Merge pull request #13978 from egregius313/egregius313/java/mad/convert-sensitive-api-to-mad

Java: Convert `SensitiveApi.qll` to use Models-as-Data

Author: egregius313

java/ql/lib/change-notes/2023-10-04-deprecated-sensitiveapi-predicates.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* In `SensitiveApi.qll`, `javaApiCallablePasswordParam`, `javaApiCallableUsernameParam`, `javaApiCallableCryptoKeyParam`, and `otherApiCallableCredentialParam` predicates have been deprecated. They have been replaced with a new class `CredentialsSinkNode` and its child classes `PasswordSink`, `UsernameSink`, and `CryptoKeySink`. The predicates have been changed to using the new classes, so there may be minor changes in results relying on these predicates.

java/ql/lib/ext/ch.ethz.ssh2.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["ch.ethz.ssh2", "Connection", False, "authenticateWithPassword", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["ch.ethz.ssh2", "Connection", False, "authenticateWithPassword", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]

java/ql/lib/ext/com.amazonaws.auth.model.yml

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.amazonaws.auth", "BasicAWSCredentials", False, "BasicAWSCredentials", "(String,String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.amazonaws.auth", "BasicAWSCredentials", False, "BasicAWSCredentials", "(String,String)", "", "Argument[1]", "credentials-key", "manual"]

java/ql/lib/ext/com.auth0.jwt.algorithms.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC256", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC256", "(byte[])", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC384", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC384", "(byte[])", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC512", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.auth0.jwt.algorithms", "Algorithm", False, "HMAC512", "(byte[])", "", "Argument[0]", "credentials-key", "manual"]

java/ql/lib/ext/com.azure.identity.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.azure.identity", "ClientSecretCredentialBuilder", False, "clientSecret", "(String)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.azure.identity", "UsernamePasswordCredentialBuilder", False, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.azure.identity", "UsernamePasswordCredentialBuilder", False, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]

java/ql/lib/ext/com.jcraft.jsch.model.yml

@@ -4,6 +4,10 @@ extensions:
       extensible: sinkModel
     data:
       - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[1]", "request-forgery", "ai-manual"]
+      - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.jcraft.jsch", "Session", False, "setPassword", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.jcraft.jsch", "Session", False, "setPassword", "(byte[])", "", "Argument[0]", "credentials-password", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel

java/ql/lib/ext/com.microsoft.sqlserver.jdbc.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "getConnection", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "getConnection", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "setPassword", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.microsoft.sqlserver.jdbc", "SQLServerDataSource", False, "setUser", "(String)", "", "Argument[0]", "credentials-username", "manual"]

java/ql/lib/ext/com.mongodb.model.yml

@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.mongodb", "MongoCredential", False, "createCredential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createCredential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createGSSAPICredential", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createMongoCRCredential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createMongoCRCredential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createMongoX509Credential", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createPlainCredential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createPlainCredential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createScramSha1Credential", "(String,String,char[])", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.mongodb", "MongoCredential", False, "createScramSha1Credential", "(String,String,char[])", "", "Argument[2]", "credentials-password", "manual"]

java/ql/lib/ext/com.sshtools.j2ssh.authentication.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sshtools.j2ssh.authentication", "PasswordAuthenticationClient", False, "setPassword", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.sshtools.j2ssh.authentication", "PasswordAuthenticationClient", True, "setUsername", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.sshtools.j2ssh.authentication", "SshAuthenticationClient", True, "setUsername", "(String)", "", "Argument[0]", "credentials-username", "manual"]

java/ql/lib/ext/com.sun.crypto.provider.model.yml

@@ -0,0 +1,24 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.crypto.provider", "JceKeyStore", False, "getPreKeyedHash", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.crypto.provider", "KeyProtector", False, "KeyProtector", "(char[])", "", "Argument[0]", "credentials-password", "hq-generated"]
+      - ["com.sun.crypto.provider", "CipherCore", False, "unwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESCrypt", False, "expandKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESKey", False, "DESKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESKey", False, "DESKey", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESKeyGenerator", False, "setParityBit", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESedeKey", False, "DESedeKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DESedeKey", False, "DESedeKey", "(byte[],int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DHPrivateKey", False, "DHPrivateKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "DHPublicKey", False, "DHPublicKey", "(byte[])", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "FeedbackCipher", True, "init", "(boolean,String,byte[],byte[])", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "GaloisCounterMode", False, "init", "(boolean,String,byte[],byte[])", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "GaloisCounterMode", False, "init", "(boolean,String,byte[],byte[],int)", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "PBECipherCore", False, "unwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "PBES1Core", False, "unwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "PKCS12PBECipherCore", False, "implUnwrap", "(byte[],String,int)", "", "Argument[0]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "SymmetricCipher", True, "init", "(boolean,String,byte[])", "", "Argument[2]", "credentials-key", "hq-generated"]
+      - ["com.sun.crypto.provider", "TlsMasterSecretGenerator$TlsMasterSecretKey", False, "TlsMasterSecretKey", "(byte[],int,int)", "", "Argument[0]", "credentials-key", "hq-generated"]