feat(java): Update all MethodAccess predicate

GeekMasher · GeekMasher · commit 55cd2a219876 · 2024-06-13T19:41:38.000+01:00
diff --git a/java/lib/ResearchMode.qll b/java/lib/ResearchMode.qll
@@ -38,7 +38,7 @@ class FieldTaintStep extends TaintTracking::AdditionalTaintStep {
 class NotifyWaitTaintStep extends TaintTracking::AdditionalTaintStep {
   override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
     exists(
-      MethodAccess notify, RefType t, MethodAccess wait, SynchronizedStmt notifySync,
+      MethodCall notify, RefType t, MethodCall wait, SynchronizedStmt notifySync,
       SynchronizedStmt waitSync
     |
       notify.getMethod().getName() = ["notify", "notifyAll"] and
@@ -65,7 +65,7 @@ class NotifyWaitTaintStep extends TaintTracking::AdditionalTaintStep {
  */
 class ExceptionTaintStep extends TaintTracking::AdditionalTaintStep {
   override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-    exists(Call call, TryStmt t, CatchClause c, MethodAccess gm |
+    exists(Call call, TryStmt t, CatchClause c, MethodCall gm |
       call.getEnclosingStmt().getEnclosingStmt*() = t.getBlock() and
       t.getACatchClause() = c and
       (
@@ -85,7 +85,7 @@ class ExceptionTaintStep extends TaintTracking::AdditionalTaintStep {
  */
 private class GetterTaintStep extends TaintTracking::AdditionalTaintStep {
   override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-    exists(MethodAccess ma, Method m |
+    exists(MethodCall ma, Method m |
       ma.getMethod() = m and
       m.getName().matches("get%") and
       m.getNumberOfParameters() = 0 and
@@ -97,7 +97,7 @@ private class GetterTaintStep extends TaintTracking::AdditionalTaintStep {
 /*
  * private class SetterTaintStep extends TaintTracking::AdditionalTaintStep {
  *  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
- *    exists(MethodAccess ma, Method m |
+ *    exists(MethodCall ma, Method m |
  *      ma.getMethod() = m and
  *      m.getName().matches("set%") and
  *      m.getNumberOfParameters() = 1 and
@@ -110,8 +110,8 @@ private class GetterTaintStep extends TaintTracking::AdditionalTaintStep {
  *
  * class GlobalSanitizer extends TaintTracking::Sanitizer {
  *  override predicate sanitize(DataFlow::Node node) {
- *    node.asExpr().(MethodAccess).getMethod().hasName("getInputStream") or
- *    node.asExpr().(MethodAccess).getMethod().hasName("getHostName")
+ *    node.asExpr().(MethodCall).getMethod().hasName("getInputStream") or
+ *    node.asExpr().(MethodCall).getMethod().hasName("getHostName")
  *  }
  * }
  */
diff --git a/java/lib/applications/Dubbo.qll b/java/lib/applications/Dubbo.qll
@@ -21,7 +21,7 @@ module Dubbo {
 
   class CodecSupportGetPayload extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .getDeclaringType()
             .hasQualifiedName("org.apache.dubbo.remoting.transport", "CodecSupport") and
@@ -34,7 +34,7 @@ module Dubbo {
 
   class CodecSupportDeserialize extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .getDeclaringType()
             .hasQualifiedName("org.apache.dubbo.remoting.transport", "CodecSupport") and
@@ -58,7 +58,7 @@ module Dubbo {
 
   class ChannelBuffer_ThisReturn_TaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .getDeclaringType()
             .getASourceSupertype*()
@@ -72,7 +72,7 @@ module Dubbo {
 
   class ChannelBuffer_ThisArg1_TaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .getDeclaringType()
             .getASourceSupertype*()
@@ -86,7 +86,7 @@ module Dubbo {
 
   class ChannelBuffer_ThisArg0_TaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .getDeclaringType()
             .getASourceSupertype*()
@@ -100,7 +100,7 @@ module Dubbo {
 
   class ChannelBuffer_ArgThis1_TaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .getDeclaringType()
             .getASourceSupertype*()
@@ -114,7 +114,7 @@ module Dubbo {
 
   class ChannelBuffer_ArgThis0_TaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .getDeclaringType()
             .getASourceSupertype*()
diff --git a/java/lib/frameworks/GoogleGuavaCache.qll b/java/lib/frameworks/GoogleGuavaCache.qll
@@ -38,7 +38,7 @@ module GuavaCache {
    */
   class LoadCacheItemTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma1, MethodAccess ma2, VarAccess va |
+      exists(MethodCall ma1, MethodCall ma2, VarAccess va |
         ma1.getMethod() instanceof GetFromCacheMethod and
         ma2.getMethod() instanceof BuildCacheLoaderMethod and
         exists(Method m |
diff --git a/java/lib/frameworks/Protobuf.qll b/java/lib/frameworks/Protobuf.qll
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
 module Protobuf {
   class ProtoToCoreTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod().getName().matches("toCore%") and
         n2.asExpr() = ma and
         n1.asExpr() = ma.getArgument(0)
@@ -13,7 +13,7 @@ module Protobuf {
 
   class ByteStringThisReturnTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         //ma.getMethod().getName().matches(["toByteArray", "toString", "toStringUtf8", "substring", "concat", "asReadOnlyByteBuffer", "asReadOnlyByteBufferList"]) and
         ma.getMethod().getName().matches("toByteArray") and
         ma.getMethod()
@@ -29,7 +29,7 @@ module Protobuf {
 
   class ByteStringArgReturnTaintStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod().getName().matches(["readFrom", "copyFrom", "concat"]) and
         ma.getMethod()
             .getDeclaringType()
@@ -44,7 +44,7 @@ module Protobuf {
 
   class RemoteSource extends RemoteFlowSource {
     RemoteSource() {
-      exists(MethodAccess ma, Method m |
+      exists(MethodCall ma, Method m |
         ma.getMethod() = m and
         m.getName().matches("get%") and
         m.getDeclaringType()
diff --git a/java/lib/ghsl/BeanManipulation.qll b/java/lib/ghsl/BeanManipulation.qll
@@ -40,7 +40,7 @@ class SetPropertyMethod extends Method {
 
 class BeanManipulationSink extends DataFlow::ExprNode {
   BeanManipulationSink() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod() instanceof SetPropertyMethod and
       this.getExpr() = ma.getAnArgument()
     )
diff --git a/java/lib/ghsl/Encoding.qll b/java/lib/ghsl/Encoding.qll
@@ -11,7 +11,7 @@ module Base64 {
   // codeql/java/ql/lib/semmle/code/java/security/HardcodedCredentialsApiCallQuery.qll
   class Encoders extends Base64::Encoding {
     Encoders() {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .hasQualifiedName([
                 "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
@@ -29,7 +29,7 @@ module Base64 {
 
   class Decoders extends Base64::Decoding {
     Decoders() {
-      exists(MethodAccess ma |
+      exists(MethodCall ma |
         ma.getMethod()
             .hasQualifiedName([
                 "java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
diff --git a/java/lib/ghsl/LocalSources.qll b/java/lib/ghsl/LocalSources.qll
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources
 
 class FileReadAccess extends LocalUserInput {
   FileReadAccess() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       // https://docs.oracle.com/javase/8/docs/api/java/lang/Class.html#getResourceAsStream-java.lang.String-
       (
         ma.getMethod().hasQualifiedName("java.lang", "Class", "getResourceAsStream") or
diff --git a/java/lib/ghsl/Logging.qll b/java/lib/ghsl/Logging.qll
@@ -8,7 +8,7 @@ abstract class LoggingMethodsSinks extends DataFlow::Node { }
 // TODO: Use the exists libs in CodeQL to extend this
 class PrintMethods extends LoggingMethodsSinks {
   PrintMethods() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod().getDeclaringType().hasQualifiedName("java.io", _) and
       (
         ma.getMethod().hasName("println") or
@@ -50,7 +50,7 @@ class Log4jLoggerType extends LoggerType {
 
 class LoggingMethods extends LoggingMethodsSinks {
   LoggingMethods() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod().getDeclaringType() instanceof LoggerType and
       (
         ma.getMethod().hasName("debug") or
diff --git a/java/lib/ghsl/SensitiveInformation.qll b/java/lib/ghsl/SensitiveInformation.qll
@@ -7,7 +7,7 @@ abstract class SensitiveInformationSources extends DataFlow::Node { }
 
 class HttpSession extends SensitiveInformationSources {
   HttpSession() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       // https://docs.oracle.com/javaee/5/api/javax/servlet/http/HttpSession.html
       // Assumption: Nothing from the Session object should be logged
       ma.getMethod().getDeclaringType().hasQualifiedName("javax.servlet.http", "HttpSession") and
@@ -18,7 +18,7 @@ class HttpSession extends SensitiveInformationSources {
 
 class Properties extends SensitiveInformationSources {
   Properties() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod().hasName("getProperty") and
       this.asExpr() = ma
     )
diff --git a/java/src/CVEs/CVE-2022-22965.ql b/java/src/CVEs/CVE-2022-22965.ql
@@ -32,7 +32,7 @@ private module Spring4ShellConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node n) {
     n.getLocation().getFile().getRelativePath().matches(["%test%", "%mock%"])
     or
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod().hasName("toString") and DataFlow::getInstanceArgument(ma) = n
     )
   }
diff --git a/java/src/CVEs/CVE-2022-33980.ql b/java/src/CVEs/CVE-2022-33980.ql
@@ -16,7 +16,7 @@ private module ACCInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m and ma.getAnArgument() = sink.asExpr() |
+    exists(MethodCall ma, Method m | ma.getMethod() = m and ma.getAnArgument() = sink.asExpr() |
       m.getName() = ["addProperty", "setProperty"] and
       m.getDeclaringType()
           .getASourceSupertype*()
diff --git a/java/src/CVEs/CVE-2022-42889.ql b/java/src/CVEs/CVE-2022-42889.ql
@@ -16,7 +16,7 @@ private module ACTInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m and ma.getAnArgument() = sink.asExpr() |
+    exists(MethodCall ma, Method m | ma.getMethod() = m and ma.getAnArgument() = sink.asExpr() |
       m.getName() = "replace" and
       m.getDeclaringType()
           .getASourceSupertype*()
diff --git a/java/src/audit/CWE-079/XSSJSPLenient.ql b/java/src/audit/CWE-079/XSSJSPLenient.ql
@@ -39,7 +39,7 @@ class XSSConfig extends TaintTracking::Configuration {
 class ServletRequestSource extends RemoteFlowSource {
   ServletRequestSource() {
     exists(Method m |
-      this.asExpr().(MethodAccess).getMethod() = m and
+      this.asExpr().(MethodCall).getMethod() = m and
       m.getDeclaringType().getAnAncestor*().getQualifiedName() = "javax.servlet.ServletRequest"
     )
   }
@@ -50,7 +50,7 @@ class ServletRequestSource extends RemoteFlowSource {
 // Additional taint step: If an object is tainted, so are its methods' return values
 class TaintedObjectMA extends XssAdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    node1.asExpr() = node2.asExpr().(MethodAccess).getQualifier()
+    node1.asExpr() = node2.asExpr().(MethodCall).getQualifier()
   }
 }
 
@@ -115,7 +115,7 @@ class JSPTaintStep extends XssAdditionalTaintStep {
   }
 }
 
-MethodAccess methodCallOn(string methodName, Variable v) {
+MethodCall methodCallOn(string methodName, Variable v) {
   result.getQualifier() = v.getAnAccess() and result.getCallee().getName() = methodName
 }
 
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExecLocal.ql
@@ -19,9 +19,8 @@ class LocalSource extends Source {
 }
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf,
-  MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd,
-  ExecTaintConfiguration confCmd
+  DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf, MethodCall call,
+  DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd
 where
   call.getMethod() instanceof RuntimeExecMethod and
   // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExecTest.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExecTest.ql
@@ -19,7 +19,7 @@ class DataSource extends Source {
 }
 
 from
-  DataFlow::Node source, DataFlow::Node sink, ExecTaintConfiguration2 conf, MethodAccess call,
+  DataFlow::Node source, DataFlow::Node sink, ExecTaintConfiguration2 conf, MethodCall call,
   int index, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd
 where
   call.getMethod() instanceof RuntimeExecMethod and
diff --git a/java/src/security/CWE-078/CommandInjectionRuntimeExecTestPath.ql b/java/src/security/CWE-078/CommandInjectionRuntimeExecTestPath.ql
@@ -20,9 +20,8 @@ class DataSource extends Source {
 }
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf,
-  MethodAccess call, DataFlow::Node sourceCmd, DataFlow::Node sinkCmd,
-  ExecTaintConfiguration confCmd
+  DataFlow::PathNode source, DataFlow::PathNode sink, ExecTaintConfiguration2 conf, MethodCall call,
+  DataFlow::Node sourceCmd, DataFlow::Node sinkCmd, ExecTaintConfiguration confCmd
 where
   call.getMethod() instanceof RuntimeExecMethod and
   // this is a command-accepting call to exec, e.g. rt.exec(new String[]{"/bin/sh", ...})
diff --git a/java/src/security/CWE-094/GroovyCodeInjection.ql b/java/src/security/CWE-094/GroovyCodeInjection.ql
@@ -37,7 +37,7 @@ class ParseClassMethod extends Method {
 
 class GroovyCodeInjectionSink extends DataFlow::ExprNode {
   GroovyCodeInjectionSink() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod() instanceof ParseClassMethod and
       this.getExpr() = ma.getArgument(0)
     )
diff --git a/java/src/security/CWE-094/RhinoScriptInjection.ql b/java/src/security/CWE-094/RhinoScriptInjection.ql
@@ -39,7 +39,7 @@ class CompileScriptMethod extends Method {
 
 class RhinoInjectionSink extends DataFlow::ExprNode {
   RhinoInjectionSink() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       (ma.getMethod() instanceof CompileMethod or ma.getMethod() instanceof EvaluateMethod) and
       this.getExpr() = ma.getArgument(1)
       or
diff --git a/java/src/security/CWE-094/RubyScriptInjection.ql b/java/src/security/CWE-094/RubyScriptInjection.ql
@@ -16,7 +16,7 @@ import RubyScriptInjectionFlow::PathGraph
 
 class BSFSink extends DataFlow::ExprNode {
   BSFSink() {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+    exists(MethodCall ma, Method m | ma.getMethod() = m |
       m.getName() = ["exec", "eval", "compileScript", "compileExpr", "compileApply"] and
       m.getDeclaringType().hasQualifiedName("org.apache.bsf", "BSFManager") and
       this.getExpr() = ma.getAnArgument()
@@ -26,7 +26,7 @@ class BSFSink extends DataFlow::ExprNode {
 
 class JRubySink extends DataFlow::ExprNode {
   JRubySink() {
-    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+    exists(MethodCall ma, Method m | ma.getMethod() = m |
       m.getName() = ["runScriptlet", "parse"] and
       m.getDeclaringType().hasQualifiedName("org.jruby.embed", "ScriptingContainer") and
       this.getExpr() = ma.getAnArgument()
diff --git a/java/src/security/CWE-326/Base64Encryption.ql b/java/src/security/CWE-326/Base64Encryption.ql
@@ -21,7 +21,7 @@ import ghsl.SensitiveInformation
 
 class Base64Sinks extends DataFlow::Node {
   Base64Sinks() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod().getDeclaringType().hasQualifiedName("java.util", "Base64$Encoder") and
       this.asExpr() = ma
     )
@@ -46,4 +46,3 @@ from Base64EncryptionFlow::PathNode source, Base64EncryptionFlow::PathNode sink
 where Base64EncryptionFlow::flowPath(source, sink) //using flowPath instead of hasFlowPath
 select sink.getNode(), source, sink, "Sensitive data is being 'encrypted' with Base64 Encoding: $@",
   source.getNode(), "user-provided value"
-
diff --git a/java/src/security/CWE-338/WeakPRNG.ql b/java/src/security/CWE-338/WeakPRNG.ql
@@ -21,7 +21,7 @@ abstract class RandomNumberGeneratorSinks extends DataFlow::Node { }
 
 class MathRandom extends RandomNumberGeneratorSinks {
   MathRandom() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Math") and
       ma.getMethod().getName() = "random" and
       this.asExpr() = ma
@@ -31,7 +31,7 @@ class MathRandom extends RandomNumberGeneratorSinks {
 
 class RandomUtils extends RandomNumberGeneratorSinks {
   RandomUtils() {
-    exists(MethodAccess ma |
+    exists(MethodCall ma |
       ma.getMethod().getDeclaringType().hasQualifiedName("java.util", "Random") and
       (
         ma.getMethod().getName() = "next" or

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ class SetPropertyMethod extends Method {`
`40`	`40`
`41`	`41`	`class BeanManipulationSink extends DataFlow::ExprNode {`
`42`	`42`	`BeanManipulationSink() {`
`43`		`- exists(MethodAccess ma \|`
	`43`	`+ exists(MethodCall ma \|`
`44`	`44`	`ma.getMethod() instanceof SetPropertyMethod and`
`45`	`45`	`this.getExpr() = ma.getAnArgument()`
`46`	`46`	`)`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.FlowSources`
`3`	`3`
`4`	`4`	`class FileReadAccess extends LocalUserInput {`
`5`	`5`	`FileReadAccess() {`
`6`		`- exists(MethodAccess ma \|`
	`6`	`+ exists(MethodCall ma \|`
`7`	`7`	`// https://docs.oracle.com/javase/8/docs/api/java/lang/Class.html#getResourceAsStream-java.lang.String-`
`8`	`8`	`(`
`9`	`9`	`ma.getMethod().hasQualifiedName("java.lang", "Class", "getResourceAsStream") or`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,7 @@ private module Spring4ShellConfig implements DataFlow::ConfigSig {`
`32`	`32`	`predicate isBarrier(DataFlow::Node n) {`
`33`	`33`	`n.getLocation().getFile().getRelativePath().matches(["%test%", "%mock%"])`
`34`	`34`	`or`
`35`		`- exists(MethodAccess ma \|`
	`35`	`+ exists(MethodCall ma \|`
`36`	`36`	`ma.getMethod().hasName("toString") and DataFlow::getInstanceArgument(ma) = n`
`37`	`37`	`)`
`38`	`38`	`}`