dependabot[bot]
279df532f9
Bump the maven group across 30 directories with 11 updates
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-executable-war directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-existing-settings-xml directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-mirrorof directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 2 updates in the /java/ql/integration-tests/java/buildless-maven-multimodule directory: [junit:junit](https://github.com/junit-team/junit4) and org.apache.commons:commons-lang3.
Bumps the maven group with 2 updates in the /java/ql/integration-tests/java/buildless-maven-multimodule/submod2 directory: [junit:junit](https://github.com/junit-team/junit4) and org.apache.commons:commons-lang3.
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-timeout directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-proxy-maven directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-sibling-projects/maven-project-1 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-sibling-projects/maven-project-2 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/diagnostics/compilation-error directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/diagnostics/multiple-candidate-builds/maven-project-1 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/diagnostics/multiple-candidate-builds/maven-project-2 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-download-failure directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-enforcer directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-enforcer-multiple-versions directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-enforcer-single-version directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-extract-properties directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-large-xml-files directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-small-xml-files directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-all directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-all-gbk-encoding directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-byname directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-disabled directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-smart directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-wrapper directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-wrapper-script-only directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-wrapper-source-only directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 9 updates in the /java/ql/test/utils/flowtestcasegenerator directory:
| Package | From | To |
| --- | --- | --- |
| org.apache.logging.log4j:log4j-core | `2.14.1` | `2.25.4` |
| [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) | `2.3.5.RELEASE` | `2.4.4` |
| [org.springframework:spring-web](https://github.com/spring-projects/spring-framework) | `5.3.18` | `6.1.21` |
| [org.springframework:spring-context](https://github.com/spring-projects/spring-framework) | `5.3.18` | `6.1.20` |
| [org.springframework:spring-webmvc](https://github.com/spring-projects/spring-framework) | `5.3.18` | `6.2.18` |
| [org.apache.shiro:shiro-core](https://github.com/apache/shiro) | `1.8.0` | `2.2.1` |
| [org.owasp.esapi:esapi](https://github.com/ESAPI/esapi-java-legacy) | `2.2.3.1` | `2.6.0.0` |
| org.thymeleaf:thymeleaf | `3.0.15.RELEASE` | `3.1.5.RELEASE` |
| [com.hubspot.jinjava:jinjava](https://github.com/HubSpot/jinjava) | `2.6.0` | `2.7.6` |
Updates `junit:junit` from 4.11 to 4.13.1
- [Release notes](https://github.com/junit-team/junit4/releases)
- [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.11.md)
- [Commits](https://github.com/junit-team/junit4/compare/r4.11...r4.13.1)
Updates `org.apache.commons:commons-lang3` from 3.14.0 to 3.18.0
Updates `junit:junit` from 4.12 to 4.13.1
- [Release notes](https://github.com/junit-team/junit4/releases)
- [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.11.md)
- [Commits](https://github.com/junit-team/junit4/compare/r4.11...r4.13.1)
Updates `org.apache.logging.log4j:log4j-core` from 2.14.1 to 2.25.4
Updates `org.springframework.ldap:spring-ldap-core` from 2.3.5.RELEASE to 2.4.4
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/2.3.5.RELEASE...2.4.4)
Updates `org.springframework:spring-web` from 5.3.18 to 6.1.21
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.18...v6.1.21)
Updates `org.springframework:spring-context` from 5.3.18 to 6.1.20
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.18...v6.1.20)
Updates `org.springframework:spring-webmvc` from 5.3.18 to 6.2.18
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.18...v6.2.18)
Updates `org.apache.shiro:shiro-core` from 1.8.0 to 2.2.1
- [Release notes](https://github.com/apache/shiro/releases)
- [Changelog](https://github.com/apache/shiro/blob/main/RELEASE-NOTES)
- [Commits](https://github.com/apache/shiro/compare/shiro-root-1.8.0...shiro-root-2.2.1)
Updates `org.owasp.esapi:esapi` from 2.2.3.1 to 2.6.0.0
- [Release notes](https://github.com/ESAPI/esapi-java-legacy/releases)
- [Commits](https://github.com/ESAPI/esapi-java-legacy/compare/esapi-2.2.3.1...esapi-2.6.0.0)
Updates `org.thymeleaf:thymeleaf` from 3.0.15.RELEASE to 3.1.5.RELEASE
Updates `com.hubspot.jinjava:jinjava` from 2.6.0 to 2.7.6
- [Release notes](https://github.com/HubSpot/jinjava/releases)
- [Changelog](https://github.com/HubSpot/jinjava/blob/master/CHANGES.md)
- [Commits](https://github.com/HubSpot/jinjava/compare/jinjava-2.6.0...jinjava-2.7.6)
---
updated-dependencies:
  - dependency-name: junit:junit
    dependency-version: 4.13.1
    dependency-type: direct:development
    dependency-group: maven
  - dependency-name: org.apache.commons:commons-lang3
    dependency-version: 3.18.0
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.apache.logging.log4j:log4j-core
    dependency-version: 2.25.4
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.springframework.ldap:spring-ldap-core
    dependency-version: 2.4.4
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.springframework:spring-web
    dependency-version: 6.1.21
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.springframework:spring-context
    dependency-version: 6.1.20
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.springframework:spring-webmvc
    dependency-version: 6.2.18
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.apache.shiro:shiro-core
    dependency-version: 2.2.1
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.owasp.esapi:esapi
    dependency-version: 2.6.0.0
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: org.thymeleaf:thymeleaf
    dependency-version: 3.1.5.RELEASE
    dependency-type: direct:production
    dependency-group: maven
  - dependency-name: com.hubspot.jinjava:jinjava
    dependency-version: 2.7.6
    dependency-type: direct:production
    dependency-group: maven
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-07-04 05:23:55 +00:00
Mathias Vorreiter Pedersen
b7b731bab7
Merge branch 'main' into mad-write-through-model
2026-06-30 15:12:02 +01:00
Geoffrey White
c0871defe9
Merge pull request #22077 from geoffw0/javainline
Java: Address testFailures in inline expectations tests
2026-06-30 10:49:24 +01:00
Geoffrey White
897d16929b
Java: Add missing $ Source annotations.
2026-06-26 16:22:05 +01:00
Geoffrey White
6f997ae15c
Java: Label spurious results.
2026-06-26 16:22:03 +01:00
Geoffrey White
300e48e48e
Java: Move $ Source annotations that were incorrectly placed.
2026-06-26 16:21:49 +01:00
Geoffrey White
f840f6104a
Java: Make some $ Source annotations query specific.
2026-06-26 16:21:46 +01:00
Mathias Vorreiter Pedersen
7861e9e596
Java: Fix a library test.
2026-06-26 14:18:23 +01:00
Anders Schack-Mulligen
11725e8921
Java: Accept test changes.
2026-06-23 14:28:44 +02:00
Owen Mansel-Chan
4bc083fd7f
Remove confusing comments
2026-06-12 21:51:52 +01:00
Owen Mansel-Chan
89c1d66f90
Add SPURIOUS and MISSING alerts based on existing comments
2026-06-12 21:51:50 +01:00
Owen Mansel-Chan
3693185b6b
Second pass
2026-06-10 09:14:47 +02:00
Owen Mansel-Chan
1c1d26453d
First pass converting qlref tests to inline expectation with postprocess
2026-06-10 07:46:42 +02:00
Owen Mansel-Chan
52f2a5825a
Merge pull request #21804 from github/copilot/add-tests-for-models
Java: Update CWE-918 model coverage for Apache HttpClient `execute` sinks
2026-06-03 12:55:56 +01:00
Owen Mansel-Chan
d95d99848c
Build RequestBuilder more realistically
2026-05-28 11:05:40 +01:00
Owen Mansel-Chan
37589dd8a0
Improve how org.apache.http.client.HttpClient is created in test
2026-05-28 10:30:43 +01:00
Owen Mansel-Chan
a159dc1c66
Change variable name in test
2026-05-28 10:28:14 +01:00
Owen Mansel-Chan
36554d160c
Merge pull request #21741 from MarkLee131/fix/path-injection-read-subkind
Fix/path injection read subkind
2026-05-08 12:38:16 +01:00
Anders Schack-Mulligen
6b6df374fa
C#/Java: Accept test changes.
2026-05-07 15:07:31 +02:00
Owen Mansel-Chan
dd35bc0722
Update test output
2026-05-07 10:17:47 +01:00
copilot-swe-agent[bot]
043ec857ab
Replace fluent SSRF changes with Apache HttpClient execute model tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/3db201db-a1b5-4353-a94a-14a8d156dd3b
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 20:31:34 +00:00
copilot-swe-agent[bot]
f5b17b0b48
Add SSRF tests and stubs for Apache Http fluent Request models
Agent-Logs-Url: https://github.com/github/codeql/sessions/bd4fa112-dbc3-47e8-9cef-9b1b13c7e549
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 16:08:02 +00:00
MarkLee131
bafa892116
Merge branch 'main' into fix/path-injection-read-subkind
2026-05-01 16:06:35 +08:00
MarkLee131
119994b59f
Java: move File inspection methods to path-injection[read]
Per review feedback on #21741: File.canRead/canWrite/canExecute,
exists/isDirectory/isFile/isHidden only inspect a path, so move them
under the path-injection[read] sub-kind. Update TaintedPath.expected
and the experimental CWE-073 expected to match.
2026-05-01 16:04:29 +08:00
Owen Mansel-Chan
87c35e6401
Merge pull request #21654 from MarkLee131/fix/sensitive-log-hash-sanitizer
Java: treat hash/encrypt/digest methods as sensitive-log sanitizers
2026-04-30 13:21:03 +01:00
MarkLee131
90741b15e2
Merge branch 'main' into fix/path-injection-read-subkind
2026-04-30 18:37:12 +08:00
MarkLee131
28a6ff208c
Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer
# Conflicts:
# java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
# java/ql/test/query-tests/security/CWE-532/Test.java
2026-04-29 20:59:59 +08:00
MarkLee131
75162bb9eb
Update java/ql/test/query-tests/security/CWE-532/Test.java
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-04-29 20:53:58 +08:00
MarkLee131
49d014cbac
Merge branch 'main' into fix/trust-boundary-regexp-barrier
2026-04-29 20:48:22 +08:00
Owen Mansel-Chan
9fbe447428
Merge pull request #21749 from github/copilot/add-hibernate-sql-injection-tests
Add Hibernate SQL injection sink models and coverage
2026-04-24 09:36:46 +01:00
copilot-swe-agent[bot]
25d232b815
Model additional Hibernate query sinks
Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 13:41:03 +00:00
copilot-swe-agent[bot]
081ad03b4b
Add Hibernate SQL injection sink tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 10:04:52 +00:00
Owen Mansel-Chan
9f19791d8c
Merge branch 'main' into fix/path-injection-torealpath
2026-04-23 10:40:47 +01:00
Kaixuan Li
af794ed3c0
Merge branch 'main' into fix/trust-boundary-regexp-barrier
2026-04-21 23:01:06 +10:00
Kaixuan Li
07e97e20d8
Merge branch 'github:main' into fix/path-injection-read-subkind
2026-04-21 22:59:53 +10:00
Owen Mansel-Chan
c91b5b3c2e
Merge pull request #21650 from MarkLee131/fix/sensitive-log-fp-regex
Java: reduce false positives in sensitive-log
2026-04-21 13:48:32 +01:00
MarkLee131
6d10b1582f
Java: update regression-test expectations for path-injection[read]
The sink-model generator and the experimental java/file-path-injection
query now observe the new path-injection[read] sub-kind for the
FileInputStream and Files.copy source-argument models.
- CWE-073 FilePathInjection.expected: refresh the models table for the
renamed kind on FileInputStream(File); alerts unchanged.
- modelgenerator Sinks.java: update the inline sink annotation for
copyFileToDirectory(Path,Path,CopyOption[]) Argument[0] to the new
path-injection[read] sub-kind, mirroring the library change.
2026-04-21 19:45:13 +08:00
MarkLee131
c336a1595d
Java: split read-only path sinks into path-injection[read]
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.
Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.
- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
migrated from the historical read-file kind (plus the newer
ClassLoader resource-lookup variants that share the same read-only
semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
PathSanitizer.qll: select both path-injection and
path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
path-injection, with a comment explaining why path-injection[read]
is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
add m7 regression covering the Dubbo-style classpath lookup from
issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
java/ql/src/change-notes.
2026-04-21 09:17:36 +10:00
Owen Mansel-Chan
9f310c20f3
Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal
Java: fix bug in partial path traversal
2026-04-20 11:52:55 +01:00
Owen Mansel-Chan
6d4a3974ce
Fix bug so += File.separator is recognized
2026-04-19 07:18:42 +01:00
Owen Mansel-Chan
6099c5d034
Add SPURIOUS test for += File.separator
2026-04-19 07:18:00 +01:00
Owen Mansel-Chan
63d20a54d4
Use inline expectations with second test
Co-authored-by: Copilot <copilot@github.com>
2026-04-19 07:17:05 +01:00
Owen Mansel-Chan
dca7046d8c
Make inline expectation comments specify query
2026-04-18 10:35:15 +01:00
Salah Baddou
f5131f9bc6
Java: Add XXE sink model for Woodstox WstxInputFactory
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.
This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
2026-04-17 18:46:51 +04:00
idrissrio
5a6eb79470
Java: Pin CWE-676 test to --release 25
Thread.stop() was removed in JDK 26. Pin the test to --release 25.
2026-04-07 09:28:22 +02:00
idrissrio
74b0e8c19a
Java: Accept new test results after JDK 26 extractor upgrade
2026-04-07 09:28:20 +02:00
MarkLee131
b49c6dcbd4
Add @Pattern annotation test case and javax-validation-constraints stub
Adds a dedicated test verifying that fields annotated with
@javax.validation.constraints.Pattern are recognized as sanitized
by RegexpCheckBarrier, in addition to the existing String.matches()
guard test.
2026-04-04 22:04:05 +08:00
Kaixuan Li
258a53e146
Update java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-04 22:02:00 +08:00
MarkLee131
46ef0204ef
Remove secretQuestion from FP exclusion list
secretQuestion is ambiguous: it could be the question text (not
sensitive) or a security question answer. Worse, the regex
secrets?(question) also matches secretQuestionAnswer, which is
clearly sensitive. Drop it to avoid false negatives.
2026-04-04 21:58:32 +08:00
MarkLee131
345b842edc
Java: add RegexpCheckBarrier to trust-boundary-violation sanitizers
The trust-boundary-violation query only recognized OWASP ESAPI validators
as sanitizers. ESAPI is rarely used in modern Java projects, while regex
validation via String.matches() and @javax.validation.constraints.Pattern
is the standard approach in Spring/Jakarta applications.
RegexpCheckBarrier already exists in Sanitizers.qll and is used by other
queries (e.g., RequestForgery). This wires it into TrustBoundaryConfig,
so patterns like input.matches("[a-zA-Z0-9]+") and @Pattern annotations
are recognized as sanitizers, consistent with the existing ESAPI treatment.
2026-04-04 21:36:37 +08:00