Reformat and comment extension files

Non-semantic changes only.

java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/test.ext.yml

@@ -26,3 +26,9 @@ extensions:
       - ["", "LibKt", True, "extensionSink", "(String,int,int)", "", "Argument[1]", "kotlinMadFlowTest", "manual"]
       - ["", "SinkClass", True, "memberSink", "(int,int)", "", "Argument[0]", "kotlinMadFlowTest", "manual"]
       - ["", "SinkClass", True, "extensionMemberSink", "(String,int,int)", "", "Argument[1]", "kotlinMadFlowTest", "manual"]
+
+  # - addsTo:
+  #     pack: codeql/java-all
+  #     extensible: supportedThreatModels
+  #   data:
+  #     - ["kotlinMadFlowTest"]

java/ql/lib/ext/threat-grouping.model.yml

@@ -0,0 +1,68 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      # These are all sources of "database" kind of tainted data
+      # They are only enabled of the "database" threat model is enabled
+
+      # Package java.sql
+      - ["java.sql", "PreparedStatement", True, "executeQuery", "()", "", "ReturnValue", "database", "manual"]
+      - ["java.sql", "PreparedStatement", True, "getMetaData", "()", "", "ReturnValue", "database", "manual"]
+      - ["java.sql", "PreparedStatement", True, "getParameterMetaData", "", "", "ReturnValue", "database", "manual"]
+      - ["java.sql", "Statement", True, "executeQuery", "(String)", "", "ReturnValue", "database", "manual"]
+      - ["java.sql", "Statement", True, "getResultSet", "()", "", "ReturnValue", "database", "manual"]
+      - ["java.sql", "Statement", True, "getGeneratedKeys", "()", "", "ReturnValue", "database", "manual"]
+      - ["java.sql", "Statement", True, "getConnection", "()", "", "ReturnValue", "database", "manual"]
+
+      # Package org.hibernate
+      - ["org.hibernate", "Query", True, "list", "()", "", ReturnValue", "database", "manual"]
+      - ["org.hibernate", "Query", True, "scroll", "", "", ReturnValue", "database", "manual"]
+      - ["org.hibernate", "Query", True, "iterate", "", "", ReturnValue", "database", "manual"]
+
+      # Package org.jooq
+      - ["org.jooq", "ResultQuery", True, "fetch", "()", "", "ReturnValue", "database", "manual"]
+      - ["org.jooq", "ResultQuery", True, "iterator", "()", "", "ReturnValue", "database", "manual"]
+
+      # Package org.springframework.jdbc.object
+      - ["org.springframework.jdbc.object", "SqlQuery", True, "execute", "", "", "ReturnValue", "database", "manual"]
+      - ["org.springframework.jdbc.object", "SqlQuery", True, "executeByNamedParam", "", "", "ReturnValue", "database", "manual"]
+
+
+  # Create a graph of parent-child relationships between threat models and their kinds
+  # The left side is a kind of threat model. The right side groups the kinds together.
+  # This is unlikely to be directly added to by users.
+  - addsTo:
+      pack: codeql/java-all
+      extensible: threatModelGrouping
+    data:
+      # Default threat model
+      - ["remote", "default"]
+      - ["uri-path", "default"]
+
+      # Android threat models
+      # TODO This part of the hierarchy may be removed when Android sources are refactored
+      - ["android-widget", "android"]
+      - ["android-external-storage-dir", "android"]
+      - ["contentprovider", "android"]
+      - ["android-external-storage-dir", "standard"]
+
+      # Remote threat models
+      - ["request", "remote"]
+      - ["response", "remote"]
+
+      # Local threat models
+      - ["database", "local"]
+      - ["cli", "local"]
+      - ["environment", "local"]
+      - ["file", "local"]
+
+  # Provide an empty supportedThreatModels to make `resolve extensions` happy
+  - addsTo:
+      pack: codeql/java-all
+      extensible: supportedThreatModels
+
+    # Choose which threat models are enabled in this query.
+    # The default threat model is implicitly enabled.
+    data: []

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -84,6 +84,7 @@ private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific as FlowSummaryImplSpecific
 private import internal.AccessPathSyntax
 private import ExternalFlowExtensions as Extensions
+private import ExternalFlowConfiguration as ConfiguredExtensions
 private import FlowSummary
 
 /**
@@ -135,10 +136,13 @@ predicate sourceModel(
   string package, string type, boolean subtypes, string name, string signature, string ext,
   string output, string kind, string provenance
 ) {
-  Extensions::sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
-  or
-  any(ActiveExperimentalModels q)
-      .sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)
+  exists(string relatedKind | relatedKind = ConfiguredExtensions::relatedSourceModel(kind) |
+    Extensions::sourceModel(package, type, subtypes, name, signature, ext, output, relatedKind,
+      provenance)
+    or
+    any(ActiveExperimentalModels q)
+        .sourceModel(package, type, subtypes, name, signature, ext, output, relatedKind, provenance)
+  )
 }
 
 /** Holds if a sink model exists for the given parameters. */
@@ -284,7 +288,8 @@ module ModelValidation {
     )
     or
     exists(string kind | sourceModel(_, _, _, _, _, _, _, kind, _) |
-      not kind = ["remote", "contentprovider", "android-widget", "android-external-storage-dir"] and
+      not kind =
+        ["remote", "database", "contentprovider", "android-widget", "android-external-storage-dir"] and
       not kind.matches("qltest%") and
       result = "Invalid kind \"" + kind + "\" in source model."
     )

java/ql/lib/semmle/code/java/dataflow/ExternalFlowConfiguration.qll

@@ -0,0 +1,94 @@
+/**
+ * This module provides extensible predicates for configuring which kinds of MaD models
+ * are applicable to a given query.
+ */
+
+private import ExternalFlowExtensions
+
+/**
+ * Holds if the specified kind of source model is supported for the current query.
+ */
+extensible private predicate supportedThreatModels(string kind);
+
+/**
+ * Holds if the specified kind of source model is containted within the specified group.
+ */
+extensible predicate threatModelGrouping(string kind, string group);
+
+/**
+ * Finds all of the threat models that are ancestors of the specified kind.
+ */
+private string parentThreatModel(string kind) {
+  exists(string parent | threatModelGrouping(kind, parent) |
+    result = parent or result = parentThreatModel(parent)
+  )
+}
+
+/**
+ * Finds all of the threat models that are descendants of the specified kind/group.
+ */
+private string childThreatModel(string group) {
+  exists(string child | threatModelGrouping(child, group) |
+    result = child or result = childThreatModel(child)
+  )
+}
+
+/**
+ * Holds if source models of the specified kind are
+ * supported for the current query.
+ */
+bindingset[kind]
+predicate supportedSourceModel(string kind) {
+  // all threat model includes all kinds
+  supportedThreatModels("all")
+  or
+  // check if this kind is supported directly
+  supportedThreatModels(kind)
+  or
+  // check if one of this kind's ancestors are supported
+  exists(string group | group = parentThreatModel(kind) | supportedThreatModels(group))
+  or
+  // if supportedThreatModels is empty, check if kind is a subtype of "default"
+  not supportedThreatModels(_) and
+  ("default" = parentThreatModel(kind) or "default" = kind)
+}
+
+private string getGlobalGroups() { result = ["default", "all"] }
+
+/**
+ * A class that represents a kind of any model or group.
+ */
+private class Kind extends string {
+  Kind() {
+    sourceModel(_, _, _, _, _, _, _, this, _) or
+    sinkModel(_, _, _, _, _, _, _, this, _) or
+    summaryModel(_, _, _, _, _, _, _, _, this, _) or
+    experimentalSourceModel(_, _, _, _, _, _, _, this, _, _) or
+    experimentalSinkModel(_, _, _, _, _, _, _, this, _, _) or
+    experimentalSummaryModel(_, _, _, _, _, _, _, _, this, _, _) or
+    supportedThreatModels(this) or
+    threatModelGrouping(this, _) or
+    threatModelGrouping(_, this) or
+    this = getGlobalGroups()
+  }
+}
+
+/**
+ * Gets the related source model kind(s) under the specified threat model.
+ */
+string relatedSourceModel(Kind kind) {
+  // Use the kinds provided by the query
+  result = kind
+  or
+  // Use all kinds regardless of the query.
+  supportedThreatModels("all") and
+  result = kind and
+  sourceModel(_, _, _, _, _, _, _, result, _)
+  or
+  // Use the kinds that are provided by the threat model in case it is not default or all.
+  exists(string model | not model = getGlobalGroups() and supportedThreatModels(model) |
+    result = model
+    or
+    exists(string child | child = childThreatModel(model) | result = child)
+  )
+}

java/ql/test/experimental/configured-flow/Test.java

@@ -0,0 +1,36 @@
+import java.sql.*;
+import java.net.*;
+import java.util.logging.*;
+import java.nio.charset.StandardCharsets;
+
+class Test {
+  private String byteToString(byte[] data) {
+    return new String(data, StandardCharsets.UTF_8);
+  }
+
+  public void M1(Statement handle) throws Exception {
+    // Only a source if "remote" is a selected threat model
+    Socket sock = new Socket("localhost", 1234);
+    byte[] data = new byte[1024];
+    sock.getInputStream().read(data);
+
+    // Logging sink
+    Logger logger = Logger.getLogger("foo");
+    logger.severe(byteToString(data));
+
+    // SQL sink
+    handle.executeUpdate("INSERT INTO foo VALUES ('" + byteToString(data) + "')");
+  }
+
+  public void M2(Statement handle) throws Exception {
+    // Only a source if "database" is a selected threat model
+    ResultSet rs = handle.executeQuery("SELECT * FROM foo");
+
+    // SQL sink
+    handle.executeUpdate("INSERT INTO foo VALUES ('" + rs.getString("name") + "')");
+
+    // Logging sink
+    Logger logger = Logger.getLogger("foo");
+    logger.severe(rs.getString("name"));
+  }
+}

java/ql/test/experimental/configured-flow/Test.qll

@@ -0,0 +1,12 @@
+private import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.TaintTracking
+
+private module ThreatModelConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { sourceNode(source, _) }
+
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+}
+
+module ThreatModel = TaintTracking::Global<ThreatModelConfig>;

java/ql/test/experimental/configured-flow/TestHardcoded.qll

@@ -0,0 +1,12 @@
+private import java
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
+private import semmle.code.java.dataflow.TaintTracking
+
+private module ThreatModelConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { sourceNode(source, "remote") }
+
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+}
+
+module ThreatModel = TaintTracking::Global<ThreatModelConfig>;

java/ql/test/experimental/configured-flow/test-default.expected

@@ -0,0 +1,41 @@
+edges
+| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] |
+| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:20 | rs : ResultSet |
+| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String |
+| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... |
+| Test.java:34:19:34:20 | rs : ResultSet | Test.java:34:19:34:38 | getString(...) |
+nodes
+| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String |
+| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
+| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) |
+| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... |
+| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
+| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet |
+| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... |
+| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet |
+| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String |
+| Test.java:34:19:34:20 | rs : ResultSet | semmle.label | rs : ResultSet |
+| Test.java:34:19:34:38 | getString(...) | semmle.label | getString(...) |
+subpaths
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String |
+#select
+| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy |
+| Test.java:34:19:34:38 | getString(...) | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:38 | getString(...) | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy |

java/ql/test/experimental/configured-flow/test-default.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["default"] # Strictly not needed as all possible sources are already included.

java/ql/test/experimental/configured-flow/test-default.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Testing the threat model
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision low
+ * @id java/threat-model-default
+ * @tags security
+ */
+
+import Test
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select sink.getNode(), source, sink, "This is some kind of threat model thingy $@.",
+  source.getNode(), "Source of that thingy"

java/ql/test/experimental/configured-flow/test-hardcoded-all.expected

@@ -0,0 +1,41 @@
+edges
+| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] |
+| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:20 | rs : ResultSet |
+| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String |
+| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... |
+| Test.java:34:19:34:20 | rs : ResultSet | Test.java:34:19:34:38 | getString(...) |
+nodes
+| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String |
+| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
+| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) |
+| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... |
+| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
+| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet |
+| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... |
+| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet |
+| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String |
+| Test.java:34:19:34:20 | rs : ResultSet | semmle.label | rs : ResultSet |
+| Test.java:34:19:34:38 | getString(...) | semmle.label | getString(...) |
+subpaths
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String |
+#select
+| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy |
+| Test.java:34:19:34:38 | getString(...) | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:38 | getString(...) | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy |

java/ql/test/experimental/configured-flow/test-hardcoded-all.ext.yml

@@ -0,0 +1,9 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["remote"] # Strictly not needed as this is included by default.
+      - ["database"]
+      

java/ql/test/experimental/configured-flow/test-hardcoded-all.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Testing the threat model
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision low
+ * @id java/threat-model-hardcoded-all
+ * @tags security
+ */
+
+import TestHardcoded
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select sink.getNode(), source, sink, "This is some kind of threat model thingy $@.",
+  source.getNode(), "Source of that thingy"

java/ql/test/experimental/configured-flow/test-hardcoded-database.expected

@@ -0,0 +1,41 @@
+edges
+| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] |
+| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:20 | rs : ResultSet |
+| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String |
+| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... |
+| Test.java:34:19:34:20 | rs : ResultSet | Test.java:34:19:34:38 | getString(...) |
+nodes
+| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String |
+| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
+| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) |
+| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... |
+| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
+| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet |
+| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... |
+| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet |
+| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String |
+| Test.java:34:19:34:20 | rs : ResultSet | semmle.label | rs : ResultSet |
+| Test.java:34:19:34:38 | getString(...) | semmle.label | getString(...) |
+subpaths
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String |
+#select
+| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy |
+| Test.java:34:19:34:38 | getString(...) | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:34:19:34:38 | getString(...) | This is some kind of threat model thingy $@. | Test.java:27:20:27:59 | executeQuery(...) | Source of that thingy |

java/ql/test/experimental/configured-flow/test-hardcoded-database.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["database"]

java/ql/test/experimental/configured-flow/test-hardcoded-database.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Testing the threat model
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision low
+ * @id java/threat-model-hardcoded-database
+ * @tags security
+ */
+
+import TestHardcoded
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select sink.getNode(), source, sink, "This is some kind of threat model thingy $@.",
+  source.getNode(), "Source of that thingy"

java/ql/test/experimental/configured-flow/test-hardcoded-default.expected

@@ -0,0 +1,28 @@
+edges
+| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] |
+| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String |
+nodes
+| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String |
+| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
+| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) |
+| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... |
+| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
+| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] |
+subpaths
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String |
+#select
+| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |

java/ql/test/experimental/configured-flow/test-hardcoded-default.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["default"]

java/ql/test/experimental/configured-flow/test-hardcoded-default.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Testing the threat model
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision low
+ * @id java/threat-model-hardcoded-default
+ * @tags security
+ */
+
+import TestHardcoded
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select sink.getNode(), source, sink, "This is some kind of threat model thingy $@.",
+  source.getNode(), "Source of that thingy"

java/ql/test/experimental/configured-flow/test-hardcoded-remote.expected

@@ -0,0 +1,28 @@
+edges
+| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] |
+| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:19:32:19:35 | data : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:19:32:19:35 | data : byte[] | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String |
+nodes
+| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String |
+| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
+| Test.java:19:19:19:36 | byteToString(...) | semmle.label | byteToString(...) |
+| Test.java:19:32:19:35 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... |
+| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
+| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] |
+subpaths
+| Test.java:19:32:19:35 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:19:19:19:36 | byteToString(...) |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String |
+#select
+| Test.java:19:19:19:36 | byteToString(...) | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:19:19:19:36 | byteToString(...) | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |
+| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This is some kind of threat model thingy $@. | Test.java:15:5:15:25 | getInputStream(...) | Source of that thingy |

java/ql/test/experimental/configured-flow/test-hardcoded-remote.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["remote"] # Strictly not needed as this is included by default.

java/ql/test/experimental/configured-flow/test-hardcoded-remote.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Testing the threat model
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision low
+ * @id java/threat-model-hardcoded-remote
+ * @tags security
+ */
+
+import TestHardcoded
+import ThreatModel::PathGraph
+
+from ThreatModel::PathNode source, ThreatModel::PathNode sink
+where ThreatModel::flowPath(source, sink)
+select sink.getNode(), source, sink, "This is some kind of threat model thingy $@.",
+  source.getNode(), "Source of that thingy"

java/ql/test/experimental/configured-flow/test-relatedsourcemodels1.expected

@@ -0,0 +1 @@
+| remote | remote |

java/ql/test/experimental/configured-flow/test-relatedsourcemodels1.ext.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["default"]

java/ql/test/experimental/configured-flow/test-relatedsourcemodels1.ql

@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.ExternalFlowConfiguration
+
+from string relatedKind, string kind
+where kind = "remote" and relatedKind = relatedSourceModel(kind)
+select kind, relatedKind

java/ql/test/experimental/configured-flow/test-relatedsourcemodels2.expected

@@ -0,0 +1,7 @@
+| remote | group1 |
+| remote | kind10 |
+| remote | kind11 |
+| remote | remote |
+| remote | subgroup1 |
+| remote | subkind10 |
+| remote | subkind11 |

java/ql/test/experimental/configured-flow/test-relatedsourcemodels2.ext.yml

@@ -0,0 +1,22 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["default"]
+      - ["group1"]
+
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: threatModelGrouping
+    data:
+      - ["kind10", "group1"]
+      - ["kind11", "group1"]
+      - ["subgroup1", "group1"]
+      - ["subkind10", "subgroup1"]
+      - ["subkind11", "subgroup1"]
+      - ["kind20", "group2"]
+      - ["kind21", "group2"]
+      - ["subgroup2", "group2"]
+      - ["subkind20", "subgroup2"]
+      - ["subkind21", "subgroup2"]

java/ql/test/experimental/configured-flow/test-relatedsourcemodels2.ql

@@ -0,0 +1,5 @@
+import semmle.code.java.dataflow.ExternalFlowConfiguration
+
+from string relatedKind, string kind
+where kind = "remote" and relatedKind = relatedSourceModel(kind)
+select kind, relatedKind

java/ql/test/experimental/configured-flow/test-sqlinjection1.expected

@@ -0,0 +1,21 @@
+edges
+| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] |
+| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] |
+| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String |
+nodes
+| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String |
+| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
+| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... |
+| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
+| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] |
+subpaths
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String |
+#select
+| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This query depends on a $@. | Test.java:15:5:15:25 | getInputStream(...) | user-provided value |

java/ql/test/experimental/configured-flow/test-sqlinjection1.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql

java/ql/test/experimental/configured-flow/test-sqlinjection2.expected

@@ -0,0 +1,29 @@
+edges
+| Test.java:7:31:7:41 | data : byte[] | Test.java:8:23:8:26 | data : byte[] |
+| Test.java:8:23:8:26 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:15:32:15:35 | data [post update] : byte[] |
+| Test.java:15:32:15:35 | data [post update] : byte[] | Test.java:22:69:22:72 | data : byte[] |
+| Test.java:22:56:22:73 | byteToString(...) : String | Test.java:22:26:22:80 | ... + ... |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] |
+| Test.java:22:69:22:72 | data : byte[] | Test.java:22:56:22:73 | byteToString(...) : String |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:56:30:57 | rs : ResultSet |
+| Test.java:30:56:30:57 | rs : ResultSet | Test.java:30:56:30:75 | getString(...) : String |
+| Test.java:30:56:30:75 | getString(...) : String | Test.java:30:26:30:82 | ... + ... |
+nodes
+| Test.java:7:31:7:41 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:8:12:8:51 | new String(...) : String | semmle.label | new String(...) : String |
+| Test.java:8:23:8:26 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:15:5:15:25 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| Test.java:15:32:15:35 | data [post update] : byte[] | semmle.label | data [post update] : byte[] |
+| Test.java:22:26:22:80 | ... + ... | semmle.label | ... + ... |
+| Test.java:22:56:22:73 | byteToString(...) : String | semmle.label | byteToString(...) : String |
+| Test.java:22:69:22:72 | data : byte[] | semmle.label | data : byte[] |
+| Test.java:27:20:27:59 | executeQuery(...) : ResultSet | semmle.label | executeQuery(...) : ResultSet |
+| Test.java:30:26:30:82 | ... + ... | semmle.label | ... + ... |
+| Test.java:30:56:30:57 | rs : ResultSet | semmle.label | rs : ResultSet |
+| Test.java:30:56:30:75 | getString(...) : String | semmle.label | getString(...) : String |
+subpaths
+| Test.java:22:69:22:72 | data : byte[] | Test.java:7:31:7:41 | data : byte[] | Test.java:8:12:8:51 | new String(...) : String | Test.java:22:56:22:73 | byteToString(...) : String |
+#select
+| Test.java:22:26:22:80 | ... + ... | Test.java:15:5:15:25 | getInputStream(...) : InputStream | Test.java:22:26:22:80 | ... + ... | This query depends on a $@. | Test.java:15:5:15:25 | getInputStream(...) | user-provided value |
+| Test.java:30:26:30:82 | ... + ... | Test.java:27:20:27:59 | executeQuery(...) : ResultSet | Test.java:30:26:30:82 | ... + ... | This query depends on a $@. | Test.java:27:20:27:59 | executeQuery(...) | user-provided value |

java/ql/test/experimental/configured-flow/test-sqlinjection2.ext.yml

@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/java-tests
+      extensible: supportedThreatModels
+    data:
+      - ["database"]

java/ql/test/experimental/configured-flow/test-sqlinjection2.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-089/SqlTainted.ql