Merge pull request #18299 from michaelnebel/java/deprecateexperimental

Java: Deprecate experimental queries.
github · Jan 29, 2025 · ee5416f · ee5416f
2 parents a42c0f6 + 98d6353
commit ee5416f
Show file tree

Hide file tree

Showing 137 changed files with 1,974 additions and 1,639 deletions.
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -104,9 +104,9 @@ private import codeql.mad.ModelValidation as SharedModelVal
  * Extend this class to include experimental model rows with `this` name
  * in data flow analysis.
  */
-abstract class ActiveExperimentalModels extends string {
+abstract private class ActiveExperimentalModelsInternal extends string {
   bindingset[this]
-  ActiveExperimentalModels() { any() }
+  ActiveExperimentalModelsInternal() { any() }
 
   /**
    * Holds if an experimental source model exists for the given parameters.
@@ -142,6 +142,8 @@ abstract class ActiveExperimentalModels extends string {
   }
 }
 
+deprecated class ActiveExperimentalModels = ActiveExperimentalModelsInternal;
+
 /** Holds if a source model exists for the given parameters. */
 predicate sourceModel(
   string package, string type, boolean subtypes, string name, string signature, string ext,
@@ -151,7 +153,7 @@ predicate sourceModel(
     Extensions::sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance,
       madId)
     or
-    any(ActiveExperimentalModels q)
+    any(ActiveExperimentalModelsInternal q)
         .sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, madId)
   )
 }
@@ -165,7 +167,7 @@ predicate sinkModel(
     Extensions::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance,
       madId)
     or
-    any(ActiveExperimentalModels q)
+    any(ActiveExperimentalModelsInternal q)
         .sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId)
   )
 }
@@ -179,7 +181,7 @@ predicate summaryModel(
     Extensions::summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
       provenance, madId)
     or
-    any(ActiveExperimentalModels q)
+    any(ActiveExperimentalModelsInternal q)
         .summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
           provenance, madId)
   )

diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll
@@ -34,6 +34,11 @@ extensible predicate neutralModel(
 );
 
 /**
+ * INTERNAL: Do not use.
+ *
+ * DEPRECATED: This predicate is only intended for adding models used by experimental queries.
+ * This predicate will be deleted in the future.
+ *
  * Holds if an experimental source model exists for the given parameters.
  * This is only for experimental queries.
  */
@@ -43,6 +48,11 @@ extensible predicate experimentalSourceModel(
 );
 
 /**
+ * INTERNAL: Do not use.
+ *
+ * DEPRECATED: This predicate is only intended for adding models used by experimental queries.
+ * This predicate will be deleted in the future.
+ *
  * Holds if an experimental sink model exists for the given parameters.
  * This is only for experimental queries.
  */
@@ -52,6 +62,11 @@ extensible predicate experimentalSinkModel(
 );
 
 /**
+ * INTERNAL: Do not use.
+ *
+ * DEPRECATED: This predicate is only intended for adding models used by experimental queries.
+ * This predicate will be deleted in the future.
+ *
  * Holds if an experimental summary model exists for the given parameters.
  * This is only for experimental queries.
  */

diff --git a/java/ql/src/change-notes/2024-12-17-experimental-queries.md b/java/ql/src/change-notes/2024-12-17-experimental-queries.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* All *experimental* queries have been deprecated. The queries are instead available as part of the *default* query suite in [CodeQL-Community-Packs](https://github.com/GitHubSecurityLab/CodeQL-Community-Packs).
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql b/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
@@ -111,9 +111,11 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
   )
 }
 
-from SpringBootPom pom, ApplicationProperties ap, Dependency d
-where
-  hasConfidentialEndPointExposed(pom, ap) and
-  d = pom.getADependency() and
-  d.getArtifact().getValue() = "spring-boot-starter-actuator"
-select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+deprecated query predicate problems(Dependency d, string message) {
+  exists(SpringBootPom pom |
+    hasConfidentialEndPointExposed(pom, _) and
+    d = pom.getADependency() and
+    d.getArtifact().getValue() = "spring-boot-starter-actuator"
+  ) and
+  message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql
@@ -12,8 +12,9 @@
  */
 
 import java
-import SpringBootActuators
+deprecated import SpringBootActuators
 
-from PermitAllCall permitAllCall
-where permitAllCall.permitsSpringBootActuators()
-select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
+deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
+  permitAllCall.permitsSpringBootActuators() and
+  message = "Unauthenticated access to Spring Boot actuator is allowed."
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll b/java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll
@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 
 /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */

diff --git a/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
@@ -22,7 +22,7 @@ import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.Sanitizers
 import Log4jInjectionFlow::PathGraph
 
-private class ActivateModels extends ActiveExperimentalModels {
+deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "log4j-injection" }
 }
 
@@ -52,7 +52,13 @@ module Log4jInjectionConfig implements DataFlow::ConfigSig {
  */
 module Log4jInjectionFlow = TaintTracking::Global<Log4jInjectionConfig>;
 
-from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink
-where Log4jInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  Log4jInjectionFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "Log4j log entry depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql b/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
@@ -17,7 +17,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
 import RemoteUrlToOpenStreamFlow::PathGraph
 
-private class ActivateModels extends ActiveExperimentalModels {
+deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "openstream-called-on-tainted-url" }
 }
 
@@ -53,11 +53,11 @@ module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
 
 module RemoteUrlToOpenStreamFlow = TaintTracking::Global<RemoteUrlToOpenStreamFlowConfig>;
 
-from
-  RemoteUrlToOpenStreamFlow::PathNode source, RemoteUrlToOpenStreamFlow::PathNode sink,
-  MethodCall call
-where
+deprecated query predicate problems(
+  MethodCall call, RemoteUrlToOpenStreamFlow::PathNode source,
+  RemoteUrlToOpenStreamFlow::PathNode sink, string message
+) {
   sink.getNode().asExpr() = call.getQualifier() and
-  RemoteUrlToOpenStreamFlow::flowPath(source, sink)
-select call, source, sink,
-  "URL on which openStream is called may have been constructed from remote source."
+  RemoteUrlToOpenStreamFlow::flowPath(source, sink) and
+  message = "URL on which openStream is called may have been constructed from remote source."
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
@@ -17,12 +17,12 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.TaintedPathQuery
-import JFinalController
+deprecated import JFinalController
 import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.security.Sanitizers
 import InjectFilePathFlow::PathGraph
 
-private class ActivateModels extends ActiveExperimentalModels {
+deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "file-path-injection" }
 }
 
@@ -66,7 +66,13 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
 
 module InjectFilePathFlow = TaintTracking::Global<InjectFilePathConfig>;
 
-from InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink
-where InjectFilePathFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "External control of file name or path due to $@.",
-  source.getNode(), "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  InjectFilePathFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "External control of file name or path due to $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll b/java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll
@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 private import semmle.code.java.dataflow.FlowSources
 

diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
@@ -11,15 +11,21 @@
  *       external/cwe/cwe-078
  */
 
-import CommandInjectionRuntimeExec
-import ExecUserFlow::PathGraph
+deprecated import CommandInjectionRuntimeExec
+deprecated import ExecUserFlow::PathGraph
 
-class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
+deprecated class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
-from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
-  DataFlow::Node sinkCmd
-where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
-select sink, source, sink,
-  "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+deprecated query predicate problems(
+  ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
+  string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
+  string message3
+) {
+  callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, _) and
+  sink0 = sink and
+  message1 =
+    "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
+  message2 = sourceCmd.toString() and
+  sourceNode = source.getNode() and
+  message3 = source.toString()
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll
@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 import semmle.code.java.dataflow.DataFlow

diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql b/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
@@ -12,15 +12,21 @@
  *       external/cwe/cwe-078
  */
 
-import CommandInjectionRuntimeExec
-import ExecUserFlow::PathGraph
+deprecated import CommandInjectionRuntimeExec
+deprecated import ExecUserFlow::PathGraph
 
-class LocalSource extends Source instanceof LocalUserInput { }
+deprecated class LocalSource extends Source instanceof LocalUserInput { }
 
-from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
-  DataFlow::Node sinkCmd
-where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
-select sink, source, sink,
-  "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+deprecated query predicate problems(
+  ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
+  string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
+  string message3
+) {
+  callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, _) and
+  sink0 = sink and
+  message1 =
+    "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
+  message2 = sourceCmd.toString() and
+  sourceNode = source.getNode() and
+  message3 = source.toString()
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql b/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
@@ -13,17 +13,23 @@
  */
 
 import java
+import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.security.CommandLineQuery
 import InputToArgumentToExecFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow
 
-private class ActivateModels extends ActiveExperimentalModels {
+deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "jsch-os-injection" }
 }
 
 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
-from
-  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
-where execIsTainted(source, sink, execArg)
-select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  Expr execArg, InputToArgumentToExecFlow::PathNode source,
+  InputToArgumentToExecFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
+  string message2
+) {
+  execIsTainted(source, sink, execArg) and
+  message1 = "This command line depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
@@ -13,14 +13,13 @@
  */
 
 import java
-import MyBatisCommonLib
-import MyBatisAnnotationSqlInjectionLib
+deprecated import MyBatisAnnotationSqlInjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.Sanitizers
-import MyBatisAnnotationSqlInjectionFlow::PathGraph
+deprecated import MyBatisAnnotationSqlInjectionFlow::PathGraph
 
-private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
+deprecated private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
@@ -37,22 +36,27 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi
   }
 }
 
-private module MyBatisAnnotationSqlInjectionFlow =
+deprecated private module MyBatisAnnotationSqlInjectionFlow =
   TaintTracking::Global<MyBatisAnnotationSqlInjectionConfig>;
 
-from
-  MyBatisAnnotationSqlInjectionFlow::PathNode source,
-  MyBatisAnnotationSqlInjectionFlow::PathNode sink, IbatisSqlOperationAnnotation isoa,
-  MethodCall ma, string unsafeExpression
-where
-  MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
-  ma.getAnArgument() = sink.getNode().asExpr() and
-  myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
-  unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
-  (
-    isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression) or
-    isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression)
-  )
-select sink.getNode(), source, sink,
-  "MyBatis annotation SQL injection might include code from $@ to $@.", source.getNode(),
-  "this user input", isoa, "this SQL operation"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, MyBatisAnnotationSqlInjectionFlow::PathNode source,
+  MyBatisAnnotationSqlInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
+  string message2, IbatisSqlOperationAnnotation isoa, string message3
+) {
+  exists(MethodCall ma, string unsafeExpression |
+    MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
+    ma.getAnArgument() = sinkNode.asExpr() and
+    myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
+    unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
+    (
+      isMybatisXmlOrAnnotationSqlInjection(sinkNode, ma, unsafeExpression) or
+      isMybatisCollectionTypeSqlInjection(sinkNode, ma, unsafeExpression)
+    )
+  ) and
+  sinkNode = sink.getNode() and
+  message1 = "MyBatis annotation SQL injection might include code from $@ to $@." and
+  sourceNode = source.getNode() and
+  message2 = "this user input" and
+  message3 = "this SQL operation"
+}
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll
@@ -1,6 +1,7 @@
 /**
  * Provides classes for SQL injection detection regarding MyBatis annotated methods.
  */
+deprecated module;
 
 import java
 import MyBatisCommonLib

diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll
@@ -1,6 +1,7 @@
 /**
  * Provides public classes for MyBatis SQL injection detection.
  */
+deprecated module;
 
 import java
 import semmle.code.xml.MyBatisMapperXML