Eliminate false positives\

haby0 · haby0 · commit 711a74c9c9a4 · 2021-04-30T10:31:40.000+08:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll b/java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll
@@ -41,10 +41,12 @@ private class CompareSink extends UseOfLessTrustedSink {
       ma.getMethod().getNumberOfParameters() = 1 and
       (
         ma.getArgument(0) = this.asExpr() and
-        ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
+        ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and
+        not ma.getQualifier().(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"
         or
         ma.getQualifier() = this.asExpr() and
-        ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
+        ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and
+        not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"
       )
     )
     or
@@ -79,7 +81,8 @@ private class CompareSink extends UseOfLessTrustedSink {
           .hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and
       ma.getMethod().getNumberOfParameters() = 2 and
       ma.getAnArgument() = this.asExpr() and
-      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName
+      ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and
+      not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -41,10 +41,12 @@ private class CompareSink extends UseOfLessTrustedSink {`
`41`	`41`	`ma.getMethod().getNumberOfParameters() = 1 and`
`42`	`42`	`(`
`43`	`43`	`ma.getArgument(0) = this.asExpr() and`
`44`		`- ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName`
	`44`	`+ ma.getQualifier().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and`
	`45`	`+ not ma.getQualifier().(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"`
`45`	`46`	`or`
`46`	`47`	`ma.getQualifier() = this.asExpr() and`
`47`		`- ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName`
	`48`	`+ ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and`
	`49`	`+ not ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"`
`48`	`50`	`)`
`49`	`51`	`)`
`50`	`52`	`or`
`@@ -79,7 +81,8 @@ private class CompareSink extends UseOfLessTrustedSink {`
`79`	`81`	`.hasQualifiedName(["org.apache.commons.lang3", "org.apache.commons.lang"], "StringUtils") and`
`80`	`82`	`ma.getMethod().getNumberOfParameters() = 2 and`
`81`	`83`	`ma.getAnArgument() = this.asExpr() and`
`82`		`- ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName`
	`84`	`+ ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() instanceof PrivateHostName and`
	`85`	`+ not ma.getAnArgument().(CompileTimeConstantExpr).getStringValue() = "0:0:0:0:0:0:0:1"`
`83`	`86`	`)`
`84`	`87`	`}`
`85`	`88`	`}`