From e0c2a437801ee49243528a9d026130ed69c259cb Mon Sep 17 00:00:00 2001
From: Michael Nebel <michaelnebel@github.com>
Date: Tue, 30 Apr 2024 10:35:37 +0200
Subject: [PATCH] Java: Deprecate the content of XssLocalQuery and remove the
 Xss local query variant.

---
 .../code/java/security/XssLocalQuery.qll      |  6 ++++--
 .../src/Security/CWE/CWE-079/XSSLocal.qhelp   |  5 -----
 java/ql/src/Security/CWE/CWE-079/XSSLocal.ql  | 21 -------------------
 3 files changed, 4 insertions(+), 28 deletions(-)
 delete mode 100644 java/ql/src/Security/CWE/CWE-079/XSSLocal.qhelp
 delete mode 100644 java/ql/src/Security/CWE/CWE-079/XSSLocal.ql

diff --git a/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll b/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
index f19872bb489..5e1098865aa 100644
--- a/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
@@ -8,7 +8,7 @@ private import semmle.code.java.security.XSS
 /**
  * A taint-tracking configuration for reasoning about cross-site scripting vulnerabilities from a local source.
  */
-module XssLocalConfig implements DataFlow::ConfigSig {
+deprecated module XssLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
@@ -23,6 +23,8 @@ module XssLocalConfig implements DataFlow::ConfigSig {
 }
 
 /**
+ * DEPRECATED: Use `XssFlow` instead and configure threat model sources to include `local`.
+ *
  * Taint-tracking flow for cross-site scripting vulnerabilities from a local source.
  */
-module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
+deprecated module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.qhelp b/java/ql/src/Security/CWE/CWE-079/XSSLocal.qhelp
deleted file mode 100644
index b35c7d781ff..00000000000
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.qhelp
+++ /dev/null
@@ -1,5 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<include src="XSS.qhelp" /></qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
deleted file mode 100644
index 09a7849fd56..00000000000
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * @name Cross-site scripting from local source
- * @description Writing user input directly to a web page
- *              allows for a cross-site scripting vulnerability.
- * @kind path-problem
- * @problem.severity recommendation
- * @security-severity 6.1
- * @precision medium
- * @id java/xss-local
- * @tags security
- *       external/cwe/cwe-079
- */
-
-import java
-import semmle.code.java.security.XssLocalQuery
-import XssLocalFlow::PathGraph
-
-from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink
-where XssLocalFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
-  source.getNode(), "user-provided value"