Deduplicate shared body of regular and experimental versions of java/command-line-injection query.

Author: smowton

java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg

java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 
 /**
  * Strings that are known to be sane by some simple local analysis. Such strings

java/ql/src/experimental/Security/CWE/CWE-078/ExecCommon.qll

@@ -14,7 +14,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import JSchOSInjection
 import DataFlow::PathGraph
 

java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql

@@ -1,3 +1,12 @@
+/**
+ * Provides classes and methods common to queries `java/command-line-injection`, `java/command-line-concatenation`
+ * and their experimental derivatives.
+ *
+ * Do not import this from a library file, in order to reduce the risk of
+ * unintentionally bringing a TaintTracking::Configuration into scope in an unrelated
+ * query.
+ */
+
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandArguments