Merge pull request #8426 from atorralba/atorralba/missing-severities

Java: Add missing security-severity scores
Anders Schack-Mulligen
2022-03-31 14:53:47 +02:00
committed by GitHub
14 changed files with 17 additions and 0 deletions


@@ -4,6 +4,7 @@
* object and to execution of arbitrary code.
* @kind path-problem
* @problem.severity error
* @security-severity 9.8
* @precision high
* @id java/jndi-injection
* @tags security


@@ -4,6 +4,7 @@
* information disclosure or execution of arbitrary code.
* @kind path-problem
* @problem.severity error
* @security-severity 9.8
* @precision high
* @id java/xslt-injection
* @tags security


@@ -4,6 +4,7 @@
* may lead to arbitrary code execution.
* @kind path-problem
* @problem.severity error
* @security-severity 9.3
* @precision high
* @id java/groovy-injection
* @tags security
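
Review bot: the `@security-severity 9.3` added here, and again in java/mvel-expression-injection and java/spel-expression-injection, is lower than the 9.8 given to java/jndi-injection, java/xslt-injection and java/ognl-injection in the same commit, although all six descriptions end in arbitrary or remote code execution. If the gap follows from how the scores are derived (for example from tags that sit outside the visible context), please state that in the commit message; otherwise align the values so that severity-based alert sorting treats these injection queries consistently.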


@@ -4,6 +4,7 @@
* may lead to remote code execution.
* @kind path-problem
* @problem.severity error
* @security-severity 9.3
* @precision high
* @id java/mvel-expression-injection
* @tags security


@@ -4,6 +4,7 @@
* may lead to remote code execution.
* @kind path-problem
* @problem.severity error
* @security-severity 9.3
* @precision high
* @id java/spel-expression-injection
* @tags security


@@ -3,6 +3,7 @@
* @description Writing information without explicit permissions to a shared temporary directory may disclose it to other users.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.5
* @precision medium
* @id java/local-temp-file-or-directory-information-disclosure
* @tags security


@@ -5,6 +5,7 @@
* the app vulnerable to man-in-the-middle attacks.
* @kind problem
* @problem.severity warning
* @security-severity 9.8
* @precision medium
* @id java/unsafe-cert-trust
* @tags security
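
Review bot: `@security-severity 9.8` now sits between `@problem.severity warning` and `@precision medium` in this header, so a query reported as a warning carries the same score as the code-execution queries marked `error`. Please confirm that 9.8 is the intended score for the man-in-the-middle exposure the description names, given that java/insecure-basic-auth receives 8.8 in this commit for a similar network-interception risk, and consider whether `@problem.severity` should be revisited so the two fields do not point reviewers in different directions.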


@@ -5,6 +5,7 @@
* privileges or unexpected exposure from chained vulnerabilities.
* @kind problem
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @id java/android/cleartext-storage-database
* @tags security
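
Review bot: the 7.5 at `@security-severity` here, repeated in java/android/cleartext-storage-filesystem and java/android/cleartext-storage-shared-prefs, is higher than the 6.5 assigned to java/local-temp-file-or-directory-information-disclosure, yet the visible description ties the exposure to "chained vulnerabilities", which reads as needing another flaw first. A short rationale for the ordering of these local-disclosure scores in the commit message would help anyone triaging by severity; the three cleartext-storage values being identical is good and should stay that way.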


@@ -5,6 +5,7 @@
* from chained vulnerabilities.
* @kind problem
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @id java/android/cleartext-storage-filesystem
* @tags security


@@ -5,6 +5,7 @@
* privileges or unexpected exposure from chained vulnerabilities.
* @kind problem
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @id java/android/cleartext-storage-shared-prefs
* @tags security


@@ -6,6 +6,7 @@
* the data vulnerable to packet sniffing.
* @kind path-problem
* @problem.severity warning
* @security-severity 8.8
* @precision medium
* @id java/insecure-basic-auth
* @tags security


@@ -4,6 +4,7 @@
* application files and web resources from any origin exposing them to attack.
* @kind path-problem
* @problem.severity warning
* @security-severity 6.1
* @precision medium
* @id java/android/unsafe-android-webview-fetch
* @tags security


@@ -4,6 +4,7 @@
* lead to execution of arbitrary code.
* @kind path-problem
* @problem.severity error
* @security-severity 9.8
* @precision high
* @id java/ognl-injection
* @tags security