Add experimental,ml-generated tags

2026-05-19 13:48:30 +02:00 · 2022-08-22 15:59:16 +02:00
parent 72c204063d
commit ce2b59ae4a
144 changed files with 160 additions and 7 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -8,6 +8,7 @@
 * @id java/insecure-spring-actuator-config
 * @tags security
 *       external/cwe/cwe-016
+ *       experimental
 */

 /*
--- a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -8,6 +8,7 @@
 * @id java/spring-boot-exposed-actuators
 * @tags security
 *       external/cwe/cwe-16
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
@@ -12,6 +12,7 @@
 *       external/cwe/cwe-074
 *       external/cwe/cwe-400
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
@@ -8,6 +8,7 @@
 * @id java/openstream-called-on-tainted-url
 * @tags security
 *       external/cwe/cwe-036
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -9,6 +9,7 @@
 * @id java/file-path-injection
 * @tags security
 *       external/cwe-073
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -9,6 +9,7 @@
 * @tags security
 *       external/cwe/cwe-078
 *       external/cwe/cwe-088
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
@@ -9,6 +9,7 @@
 * @id java/mybatis-annotation-sql-injection
 * @tags security
 *       external/cwe/cwe-089
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -9,6 +9,7 @@
 * @id java/mybatis-xml-sql-injection
 * @tags security
 *       external/cwe/cwe-089
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
@@ -8,6 +8,7 @@
 * @id java/beanshell-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
@@ -8,6 +8,7 @@
 * @id java/android-insecure-dex-loading
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
@@ -8,6 +8,7 @@
 * @id java/jshell-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
@@ -8,6 +8,7 @@
 * @id java/javaee-expression-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
@@ -9,6 +9,7 @@
 * @tags security
 *       external/cwe/cwe-094
 *       external/cwe/cwe-095
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
@@ -8,6 +8,7 @@
 * @id java/unsafe-eval
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql
@@ -7,6 +7,7 @@
 * @id java/spring-view-manipulation-implicit
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql
@@ -7,6 +7,7 @@
 * @id java/spring-view-manipulation
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/TemplateInjection.ql
@@ -7,6 +7,7 @@
 * @id java/server-side-template-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql
@@ -7,6 +7,7 @@
 * @id java/tomcat-disabled-httponly
 * @tags security
 *       external/cwe/cwe-1004
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
@@ -8,6 +8,7 @@
 * @id java/sensitive-cookie-not-httponly
 * @tags security
 *       external/cwe/cwe-1004
+ *       experimental
 */

 /*
--- a/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
@@ -7,6 +7,7 @@
 * @problem.severity error
 * @tags security
 *       external/cwe/cwe-200
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
@@ -7,6 +7,7 @@
 * @problem.severity warning
 * @tags security
 *       external/cwe/cwe-200
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
@@ -10,6 +10,7 @@
 * @id java/possible-timing-attack-against-signature
 * @tags security
 *       external/cwe/cwe-208
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
@@ -8,6 +8,7 @@
 * @id java/timing-attack-against-headers-value
 * @tags security
 *       external/cwe/cwe-208
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
@@ -11,6 +11,7 @@
 * @id java/timing-attack-against-signature
 * @tags security
 *       external/cwe/cwe-208
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -9,6 +9,7 @@
 * @id java/jxbrowser/disabled-certificate-validation
 * @tags security
 *       external/cwe/cwe-295
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
@@ -8,6 +8,7 @@
 * @id java/ignored-hostname-verification
 * @tags security
 *       external/cwe/cwe-297
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
@@ -9,6 +9,7 @@
 * @id java/insecure-ldaps-endpoint
 * @tags security
 *       external/cwe/cwe-297
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
@@ -8,6 +8,7 @@
 * @id java/disabled-certificate-revocation-checking
 * @tags security
 *       external/cwe/cwe-299
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.ql
@@ -6,6 +6,7 @@
 * @id java/hardcoded-jwt-key
 * @tags security
 *       external/cwe/cwe-321
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -7,6 +7,7 @@
 * @id java/insufficient-key-size
 * @tags security
 *       external/cwe/cwe-326
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
@@ -8,6 +8,7 @@
 * @id java/unsafe-tls-version
 * @tags security
 *       external/cwe/cwe-327
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -7,6 +7,7 @@
 * @id java/unvalidated-cors-origin-set
 * @tags security
 *       external/cwe/cwe-346
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
@@ -8,6 +8,7 @@
 * @id java/ip-address-spoofing
 * @tags security
 *       external/cwe/cwe-348
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -8,6 +8,7 @@
 * @id java/jsonp-injection
 * @tags security
 *       external/cwe/cwe-352
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
@@ -7,6 +7,7 @@
 * @problem.severity warning
 * @tags security
 *       external/cwe/cwe-400
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
@@ -8,6 +8,7 @@
 * @id java/unsafe-reflection
 * @tags security
 *       external/cwe/cwe-470
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql
@@ -7,6 +7,7 @@
 * @id java/main-method-in-enterprise-bean
 * @tags security
 *       external/cwe/cwe-489
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
@@ -7,6 +7,7 @@
 * @id java/main-method-in-web-components
 * @tags security
 *       external/cwe/cwe-489
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql
@@ -8,6 +8,7 @@
 * @id java/struts-development-mode
 * @tags security
 *       external/cwe/cwe-489
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
@@ -10,6 +10,7 @@
 * @id java/unsafe-deserialization-rmi
 * @tags security
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
@@ -9,6 +9,7 @@
 * @id java/unsafe-deserialization-spring-exporter-in-configuration-class
 * @tags security
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
@@ -9,6 +9,7 @@
 * @id java/unsafe-deserialization-spring-exporter-in-xml-configuration
 * @tags security
 *       external/cwe/cwe-502
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureLdapAuth.ql
@@ -8,6 +8,7 @@
 * @tags security
 *       external/cwe/cwe-522
 *       external/cwe/cwe-319
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
@@ -10,6 +10,7 @@
 * @id java/server-directory-listing
 * @tags security
 *       external/cwe/cwe-548
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -8,6 +8,7 @@
 * @id java/unsafe-url-forward-dispatch
 * @tags security
 *       external/cwe-552
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
@@ -9,6 +9,7 @@
 *       external/cwe/cwe-555
 *       external/cwe/cwe-256
 *       external/cwe/cwe-260
+ *       experimental
 */

 /*
--- a/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
@@ -9,6 +9,7 @@
 *       external/cwe/cwe-555
 *       external/cwe/cwe-256
 *       external/cwe/cwe-260
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -7,6 +7,7 @@
 * @id java/sensitive-query-with-get
 * @tags security
 *       external/cwe/cwe-598
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
@@ -10,6 +10,7 @@
 * @id java/uncaught-servlet-exception
 * @tags security
 *       external/cwe/cwe-600
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -8,6 +8,7 @@
 * @id java/spring-unvalidated-url-redirection
 * @tags security
 *       external/cwe/cwe-601
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-611/XXE.ql
@@ -9,6 +9,7 @@
 * @id java/xxe-with-experimental-sinks
 * @tags security
 *       external/cwe/cwe-611
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-611/XXELocal.ql
@@ -11,6 +11,7 @@
 * @id java/xxe-local-experimental-sinks
 * @tags security
 *       external/cwe/cwe-611
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
@@ -8,6 +8,7 @@
 * @id java/xquery-injection
 * @tags security
 *       external/cwe/cwe-652
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
@@ -5,6 +5,7 @@
 * @problem.severity error
 * @tags security
 *       external/cwe/cwe-665
+ *       experimental
 * @precision high
 * @id java/insecure-rmi-jmx-server-initialization
 */
--- a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -10,6 +10,7 @@
 * @tags security
 *       external/cwe/cwe-730
 *       external/cwe/cwe-400
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
@@ -10,6 +10,7 @@
 * @id java/android/nfe-local-android-dos
 * @tags security
 *       external/cwe/cwe-755
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
@@ -7,6 +7,7 @@
 * @id java/hash-without-salt
 * @tags security
 *       external/cwe/cwe-759
+ *       experimental
 */

 import java
--- a/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql
@@ -9,6 +9,7 @@
 * @id java/incorrect-url-verification
 * @tags security
 *       external/cwe/cwe-939
+ *       experimental
 */

 import java