Improve model for CWE-089

2026-02-11 20:51:06 +01:00 · 2026-01-13 21:48:43 +01:00
parent 89f0e79ea1
commit d335f039ef
15 changed files with 137 additions and 223 deletions
--- a/java/ql/lib/ext/com.couchbase.client.java.model.yml
+++ b/java/ql/lib/ext/com.couchbase.client.java.model.yml
@@ -10,19 +10,9 @@ extensions:
      - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
      # 'sql-injection' sinks
-      - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "analyticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "analyticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
      - ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
      - ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery)", "", "Argument[1]", "sql-injection", "manual"]
-      - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery,SearchOptions)", "", "Argument[1]", "sql-injection", "manual"]
-
-  - addsTo:
-      pack: codeql/java-all
-      extensible: summaryModel
-    data:
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[0]", "ReturnValue.MapKey", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "", "", "Argument[1]", "ReturnValue.MapValue", "taint", "manual"]
-      - ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java
@@ -2,17 +2,16 @@ package com.example;

 import com.couchbase.client.java.Bucket;
 import com.couchbase.client.java.Cluster;
-import com.couchbase.client.java.Collection;
-import com.couchbase.client.java.json.JsonObject;

 public class CouchBase {
  public static void main(String[] args) {
    Cluster cluster = Cluster.connect("192.168.0.158", "Administrator", "Administrator");
    Bucket bucket = cluster.bucket("travel-sample");
+    cluster.analyticsQuery(args[1]);
+    cluster.analyticsQuery(args[1], null);
    cluster.query(args[1]);
-
-    Collection collection = bucket.defaultCollection();
-    collection.replace("airbnb_1", JsonObject.create().putNull(System.getenv("ITEM_CATEGORY")));
-    collection.upsert("airbnb_1", JsonObject.create().put("country", args[1]));
+    cluster.query(args[1], null);
+    cluster.queryStreaming(args[1], null);
+    cluster.queryStreaming(args[1], null, null);
  }
 }
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.expected
@@ -29,7 +29,12 @@
 | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value |
 | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value |
 | AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | This query depends on a $@. | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args | user-provided value |
-| CouchBase.java:12:19:12:25 | ...[...] | CouchBase.java:9:27:9:39 | args : String[] | CouchBase.java:12:19:12:25 | ...[...] | This query depends on a $@. | CouchBase.java:9:27:9:39 | args | user-provided value |
+| CouchBase.java:10:28:10:34 | ...[...] | CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:10:28:10:34 | ...[...] | This query depends on a $@. | CouchBase.java:7:27:7:39 | args | user-provided value |
+| CouchBase.java:11:28:11:34 | ...[...] | CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:11:28:11:34 | ...[...] | This query depends on a $@. | CouchBase.java:7:27:7:39 | args | user-provided value |
+| CouchBase.java:12:19:12:25 | ...[...] | CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:12:19:12:25 | ...[...] | This query depends on a $@. | CouchBase.java:7:27:7:39 | args | user-provided value |
+| CouchBase.java:13:19:13:25 | ...[...] | CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:13:19:13:25 | ...[...] | This query depends on a $@. | CouchBase.java:7:27:7:39 | args | user-provided value |
+| CouchBase.java:14:28:14:34 | ...[...] | CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:14:28:14:34 | ...[...] | This query depends on a $@. | CouchBase.java:7:27:7:39 | args | user-provided value |
+| CouchBase.java:15:28:15:34 | ...[...] | CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:15:28:15:34 | ...[...] | This query depends on a $@. | CouchBase.java:7:27:7:39 | args | user-provided value |
 | Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
 | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
 | Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
@@ -49,21 +54,21 @@ edges
 | AllowListSanitizerWithJavaUtilList.java:51:13:51:16 | args : String[] | AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | provenance |  |
 | AllowListSanitizerWithJavaUtilList.java:54:23:54:26 | args : String[] | AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | provenance |  |
 | AllowListSanitizerWithJavaUtilList.java:55:14:55:17 | args : String[] | AllowListSanitizerWithJavaUtilList.java:283:33:283:45 | args : String[] | provenance |  |
-| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:106:66:106:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:118:66:118:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:149:67:149:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:169:67:169:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:187:67:187:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:207:67:207:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:231:67:231:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:242:67:242:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilList.java:283:33:283:45 | args : String[] | AllowListSanitizerWithJavaUtilList.java:293:67:293:71 | query | provenance | Sink:MaD:5 |
+| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:88:66:88:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:94:66:94:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:100:66:100:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:106:66:106:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:58:39:58:51 | args : String[] | AllowListSanitizerWithJavaUtilList.java:118:66:118:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:149:67:149:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:169:67:169:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:187:67:187:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:207:67:207:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:231:67:231:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:132:32:132:44 | args : String[] | AllowListSanitizerWithJavaUtilList.java:242:67:242:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:260:67:260:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:269:67:269:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:247:42:247:54 | args : String[] | AllowListSanitizerWithJavaUtilList.java:278:67:278:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilList.java:283:33:283:45 | args : String[] | AllowListSanitizerWithJavaUtilList.java:293:67:293:71 | query | provenance | Sink:MaD:10 |
 | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:49:20:49:23 | args : String[] | provenance |  |
 | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | provenance |  |
 | AllowListSanitizerWithJavaUtilSet.java:47:26:47:38 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | provenance |  |
@@ -72,37 +77,42 @@ edges
 | AllowListSanitizerWithJavaUtilSet.java:50:13:50:16 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | provenance |  |
 | AllowListSanitizerWithJavaUtilSet.java:53:23:53:26 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | provenance |  |
 | AllowListSanitizerWithJavaUtilSet.java:54:14:54:17 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:282:33:282:45 | args : String[] | provenance |  |
-| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:105:66:105:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:117:66:117:70 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:148:67:148:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:168:67:168:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:186:67:186:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:206:67:206:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:230:67:230:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:241:67:241:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | provenance | Sink:MaD:5 |
-| AllowListSanitizerWithJavaUtilSet.java:282:33:282:45 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | provenance | Sink:MaD:5 |
-| CouchBase.java:9:27:9:39 | args : String[] | CouchBase.java:12:19:12:25 | ...[...] | provenance | Sink:MaD:1 |
+| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:87:66:87:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:93:66:93:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:99:66:99:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:105:66:105:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:57:39:57:51 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:117:66:117:70 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:148:67:148:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:168:67:168:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:186:67:186:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:206:67:206:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:230:67:230:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:131:32:131:44 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:241:67:241:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:259:67:259:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:268:67:268:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:246:42:246:54 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | provenance | Sink:MaD:10 |
+| AllowListSanitizerWithJavaUtilSet.java:282:33:282:45 | args : String[] | AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | provenance | Sink:MaD:10 |
+| CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:10:28:10:34 | ...[...] | provenance | Sink:MaD:1 |
+| CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:11:28:11:34 | ...[...] | provenance | Sink:MaD:2 |
+| CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:12:19:12:25 | ...[...] | provenance | Sink:MaD:3 |
+| CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:13:19:13:25 | ...[...] | provenance | Sink:MaD:4 |
+| CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:14:28:14:34 | ...[...] | provenance | Sink:MaD:5 |
+| CouchBase.java:7:27:7:39 | args : String[] | CouchBase.java:15:28:15:34 | ...[...] | provenance | Sink:MaD:6 |
 | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:56:17:66 | stringQuery : String | provenance |  |
 | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | provenance |  |
 | Mongo.java:17:56:17:66 | stringQuery : String | Mongo.java:17:45:17:67 | parse(...) | provenance | Config |
-| Test.java:29:30:29:42 | args : String[] | Test.java:36:47:36:52 | query1 | provenance | Sink:MaD:5 |
-| Test.java:29:30:29:42 | args : String[] | Test.java:42:57:42:62 | query2 | provenance | Sink:MaD:2 |
-| Test.java:29:30:29:42 | args : String[] | Test.java:50:62:50:67 | query3 | provenance | Sink:MaD:3 |
+| Test.java:29:30:29:42 | args : String[] | Test.java:36:47:36:52 | query1 | provenance | Sink:MaD:10 |
+| Test.java:29:30:29:42 | args : String[] | Test.java:42:57:42:62 | query2 | provenance | Sink:MaD:7 |
+| Test.java:29:30:29:42 | args : String[] | Test.java:50:62:50:67 | query3 | provenance | Sink:MaD:8 |
 | Test.java:29:30:29:42 | args : String[] | Test.java:58:19:58:26 | category : String | provenance |  |
-| Test.java:29:30:29:42 | args : String[] | Test.java:70:40:70:44 | query | provenance | Sink:MaD:6 |
-| Test.java:29:30:29:42 | args : String[] | Test.java:78:46:78:50 | query | provenance | Sink:MaD:4 |
+| Test.java:29:30:29:42 | args : String[] | Test.java:70:40:70:44 | query | provenance | Sink:MaD:11 |
+| Test.java:29:30:29:42 | args : String[] | Test.java:78:46:78:50 | query | provenance | Sink:MaD:9 |
 | Test.java:58:4:58:10 | querySb [post update] : StringBuilder | Test.java:60:29:60:35 | querySb : StringBuilder | provenance |  |
-| Test.java:58:19:58:26 | category : String | Test.java:58:4:58:10 | querySb [post update] : StringBuilder | provenance | MaD:7 |
-| Test.java:60:29:60:35 | querySb : StringBuilder | Test.java:60:29:60:46 | toString(...) : String | provenance | MaD:8 |
-| Test.java:60:29:60:46 | toString(...) : String | Test.java:62:47:62:61 | querySbToString | provenance | Sink:MaD:5 |
-| Test.java:183:33:183:45 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | provenance | Sink:MaD:5 |
-| Test.java:213:34:213:46 | args : String[] | Test.java:221:81:221:111 | ... + ... | provenance | Sink:MaD:5 |
+| Test.java:58:19:58:26 | category : String | Test.java:58:4:58:10 | querySb [post update] : StringBuilder | provenance | MaD:12 |
+| Test.java:60:29:60:35 | querySb : StringBuilder | Test.java:60:29:60:46 | toString(...) : String | provenance | MaD:13 |
+| Test.java:60:29:60:46 | toString(...) : String | Test.java:62:47:62:61 | querySbToString | provenance | Sink:MaD:10 |
+| Test.java:183:33:183:45 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | provenance | Sink:MaD:10 |
+| Test.java:213:34:213:46 | args : String[] | Test.java:221:81:221:111 | ... + ... | provenance | Sink:MaD:10 |
 | Test.java:227:26:227:38 | args : String[] | Test.java:228:11:228:14 | args : String[] | provenance |  |
 | Test.java:227:26:227:38 | args : String[] | Test.java:232:14:232:17 | args : String[] | provenance |  |
 | Test.java:227:26:227:38 | args : String[] | Test.java:233:15:233:18 | args : String[] | provenance |  |
@@ -110,14 +120,19 @@ edges
 | Test.java:232:14:232:17 | args : String[] | Test.java:183:33:183:45 | args : String[] | provenance |  |
 | Test.java:233:15:233:18 | args : String[] | Test.java:213:34:213:46 | args : String[] | provenance |  |
 models
-| 1 | Sink: com.couchbase.client.java; Cluster; true; query; (String); ; Argument[0]; sql-injection; manual |
-| 2 | Sink: java.sql; Connection; true; prepareCall; ; ; Argument[0]; sql-injection; manual |
-| 3 | Sink: java.sql; Connection; true; prepareStatement; ; ; Argument[0]; sql-injection; manual |
-| 4 | Sink: java.sql; Statement; true; executeLargeUpdate; ; ; Argument[0]; sql-injection; manual |
-| 5 | Sink: java.sql; Statement; true; executeQuery; ; ; Argument[0]; sql-injection; manual |
-| 6 | Sink: java.sql; Statement; true; executeUpdate; ; ; Argument[0]; sql-injection; manual |
-| 7 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[0]; Argument[this]; taint; manual |
-| 8 | Summary: java.lang; CharSequence; true; toString; ; ; Argument[this]; ReturnValue; taint; manual |
+| 1 | Sink: com.couchbase.client.java; Cluster; true; analyticsQuery; (String); ; Argument[0]; sql-injection; manual |
+| 2 | Sink: com.couchbase.client.java; Cluster; true; analyticsQuery; (String,AnalyticsOptions); ; Argument[0]; sql-injection; manual |
+| 3 | Sink: com.couchbase.client.java; Cluster; true; query; (String); ; Argument[0]; sql-injection; manual |
+| 4 | Sink: com.couchbase.client.java; Cluster; true; query; (String,QueryOptions); ; Argument[0]; sql-injection; manual |
+| 5 | Sink: com.couchbase.client.java; Cluster; true; queryStreaming; (String,Consumer); ; Argument[0]; sql-injection; manual |
+| 6 | Sink: com.couchbase.client.java; Cluster; true; queryStreaming; (String,QueryOptions,Consumer); ; Argument[0]; sql-injection; manual |
+| 7 | Sink: java.sql; Connection; true; prepareCall; ; ; Argument[0]; sql-injection; manual |
+| 8 | Sink: java.sql; Connection; true; prepareStatement; ; ; Argument[0]; sql-injection; manual |
+| 9 | Sink: java.sql; Statement; true; executeLargeUpdate; ; ; Argument[0]; sql-injection; manual |
+| 10 | Sink: java.sql; Statement; true; executeQuery; ; ; Argument[0]; sql-injection; manual |
+| 11 | Sink: java.sql; Statement; true; executeUpdate; ; ; Argument[0]; sql-injection; manual |
+| 12 | Summary: java.lang; AbstractStringBuilder; true; append; ; ; Argument[0]; Argument[this]; taint; manual |
+| 13 | Summary: java.lang; CharSequence; true; toString; ; ; Argument[this]; ReturnValue; taint; manual |
 nodes
 | AllowListSanitizerWithJavaUtilList.java:48:26:48:38 | args : String[] | semmle.label | args : String[] |
 | AllowListSanitizerWithJavaUtilList.java:50:20:50:23 | args : String[] | semmle.label | args : String[] |
@@ -167,8 +182,13 @@ nodes
 | AllowListSanitizerWithJavaUtilSet.java:277:67:277:71 | query | semmle.label | query |
 | AllowListSanitizerWithJavaUtilSet.java:282:33:282:45 | args : String[] | semmle.label | args : String[] |
 | AllowListSanitizerWithJavaUtilSet.java:292:67:292:71 | query | semmle.label | query |
-| CouchBase.java:9:27:9:39 | args : String[] | semmle.label | args : String[] |
+| CouchBase.java:7:27:7:39 | args : String[] | semmle.label | args : String[] |
+| CouchBase.java:10:28:10:34 | ...[...] | semmle.label | ...[...] |
+| CouchBase.java:11:28:11:34 | ...[...] | semmle.label | ...[...] |
 | CouchBase.java:12:19:12:25 | ...[...] | semmle.label | ...[...] |
+| CouchBase.java:13:19:13:25 | ...[...] | semmle.label | ...[...] |
+| CouchBase.java:14:28:14:34 | ...[...] | semmle.label | ...[...] |
+| CouchBase.java:15:28:15:34 | ...[...] | semmle.label | ...[...] |
 | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] |
 | Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) |
 | Mongo.java:17:56:17:66 | stringQuery : String | semmle.label | stringQuery : String |
--- a/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
+++ b/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCouchBaseCredentials.java
@@ -30,12 +30,22 @@ public class HardcodedCouchBaseCredentials {
    PasswordAuthenticator.builder()
        .username("Administrator") // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
        .password("password"); // $ HardcodedCredentialsSourceCall $ HardcodedCredentialsApiCall
-    PasswordAuthenticator.builder((Supplier<UsernameAndPassword>) new UsernameAndPassword(
-                "Administrator", // $ HardcodedCredentialsSourceCall$ MISSING: HardcodedCredentialsApiCall 
-                "password")); // $ HardcodedCredentialsSourceCall$ MISSING: HardcodedCredentialsApiCall 
+    PasswordAuthenticator.builder(
+        (Supplier<UsernameAndPassword>)
+            new UsernameAndPassword(
+                "Administrator", // $ HardcodedCredentialsSourceCall $ MISSING: HardcodedCredentialsApiCall
+                "password")); // $ HardcodedCredentialsSourceCall $ MISSING: HardcodedCredentialsApiCall
    PasswordAuthenticator.builder()
-        .username((Supplier<String>) () -> {return "Administrator";}) // $ MISSING: HardcodedCredentialsApiCall
-        .password((Supplier<String>) () -> {return "password";}); // $ MISSING: HardcodedCredentialsApiCall
+        .username(
+            (Supplier<String>)
+                () -> {
+                  return "Administrator"; // $ MISSING: HardcodedCredentialsApiCall
+                }) 
+        .password(
+            (Supplier<String>)
+                () -> {
+                  return "password"; // $ MISSING: HardcodedCredentialsApiCall
+                }); 

    // com.couchbase.client.java.Cluster sinks
    Cluster.connect(
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Bucket.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Bucket.java
@@ -1,18 +1,3 @@
-/*
- * Copyright (c) 2016 Couchbase, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
 package com.couchbase.client.java;

 public class Bucket {
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Cluster.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Cluster.java
@@ -1,25 +1,15 @@
-/*
- * Copyright (c) 2016 Couchbase, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 package com.couchbase.client.java;

 import com.couchbase.client.core.env.SeedNode;
+import com.couchbase.client.java.analytics.AnalyticsOptions;
+import com.couchbase.client.java.analytics.AnalyticsResult;
+import com.couchbase.client.java.query.QueryMetaData;
+import com.couchbase.client.java.query.QueryOptions;
 import com.couchbase.client.java.query.QueryResult;
+import com.couchbase.client.java.query.QueryRow;
 import java.io.Closeable;
 import java.util.Set;
+import java.util.function.Consumer;

 public class Cluster implements Closeable {

@@ -40,10 +30,33 @@ public class Cluster implements Closeable {
    return null;
  }

+  public AnalyticsResult analyticsQuery(final String statement) {
+    return null;
+  }
+
+  public AnalyticsResult analyticsQuery(final String statement, final AnalyticsOptions options) {
+    return null;
+  }
+
  public QueryResult query(final String statement) {
    return null;
  }

+  public QueryResult query(final String statement, final QueryOptions options) {
+    return null;
+  }
+
+  public QueryMetaData queryStreaming(String statement, Consumer<QueryRow> rowAction) {
+
+    return null;
+  }
+
+  public QueryMetaData queryStreaming(
+      String statement, QueryOptions options, Consumer<QueryRow> rowAction) {
+
+    return null;
+  }
+
  @Override
  public void close() {}
 }
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Collection.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/Collection.java
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 2018 Couchbase, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.couchbase.client.java;
-
-import com.couchbase.client.java.kv.InsertOptions;
-import com.couchbase.client.java.kv.MutationResult;
-import com.couchbase.client.java.kv.ReplaceOptions;
-import com.couchbase.client.java.kv.UpsertOptions;
-
-public class Collection {
-
-  public MutationResult insert(final String id, final Object content) {
-    return null;
-  }
-
-  public MutationResult insert(final String id, final Object content, final InsertOptions options) {
-    return null;
-  }
-
-  public MutationResult upsert(final String id, final Object content) {
-    return null;
-  }
-
-  public MutationResult upsert(final String id, final Object content, final UpsertOptions options) {
-    return null;
-  }
-
-  public MutationResult replace(final String id, final Object content) {
-    return null;
-  }
-
-  public MutationResult replace(
-      final String id, final Object content, final ReplaceOptions options) {
-    return null;
-  }
-}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/analytics/AnalyticsOptions.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/analytics/AnalyticsOptions.java
@@ -0,0 +1,3 @@
+package com.couchbase.client.java.analytics;
+
+public class AnalyticsOptions {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/analytics/AnalyticsResult.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/analytics/AnalyticsResult.java
@@ -0,0 +1,3 @@
+package com.couchbase.client.java.analytics;
+
+public class AnalyticsResult {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/json/JsonObject.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/json/JsonObject.java
@@ -1,33 +0,0 @@
-/*
- * Copyright (c) 2016 Couchbase, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.couchbase.client.java.json;
-
-import java.io.Serializable;
-
-public class JsonObject extends JsonValue implements Serializable {
-
-  public static JsonObject create() {
-    return null;
-  }
-
-  public JsonObject put(final String name, final Object value) {
-    return null;
-  }
-
-  public JsonObject putNull(final String name) {
-    return null;
-  }
-}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/json/JsonValue.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/json/JsonValue.java
@@ -1,19 +0,0 @@
-/*
- * Copyright (c) 2016 Couchbase, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package com.couchbase.client.java.json;
-
-
-public abstract class JsonValue {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryMetaData.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryMetaData.java
@@ -0,0 +1,3 @@
+package com.couchbase.client.java.query;
+
+public class QueryMetaData {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryOptions.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryOptions.java
@@ -0,0 +1,3 @@
+package com.couchbase.client.java.query;
+
+public class QueryOptions {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryResult.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryResult.java
@@ -1,19 +1,3 @@
-/*
- * Copyright (c) 2019 Couchbase, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *    http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
 package com.couchbase.client.java.query;

 public class QueryResult {}
--- a/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryRow.java
+++ b/java/ql/test/stubs/couchbaseClient/com/couchbase/client/java/query/QueryRow.java
@@ -0,0 +1,3 @@
+package com.couchbase.client.java.query;
+
+public class QueryRow {}