Commit Graph

4491 Commits

Author SHA1 Message Date
dependabot[bot]
279df532f9 Bump the maven group across 30 directories with 11 updates
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-executable-war directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-existing-settings-xml directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-mirrorof directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 2 updates in the /java/ql/integration-tests/java/buildless-maven-multimodule directory: [junit:junit](https://github.com/junit-team/junit4) and org.apache.commons:commons-lang3.
Bumps the maven group with 2 updates in the /java/ql/integration-tests/java/buildless-maven-multimodule/submod2 directory: [junit:junit](https://github.com/junit-team/junit4) and org.apache.commons:commons-lang3.
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-maven-timeout directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-proxy-maven directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-sibling-projects/maven-project-1 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/buildless-sibling-projects/maven-project-2 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/diagnostics/compilation-error directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/diagnostics/multiple-candidate-builds/maven-project-1 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/diagnostics/multiple-candidate-builds/maven-project-2 directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-download-failure directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-enforcer directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-enforcer-multiple-versions directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-enforcer-single-version directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-extract-properties directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-large-xml-files directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-small-xml-files directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-all directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-all-gbk-encoding directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-byname directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-disabled directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-sample-xml-mode-smart directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-wrapper directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-wrapper-script-only directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 1 update in the /java/ql/integration-tests/java/maven-wrapper-source-only directory: [junit:junit](https://github.com/junit-team/junit4).
Bumps the maven group with 9 updates in the /java/ql/test/utils/flowtestcasegenerator directory:

| Package | From | To |
| --- | --- | --- |
| org.apache.logging.log4j:log4j-core | `2.14.1` | `2.25.4` |
| [org.springframework.ldap:spring-ldap-core](https://github.com/spring-projects/spring-ldap) | `2.3.5.RELEASE` | `2.4.4` |
| [org.springframework:spring-web](https://github.com/spring-projects/spring-framework) | `5.3.18` | `6.1.21` |
| [org.springframework:spring-context](https://github.com/spring-projects/spring-framework) | `5.3.18` | `6.1.20` |
| [org.springframework:spring-webmvc](https://github.com/spring-projects/spring-framework) | `5.3.18` | `6.2.18` |
| [org.apache.shiro:shiro-core](https://github.com/apache/shiro) | `1.8.0` | `2.2.1` |
| [org.owasp.esapi:esapi](https://github.com/ESAPI/esapi-java-legacy) | `2.2.3.1` | `2.6.0.0` |
| org.thymeleaf:thymeleaf | `3.0.15.RELEASE` | `3.1.5.RELEASE` |
| [com.hubspot.jinjava:jinjava](https://github.com/HubSpot/jinjava) | `2.6.0` | `2.7.6` |

Updates `junit:junit` from 4.11 to 4.13.1
- [Release notes](https://github.com/junit-team/junit4/releases)
- [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.11.md)
- [Commits](https://github.com/junit-team/junit4/compare/r4.11...r4.13.1)

Updates `org.apache.commons:commons-lang3` from 3.14.0 to 3.18.0

Updates `junit:junit` from 4.12 to 4.13.1
- [Release notes](https://github.com/junit-team/junit4/releases)
- [Changelog](https://github.com/junit-team/junit4/blob/main/doc/ReleaseNotes4.11.md)
- [Commits](https://github.com/junit-team/junit4/compare/r4.11...r4.13.1)

Updates `org.apache.logging.log4j:log4j-core` from 2.14.1 to 2.25.4

Updates `org.springframework.ldap:spring-ldap-core` from 2.3.5.RELEASE to 2.4.4
- [Release notes](https://github.com/spring-projects/spring-ldap/releases)
- [Changelog](https://github.com/spring-projects/spring-ldap/blob/main/changelog.txt)
- [Commits](https://github.com/spring-projects/spring-ldap/compare/2.3.5.RELEASE...2.4.4)

Updates `org.springframework:spring-web` from 5.3.18 to 6.1.21
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.18...v6.1.21)

Updates `org.springframework:spring-context` from 5.3.18 to 6.1.20
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.18...v6.1.20)

Updates `org.springframework:spring-webmvc` from 5.3.18 to 6.2.18
- [Release notes](https://github.com/spring-projects/spring-framework/releases)
- [Commits](https://github.com/spring-projects/spring-framework/compare/v5.3.18...v6.2.18)

Updates `org.apache.shiro:shiro-core` from 1.8.0 to 2.2.1
- [Release notes](https://github.com/apache/shiro/releases)
- [Changelog](https://github.com/apache/shiro/blob/main/RELEASE-NOTES)
- [Commits](https://github.com/apache/shiro/compare/shiro-root-1.8.0...shiro-root-2.2.1)

Updates `org.owasp.esapi:esapi` from 2.2.3.1 to 2.6.0.0
- [Release notes](https://github.com/ESAPI/esapi-java-legacy/releases)
- [Commits](https://github.com/ESAPI/esapi-java-legacy/compare/esapi-2.2.3.1...esapi-2.6.0.0)

Updates `org.thymeleaf:thymeleaf` from 3.0.15.RELEASE to 3.1.5.RELEASE

Updates `com.hubspot.jinjava:jinjava` from 2.6.0 to 2.7.6
- [Release notes](https://github.com/HubSpot/jinjava/releases)
- [Changelog](https://github.com/HubSpot/jinjava/blob/master/CHANGES.md)
- [Commits](https://github.com/HubSpot/jinjava/compare/jinjava-2.6.0...jinjava-2.7.6)

---
updated-dependencies:
- dependency-name: junit:junit
  dependency-version: 4.13.1
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.apache.commons:commons-lang3
  dependency-version: 3.18.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.25.4
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework.ldap:spring-ldap-core
  dependency-version: 2.4.4
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-web
  dependency-version: 6.1.21
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-context
  dependency-version: 6.1.20
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.springframework:spring-webmvc
  dependency-version: 6.2.18
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.shiro:shiro-core
  dependency-version: 2.2.1
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.owasp.esapi:esapi
  dependency-version: 2.6.0.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.thymeleaf:thymeleaf
  dependency-version: 3.1.5.RELEASE
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.hubspot.jinjava:jinjava
  dependency-version: 2.7.6
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-04 05:23:55 +00:00
Mathias Vorreiter Pedersen
b7b731bab7 Merge branch 'main' into mad-write-through-model 2026-06-30 15:12:02 +01:00
Geoffrey White
c0871defe9 Merge pull request #22077 from geoffw0/javainline
Java: Address testFailures in inline expectations tests
2026-06-30 10:49:24 +01:00
Geoffrey White
897d16929b Java: Add missing $ Source annotations. 2026-06-26 16:22:05 +01:00
Geoffrey White
6f997ae15c Java: Label spurious results. 2026-06-26 16:22:03 +01:00
Geoffrey White
300e48e48e Java: Move $ Source annotations that were incorrectly placed. 2026-06-26 16:21:49 +01:00
Geoffrey White
f840f6104a Java: Make some $ Source annotations query specific. 2026-06-26 16:21:46 +01:00
Mathias Vorreiter Pedersen
7861e9e596 Java: Fix a library test. 2026-06-26 14:18:23 +01:00
Anders Schack-Mulligen
11725e8921 Java: Accept test changes. 2026-06-23 14:28:44 +02:00
Owen Mansel-Chan
4bc083fd7f Remove confusing comments 2026-06-12 21:51:52 +01:00
Owen Mansel-Chan
89c1d66f90 Add SPURIOUS and MISSING alerts based on existing comments 2026-06-12 21:51:50 +01:00
Owen Mansel-Chan
3693185b6b Second pass 2026-06-10 09:14:47 +02:00
Owen Mansel-Chan
1c1d26453d First pass converting qlref tests to inline expectation with postprocess 2026-06-10 07:46:42 +02:00
Owen Mansel-Chan
52f2a5825a Merge pull request #21804 from github/copilot/add-tests-for-models
Java: Update CWE-918 model coverage for Apache HttpClient `execute` sinks
2026-06-03 12:55:56 +01:00
Owen Mansel-Chan
d95d99848c Build RequestBuilder more realistically 2026-05-28 11:05:40 +01:00
Owen Mansel-Chan
37589dd8a0 Improve how org.apache.http.client.HttpClient is created in test 2026-05-28 10:30:43 +01:00
Owen Mansel-Chan
a159dc1c66 Change variable name in test 2026-05-28 10:28:14 +01:00
Owen Mansel-Chan
36554d160c Merge pull request #21741 from MarkLee131/fix/path-injection-read-subkind
Fix/path injection read subkind
2026-05-08 12:38:16 +01:00
Anders Schack-Mulligen
6b6df374fa C#/Java: Accept test changes. 2026-05-07 15:07:31 +02:00
Owen Mansel-Chan
dd35bc0722 Update test output 2026-05-07 10:17:47 +01:00
copilot-swe-agent[bot]
043ec857ab Replace fluent SSRF changes with Apache HttpClient execute model tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/3db201db-a1b5-4353-a94a-14a8d156dd3b

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 20:31:34 +00:00
copilot-swe-agent[bot]
f5b17b0b48 Add SSRF tests and stubs for Apache Http fluent Request models
Agent-Logs-Url: https://github.com/github/codeql/sessions/bd4fa112-dbc3-47e8-9cef-9b1b13c7e549

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 16:08:02 +00:00
MarkLee131
bafa892116 Merge branch 'main' into fix/path-injection-read-subkind 2026-05-01 16:06:35 +08:00
MarkLee131
119994b59f Java: move File inspection methods to path-injection[read]
Per review feedback on #21741: File.canRead/canWrite/canExecute,
exists/isDirectory/isFile/isHidden only inspect a path, so move them
under the path-injection[read] sub-kind. Update TaintedPath.expected
and the experimental CWE-073 expected to match.
2026-05-01 16:04:29 +08:00
Owen Mansel-Chan
87c35e6401 Merge pull request #21654 from MarkLee131/fix/sensitive-log-hash-sanitizer
Java: treat hash/encrypt/digest methods as sensitive-log sanitizers
2026-04-30 13:21:03 +01:00
MarkLee131
90741b15e2 Merge branch 'main' into fix/path-injection-read-subkind 2026-04-30 18:37:12 +08:00
MarkLee131
28a6ff208c Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer
# Conflicts:
#	java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
#	java/ql/test/query-tests/security/CWE-532/Test.java
2026-04-29 20:59:59 +08:00
MarkLee131
75162bb9eb Update java/ql/test/query-tests/security/CWE-532/Test.java
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2026-04-29 20:53:58 +08:00
MarkLee131
49d014cbac Merge branch 'main' into fix/trust-boundary-regexp-barrier 2026-04-29 20:48:22 +08:00
Owen Mansel-Chan
9fbe447428 Merge pull request #21749 from github/copilot/add-hibernate-sql-injection-tests
Add Hibernate SQL injection sink models and coverage
2026-04-24 09:36:46 +01:00
copilot-swe-agent[bot]
25d232b815 Model additional Hibernate query sinks
Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 13:41:03 +00:00
copilot-swe-agent[bot]
081ad03b4b Add Hibernate SQL injection sink tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 10:04:52 +00:00
Owen Mansel-Chan
9f19791d8c Merge branch 'main' into fix/path-injection-torealpath 2026-04-23 10:40:47 +01:00
Kaixuan Li
af794ed3c0 Merge branch 'main' into fix/trust-boundary-regexp-barrier 2026-04-21 23:01:06 +10:00
Kaixuan Li
07e97e20d8 Merge branch 'github:main' into fix/path-injection-read-subkind 2026-04-21 22:59:53 +10:00
Owen Mansel-Chan
c91b5b3c2e Merge pull request #21650 from MarkLee131/fix/sensitive-log-fp-regex
Java: reduce false positives in sensitive-log
2026-04-21 13:48:32 +01:00
MarkLee131
6d10b1582f Java: update regression-test expectations for path-injection[read]
The sink-model generator and the experimental java/file-path-injection
query now observe the new path-injection[read] sub-kind for the
FileInputStream and Files.copy source-argument models.

- CWE-073 FilePathInjection.expected: refresh the models table for the
  renamed kind on FileInputStream(File); alerts unchanged.
- modelgenerator Sinks.java: update the inline sink annotation for
  copyFileToDirectory(Path,Path,CopyOption[]) Argument[0] to the new
  path-injection[read] sub-kind, mirroring the library change.
2026-04-21 19:45:13 +08:00
MarkLee131
c336a1595d Java: split read-only path sinks into path-injection[read]
Introduce a new Models-as-Data sink sub-kind path-injection[read] for
models that only read from or inspect a path. The general
java/path-injection query and its PathInjectionSanitizer barrier
continue to consider both path-injection and path-injection[read]
sinks, so no alerts are lost. The java/zipslip query deliberately
selects only path-injection sinks, since read-only accesses such as
ClassLoader.getResource or FileInputStream are outside the archive
extraction threat model.

Addresses https://github.com/github/codeql/issues/21606 along the lines
proposed on the issue thread: prefer path-injection[read] over a
[create] sub-kind so that miscategorizing a sink causes a false
positive (easy to spot) rather than a false negative.

- shared/mad/codeql/mad/ModelValidation.qll: allow path-injection[...]
  as a valid sink kind.
- java/ql/lib/ext/*.model.yml: relabel the models that PR #12916
  migrated from the historical read-file kind (plus the newer
  ClassLoader resource-lookup variants that share the same read-only
  semantics).
- java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll and
  PathSanitizer.qll: select both path-injection and
  path-injection[read] sinks/barriers.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: keep only
  path-injection, with a comment explaining why path-injection[read]
  is excluded.
- java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java:
  add m7 regression covering the Dubbo-style classpath lookup from
  issue #21606 and assert no alert is produced.
- Update TaintedPath.expected for the renamed kinds in the models list.
- Add change-notes under java/ql/lib/change-notes and
  java/ql/src/change-notes.
2026-04-21 09:17:36 +10:00
Owen Mansel-Chan
9f310c20f3 Merge pull request #21734 from owen-mc/java/fix-partial-path-traversal
Java: fix bug in partial path traversal
2026-04-20 11:52:55 +01:00
Owen Mansel-Chan
6d4a3974ce Fix bug so += File.separator is recognized 2026-04-19 07:18:42 +01:00
Owen Mansel-Chan
6099c5d034 Add SPURIOUS test for += File.separator 2026-04-19 07:18:00 +01:00
Owen Mansel-Chan
63d20a54d4 Use inline expectations with second test
Co-authored-by: Copilot <copilot@github.com>
2026-04-19 07:17:05 +01:00
Owen Mansel-Chan
dca7046d8c Make inline expectation comments specify query 2026-04-18 10:35:15 +01:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
2026-04-17 18:46:51 +04:00
idrissrio
5a6eb79470 Java: Pin CWE-676 test to --release 25
Thread.stop() was removed in JDK 26. Pin the test to --release 25.
2026-04-07 09:28:22 +02:00
idrissrio
74b0e8c19a Java: Accept new test results after JDK 26 extractor upgrade 2026-04-07 09:28:20 +02:00
MarkLee131
b49c6dcbd4 Add @Pattern annotation test case and javax-validation-constraints stub
Adds a dedicated test verifying that fields annotated with
@javax.validation.constraints.Pattern are recognized as sanitized
by RegexpCheckBarrier, in addition to the existing String.matches()
guard test.
2026-04-04 22:04:05 +08:00
Kaixuan Li
258a53e146 Update java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-04 22:02:00 +08:00
MarkLee131
46ef0204ef Remove secretQuestion from FP exclusion list
secretQuestion is ambiguous: it could be the question text (not
sensitive) or a security question answer. Worse, the regex
secrets?(question) also matches secretQuestionAnswer, which is
clearly sensitive. Drop it to avoid false negatives.
2026-04-04 21:58:32 +08:00
MarkLee131
345b842edc Java: add RegexpCheckBarrier to trust-boundary-violation sanitizers
The trust-boundary-violation query only recognized OWASP ESAPI validators
as sanitizers. ESAPI is rarely used in modern Java projects, while regex
validation via String.matches() and @javax.validation.constraints.Pattern
is the standard approach in Spring/Jakarta applications.

RegexpCheckBarrier already exists in Sanitizers.qll and is used by other
queries (e.g., RequestForgery). This wires it into TrustBoundaryConfig,
so patterns like input.matches("[a-zA-Z0-9]+") and @Pattern annotations
are recognized as sanitizers, consistent with the existing ESAPI treatment.
2026-04-04 21:36:37 +08:00