diff --git a/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll b/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll index ba3a3c73302..e566ca41c2f 100644 --- a/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll +++ b/go/ql/lib/semmle/go/dataflow/GlobalValueNumbering.qll @@ -255,8 +255,6 @@ private predicate globalValueNumbers(DataFlow::CallNode ce, int start, GVN head, * methods. */ class GVN extends GvnBase { - GVN() { this instanceof GvnBase } - /** Gets a data-flow node that has this GVN. */ DataFlow::Node getANode() { this = globalValueNumber(result) } diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll index d48335d299f..a388e4bab04 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll @@ -1347,7 +1347,6 @@ module Public { } } -private import Private private import Public class SummaryPostUpdateNode extends FlowSummaryNode, PostUpdateNode { diff --git a/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql b/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql index 6e8d99471ee..b9bf1be2c1d 100644 --- a/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql +++ b/go/ql/src/Security/CWE-020/UntrustedDataToExternalAPI.ql @@ -6,7 +6,8 @@ * @precision low * @problem.severity error * @security-severity 7.8 - * @tags security external/cwe/cwe-020 + * @tags security + * external/cwe/cwe-020 */ import go diff --git a/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql b/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql index 45198047904..89ce5949245 100644 --- a/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql +++ b/go/ql/src/Security/CWE-020/UntrustedDataToUnknownExternalAPI.ql @@ -6,7 +6,8 @@ * @precision low * @problem.severity error * @security-severity 7.8 - * @tags security external/cwe/cwe-020 + * @tags security + * external/cwe/cwe-020 */ import go 
diff --git a/go/ql/src/experimental/CWE-918/validator.qll b/go/ql/src/experimental/CWE-918/validator.qll index 5b9840b8494..2c9dc0592f3 100644 --- a/go/ql/src/experimental/CWE-918/validator.qll +++ b/go/ql/src/experimental/CWE-918/validator.qll @@ -24,7 +24,7 @@ class FieldWithTags extends FieldDecl { * For example: the tag `json:"word" binding:"required,alpha"` yields `key: "json", value: "word"` * and `key: "binding" values: "required","alpha"`. */ - predicate getTagByKeyValue(string key, string value) { + predicate hasTagKeyValue(string key, string value) { exists(string tag, string key_value, string values | this.getTag().toString() = tag and // Each key_value is like key:"value1,value2" @@ -50,7 +50,7 @@ class AlphanumericStructFieldRead extends DataFlow::Node { exists(FieldWithTags decl, Field field, string tag | this = field.getARead() and field.getDeclaration() = decl.getNameExpr(0) and - decl.getTagByKeyValue(key, tag) and + decl.hasTagKeyValue(key, tag) and isAlphanumericValidationKind(tag) ) } diff --git a/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll b/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll index 50fc7d06b56..063836b5513 100644 --- a/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll +++ b/go/ql/src/experimental/frameworks/DecompressionBombsCustomizations.qll @@ -511,7 +511,7 @@ module DecompressionBombs { } /** - * Provides decompression bomb sinks for packages that use some standard IO interfaces/methods for reading decompressed data + * A standard IO function for reading decompressed data. */ class GeneralReadIoSink extends Sink { GeneralReadIoSink() { diff --git a/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql b/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql index 171aee86824..e6ba4ce067b 100644 --- a/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql 
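Review bot: In DecompressionBombsCustomizations.qll, the new QLDoc on `GeneralReadIoSink` calls the class "A standard IO function", but the class extends `Sink`, so it presumably models sink nodes rather than functions. The rewrite also drops the mention of decompression bombs, which was the only hint in the comment about which query the sink belongs to. A wording such as `A decompression bomb sink: data read through a standard IO interface or method.` keeps the single-sentence form and matches what the class declares. The class body continues outside the hunk, so what the characteristic predicate selects cannot be checked from here.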
+++ b/go/ql/test/library-tests/semmle/go/dataflow/GlobalVariableSideEffects/Flows.ql @@ -2,7 +2,6 @@ import go import utils.test.InlineFlowTest string getArgString(DataFlow::Node src, DataFlow::Node sink) { - exists(src) and result = "\"" + sink.toString() + " (from source " + src.(DataFlow::CallNode).getArgument(0).getExactValue() + ")\"" diff --git a/java/ql/lib/semmle/code/java/JDK.qll b/java/ql/lib/semmle/code/java/JDK.qll index bdc2fb92fa0..f965fbfe6ba 100644 --- a/java/ql/lib/semmle/code/java/JDK.qll +++ b/java/ql/lib/semmle/code/java/JDK.qll @@ -321,12 +321,7 @@ class WriteObjectMethod extends Method { class ReadObjectMethod extends Method { ReadObjectMethod() { this.getDeclaringType() instanceof TypeObjectInputStream and - ( - this.hasName("readObject") or - this.hasName("readObjectOverride") or - this.hasName("readUnshared") or - this.hasName("resolveObject") - ) + this.hasName(["readObject", "readObjectOverride", "readUnshared", "resolveObject"]) } } diff --git a/java/ql/lib/semmle/code/java/NumberFormatException.qll b/java/ql/lib/semmle/code/java/NumberFormatException.qll index 83f66d1a709..96174cd1ddc 100644 --- a/java/ql/lib/semmle/code/java/NumberFormatException.qll +++ b/java/ql/lib/semmle/code/java/NumberFormatException.qll @@ -46,12 +46,7 @@ private class SpecialClassInstanceExpr extends ClassInstanceExpr { } predicate throwsNfe() { - this.isStringConstructor("Byte") or - this.isStringConstructor("Short") or - this.isStringConstructor("Integer") or - this.isStringConstructor("Long") or - this.isStringConstructor("Float") or - this.isStringConstructor("Double") + this.isStringConstructor(["Byte", "Short", "Integer", "Long", "Float", "Double"]) } } diff --git a/java/ql/lib/semmle/code/java/frameworks/JAXB.qll b/java/ql/lib/semmle/code/java/frameworks/JAXB.qll index 96075bbccf3..1283aa3d21e 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JAXB.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JAXB.qll 
@@ -107,10 +107,7 @@ class XmlAccessType extends EnumConstant { */ class JaxbMemberAnnotation extends JaxbAnnotationType { JaxbMemberAnnotation() { - this.hasName("XmlElement") or - this.hasName("XmlAttribute") or - this.hasName("XmlElementRefs") or - this.hasName("XmlElements") + this.hasName(["XmlElement", "XmlAttribute", "XmlElementRefs", "XmlElements"]) } } diff --git a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll index d59976c0c6c..a866d84df21 100644 --- a/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll +++ b/java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll @@ -677,7 +677,7 @@ Type inheritsMatchingMethodExceptThrows(SessionEjb ejb, Method m) { } /** - * Holds if `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `m`. + * Holds if `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `icm`. * (Ignores `throws` clauses.) */ predicate inheritsMatchingCreateMethodIgnoreThrows( @@ -704,7 +704,7 @@ predicate inheritsMatchingCreateMethodIgnoreThrows( } /** - * If `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `m` except for the `throws` clause, + * If `ejb` inherits an `ejbCreate` or `@Init` method matching `create` method `icm` except for the `throws` clause, * then return any type in the `throws` clause that does not match. */ Type inheritsMatchingCreateMethodExceptThrows(StatefulSessionEjb ejb, EjbInterfaceCreateMethod icm) { diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll index ee00433da12..a444dc96d5a 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll 
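Review bot: In EJB.qll, the QLDoc on `inheritsMatchingCreateMethodExceptThrows` now names `icm` correctly but still opens with "If ... then return any type", which reads as imperative code rather than the relational "Gets ..." form usual for a predicate with a result. Consider rewording it as `Gets a type in the throws clause that does not match, if ejb inherits an ejbCreate or @Init method matching create method icm except for the throws clause.`, with the identifiers kept in backticks as in the existing comment. The parameter list of `inheritsMatchingCreateMethodIgnoreThrows` in the preceding hunk is cut off, so the `icm` name used in its comment cannot be confirmed from this page.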
@@ -187,13 +187,10 @@ class SpringServletInputAnnotation extends Annotation { a = this.getType() and a.getPackage().getName() = "org.springframework.web.bind.annotation" | - a.hasName("MatrixVariable") or - a.hasName("RequestParam") or - a.hasName("RequestHeader") or - a.hasName("CookieValue") or - a.hasName("RequestPart") or - a.hasName("PathVariable") or - a.hasName("RequestBody") + a.hasName([ + "MatrixVariable", "RequestParam", "RequestHeader", "CookieValue", "RequestPart", + "PathVariable", "RequestBody" + ]) ) } } diff --git a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll index 641fb0c6e6f..729268d4008 100644 --- a/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll +++ b/java/ql/lib/semmle/code/java/frameworks/struts/StrutsActions.qll @@ -40,12 +40,7 @@ class Struts2ActionClass extends Class { getStrutsMapperClass(this) = "org.apache.struts2.dispatcher.mapper.RestfulActionMapper" then // The "Restful" action mapper maps rest APIs to specific methods - result.hasName("index") or - result.hasName("create") or - result.hasName("editNew") or - result.hasName("view") or - result.hasName("remove") or - result.hasName("update") + result.hasName(["index", "create", "editNew", "view", "remove", "update"]) else if getStrutsMapperClass(this) = "org.apache.struts2.rest.RestActionMapper" or @@ -53,13 +48,7 @@ class Struts2ActionClass extends Class { then // The "Rest" action mapper is provided with the rest plugin, and maps rest APIs to specific // methods based on a "ruby-on-rails" style. - result.hasName("index") or - result.hasName("show") or - result.hasName("edit") or - result.hasName("editNew") or - result.hasName("create") or - result.hasName("update") or - result.hasName("destroy") + result.hasName(["index", "show", "edit", "editNew", "create", "update", "destroy"]) else if exists(getStrutsMapperClass(this)) then 
diff --git a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql index a75672445fb..ec1024fde02 100644 --- a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql +++ b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql @@ -6,7 +6,8 @@ * @precision low * @problem.severity error * @security-severity 7.8 - * @tags security external/cwe/cwe-020 + * @tags security + * external/cwe/cwe-020 */ import java