Java: Deprecate experimental queries.

Author: michaelnebel

java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql

@@ -111,9 +111,11 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
   )
 }
 
-from SpringBootPom pom, ApplicationProperties ap, Dependency d
-where
-  hasConfidentialEndPointExposed(pom, ap) and
-  d = pom.getADependency() and
-  d.getArtifact().getValue() = "spring-boot-starter-actuator"
-select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+deprecated query predicate problems(Dependency d, string message) {
+  exists(SpringBootPom pom |
+    hasConfidentialEndPointExposed(pom, _) and
+    d = pom.getADependency() and
+    d.getArtifact().getValue() = "spring-boot-starter-actuator"
+  ) and
+  message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+}

java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql

@@ -12,8 +12,9 @@
  */
 
 import java
-import SpringBootActuators
+deprecated import SpringBootActuators
 
-from PermitAllCall permitAllCall
-where permitAllCall.permitsSpringBootActuators()
-select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
+deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
+  permitAllCall.permitsSpringBootActuators() and
+  message = "Unauthenticated access to Spring Boot actuator is allowed."
+}

java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 
 /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */

java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

@@ -52,7 +52,13 @@ module Log4jInjectionConfig implements DataFlow::ConfigSig {
  */
 module Log4jInjectionFlow = TaintTracking::Global<Log4jInjectionConfig>;
 
-from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink
-where Log4jInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  Log4jInjectionFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "Log4j log entry depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

@@ -53,11 +53,11 @@ module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
 
 module RemoteUrlToOpenStreamFlow = TaintTracking::Global<RemoteUrlToOpenStreamFlowConfig>;
 
-from
-  RemoteUrlToOpenStreamFlow::PathNode source, RemoteUrlToOpenStreamFlow::PathNode sink,
-  MethodCall call
-where
+deprecated query predicate problems(
+  MethodCall call, RemoteUrlToOpenStreamFlow::PathNode source,
+  RemoteUrlToOpenStreamFlow::PathNode sink, string message
+) {
   sink.getNode().asExpr() = call.getQualifier() and
-  RemoteUrlToOpenStreamFlow::flowPath(source, sink)
-select call, source, sink,
-  "URL on which openStream is called may have been constructed from remote source."
+  RemoteUrlToOpenStreamFlow::flowPath(source, sink) and
+  message = "URL on which openStream is called may have been constructed from remote source."
+}

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -17,7 +17,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.TaintedPathQuery
-import JFinalController
+deprecated import JFinalController
 import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.security.Sanitizers
 import InjectFilePathFlow::PathGraph
@@ -66,7 +66,13 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
 
 module InjectFilePathFlow = TaintTracking::Global<InjectFilePathConfig>;
 
-from InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink
-where InjectFilePathFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "External control of file name or path due to $@.",
-  source.getNode(), "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  InjectFilePathFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "External control of file name or path due to $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 private import semmle.code.java.dataflow.FlowSources
 

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql

@@ -11,15 +11,21 @@
  *       external/cwe/cwe-078
  */
 
-import CommandInjectionRuntimeExec
-import ExecUserFlow::PathGraph
+deprecated import CommandInjectionRuntimeExec
+deprecated import ExecUserFlow::PathGraph
 
-class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
+deprecated class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
-from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
-  DataFlow::Node sinkCmd
-where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
-select sink, source, sink,
-  "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+deprecated query predicate problems(
+  ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
+  string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
+  string message3
+) {
+  callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, _) and
+  sink0 = sink and
+  message1 =
+    "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
+  message2 = sourceCmd.toString() and
+  sourceNode = source.getNode() and
+  message3 = source.toString()
+}

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 import semmle.code.java.dataflow.DataFlow

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql

@@ -12,15 +12,21 @@
  *       external/cwe/cwe-078
  */
 
-import CommandInjectionRuntimeExec
-import ExecUserFlow::PathGraph
+deprecated import CommandInjectionRuntimeExec
+deprecated import ExecUserFlow::PathGraph
 
-class LocalSource extends Source instanceof LocalUserInput { }
+deprecated class LocalSource extends Source instanceof LocalUserInput { }
 
-from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
-  DataFlow::Node sinkCmd
-where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
-select sink, source, sink,
-  "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+deprecated query predicate problems(
+  ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
+  string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
+  string message3
+) {
+  callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, _) and
+  sink0 = sink and
+  message1 =
+    "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
+  message2 = sourceCmd.toString() and
+  sourceNode = source.getNode() and
+  message3 = source.toString()
+}