Merge branch 'main' into feature/java-sinks-csv

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql

@@ -79,8 +79,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
     printStackCall.getAnArgument() = printWriter and
     printStackCall.getQualifier() = exception and
     stackTraceString.getQualifier() = stringWriterVar.getAnAccess() and
-    stackTraceString.getMethod().getName() = "toString" and
-    stackTraceString.getMethod().getNumberOfParameters() = 0
+    stackTraceString.getMethod() instanceof ToStringMethod
   )
 }
 

java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql

@@ -33,9 +33,8 @@ class InsecureAlgoLiteral extends ShortStringLiteral {
 }
 
 predicate objectToString(MethodAccess ma) {
-  exists(Method m |
+  exists(ToStringMethod m |
     m = ma.getMethod() and
-    m.hasName("toString") and
     m.getDeclaringType() instanceof TypeObject and
     variableTrack(ma.getQualifier()).getType().getErasure() instanceof TypeObject
   )

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql

@@ -19,14 +19,14 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr() instanceof HardcodedExpr and
-    not n.asExpr().getEnclosingCallable().getName() = "toString"
+    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
   }
 
   override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
 
   override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     node1.asExpr().getType() instanceof TypeString and
-    exists(MethodAccess ma | ma.getMethod().getName().regexpMatch("getBytes|toCharArray") |
+    exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
       node2.asExpr() = ma and
       ma.getQualifier() = node1.asExpr()
     )