Java: Deprecate experimental queries. #18299
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
Fixed
Show fixed
Hide fixed
java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
Dismissed
Show dismissed
Hide dismissed
michaelnebel
force-pushed
the
java/deprecateexperimental
branch
2 times, most recently
from
fe1a2a1 to
3fa6d32
Compare
| sink0 = sink and | ||
| message1 = | ||
| "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and | ||
| message2 = sourceCmd.toString() and |
Check warning
Code scanning / CodeQL
Using 'toString' in query logic Warning
| "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and | ||
| message2 = sourceCmd.toString() and | ||
| sourceNode = source.getNode() and | ||
| message3 = source.toString() |
Check warning
Code scanning / CodeQL
Using 'toString' in query logic Warning
| sink0 = sink and | ||
| message1 = | ||
| "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and | ||
| message2 = sourceCmd.toString() and |
Check warning
Code scanning / CodeQL
Using 'toString' in query logic Warning
| "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and | ||
| message2 = sourceCmd.toString() and | ||
| sourceNode = source.getNode() and | ||
| message3 = source.toString() |
Check warning
Code scanning / CodeQL
Using 'toString' in query logic Warning
michaelnebel
force-pushed
the
java/deprecateexperimental
branch
2 times, most recently
from
a861f2f to
de27511
Compare
| import semmle.code.xml.MyBatisMapperXML | ||
| deprecated import MyBatisCommonLib | ||
| deprecated import MyBatisMapperXmlSqlInjectionLib | ||
| deprecated import semmle.code.xml.MyBatisMapperXML |
Check warning
Code scanning / CodeQL
Redundant import Warning
michaelnebel
force-pushed
the
java/deprecateexperimental
branch
from
1e92baa to
b9ed37d
Compare
| @@ -34,6 +34,8 @@ extensible predicate neutralModel( | |||
| ); | |||
|
|
|||
| /** | |||
| * DEPRECATED: Do not use. | |||
There was a problem hiding this comment.
Does experimentalSourceModel need a deprecated annotation?
Or should this QLDoc say INTERNAL: Do not use. instead?
| @@ -43,6 +45,8 @@ extensible predicate experimentalSourceModel( | |||
| ); | |||
|
|
|||
| /** | |||
| * DEPRECATED: Do not use. | |||
There was a problem hiding this comment.
Same question for experimentalSinkModel.
| @@ -52,6 +56,8 @@ extensible predicate experimentalSinkModel( | |||
| ); | |||
|
|
|||
| /** | |||
| * DEPRECATED: Do not use. | |||
There was a problem hiding this comment.
Same question for experimentalSummaryModel.
In this PR we deprecate all the Java experimental queries as they have been moved to the Code QL Community packs repo: https://github.com/GitHubSecurityLab/CodeQL-Community-Packs/
DCA looks good.