BigInteger)", "manual"]             # taint-numeric
      - ["java.math", "BigInteger", "valueOf", "(long)", "manual"]              # taint-numeric
--- a/java/ql/lib/ext/java.nio.file.model.yml
+++ b/java/ql/lib/ext/java.nio.file.model.yml
@@ -44,7 +44,9 @@ extensions:
      - ["java.nio.file", "FileSystem", True, "getPathMatcher", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
      - ["java.nio.file", "FileSystem", True, "getRootDirectories", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
      - ["java.nio.file", "Path", True, "getParent", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      # ! should Path have subtyping of False for all methods instead? Why is `toFile` different?
      - ["java.nio.file", "Path", True, "normalize", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.nio.file", "Path", False, "getFileName", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! maybe need more field flow?
      - ["java.nio.file", "Path", True, "of", "(String,String[])", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
      - ["java.nio.file", "Path", True, "of", "(String,String[])", "", "Argument[1]", "ReturnValue", "taint", "ai-generated"]
      - ["java.nio.file", "Path", True, "of", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
--- a/java/ql/lib/ext/java.nio.model.yml
+++ b/java/ql/lib/ext/java.nio.model.yml
@@ -11,5 +11,6 @@ extensions:
      pack: codeql/java-all
      extensible: neutralModel
    data:
+      - ["java.nio", "Buffer", "position", "()", "manual"] # ! maybe should be summary?
      - ["java.nio", "Buffer", "remaining", "()", "manual"]
      - ["java.nio", "ByteBuffer", "allocate", "(int)", "manual"]
--- a/java/ql/lib/ext/java.sql.model.yml
+++ b/java/ql/lib/ext/java.sql.model.yml
@@ -24,16 +24,20 @@ extensions:
      - ["java.sql", "PreparedStatement", True, "executeQuery", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! this should maybe be a neutral model, not sure if this really counts as "flow through"...
      - ["java.sql", "PreparedStatement", True, "setString", "(int,String)", "", "Argument[1]", "Argument[this]", "value", "manual"]
      - ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.sql", "ResultSet", True, "getTimestamp", "(String)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+
  - addsTo:
      pack: codeql/java-all
      extensible: neutralModel
    data:
+      - ["java.sql", "Connection", "createStatement", "()", "manual"]
      - ["java.sql", "PreparedStatement", "executeUpdate", "()", "manual"]
      - ["java.sql", "ResultSet", "next", "()", "manual"]
      # The below APIs have numeric flow and are currently being stored as neutral models.
      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
      - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "manual"]   # value-numeric
      - ["java.sql", "PreparedStatement", "setLong", "(int,long)", "manual"] # value-numeric
+      - ["java.sql", "ResultSet", "getInt", "(int)", "manual"]               # taint-numeric
      - ["java.sql", "ResultSet", "getInt", "(String)", "manual"]            # taint-numeric
      - ["java.sql", "ResultSet", "getLong", "(String)", "manual"]           # taint-numeric
      - ["java.sql", "ResultSet", "getString", "(int)", "manual"]            # taint-numeric
--- a/java/ql/lib/ext/java.text.model.yml
+++ b/java/ql/lib/ext/java.text.model.yml
@@ -4,6 +4,7 @@ extensions:
      extensible: summaryModel
    data:
      - ["java.text", "DateFormat", True, "parse", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! maybe not interesting flow and should be neutral model?
+      - ["java.text", "Format", True, "format", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! would cover DateFormat.format below through subtyping...
      - ["java.text", "MessageFormat", False, "format", "(String,Object[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]              # ! not sure I did this right
      - ["java.text", "MessageFormat", False, "format", "(String,Object[])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"] # ! not sure I did this right

--- a/java/ql/lib/ext/java.time.format.model.yml
+++ b/java/ql/lib/ext/java.time.format.model.yml
@@ -3,4 +3,5 @@ extensions:
      pack: codeql/java-all
      extensible: summaryModel
    data:
+      - ["java.time.format", "DateTimeFormatter", False, "format", "(TemporalAccessor)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! neutral?
      - ["java.time.format", "DateTimeFormatter", False, "ofPattern", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! neutral?
--- a/java/ql/lib/ext/java.time.model.yml
+++ b/java/ql/lib/ext/java.time.model.yml
@@ -4,6 +4,8 @@ extensions:
      extensible: summaryModel
    data:
      - ["java.time", "Duration", False, "ofSeconds", "(long)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! maybe not interesting flow and should be neutral model?
+      - ["java.time", "Instant", False, "parse", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! mmaybe should be neutral since time-related?
+      - ["java.time", "LocalDate", False, "parse", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

  - addsTo:
      pack: codeql/java-all
@@ -14,12 +16,15 @@ extensions:
      - ["java.time", "LocalDateTime", "now", "()", "manual"]
      - ["java.time", "ZonedDateTime", "now", "()", "manual"]
      - ["java.time", "ZoneId", "of", "(String)", "manual"]
+      - ["java.time", "ZoneId", "systemDefault", "()", "manual"]

      # The below APIs have numeric flow and are currently being stored as neutral models.
      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
      - ["java.time", "Duration", "ofMillis", "(long)", "manual"]                   # taint-numeric
      - ["java.time", "Duration", "ofMinutes", "(long)", "manual"]                  # taint-numeric
      - ["java.time", "Duration", "toMillis", "()", "manual"]                       # taint-numeric
+      - ["java.time", "Instant", "ofEpochMilli", "(long)", "manual"]                # taint-numeric
      - ["java.time", "Instant", "toEpochMilli", "()", "manual"]                    # taint-numeric
+      - ["java.time", "LocalDate", "plusDays", "(long)", "manual"]                  # taint-numeric
      - ["java.time", "LocalDate", "of", "(int,int,int)", "manual"]                 # taint-numeric
      - ["java.time", "LocalDateTime", "of", "(int,int,int,int,int,int)", "manual"] # taint-numeric
--- a/java/ql/lib/ext/java.util.concurrent.atomic.model.yml
+++ b/java/ql/lib/ext/java.util.concurrent.atomic.model.yml
@@ -12,6 +12,7 @@ extensions:
      extensible: neutralModel
    data:
      - ["java.util.concurrent.atomic", "AtomicBoolean", "AtomicBoolean", "(boolean)", "manual"]
+      - ["java.util.concurrent.atomic", "AtomicBoolean", "compareAndSet", "(boolean,boolean)", "manual"]
      - ["java.util.concurrent.atomic", "AtomicBoolean", "get", "()", "manual"]
      - ["java.util.concurrent.atomic", "AtomicBoolean", "set", "(boolean)", "manual"]

@@ -23,3 +24,4 @@ extensions:
      - ["java.util.concurrent.atomic", "AtomicLong", "AtomicLong", "(long)", "manual"]      # value-numeric # ! this is supposedly already supported per the telemetry query, LOOK INTO WHY/HOW
      - ["java.util.concurrent.atomic", "AtomicLong", "addAndGet", "(long)", "manual"]       # taint-numeric
      - ["java.util.concurrent.atomic", "AtomicLong", "get", "()", "manual"]                 # value-numeric
+      - ["java.util.concurrent.atomic", "AtomicLong", "incrementAndGet", "()", "manual"]     # taint-numeric
--- a/java/ql/lib/ext/java.util.concurrent.locks.model.yml
+++ b/java/ql/lib/ext/java.util.concurrent.locks.model.yml
@@ -3,4 +3,5 @@ extensions:
      pack: codeql/java-all
      extensible: neutralModel
    data:
+      - ["java.util.concurrent.locks", "Lock", "lock", "()", "manual"]
      - ["java.util.concurrent.locks", "Lock", "unlock", "()", "manual"]
--- a/java/ql/lib/ext/java.util.concurrent.model.yml
+++ b/java/ql/lib/ext/java.util.concurrent.model.yml
@@ -21,7 +21,9 @@ extensions:
      - ["java.util.concurrent", "CompletableFuture", False, "completedFuture", "(Object)", "", "Argument[0]", "ReturnValue.SyntheticField[java.util.concurrent.CompletableFuture.value]", "value", "manual"]
      - ["java.util.concurrent", "CompletableFuture", False, "get", "()", "", "Argument[-1].SyntheticField[java.util.concurrent.CompletableFuture.value]", "ReturnValue", "value", "manual"] # ! not sure if using SyntheticField is correct here; also, should prbly remove this for `Future.get` below's subtyping to handle.
      - ["java.util.concurrent", "CompletableFuture", False, "join", "()", "", "Argument[-1].SyntheticField[java.util.concurrent.CompletableFuture.value]", "ReturnValue", "value", "manual"] # ! not sure if using SyntheticField is correct here
+      - ["java.util.concurrent", "CompletionStage", False, "toCompletableFuture", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
      - ["java.util.concurrent", "ConcurrentHashMap", True, "elements", "()", "", "Argument[this].MapValue", "ReturnValue.Element", "value", "manual"]
+      - ["java.util.concurrent", "ExecutorService", True, "submit", "(Runnable)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
      - ["java.util.concurrent", "Future", True, "get", "()", "", "Argument[-1].SyntheticField[java.util.concurrent.Future.value]", "ReturnValue", "value", "manual"] # ! not sure if using SyntheticField is correct here
      - ["java.util.concurrent", "TransferQueue", True, "transfer", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
      - ["java.util.concurrent", "TransferQueue", True, "tryTransfer", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
@@ -32,9 +34,12 @@ extensions:
      extensible: neutralModel
    data:
      - ["java.util.concurrent", "CompletableFuture", "completeExceptionally", "(Throwable)", "manual"] # ! summary?
+      - ["java.util.concurrent", "CompletableFuture", "isDone", "()", "manual"]
+      - ["java.util.concurrent", "CountDownLatch", "await", "()", "manual"] # ! combine with below, "" as signature
      - ["java.util.concurrent", "CountDownLatch", "await", "(long,TimeUnit)", "manual"]
      - ["java.util.concurrent", "CountDownLatch", "countDown", "()", "manual"]
      - ["java.util.concurrent", "Executor", "execute", "(Runnable)", "manual"]
+      - ["java.util.concurrent", "ExecutorService", "shutdown", "()", "manual"]

      # The below APIs have numeric flow and are currently being stored as neutral models.
      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
--- a/java/ql/lib/ext/java.util.function.model.yml
+++ b/java/ql/lib/ext/java.util.function.model.yml
@@ -10,4 +10,5 @@ extensions:
      extensible: neutralModel
    data:
      - ["java.util.function", "BiConsumer", "accept", "(Object,Object)", "manual"] # ! remove this model?
+      - ["java.util.function", "BiFunction", "apply", "(Object,Object)", "manual"] # ! remove this model?
      - ["java.util.function", "Function", "identity", "()", "manual"]  # ! remove this model?
--- a/java/ql/lib/ext/java.util.model.yml
+++ b/java/ql/lib/ext/java.util.model.yml
@@ -124,6 +124,7 @@ extensions:
      - ["java.util", "EnumMap", False, "EnumMap", "(Map)", "", "Argument[0].MapValue", "Argument[this].MapValue", "value", "manual"]
      - ["java.util", "Enumeration", True, "asIterator", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
      - ["java.util", "Enumeration", True, "nextElement", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
+      - ["java.util", "EventObject", True, "getSource", "()", "", "Argument[-1].Field[java.util.EventObject.source]", "ReturnValue", "value", "manual"] # ! double-check
      - ["java.util", "HashMap", False, "HashMap", "(Map)", "", "Argument[0].MapKey", "Argument[this].MapKey", "value", "manual"]
      - ["java.util", "HashMap", False, "HashMap", "(Map)", "", "Argument[0].MapValue", "Argument[this].MapValue", "value", "manual"]
      - ["java.util", "HashSet", False, "HashSet", "(Collection)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
@@ -160,6 +161,7 @@ extensions:
      - ["java.util", "ListIterator", True, "add", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
      - ["java.util", "ListIterator", True, "previous", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
      - ["java.util", "ListIterator", True, "set", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["java.util", "Locale", False, "forLanguageTag", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! neutral?
      - ["java.util", "Map", True, "computeIfAbsent", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
      - ["java.util", "Map", True, "computeIfAbsent", "", "", "Argument[1].ReturnValue", "Argument[this].MapValue", "value", "manual"]
      - ["java.util", "Map", True, "computeIfAbsent", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]
@@ -377,11 +379,14 @@ extensions:
      - ["java.util", "Collections", "emptyList", "()", "manual"]
      - ["java.util", "Collections", "emptyMap", "()", "manual"]
      - ["java.util", "Collections", "emptySet", "()", "manual"]
+      - ["java.util", "Collections", "sort", "(List)", "manual"] # ! summary model instead?
      - ["java.util", "Collections", "sort", "(List,Comparator)", "manual"] # ! summary model instead?
      - ["java.util", "Comparator", "comparing", "(Function)", "manual"] # ! seems complex (functional interface), should maybe not have any model?
      - ["java.util", "Enumeration", "hasMoreElements", "()", "manual"]
      - ["java.util", "HashMap", "containsKey", "(Object)", "manual"]
      - ["java.util", "HashMap", "HashMap", "(int)", "manual"]
+      - ["java.util", "HashMap", "size", "()", "manual"]
+      - ["java.util", "HashSet", "HashSet", "(int)", "manual"]
      - ["java.util", "Iterator", "hasNext", "()", "manual"]
      - ["java.util", "Iterator", "remove", "()", "manual"] # ! WithoutElement comment? (double-check if it returns anything, etc.)
      - ["java.util", "List", "contains", "(Object)", "manual"]
@@ -408,9 +413,12 @@ extensions:
      - ["java.util", "Set", "contains", "(Object)", "manual"]
      - ["java.util", "Set", "isEmpty", "()", "manual"]
      - ["java.util", "Set", "remove", "(Object)", "manual"] # ! WithoutElement comment? (double-check if it returns anything, etc.)
+      - ["java.util", "Set", "removeAll", "(Collection)", "manual"] # ! WithoutElement comment? (double-check if it returns anything, etc.)
      - ["java.util", "Set", "size", "()", "manual"]
+      - ["java.util", "UUID", "equals", "(Object)", "manual"]
      - ["java.util", "UUID", "randomUUID", "()", "manual"]
      - ["java.util", "UUID", "toString", "()", "manual"]
+      - ["java.util", "TimeZone", "getTimeZone", "(String)", "manual"]
      - ["java.util", "Vector", "size", "()", "manual"]

      # The below APIs are currently being stored as neutral models since `WithoutElement` has not yet been implemented for Java.
@@ -421,9 +429,13 @@ extensions:

      # The below APIs have numeric flow and are currently being stored as neutral models.
      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.util", "Calendar", "add", "(int,int)", "manual"]      # taint-numeric
      - ["java.util", "Calendar", "get", "(int)", "manual"]          # value-numeric
      - ["java.util", "Calendar", "getTime", "()", "manual"]         # taint-numeric
      - ["java.util", "Calendar", "getTimeInMillis", "()", "manual"] # taint-numeric
      - ["java.util", "Calendar", "set", "(int,int)", "manual"]      # value-numeric
+      - ["java.util", "Calendar", "setTime", "(Date)", "manual"]     # taint-numeric
      - ["java.util", "Date", "Date", "(long)", "manual"]            # taint-numeric
      - ["java.util", "Date", "getTime", "()", "manual"]             # taint-numeric
+      - ["java.util", "Date", "from", "(Instant)", "manual"]         # taint-numeric
+      - ["java.util", "Date", "toInstant", "()", "manual"]           # taint-numeric
--- a/java/ql/lib/ext/java.util.stream.model.yml
+++ b/java/ql/lib/ext/java.util.stream.model.yml
@@ -9,8 +9,8 @@ extensions:
      - ["java.util.stream", "BaseStream", True, "sequential", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
      - ["java.util.stream", "BaseStream", True, "spliterator", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
      - ["java.util.stream", "BaseStream", True, "unordered", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
-      - ["java.util.stream", "IntStream", False, "range", "(int,int)", "", "Argument[0..1]", "ReturnValue.Element", "value", "manual"] # ! this one is a bit odd, is it correct to have it as a summary model?
-      - ["java.util.stream", "Stream", True, "allMatch", "(Predicate)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
+      - ["java.util.stream", "IntStream", False, "range", "(int,int)", "", "Argument[0..1]", "ReturnValue.Element", "value", "manual"] # ! this one is a bit odd, is it correct to have it as a summary model?; not interesting because Int stream?=neutral?
+      - ["java.util.stream", "Stream", True, "allMatch", "(Predicate)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"] # ! neutral instead?
      - ["java.util.stream", "Stream", True, "anyMatch", "(Predicate)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
      - ["java.util.stream", "Stream", True, "collect", "(Supplier,BiConsumer,BiConsumer)", "", "Argument[this].Element", "Argument[1].Parameter[1]", "value", "manual"]
      - ["java.util.stream", "Stream", True, "collect", "(Supplier,BiConsumer,BiConsumer)", "", "Argument[0].ReturnValue", "Argument[1].Parameter[0]", "value", "manual"]
@@ -95,4 +95,5 @@ extensions:
    data:
      - ["java.util.stream", "Collectors", "toList", "()", "manual"]
      - ["java.util.stream", "Collectors", "toSet", "()", "manual"]
+      - ["java.util.stream", "IntStream", "mapToObj", "(IntFunction)", "manual"]
      - ["java.util.stream", "Stream", "count", "()", "manual"]