Java: Convert hardcoded-jwt-key models to data extensions.

Author: michaelnebel

java/ql/lib/ext/experimental/com.auth0.jwt.interfaces.model.yml

@@ -0,0 +1,19 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: extExperimentalSummaryModel
+    data:
+      - ["com.auth0.jwt.interfaces", "Verification", True, "acceptExpiresAt", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "acceptIssuedAt", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "acceptLeeway", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "acceptNotBefore", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "build", "", "", "Argument[-1]", "ReturnValue", "taint", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "ignoreIssuedAt", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withAnyOfAudience", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withArrayClaim", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withAudience", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withClaim", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withClaimPresence", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withIssuer", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withJWTId", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]
+      - ["com.auth0.jwt.interfaces", "Verification", True, "withSubject", "", "", "Argument[-1]", "ReturnValue", "value", "manual", "hardcoded-jwt-key"]

java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.qll

@@ -6,6 +6,10 @@ import java
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 
+private class ActivateModels extends ActiveExperimentalModels {
+  ActivateModels() { this = "hardcoded-jwt-key" }
+}
+
 /** The class `com.auth0.jwt.JWT`. */
 class Jwt extends RefType {
   Jwt() { this.hasQualifiedName("com.auth0.jwt", "JWT") }
@@ -125,21 +129,3 @@ class HardcodedJwtKeyConfiguration extends TaintTracking::Configuration {
     )
   }
 }
-
-/** Taint model related to verifying JWT tokens. */
-private class VerificationFlowStep extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "com.auth0.jwt.interfaces;Verification;true;build;;;Argument[-1];ReturnValue;taint;manual",
-        "com.auth0.jwt.interfaces;Verification;true;" +
-          ["acceptLeeway", "acceptExpiresAt", "acceptNotBefore", "acceptIssuedAt", "ignoreIssuedAt"]
-          + ";;;Argument[-1];ReturnValue;value;manual",
-        "com.auth0.jwt.interfaces;Verification;true;with" +
-          [
-            "Issuer", "Subject", "Audience", "AnyOfAudience", "ClaimPresence", "Claim",
-            "ArrayClaim", "JWTId"
-          ] + ";;;Argument[-1];ReturnValue;value;manual"
-      ]
-  }
-}