Refactor UnsafeTlsVersion

java/ql/src/experimental/Security/CWE/CWE-327/SslLib.qll

@@ -1,18 +1,14 @@
 import java
 import semmle.code.java.security.Encryption
 import semmle.code.java.dataflow.TaintTracking
-import DataFlow
-import PathGraph
 
 /**
  * A taint-tracking configuration for unsafe SSL and TLS versions.
  */
-class UnsafeTlsVersionConfig extends TaintTracking::Configuration {
-  UnsafeTlsVersionConfig() { this = "UnsafeTlsVersion::UnsafeTlsVersionConfig" }
+module UnsafeTlsVersionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof UnsafeTlsVersion }
 
-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof UnsafeTlsVersion }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink instanceof SslContextGetInstanceSink or
     sink instanceof CreateSslParametersSink or
     sink instanceof SslParametersSetProtocolsSink or
@@ -20,6 +16,8 @@ class UnsafeTlsVersionConfig extends TaintTracking::Configuration {
   }
 }
 
+module UnsafeTlsVersionFlow = TaintTracking::Global<UnsafeTlsVersionConfig>;
+
 /**
  * A sink that sets protocol versions in `SSLContext`,
  * i.e `SSLContext.getInstance(protocol)`.

java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql

@@ -13,9 +13,9 @@
 
 import java
 import SslLib
-import DataFlow::PathGraph
+import UnsafeTlsVersionFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeTlsVersionConfig conf
-where conf.hasFlowPath(source, sink)
+from UnsafeTlsVersionFlow::PathNode source, UnsafeTlsVersionFlow::PathNode sink
+where UnsafeTlsVersionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "$@ is unsafe.", source.getNode(),
   source.getNode().asExpr().(StringLiteral).getValue()