Merge branch 'main' into atorralba/java/command-injection-mad-sinks

java/ql/lib/change-notes/2023-05-19-path-injection-sinks-mad.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Path creation sinks modeled in `PathCreation.qll` have been added to the models-as-data sink kind `path-injection`.

java/ql/lib/change-notes/2023-06-01-new-models.md

@@ -0,0 +1,7 @@
+---
+category: minorAnalysis
+---
+* Added models for the following packages:
+
+  * java.lang
+  * java.nio.file

java/ql/lib/change-notes/2023-06-02-delete-deps.md

@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Deleted the deprecated `getRHS` predicate from the `LValue` class, use `getRhs` instead.
+* Deleted the deprecated `getCFGNode` predicate from the `SsaVariable` class, use `getCfgNode` instead.
+* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.

java/ql/lib/change-notes/2023-06-06-kotlin-use-with-flow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added flow through the block arguments of `kotlin.io.use` and `kotlin.with`.

java/ql/lib/change-notes/2023-06-06-new-models.md

@@ -0,0 +1,15 @@
+---
+category: minorAnalysis
+---
+* Added models for the following packages:
+
+  * com.alibaba.druid.sql
+  * com.fasterxml.jackson.databind
+  * com.jcraft.jsch
+  * io.netty.handler.ssl
+  * okhttp3
+  * org.antlr.runtime
+  * org.fusesource.leveldbjni
+  * org.influxdb
+  * org.springframework.core.io
+  * org.yaml.snakeyaml

java/ql/lib/change-notes/2023-06-08-type-strengthening.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.

java/ql/lib/ext/com.alibaba.druid.sql.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.alibaba.druid.sql", "SQLUtils", False, "toMySqlString", "(SQLObject)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml

@@ -9,3 +9,9 @@ extensions:
       - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"]
       - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue.Element", "ReturnValue", "taint", "manual"]
       - ["com.fasterxml.jackson.databind", "ObjectReader", False, "createParser", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "readValue", "(File,Class)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "writeValue", "(File,Object)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/com.google.gson.model.yml

@@ -26,18 +26,23 @@ extensions:
       - ["com.google.gson", "JsonElement", True, "getAsJsonPrimitive", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["com.google.gson", "JsonElement", True, "getAsString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["com.google.gson", "JsonElement", True, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["com.google.gson", "JsonArray", True, "add", "", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(Boolean)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(Character)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(JsonElement)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(Number)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(String)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "addAll", "(JsonArray)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
       - ["com.google.gson", "JsonArray", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
       - ["com.google.gson", "JsonArray", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
       - ["com.google.gson", "JsonArray", True, "set", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
       - ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
       - ["com.google.gson", "JsonObject", True, "add", "", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
       - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[0]", "Argument[this].MapKey", "value", "manual"]
-      - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[1]", "Argument[this].MapValue", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "addProperty", "(String,String)", "", "Argument[1]", "Argument[this].MapValue", "taint", "manual"]
       - ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["com.google.gson", "JsonObject", True, "asMap", "", "", "Argument[this].MapValue", "ReturnValue.MapValue", "value", "manual"]
       - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapKey", "value", "manual"]
-      - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapKey", "ReturnValue.Element.MapValue", "value", "manual"]
+      - ["com.google.gson", "JsonObject", True, "entrySet", "", "", "Argument[this].MapValue", "ReturnValue.Element.MapValue", "value", "manual"]
       - ["com.google.gson", "JsonObject", True, "get", "", "", "Argument[this].MapValue", "ReturnValue", "value", "manual"]
       - ["com.google.gson", "JsonObject", True, "keySet", "", "", "Argument[this].MapKey", "ReturnValue.Element", "value", "manual"]
       - ["com.google.gson", "JsonPrimitive", True, "JsonPrimitive", "(Character)", "", "Argument[0]", "Argument[this]", "taint", "manual"]

java/ql/lib/ext/com.jcraft.jsch.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[1]", "request-forgery", "ai-manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.jcraft.jsch", "ChannelSftp", True, "realpath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/io.netty.handler.ssl.model.yml

@@ -5,3 +5,5 @@ extensions:
     data:
       - ["io.netty.handler.ssl", "OpenSslServerContext", False, "OpenSslServerContext", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["io.netty.handler.ssl", "SslContextBuilder", False, "forServer", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(InputStream)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/java.io.model.yml

@@ -3,6 +3,10 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["java.io", "File", False, "File", "(File,String)", "", "Argument[1]", "path-injection", "manual"] # old PathCreation
+      - ["java.io", "File", False, "File", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
+      - ["java.io", "File", False, "File", "(String,String)", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
+      - ["java.io", "File", False, "File", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
       - ["java.io", "File", True, "createTempFile", "(String,String,File)", "", "Argument[2]", "path-injection", "ai-manual"]
       - ["java.io", "File", True, "renameTo", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.io", "FileInputStream", True, "FileInputStream", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
@@ -11,6 +15,7 @@ extensions:
       - ["java.io", "FileOutputStream", False, "write", "", "", "Argument[0]", "file-content-store", "manual"]
       - ["java.io", "FileReader", True, "FileReader", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.io", "FileReader", True, "FileReader", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.io", "FileReader", True, "FileReader", "(String,Charset)", "", "Argument[0]", "path-injection", "manual"]
       - ["java.io", "FileSystem", True, "createDirectory", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.io", "FileWriter", False, "FileWriter", "", "", "Argument[0]", "path-injection", "manual"]
       - ["java.io", "PrintStream", False, "PrintStream", "(File)", "", "Argument[0]", "path-injection", "manual"]

java/ql/lib/ext/java.lang.model.yml

@@ -21,14 +21,17 @@ extensions:
       - ["java.lang", "Runtime", True, "exec", "(String,String[])", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "Runtime", True, "exec", "(String,String[],File)", "", "Argument[2]", "command-injection", "ai-manual"]
+      # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
+      # - ["java.lang", "Runtime", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
+      # - ["java.lang", "Runtime", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "String", False, "matches", "(String)", "", "Argument[0]", "regex-use[f-1]", "manual"]
       - ["java.lang", "String", False, "replaceAll", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "replaceFirst", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "split", "(String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "split", "(String,int)", "", "Argument[0]", "regex-use[-1]", "manual"]
-      # These are modeled in plain CodeQL. TODO: migrate them.
-      # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library.
-      # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"] # This is actually injecting a library.
+      # These are potential vulnerabilities, but not for command-injection. No query for this kind of vulnerability currently exists.
+      # - ["java.lang", "System", False, "load", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
+      # - ["java.lang", "System", False, "loadLibrary", "(String)", "", "Argument[0]", "command-injection", "ai-manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,Object)", "", "Argument[1]", "log-injection", "manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Object[])", "", "Argument[2..3]", "log-injection", "manual"]
       - ["java.lang", "System$Logger", True, "log", "(Level,ResourceBundle,String,Throwable)", "", "Argument[2]", "log-injection", "manual"]

java/ql/lib/ext/java.nio.file.model.yml

@@ -18,6 +18,7 @@ extensions:
       - ["java.nio.file", "Files", False, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", False, "deleteIfExists", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.nio.file", "Files", False, "getFileStore", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # the FileStore class is unlikely to be used for later sanitization
       - ["java.nio.file", "Files", False, "lines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", False, "lines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", False, "move", "", "", "Argument[1]", "path-injection", "manual"]
@@ -26,6 +27,7 @@ extensions:
       - ["java.nio.file", "Files", False, "newBufferedWriter", "", "", "Argument[0]", "path-injection", "manual"]
       - ["java.nio.file", "Files", False, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", False, "newOutputStream", "", "", "Argument[0]", "path-injection", "manual"]
+      - ["java.nio.file", "Files", False, "probeContentType", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"] # accesses the file based on user input, but only reads its content type from it
       - ["java.nio.file", "Files", False, "readAllBytes", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", False, "readAllLines", "(Path,Charset)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", False, "readAllLines", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
@@ -40,12 +42,23 @@ extensions:
       - ["java.nio.file", "Files", True, "delete", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", True, "newInputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "Files", True, "newOutputStream", "(Path,OpenOption[])", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["java.nio.file", "FileSystem", False, "getPath", "", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
+      - ["java.nio.file", "Path", False, "of", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
+      - ["java.nio.file", "Path", False, "of", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
+      - ["java.nio.file", "Path", False, "resolve", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
+      - ["java.nio.file", "Path", False, "resolveSibling", "(String)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
+      - ["java.nio.file", "Paths", False, "get", "(String,String[])", "", "Argument[0..1]", "path-injection", "manual"] # old PathCreation
+      - ["java.nio.file", "Paths", False, "get", "(URI)", "", "Argument[0]", "path-injection", "manual"] # old PathCreation
       - ["java.nio.file", "SecureDirectoryStream", True, "deleteDirectory", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
       - ["java.nio.file", "SecureDirectoryStream", True, "deleteFile", "(Path)", "", "Argument[0]", "path-injection", "ai-manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
     data:
+      - ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
+      - ["java.nio.file", "Files", False, "find", "(Path,int,BiPredicate,FileVisitOption[])", "", "Argument[2]", "ReturnValue.Element", "taint", "ai-manual"]
+      - ["java.nio.file", "Files", False, "list", "(Path)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
+      - ["java.nio.file", "Files", False, "readSymbolicLink", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"] # this can be used to enumerate a file system
       - ["java.nio.file", "Files", True, "newBufferedReader", "(Path,Charset)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
       - ["java.nio.file", "Files", True, "newBufferedReader", "(Path)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
       - ["java.nio.file", "Files", True, "newByteChannel", "(Path,OpenOption[])", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/java.sql.model.yml

@@ -21,7 +21,6 @@ extensions:
       extensible: summaryModel
     data:
       - ["java.sql", "Connection", True, "nativeSQL", "(String)", "", "Argument[0]", "ReturnValue", "taint", "hq-manual"]
-      - ["java.sql", "PreparedStatement", True, "setString", "(int,String)", "", "Argument[1]", "Argument[this]", "value", "manual"]
       - ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
 
   - addsTo:
@@ -31,13 +30,14 @@ extensions:
       - ["java.sql", "Connection", "createStatement", "()", "summary", "manual"]
       - ["java.sql", "PreparedStatement", "executeUpdate", "()", "summary", "manual"]
       - ["java.sql", "PreparedStatement", "executeQuery", "()", "summary", "manual"]
+      - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "summary", "manual"]
+      - ["java.sql", "PreparedStatement", "setLong", "(int,long)", "summary", "manual"]
+      - ["java.sql", "PreparedStatement", "setString", "(int,String)", "summary", "manual"]
       - ["java.sql", "ResultSet", "next", "()", "summary", "manual"]
       - ["java.sql", "Statement", "close", "()", "summary", "manual"]
 
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
-      - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "summary", "manual"]   # value-numeric
-      - ["java.sql", "PreparedStatement", "setLong", "(int,long)", "summary", "manual"] # value-numeric
       - ["java.sql", "ResultSet", "getInt", "(int)", "summary", "manual"]               # taint-numeric
       - ["java.sql", "ResultSet", "getInt", "(String)", "summary", "manual"]            # taint-numeric
       - ["java.sql", "ResultSet", "getLong", "(String)", "summary", "manual"]           # taint-numeric

java/ql/lib/ext/kotlin.io.model.yml

@@ -11,6 +11,8 @@ extensions:
       pack: codeql/java-all
       extensible: summaryModel
     data:
+      - ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
+      - ["kotlin.io", "CloseableKt", False, "use", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]
       - ["kotlin.io", "FilesKt", False, "normalize", "(File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
       - ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
       - ["kotlin.io", "FilesKt", False, "relativeTo", "(File,File)", "", "Argument[1]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/kotlin.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["kotlin", "StandardKt", False, "with", "", "", "Argument[0]", "Argument[1].Parameter[0]", "value", "manual"]
+      - ["kotlin", "StandardKt", False, "with", "", "", "Argument[1].ReturnValue", "ReturnValue", "value", "manual"]

java/ql/lib/ext/okhttp3.model.yml

@@ -58,3 +58,4 @@ extensions:
       - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["okhttp3", "HttpUrl$Builder", False, "username", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["okhttp3", "Request$Builder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/org.antlr.runtime.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.antlr.runtime", "ANTLRFileStream", True, "ANTLRFileStream", "(String,String)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/org.fusesource.leveldbjni.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.fusesource.leveldbjni", "JniDBFactory", True, "open", "(File,Options)", "", "Argument[0]", "path-injection", "ai-manual"]

java/ql/lib/ext/org.influxdb.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.influxdb", "InfluxDBFactory", False, "connect", "(String,String,String,Builder)", "", "Argument[0]", "request-forgery", "ai-manual"]

java/ql/lib/ext/org.springframework.core.io.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "request-forgery", "manual"]

java/ql/lib/ext/org.yaml.snakeyaml.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.yaml.snakeyaml", "Yaml", True, "load", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/semmle/code/java/Expr.qll

@@ -1809,9 +1809,6 @@ class LValue extends VarAccess {
    * are source expressions of the assignment.
    */
   Expr getRhs() { exists(Assignment e | e.getDest() = this and e.getSource() = result) }
-
-  /** DEPRECATED: Alias for getRhs */
-  deprecated Expr getRHS() { result = this.getRhs() }
 }
 
 /**

java/ql/lib/semmle/code/java/Type.qll

@@ -987,6 +987,17 @@ private string getAPublicObjectMethodSignature() {
   )
 }
 
+pragma[nomagic]
+private predicate interfaceInheritsOverridingNonAbstractMethod(Interface interface, Method m) {
+  interface.inherits(m) and
+  not m.isAbstract() and
+  m.overrides(_)
+}
+
+bindingset[m]
+pragma[inline_late]
+private Method getAnOverridden(Method m) { m.overrides(result) }
+
 private Method getAnAbstractMethod(Interface interface) {
   interface.inherits(result) and
   result.isAbstract() and
@@ -995,9 +1006,8 @@ private Method getAnAbstractMethod(Interface interface) {
   // Make sure that there is no other non-abstract method
   // (e.g. `default`) which overrides the abstract one
   not exists(Method m |
-    interface.inherits(m) and
-    not m.isAbstract() and
-    m.overrides(result)
+    interfaceInheritsOverridingNonAbstractMethod(interface, m) and
+    result = getAnOverridden(m)
   )
 }
 

java/ql/lib/semmle/code/java/controlflow/internal/Preconditions.qll

@@ -6,15 +6,6 @@
 
 import java
 
-/**
- * DEPRECATED: Use `conditionCheckMethodArgument` instead.
- * Holds if `m` is a non-overridable method that checks that its first argument
- * is equal to `checkTrue` and throws otherwise.
- */
-deprecated predicate conditionCheckMethod(Method m, boolean checkTrue) {
-  conditionCheckMethodArgument(m, 0, checkTrue)
-}
-
 /**
  * Holds if `m` is a non-overridable method that checks that its zero-indexed `argument`
  * is equal to `checkTrue` and throws otherwise.

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -265,13 +265,57 @@ module ModelValidation {
     )
   }
 
+  private class OutdatedSinkKind extends string {
+    OutdatedSinkKind() {
+      this =
+        [
+          "sql", "url-redirect", "xpath", "ssti", "logging", "groovy", "jexl", "mvel", "xslt",
+          "ldap", "pending-intent-sent", "intent-start", "set-hostname-verifier",
+          "header-splitting", "xss", "write-file", "create-file", "read-file", "open-url",
+          "jdbc-url"
+        ]
+    }
+
+    private string replacementKind() {
+      this = ["sql", "xpath", "groovy", "jexl", "mvel", "xslt", "ldap"] and
+      result = this + "-injection"
+      or
+      this = "url-redirect" and result = "url-redirection"
+      or
+      this = "ssti" and result = "template-injection"
+      or
+      this = "logging" and result = "log-injection"
+      or
+      this = "pending-intent-sent" and result = "pending-intents"
+      or
+      this = "intent-start" and result = "intent-redirection"
+      or
+      this = "set-hostname-verifier" and result = "hostname-verification"
+      or
+      this = "header-splitting" and result = "response-splitting"
+      or
+      this = "xss" and result = "html-injection\" or \"js-injection"
+      or
+      this = "write-file" and result = "file-content-store"
+      or
+      this = ["create-file", "read-file"] and result = "path-injection"
+      or
+      this = ["open-url", "jdbc-url"] and result = "request-forgery"
+    }
+
+    string outdatedMessage() {
+      result =
+        "The kind \"" + this + "\" is outdated. Use \"" + this.replacementKind() + "\" instead."
+    }
+  }
+
   private string getInvalidModelKind() {
     exists(string kind | summaryModel(_, _, _, _, _, _, _, _, kind, _) |
       not kind = ["taint", "value"] and
       result = "Invalid kind \"" + kind + "\" in summary model."
     )
     or
-    exists(string kind | sinkModel(_, _, _, _, _, _, _, kind, _) |
+    exists(string kind, string msg | sinkModel(_, _, _, _, _, _, _, kind, _) |
       not kind =
         [
           "request-forgery", "jndi-injection", "ldap-injection", "sql-injection", "log-injection",
@@ -283,7 +327,11 @@ module ModelValidation {
         ] and
       not kind.matches("regex-use%") and
       not kind.matches("qltest%") and
-      result = "Invalid kind \"" + kind + "\" in sink model."
+      msg = "Invalid kind \"" + kind + "\" in sink model." and
+      // The part of this message that refers to outdated sink kinds can be deleted after June 1st, 2024.
+      if kind instanceof OutdatedSinkKind
+      then result = msg + " " + kind.(OutdatedSinkKind).outdatedMessage()
+      else result = msg
     )
     or
     exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) |

java/ql/lib/semmle/code/java/dataflow/SSA.qll

@@ -931,9 +931,6 @@ class SsaVariable extends TSsaVariable {
     this = TSsaUntracked(_, result)
   }
 
-  /** DEPRECATED: Alias for getCfgNode */
-  deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() }
-
   /** Gets a textual representation of this SSA variable. */
   string toString() { none() }
 

java/ql/lib/semmle/code/java/dataflow/internal/BaseSSA.qll

@@ -483,9 +483,6 @@ class BaseSsaVariable extends TBaseSsaVariable {
     this = TSsaEntryDef(_, result)
   }
 
-  /** DEPRECATED: Alias for getCfgNode */
-  deprecated ControlFlowNode getCFGNode() { result = this.getCfgNode() }
-
   string toString() { none() }
 
   Location getLocation() { result = this.getCfgNode().getLocation() }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll

@@ -1135,8 +1135,8 @@ module Impl<FullStateConfigSig Config> {
         DataFlowCall call, ArgNodeEx arg, ParamNodeEx p, boolean allowsFieldFlow
       );
 
-      bindingset[node, state, t, ap]
-      predicate filter(NodeEx node, FlowState state, Typ t, Ap ap);
+      bindingset[node, state, t0, ap]
+      predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t);
 
       bindingset[typ, contentType]
       predicate typecheckStore(Typ typ, DataFlowType contentType);
@@ -1199,17 +1199,21 @@ module Impl<FullStateConfigSig Config> {
         NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
         ApOption argAp, Typ t, Ap ap, ApApprox apa
       ) {
-        fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t, ap, apa) and
-        PrevStage::revFlow(node, state, apa) and
-        filter(node, state, t, ap)
+        fwdFlow1(node, state, cc, summaryCtx, argT, argAp, _, t, ap, apa)
       }
 
-      pragma[inline]
-      additional predicate fwdFlow(
+      private predicate fwdFlow1(
         NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
-        ApOption argAp, Typ t, Ap ap
+        ApOption argAp, Typ t0, Typ t, Ap ap, ApApprox apa
       ) {
-        fwdFlow(node, state, cc, summaryCtx, argT, argAp, t, ap, _)
+        fwdFlow0(node, state, cc, summaryCtx, argT, argAp, t0, ap, apa) and
+        PrevStage::revFlow(node, state, apa) and
+        filter(node, state, t0, ap, t)
+      }
+
+      pragma[nomagic]
+      private predicate typeStrengthen(Typ t0, Ap ap, Typ t) {
+        fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t
       }
 
       pragma[assume_small_delta]
@@ -1339,6 +1343,11 @@ module Impl<FullStateConfigSig Config> {
       private predicate fwdFlowConsCand(Typ t2, Ap cons, Content c, Typ t1, Ap tail) {
         fwdFlowStore(_, t1, tail, c, t2, _, _, _, _, _, _) and
         cons = apCons(c, t1, tail)
+        or
+        exists(Typ t0 |
+          typeStrengthen(t0, cons, t2) and
+          fwdFlowConsCand(t0, cons, c, t1, tail)
+        )
       }
 
       pragma[nomagic]
@@ -1359,7 +1368,7 @@ module Impl<FullStateConfigSig Config> {
         ParamNodeOption summaryCtx, TypOption argT, ApOption argAp
       ) {
         exists(ApHeadContent apc |
-          fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap) and
+          fwdFlow(node1, state, cc, summaryCtx, argT, argAp, t, ap, _) and
           apc = getHeadContent(ap) and
           readStepCand0(node1, apc, c, node2)
         )
@@ -1520,14 +1529,14 @@ module Impl<FullStateConfigSig Config> {
         NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap
       ) {
         revFlow0(node, state, returnCtx, returnAp, ap) and
-        fwdFlow(node, state, _, _, _, _, _, ap)
+        fwdFlow(node, state, _, _, _, _, _, ap, _)
       }
 
       pragma[nomagic]
       private predicate revFlow0(
         NodeEx node, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap
       ) {
-        fwdFlow(node, state, _, _, _, _, _, ap) and
+        fwdFlow(node, state, _, _, _, _, _, ap, _) and
         sinkNode(node, state) and
         (
           if hasSinkCallCtx()
@@ -1780,13 +1789,13 @@ module Impl<FullStateConfigSig Config> {
         boolean fwd, int nodes, int fields, int conscand, int states, int tuples
       ) {
         fwd = true and
-        nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _)) and
+        nodes = count(NodeEx node | fwdFlow(node, _, _, _, _, _, _, _, _)) and
         fields = count(Content f0 | fwdConsCand(f0, _, _)) and
         conscand = count(Content f0, Typ t, Ap ap | fwdConsCand(f0, t, ap)) and
-        states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _)) and
+        states = count(FlowState state | fwdFlow(_, state, _, _, _, _, _, _, _)) and
         tuples =
           count(NodeEx n, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
-            ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap))
+            ApOption argAp, Typ t, Ap ap | fwdFlow(n, state, cc, summaryCtx, argT, argAp, t, ap, _))
         or
         fwd = false and
         nodes = count(NodeEx node | revFlow(node, _, _, _, _)) and
@@ -1963,10 +1972,10 @@ module Impl<FullStateConfigSig Config> {
       )
     }
 
-    bindingset[node, state, t, ap]
-    predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
+    bindingset[node, state, t0, ap]
+    predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
       PrevStage::revFlowState(state) and
-      exists(t) and
+      t0 = t and
       exists(ap) and
       not stateBarrier(node, state) and
       (
@@ -2197,8 +2206,8 @@ module Impl<FullStateConfigSig Config> {
     import BooleanCallContext
 
     predicate localStep(
-      NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-      DataFlowType t, LocalCc lcc
+      NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t,
+      LocalCc lcc
     ) {
       localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and
       exists(lcc)
@@ -2218,10 +2227,16 @@ module Impl<FullStateConfigSig Config> {
       )
     }
 
-    bindingset[node, state, t, ap]
-    predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
+    bindingset[node, state, t0, ap]
+    predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
       exists(state) and
-      (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and
+      // We can get away with not using type strengthening here, since we aren't
+      // going to use the tracked types in the construction of Stage 4 access
+      // paths. For Stage 4 and onwards, the tracked types must be consistent as
+      // the cons candidates including types are used to construct subsequent
+      // access path approximations.
+      t0 = t and
+      (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t0) else any()) and
       (
         notExpectsContent(node)
         or
@@ -2241,6 +2256,16 @@ module Impl<FullStateConfigSig Config> {
     import MkStage<Stage2>::Stage<Stage3Param>
   }
 
+  bindingset[node, t0]
+  private predicate strengthenType(NodeEx node, DataFlowType t0, DataFlowType t) {
+    if castingNodeEx(node)
+    then
+      exists(DataFlowType nt | nt = node.getDataFlowType() |
+        if typeStrongerThan(nt, t0) then t = nt else (compatibleTypes(nt, t0) and t = t0)
+      )
+    else t = t0
+  }
+
   private module Stage4Param implements MkStage<Stage3>::StageParam {
     private module PrevStage = Stage3;
 
@@ -2274,8 +2299,8 @@ module Impl<FullStateConfigSig Config> {
 
     pragma[nomagic]
     predicate localStep(
-      NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-      DataFlowType t, LocalCc lcc
+      NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t,
+      LocalCc lcc
     ) {
       localFlowBigStep(node1, state1, node2, state2, preservesValue, t, _) and
       PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
@@ -2333,11 +2358,11 @@ module Impl<FullStateConfigSig Config> {
       )
     }
 
-    bindingset[node, state, t, ap]
-    predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
+    bindingset[node, state, t0, ap]
+    predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
       exists(state) and
       not clear(node, ap) and
-      (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and
+      strengthenType(node, t0, t) and
       (
         notExpectsContent(node)
         or
@@ -2365,7 +2390,7 @@ module Impl<FullStateConfigSig Config> {
     exists(AccessPathFront apf |
       Stage4::revFlow(node, state, TReturnCtxMaybeFlowThrough(_), _, apf) and
       Stage4::fwdFlow(node, state, any(Stage4::CcCall ccc), _, _, TAccessPathFrontSome(argApf), _,
-        apf)
+        apf, _)
     )
   }
 
@@ -2579,8 +2604,8 @@ module Impl<FullStateConfigSig Config> {
     import LocalCallContext
 
     predicate localStep(
-      NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue,
-      DataFlowType t, LocalCc lcc
+      NodeEx node1, FlowState state1, NodeEx node2, FlowState state2, boolean preservesValue, Typ t,
+      LocalCc lcc
     ) {
       localFlowBigStep(node1, state1, node2, state2, preservesValue, t, lcc) and
       PrevStage::revFlow(node1, pragma[only_bind_into](state1), _) and
@@ -2609,9 +2634,9 @@ module Impl<FullStateConfigSig Config> {
       )
     }
 
-    bindingset[node, state, t, ap]
-    predicate filter(NodeEx node, FlowState state, Typ t, Ap ap) {
-      (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any()) and
+    bindingset[node, state, t0, ap]
+    predicate filter(NodeEx node, FlowState state, Typ t0, Ap ap, Typ t) {
+      strengthenType(node, t0, t) and
       exists(state) and
       exists(ap)
     }
@@ -2632,7 +2657,7 @@ module Impl<FullStateConfigSig Config> {
       Stage5::parameterMayFlowThrough(p, _) and
       Stage5::revFlow(n, state, TReturnCtxMaybeFlowThrough(_), _, apa0) and
       Stage5::fwdFlow(n, state, any(CallContextCall ccc), TParamNodeSome(p.asNode()), _,
-        TAccessPathApproxSome(apa), _, apa0)
+        TAccessPathApproxSome(apa), _, apa0, _)
     )
   }
 
@@ -2649,7 +2674,7 @@ module Impl<FullStateConfigSig Config> {
     TSummaryCtxSome(ParamNodeEx p, FlowState state, DataFlowType t, AccessPath ap) {
       exists(AccessPathApprox apa | ap.getApprox() = apa |
         Stage5::parameterMayFlowThrough(p, apa) and
-        Stage5::fwdFlow(p, state, _, _, _, _, t, apa) and
+        Stage5::fwdFlow(p, state, _, _, Option<DataFlowType>::some(t), _, _, apa, _) and
         Stage5::revFlow(p, state, _)
       )
     }
@@ -2820,9 +2845,7 @@ module Impl<FullStateConfigSig Config> {
       ap = TAccessPathNil()
       or
       // ... or a step from an existing PathNode to another node.
-      pathStep(_, node, state, cc, sc, t, ap) and
-      Stage5::revFlow(node, state, ap.getApprox()) and
-      (if castingNodeEx(node) then compatibleTypes(node.getDataFlowType(), t) else any())
+      pathStep(_, node, state, cc, sc, t, ap)
     } or
     TPathNodeSink(NodeEx node, FlowState state) {
       exists(PathNodeMid sink |
@@ -3340,13 +3363,24 @@ module Impl<FullStateConfigSig Config> {
     ap = mid.getAp()
   }
 
+  private predicate pathStep(
+    PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t,
+    AccessPath ap
+  ) {
+    exists(DataFlowType t0 |
+      pathStep0(mid, node, state, cc, sc, t0, ap) and
+      Stage5::revFlow(node, state, ap.getApprox()) and
+      strengthenType(node, t0, t)
+    )
+  }
+
   /**
    * Holds if data may flow from `mid` to `node`. The last step in or out of
    * a callable is recorded by `cc`.
    */
   pragma[assume_small_delta]
   pragma[nomagic]
-  private predicate pathStep(
+  private predicate pathStep0(
     PathNodeMid mid, NodeEx node, FlowState state, CallContext cc, SummaryCtx sc, DataFlowType t,
     AccessPath ap
   ) {
@@ -3964,7 +3998,7 @@ module Impl<FullStateConfigSig Config> {
         ap = TPartialNil() and
         exists(explorationLimit())
         or
-        partialPathNodeMk0(node, state, cc, sc1, sc2, sc3, sc4, t, ap) and
+        partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and
         distSrc(node.getEnclosingCallable()) <= explorationLimit()
       } or
       TPartialPathNodeRev(
@@ -3990,11 +4024,20 @@ module Impl<FullStateConfigSig Config> {
       }
 
     pragma[nomagic]
-    private predicate partialPathNodeMk0(
-      NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
-      TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap
+    private predicate partialPathStep(
+      PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1,
+      TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap
     ) {
-      partialPathStep(_, node, state, cc, sc1, sc2, sc3, sc4, t, ap) and
+      partialPathStep1(mid, node, state, cc, sc1, sc2, sc3, sc4, _, t, ap)
+    }
+
+    pragma[nomagic]
+    private predicate partialPathStep1(
+      PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1,
+      TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t0, DataFlowType t,
+      PartialAccessPath ap
+    ) {
+      partialPathStep0(mid, node, state, cc, sc1, sc2, sc3, sc4, t0, ap) and
       not fullBarrier(node) and
       not stateBarrier(node, state) and
       not clearsContentEx(node, ap.getHead()) and
@@ -4002,9 +4045,14 @@ module Impl<FullStateConfigSig Config> {
         notExpectsContent(node) or
         expectsContentEx(node, ap.getHead())
       ) and
-      if node.asNode() instanceof CastingNode
-      then compatibleTypes(node.getDataFlowType(), t)
-      else any()
+      strengthenType(node, t0, t)
+    }
+
+    pragma[nomagic]
+    private predicate partialPathTypeStrengthen(
+      DataFlowType t0, PartialAccessPath ap, DataFlowType t
+    ) {
+      partialPathStep1(_, _, _, _, _, _, _, _, t0, t, ap) and t0 != t
     }
 
     /**
@@ -4183,7 +4231,8 @@ module Impl<FullStateConfigSig Config> {
       }
     }
 
-    private predicate partialPathStep(
+    pragma[nomagic]
+    private predicate partialPathStep0(
       PartialPathNodeFwd mid, NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1,
       TSummaryCtx2 sc2, TSummaryCtx3 sc3, TSummaryCtx4 sc4, DataFlowType t, PartialAccessPath ap
     ) {
@@ -4309,6 +4358,11 @@ module Impl<FullStateConfigSig Config> {
       DataFlowType t1, PartialAccessPath ap1, Content c, DataFlowType t2, PartialAccessPath ap2
     ) {
       partialPathStoreStep(_, t1, ap1, c, _, t2, ap2)
+      or
+      exists(DataFlowType t0 |
+        partialPathTypeStrengthen(t0, ap2, t2) and
+        apConsFwd(t1, ap1, c, t0, ap2)
+      )
     }
 
     pragma[nomagic]

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -176,7 +176,7 @@ predicate expectsContent(Node n, ContentSet c) {
  * possible flow. A single type is used for all numeric types to account for
  * numeric conversions, and otherwise the erasure is used.
  */
-DataFlowType getErasedRepr(Type t) {
+RefType getErasedRepr(Type t) {
   exists(Type e | e = t.getErasure() |
     if e instanceof NumericOrCharType
     then result.(BoxedType).getPrimitiveType().getName() = "double"
@@ -189,6 +189,13 @@ DataFlowType getErasedRepr(Type t) {
   t instanceof NullType and result instanceof TypeObject
 }
 
+class DataFlowType extends SrcRefType {
+  DataFlowType() { this = getErasedRepr(_) }
+}
+
+pragma[nomagic]
+predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { t1.getASourceSupertype+() = t2 }
+
 pragma[noinline]
 DataFlowType getNodeType(Node n) {
   result = getErasedRepr(n.getTypeBound())
@@ -259,8 +266,6 @@ class DataFlowCallable extends TDataFlowCallable {
 
 class DataFlowExpr = Expr;
 
-class DataFlowType = RefType;
-
 private newtype TDataFlowCall =
   TCall(Call c) or
   TSummaryCall(SummarizedCallable c, Node receiver) {

java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll

@@ -456,9 +456,6 @@ class ArbitraryXmlEntryPoint extends ReflectivelyConstructedClass {
   }
 }
 
-/** DEPRECATED: Alias for ArbitraryXmlEntryPoint */
-deprecated class ArbitraryXMLEntryPoint = ArbitraryXmlEntryPoint;
-
 /** A Selenium PageObject, created by a call to PageFactory.initElements(..). */
 class SeleniumPageObjectEntryPoint extends ReflectivelyConstructedClass instanceof SeleniumPageObject
 { }

java/ql/lib/semmle/code/java/frameworks/Networking.qll

@@ -38,9 +38,6 @@ class UrlConnectionGetInputStreamMethod extends Method {
   }
 }
 
-/** DEPRECATED: Alias for UrlConnectionGetInputStreamMethod */
-deprecated class URLConnectionGetInputStreamMethod = UrlConnectionGetInputStreamMethod;
-
 /** The method `java.net.Socket::getInputStream`. */
 class SocketGetInputStreamMethod extends Method {
   SocketGetInputStreamMethod() {

java/ql/lib/semmle/code/java/frameworks/Servlets.qll

@@ -128,9 +128,6 @@ class HttpServletRequestGetRequestUrlMethod extends Method {
   }
 }
 
-/** DEPRECATED: Alias for HttpServletRequestGetRequestUrlMethod */
-deprecated class HttpServletRequestGetRequestURLMethod = HttpServletRequestGetRequestUrlMethod;
-
 /**
  * The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`.
  */
@@ -339,9 +336,6 @@ class ServletWebXmlListenerType extends RefType {
   }
 }
 
-/** DEPRECATED: Alias for ServletWebXmlListenerType */
-deprecated class ServletWebXMLListenerType = ServletWebXmlListenerType;
-
 /** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
 predicate isServletRequestMethod(Method m) {
   m.getDeclaringType() instanceof ServletClass and

java/ql/lib/semmle/code/java/frameworks/UnboundId.qll

@@ -29,9 +29,6 @@ class TypeUnboundIdLdapConnection extends Class {
   }
 }
 
-/** DEPRECATED: Alias for TypeUnboundIdLdapConnection */
-deprecated class TypeUnboundIdLDAPConnection = TypeUnboundIdLdapConnection;
-
 /*--- Methods ---*/
 /** A method with the name `setBaseDN` declared in `com.unboundid.ldap.sdk.SearchRequest`. */
 class MethodUnboundIdSearchRequestSetBaseDN extends Method {
@@ -103,9 +100,6 @@ class MethodUnboundIdLdapConnectionSearch extends Method {
   }
 }
 
-/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearch */
-deprecated class MethodUnboundIdLDAPConnectionSearch = MethodUnboundIdLdapConnectionSearch;
-
 /** A method with the name `asyncSearch` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
 class MethodUnboundIdLdapConnectionAsyncSearch extends Method {
   MethodUnboundIdLdapConnectionAsyncSearch() {
@@ -114,10 +108,6 @@ class MethodUnboundIdLdapConnectionAsyncSearch extends Method {
   }
 }
 
-/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionAsyncSearch */
-deprecated class MethodUnboundIdLDAPConnectionAsyncSearch =
-  MethodUnboundIdLdapConnectionAsyncSearch;
-
 /** A method with the name `searchForEntry` declared in `com.unboundid.ldap.sdk.LDAPConnection`. */
 class MethodUnboundIdLdapConnectionSearchForEntry extends Method {
   MethodUnboundIdLdapConnectionSearchForEntry() {
@@ -125,7 +115,3 @@ class MethodUnboundIdLdapConnectionSearchForEntry extends Method {
     this.hasName("searchForEntry")
   }
 }
-
-/** DEPRECATED: Alias for MethodUnboundIdLdapConnectionSearchForEntry */
-deprecated class MethodUnboundIdLDAPConnectionSearchForEntry =
-  MethodUnboundIdLdapConnectionSearchForEntry;

java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll

@@ -20,9 +20,6 @@ class JacksonJsonIgnoreAnnotation extends NonReflectiveAnnotation {
   }
 }
 
-/** DEPRECATED: Alias for JacksonJsonIgnoreAnnotation */
-deprecated class JacksonJSONIgnoreAnnotation = JacksonJsonIgnoreAnnotation;
-
 /** A type whose values may be serialized using the Jackson JSON framework. */
 abstract class JacksonSerializableType extends Type { }
 

java/ql/lib/semmle/code/java/frameworks/javaee/PersistenceXML.qll

@@ -26,9 +26,6 @@ class PersistenceXmlFile extends XmlFile {
   }
 }
 
-/** DEPRECATED: Alias for PersistenceXmlFile */
-deprecated class PersistenceXMLFile = PersistenceXmlFile;
-
 /** The root `persistence` XML element in a `persistence.xml` file. */
 class PersistenceXmlRoot extends XmlElement {
   PersistenceXmlRoot() {

java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBJarXML.qll

@@ -35,9 +35,6 @@ class EjbJarXmlFile extends XmlFile {
   }
 }
 
-/** DEPRECATED: Alias for EjbJarXmlFile */
-deprecated class EjbJarXMLFile = EjbJarXmlFile;
-
 /** The root `ejb-jar` XML element in an `ejb-jar.xml` file. */
 class EjbJarRootElement extends XmlElement {
   EjbJarRootElement() {

java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFFacesContextXML.qll

@@ -16,9 +16,6 @@ class FacesConfigXmlFile extends XmlFile {
   }
 }
 
-/** DEPRECATED: Alias for FacesConfigXmlFile */
-deprecated class FacesConfigXMLFile = FacesConfigXmlFile;
-
 /**
  * An XML element in a `FacesConfigXMLFile`.
  */
@@ -31,9 +28,6 @@ class FacesConfigXmlElement extends XmlElement {
   string getValue() { result = this.allCharactersString().trim() }
 }
 
-/** DEPRECATED: Alias for FacesConfigXmlElement */
-deprecated class FacesConfigXMLElement = FacesConfigXmlElement;
-
 /**
  * An element in a JSF config file that declares a managed bean.
  */

java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll

@@ -100,9 +100,6 @@ class SpringBeanXmlAutowiredSetterMethod extends Method {
   }
 }
 
-/** DEPRECATED: Alias for SpringBeanXmlAutowiredSetterMethod */
-deprecated class SpringBeanXMLAutowiredSetterMethod = SpringBeanXmlAutowiredSetterMethod;
-
 /**
  * A callable that is annotated with `@Autowired`.
  *

java/ql/lib/semmle/code/java/frameworks/spring/SpringCamel.qll

@@ -13,9 +13,6 @@ class SpringCamelXmlElement extends SpringXmlElement {
   SpringCamelXmlElement() { this.getNamespace().getUri() = "http://camel.apache.org/schema/spring" }
 }
 
-/** DEPRECATED: Alias for SpringCamelXmlElement */
-deprecated class SpringCamelXMLElement = SpringCamelXmlElement;
-
 /**
  * An element in a Spring beans file that defines an Apache Camel context.
  *
@@ -25,9 +22,6 @@ class SpringCamelXmlContext extends SpringCamelXmlElement {
   SpringCamelXmlContext() { this.getName() = "camelContext" }
 }
 
-/** DEPRECATED: Alias for SpringCamelXmlContext */
-deprecated class SpringCamelXMLContext = SpringCamelXmlContext;
-
 /**
  * An element in a Spring beans file that defines an Apache Camel route context.
  *
@@ -38,9 +32,6 @@ class SpringCamelXmlRouteContext extends SpringCamelXmlElement {
   SpringCamelXmlRouteContext() { this.getName() = "routeContext" }
 }
 
-/** DEPRECATED: Alias for SpringCamelXmlRouteContext */
-deprecated class SpringCamelXMLRouteContext = SpringCamelXmlRouteContext;
-
 /**
  * An element in a Spring beans files that defines an Apache Camel route.
  *
@@ -58,9 +49,6 @@ class SpringCamelXmlRoute extends SpringCamelXmlElement {
   }
 }
 
-/** DEPRECATED: Alias for SpringCamelXmlRoute */
-deprecated class SpringCamelXMLRoute = SpringCamelXmlRoute;
-
 /**
  * An element in a Spring bean file that is logically contained in an Apache Camel route.
  */
@@ -71,9 +59,6 @@ class SpringCamelXmlRouteElement extends SpringCamelXmlElement {
   }
 }
 
-/** DEPRECATED: Alias for SpringCamelXmlRouteElement */
-deprecated class SpringCamelXMLRouteElement = SpringCamelXmlRouteElement;
-
 /**
  * A reference to a Spring bean in an Apache Camel route defined in a Spring beans file.
  *
@@ -98,9 +83,6 @@ class SpringCamelXmlBeanRef extends SpringCamelXmlRouteElement {
   RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() }
 }
 
-/** DEPRECATED: Alias for SpringCamelXmlBeanRef */
-deprecated class SpringCamelXMLBeanRef = SpringCamelXmlBeanRef;
-
 /**
  * A declaration of a target in an Apache Camel route defined in a Spring beans file.
  *
@@ -120,9 +102,6 @@ class SpringCamelXmlToElement extends SpringCamelXmlRouteElement {
   deprecated string getURI() { result = this.getUri() }
 }
 
-/** DEPRECATED: Alias for SpringCamelXmlToElement */
-deprecated class SpringCamelXMLToElement = SpringCamelXmlToElement;
-
 /**
  * A declaration of a Apache Camel "method" expression defined in a Spring beans file.
  *
@@ -147,6 +126,3 @@ class SpringCamelXmlMethodElement extends SpringCamelXmlElement {
    */
   RefType getBeanType() { result.getQualifiedName() = this.getAttribute("beanType").getValue() }
 }
-
-/** DEPRECATED: Alias for SpringCamelXmlMethodElement */
-deprecated class SpringCamelXMLMethodElement = SpringCamelXmlMethodElement;

java/ql/lib/semmle/code/java/frameworks/spring/SpringComponentScan.qll

@@ -23,9 +23,6 @@ class SpringXmlComponentScan extends SpringXmlElement {
   string getAProfileExpr() { result = this.getSpringBeanFile().getAProfileExpr() }
 }
 
-/** DEPRECATED: Alias for SpringXmlComponentScan */
-deprecated class SpringXMLComponentScan = SpringXmlComponentScan;
-
 /**
  * An annotation of a class that configures which packages are considered to be "base" packages
  * when performing the Spring component scan.

java/ql/lib/semmle/code/java/frameworks/spring/SpringFlex.qll

@@ -57,11 +57,6 @@ class SpringRemotingDestinationClass extends Class {
    */
   SpringRemotingDestination getRemotingDestinationXml() { this = result.getSpringBean().getClass() }
 
-  /** DEPRECATED: Alias for getRemotingDestinationXml */
-  deprecated SpringRemotingDestination getRemotingDestinationXML() {
-    result = this.getRemotingDestinationXml()
-  }
-
   /**
    * Holds if the class is operating on an "include" or "exclude" basis.
    *

java/ql/lib/semmle/code/java/frameworks/spring/SpringXMLElement.qll

@@ -37,6 +37,3 @@ class SpringXmlElement extends XmlElement {
 
   string getContentString() { result = this.allCharactersString() }
 }
-
-/** DEPRECATED: Alias for SpringXmlElement */
-deprecated class SpringXMLElement = SpringXmlElement;

java/ql/lib/semmle/code/java/frameworks/struts/StrutsConventions.qll

@@ -77,9 +77,6 @@ StrutsXmlFile getRootXmlFile(RefType refType) {
   )
 }
 
-/** DEPRECATED: Alias for getRootXmlFile */
-deprecated StrutsXMLFile getRootXMLFile(RefType refType) { result = getRootXmlFile(refType) }
-
 /**
  * Gets the suffix used for automatically identifying actions when using the convention plugin.
  *

java/ql/lib/semmle/code/java/frameworks/struts/StrutsXML.qll

@@ -5,9 +5,6 @@ import java
  */
 predicate isStrutsXmlIncluded() { exists(StrutsXmlFile strutsXml) }
 
-/** DEPRECATED: Alias for isStrutsXmlIncluded */
-deprecated predicate isStrutsXMLIncluded = isStrutsXmlIncluded/0;
-
 /**
  * A struts 2 configuration file.
  */
@@ -51,9 +48,6 @@ abstract class StrutsXmlFile extends XmlFile {
   }
 }
 
-/** DEPRECATED: Alias for StrutsXmlFile */
-deprecated class StrutsXMLFile = StrutsXmlFile;
-
 /**
  * A Struts 2 "root" configuration XML file directly read by struts.
  *
@@ -66,9 +60,6 @@ class StrutsRootXmlFile extends StrutsXmlFile {
   }
 }
 
-/** DEPRECATED: Alias for StrutsRootXmlFile */
-deprecated class StrutsRootXMLFile = StrutsRootXmlFile;
-
 /**
  * A Struts 2 configuration XML file included, directly or indirectly, by a root Struts configuration.
  */
@@ -76,9 +67,6 @@ class StrutsIncludedXmlFile extends StrutsXmlFile {
   StrutsIncludedXmlFile() { exists(StrutsXmlInclude include | this = include.getIncludedFile()) }
 }
 
-/** DEPRECATED: Alias for StrutsIncludedXmlFile */
-deprecated class StrutsIncludedXMLFile = StrutsIncludedXmlFile;
-
 /**
  * A Folder which has one or more Struts 2 root configurations.
  */
@@ -116,9 +104,6 @@ class StrutsXmlElement extends XmlElement {
   string getValue() { result = this.allCharactersString().trim() }
 }
 
-/** DEPRECATED: Alias for StrutsXmlElement */
-deprecated class StrutsXMLElement = StrutsXmlElement;
-
 /**
  * A `<include>` element within a `struts.xml` file.
  *
@@ -141,9 +126,6 @@ class StrutsXmlInclude extends StrutsXmlElement {
   }
 }
 
-/** DEPRECATED: Alias for StrutsXmlInclude */
-deprecated class StrutsXMLInclude = StrutsXmlInclude;
-
 /**
  * Escape a string for use as the matcher in a string.match(..) call.
  */
@@ -192,9 +174,6 @@ class StrutsXmlAction extends StrutsXmlElement {
   }
 }
 
-/** DEPRECATED: Alias for StrutsXmlAction */
-deprecated class StrutsXMLAction = StrutsXmlAction;
-
 /**
  * A `<constant>` property, representing a configuration parameter to struts.
  */
@@ -205,6 +184,3 @@ class StrutsXmlConstant extends StrutsXmlElement {
 
   string getConstantValue() { result = this.getAttribute("value").getValue() }
 }
-
-/** DEPRECATED: Alias for StrutsXmlConstant */
-deprecated class StrutsXMLConstant = StrutsXmlConstant;

java/ql/lib/semmle/code/java/security/Encryption.qll

@@ -25,9 +25,6 @@ class HttpsUrlConnection extends RefType {
   HttpsUrlConnection() { this.hasQualifiedName("javax.net.ssl", "HttpsURLConnection") }
 }
 
-/** DEPRECATED: Alias for HttpsUrlConnection */
-deprecated class HttpsURLConnection = HttpsUrlConnection;
-
 class SslSocketFactory extends RefType {
   SslSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") }
 }

java/ql/lib/semmle/code/java/security/ExternalAPIs.qll

@@ -12,9 +12,6 @@ import semmle.code.java.dataflow.TaintTracking
  */
 abstract class SafeExternalApiMethod extends Method { }
 
-/** DEPRECATED: Alias for SafeExternalApiMethod */
-deprecated class SafeExternalAPIMethod = SafeExternalApiMethod;
-
 /** The default set of "safe" external APIs. */
 private class DefaultSafeExternalApiMethod extends SafeExternalApiMethod {
   DefaultSafeExternalApiMethod() {
@@ -95,9 +92,6 @@ class ExternalApiDataNode extends DataFlow::Node {
   string getMethodDescription() { result = this.getMethod().getQualifiedName() }
 }
 
-/** DEPRECATED: Alias for ExternalApiDataNode */
-deprecated class ExternalAPIDataNode = ExternalApiDataNode;
-
 /**
  * DEPRECATED: Use `UntrustedDataToExternalApiFlow` instead.
  *
@@ -125,9 +119,6 @@ module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
  */
 module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
 
-/** DEPRECATED: Alias for UntrustedDataToExternalApiConfig */
-deprecated class UntrustedDataToExternalAPIConfig = UntrustedDataToExternalApiConfig;
-
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
   UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
@@ -136,9 +127,6 @@ class UntrustedExternalApiDataNode extends ExternalApiDataNode {
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
 }
 
-/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
-deprecated class UntrustedExternalAPIDataNode = UntrustedExternalApiDataNode;
-
 /** An external API which is used with untrusted data. */
 private newtype TExternalApi =
   /** An untrusted API method `m` where untrusted data is passed at `index`. */
@@ -172,6 +160,3 @@ class ExternalApiUsedWithUntrustedData extends TExternalApi {
     )
   }
 }
-
-/** DEPRECATED: Alias for ExternalApiUsedWithUntrustedData */
-deprecated class ExternalAPIUsedWithUntrustedData = ExternalApiUsedWithUntrustedData;

java/ql/lib/semmle/code/java/security/LogInjection.qll

@@ -46,16 +46,33 @@ private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer {
   }
 }
 
+private predicate stringMethodAccess(
+  MethodAccess ma, CompileTimeConstantExpr arg0, CompileTimeConstantExpr arg1
+) {
+  ma.getMethod().getDeclaringType() instanceof TypeString and
+  arg0 = ma.getArgument(0) and
+  arg1 = ma.getArgument(1)
+}
+
+private predicate stringMethodArgument(CompileTimeConstantExpr arg) {
+  stringMethodAccess(_, arg, _) or stringMethodAccess(_, _, arg)
+}
+
+bindingset[match]
+pragma[inline_late]
+private predicate stringMethodArgumentValueMatches(CompileTimeConstantExpr const, string match) {
+  stringMethodArgument(const) and
+  const.getStringValue().matches(match)
+}
+
 /**
  * Holds if the return value of `ma` is sanitized against log injection attacks
  * by removing line breaks from it.
  */
 private predicate logInjectionSanitizer(MethodAccess ma) {
   exists(CompileTimeConstantExpr target, CompileTimeConstantExpr replacement |
-    ma.getMethod().getDeclaringType() instanceof TypeString and
-    target = ma.getArgument(0) and
-    replacement = ma.getArgument(1) and
-    not replacement.getStringValue().matches(["%\n%", "%\r%"])
+    stringMethodAccess(ma, target, replacement) and
+    not stringMethodArgumentValueMatches(replacement, ["%\n%", "%\r%"])
   |
     ma.getMethod().hasName("replace") and
     not replacement.getIntValue() = [10, 13] and
@@ -68,7 +85,7 @@ private predicate logInjectionSanitizer(MethodAccess ma) {
     (
       // Replace anything not in an allow list
       target.getStringValue().matches("[^%]") and
-      not target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
+      not stringMethodArgumentValueMatches(target, "%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
       or
       // Replace line breaks
       target.getStringValue() = ["\n", "\r", "\\n", "\\r", "\\R"]

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -5,7 +5,6 @@ import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.ExternalFlow
-import semmle.code.java.security.PathCreation
 import semmle.code.java.security.PathSanitizer
 
 /**
@@ -55,11 +54,7 @@ private class TaintPreservingUriCtorParam extends Parameter {
 module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(PathCreation p).getAnInput()
-    or
-    sinkNode(sink, "path-injection")
-  }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer.getType() instanceof BoxedType or
@@ -82,11 +77,7 @@ module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
 module TaintedPathLocalConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(PathCreation p).getAnInput()
-    or
-    sinkNode(sink, "path-injection")
-  }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "path-injection") }
 
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer.getType() instanceof BoxedType or

java/ql/lib/semmle/code/java/security/XmlParsers.qll

@@ -337,9 +337,6 @@ class SaxBuilder extends RefType {
   }
 }
 
-/** DEPRECATED: Alias for SaxBuilder */
-deprecated class SAXBuilder = SaxBuilder;
-
 /**
  * A call to `SAXBuilder.build.`
  */
@@ -359,9 +356,6 @@ class SaxBuilderParse extends XmlParserCall {
   }
 }
 
-/** DEPRECATED: Alias for SaxBuilderParse */
-deprecated class SAXBuilderParse = SaxBuilderParse;
-
 private module SafeSaxBuilderToSaxBuilderParseFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxBuilder }
 
@@ -386,9 +380,6 @@ class SaxBuilderConfig extends ParserConfig {
   }
 }
 
-/** DEPRECATED: Alias for SaxBuilderConfig */
-deprecated class SAXBuilderConfig = SaxBuilderConfig;
-
 /** A safely configured `SaxBuilder`. */
 class SafeSaxBuilder extends VarAccess {
   SafeSaxBuilder() {
@@ -404,9 +395,6 @@ class SafeSaxBuilder extends VarAccess {
   }
 }
 
-/** DEPRECATED: Alias for SafeSaxBuilder */
-deprecated class SafeSAXBuilder = SafeSaxBuilder;
-
 /*
  * The case in
  * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
@@ -420,17 +408,11 @@ class SaxParser extends RefType {
   SaxParser() { this.hasQualifiedName("javax.xml.parsers", "SAXParser") }
 }
 
-/** DEPRECATED: Alias for SaxParser */
-deprecated class SAXParser = SaxParser;
-
 /** The class `javax.xml.parsers.SAXParserFactory`. */
 class SaxParserFactory extends RefType {
   SaxParserFactory() { this.hasQualifiedName("javax.xml.parsers", "SAXParserFactory") }
 }
 
-/** DEPRECATED: Alias for SaxParserFactory */
-deprecated class SAXParserFactory = SaxParserFactory;
-
 /** A call to `SAXParser.parse`. */
 class SaxParserParse extends XmlParserCall {
   SaxParserParse() {
@@ -446,9 +428,6 @@ class SaxParserParse extends XmlParserCall {
   override predicate isSafe() { SafeSaxParserFlow::flowToExpr(this.getQualifier()) }
 }
 
-/** DEPRECATED: Alias for SaxParserParse */
-deprecated class SAXParserParse = SaxParserParse;
-
 /** A `ParserConfig` that is specific to `SaxParserFactory`. */
 class SaxParserFactoryConfig extends ParserConfig {
   SaxParserFactoryConfig() {
@@ -460,9 +439,6 @@ class SaxParserFactoryConfig extends ParserConfig {
   }
 }
 
-/** DEPRECATED: Alias for SaxParserFactoryConfig */
-deprecated class SAXParserFactoryConfig = SaxParserFactoryConfig;
-
 /**
  * A safely configured `SAXParserFactory`.
  */
@@ -496,9 +472,6 @@ class SafeSaxParserFactory extends VarAccess {
   }
 }
 
-/** DEPRECATED: Alias for SafeSaxParserFactory */
-deprecated class SafeSAXParserFactory = SafeSaxParserFactory;
-
 private module SafeSaxParserFactoryToNewSaxParserFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxParserFactory }
 
@@ -540,9 +513,6 @@ class SafeSaxParser extends MethodAccess {
   }
 }
 
-/** DEPRECATED: Alias for SafeSaxParser */
-deprecated class SafeSAXParser = SafeSaxParser;
-
 /* SAXReader: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxreader */
 /**
  * The class `org.dom4j.io.SAXReader`.
@@ -551,9 +521,6 @@ class SaxReader extends RefType {
   SaxReader() { this.hasQualifiedName("org.dom4j.io", "SAXReader") }
 }
 
-/** DEPRECATED: Alias for SaxReader */
-deprecated class SAXReader = SaxReader;
-
 /** A call to `SAXReader.read`. */
 class SaxReaderRead extends XmlParserCall {
   SaxReaderRead() {
@@ -569,9 +536,6 @@ class SaxReaderRead extends XmlParserCall {
   override predicate isSafe() { SafeSaxReaderFlow::flowToExpr(this.getQualifier()) }
 }
 
-/** DEPRECATED: Alias for SaxReaderRead */
-deprecated class SAXReaderRead = SaxReaderRead;
-
 /** A `ParserConfig` specific to `SaxReader`. */
 class SaxReaderConfig extends ParserConfig {
   SaxReaderConfig() {
@@ -583,9 +547,6 @@ class SaxReaderConfig extends ParserConfig {
   }
 }
 
-/** DEPRECATED: Alias for SaxReaderConfig */
-deprecated class SAXReaderConfig = SaxReaderConfig;
-
 private module SafeSaxReaderFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxReader }
 
@@ -626,9 +587,6 @@ class SafeSaxReader extends VarAccess {
   }
 }
 
-/** DEPRECATED: Alias for SafeSaxReader */
-deprecated class SafeSAXReader = SafeSaxReader;
-
 /* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlreader */
 /** The class `org.xml.sax.XMLReader`. */
 class XmlReader extends RefType {
@@ -640,9 +598,6 @@ class InputSource extends Class {
   InputSource() { this.hasQualifiedName("org.xml.sax", "InputSource") }
 }
 
-/** DEPRECATED: Alias for XmlReader */
-deprecated class XMLReader = XmlReader;
-
 /** A call to `XMLReader.read`. */
 class XmlReaderParse extends XmlParserCall {
   XmlReaderParse() {
@@ -661,9 +616,6 @@ class XmlReaderParse extends XmlParserCall {
   }
 }
 
-/** DEPRECATED: Alias for XmlReaderParse */
-deprecated class XMLReaderParse = XmlReaderParse;
-
 /** A `ParserConfig` specific to the `XmlReader`. */
 class XmlReaderConfig extends ParserConfig {
   XmlReaderConfig() {
@@ -675,9 +627,6 @@ class XmlReaderConfig extends ParserConfig {
   }
 }
 
-/** DEPRECATED: Alias for XmlReaderConfig */
-deprecated class XMLReaderConfig = XmlReaderConfig;
-
 private module ExplicitlySafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ExplicitlySafeXmlReader }
 
@@ -697,9 +646,6 @@ class SafeXmlReaderFlowSink extends Expr {
   }
 }
 
-/** DEPRECATED: Alias for SafeXmlReaderFlowSink */
-deprecated class SafeXMLReaderFlowSink = SafeXmlReaderFlowSink;
-
 /** An `XmlReader` that is explicitly configured to be safe. */
 class ExplicitlySafeXmlReader extends VarAccess {
   ExplicitlySafeXmlReader() {
@@ -739,9 +685,6 @@ class ExplicitlySafeXmlReader extends VarAccess {
   }
 }
 
-/** DEPRECATED: Alias for ExplicitlySafeXmlReader */
-deprecated class ExplicitlySafeXMLReader = ExplicitlySafeXmlReader;
-
 private module CreatedSafeXmlReaderFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof CreatedSafeXmlReader }
 
@@ -778,9 +721,6 @@ class CreatedSafeXmlReader extends Call {
   }
 }
 
-/** DEPRECATED: Alias for CreatedSafeXmlReader */
-deprecated class CreatedSafeXMLReader = CreatedSafeXmlReader;
-
 /*
  * SAXSource in
  * https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller
@@ -791,9 +731,6 @@ class SaxSource extends RefType {
   SaxSource() { this.hasQualifiedName("javax.xml.transform.sax", "SAXSource") }
 }
 
-/** DEPRECATED: Alias for SaxSource */
-deprecated class SAXSource = SaxSource;
-
 /** A call to the constructor of `SAXSource` with `XmlReader` and `InputSource`. */
 class ConstructedSaxSource extends ClassInstanceExpr {
   ConstructedSaxSource() {
@@ -814,9 +751,6 @@ class ConstructedSaxSource extends ClassInstanceExpr {
   }
 }
 
-/** DEPRECATED: Alias for ConstructedSaxSource */
-deprecated class ConstructedSAXSource = ConstructedSaxSource;
-
 /** A call to the `SAXSource.setXMLReader` method. */
 class SaxSourceSetReader extends MethodAccess {
   SaxSourceSetReader() {
@@ -828,9 +762,6 @@ class SaxSourceSetReader extends MethodAccess {
   }
 }
 
-/** DEPRECATED: Alias for SaxSourceSetReader */
-deprecated class SAXSourceSetReader = SaxSourceSetReader;
-
 /** A `SaxSource` that is safe to use. */
 class SafeSaxSource extends Expr {
   SafeSaxSource() {
@@ -847,9 +778,6 @@ class SafeSaxSource extends Expr {
   }
 }
 
-/** DEPRECATED: Alias for SafeSaxSource */
-deprecated class SafeSAXSource = SafeSaxSource;
-
 /* Transformer: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#transformerfactory */
 /** An access to a method use for configuring a transformer or schema. */
 abstract class TransformerConfig extends MethodAccess {
@@ -1063,9 +991,6 @@ class SaxTransformerFactoryNewXmlFilter extends XmlParserCall {
   override predicate isSafe() { SafeTransformerFactoryFlow::flowToExpr(this.getQualifier()) }
 }
 
-/** DEPRECATED: Alias for SaxTransformerFactoryNewXmlFilter */
-deprecated class SAXTransformerFactoryNewXMLFilter = SaxTransformerFactoryNewXmlFilter;
-
 /* Schema: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory */
 /** The class `javax.xml.validation.SchemaFactory`. */
 class SchemaFactory extends RefType {
@@ -1197,9 +1122,6 @@ class SimpleXmlPersisterCall extends XmlParserCall {
   override predicate isSafe() { none() }
 }
 
-/** DEPRECATED: Alias for SimpleXmlPersisterCall */
-deprecated class SimpleXMLPersisterCall = SimpleXmlPersisterCall;
-
 /** A call to `provide` in `Provider`. */
 class SimpleXmlProviderCall extends XmlParserCall {
   SimpleXmlProviderCall() {
@@ -1218,9 +1140,6 @@ class SimpleXmlProviderCall extends XmlParserCall {
   override predicate isSafe() { none() }
 }
 
-/** DEPRECATED: Alias for SimpleXmlProviderCall */
-deprecated class SimpleXMLProviderCall = SimpleXmlProviderCall;
-
 /** A call to `read` in `NodeBuilder`. */
 class SimpleXmlNodeBuilderCall extends XmlParserCall {
   SimpleXmlNodeBuilderCall() {
@@ -1236,9 +1155,6 @@ class SimpleXmlNodeBuilderCall extends XmlParserCall {
   override predicate isSafe() { none() }
 }
 
-/** DEPRECATED: Alias for SimpleXmlNodeBuilderCall */
-deprecated class SimpleXMLNodeBuilderCall = SimpleXmlNodeBuilderCall;
-
 /** A call to the `format` method of the `Formatter`. */
 class SimpleXmlFormatterCall extends XmlParserCall {
   SimpleXmlFormatterCall() {
@@ -1254,9 +1170,6 @@ class SimpleXmlFormatterCall extends XmlParserCall {
   override predicate isSafe() { none() }
 }
 
-/** DEPRECATED: Alias for SimpleXmlFormatterCall */
-deprecated class SimpleXMLFormatterCall = SimpleXmlFormatterCall;
-
 /** A configuration for secure processing. */
 Expr configSecureProcessing() {
   result.(ConstantStringExpr).getStringValue() =

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -4,6 +4,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.security.PathCreation
 
 /**
  * A method that returns the name of an archive entry.
@@ -40,5 +41,28 @@ module ZipSlipFlow = TaintTracking::Global<ZipSlipConfig>;
  * A sink that represents a file creation, such as a file write, copy or move operation.
  */
 private class FileCreationSink extends DataFlow::Node {
-  FileCreationSink() { sinkNode(this, "path-injection") }
+  FileCreationSink() {
+    sinkNode(this, "path-injection") and
+    not isPathCreation(this)
+  }
+}
+
+/**
+ * Holds if `sink` is a path creation node that doesn't imply a read/write filesystem operation.
+ * This is to avoid creating new spurious alerts, since `PathCreation` sinks weren't
+ * previously part of this query.
+ */
+private predicate isPathCreation(DataFlow::Node sink) {
+  exists(PathCreation pc |
+    pc.getAnInput() = sink.asExpr()
+    or
+    pc.getAnInput().(Argument).isVararg() and sink.(DataFlow::ImplicitVarargsArray).getCall() = pc
+  |
+    // exclude actual read/write operations included in `PathCreation`
+    not pc.(Call)
+        .getCallee()
+        .getDeclaringType()
+        .hasQualifiedName("java.io",
+          ["FileInputStream", "FileOutputStream", "FileReader", "FileWriter"])
+  )
 }

java/ql/lib/semmle/code/xml/WebXML.qll

@@ -5,9 +5,6 @@ import java
  */
 predicate isWebXmlIncluded() { exists(WebXmlFile webXml) }
 
-/** DEPRECATED: Alias for isWebXmlIncluded */
-deprecated predicate isWebXMLIncluded = isWebXmlIncluded/0;
-
 /**
  * A deployment descriptor file, typically called `web.xml`.
  */
@@ -31,9 +28,6 @@ class WebXmlFile extends XmlFile {
   }
 }
 
-/** DEPRECATED: Alias for WebXmlFile */
-deprecated class WebXMLFile = WebXmlFile;
-
 /**
  * An XML element in a `WebXMLFile`.
  */
@@ -46,9 +40,6 @@ class WebXmlElement extends XmlElement {
   string getValue() { result = this.allCharactersString().trim() }
 }
 
-/** DEPRECATED: Alias for WebXmlElement */
-deprecated class WebXMLElement = WebXmlElement;
-
 /**
  * A `<context-param>` element in a `web.xml` file.
  */

java/ql/src/Metrics/Summaries/LinesOfCode.ql

@@ -1,8 +1,8 @@
 /**
  * @id java/summary/lines-of-code
  * @name Total lines of Java code in the database
- * @description The total number of lines of code across all files. This is a useful metric of the size of a database.
- *              For all files that were seen during the build, this query counts the lines of code, excluding whitespace
+ * @description The total number of lines of code across all Java files. This is a useful metric of the size of a database.
+ *              For all Java files that were seen during the build, this query counts the lines of code, excluding whitespace
  *              or comments.
  * @kind metric
  * @tags summary
@@ -11,4 +11,4 @@
 
 import java
 
-select sum(CompilationUnit f | f.fromSource() | f.getNumberOfLinesOfCode())
+select sum(CompilationUnit f | f.fromSource() and f.isJavaSourceFile() | f.getNumberOfLinesOfCode())

java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql

@@ -0,0 +1,18 @@
+/**
+ * @id java/summary/lines-of-code-kotlin
+ * @name Total lines of Kotlin code in the database
+ * @description The total number of lines of code across all Kotlin files. This is a useful metric of the size of a database.
+ *              For all Kotlin files that were seen during the build, this query counts the lines of code, excluding whitespace
+ *              or comments.
+ * @kind metric
+ * @tags summary
+ *       lines-of-code
+ */
+
+import java
+
+select sum(CompilationUnit f |
+    f.fromSource() and f.isKotlinSourceFile()
+  |
+    f.getNumberOfLinesOfCode()
+  )

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -14,6 +14,7 @@
  */
 
 import java
+import semmle.code.java.security.PathCreation
 import semmle.code.java.security.TaintedPathQuery
 import TaintedPathFlow::PathGraph
 

java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql

@@ -14,6 +14,7 @@
  */
 
 import java
+import semmle.code.java.security.PathCreation
 import semmle.code.java.security.TaintedPathQuery
 import TaintedPathLocalFlow::PathGraph
 

java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql

@@ -128,4 +128,4 @@ where
   not exists(Property p | p.getBackingField() = f)
 select c,
   c.getName() + " exposes the internal representation stored in field " + f.getName() +
-    ". The value may be modified $@.", why.getLocation(), whyText
+    ". The value may be modified $@.", why, whyText

java/ql/src/change-notes/2023-06-05-lines-of-code.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/summary/lines-of-code` query now only counts lines of Java code. The new `java/summary/lines-of-code-kotlin` counts lines of Kotlin code.

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -16,7 +16,6 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.PathCreation
 import JFinalController
 import semmle.code.java.security.PathSanitizer
 import InjectFilePathFlow::PathGraph
@@ -52,7 +51,7 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(PathCreation p).getAnInput() and
+    sinkNode(sink, "path-injection") and
     not sink instanceof NormalizedPathNode
   }
 

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll

@@ -56,9 +56,6 @@ predicate myBatisMapperXmlElementFromMethod(Method method, MyBatisMapperXmlEleme
   )
 }
 
-/** DEPRECATED: Alias for myBatisMapperXmlElementFromMethod */
-deprecated predicate myBatisMapperXMLElementFromMethod = myBatisMapperXmlElementFromMethod/2;
-
 /** Holds if the specified `method` has Ibatis Sql operation annotation `isoa`. */
 predicate myBatisSqlOperationAnnotationFromMethod(Method method, IbatisSqlOperationAnnotation isoa) {
   exists(MyBatisSqlOperationAnnotationMethod msoam |

java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll

@@ -55,10 +55,14 @@ class WebResourceResponseSink extends DataFlow::Node {
 }
 
 /**
- * A value step from the URL argument of `WebView::loadUrl` to the URL parameter of
+ * A taint step from the URL argument of `WebView::loadUrl` to the URL/WebResourceRequest parameter of
  * `WebViewClient::shouldInterceptRequest`.
+ *
+ * TODO: This ought to be a value step when it is targeting the URL parameter,
+ * and it ought to check the parameter type in both cases to ensure that we only
+ * hit the overloads we intend to.
  */
-private class FetchUrlStep extends AdditionalValueStep {
+private class FetchUrlStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
     exists(
       // webview.loadUrl(url) -> webview.setWebViewClient(new WebViewClient() { shouldInterceptRequest(view, url) });

java/ql/src/experimental/semmle/code/xml/StrutsXML.qll

@@ -10,9 +10,6 @@ class StrutsXmlFile extends XmlFile {
   }
 }
 
-/** DEPRECATED: Alias for StrutsXmlFile */
-deprecated class StrutsXMLFile = StrutsXmlFile;
-
 /**
  * An XML element in a `StrutsXMLFile`.
  */
@@ -25,9 +22,6 @@ class StrutsXmlElement extends XmlElement {
   string getValue() { result = this.allCharactersString().trim() }
 }
 
-/** DEPRECATED: Alias for StrutsXmlElement */
-deprecated class StrutsXMLElement = StrutsXmlElement;
-
 /**
  * A `<constant>` element in a `StrutsXMLFile`.
  */

java/ql/src/semmle/code/xml/MyBatisMapperXML.qll

@@ -14,9 +14,6 @@ class MyBatisMapperXmlFile extends XmlFile {
   }
 }
 
-/** DEPRECATED: Alias for MyBatisMapperXmlFile */
-deprecated class MyBatisMapperXMLFile = MyBatisMapperXmlFile;
-
 /**
  * An XML element in a `MyBatisMapperXMLFile`.
  */
@@ -36,9 +33,6 @@ class MyBatisMapperXmlElement extends XmlElement {
   }
 }
 
-/** DEPRECATED: Alias for MyBatisMapperXmlElement */
-deprecated class MyBatisMapperXMLElement = MyBatisMapperXmlElement;
-
 /**
  * An MyBatis Mapper sql operation element.
  */

java/ql/test/TestUtilities/InlineFlowTest.qll

@@ -7,7 +7,7 @@
  * import TestUtilities.InlineFlowTest
  * ```
  *
- * To declare expecations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files.
+ * To declare expectations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files.
  * Example of the corresponding test file, e.g. Test.java
  * ```java
  * public class Test {

java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.expected

@@ -2075,28 +2075,28 @@ edges
 | Log4jJndiInjectionTest.java:1085:39:1085:46 | source(...) : String | Log4jJndiInjectionTest.java:1085:25:1085:46 | (...)... |
 | Log4jJndiInjectionTest.java:1088:47:1088:54 | source(...) : String | Log4jJndiInjectionTest.java:1088:38:1088:54 | (...)... |
 | Log4jJndiInjectionTest.java:1089:53:1089:60 | source(...) : String | Log4jJndiInjectionTest.java:1089:44:1089:60 | (...)... |
-| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1092:34:1092:36 | map |
-| Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1092:34:1092:36 | map |
+| Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [<map.value>] : String |
 | Log4jJndiInjectionTest.java:1091:37:1091:44 | source(...) : String | Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String |
-| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg |
-| Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage |
+| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg |
+| Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage |
 | Log4jJndiInjectionTest.java:1095:80:1095:87 | source(...) : String | Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String |
-| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg |
-| Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage |
+| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg |
+| Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage |
 | Log4jJndiInjectionTest.java:1100:44:1100:51 | source(...) : String | Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String |
-| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg |
-| Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage |
+| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg |
+| Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage |
 | Log4jJndiInjectionTest.java:1105:43:1105:50 | source(...) : String | Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String |
-| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [<map.value>] : String |
-| Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [<map.value>] : String |
 | Log4jJndiInjectionTest.java:1111:42:1111:49 | source(...) : String | Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String |
-| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg |
-| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage |
+| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg |
+| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage |
 | Log4jJndiInjectionTest.java:1116:61:1116:68 | source(...) : String | Log4jJndiInjectionTest.java:1116:52:1116:68 | (...)... |
 | Log4jJndiInjectionTest.java:1117:81:1117:88 | source(...) : String | Log4jJndiInjectionTest.java:1117:72:1117:88 | (...)... |
-| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1120:43:1120:45 | map |
-| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String | Log4jJndiInjectionTest.java:1121:63:1121:65 | map |
-| Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1120:43:1120:45 | map |
+| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String | Log4jJndiInjectionTest.java:1121:63:1121:65 | map |
+| Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String |
 | Log4jJndiInjectionTest.java:1119:42:1119:49 | source(...) : String | Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String |
 nodes
 | Log4jJndiInjectionTest.java:24:16:24:45 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -4168,33 +4168,33 @@ nodes
 | Log4jJndiInjectionTest.java:1088:47:1088:54 | source(...) : String | semmle.label | source(...) : String |
 | Log4jJndiInjectionTest.java:1089:44:1089:60 | (...)... | semmle.label | (...)... |
 | Log4jJndiInjectionTest.java:1089:53:1089:60 | source(...) : String | semmle.label | source(...) : String |
-| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : Map [<map.value>] : String | semmle.label | map [post update] : Map [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1091:13:1091:15 | map [post update] : HashMap [<map.value>] : String | semmle.label | map [post update] : HashMap [<map.value>] : String |
 | Log4jJndiInjectionTest.java:1091:28:1091:44 | (...)... : String | semmle.label | (...)... : String |
 | Log4jJndiInjectionTest.java:1091:37:1091:44 | source(...) : String | semmle.label | source(...) : String |
 | Log4jJndiInjectionTest.java:1092:34:1092:36 | map | semmle.label | map |
-| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : MapMessage | semmle.label | with(...) : MapMessage |
+| Log4jJndiInjectionTest.java:1095:31:1095:88 | with(...) : StringMapMessage | semmle.label | with(...) : StringMapMessage |
 | Log4jJndiInjectionTest.java:1095:71:1095:87 | (...)... : String | semmle.label | (...)... : String |
 | Log4jJndiInjectionTest.java:1095:80:1095:87 | source(...) : String | semmle.label | source(...) : String |
 | Log4jJndiInjectionTest.java:1096:26:1096:29 | mmsg | semmle.label | mmsg |
-| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage |
+| Log4jJndiInjectionTest.java:1100:13:1100:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage |
 | Log4jJndiInjectionTest.java:1100:35:1100:51 | (...)... : String | semmle.label | (...)... : String |
 | Log4jJndiInjectionTest.java:1100:44:1100:51 | source(...) : String | semmle.label | source(...) : String |
 | Log4jJndiInjectionTest.java:1101:26:1101:29 | mmsg | semmle.label | mmsg |
-| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage |
+| Log4jJndiInjectionTest.java:1105:13:1105:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage |
 | Log4jJndiInjectionTest.java:1105:34:1105:50 | (...)... : String | semmle.label | (...)... : String |
 | Log4jJndiInjectionTest.java:1105:43:1105:50 | source(...) : String | semmle.label | source(...) : String |
 | Log4jJndiInjectionTest.java:1106:26:1106:29 | mmsg | semmle.label | mmsg |
-| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : Map [<map.value>] : String | semmle.label | map [post update] : Map [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1111:13:1111:15 | map [post update] : HashMap [<map.value>] : String | semmle.label | map [post update] : HashMap [<map.value>] : String |
 | Log4jJndiInjectionTest.java:1111:33:1111:49 | (...)... : String | semmle.label | (...)... : String |
 | Log4jJndiInjectionTest.java:1111:42:1111:49 | source(...) : String | semmle.label | source(...) : String |
-| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : MapMessage | semmle.label | mmsg [post update] : MapMessage |
-| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : Map [<map.value>] : String | semmle.label | map : Map [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1112:13:1112:16 | mmsg [post update] : StringMapMessage | semmle.label | mmsg [post update] : StringMapMessage |
+| Log4jJndiInjectionTest.java:1112:25:1112:27 | map : HashMap [<map.value>] : String | semmle.label | map : HashMap [<map.value>] : String |
 | Log4jJndiInjectionTest.java:1113:26:1113:29 | mmsg | semmle.label | mmsg |
 | Log4jJndiInjectionTest.java:1116:52:1116:68 | (...)... | semmle.label | (...)... |
 | Log4jJndiInjectionTest.java:1116:61:1116:68 | source(...) : String | semmle.label | source(...) : String |
 | Log4jJndiInjectionTest.java:1117:72:1117:88 | (...)... | semmle.label | (...)... |
 | Log4jJndiInjectionTest.java:1117:81:1117:88 | source(...) : String | semmle.label | source(...) : String |
-| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : Map [<map.value>] : String | semmle.label | map [post update] : Map [<map.value>] : String |
+| Log4jJndiInjectionTest.java:1119:13:1119:15 | map [post update] : HashMap [<map.value>] : String | semmle.label | map [post update] : HashMap [<map.value>] : String |
 | Log4jJndiInjectionTest.java:1119:33:1119:49 | (...)... : String | semmle.label | (...)... : String |
 | Log4jJndiInjectionTest.java:1119:42:1119:49 | source(...) : String | semmle.label | source(...) : String |
 | Log4jJndiInjectionTest.java:1120:43:1120:45 | map | semmle.label | map |

java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.expected

@@ -2,7 +2,12 @@ edges
 | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath |
 | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath |
 | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath |
+| FilePathInjection.java:177:50:177:58 | file : File | FilePathInjection.java:182:30:182:33 | file |
 | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath |
+| FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath : String |
+| FilePathInjection.java:209:15:209:32 | new File(...) : File | FilePathInjection.java:217:19:217:22 | file : File |
+| FilePathInjection.java:209:24:209:31 | filePath : String | FilePathInjection.java:209:15:209:32 | new File(...) : File |
+| FilePathInjection.java:217:19:217:22 | file : File | FilePathInjection.java:177:50:177:58 | file : File |
 nodes
 | FilePathInjection.java:21:21:21:34 | getPara(...) : String | semmle.label | getPara(...) : String |
 | FilePathInjection.java:26:47:26:59 | finalFilePath | semmle.label | finalFilePath |
@@ -10,11 +15,17 @@ nodes
 | FilePathInjection.java:72:47:72:59 | finalFilePath | semmle.label | finalFilePath |
 | FilePathInjection.java:87:21:87:34 | getPara(...) : String | semmle.label | getPara(...) : String |
 | FilePathInjection.java:95:47:95:59 | finalFilePath | semmle.label | finalFilePath |
+| FilePathInjection.java:177:50:177:58 | file : File | semmle.label | file : File |
+| FilePathInjection.java:182:30:182:33 | file | semmle.label | file |
 | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| FilePathInjection.java:209:15:209:32 | new File(...) : File | semmle.label | new File(...) : File |
 | FilePathInjection.java:209:24:209:31 | filePath | semmle.label | filePath |
+| FilePathInjection.java:209:24:209:31 | filePath : String | semmle.label | filePath : String |
+| FilePathInjection.java:217:19:217:22 | file : File | semmle.label | file : File |
 subpaths
 #select
 | FilePathInjection.java:26:47:26:59 | finalFilePath | FilePathInjection.java:21:21:21:34 | getPara(...) : String | FilePathInjection.java:26:47:26:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:21:21:21:34 | getPara(...) | user-provided value |
 | FilePathInjection.java:72:47:72:59 | finalFilePath | FilePathInjection.java:64:21:64:34 | getPara(...) : String | FilePathInjection.java:72:47:72:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:64:21:64:34 | getPara(...) | user-provided value |
 | FilePathInjection.java:95:47:95:59 | finalFilePath | FilePathInjection.java:87:21:87:34 | getPara(...) : String | FilePathInjection.java:95:47:95:59 | finalFilePath | External control of file name or path due to $@. | FilePathInjection.java:87:21:87:34 | getPara(...) | user-provided value |
+| FilePathInjection.java:182:30:182:33 | file | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:182:30:182:33 | file | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |
 | FilePathInjection.java:209:24:209:31 | filePath | FilePathInjection.java:205:17:205:44 | getParameter(...) : String | FilePathInjection.java:209:24:209:31 | filePath | External control of file name or path due to $@. | FilePathInjection.java:205:17:205:44 | getParameter(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.expected

@@ -1,152 +1,152 @@
 edges
-| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object |
-| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object | InsecureWebResourceResponse.java:59:34:59:43 | url : Object |
-| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object | InsecureWebResourceResponse.java:80:34:80:43 | url : Object |
-| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object | InsecureWebResourceResponse.java:106:34:106:43 | url : Object |
-| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object | InsecureWebResourceResponse.java:131:36:131:45 | url : Object |
-| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object | InsecureWebResourceResponse.java:156:35:156:44 | url : Object |
-| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object | InsecureWebResourceResponse.java:181:34:181:43 | url : Object |
-| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object | InsecureWebResourceResponse.java:188:34:188:43 | url : Object |
-| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object | InsecureWebResourceResponse.java:217:35:217:44 | url : Object |
-| InsecureWebResourceResponse.java:59:34:59:43 | url : Object | InsecureWebResourceResponse.java:75:20:75:22 | url : Object |
-| InsecureWebResourceResponse.java:63:77:63:86 | url : Object | InsecureWebResourceResponse.java:65:41:65:43 | url : Object |
+| InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String |
+| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | InsecureWebResourceResponse.java:59:34:59:43 | url : String |
+| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | InsecureWebResourceResponse.java:80:34:80:43 | url : String |
+| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | InsecureWebResourceResponse.java:106:34:106:43 | url : String |
+| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String | InsecureWebResourceResponse.java:131:36:131:45 | url : String |
+| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String | InsecureWebResourceResponse.java:156:35:156:44 | url : String |
+| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String | InsecureWebResourceResponse.java:181:34:181:43 | url : String |
+| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String | InsecureWebResourceResponse.java:188:34:188:43 | url : String |
+| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String | InsecureWebResourceResponse.java:217:35:217:44 | url : String |
+| InsecureWebResourceResponse.java:59:34:59:43 | url : String | InsecureWebResourceResponse.java:75:20:75:22 | url : String |
+| InsecureWebResourceResponse.java:63:77:63:86 | url : String | InsecureWebResourceResponse.java:65:41:65:43 | url : String |
 | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri |
-| InsecureWebResourceResponse.java:65:41:65:43 | url : Object | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri |
+| InsecureWebResourceResponse.java:65:41:65:43 | url : String | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri |
 | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:68:71:68:81 | inputStream |
 | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String |
 | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream |
-| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:80:34:80:43 | url : Object | InsecureWebResourceResponse.java:101:20:101:22 | url : Object |
-| InsecureWebResourceResponse.java:84:77:84:86 | url : Object | InsecureWebResourceResponse.java:86:41:86:43 | url : Object |
+| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:75:20:75:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:80:34:80:43 | url : String | InsecureWebResourceResponse.java:101:20:101:22 | url : String |
+| InsecureWebResourceResponse.java:84:77:84:86 | url : String | InsecureWebResourceResponse.java:86:41:86:43 | url : String |
 | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri |
-| InsecureWebResourceResponse.java:86:41:86:43 | url : Object | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri |
+| InsecureWebResourceResponse.java:86:41:86:43 | url : String | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri |
 | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File |
 | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String |
 | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File |
 | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:91:75:91:85 | inputStream |
 | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream |
-| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:106:34:106:43 | url : Object | InsecureWebResourceResponse.java:127:20:127:22 | url : Object |
-| InsecureWebResourceResponse.java:110:77:110:86 | url : Object | InsecureWebResourceResponse.java:112:41:112:43 | url : Object |
+| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:101:20:101:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:106:34:106:43 | url : String | InsecureWebResourceResponse.java:127:20:127:22 | url : String |
+| InsecureWebResourceResponse.java:110:77:110:86 | url : String | InsecureWebResourceResponse.java:112:41:112:43 | url : String |
 | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri |
-| InsecureWebResourceResponse.java:112:41:112:43 | url : Object | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri |
+| InsecureWebResourceResponse.java:112:41:112:43 | url : String | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri |
 | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String |
 | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String |
 | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | InsecureWebResourceResponse.java:115:75:115:78 | path : String |
 | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:117:75:117:85 | inputStream |
 | InsecureWebResourceResponse.java:115:75:115:78 | path : String | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String |
 | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | InsecureWebResourceResponse.java:115:55:115:108 | new FileInputStream(...) : FileInputStream |
-| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:131:36:131:45 | url : Object | InsecureWebResourceResponse.java:152:20:152:22 | url : Object |
-| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:156:35:156:44 | url : Object | InsecureWebResourceResponse.java:177:20:177:22 | url : Object |
-| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:181:34:181:43 | url : Object | InsecureWebResourceResponse.java:184:20:184:22 | url : Object |
-| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:188:34:188:43 | url : Object | InsecureWebResourceResponse.java:209:20:209:22 | url : Object |
-| InsecureWebResourceResponse.java:192:77:192:102 | request : Object | InsecureWebResourceResponse.java:194:31:194:37 | request : Object |
-| InsecureWebResourceResponse.java:194:31:194:37 | request : Object | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri |
+| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:127:20:127:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:131:36:131:45 | url : String | InsecureWebResourceResponse.java:152:20:152:22 | url : String |
+| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:152:20:152:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:156:35:156:44 | url : String | InsecureWebResourceResponse.java:177:20:177:22 | url : String |
+| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:177:20:177:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:181:34:181:43 | url : String | InsecureWebResourceResponse.java:184:20:184:22 | url : String |
+| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:184:20:184:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:188:34:188:43 | url : String | InsecureWebResourceResponse.java:209:20:209:22 | url : String |
+| InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri |
 | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri |
 | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File |
 | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String |
 | InsecureWebResourceResponse.java:196:66:196:89 | getLastPathSegment(...) : String | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File |
 | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:199:75:199:85 | inputStream |
 | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream |
-| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:217:35:217:44 | url : Object | InsecureWebResourceResponse.java:226:20:226:22 | url : Object |
-| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:63:77:63:86 | url : Object |
-| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:84:77:84:86 | url : Object |
-| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:110:77:110:86 | url : Object |
-| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:192:77:192:102 | request : Object |
-| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | InsecureWebResourceResponse.java:232:69:232:78 | url : Object |
-| InsecureWebResourceResponse.java:232:69:232:78 | url : Object | InsecureWebResourceResponse.java:234:33:234:35 | url : Object |
+| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:209:20:209:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:217:35:217:44 | url : String | InsecureWebResourceResponse.java:226:20:226:22 | url : String |
+| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:63:77:63:86 | url : String |
+| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:84:77:84:86 | url : String |
+| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:110:77:110:86 | url : String |
+| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:226:20:226:22 | url : String | InsecureWebResourceResponse.java:232:69:232:78 | url : String |
+| InsecureWebResourceResponse.java:232:69:232:78 | url : String | InsecureWebResourceResponse.java:234:33:234:35 | url : String |
 | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri |
-| InsecureWebResourceResponse.java:234:33:234:35 | url : Object | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri |
+| InsecureWebResourceResponse.java:234:33:234:35 | url : String | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri |
 | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | InsecureWebResourceResponse.java:237:63:237:73 | inputStream |
 | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String |
 | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream |
-| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object |
-| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object |
-| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object | InsecureWebViewActivity.java:42:28:42:37 | url : Object |
-| InsecureWebViewActivity.java:42:28:42:37 | url : Object | InsecureWebViewActivity.java:43:25:43:27 | url : Object |
-| InsecureWebViewActivity.java:43:25:43:27 | url : Object | InsecureWebViewActivity.java:53:77:53:86 | url : Object |
-| InsecureWebViewActivity.java:53:77:53:86 | url : Object | InsecureWebViewActivity.java:55:41:55:43 | url : Object |
+| InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String |
+| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String |
+| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | InsecureWebViewActivity.java:42:28:42:37 | url : String |
+| InsecureWebViewActivity.java:42:28:42:37 | url : String | InsecureWebViewActivity.java:43:25:43:27 | url : String |
+| InsecureWebViewActivity.java:43:25:43:27 | url : String | InsecureWebViewActivity.java:53:77:53:86 | url : String |
+| InsecureWebViewActivity.java:53:77:53:86 | url : String | InsecureWebViewActivity.java:55:41:55:43 | url : String |
 | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri |
-| InsecureWebViewActivity.java:55:41:55:43 | url : Object | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri |
+| InsecureWebViewActivity.java:55:41:55:43 | url : String | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri |
 | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | InsecureWebViewActivity.java:58:71:58:81 | inputStream |
 | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String |
 | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream |
 nodes
 | InsecureWebResourceResponse.java:28:27:28:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
-| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebResourceResponse.java:59:34:59:43 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:63:77:63:86 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:28:27:28:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
+| InsecureWebResourceResponse.java:30:25:30:32 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:32:25:32:32 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:34:25:34:32 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:36:26:36:33 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:38:26:38:33 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:40:25:40:32 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:42:25:42:32 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:44:26:44:33 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebResourceResponse.java:59:34:59:43 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:63:77:63:86 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:65:31:65:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
-| InsecureWebResourceResponse.java:65:41:65:43 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:65:41:65:43 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:66:51:66:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
 | InsecureWebResourceResponse.java:66:71:66:73 | uri : Uri | semmle.label | uri : Uri |
 | InsecureWebResourceResponse.java:66:71:66:83 | getPath(...) : String | semmle.label | getPath(...) : String |
 | InsecureWebResourceResponse.java:68:71:68:81 | inputStream | semmle.label | inputStream |
-| InsecureWebResourceResponse.java:75:20:75:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:80:34:80:43 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:84:77:84:86 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:75:20:75:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:80:34:80:43 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:84:77:84:86 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:86:31:86:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
-| InsecureWebResourceResponse.java:86:41:86:43 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:86:41:86:43 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:88:42:88:90 | new File(...) : File | semmle.label | new File(...) : File |
 | InsecureWebResourceResponse.java:88:66:88:68 | uri : Uri | semmle.label | uri : Uri |
 | InsecureWebResourceResponse.java:88:66:88:89 | getLastPathSegment(...) : String | semmle.label | getLastPathSegment(...) : String |
 | InsecureWebResourceResponse.java:89:55:89:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
 | InsecureWebResourceResponse.java:89:75:89:83 | cacheFile : File | semmle.label | cacheFile : File |
 | InsecureWebResourceResponse.java:91:75:91:85 | inputStream | semmle.label | inputStream |
-| InsecureWebResourceResponse.java:101:20:101:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:106:34:106:43 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:110:77:110:86 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:101:20:101:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:106:34:106:43 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:110:77:110:86 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:112:31:112:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
-| InsecureWebResourceResponse.java:112:41:112:43 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:112:41:112:43 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:113:35:113:37 | uri : Uri | semmle.label | uri : Uri |
 | InsecureWebResourceResponse.java:113:35:113:47 | getPath(...) : String | semmle.label | getPath(...) : String |
 | InsecureWebResourceResponse.java:113:35:113:60 | substring(...) : String | semmle.label | substring(...) : String |
@@ -154,16 +154,16 @@ nodes
 | InsecureWebResourceResponse.java:115:75:115:78 | path : String | semmle.label | path : String |
 | InsecureWebResourceResponse.java:115:75:115:107 | substring(...) : String | semmle.label | substring(...) : String |
 | InsecureWebResourceResponse.java:117:75:117:85 | inputStream | semmle.label | inputStream |
-| InsecureWebResourceResponse.java:127:20:127:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:131:36:131:45 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:152:20:152:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:156:35:156:44 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:177:20:177:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:181:34:181:43 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:184:20:184:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:188:34:188:43 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:192:77:192:102 | request : Object | semmle.label | request : Object |
-| InsecureWebResourceResponse.java:194:31:194:37 | request : Object | semmle.label | request : Object |
+| InsecureWebResourceResponse.java:127:20:127:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:131:36:131:45 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:152:20:152:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:156:35:156:44 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:177:20:177:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:181:34:181:43 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:184:20:184:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:188:34:188:43 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:192:77:192:102 | request : WebResourceRequest | semmle.label | request : WebResourceRequest |
+| InsecureWebResourceResponse.java:194:31:194:37 | request : WebResourceRequest | semmle.label | request : WebResourceRequest |
 | InsecureWebResourceResponse.java:194:31:194:46 | getUrl(...) : Uri | semmle.label | getUrl(...) : Uri |
 | InsecureWebResourceResponse.java:196:42:196:90 | new File(...) : File | semmle.label | new File(...) : File |
 | InsecureWebResourceResponse.java:196:66:196:68 | uri : Uri | semmle.label | uri : Uri |
@@ -171,24 +171,24 @@ nodes
 | InsecureWebResourceResponse.java:197:55:197:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
 | InsecureWebResourceResponse.java:197:75:197:83 | cacheFile : File | semmle.label | cacheFile : File |
 | InsecureWebResourceResponse.java:199:75:199:85 | inputStream | semmle.label | inputStream |
-| InsecureWebResourceResponse.java:209:20:209:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:217:35:217:44 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:226:20:226:22 | url : Object | semmle.label | url : Object |
-| InsecureWebResourceResponse.java:232:69:232:78 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:209:20:209:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:217:35:217:44 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:226:20:226:22 | url : String | semmle.label | url : String |
+| InsecureWebResourceResponse.java:232:69:232:78 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:234:23:234:36 | parse(...) : Uri | semmle.label | parse(...) : Uri |
-| InsecureWebResourceResponse.java:234:33:234:35 | url : Object | semmle.label | url : Object |
+| InsecureWebResourceResponse.java:234:33:234:35 | url : String | semmle.label | url : String |
 | InsecureWebResourceResponse.java:235:43:235:76 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
 | InsecureWebResourceResponse.java:235:63:235:65 | uri : Uri | semmle.label | uri : Uri |
 | InsecureWebResourceResponse.java:235:63:235:75 | getPath(...) : String | semmle.label | getPath(...) : String |
 | InsecureWebResourceResponse.java:237:63:237:73 | inputStream | semmle.label | inputStream |
 | InsecureWebViewActivity.java:27:27:27:37 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
-| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : Object | semmle.label | inputUrl : Object |
-| InsecureWebViewActivity.java:42:28:42:37 | url : Object | semmle.label | url : Object |
-| InsecureWebViewActivity.java:43:25:43:27 | url : Object | semmle.label | url : Object |
-| InsecureWebViewActivity.java:53:77:53:86 | url : Object | semmle.label | url : Object |
+| InsecureWebViewActivity.java:27:27:27:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
+| InsecureWebViewActivity.java:28:20:28:27 | inputUrl : String | semmle.label | inputUrl : String |
+| InsecureWebViewActivity.java:42:28:42:37 | url : String | semmle.label | url : String |
+| InsecureWebViewActivity.java:43:25:43:27 | url : String | semmle.label | url : String |
+| InsecureWebViewActivity.java:53:77:53:86 | url : String | semmle.label | url : String |
 | InsecureWebViewActivity.java:55:31:55:44 | parse(...) : Uri | semmle.label | parse(...) : Uri |
-| InsecureWebViewActivity.java:55:41:55:43 | url : Object | semmle.label | url : Object |
+| InsecureWebViewActivity.java:55:41:55:43 | url : String | semmle.label | url : String |
 | InsecureWebViewActivity.java:56:51:56:84 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
 | InsecureWebViewActivity.java:56:71:56:73 | uri : Uri | semmle.label | uri : Uri |
 | InsecureWebViewActivity.java:56:71:56:83 | getPath(...) : String | semmle.label | getPath(...) : String |

java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.expected

@@ -1,47 +1,47 @@
 edges
 | FileService.java:20:31:20:43 | intent : Intent | FileService.java:21:28:21:33 | intent : Intent |
-| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : Object |
-| FileService.java:21:28:21:64 | getStringExtra(...) : Object | FileService.java:25:42:25:50 | localPath : Object |
+| FileService.java:21:28:21:33 | intent : Intent | FileService.java:21:28:21:64 | getStringExtra(...) : String |
+| FileService.java:21:28:21:64 | getStringExtra(...) : String | FileService.java:25:42:25:50 | localPath : String |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | FileService.java:40:41:40:55 | params : Object[] |
-| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
-| FileService.java:25:42:25:50 | localPath : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object |
-| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object |
-| FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:35:17:35:25 | sourceUri : Object |
-| FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object |
-| FileService.java:35:17:35:25 | sourceUri : Object | FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object |
-| FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : Object |
-| FileService.java:44:33:44:52 | (...)... : Object | FileService.java:45:53:45:59 | ...[...] |
+| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] |
+| FileService.java:25:42:25:50 | localPath : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String |
+| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String |
+| FileService.java:32:13:32:28 | sourceUri : String | FileService.java:35:17:35:25 | sourceUri : String |
+| FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String |
+| FileService.java:35:17:35:25 | sourceUri : String | FileService.java:34:20:36:13 | {...} : Object[] [[]] : String |
+| FileService.java:40:41:40:55 | params : Object[] | FileService.java:44:33:44:52 | (...)... : String[] |
+| FileService.java:44:33:44:52 | (...)... : String[] | FileService.java:45:53:45:59 | ...[...] |
 | LeakFileActivity2.java:15:13:15:18 | intent : Intent | LeakFileActivity2.java:16:26:16:31 | intent : Intent |
 | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:20:31:20:43 | intent : Intent |
 | LeakFileActivity.java:14:35:14:38 | data : Intent | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent |
 | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent |
-| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Object |
-| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object |
-| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | LeakFileActivity.java:21:58:21:82 | getPath(...) |
+| LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | LeakFileActivity.java:19:31:19:53 | getData(...) : Uri |
+| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri |
+| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | LeakFileActivity.java:21:58:21:82 | getPath(...) |
 nodes
 | FileService.java:20:31:20:43 | intent : Intent | semmle.label | intent : Intent |
 | FileService.java:21:28:21:33 | intent : Intent | semmle.label | intent : Intent |
-| FileService.java:21:28:21:64 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
+| FileService.java:21:28:21:64 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
 | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] | semmle.label | makeParamsToExecute(...) : Object[] |
-| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object | semmle.label | makeParamsToExecute(...) : Object[] [[]] : Object |
-| FileService.java:25:42:25:50 | localPath : Object | semmle.label | localPath : Object |
-| FileService.java:32:13:32:28 | sourceUri : Object | semmle.label | sourceUri : Object |
-| FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object | semmle.label | new Object[] : Object[] [[]] : Object |
-| FileService.java:34:20:36:13 | {...} : Object[] [[]] : Object | semmle.label | {...} : Object[] [[]] : Object |
-| FileService.java:35:17:35:25 | sourceUri : Object | semmle.label | sourceUri : Object |
+| FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String | semmle.label | makeParamsToExecute(...) : Object[] [[]] : String |
+| FileService.java:25:42:25:50 | localPath : String | semmle.label | localPath : String |
+| FileService.java:32:13:32:28 | sourceUri : String | semmle.label | sourceUri : String |
+| FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | semmle.label | new Object[] : Object[] [[]] : String |
+| FileService.java:34:20:36:13 | {...} : Object[] [[]] : String | semmle.label | {...} : Object[] [[]] : String |
+| FileService.java:35:17:35:25 | sourceUri : String | semmle.label | sourceUri : String |
 | FileService.java:40:41:40:55 | params : Object[] | semmle.label | params : Object[] |
-| FileService.java:44:33:44:52 | (...)... : Object | semmle.label | (...)... : Object |
+| FileService.java:44:33:44:52 | (...)... : String[] | semmle.label | (...)... : String[] |
 | FileService.java:45:53:45:59 | ...[...] | semmle.label | ...[...] |
 | LeakFileActivity2.java:15:13:15:18 | intent : Intent | semmle.label | intent : Intent |
 | LeakFileActivity2.java:16:26:16:31 | intent : Intent | semmle.label | intent : Intent |
 | LeakFileActivity.java:14:35:14:38 | data : Intent | semmle.label | data : Intent |
 | LeakFileActivity.java:18:40:18:59 | contentIntent : Intent | semmle.label | contentIntent : Intent |
 | LeakFileActivity.java:19:31:19:43 | contentIntent : Intent | semmle.label | contentIntent : Intent |
-| LeakFileActivity.java:19:31:19:53 | getData(...) : Object | semmle.label | getData(...) : Object |
-| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Object | semmle.label | streamsToUpload : Object |
+| LeakFileActivity.java:19:31:19:53 | getData(...) : Uri | semmle.label | getData(...) : Uri |
+| LeakFileActivity.java:21:58:21:72 | streamsToUpload : Uri | semmle.label | streamsToUpload : Uri |
 | LeakFileActivity.java:21:58:21:82 | getPath(...) | semmle.label | getPath(...) |
 subpaths
-| FileService.java:25:42:25:50 | localPath : Object | FileService.java:32:13:32:28 | sourceUri : Object | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : Object | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : Object |
+| FileService.java:25:42:25:50 | localPath : String | FileService.java:32:13:32:28 | sourceUri : String | FileService.java:34:20:36:13 | new Object[] : Object[] [[]] : String | FileService.java:25:13:25:51 | makeParamsToExecute(...) : Object[] [[]] : String |
 #select
 | FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:15:13:15:18 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:15:13:15:18 | intent | this user input |
 | FileService.java:45:53:45:59 | ...[...] | LeakFileActivity2.java:16:26:16:31 | intent : Intent | FileService.java:45:53:45:59 | ...[...] | Leaking arbitrary Android file from $@. | LeakFileActivity2.java:16:26:16:31 | intent | this user input |

java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected

@@ -6,17 +6,17 @@ edges
 | UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | UnsafeReflection.java:39:58:39:71 | parameterValue |
 | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String |
 | UnsafeReflection.java:46:132:46:168 | body : Map | UnsafeReflection.java:49:37:49:40 | body : Map |
-| UnsafeReflection.java:49:23:49:59 | (...)... : Object | UnsafeReflection.java:53:67:53:73 | rawData : Object |
+| UnsafeReflection.java:49:23:49:59 | (...)... : List | UnsafeReflection.java:53:67:53:73 | rawData : List |
 | UnsafeReflection.java:49:37:49:40 | body : Map | UnsafeReflection.java:49:37:49:59 | get(...) : Object |
-| UnsafeReflection.java:49:37:49:59 | get(...) : Object | UnsafeReflection.java:49:23:49:59 | (...)... : Object |
+| UnsafeReflection.java:49:37:49:59 | get(...) : Object | UnsafeReflection.java:49:23:49:59 | (...)... : List |
 | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String |
-| UnsafeReflection.java:53:67:53:73 | rawData : Object | UnsafeReflection.java:104:102:104:118 | data : Object |
+| UnsafeReflection.java:53:67:53:73 | rawData : List | UnsafeReflection.java:104:102:104:118 | data : List |
 | UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | UnsafeReflection.java:68:76:68:89 | parameterValue |
 | UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | UnsafeReflection.java:83:76:83:89 | parameterValue |
 | UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | UnsafeReflection.java:98:76:98:89 | parameterValue |
 | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:21:119:26 | method |
 | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | UnsafeReflection.java:119:35:119:38 | bean |
-| UnsafeReflection.java:104:102:104:118 | data : Object | UnsafeReflection.java:119:41:119:44 | data |
+| UnsafeReflection.java:104:102:104:118 | data : List | UnsafeReflection.java:119:41:119:44 | data |
 nodes
 | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -29,11 +29,11 @@ nodes
 | UnsafeReflection.java:39:58:39:71 | parameterValue | semmle.label | parameterValue |
 | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
 | UnsafeReflection.java:46:132:46:168 | body : Map | semmle.label | body : Map |
-| UnsafeReflection.java:49:23:49:59 | (...)... : Object | semmle.label | (...)... : Object |
+| UnsafeReflection.java:49:23:49:59 | (...)... : List | semmle.label | (...)... : List |
 | UnsafeReflection.java:49:37:49:40 | body : Map | semmle.label | body : Map |
 | UnsafeReflection.java:49:37:49:59 | get(...) : Object | semmle.label | get(...) : Object |
 | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
-| UnsafeReflection.java:53:67:53:73 | rawData : Object | semmle.label | rawData : Object |
+| UnsafeReflection.java:53:67:53:73 | rawData : List | semmle.label | rawData : List |
 | UnsafeReflection.java:62:33:62:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:68:76:68:89 | parameterValue | semmle.label | parameterValue |
 | UnsafeReflection.java:77:33:77:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
@@ -41,7 +41,7 @@ nodes
 | UnsafeReflection.java:92:33:92:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:98:76:98:89 | parameterValue | semmle.label | parameterValue |
 | UnsafeReflection.java:104:34:104:57 | beanIdOrClassName : String | semmle.label | beanIdOrClassName : String |
-| UnsafeReflection.java:104:102:104:118 | data : Object | semmle.label | data : Object |
+| UnsafeReflection.java:104:102:104:118 | data : List | semmle.label | data : List |
 | UnsafeReflection.java:119:21:119:26 | method | semmle.label | method |
 | UnsafeReflection.java:119:35:119:38 | bean | semmle.label | bean |
 | UnsafeReflection.java:119:41:119:44 | data | semmle.label | data |

java/ql/test/experimental/query-tests/security/CWE-552/UnsafeUrlForward.expected

@@ -3,13 +3,14 @@ edges
 | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource | UnsafeLoadSpringResource.java:35:31:35:33 | clr |
 | UnsafeLoadSpringResource.java:31:49:31:56 | fileName : String | UnsafeLoadSpringResource.java:31:27:31:57 | new ClassPathResource(...) : ClassPathResource |
 | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName |
+| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName |
 | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path |
 | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:17:20:17:25 | params : Map |
-| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object |
-| UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object | UnsafeResourceGet2.java:19:93:19:99 | loadUrl |
+| UnsafeResourceGet2.java:17:20:17:25 | params : Map | UnsafeResourceGet2.java:17:20:17:40 | get(...) : String |
+| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | UnsafeResourceGet2.java:19:93:19:99 | loadUrl |
 | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:33:20:33:25 | params : Map |
-| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object |
-| UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object | UnsafeResourceGet2.java:37:20:37:22 | url |
+| UnsafeResourceGet2.java:33:20:33:25 | params : Map | UnsafeResourceGet2.java:33:20:33:40 | get(...) : String |
+| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | UnsafeResourceGet2.java:37:20:37:22 | url |
 | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | UnsafeResourceGet.java:41:20:41:22 | url |
 | UnsafeResourceGet.java:111:24:111:58 | getParameter(...) : String | UnsafeResourceGet.java:115:68:115:78 | requestPath |
 | UnsafeResourceGet.java:143:23:143:56 | getParameter(...) : String | UnsafeResourceGet.java:150:20:150:22 | url |
@@ -35,15 +36,17 @@ nodes
 | UnsafeLoadSpringResource.java:35:31:35:33 | clr | semmle.label | clr |
 | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | semmle.label | fileName : String |
 | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | semmle.label | fileName |
+| UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | semmle.label | fileName : String |
+| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | semmle.label | fileName |
 | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | semmle.label | getServletPath(...) : String |
 | UnsafeRequestPath.java:23:33:23:36 | path | semmle.label | path |
 | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
 | UnsafeResourceGet2.java:17:20:17:25 | params : Map | semmle.label | params : Map |
-| UnsafeResourceGet2.java:17:20:17:40 | get(...) : Object | semmle.label | get(...) : Object |
+| UnsafeResourceGet2.java:17:20:17:40 | get(...) : String | semmle.label | get(...) : String |
 | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | semmle.label | loadUrl |
 | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | semmle.label | getRequestParameterMap(...) : Map |
 | UnsafeResourceGet2.java:33:20:33:25 | params : Map | semmle.label | params : Map |
-| UnsafeResourceGet2.java:33:20:33:40 | get(...) : Object | semmle.label | get(...) : Object |
+| UnsafeResourceGet2.java:33:20:33:40 | get(...) : String | semmle.label | get(...) : String |
 | UnsafeResourceGet2.java:37:20:37:22 | url | semmle.label | url |
 | UnsafeResourceGet.java:32:23:32:56 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeResourceGet.java:41:20:41:22 | url | semmle.label | url |
@@ -83,6 +86,7 @@ subpaths
 #select
 | UnsafeLoadSpringResource.java:35:31:35:33 | clr | UnsafeLoadSpringResource.java:27:32:27:77 | fileName : String | UnsafeLoadSpringResource.java:35:31:35:33 | clr | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:27:32:27:77 | fileName | user-provided value |
 | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | UnsafeLoadSpringResource.java:68:32:68:77 | fileName : String | UnsafeLoadSpringResource.java:76:38:76:45 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:68:32:68:77 | fileName | user-provided value |
+| UnsafeLoadSpringResource.java:116:51:116:58 | fileName | UnsafeLoadSpringResource.java:108:32:108:77 | fileName : String | UnsafeLoadSpringResource.java:116:51:116:58 | fileName | Potentially untrusted URL forward due to $@. | UnsafeLoadSpringResource.java:108:32:108:77 | fileName | user-provided value |
 | UnsafeRequestPath.java:23:33:23:36 | path | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) : String | UnsafeRequestPath.java:23:33:23:36 | path | Potentially untrusted URL forward due to $@. | UnsafeRequestPath.java:20:17:20:63 | getServletPath(...) | user-provided value |
 | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:19:93:19:99 | loadUrl | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:16:32:16:79 | getRequestParameterMap(...) | user-provided value |
 | UnsafeResourceGet2.java:37:20:37:22 | url | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) : Map | UnsafeResourceGet2.java:37:20:37:22 | url | Potentially untrusted URL forward due to $@. | UnsafeResourceGet2.java:32:32:32:79 | getRequestParameterMap(...) | user-provided value |

java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.expected

@@ -1,11 +1,11 @@
 edges
 | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:32 | map : Map |
-| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password |
-| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password : Object |
+| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password |
+| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | SensitiveGetQuery2.java:15:29:15:36 | password : String |
 | SensitiveGetQuery2.java:14:30:14:32 | map : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object |
-| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
-| SensitiveGetQuery2.java:15:29:15:36 | password : Object | SensitiveGetQuery2.java:18:40:18:54 | password : Object |
-| SensitiveGetQuery2.java:18:40:18:54 | password : Object | SensitiveGetQuery2.java:19:61:19:68 | password |
+| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : String |
+| SensitiveGetQuery2.java:15:29:15:36 | password : String | SensitiveGetQuery2.java:18:40:18:54 | password : String |
+| SensitiveGetQuery2.java:18:40:18:54 | password : String | SensitiveGetQuery2.java:19:61:19:68 | password |
 | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | SensitiveGetQuery3.java:13:57:13:64 | password |
 | SensitiveGetQuery3.java:17:10:17:40 | getParameter(...) : String | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String |
 | SensitiveGetQuery4.java:14:24:14:66 | getRequestParameter(...) : String | SensitiveGetQuery4.java:16:37:16:47 | accessToken |
@@ -16,12 +16,12 @@ edges
 | SensitiveGetQuery.java:17:40:17:54 | password : String | SensitiveGetQuery.java:18:61:18:68 | password |
 nodes
 | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map |
-| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | semmle.label | (...)... : Object |
+| SensitiveGetQuery2.java:14:21:14:48 | (...)... : String | semmle.label | (...)... : String |
 | SensitiveGetQuery2.java:14:30:14:32 | map : Map | semmle.label | map : Map |
 | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | semmle.label | get(...) : Object |
 | SensitiveGetQuery2.java:15:29:15:36 | password | semmle.label | password |
-| SensitiveGetQuery2.java:15:29:15:36 | password : Object | semmle.label | password : Object |
-| SensitiveGetQuery2.java:18:40:18:54 | password : Object | semmle.label | password : Object |
+| SensitiveGetQuery2.java:15:29:15:36 | password : String | semmle.label | password : String |
+| SensitiveGetQuery2.java:18:40:18:54 | password : String | semmle.label | password : String |
 | SensitiveGetQuery2.java:19:61:19:68 | password | semmle.label | password |
 | SensitiveGetQuery3.java:12:21:12:60 | getRequestParameter(...) : String | semmle.label | getRequestParameter(...) : String |
 | SensitiveGetQuery3.java:13:57:13:64 | password | semmle.label | password |

java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.expected

@@ -1,25 +1,25 @@
 edges
-| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object |
-| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) |
-| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object |
-| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) |
-| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object |
-| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) |
-| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object |
-| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:44:21:44:43 | new Double(...) |
-| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) |
+| NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String |
+| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) |
+| NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String |
+| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) |
+| NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String |
+| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) |
+| NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String |
+| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:44:21:44:43 | new Double(...) |
+| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) |
 nodes
 | NFEAndroidDoS.java:13:24:13:34 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
+| NFEAndroidDoS.java:13:24:13:61 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
 | NFEAndroidDoS.java:14:21:14:51 | parseDouble(...) | semmle.label | parseDouble(...) |
 | NFEAndroidDoS.java:22:21:22:31 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
+| NFEAndroidDoS.java:22:21:22:55 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
 | NFEAndroidDoS.java:23:15:23:40 | parseInt(...) | semmle.label | parseInt(...) |
 | NFEAndroidDoS.java:25:22:25:32 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
+| NFEAndroidDoS.java:25:22:25:57 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
 | NFEAndroidDoS.java:26:16:26:42 | parseInt(...) | semmle.label | parseInt(...) |
 | NFEAndroidDoS.java:43:24:43:34 | getIntent(...) : Intent | semmle.label | getIntent(...) : Intent |
-| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : Object | semmle.label | getStringExtra(...) : Object |
+| NFEAndroidDoS.java:43:24:43:61 | getStringExtra(...) : String | semmle.label | getStringExtra(...) : String |
 | NFEAndroidDoS.java:44:21:44:43 | new Double(...) | semmle.label | new Double(...) |
 | NFEAndroidDoS.java:47:21:47:47 | valueOf(...) | semmle.label | valueOf(...) |
 subpaths

java/ql/test/ext/TestModels/Test.java

@@ -82,7 +82,7 @@ public class Test {
             Connection con = DriverManager.getConnection("");
             PreparedStatement ps1 = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?");
             ps1.setString(1, (String)source());
-            sink(ps1); // $hasValueFlow
+            sink(ps1); // safe
 
             // java.util.concurrent.atomic
             AtomicReference ar = new AtomicReference(source());

java/ql/test/kotlin/library-tests/dataflow/summaries/use.kt

@@ -0,0 +1,11 @@
+import java.io.Closeable
+
+class UseFlowTest {
+    fun <T> taint(t: T) = t
+    fun sink(s: Closeable) { }
+
+    fun test(input: Closeable) {
+        taint(input).use { it -> sink(it) } // $ hasValueFlow
+        sink(taint(input).use { it }) // $ hasValueFlow
+    }
+}

java/ql/test/kotlin/library-tests/dataflow/summaries/with.kt

@@ -0,0 +1,9 @@
+class WithFlowTest {
+    fun <T> taint(t: T) = t
+    fun sink(s: String) { }
+
+    fun test(input: String) {
+        with(taint(input)) { sink(this) } // $ hasValueFlow
+        sink(with(taint(input)) { this }) // $ hasValueFlow
+    }
+}

java/ql/test/library-tests/dispatch/CallableViaSummary.java

@@ -0,0 +1,31 @@
+import java.util.*;
+
+public class CallableViaSummary {
+    public interface Element {
+        public void handle(String message);
+    }
+
+    public void main(String[] args) {
+        List<Element> elements = new ArrayList<>();
+
+        List<Element> elements2 = new ArrayList<>();
+
+        elements.add(new Element() {
+            @Override
+            public void handle(String message) {
+                System.out.println(message);
+            }
+        });
+
+        elements.add(message -> System.out.println(message));
+
+        // This dispatches to the two added elements because
+        // the summary of ArrayList causes flow via type tracking.
+        elements.get(0).handle("Hello, world!");
+
+        // This does not dispatch to anything, showing that the
+        // open-world assumption does not apply
+        // (and hence that type tracking is necessary above).
+        elements2.get(0).handle("Hello, world!");
+    }
+}

java/ql/test/library-tests/dispatch/viaSummary.expected

@@ -0,0 +1,2 @@
+| CallableViaSummary.java:24:9:24:47 | handle(...) | CallableViaSummary.java:15:25:15:30 | handle |
+| CallableViaSummary.java:24:9:24:47 | handle(...) | CallableViaSummary.java:20:22:20:59 | handle |

java/ql/test/library-tests/dispatch/viaSummary.ql

@@ -0,0 +1,9 @@
+import java
+import semmle.code.java.dispatch.VirtualDispatch
+
+from MethodAccess ma, Method m
+where
+  m = viableImpl(ma) and
+  m.fromSource() and
+  ma.getFile().toString() = "CallableViaSummary"
+select ma, m

java/ql/test/library-tests/frameworks/apache-collections/Test.java

@@ -721,14 +721,14 @@ public class Test {
 		{
 			// "org.apache.commons.collections4;MapUtils;true;getMap;;;MapValue of Argument[0];ReturnValue;value;manual"
 			Map out = null;
-			Map in = newTreeMapWithMapValue((String)source());
+			Map in = newTreeMapWithMapValue((Map)source());
 			out = MapUtils.getMap(in, null, null);
 			sink(out); // $ hasValueFlow
 		}
 		{
 			// "org.apache.commons.collections4;MapUtils;true;getMap;;;MapValue of Argument[0];ReturnValue;value;manual"
 			Map out = null;
-			Map in = newTreeMapWithMapValue((String)source());
+			Map in = newTreeMapWithMapValue((Map)source());
 			out = MapUtils.getMap(in, null);
 			sink(out); // $ hasValueFlow
 		}
@@ -7257,4 +7257,4 @@ public class Test {
 		}
 	}
 
-}
+}

java/ql/test/library-tests/frameworks/gson/Test.java

@@ -25,7 +25,7 @@ public class Test {
 	<K> K getMapKeyDefault(Map.Entry<K,?> container) { return container.getKey(); }
 	JsonElement getMapValueDefault(JsonObject container) { return container.get(null); }
 	<V> V  getMapValueDefault(Map.Entry<?,V> container) { return container.getValue(); }
-	JsonArray newWithElementDefault(String element) { JsonArray a = new JsonArray(); a.add(element); return a; }
+	JsonArray newWithElementDefault(JsonElement element) { JsonArray a = new JsonArray(); a.add(element); return a; }
 	JsonObject newWithMapKeyDefault(String key) { JsonObject o = new JsonObject(); o.add(key, (JsonElement) null); return o; }
 	JsonObject newWithMapValueDefault(JsonElement element) { JsonObject o = new JsonObject(); o.add(null, element); return o; }
 	Object source() { return null; }
@@ -232,51 +232,58 @@ public class Test {
 			sink(out); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(Boolean);;Argument[0];Argument[this].Element;taint;manual"
 			JsonArray out = null;
 			Boolean in = (Boolean)source();
 			out.add(in);
-			sink(getElement(out)); // $ hasValueFlow
+			sink(getElement(out)); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(Character);;Argument[0];Argument[this].Element;taint;manual"
 			JsonArray out = null;
 			Character in = (Character)source();
 			out.add(in);
-			sink(getElement(out)); // $ hasValueFlow
+			sink(getElement(out)); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(JsonElement);;Argument[0];Argument[this].Element;value;manual"
 			JsonArray out = null;
 			JsonElement in = (JsonElement)source();
 			out.add(in);
 			sink(getElement(out)); // $ hasValueFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(Number);;Argument[0];Argument[this].Element;taint;manual"
 			JsonArray out = null;
 			Number in = (Number)source();
 			out.add(in);
-			sink(getElement(out)); // $ hasValueFlow
+			sink(getElement(out)); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(String);;Argument[0];Argument[this].Element;taint;manual"
 			JsonArray out = null;
 			String in = (String)source();
 			out.add(in);
+			sink(getElement(out)); // $ hasTaintFlow
+		}
+		{
+			// "com.google.gson;JsonArray;true;addAll;(JsonArray);;Argument[0].Element;Argument[this].Element;value;manual"
+			JsonArray out = null;
+			JsonArray in = newWithElementDefault((JsonElement) source());
+			out.addAll(in);
 			sink(getElement(out)); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonArray;true;asList;;;Argument[this].Element;ReturnValue.Element;value;manual"
 			List out = null;
-			JsonArray in = (JsonArray)newWithElementDefault((String) source());
+			JsonArray in = newWithElementDefault((JsonElement) source());
 			out = in.asList();
 			sink(getElement(out)); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonArray;true;get;;;Argument[this].Element;ReturnValue;value;manual"
 			JsonElement out = null;
-			JsonArray in = (JsonArray)newWithElementDefault((String) source());
+			JsonArray in = newWithElementDefault((JsonElement) source());
 			out = in.get(0);
 			sink(out); // $ hasValueFlow
 		}
@@ -400,51 +407,51 @@ public class Test {
 			sink(getMapKeyDefault(out)); // $ hasValueFlow
 		}
 		{
-			// "com.google.gson;JsonObject;true;addProperty;(String,String);;Argument[1];Argument[this].MapValue;value;manual"
+			// "com.google.gson;JsonObject;true;addProperty;(String,String);;Argument[1];Argument[this].MapValue;taint;manual"
 			JsonObject out = null;
 			String in = (String)source();
 			out.addProperty((String)null, in);
-			sink(getMapValueDefault(out)); // $ hasValueFlow
+			sink(getMapValueDefault(out)); // $ hasTaintFlow
 		}
 		{
 			// "com.google.gson;JsonObject;true;asMap;;;Argument[this].MapKey;ReturnValue.MapKey;value;manual"
 			Map out = null;
-			JsonObject in = (JsonObject)newWithMapKeyDefault((String) source());
+			JsonObject in = newWithMapKeyDefault((String) source());
 			out = in.asMap();
 			sink(getMapKey(out)); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonObject;true;asMap;;;Argument[this].MapValue;ReturnValue.MapValue;value;manual"
 			Map out = null;
-			JsonObject in = (JsonObject)newWithMapValueDefault((JsonElement) source());
+			JsonObject in = newWithMapValueDefault((JsonElement) source());
 			out = in.asMap();
 			sink(getMapValue(out)); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonObject;true;entrySet;;;Argument[this].MapKey;ReturnValue.Element.MapKey;value;manual"
 			Set<Map.Entry<String,JsonElement>> out = null;
-			JsonObject in = (JsonObject)newWithMapKeyDefault((String) source());
+			JsonObject in = newWithMapKeyDefault((String) source());
 			out = in.entrySet();
 			sink(getMapKeyDefault(getElement(out))); // $ hasValueFlow
 		}
 		{
-			// "com.google.gson;JsonObject;true;entrySet;;;Argument[this].MapKey;ReturnValue.Element.MapValue;value;manual"
+			// "com.google.gson;JsonObject;true;entrySet;;;Argument[this].MapValue;ReturnValue.Element.MapValue;value;manual"
 			Set<Map.Entry<String,JsonElement>> out = null;
-			JsonObject in = (JsonObject) newWithMapKeyDefault((String) source());
+			JsonObject in = newWithMapValueDefault((JsonElement) source());
 			out = in.entrySet();
 			sink(getMapValueDefault(getElement(out))); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonObject;true;get;;;Argument[this].MapValue;ReturnValue;value;manual"
 			JsonElement out = null;
-			JsonObject in = (JsonObject)newWithMapValueDefault((JsonElement) source());
+			JsonObject in = newWithMapValueDefault((JsonElement) source());
 			out = in.get(null);
 			sink(out); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonObject;true;keySet;;;Argument[this].MapKey;ReturnValue.Element;value;manual"
 			Set out = null;
-			JsonObject in = (JsonObject)newWithMapKeyDefault((String) source());
+			JsonObject in = newWithMapKeyDefault((String) source());
 			out = in.keySet();
 			sink(getElement(out)); // $ hasValueFlow
 		}

java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.expected

@@ -1,7 +1,7 @@
-| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:5:5:5:19 | User.java:5:5:5:19 | after this call to getStrings |
-| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:13:12:13:26 | User.java:13:12:13:26 | after this call to getStrings |
-| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:38:12:38:26 | User.java:38:12:38:26 | after this call to getStrings |
-| ExposesRep.java:13:30:13:41 | getStringMap | getStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:9:5:9:21 | User.java:9:5:9:21 | after this call to getStringMap |
-| ExposesRep.java:17:15:17:24 | setStrings | setStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:22:5:22:6 | User.java:22:5:22:6 | through the variable ss |
-| ExposesRep.java:21:15:21:26 | setStringMap | setStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:27:5:27:5 | User.java:27:5:27:5 | through the variable m |
-| ExposesRep.java:29:14:29:21 | getArray | getArray exposes the internal representation stored in field array. The value may be modified $@. | User.java:31:5:31:18 | User.java:31:5:31:18 | after this call to getArray |
+| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:5:5:5:19 | getStrings(...) | after this call to getStrings |
+| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:13:12:13:26 | getStrings(...) | after this call to getStrings |
+| ExposesRep.java:11:19:11:28 | getStrings | getStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:38:12:38:26 | getStrings(...) | after this call to getStrings |
+| ExposesRep.java:13:30:13:41 | getStringMap | getStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:9:5:9:21 | getStringMap(...) | after this call to getStringMap |
+| ExposesRep.java:17:15:17:24 | setStrings | setStrings exposes the internal representation stored in field strings. The value may be modified $@. | User.java:22:5:22:6 | ss | through the variable ss |
+| ExposesRep.java:21:15:21:26 | setStringMap | setStringMap exposes the internal representation stored in field stringMap. The value may be modified $@. | User.java:27:5:27:5 | m | through the variable m |
+| ExposesRep.java:29:14:29:21 | getArray | getArray exposes the internal representation stored in field array. The value may be modified $@. | User.java:31:5:31:18 | getArray(...) | after this call to getArray |

java/ql/test/query-tests/Metrics/GeneratedVsManualCoverage/TopJdkApisTest/TopJdkApisTest.expected

@@ -8,7 +8,7 @@
 | java.nio | 0 | 0 | 2 | 3 | 5 | 0.4 | 0.0 | 0.4 | 0.0 | NaN | 0.6 |
 | java.nio.charset | 0 | 0 | 0 | 1 | 1 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 |
 | java.nio.file | 0 | 0 | 7 | 1 | 8 | 0.875 | 0.0 | 0.875 | 0.0 | NaN | 0.125 |
-| java.sql | 0 | 0 | 2 | 14 | 16 | 0.125 | 0.0 | 0.125 | 0.0 | NaN | 0.875 |
+| java.sql | 0 | 0 | 1 | 15 | 16 | 0.0625 | 0.0 | 0.0625 | 0.0 | NaN | 0.9375 |
 | java.text | 0 | 0 | 0 | 5 | 5 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 |
 | java.time | 0 | 0 | 0 | 17 | 17 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 |
 | java.time.chrono | 0 | 0 | 0 | 1 | 1 | 0.0 | 0.0 | 0.0 | NaN | NaN | 1.0 |

java/ql/test/query-tests/Telemetry/SupportedExternalSinks/SupportedExternalSinks.expected

@@ -1,2 +1,3 @@
+| java.io.File#File(String) | 1 |
 | java.io.FileWriter#FileWriter(File) | 1 |
 | java.net.URL#openStream() | 1 |

java/ql/test/query-tests/security/CWE-078/ExecTaintedLocal.expected

@@ -7,8 +7,8 @@ edges
 | Test.java:7:44:7:69 | ... + ... : String | Test.java:7:25:7:70 | new ..[] { .. } : String[] [[]] : String |
 | Test.java:10:29:10:74 | {...} : String[] [[]] : String | Test.java:10:29:10:74 | new String[] |
 | Test.java:10:61:10:73 | ... + ... : String | Test.java:10:29:10:74 | {...} : String[] [[]] : String |
-| Test.java:16:5:16:7 | cmd [post update] : List [<element>] : String | Test.java:18:29:18:31 | cmd |
-| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : List [<element>] : String |
+| Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String | Test.java:18:29:18:31 | cmd |
+| Test.java:16:13:16:25 | ... + ... : String | Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String |
 | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | Test.java:24:29:24:32 | cmd1 |
 | Test.java:22:15:22:27 | ... + ... : String | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String |
 | Test.java:28:38:28:47 | arg : String | Test.java:29:44:29:64 | ... + ... : String |
@@ -26,7 +26,7 @@ nodes
 | Test.java:10:29:10:74 | new String[] | semmle.label | new String[] |
 | Test.java:10:29:10:74 | {...} : String[] [[]] : String | semmle.label | {...} : String[] [[]] : String |
 | Test.java:10:61:10:73 | ... + ... : String | semmle.label | ... + ... : String |
-| Test.java:16:5:16:7 | cmd [post update] : List [<element>] : String | semmle.label | cmd [post update] : List [<element>] : String |
+| Test.java:16:5:16:7 | cmd [post update] : ArrayList [<element>] : String | semmle.label | cmd [post update] : ArrayList [<element>] : String |
 | Test.java:16:13:16:25 | ... + ... : String | semmle.label | ... + ... : String |
 | Test.java:18:29:18:31 | cmd | semmle.label | cmd |
 | Test.java:22:5:22:8 | cmd1 [post update] : String[] [[]] : String | semmle.label | cmd1 [post update] : String[] [[]] : String |