Add models of the javax.json package

Author: smowton

java/change-notes/2021-06-29-javax-json-models.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added models of `javax.json` classes and methods. This may lead to more results where tracking tainted dataflow across JSON encoding or decoding is needed to diagnose a security or other issue.

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -82,6 +82,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.JavaxJson
   private import semmle.code.java.frameworks.JaxWS
   private import semmle.code.java.frameworks.Optional
   private import semmle.code.java.frameworks.spring.SpringHttp

java/ql/src/semmle/code/java/frameworks/JavaxJson.qll

@@ -0,0 +1,62 @@
+/**
+ * Provides models for the `javax.json` package.
+ */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class FlowSummaries extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.json;JsonArray;false;getBoolean;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArray;false;getBoolean;;;Argument[1];ReturnValue;value",
+        "javax.json;JsonArray;false;getInt;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArray;false;getInt;;;Argument[1];ReturnValue;value",
+        "javax.json;JsonArray;false;getJsonArray;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArray;false;getJsonNumber;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArray;false;getJsonObject;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArray;false;getJsonString;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArray;false;getString;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArray;false;getString;;;Argument[1];ReturnValue;value",
+        "javax.json;JsonArray;false;getValuesAs;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonArrayBuilder;false;add;;;Argument[-1];ReturnValue;value",
+        "javax.json;JsonArrayBuilder;false;add;;;Argument[0];Argument[-1];taint",
+        "javax.json;JsonArrayBuilder;false;addNull;;;Argument[-1];ReturnValue;value",
+        "javax.json;JsonArrayBuilder;false;build;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;bigDecimalValue;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;bigIntegerValue;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;bigIntegerValueExact;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;doubleValue;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;intValue;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;intValueExact;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;longValue;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonNumber;false;longValueExact;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getBoolean;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getBoolean;;;Argument[1];ReturnValue;value",
+        "javax.json;JsonObject;false;getInt;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getInt;;;Argument[1];ReturnValue;value",
+        "javax.json;JsonObject;false;getJsonArray;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getJsonNumber;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getJsonObject;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getJsonString;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getString;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonObject;false;getString;;;Argument[1];ReturnValue;value",
+        "javax.json;JsonObjectBuilder;false;add;;;Argument[-1];ReturnValue;value",
+        "javax.json;JsonObjectBuilder;false;add;;;Argument[1];Argument[-1];taint",
+        "javax.json;JsonObjectBuilder;false;addNull;;;Argument[-1];ReturnValue;value",
+        "javax.json;JsonObjectBuilder;false;build;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonReader;false;read;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonReader;false;readArray;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonReader;false;readObject;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonReaderFactory;false;createReader;;;Argument[0];ReturnValue;taint",
+        "javax.json;JsonString;false;getChars;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonString;false;getString;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonValue;false;toString;;;Argument[-1];ReturnValue;taint",
+        "javax.json;JsonWriter;false;write;;;Argument[0];Argument[-1];taint",
+        "javax.json;JsonWriter;false;writeArray;;;Argument[0];Argument[-1];taint",
+        "javax.json;JsonWriter;false;writeObject;;;Argument[0];Argument[-1];taint",
+        "javax.json;JsonWriterFactory;false;createWriter;;;Argument[-1];Argument[0];taint"
+      ]
+  }
+}