From 1c1d26453ddec0796b22968273afe81006e5084c Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 07:46:42 +0200 Subject: [PATCH 1/2] First pass converting qlref tests to inline expectation with postprocess --- .../examples/NonceReuse/NonceReuse.qlref | 4 +- .../quantum/examples/NonceReuse/Test.java | 10 +- .../security/CWE-020/Log4jInjectionTest.qlref | 4 +- .../CWE-020/Log4jJndiInjectionTest.java | 2096 ++++++++--------- .../security/CWE-073/FilePathInjection.java | 18 +- .../security/CWE-073/FilePathInjection.qlref | 4 +- .../CommandInjectionRuntimeExecLocal.qlref | 4 +- .../security/CWE-078/ExecTainted.qlref | 4 +- .../security/CWE-078/JSchOSInjectionTest.java | 8 +- .../security/CWE-078/RuntimeExecTest.java | 12 +- .../main/MyBatisAnnotationSqlInjection.qlref | 4 +- .../main/MyBatisMapperXmlSqlInjection.qlref | 4 +- .../CWE-089/src/main/MybatisSqlInjection.java | 20 +- .../src/main/MybatisSqlInjectionService.java | 20 +- .../security/CWE-094/BeanShellInjection.java | 12 +- .../security/CWE-094/BeanShellInjection.qlref | 4 +- .../security/CWE-094/JShellInjection.java | 14 +- .../security/CWE-094/JShellInjection.qlref | 4 +- .../CWE-094/JakartaExpressionInjection.java | 18 +- .../CWE-094/JakartaExpressionInjection.qlref | 4 +- .../security/CWE-094/JythonInjection.java | 18 +- .../security/CWE-094/JythonInjection.qlref | 4 +- .../security/CWE-094/RhinoServlet.java | 12 +- .../security/CWE-094/ScriptEngineTest.java | 14 +- .../security/CWE-094/ScriptInjection.qlref | 4 +- .../security/CWE-200/FileService.java | 2 +- .../CWE-200/InsecureWebResourceResponse.java | 12 +- .../CWE-200/InsecureWebResourceResponse.qlref | 4 +- .../CWE-200/InsecureWebViewActivity.java | 4 +- .../security/CWE-200/LeakFileActivity.java | 4 +- .../security/CWE-200/LeakFileActivity2.java | 4 +- .../CWE-200/SensitiveAndroidFileLeak.qlref | 4 +- .../NotConstantTimeCheckOnSignature/Test.java | 14 +- .../Test.qlref | 4 +- .../TimingAttackAgainstHeader/Test.java | 2 +- .../TimingAttackAgainstHeader.qlref | 3 +- 
.../TimingAttackAgainstSignagure/Test.java | 38 +- .../TimingAttackAgainstSignagure/Test.qlref | 4 +- .../JxBrowserWithoutCertValidation.qlref | 3 +- ...JxBrowserWithoutCertValidationV6_23_1.java | 4 +- .../JxBrowserWithoutCertValidation.qlref | 3 +- .../CWE-297/IgnoredHostnameVerification.java | 4 +- .../CWE-297/IgnoredHostnameVerification.qlref | 3 +- .../CWE-297/InsecureLdapEndpoint.java | 10 +- .../CWE-297/InsecureLdapEndpoint.qlref | 3 +- .../CWE-299/DisabledRevocationChecking.java | 4 +- .../CWE-299/DisabledRevocationChecking.qlref | 4 +- .../security/CWE-327/UnsafeTlsVersion.java | 70 +- .../security/CWE-327/UnsafeTlsVersion.qlref | 4 +- .../security/CWE-346/UnvalidatedCors.java | 4 +- .../security/CWE-346/UnvalidatedCors.qlref | 4 +- .../security/CWE-347/Auth0NoVerifier.qlref | 4 +- .../security/CWE-347/JwtNoVerifier.java | 6 +- .../ClientSuppliedIpUsedInSecurityCheck.java | 6 +- .../ClientSuppliedIpUsedInSecurityCheck.qlref | 4 +- .../security/CWE-352/JsonpController.java | 30 +- .../security/CWE-352/JsonpInjection.qlref | 4 +- .../CWE-400/LocalThreadResourceAbuse.qlref | 4 +- .../security/CWE-400/ThreadResourceAbuse.java | 26 +- .../CWE-400/ThreadResourceAbuse.qlref | 4 +- .../security/CWE-400/UploadListener.java | 2 +- .../security/CWE-470/BadClassLoader.java | 6 +- .../CWE-470/LoadClassNoSignatureCheck.qlref | 4 +- .../security/CWE-470/UnsafeReflection.java | 12 +- .../security/CWE-470/UnsafeReflection.qlref | 4 +- .../security/CWE-489/ServiceBean.java | 2 +- .../security/CWE-489/ServiceBean.qlref | 3 +- .../CWE-489/ServletContextListenerMain.java | 2 +- .../security/CWE-489/ServletMain.java | 2 +- .../security/CWE-489/ServletMain.qlref | 3 +- .../SpringExporterUnsafeDeserialization.java | 12 +- .../CWE-502/UnsafeDeserializationRmi.java | 10 +- .../CWE-502/UnsafeDeserializationRmi.qlref | 4 +- ...feSpringExporterInConfigurationClass.qlref | 3 +- ...safeSpringExporterInXMLConfiguration.qlref | 3 +- .../query-tests/security/CWE-502/beans.xml | 8 +- 
.../CWE-548/InsecureDirectoryConfig.qlref | 3 +- .../security/CWE-548/insecure-web.xml | 4 +- .../CWE-555/PasswordInConfigurationFile.qlref | 3 +- .../security/CWE-555/applicationContext.xml | 2 +- .../query-tests/security/CWE-555/context.xml | 4 +- .../security/CWE-555/custom-config.xml | 2 +- .../security/CWE-598/SensitiveGetQuery.java | 6 +- .../security/CWE-598/SensitiveGetQuery.qlref | 4 +- .../security/CWE-598/SensitiveGetQuery2.java | 6 +- .../security/CWE-598/SensitiveGetQuery3.java | 4 +- .../security/CWE-598/SensitiveGetQuery4.java | 4 +- .../CWE-600/UncaughtServletException.java | 16 +- .../CWE-600/UncaughtServletException.qlref | 4 +- .../security/CWE-601/SpringUrlRedirect.java | 56 +- .../security/CWE-601/SpringUrlRedirect.qlref | 4 +- .../security/CWE-625/DotRegexFilter.java | 6 +- .../security/CWE-625/DotRegexServlet.java | 16 +- .../security/CWE-625/DotRegexSpring.java | 8 +- .../security/CWE-625/PermissiveDotRegex.qlref | 4 +- .../security/CWE-652/XQueryInjection.java | 40 +- .../security/CWE-652/XQueryInjection.qlref | 4 +- ...nsecureRmiJmxEnvironmentConfiguration.java | 8 +- ...secureRmiJmxEnvironmentConfiguration.qlref | 3 +- .../security/CWE-755/NFEAndroidDoS.java | 20 +- .../security/CWE-755/NFEAndroidDoS.qlref | 4 +- .../security/CWE-759/HashWithoutSalt.java | 12 +- .../security/CWE-759/HashWithoutSalt.qlref | 4 +- .../frameworks/JaxWs/UrlRedirect.qlref | 4 +- .../frameworks/JaxWs/UrlRedirectJakarta.java | 4 +- .../frameworks/JaxWs/UrlRedirectJax.java | 4 +- .../AmbiguousOuterSuper.qlref | 3 +- .../AmbiguousOuterSuper/GenericTest.java | 2 +- .../query-tests/AmbiguousOuterSuper/Test.java | 2 +- .../query-tests/AutoBoxing/AutoBoxing.qlref | 3 +- java/ql/test/query-tests/AutoBoxing/Test.java | 22 +- .../AvoidDeprecatedCallableAccess.qlref | 3 +- .../AvoidDeprecatedCallableAccess/Test.java | 6 +- .../BadAbsOfRandom/BadAbsOfRandom.qlref | 3 +- .../test/query-tests/BadAbsOfRandom/Test.java | 12 +- .../query-tests/BadCheckOdd/BadCheckOdd.java | 20 
+- .../query-tests/BadCheckOdd/BadCheckOdd.qlref | 3 +- .../BoxedVariable/BoxedVariable.java | 10 +- .../BoxedVariable/BoxedVariable.qlref | 3 +- .../test/query-tests/BusyWait/BusyWait.qlref | 3 +- .../test/query-tests/BusyWait/BusyWaits.java | 6 +- .../CloseReader/CloseReader.java | 8 +- .../CloseReader/CloseReader.qlref | 3 +- .../CloseWriter/CloseWriter.java | 6 +- .../CloseWriter/CloseWriter.qlref | 3 +- .../query-tests/CompareIdenticalValues/A.java | 36 +- .../CompareIdenticalValues.qlref | 3 +- .../ComplexCondition/ComplexCondition.java | 8 +- .../ComplexCondition/ComplexCondition.qlref | 3 +- .../ConfusingOverloading.qlref | 3 +- .../TestConfusingOverloading.java | 2 +- .../ConstantExpAppearsNonConstant.qlref | 3 +- .../ConstantExpAppearsNonConstant/Test.java | 22 +- .../query-tests/ConstantLoopCondition/A.java | 8 +- .../ConstantLoopCondition.qlref | 3 +- .../ContainerSizeCmpZero.qlref | 3 +- .../ContainerSizeCmpZero/Main.java | 36 +- .../query-tests/ContinueInFalseLoop/A.java | 6 +- .../ContinueInFalseLoop.qlref | 3 +- .../ContradictoryTypeChecks.qlref | 3 +- .../ContradictoryTypeChecks/Test.java | 12 +- .../DeadCode/DeadRefTypes/DeadRefTypes.qlref | 3 +- .../DeadCode/DeadRefTypes/UnusedClass.java | 2 +- .../NonAssignedFields/NonAssignedFields.qlref | 3 +- .../DeadCode/camel/DeadClass.qlref | 3 +- .../DeadCode/camel/DeadMethod.qlref | 3 +- .../camel/com/semmle/camel/DeadTarget.java | 4 +- .../camel/javadsl/CustomRouteBuilder.java | 2 +- .../Declarations/BreakInSwitchCase.qlref | 3 +- .../test/query-tests/Declarations/Test.java | 4 +- .../DefineEqualsWhenAddingFields.qlref | 4 +- .../query-tests/DoubleCheckedLocking/A.java | 16 +- .../DoubleCheckedLocking.qlref | 3 +- .../DoubleCheckedLockingWithInitRace.qlref | 3 +- .../query-tests/EqualsArray/EqualsArray.qlref | 3 +- .../ql/test/query-tests/EqualsArray/Test.java | 6 +- .../EqualsUsesInstanceOf.qlref | 3 +- .../ExposeRepresentation.qlref | 3 +- .../ExposeRepresentation/ExposesRep.java | 10 +- 
java/ql/test/query-tests/Finally/Finally.java | 14 +- .../Finally/FinallyMayNotComplete.qlref | 3 +- .../HashedButNoHash/HashedButNoHash.qlref | 3 +- .../query-tests/HashedButNoHash/Test.java | 2 +- .../IgnoreExceptionalReturn.qlref | 3 +- .../IgnoreExceptionalReturn/Test.java | 12 +- .../ImpossibleCast/ImpossibleCast.qlref | 3 +- .../ImpossibleCast/impossible_cast/A.java | 4 +- .../InconsistentEqualsHashCode.qlref | 3 +- .../InconsistentEqualsHashCode/Test.java | 6 +- .../InconsistentCallOnResult.qlref | 3 +- .../InconsistentOperations/Operations.java | 4 +- .../ReturnValueIgnored.qlref | 3 +- .../InconsistentOperations/Test2.java | 4 +- .../InconsistentOperations/Test3.java | 4 +- .../InefficientOutputStream.qlref | 3 +- .../InefficientOutputStreamBad.java | 2 +- .../InnerClassCouldBeStatic/Classes.java | 42 +- .../InnerClassCouldBeStatic.qlref | 3 +- .../InnerClassCouldBeStatic/Test.java | 2 +- .../Iterable/IterableIterator.qlref | 3 +- java/ql/test/query-tests/Iterable/Test.java | 6 +- .../Iterable/WrappedIterator.qlref | 3 +- .../IteratorRemoveMayFail.qlref | 3 +- .../IteratorRemoveMayFail/Test.java | 6 +- .../Javadoc/ImpossibleJavadocThrows.java | 6 +- .../Javadoc/ImpossibleJavadocThrows.qlref | 3 +- .../LShiftLargerThanTypeWidth/A.java | 44 +- .../LShiftLargerThanTypeWidth.qlref | 3 +- .../LazyInitStaticField.qlref | 3 +- .../LazyInitStaticField/LazyInits.java | 14 +- .../MissingEnumInSwitch.qlref | 3 +- .../Statements/MissingEnumInSwitch/Test.java | 20 +- .../MissedTernaryOpportunity.qlref | 3 +- .../MissedTernaryOpportunityTest.java | 12 +- .../MissingCallToSuperClone.qlref | 3 +- .../MissingCallToSuperClone/Test.java | 2 +- .../MissingInstanceofInEquals/Bad.java | 4 +- .../MissingInstanceofInEquals.qlref | 3 +- .../MissingOverrideAnnotation.qlref | 3 +- .../MissingOverrideAnnotation/Test.java | 4 +- .../test/query-tests/MissingSpaceTypo/A.java | 28 +- .../MissingSpaceTypo/MissingSpaceTypo.qlref | 3 +- ...issingVoidConstructorsOnSerializable.qlref | 3 +- 
.../Test.java | 2 +- .../MutualDependency/MutualDependency.qlref | 3 +- .../onepackage/MutualDependency.java | 2 +- .../Naming/ConfusingOverloading.qlref | 3 +- .../test/query-tests/Naming/NamingTest.java | 2 +- .../NonPrivateField/NonPrivateField.qlref | 3 +- .../NonPrivateField/NonPrivateFieldTest.java | 18 +- .../NonSerializableField.qlref | 3 +- .../NonSerializableFieldTest.java | 32 +- .../NonSerializableInnerClass.qlref | 3 +- .../NonSerializableInnerClassTest.java | 10 +- .../NonSynchronizedOverride.qlref | 3 +- .../NonSynchronizedOverride/Test.java | 10 +- .../NotifyWithoutSynch.qlref | 3 +- .../query-tests/NotifyWithoutSynch/Test.java | 20 +- java/ql/test/query-tests/Nullness/A.java | 42 +- java/ql/test/query-tests/Nullness/B.java | 50 +- java/ql/test/query-tests/Nullness/C.java | 14 +- .../test/query-tests/Nullness/ExprDeref.java | 2 +- java/ql/test/query-tests/Nullness/F.java | 4 +- java/ql/test/query-tests/Nullness/G.java | 2 +- .../query-tests/Nullness/NullAlways.qlref | 3 +- .../query-tests/Nullness/NullExprDeref.qlref | 3 +- .../test/query-tests/Nullness/NullMaybe.qlref | 3 +- .../NumberFormatException.qlref | 3 +- .../NumberFormatException/Test.java | 60 +- .../PartiallyMaskedCatch.qlref | 3 +- .../PartiallyMaskedCatchTest.java | 6 +- .../PointlessForwardingMethod.qlref | 3 +- .../pointlessforwardingmethod/Test.java | 2 +- .../query-tests/PrintLnArray/PrintLn.qlref | 3 +- .../test/query-tests/PrintLnArray/Test.java | 4 +- .../RandomUsedOnce/RandomUsedOnce.qlref | 3 +- .../test/query-tests/RandomUsedOnce/Test.java | 2 +- java/ql/test/query-tests/RangeAnalysis/A.java | 34 +- .../RangeAnalysis/ArrayIndexOutOfBounds.qlref | 3 +- .../ReadOnlyContainer/ReadOnlyContainer.qlref | 3 +- .../query-tests/ReadOnlyContainer/Test.java | 6 +- .../ReturnValueIgnored.qlref | 3 +- .../return_value_ignored/Test.java | 4 +- .../SelfAssignment/SelfAssignment.qlref | 3 +- .../test/query-tests/SelfAssignment/Test.java | 4 +- .../SimplifyBoolExpr/SimplifyBoolExpr.java | 18 
+- .../SimplifyBoolExpr/SimplifyBoolExpr.qlref | 3 +- .../SpuriousJavadocParam/Test.java | 34 +- .../SpuriousJavadocParam/test.qlref | 3 +- .../StartInConstructor.qlref | 3 +- .../query-tests/StartInConstructor/Test.java | 2 +- .../query-tests/StaticArray/StaticArray.java | 10 +- .../query-tests/StaticArray/StaticArray.qlref | 3 +- .../StringComparison/StringComparison.java | 6 +- .../StringComparison/StringComparison.qlref | 3 +- java/ql/test/query-tests/StringFormat/A.java | 64 +- .../StringFormat/MissingFormatArg.qlref | 3 +- .../StringFormat/UnusedFormatArg.qlref | 3 +- .../query-tests/SuspiciousDateFormat/A.java | 2 +- .../SuspiciousDateFormat.qlref | 3 +- .../SynchSetUnsynchSet.qlref | 3 +- .../query-tests/SynchSetUnsynchGet/Test.java | 4 +- .../TypeMismatch/IncomparableEquals.qlref | 3 +- .../TypeMismatch/RemoveTypeMismatch.qlref | 3 +- .../TypeMismatch/incomparable_equals/B.java | 2 +- .../TypeMismatch/incomparable_equals/F.java | 4 +- .../TypeMismatch/remove_type_mismatch/A.java | 12 +- java/ql/test/query-tests/UnreadLocal/A.java | 12 +- .../UnreadLocal/DeadStoreOfLocal.qlref | 3 +- .../UnreadLocal/DeadStoreOfLocalUnread.qlref | 3 +- .../query-tests/UnreadLocal/UnreadLocal.qlref | 3 +- .../UnreadLocal/ImplicitReads.java | 2 +- .../UnreadLocal/UnreadLocal/UnreadLocals.java | 4 +- .../UnreleasedLock/UnreleasedLock.java | 12 +- .../UnreleasedLock/UnreleasedLock.qlref | 3 +- .../test/query-tests/UseBraces/UseBraces.java | 28 +- .../query-tests/UseBraces/UseBraces.qlref | 3 +- .../query-tests/UselessComparisonTest/A.java | 30 +- .../UselessComparisonTest/CharLiterals.java | 8 +- .../UselessComparisonTest/Test.java | 16 +- .../UselessComparisonTest.qlref | 3 +- .../test/query-tests/UselessNullCheck/A.java | 16 +- .../UselessNullCheck/UselessNullCheck.qlref | 3 +- .../test/query-tests/UselessUpcast/Test.java | 6 +- .../test/query-tests/UselessUpcast/Test2.java | 4 +- .../UselessUpcast/UselessUpcast.qlref | 3 +- .../WhitespaceContradictsPrecedence.java | 4 +- 
.../WhitespaceContradictsPrecedence.qlref | 3 +- .../WriteOnlyContainer/CollectionTest.java | 4 +- .../WriteOnlyContainer/MapTest.java | 4 +- .../WriteOnlyContainer.qlref | 3 +- .../query-tests/WrongNanComparison/Test.java | 4 +- .../WrongNanComparison.qlref | 3 +- .../dead-code/DeadCallable/DeadCallable.qlref | 3 +- .../dead-code/DeadCallable/Main.java | 10 +- .../dead-code/DeadClass/DeadClass.qlref | 3 +- .../dead-code/DeadClass/DeadEnumTest.java | 2 +- .../DeadClass/ExternalDeadCodeCycle.java | 2 +- .../dead-code/DeadClass/ExternalDeadRoot.java | 2 +- .../DeadClass/InternalDeadCodeCycle.java | 2 +- .../dead-code/DeadClass/NamespaceTest.java | 2 +- .../DeadEnumConstant/DeadEnumConstant.qlref | 3 +- .../DeadEnumConstantTest.java | 4 +- .../DeadField/AnnotationValueTest.java | 2 +- .../DeadField/AnnotationValueUtil.java | 6 +- .../dead-code/DeadField/BasicTest.java | 6 +- .../dead-code/DeadField/DeadField.qlref | 3 +- .../dead-code/DeadField/ReflectionTest.java | 4 +- .../dead-code/DeadMethod/DeadMethod.qlref | 3 +- .../DeadMethod/InternalDeadCodeCycle.java | 4 +- .../dead-code/DeadMethod/JMXTest.java | 2 +- .../DeadMethod/SuppressedConstructorTest.java | 6 +- .../dead-code/UselessParameter/Test.java | 2 +- .../UselessParameter/UselessParameter.qlref | 3 +- .../UnusedMavenDependencyBinary.qlref | 3 +- .../UnusedMavenDependencySource.qlref | 3 +- .../maven-dependencies/my-project/pom.xml | 8 +- .../CWE-020/OverlyLargeRangeQuery.qlref | 3 +- .../CWE-020/SuspiciousRegexpRange.java | 20 +- .../CWE-022/semmle/tests/ZipSlip.qlref | 4 +- .../CWE-022/semmle/tests/ZipTest.java | 8 +- .../security/CWE-078/ExecRelative.qlref | 3 +- .../security/CWE-078/ExecTainted.qlref | 4 +- .../security/CWE-078/ExecUnescaped.qlref | 3 +- .../security/CWE-078/TaintedEnvironment.java | 2 +- .../query-tests/security/CWE-078/Test.java | 14 +- .../semmle/tests/SetJavascriptEnabled.java | 2 +- .../tests/WebViewAddJavascriptInterface.java | 2 +- .../tests/WebViewAddJavascriptInterface.qlref | 3 
+- .../tests/WebViewSetEnabledJavaScript.qlref | 3 +- .../AllowListSanitizerWithJavaUtilList.java | 54 +- .../AllowListSanitizerWithJavaUtilSet.java | 54 +- .../CWE-089/semmle/examples/CouchBase.java | 14 +- .../CWE-089/semmle/examples/Mongo.java | 8 +- .../semmle/examples/SqlConcatenated.qlref | 3 +- .../CWE-089/semmle/examples/SqlTainted.qlref | 4 +- .../CWE-089/semmle/examples/Test.java | 24 +- .../security/CWE-090/LdapInjection.java | 164 +- .../security/CWE-090/LdapInjection.qlref | 4 +- .../CWE-094/InsecureBeanValidation.java | 4 +- .../CWE-094/InsecureBeanValidation.qlref | 4 +- .../tests/MavenPomDependsOnBintray.qlref | 3 +- .../CWE-1104/semmle/tests/bad-bintray-pom.xml | 10 +- .../semmle/tests/ResponseSplitting.java | 12 +- .../semmle/tests/ResponseSplitting.qlref | 4 +- ...mproperValidationOfArrayConstruction.qlref | 4 +- ...tionOfArrayConstructionCodeSpecified.qlref | 4 +- .../ImproperValidationOfArrayIndex.qlref | 4 +- ...rValidationOfArrayIndexCodeSpecified.qlref | 4 +- .../security/CWE-129/semmle/tests/Test.java | 28 +- .../ExternallyControlledFormatString.qlref | 4 +- .../security/CWE-134/semmle/tests/Test.java | 16 +- .../semmle/tests/ArithmeticTainted.java | 20 +- .../semmle/tests/ArithmeticTainted.qlref | 4 +- .../semmle/tests/ArithmeticUncontrolled.qlref | 4 +- .../tests/ArithmeticWithExtremeValues.qlref | 4 +- .../semmle/tests/ComparisonWithWiderType.java | 6 +- .../tests/ComparisonWithWiderType.qlref | 3 +- .../semmle/tests/InformationLoss.qlref | 3 +- .../CWE-190/semmle/tests/IntMultToLong.qlref | 3 +- .../security/CWE-190/semmle/tests/Test.java | 54 +- .../Files.java | 4 +- .../TempDirLocalInformationDisclosure.qlref | 4 +- .../Test.java | 78 +- .../WebViewAccess/WebViewContentAccess.java | 20 +- .../WebViewAccess/WebViewContentAccess.qlref | 3 +- .../WebViewAccess/WebViewFileAccess.java | 6 +- .../WebViewAccess/WebViewFileAccess.qlref | 3 +- ...itiveDataExposureThroughErrorMessage.qlref | 3 +- .../semmle/tests/StackTraceExposure.qlref | 3 +- 
.../security/CWE-209/semmle/tests/Test.java | 8 +- .../CWE-297/UnsafeHostnameVerification.java | 22 +- .../CWE-297/UnsafeHostnameVerification.qlref | 4 +- .../security/CWE-311/CWE-319/HttpsUrls.qlref | 4 +- .../CWE-311/CWE-319/HttpsUrlsTest.java | 18 +- .../security/CWE-311/CWE-319/UseSSL.qlref | 3 +- .../security/CWE-311/CWE-319/UseSSLTest.java | 2 +- .../CWE-614/semmle/tests/InsecureCookie.qlref | 3 +- .../CWE-311/CWE-614/semmle/tests/Test.java | 8 +- .../backup/AllowBackupEnabledTest.qlref | 3 +- .../TestExplicitlyEnabled/AndroidManifest.xml | 2 +- .../backup/TestMissing/AndroidManifest.xml | 2 +- .../semmle/tests/BrokenCryptoAlgorithm.qlref | 4 +- .../tests/MaybeBrokenCryptoAlgorithm.qlref | 3 +- .../security/CWE-327/semmle/tests/Test.java | 6 +- .../CWE-327/semmle/tests/WeakHashing.java | 6 +- .../semmle/tests/PredictableSeed.qlref | 3 +- .../security/CWE-335/semmle/tests/Test.java | 6 +- .../semmle/tests/JHipsterGeneratedPRNG.qlref | 3 +- .../semmle/tests/vulnerable/RandomUtil.java | 10 +- .../CWE-421/semmle/SocketAuthRace.qlref | 3 +- .../security/CWE-421/semmle/Test.java | 6 +- .../CWE-601/semmle/tests/UrlRedirect.java | 8 +- .../CWE-601/semmle/tests/UrlRedirect.qlref | 4 +- .../CWE-601/semmle/tests/UrlRedirect2.java | 2 +- .../CWE-601/semmle/tests/mad/Test.java | 4 +- .../tests/PotentiallyDangerousFunction.qlref | 3 +- .../security/CWE-676/semmle/tests/Test.java | 2 +- .../semmle/tests/NumericCastTainted.qlref | 4 +- .../security/CWE-681/semmle/tests/Test.java | 6 +- .../tests/ReadingFromWorldWritableFile.qlref | 3 +- .../security/CWE-732/semmle/tests/Test.java | 6 +- .../tests/TaintedPermissionsCheck.qlref | 4 +- .../tests/TaintedPermissionsCheckTest.java | 4 +- .../tests/InsecureDependencyResolution.qlref | 3 +- .../CWE-829/semmle/tests/insecure-pom.xml | 10 +- .../semmle/tests/LockOrderInconsistency.qlref | 3 +- .../semmle/tests/MethodAccessLockOrder.java | 2 +- .../semmle/tests/ReentrantLockOrder.java | 4 +- .../tests/SynchronizedStmtLockOrder.java | 4 
+- .../CWE-835/semmle/tests/InfiniteLoop.java | 2 +- .../CWE-835/semmle/tests/InfiniteLoop.qlref | 3 +- .../org/apache/camel/Consume.java | 8 +- .../camel/builder/ExpressionClause.java | 2 +- .../apache/camel/builder/RouteBuilder.java | 4 +- .../camel/impl/DefaultCamelContext.java | 2 +- .../apache/camel/model/FilterDefinition.java | 2 +- .../apache/camel/model/OutputDefinition.java | 2 +- .../camel/model/ProcessorDefinition.java | 2 +- .../apache/camel/model/RouteDefinition.java | 2 +- 420 files changed, 2847 insertions(+), 2599 deletions(-)
diff --git a/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.qlref b/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.qlref
index 9658a376bb90..b3c88b353dd7 100644
--- a/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.qlref
+++ b/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.qlref
@@ -1,2 +1,4 @@
 query: experimental/quantum/Examples/ReusedNonce.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/Test.java b/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/Test.java
index e384143db086..80524e269e79 100644
--- a/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/Test.java
+++ b/java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/Test.java
@@ -16,7 +16,7 @@ public static SecretKey generateAESKey() throws Exception {
 private static byte[] getRandomWrapper1() throws Exception {
 byte[] val = new byte[16];
- new SecureRandom().nextBytes(val);
+ new SecureRandom().nextBytes(val); // $ Source
 return val;
 }
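Review bot: Only this `nextBytes` line carries `// $ Source`, yet four `cipher.init` lines (funcA1, funcB1 and two in funcA3) are tagged `// $ Alert`, so every alert's flow has to start in getRandomWrapper1 for the expectations to hold; the 10 changed lines the diffstat gives for Test.java are fully accounted for by these four hunks, so there are no other annotations in the file. The assignments of `iv` in funcB1 and funcA3 lie outside the hunks, so it cannot be seen here whether that is the case; if any of them takes its bytes from another call, that line presumably needs its own `// $ Source`. The alert lines keep their `BAD:` explanation after the tag, and the source line would read better with one too, for example `new SecureRandom().nextBytes(val); // $ Source // IV bytes that are later reused`.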
@@ -37,7 +37,7 @@ private static void funcA1(byte[] iv) throws Exception {
 IvParameterSpec ivSpec = new IvParameterSpec(iv);
 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
 SecretKey key = generateAESKey();
- cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcB1
+ cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcB1
 byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
 }
@@ -46,7 +46,7 @@ private static void funcB1() throws Exception {
 IvParameterSpec ivSpec = new IvParameterSpec(iv);
 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
 SecretKey key = generateAESKey();
- cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcA1
+ cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcA1
 byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
 }
@@ -73,13 +73,13 @@ private static void funcA3() throws Exception {
 IvParameterSpec ivSpec1 = new IvParameterSpec(iv);
 Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
 SecretKey key1 = generateAESKey();
- cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // BAD: reuse of `iv` below
+ cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // $ Alert // BAD: reuse of `iv` below
 byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
 IvParameterSpec ivSpec2 = new IvParameterSpec(iv);
 Cipher cipher2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
 SecretKey key2 = generateAESKey();
- cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // BAD: Reuse of `iv` above
+ cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // $ Alert // BAD: Reuse of `iv` above
 byte[] ciphertext2 = cipher2.doFinal("Simple Test Data".getBytes());
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.qlref b/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.qlref
index ea158af1e3ab..3b0cb0955c93 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-020/Log4jInjectionTest.qlref
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-020/Log4jJndiInjectionTest.java b/java/ql/test/experimental/query-tests/security/CWE-020/Log4jJndiInjectionTest.java
index c180fdc40f1f..25f43bf4e69c 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-020/Log4jJndiInjectionTest.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-020/Log4jJndiInjectionTest.java
@@ -21,985 +21,985 @@ public class Log4jJndiInjectionTest { private HttpServletRequest request; public Object source() { - return request.getParameter("source"); + return request.getParameter("source"); // $ Source } public void test() { Logger logger = null; { // @formatter:off - logger.debug((CharSequence) source()); - logger.debug((CharSequence) source(), (Throwable) null); - logger.debug((Marker) null, (CharSequence) source()); - logger.debug((Marker) null, (CharSequence) source(), null); - logger.debug((Marker) null, (Message) source()); - logger.debug((Marker) null, (MessageSupplier) source()); - logger.debug((Marker) null, (MessageSupplier) source(), null); - logger.debug((Marker) null, source()); - logger.debug((Marker) null, (String) source()); - logger.debug((Marker) null, (String) source(), new Object[] {}); - logger.debug((Marker) null, (String) null, new Object[] {source()}); - logger.debug((Marker) null, (String) null, (Object) source()); - logger.debug((Marker) null, (String) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - 
logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, 
(Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) 
null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((Marker) null, (String) source(), (Supplier) null); - logger.debug((Marker) null, (String) null, (Supplier) source()); - logger.debug((Marker) null, (String) source(), (Throwable) null); - logger.debug((Marker) null, (Supplier) source()); - logger.debug((Marker) null, (Supplier) source(), (Throwable) null); - logger.debug((MessageSupplier) source()); - logger.debug((MessageSupplier) source(), (Throwable) null); - logger.debug((Message) source()); - logger.debug((Message) source(), (Throwable) null); - logger.debug(source()); - logger.debug(source(), (Throwable) null); - logger.debug((String) source()); - logger.debug((String) source(), (Object[]) null); - logger.debug((String) null, new Object[] {source()}); - logger.debug((String) null, (Object) source()); - logger.debug((String) source(), (Object) null); - logger.debug((String) null, (Object) null, (Object) source()); - logger.debug((String) null, (Object) source(), (Object) null); - logger.debug((String) source(), (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) source()); - logger.debug((String) null, (Object) null, (Object) source(), (Object) null); - logger.debug((String) null, (Object) source(), (Object) null, (Object) null); - logger.debug((String) source(), (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, 
(Object) source()); - logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - 
logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - 
logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.debug((String) source(), (Supplier) null); - logger.debug((String) null, (Supplier) source()); - logger.debug((String) source(), (Throwable) null); - logger.debug((Supplier) source()); - logger.debug((Supplier) source(), (Throwable) null); - logger.error((CharSequence) source()); - logger.error((CharSequence) source(), (Throwable) null); - logger.error((Marker) null, (CharSequence) source()); - logger.error((Marker) null, (CharSequence) source(), null); - logger.error((Marker) null, (Message) source()); - logger.error((Marker) null, (MessageSupplier) source()); - logger.error((Marker) null, (MessageSupplier) source(), null); - logger.error((Marker) null, source()); - logger.error((Marker) null, (String) source()); - logger.error((Marker) null, (String) source(), new Object[] {}); - logger.error((Marker) null, (String) null, new Object[] {source()}); - logger.error((Marker) null, (String) null, (Object) source()); - logger.error((Marker) null, (String) source(), (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), 
(Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - 
logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) 
null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((Marker) null, (String) source(), (Supplier) null); - logger.error((Marker) null, (String) null, (Supplier) source()); - logger.error((Marker) null, (String) source(), (Throwable) null); - logger.error((Marker) null, (Supplier) source()); - logger.error((Marker) null, (Supplier) source(), (Throwable) null); - logger.error((MessageSupplier) source()); - logger.error((MessageSupplier) source(), (Throwable) null); - logger.error((Message) source()); - logger.error((Message) source(), (Throwable) null); - logger.error(source()); - logger.error(source(), (Throwable) null); - logger.error((String) source()); - logger.error((String) source(), (Object[]) null); - logger.error((String) null, new Object[] {source()}); - logger.error((String) null, (Object) source()); - logger.error((String) source(), (Object) null); - logger.error((String) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) source(), (Object) null); - logger.error((String) source(), (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) null, (Object) source(), (Object) null); - logger.error((String) null, (Object) source(), (Object) null, (Object) null); - logger.error((String) 
source(), (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) source(), (Object) null, (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, 
(Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) null, (Object) source(), 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.error((String) source(), (Supplier) null); - logger.error((String) null, (Supplier) source()); - logger.error((String) source(), (Throwable) null); - logger.error((Supplier) source()); - logger.error((Supplier) source(), (Throwable) null); - logger.fatal((CharSequence) source()); - logger.fatal((CharSequence) source(), (Throwable) null); - logger.fatal((Marker) null, (CharSequence) source()); - logger.fatal((Marker) null, (CharSequence) source(), null); - logger.fatal((Marker) null, (Message) source()); - logger.fatal((Marker) null, (MessageSupplier) source()); - logger.fatal((Marker) null, (MessageSupplier) source(), null); - logger.fatal((Marker) null, source()); - logger.fatal((Marker) null, (String) source()); - logger.fatal((Marker) null, (String) source(), new Object[] {}); - logger.fatal((Marker) null, (String) null, new Object[] {source()}); - logger.fatal((Marker) null, (String) null, (Object) source()); - logger.fatal((Marker) null, (String) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) 
null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) 
source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((Marker) null, (String) source(), (Supplier) null); - logger.fatal((Marker) null, (String) null, (Supplier) source()); - logger.fatal((Marker) null, (String) source(), (Throwable) null); - logger.fatal((Marker) null, (Supplier) source()); - logger.fatal((Marker) null, (Supplier) source(), (Throwable) null); - logger.fatal((MessageSupplier) source()); - logger.fatal((MessageSupplier) source(), (Throwable) null); - logger.fatal((Message) source()); - logger.fatal((Message) source(), (Throwable) null); - logger.fatal(source()); - logger.fatal(source(), (Throwable) null); - logger.fatal((String) source()); - logger.fatal((String) source(), (Object[]) null); - logger.fatal((String) null, new Object[] {source()}); - logger.fatal((String) null, (Object) source()); - logger.fatal((String) source(), (Object) null); - logger.fatal((String) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) source(), (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) null, (Object) source(), 
(Object) null); - logger.fatal((String) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) source(), (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) 
null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.fatal((String) source(), (Supplier) null); - logger.fatal((String) null, (Supplier) source()); - logger.fatal((String) source(), (Throwable) null); - logger.fatal((Supplier) source()); - logger.fatal((Supplier) source(), (Throwable) null); - logger.info((CharSequence) source()); - logger.info((CharSequence) source(), (Throwable) null); - logger.info((Marker) null, (CharSequence) source()); - logger.info((Marker) null, (CharSequence) source(), null); - logger.info((Marker) null, (Message) source()); - logger.info((Marker) null, (MessageSupplier) source()); - logger.info((Marker) null, (MessageSupplier) source(), null); - logger.info((Marker) null, source()); - logger.info((Marker) null, (String) source()); - logger.info((Marker) null, (String) source(), new Object[] {}); - logger.info((Marker) null, (String) null, new Object[] {source()}); - logger.info((Marker) null, (String) null, (Object) source()); - logger.info((Marker) null, (String) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null, 
(Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); 
- logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) 
null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, 
(Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((Marker) null, (String) source(), (Supplier) null); - logger.info((Marker) null, (String) null, (Supplier) source()); - logger.info((Marker) null, (String) source(), (Throwable) null); - logger.info((Marker) null, (Supplier) source()); - logger.info((Marker) null, (Supplier) source(), (Throwable) null); - logger.info((MessageSupplier) source()); - logger.info((MessageSupplier) source(), (Throwable) null); - logger.info((Message) source()); - logger.info((Message) source(), (Throwable) null); - logger.info(source()); - logger.info(source(), (Throwable) null); - logger.info((String) source()); - logger.info((String) source(), (Object[]) null); - logger.info((String) null, new Object[] {source()}); - logger.info((String) null, (Object) source()); - logger.info((String) source(), (Object) null); - logger.info((String) null, (Object) null, (Object) source()); - logger.info((String) null, (Object) source(), (Object) null); - logger.info((String) source(), (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) source()); - logger.info((String) null, 
(Object) null, (Object) source(), (Object) null); - logger.info((String) null, (Object) source(), (Object) null, (Object) null); - logger.info((String) source(), (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) source(), 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) 
null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.info((String) source(), (Supplier) null); - logger.info((String) null, (Supplier) source()); - logger.info((String) source(), (Throwable) null); - logger.info((Supplier) source()); - logger.info((Supplier) source(), (Throwable) null); - logger.log((Level) null, (CharSequence) source()); - logger.log((Level) null, (CharSequence) source(), (Throwable) null); - logger.log((Level) null, (Marker) null, (CharSequence) source()); - logger.log((Level) null, (Marker) null, (CharSequence) source(), null); - logger.log((Level) null, (Marker) null, (Message) source()); - logger.log((Level) null, (Marker) null, (MessageSupplier) source()); - logger.log((Level) null, (Marker) null, (MessageSupplier) source(), null); - logger.log((Level) null, (Marker) null, source()); - logger.log((Level) null, (Marker) null, (String) source()); - logger.log((Level) null, (Marker) null, (String) source(), new Object[] {}); - logger.log((Level) null, (Marker) null, (String) null, new Object[] {source()}); - logger.log((Level) null, (Marker) null, (String) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) 
null, (Object) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - 
logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (Marker) null, (String) null, (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (Marker) null, (String) source(), (Supplier) null); - logger.log((Level) null, (Marker) null, (String) null, (Supplier) source()); - logger.log((Level) null, (Marker) null, (String) source(), (Throwable) null); - logger.log((Level) null, (Marker) null, (Supplier) 
source()); - logger.log((Level) null, (Marker) null, (Supplier) source(), (Throwable) null); - logger.log((Level) null, (MessageSupplier) source()); - logger.log((Level) null, (MessageSupplier) source(), (Throwable) null); - logger.log((Level) null, (Message) source()); - logger.log((Level) null, (Message) source(), (Throwable) null); - logger.log((Level) null, source()); - logger.log((Level) null, source(), (Throwable) null); - logger.log((Level) null, (String) source()); - logger.log((Level) null, (String) source(), (Object[]) null); - logger.log((Level) null, (String) null, new Object[] {source()}); - logger.log((Level) null, (String) null, (Object) source()); - logger.log((Level) null, (String) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) source()); - logger.log((Level) null, (String) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) source(), (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - 
logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), 
(Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) 
null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.log((Level) null, (String) source(), (Supplier) null); - logger.log((Level) null, (String) null, (Supplier) source()); - logger.log((Level) null, (String) source(), (Throwable) null); - logger.log((Level) null, (Supplier) source()); - logger.log((Level) null, (Supplier) source(), (Throwable) null); - logger.trace((CharSequence) source()); - logger.trace((CharSequence) source(), (Throwable) null); - logger.trace((Marker) null, (CharSequence) source()); - logger.trace((Marker) null, (CharSequence) source(), null); - logger.trace((Marker) null, (Message) source()); - logger.trace((Marker) null, (MessageSupplier) source()); - logger.trace((Marker) null, (MessageSupplier) source(), null); - logger.trace((Marker) null, source()); - logger.trace((Marker) null, (String) source()); - logger.trace((Marker) null, (String) source(), new Object[] {}); - logger.trace((Marker) null, (String) null, new Object[] {source()}); - logger.trace((Marker) null, (String) null, (Object) source()); - logger.trace((Marker) null, (String) source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null); - logger.trace((Marker) null, (String) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) 
source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, 
(Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) 
null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((Marker) null, (String) source(), (Supplier) null); - logger.trace((Marker) null, (String) null, (Supplier) source()); - logger.trace((Marker) null, (String) source(), (Throwable) null); - logger.trace((Marker) null, (Supplier) source()); - logger.trace((Marker) null, (Supplier) source(), (Throwable) null); - logger.trace((MessageSupplier) source()); - logger.trace((MessageSupplier) source(), (Throwable) null); - logger.trace((Message) source()); - logger.trace((Message) source(), (Throwable) null); - logger.trace(source()); - logger.trace(source(), (Throwable) null); - logger.trace((String) source()); - logger.trace((String) source(), (Object[]) null); - logger.trace((String) null, new Object[] {source()}); - logger.trace((String) null, (Object) source()); - logger.trace((String) source(), (Object) null); - logger.trace((String) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) source(), (Object) null); - logger.trace((String) source(), (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) null, (Object) source(), (Object) null); - logger.trace((String) null, (Object) source(), (Object) null, (Object) null); - 
logger.trace((String) source(), (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) source(), 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - 
logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - 
logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.trace((String) source(), (Supplier) null); - logger.trace((String) null, (Supplier) source()); - logger.trace((String) source(), (Throwable) null); - logger.trace((Supplier) source()); - logger.trace((Supplier) source(), (Throwable) null); - logger.warn((CharSequence) source()); - logger.warn((CharSequence) source(), (Throwable) null); - logger.warn((Marker) null, (CharSequence) source()); - logger.warn((Marker) null, (CharSequence) source(), null); - logger.warn((Marker) null, (Message) source()); - logger.warn((Marker) null, (MessageSupplier) source()); - logger.warn((Marker) null, (MessageSupplier) source(), null); - logger.warn((Marker) null, source()); - logger.warn((Marker) null, (String) source()); - logger.warn((Marker) null, (String) source(), new Object[] {}); - logger.warn((Marker) null, (String) null, new Object[] {source()}); - logger.warn((Marker) null, (String) null, (Object) source()); - logger.warn((Marker) null, (String) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, 
(Object) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((Marker) null, (String) source(), (Supplier) null); - logger.warn((Marker) null, (String) null, (Supplier) source()); - logger.warn((Marker) null, (String) source(), (Throwable) null); - logger.warn((Marker) null, (Supplier) source()); - logger.warn((Marker) null, (Supplier) source(), (Throwable) null); - logger.warn((MessageSupplier) source()); - logger.warn((MessageSupplier) source(), (Throwable) null); - logger.warn((Message) source()); - logger.warn((Message) source(), (Throwable) null); - logger.warn(source()); - logger.warn(source(), (Throwable) null); - logger.warn((String) source()); - logger.warn((String) source(), (Object[]) null); - logger.warn((String) null, new Object[] {source()}); - logger.warn((String) null, (Object) source()); - logger.warn((String) source(), (Object) null); - logger.warn((String) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) source(), (Object) null); - logger.warn((String) source(), (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) null, (Object) source(), (Object) null); - logger.warn((String) null, 
(Object) source(), (Object) null, (Object) null); - logger.warn((String) source(), (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - 
logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) 
null); - logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) 
null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - logger.warn((String) source(), (Supplier) null); - logger.warn((String) null, (Supplier) source()); - logger.warn((String) source(), (Throwable) null); - logger.warn((Supplier) source()); - logger.warn((Supplier) source(), (Throwable) null); + logger.debug((CharSequence) source()); // $ Alert + logger.debug((CharSequence) source(), (Throwable) null); // $ Alert + logger.debug((Marker) null, (CharSequence) source()); // $ Alert + logger.debug((Marker) null, (CharSequence) source(), null); // $ Alert + logger.debug((Marker) null, (Message) source()); // $ Alert + logger.debug((Marker) null, (MessageSupplier) source()); // $ Alert + logger.debug((Marker) null, (MessageSupplier) source(), null); // $ Alert + logger.debug((Marker) null, source()); // $ Alert + logger.debug((Marker) null, (String) source()); // $ Alert + logger.debug((Marker) null, (String) source(), new Object[] {}); // $ Alert + logger.debug((Marker) null, (String) null, new Object[] {source()}); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) 
source(), (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) 
null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, 
(String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + 
logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((Marker) null, (String) source(), (Supplier) null); // $ Alert + logger.debug((Marker) null, (String) null, (Supplier) source()); // $ Alert + logger.debug((Marker) null, (String) source(), (Throwable) null); // $ Alert + logger.debug((Marker) null, (Supplier) source()); // $ Alert + logger.debug((Marker) null, (Supplier) source(), (Throwable) null); // $ Alert + logger.debug((MessageSupplier) source()); // $ Alert 
+ logger.debug((MessageSupplier) source(), (Throwable) null); // $ Alert + logger.debug((Message) source()); // $ Alert + logger.debug((Message) source(), (Throwable) null); // $ Alert + logger.debug(source()); // $ Alert + logger.debug(source(), (Throwable) null); // $ Alert + logger.debug((String) source()); // $ Alert + logger.debug((String) source(), (Object[]) null); // $ Alert + logger.debug((String) null, new Object[] {source()}); // $ Alert + logger.debug((String) null, (Object) source()); // $ Alert + logger.debug((String) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, 
(Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + 
logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.debug((String) source(), (Supplier) null); // $ Alert + logger.debug((String) 
null, (Supplier) source()); // $ Alert + logger.debug((String) source(), (Throwable) null); // $ Alert + logger.debug((Supplier) source()); // $ Alert + logger.debug((Supplier) source(), (Throwable) null); // $ Alert + logger.error((CharSequence) source()); // $ Alert + logger.error((CharSequence) source(), (Throwable) null); // $ Alert + logger.error((Marker) null, (CharSequence) source()); // $ Alert + logger.error((Marker) null, (CharSequence) source(), null); // $ Alert + logger.error((Marker) null, (Message) source()); // $ Alert + logger.error((Marker) null, (MessageSupplier) source()); // $ Alert + logger.error((Marker) null, (MessageSupplier) source(), null); // $ Alert + logger.error((Marker) null, source()); // $ Alert + logger.error((Marker) null, (String) source()); // $ Alert + logger.error((Marker) null, (String) source(), new Object[] {}); // $ Alert + logger.error((Marker) null, (String) null, new Object[] {source()}); // $ Alert + logger.error((Marker) null, (String) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) 
null, (Object) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + 
logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + 
logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), 
(Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((Marker) null, (String) source(), (Supplier) null); // $ Alert + logger.error((Marker) null, (String) null, (Supplier) source()); // $ Alert + logger.error((Marker) null, (String) source(), (Throwable) null); // $ Alert + logger.error((Marker) null, (Supplier) source()); // $ Alert + logger.error((Marker) null, (Supplier) source(), (Throwable) null); // $ Alert + logger.error((MessageSupplier) source()); // $ Alert + logger.error((MessageSupplier) source(), (Throwable) null); // $ Alert + logger.error((Message) source()); // $ Alert + logger.error((Message) source(), (Throwable) null); // $ Alert + logger.error(source()); // $ Alert + logger.error(source(), (Throwable) null); // $ Alert + logger.error((String) source()); // $ Alert + 
logger.error((String) source(), (Object[]) null); // $ Alert + logger.error((String) null, new Object[] {source()}); // $ Alert + logger.error((String) null, (Object) source()); // $ Alert + logger.error((String) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + 
logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + 
logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.error((String) 
null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.error((String) source(), (Supplier) null); // $ Alert + logger.error((String) null, (Supplier) source()); // $ Alert + logger.error((String) source(), (Throwable) null); // $ Alert + logger.error((Supplier) source()); // $ Alert + logger.error((Supplier) source(), (Throwable) null); // $ Alert + logger.fatal((CharSequence) source()); // $ Alert + logger.fatal((CharSequence) 
source(), (Throwable) null); // $ Alert + logger.fatal((Marker) null, (CharSequence) source()); // $ Alert + logger.fatal((Marker) null, (CharSequence) source(), null); // $ Alert + logger.fatal((Marker) null, (Message) source()); // $ Alert + logger.fatal((Marker) null, (MessageSupplier) source()); // $ Alert + logger.fatal((Marker) null, (MessageSupplier) source(), null); // $ Alert + logger.fatal((Marker) null, source()); // $ Alert + logger.fatal((Marker) null, (String) source()); // $ Alert + logger.fatal((Marker) null, (String) source(), new Object[] {}); // $ Alert + logger.fatal((Marker) null, (String) null, new Object[] {source()}); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + 
logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + 
logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), 
(Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) 
null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((Marker) null, (String) source(), (Supplier) null); // $ Alert + logger.fatal((Marker) null, (String) null, (Supplier) source()); // $ Alert + logger.fatal((Marker) null, (String) source(), (Throwable) null); // $ Alert + logger.fatal((Marker) null, (Supplier) source()); // $ Alert + logger.fatal((Marker) null, (Supplier) source(), (Throwable) null); // $ Alert + logger.fatal((MessageSupplier) source()); // $ Alert + logger.fatal((MessageSupplier) source(), (Throwable) null); // $ Alert + logger.fatal((Message) source()); // $ Alert + logger.fatal((Message) source(), (Throwable) null); // $ Alert + logger.fatal(source()); // $ Alert + logger.fatal(source(), (Throwable) null); // $ Alert + logger.fatal((String) source()); // $ Alert + logger.fatal((String) source(), (Object[]) null); // $ Alert + logger.fatal((String) null, new Object[] {source()}); // $ Alert + logger.fatal((String) null, (Object) source()); // $ Alert + logger.fatal((String) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source()); 
// $ Alert + logger.fatal((String) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, 
(Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + 
logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.fatal((String) source(), (Supplier) null); // $ Alert + logger.fatal((String) null, (Supplier) source()); // $ Alert + logger.fatal((String) source(), (Throwable) null); // $ Alert + logger.fatal((Supplier) source()); // $ Alert + logger.fatal((Supplier) source(), (Throwable) null); // $ Alert + logger.info((CharSequence) source()); // $ Alert + logger.info((CharSequence) source(), (Throwable) null); // $ Alert + logger.info((Marker) null, (CharSequence) source()); // $ Alert + logger.info((Marker) null, (CharSequence) source(), null); // $ Alert + logger.info((Marker) null, (Message) source()); // $ Alert + logger.info((Marker) null, (MessageSupplier) source()); // $ Alert + logger.info((Marker) null, 
(MessageSupplier) source(), null); // $ Alert + logger.info((Marker) null, source()); // $ Alert + logger.info((Marker) null, (String) source()); // $ Alert + logger.info((Marker) null, (String) source(), new Object[] {}); // $ Alert + logger.info((Marker) null, (String) null, new Object[] {source()}); // $ Alert + logger.info((Marker) null, (String) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), 
(Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) 
null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) null, (Object) 
source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((Marker) null, (String) source(), (Supplier) null); // $ Alert + logger.info((Marker) null, (String) null, (Supplier) source()); // $ Alert + logger.info((Marker) null, (String) source(), (Throwable) null); // $ Alert + logger.info((Marker) null, (Supplier) source()); // $ Alert + logger.info((Marker) null, (Supplier) source(), (Throwable) null); // $ Alert + logger.info((MessageSupplier) source()); // $ Alert + logger.info((MessageSupplier) source(), (Throwable) null); // $ Alert + logger.info((Message) source()); // $ Alert + logger.info((Message) source(), (Throwable) null); // $ Alert + logger.info(source()); // $ Alert + logger.info(source(), (Throwable) null); // $ Alert + logger.info((String) source()); // $ Alert + logger.info((String) source(), (Object[]) null); // $ Alert + logger.info((String) null, new Object[] {source()}); // $ Alert + logger.info((String) null, (Object) source()); // $ Alert + logger.info((String) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) source(), (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) source(), (Object) null, (Object) null); // $ 
Alert + logger.info((String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) 
null); // $ Alert + logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + 
logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.info((String) source(), (Supplier) null); // $ Alert + logger.info((String) null, (Supplier) source()); // $ Alert + logger.info((String) source(), (Throwable) null); // $ Alert + logger.info((Supplier) source()); // $ Alert + logger.info((Supplier) source(), (Throwable) null); // $ Alert + logger.log((Level) null, (CharSequence) source()); // $ Alert + logger.log((Level) null, (CharSequence) source(), (Throwable) null); // $ Alert + logger.log((Level) null, (Marker) null, (CharSequence) source()); // $ Alert + logger.log((Level) null, (Marker) null, (CharSequence) source(), null); // $ Alert + logger.log((Level) null, (Marker) null, (Message) source()); // $ Alert + logger.log((Level) null, (Marker) null, (MessageSupplier) source()); // $ Alert + logger.log((Level) null, (Marker) null, (MessageSupplier) source(), null); // $ Alert + logger.log((Level) null, (Marker) null, source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), new Object[] {}); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, new Object[] {source()}); // $ Alert + logger.log((Level) null, 
(Marker) null, (String) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), 
(Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + 
logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) 
null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, 
(Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Supplier) null); // $ Alert + logger.log((Level) null, (Marker) null, (String) null, (Supplier) source()); // $ Alert + logger.log((Level) null, (Marker) null, (String) source(), (Throwable) null); // $ Alert + logger.log((Level) null, (Marker) null, (Supplier) source()); // $ Alert + logger.log((Level) null, (Marker) null, (Supplier) source(), (Throwable) null); // $ Alert + logger.log((Level) null, (MessageSupplier) source()); // $ Alert + logger.log((Level) null, (MessageSupplier) source(), (Throwable) null); // $ Alert + logger.log((Level) null, (Message) source()); // $ Alert + logger.log((Level) null, (Message) source(), (Throwable) null); // $ Alert + logger.log((Level) null, source()); // $ Alert + logger.log((Level) null, source(), (Throwable) null); // $ Alert + logger.log((Level) null, (String) source()); // $ Alert + logger.log((Level) null, (String) source(), (Object[]) null); // $ Alert + logger.log((Level) null, (String) null, new Object[] {source()}); // $ Alert + logger.log((Level) null, (String) null, (Object) 
source()); // $ Alert + logger.log((Level) null, (String) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, 
(Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); 
// $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null, 
(Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) 
null, (Object) null); // $ Alert + logger.log((Level) null, (String) source(), (Supplier) null); // $ Alert + logger.log((Level) null, (String) null, (Supplier) source()); // $ Alert + logger.log((Level) null, (String) source(), (Throwable) null); // $ Alert + logger.log((Level) null, (Supplier) source()); // $ Alert + logger.log((Level) null, (Supplier) source(), (Throwable) null); // $ Alert + logger.trace((CharSequence) source()); // $ Alert + logger.trace((CharSequence) source(), (Throwable) null); // $ Alert + logger.trace((Marker) null, (CharSequence) source()); // $ Alert + logger.trace((Marker) null, (CharSequence) source(), null); // $ Alert + logger.trace((Marker) null, (Message) source()); // $ Alert + logger.trace((Marker) null, (MessageSupplier) source()); // $ Alert + logger.trace((Marker) null, (MessageSupplier) source(), null); // $ Alert + logger.trace((Marker) null, source()); // $ Alert + logger.trace((Marker) null, (String) source()); // $ Alert + logger.trace((Marker) null, (String) source(), new Object[] {}); // $ Alert + logger.trace((Marker) null, (String) null, new Object[] {source()}); // $ Alert + logger.trace((Marker) null, (String) null, (Object) source()); // $ Alert + logger.trace((Marker) null, (String) source(), (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) source()); // $ Alert + logger.trace((Marker) null, (String) null, (Object) source(), (Object) null); // $ Alert + logger.trace((Marker) null, (String) source(), (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + 
logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, 
(Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((Marker) null, (String) source(), (Supplier) null); // $ Alert
+ logger.trace((Marker) null, (String) null, (Supplier) source()); // $ Alert
+ logger.trace((Marker) null, (String) source(), (Throwable) null); // $ Alert
+ logger.trace((Marker) null, (Supplier) source()); // $ Alert
+ logger.trace((Marker) null, (Supplier) source(), (Throwable) null); // $ Alert
+ logger.trace((MessageSupplier) source()); // $ Alert
+ logger.trace((MessageSupplier) source(), (Throwable) null); // $ Alert
+ logger.trace((Message) source()); // $ Alert
+ logger.trace((Message) source(), (Throwable) null); // $ Alert
+ logger.trace(source()); // $ Alert
+ logger.trace(source(), (Throwable) null); // $ Alert
+ logger.trace((String) source()); // $ Alert
+ logger.trace((String) source(), (Object[]) null); // $ Alert
+ logger.trace((String) null, new Object[] {source()}); // $ Alert
+ logger.trace((String) null, (Object) source()); // $ Alert
+ logger.trace((String) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.trace((String) source(), (Supplier) null); // $ Alert
+ logger.trace((String) null, (Supplier) source()); // $ Alert
+ logger.trace((String) source(), (Throwable) null); // $ Alert
+ logger.trace((Supplier) source()); // $ Alert
+ logger.trace((Supplier) source(), (Throwable) null); // $ Alert
+ logger.warn((CharSequence) source()); // $ Alert
+ logger.warn((CharSequence) source(), (Throwable) null); // $ Alert
+ logger.warn((Marker) null, (CharSequence) source()); // $ Alert
+ logger.warn((Marker) null, (CharSequence) source(), null); // $ Alert
+ logger.warn((Marker) null, (Message) source()); // $ Alert
+ logger.warn((Marker) null, (MessageSupplier) source()); // $ Alert
+ logger.warn((Marker) null, (MessageSupplier) source(), null); // $ Alert
+ logger.warn((Marker) null, source()); // $ Alert
+ logger.warn((Marker) null, (String) source()); // $ Alert
+ logger.warn((Marker) null, (String) source(), new Object[] {}); // $ Alert
+ logger.warn((Marker) null, (String) null, new Object[] {source()}); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Supplier) null); // $ Alert
+ logger.warn((Marker) null, (String) null, (Supplier) source()); // $ Alert
+ logger.warn((Marker) null, (String) source(), (Throwable) null); // $ Alert
+ logger.warn((Marker) null, (Supplier) source()); // $ Alert
+ logger.warn((Marker) null, (Supplier) source(), (Throwable) null); // $ Alert
+ logger.warn((MessageSupplier) source()); // $ Alert
+ logger.warn((MessageSupplier) source(), (Throwable) null); // $ Alert
+ logger.warn((Message) source()); // $ Alert
+ logger.warn((Message) source(), (Throwable) null); // $ Alert
+ logger.warn(source()); // $ Alert
+ logger.warn(source(), (Throwable) null); // $ Alert
+ logger.warn((String) source()); // $ Alert
+ logger.warn((String) source(), (Object[]) null); // $ Alert
+ logger.warn((String) null, new Object[] {source()}); // $ Alert
+ logger.warn((String) null, (Object) source()); // $ Alert
+ logger.warn((String) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert
+ logger.warn((String) source(), (Supplier) null); // $ Alert
+ logger.warn((String) null, (Supplier) source()); // $ Alert
+ logger.warn((String) source(), (Throwable) null); // $ Alert
+ logger.warn((Supplier) source()); // $ Alert
+ logger.warn((Supplier) source(), (Throwable) null); // $ Alert
 // @formatter:on
- logger.logMessage(null, null, null, null, (Message) source(), null);
- logger.printf(null, null, (String) source(), (Object[]) null);
- logger.printf(null, null, null, new Object[] {source()});
- logger.printf(null, (String) source(), (Object[]) null);
- logger.printf(null, null, new Object[] {source()});
+ logger.logMessage(null, null, null, null, (Message) source(), null); // $ Alert
+ logger.printf(null, null, (String) source(), (Object[]) null); // $ Alert
+ logger.printf(null, null, null, new Object[] {source()}); // $ Alert
+ logger.printf(null, (String) source(), (Object[]) null); // $ Alert
+ logger.printf(null, null, new Object[] {source()}); // $ Alert
 logger.traceEntry((Message) source());
 logger.traceEntry((String) source(), (Object[]) null);
 logger.traceEntry((String) null, new Object[] {source()});
@@ -1017,109 +1017,109 @@ public void test() { } { LogBuilder builder = null; - builder.log((CharSequence) source()); - builder.log((Message) source()); - builder.log(source()); - builder.log((String) source()); - builder.log((String) source(), (Object[]) null); - builder.log((String) null, new Object[] {source()}); - builder.log((String) null, source()); + builder.log((CharSequence) source()); // $ Alert + builder.log((Message) source()); // $ Alert + builder.log(source()); // $ Alert + builder.log((String) source()); // $ Alert + builder.log((String) source(), (Object[]) null); // $ Alert + builder.log((String) null, new Object[] {source()}); // $ Alert + builder.log((String) null, source()); // $ Alert // @formatter:off - builder.log((String) null, (Object) source()); - builder.log((String) source(), (Object) null); - builder.log((String) null, (Object) null, (Object) source()); - builder.log((String) null, (Object) source(), (Object) null); - builder.log((String) source(), (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) source()); - builder.log((String) null, (Object) null, (Object) source(), (Object) null); - builder.log((String) null, (Object) source(), (Object) null, (Object) null); - builder.log((String) source(), (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); - builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); - builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); - builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); - builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - builder.log((String) null, (Object) null, (Object) null, (Object) null, 
(Object) source(), (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) 
null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) 
source()); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); - builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); + builder.log((String) null, (Object) source()); // $ Alert + builder.log((String) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, 
(Object) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, 
(Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) 
null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source()); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) 
null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) null, (Object) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert + builder.log((String) source(), (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null, (Object) null); // $ Alert // @formatter:on - builder.log((String) source(), (Supplier) null); - builder.log((String) null, (Supplier) source()); - builder.log((Supplier) source()); + builder.log((String) source(), (Supplier) null); // $ Alert + builder.log((String) null, (Supplier) source()); // $ Alert + builder.log((Supplier) source()); // $ Alert } { - ThreadContext.put("key", (String) source()); - ThreadContext.putIfNull("key", (String) source()); + ThreadContext.put("key", (String) source()); // $ Alert + ThreadContext.putIfNull("key", (String) source()); // $ Alert Map map = new HashMap(); map.put("key", (String) source()); - ThreadContext.putAll(map); + ThreadContext.putAll(map); // $ Alert } { MapMessage mmsg = new StringMapMessage().with("username", (String) source()); - logger.error(mmsg); + logger.error(mmsg); // $ Alert } { MapMessage mmsg = new StringMapMessage(); mmsg.with("username", (String) source()); - logger.error(mmsg); + logger.error(mmsg); // $ Alert } { MapMessage mmsg = new StringMapMessage(); mmsg.put("username", (String) source()); - logger.error(mmsg); + 
logger.error(mmsg); // $ Alert } { MapMessage mmsg = new StringMapMessage(); Map map = new HashMap(); map.put("username", (String) source()); mmsg.putAll(map); - logger.error(mmsg); + logger.error(mmsg); // $ Alert } { - CloseableThreadContext.put("username", (String) source()); - CloseableThreadContext.put("safe", "safe").put("username", (String) source()); + CloseableThreadContext.put("username", (String) source()); // $ Alert + CloseableThreadContext.put("safe", "safe").put("username", (String) source()); // $ Alert Map map = new HashMap(); map.put("username", (String) source()); - CloseableThreadContext.putAll(map); - CloseableThreadContext.put("safe", "safe").putAll(map); + CloseableThreadContext.putAll(map); // $ Alert + CloseableThreadContext.put("safe", "safe").putAll(map); // $ Alert } } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.java b/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.java index 2534386a2106..6080167987c1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.java +++ b/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.java @@ -18,12 +18,12 @@ public class FilePathInjection extends Controller { // BAD: Upload file to user specified path without validation public void uploadFile() throws IOException { - String savePath = getPara("dir"); + String savePath = getPara("dir"); // $ Source File file = getFile("fileParam").getFile(); String finalFilePath = BASE_PATH + savePath; FileInputStream fis = new FileInputStream(file); - FileOutputStream fos = new FileOutputStream(finalFilePath); + FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert int i = 0; do { 
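Review bot: The `// $ Source` and `// $ Alert` tags added in `uploadFile` name no query, while the CWE-078, CWE-089 and CWE-094 tests in this same patch qualify theirs (for example `Alert[java/command-line-injection-experimental]` and `Source[java/beanshell-injection]`). Bare tags are presumably sufficient while FilePathInjection.qlref is the only query run over this directory, but they stop saying which query owns the expectation once a second path-injection query is pointed at the same file. Consider the qualified form here as well, e.g. `// $ Alert[<query-id>]` and `// $ Source[<query-id>]` with the id declared in FilePathInjection.ql. The same applies to the later hunks of this file, and `uploadFile`'s body continues outside the hunk.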
@@ -61,7 +61,7 @@ public void uploadFile2() throws IOException { // BAD: Upload file to user specified path without validation through session attribute public void uploadFile3() throws IOException { - String savePath = getPara("dir"); + String savePath = getPara("dir"); // $ Source setSessionAttr("uploadDir", savePath); String sessionUploadDir = getSessionAttr("uploadDir"); @@ -69,7 +69,7 @@ public void uploadFile3() throws IOException { String finalFilePath = BASE_PATH + sessionUploadDir; FileInputStream fis = new FileInputStream(file); - FileOutputStream fos = new FileOutputStream(finalFilePath); + FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert int i = 0; do { @@ -84,7 +84,7 @@ public void uploadFile3() throws IOException { // BAD: Upload file to user specified path without validation through request attribute public void uploadFile4() throws IOException { - String savePath = getPara("dir"); + String savePath = getPara("dir"); // $ Source setAttr("uploadDir2", savePath); String requestUploadDir = getAttr("uploadDir2"); @@ -92,7 +92,7 @@ public void uploadFile4() throws IOException { String finalFilePath = BASE_PATH + requestUploadDir; FileInputStream fis = new FileInputStream(file); - FileOutputStream fos = new FileOutputStream(finalFilePath); + FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert int i = 0; do { @@ -179,7 +179,7 @@ private void readFile(HttpServletResponse resp, File file) { FileInputStream fis = null; try { os = resp.getOutputStream(); - fis = new FileInputStream(file); + fis = new FileInputStream(file); // $ Alert byte fileContent[] = new byte[(int) file.length()]; fis.read(fileContent); os.write(fileContent); 
@@ -202,12 +202,12 @@ private void readFile(HttpServletResponse resp, File file) { // BAD: Download file to user specified path without validation public void downloadFile() throws FileNotFoundException, IOException { HttpServletRequest request = getRequest(); - String path = request.getParameter("path"); + String path = request.getParameter("path"); // $ Source String filePath = BASE_PATH + path; HttpServletResponse resp = getResponse(); File file = new File(filePath); - if (path != null && file.exists()) { + if (path != null && file.exists()) { // $ Alert resp.setHeader("Content-type", "application/force-download"); resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\""); resp.setHeader("Content-Transfer-Encoding", "Binary"); diff --git a/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.qlref index e0dc75098eb2..c541d90b184b 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-073/FilePathInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-073/FilePathInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref b/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref index 24bd62c5a2e6..9916b1562890 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-078/CommandInjectionRuntimeExecLocal.qlref 
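Review bot: The `// $ Alert` added on `if (path != null && file.exists()) {` pins the finding to a line that holds two conditions and no read or write, so a reader cannot tell which expression the query is expected to report. Presumably it is the `file.exists()` call on the `File` built from the tainted `path`. A short comment above the `if`, for example `// expected alert: the tainted File is reported at file.exists(), before any read`, would record that intent and stop a later edit from moving the tag. `downloadFile`'s body continues outside the hunk, so whether the subsequent read is also meant to alert cannot be checked from here.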
@@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref index ddd01d295395..4db90bad013d 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-078/ExecTainted.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-078/ExecTainted.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java index 7b8c5a1181c9..3b21f0de7f43 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java +++ b/java/ql/test/experimental/query-tests/security/CWE-078/JSchOSInjectionTest.java @@ -11,7 +11,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) String host = "sshHost"; String user = "user"; String password = "password"; - String command = request.getParameter("command"); + String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental] java.util.Properties config = new java.util.Properties(); config.put("StrictHostKeyChecking", "no"); 
@@ -24,7 +24,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) session.connect(); Channel channel = session.openChannel("exec"); - ((ChannelExec) channel).setCommand("ping " + command); + ((ChannelExec) channel).setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental] channel.setInputStream(null); ((ChannelExec) channel).setErrStream(System.err); @@ -37,7 +37,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) String host = "sshHost"; String user = "user"; String password = "password"; - String command = request.getParameter("command"); + String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental] java.util.Properties config = new java.util.Properties(); config.put("StrictHostKeyChecking", "no"); @@ -50,7 +50,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) session.connect(); ChannelExec channel = (ChannelExec)session.openChannel("exec"); - channel.setCommand("ping " + command); + channel.setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental] channel.setInputStream(null); channel.setErrStream(System.err); diff --git a/java/ql/test/experimental/query-tests/security/CWE-078/RuntimeExecTest.java b/java/ql/test/experimental/query-tests/security/CWE-078/RuntimeExecTest.java index 203c3855c87d..9d1ec9d73f76 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-078/RuntimeExecTest.java +++ b/java/ql/test/experimental/query-tests/security/CWE-078/RuntimeExecTest.java 
@@ -14,29 +14,29 @@ public class RuntimeExecTest { public static void test() { System.out.println("Command injection test"); - String script = System.getenv("SCRIPTNAME"); + String script = System.getenv("SCRIPTNAME"); // $ Source[java/command-line-injection-extra-local] if (script != null) { try { // 1. array literal in the args - Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); + Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); // $ Alert[java/command-line-injection-extra-local] // 2. array literal with dataflow String[] commandArray1 = new String[]{"/bin/sh", script}; - Runtime.getRuntime().exec(commandArray1); + Runtime.getRuntime().exec(commandArray1); // $ Alert[java/command-line-injection-extra-local] // 3. array assignment after it is created String[] commandArray2 = new String[4]; commandArray2[0] = "/bin/sh"; commandArray2[1] = script; - Runtime.getRuntime().exec(commandArray2); + Runtime.getRuntime().exec(commandArray2); // $ Alert[java/command-line-injection-extra-local] // 4. Stream concatenation Runtime.getRuntime().exec( - Stream.concat( + Stream.concat( // $ Arrays.stream(new String[]{"/bin/sh"}), Arrays.stream(new String[]{script}) - ).toArray(String[]::new) + ).toArray(String[]::new) // $ Alert[java/command-line-injection-extra-local] ); } catch (Exception e) { diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.qlref index 44302277a796..2ed491d5df0d 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisAnnotationSqlInjection.qlref 
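Review bot: In case 4 the added line `Stream.concat( // $` carries an expectation marker with no tag after it, so as written it states no expectation and reads like an unfinished annotation. The only tag for that call is the `Alert[java/command-line-injection-extra-local]` on the `).toArray(String[]::new)` line. Either drop the marker so the line is again `Stream.concat(`, or, if the alert is meant to be anchored at the start of the multi-line argument, put the tag there instead. In a command-injection test a stray marker makes it harder to see which line the alert is pinned to when the reported location shifts. The `try` block and `test()` continue outside the hunk.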
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.qlref
index 19e95a85de4c..404b67d50018 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.qlref
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java
index 856c1d0b299e..7ea49efbf9ab 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java
@@ -16,55 +16,55 @@ public class MybatisSqlInjection { private MybatisSqlInjectionService mybatisSqlInjectionService; @GetMapping(value = "msi1") - public List bad1(@RequestParam String name) { + public List bad1(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection] List result = mybatisSqlInjectionService.bad1(name); return result; } @GetMapping(value = "msi2") - public List bad2(@RequestParam String name) { + public List bad2(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection] List result = mybatisSqlInjectionService.bad2(name); return result; } @GetMapping(value = "msi3") - public List bad3(@ModelAttribute Test test) { + public List bad3(@ModelAttribute Test test) { // $ Source[java/mybatis-xml-sql-injection] List result = mybatisSqlInjectionService.bad3(test); return result; } @RequestMapping(value = "msi4", method = RequestMethod.POST, produces = "application/json") - public void bad4(@RequestBody Test test) { + public void bad4(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection] mybatisSqlInjectionService.bad4(test); } @RequestMapping(value = "msi5", method = RequestMethod.PUT, produces = "application/json") - public void bad5(@RequestBody Test test) { + public void bad5(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection] mybatisSqlInjectionService.bad5(test); } @RequestMapping(value = "msi6", method = RequestMethod.POST, produces = "application/json") - public void bad6(@RequestBody Map params) { + public void bad6(@RequestBody Map params) { // $ Source[java/mybatis-xml-sql-injection] mybatisSqlInjectionService.bad6(params); } @RequestMapping(value = "msi7", method = RequestMethod.POST, produces = "application/json") - public void bad7(@RequestBody List params) { + public void bad7(@RequestBody List params) { // $ Source[java/mybatis-xml-sql-injection] mybatisSqlInjectionService.bad7(params); } @RequestMapping(value = "msi8", method = RequestMethod.POST, produces = 
"application/json") - public void bad8(@RequestBody String[] params) { + public void bad8(@RequestBody String[] params) { // $ Source[java/mybatis-xml-sql-injection] mybatisSqlInjectionService.bad8(params); } @GetMapping(value = "msi9") - public void bad9(@RequestParam String name) { + public void bad9(@RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection] mybatisSqlInjectionService.bad9(name); } @GetMapping(value = "msi10") - public void bad10(@RequestParam Integer id, @RequestParam String name) { + public void bad10(@RequestParam Integer id, @RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection] mybatisSqlInjectionService.bad10(id, name); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java index 6e334ea35dda..7a686c0498a5 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java +++ b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java 
@@ -11,48 +11,48 @@ public class MybatisSqlInjectionService { private SqlInjectionMapper sqlInjectionMapper; public List bad1(String name) { - List result = sqlInjectionMapper.bad1(name); + List result = sqlInjectionMapper.bad1(name); // $ Alert[java/mybatis-xml-sql-injection] return result; } public List bad2(String name) { - List result = sqlInjectionMapper.bad2(name); + List result = sqlInjectionMapper.bad2(name); // $ Alert[java/mybatis-xml-sql-injection] return result; } public List bad3(Test test) { - List result = sqlInjectionMapper.bad3(test); + List result = sqlInjectionMapper.bad3(test); // $ Alert[java/mybatis-xml-sql-injection] return result; } public void bad4(Test test) { - sqlInjectionMapper.bad4(test); + sqlInjectionMapper.bad4(test); // $ Alert[java/mybatis-xml-sql-injection] } public void bad5(Test test) { - sqlInjectionMapper.bad5(test); + sqlInjectionMapper.bad5(test); // $ Alert[java/mybatis-xml-sql-injection] } public void bad6(Map params) { - sqlInjectionMapper.bad6(params); + sqlInjectionMapper.bad6(params); // $ Alert[java/mybatis-xml-sql-injection] } public void bad7(List params) { - sqlInjectionMapper.bad7(params); + sqlInjectionMapper.bad7(params); // $ Alert[java/mybatis-xml-sql-injection] } public void bad8(String[] params) { - sqlInjectionMapper.bad8(params); + sqlInjectionMapper.bad8(params); // $ Alert[java/mybatis-xml-sql-injection] } public void bad9(String name) { HashMap hashMap = new HashMap(); hashMap.put("name", name); - sqlInjectionMapper.bad9(hashMap); + sqlInjectionMapper.bad9(hashMap); // $ Alert[java/mybatis-annotation-sql-injection] } public void bad10(Integer id, String name) { - sqlInjectionMapper.bad10(id, name); + sqlInjectionMapper.bad10(id, name); // $ Alert[java/mybatis-annotation-sql-injection] } public List good1(Integer id) { 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java index ee98929312b6..015c1569df49 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java +++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.java @@ -10,24 +10,24 @@ public class BeanShellInjection { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/beanshell-injection] BshScriptEvaluator evaluator = new BshScriptEvaluator(); - evaluator.evaluate(new StaticScriptSource(code)); //bad + evaluator.evaluate(new StaticScriptSource(code)); // $ Alert[java/beanshell-injection] //bad } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) throws Exception { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/beanshell-injection] Interpreter interpreter = new Interpreter(); - interpreter.eval(code); //bad + interpreter.eval(code); // $ Alert[java/beanshell-injection] //bad } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/beanshell-injection] StaticScriptSource staticScriptSource = new StaticScriptSource("test"); staticScriptSource.setScript(code); BshScriptEvaluator evaluator = new BshScriptEvaluator(); - evaluator.evaluate(staticScriptSource); //bad + evaluator.evaluate(staticScriptSource); // $ Alert[java/beanshell-injection] //bad } } diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref index 00de86522031..8476fa9ca1a9 100644 
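Review bot: In BeanShellInjection.java the legacy `//bad` marker now trails the expectation on all three sink lines (`evaluate(new StaticScriptSource(code))`, `interpreter.eval(code)`, `evaluate(staticScriptSource)`), so each line ends in two stacked comments and still does not say why the call is bad. The harness appears to ignore text after a second `//`, so this is cosmetic, but JShellInjection.java in this same patch keeps the rationale on its own line above the sink. I would do the same here, e.g. `// BAD: evaluates request-controlled BeanShell code` above each call, leaving `// $ Alert[java/beanshell-injection]` alone on the sink line.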
--- a/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-094/BeanShellInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-094/BeanShellInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.java index 115030087fff..5e37c77e7549 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.java +++ b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.java @@ -9,24 +9,24 @@ public class JShellInjection { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String input = request.getParameter("code"); + String input = request.getParameter("code"); // $ Source[java/jshell-injection] JShell jShell = JShell.builder().build(); // BAD: allow execution of arbitrary Java code - jShell.eval(input); + jShell.eval(input); // $ Alert[java/jshell-injection] } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { - String input = request.getParameter("code"); + String input = request.getParameter("code"); // $ Source[java/jshell-injection] JShell jShell = JShell.builder().build(); SourceCodeAnalysis sourceCodeAnalysis = jShell.sourceCodeAnalysis(); // BAD: allow execution of arbitrary Java code - sourceCodeAnalysis.wrappers(input); + sourceCodeAnalysis.wrappers(input); // $ Alert[java/jshell-injection] } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { - String input = request.getParameter("code"); + String input = request.getParameter("code"); // $ Source[java/jshell-injection] JShell jShell = JShell.builder().build(); SourceCodeAnalysis.CompletionInfo info; SourceCodeAnalysis sca = jShell.sourceCodeAnalysis(); 
@@ -34,7 +34,7 @@ public void bad3(HttpServletRequest request) { info.completeness().isComplete(); info = sca.analyzeCompletion(info.remaining())) { // BAD: allow execution of arbitrary Java code - jShell.eval(info.source()); + jShell.eval(info.source()); // $ Alert[java/jshell-injection] } } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref index d5b2db58b53a..ec418d1a57dd 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-094/JShellInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-094/JShellInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java index ae5b6a8d5e41..93cbddd5778a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java +++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.java @@ -20,7 +20,7 @@ private static void testWithSocket(Consumer action) throws IOException { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); + int n = socket.getInputStream().read(bytes); // $ Source[java/javaee-expression-injection] String expression = new String(bytes, 0, n); action.accept(expression); } 
@@ -31,7 +31,7 @@ private static void testWithSocket(Consumer action) throws IOException { private static void testWithELProcessorEval() throws IOException { testWithSocket(expression -> { ELProcessor processor = new ELProcessor(); - processor.eval(expression); + processor.eval(expression); // $ Alert[java/javaee-expression-injection] }); } @@ -39,7 +39,7 @@ private static void testWithELProcessorEval() throws IOException { private static void testWithELProcessorGetValue() throws IOException { testWithSocket(expression -> { ELProcessor processor = new ELProcessor(); - processor.getValue(expression, Object.class); + processor.getValue(expression, Object.class); // $ Alert[java/javaee-expression-injection] }); } @@ -50,7 +50,7 @@ private static void testWithLambdaExpressionInvoke() throws IOException { StandardELContext context = new StandardELContext(factory); ValueExpression valueExpression = factory.createValueExpression(context, expression, Object.class); LambdaExpression lambdaExpression = new LambdaExpression(new ArrayList<>(), valueExpression); - lambdaExpression.invoke(context, new Object[0]); + lambdaExpression.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection] }); } @@ -58,7 +58,7 @@ private static void testWithLambdaExpressionInvoke() throws IOException { private static void testWithELProcessorSetValue() throws IOException { testWithSocket(expression -> { ELProcessor processor = new ELProcessor(); - processor.setValue(expression, new Object()); + processor.setValue(expression, new Object()); // $ Alert[java/javaee-expression-injection] }); } @@ -66,7 +66,7 @@ private static void testWithELProcessorSetValue() throws IOException { private static void testWithELProcessorSetVariable() throws IOException { testWithSocket(expression -> { ELProcessor processor = new ELProcessor(); - processor.setVariable("test", expression); + processor.setVariable("test", expression); // $ Alert[java/javaee-expression-injection] }); } 
@@ -76,7 +76,7 @@ private static void testWithJuelValueExpressionGetValue() throws IOException { ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl(); ELContext context = new de.odysseus.el.util.SimpleContext(); ValueExpression e = factory.createValueExpression(context, expression, Object.class); - e.getValue(context); + e.getValue(context); // $ Alert[java/javaee-expression-injection] }); } @@ -86,7 +86,7 @@ private static void testWithJuelValueExpressionSetValue() throws IOException { ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl(); ELContext context = new de.odysseus.el.util.SimpleContext(); ValueExpression e = factory.createValueExpression(context, expression, Object.class); - e.setValue(context, new Object()); + e.setValue(context, new Object()); // $ Alert[java/javaee-expression-injection] }); } @@ -96,7 +96,7 @@ private static void testWithJuelMethodExpressionInvoke() throws IOException { ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl(); ELContext context = new de.odysseus.el.util.SimpleContext(); MethodExpression e = factory.createMethodExpression(context, expression, Object.class, new Class[0]); - e.invoke(context, new Object[0]); + e.invoke(context, new Object[0]); // $ Alert[java/javaee-expression-injection] }); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref index e00d8a116585..a1e03eeadcbc 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java index f9b29fec6cc2..653e7fd4afbb 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java +++ b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.java @@ -25,7 +25,7 @@ public JythonInjection() { // BAD: allow execution of arbitrary Python code protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/plain"); - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/jython-injection] PythonInterpreter interpreter = null; ByteArrayOutputStream out = new ByteArrayOutputStream(); @@ -33,7 +33,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t interpreter = new PythonInterpreter(); interpreter.setOut(out); interpreter.setErr(out); - interpreter.exec(code); + interpreter.exec(code); // $ Alert[java/jython-injection] out.flush(); response.getWriter().print(out.toString()); @@ -50,12 +50,12 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t // BAD: allow execution of arbitrary Python code protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/plain"); - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/jython-injection] PythonInterpreter interpreter = null; try { interpreter = new PythonInterpreter(); - PyObject py = interpreter.eval(code); + PyObject py = interpreter.eval(code); // $ Alert[java/jython-injection] response.getWriter().print(py.toString()); } catch(PyException ex) { 
@@ -70,7 +70,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response) // BAD: allow arbitrary Jython expression to run protected void doPut(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/plain"); - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/jython-injection] InteractiveInterpreter interpreter = null; ByteArrayOutputStream out = new ByteArrayOutputStream(); @@ -78,7 +78,7 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response) t interpreter = new InteractiveInterpreter(); interpreter.setOut(out); interpreter.setErr(out); - interpreter.runsource(code); + interpreter.runsource(code); // $ Alert[java/jython-injection] out.flush(); response.getWriter().print(out.toString()); @@ -94,7 +94,7 @@ protected void doPut(HttpServletRequest request, HttpServletResponse response) t // BAD: load arbitrary class file to execute protected void doTrace(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/plain"); - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/jython-injection] PythonInterpreter interpreter = null; ByteArrayOutputStream out = new ByteArrayOutputStream(); @@ -103,7 +103,7 @@ protected void doTrace(HttpServletRequest request, HttpServletResponse response) interpreter.setOut(out); interpreter.setErr(out); - PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc")); + PyCode pyCode = BytecodeLoader.makeCode("test", code.getBytes(), getServletContext().getRealPath("/com/example/test.pyc")); // $ Alert[java/jython-injection] interpreter.exec(pyCode); out.flush(); 
@@ -128,7 +128,7 @@ protected void doHead(HttpServletRequest request, HttpServletResponse response) interpreter.setOut(out); interpreter.setErr(out); - PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval); + PyCode pyCode = Py.compile(request.getInputStream(), "Test.py", org.python.core.CompileMode.eval); // $ Alert[java/jython-injection] interpreter.exec(pyCode); out.flush(); diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref index 7448a79394ec..3d3b09f48018 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-094/JythonInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java index e76a9543f87d..129c19034667 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java +++ b/java/ql/test/experimental/query-tests/security/CWE-094/RhinoServlet.java 
@@ -25,11 +25,11 @@ public RhinoServlet() { // BAD: allow arbitrary Java and JavaScript code to be executed protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/plain"); - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/unsafe-eval] Context ctx = Context.enter(); try { Scriptable scope = ctx.initStandardObjects(); - Object result = ctx.evaluateString(scope, code, "", 1, null); + Object result = ctx.evaluateString(scope, code, "", 1, null); // $ Alert[java/unsafe-eval] response.getWriter().print(Context.toString(result)); } catch(RhinoException ex) { response.getWriter().println(ex.getMessage()); @@ -78,14 +78,14 @@ public boolean visibleToScripts(String className) { // BAD: allow arbitrary code to be compiled for subsequent execution protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/unsafe-eval] ClassCompiler compiler = new ClassCompiler(new CompilerEnvirons()); - Object[] objs = compiler.compileToClassFiles(code, "/sourceLocation", 1, "mainClassName"); + Object[] objs = compiler.compileToClassFiles(code, "/sourceLocation", 1, "mainClassName"); // $ Alert[java/unsafe-eval] } // BAD: allow arbitrary code to be loaded for subsequent execution protected void doPost2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String code = request.getParameter("code"); - Class clazz = new DefiningClassLoader().defineClass("Powerfunc", code.getBytes()); + String code = request.getParameter("code"); // $ Source[java/unsafe-eval] + Class clazz = new DefiningClassLoader().defineClass("Powerfunc", code.getBytes()); // $ Alert[java/unsafe-eval] } } 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java index ed7099d7598d..a80003fe5ebd 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java +++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptEngineTest.java @@ -21,14 +21,14 @@ public void testWithScriptEngineReference(String input) throws ScriptException { ScriptEngineManager scriptEngineManager = new ScriptEngineManager(); // Create with ScriptEngine reference ScriptEngine scriptEngine = scriptEngineManager.getEngineByExtension("js"); - Object result = scriptEngine.eval(input); + Object result = scriptEngine.eval(input); // $ Alert[java/unsafe-eval] } public void testNashornWithScriptEngineReference(String input) throws ScriptException { NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); // Create Nashorn with ScriptEngine reference ScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" }); - Object result = engine.eval(input); + Object result = engine.eval(input); // $ Alert[java/unsafe-eval] } 
@@ -36,27 +36,27 @@ public void testNashornWithNashornScriptEngineReference(String input) throws Scr NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); // Create Nashorn with NashornScriptEngine reference NashornScriptEngine engine = (NashornScriptEngine) factory.getScriptEngine(new String[] { "-scripting" }); - Object result = engine.eval(input); + Object result = engine.eval(input); // $ Alert[java/unsafe-eval] } public void testCustomScriptEngineReference(String input) throws ScriptException { MyCustomFactory factory = new MyCustomFactory(); //Create with Custom Script Engine reference MyCustomScriptEngine engine = (MyCustomScriptEngine) factory.getScriptEngine(new String[] { "-scripting" }); - Object result = engine.eval(input); + Object result = engine.eval(input); // $ Alert[java/unsafe-eval] } public void testScriptEngineCompilable(String input) throws ScriptException { NashornScriptEngineFactory factory = new NashornScriptEngineFactory(); Compilable engine = (Compilable) factory.getScriptEngine(new String[] { "-scripting" }); - CompiledScript script = engine.compile(input); + CompiledScript script = engine.compile(input); // $ Alert[java/unsafe-eval] Object result = script.eval(); } public void testScriptEngineGetProgram(String input) throws ScriptException { ScriptEngineManager scriptEngineManager = new ScriptEngineManager(); ScriptEngine engine = scriptEngineManager.getEngineByName("nashorn"); - String program = engine.getFactory().getProgram(input); + String program = engine.getFactory().getProgram(input); // $ Alert[java/unsafe-eval] Object result = engine.eval(program); } 
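Review bot: In `testScriptEngineCompilable` and `testScriptEngineGetProgram` the `Alert[java/unsafe-eval]` expectation is pinned to `engine.compile(input)` and `getFactory().getProgram(input)`, while the `script.eval()` / `engine.eval(program)` call that follows carries none, and nothing says this is deliberate. The expectations appear to be converted from existing results, so a reader cannot tell whether the untagged executing call is intended or a gap in the query. A one-line comment above each tagged statement would settle it, e.g. `// alert is expected where the untrusted text is compiled, not at the later eval()`. The first method touched by this hunk starts above the hunk.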
@@ -88,7 +88,7 @@ public MyCustomFactory() { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { - String code = request.getParameter("code"); + String code = request.getParameter("code"); // $ Source[java/unsafe-eval] new ScriptEngineTest().testWithScriptEngineReference(code); new ScriptEngineTest().testNashornWithScriptEngineReference(code); diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref index 8bd566cf4fda..6aabb565b8b3 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-094/ScriptInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/FileService.java b/java/ql/test/experimental/query-tests/security/CWE-200/FileService.java index 4641a975429d..e3a89e3999a1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/FileService.java +++ b/java/ql/test/experimental/query-tests/security/CWE-200/FileService.java @@ -42,7 +42,7 @@ protected String doInBackground(Object[] params) { try { String[] uris = (String[]) params[1]; - outputStream = new FileOutputStream(uris[0]); + outputStream = new FileOutputStream(uris[0]); // $ Alert[java/sensitive-android-file-leak] return "success"; } catch (Exception e) { } diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.java b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.java index 1405484c56a1..275286e2710a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.java 
+++ b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.java @@ -25,7 +25,7 @@ public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(-1); - String inputUrl = getIntent().getStringExtra("inputUrl"); + String inputUrl = getIntent().getStringExtra("inputUrl"); // $ Source[java/insecure-webview-resource-response] getBadResponse1(inputUrl); @@ -65,7 +65,7 @@ public WebResourceResponse shouldInterceptRequest(WebView view, String url) { Uri uri = Uri.parse(url); FileInputStream inputStream = new FileInputStream(uri.getPath()); String mimeType = getMimeTypeFromPath(uri.getPath()); - return new WebResourceResponse(mimeType, "UTF-8", inputStream); + return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response] } catch (IOException ie) { return new WebResourceResponse("text/plain", "UTF-8", null); } @@ -88,7 +88,7 @@ public WebResourceResponse shouldInterceptRequest(WebView view, String url) { File cacheFile = new File(getCacheDir(), uri.getLastPathSegment()); FileInputStream inputStream = new FileInputStream(cacheFile); String mimeType = getMimeTypeFromPath(uri.getPath()); - return new WebResourceResponse(mimeType, "UTF-8", inputStream); + return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response] } else { return new WebResourceResponse("text/plain", "UTF-8", null); } @@ -114,7 +114,7 @@ public WebResourceResponse shouldInterceptRequest(WebView view, String url) { if (path.startsWith("files/")) { FileInputStream inputStream = new FileInputStream(path.substring("files/".length())); String mimeType = getMimeTypeFromPath(uri.getPath()); - return new WebResourceResponse(mimeType, "UTF-8", inputStream); + return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response] } else { return new WebResourceResponse("text/plain", "UTF-8", null); } 
@@ -196,7 +196,7 @@ public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceReque File cacheFile = new File(getCacheDir(), uri.getLastPathSegment()); FileInputStream inputStream = new FileInputStream(cacheFile); String mimeType = getMimeTypeFromPath(uri.getPath()); - return new WebResourceResponse(mimeType, "UTF-8", inputStream); + return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response] } else { return new WebResourceResponse("text/plain", "UTF-8", null); } @@ -234,7 +234,7 @@ public WebResourceResponse shouldInterceptRequest(WebView view, String url) { Uri uri = Uri.parse(url); FileInputStream inputStream = new FileInputStream(uri.getPath()); String mimeType = InsecureWebResourceResponse.getMimeTypeFromPath(uri.getPath()); - return new WebResourceResponse(mimeType, "UTF-8", inputStream); + return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response] } catch (IOException ie) { return new WebResourceResponse("text/plain", "UTF-8", null); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.qlref b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.qlref index 09049772ede7..f592d7c83a79 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebResourceResponse.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebViewActivity.java b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebViewActivity.java index 6644eb97289f..e63de5c9d4e6 100644 
--- a/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebViewActivity.java +++ b/java/ql/test/experimental/query-tests/security/CWE-200/InsecureWebViewActivity.java @@ -24,7 +24,7 @@ public void onCreate(Bundle savedInstanceState) { setContentView(-1); webview = (VulnerableWebView) findViewById(-1); - String inputUrl = getIntent().getStringExtra("inputUrl"); + String inputUrl = getIntent().getStringExtra("inputUrl"); // $ Source[java/insecure-webview-resource-response] loadWebUrl(inputUrl); } @@ -55,7 +55,7 @@ public WebResourceResponse shouldInterceptRequest(WebView view, String url) { Uri uri = Uri.parse(url); FileInputStream inputStream = new FileInputStream(uri.getPath()); String mimeType = InsecureWebViewActivity.getMimeTypeFromPath(uri.getPath()); - return new WebResourceResponse(mimeType, "UTF-8", inputStream); + return new WebResourceResponse(mimeType, "UTF-8", inputStream); // $ Alert[java/insecure-webview-resource-response] } catch (IOException ie) { return new WebResourceResponse("text/plain", "UTF-8", null); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity.java b/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity.java index 3520ed0fd40f..6d7cf90ce0b9 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity.java +++ b/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity.java 
@@ -11,14 +11,14 @@ public class LeakFileActivity extends Activity { protected void onActivityResult(int requestCode, int resultCode, Intent data) { if (requestCode == GetFileActivity.REQUEST_CODE__SELECT_CONTENT_FROM_APPS && resultCode == RESULT_OK) { - loadOfContentFromApps(data, resultCode); + loadOfContentFromApps(data, resultCode); // $ Source[java/sensitive-android-file-leak] } } private void loadOfContentFromApps(Intent contentIntent, int resultCode) { Uri streamsToUpload = contentIntent.getData(); try { - RandomAccessFile file = new RandomAccessFile(streamsToUpload.getPath(), "r"); + RandomAccessFile file = new RandomAccessFile(streamsToUpload.getPath(), "r"); // $ Alert[java/sensitive-android-file-leak] } catch (Exception ex) { ex.printStackTrace(); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity2.java b/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity2.java index 56e695ec97a2..c3fa282fc0e1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity2.java +++ b/java/ql/test/experimental/query-tests/security/CWE-200/LeakFileActivity2.java @@ -12,8 +12,8 @@ protected void onActivityResult(int requestCode, int resultCode, Intent data) { if (requestCode == GetFileActivity.REQUEST_CODE__SELECT_CONTENT_FROM_APPS && resultCode == RESULT_OK) { Intent intent = new Intent(this, FileService.class); - intent.putExtra(FileService.KEY_LOCAL_FILE, localPath); - startService(intent); + intent.putExtra(FileService.KEY_LOCAL_FILE, localPath); // $ Source[java/sensitive-android-file-leak] + startService(intent); // $ Source[java/sensitive-android-file-leak] } } } diff --git a/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.qlref b/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.qlref index a98eeb219143..d4cad711fc27 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.qlref 
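Review bot: In LeakFileActivity2.java two adjacent statements, `intent.putExtra(FileService.KEY_LOCAL_FILE, localPath)` and `startService(intent)`, both receive `Source[java/sensitive-android-file-leak]`, and the hunk gives no reason why one flow needs two sources. Where `localPath` comes from is outside the hunk, so I cannot tell whether the second tag is a separate path or the same flow reported twice; presumably both end at the `FileOutputStream` alert added in FileService.java. Please confirm this is intended and record it, e.g. `// both statements are reported as sources of the flow into FileService` above the `putExtra` call.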
+++ b/java/ql/test/experimental/query-tests/security/CWE-200/SensitiveAndroidFileLeak.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.java b/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.java index 7a4433e485dd..20a61b88c365 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.java +++ b/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.java @@ -11,8 +11,8 @@ public class Test { // BAD: compare MACs using a not-constant time method public boolean unsafeMacCheck(byte[] expectedMac, byte[] data) throws Exception { Mac mac = Mac.getInstance("HmacSHA256"); - byte[] actualMac = mac.doFinal(data); - return Arrays.equals(expectedMac, actualMac); + byte[] actualMac = mac.doFinal(data); // $ Source + return Arrays.equals(expectedMac, actualMac); // $ Alert } // GOOD: compare MACs using a constant time method @@ -27,8 +27,8 @@ public boolean unsafeCheckSignatures(byte[] expected, byte[] data, PrivateKey ke Signature engine = Signature.getInstance("SHA256withRSA"); engine.initSign(key); engine.update(data); - byte[] signature = engine.sign(); - return Arrays.equals(expected, signature); + byte[] signature = engine.sign(); // $ Source + return Arrays.equals(expected, signature); // $ Alert } // GOOD: compare signatures using a constant time method 
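Review bot: The expectations in NotConstantTimeCheckOnSignature/Test.java are bare `// $ Source` and `// $ Alert`, whereas the other Java tests visible in this patch name the query, e.g. `Alert[java/jshell-injection]`. The same applies to the later hunks of this file and to both TimingAttack tests further down. As far as I can tell a bare tag is not tied to one query, so the line no longer tells a reader which check it pins, and adding a second `.qlref` to the directory would change what it matches. Consider the tagged form throughout, `// $ Alert[<query-id>]` with the id of PossibleTimingAttackAgainstSignature.ql.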
@@ -44,8 +44,8 @@ public boolean saferCheckSignatures(byte[] expected, byte[] data, PrivateKey key public boolean unsafeCheckCustomMac(byte[] expected, byte[] plaintext, Key key) throws Exception { Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); - byte[] tag = cipher.doFinal(plaintext); - return Arrays.equals(expected, tag); + byte[] tag = cipher.doFinal(plaintext); // $ Source + return Arrays.equals(expected, tag); // $ Alert } // GOOD: compare ciphertexts using a constant time method @@ -56,4 +56,4 @@ public boolean saferCheckCustomMac(byte[] expected, byte[] plaintext, Key key) t return MessageDigest.isEqual(expected, tag); } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.qlref b/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.qlref index 7a83f56cbd6c..b426adf811f1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCheckOnSignature/Test.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/Test.java b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/Test.java index 3e9dbc11fff2..73b0b1fcafc3 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/Test.java +++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/Test.java 
@@ -7,7 +7,7 @@ public class Test { private boolean UnsafeComparison(HttpServletRequest request) { String Key = "secret"; - return Key.equals(request.getHeader("X-Auth-Token")); + return Key.equals(request.getHeader("X-Auth-Token")); // $ Alert } private boolean safeComparison(HttpServletRequest request) { diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/TimingAttackAgainstHeader.qlref b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/TimingAttackAgainstHeader.qlref index 086df8ab1bbb..0c95df907ba8 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/TimingAttackAgainstHeader.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/TimingAttackAgainstHeader.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql +query: experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.java b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.java index 0755f1fe6687..9613dd2d3df1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.java +++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.java @@ -18,9 +18,9 @@ public boolean unsafeMacCheckWithArrayEquals(Socket socket) throws Exception { Mac mac = Mac.getInstance("HmacSHA256"); byte[] data = new byte[1024]; is.read(data); - byte[] actualMac = mac.doFinal(data); + byte[] actualMac = mac.doFinal(data); // $ Source byte[] expectedMac = is.readNBytes(32); - return Arrays.equals(expectedMac, actualMac); + return Arrays.equals(expectedMac, actualMac); // $ Alert } } 
@@ -31,9 +31,9 @@ public boolean unsafeMacCheckWithDoFinalWithOutputArray(Socket socket) throws Ex Mac mac = Mac.getInstance("HmacSHA256"); byte[] actualMac = new byte[256]; mac.update(data); - mac.doFinal(actualMac, 0); + mac.doFinal(actualMac, 0); // $ Source byte[] expectedMac = socket.getInputStream().readNBytes(256); - return Arrays.equals(expectedMac, actualMac); + return Arrays.equals(expectedMac, actualMac); // $ Alert } } @@ -56,9 +56,9 @@ public boolean unsafeCheckSignatures(Socket socket, PrivateKey key) throws Excep engine.initSign(key); byte[] data = socket.getInputStream().readAllBytes(); engine.update(data); - byte[] signature = engine.sign(); + byte[] signature = engine.sign(); // $ Source byte[] expected = is.readNBytes(256); - return Arrays.equals(expected, signature); + return Arrays.equals(expected, signature); // $ Alert } } @@ -70,9 +70,9 @@ public boolean unsafeCheckSignaturesWithOutputArray(Socket socket, PrivateKey ke byte[] data = socket.getInputStream().readAllBytes(); engine.update(data); byte[] signature = new byte[1024]; - engine.sign(signature, 0, 1024); + engine.sign(signature, 0, 1024); // $ Source byte[] expected = is.readNBytes(256); - return Arrays.equals(expected, signature); + return Arrays.equals(expected, signature); // $ Alert } } @@ -96,9 +96,9 @@ public boolean unsafeCheckCiphertext(Socket socket, Key key) throws Exception { byte[] hash = MessageDigest.getInstance("SHA-256").digest(plaintext); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); - byte[] tag = cipher.doFinal(hash); + byte[] tag = cipher.doFinal(hash); // $ Source byte[] expected = socket.getInputStream().readAllBytes(); - return Objects.deepEquals(expected, tag); + return Objects.deepEquals(expected, tag); // $ Alert } } 
@@ -113,9 +113,9 @@ public boolean unsafeCheckCiphertextWithOutputArray(Socket socket, Key key) thro cipher.init(Cipher.ENCRYPT_MODE, key); cipher.update(hash); byte[] tag = new byte[1024]; - cipher.doFinal(tag, 0); + cipher.doFinal(tag, 0); // $ Source byte[] expected = is.readNBytes(32); - return Arrays.equals(expected, tag); + return Arrays.equals(expected, tag); // $ Alert } } @@ -131,9 +131,9 @@ public boolean unsafeCheckCiphertextWithByteBuffer(Socket socket, Key key) throw cipher.init(Cipher.ENCRYPT_MODE, key); cipher.update(hash); ByteBuffer tag = ByteBuffer.wrap(new byte[1024]); - cipher.doFinal(ByteBuffer.wrap(plaintext), tag); + cipher.doFinal(ByteBuffer.wrap(plaintext), tag); // $ Source byte[] expected = socket.getInputStream().readNBytes(1024); - return Arrays.equals(expected, tag.array()); + return Arrays.equals(expected, tag.array()); // $ Alert } } @@ -145,9 +145,9 @@ public boolean unsafeCheckCiphertextWithByteBufferEquals(Socket socket, Key key) byte[] plaintext = socket.getInputStream().readAllBytes(); cipher.update(plaintext); ByteBuffer tag = ByteBuffer.wrap(new byte[1024]); - cipher.doFinal(ByteBuffer.wrap(plaintext), tag); + cipher.doFinal(ByteBuffer.wrap(plaintext), tag); // $ Source byte[] expected = is.readNBytes(32); - return ByteBuffer.wrap(expected).equals(tag); + return ByteBuffer.wrap(expected).equals(tag); // $ Alert } } @@ -171,9 +171,9 @@ public boolean noUserInputWhenCheckingCiphertext(Socket socket, Key key) throws byte[] plaintext = is.readNBytes(100); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); cipher.init(Cipher.ENCRYPT_MODE, key); - byte[] tag = cipher.doFinal(plaintext); + byte[] tag = cipher.doFinal(plaintext); // $ Source byte[] expected = is.readNBytes(32); - return Arrays.equals(expected, tag); + return Arrays.equals(expected, tag); // $ Alert } } @@ -233,4 +233,4 @@ public boolean safeMacCheckWithLoop(Socket socket) throws Exception { } } -} \ No newline at end of file +} 
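Review bot: `noUserInputWhenCheckingCiphertext` (hunk at -171) is now pinned with plain `// $ Source` and `// $ Alert`, although its name describes a case with no user input. If the query is not meant to report this method, the marker should record a known false positive, e.g. `return Arrays.equals(expected, tag); // $ SPURIOUS: Alert`, so that a later precision fix does not look like a regression. If the result is intended, a one-line comment above the method saying why would help, since both `plaintext` and `expected` are read from `is`. The method's start and its leading comment are outside the hunk.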
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.qlref b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.qlref
index f8275271b6bb..fc815564ac0b 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.qlref
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.qlref b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.qlref
index cab6f2a49621..fc54893242c9 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidation.qlref
@@ -1 +1,2 @@
-experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+query: experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java
index 8f7be261413d..a0035959217d 100644
--- a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.23.1/JxBrowserWithoutCertValidationV6_23_1.java
@@ -14,7 +14,7 @@ public static void main(String[] args) { } private static void badUsage() { - Browser browser = new Browser(); + Browser browser = new Browser(); // $ Alert browser.loadURL("https://example.com"); // no further calls // BAD: The browser ignores any certificate error by default! @@ -33,4 +33,4 @@ public boolean onCertificateError(CertificateErrorParams params) { }); // GOOD: A secure `LoadHandler` is used. browser.loadURL("https://example.com"); } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref index cab6f2a49621..fc54893242c9 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-295/jxbrowser-6.24/JxBrowserWithoutCertValidation.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql +query: experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java index f79fd15af232..fd4d0d7103e4 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java +++ b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.java @@ -13,7 +13,7 @@ public static SSLSocket connectWithIgnoredHostnameVerification( SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port); socket.startHandshake(); - verifier.verify(host, socket.getSession()); + verifier.verify(host, socket.getSession()); // $ Alert[java/ignored-hostname-verification] return socket; } 
@@ -109,4 +109,4 @@ public boolean verify(String hostname, SSLSession session) { } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.qlref b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.qlref index 454b421f7b24..20387fe9f620 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-297/IgnoredHostnameVerification.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.java b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.java index 72f6bee118a7..e04acd919b09 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.java +++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.java @@ -16,7 +16,7 @@ public Hashtable createConnectionEnv() { env.put(Context.SECURITY_CREDENTIALS, "secpassword"); // Disable SSL endpoint check - System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); + System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); // $ Alert[java/insecure-ldaps-endpoint] return env; } @@ -47,7 +47,7 @@ public Hashtable createConnectionEnv3() { // Disable SSL endpoint check Properties properties = new Properties(); properties.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); - System.setProperties(properties); + System.setProperties(properties); // $ Alert[java/insecure-ldaps-endpoint] return env; } 
@@ -65,7 +65,7 @@ public Hashtable createConnectionEnv4() { // Disable SSL endpoint check Properties properties = new Properties(); properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", "true"); - System.setProperties(properties); + System.setProperties(properties); // $ Alert[java/insecure-ldaps-endpoint] return env; } @@ -81,7 +81,7 @@ public Hashtable createConnectionEnv5() { env.put(Context.SECURITY_CREDENTIALS, "secpassword"); // Disable SSL endpoint check - System.setProperty(PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION, Boolean.TRUE.toString()); + System.setProperty(PROP_DISABLE_LDAP_ENDPOINT_IDENTIFICATION, Boolean.TRUE.toString()); // $ Alert[java/insecure-ldaps-endpoint] return env; } @@ -99,7 +99,7 @@ public Hashtable createConnectionEnv6() { // Disable SSL endpoint check Properties properties = new Properties(); properties.put("com.sun.jndi.ldap.object.disableEndpointIdentification", true); - System.setProperties(properties); + System.setProperties(properties); // $ Alert[java/insecure-ldaps-endpoint] return env; } diff --git a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.qlref b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.qlref index 1c4d99bb6a3a..5fdd2fbfcf01 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-297/InsecureLdapEndpoint.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql +query: experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.java b/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.java index 41b470b62d01..4b377a34f948 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.java 
+++ b/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.java @@ -14,7 +14,7 @@ public class DisabledRevocationChecking { private boolean flag = true; public void disableRevocationChecking() { - flag = false; + flag = false; // $ Alert } public void testDisabledRevocationChecking(KeyStore cacerts, CertPath certPath) throws Exception { @@ -25,7 +25,7 @@ public void testDisabledRevocationChecking(KeyStore cacerts, CertPath certPath) public void validate(KeyStore cacerts, CertPath certPath) throws Exception { CertPathValidator validator = CertPathValidator.getInstance("PKIX"); PKIXParameters params = new PKIXParameters(cacerts); - params.setRevocationEnabled(flag); + params.setRevocationEnabled(flag); // $ Sink validator.validate(certPath, params); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.qlref b/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.qlref index cc9089b49519..6902ecb5905f 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-299/DisabledRevocationChecking.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.java b/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.java index 11649621c85d..ae87251ea3ad 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.java +++ b/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.java 
@@ -13,12 +13,12 @@ public class UnsafeTlsVersion { public static void testSslContextWithProtocol() throws NoSuchAlgorithmException { // unsafe - SSLContext.getInstance("SSL"); - SSLContext.getInstance("SSLv2"); - SSLContext.getInstance("SSLv3"); - SSLContext.getInstance("TLS"); - SSLContext.getInstance("TLSv1"); - SSLContext.getInstance("TLSv1.1"); + SSLContext.getInstance("SSL"); // $ Alert + SSLContext.getInstance("SSLv2"); // $ Alert + SSLContext.getInstance("SSLv3"); // $ Alert + SSLContext.getInstance("TLS"); // $ Alert + SSLContext.getInstance("TLSv1"); // $ Alert + SSLContext.getInstance("TLSv1.1"); // $ Alert // safe SSLContext.getInstance("TLSv1.2"); @@ -28,11 +28,11 @@ public static void testSslContextWithProtocol() throws NoSuchAlgorithmException public static void testCreateSslParametersWithProtocol(String[] cipherSuites) { // unsafe - createSslParameters(cipherSuites, "SSLv3"); - createSslParameters(cipherSuites, "TLS"); - createSslParameters(cipherSuites, "TLSv1"); - createSslParameters(cipherSuites, "TLSv1.1"); - createSslParameters(cipherSuites, "TLSv1", "TLSv1.1", "TLSv1.2"); + createSslParameters(cipherSuites, "SSLv3"); // $ Source + createSslParameters(cipherSuites, "TLS"); // $ Source + createSslParameters(cipherSuites, "TLSv1"); // $ Source + createSslParameters(cipherSuites, "TLSv1.1"); // $ Source + createSslParameters(cipherSuites, "TLSv1", "TLSv1.1", "TLSv1.2"); // $ Source createSslParameters(cipherSuites, "TLSv1.2"); // safe 
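Review bot: In `testCreateSslParametersWithProtocol` (hunk at -28), the call `createSslParameters(cipherSuites, "TLSv1.2");` still sits in the `// unsafe` group but carries no `// $ Source` marker. After this conversion it reads like a forgotten expectation rather than an intended negative case. Moving it below the `// safe` comment, or tagging it `createSslParameters(cipherSuites, "TLSv1.2"); // safe: only TLSv1.2 is enabled`, would make the intent explicit. The method body continues outside the hunk.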
@@ -41,19 +41,19 @@ public static void testCreateSslParametersWithProtocol(String[] cipherSuites) { } public static SSLParameters createSslParameters(String[] cipherSuites, String... protocols) { - return new SSLParameters(cipherSuites, protocols); + return new SSLParameters(cipherSuites, protocols); // $ Alert } public static void testSettingProtocolsForSslParameters() { // unsafe - new SSLParameters().setProtocols(new String[] { "SSLv3" }); - new SSLParameters().setProtocols(new String[] { "TLS" }); - new SSLParameters().setProtocols(new String[] { "TLSv1" }); - new SSLParameters().setProtocols(new String[] { "TLSv1.1" }); + new SSLParameters().setProtocols(new String[] { "SSLv3" }); // $ Alert + new SSLParameters().setProtocols(new String[] { "TLS" }); // $ Alert + new SSLParameters().setProtocols(new String[] { "TLSv1" }); // $ Alert + new SSLParameters().setProtocols(new String[] { "TLSv1.1" }); // $ Alert SSLParameters parameters = new SSLParameters(); - parameters.setProtocols(new String[] { "TLSv1.1", "TLSv1.2" }); + parameters.setProtocols(new String[] { "TLSv1.1", "TLSv1.2" }); // $ Alert // safe new SSLParameters().setProtocols(new String[] { "TLSv1.2" }); @@ -65,11 +65,11 @@ public static void testSettingProtocolsForSslParameters() { public static void testSettingProtocolForSslSocket() throws IOException { // unsafe - createSslSocket("SSLv3"); - createSslSocket("TLS"); - createSslSocket("TLSv1"); - createSslSocket("TLSv1.1"); - createSslSocket("TLSv1.1", "TLSv1.2"); + createSslSocket("SSLv3"); // $ Source + createSslSocket("TLS"); // $ Source + createSslSocket("TLSv1"); // $ Source + createSslSocket("TLSv1.1"); // $ Source + createSslSocket("TLSv1.1", "TLSv1.2"); // $ Source // safe createSslSocket("TLSv1.2"); 
@@ -78,18 +78,18 @@ public static void testSettingProtocolForSslSocket() throws IOException { public static SSLSocket createSslSocket(String... protocols) throws IOException { SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(); - socket.setEnabledProtocols(protocols); + socket.setEnabledProtocols(protocols); // $ Alert return socket; } public static void testSettingProtocolForSslServerSocket() throws IOException { // unsafe - createSslServerSocket("SSLv3"); - createSslServerSocket("TLS"); - createSslServerSocket("TLSv1"); - createSslServerSocket("TLSv1.1"); - createSslServerSocket("TLSv1.1", "TLSv1.2"); + createSslServerSocket("SSLv3"); // $ Source + createSslServerSocket("TLS"); // $ Source + createSslServerSocket("TLSv1"); // $ Source + createSslServerSocket("TLSv1.1"); // $ Source + createSslServerSocket("TLSv1.1", "TLSv1.2"); // $ Source // safe createSslServerSocket("TLSv1.2"); @@ -98,18 +98,18 @@ public static void testSettingProtocolForSslServerSocket() throws IOException { public static SSLServerSocket createSslServerSocket(String... protocols) throws IOException { SSLServerSocket socket = (SSLServerSocket) SSLServerSocketFactory.getDefault().createServerSocket(); - socket.setEnabledProtocols(protocols); + socket.setEnabledProtocols(protocols); // $ Alert return socket; } public static void testSettingProtocolForSslEngine() throws NoSuchAlgorithmException { // unsafe - createSslEngine("SSLv3"); - createSslEngine("TLS"); - createSslEngine("TLSv1"); - createSslEngine("TLSv1.1"); - createSslEngine("TLSv1.1", "TLSv1.2"); + createSslEngine("SSLv3"); // $ Source + createSslEngine("TLS"); // $ Source + createSslEngine("TLSv1"); // $ Source + createSslEngine("TLSv1.1"); // $ Source + createSslEngine("TLSv1.1", "TLSv1.2"); // $ Source // safe createSslEngine("TLSv1.2"); 
@@ -118,7 +118,7 @@ public static void testSettingProtocolForSslEngine() throws NoSuchAlgorithmExcep public static SSLEngine createSslEngine(String... protocols) throws NoSuchAlgorithmException { SSLEngine engine = SSLContext.getDefault().createSSLEngine(); - engine.setEnabledProtocols(protocols); + engine.setEnabledProtocols(protocols); // $ Alert return engine; } } diff --git a/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.qlref b/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.qlref index f29bf9a7836a..5f599e917bd5 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-327/UnsafeTlsVersion.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.java b/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.java index 9ec3c8466bec..d6f0ce5ab2d6 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.java +++ b/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.java 
@@ -18,13 +18,13 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; - String url = request.getHeader("Origin"); + String url = request.getHeader("Origin"); // $ Source if (!StringUtils.isEmpty(url)) { String val = response.getHeader("Access-Control-Allow-Origin"); if (StringUtils.isEmpty(val)) { - response.addHeader("Access-Control-Allow-Origin", url); + response.addHeader("Access-Control-Allow-Origin", url); // $ Alert response.addHeader("Access-Control-Allow-Credentials", "true"); } } diff --git a/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.qlref b/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.qlref index 90fde66959b1..fdd2a5c3f790 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-346/UnvalidatedCors.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-346/UnvalidatedCors.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifier.qlref b/java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifier.qlref index 0cd8baf6d341..5a642823c7cb 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifier.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-347/Auth0NoVerifier.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql -postprocess: utils/test/PrettyPrintModels.ql \ No newline at end of file +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-347/JwtNoVerifier.java b/java/ql/test/experimental/query-tests/security/CWE-347/JwtNoVerifier.java index 15a31bcc476c..b6814f36abf7 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-347/JwtNoVerifier.java +++ b/java/ql/test/experimental/query-tests/security/CWE-347/JwtNoVerifier.java @@ -41,7 +41,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro PrintWriter out = response.getWriter(); // NOT OK: only decode, no verification - String JwtToken1 = request.getParameter("JWT2"); + String JwtToken1 = request.getParameter("JWT2"); // $ Source String userName = decodeToken(JwtToken1); if (Objects.equals(userName, "Admin")) { out.println(""); @@ -55,7 +55,7 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro JWT.decode(JwtToken2); // NOT OK: only decode, no verification - String JwtToken3 = (String) authToken.getCredentials(); + String JwtToken3 = (String) authToken.getCredentials(); // $ Source userName = decodeToken(JwtToken3); if (Objects.equals(userName, "Admin")) { out.println(""); @@ -88,7 +88,7 @@ public static boolean verifyToken(final String token, final String key) { public static String decodeToken(final String token) { DecodedJWT jwt = JWT.decode(token); - return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse(""); + return Optional.of(jwt).map(item -> item.getClaim("userName").asString()).orElse(""); // $ Alert } diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java index 93a860981d1d..1e0175fcd35a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java +++ b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.java 
@@ -14,7 +14,7 @@ public class ClientSuppliedIpUsedInSecurityCheck { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { String ip = getClientIP(); - if (!StringUtils.startsWith(ip, "192.168.")) { + if (!StringUtils.startsWith(ip, "192.168.")) { // $ Alert new Exception("ip illegal"); } } @@ -22,7 +22,7 @@ public void bad1(HttpServletRequest request) { @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { String ip = getClientIP(); - if (!"127.0.0.1".equals(ip)) { + if (!"127.0.0.1".equals(ip)) { // $ Alert new Exception("ip illegal"); } } @@ -40,7 +40,7 @@ public String good1(HttpServletRequest request) { } protected String getClientIP() { - String xfHeader = request.getHeader("X-Forwarded-For"); + String xfHeader = request.getHeader("X-Forwarded-For"); // $ Source if (xfHeader == null) { return request.getRemoteAddr(); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref index 8ca6ac71c9a6..78f375ab1ee4 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-348/ClientSuppliedIpUsedInSecurityCheck.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java index c7fd850bb093..ec3e070b342d 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java +++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java 
@@ -30,79 +30,79 @@ public class JsonpController { @ResponseBody public String bad1(HttpServletRequest request) { String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); + String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source Gson gson = new Gson(); String result = gson.toJson(hashMap); resultStr = jsonpCallback + "(" + result + ")"; - return resultStr; + return resultStr; // $ Alert } @GetMapping(value = "jsonp2") @ResponseBody public String bad2(HttpServletRequest request) { String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); + String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")"; - return resultStr; + return resultStr; // $ Alert } @GetMapping(value = "jsonp3") @ResponseBody public String bad3(HttpServletRequest request) { String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); + String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source String jsonStr = getJsonStr(hashMap); resultStr = jsonpCallback + "(" + jsonStr + ")"; - return resultStr; + return resultStr; // $ Alert } @GetMapping(value = "jsonp4") @ResponseBody public String bad4(HttpServletRequest request) { String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); + String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source String restr = JSONObject.toJSONString(hashMap); resultStr = jsonpCallback + "(" + restr + ");"; - return resultStr; + return resultStr; // $ Alert } @GetMapping(value = "jsonp5") @ResponseBody public void bad5(HttpServletRequest request, HttpServletResponse response) throws Exception { - String jsonpCallback = request.getParameter("jsonpCallback"); + String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source PrintWriter pw = null; Gson gson = new Gson(); String result = gson.toJson(hashMap); 
String resultStr = null; pw = response.getWriter(); resultStr = jsonpCallback + "(" + result + ")"; - pw.println(resultStr); + pw.println(resultStr); // $ Alert } @GetMapping(value = "jsonp6") @ResponseBody public void bad6(HttpServletRequest request, HttpServletResponse response) throws Exception { - String jsonpCallback = request.getParameter("jsonpCallback"); + String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source PrintWriter pw = null; ObjectMapper mapper = new ObjectMapper(); String result = mapper.writeValueAsString(hashMap); String resultStr = null; pw = response.getWriter(); resultStr = jsonpCallback + "(" + result + ")"; - pw.println(resultStr); + pw.println(resultStr); // $ Alert } @RequestMapping(value = "jsonp7", method = RequestMethod.GET) @ResponseBody public String bad7(HttpServletRequest request) { String resultStr = null; - String jsonpCallback = request.getParameter("jsonpCallback"); + String jsonpCallback = request.getParameter("jsonpCallback"); // $ Source Gson gson = new Gson(); String result = gson.toJson(hashMap); resultStr = jsonpCallback + "(" + result + ")"; - return resultStr; + return resultStr; // $ Alert } @RequestMapping(value = "jsonp11") @@ -158,4 +158,4 @@ public static String readPostContent(HttpServletRequest request){ public static String getJsonStr(Object result) { return JSONObject.toJSONString(result); } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref index 15b579b57eab..86da535af89c 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.qlref 
@@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-352/JsonpInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref b/java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref index 12c247f1f3ba..95485a215fe4 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-400/LocalThreadResourceAbuse.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java b/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java index e5cd70c42f21..44d25320eeff 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java +++ b/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.java @@ -15,7 +15,7 @@ public class ThreadResourceAbuse extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: Get thread pause time from request parameter without validation - String delayTimeStr = request.getParameter("DelayTime"); + String delayTimeStr = request.getParameter("DelayTime"); // $ Source[java/thread-resource-abuse] try { int delayTime = Integer.valueOf(delayTimeStr); new UncheckedSyncAction(delayTime).start(); 
@@ -26,7 +26,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) t protected void doGet2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: Get thread pause time from request parameter without validation try { - int delayTime = request.getParameter("nodelay") != null ? 0 : Integer.valueOf(request.getParameter("DelayTime")); + int delayTime = request.getParameter("nodelay") != null ? 0 : Integer.valueOf(request.getParameter("DelayTime")); // $ Source[java/thread-resource-abuse] new UncheckedSyncAction(delayTime).start(); } catch (NumberFormatException e) { } @@ -34,7 +34,7 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response) protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: Get thread pause time from context init parameter without validation - String delayTimeStr = getServletContext().getInitParameter("DelayTime"); + String delayTimeStr = getServletContext().getInitParameter("DelayTime"); // $ Source[java/local-thread-resource-abuse] try { int delayTime = Integer.valueOf(delayTimeStr); new UncheckedSyncAction(delayTime).start(); @@ -71,7 +71,7 @@ public UncheckedSyncAction(int waitTime) { public void run() { // BAD: no boundary check on wait time try { - Thread.sleep(waitTime); + Thread.sleep(waitTime); // $ Alert[java/thread-resource-abuse] Alert[java/local-thread-resource-abuse] // Do other updates } catch (InterruptedException e) { } 
@@ -138,10 +138,10 @@ protected void doHead(HttpServletRequest request, HttpServletResponse response) Cookie cookie = cookies[i]; if (cookie.getName().equals("DelayTime")) { - String delayTimeStr = cookie.getValue(); + String delayTimeStr = cookie.getValue(); // $ Source[java/thread-resource-abuse] try { int delayTime = Integer.valueOf(delayTimeStr); - TimeUnit.MILLISECONDS.sleep(delayTime); + TimeUnit.MILLISECONDS.sleep(delayTime); // $ Alert[java/thread-resource-abuse] // Do other updates } catch (NumberFormatException ne) { } catch (InterruptedException ie) { @@ -169,11 +169,11 @@ int parseRetryAfter(String value) { protected void doHead2(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: Get thread pause time from request header without validation - String header = request.getHeader("Retry-After"); + String header = request.getHeader("Retry-After"); // $ Source[java/thread-resource-abuse] int retryAfter = Integer.parseInt(header); try { - Thread.sleep(retryAfter); + Thread.sleep(retryAfter); // $ Alert[java/thread-resource-abuse] } catch (InterruptedException ignore) { // ignore } @@ -203,7 +203,7 @@ private long getContentLength(HttpServletRequest request) { protected void doHead4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: Get thread pause time from request header without validation try { - String uploadDelayStr = request.getParameter("delay"); + String uploadDelayStr = request.getParameter("delay"); // $ Source[java/thread-resource-abuse] int uploadDelay = Integer.parseInt(uploadDelayStr); UploadListener listener = new UploadListener(uploadDelay, getContentLength(request)); 
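Review bot: In the `doHead4` hunk the `// BAD:` comment still says the pause time is taken from a request header, but the line now annotated `Source[java/thread-resource-abuse]` reads `request.getParameter("delay")`. Since the annotation makes this line the documented origin of the flow, the comment should read `// BAD: Get thread pause time from request parameter without validation`. No `Alert` appears in this hunk; the matching sink is presumably the `Thread.sleep(slowUploads)` line annotated in UploadListener.java, and a short comment pointing there would let a reader pair the two. The body of `doHead4` continues outside the hunk.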
@@ -212,11 +212,11 @@ protected void doHead4(HttpServletRequest request, HttpServletResponse response) protected void doHead5(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: Get thread pause time from request header with binary multiplication expression and without validation - String header = request.getHeader("Retry-After"); + String header = request.getHeader("Retry-After"); // $ Source[java/thread-resource-abuse] int retryAfter = Integer.parseInt(header); try { - Thread.sleep(retryAfter * 1000); + Thread.sleep(retryAfter * 1000); // $ Alert[java/thread-resource-abuse] } catch (InterruptedException ignore) { // ignore } @@ -224,13 +224,13 @@ protected void doHead5(HttpServletRequest request, HttpServletResponse response) protected void doHead6(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: Get thread pause time from request header with multiplication assignment operator and without validation - String header = request.getHeader("Retry-After"); + String header = request.getHeader("Retry-After"); // $ Source[java/thread-resource-abuse] int retryAfter = Integer.parseInt(header); retryAfter *= 1000; try { - Thread.sleep(retryAfter); + Thread.sleep(retryAfter); // $ Alert[java/thread-resource-abuse] } catch (InterruptedException ignore) { // ignore } diff --git a/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.qlref b/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.qlref index caf6f8da85ba..bf6365944bae 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-400/ThreadResourceAbuse.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-400/UploadListener.java b/java/ql/test/experimental/query-tests/security/CWE-400/UploadListener.java index 9e2131168725..d6df514518bf 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-400/UploadListener.java +++ b/java/ql/test/experimental/query-tests/security/CWE-400/UploadListener.java @@ -32,7 +32,7 @@ public void update(long done, long total, int item) { // Just a way to slow down the upload process and see the progress bar in fast networks. if (slowUploads > 0 && done < total) { try { - Thread.sleep(slowUploads); + Thread.sleep(slowUploads); // $ Alert[java/thread-resource-abuse] } catch (Exception e) { } } diff --git a/java/ql/test/experimental/query-tests/security/CWE-470/BadClassLoader.java b/java/ql/test/experimental/query-tests/security/CWE-470/BadClassLoader.java index 6fd6b9ccfa57..213dfa961964 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-470/BadClassLoader.java +++ b/java/ql/test/experimental/query-tests/security/CWE-470/BadClassLoader.java @@ -12,10 +12,10 @@ public void onCreate() { for (PackageInfo p : getPackageManager().getInstalledPackages(0)) { try { if (p.packageName.startsWith("some.package.")) { - Context appContext = createPackageContext(p.packageName, - CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY); + Context appContext = createPackageContext(p.packageName, // $ + CONTEXT_INCLUDE_CODE | CONTEXT_IGNORE_SECURITY); // $ Source[java/android/unsafe-reflection] ClassLoader classLoader = appContext.getClassLoader(); - Object result = classLoader.loadClass("some.package.SomeClass") + Object result = classLoader.loadClass("some.package.SomeClass") // $ Alert[java/android/unsafe-reflection] .getMethod("someMethod") .invoke(null); } 
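Review bot: In BadClassLoader.java the first line of the `createPackageContext(...)` call ends in a bare `// $` with no tag, while the actual `Source[java/android/unsafe-reflection]` expectation sits on the continuation line. If the empty marker is only a by-product of the automated conversion, it should be dropped so the line is again `Context appContext = createPackageContext(p.packageName,`. If it is there on purpose because the call spans two lines, a one-line comment above the statement saying so would keep the next maintainer from deleting it or filling it in. `onCreate` starts and ends outside the hunk.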
diff --git a/java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.qlref b/java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.qlref index 5feabdb8becd..d1d07a95f731 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-470/LoadClassNoSignatureCheck.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.java b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.java index d9dc0573660c..2822ad3dff26 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.java +++ b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.java @@ -18,11 +18,11 @@ public class UnsafeReflection { @GetMapping(value = "uf1") public void bad1(HttpServletRequest request) { - String className = request.getParameter("className"); + String className = request.getParameter("className"); // $ Source[java/unsafe-reflection] String parameterValue = request.getParameter("parameterValue"); try { Class clazz = Class.forName(className); - Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); //bad + Object object = clazz.getDeclaredConstructors()[0].newInstance(parameterValue); // $ Alert[java/unsafe-reflection] //bad } catch (Exception e) { e.printStackTrace(); } 
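Review bot: On the `newInstance(parameterValue)` line of `bad1` the old `//bad` label is now glued behind the expectation as `// $ Alert[java/unsafe-reflection] //bad`, so the human remark reads as if it were part of the expected-result syntax; the `invoke(object, parameterValue)` line of `bad2` in the next hunk has the same shape. ThreadResourceAbuse.java in this patch keeps such labels as a `// BAD:` comment on the line before the code, and I would do the same here, e.g. `// BAD: class name taken from the request is loaded and instantiated reflectively` above the `try`, leaving the annotated line to end in `// $ Alert[java/unsafe-reflection]`. `bad1` continues outside the hunk.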
@@ -30,20 +30,20 @@ public void bad1(HttpServletRequest request) { @GetMapping(value = "uf2") public void bad2(HttpServletRequest request) { - String className = request.getParameter("className"); + String className = request.getParameter("className"); // $ Source[java/unsafe-reflection] String parameterValue = request.getParameter("parameterValue"); try { ClassLoader classLoader = ClassLoader.getSystemClassLoader(); Class clazz = classLoader.loadClass(className); Object object = clazz.newInstance(); - clazz.getDeclaredMethods()[0].invoke(object, parameterValue); //bad + clazz.getDeclaredMethods()[0].invoke(object, parameterValue); // $ Alert[java/unsafe-reflection] //bad } catch (Exception e) { e.printStackTrace(); } } @RequestMapping(value = {"/service/{beanIdOrClassName}/{methodName}"}, method = {RequestMethod.POST}, consumes = {"application/json"}, produces = {"application/json"}) - public Object bad3(@PathVariable("beanIdOrClassName") String beanIdOrClassName, @PathVariable("methodName") String methodName, @RequestBody Map body) throws Exception { + public Object bad3(@PathVariable("beanIdOrClassName") String beanIdOrClassName, @PathVariable("methodName") String methodName, @RequestBody Map body) throws Exception { // $ Source[java/unsafe-reflection] List rawData = null; try { rawData = (List)body.get("methodInput"); @@ -116,7 +116,7 @@ private Object invokeService(String beanIdOrClassName, String methodName, Multip b++; continue; } - Object result = method.invoke(bean, data); + Object result = method.invoke(bean, data); // $ Alert[java/unsafe-reflection] Map map = new HashMap<>(); return map; } diff --git a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.qlref b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.qlref index 28822316a908..119312e6ae8b 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.qlref 
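Review bot: The `// $ Source[java/unsafe-reflection]` added to the `bad3` signature covers a single line that declares three request-bound parameters (`beanIdOrClassName`, `methodName` and the `@RequestBody` map), so it does not say which of them is expected to be the origin of the flow ending at `method.invoke(bean, data)` in `invokeService`. Putting each parameter on its own line would let the marker sit on the exact parameter; failing that, a comment above the method should name them, e.g. `// BAD: beanIdOrClassName and methodName choose the method that invokeService() invokes reflectively`. Which parameters actually reach the sink is not visible in this hunk, so that wording needs checking against the query's results. `bad3` continues outside the hunk.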
+++ b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-470/UnsafeReflection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java b/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java index a29a82bb15bc..056074f3b35c 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java +++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.java @@ -52,7 +52,7 @@ public String doService() { } /** Local unit testing code */ - public static void main(String[] args) throws Exception { + public static void main(String[] args) throws Exception { // $ Alert[java/main-method-in-enterprise-bean] ServiceBean b = new ServiceBean(); b.doService(); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref b/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref index 38d09d01cfbc..80869cba4ff1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServiceBean.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-489/EJBMain.ql +query: experimental/Security/CWE/CWE-489/EJBMain.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java b/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java index 38ce153aa5ab..71351029f56c 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java +++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletContextListenerMain.java 
@@ -14,7 +14,7 @@ public void contextDestroyed(ServletContextEvent sce) { } // BAD - Implement a main method in servlet listener. - public static void main(String[] args) { + public static void main(String[] args) { // $ Alert[java/main-method-in-web-components] try { URL url = new URL("https://www.example.com"); url.openConnection(); diff --git a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java index 55b73bd3b720..4f3029b6d13e 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java +++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.java @@ -25,7 +25,7 @@ public void destroy() { } // BAD - Implement a main method in servlet. - public static void main(String[] args) throws Exception { + public static void main(String[] args) throws Exception { // $ Alert[java/main-method-in-web-components] // Connect to my server URL url = new URL("https://www.example.com"); url.openConnection(); diff --git a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref index bf8fc2aacce2..71869fb862e8 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-489/ServletMain.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-489/WebComponentMain.ql +query: experimental/Security/CWE/CWE-489/WebComponentMain.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java b/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java index f1b2453ea151..5f5fcd561299 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java 
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/SpringExporterUnsafeDeserialization.java @@ -11,7 +11,7 @@ public class SpringExporterUnsafeDeserialization { @Bean(name = "/unsafeRmiServiceExporter") - RmiServiceExporter unsafeRmiServiceExporter() { + RmiServiceExporter unsafeRmiServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class] RmiServiceExporter exporter = new RmiServiceExporter(); exporter.setServiceInterface(AccountService.class); exporter.setService(new AccountServiceImpl()); @@ -21,7 +21,7 @@ RmiServiceExporter unsafeRmiServiceExporter() { } @Bean(name = "/unsafeHessianServiceExporter") - HessianServiceExporter unsafeHessianServiceExporter() { + HessianServiceExporter unsafeHessianServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class] HessianServiceExporter exporter = new HessianServiceExporter(); exporter.setService(new AccountServiceImpl()); exporter.setServiceInterface(AccountService.class); @@ -29,7 +29,7 @@ HessianServiceExporter unsafeHessianServiceExporter() { } @Bean(name = "/unsafeHttpInvokerServiceExporter") - HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { + HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class] HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter(); exporter.setService(new AccountServiceImpl()); exporter.setServiceInterface(AccountService.class); @@ -37,7 +37,7 @@ HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { } @Bean(name = "/unsafeCustomeRemoteInvocationSerializingExporter") - RemoteInvocationSerializingExporter unsafeCustomeRemoteInvocationSerializingExporter() { + RemoteInvocationSerializingExporter unsafeCustomeRemoteInvocationSerializingExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class] return new CustomeRemoteInvocationSerializingExporter(); } 
@@ -53,7 +53,7 @@ HttpInvokerServiceExporter notABean() { class SpringBootTestApplication { @Bean(name = "/unsafeHttpInvokerServiceExporter") - HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { + HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class] HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter(); exporter.setService(new AccountServiceImpl()); exporter.setServiceInterface(AccountService.class); @@ -65,7 +65,7 @@ HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { class SpringBootTestConfiguration { @Bean(name = "/unsafeHttpInvokerServiceExporter") - HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { + HttpInvokerServiceExporter unsafeHttpInvokerServiceExporter() { // $ Alert[java/unsafe-deserialization-spring-exporter-in-configuration-class] HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter(); exporter.setService(new AccountServiceImpl()); exporter.setServiceInterface(AccountService.class); diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java index 197a1c478435..2f551e1205e5 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java +++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.java 
@@ -12,9 +12,9 @@ public class UnsafeDeserializationRmi { // BAD (bind a remote object that has a vulnerable method) public static void testRegistryBindWithObjectParameter() throws Exception { Registry registry = LocateRegistry.createRegistry(1099); - registry.bind("unsafe", new UnsafeRemoteObjectImpl()); - registry.rebind("unsafe", new UnsafeRemoteObjectImpl()); - registry.rebind("unsafe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl())); + registry.bind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi] + registry.rebind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi] + registry.rebind("unsafe", UnicastRemoteObject.exportObject(new UnsafeRemoteObjectImpl())); // $ Alert[java/unsafe-deserialization-rmi] } // GOOD (bind a remote object that has methods that takes safe parameters) @@ -26,8 +26,8 @@ public static void testRegistryBindWithIntParameter() throws Exception { // BAD (bind a remote object that has a vulnerable method) public static void testNamingBindWithObjectParameter() throws Exception { - Naming.bind("unsafe", new UnsafeRemoteObjectImpl()); - Naming.rebind("unsafe", new UnsafeRemoteObjectImpl()); + Naming.bind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi] + Naming.rebind("unsafe", new UnsafeRemoteObjectImpl()); // $ Alert[java/unsafe-deserialization-rmi] } // GOOD (bind a remote object that has methods that takes safe parameters) diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref index f9691113cfaa..711338908ee1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeDeserializationRmi.qlref 
@@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.qlref b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.qlref index 823c7735ec5a..e58985f0971c 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInConfigurationClass.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.qlref b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.qlref index 46024a0b6b33..4491a0d32255 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-502/UnsafeSpringExporterInXMLConfiguration.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml b/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml index fbb936d901db..fc7536c7175e 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml 
+++ b/java/ql/test/experimental/query-tests/security/CWE-502/beans.xml @@ -10,21 +10,21 @@ - + - + - + - + diff --git a/java/ql/test/experimental/query-tests/security/CWE-548/InsecureDirectoryConfig.qlref b/java/ql/test/experimental/query-tests/security/CWE-548/InsecureDirectoryConfig.qlref index ead6d782be86..a6a93025c437 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-548/InsecureDirectoryConfig.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-548/InsecureDirectoryConfig.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql +query: experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-548/insecure-web.xml b/java/ql/test/experimental/query-tests/security/CWE-548/insecure-web.xml index 346f98346b31..3e197e53fcac 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-548/insecure-web.xml +++ b/java/ql/test/experimental/query-tests/security/CWE-548/insecure-web.xml @@ -16,7 +16,7 @@ listings true - + 1 @@ -26,4 +26,4 @@ / - \ No newline at end of file + diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.qlref b/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.qlref index b996de137231..29138b5006d3 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-555/PasswordInConfigurationFile.qlref @@ -1 +1,2 @@ -experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql +query: experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/applicationContext.xml b/java/ql/test/experimental/query-tests/security/CWE-555/applicationContext.xml index 040c866759b9..a4030150cb91 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-555/applicationContext.xml +++ b/java/ql/test/experimental/query-tests/security/CWE-555/applicationContext.xml @@ -6,7 +6,7 @@ - + diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/context.xml b/java/ql/test/experimental/query-tests/security/CWE-555/context.xml index 6ea601bc6d7f..f3e59bfcdb1d 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-555/context.xml +++ b/java/ql/test/experimental/query-tests/security/CWE-555/context.xml @@ -5,7 +5,7 @@ maxTotal="100" maxIdle="30" maxWaitMillis="10000" username="root" password="1234" driverClassName="com.mysql.jdbc.Driver" - url="jdbc:mysql://www.example1.com:3306/proj"/> + url="jdbc:mysql://www.example1.com:3306/proj"/> - \ No newline at end of file + diff --git a/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml b/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml index 3569f0d09de9..10ad6b30f7cc 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml +++ b/java/ql/test/experimental/query-tests/security/CWE-555/custom-config.xml @@ -1,4 +1,4 @@ - + diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java index 2b7386bb6005..d1a633be31cb 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java +++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java 
@@ -9,13 +9,13 @@ public class SensitiveGetQuery extends HttpServlet { // BAD - Tests retrieving sensitive information through `request.getParameter()` in a GET request. public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String username = request.getParameter("username"); - String password = request.getParameter("password"); + String password = request.getParameter("password"); // $ Source - processUserInfo(username, password); + processUserInfo(username, password); // $ Alert } void processUserInfo(String username, String password) { - System.out.println("username = " + username+"; password "+password); + System.out.println("username = " + username+"; password "+password); // $ Alert } // GOOD - Tests retrieving sensitive information through `request.getParameter()` in a POST request. diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.qlref b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.qlref index 53c2523e0411..20c3e79eb968 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery2.java b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery2.java index 6b4fec0b3315..97b929c792f1 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery2.java +++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery2.java 
@@ -9,14 +9,14 @@ public class SensitiveGetQuery2 extends HttpServlet { // BAD - Tests retrieving sensitive information through `request.getParameterMap()` in a GET request. public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - Map map = request.getParameterMap(); + Map map = request.getParameterMap(); // $ Source String username = (String) map.get("username"); String password = (String) map.get("password"); - processUserInfo(username, password); + processUserInfo(username, password); // $ Alert } void processUserInfo(String username, String password) { - System.out.println("username = " + username+"; password "+password); + System.out.println("username = " + username+"; password "+password); // $ Alert } // GOOD - Tests retrieving sensitive information through `request.getParameterMap()` in a POST request. diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery3.java b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery3.java index 5d191bb52b15..e34534236d0a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery3.java +++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery3.java @@ -10,11 +10,11 @@ public class SensitiveGetQuery3 extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String username = getRequestParameter(request, "username"); String password = getRequestParameter(request, "password"); - System.out.println("Username="+username+"; password="+password); + System.out.println("Username="+username+"; password="+password); // $ Alert } String getRequestParameter(HttpServletRequest request, String paramName) { - return request.getParameter(paramName); + return request.getParameter(paramName); // $ Source } // GOOD - Tests retrieving sensitive information through a wrapper call in a POST request. 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery4.java b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery4.java index 29e94d254d46..4f5399b9e10e 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery4.java +++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery4.java @@ -13,11 +13,11 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) thro String tokenType = getRequestParameter(request, "tokenType"); String accessToken = getRequestParameter(request, "accessToken"); System.out.println("Username="+username+"; token="+token+"; tokenType="+tokenType); - System.out.println("AccessToken="+accessToken); + System.out.println("AccessToken="+accessToken); // $ Alert } String getRequestParameter(HttpServletRequest request, String paramName) { - return request.getParameter(paramName); + return request.getParameter(paramName); // $ Source } // GOOD - Tests retrieving non-sensitive tokens and sensitive tokens in a POST request. diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java index 1e38c917b0f1..63f19ef87a3e 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java +++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.java 
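Review bot: In SensitiveGetQuery4.java the first `println` of `doGet`, which prints `token` and `tokenType` obtained through the same `getRequestParameter` wrapper, carries no annotation while the `accessToken` line gets `// $ Alert`. With inline expectations an unannotated line asserts that nothing is reported there, and the hunk does not say whether that is the intended outcome. If `token` is deliberately treated as non-sensitive, a comment on that line such as `// OK: token and tokenType are not classified as sensitive` would record it; if it is a known gap in the query, `// $ MISSING: Alert` is the usual way to mark it. `doGet` starts outside the hunk.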
@@ -10,11 +10,11 @@ class UncaughtServletException extends HttpServlet { // BAD - Tests `doGet` without catching exceptions. public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - String ip = request.getParameter("srcIP"); - InetAddress addr = InetAddress.getByName(ip); // getByName(String) throws UnknownHostException + String ip = request.getParameter("srcIP"); // $ Source + InetAddress addr = InetAddress.getByName(ip); // $ Alert // getByName(String) throws UnknownHostException - String userId = request.getRemoteUser(); - Integer.parseInt(userId); // Integer.parse(String) throws RuntimeException + String userId = request.getRemoteUser(); // $ Source + Integer.parseInt(userId); // $ Alert // Integer.parse(String) throws RuntimeException } // GOOD - Tests `doPost` with catching exceptions. @@ -51,8 +51,8 @@ public void doDelete(HttpServletRequest request, HttpServletResponse response) t // BAD - Tests rethrowing caught exceptions with stack trace. public void doOptions(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { try { - String ip = request.getParameter("srcIP"); - InetAddress addr = InetAddress.getByName(ip); + String ip = request.getParameter("srcIP"); // $ Source + InetAddress addr = InetAddress.getByName(ip); // $ Alert } catch (UnknownHostException uhex) { uhex.printStackTrace(); throw uhex; @@ -72,8 +72,8 @@ public void service(HttpServletRequest request, HttpServletResponse response) th try { addr = InetAddress.getByName(ip); - String userId = request.getRemoteUser(); - Integer.parseInt(userId); // Integer.parse(String) throws RuntimeException + String userId = request.getRemoteUser(); // $ Source + Integer.parseInt(userId); // $ Alert // Integer.parse(String) throws RuntimeException } catch (UnknownHostException uhex) { throw new UnknownHostException("Got exception "+uhex.getMessage()); } 
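Review bot: The explanation kept after `// $ Alert` on the `Integer.parseInt(userId)` line in `doGet` still names `Integer.parse(String)`, which is not the method being called, and gives the failure only as `RuntimeException`. The line is rewritten here and again in the `service` hunk (-72,8), so the comment could become `// $ Alert // Integer.parseInt(String) throws NumberFormatException` in both places. A reader of this CWE-600 test then sees which unchecked exception is expected to escape the servlet method. `service` starts outside its hunk, so only the visible lines were checked.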
diff --git a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref index 14466d983a7e..11977e14ba2e 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-600/UncaughtServletException.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-600/UncaughtServletException.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java index e5909b3478ed..a73f9c14249d 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java +++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.java 
@@ -14,53 +14,53 @@ public class SpringUrlRedirect { private final static String VALID_REDIRECT = "http://127.0.0.1"; @GetMapping("url1") - public RedirectView bad1(String redirectUrl, HttpServletResponse response) throws Exception { + public RedirectView bad1(String redirectUrl, HttpServletResponse response) throws Exception { // $ Source RedirectView rv = new RedirectView(); - rv.setUrl(redirectUrl); + rv.setUrl(redirectUrl); // $ Alert return rv; } @GetMapping("url2") - public String bad2(String redirectUrl) { - String url = "redirect:" + redirectUrl; + public String bad2(String redirectUrl) { // $ Source + String url = "redirect:" + redirectUrl; // $ Alert return url; } @GetMapping("url3") - public RedirectView bad3(String redirectUrl) { - RedirectView rv = new RedirectView(redirectUrl); + public RedirectView bad3(String redirectUrl) { // $ Source + RedirectView rv = new RedirectView(redirectUrl); // $ Alert return rv; } @GetMapping("url4") - public ModelAndView bad4(String redirectUrl) { - return new ModelAndView("redirect:" + redirectUrl); + public ModelAndView bad4(String redirectUrl) { // $ Source + return new ModelAndView("redirect:" + redirectUrl); // $ Alert } @GetMapping("url5") - public String bad5(String redirectUrl) { + public String bad5(String redirectUrl) { // $ Source StringBuffer stringBuffer = new StringBuffer(); stringBuffer.append("redirect:"); - stringBuffer.append(redirectUrl); + stringBuffer.append(redirectUrl); // $ Alert return stringBuffer.toString(); } @GetMapping("url6") - public String bad6(String redirectUrl) { + public String bad6(String redirectUrl) { // $ Source StringBuilder stringBuilder = new StringBuilder(); stringBuilder.append("redirect:"); - stringBuilder.append(redirectUrl); + stringBuilder.append(redirectUrl); // $ Alert return stringBuilder.toString(); } @GetMapping("url7") - public String bad7(String redirectUrl) { - return "redirect:" + String.format("%s/?aaa", redirectUrl); + public String bad7(String redirectUrl) { 
// $ Source + return "redirect:" + String.format("%s/?aaa", redirectUrl); // $ Alert } @GetMapping("url8") - public String bad8(String redirectUrl, String token) { - return "redirect:" + String.format(redirectUrl + "?token=%s", token); + public String bad8(String redirectUrl, String token) { // $ Source + return "redirect:" + String.format(redirectUrl + "?token=%s", token); // $ Alert } @GetMapping("url9") 
@@ -86,49 +86,49 @@ public String good3(String status) { } @GetMapping("url12") - public ResponseEntity bad9(String redirectUrl) { + public ResponseEntity bad9(String redirectUrl) { // $ Source return ResponseEntity.status(HttpStatus.FOUND) - .location(URI.create(redirectUrl)) + .location(URI.create(redirectUrl)) // $ Alert .build(); } @GetMapping("url13") - public ResponseEntity bad10(String redirectUrl) { + public ResponseEntity bad10(String redirectUrl) { // $ Source HttpHeaders httpHeaders = new HttpHeaders(); httpHeaders.setLocation(URI.create(redirectUrl)); - return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER); + return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER); // $ Alert } @GetMapping("url14") - public ResponseEntity bad11(String redirectUrl) { + public ResponseEntity bad11(String redirectUrl) { // $ Source HttpHeaders httpHeaders = new HttpHeaders(); httpHeaders.add("Location", redirectUrl); - return ResponseEntity.status(HttpStatus.SEE_OTHER).headers(httpHeaders).build(); + return ResponseEntity.status(HttpStatus.SEE_OTHER).headers(httpHeaders).build(); // $ Alert } @GetMapping("url15") - public ResponseEntity bad12(String redirectUrl) { + public ResponseEntity bad12(String redirectUrl) { // $ Source HttpHeaders httpHeaders = new HttpHeaders(); httpHeaders.add("Location", redirectUrl); - return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER); + return new ResponseEntity<>(httpHeaders, HttpStatus.SEE_OTHER); // $ Alert } @GetMapping("url16") - public ResponseEntity bad13(String redirectUrl) { + public ResponseEntity bad13(String redirectUrl) { // $ Source HttpHeaders httpHeaders = new HttpHeaders(); httpHeaders.add("Location", redirectUrl); - return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER); + return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER); // $ Alert } @GetMapping("url17") - public ResponseEntity bad14(String redirectUrl) { + public ResponseEntity bad14(String 
redirectUrl) { // $ Source HttpHeaders httpHeaders = new HttpHeaders(); httpHeaders.setLocation(URI.create(redirectUrl)); - return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER); + return new ResponseEntity<>("TestBody", httpHeaders, HttpStatus.SEE_OTHER); // $ Alert } } diff --git a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref index 3c1c8a42a95b..62384d5e4302 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexFilter.java b/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexFilter.java index 6ce97453d8fb..28583c0ecb3c 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexFilter.java +++ b/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexFilter.java @@ -26,10 +26,10 @@ public void init(FilterConfig config) throws ServletException { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletResponse httpResponse = (HttpServletResponse) response; - String source = httpRequest.getPathInfo(); + String source = httpRequest.getPathInfo(); // $ Source Pattern p = Pattern.compile(PROTECTED_PATTERN); - Matcher m = p.matcher(source); + Matcher m = p.matcher(source); // $ Alert if (m.matches()) { // Protected page - check access token and redirect to login page 
@@ -67,4 +67,4 @@ public void doFilter2(ServletRequest request, ServletResponse response, FilterCh public void destroy() { // Close resources } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexServlet.java b/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexServlet.java index 47d3175afcf6..c2d50a50d71a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexServlet.java +++ b/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexServlet.java @@ -16,10 +16,10 @@ public class DotRegexServlet extends HttpServlet { // BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String source = request.getPathInfo(); + String source = request.getPathInfo(); // $ Source Pattern p = Pattern.compile(PROTECTED_PATTERN); - Matcher m = p.matcher(source); + Matcher m = p.matcher(source); // $ Alert if (m.matches()) { // Protected page - check access token and redirect to login page @@ -54,9 +54,9 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response) // BAD: A string with line return e.g. `/protected/%0axyz` can bypass the path check protected void doGet3(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String source = request.getRequestURI(); + String source = request.getRequestURI(); // $ Source - boolean matches = source.matches(PROTECTED_PATTERN); + boolean matches = source.matches(PROTECTED_PATTERN); // $ Alert if (matches) { // Protected page - check access token and redirect to login page 
@@ -72,9 +72,9 @@ protected void doGet3(HttpServletRequest request, HttpServletResponse response) // BAD: A string with line return e.g. `/protected/%0axyz` can bypass the path check protected void doGet4(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String source = request.getPathInfo(); + String source = request.getPathInfo(); // $ Source - boolean matches = Pattern.matches(PROTECTED_PATTERN, source); + boolean matches = Pattern.matches(PROTECTED_PATTERN, source); // $ Alert if (matches) { // Protected page - check access token and redirect to login page @@ -109,10 +109,10 @@ protected void doGet5(HttpServletRequest request, HttpServletResponse response) // BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check protected void doGet6(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String source = request.getPathInfo(); + String source = request.getPathInfo(); // $ Source Pattern p = Pattern.compile(PROTECTED_PATTERN); - Matcher m = p.matcher(source); + Matcher m = p.matcher(source); // $ Alert if (m.matches()) { // Protected page - check access token and redirect to login page diff --git a/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexSpring.java b/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexSpring.java index 4651508fe195..196a305b0865 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexSpring.java +++ b/java/ql/test/experimental/query-tests/security/CWE-625/DotRegexSpring.java 
@@ -17,10 +17,10 @@ public class DotRegexSpring { @GetMapping("param") // BAD: A string with line return e.g. `/protected/%0dxyz` can bypass the path check - public String withParam(@RequestParam String path, Model model) throws UnsupportedEncodingException { + public String withParam(@RequestParam String path, Model model) throws UnsupportedEncodingException { // $ Source Pattern p = Pattern.compile(PROTECTED_PATTERN); path = decodePath(path); - Matcher m = p.matcher(path); + Matcher m = p.matcher(path); // $ Alert if (m.matches()) { // Protected page - check access token and redirect to login page @@ -34,10 +34,10 @@ public String withParam(@RequestParam String path, Model model) throws Unsupport @GetMapping("{path}") // BAD: A string with line return e.g. `%252Fprotected%252F%250dxyz` can bypass the path check - public RedirectView withPathVariable1(@PathVariable String path, Model model) throws UnsupportedEncodingException { + public RedirectView withPathVariable1(@PathVariable String path, Model model) throws UnsupportedEncodingException { // $ Source Pattern p = Pattern.compile(PROTECTED_PATTERN); path = decodePath(path); - Matcher m = p.matcher(path); + Matcher m = p.matcher(path); // $ Alert if (m.matches()) { // Protected page - check access token and redirect to login page diff --git a/java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.qlref b/java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.qlref index 67382a5e297e..b4a93ae73f2a 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-625/PermissiveDotRegex.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java index d8df8057cc6e..5dccb7dbe225 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java +++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.java @@ -42,13 +42,13 @@ public static void main(String[] args) throws Exception { @RequestMapping public void testRequestbad(HttpServletRequest request) throws Exception { - String name = request.getParameter("name"); + String name = request.getParameter("name"); // $ Source XQDataSource ds = new SaxonXQDataSource(); XQConnection conn = ds.getConnection(); String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password"; XQPreparedExpression xqpe = conn.prepareExpression(query); - XQResultSequence result = xqpe.executeQuery(); + XQResultSequence result = xqpe.executeQuery(); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } @@ -56,13 +56,13 @@ public void testRequestbad(HttpServletRequest request) throws Exception { @RequestMapping public void testRequestbad1(HttpServletRequest request) throws Exception { - String name = request.getParameter("name"); + String name = request.getParameter("name"); // $ Source XQDataSource xqds = new SaxonXQDataSource(); String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password"; XQConnection conn = xqds.getConnection(); XQExpression expr = conn.createExpression(); - XQResultSequence result = expr.executeQuery(query); + XQResultSequence result = expr.executeQuery(query); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } 
@@ -70,26 +70,26 @@ public void testRequestbad1(HttpServletRequest request) throws Exception { @RequestMapping - public void testStringtbad(@RequestParam String nameStr) throws XQException { + public void testStringtbad(@RequestParam String nameStr) throws XQException { // $ Source XQDataSource ds = new SaxonXQDataSource(); XQConnection conn = ds.getConnection(); String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr + "'] return $user/password"; XQPreparedExpression xqpe = conn.prepareExpression(query); - XQResultSequence result = xqpe.executeQuery(); + XQResultSequence result = xqpe.executeQuery(); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } } @RequestMapping - public void testStringtbad1(@RequestParam String nameStr) throws XQException { + public void testStringtbad1(@RequestParam String nameStr) throws XQException { // $ Source XQDataSource xqds = new SaxonXQDataSource(); String query = "for $user in doc(\"users.xml\")/Users/User[name='" + nameStr + "'] return $user/password"; XQConnection conn = xqds.getConnection(); XQExpression expr = conn.createExpression(); - XQResultSequence result = expr.executeQuery(query); + XQResultSequence result = expr.executeQuery(query); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } @@ -97,11 +97,11 @@ public void testStringtbad1(@RequestParam String nameStr) throws XQException { @RequestMapping public void testInputStreambad(HttpServletRequest request) throws Exception { - InputStream name = request.getInputStream(); + InputStream name = request.getInputStream(); // $ Source XQDataSource ds = new SaxonXQDataSource(); XQConnection conn = ds.getConnection(); XQPreparedExpression xqpe = conn.prepareExpression(name); - XQResultSequence result = xqpe.executeQuery(); + XQResultSequence result = xqpe.executeQuery(); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } 
@@ -109,11 +109,11 @@ public void testInputStreambad(HttpServletRequest request) throws Exception { @RequestMapping public void testInputStreambad1(HttpServletRequest request) throws Exception { - InputStream name = request.getInputStream(); + InputStream name = request.getInputStream(); // $ Source XQDataSource xqds = new SaxonXQDataSource(); XQConnection conn = xqds.getConnection(); XQExpression expr = conn.createExpression(); - XQResultSequence result = expr.executeQuery(name); + XQResultSequence result = expr.executeQuery(name); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } @@ -121,12 +121,12 @@ public void testInputStreambad1(HttpServletRequest request) throws Exception { @RequestMapping public void testReaderbad(HttpServletRequest request) throws Exception { - InputStream name = request.getInputStream(); + InputStream name = request.getInputStream(); // $ Source BufferedReader br = new BufferedReader(new InputStreamReader(name)); XQDataSource ds = new SaxonXQDataSource(); XQConnection conn = ds.getConnection(); XQPreparedExpression xqpe = conn.prepareExpression(br); - XQResultSequence result = xqpe.executeQuery(); + XQResultSequence result = xqpe.executeQuery(); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } @@ -134,12 +134,12 @@ public void testReaderbad(HttpServletRequest request) throws Exception { @RequestMapping public void testReaderbad1(HttpServletRequest request) throws Exception { - InputStream name = request.getInputStream(); + InputStream name = request.getInputStream(); // $ Source BufferedReader br = new BufferedReader(new InputStreamReader(name)); XQDataSource xqds = new SaxonXQDataSource(); XQConnection conn = xqds.getConnection(); XQExpression expr = conn.createExpression(); - XQResultSequence result = expr.executeQuery(br); + XQResultSequence result = expr.executeQuery(br); // $ Alert while (result.next()) { System.out.println(result.getItemAsString(null)); } 
@@ -147,16 +147,16 @@ public void testReaderbad1(HttpServletRequest request) throws Exception { @RequestMapping public void testExecuteCommandbad(HttpServletRequest request) throws Exception { - String name = request.getParameter("name"); + String name = request.getParameter("name"); // $ Source XQDataSource xqds = new SaxonXQDataSource(); XQConnection conn = xqds.getConnection(); XQExpression expr = conn.createExpression(); //bad code - expr.executeCommand(name); + expr.executeCommand(name); // $ Alert //bad code - InputStream is = request.getInputStream(); + InputStream is = request.getInputStream(); // $ Source BufferedReader br = new BufferedReader(new InputStreamReader(is)); - expr.executeCommand(br); + expr.executeCommand(br); // $ Alert expr.close(); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.qlref b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.qlref index df94ae95807d..a998a694ade6 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-652/XQueryInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java index f1294847fcc0..b631e7c6cca9 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java +++ b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.java 
@@ -9,12 +9,12 @@ public class InsecureRmiJmxEnvironmentConfiguration { public void initInsecureJmxDueToNullEnv() throws IOException { // Bad initializing env (arg1) with null - JMXConnectorServerFactory.newJMXConnectorServer(null, null, null); + JMXConnectorServerFactory.newJMXConnectorServer(null, null, null); // $ Alert } public void initInsecureRmiDueToNullEnv() throws IOException { // Bad initializing env (arg1) with null - new RMIConnectorServer(null, null, null, null); + new RMIConnectorServer(null, null, null, null); // $ Alert } public void initInsecureRmiDueToMissingEnvKeyValue() throws IOException { @@ -22,7 +22,7 @@ public void initInsecureRmiDueToMissingEnvKeyValue() throws IOException { // "jmx.remote.rmi.server.credential.types" Map env = new HashMap<>(); env.put("jmx.remote.x.daemon", "true"); - new RMIConnectorServer(null, env, null, null); + new RMIConnectorServer(null, env, null, null); // $ Alert } public void initInsecureJmxDueToMissingEnvKeyValue() throws IOException { @@ -30,7 +30,7 @@ public void initInsecureJmxDueToMissingEnvKeyValue() throws IOException { // "jmx.remote.rmi.server.credential.types" Map env = new HashMap<>(); env.put("jmx.remote.x.daemon", "true"); - JMXConnectorServerFactory.newJMXConnectorServer(null, env, null); + JMXConnectorServerFactory.newJMXConnectorServer(null, env, null); // $ Alert } public void secureJmxConnnectorServer() throws IOException { diff --git a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qlref b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qlref index de4b67445338..3b1127b46953 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-665/InsecureRmiJmxEnvironmentConfiguration.qlref 
@@ -1 +1,2 @@ -experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql \ No newline at end of file +query: experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.java b/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.java index bf527f04fe1e..9ceefd5a388b 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.java +++ b/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.java @@ -10,8 +10,8 @@ public void testOnCreate1(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(-1); - String minPriceStr = getIntent().getStringExtra("priceMin"); - double minPrice = Double.parseDouble(minPriceStr); + String minPriceStr = getIntent().getStringExtra("priceMin"); // $ Source + double minPrice = Double.parseDouble(minPriceStr); // $ Alert } // BAD - parse string extra to integer @@ -19,11 +19,11 @@ public void testOnCreate2(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(-1); - String widthStr = getIntent().getStringExtra("width"); - int width = Integer.parseInt(widthStr); + String widthStr = getIntent().getStringExtra("width"); // $ Source + int width = Integer.parseInt(widthStr); // $ Alert - String heightStr = getIntent().getStringExtra("height"); - int height = Integer.parseInt(heightStr); + String heightStr = getIntent().getStringExtra("height"); // $ Source + int height = Integer.parseInt(heightStr); // $ Alert } // GOOD - parse int extra to integer 
@@ -40,11 +40,11 @@ public void testOnCreate4(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(-1); - String minPriceStr = getIntent().getStringExtra("priceMin"); - double minPrice = new Double(minPriceStr); + String minPriceStr = getIntent().getStringExtra("priceMin"); // $ Source + double minPrice = new Double(minPriceStr); // $ Alert String maxPriceStr = getIntent().getStringExtra("priceMax"); - double maxPrice = Double.valueOf(minPriceStr); + double maxPrice = Double.valueOf(minPriceStr); // $ Alert } // GOOD - parse string extra to double with caught NFE @@ -83,4 +83,4 @@ public void testOnCreate7(Bundle savedInstanceState) { double priceMin = IntentUtils.getDoubleExtra(this, "priceMin"); } -} \ No newline at end of file +} diff --git a/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.qlref b/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.qlref index 17bd71ea68af..9e538d9fd8a0 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-755/NFEAndroidDoS.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java b/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java index 48911486db14..ba482a503e72 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java +++ b/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.java 
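Review bot: In `testOnCreate4` the new expectation on `double maxPrice = Double.valueOf(minPriceStr); // $ Alert` pins what looks like a copy-paste slip in the test. `maxPriceStr` is read from the `priceMax` extra and never used, so the `Double.valueOf` sink is only reached from the `priceMin` source. That is presumably why the `priceMax` line carries no `// $ Source`. If the test is meant to cover a second untrusted extra, the call should be `Double.valueOf(maxPriceStr)` and the line above it would then need `// $ Source`. The method signature appears only in the hunk header, so this is inferred from the visible body lines.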
@@ -7,7 +7,7 @@ public class HashWithoutSalt { // BAD - Hash without a salt. public String getSHA256Hash(String password) throws NoSuchAlgorithmException { MessageDigest md = MessageDigest.getInstance("SHA-256"); - byte[] messageDigest = md.digest(password.getBytes()); + byte[] messageDigest = md.digest(password.getBytes()); // $ Alert return Base64.getEncoder().encodeToString(messageDigest); } @@ -22,7 +22,7 @@ public String getSHA256Hash(String password, byte[] salt) throws NoSuchAlgorithm // BAD - Hash without a salt. public String getSHA256Hash2(String password) throws NoSuchAlgorithmException { MessageDigest md = MessageDigest.getInstance("SHA-256"); - md.update(password.getBytes()); + md.update(password.getBytes()); // $ Alert byte[] messageDigest = md.digest(); return Base64.getEncoder().encodeToString(messageDigest); } @@ -90,8 +90,8 @@ public String getWrapperSHA256Hash(String password) throws NoSuchAlgorithmExcept // BAD - Invoking a wrapper implementation through qualifier without a salt. public String getWrapperSHA256Hash2(String password) throws NoSuchAlgorithmException, ClassNotFoundException, IllegalAccessException, InstantiationException { SHA256 sha256 = new SHA256(); - byte[] passBytes = password.getBytes(); - sha256.update(passBytes, 0, passBytes.length); + byte[] passBytes = password.getBytes(); // $ Source + sha256.update(passBytes, 0, passBytes.length); // $ Alert return Base64.getEncoder().encodeToString(sha256.digest()); } 
@@ -108,8 +108,8 @@ public String getWrapperSHA256Hash3(String password) throws NoSuchAlgorithmExcep // BAD - Invoking a wrapper implementation through argument without a salt. public String getWrapperSHA256Hash4(String password) throws NoSuchAlgorithmException { SHA256 sha256 = new SHA256(); - byte[] passBytes = password.getBytes(); - update(sha256, passBytes, 0, passBytes.length); + byte[] passBytes = password.getBytes(); // $ Source + update(sha256, passBytes, 0, passBytes.length); // $ Alert return Base64.getEncoder().encodeToString(sha256.digest()); } diff --git a/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.qlref b/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.qlref index b2f767ca66ac..186b2833671f 100644 --- a/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.qlref +++ b/java/ql/test/experimental/query-tests/security/CWE-759/HashWithoutSalt.qlref @@ -1,2 +1,4 @@ query: experimental/Security/CWE/CWE-759/HashWithoutSalt.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref index 933c3569eed8..f41f720f7251 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref +++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirect.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-601/UrlRedirect.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java index 897ee7890bd9..263472d3fc5c 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java 
+++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJakarta.java @@ -7,9 +7,9 @@ public class UrlRedirectJakarta extends HttpServlet { protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception { // BAD - jaxResponse.seeOther(new URI(request.getParameter("target"))); + jaxResponse.seeOther(new URI(request.getParameter("target"))); // $ Alert[java/unvalidated-url-redirection] // BAD - jaxResponse.temporaryRedirect(new URI(request.getParameter("target"))); + jaxResponse.temporaryRedirect(new URI(request.getParameter("target"))); // $ Alert[java/unvalidated-url-redirection] } } diff --git a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java index 4ba3d1f13317..a757351a93c2 100644 --- a/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java +++ b/java/ql/test/library-tests/frameworks/JaxWs/UrlRedirectJax.java @@ -7,9 +7,9 @@ public class UrlRedirectJax extends HttpServlet { protected void doGetJax(HttpServletRequest request, Response jaxResponse) throws Exception { // BAD - jaxResponse.seeOther(new URI(request.getParameter("target"))); + jaxResponse.seeOther(new URI(request.getParameter("target"))); // $ Alert[java/unvalidated-url-redirection] // BAD - jaxResponse.temporaryRedirect(new URI(request.getParameter("target"))); + jaxResponse.temporaryRedirect(new URI(request.getParameter("target"))); // $ Alert[java/unvalidated-url-redirection] } } diff --git a/java/ql/test/query-tests/AmbiguousOuterSuper/AmbiguousOuterSuper.qlref b/java/ql/test/query-tests/AmbiguousOuterSuper/AmbiguousOuterSuper.qlref index 70c62b8c8514..add5a9dc5338 100644 --- a/java/ql/test/query-tests/AmbiguousOuterSuper/AmbiguousOuterSuper.qlref +++ b/java/ql/test/query-tests/AmbiguousOuterSuper/AmbiguousOuterSuper.qlref 
@@ -1 +1,2 @@ -Violations of Best Practice/Naming Conventions/AmbiguousOuterSuper.ql \ No newline at end of file +query: Violations of Best Practice/Naming Conventions/AmbiguousOuterSuper.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/AmbiguousOuterSuper/GenericTest.java b/java/ql/test/query-tests/AmbiguousOuterSuper/GenericTest.java index f0d14dc48675..b35ac02925c0 100644 --- a/java/ql/test/query-tests/AmbiguousOuterSuper/GenericTest.java +++ b/java/ql/test/query-tests/AmbiguousOuterSuper/GenericTest.java @@ -11,7 +11,7 @@ void f() { } class Inner extends GenericTest { public void test() { - f(); + f(); // $ Alert } } diff --git a/java/ql/test/query-tests/AmbiguousOuterSuper/Test.java b/java/ql/test/query-tests/AmbiguousOuterSuper/Test.java index e2a506f1438a..875b4f7bbe98 100644 --- a/java/ql/test/query-tests/AmbiguousOuterSuper/Test.java +++ b/java/ql/test/query-tests/AmbiguousOuterSuper/Test.java @@ -11,7 +11,7 @@ void f() { } class Inner extends Test { public void test() { - f(); + f(); // $ Alert } } diff --git a/java/ql/test/query-tests/AutoBoxing/AutoBoxing.qlref b/java/ql/test/query-tests/AutoBoxing/AutoBoxing.qlref index f116f3bd8b41..dc47875616d8 100644 --- a/java/ql/test/query-tests/AutoBoxing/AutoBoxing.qlref +++ b/java/ql/test/query-tests/AutoBoxing/AutoBoxing.qlref @@ -1 +1,2 @@ -Violations of Best Practice/legacy/AutoBoxing.ql +query: Violations of Best Practice/legacy/AutoBoxing.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/AutoBoxing/Test.java b/java/ql/test/query-tests/AutoBoxing/Test.java index 49c12f0c5213..300a82a9a57d 100644 --- a/java/ql/test/query-tests/AutoBoxing/Test.java +++ b/java/ql/test/query-tests/AutoBoxing/Test.java 
@@ -1,19 +1,19 @@ class Test { void unbox(Integer i, Boolean b) { // NOT OK - int j = i + 19; + int j = i + 19; // $ Alert // OK if (i == null); // NOT OK - if (i == 42); + if (i == 42); // $ Alert // NOT OK - j += i; + j += i; // $ Alert // NOT OK - int k = i; + int k = i; // $ Alert // NOT OK - bar(b); + bar(b); // $ Alert // NOT OK - int l = i == null ? 0 : i; + int l = i == null ? 0 : i; // $ Alert } void bar(boolean b) {} @@ -21,15 +21,15 @@ void bar(boolean b) {} Integer box(int i) { Integer[] is = new Integer[1]; // NOT OK - is[0] = i; + is[0] = i; // $ Alert // NOT OK - Integer j = i; + Integer j = i; // $ Alert // NOT OK - return i == -1 ? null : i; + return i == -1 ? null : i; // $ Alert } void rebox(Integer i) { // NOT OK - i += 19; + i += 19; // $ Alert } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/AvoidDeprecatedCallableAccess.qlref b/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/AvoidDeprecatedCallableAccess.qlref index 58c139046f3f..1277deb8a544 100644 --- a/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/AvoidDeprecatedCallableAccess.qlref +++ b/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/AvoidDeprecatedCallableAccess.qlref @@ -1 +1,2 @@ -Advisory/Deprecated Code/AvoidDeprecatedCallableAccess.ql \ No newline at end of file +query: Advisory/Deprecated Code/AvoidDeprecatedCallableAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/Test.java b/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/Test.java index 8f4b55c861d3..b9095a1fa70b 100644 --- a/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/Test.java +++ b/java/ql/test/query-tests/AvoidDeprecatedCallableAccess/Test.java @@ -10,11 +10,11 @@ void n() { { // NOT OK - m(); + m(); // $ Alert } public static void main(String[] args) { // NOT OK - new Test().n(); + new Test().n(); // $ Alert } -} \ No newline at end of file +} 
diff --git a/java/ql/test/query-tests/BadAbsOfRandom/BadAbsOfRandom.qlref b/java/ql/test/query-tests/BadAbsOfRandom/BadAbsOfRandom.qlref index b6bbc44bfa05..2fa4288992ae 100644 --- a/java/ql/test/query-tests/BadAbsOfRandom/BadAbsOfRandom.qlref +++ b/java/ql/test/query-tests/BadAbsOfRandom/BadAbsOfRandom.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BadAbsOfRandom.ql +query: Likely Bugs/Arithmetic/BadAbsOfRandom.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/BadAbsOfRandom/Test.java b/java/ql/test/query-tests/BadAbsOfRandom/Test.java index a01f13c7a82c..1be16ed73680 100644 --- a/java/ql/test/query-tests/BadAbsOfRandom/Test.java +++ b/java/ql/test/query-tests/BadAbsOfRandom/Test.java @@ -7,18 +7,18 @@ public class Test { public static void test() { Random r = new Random(); - Math.abs(r.nextInt()); - Math.abs(r.nextLong()); + Math.abs(r.nextInt()); // $ Alert + Math.abs(r.nextLong()); // $ Alert Math.abs(r.nextInt(100)); // GOOD: random value already has a restricted range - Math.abs(RandomUtils.nextInt()); - Math.abs(RandomUtils.nextLong()); + Math.abs(RandomUtils.nextInt()); // $ Alert + Math.abs(RandomUtils.nextLong()); // $ Alert Math.abs(RandomUtils.nextInt(1, 10)); // GOOD: random value already has a restricted range Math.abs(RandomUtils.nextLong(1, 10)); // GOOD: random value already has a restricted range ThreadLocalRandom tlr = ThreadLocalRandom.current(); - Math.abs(tlr.nextInt()); - Math.abs(tlr.nextLong()); + Math.abs(tlr.nextInt()); // $ Alert + Math.abs(tlr.nextLong()); // $ Alert Math.abs(tlr.nextInt(10)); // GOOD: random value already has a restricted range Math.abs(tlr.nextLong(10)); // GOOD: random value already has a restricted range Math.abs(tlr.nextInt(1, 10)); // GOOD: random value already has a restricted range diff --git a/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.java b/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.java index a1f7e9505020..f76b5b535fe7 100644 
--- a/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.java +++ b/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.java @@ -7,23 +7,23 @@ public boolean goodLiteral() { } public boolean badLiteral() { - return -10 % 2 > 0; + return -10 % 2 > 0; // $ Alert } public boolean badBrackets1() { - return -10 % 2 > (0); + return -10 % 2 > (0); // $ Alert } public boolean badBrackets2() { - return -10 % (2) > 0;// + return -10 % (2) > 0;// $ Alert // } public boolean badBrackets3() { - return (-10) % 2 > 0; + return (-10) % 2 > 0; // $ Alert } public boolean badBrackets4() { - return (-10 % 2) > 0; + return (-10 % 2) > 0; // $ Alert } // TODO: support for these cases @@ -47,11 +47,11 @@ public boolean goodStringLength(String string) { public boolean badVarLiteral() { int x = -10; - return x % 2 > 0; + return x % 2 > 0; // $ Alert } public boolean badParam(int x) { - return x % 2 > 0; + return x % 2 > 0; // $ Alert } public boolean badSometimes(boolean positive) { @@ -60,11 +60,11 @@ public boolean badSometimes(boolean positive) { x = 10; else x = -10; - return x % 2 > 0; + return x % 2 > 0; // $ Alert } private int f; public boolean badField() { - return f % 2 >0; + return f % 2 >0; // $ Alert } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.qlref b/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.qlref index 486707e04c10..544f107b3ff4 100644 --- a/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.qlref +++ b/java/ql/test/query-tests/BadCheckOdd/BadCheckOdd.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/BadCheckOdd.ql \ No newline at end of file +query: Likely Bugs/Arithmetic/BadCheckOdd.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/BoxedVariable/BoxedVariable.java b/java/ql/test/query-tests/BoxedVariable/BoxedVariable.java index 948f0942af75..3f0f8ff8a44e 100644 --- a/java/ql/test/query-tests/BoxedVariable/BoxedVariable.java 
+++ b/java/ql/test/query-tests/BoxedVariable/BoxedVariable.java @@ -2,12 +2,12 @@ class Test { public void f() { - Boolean done = false; // bad + Boolean done = false; // $ Alert // bad while (!done) { done = true; } - Integer sum = 0; // bad + Integer sum = 0; // $ Alert // bad for (int i = 0; i < 10; i++) sum += i; useBoxed(sum); @@ -15,7 +15,7 @@ public void f() { Integer box = 42; // ok; only boxed usages useBoxed(box); - Integer badbox = 17; // bad + Integer badbox = 17; // $ Alert // bad useBoxed(badbox); usePrim(badbox); @@ -23,7 +23,7 @@ public void f() { usePrim(x); x = null; - Long y = getPrim(); // bad + Long y = getPrim(); // $ Alert // bad y = 15L; y = getPrim(); boolean dummy = y > 0; @@ -39,7 +39,7 @@ void forloop(List l, int[] a) { for (Integer okix : l) sum += okix; // ok; has boxed assignment - for (Integer badix : a) sum += badix; // bad + for (Integer badix : a) sum += badix; // $ Alert // bad } void usePrim(int i) { } diff --git a/java/ql/test/query-tests/BoxedVariable/BoxedVariable.qlref b/java/ql/test/query-tests/BoxedVariable/BoxedVariable.qlref index 3b9bd6efc7ea..d7c4d286236d 100644 --- a/java/ql/test/query-tests/BoxedVariable/BoxedVariable.qlref +++ b/java/ql/test/query-tests/BoxedVariable/BoxedVariable.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Boxed Types/BoxedVariable.ql +query: Violations of Best Practice/Boxed Types/BoxedVariable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/BusyWait/BusyWait.qlref b/java/ql/test/query-tests/BusyWait/BusyWait.qlref index c172b454c925..874645fca3ee 100644 --- a/java/ql/test/query-tests/BusyWait/BusyWait.qlref +++ b/java/ql/test/query-tests/BusyWait/BusyWait.qlref @@ -1 +1,2 @@ -Likely Bugs/Concurrency/BusyWait.ql \ No newline at end of file +query: Likely Bugs/Concurrency/BusyWait.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/BusyWait/BusyWaits.java b/java/ql/test/query-tests/BusyWait/BusyWaits.java index 7b30ffe591e9..4269bc905f1b 100644 --- a/java/ql/test/query-tests/BusyWait/BusyWaits.java +++ b/java/ql/test/query-tests/BusyWait/BusyWaits.java @@ -1,13 +1,13 @@ class BusyWaits { public void badWait() throws InterruptedException { while(this.hashCode() != 0) - Thread.sleep(1); + Thread.sleep(1); // $ Alert } public void badWait2() throws InterruptedException, CloneNotSupportedException { while (this.hashCode() < 3) { for (int i = 0; i < this.hashCode(); this.clone()) - Thread.sleep(new String[1].length); + Thread.sleep(new String[1].length); // $ Alert } } @@ -26,4 +26,4 @@ public void noError2() { System.out.println("foo"); } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java index b77afc491056..b77c3b915386 100644 --- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java +++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.java @@ -15,12 +15,12 @@ class CloseReader { void test1() throws IOException { - BufferedReader br = new BufferedReader(new FileReader("C:\\test.txt")); + BufferedReader br = new BufferedReader(new FileReader("C:\\test.txt")); // $ Alert System.out.println(br.readLine()); } void test2() throws IOException { - InputStream in = new FileInputStream("file.bin"); + InputStream in = new FileInputStream("file.bin"); // $ Alert in.read(); } @@ -30,7 +30,7 @@ void test3() throws IOException { // InputStreamReader may throw an exception, in which case the ... reader = new InputStreamReader( // ... FileInputStream is not closed by the finally block - new FileInputStream("C:\\test.txt"), "UTF-8"); + new FileInputStream("C:\\test.txt"), "UTF-8"); // $ Alert System.out.println(reader.read()); } finally { 
@@ -40,7 +40,7 @@ void test3() throws IOException { } void test4() throws IOException { - ZipFile zipFile = new ZipFile("file.zip"); + ZipFile zipFile = new ZipFile("file.zip"); // $ Alert System.out.println(zipFile.getComment()); } diff --git a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref index 1c808bb9f469..9fae04fe76d2 100644 --- a/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref +++ b/java/ql/test/query-tests/CloseResource/CloseReader/CloseReader.qlref @@ -1 +1,2 @@ -Likely Bugs/Resource Leaks/CloseReader.ql +query: Likely Bugs/Resource Leaks/CloseReader.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java index 3733237b8dee..877d18bae681 100644 --- a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java +++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.java @@ -14,12 +14,12 @@ class CloseWriter { void test1() throws IOException { - BufferedWriter bw = new BufferedWriter(new FileWriter("C:\\test.txt")); + BufferedWriter bw = new BufferedWriter(new FileWriter("C:\\test.txt")); // $ Alert bw.write("test"); } void test2() throws IOException { - OutputStream out = new FileOutputStream("test.bin"); + OutputStream out = new FileOutputStream("test.bin"); // $ Alert out.write(1); } @@ -29,7 +29,7 @@ void test3() throws IOException { // OutputStreamWriter may throw an exception, in which case the ... writer = new OutputStreamWriter( // ... FileOutputStream is not closed by the finally block - new FileOutputStream("C:\\test.txt"), "UTF-8"); + new FileOutputStream("C:\\test.txt"), "UTF-8"); // $ Alert writer.write("test"); } finally { 
diff --git a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref index 880083673630..d81d6020dae2 100644 --- a/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref +++ b/java/ql/test/query-tests/CloseResource/CloseWriter/CloseWriter.qlref @@ -1 +1,2 @@ -Likely Bugs/Resource Leaks/CloseWriter.ql +query: Likely Bugs/Resource Leaks/CloseWriter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/CompareIdenticalValues/A.java b/java/ql/test/query-tests/CompareIdenticalValues/A.java index 89cadc833f55..d3f1b9841325 100644 --- a/java/ql/test/query-tests/CompareIdenticalValues/A.java +++ b/java/ql/test/query-tests/CompareIdenticalValues/A.java @@ -6,13 +6,13 @@ class Super { public class A extends Super { class B extends Super { { - if (this.foo == this.foo) + if (this.foo == this.foo) // $ Alert ; - if (B.this.foo == this.foo) + if (B.this.foo == this.foo) // $ Alert ; - if (super.foo == foo) + if (super.foo == foo) // $ Alert ; - if (B.super.foo == foo) + if (B.super.foo == foo) // $ Alert ; if (A.this.foo != this.foo) ; 
@@ -23,23 +23,23 @@ class B extends Super { { Double d = Double.NaN; - if (d == d); // !Double.isNan(d) - if (d <= d); // !Double.isNan(d), but unlikely to be intentional - if (d >= d); // !Double.isNan(d), but unlikely to be intentional - if (d != d); // Double.isNan(d) - if (d > d); // always false - if (d < d); // always false + if (d == d); // $ Alert // !Double.isNan(d) + if (d <= d); // $ Alert // !Double.isNan(d), but unlikely to be intentional + if (d >= d); // $ Alert // !Double.isNan(d), but unlikely to be intentional + if (d != d); // $ Alert // Double.isNan(d) + if (d > d); // $ Alert // always false + if (d < d); // $ Alert // always false float f = Float.NaN; - if (f == f); // !Float.isNan(f) - if (f <= f); // !Float.isNan(f), but unlikely to be intentional - if (f >= f); // !Float.isNan(f), but unlikely to be intentional - if (f != f); // Float.isNan(f) - if (f > f); // always false - if (f < f); // always false + if (f == f); // $ Alert // !Float.isNan(f) + if (f <= f); // $ Alert // !Float.isNan(f), but unlikely to be intentional + if (f >= f); // $ Alert // !Float.isNan(f), but unlikely to be intentional + if (f != f); // $ Alert // Float.isNan(f) + if (f > f); // $ Alert // always false + if (f < f); // $ Alert // always false int i = 0; - if (i == i); - if (i != i); + if (i == i); // $ Alert + if (i != i); // $ Alert } } diff --git a/java/ql/test/query-tests/CompareIdenticalValues/CompareIdenticalValues.qlref b/java/ql/test/query-tests/CompareIdenticalValues/CompareIdenticalValues.qlref index afff16c4f864..6022334fa245 100644 --- a/java/ql/test/query-tests/CompareIdenticalValues/CompareIdenticalValues.qlref +++ b/java/ql/test/query-tests/CompareIdenticalValues/CompareIdenticalValues.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/CompareIdenticalValues.ql \ No newline at end of file +query: Likely Bugs/Comparison/CompareIdenticalValues.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/ComplexCondition/ComplexCondition.java b/java/ql/test/query-tests/ComplexCondition/ComplexCondition.java index 4ed26d90731c..8ad6e40022c9 100644 --- a/java/ql/test/query-tests/ComplexCondition/ComplexCondition.java +++ b/java/ql/test/query-tests/ComplexCondition/ComplexCondition.java @@ -1,11 +1,11 @@ class ComplexCondition { public boolean bad(boolean a, boolean b, boolean c) { - if (a && (b || !c) + if (a && (b || !c) // $ || b && (a || !c) - || c && (a || !b)) { + || c && (a || !b)) { // $ Alert return true; } else { - return (a && !b) || (b && !c) || (a && !c) || (a && b || c); + return (a && !b) || (b && !c) || (a && !c) || (a && b || c); // $ Alert } } @@ -30,4 +30,4 @@ public boolean lengthy(boolean a, boolean b, boolean c) { }.ok(a || b, b || c, c || a) ); } -}; \ No newline at end of file +}; diff --git a/java/ql/test/query-tests/ComplexCondition/ComplexCondition.qlref b/java/ql/test/query-tests/ComplexCondition/ComplexCondition.qlref index 3c32b8a04cec..cf023b3c8af7 100644 --- a/java/ql/test/query-tests/ComplexCondition/ComplexCondition.qlref +++ b/java/ql/test/query-tests/ComplexCondition/ComplexCondition.qlref @@ -1 +1,2 @@ -Complexity/ComplexCondition.ql +query: Complexity/ComplexCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ConfusingOverloading/ConfusingOverloading.qlref b/java/ql/test/query-tests/ConfusingOverloading/ConfusingOverloading.qlref index 4fc71295c2c0..e74bc1b00aa6 100644 --- a/java/ql/test/query-tests/ConfusingOverloading/ConfusingOverloading.qlref +++ b/java/ql/test/query-tests/ConfusingOverloading/ConfusingOverloading.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql \ No newline at end of file +query: Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
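Review bot: The bare `// $` on the first line of the condition in `bad()` (`if (a && (b || !c) // $`) carries no expectation tag, while the `// $ Alert` sits on the closing line `|| c && (a || !b)) {`; it looks like a leftover of the automated conversion for an alert that spans several lines. I would drop the empty marker and keep a single `// $ Alert` on whichever line the inline-expectations postprocess matches, which is worth confirming by running the test. The same pattern appears in DoubleCheckedLocking/A.java later in this patch, where `synchronized(this) { // $` is paired with `} // $ Alert[java/unsafe-double-checked-locking]` in both `getString1` and `getter1`.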
diff --git a/java/ql/test/query-tests/ConfusingOverloading/TestConfusingOverloading.java b/java/ql/test/query-tests/ConfusingOverloading/TestConfusingOverloading.java index bba5cfb67b6f..1d4045742156 100644 --- a/java/ql/test/query-tests/ConfusingOverloading/TestConfusingOverloading.java +++ b/java/ql/test/query-tests/ConfusingOverloading/TestConfusingOverloading.java @@ -4,7 +4,7 @@ void test2(T t) {} void test(Super other) {} } class Sub extends Super { - void test(Sub other) {} + void test(Sub other) {} // $ Alert } class Sub2 extends Super { diff --git a/java/ql/test/query-tests/ConstantExpAppearsNonConstant/ConstantExpAppearsNonConstant.qlref b/java/ql/test/query-tests/ConstantExpAppearsNonConstant/ConstantExpAppearsNonConstant.qlref index 6d7e1f5cb7ff..924600d5a4d1 100644 --- a/java/ql/test/query-tests/ConstantExpAppearsNonConstant/ConstantExpAppearsNonConstant.qlref +++ b/java/ql/test/query-tests/ConstantExpAppearsNonConstant/ConstantExpAppearsNonConstant.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql \ No newline at end of file +query: Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ConstantExpAppearsNonConstant/Test.java b/java/ql/test/query-tests/ConstantExpAppearsNonConstant/Test.java index 57c8fe55f15e..344fe39d603f 100644 --- a/java/ql/test/query-tests/ConstantExpAppearsNonConstant/Test.java +++ b/java/ql/test/query-tests/ConstantExpAppearsNonConstant/Test.java 
@@ -15,27 +15,27 @@ public void tester(){ int mul_constant_left = 0 * 60 * 60 * 24; //OK int mul_constant_right = 60 * 60 * 24 * 0; //OK int mul_is_not_constant = rnd.nextInt() * 1; //OK - int mul_is_constant_int_left = (0+0) * rnd.nextInt(); //NOT OK - int mul_is_constant_int_right = rnd.nextInt() * (1-1); //NOT OK - long mul_is_constant_hex = rnd.nextLong() * (0x0F & 0xF0); //NOT OK - long mul_is_constant_binary = rnd.nextLong() * (0b010101 & 0b101010); //NOT OK + int mul_is_constant_int_left = (0+0) * rnd.nextInt(); // $ Alert //NOT OK + int mul_is_constant_int_right = rnd.nextInt() * (1-1); // $ Alert //NOT OK + long mul_is_constant_hex = rnd.nextLong() * (0x0F & 0xF0); // $ Alert //NOT OK + long mul_is_constant_binary = rnd.nextLong() * (0b010101 & 0b101010); // $ Alert //NOT OK int mul_explicit_zero = rnd.nextInt() * 0; //OK (deliberate zero multiplication) //Remainder by 1 int rem_not_constant = 42 % 6; //OK int rem_constant = 60 % 1; //OK int rem_is_not_constant = rnd.nextInt() % 2; //OK - int rem_is_constant_int = rnd.nextInt() % 1; //NOT OK + int rem_is_constant_int = rnd.nextInt() % 1; // $ Alert //NOT OK double rem_is_constant_float = rnd.nextDouble() % 1; //OK (remainder by 1 on floats is not constant) - long rem_is_constant_hex = rnd.nextLong() % 0x1; //NOT OK - long rem_is_constant_binary = rnd.nextLong() % 01; //NOT OK + long rem_is_constant_hex = rnd.nextLong() % 0x1; // $ Alert //NOT OK + long rem_is_constant_binary = rnd.nextLong() % 01; // $ Alert //NOT OK //Bitwise 'and' by 0 int band_not_constant = 42 & 6; //OK int band_appears_constant_left = 0 & 60; //OK int band_appears_constant_right = 24 & 0; //OK int band_is_not_constant = rnd.nextInt() & 5; //OK - int band_is_constant_left = 0 & rnd.nextInt(); //NOT OK - int band_is_constant_right = rnd.nextInt() & 0; //NOT OK + int band_is_constant_left = 0 & rnd.nextInt(); // $ Alert //NOT OK + int band_is_constant_right = rnd.nextInt() & 0; // $ Alert //NOT OK //Logical 'and' by false boolean 
and_not_constant = true && true; //OK @@ -50,7 +50,7 @@ public void tester(){ boolean or_appears_constant_left = true || false; //OK boolean or_appears_constant_right = false || true; //OK boolean or_is_not_constant = (rnd.nextInt() > 0) || false; //OK - boolean or_is_constant_left = true || (rnd.nextInt() > 0); //NOT OK - boolean or_is_constant_right = (rnd.nextInt() > 0) || true; //NOT OK + boolean or_is_constant_left = true || (rnd.nextInt() > 0); // $ Alert //NOT OK + boolean or_is_constant_right = (rnd.nextInt() > 0) || true; // $ Alert //NOT OK } } diff --git a/java/ql/test/query-tests/ConstantLoopCondition/A.java b/java/ql/test/query-tests/ConstantLoopCondition/A.java index 444954476dab..e837b69ea1e3 100644 --- a/java/ql/test/query-tests/ConstantLoopCondition/A.java +++ b/java/ql/test/query-tests/ConstantLoopCondition/A.java @@ -5,14 +5,14 @@ class A { void f(int initx) { boolean done = false; - while(!done) { // BAD: main loop condition is constant in the loop + while(!done) { // $ Alert // BAD: main loop condition is constant in the loop if (otherCond()) break; } int x = initx * 2; int i = 0; for(x++; ; i++) { - if (x > 5 && otherCond()) { // BAD: x>5 is constant in the loop and guards all exits + if (x > 5 && otherCond()) { // $ Alert // BAD: x>5 is constant in the loop and guards all exits if (i > 3) break; if (otherCond()) return; } @@ -26,14 +26,14 @@ void f(int initx) { i++; } - for(int j = 0; j < 2 * initx; i++) { // BAD: j 0) { // OK: loop used as an if-statement break; } - while (cond) { // BAD: read of final field + while (cond) { // $ Alert // BAD: read of final field i++; } } diff --git a/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.qlref b/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.qlref index 37e6a9b72fe5..f7081322f7dc 100644 --- a/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.qlref +++ b/java/ql/test/query-tests/ConstantLoopCondition/ConstantLoopCondition.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Termination/ConstantLoopCondition.ql +query: Likely Bugs/Termination/ConstantLoopCondition.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref b/java/ql/test/query-tests/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref index a9ea71f7f28a..8d1915fd56a8 100644 --- a/java/ql/test/query-tests/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref +++ b/java/ql/test/query-tests/ContainerSizeCmpZero/ContainerSizeCmpZero.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ContainerSizeCmpZero.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/ContainerSizeCmpZero.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ContainerSizeCmpZero/Main.java b/java/ql/test/query-tests/ContainerSizeCmpZero/Main.java index 8176177561ad..518e5074fc30 100644 --- a/java/ql/test/query-tests/ContainerSizeCmpZero/Main.java +++ b/java/ql/test/query-tests/ContainerSizeCmpZero/Main.java @@ -5,22 +5,22 @@ public class Main { public static void arrays(String[] args) { // NOT OK: always true - if (args.length >= 0) { + if (args.length >= 0) { // $ Alert System.out.println("At least zero arguments!!"); } // NOT OK: always true - if (0 <= args.length) { + if (0 <= args.length) { // $ Alert System.out.println("At least zero arguments!!"); } // NOT OK: always false - if (args.length < 0) { + if (args.length < 0) { // $ Alert System.out.println("At least zero arguments!!"); } // NOT OK: always false - if (0 > args.length) { + if (0 > args.length) { // $ Alert System.out.println("At least zero arguments!!"); } 
@@ -51,12 +51,12 @@ public static void containers(ArrayList xs, Boolean b; // NOT OK - b = xs.size() >= 0; - b = 0 <= xs.size(); - b = 0 <= ys.size(); + b = xs.size() >= 0; // $ Alert + b = 0 <= xs.size(); // $ Alert + b = 0 <= ys.size(); // $ Alert - b = xs.size() < 0; - b = 0 > ys.size(); + b = xs.size() < 0; // $ Alert + b = 0 > ys.size(); // $ Alert // OK b = xs.size() >= -1; @@ -80,24 +80,24 @@ public static void nestedContainers(Vector> xs) { Boolean b; // NOT OK - b = xs.size() >= 0; - b = xs.size() < 0; + b = xs.size() >= 0; // $ Alert + b = xs.size() < 0; // $ Alert // NOT OK - b = xs.get(0).size() >= 0; + b = xs.get(0).size() >= 0; // $ Alert // NOT OK - b = xs.get(0).get(0).length() >= 0; + b = xs.get(0).get(0).length() >= 0; // $ Alert } public static void mapTests(TreeMap xs) { Boolean b; // NOT OK: Always true - b = xs.size() >= 0; + b = xs.size() >= 0; // $ Alert // NOT OK: Always true - b = 0 <= xs.size(); + b = 0 <= xs.size(); // $ Alert // OK: can be false b = xs.size() >= -1; @@ -110,9 +110,9 @@ public static void rawTypes(Set s, ArrayList a, HashMap m) { Boolean b; // NOT OK - b = s.size() >= 0; - b = a.size() >= 0; - b = 0 <= m.size(); + b = s.size() >= 0; // $ Alert + b = a.size() >= 0; // $ Alert + b = 0 <= m.size(); // $ Alert } } diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/A.java b/java/ql/test/query-tests/ContinueInFalseLoop/A.java index 51f381b94c8a..99a749d6726c 100644 --- a/java/ql/test/query-tests/ContinueInFalseLoop/A.java +++ b/java/ql/test/query-tests/ContinueInFalseLoop/A.java @@ -11,7 +11,7 @@ void test1(int x, Cond c) { do { if (c.cond()) - continue; // BAD + continue; // $ Alert // BAD if (c.cond()) break; } while (false); @@ -51,7 +51,7 @@ void test1(int x, Cond c) { do { do { if (c.cond()) - continue; // BAD + continue; // $ Alert // BAD if (c.cond()) break; } while (false); 
@@ -76,7 +76,7 @@ void test1(int x, Cond c) { default: // do [2] // break out of the loop entirely, skipping [3] - continue; // BAD; labelled break is better + continue; // $ Alert // BAD; labelled break is better }; // do [3] } while (false); diff --git a/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.qlref b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.qlref index 525b40f84090..3fa3e5142294 100644 --- a/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.qlref +++ b/java/ql/test/query-tests/ContinueInFalseLoop/ContinueInFalseLoop.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/ContinueInFalseLoop.ql +query: Likely Bugs/Statements/ContinueInFalseLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ContradictoryTypeChecks/ContradictoryTypeChecks.qlref b/java/ql/test/query-tests/ContradictoryTypeChecks/ContradictoryTypeChecks.qlref index 0744f656bdb9..ecec142d9ed3 100644 --- a/java/ql/test/query-tests/ContradictoryTypeChecks/ContradictoryTypeChecks.qlref +++ b/java/ql/test/query-tests/ContradictoryTypeChecks/ContradictoryTypeChecks.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql \ No newline at end of file +query: Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ContradictoryTypeChecks/Test.java b/java/ql/test/query-tests/ContradictoryTypeChecks/Test.java index 258b6ce87a28..25b44158fdb9 100644 --- a/java/ql/test/query-tests/ContradictoryTypeChecks/Test.java +++ b/java/ql/test/query-tests/ContradictoryTypeChecks/Test.java 
@@ -7,31 +7,31 @@ static class Sub2 extends Super {} void foo(Super lhs, Super rhs) { if (lhs instanceof Sub1) ; else if (rhs instanceof Sub1) - if ((lhs instanceof Sub1) || (lhs instanceof Sub2)); + if ((lhs instanceof Sub1) || (lhs instanceof Sub2)); // $ Alert } void bar(Super x) { if (x instanceof Super); - else if (x instanceof Sub1); + else if (x instanceof Sub1); // $ Alert } // modeled after results on Apache Lucene void baz(Super x, Super y) { if (x instanceof Sub1); - else if (x instanceof Sub1); + else if (x instanceof Sub1); // $ Alert } // NOT OK void w(Super x) { if (x instanceof Sub2 || x instanceof Super); - else if (x instanceof Sub1); + else if (x instanceof Sub1); // $ Alert } // modeled after result on WildFly @Override public boolean equals(Object object) { if ((object != null) && !(object instanceof Test)) { - Test value = (Test) object; + Test value = (Test) object; // $ Alert return (this.hashCode() == value.hashCode()) && super.equals(object); } return super.equals(object); @@ -40,7 +40,7 @@ public boolean equals(Object object) { // NOT OK Sub1 m(Super o) { if (!(o instanceof Sub1)) - return (Sub1)o; + return (Sub1)o; // $ Alert return null; } diff --git a/java/ql/test/query-tests/DeadCode/DeadRefTypes/DeadRefTypes.qlref b/java/ql/test/query-tests/DeadCode/DeadRefTypes/DeadRefTypes.qlref index e4f2d8791493..e8f47f2d6828 100644 --- a/java/ql/test/query-tests/DeadCode/DeadRefTypes/DeadRefTypes.qlref +++ b/java/ql/test/query-tests/DeadCode/DeadRefTypes/DeadRefTypes.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Dead Code/DeadRefTypes.ql +query: Violations of Best Practice/Dead Code/DeadRefTypes.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/DeadCode/DeadRefTypes/UnusedClass.java b/java/ql/test/query-tests/DeadCode/DeadRefTypes/UnusedClass.java index 4c0d27118a32..f6696b8296a0 100644 --- a/java/ql/test/query-tests/DeadCode/DeadRefTypes/UnusedClass.java 
+++ b/java/ql/test/query-tests/DeadCode/DeadRefTypes/UnusedClass.java
@@ -1 +1 @@
-class UnusedClass {}
+class UnusedClass {} // $ Alert
diff --git a/java/ql/test/query-tests/DeadCode/NonAssignedFields/NonAssignedFields.qlref b/java/ql/test/query-tests/DeadCode/NonAssignedFields/NonAssignedFields.qlref
index 79031c31ddb6..ea15ad036eb8 100644
--- a/java/ql/test/query-tests/DeadCode/NonAssignedFields/NonAssignedFields.qlref
+++ b/java/ql/test/query-tests/DeadCode/NonAssignedFields/NonAssignedFields.qlref
@@ -1 +1,2 @@
-Violations of Best Practice/Dead Code/NonAssignedFields.ql
\ No newline at end of file
+query: Violations of Best Practice/Dead Code/NonAssignedFields.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref b/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref
index d726e7e08496..b94832ebfca9 100644
--- a/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref
+++ b/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref
@@ -1 +1,2 @@
-DeadCode/DeadClass.ql
+query: DeadCode/DeadClass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref b/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref
index 76204a1df5a4..743a5f157755 100644
--- a/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref
+++ b/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref
@@ -1 +1,2 @@
-DeadCode/DeadMethod.ql
+query: DeadCode/DeadMethod.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java
index f4fabc7d22eb..d2ccfa90e367 100644
--- a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java
+++ b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java
@@ -1,10 +1,10 @@ package com.semmle.camel; /** Dead because it is not referenced in the {@code config.xml} file, or in the Java DSL. */ -public class DeadTarget { +public class DeadTarget { // $ Alert[java/dead-class] public Foo getFoo(Foo foo1) { return new Foo(); } - public static class Foo {} + public static class Foo {} // $ Alert[java/dead-class] } diff --git a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java index 437a4d7b56d7..01baa30e0a9b 100644 --- a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java +++ b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java @@ -5,7 +5,7 @@ public class CustomRouteBuilder extends RouteBuilder { @Override - public void configure() throws Exception { + public void configure() throws Exception { // $ Alert[java/dead-function] from("direct:test") .to("bean:dslToTarget") .bean(DSLBeanTarget.class) diff --git a/java/ql/test/query-tests/Declarations/BreakInSwitchCase.qlref b/java/ql/test/query-tests/Declarations/BreakInSwitchCase.qlref index 463071903e85..ba1066f4fdfd 100644 --- a/java/ql/test/query-tests/Declarations/BreakInSwitchCase.qlref +++ b/java/ql/test/query-tests/Declarations/BreakInSwitchCase.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Declarations/BreakInSwitchCase.ql \ No newline at end of file +query: Violations of Best Practice/Declarations/BreakInSwitchCase.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/Declarations/Test.java b/java/ql/test/query-tests/Declarations/Test.java index 473001a4de4b..d47c8e729049 100644 --- a/java/ql/test/query-tests/Declarations/Test.java +++ b/java/ql/test/query-tests/Declarations/Test.java 
@@ -11,13 +11,13 @@ public static void main(String[] args) { System.out.println("No args"); break; case 1: - case 2: + case 2: // $ Alert System.out.println("1-2 args"); // missing break. case 3: System.out.println("3 or more args"); // fall-through - case 4: + case 4: // $ Alert System.out.println("4 or more args"); if (i > 1) break; diff --git a/java/ql/test/query-tests/DefineEqualsWhenAddingFields/DefineEqualsWhenAddingFields.qlref b/java/ql/test/query-tests/DefineEqualsWhenAddingFields/DefineEqualsWhenAddingFields.qlref index 59ec6309d586..908f133eccb8 100644 --- a/java/ql/test/query-tests/DefineEqualsWhenAddingFields/DefineEqualsWhenAddingFields.qlref +++ b/java/ql/test/query-tests/DefineEqualsWhenAddingFields/DefineEqualsWhenAddingFields.qlref @@ -1,2 +1,2 @@ - -Likely Bugs/Comparison/DefineEqualsWhenAddingFields.ql \ No newline at end of file +query: Likely Bugs/Comparison/DefineEqualsWhenAddingFields.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/DoubleCheckedLocking/A.java b/java/ql/test/query-tests/DoubleCheckedLocking/A.java index 88c7e3172449..c1b119d061aa 100644 --- a/java/ql/test/query-tests/DoubleCheckedLocking/A.java +++ b/java/ql/test/query-tests/DoubleCheckedLocking/A.java @@ -9,11 +9,11 @@ public void setX(int x) { private String s1; public String getString1() { if (s1 == null) { - synchronized(this) { + synchronized(this) { // $ if (s1 == null) { s1 = "string"; // BAD, immutable but read twice outside sync } - } + } // $ Alert[java/unsafe-double-checked-locking] } return s1; } @@ -37,12 +37,12 @@ public String getString2() { public B getter1() { B x = b1; if (x == null) { - synchronized(this) { + synchronized(this) { // $ if ((x = b1) == null) { b1 = new B(); // BAD, not volatile x = b1; } - } + } // $ Alert[java/unsafe-double-checked-locking] } return x; } 
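Review bot: The bare `// $` added on `synchronized(this) {` in getString1 carries no expectation tag, while `Alert[java/unsafe-double-checked-locking]` sits on the closing `}` of the same block; the same pair appears in getter1 and, in a later hunk of this file, in getter5. This looks like an artifact of the automated first pass for an alert whose location spans several lines. If the post-processing query matches an expectation against the line where the result starts (worth confirming against the test output), the tag belongs on the opening line, `synchronized(this) { // $ Alert[java/unsafe-double-checked-locking]`, and the closing `}` needs no comment. Either way the empty `// $` should be removed or filled, so a reader of this concurrency fixture can tell which line the racy-read alert is expected on.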
@@ -67,7 +67,7 @@ public B getter3() { if (b3 == null) { synchronized(this) { if (b3 == null) { - b3 = new B(); + b3 = new B(); // $ Alert[java/unsafe-double-checked-locking-init-order] b3.x = 7; // BAD, post update init } } @@ -80,7 +80,7 @@ public B getter4() { if (b4 == null) { synchronized(this) { if (b4 == null) { - b4 = new B(); + b4 = new B(); // $ Alert[java/unsafe-double-checked-locking-init-order] b4.setX(7); // BAD, post update init } } @@ -98,12 +98,12 @@ public FinalHelper(T x) { private FinalHelper b5; public B getter5() { if (b5 == null) { - synchronized(this) { + synchronized(this) { // $ if (b5 == null) { B b = new B(); b5 = new FinalHelper(b); // BAD, racy read on b5 outside synchronized-block } - } + } // $ Alert[java/unsafe-double-checked-locking] } return b5.x; // Potential NPE here, as the two b5 reads may be reordered } diff --git a/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.qlref b/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.qlref index dba6bdc14231..e5349f614ddb 100644 --- a/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.qlref +++ b/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLocking.qlref @@ -1 +1,2 @@ -Likely Bugs/Concurrency/DoubleCheckedLocking.ql +query: Likely Bugs/Concurrency/DoubleCheckedLocking.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLockingWithInitRace.qlref b/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLockingWithInitRace.qlref index eaa2a16d2383..f38033e08314 100644 --- a/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLockingWithInitRace.qlref +++ b/java/ql/test/query-tests/DoubleCheckedLocking/DoubleCheckedLockingWithInitRace.qlref @@ -1 +1,2 @@ -Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql +query: Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/EqualsArray/EqualsArray.qlref b/java/ql/test/query-tests/EqualsArray/EqualsArray.qlref index 0e55e19bea4a..7bd191ec639d 100644 --- a/java/ql/test/query-tests/EqualsArray/EqualsArray.qlref +++ b/java/ql/test/query-tests/EqualsArray/EqualsArray.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/EqualsArray.ql \ No newline at end of file +query: Likely Bugs/Comparison/EqualsArray.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/EqualsArray/Test.java b/java/ql/test/query-tests/EqualsArray/Test.java index f6bf536c4b11..f1870b15ddf5 100644 --- a/java/ql/test/query-tests/EqualsArray/Test.java +++ b/java/ql/test/query-tests/EqualsArray/Test.java @@ -3,7 +3,7 @@ public class Test { // NOT OK public boolean areTheseMyNumbers(int[] numbers) { - return this.numbers.equals(numbers); + return this.numbers.equals(numbers); // $ Alert } // OK @@ -17,6 +17,6 @@ public boolean incomparable(String s) { } { - numbers.hashCode(); + numbers.hashCode(); // $ Alert } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/EqualsUsesInstanceOf/EqualsUsesInstanceOf.qlref b/java/ql/test/query-tests/EqualsUsesInstanceOf/EqualsUsesInstanceOf.qlref index 5fb552f91da2..b9031f10aa66 100644 --- a/java/ql/test/query-tests/EqualsUsesInstanceOf/EqualsUsesInstanceOf.qlref +++ b/java/ql/test/query-tests/EqualsUsesInstanceOf/EqualsUsesInstanceOf.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/EqualsUsesInstanceOf.ql \ No newline at end of file +query: Likely Bugs/Comparison/EqualsUsesInstanceOf.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.qlref b/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.qlref index 6452bb942d29..e47d860dcc2c 100644 --- a/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.qlref +++ b/java/ql/test/query-tests/ExposeRepresentation/ExposeRepresentation.qlref 
@@ -1 +1,2 @@ -Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql +query: Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ExposeRepresentation/ExposesRep.java b/java/ql/test/query-tests/ExposeRepresentation/ExposesRep.java index 11cf44567889..3949467e2496 100644 --- a/java/ql/test/query-tests/ExposeRepresentation/ExposesRep.java +++ b/java/ql/test/query-tests/ExposeRepresentation/ExposesRep.java @@ -8,17 +8,17 @@ public ExposesRep() { strings = new String[1]; } - public String[] getStrings() { return strings; } + public String[] getStrings() { return strings; } // $ Alert - public Map getStringMap() { + public Map getStringMap() { // $ Alert return stringMap; } - public void setStrings(String[] ss) { + public void setStrings(String[] ss) { // $ Alert this.strings = ss; } - public void setStringMap(Map m) { + public void setStringMap(Map m) { // $ Alert this.stringMap = m; } } @@ -26,5 +26,5 @@ public void setStringMap(Map m) { class GenericExposesRep { private T[] array; - public T[] getArray() { return array; } + public T[] getArray() { return array; } // $ Alert } diff --git a/java/ql/test/query-tests/Finally/Finally.java b/java/ql/test/query-tests/Finally/Finally.java index 536dc1df65f8..7baffe907b4e 100644 --- a/java/ql/test/query-tests/Finally/Finally.java +++ b/java/ql/test/query-tests/Finally/Finally.java @@ -3,7 +3,7 @@ class InFinally { void returnVoidInFinally() { try { } finally { - return; + return; // $ Alert } } @@ -14,7 +14,7 @@ int returnIntInFinally(boolean b1, boolean b2) { } } finally { if (b2) { - return 5; + return 5; // $ Alert } } return 3; @@ -27,7 +27,7 @@ int throwInFinally(boolean b1, boolean b2) { } } finally { if (b2) { - throw new RuntimeException("Foo 2"); + throw new RuntimeException("Foo 2"); // $ Alert } } throw new RuntimeException("Foo 3"); 
@@ -60,7 +60,7 @@ void breakInFinally(boolean b) { } } finally { if(b) { - break; + break; // $ Alert } } } @@ -74,7 +74,7 @@ void breakInFinally(boolean b) { } } finally { if(b) { - break; + break; // $ Alert } } } @@ -108,7 +108,7 @@ void continueInFinally(boolean b) { } } finally { if(b) { - continue; + continue; // $ Alert } } } @@ -122,7 +122,7 @@ void continueInFinally(boolean b) { } } finally { if(b) { - continue; + continue; // $ Alert } } } diff --git a/java/ql/test/query-tests/Finally/FinallyMayNotComplete.qlref b/java/ql/test/query-tests/Finally/FinallyMayNotComplete.qlref index d15679d0dc95..18b98edef023 100644 --- a/java/ql/test/query-tests/Finally/FinallyMayNotComplete.qlref +++ b/java/ql/test/query-tests/Finally/FinallyMayNotComplete.qlref @@ -1 +1,2 @@ -Violations of Best Practice/legacy/FinallyMayNotComplete.ql +query: Violations of Best Practice/legacy/FinallyMayNotComplete.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/HashedButNoHash/HashedButNoHash.qlref b/java/ql/test/query-tests/HashedButNoHash/HashedButNoHash.qlref index 22dcbc4be816..2dc8d0a91973 100644 --- a/java/ql/test/query-tests/HashedButNoHash/HashedButNoHash.qlref +++ b/java/ql/test/query-tests/HashedButNoHash/HashedButNoHash.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/HashedButNoHash.ql \ No newline at end of file +query: Likely Bugs/Comparison/HashedButNoHash.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/HashedButNoHash/Test.java b/java/ql/test/query-tests/HashedButNoHash/Test.java index fa3e3851bbce..b8d63affe78a 100644 --- a/java/ql/test/query-tests/HashedButNoHash/Test.java +++ b/java/ql/test/query-tests/HashedButNoHash/Test.java @@ -7,7 +7,7 @@ class Test { A a = new A(); map.put(a, "value"); HashMap map2 = new HashMap<>(); - map2.put(a, "value"); + map2.put(a, "value"); // $ Alert } } 
diff --git a/java/ql/test/query-tests/IgnoreExceptionalReturn/IgnoreExceptionalReturn.qlref b/java/ql/test/query-tests/IgnoreExceptionalReturn/IgnoreExceptionalReturn.qlref index a324dbc8ebfb..f359a3dfd3e2 100644 --- a/java/ql/test/query-tests/IgnoreExceptionalReturn/IgnoreExceptionalReturn.qlref +++ b/java/ql/test/query-tests/IgnoreExceptionalReturn/IgnoreExceptionalReturn.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Exception Handling/IgnoreExceptionalReturn.ql +query: Violations of Best Practice/Exception Handling/IgnoreExceptionalReturn.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/IgnoreExceptionalReturn/Test.java b/java/ql/test/query-tests/IgnoreExceptionalReturn/Test.java index 68f647ad4749..9f16604b33a4 100644 --- a/java/ql/test/query-tests/IgnoreExceptionalReturn/Test.java +++ b/java/ql/test/query-tests/IgnoreExceptionalReturn/Test.java @@ -2,13 +2,13 @@ public class Test { public static void main(String[] args) throws IOException { - new File("foo").createNewFile(); + new File("foo").createNewFile(); // $ Alert new File("foo").delete(); // Don't flag: there's usually nothing to do - new File("foo").mkdir(); + new File("foo").mkdir(); // $ Alert new File("foo").mkdirs(); // Don't flag: the return value is uninformative/misleading - new File("foo").renameTo(new File("bar")); - new File("foo").setLastModified(0L); - new File("foo").setReadOnly(); - new File("foo").setWritable(true); + new File("foo").renameTo(new File("bar")); // $ Alert + new File("foo").setLastModified(0L); // $ Alert + new File("foo").setReadOnly(); // $ Alert + new File("foo").setWritable(true); // $ Alert } } diff --git a/java/ql/test/query-tests/ImpossibleCast/ImpossibleCast.qlref b/java/ql/test/query-tests/ImpossibleCast/ImpossibleCast.qlref index f39a2841d29e..076c1c077fca 100644 --- a/java/ql/test/query-tests/ImpossibleCast/ImpossibleCast.qlref +++ b/java/ql/test/query-tests/ImpossibleCast/ImpossibleCast.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Statements/ImpossibleCast.ql \ No newline at end of file +query: Likely Bugs/Statements/ImpossibleCast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ImpossibleCast/impossible_cast/A.java b/java/ql/test/query-tests/ImpossibleCast/impossible_cast/A.java index c7ed31926b30..05b4e5734e8a 100644 --- a/java/ql/test/query-tests/ImpossibleCast/impossible_cast/A.java +++ b/java/ql/test/query-tests/ImpossibleCast/impossible_cast/A.java @@ -3,6 +3,6 @@ import java.io.Serializable; public class A { - { String[] s = (String[])new Object[] { "Hello, world!" }; } - { Serializable[] ss = (Object[][])new Serializable[] {}; } + { String[] s = (String[])new Object[] { "Hello, world!" }; } // $ Alert + { Serializable[] ss = (Object[][])new Serializable[] {}; } // $ Alert } diff --git a/java/ql/test/query-tests/InconsistentEqualsHashCode/InconsistentEqualsHashCode.qlref b/java/ql/test/query-tests/InconsistentEqualsHashCode/InconsistentEqualsHashCode.qlref index f97a899d8874..bdda86a66627 100644 --- a/java/ql/test/query-tests/InconsistentEqualsHashCode/InconsistentEqualsHashCode.qlref +++ b/java/ql/test/query-tests/InconsistentEqualsHashCode/InconsistentEqualsHashCode.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/InconsistentEqualsHashCode.ql \ No newline at end of file +query: Likely Bugs/Comparison/InconsistentEqualsHashCode.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/InconsistentEqualsHashCode/Test.java b/java/ql/test/query-tests/InconsistentEqualsHashCode/Test.java index f4bbb3bcbce3..fce1665accb5 100644 --- a/java/ql/test/query-tests/InconsistentEqualsHashCode/Test.java +++ b/java/ql/test/query-tests/InconsistentEqualsHashCode/Test.java 
@@ -16,14 +16,14 @@ public int hashCode() { } } -class NoEquals extends Super { +class NoEquals extends Super { // $ Alert // BAD public int hashCode() { return myInt+1; } } -class NoHashCode extends Super { +class NoHashCode extends Super { // $ Alert // BAD public boolean equals(Object other) { return true; @@ -37,4 +37,4 @@ class RefiningEquals extends Super { public boolean equals(Object other) { return (super.equals(other) && myLong == ((RefiningEquals)other).myLong); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/InconsistentOperations/InconsistentCallOnResult.qlref b/java/ql/test/query-tests/InconsistentOperations/InconsistentCallOnResult.qlref index b1457baff9aa..b0ed2b68915b 100644 --- a/java/ql/test/query-tests/InconsistentOperations/InconsistentCallOnResult.qlref +++ b/java/ql/test/query-tests/InconsistentOperations/InconsistentCallOnResult.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/InconsistentCallOnResult.ql \ No newline at end of file +query: Likely Bugs/Statements/InconsistentCallOnResult.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/InconsistentOperations/Operations.java b/java/ql/test/query-tests/InconsistentOperations/Operations.java index 1667ac5fcccc..a91ec212a10c 100644 --- a/java/ql/test/query-tests/InconsistentOperations/Operations.java +++ b/java/ql/test/query-tests/InconsistentOperations/Operations.java @@ -36,7 +36,7 @@ public void missingClose() { { Operations ops = open(); if (ops.isOpen()) ops.close(); } { Operations ops = open(); if (ops.isOpen()) ops.close(); } { Operations ops = open(); if (ops.isOpen()) ops.close(); } - { Operations ops = open(); if (ops.isOpen()) ops.open(); } + { Operations ops = open(); if (ops.isOpen()) ops.open(); } // $ Alert[java/inconsistent-call-on-result] } public void missingAdd() { 
@@ -83,7 +83,7 @@ public void missingUse() { System.out.println(this.toString()); System.out.println(this.toString()); System.out.println(this.toString()); - this.toString(); + this.toString(); // $ Alert[java/return-value-ignored] } public void designedForChaining() { diff --git a/java/ql/test/query-tests/InconsistentOperations/ReturnValueIgnored.qlref b/java/ql/test/query-tests/InconsistentOperations/ReturnValueIgnored.qlref index ef1dc964d955..ab13392ec553 100644 --- a/java/ql/test/query-tests/InconsistentOperations/ReturnValueIgnored.qlref +++ b/java/ql/test/query-tests/InconsistentOperations/ReturnValueIgnored.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/ReturnValueIgnored.ql \ No newline at end of file +query: Likely Bugs/Statements/ReturnValueIgnored.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/InconsistentOperations/Test2.java b/java/ql/test/query-tests/InconsistentOperations/Test2.java index c325179b863f..6d74fd883fc2 100644 --- a/java/ql/test/query-tests/InconsistentOperations/Test2.java +++ b/java/ql/test/query-tests/InconsistentOperations/Test2.java @@ -12,6 +12,6 @@ void test() { { A a = foo(); a.bar(); } { A a = foo(); a.bar(); } { A a = foo(); a.bar(); } - { A a = foo(); /* no a.bar();*/ } // NOT OK + { A a = foo(); /* no a.bar();*/ } // $ Alert[java/inconsistent-call-on-result] // NOT OK } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/InconsistentOperations/Test3.java b/java/ql/test/query-tests/InconsistentOperations/Test3.java index 70c28029de95..9600179fe6d9 100644 --- a/java/ql/test/query-tests/InconsistentOperations/Test3.java +++ b/java/ql/test/query-tests/InconsistentOperations/Test3.java @@ -14,5 +14,5 @@ void test() { { A a = foo(); a.bar(); } } - { A a = foo(); /* no a.bar();*/ } // NOT OK -} \ No newline at end of file + { A a = foo(); /* no a.bar();*/ } // $ Alert[java/inconsistent-call-on-result] // NOT OK +} 
diff --git a/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStream.qlref b/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStream.qlref index 1ae3a25fd23a..92c449318696 100644 --- a/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStream.qlref +++ b/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStream.qlref @@ -1 +1,2 @@ -Performance/InefficientOutputStream.ql \ No newline at end of file +query: Performance/InefficientOutputStream.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStreamBad.java b/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStreamBad.java index f1d17f31aa9b..fda83c34964d 100644 --- a/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStreamBad.java +++ b/java/ql/test/query-tests/InefficientOutputStream/InefficientOutputStreamBad.java @@ -2,7 +2,7 @@ import java.security.*; import java.util.*; -public class InefficientOutputStreamBad extends OutputStream { +public class InefficientOutputStreamBad extends OutputStream { // $ Alert private DigestOutputStream digest; private byte[] expectedMD5; diff --git a/java/ql/test/query-tests/InnerClassCouldBeStatic/Classes.java b/java/ql/test/query-tests/InnerClassCouldBeStatic/Classes.java index 38ef4d358db1..03932830d58d 100644 --- a/java/ql/test/query-tests/InnerClassCouldBeStatic/Classes.java +++ b/java/ql/test/query-tests/InnerClassCouldBeStatic/Classes.java 
@@ -12,19 +12,19 @@ private static class Static { } /** Could be static. */ - private class MaybeStatic { + private class MaybeStatic { // $ Alert } /** Only accesses enclosing instance in constructor. */ - private class MaybeStatic1 { + private class MaybeStatic1 { // $ Alert public MaybeStatic1() { System.out.println(foo); } } /** Only accesses enclosing instance in constructor. */ - private class MaybeStatic2 { + private class MaybeStatic2 { // $ Alert public MaybeStatic2() { System.out.println(Classes.this); } @@ -37,7 +37,7 @@ private int bar(Classes c) { /** * Supertype could be static, and no enclosing instance accesses. */ - private class MaybeStatic3 extends MaybeStatic2 { + private class MaybeStatic3 extends MaybeStatic2 { // $ Alert public void foo(int i) { staticFoo = i; } } @@ -47,7 +47,7 @@ public void foo(int i) {} /** Nested and extending classes that can be static; using enclosing * state only in constructor. */ - public class MaybeStatic4 extends Static { + public class MaybeStatic4 extends Static { // $ Alert MaybeStatic4() { System.out.println(staticFoo); } @@ -57,19 +57,19 @@ public class MaybeStatic4 extends Static { /** * Access to bar() is through inheritance, not enclosing state. */ - private class MaybeStatic5 extends Classes { + private class MaybeStatic5 extends Classes { // $ Alert public void doit() { System.out.println(bar()); } } - private class MaybeStatic6 { + private class MaybeStatic6 { // $ Alert private final int myFoo = staticFoo; MaybeStatic6() { staticBar(); } } /** A qualified `this` access needn't refer to the enclosing instance. */ - private class MaybeStatic7 { + private class MaybeStatic7 { // $ Alert private void foo() { MaybeStatic7.this.foo(); } } @@ -82,7 +82,7 @@ private void bar() { System.out.println(interfaceFoo); } - class MaybeStatic8 { + class MaybeStatic8 { // $ Alert private void bar() { System.out.println(interfaceFoo); } 
@@ -91,14 +91,14 @@ private void bar() { } /** Accesses implicitly static interface field. */ - public class MaybeStatic9 extends MaybeStatic7 { + public class MaybeStatic9 extends MaybeStatic7 { // $ Alert private void bar() { System.out.println(Interface.interfaceFoo); } } /** A qualified `super` access that doesn't refer to the enclosing scope. */ - class MaybeStatic10 extends Classes { + class MaybeStatic10 extends Classes { // $ Alert private void baz() { System.out.println(MaybeStatic10.super.getClass()); } @@ -108,7 +108,7 @@ static class A { interface B { class ThisIsStatic { final int outer = 0; - class MaybeStaticToo { + class MaybeStaticToo { // $ Alert final int a = 0; } class MayNotBeStatic { @@ -130,7 +130,7 @@ class NeitherIsThis { enum E { A; - class NotStaticButCouldBe {} + class NotStaticButCouldBe {} // $ Alert } /** @@ -187,9 +187,9 @@ private void baz() { } /** Could be static. */ - private class SadlyNotStatic { + private class SadlyNotStatic { // $ Alert /** Could be static, provided the enclosing class is made static. */ - private class SadlyNotStaticToo { + private class SadlyNotStaticToo { // $ Alert } } @@ -203,26 +203,26 @@ private class NotStatic8 { } } - private class MaybeStatic11 { + private class MaybeStatic11 { // $ Alert { new MaybeStatic11(); } } - private class MaybeStatic12 { + private class MaybeStatic12 { // $ Alert { new Classes().new NotStatic(); } } - private class MaybeStatic13 { + private class MaybeStatic13 { // $ Alert { new Static(); } } - class CouldBeStatic { + class CouldBeStatic { // $ Alert { new Object() { class CannotBeStatic { } }; } - class CouldBeStatic2 { + class CouldBeStatic2 { // $ Alert int i; class NotStatic { { @@ -252,7 +252,7 @@ class CannotBeStatic3 { } /** Has an inner anonymous class with a field initializer accessing a member of this class. */ - class CouldBeStatic3 { + class CouldBeStatic3 { // $ Alert int j; { new Object() { 
diff --git a/java/ql/test/query-tests/InnerClassCouldBeStatic/InnerClassCouldBeStatic.qlref b/java/ql/test/query-tests/InnerClassCouldBeStatic/InnerClassCouldBeStatic.qlref index 3d3b54446096..68cb3e6761ed 100644 --- a/java/ql/test/query-tests/InnerClassCouldBeStatic/InnerClassCouldBeStatic.qlref +++ b/java/ql/test/query-tests/InnerClassCouldBeStatic/InnerClassCouldBeStatic.qlref @@ -1 +1,2 @@ -Performance/InnerClassCouldBeStatic.ql \ No newline at end of file +query: Performance/InnerClassCouldBeStatic.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/InnerClassCouldBeStatic/Test.java b/java/ql/test/query-tests/InnerClassCouldBeStatic/Test.java index 41926a6e2300..92d39471a13b 100644 --- a/java/ql/test/query-tests/InnerClassCouldBeStatic/Test.java +++ b/java/ql/test/query-tests/InnerClassCouldBeStatic/Test.java @@ -2,7 +2,7 @@ class Test { static class Super { public void test() {} } - class Sub extends Super { + class Sub extends Super { // $ Alert public void test2() { test(); } diff --git a/java/ql/test/query-tests/Iterable/IterableIterator.qlref b/java/ql/test/query-tests/Iterable/IterableIterator.qlref index 74c3aa86efad..b21ae41e6408 100644 --- a/java/ql/test/query-tests/Iterable/IterableIterator.qlref +++ b/java/ql/test/query-tests/Iterable/IterableIterator.qlref @@ -1 +1,2 @@ -Language Abuse/IterableIterator.ql +query: Language Abuse/IterableIterator.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/Iterable/Test.java b/java/ql/test/query-tests/Iterable/Test.java index e44f8dd9c28b..7978342a96f7 100644 --- a/java/ql/test/query-tests/Iterable/Test.java +++ b/java/ql/test/query-tests/Iterable/Test.java @@ -9,7 +9,7 @@ void useIterable(Iterable i) { List someStrings; void m() { - useIterable(new Iterable() { + useIterable(new Iterable() { // $ Alert[java/iterable-wraps-iterator] final Iterator i = someStrings.iterator(); // bad @Override 
@@ -72,7 +72,7 @@ public Value next() { public void remove() { } } - protected class ValueIterableBad implements Iterable { + protected class ValueIterableBad implements Iterable { // $ Alert[java/iterable-wraps-iterator] private ValueIterator iterator = new ValueIterator(); // bad @Override public Iterator iterator() { @@ -105,7 +105,7 @@ public Iterator iterator() { } } - class IntIteratorBad implements Iterable, Iterator { + class IntIteratorBad implements Iterable, Iterator { // $ Alert[java/iterator-implements-iterable] private int[] ints; private int idx = 0; IntIteratorBad(int[] ints) { diff --git a/java/ql/test/query-tests/Iterable/WrappedIterator.qlref b/java/ql/test/query-tests/Iterable/WrappedIterator.qlref index c21083fd8185..ce208ed2f8a2 100644 --- a/java/ql/test/query-tests/Iterable/WrappedIterator.qlref +++ b/java/ql/test/query-tests/Iterable/WrappedIterator.qlref @@ -1 +1,2 @@ -Language Abuse/WrappedIterator.ql +query: Language Abuse/WrappedIterator.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/IteratorRemoveMayFail/IteratorRemoveMayFail.qlref b/java/ql/test/query-tests/IteratorRemoveMayFail/IteratorRemoveMayFail.qlref index 614554885fee..3a9b278a015d 100644 --- a/java/ql/test/query-tests/IteratorRemoveMayFail/IteratorRemoveMayFail.qlref +++ b/java/ql/test/query-tests/IteratorRemoveMayFail/IteratorRemoveMayFail.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/IteratorRemoveMayFail.ql \ No newline at end of file +query: Likely Bugs/Collections/IteratorRemoveMayFail.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/IteratorRemoveMayFail/Test.java b/java/ql/test/query-tests/IteratorRemoveMayFail/Test.java index 3ed2c5633275..f06f8efb22d6 100644 --- a/java/ql/test/query-tests/IteratorRemoveMayFail/Test.java +++ b/java/ql/test/query-tests/IteratorRemoveMayFail/Test.java 
@@ -13,7 +13,7 @@ public static void main(String[] args) { private static void removeOdd(Iterator iter) { while (iter.hasNext()) { if (iter.next()%2 != 0) - iter.remove(); + iter.remove(); // $ Alert } } } @@ -41,7 +41,7 @@ public List getL() { class Parent { public void removeFirst(List l) { - l.iterator().remove(); + l.iterator().remove(); // $ Alert } } @@ -52,4 +52,4 @@ public void test(String... ss) { removeFirst(Arrays.asList(ss)); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java index 7ba8988c38be..9795251ce9a4 100644 --- a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java +++ b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java @@ -6,14 +6,14 @@ class ImpossibleJavadocThrows { /** * - * @throws InterruptedException + * @throws InterruptedException // $ Alert */ public void bad1() { } /** * - * @exception Exception + * @exception Exception // $ Alert */ public void bad2() { } @@ -31,4 +31,4 @@ public void goodDeclared() throws Exception{ */ public void goodUnchecked(){ } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref index 3f604bfc9d10..dc001712b07a 100644 --- a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref +++ b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref @@ -1 +1,2 @@ -Advisory/Documentation/ImpossibleJavadocThrows.ql \ No newline at end of file +query: Advisory/Documentation/ImpossibleJavadocThrows.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/LShiftLargerThanTypeWidth/A.java b/java/ql/test/query-tests/LShiftLargerThanTypeWidth/A.java index a2f1f78506cc..71383afbe5fb 100644 --- a/java/ql/test/query-tests/LShiftLargerThanTypeWidth/A.java 
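Review bot: In ImpossibleJavadocThrows.java the markers on `* @throws InterruptedException // $ Alert` and `* @exception Exception // $ Alert` are placed inside the `/** ... */` block, so they are Javadoc text rather than `//` line comments and become part of the tag content the query under test reads. It is worth confirming that the inline-expectations post-processor recognises a marker embedded in a Javadoc comment and that the query still reports both tags with the extra text present. If either does not hold, restore the original lines (`* @throws InterruptedException`, `* @exception Exception`) and keep this test on its `.expected` file until the framework has a documented form for alerts located inside comments.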
+++ b/java/ql/test/query-tests/LShiftLargerThanTypeWidth/A.java 
@@ -1,51 +1,51 @@ public class A { void test1(byte b, char c, short s, int i, long l) { long b1 = b << 31; // OK - long b2 = b << 32; // BAD - long b3 = b << 33; // BAD - long b4 = b << 64; // BAD + long b2 = b << 32; // $ Alert // BAD + long b3 = b << 33; // $ Alert // BAD + long b4 = b << 64; // $ Alert // BAD long c1 = c << 22; // OK - long c2 = c << 42; // BAD + long c2 = c << 42; // $ Alert // BAD long s1 = s << 22; // OK - long s2 = s << 42; // BAD + long s2 = s << 42; // $ Alert // BAD long i1 = i << 22; // OK - long i2 = i << 32; // BAD - long i3 = i << 42; // BAD - long i4 = i << 64; // BAD - long i5 = i << 65; // BAD + long i2 = i << 32; // $ Alert // BAD + long i3 = i << 42; // $ Alert // BAD + long i4 = i << 64; // $ Alert // BAD + long i5 = i << 65; // $ Alert // BAD long l1 = l << 22; // OK long l2 = l << 32; // OK long l3 = l << 42; // OK - long l4 = l << 64; // BAD - long l5 = l << 65; // BAD + long l4 = l << 64; // $ Alert // BAD + long l5 = l << 65; // $ Alert // BAD } void test2(Byte b, Character c, Short s, Integer i, Long l) { long b1 = b << 31; // OK - long b2 = b << 32; // BAD - long b3 = b << 33; // BAD - long b4 = b << 64; // BAD + long b2 = b << 32; // $ Alert // BAD + long b3 = b << 33; // $ Alert // BAD + long b4 = b << 64; // $ Alert // BAD long c1 = c << 22; // OK - long c2 = c << 42; // BAD + long c2 = c << 42; // $ Alert // BAD long s1 = s << 22; // OK - long s2 = s << 42; // BAD + long s2 = s << 42; // $ Alert // BAD long i1 = i << 22; // OK - long i2 = i << 32; // BAD - long i3 = i << 42; // BAD - long i4 = i << 64; // BAD - long i5 = i << 65; // BAD + long i2 = i << 32; // $ Alert // BAD + long i3 = i << 42; // $ Alert // BAD + long i4 = i << 64; // $ Alert // BAD + long i5 = i << 65; // $ Alert // BAD long l1 = l << 22; // OK long l2 = l << 32; // OK long l3 = l << 42; // OK - long l4 = l << 64; // BAD - long l5 = l << 65; // BAD + long l4 = l << 64; // $ Alert // BAD + long l5 = l << 65; // $ Alert // BAD } } 
diff --git a/java/ql/test/query-tests/LShiftLargerThanTypeWidth/LShiftLargerThanTypeWidth.qlref b/java/ql/test/query-tests/LShiftLargerThanTypeWidth/LShiftLargerThanTypeWidth.qlref index 5e3fa630b7dc..5f6b62432965 100644 --- a/java/ql/test/query-tests/LShiftLargerThanTypeWidth/LShiftLargerThanTypeWidth.qlref +++ b/java/ql/test/query-tests/LShiftLargerThanTypeWidth/LShiftLargerThanTypeWidth.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/LShiftLargerThanTypeWidth.ql +query: Likely Bugs/Arithmetic/LShiftLargerThanTypeWidth.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/LazyInitStaticField/LazyInitStaticField.qlref b/java/ql/test/query-tests/LazyInitStaticField/LazyInitStaticField.qlref index 3d83072e7012..bba785935e55 100644 --- a/java/ql/test/query-tests/LazyInitStaticField/LazyInitStaticField.qlref +++ b/java/ql/test/query-tests/LazyInitStaticField/LazyInitStaticField.qlref @@ -1 +1,2 @@ -Likely Bugs/Concurrency/LazyInitStaticField.ql \ No newline at end of file +query: Likely Bugs/Concurrency/LazyInitStaticField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/LazyInitStaticField/LazyInits.java b/java/ql/test/query-tests/LazyInitStaticField/LazyInits.java index 08440c20ea35..1faab5c5a5f5 100644 --- a/java/ql/test/query-tests/LazyInitStaticField/LazyInits.java +++ b/java/ql/test/query-tests/LazyInitStaticField/LazyInits.java @@ -95,7 +95,7 @@ public static LazyInits getCorrect8() { private static LazyInits bad1; public static LazyInits getBad1() { if (bad1 == null) - bad1 = new LazyInits(); + bad1 = new LazyInits(); // $ Alert return bad1; } @@ -105,7 +105,7 @@ public static LazyInits getBad2() { if (bad2 == null) { synchronized(bad2) { if (bad2 == null) - bad2 = new LazyInits(); + bad2 = new LazyInits(); // $ Alert } } return bad2; 
@@ -117,7 +117,7 @@ public static LazyInits getBad3() { if (bad3 == null) { synchronized(Object.class) { if (bad3 == null) - bad3 = new LazyInits(); + bad3 = new LazyInits(); // $ Alert } } return bad3; @@ -129,7 +129,7 @@ public static LazyInits getBad4() { if (bad4 == null) { synchronized(LazyInits.class) { if (bad4 == null) - bad4 = new LazyInits(); + bad4 = new LazyInits(); // $ Alert } } return bad4; @@ -141,7 +141,7 @@ public static LazyInits getBad5() { if (bad5 == null) { synchronized(lock) { if (bad5 == null) - bad5 = new LazyInits(); + bad5 = new LazyInits(); // $ Alert } } return bad5; @@ -153,7 +153,7 @@ public static LazyInits getBad6() { if (bad6 == null) { synchronized(badLock) { if (bad6 == null) - bad6 = new LazyInits(); + bad6 = new LazyInits(); // $ Alert } } return bad6; @@ -174,4 +174,4 @@ public static void init() { okLock.unlock(); } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/MissingEnumInSwitch.qlref b/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/MissingEnumInSwitch.qlref index 10f1b3e8be23..74fae365410d 100644 --- a/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/MissingEnumInSwitch.qlref +++ b/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/MissingEnumInSwitch.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/MissingEnumInSwitch.ql +query: Likely Bugs/Statements/MissingEnumInSwitch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/Test.java b/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/Test.java index 2f39918ead4c..ff75940c857c 100644 --- a/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/Test.java +++ b/java/ql/test/query-tests/Likely Bugs/Statements/MissingEnumInSwitch/Test.java 
@@ -5,32 +5,32 @@ private enum MyEnum { } public void use(MyEnum e) { - switch(e) { + switch(e) { // $ Alert case A: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; case D: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; case D: break; case E: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; @@ -53,7 +53,7 @@ public void use(MyEnum e) { case T: break; case U: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; @@ -77,7 +77,7 @@ public void use(MyEnum e) { case U: break; case V: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; @@ -102,7 +102,7 @@ public void use(MyEnum e) { case V: break; case W: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; @@ -128,7 +128,7 @@ public void use(MyEnum e) { case W: break; case X: break; } - switch(e) { + switch(e) { // $ Alert case A: break; case B: break; case C: break; diff --git a/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref b/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref index 8ad93d27f527..4d45b7edd2fb 100644 --- a/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref +++ b/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunity.qlref @@ -1 +1,2 @@ -Language Abuse/MissedTernaryOpportunity.ql \ No newline at end of file +query: Language Abuse/MissedTernaryOpportunity.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunityTest.java b/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunityTest.java index 34dab78f14f0..b463c7ad5453 100644 --- a/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunityTest.java +++ b/java/ql/test/query-tests/MissedTernaryOpportunity/MissedTernaryOpportunityTest.java @@ -3,7 +3,7 @@ public class MissedTernaryOpportunityTest { public static boolean missedOpportunity1(int a){ - if(a == 42) + if(a == 42) // $ Alert return true; else return false; @@ -29,7 +29,7 @@ public static boolean doNotComplain2(int a){ public static boolean missedOpportunity2(int a){ boolean ret; - if(a == 42) + if(a == 42) // $ Alert ret = true; else ret = false; @@ -71,7 +71,7 @@ public static boolean doNotComplain5(int a){ } public static boolean missedOpportunity3(int a){ - if(a == 42) + if(a == 42) // $ Alert return true; else return someOtherFn(a); @@ -130,7 +130,7 @@ public void doNotComplain11(int a){ // same variables, different qualification public void missedOpportunity4(int a){ - if(a > 42) + if(a > 42) // $ Alert memberVar1 = "hey"; else MissedTernaryOpportunityTest.this.memberVar1 = "ho"; @@ -142,7 +142,7 @@ public boolean missedOpportunity5(int a){ System.out.println("something"); return false; }else{ - if(a == 42) + if(a == 42) // $ Alert return true; else return false; @@ -152,7 +152,7 @@ public boolean missedOpportunity5(int a){ // nested if public boolean missedOpportunity6(int a){ if(a > 42){ - if(a == 42) + if(a == 42) // $ Alert return true; else return false; diff --git a/java/ql/test/query-tests/MissingCallToSuperClone/MissingCallToSuperClone.qlref b/java/ql/test/query-tests/MissingCallToSuperClone/MissingCallToSuperClone.qlref index 5e9ed3758eea..3939e6de8f07 100644 --- a/java/ql/test/query-tests/MissingCallToSuperClone/MissingCallToSuperClone.qlref +++ b/java/ql/test/query-tests/MissingCallToSuperClone/MissingCallToSuperClone.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Cloning/MissingCallToSuperClone.ql +query: Likely Bugs/Cloning/MissingCallToSuperClone.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/MissingCallToSuperClone/Test.java b/java/ql/test/query-tests/MissingCallToSuperClone/Test.java index a236543a6953..e0286c379308 100644 --- a/java/ql/test/query-tests/MissingCallToSuperClone/Test.java +++ b/java/ql/test/query-tests/MissingCallToSuperClone/Test.java @@ -7,7 +7,7 @@ public Object clone() throws CloneNotSupportedException { class Sub1 extends IAmAGoodCloneable { public Object clone() throws CloneNotSupportedException { return super.clone(); } } class IAmABadCloneable implements Cloneable { - public Object clone() { + public Object clone() { // $ Alert return null; } } diff --git a/java/ql/test/query-tests/MissingInstanceofInEquals/Bad.java b/java/ql/test/query-tests/MissingInstanceofInEquals/Bad.java index 63cdf14fdddc..0f22d47cab2b 100644 --- a/java/ql/test/query-tests/MissingInstanceofInEquals/Bad.java +++ b/java/ql/test/query-tests/MissingInstanceofInEquals/Bad.java @@ -10,10 +10,10 @@ public int hashCode() { } @Override - public boolean equals(Object obj) { + public boolean equals(Object obj) { // $ Alert Bad other = (Bad) obj; if (data != other.data) return false; return true; } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/MissingInstanceofInEquals/MissingInstanceofInEquals.qlref b/java/ql/test/query-tests/MissingInstanceofInEquals/MissingInstanceofInEquals.qlref index 40038cf027a3..d1a5c7d8130d 100644 --- a/java/ql/test/query-tests/MissingInstanceofInEquals/MissingInstanceofInEquals.qlref +++ b/java/ql/test/query-tests/MissingInstanceofInEquals/MissingInstanceofInEquals.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/MissingInstanceofInEquals.ql \ No newline at end of file +query: Likely Bugs/Comparison/MissingInstanceofInEquals.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/MissingOverrideAnnotation/MissingOverrideAnnotation.qlref b/java/ql/test/query-tests/MissingOverrideAnnotation/MissingOverrideAnnotation.qlref index c74780e7d241..885c1312f9e1 100644 --- a/java/ql/test/query-tests/MissingOverrideAnnotation/MissingOverrideAnnotation.qlref +++ b/java/ql/test/query-tests/MissingOverrideAnnotation/MissingOverrideAnnotation.qlref @@ -1 +1,2 @@ -Advisory/Declarations/MissingOverrideAnnotation.ql \ No newline at end of file +query: Advisory/Declarations/MissingOverrideAnnotation.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/MissingOverrideAnnotation/Test.java b/java/ql/test/query-tests/MissingOverrideAnnotation/Test.java index e74026cf6ef0..cdadb8b7818f 100644 --- a/java/ql/test/query-tests/MissingOverrideAnnotation/Test.java +++ b/java/ql/test/query-tests/MissingOverrideAnnotation/Test.java @@ -15,7 +15,7 @@ public String f() { public class Test extends Super { // NOT OK - int m() { + int m() { // $ Alert return 42; } @@ -32,4 +32,4 @@ public void test() { // OK Arrays.asList(1,2).stream().map(x -> x+1).collect(Collectors.toList()); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/MissingSpaceTypo/A.java b/java/ql/test/query-tests/MissingSpaceTypo/A.java index bf40bbaa27a6..a095d8568d89 100644 --- a/java/ql/test/query-tests/MissingSpaceTypo/A.java +++ b/java/ql/test/query-tests/MissingSpaceTypo/A.java 
@@ -1,20 +1,20 @@ public class A { public void missing() { String s; - s = "this text" + - "is missing a space"; - s = "the class java.util.ArrayList" + - "without a space"; - s = "This isn't" + - "right."; - s = "There's 1" + - "thing wrong"; - s = "There's A/B" + - "and no space"; - s = "Wait for it...." + - "No space!"; - s = "Is there a space?" + - "No!"; + s = "this text" + // $ + "is missing a space"; // $ Alert + s = "the class java.util.ArrayList" + // $ + "without a space"; // $ Alert + s = "This isn't" + // $ + "right."; // $ Alert + s = "There's 1" + // $ + "thing wrong"; // $ Alert + s = "There's A/B" + // $ + "and no space"; // $ Alert + s = "Wait for it...." + // $ + "No space!"; // $ Alert + s = "Is there a space?" + // $ + "No!"; // $ Alert } public void ok() { diff --git a/java/ql/test/query-tests/MissingSpaceTypo/MissingSpaceTypo.qlref b/java/ql/test/query-tests/MissingSpaceTypo/MissingSpaceTypo.qlref index b0ad55262d24..6eb5700aa4eb 100644 --- a/java/ql/test/query-tests/MissingSpaceTypo/MissingSpaceTypo.qlref +++ b/java/ql/test/query-tests/MissingSpaceTypo/MissingSpaceTypo.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/MissingSpaceTypo.ql +query: Likely Bugs/Likely Typos/MissingSpaceTypo.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.qlref b/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.qlref index 26bbcf24bbb8..220dcc04752b 100644 --- a/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.qlref +++ b/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/MissingVoidConstructorsOnSerializable.qlref @@ -1 +1,2 @@ -Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql +query: Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
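Review bot: In `MissingSpaceTypo/A.java` every flagged concatenation gets a bare `// $` on its first line (`s = "this text" + // $`) that carries no tag, while the actual `// $ Alert` sits on the continuation line. The empty marker asserts nothing and looks like a leftover of the automated conversion. I would drop it so the first line reads `s = "this text" +`, and do the same for the other six statements in `missing()`. If it is there because the alert location spans both lines, a short comment saying so would help, since the hunk does not show it.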
diff --git a/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/Test.java b/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/Test.java index f20f5ac8f495..579aa2760707 100644 --- a/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/Test.java +++ b/java/ql/test/query-tests/MissingVoidConstructorsOnSerializable/Test.java @@ -9,7 +9,7 @@ public NonSerializable(int x) { } } // BAD: Serializable but its parent cannot be instantiated -class A extends NonSerializable implements Serializable { +class A extends NonSerializable implements Serializable { // $ Alert public A() { super(1); } } diff --git a/java/ql/test/query-tests/MutualDependency/MutualDependency.qlref b/java/ql/test/query-tests/MutualDependency/MutualDependency.qlref index ab1dbe353ef6..273ed4d757a6 100644 --- a/java/ql/test/query-tests/MutualDependency/MutualDependency.qlref +++ b/java/ql/test/query-tests/MutualDependency/MutualDependency.qlref @@ -1 +1,2 @@ -Architecture/Dependencies/MutualDependency.ql \ No newline at end of file +query: Architecture/Dependencies/MutualDependency.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/MutualDependency/onepackage/MutualDependency.java b/java/ql/test/query-tests/MutualDependency/onepackage/MutualDependency.java index 31188ad5a52e..13225f83869e 100644 --- a/java/ql/test/query-tests/MutualDependency/onepackage/MutualDependency.java +++ b/java/ql/test/query-tests/MutualDependency/onepackage/MutualDependency.java @@ -7,7 +7,7 @@ static class A { static int a = m; } // disallow inter-package dependencies - public static class B { + public static class B { // $ Alert public static int b = otherpackage.OtherClass.c; } } diff --git a/java/ql/test/query-tests/Naming/ConfusingOverloading.qlref b/java/ql/test/query-tests/Naming/ConfusingOverloading.qlref index 4fc71295c2c0..e74bc1b00aa6 100644 --- a/java/ql/test/query-tests/Naming/ConfusingOverloading.qlref 
+++ b/java/ql/test/query-tests/Naming/ConfusingOverloading.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql \ No newline at end of file +query: Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/Naming/NamingTest.java b/java/ql/test/query-tests/Naming/NamingTest.java index e6365ead8ef1..75ee73b4eb7a 100644 --- a/java/ql/test/query-tests/Naming/NamingTest.java +++ b/java/ql/test/query-tests/Naming/NamingTest.java @@ -4,7 +4,7 @@ public class NamingTest { public boolean equals(Object other) { return false; } - public boolean equals(NamingTest other) { return true; } + public boolean equals(NamingTest other) { return true; } // $ Alert public void visit(Object node) {} public void visit(NamingTest t) {} diff --git a/java/ql/test/query-tests/NonPrivateField/NonPrivateField.qlref b/java/ql/test/query-tests/NonPrivateField/NonPrivateField.qlref index 569bf88d8e54..e52cd3fa668b 100644 --- a/java/ql/test/query-tests/NonPrivateField/NonPrivateField.qlref +++ b/java/ql/test/query-tests/NonPrivateField/NonPrivateField.qlref @@ -1 +1,2 @@ -Advisory/Declarations/NonPrivateField.ql +query: Advisory/Declarations/NonPrivateField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/NonPrivateField/NonPrivateFieldTest.java b/java/ql/test/query-tests/NonPrivateField/NonPrivateFieldTest.java index c64af38ee506..a67c6ac7da67 100644 --- a/java/ql/test/query-tests/NonPrivateField/NonPrivateFieldTest.java +++ b/java/ql/test/query-tests/NonPrivateField/NonPrivateFieldTest.java 
@@ -5,15 +5,15 @@ public class NonPrivateFieldTest { public @interface Rule {} // JUnit-like annotation public static class Fields{ - public static String problematic1 = "value"; - public final int problematic2 = 0; - public final int problematic3; - - final int problematic4 = 9; // omitted access descriptor - static int problematic5 = 0; - public int problematic6 = 0; - protected Double problematic7 = 0.0; // protected but not used in derived classes - static int[] problematic8; + public static String problematic1 = "value"; // $ Alert + public final int problematic2 = 0; // $ Alert + public final int problematic3; // $ Alert + + final int problematic4 = 9; // $ Alert // omitted access descriptor + static int problematic5 = 0; // $ Alert + public int problematic6 = 0; // $ Alert + protected Double problematic7 = 0.0; // $ Alert // protected but not used in derived classes + static int[] problematic8; // $ Alert public static final int ok1 = 0; // public static finals are usually fine, even if not accessed by anything from outside public static int ok2 = 0; // foreign write access diff --git a/java/ql/test/query-tests/NonSerializableField/NonSerializableField.qlref b/java/ql/test/query-tests/NonSerializableField/NonSerializableField.qlref index 401d63757af1..1b3b59559be9 100644 --- a/java/ql/test/query-tests/NonSerializableField/NonSerializableField.qlref +++ b/java/ql/test/query-tests/NonSerializableField/NonSerializableField.qlref @@ -1 +1,2 @@ -Likely Bugs/Serialization/NonSerializableField.ql +query: Likely Bugs/Serialization/NonSerializableField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/NonSerializableField/NonSerializableFieldTest.java b/java/ql/test/query-tests/NonSerializableField/NonSerializableFieldTest.java index 48022434c919..71b48e62d78a 100644 --- a/java/ql/test/query-tests/NonSerializableField/NonSerializableFieldTest.java 
+++ b/java/ql/test/query-tests/NonSerializableField/NonSerializableFieldTest.java @@ -22,20 +22,20 @@ public static class SerializableBase implements Serializable{} public static class MyColl extends HashMap{} public static class NotSerializable1 extends SerializableBase{ - NS problematic1; - List problematic2; - Map problematic3; - Map problematic4; - Map> problematic5; - Map problematic6; - List problematic7; - List problematic8; - T problematic9; - List problematic10; - List problematic11; - Map problematic12; - Map> problematic13; - Map problematic14; + NS problematic1; // $ Alert + List problematic2; // $ Alert + Map problematic3; // $ Alert + Map problematic4; // $ Alert + Map> problematic5; // $ Alert + Map problematic6; // $ Alert + List problematic7; // $ Alert + List problematic8; // $ Alert + T problematic9; // $ Alert + List problematic10; // $ Alert + List problematic11; // $ Alert + Map problematic12; // $ Alert + Map> problematic13; // $ Alert + Map problematic14; // $ Alert transient NS ok1; List ok2; @@ -76,7 +76,7 @@ public static interface Anonymous extends Serializable{} public static void main(String[] args){ Anonymous a1 = new Anonymous(){ - NS problematic; + NS problematic; // $ Alert }; @SuppressWarnings("serial") @@ -106,7 +106,7 @@ class StatelessSessionEjb extends SessionBean { @Stateful class StatefulSessionEjb extends SessionBean { - NonSerializableClass nonSerializableField; + NonSerializableClass nonSerializableField; // $ Alert } enum Enum { diff --git a/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClass.qlref b/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClass.qlref index 4cbb0995764d..0ce5b0819e96 100644 --- a/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClass.qlref +++ b/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClass.qlref 
@@ -1 +1,2 @@ -Likely Bugs/Serialization/NonSerializableInnerClass.ql +query: Likely Bugs/Serialization/NonSerializableInnerClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClassTest.java b/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClassTest.java index 5fe5a6cafa36..55e15cdd0b97 100644 --- a/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClassTest.java +++ b/java/ql/test/query-tests/NonSerializableInnerClass/NonSerializableInnerClassTest.java @@ -11,9 +11,9 @@ public static class S implements Serializable{} public static class Outer1{ - public class Problematic1 implements Serializable{ } + public class Problematic1 implements Serializable{ } // $ Alert - public class Problematic2 extends S{ } + public class Problematic2 extends S{ } // $ Alert @SuppressWarnings("serial") @@ -48,8 +48,8 @@ public static class Outer2 extends S { public class Ok9 implements Serializable{ } } - public class Problematic3 extends S { - public class Problematic4 implements Serializable{ } // because NonSerializableInnerClassTest is not serializable + public class Problematic3 extends S { // $ Alert + public class Problematic4 implements Serializable{ } // $ Alert // because NonSerializableInnerClassTest is not serializable } // we currently ignore anonymous classes @@ -66,7 +66,7 @@ public void test(){ } // the class is not used anywhere, but the serialVersionUID field is an indicator for later serialization - private class Problematic7 implements Serializable{ + private class Problematic7 implements Serializable{ // $ Alert public static final long serialVersionUID = 123; } diff --git a/java/ql/test/query-tests/NonSynchronizedOverride/NonSynchronizedOverride.qlref b/java/ql/test/query-tests/NonSynchronizedOverride/NonSynchronizedOverride.qlref index f8c54049dcef..324b7a4355c7 100644 
--- a/java/ql/test/query-tests/NonSynchronizedOverride/NonSynchronizedOverride.qlref +++ b/java/ql/test/query-tests/NonSynchronizedOverride/NonSynchronizedOverride.qlref @@ -1 +1,2 @@ -Likely Bugs/Concurrency/NonSynchronizedOverride.ql \ No newline at end of file +query: Likely Bugs/Concurrency/NonSynchronizedOverride.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/NonSynchronizedOverride/Test.java b/java/ql/test/query-tests/NonSynchronizedOverride/Test.java index dd537d12b3bc..82ffa4b2650c 100644 --- a/java/ql/test/query-tests/NonSynchronizedOverride/Test.java +++ b/java/ql/test/query-tests/NonSynchronizedOverride/Test.java @@ -13,7 +13,7 @@ void bar() {} class Sub extends Super { // NOT OK - void quack() { + void quack() { // $ Alert super.quack(); super.quack(); } @@ -24,7 +24,7 @@ Sub self() { } // NOT OK - void foo() { + void foo() { // $ Alert super.bar(); } } @@ -35,10 +35,10 @@ synchronized void foo() {} class B extends A { // NOT OK - void foo() {} + void foo() {} // $ Alert } class C extends A { // NOT OK - void foo() {} -} \ No newline at end of file + void foo() {} // $ Alert +} diff --git a/java/ql/test/query-tests/NotifyWithoutSynch/NotifyWithoutSynch.qlref b/java/ql/test/query-tests/NotifyWithoutSynch/NotifyWithoutSynch.qlref index fb6f44cc3e04..b05b6eb0c063 100644 --- a/java/ql/test/query-tests/NotifyWithoutSynch/NotifyWithoutSynch.qlref +++ b/java/ql/test/query-tests/NotifyWithoutSynch/NotifyWithoutSynch.qlref @@ -1 +1,2 @@ -Likely Bugs/Concurrency/NotifyWithoutSynch.ql +query: Likely Bugs/Concurrency/NotifyWithoutSynch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/NotifyWithoutSynch/Test.java b/java/ql/test/query-tests/NotifyWithoutSynch/Test.java index 73982fc65861..7bd22fbbab36 100644 --- a/java/ql/test/query-tests/NotifyWithoutSynch/Test.java +++ b/java/ql/test/query-tests/NotifyWithoutSynch/Test.java 
@@ -7,7 +7,7 @@ public synchronized void pass_unqualified_wait() throws InterruptedException { } public void fail_unqualified_wait() throws InterruptedException { - wait(); + wait(); // $ Alert } public synchronized void pass_unqualified_notify() throws InterruptedException { @@ -15,7 +15,7 @@ public synchronized void pass_unqualified_notify() throws InterruptedException { } public void fail_unqualified_notify() throws InterruptedException { - notify(); + notify(); // $ Alert } public synchronized void pass_unqualified_notifyAll() throws InterruptedException { @@ -23,7 +23,7 @@ public synchronized void pass_unqualified_notifyAll() throws InterruptedExceptio } public void fail_unqualified_notifyAll() throws InterruptedException { - notifyAll(); + notifyAll(); // $ Alert } public void pass_unqualified_wait2() throws InterruptedException { @@ -49,32 +49,32 @@ public void pass_qualified_wait03() throws InterruptedException { } public void fail_qualified_wait01() throws InterruptedException { - this.wait(); + this.wait(); // $ Alert } public void fail_qualified_wait02() throws InterruptedException { - this.wait(); + this.wait(); // $ Alert } public void fail_qualified_wait03() throws InterruptedException { synchronized(obj1) { - this.wait(); + this.wait(); // $ Alert } } public void fail_qualified_wait04() throws InterruptedException { synchronized(this) { - obj1.wait(); + obj1.wait(); // $ Alert } } public synchronized void fail_qualified_wait05() throws InterruptedException { - obj1.wait(); + obj1.wait(); // $ Alert } public synchronized void fail_qualified_wait06() throws InterruptedException { synchronized(obj1) { - obj2.wait(); + obj2.wait(); // $ Alert } } @@ -111,7 +111,7 @@ public void pass_indirect_caller13() throws InterruptedException { } private void fail_indirect_callee14() throws InterruptedException { - wait(); + wait(); // $ Alert } public void fail_indirect_caller15() throws InterruptedException { 
diff --git a/java/ql/test/query-tests/Nullness/A.java b/java/ql/test/query-tests/Nullness/A.java index 065fffdbd3fe..c40f6e898d50 100644 --- a/java/ql/test/query-tests/Nullness/A.java +++ b/java/ql/test/query-tests/Nullness/A.java @@ -12,7 +12,7 @@ public void notTest() { } Object not = null; if (!(not != null)) { - not.hashCode(); + not.hashCode(); // $ Alert[java/dereferenced-value-is-always-null] } } @@ -45,7 +45,7 @@ public void assertNotNullTest() { Object assertNotNull_ok3 = maybe() ? null : new Object(); assertNonNull(assertNotNull_ok3, ""); - assertNotNull_ok3.toString(); + assertNotNull_ok3.toString(); // $ Alert[java/dereferenced-value-may-be-null] } public void assertTrueTest() { @@ -94,7 +94,7 @@ public void instanceOf() { public void synchronised() { Object synchronized_always = null; - synchronized(synchronized_always) { + synchronized(synchronized_always) { // $ Alert[java/dereferenced-value-is-always-null] synchronized_always.hashCode(); } } @@ -158,18 +158,18 @@ public void dowhile() { String do_always = null; do { - System.out.println(do_always.length()); + System.out.println(do_always.length()); // $ Alert[java/dereferenced-value-is-always-null] do_always = null; } while(do_always != null); String do_maybe1 = null; do { - System.out.println(do_maybe1.length()); + System.out.println(do_maybe1.length()); // $ Alert[java/dereferenced-value-is-always-null] } while(do_maybe1 != null); String do_maybe = ""; do { - System.out.println(do_maybe.length()); + System.out.println(do_maybe.length()); // $ Alert[java/dereferenced-value-may-be-null] do_maybe = null; } while(true); } 
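Review bot: `assertNotNull_ok3.toString();` in the `assertNotNullTest` hunk is now expected as a plain `Alert[java/dereferenced-value-may-be-null]`, although the `_ok3` name and the preceding `assertNonNull(...)` call suggest the dereference is meant to be safe. If that result is a known false positive, mark it as one: `assertNotNull_ok3.toString(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null]`. The same applies in `Nullness/B.java` to `corrConds3`, `corrConds4` and the three dereferences in `corrConds5`, whose own comments already say "Spurious NPE - false positive". With a plain `Alert` the expectation no longer distinguishes known false positives from intended results.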
@@ -184,13 +184,13 @@ public void while_() { boolean TRUE = true; String while_always = null; while(TRUE) { - System.out.println(while_always.length()); + System.out.println(while_always.length()); // $ Alert[java/dereferenced-value-is-always-null] while_always = null; } String while_maybe = ""; while(true) { - System.out.println(while_maybe.length()); + System.out.println(while_maybe.length()); // $ Alert[java/dereferenced-value-may-be-null] while_maybe = null; } } @@ -204,7 +204,7 @@ public void if_() { String if_always = null; if (if_always == null) { - System.out.println(if_always.length()); + System.out.println(if_always.length()); // $ Alert[java/dereferenced-value-is-always-null] if_always = null; } @@ -212,7 +212,7 @@ public void if_() { if (if_maybe != null && if_maybe.length() % 2 == 0) { if_maybe = null; } - System.out.println(if_maybe.length()); + System.out.println(if_maybe.length()); // $ Alert[java/dereferenced-value-may-be-null] } public void for_() { @@ -220,20 +220,20 @@ public void for_() { for (for_ok = ""; for_ok != null; for_ok = null) { System.out.println(for_ok.length()); } - System.out.println(for_ok.length()); + System.out.println(for_ok.length()); // $ Alert[java/dereferenced-value-is-always-null] for (String for_always = null; ((for_always == null)); for_always = null) { - System.out.println(for_always.length()); + System.out.println(for_always.length()); // $ Alert[java/dereferenced-value-is-always-null] } for (String for_maybe = ""; ; for_maybe = null) { - System.out.println(for_maybe.length()); + System.out.println(for_maybe.length()); // $ Alert[java/dereferenced-value-may-be-null] } } public void array_assign_test() { int[] array_null = null; - array_null[0] = 10; + array_null[0] = 10; // $ Alert[java/dereferenced-value-is-always-null] int[] array_ok; array_ok = new int[10]; 
@@ -245,9 +245,9 @@ public void access() { String[] fieldaccess = null; Object methodaccess = null; - System.out.println(arrayaccess[1]); - System.out.println(fieldaccess.length); - System.out.println(methodaccess.toString()); + System.out.println(arrayaccess[1]); // $ Alert[java/dereferenced-value-is-always-null] + System.out.println(fieldaccess.length); // $ Alert[java/dereferenced-value-is-always-null] + System.out.println(methodaccess.toString()); // $ Alert[java/dereferenced-value-is-always-null] System.out.println(arrayaccess[1]); System.out.println(fieldaccess.length); @@ -261,16 +261,16 @@ public void enhanced_for() { System.out.println(for_ok.size()); List for_always = null; - for (String s : for_always) + for (String s : for_always) // $ Alert[java/dereferenced-value-is-always-null] System.out.println(s); - System.out.println(for_always.size()); + System.out.println(for_always.size()); // $ Alert[java/dereferenced-value-is-always-null] List for_maybe = java.util.Collections.emptyList(); for (String s : for_maybe) { System.out.println(s); for_maybe = null; } - System.out.println(for_maybe.size()); + System.out.println(for_maybe.size()); // $ Alert[java/dereferenced-value-may-be-null] } public void assertFalseInstanceofTest() { @@ -290,7 +290,7 @@ public void assertVariousTest() { public void assertFalseNotNullNestedTest() { Object s = String.valueOf(1); assertFalse(s != null || !"1".equals("1")); // assertTrue(s==null) - s.toString().isEmpty(); + s.toString().isEmpty(); // $ Alert[java/dereferenced-value-is-always-null] } public void testForLoopCondition(Iterable iter) { diff --git a/java/ql/test/query-tests/Nullness/B.java b/java/ql/test/query-tests/Nullness/B.java index 5759df2d236f..14ff2b359354 100644 --- a/java/ql/test/query-tests/Nullness/B.java +++ b/java/ql/test/query-tests/Nullness/B.java 
@@ -13,14 +13,14 @@ public void caller() { } public void callee1(Object param) { - param.toString(); // NPE + param.toString(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } public void callee2(Object param) { if (param != null) { param.toString(); // OK } - param.toString(); // NPE + param.toString(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } private static boolean customIsNull(Object x) { @@ -54,7 +54,7 @@ public void nullGuards() { if (ok) o7.hashCode(); // OK else - o7.hashCode(); // NPE + o7.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE Object o8 = maybe ? null : ""; int track = o8 == null ? 42 : 1+1; @@ -66,16 +66,16 @@ public void nullGuards() { public void deref() { int[] xs = maybe ? null : new int[2]; - if (2 > 1) xs[0] = 5; // NPE - if (2 > 1) maybe = xs[1] > 5; // NPE + if (2 > 1) xs[0] = 5; // $ Alert[java/dereferenced-value-may-be-null] // NPE + if (2 > 1) maybe = xs[1] > 5; // $ Alert[java/dereferenced-value-may-be-null] // NPE if (2 > 1) { - int l = xs.length; // NPE + int l = xs.length; // $ Alert[java/dereferenced-value-may-be-null] // NPE } if (2 > 1) { - for (int i : xs) { } // NPE + for (int i : xs) { } // $ Alert[java/dereferenced-value-may-be-null] // NPE } if (2 > 1) { - synchronized(xs) { // NPE + synchronized(xs) { // $ Alert[java/dereferenced-value-may-be-null] // NPE xs.hashCode(); // Not reported - same basic block } } @@ -115,7 +115,7 @@ public void lengthGuard(int[] a, int[] b) { } public void missedGuard(Object obj) { - obj.hashCode(); // NPE + obj.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE int x = obj != null ? 1 : 0; } @@ -130,7 +130,7 @@ public void exceptions() { obj = mkMaybe(); } catch(Exception e) { } - obj.hashCode(); // NPE + obj.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE Object obj2 = null; try { 
@@ -187,7 +187,7 @@ public void correlatedConditions(boolean cond, int num) { Object other = maybe ? null : ""; if (other == null) o = ""; if (other != null) - o.hashCode(); // NPE + o.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE else o.hashCode(); // OK @@ -301,7 +301,7 @@ void test(Exception e, boolean b) { if (ioe != null) { ioe = e; } else { - ioe.getMessage(); // NPE; always + ioe.getMessage(); // $ Alert[java/dereferenced-value-is-always-null] // NPE; always } } @@ -331,7 +331,7 @@ public void corrConds3(Object y) { x = new Object(); } if(y instanceof String) { - x.hashCode(); // Spurious NPE - false positive + x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive } } @@ -341,7 +341,7 @@ public void corrConds4(Object y) { x = new Object(); } if(!(y instanceof String)) { - x.hashCode(); // Spurious NPE - false positive + x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive } } @@ -351,7 +351,7 @@ public void corrConds5(Object y, Object z) { x = new Object(); } if(y == z) { - x.hashCode(); // Spurious NPE - false positive + x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive } Object x2 = null; @@ -359,7 +359,7 @@ public void corrConds5(Object y, Object z) { x2 = new Object(); } if(y != z) { - x2.hashCode(); // Spurious NPE - false positive + x2.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive } Object x3 = null; @@ -367,7 +367,7 @@ public void corrConds5(Object y, Object z) { x3 = new Object(); } if(!(y == z)) { - x3.hashCode(); // Spurious NPE - false positive + x3.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive } } @@ -405,7 +405,7 @@ public void bitwise(Object x, boolean b) { g5 |= b; if (g5) { - x.hashCode(); // NPE + x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } } 
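Review bot: In B.java the dereferences whose own trailing comment reads "Spurious NPE - false positive" (corrConds3, corrConds4 and corrConds5 here, then loopCorrTest2, loopCorrTest3 and testFinally2 in the later hunks) are annotated as ordinary expected alerts, so the inline expectation no longer separates a wanted result from a known false positive. The inline-expectations format has a marker for exactly this case, e.g. `x.hashCode(); // $ SPURIOUS: Alert[java/dereferenced-value-may-be-null] // false positive`, which keeps the test passing today and makes a later precision fix show up as an intended change rather than a lost alert. The same applies to the "NPE - false positive" lines in Nullness/C.java and the "OK - FP" lines in RangeAnalysis/A.java. The enclosing methods begin and end outside these hunks, so this is based only on the comments visible on the changed lines.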
@@ -417,7 +417,7 @@ public void corrCondLoop1(boolean a[]) { x = null; } if (!b) { - x.hashCode(); // NPE + x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } // flow can loop around from one iteration to the next } @@ -462,7 +462,7 @@ public void loopCorrTest2(boolean[] a) { cur = a[i]; if (!prev) { // correctly guarded by !cur from the _previous_ iteration - x.hashCode(); // Spurious NPE - false positive + x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive } else { x = new Object(); } @@ -484,7 +484,7 @@ public void loopCorrTest3(String[] ss) { t = new Object(); } // correctly guarded by t: null -> String -> Object - x.hashCode(); // Spurious NPE - false positive + x.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive } } } @@ -513,7 +513,7 @@ public void trackTest(Object o, int n) { int c = -1; if (maybe) { } if (c == 100) { return; } - o.hashCode(); // NPE + o.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } public void testFinally(int[] xs, int[] ys) { @@ -532,9 +532,9 @@ public void testFinally(int[] xs, int[] ys) { } finally { } s1.hashCode(); // OK - s2.hashCode(); // NPE + s2.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } - s1.hashCode(); // NPE + s1.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } public void lenCheck(int[] xs, int n, int t) { @@ -573,7 +573,7 @@ public void testFinally2(int[] xs) { } finally { } } - s.hashCode(); // Spurious NPE - false positive + s.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // Spurious NPE - false positive // CFG reachability does not distinguish abrupt successors } } diff --git a/java/ql/test/query-tests/Nullness/C.java b/java/ql/test/query-tests/Nullness/C.java index edd64cfa79b5..0ecc0c23f888 100644 --- a/java/ql/test/query-tests/Nullness/C.java +++ b/java/ql/test/query-tests/Nullness/C.java 
@@ -6,8 +6,8 @@ public void ex1(long[][][] a1, int ix, int len) { long[][] a2 = null; boolean haveA2 = ix < len && (a2 = a1[ix]) != null; long[] a3 = null; - final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // NPE - false positive - if (haveA3) a3[0] = 0; // NPE - false positive + final boolean haveA3 = haveA2 && (a3 = a2[ix]) != null; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive + if (haveA3) a3[0] = 0; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive } public void ex2(boolean x, boolean y) { @@ -18,7 +18,7 @@ public void ex2(boolean x, boolean y) { s2 = (s1 == null) ? null : ""; } if (s2 != null) - s1.hashCode(); // NPE - false positive + s1.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive } public void ex3(List ss) { @@ -48,7 +48,7 @@ public void ex4(Iterable list, int step) { slice = new ArrayList<>(); result.add(slice); } - slice.add(str); // NPE - false positive + slice.add(str); // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive ++index; iter.remove(); } @@ -141,7 +141,7 @@ public void ex9(boolean cond, Object obj1) { public void ex10(int[] a) { int n = a == null ? 0 : a.length; for (int i = 0; i < n; i++) { - int x = a[i]; // NPE - false positive + int x = a[i]; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive if (x > 7) a = new int[n]; } @@ -216,7 +216,7 @@ public void ex15(Object o1, Object o2) { if (o1 == o2) { return; } - if (o1.equals(o2)) { // NPE - false positive + if (o1.equals(o2)) { // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive return; } } @@ -230,7 +230,7 @@ private Object getFoo16() { public static void ex16(C c) { int[] xs = c.getFoo16() != null ? new int[5] : null; if (c.getFoo16() != null) { - xs[0]++; // NPE - false positive + xs[0]++; // $ Alert[java/dereferenced-value-may-be-null] // NPE - false positive } } 
diff --git a/java/ql/test/query-tests/Nullness/ExprDeref.java b/java/ql/test/query-tests/Nullness/ExprDeref.java index 61aa9c4d8da4..4a4c503d959a 100644 --- a/java/ql/test/query-tests/Nullness/ExprDeref.java +++ b/java/ql/test/query-tests/Nullness/ExprDeref.java @@ -4,6 +4,6 @@ Integer getBoxed() { } int unboxBad(boolean b) { - return (b ? null : getBoxed()); // NPE + return (b ? null : getBoxed()); // $ Alert[java/dereferenced-expr-may-be-null] // NPE } } diff --git a/java/ql/test/query-tests/Nullness/F.java b/java/ql/test/query-tests/Nullness/F.java index 6589c3d78fae..d1fd4348429f 100644 --- a/java/ql/test/query-tests/Nullness/F.java +++ b/java/ql/test/query-tests/Nullness/F.java @@ -8,13 +8,13 @@ public void m1(Object obj) { public void m2(Object obj) { if (obj == null) doStuff(); - obj.hashCode(); // NPE + obj.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } public void m3(Object obj) { if (obj == null) doStuffOrThrow(0); - obj.hashCode(); // NPE + obj.hashCode(); // $ Alert[java/dereferenced-value-may-be-null] // NPE } public static class MyException extends RuntimeException { diff --git a/java/ql/test/query-tests/Nullness/G.java b/java/ql/test/query-tests/Nullness/G.java index 9a525e8d14b0..c8c69873299b 100644 --- a/java/ql/test/query-tests/Nullness/G.java +++ b/java/ql/test/query-tests/Nullness/G.java @@ -17,7 +17,7 @@ public static void test(String s) { case null, default -> "bar"; }; - switch(s) { // BAD; lack of a null case means this may throw. + switch(s) { // $ Alert[java/dereferenced-value-may-be-null] // BAD; lack of a null case means this may throw. case "foo" -> System.out.println("Foo"); case String s2 -> System.out.println("Other string of length " + s2.length()); } diff --git a/java/ql/test/query-tests/Nullness/NullAlways.qlref b/java/ql/test/query-tests/Nullness/NullAlways.qlref index a03818b411f6..76df7c2751ee 100644 --- a/java/ql/test/query-tests/Nullness/NullAlways.qlref 
+++ b/java/ql/test/query-tests/Nullness/NullAlways.qlref
@@ -1 +1,2 @@
-Likely Bugs/Nullness/NullAlways.ql
+query: Likely Bugs/Nullness/NullAlways.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/Nullness/NullExprDeref.qlref b/java/ql/test/query-tests/Nullness/NullExprDeref.qlref
index 46dda0915934..4ca963ecbccf 100644
--- a/java/ql/test/query-tests/Nullness/NullExprDeref.qlref
+++ b/java/ql/test/query-tests/Nullness/NullExprDeref.qlref
@@ -1 +1,2 @@
-Likely Bugs/Nullness/NullExprDeref.ql
+query: Likely Bugs/Nullness/NullExprDeref.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/Nullness/NullMaybe.qlref b/java/ql/test/query-tests/Nullness/NullMaybe.qlref
index ab01473d8e53..19125c7bc598 100644
--- a/java/ql/test/query-tests/Nullness/NullMaybe.qlref
+++ b/java/ql/test/query-tests/Nullness/NullMaybe.qlref
@@ -1 +1,2 @@
-Likely Bugs/Nullness/NullMaybe.ql
+query: Likely Bugs/Nullness/NullMaybe.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/NumberFormatException/NumberFormatException.qlref b/java/ql/test/query-tests/NumberFormatException/NumberFormatException.qlref
index 8d221a0854f5..4f183d197af5 100644
--- a/java/ql/test/query-tests/NumberFormatException/NumberFormatException.qlref
+++ b/java/ql/test/query-tests/NumberFormatException/NumberFormatException.qlref
@@ -1 +1,2 @@
-Violations of Best Practice/Exception Handling/NumberFormatException.ql
+query: Violations of Best Practice/Exception Handling/NumberFormatException.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/NumberFormatException/Test.java b/java/ql/test/query-tests/NumberFormatException/Test.java
index b886116eb740..6f58bac8ba27 100644
--- a/java/ql/test/query-tests/NumberFormatException/Test.java
+++ b/java/ql/test/query-tests/NumberFormatException/Test.java
@@ -8,46 +8,46 @@ public static void main(String[] args) { } static void test1() { - Byte.parseByte("123"); - Byte.decode("123"); - Byte.valueOf("123"); - Byte.valueOf("123", 10); - Byte.valueOf("7f", 16); - new Byte("123"); + Byte.parseByte("123"); // $ Alert + Byte.decode("123"); // $ Alert + Byte.valueOf("123"); // $ Alert + Byte.valueOf("123", 10); // $ Alert + Byte.valueOf("7f", 16); // $ Alert + new Byte("123"); // $ Alert new Byte((byte) 123); // don't flag: wrong constructor - Short.parseShort("123"); - Short.decode("123"); - Short.valueOf("123"); - Short.valueOf("123", 10); - Short.valueOf("7abc", 16); - new Short("123"); + Short.parseShort("123"); // $ Alert + Short.decode("123"); // $ Alert + Short.valueOf("123"); // $ Alert + Short.valueOf("123", 10); // $ Alert + Short.valueOf("7abc", 16); // $ Alert + new Short("123"); // $ Alert new Short((short) 123); // don't flag: wrong constructor - Integer.parseInt("123"); - Integer.decode("123"); - Integer.valueOf("123"); - Integer.valueOf("123", 10); - Integer.valueOf("1234beef", 16); - new Integer("123"); + Integer.parseInt("123"); // $ Alert + Integer.decode("123"); // $ Alert + Integer.valueOf("123"); // $ Alert + Integer.valueOf("123", 10); // $ Alert + Integer.valueOf("1234beef", 16); // $ Alert + new Integer("123"); // $ Alert new Integer(123); // don't flag: wrong constructor - Long.parseLong("123"); - Long.decode("123"); - Long.valueOf("123"); - Long.valueOf("123", 10); - Long.valueOf("deadbeef", 16); - new Long("123"); + Long.parseLong("123"); // $ Alert + Long.decode("123"); // $ Alert + Long.valueOf("123"); // $ Alert + Long.valueOf("123", 10); // $ Alert + Long.valueOf("deadbeef", 16); // $ Alert + new Long("123"); // $ Alert new Long(123l); // don't flag: wrong constructor - Float.parseFloat("2.7818281828"); - Float.valueOf("2.7818281828"); - new Float("2.7818281828"); + Float.parseFloat("2.7818281828"); // $ Alert + Float.valueOf("2.7818281828"); // $ Alert + new Float("2.7818281828"); // $ Alert 
new Float(2.7818281828f); // don't flag: wrong constructor - Double.parseDouble("2.7818281828"); - Double.valueOf("2.7818281828"); - new Double("2.7818281828"); + Double.parseDouble("2.7818281828"); // $ Alert + Double.valueOf("2.7818281828"); // $ Alert + new Double("2.7818281828"); // $ Alert new Double(2.7818281828); // don't flag: wrong constructor } diff --git a/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.qlref b/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.qlref index c2db43d8953a..a129d30287b7 100644 --- a/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.qlref +++ b/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatch.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/PartiallyMaskedCatch.ql \ No newline at end of file +query: Likely Bugs/Statements/PartiallyMaskedCatch.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatchTest.java b/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatchTest.java index 4debe220f25f..b5423a3c7318 100644 --- a/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatchTest.java +++ b/java/ql/test/query-tests/PartiallyMaskedCatch/PartiallyMaskedCatchTest.java @@ -13,7 +13,7 @@ public static void method() { // reachable: ExceptionB is thrown by invocation of CloseableThing.doThing() } catch (ExceptionA e) { // reachable: ExceptionA is thrown by implicit invocation of CloseableThing.close() - } catch (IOException e) { + } catch (IOException e) { // $ Alert // unreachable: only more specific exceptions are thrown and caught by previous catch blocks } 
@@ -23,7 +23,7 @@ public static void method() { // reachable: ExceptionB is thrown by invocation of CloseableThing.doThing() } catch (ExceptionA | RuntimeException e) { // reachable: ExceptionA is thrown by implicit invocation of CloseableThing.close() - } catch (IOException e) { + } catch (IOException e) { // $ Alert // unreachable: only more specific exceptions are thrown and caught by previous catch blocks } @@ -33,7 +33,7 @@ public static void method() { // reachable: ExceptionB is thrown by invocation of CloseableThing.doThing() } catch (ExceptionA | IllegalArgumentException e) { // reachable: ExceptionA is thrown by implicit invocation of CloseableThing.close() - } catch (IOException | RuntimeException e) { + } catch (IOException | RuntimeException e) { // $ Alert // unreachable for type IOException: only more specific exceptions are thrown and caught by previous catch blocks } diff --git a/java/ql/test/query-tests/PointlessForwardingMethod/PointlessForwardingMethod.qlref b/java/ql/test/query-tests/PointlessForwardingMethod/PointlessForwardingMethod.qlref index 310c4a6ae3e3..ad8cb0f399d5 100644 --- a/java/ql/test/query-tests/PointlessForwardingMethod/PointlessForwardingMethod.qlref +++ b/java/ql/test/query-tests/PointlessForwardingMethod/PointlessForwardingMethod.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Dead Code/PointlessForwardingMethod.ql +query: Violations of Best Practice/Dead Code/PointlessForwardingMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/PointlessForwardingMethod/pointlessforwardingmethod/Test.java b/java/ql/test/query-tests/PointlessForwardingMethod/pointlessforwardingmethod/Test.java index 4810a4cefcf0..a71b7c7382d2 100644 --- a/java/ql/test/query-tests/PointlessForwardingMethod/pointlessforwardingmethod/Test.java +++ b/java/ql/test/query-tests/PointlessForwardingMethod/pointlessforwardingmethod/Test.java 
@@ -6,7 +6,7 @@ int addOne(int x, int one) { return x + one; } - int addOne(byte x) { + int addOne(byte x) { // $ Alert return addOne(x, 1); } diff --git a/java/ql/test/query-tests/PrintLnArray/PrintLn.qlref b/java/ql/test/query-tests/PrintLnArray/PrintLn.qlref index 476f3f42e6eb..ccb0525d55ee 100644 --- a/java/ql/test/query-tests/PrintLnArray/PrintLn.qlref +++ b/java/ql/test/query-tests/PrintLnArray/PrintLn.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Undesirable Calls/PrintLnArray.ql \ No newline at end of file +query: Violations of Best Practice/Undesirable Calls/PrintLnArray.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/PrintLnArray/Test.java b/java/ql/test/query-tests/PrintLnArray/Test.java index 4890b892ce82..917091c21dec 100644 --- a/java/ql/test/query-tests/PrintLnArray/Test.java +++ b/java/ql/test/query-tests/PrintLnArray/Test.java @@ -3,6 +3,6 @@ class Test { // OK: calls PrintStream.println(char[]) System.out.println(new char[] { 'H', 'i' }); // NOT OK: calls PrintStream.println(Object) - System.out.println(new byte[0]); + System.out.println(new byte[0]); // $ Alert } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/RandomUsedOnce/RandomUsedOnce.qlref b/java/ql/test/query-tests/RandomUsedOnce/RandomUsedOnce.qlref index fa212fc35484..9dd0dd1812b3 100644 --- a/java/ql/test/query-tests/RandomUsedOnce/RandomUsedOnce.qlref +++ b/java/ql/test/query-tests/RandomUsedOnce/RandomUsedOnce.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/RandomUsedOnce.ql +query: Likely Bugs/Arithmetic/RandomUsedOnce.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/RandomUsedOnce/Test.java b/java/ql/test/query-tests/RandomUsedOnce/Test.java index 81ee1f0dd5a2..d27779f67578 100644 --- a/java/ql/test/query-tests/RandomUsedOnce/Test.java +++ b/java/ql/test/query-tests/RandomUsedOnce/Test.java 
@@ -4,7 +4,7 @@ public class Test { public static void test() { - (new Random()).nextInt(); + (new Random()).nextInt(); // $ Alert } diff --git a/java/ql/test/query-tests/RangeAnalysis/A.java b/java/ql/test/query-tests/RangeAnalysis/A.java index b68de9beaa7c..acd05fae9b8e 100644 --- a/java/ql/test/query-tests/RangeAnalysis/A.java +++ b/java/ql/test/query-tests/RangeAnalysis/A.java @@ -16,14 +16,14 @@ public A(int[] arr2, int n) { void m1(int[] a) { int sum = 0; for (int i = 0; i <= a.length; i++) { - sum += a[i]; // Out of bounds + sum += a[i]; // $ Alert // Out of bounds } } void m2(int[] a) { int sum = 0; for (int i = 0; i < a.length; i += 2) { - sum += a[i] + a[i + 1]; // Out of bounds (unless len%2==0) + sum += a[i] + a[i + 1]; // $ Alert // Out of bounds (unless len%2==0) } } @@ -42,11 +42,11 @@ void m3(int[] a) { } for (int i = 0; i < arr2.length; ) { sum += arr2[i++]; // OK - sum += arr2[i++]; // OK - FP + sum += arr2[i++]; // $ Alert // OK - FP } for (int i = 0; i < arr3.length; ) { sum += arr3[i++]; // OK - sum += arr3[i++]; // OK - FP + sum += arr3[i++]; // $ Alert // OK - FP } int[] b; if (sum > 3) @@ -55,7 +55,7 @@ void m3(int[] a) { b = arr1; for (int i = 0; i < b.length; i++) { sum += b[i]; // OK - sum += b[++i]; // OK - FP + sum += b[++i]; // $ Alert // OK - FP } } @@ -86,7 +86,7 @@ void m5(int n) { int m6(int[] a, int ix) { if (ix < 0 || ix > a.length) return 0; - return a[ix]; // Out of bounds + return a[ix]; // $ Alert // Out of bounds } void m7() { @@ -97,7 +97,7 @@ void m7() { sum += xs[i]; // OK sum += xs[j]; // OK if (i < j) - sum += xs[i + 11 - j]; // OK - FP + sum += xs[i + 11 - j]; // $ Alert // OK - FP else sum += xs[i - j]; // OK } @@ -110,8 +110,8 @@ void m8(int[] a) { int sum = 0; for (int i = 4; i < a.length; i += 3) { sum += a[i]; // OK - sum += a[i + 1]; // OK - FP - sum += a[i + 2]; // OK - FP + sum += a[i + 1]; // $ Alert // OK - FP + sum += a[i + 2]; // $ Alert // OK - FP } } 
@@ -122,7 +122,7 @@ void m9() { if (i < 5) sum += a[i]; // OK else - sum += a[9 - i]; // OK - FP + sum += a[9 - i]; // $ Alert // OK - FP } } @@ -134,7 +134,7 @@ void m10(int n, int m) { sum += a[i]; // OK for (int j = i + 1; j < len; j++) { sum += a[j]; // OK - sum += a[i + 1]; // OK - FP + sum += a[i + 1]; // $ Alert // OK - FP } } } @@ -182,7 +182,7 @@ void m13(int n) { void m14(int[] xs) { for (int i = 0; i < xs.length + 1; i++) { if (i == 0 && xs.length > 0) { - xs[i]++; // OK - FP + xs[i]++; // $ Alert // OK - FP } } } @@ -192,23 +192,23 @@ void m15(int[] xs) { int x = ++i; int y = ++i; if (y < xs.length) { - xs[x]++; // OK - FP + xs[x]++; // $ Alert // OK - FP xs[y]++; // OK } } } static int m16() { - return A.arr1[(new Random()).nextInt(arr1.length + 1)] + // BAD: random int may be out of range + return A.arr1[(new Random()).nextInt(arr1.length + 1)] + // $ Alert // BAD: random int may be out of range A.arr1[(new Random()).nextInt(arr1.length)] + // GOOD: random int must be in range - A.arr1[RandomUtils.nextInt(0, arr1.length + 1)] + // BAD: random int may be out of range + A.arr1[RandomUtils.nextInt(0, arr1.length + 1)] + // $ Alert // BAD: random int may be out of range A.arr1[RandomUtils.nextInt(0, arr1.length)]; // GOOD: random int must be in range } int m17() { - return this.arr2[(new Random()).nextInt(arr2.length + 1)] + // BAD: random int may be out of range + return this.arr2[(new Random()).nextInt(arr2.length + 1)] + // $ Alert // BAD: random int may be out of range this.arr2[(new Random()).nextInt(arr2.length)] + // GOOD: random int must be in range - this.arr2[RandomUtils.nextInt(0, arr2.length + 1)] + // BAD: random int may be out of range + this.arr2[RandomUtils.nextInt(0, arr2.length + 1)] + // $ Alert // BAD: random int may be out of range this.arr2[RandomUtils.nextInt(0, arr2.length)]; // GOOD: random int must be in range } } 
diff --git a/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.qlref b/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.qlref index 439f2fd18dee..a374970716f4 100644 --- a/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.qlref +++ b/java/ql/test/query-tests/RangeAnalysis/ArrayIndexOutOfBounds.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/ArrayIndexOutOfBounds.ql +query: Likely Bugs/Collections/ArrayIndexOutOfBounds.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref b/java/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref index 2f4f5248a6bb..623d63c75056 100644 --- a/java/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref +++ b/java/ql/test/query-tests/ReadOnlyContainer/ReadOnlyContainer.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/ReadOnlyContainer.ql \ No newline at end of file +query: Likely Bugs/Collections/ReadOnlyContainer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ReadOnlyContainer/Test.java b/java/ql/test/query-tests/ReadOnlyContainer/Test.java index f4e75501bc89..7eb11a5784c6 100644 --- a/java/ql/test/query-tests/ReadOnlyContainer/Test.java +++ b/java/ql/test/query-tests/ReadOnlyContainer/Test.java @@ -2,7 +2,7 @@ public class Test { boolean containsDuplicates(Object[] array) { - Set seen = new HashSet(); + Set seen = new HashSet(); // $ Alert for (Object o : array) { // should be flagged if (seen.contains(o)) @@ -65,7 +65,7 @@ void baz() { } List g() { - List bl = new ArrayList(); + List bl = new ArrayList(); // $ Alert // should be flagged bl.contains(false); return bl; @@ -81,4 +81,4 @@ boolean inSneakySet(int x) { return sneakySet.contains(x); } -} \ No newline at end of file +} 
diff --git a/java/ql/test/query-tests/ReturnValueIgnored/ReturnValueIgnored.qlref b/java/ql/test/query-tests/ReturnValueIgnored/ReturnValueIgnored.qlref index ef1dc964d955..ab13392ec553 100644 --- a/java/ql/test/query-tests/ReturnValueIgnored/ReturnValueIgnored.qlref +++ b/java/ql/test/query-tests/ReturnValueIgnored/ReturnValueIgnored.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/ReturnValueIgnored.ql \ No newline at end of file +query: Likely Bugs/Statements/ReturnValueIgnored.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/ReturnValueIgnored/return_value_ignored/Test.java b/java/ql/test/query-tests/ReturnValueIgnored/return_value_ignored/Test.java index 49ec7daf694b..f736a12b7648 100644 --- a/java/ql/test/query-tests/ReturnValueIgnored/return_value_ignored/Test.java +++ b/java/ql/test/query-tests/ReturnValueIgnored/return_value_ignored/Test.java @@ -38,7 +38,7 @@ public static void main(String[] args) { foo = test3.getI(); foo = test1.getI(); foo = test2.getI(); - test3.getI(); + test3.getI(); // $ Alert // test setter; shouldn't flag last call Test test; @@ -86,6 +86,6 @@ public static void main(String[] args) { t = s.trim(); t = s.trim(); t = s.trim(); - s.trim(); + s.trim(); // $ Alert } } diff --git a/java/ql/test/query-tests/SelfAssignment/SelfAssignment.qlref b/java/ql/test/query-tests/SelfAssignment/SelfAssignment.qlref index de3fdee70910..b56a4a667499 100644 --- a/java/ql/test/query-tests/SelfAssignment/SelfAssignment.qlref +++ b/java/ql/test/query-tests/SelfAssignment/SelfAssignment.qlref @@ -1 +1,2 @@ -Likely Bugs/Likely Typos/SelfAssignment.ql +query: Likely Bugs/Likely Typos/SelfAssignment.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/SelfAssignment/Test.java b/java/ql/test/query-tests/SelfAssignment/Test.java index 7b55fd4c1d06..2c89a4a49bf2 100644 --- a/java/ql/test/query-tests/SelfAssignment/Test.java 
+++ b/java/ql/test/query-tests/SelfAssignment/Test.java @@ -3,7 +3,7 @@ class Outer { Outer(int x) { // NOT OK - x = x; + x = x; // $ Alert // OK this.x = x; } @@ -20,4 +20,4 @@ class Inner2 extends Outer { // OK { x = Outer.this.x; } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.java b/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.java index 7d425e96d803..612acaa5c7a8 100644 --- a/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.java +++ b/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.java @@ -1,16 +1,16 @@ class Test { void f(boolean x, boolean y, Boolean a, Boolean b) { boolean w; - w = a == false; - w = x != true; - w = a ? false : b; - w = a ? true : false; - w = x ? y : true; + w = a == false; // $ Alert + w = x != true; // $ Alert + w = a ? false : b; // $ Alert + w = a ? true : false; // $ Alert + w = x ? y : true; // $ Alert } void g(int x, int y) { boolean w; - w = !(x > y); - w = !(x != y); + w = !(x > y); // $ Alert + w = !(x != y); // $ Alert } public Boolean getBool(int i) { if (i > 2) @@ -19,7 +19,7 @@ public Boolean getBool(int i) { } public Boolean getBoolNPE(int i) { if (i > 2) - return i == 3 ? true : ((Boolean)null); // should be reported; both this and the simplified version have equal NPE behavior - return i == 1 ? false : ((Boolean)null); // should be reported; both this and the simplified version have equal NPE behavior + return i == 3 ? true : ((Boolean)null); // $ Alert // should be reported; both this and the simplified version have equal NPE behavior + return i == 1 ? false : ((Boolean)null); // $ Alert // should be reported; both this and the simplified version have equal NPE behavior } } diff --git a/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.qlref b/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.qlref index d071e989ebbb..45d0db5559c1 100644 --- a/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.qlref 
+++ b/java/ql/test/query-tests/SimplifyBoolExpr/SimplifyBoolExpr.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql +query: Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/SpuriousJavadocParam/Test.java b/java/ql/test/query-tests/SpuriousJavadocParam/Test.java index d8891afb7564..ca724cf468cf 100644 --- a/java/ql/test/query-tests/SpuriousJavadocParam/Test.java +++ b/java/ql/test/query-tests/SpuriousJavadocParam/Test.java @@ -54,83 +54,83 @@ protected void ok8(){ } protected void ok9(int...param){ } /** - * @param prameter typo + * @param prameter typo // $ Alert */ public void problem1(int parameter){ } /** - * @param Parameter capitalization + * @param Parameter capitalization // $ Alert */ public void problem2(int parameter){ } /** - * @param parameter unmatched + * @param parameter unmatched // $ Alert */ public void problem3(){ } /** * @param someOtherParameter matched - * @param parameter unmatched + * @param parameter unmatched // $ Alert */ public void problem4(int someOtherParameter){ } /** - * @param unmatched type parameter + * @param unmatched type parameter // $ Alert */ private T problem5(){ return null; } /** * @param matched type parameter - * @param

unmatched type parameter - * @param n unmatched normal parameter + * @param

unmatched type parameter // $ Alert + * @param n unmatched normal parameter // $ Alert */ private T problem6(V p){ return null; } /** * param with immediate newline - * @param + * @param // $ Alert */ protected void problem7(){ } /** * param without a value (followed by blanks) - * @param + * @param // $ Alert */ protected void problem8(){ } class SomeClass { /** * @param i exists - * @param k does not + * @param k does not // $ Alert */ SomeClass(int i, int j) {} } /** * @param exists - * @param T wrong syntax - * @param does not exist + * @param T wrong syntax // $ Alert + * @param does not exist // $ Alert */ class GenericClass {} /** * @param exists - * @param T wrong syntax - * @param does not exist + * @param T wrong syntax // $ Alert + * @param does not exist // $ Alert */ interface GenericInterface {} /** * @param i exists - * @param k does not + * @param k does not // $ Alert */ static record SomeRecord(int i, int j) {} /** * @param exists - * @param does not + * @param does not // $ Alert * @param i exists - * @param k does not + * @param k does not // $ Alert */ static record GenericRecord(int i, int j) {} } diff --git a/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref b/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref index 05f7231fe6b8..85c1971658c2 100644 --- a/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref +++ b/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref @@ -1 +1,2 @@ -Advisory/Documentation/SpuriousJavadocParam.ql +query: Advisory/Documentation/SpuriousJavadocParam.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/StartInConstructor/StartInConstructor.qlref b/java/ql/test/query-tests/StartInConstructor/StartInConstructor.qlref index 2f16c25c1eee..e27b98e9e72e 100644 --- a/java/ql/test/query-tests/StartInConstructor/StartInConstructor.qlref +++ b/java/ql/test/query-tests/StartInConstructor/StartInConstructor.qlref 
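Review bot: In SpuriousJavadocParam/Test.java the expectation marker is written into the Javadoc text itself, so for problem7 and problem8 the line `* @param` becomes `* @param // $ Alert` and the tag under test is no longer empty, although those two cases are described as "param with immediate newline" and "param without a value (followed by blanks)". On the other tags the marker becomes part of the parameter description, and `//` does not open a comment inside a `/** ... */` block, so whether the postprocess query reads these markers at all cannot be told from this diff and should be confirmed by running the test. I would keep the `* @param` lines of problem7 and problem8 byte-identical to the old side and let their two results remain in the `.expected` file, so that the empty-tag input is still what the query is exercised on.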
@@ -1 +1,2 @@ -Likely Bugs/Concurrency/StartInConstructor.ql +query: Likely Bugs/Concurrency/StartInConstructor.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/StartInConstructor/Test.java b/java/ql/test/query-tests/StartInConstructor/Test.java index ae8148af7873..58883af4ede6 100644 --- a/java/ql/test/query-tests/StartInConstructor/Test.java +++ b/java/ql/test/query-tests/StartInConstructor/Test.java @@ -6,7 +6,7 @@ public class Test { public Test() { myThread = new Thread("myThread"); // BAD - myThread.start(); + myThread.start(); // $ Alert } public static final class Final { diff --git a/java/ql/test/query-tests/StaticArray/StaticArray.java b/java/ql/test/query-tests/StaticArray/StaticArray.java index 362d6fefcef0..b24fa5526b1a 100644 --- a/java/ql/test/query-tests/StaticArray/StaticArray.java +++ b/java/ql/test/query-tests/StaticArray/StaticArray.java @@ -1,6 +1,6 @@ class StaticArray { - public static final int[] bad = new int[42]; //NOT OK + public static final int[] bad = new int[42]; // $ Alert //NOT OK protected static final int[] good_protected = new int[42]; //OK (protected arrays are ok) /* default */ static final int[] good_default = new int[42]; //OK (default access arrays are ok) 
@@ -11,10 +11,10 @@ class StaticArray public /* final */ static int[] good_nonfinal = new int[42]; //OK (non-final arrays are ok) public static final Object good_not_array = new int[42]; //OK (non-arrays are ok) - public static final int[][][] bad_multidimensional = new int[42][42][42]; //NOT OK - public static final int[][][] bad_multidimensional_partial_init = new int[42][][]; //NOT OK + public static final int[][][] bad_multidimensional = new int[42][42][42]; // $ Alert //NOT OK + public static final int[][][] bad_multidimensional_partial_init = new int[42][][]; // $ Alert //NOT OK - public static final int[] bad_separate_init; //NOT OK + public static final int[] bad_separate_init; // $ Alert //NOT OK static { bad_separate_init = new int[42]; @@ -23,6 +23,6 @@ class StaticArray public static final int[] good_empty = new int[0]; //OK (empty array creation) public static final int[] good_empty2 = {}; //OK (empty array literal) public static final int[][] good_empty_multidimensional = new int[0][42]; //OK (empty array) - public static final int[][] bad_nonempty = { {} }; //NOT OK (first dimension is 1, so not empty) + public static final int[][] bad_nonempty = { {} }; // $ Alert //NOT OK (first dimension is 1, so not empty) } diff --git a/java/ql/test/query-tests/StaticArray/StaticArray.qlref b/java/ql/test/query-tests/StaticArray/StaticArray.qlref index 1c28ac13a166..f0cae39a882e 100644 --- a/java/ql/test/query-tests/StaticArray/StaticArray.qlref +++ b/java/ql/test/query-tests/StaticArray/StaticArray.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Implementation Hiding/StaticArray.ql \ No newline at end of file +query: Violations of Best Practice/Implementation Hiding/StaticArray.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/StringComparison/StringComparison.java b/java/ql/test/query-tests/StringComparison/StringComparison.java index e777b75a3f1e..f1156a3e706a 100644 
--- a/java/ql/test/query-tests/StringComparison/StringComparison.java +++ b/java/ql/test/query-tests/StringComparison/StringComparison.java @@ -20,13 +20,13 @@ public void test(String param) { if("".equals(variable)) return; // NOT OK - if("" == variable) + if("" == variable) // $ Alert return; // NOT OK - if("" == param) + if("" == param) // $ Alert return; // NOT OK - if("" == variable2) + if("" == variable2) // $ Alert return; } } diff --git a/java/ql/test/query-tests/StringComparison/StringComparison.qlref b/java/ql/test/query-tests/StringComparison/StringComparison.qlref index a50debd9378d..ecf6c270f7ea 100644 --- a/java/ql/test/query-tests/StringComparison/StringComparison.qlref +++ b/java/ql/test/query-tests/StringComparison/StringComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/StringComparison.ql \ No newline at end of file +query: Likely Bugs/Comparison/StringComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/StringFormat/A.java b/java/ql/test/query-tests/StringFormat/A.java index ff87290bcc9d..88d651c87253 100644 --- a/java/ql/test/query-tests/StringFormat/A.java +++ b/java/ql/test/query-tests/StringFormat/A.java 
@@ -6,28 +6,28 @@ public class A { void f_string() { - String.format("%s%s", ""); // missing + String.format("%s%s", ""); // $ Alert[java/missing-format-argument] // missing } void f_formatter(Formatter x) { - x.format("%s%s", ""); // missing + x.format("%s%s", ""); // $ Alert[java/missing-format-argument] // missing } void f_printstream(PrintStream x) { - x.format("%s%s", ""); // missing - x.printf("%s%s", ""); // missing + x.format("%s%s", ""); // $ Alert[java/missing-format-argument] // missing + x.printf("%s%s", ""); // $ Alert[java/missing-format-argument] // missing } void f_printwriter(PrintWriter x) { - x.format("%s%s", ""); // missing - x.printf("%s%s", ""); // missing + x.format("%s%s", ""); // $ Alert[java/missing-format-argument] // missing + x.printf("%s%s", ""); // $ Alert[java/missing-format-argument] // missing } void f_console(Console x) { - x.format("%s%s", ""); // missing - x.printf("%s%s", ""); // missing - x.readLine("%s%s", ""); // missing - x.readPassword("%s%s", ""); // missing + x.format("%s%s", ""); // $ Alert[java/missing-format-argument] // missing + x.printf("%s%s", ""); // $ Alert[java/missing-format-argument] // missing + x.readLine("%s%s", ""); // $ Alert[java/missing-format-argument] // missing + x.readPassword("%s%s", ""); // $ Alert[java/missing-format-argument] // missing } void custom_format(Object o, String fmt, Object... args) { 
@@ -35,20 +35,20 @@ void custom_format(Object o, String fmt, Object... args) { } void f_wrapper() { - custom_format(new Object(), "%s%s", ""); // missing + custom_format(new Object(), "%s%s", ""); // $ Alert[java/missing-format-argument] // missing } void f() { - String.format("%s", "", ""); // unused - String.format("s", ""); // unused - String.format("%2$s %2$s", "", ""); // unused + String.format("%s", "", ""); // $ Alert[java/unused-format-argument] // unused + String.format("s", ""); // $ Alert[java/unused-format-argument] // unused + String.format("%2$s %2$s", "", ""); // $ Alert[java/unused-format-argument] // unused String.format("%2$s %1$s", "", ""); // ok - String.format("%2$s %s", ""); // missing - String.format("%s% { T t; void test(String s) { - t.equals(s); + t.equals(s); // $ Alert[java/equals-on-unrelated-types] t.equals(this); } } diff --git a/java/ql/test/query-tests/TypeMismatch/incomparable_equals/F.java b/java/ql/test/query-tests/TypeMismatch/incomparable_equals/F.java index 52c41537437c..a87667dd9d4f 100644 --- a/java/ql/test/query-tests/TypeMismatch/incomparable_equals/F.java +++ b/java/ql/test/query-tests/TypeMismatch/incomparable_equals/F.java @@ -2,6 +2,6 @@ public class F { void m(int[] l, int[][] r) { - l.equals(r); + l.equals(r); // $ Alert[java/equals-on-unrelated-types] } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/TypeMismatch/remove_type_mismatch/A.java b/java/ql/test/query-tests/TypeMismatch/remove_type_mismatch/A.java index 92b369da370b..1dd72e432409 100644 --- a/java/ql/test/query-tests/TypeMismatch/remove_type_mismatch/A.java +++ b/java/ql/test/query-tests/TypeMismatch/remove_type_mismatch/A.java @@ -4,12 +4,12 @@ public class A { void test1(Collection c, String s, StringBuffer b) { - c.remove(s); + c.remove(s); // $ Alert[java/type-mismatch-modification] c.remove(b); } void test2(Collection c, A a, String b) { - c.remove(a); + c.remove(a); // $ Alert[java/type-mismatch-modification] c.remove(b); } } 
@@ -20,7 +20,7 @@ class TestB { Collection coll2 = null; Collection coll3; { - coll3.remove(""); + coll3.remove(""); // $ Alert[java/type-mismatch-modification] } } @@ -30,7 +30,7 @@ class MyIntList extends java.util.LinkedList { class TestC { MyIntList mil; { - mil.remove(""); + mil.remove(""); // $ Alert[java/type-mismatch-modification] } } @@ -40,6 +40,6 @@ class MyOtherIntList extends java.util.LinkedList { class TestD { MyOtherIntList moil; { - moil.remove(""); + moil.remove(""); // $ Alert[java/type-mismatch-modification] } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/UnreadLocal/A.java b/java/ql/test/query-tests/UnreadLocal/A.java index 5591df08634c..928de6cd48c5 100644 --- a/java/ql/test/query-tests/UnreadLocal/A.java +++ b/java/ql/test/query-tests/UnreadLocal/A.java @@ -26,18 +26,18 @@ public long ex1(int i, int w1, int w2, int w3, long[][][] bits) { public void ex2() { for (int i = 0; i < 5; i++) { int x = 42; - x = x + 3; // DEAD + x = x + 3; // $ Alert[java/useless-assignment-to-local] // DEAD } } public int ex3(int param) { - param += 3; // DEAD + param += 3; // $ Alert[java/overwritten-assignment-to-local] // DEAD param = 4; int x = 7; - ++x; // DEAD + ++x; // $ Alert[java/overwritten-assignment-to-local] // DEAD x = 10; int y = 5; - y = (++y) + 5; // DEAD (++y) + y = (++y) + 5; // $ Alert[java/overwritten-assignment-to-local] // DEAD (++y) return x + y + param; } @@ -52,7 +52,7 @@ public void ex4() { } int x; try { - x = 5; // DEAD + x = 5; // $ Alert[java/overwritten-assignment-to-local] // DEAD ex3(0); x = 7; ex3(x); @@ -61,7 +61,7 @@ public void ex4() { boolean valid; try { if (ex3(4) > 4) { - valid = false; // DEAD + valid = false; // $ Alert[java/overwritten-assignment-to-local] // DEAD } ex3(0); valid = true; diff --git a/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocal.qlref b/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocal.qlref index ece72e5295b5..86820a141226 100644 
--- a/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocal.qlref +++ b/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocal.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Dead Code/DeadStoreOfLocal.ql +query: Violations of Best Practice/Dead Code/DeadStoreOfLocal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocalUnread.qlref b/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocalUnread.qlref index c3fbaae6b813..81c434f66061 100644 --- a/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocalUnread.qlref +++ b/java/ql/test/query-tests/UnreadLocal/DeadStoreOfLocalUnread.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Dead Code/DeadStoreOfLocalUnread.ql +query: Violations of Best Practice/Dead Code/DeadStoreOfLocalUnread.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/UnreadLocal/UnreadLocal.qlref b/java/ql/test/query-tests/UnreadLocal/UnreadLocal.qlref index 5a77117711ed..dc6fb57ca6a3 100644 --- a/java/ql/test/query-tests/UnreadLocal/UnreadLocal.qlref +++ b/java/ql/test/query-tests/UnreadLocal/UnreadLocal.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Dead Code/UnreadLocal.ql +query: Violations of Best Practice/Dead Code/UnreadLocal.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/UnreadLocal/UnreadLocal/ImplicitReads.java b/java/ql/test/query-tests/UnreadLocal/UnreadLocal/ImplicitReads.java index bd87047a0861..236b97562f70 100644 --- a/java/ql/test/query-tests/UnreadLocal/UnreadLocal/ImplicitReads.java +++ b/java/ql/test/query-tests/UnreadLocal/UnreadLocal/ImplicitReads.java @@ -35,7 +35,7 @@ public void test2(B b) System.out.println("test"); } // Assignment is useless - c = b; + c = b; // $ Alert[java/useless-assignment-to-local] // Not flagged due to implicit read in implicit finally block try(B d = b) {} } 
diff --git a/java/ql/test/query-tests/UnreadLocal/UnreadLocal/UnreadLocals.java b/java/ql/test/query-tests/UnreadLocal/UnreadLocal/UnreadLocals.java index 305b3947de6b..5b2168b79d3f 100644 --- a/java/ql/test/query-tests/UnreadLocal/UnreadLocal/UnreadLocals.java +++ b/java/ql/test/query-tests/UnreadLocal/UnreadLocal/UnreadLocals.java @@ -14,13 +14,13 @@ public static class Something public UnreadLocals () { - int alpha = 2; + int alpha = 2; // $ Alert[java/local-variable-is-never-read] int _beta = 4; this.alpha = 3; beta = _beta; Something something1 = new Something(); - Something something2 = new Something(); + Something something2 = new Something(); // $ Alert[java/local-variable-is-never-read] something = something1; diff --git a/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.java b/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.java index 2aadb5044be6..4b97a239be4c 100644 --- a/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.java +++ b/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.java @@ -12,7 +12,7 @@ void g() throws RuntimeException { } MyLock mylock = new MyLock(); void bad1() { - mylock.lock(); + mylock.lock(); // $ Alert f(); mylock.unlock(); } @@ -27,7 +27,7 @@ void good2() { } void bad3() { - mylock.lock(); + mylock.lock(); // $ Alert f(); try { g(); @@ -37,7 +37,7 @@ void bad3() { } void bad4() { - mylock.lock(); + mylock.lock(); // $ Alert try { f(); } finally { @@ -47,7 +47,7 @@ void bad4() { } void bad5(boolean lockmore) { - mylock.lock(); + mylock.lock(); // $ Alert try { f(); if (lockmore) { @@ -69,7 +69,7 @@ void good6() { } void bad7() { - if (!mylock.tryLock()) { return; } + if (!mylock.tryLock()) { return; } // $ Alert f(); mylock.unlock(); } @@ -111,7 +111,7 @@ void good9() { void bad10() { boolean locked = false; try { - locked = mylock.tryLock(); + locked = mylock.tryLock(); // $ Alert if (!locked) { return; } } finally { if (locked) { 
diff --git a/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.qlref b/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.qlref index 34ea40ac5662..37dfff0e946d 100644 --- a/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.qlref +++ b/java/ql/test/query-tests/UnreleasedLock/UnreleasedLock.qlref @@ -1 +1,2 @@ -Likely Bugs/Concurrency/UnreleasedLock.ql +query: Likely Bugs/Concurrency/UnreleasedLock.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/UseBraces/UseBraces.java b/java/ql/test/query-tests/UseBraces/UseBraces.java index 756050b2c440..0177d68571ef 100644 --- a/java/ql/test/query-tests/UseBraces/UseBraces.java +++ b/java/ql/test/query-tests/UseBraces/UseBraces.java @@ -25,11 +25,11 @@ void test(boolean bb) g(); // No alert if(1==1) - f(); + f(); // $ Alert g(); // Alert if(1==1) - f(); g(); // Alert + f(); g(); // $ Alert // Alert // If-then-else statement @@ -55,7 +55,7 @@ void test(boolean bb) f(); } else - f(); + f(); // $ Alert g(); // Alert if(true) @@ -63,7 +63,7 @@ void test(boolean bb) f(); } else - f(); g(); // Alert + f(); g(); // $ Alert // Alert // While statement @@ -79,12 +79,12 @@ void test(boolean bb) g(); while(bb ) - f(); + f(); // $ Alert g(); // Alert g(); // No alert while(bb ) - f(); g(); // Alert + f(); g(); // $ Alert // Alert while(bb) @@ -109,11 +109,11 @@ void test(boolean bb) g(); for(int i=0; i<10; ++i) - f(); + f(); // $ Alert g(); // Alert for(int i=0; i<10; ++i) - f(); g(); // Alert + f(); g(); // $ Alert // Alert // Foreach statement @@ -129,11 +129,11 @@ void test(boolean bb) f(); for( int b : branches) - f(); + f(); // $ Alert g(); // Alert for( int b : branches) - f(); g(); // Alert + f(); g(); // $ Alert // Alert // Nested ifs if( true ) @@ -142,7 +142,7 @@ void test(boolean bb) g(); // No alert if( true ) - if(false) + if(false) // $ Alert f(); g(); // Alert 
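Review bot: In UseBraces.java the new `// $ Alert` markers are on the `f();` line (or on the nested `if`/`while` line), while the older free-text `// Alert` comments remain on the following `g();` lines, so the file now shows two different lines as the alert site. Only the `$`-prefixed comment is read as an expectation, so the leftover comments should describe the problem instead, for example `g(); // misleadingly indented, not part of the if`. On the one-line cases, `f(); g(); // $ Alert // Alert` can be shortened to `f(); g(); // $ Alert`. The same applies to the later hunks of this file at 163, 173 and 183; `test` starts and ends outside these hunks.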
@@ -163,7 +163,7 @@ void test(boolean bb) if( true ) ; else if (false) - f(); + f(); // $ Alert g(); // Alert // Nested combinations @@ -173,7 +173,7 @@ else if (false) g(); // No alert if (true) - while (x<10) + while (x<10) // $ Alert f(); g(); // Alert @@ -183,7 +183,7 @@ else if (false) g(); // No alert while (x<10) - if (true) + if (true) // $ Alert f(); g(); // Alert diff --git a/java/ql/test/query-tests/UseBraces/UseBraces.qlref b/java/ql/test/query-tests/UseBraces/UseBraces.qlref index 5d1d4a063882..e89389461d72 100644 --- a/java/ql/test/query-tests/UseBraces/UseBraces.qlref +++ b/java/ql/test/query-tests/UseBraces/UseBraces.qlref @@ -1 +1,2 @@ -Likely Bugs/Statements/UseBraces.ql +query: Likely Bugs/Statements/UseBraces.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/UselessComparisonTest/A.java b/java/ql/test/query-tests/UselessComparisonTest/A.java index abc525ff20dc..a7689b49c523 100644 --- a/java/ql/test/query-tests/UselessComparisonTest/A.java +++ b/java/ql/test/query-tests/UselessComparisonTest/A.java 
@@ -12,35 +12,35 @@ void test(int x, int y) { x++; if (x - 1 == 2) return; x--; - if (x >= 2) unreachable(); // useless test + if (x >= 2) unreachable(); // $ Alert // useless test } if (y > 0) { int z = (x >= 0) ? x : y; - if (z < 0) unreachable(); // useless test + if (z < 0) unreachable(); // $ Alert // useless test } int k; while ((k = getInt()) >= 0) { - if (k < 0) unreachable(); // useless test + if (k < 0) unreachable(); // $ Alert // useless test } if (x > 0) { int z = x & y; - if (!(z <= x)) unreachable(); // useless test + if (!(z <= x)) unreachable(); // $ Alert // useless test } if (x % 2 == 0) { for (int i = 0; i < x; i+=2) { - if (i + 1 >= x) unreachable(); // useless test + if (i + 1 >= x) unreachable(); // $ Alert // useless test } } int r = new Random().nextInt(x); - if (r >= x) unreachable(); // useless test + if (r >= x) unreachable(); // $ Alert // useless test - if (x > Math.max(x, y)) unreachable(); // useless test - if (x < Math.min(x, y)) unreachable(); // useless test + if (x > Math.max(x, y)) unreachable(); // $ Alert // useless test + if (x < Math.min(x, y)) unreachable(); // $ Alert // useless test int w; if (x > 7) { @@ -52,17 +52,17 @@ void test(int x, int y) { } w--; w -= 2; - if (w <= 5) unreachable(); // useless test + if (w <= 5) unreachable(); // $ Alert // useless test while ((w--) > 0) { - if (w < 0) unreachable(); // useless test + if (w < 0) unreachable(); // $ Alert // useless test } - if (w != -1) unreachable(); // useless test + if (w != -1) unreachable(); // $ Alert // useless test if (x > 20) { int i; for (i = x; i > 0; i--) { } - if (i != 0) unreachable(); // useless test + if (i != 0) unreachable(); // $ Alert // useless test } if (getInt() > 0) { @@ -73,7 +73,7 @@ void test(int x, int y) { } else { if (z >= 4) return; } - if (z >= 4) unreachable(); // useless test + if (z >= 4) unreachable(); // $ Alert // useless test } int length = getInt(); 
@@ -81,11 +81,11 @@ void test(int x, int y) { int cnt = getInt(); length -= cnt; } - for (int i = 0; i < length; ++i) { } // useless test + for (int i = 0; i < length; ++i) { } // $ Alert // useless test int b = getInt(); if (b > 4) b = 8; - if (b > 8) unreachable(); // useless test + if (b > 8) unreachable(); // $ Alert // useless test int sz = getInt(); if (0 < x && x < sz) { diff --git a/java/ql/test/query-tests/UselessComparisonTest/CharLiterals.java b/java/ql/test/query-tests/UselessComparisonTest/CharLiterals.java index ac90e911ca61..90d8ee0b8830 100644 --- a/java/ql/test/query-tests/UselessComparisonTest/CharLiterals.java +++ b/java/ql/test/query-tests/UselessComparisonTest/CharLiterals.java @@ -1,7 +1,7 @@ public class CharLiterals { public static boolean redundantSurrogateRange(char c) { if(c >= '\uda00') { - if(c >= '\ud900') { + if(c >= '\ud900') { // $ Alert return true; } } @@ -19,7 +19,7 @@ public static boolean goodSurrogateRange(char c) { public static boolean redundantNonSurrogateRange(char c) { if(c >= 'b') { - if(c >= 'a') { + if(c >= 'a') { // $ Alert return true; } } @@ -39,7 +39,7 @@ public static boolean redundantSurrogateEquality(char c) { if(c == '\uda00') { return true; } - else if(c == '\uda00') { + else if(c == '\uda00') { // $ Alert return true; } return false; @@ -59,7 +59,7 @@ public static boolean redundantNonSurrogateEquality(char c) { if(c == 'a') { return true; } - else if(c == 'a') { + else if(c == 'a') { // $ Alert return true; } return false; diff --git a/java/ql/test/query-tests/UselessComparisonTest/Test.java b/java/ql/test/query-tests/UselessComparisonTest/Test.java index eafac84dea52..a4c8e31706f8 100644 --- a/java/ql/test/query-tests/UselessComparisonTest/Test.java +++ b/java/ql/test/query-tests/UselessComparisonTest/Test.java 
@@ -6,28 +6,28 @@ void test(int x) { throw new Error(); } int y = 0; - if (x >= 0) y++; // useless test due to test in line 5 being false - if (z >= 0) y++; // useless test due to test in line 5 being false + if (x >= 0) y++; // $ Alert // useless test due to test in line 5 being false + if (z >= 0) y++; // $ Alert // useless test due to test in line 5 being false while(x >= 0) { if (y < 10) { z++; - if (y == 15) z++; // useless test due to test in line 12 being true + if (y == 15) z++; // $ Alert // useless test due to test in line 12 being true y++; z--; - } else if (y > 7) { // useless test due to test in line 12 being false + } else if (y > 7) { // $ Alert // useless test due to test in line 12 being false y--; } - if (!(y != 5) && z >= 0) { // z >= 0 is always true due to line 5 (and z being increasing) - int w = y < 3 ? 0 : 1; // useless test due to test in line 20 being true + if (!(y != 5) && z >= 0) { // $ Alert // z >= 0 is always true due to line 5 (and z being increasing) + int w = y < 3 ? 0 : 1; // $ Alert // useless test due to test in line 20 being true } x--; } } void test2(int x) { if (x != 0) { - int w = x == 0 ? 1 : 2; // useless test due to test in line 27 being true + int w = x == 0 ? 1 : 2; // $ Alert // useless test due to test in line 27 being true x--; - } else if (x == 0) { // useless test due to test in line 27 being false + } else if (x == 0) { // $ Alert // useless test due to test in line 27 being false x++; } } diff --git a/java/ql/test/query-tests/UselessComparisonTest/UselessComparisonTest.qlref b/java/ql/test/query-tests/UselessComparisonTest/UselessComparisonTest.qlref index d567af5db1b0..fc8aaa7ab6f3 100644 --- a/java/ql/test/query-tests/UselessComparisonTest/UselessComparisonTest.qlref +++ b/java/ql/test/query-tests/UselessComparisonTest/UselessComparisonTest.qlref 
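Review bot: The explanatory comments kept after each `// $ Alert` in UselessComparisonTest/Test.java still refer to absolute line numbers ("test in line 5", "line 12", "line 20", "line 27"), which go stale as soon as a line is added above them. Since the expectations now live in the source file and will be edited there, the comments should name the guarding condition rather than its line, for example `// $ Alert // always false inside the y < 10 branch` for the `y == 15` test. The line `if (!(y != 5) && z >= 0) { // $ Alert` holds two comparisons, and its comment already says that `z >= 0` is the flagged one, so keep that wording.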
@@ -1 +1,2 @@ -Likely Bugs/Comparison/UselessComparisonTest.ql +query: Likely Bugs/Comparison/UselessComparisonTest.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/UselessNullCheck/A.java b/java/ql/test/query-tests/UselessNullCheck/A.java index 009f5efadd3a..232534c0e7fb 100644 --- a/java/ql/test/query-tests/UselessNullCheck/A.java +++ b/java/ql/test/query-tests/UselessNullCheck/A.java @@ -1,12 +1,12 @@ public class A { void f() { Object o = new Object(); - if (o == null) { } // Useless check - if (o != null) { } // Useless check + if (o == null) { } // $ Alert // Useless check + if (o != null) { } // $ Alert // Useless check try { new Object(); } catch(Exception e) { - if (e == null) { // Useless check + if (e == null) { // $ Alert // Useless check throw new Error(); } } @@ -15,7 +15,7 @@ void f() { void g(Object o) { if (o instanceof A) { A a = (A)o; - if (a != null) { // Useless check + if (a != null) { // $ Alert // Useless check throw new Error(); } } @@ -28,7 +28,7 @@ interface I { I h() { final A x = this; return () -> { - if (x != null) { // Useless check + if (x != null) { // $ Alert // Useless check return x; } return new A(); @@ -37,9 +37,9 @@ I h() { Object f2(Object x) { if (x == null) { - return this != null ? this : null; // Useless check + return this != null ? this : null; // $ Alert // Useless check } - if (x != null) { // Useless check + if (x != null) { // $ Alert // Useless check return x; } return null; @@ -49,7 +49,7 @@ Object f2(Object x) { public void ex12() { finalObj.hashCode(); - if (finalObj != null) { // Useless check + if (finalObj != null) { // $ Alert // Useless check finalObj.hashCode(); } } diff --git a/java/ql/test/query-tests/UselessNullCheck/UselessNullCheck.qlref b/java/ql/test/query-tests/UselessNullCheck/UselessNullCheck.qlref index 8b5a095d396f..68c4adcf4287 100644 --- a/java/ql/test/query-tests/UselessNullCheck/UselessNullCheck.qlref 
+++ b/java/ql/test/query-tests/UselessNullCheck/UselessNullCheck.qlref @@ -1 +1,2 @@ -Language Abuse/UselessNullCheck.ql +query: Language Abuse/UselessNullCheck.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/UselessUpcast/Test.java b/java/ql/test/query-tests/UselessUpcast/Test.java index 497957da5f75..68debb060295 100644 --- a/java/ql/test/query-tests/UselessUpcast/Test.java +++ b/java/ql/test/query-tests/UselessUpcast/Test.java @@ -18,11 +18,11 @@ class Test extends TestSuper { // OK new Test((Super)s); // NOT OK - Super o = (Super)s; + Super o = (Super)s; // $ Alert // OK foo((Super)s); // NOT OK - bar((Super)s); + bar((Super)s); // $ Alert // OK baz((Super)s); // OK @@ -37,4 +37,4 @@ void foo(Sub s) {} void bar(Super o) {} void baz(Super o) {} -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/UselessUpcast/Test2.java b/java/ql/test/query-tests/UselessUpcast/Test2.java index 0ae86ec79239..c1c884b5b007 100644 --- a/java/ql/test/query-tests/UselessUpcast/Test2.java +++ b/java/ql/test/query-tests/UselessUpcast/Test2.java @@ -5,7 +5,7 @@ public class Test2 { public static void main(Sub[] args) { Map m = new HashMap<>(); Sub k = null, v = null; - m.put(k, (Super) v); + m.put(k, (Super) v); // $ Alert m.put(k, v); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/UselessUpcast/UselessUpcast.qlref b/java/ql/test/query-tests/UselessUpcast/UselessUpcast.qlref index f0a49b78b14b..d48a3f989428 100644 --- a/java/ql/test/query-tests/UselessUpcast/UselessUpcast.qlref +++ b/java/ql/test/query-tests/UselessUpcast/UselessUpcast.qlref @@ -1 +1,2 @@ -Language Abuse/UselessUpcast.ql \ No newline at end of file +query: Language Abuse/UselessUpcast.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.java b/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.java index db76f4f73559..227f04137d55 100644 --- a/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.java +++ b/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.java @@ -1,6 +1,6 @@ public class WhitespaceContradictsPrecedence { int bad(int x) { - return x + x>>1; + return x + x>>1; // $ Alert } int ok1(int x) { @@ -26,4 +26,4 @@ int ok5(int x, int y, int z) { int ok6(int x) { return x + x>> 1; } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref b/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref index e8331b4132f1..470fdcfe2731 100644 --- a/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref +++ b/java/ql/test/query-tests/WhitespaceContradictsPrecedence/WhitespaceContradictsPrecedence.qlref @@ -1 +1,2 @@ -Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql \ No newline at end of file +query: Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/WriteOnlyContainer/CollectionTest.java b/java/ql/test/query-tests/WriteOnlyContainer/CollectionTest.java index f6dced779fa7..2f57771ceae8 100644 --- a/java/ql/test/query-tests/WriteOnlyContainer/CollectionTest.java +++ b/java/ql/test/query-tests/WriteOnlyContainer/CollectionTest.java @@ -35,7 +35,7 @@ public void n(Collection> ss) { } // should be flagged - private List useless = new ArrayList(); + private List useless = new ArrayList(); // $ Alert { useless.add(23); useless.remove(0); 
@@ -49,4 +49,4 @@ public void n(Collection> ss) { @interface MyReflectionAnnotation {} @MyReflectionAnnotation private List l8 = new ArrayList(); -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/WriteOnlyContainer/MapTest.java b/java/ql/test/query-tests/WriteOnlyContainer/MapTest.java index 201b7134af5d..ee7071513c04 100644 --- a/java/ql/test/query-tests/WriteOnlyContainer/MapTest.java +++ b/java/ql/test/query-tests/WriteOnlyContainer/MapTest.java @@ -35,7 +35,7 @@ public void n(Collection> ms) { } // should be flagged - private Map useless = new HashMap(); + private Map useless = new HashMap(); // $ Alert { useless.put("hello", 23); useless.remove("hello"); @@ -49,4 +49,4 @@ public void n(Collection> ms) { @interface MyReflectionAnnotation {} @MyReflectionAnnotation private Map l8 = new HashMap(); -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref b/java/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref index fc4d4c2a39b4..9d2057a3d375 100644 --- a/java/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref +++ b/java/ql/test/query-tests/WriteOnlyContainer/WriteOnlyContainer.qlref @@ -1 +1,2 @@ -Likely Bugs/Collections/WriteOnlyContainer.ql \ No newline at end of file +query: Likely Bugs/Collections/WriteOnlyContainer.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/WrongNanComparison/Test.java b/java/ql/test/query-tests/WrongNanComparison/Test.java index 230918184120..3bf6a12fd40f 100644 --- a/java/ql/test/query-tests/WrongNanComparison/Test.java +++ b/java/ql/test/query-tests/WrongNanComparison/Test.java @@ -1,6 +1,6 @@ class Test { void f(double x, float y) { - if (x == Double.NaN) return; - if (y == Float.NaN) return; + if (x == Double.NaN) return; // $ Alert + if (y == Float.NaN) return; // $ Alert } } 
diff --git a/java/ql/test/query-tests/WrongNanComparison/WrongNanComparison.qlref b/java/ql/test/query-tests/WrongNanComparison/WrongNanComparison.qlref index 09e54ee1c1e3..f22a56542557 100644 --- a/java/ql/test/query-tests/WrongNanComparison/WrongNanComparison.qlref +++ b/java/ql/test/query-tests/WrongNanComparison/WrongNanComparison.qlref @@ -1 +1,2 @@ -Likely Bugs/Comparison/WrongNanComparison.ql +query: Likely Bugs/Comparison/WrongNanComparison.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/dead-code/DeadCallable/DeadCallable.qlref b/java/ql/test/query-tests/dead-code/DeadCallable/DeadCallable.qlref index 76204a1df5a4..743a5f157755 100644 --- a/java/ql/test/query-tests/dead-code/DeadCallable/DeadCallable.qlref +++ b/java/ql/test/query-tests/dead-code/DeadCallable/DeadCallable.qlref @@ -1 +1,2 @@ -DeadCode/DeadMethod.ql +query: DeadCode/DeadMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/dead-code/DeadCallable/Main.java b/java/ql/test/query-tests/dead-code/DeadCallable/Main.java index 46153987d9ab..55de2248270f 100644 --- a/java/ql/test/query-tests/dead-code/DeadCallable/Main.java +++ b/java/ql/test/query-tests/dead-code/DeadCallable/Main.java @@ -1,17 +1,17 @@ -public class Main { +public class Main { // $ Alert private static String ss = "a"; private static String ss2 = "b"; private final String is = "a"; private final String is2 = "b"; - private void unused() { + private void unused() { // $ Alert indirectlyUnused(); } - private void indirectlyUnused() {} + private void indirectlyUnused() {} // $ Alert - private void foo() { bar(); } - private void bar() { foo(); } + private void foo() { bar(); } // $ Alert + private void bar() { foo(); } // $ Alert public static void main(String[] args) {} } 
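Review bot: In DeadCallable/Main.java the marker on `public class Main { // $ Alert` does not say which callable is expected to be reported, and the test runs DeadCode/DeadMethod.ql, which reports callables rather than classes. Presumably the result is for the implicit default constructor, whose location is the class declaration; that should be confirmed against the query output. If so, a trailing note makes the intent readable: `public class Main { // $ Alert // implicit default constructor is never called`.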
diff --git a/java/ql/test/query-tests/dead-code/DeadClass/DeadClass.qlref b/java/ql/test/query-tests/dead-code/DeadClass/DeadClass.qlref index d726e7e08496..b94832ebfca9 100644 --- a/java/ql/test/query-tests/dead-code/DeadClass/DeadClass.qlref +++ b/java/ql/test/query-tests/dead-code/DeadClass/DeadClass.qlref @@ -1 +1,2 @@ -DeadCode/DeadClass.ql +query: DeadCode/DeadClass.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/dead-code/DeadClass/DeadEnumTest.java b/java/ql/test/query-tests/dead-code/DeadClass/DeadEnumTest.java index 7e760a16e42d..3163bb14dff6 100644 --- a/java/ql/test/query-tests/dead-code/DeadClass/DeadEnumTest.java +++ b/java/ql/test/query-tests/dead-code/DeadClass/DeadEnumTest.java @@ -1,5 +1,5 @@ public class DeadEnumTest { - public enum DeadEnum { + public enum DeadEnum { // $ Alert A } diff --git a/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadCodeCycle.java b/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadCodeCycle.java index ab6fab276ff3..40f661e602b8 100644 --- a/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadCodeCycle.java +++ b/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadCodeCycle.java @@ -5,7 +5,7 @@ public class ExternalDeadCodeCycle { * This class should be marked as being only used from a dead code cycle, because the dead-code * cycle is external to the class. */ - public static class DeadClass { + public static class DeadClass { // $ Alert public static void deadMethod() { } } diff --git a/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadRoot.java b/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadRoot.java index e239e2bbec82..dbdec26093d5 100644 --- a/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadRoot.java +++ b/java/ql/test/query-tests/dead-code/DeadClass/ExternalDeadRoot.java 
@@ -5,7 +5,7 @@ public class ExternalDeadRoot { * This class should be marked as only being used by the "outerDeadRoot()". The * "innerDeadRoot()" should not be reported as a dead root, as it is internal to the class. */ - public static class DeadClass { + public static class DeadClass { // $ Alert public static void innerDeadRoot() { } diff --git a/java/ql/test/query-tests/dead-code/DeadClass/InternalDeadCodeCycle.java b/java/ql/test/query-tests/dead-code/DeadClass/InternalDeadCodeCycle.java index 94079d6198c5..cd0028d3a16b 100644 --- a/java/ql/test/query-tests/dead-code/DeadClass/InternalDeadCodeCycle.java +++ b/java/ql/test/query-tests/dead-code/DeadClass/InternalDeadCodeCycle.java @@ -1,7 +1,7 @@ /** * This class should be marked as entirely unused. */ -public class InternalDeadCodeCycle { +public class InternalDeadCodeCycle { // $ Alert public void foo() { bar(); diff --git a/java/ql/test/query-tests/dead-code/DeadClass/NamespaceTest.java b/java/ql/test/query-tests/dead-code/DeadClass/NamespaceTest.java index f0ae44f2bf79..12b7f547aee8 100644 --- a/java/ql/test/query-tests/dead-code/DeadClass/NamespaceTest.java +++ b/java/ql/test/query-tests/dead-code/DeadClass/NamespaceTest.java @@ -32,7 +32,7 @@ public static enum LiveInnerClass3 { * This class is not a namespace class, because it has an instance method. The nested live class * should not make the NonNamespaceClass live. */ - public static class NonNamespaceClass { + public static class NonNamespaceClass { // $ Alert public static class LiveInnerClass2 { } diff --git a/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstant.qlref b/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstant.qlref index 45725063f34b..7e720934da45 100644 --- a/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstant.qlref +++ b/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstant.qlref 
@@ -1 +1,2 @@ -DeadCode/DeadEnumConstant.ql +query: DeadCode/DeadEnumConstant.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstantTest.java b/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstantTest.java index ef6b2686b756..3e16c5305e4b 100644 --- a/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstantTest.java +++ b/java/ql/test/query-tests/dead-code/DeadEnumConstant/DeadEnumConstantTest.java @@ -5,8 +5,8 @@ public class DeadEnumConstantTest { public @interface MyAnnotation{}; public static enum E1{ - unused1, - unused2, + unused1, // $ Alert + unused2, // $ Alert @MyAnnotation ok1, // constants with reflective annotations should be ignored diff --git a/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueTest.java b/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueTest.java index 007915b161b4..0dbfb578aa7d 100644 --- a/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueTest.java +++ b/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueTest.java @@ -8,7 +8,7 @@ public class AnnotationValueTest { public static String liveField = ""; @TestAnnotation(value = AnnotationValueUtil.DEAD_STRING_CONSTANT_FIELD) - public static String deadField = ""; + public static String deadField = ""; // $ Alert @TestAnnotation(value = { AnnotationValueUtil.LIVE_STRING_CONSTANT_METHOD }) public static void liveMethod() { diff --git a/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueUtil.java b/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueUtil.java index 95a7129286f8..0511eecb14ae 100644 --- a/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueUtil.java +++ b/java/ql/test/query-tests/dead-code/DeadField/AnnotationValueUtil.java 
@@ -19,9 +19,9 @@ public class AnnotationValueUtil { /** * These three should be dead because they are used as annotation values on dead fields/methods/classes. */ - public static final String DEAD_STRING_CONSTANT_FIELD = "A string constant."; - public static final String DEAD_STRING_CONSTANT_METHOD = "A string constant."; - public static final String DEAD_STRING_CONSTANT_CLASS = "A string constant."; + public static final String DEAD_STRING_CONSTANT_FIELD = "A string constant."; // $ Alert + public static final String DEAD_STRING_CONSTANT_METHOD = "A string constant."; // $ Alert + public static final String DEAD_STRING_CONSTANT_CLASS = "A string constant."; // $ Alert public static void main(String[] args) { // Ensure outer class is live. diff --git a/java/ql/test/query-tests/dead-code/DeadField/BasicTest.java b/java/ql/test/query-tests/dead-code/DeadField/BasicTest.java index 453469d177aa..4a65ad28e405 100644 --- a/java/ql/test/query-tests/dead-code/DeadField/BasicTest.java +++ b/java/ql/test/query-tests/dead-code/DeadField/BasicTest.java @@ -1,8 +1,8 @@ public class BasicTest { - private static String deadStaticField = "Dead"; + private static String deadStaticField = "Dead"; // $ Alert private static String liveStaticField = "Live"; - private String deadField; - private String deadCycleField; + private String deadField; // $ Alert + private String deadCycleField; // $ Alert private String liveField; public BasicTest(String deadField, String liveField) { diff --git a/java/ql/test/query-tests/dead-code/DeadField/DeadField.qlref b/java/ql/test/query-tests/dead-code/DeadField/DeadField.qlref index 42d37e49f2fa..fdae92e4d92e 100644 --- a/java/ql/test/query-tests/dead-code/DeadField/DeadField.qlref +++ b/java/ql/test/query-tests/dead-code/DeadField/DeadField.qlref @@ -1 +1,2 @@ -DeadCode/DeadField.ql +query: DeadCode/DeadField.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java b/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java index 72ca3ae46f6c..ca64e642fd4d 100644 --- a/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java +++ b/java/ql/test/query-tests/dead-code/DeadField/ReflectionTest.java @@ -2,11 +2,11 @@ public class ReflectionTest { public static class ParentClass { // Not live - private int notInheritedField; + private int notInheritedField; // $ Alert // Live because it is accessed through ChildClass public int inheritedField; // Not live because it is shadowed by the child - public int shadowedField; + public int shadowedField; // $ Alert } public static class ChildClass extends ParentClass { diff --git a/java/ql/test/query-tests/dead-code/DeadMethod/DeadMethod.qlref b/java/ql/test/query-tests/dead-code/DeadMethod/DeadMethod.qlref index 76204a1df5a4..743a5f157755 100644 --- a/java/ql/test/query-tests/dead-code/DeadMethod/DeadMethod.qlref +++ b/java/ql/test/query-tests/dead-code/DeadMethod/DeadMethod.qlref @@ -1 +1,2 @@ -DeadCode/DeadMethod.ql +query: DeadCode/DeadMethod.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/dead-code/DeadMethod/InternalDeadCodeCycle.java b/java/ql/test/query-tests/dead-code/DeadMethod/InternalDeadCodeCycle.java index f52b32895280..18da349c79d1 100644 --- a/java/ql/test/query-tests/dead-code/DeadMethod/InternalDeadCodeCycle.java +++ b/java/ql/test/query-tests/dead-code/DeadMethod/InternalDeadCodeCycle.java @@ -1,10 +1,10 @@ public class InternalDeadCodeCycle { - public void foo() { + public void foo() { // $ Alert bar(); } - public void bar() { + public void bar() { // $ Alert foo(); } diff --git a/java/ql/test/query-tests/dead-code/DeadMethod/JMXTest.java b/java/ql/test/query-tests/dead-code/DeadMethod/JMXTest.java index 0bd2c517f0de..32f8ec8d3e37 100644 --- a/java/ql/test/query-tests/dead-code/DeadMethod/JMXTest.java 
+++ b/java/ql/test/query-tests/dead-code/DeadMethod/JMXTest.java @@ -11,7 +11,7 @@ public static interface FooMBean { public static class FooIntermediate implements FooMBean { // This method is dead, because it is overridden in FooImpl, which is the registered MBean. - public String sometimesLiveMethod(String arg) { return "foo"; } + public String sometimesLiveMethod(String arg) { return "foo"; } // $ Alert // This method is live, because it is the most specific method for FooImpl public String liveMethod2(String arg) { return "foo"; } } diff --git a/java/ql/test/query-tests/dead-code/DeadMethod/SuppressedConstructorTest.java b/java/ql/test/query-tests/dead-code/DeadMethod/SuppressedConstructorTest.java index 8ab2f5a91c78..9eef167c6e93 100644 --- a/java/ql/test/query-tests/dead-code/DeadMethod/SuppressedConstructorTest.java +++ b/java/ql/test/query-tests/dead-code/DeadMethod/SuppressedConstructorTest.java @@ -6,13 +6,13 @@ private SuppressedConstructor() { } public static void liveMethod() { } } - public void deadMethod() { + public void deadMethod() { // $ Alert new NestedPrivateConstructor(); } private static class NestedPrivateConstructor { // This should be dead, because it is called from a dead method. - private NestedPrivateConstructor() { } + private NestedPrivateConstructor() { } // $ Alert public static void liveMethod() { } } @@ -23,7 +23,7 @@ private static class OtherConstructor { * constructor will be added by the compiler. Therefore, we do not need to declare this private * in order to suppress it. */ - private OtherConstructor() { } + private OtherConstructor() { } // $ Alert // Live constructor private OtherConstructor(Object foo) { } diff --git a/java/ql/test/query-tests/dead-code/UselessParameter/Test.java b/java/ql/test/query-tests/dead-code/UselessParameter/Test.java index 57554544e4cf..7f8fc16ffe63 100644 --- a/java/ql/test/query-tests/dead-code/UselessParameter/Test.java +++ b/java/ql/test/query-tests/dead-code/UselessParameter/Test.java 
@@ -3,7 +3,7 @@ interface I { // NOT OK: no overriding method uses x - void foo(int x); + void foo(int x); // $ Alert // OK: no concrete implementation void bar(String y); diff --git a/java/ql/test/query-tests/dead-code/UselessParameter/UselessParameter.qlref b/java/ql/test/query-tests/dead-code/UselessParameter/UselessParameter.qlref index b1ceb2751a61..7de29d4e3f4f 100644 --- a/java/ql/test/query-tests/dead-code/UselessParameter/UselessParameter.qlref +++ b/java/ql/test/query-tests/dead-code/UselessParameter/UselessParameter.qlref @@ -1 +1,2 @@ -DeadCode/UselessParameter.ql \ No newline at end of file +query: DeadCode/UselessParameter.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencyBinary.qlref b/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencyBinary.qlref index 9d5c4d42fe4f..ff6e15f32d9c 100644 --- a/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencyBinary.qlref +++ b/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencyBinary.qlref @@ -1 +1,2 @@ -Architecture/Dependencies/UnusedMavenDependencyBinary.ql \ No newline at end of file +query: Architecture/Dependencies/UnusedMavenDependencyBinary.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencySource.qlref b/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencySource.qlref index 78daed5aa147..e9ac8f724259 100644 --- a/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencySource.qlref +++ b/java/ql/test/query-tests/maven-dependencies/UnusedMavenDependencySource.qlref @@ -1 +1,2 @@ -Architecture/Dependencies/UnusedMavenDependencySource.ql \ No newline at end of file +query: Architecture/Dependencies/UnusedMavenDependencySource.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/maven-dependencies/my-project/pom.xml b/java/ql/test/query-tests/maven-dependencies/my-project/pom.xml index c082f704bedb..644cc968f98c 100644 --- a/java/ql/test/query-tests/maven-dependencies/my-project/pom.xml +++ b/java/ql/test/query-tests/maven-dependencies/my-project/pom.xml @@ -18,16 +18,16 @@ com.semmle another-project ${project.version} - + commons-lang commons-lang - + semmle-test semmle-test 1.0 - + - \ No newline at end of file + diff --git a/java/ql/test/query-tests/security/CWE-020/OverlyLargeRangeQuery.qlref b/java/ql/test/query-tests/security/CWE-020/OverlyLargeRangeQuery.qlref index ba518e544428..99525343c37a 100644 --- a/java/ql/test/query-tests/security/CWE-020/OverlyLargeRangeQuery.qlref +++ b/java/ql/test/query-tests/security/CWE-020/OverlyLargeRangeQuery.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-020/OverlyLargeRange.ql +query: Security/CWE/CWE-020/OverlyLargeRange.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java b/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java index e346d74d4c2d..b2f2e0c9c888 100644 --- a/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java +++ b/java/ql/test/query-tests/security/CWE-020/SuspiciousRegexpRange.java @@ -2,11 +2,11 @@ class SuspiciousRegexpRange { void test() { - Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // NOT OK + Pattern overlap1 = Pattern.compile("^[0-93-5]*$"); // $ Alert[java/overly-large-range] // NOT OK - Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // NOT OK + Pattern overlap2 = Pattern.compile("[A-ZA-z]*"); // $ Alert[java/overly-large-range] // NOT OK - Pattern isEmpty = Pattern.compile("^[z-a]*$"); // NOT OK + Pattern isEmpty = Pattern.compile("^[z-a]*$"); // $ Alert[java/overly-large-range] // NOT OK Pattern isAscii = Pattern.compile("^[\\x00-\\x7F]*$"); // OK 
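Review bot: In SuspiciousRegexpRange.java the kept `// NOT OK` after each new `// $ Alert[java/overly-large-range]` only repeats what the tag already asserts, and neither says why the range is wrong. Replacing the marker with the reason would let the test read as a catalogue of cases, for example `// $ Alert[java/overly-large-range] // A-z also covers the punctuation between Z and a` on the `overlap2` line and `// $ Alert[java/overly-large-range] // 0-9 already contains 3-5` on `overlap1`. The same applies to the seven annotated lines in the second hunk of this file (`@@ -16,19 +16,19 @@`). `test()` continues past the end of this hunk.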
@@ -16,19 +16,19 @@ void test() { Pattern NON_ALPHANUMERIC_REGEXP = Pattern.compile("([^\\#-~| |!])*"); // OK - Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // NOT OK + Pattern smallOverlap = Pattern.compile("[0-9a-fA-f]*"); // $ Alert[java/overly-large-range] // NOT OK - Pattern weirdRange = Pattern.compile("[$-`]*"); // NOT OK + Pattern weirdRange = Pattern.compile("[$-`]*"); // $ Alert[java/overly-large-range] // NOT OK - Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // NOT OK + Pattern keywordOperator = Pattern.compile("[!\\~\\*\\/%+-<>\\^|=&]*"); // $ Alert[java/overly-large-range] // NOT OK - Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // NOT OK + Pattern notYoutube = Pattern.compile("youtu.be/[a-z1-9.-_]+"); // $ Alert[java/overly-large-range] // NOT OK - Pattern numberToLetter = Pattern.compile("[7-F]*"); // NOT OK + Pattern numberToLetter = Pattern.compile("[7-F]*"); // $ Alert[java/overly-large-range] // NOT OK - Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // NOT OK + Pattern overlapsWithClass1 = Pattern.compile("[0-9\\d]*"); // $ Alert[java/overly-large-range] // NOT OK - Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // NOT OK + Pattern overlapsWithClass2 = Pattern.compile("[\\w,.-?:*+]*"); // $ Alert[java/overly-large-range] // NOT OK Pattern nested = Pattern.compile("[[A-Za-z_][A-Za-z0-9._-]]*"); // OK, the dash it at the end diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.qlref b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.qlref index eee3728e935a..71a41a4c0acc 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.qlref +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipSlip.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-022/ZipSlip.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java index 2c5e1cd9d539..b4d8ba8eea9f 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/ZipTest.java @@ -4,11 +4,11 @@ public class ZipTest { public void m1(ZipEntry entry, File dir) throws Exception { - String name = entry.getName(); + String name = entry.getName(); // $ Alert[java/zipslip] File file = new File(dir, name); - FileOutputStream os = new FileOutputStream(file); // ZipSlip - RandomAccessFile raf = new RandomAccessFile(file, "rw"); // ZipSlip - FileWriter fw = new FileWriter(file); // ZipSlip + FileOutputStream os = new FileOutputStream(file); // $ Sink[java/zipslip] // ZipSlip + RandomAccessFile raf = new RandomAccessFile(file, "rw"); // $ Sink[java/zipslip] // ZipSlip + FileWriter fw = new FileWriter(file); // $ Sink[java/zipslip] // ZipSlip } public void m2(ZipEntry entry, File dir) throws Exception { diff --git a/java/ql/test/query-tests/security/CWE-078/ExecRelative.qlref b/java/ql/test/query-tests/security/CWE-078/ExecRelative.qlref index 42aa816c1772..65cb1b6dd76e 100644 --- a/java/ql/test/query-tests/security/CWE-078/ExecRelative.qlref +++ b/java/ql/test/query-tests/security/CWE-078/ExecRelative.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-078/ExecRelative.ql +query: Security/CWE/CWE-078/ExecRelative.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-078/ExecTainted.qlref b/java/ql/test/query-tests/security/CWE-078/ExecTainted.qlref index 856b97bf0fed..77cdee7b2839 100644 --- a/java/ql/test/query-tests/security/CWE-078/ExecTainted.qlref +++ b/java/ql/test/query-tests/security/CWE-078/ExecTainted.qlref 
@@ -1,2 +1,4 @@ query: Security/CWE/CWE-078/ExecTainted.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-078/ExecUnescaped.qlref b/java/ql/test/query-tests/security/CWE-078/ExecUnescaped.qlref index 1ee86c5e76ab..add1dcb676b4 100644 --- a/java/ql/test/query-tests/security/CWE-078/ExecUnescaped.qlref +++ b/java/ql/test/query-tests/security/CWE-078/ExecUnescaped.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-078/ExecUnescaped.ql +query: Security/CWE/CWE-078/ExecUnescaped.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java b/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java index cb3ecb3b0509..b112597f2606 100644 --- a/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java +++ b/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java @@ -36,6 +36,6 @@ public void buildProcess() throws java.io.IOException { public void exec() throws java.io.IOException { String kv = (String) source(); - Runtime.getRuntime().exec(new String[] { "ls" }, new String[] { kv }); // $ hasTaintFlow + Runtime.getRuntime().exec(new String[] { "ls" }, new String[] { kv }); // $ Alert[java/relative-path-command] hasTaintFlow } } diff --git a/java/ql/test/query-tests/security/CWE-078/Test.java b/java/ql/test/query-tests/security/CWE-078/Test.java index 1ac5dc47882c..6850a3a19e3b 100644 --- a/java/ql/test/query-tests/security/CWE-078/Test.java +++ b/java/ql/test/query-tests/security/CWE-078/Test.java 
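Review bot: In TaintedEnvironment.java the `exec` line now carries tags for two different checks, `// $ Alert[java/relative-path-command] hasTaintFlow`, and nothing says that the first is a side effect of the bare `"ls"` rather than the subject of this environment-taint test. A trailing remark keeps the intent clear: `// $ Alert[java/relative-path-command] hasTaintFlow // relative-path alert is incidental; the test targets the tainted env array`. SetJavascriptEnabled.java has the same combination on its `setJavaScriptEnabled(true)` line, where `javascriptEnabled` is kept beside the new `Alert[...]` tag. The older lower-case tags are presumably consumed by a separate inline test, so it is worth confirming that the InlineExpectationsTestQuery postprocess ignores them instead of reporting them as unmatched expectations.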
@@ -4,10 +4,10 @@ class Test { public static void shellCommand(String arg) throws java.io.IOException { - ProcessBuilder pb = new ProcessBuilder("/bin/bash -c echo " + arg); + ProcessBuilder pb = new ProcessBuilder("/bin/bash -c echo " + arg); // $ Alert[java/concatenated-command-line] Alert[java/command-line-injection] pb.start(); - pb = new ProcessBuilder(new String[]{"/bin/bash", "-c", "echo " + arg}); + pb = new ProcessBuilder(new String[]{"/bin/bash", "-c", "echo " + arg}); // $ Alert[java/command-line-injection] pb.start(); List cmd = new ArrayList(); @@ -15,18 +15,18 @@ public static void shellCommand(String arg) throws java.io.IOException { cmd.add("-c"); cmd.add("echo " + arg); - pb = new ProcessBuilder(cmd); + pb = new ProcessBuilder(cmd); // $ Alert[java/command-line-injection] pb.start(); String[] cmd1 = new String[]{"/bin/bash", "-c", ""}; cmd1[1] = "echo " + arg; - pb = new ProcessBuilder(cmd1); + pb = new ProcessBuilder(cmd1); // $ Alert[java/command-line-injection] pb.start(); } public static void nonShellCommand(String arg) throws java.io.IOException { - ProcessBuilder pb = new ProcessBuilder("./customTool " + arg); + ProcessBuilder pb = new ProcessBuilder("./customTool " + arg); // $ Alert[java/concatenated-command-line] Alert[java/command-line-injection] pb.start(); pb = new ProcessBuilder(new String[]{"./customTool", arg}); @@ -47,14 +47,14 @@ public static void nonShellCommand(String arg) throws java.io.IOException { } public static void relativeCommand() throws java.io.IOException { - ProcessBuilder pb = new ProcessBuilder("ls"); + ProcessBuilder pb = new ProcessBuilder("ls"); // $ Alert[java/relative-path-command] pb.start(); pb = new ProcessBuilder("/bin/ls"); pb.start(); } - public static void main(String[] args) throws java.io.IOException { + public static void main(String[] args) throws java.io.IOException { // $ Source[java/command-line-injection] String arg = args.length > 1 ? args[1] : "default"; shellCommand(arg); 
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java index 02a81f3e3c2d..82215d111304 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SetJavascriptEnabled.java @@ -6,7 +6,7 @@ public class SetJavascriptEnabled { public static void configureWebViewUnsafe(WebView view) { WebSettings settings = view.getSettings(); - settings.setJavaScriptEnabled(true); // $ javascriptEnabled + settings.setJavaScriptEnabled(true); // $ Alert[java/android/websettings-javascript-enabled] javascriptEnabled } public static void configureWebViewSafe(WebView view) { diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java index 50fc38477055..acd895c474f9 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.java @@ -7,6 +7,6 @@ class Greeter { } public void addGreeter(WebView view) { - view.addJavascriptInterface(new Greeter(), "greeter"); + view.addJavascriptInterface(new Greeter(), "greeter"); // $ Alert[java/android/webview-addjavascriptinterface] } } diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref index 1161c47dda6b..f0385f63cbda 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewAddJavascriptInterface.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql +query: Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref index e9e8006886db..34f44ac58cd3 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebViewSetEnabledJavaScript.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql +query: Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java index 285f9bc49cb2..50a9547e48a6 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilList.java @@ -45,7 +45,7 @@ public static String getNonConstantString() { return String.valueOf(System.currentTimeMillis()); } - public static void main(String[] args) throws IOException, SQLException { + public static void main(String[] args) throws IOException, SQLException { // $ Source[java/sql-injection] badAllowList6 = List.of("allowed1", getNonConstantString(), "allowed3"); testStaticFields(args); testLocal(args); 
@@ -61,61 +61,61 @@ private static void testStaticFields(String[] args) throws IOException, SQLExcep if(goodAllowList1.contains(tainted.toLowerCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList2.contains(tainted.toUpperCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList3.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList4.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // BAD: an allowlist is used with constant strings if(badAllowList1.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: 
an allowlist is used with constant strings if(badAllowList2.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: an allowlist is used with constant strings if(badAllowList3.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: an allowlist is used with constant strings if(badAllowList4.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList5.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // BAD: the allowlist is in a non-final field if(badAllowList6.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } 
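Review bot: In testStaticFields the branches commented `// GOOD: an allowlist is used with constant strings` now end in `// $ Alert[java/concatenated-sql-query]`, so a reader sees GOOD directly above an expected alert. The GOOD/BAD labels evidently refer to java/sql-injection only, and the comment should say so, e.g. `// GOOD for java/sql-injection (constant allowlist); still reported by java/concatenated-sql-query`. The `badAllowList1` to `badAllowList4` branches say `// BAD: an allowlist is used with constant strings`, which reads like a copy of the GOOD text and does not state what makes those lists unsafe. The later hunks of this file in testNonStaticFields and testLocal repeat the GOOD-above-Alert pattern. testStaticFields starts before this hunk.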
@@ -125,7 +125,7 @@ private void testNonStaticFields(String[] args) throws IOException, SQLException if(goodAllowList7.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } @@ -137,7 +137,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted.toLowerCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant @@ -146,7 +146,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant strings @@ -156,7 +156,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted.toUpperCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant 
@@ -166,7 +166,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant strings @@ -175,7 +175,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant @@ -184,7 +184,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant strings 
@@ -194,7 +194,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant @@ -204,7 +204,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant string @@ -216,7 +216,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant 
@@ -228,7 +228,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but it contains a non-compile-time constant element @@ -239,7 +239,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } } @@ -257,7 +257,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } { @@ -266,7 +266,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } { 
@@ -275,7 +275,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } } @@ -290,7 +290,7 @@ private static void testEscape(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ // missing result String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java index e1a5f889c6fa..28defcbab298 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/AllowListSanitizerWithJavaUtilSet.java @@ -44,7 +44,7 @@ public static String getNonConstantString() { return String.valueOf(System.currentTimeMillis()); } - public static void main(String[] args) throws IOException, SQLException { + public static void main(String[] args) throws IOException, SQLException { // $ Source[java/sql-injection] badAllowList6 = Set.of("allowed1", getNonConstantString(), "allowed3"); testStaticFields(args); testLocal(args); 
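Review bot: In the `testEscape` hunk the `if(allowlist.contains(tainted)){` line still carries `// missing result`, but the annotation added below it now expects `Alert[java/sql-injection]` at the `executeQuery` call. If the query does report this case, the old comment is stale and should be dropped. If it is still a false negative, the expectation would be `// $ MISSING: Alert[java/sql-injection] Alert[java/concatenated-sql-query]`. I cannot tell which from the hunk, because the allowlist setup in `testEscape` lies outside it. The `testEscape` hunk of AllowListSanitizerWithJavaUtilSet.java has the same pair of lines.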
@@ -60,61 +60,61 @@ private static void testStaticFields(String[] args) throws IOException, SQLExcep if(goodAllowList1.contains(tainted.toLowerCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList2.contains(tainted.toUpperCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList3.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList4.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // BAD: an allowlist is used with constant strings if(badAllowList1.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: 
an allowlist is used with constant strings if(badAllowList2.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: an allowlist is used with constant strings if(badAllowList3.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: an allowlist is used with constant strings if(badAllowList4.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // GOOD: an allowlist is used with constant strings if(goodAllowList5.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } // BAD: the allowlist is in a non-final field if(badAllowList6.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } 
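Review bot: The four blocks guarded by `badAllowList1` to `badAllowList4` now expect `Alert[java/sql-injection]`, yet each is introduced by `// BAD: an allowlist is used with constant strings`, word for word the text of the GOOD cases beside them. With the expectation inline, that comment is what a reader relies on to see why the allowlist check does not sanitise the value, and only the `badAllowList6` case (`the allowlist is in a non-final field`) gives a reason. The field declarations are outside this hunk, so the wording has to come from them, along the lines of `// BAD: badAllowList1 is <property from its declaration that makes it unsafe>`.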
@@ -124,7 +124,7 @@ private void testNonStaticFields(String[] args) throws IOException, SQLException if(goodAllowList7.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } @@ -136,7 +136,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted.toLowerCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant @@ -145,7 +145,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant strings @@ -155,7 +155,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted.toUpperCase())){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant 
@@ -165,7 +165,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant strings @@ -174,7 +174,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant @@ -183,7 +183,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant strings 
@@ -193,7 +193,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant @@ -203,7 +203,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // GOOD: an allowlist is used with constant string @@ -215,7 +215,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but one of the entries is not a compile-time constant 
@@ -227,7 +227,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } // BAD: an allowlist is used but it contains a non-compile-time constant element @@ -238,7 +238,7 @@ private static void testLocal(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } } @@ -256,7 +256,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } { @@ -265,7 +265,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } { 
@@ -274,7 +274,7 @@ private static void testMultipleSources(String[] args) throws IOException, SQLEx if(allowlist.contains(tainted)){ String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } } @@ -289,7 +289,7 @@ private static void testEscape(String[] args) throws IOException, SQLException { if(allowlist.contains(tainted)){ // missing result String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + tainted + "' ORDER BY PRICE"; - ResultSet results = connection.createStatement().executeQuery(query); + ResultSet results = connection.createStatement().executeQuery(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } } } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java index ee6c81cdc81b..3d3b7179459c 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java 
@@ -4,14 +4,14 @@ import com.couchbase.client.java.Cluster; public class CouchBase { - public static void main(String[] args) { + public static void main(String[] args) { // $ Source[java/sql-injection] Cluster cluster = Cluster.connect("192.168.0.158", "Administrator", "Administrator"); Bucket bucket = cluster.bucket("travel-sample"); - cluster.analyticsQuery(args[1]); - cluster.analyticsQuery(args[1], null); - cluster.query(args[1]); - cluster.query(args[1], null); - cluster.queryStreaming(args[1], null); - cluster.queryStreaming(args[1], null, null); + cluster.analyticsQuery(args[1]); // $ Alert[java/sql-injection] + cluster.analyticsQuery(args[1], null); // $ Alert[java/sql-injection] + cluster.query(args[1]); // $ Alert[java/sql-injection] + cluster.query(args[1], null); // $ Alert[java/sql-injection] + cluster.queryStreaming(args[1], null); // $ Alert[java/sql-injection] + cluster.queryStreaming(args[1], null, null); // $ Alert[java/sql-injection] } } diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Mongo.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Mongo.java index 3a1cfff39f94..2761a2c52bd1 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Mongo.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Mongo.java 
@@ -7,19 +7,19 @@ import com.mongodb.*; public class Mongo { - public static void main(String[] args) { + public static void main(String[] args) { // $ Source[java/sql-injection] MongoClient mongoClient = new MongoClient(new ServerAddress("localhost", 27017)); DB db = mongoClient.getDB("mydb"); DBCollection collection = db.getCollection("test"); String name = args[1]; String stringQuery = "{ 'name' : '" + name + "'}"; - DBObject databaseQuery = (DBObject) JSON.parse(stringQuery); + DBObject databaseQuery = (DBObject) JSON.parse(stringQuery); // $ Alert[java/sql-injection] DBCursor result = collection.find(databaseQuery); String json = args[1]; - BasicDBObject bdb = BasicDBObject.parse(json); + BasicDBObject bdb = BasicDBObject.parse(json); // $ Alert[java/sql-injection] DBCursor result2 = collection.find(bdb); } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.qlref b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.qlref index 32211414c8c3..2bab54f9ae6e 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.qlref +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-089/SqlConcatenated.ql +query: Security/CWE/CWE-089/SqlConcatenated.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref index dc9ae162efbc..a60fa5dde2e2 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTainted.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-089/SqlTainted.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
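Review bot: In Mongo.java the expected alerts sit on `JSON.parse(stringQuery)` and `BasicDBObject.parse(json)`, not on the `collection.find(...)` calls that run the filter, and nothing in the file says this is intended. Unlike the JDBC tests in this directory, the two cases have no BAD/GOOD comment at all. A short comment above each would make the expectation readable, for example `// BAD: user input is parsed into the query document; the alert is reported at the parse call`. It would also help to say that the `java/sql-injection` tag is the one that covers this MongoDB case.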
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java index dee0db129eb9..0f357e61a43f 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java @@ -33,13 +33,13 @@ private static void tainted(String[] args) throws IOException, SQLException { Statement statement = connection.createStatement(); String query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + category + "' ORDER BY PRICE"; - ResultSet results = statement.executeQuery(query1); + ResultSet results = statement.executeQuery(query1); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: don't use user input when building a prepared call { String id = args[1]; String query2 = "{ call get_product_by_id('" + id + "',?,?,?) }"; - PreparedStatement statement = connection.prepareCall(query2); + PreparedStatement statement = connection.prepareCall(query2); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] ResultSet results = statement.executeQuery(); } // BAD: don't use user input when building a prepared query @@ -47,7 +47,7 @@ private static void tainted(String[] args) throws IOException, SQLException { String category = args[1]; String query3 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + category + "' ORDER BY PRICE"; - PreparedStatement statement = connection.prepareStatement(query3); + PreparedStatement statement = connection.prepareStatement(query3); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] ResultSet results = statement.executeQuery(); } // BAD: an injection using a StringBuilder instead of string append 
@@ -59,7 +59,7 @@ private static void tainted(String[] args) throws IOException, SQLException { querySb.append("' ORDER BY PRICE"); String querySbToString = querySb.toString(); Statement statement = connection.createStatement(); - ResultSet results = statement.executeQuery(querySbToString); + ResultSet results = statement.executeQuery(querySbToString); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: executeUpdate { @@ -67,7 +67,7 @@ private static void tainted(String[] args) throws IOException, SQLException { String price = args[2]; Statement statement = connection.createStatement(); String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'"; - int count = statement.executeUpdate(query); + int count = statement.executeUpdate(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // BAD: executeUpdate { @@ -75,7 +75,7 @@ private static void tainted(String[] args) throws IOException, SQLException { String price = args[2]; Statement statement = connection.createStatement(); String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'"; - long count = statement.executeLargeUpdate(query); + long count = statement.executeLargeUpdate(query); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] } // OK: validate the input first @@ -95,7 +95,7 @@ private static void unescaped() throws IOException, SQLException { Statement statement = connection.createStatement(); String queryFromField = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + categoryName + "' ORDER BY PRICE"; - ResultSet results = statement.executeQuery(queryFromField); + ResultSet results = statement.executeQuery(queryFromField); // $ Alert[java/concatenated-sql-query] } // BAD: unescaped code using a StringBuilder { 
@@ -105,7 +105,7 @@ private static void unescaped() throws IOException, SQLException { querySb.append("' ORDER BY PRICE"); String querySbToString = querySb.toString(); Statement statement = connection.createStatement(); - ResultSet results = statement.executeQuery(querySbToString); + ResultSet results = statement.executeQuery(querySbToString); // $ Alert[java/concatenated-sql-query] } // BAD: a StringBuilder with appends of + operations { @@ -115,7 +115,7 @@ private static void unescaped() throws IOException, SQLException { querySb2.append("ORDER BY PRICE"); String querySb2ToString = querySb2.toString(); Statement statement = connection.createStatement(); - ResultSet results = statement.executeQuery(querySb2ToString); + ResultSet results = statement.executeQuery(querySb2ToString); // $ Alert[java/concatenated-sql-query] } } @@ -206,7 +206,7 @@ private static void tableNames(String[] args) throws IOException, SQLException { String queryWithUserTableName = "SELECT ITEM,PRICE FROM " + userTabName + " WHERE ITEM_CATEGORY='Biscuits' ORDER BY PRICE"; - ResultSet results = statement.executeQuery(queryWithUserTableName); + ResultSet results = statement.executeQuery(queryWithUserTableName); // $ Alert[java/sql-injection] } } @@ -218,13 +218,13 @@ private static void bindingVars(String[] args) throws IOException, SQLException String prefix = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"; String suffix = "' ORDER BY PRICE"; switch(prefix) { - case String prefixAlias when prefix.length() > 10 -> statement.executeQuery(prefixAlias + category + suffix); + case String prefixAlias when prefix.length() > 10 -> statement.executeQuery(prefixAlias + category + suffix); // $ Alert[java/sql-injection] Alert[java/concatenated-sql-query] default -> { } } } } - public static void main(String[] args) throws IOException, SQLException { + public static void main(String[] args) throws IOException, SQLException { // $ Source[java/sql-injection] tainted(args); unescaped(); good(args); 
diff --git a/java/ql/test/query-tests/security/CWE-090/LdapInjection.java b/java/ql/test/query-tests/security/CWE-090/LdapInjection.java index 7e585581f0b8..661062f0a469 100644 --- a/java/ql/test/query-tests/security/CWE-090/LdapInjection.java +++ b/java/ql/test/query-tests/security/CWE-090/LdapInjection.java 
@@ -42,53 +42,53 @@ public class LdapInjection { // JNDI @RequestMapping - public void testJndiBad1(@RequestParam String jBad, @RequestParam String jBadDN, DirContext ctx) + public void testJndiBad1(@RequestParam String jBad, @RequestParam String jBadDN, DirContext ctx) // $ Source throws NamingException { - ctx.search("ou=system" + jBadDN, "(uid=" + jBad + ")", new SearchControls()); + ctx.search("ou=system" + jBadDN, "(uid=" + jBad + ")", new SearchControls()); // $ Alert } @RequestMapping - public void testJndiBad2(@RequestParam String jBad, @RequestParam String jBadDNName, InitialDirContext ctx) + public void testJndiBad2(@RequestParam String jBad, @RequestParam String jBadDNName, InitialDirContext ctx) // $ Source throws NamingException { - ctx.search(new LdapName("ou=system" + jBadDNName), "(uid=" + jBad + ")", new SearchControls()); + ctx.search(new LdapName("ou=system" + jBadDNName), "(uid=" + jBad + ")", new SearchControls()); // $ Alert } @RequestMapping - public void testJndiBad3(@RequestParam String jBad, @RequestParam String jOkDN, LdapContext ctx) + public void testJndiBad3(@RequestParam String jBad, @RequestParam String jOkDN, LdapContext ctx) // $ Source throws NamingException { - ctx.search(new LdapName(List.of(new Rdn("ou=" + jOkDN))), "(uid=" + jBad + ")", new SearchControls()); + ctx.search(new LdapName(List.of(new Rdn("ou=" + jOkDN))), "(uid=" + jBad + ")", new SearchControls()); // $ Alert } @RequestMapping - public void testJndiBad4(@RequestParam String jBadInitial, InitialLdapContext ctx) + public void testJndiBad4(@RequestParam String jBadInitial, InitialLdapContext ctx) // $ Source throws NamingException { - ctx.search("ou=system", "(uid=" + jBadInitial + ")", new SearchControls()); + ctx.search("ou=system", "(uid=" + jBadInitial + ")", new SearchControls()); // $ Alert } @RequestMapping - public void testJndiBad5(@RequestParam String jBad, @RequestParam String jBadDNNameAdd, InitialDirContext ctx) + public void testJndiBad5(@RequestParam 
String jBad, @RequestParam String jBadDNNameAdd, InitialDirContext ctx) // $ Source throws NamingException { - ctx.search(new LdapName("").addAll(new LdapName("ou=system" + jBadDNNameAdd)), "(uid=" + jBad + ")", new SearchControls()); + ctx.search(new LdapName("").addAll(new LdapName("ou=system" + jBadDNNameAdd)), "(uid=" + jBad + ")", new SearchControls()); // $ Alert } @RequestMapping - public void testJndiBad6(@RequestParam String jBad, @RequestParam String jBadDNNameAdd2, InitialDirContext ctx) + public void testJndiBad6(@RequestParam String jBad, @RequestParam String jBadDNNameAdd2, InitialDirContext ctx) // $ Source throws NamingException { LdapName name = new LdapName(""); name.addAll(new LdapName("ou=system" + jBadDNNameAdd2).getRdns()); - ctx.search(new LdapName("").addAll(name), "(uid=" + jBad + ")", new SearchControls()); + ctx.search(new LdapName("").addAll(name), "(uid=" + jBad + ")", new SearchControls()); // $ Alert } @RequestMapping - public void testJndiBad7(@RequestParam String jBad, @RequestParam String jBadDNNameToString, InitialDirContext ctx) + public void testJndiBad7(@RequestParam String jBad, @RequestParam String jBadDNNameToString, InitialDirContext ctx) // $ Source throws NamingException { - ctx.search(new LdapName("ou=system" + jBadDNNameToString).toString(), "(uid=" + jBad + ")", new SearchControls()); + ctx.search(new LdapName("ou=system" + jBadDNNameToString).toString(), "(uid=" + jBad + ")", new SearchControls()); // $ Alert } @RequestMapping - public void testJndiBad8(@RequestParam String jBad, @RequestParam String jBadDNNameClone, InitialDirContext ctx) + public void testJndiBad8(@RequestParam String jBad, @RequestParam String jBadDNNameClone, InitialDirContext ctx) // $ Source throws NamingException { - ctx.search((Name) new LdapName("ou=system" + jBadDNNameClone).clone(), "(uid=" + jBad + ")", new SearchControls()); + ctx.search((Name) new LdapName("ou=system" + jBadDNNameClone).clone(), "(uid=" + jBad + ")", new 
SearchControls()); // $ Alert } @RequestMapping 
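Review bot: The `// $ Source` tags in this hunk are attached to whole signature lines that declare several `@RequestParam` parameters, so the annotation does not show which parameter is expected to be the source. `testJndiBad3` is the clearest case: `jBad` and `jOkDN` share the line, and the name suggests `jOkDN` is meant to be harmless. Breaking the parameter list lets the tag sit on the tainted parameter only: `public void testJndiBad3(@RequestParam String jBad, // $ Source` followed by `@RequestParam String jOkDN, LdapContext ctx)`. In the other two-parameter methods both parameters look like intended sources, so the single tag is adequate there.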
@@ -97,107 +97,107 @@ public void testJndiOk1(@RequestParam String jOkFilterExpr, DirContext ctx) thro } @RequestMapping - public void testJndiOk2(@RequestParam String jOkAttribute, DirContext ctx) throws NamingException { - ctx.search("ou=system", new BasicAttributes(jOkAttribute, jOkAttribute)); + public void testJndiOk2(@RequestParam String jOkAttribute, DirContext ctx) throws NamingException { // $ Source + ctx.search("ou=system", new BasicAttributes(jOkAttribute, jOkAttribute)); // $ Alert } // UnboundID @RequestMapping - public void testUnboundBad1(@RequestParam String uBad, @RequestParam String uBadDN, LDAPConnection c) + public void testUnboundBad1(@RequestParam String uBad, @RequestParam String uBadDN, LDAPConnection c) // $ Source throws LDAPSearchException { - c.search(null, "ou=system" + uBadDN, null, null, 1, 1, false, "(uid=" + uBad + ")"); + c.search(null, "ou=system" + uBadDN, null, null, 1, 1, false, "(uid=" + uBad + ")"); // $ Alert } @RequestMapping - public void testUnboundBad2(@RequestParam String uBadFilterCreate, LDAPConnection c) throws LDAPException { - c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreate)); + public void testUnboundBad2(@RequestParam String uBadFilterCreate, LDAPConnection c) throws LDAPException { // $ Source + c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreate)); // $ Alert } @RequestMapping - public void testUnboundBad3(@RequestParam String uBadROSearchRequest, @RequestParam String uBadROSRDN, + public void testUnboundBad3(@RequestParam String uBadROSearchRequest, @RequestParam String uBadROSRDN, // $ Source LDAPConnection c) throws LDAPException { ReadOnlySearchRequest s = new SearchRequest(null, "ou=system" + uBadROSRDN, null, null, 1, 1, false, "(uid=" + uBadROSearchRequest + ")"); - c.search(s); + c.search(s); // $ Alert } @RequestMapping - public void testUnboundBad4(@RequestParam String uBadSearchRequest, @RequestParam String uBadSRDN, LDAPConnection 
c) + public void testUnboundBad4(@RequestParam String uBadSearchRequest, @RequestParam String uBadSRDN, LDAPConnection c) // $ Source throws LDAPException { SearchRequest s = new SearchRequest(null, "ou=system" + uBadSRDN, null, null, 1, 1, false, "(uid=" + uBadSearchRequest + ")"); - c.search(s); + c.search(s); // $ Alert } @RequestMapping - public void testUnboundBad5(@RequestParam String uBad, @RequestParam String uBadDNSFR, LDAPConnection c) + public void testUnboundBad5(@RequestParam String uBad, @RequestParam String uBadDNSFR, LDAPConnection c) // $ Source throws LDAPSearchException { - c.searchForEntry("ou=system" + uBadDNSFR, null, null, 1, false, "(uid=" + uBad + ")"); + c.searchForEntry("ou=system" + uBadDNSFR, null, null, 1, false, "(uid=" + uBad + ")"); // $ Alert } @RequestMapping - public void testUnboundBad6(@RequestParam String uBadROSearchRequestAsync, @RequestParam String uBadROSRDNAsync, + public void testUnboundBad6(@RequestParam String uBadROSearchRequestAsync, @RequestParam String uBadROSRDNAsync, // $ Source LDAPConnection c) throws LDAPException { ReadOnlySearchRequest s = new SearchRequest(null, "ou=system" + uBadROSRDNAsync, null, null, 1, 1, false, "(uid=" + uBadROSearchRequestAsync + ")"); - c.asyncSearch(s); + c.asyncSearch(s); // $ Alert } @RequestMapping - public void testUnboundBad7(@RequestParam String uBadSearchRequestAsync, @RequestParam String uBadSRDNAsync, LDAPConnection c) + public void testUnboundBad7(@RequestParam String uBadSearchRequestAsync, @RequestParam String uBadSRDNAsync, LDAPConnection c) // $ Source throws LDAPException { SearchRequest s = new SearchRequest(null, "ou=system" + uBadSRDNAsync, null, null, 1, 1, false, "(uid=" + uBadSearchRequestAsync + ")"); - c.asyncSearch(s); + c.asyncSearch(s); // $ Alert } @RequestMapping - public void testUnboundBad8(@RequestParam String uBadFilterCreateNOT, LDAPConnection c) throws LDAPException { - c.search(null, "ou=system", null, null, 1, 1, false, 
Filter.createNOTFilter(Filter.create(uBadFilterCreateNOT))); + public void testUnboundBad8(@RequestParam String uBadFilterCreateNOT, LDAPConnection c) throws LDAPException { // $ Source + c.search(null, "ou=system", null, null, 1, 1, false, Filter.createNOTFilter(Filter.create(uBadFilterCreateNOT))); // $ Alert } @RequestMapping - public void testUnboundBad9(@RequestParam String uBadFilterCreateToString, LDAPConnection c) throws LDAPException { - c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString()); + public void testUnboundBad9(@RequestParam String uBadFilterCreateToString, LDAPConnection c) throws LDAPException { // $ Source + c.search(null, "ou=system", null, null, 1, 1, false, Filter.create(uBadFilterCreateToString).toString()); // $ Alert } @RequestMapping - public void testUnboundBad10(@RequestParam String uBadFilterCreateToStringBuffer, LDAPConnection c) throws LDAPException { + public void testUnboundBad10(@RequestParam String uBadFilterCreateToStringBuffer, LDAPConnection c) throws LDAPException { // $ Source StringBuilder b = new StringBuilder(); Filter.create(uBadFilterCreateToStringBuffer).toNormalizedString(b); - c.search(null, "ou=system", null, null, 1, 1, false, b.toString()); + c.search(null, "ou=system", null, null, 1, 1, false, b.toString()); // $ Alert } @RequestMapping - public void testUnboundBad11(@RequestParam String uBadSearchRequestDuplicate, LDAPConnection c) + public void testUnboundBad11(@RequestParam String uBadSearchRequestDuplicate, LDAPConnection c) // $ Source throws LDAPException { SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false, "(uid=" + uBadSearchRequestDuplicate + ")"); - c.search(s.duplicate()); + c.search(s.duplicate()); // $ Alert } @RequestMapping - public void testUnboundBad12(@RequestParam String uBadROSearchRequestDuplicate, LDAPConnection c) + public void testUnboundBad12(@RequestParam String uBadROSearchRequestDuplicate, LDAPConnection 
c) // $ Source throws LDAPException { ReadOnlySearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false, "(uid=" + uBadROSearchRequestDuplicate + ")"); - c.search(s.duplicate()); + c.search(s.duplicate()); // $ Alert } @RequestMapping - public void testUnboundBad13(@RequestParam String uBadSearchRequestSetDN, LDAPConnection c) + public void testUnboundBad13(@RequestParam String uBadSearchRequestSetDN, LDAPConnection c) // $ Source throws LDAPException { SearchRequest s = new SearchRequest(null, "", null, null, 1, 1, false, ""); s.setBaseDN(uBadSearchRequestSetDN); - c.search(s); + c.search(s); // $ Alert } @RequestMapping - public void testUnboundBad14(@RequestParam String uBadSearchRequestSetFilter, LDAPConnection c) + public void testUnboundBad14(@RequestParam String uBadSearchRequestSetFilter, LDAPConnection c) // $ Source throws LDAPException { SearchRequest s = new SearchRequest(null, "ou=system", null, null, 1, 1, false, ""); s.setFilter(uBadSearchRequestSetFilter); - c.search(s); + c.search(s); // $ Alert } @RequestMapping 
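Review bot: `testJndiOk2` is named as a safe case, yet the new side tags its signature `// $ Source` and its `ctx.search("ou=system", new BasicAttributes(jOkAttribute, jOkAttribute))` call `// $ Alert`, which records the result as an expected true positive. The request value only reaches the matching attributes, not a filter string or DN, so this is presumably a known false positive carried over from the old .expected output. If so, tag the call `// $ SPURIOUS: Alert`, with the same prefix on the `// $ Source` tag, so the test keeps documenting it as query imprecision. If the alert is intended, rename the method to a Bad case instead. The testUnboundBad1–14 annotations in the same hunk are consistent with their names.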
@@ -226,72 +226,72 @@ public void testUnboundOk4(@RequestParam String uOkSearchRequestVarargs, LDAPCon // Spring LDAP @RequestMapping - public void testSpringBad1(@RequestParam String sBad, @RequestParam String sBadDN, LdapTemplate c) { - c.search("ou=system" + sBadDN, "(uid=" + sBad + ")", 1, false, null); + public void testSpringBad1(@RequestParam String sBad, @RequestParam String sBadDN, LdapTemplate c) { // $ Source + c.search("ou=system" + sBadDN, "(uid=" + sBad + ")", 1, false, null); // $ Alert } @RequestMapping - public void testSpringBad2(@RequestParam String sBad, @RequestParam String sBadDNLNBuilder, LdapTemplate c) { - c.authenticate(LdapNameBuilder.newInstance("ou=system" + sBadDNLNBuilder).build(), "(uid=" + sBad + ")", "pass"); + public void testSpringBad2(@RequestParam String sBad, @RequestParam String sBadDNLNBuilder, LdapTemplate c) { // $ Source + c.authenticate(LdapNameBuilder.newInstance("ou=system" + sBadDNLNBuilder).build(), "(uid=" + sBad + ")", "pass"); // $ Alert } @RequestMapping - public void testSpringBad3(@RequestParam String sBad, @RequestParam String sBadDNLNBuilderAdd, LdapTemplate c) { - c.searchForObject(LdapNameBuilder.newInstance().add("ou=system" + sBadDNLNBuilderAdd).build(), "(uid=" + sBad + ")", null); + public void testSpringBad3(@RequestParam String sBad, @RequestParam String sBadDNLNBuilderAdd, LdapTemplate c) { // $ Source + c.searchForObject(LdapNameBuilder.newInstance().add("ou=system" + sBadDNLNBuilderAdd).build(), "(uid=" + sBad + ")", null); // $ Alert } @RequestMapping - public void testSpringBad4(@RequestParam String sBadLdapQuery, LdapTemplate c) { - c.findOne(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")"), null); + public void testSpringBad4(@RequestParam String sBadLdapQuery, LdapTemplate c) { // $ Source + c.findOne(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")"), null); // $ Alert } @RequestMapping - public void testSpringBad5(@RequestParam String sBadFilter, @RequestParam 
String sBadDNLdapUtils, LdapTemplate c) { - c.find(LdapUtils.newLdapName("ou=system" + sBadDNLdapUtils), new HardcodedFilter("(uid=" + sBadFilter + ")"), null, null); + public void testSpringBad5(@RequestParam String sBadFilter, @RequestParam String sBadDNLdapUtils, LdapTemplate c) { // $ Source + c.find(LdapUtils.newLdapName("ou=system" + sBadDNLdapUtils), new HardcodedFilter("(uid=" + sBadFilter + ")"), null, null); // $ Alert } @RequestMapping - public void testSpringBad6(@RequestParam String sBadLdapQuery, LdapTemplate c) { - c.searchForContext(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")")); + public void testSpringBad6(@RequestParam String sBadLdapQuery, LdapTemplate c) { // $ Source + c.searchForContext(LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery + ")")); // $ Alert } @RequestMapping - public void testSpringBad7(@RequestParam String sBadLdapQuery2, LdapTemplate c) { + public void testSpringBad7(@RequestParam String sBadLdapQuery2, LdapTemplate c) { // $ Source LdapQuery q = LdapQueryBuilder.query().filter("(uid=" + sBadLdapQuery2 + ")"); - c.searchForContext(q); + c.searchForContext(q); // $ Alert } @RequestMapping - public void testSpringBad8(@RequestParam String sBadLdapQueryWithFilter, LdapTemplate c) { - c.searchForContext(LdapQueryBuilder.query().filter(new HardcodedFilter("(uid=" + sBadLdapQueryWithFilter + ")"))); + public void testSpringBad8(@RequestParam String sBadLdapQueryWithFilter, LdapTemplate c) { // $ Source + c.searchForContext(LdapQueryBuilder.query().filter(new HardcodedFilter("(uid=" + sBadLdapQueryWithFilter + ")"))); // $ Alert } @RequestMapping - public void testSpringBad9(@RequestParam String sBadLdapQueryWithFilter2, LdapTemplate c) { + public void testSpringBad9(@RequestParam String sBadLdapQueryWithFilter2, LdapTemplate c) { // $ Source org.springframework.ldap.filter.Filter f = new HardcodedFilter("(uid=" + sBadLdapQueryWithFilter2 + ")"); - c.searchForContext(LdapQueryBuilder.query().filter(f)); + 
c.searchForContext(LdapQueryBuilder.query().filter(f)); // $ Alert } @RequestMapping - public void testSpringBad10(@RequestParam String sBadLdapQueryBase, LdapTemplate c) { - c.find(LdapQueryBuilder.query().base(sBadLdapQueryBase).base(), null, null, null); + public void testSpringBad10(@RequestParam String sBadLdapQueryBase, LdapTemplate c) { // $ Source + c.find(LdapQueryBuilder.query().base(sBadLdapQueryBase).base(), null, null, null); // $ Alert } @RequestMapping - public void testSpringBad11(@RequestParam String sBadLdapQueryComplex, LdapTemplate c) { - c.searchForContext(LdapQueryBuilder.query().base(sBadLdapQueryComplex).where("uid").is("test")); + public void testSpringBad11(@RequestParam String sBadLdapQueryComplex, LdapTemplate c) { // $ Source + c.searchForContext(LdapQueryBuilder.query().base(sBadLdapQueryComplex).where("uid").is("test")); // $ Alert } @RequestMapping - public void testSpringBad12(@RequestParam String sBadFilterToString, LdapTemplate c) { - c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null); + public void testSpringBad12(@RequestParam String sBadFilterToString, LdapTemplate c) { // $ Source + c.search("", new HardcodedFilter("(uid=" + sBadFilterToString + ")").toString(), 1, false, null); // $ Alert } @RequestMapping - public void testSpringBad13(@RequestParam String sBadFilterEncode, LdapTemplate c) { + public void testSpringBad13(@RequestParam String sBadFilterEncode, LdapTemplate c) { // $ Source StringBuffer s = new StringBuffer(); new HardcodedFilter("(uid=" + sBadFilterEncode + ")").encode(s); - c.search("", s.toString(), 1, false, null); + c.search("", s.toString(), 1, false, null); // $ Alert } @RequestMapping 
@@ -311,39 +311,39 @@ public void testSpringOk3(@RequestParam String sOkLdapQuery, @RequestParam Strin // Apache LDAP API @RequestMapping - public void testApacheBad1(@RequestParam String aBad, @RequestParam String aBadDN, LdapConnection c) + public void testApacheBad1(@RequestParam String aBad, @RequestParam String aBadDN, LdapConnection c) // $ Source throws LdapException { - c.search("ou=system" + aBadDN, "(uid=" + aBad + ")", null); + c.search("ou=system" + aBadDN, "(uid=" + aBad + ")", null); // $ Alert } @RequestMapping - public void testApacheBad2(@RequestParam String aBad, @RequestParam String aBadDNObjToString, LdapNetworkConnection c) + public void testApacheBad2(@RequestParam String aBad, @RequestParam String aBadDNObjToString, LdapNetworkConnection c) // $ Source throws LdapException { - c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null); + c.search(new Dn("ou=system" + aBadDNObjToString).getName(), "(uid=" + aBad + ")", null); // $ Alert } @RequestMapping - public void testApacheBad3(@RequestParam String aBadSearchRequest, LdapConnection c) + public void testApacheBad3(@RequestParam String aBadSearchRequest, LdapConnection c) // $ Source throws LdapException { org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl(); s.setFilter("(uid=" + aBadSearchRequest + ")"); - c.search(s); + c.search(s); // $ Alert } @RequestMapping - public void testApacheBad4(@RequestParam String aBadSearchRequestImpl, @RequestParam String aBadDNObj, LdapConnection c) + public void testApacheBad4(@RequestParam String aBadSearchRequestImpl, @RequestParam String aBadDNObj, LdapConnection c) // $ Source throws LdapException { SearchRequestImpl s = new SearchRequestImpl(); s.setBase(new Dn("ou=system" + aBadDNObj)); - c.search(s); + c.search(s); // $ Alert } @RequestMapping - public void testApacheBad5(@RequestParam String aBadDNSearchRequestGet, LdapConnection c) + public void testApacheBad5(@RequestParam String 
aBadDNSearchRequestGet, LdapConnection c) // $ Source throws LdapException { org.apache.directory.api.ldap.model.message.SearchRequest s = new SearchRequestImpl(); s.setBase(new Dn("ou=system" + aBadDNSearchRequestGet)); - c.search(s.getBase(), "(uid=test", null); + c.search(s.getBase(), "(uid=test", null); // $ Alert } @RequestMapping diff --git a/java/ql/test/query-tests/security/CWE-090/LdapInjection.qlref b/java/ql/test/query-tests/security/CWE-090/LdapInjection.qlref index 53b04e4c00fa..01bec30b84bf 100644 --- a/java/ql/test/query-tests/security/CWE-090/LdapInjection.qlref +++ b/java/ql/test/query-tests/security/CWE-090/LdapInjection.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-090/LdapInjection.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java index 71d4145adfc4..bfa94bbe3a80 100644 --- a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java +++ b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java 
@@ -4,11 +4,11 @@ public class InsecureBeanValidation implements ConstraintValidator { @Override - public boolean isValid(String object, ConstraintValidatorContext constraintContext) { + public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source String value = object + " is invalid"; // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate` - constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); + constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert // Good: Using message parameters constraintContext.buildConstraintViolationWithTemplate("literal {message_parameter}").addConstraintViolation().disableDefaultConstraintViolation(); diff --git a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.qlref b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.qlref index 73254e55f938..d65ecf968f5a 100644 --- a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.qlref +++ b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-094/InsecureBeanValidation.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref index 9f05b219bfec..8f21e5781652 100644 --- a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref +++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql +query: Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml index 7e1332564289..e5a87437df7e 100644 --- a/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml +++ b/java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml @@ -19,13 +19,13 @@ JCenter https://jcenter.bintray.com - + jcenter-snapshots JCenter https://jcenter.bintray.com - + @@ -33,7 +33,7 @@ JCenter https://jcenter.bintray.com - + @@ -41,7 +41,7 @@ JCenter https://dl.bintray.com/groovy/maven - + @@ -49,6 +49,6 @@ JCenter https://jcenter.bintray.com - + diff --git a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java index b2ea8780e8e1..abe711808382 100644 --- a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java +++ b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.java 
@@ -19,14 +19,14 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // BAD: setting a cookie with an unvalidated parameter // can lead to HTTP splitting { - Cookie cookie = new Cookie("name", request.getParameter("name")); - response.addCookie(cookie); + Cookie cookie = new Cookie("name", request.getParameter("name")); // $ Source + response.addCookie(cookie); // $ Alert } // BAD: setting a header with an unvalidated parameter // can lead to HTTP splitting - response.addHeader("Content-type", request.getParameter("contentType")); - response.setHeader("Content-type", request.getParameter("contentType")); + response.addHeader("Content-type", request.getParameter("contentType")); // $ Alert + response.setHeader("Content-type", request.getParameter("contentType")); // $ Alert // GOOD: remove special characters before putting them in the header { @@ -50,13 +50,13 @@ public void addCookieName(HttpServletResponse response, Cookie cookie) { } public void sanitizerTests(HttpServletRequest request, HttpServletResponse response){ - String t = request.getParameter("contentType"); + String t = request.getParameter("contentType"); // $ Source // GOOD: whitelist-based sanitization response.setHeader("h", t.replaceAll("[^a-zA-Z]", "")); // BAD: not replacing all problematic characters - response.setHeader("h", t.replaceFirst("[^a-zA-Z]", "")); + response.setHeader("h", t.replaceFirst("[^a-zA-Z]", "")); // $ Alert // GOOD: replace all line breaks response.setHeader("h", t.replace('\n', ' ').replace('\r', ' ')); diff --git a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.qlref b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.qlref index 897d985e9d45..561c8aa65a32 100644 --- a/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.qlref +++ b/java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.qlref 
@@ -1,2 +1,4 @@
 query: Security/CWE/CWE-113/ResponseSplitting.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.qlref b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.qlref
index fc09d33596a9..883151805d4a 100644
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.qlref
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstruction.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.qlref b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.qlref
index 4cff7c39aa64..e8277291432d 100644
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.qlref
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayConstructionCodeSpecified.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.qlref b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.qlref
index 4dd969c54763..b9d7cd83e499 100644
--- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.qlref
+++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndex.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.qlref b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.qlref index b267f488b341..98cc770b734f 100644 --- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.qlref +++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/ImproperValidationOfArrayIndexCodeSpecified.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-129/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-129/semmle/tests/Test.java index c7be8b0031c0..956912f0aba2 100644 --- a/java/ql/test/query-tests/security/CWE-129/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-129/semmle/tests/Test.java @@ -11,12 +11,12 @@ class Test { public static void basic() { int array[] = { 0, 1, 2, 3, 4 }; - String userProperty = System.getProperty("userProperty"); + String userProperty = System.getProperty("userProperty"); // $ Source[java/improper-validation-of-array-index] try { int index = Integer.parseInt(userProperty.trim()); // BAD Accessing array without conditional check - System.out.println(array[index]); + System.out.println(array[index]); // $ Alert[java/improper-validation-of-array-index] if (index >= 0 && index < array.length) { // GOOD Accessing array under conditions 
@@ -38,10 +38,10 @@ public static void basic() { public static void random() { int array[] = { 0, 1, 2, 3, 4 }; - int index = (new SecureRandom()).nextInt(10); + int index = (new SecureRandom()).nextInt(10); // $ Source[java/improper-validation-of-array-index-code-specified] // BAD Accessing array without conditional check - System.out.println(array[index]); + System.out.println(array[index]); // $ Alert[java/improper-validation-of-array-index-code-specified] if (index < array.length) { // GOOD Accessing array under conditions @@ -56,10 +56,10 @@ public static void random() { public static void apacheRandom() { int array[] = { 0, 1, 2, 3, 4 }; - int index = RandomUtils.nextInt(0, 10); + int index = RandomUtils.nextInt(0, 10); // $ Source[java/improper-validation-of-array-index-code-specified] // BAD Accessing array without conditional check - System.out.println(array[index]); + System.out.println(array[index]); // $ Alert[java/improper-validation-of-array-index-code-specified] if (index < array.length) { // GOOD Accessing array under conditions 
@@ -73,20 +73,20 @@ public static void apacheRandom() { public static void construction() { - String userProperty = System.getProperty("userProperty"); + String userProperty = System.getProperty("userProperty"); // $ Source[java/improper-validation-of-array-construction] try { int size = Integer.parseInt(userProperty.trim()); - int[] array = new int[size]; + int[] array = new int[size]; // $ Sink[java/improper-validation-of-array-construction] // BAD The array was created without checking the size, so this access may be dubious - System.out.println(array[0]); + System.out.println(array[0]); // $ Alert[java/improper-validation-of-array-construction] if (size >= 0) { - int[] array2 = new int[size]; + int[] array2 = new int[size]; // $ Sink[java/improper-validation-of-array-construction] // BAD The array was created without checking that the size is greater than zero - System.out.println(array2[0]); + System.out.println(array2[0]); // $ Alert[java/improper-validation-of-array-construction] } if (size > 0) { @@ -102,12 +102,12 @@ public static void construction() { public static void constructionBounded() { - int size = 0; + int size = 0; // $ Source[java/improper-validation-of-array-construction-code-specified] - int[] array = new int[size]; + int[] array = new int[size]; // $ Sink[java/improper-validation-of-array-construction-code-specified] // BAD Array may be empty. - System.out.println(array[0]); + System.out.println(array[0]); // $ Alert[java/improper-validation-of-array-construction-code-specified] int index = 0; if (index < array.length) { diff --git a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.qlref b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.qlref index 6309a7eb502b..ee54ac69fe1a 100644 --- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.qlref 
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/ExternallyControlledFormatString.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE/CWE-134/ExternallyControlledFormatString.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+ - utils/test/PrettyPrintModels.ql
+ - utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-134/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-134/semmle/tests/Test.java
index 140c99740866..56c9930f94df 100644
--- a/java/ql/test/query-tests/security/CWE-134/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-134/semmle/tests/Test.java
@@ -14,29 +14,29 @@ import javax.servlet.http.HttpServletResponse; class Test { public static void basic() { - String userProperty = System.getProperty("userProperty"); + String userProperty = System.getProperty("userProperty"); // $ Source // BAD User provided value as format string for String.format - String.format(userProperty); + String.format(userProperty); // $ Alert // BAD User provided value as format string for PrintStream.format - System.out.format(userProperty); + System.out.format(userProperty); // $ Alert // BAD User provided value as format string for PrintStream.printf - System.out.printf(userProperty); + System.out.printf(userProperty); // $ Alert // BAD User provided value as format string for Formatter.format - new Formatter().format(userProperty); + new Formatter().format(userProperty); // $ Alert // BAD User provided value as format string for Formatter.format - new Formatter().format(Locale.ENGLISH, userProperty); + new Formatter().format(Locale.ENGLISH, userProperty); // $ Alert } public class FileUploadServlet extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { - String userParameter = request.getParameter("userProvidedParameter"); + String userParameter = request.getParameter("userProvidedParameter"); // $ Source formatString(userParameter); } private void formatString(String format) { // BAD This is used with user provided parameter - System.out.format(format); + System.out.format(format); // $ Alert } } } diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java index 04020aac31f4..0167af87497a 100644 --- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java 
@@ -14,7 +14,7 @@ public void main(String[] args) { try { - readerInputStream = new InputStreamReader(System.in, "UTF-8"); + readerInputStream = new InputStreamReader(System.in, "UTF-8"); // $ Source[java/tainted-arithmetic] readerBuffered = new BufferedReader(readerInputStream); String stringNumber = readerBuffered.readLine(); if (stringNumber != null) { @@ -29,7 +29,7 @@ public void main(String[] args) { { // BAD: may overflow if input data is very large - int scaled = data + 10; + int scaled = data + 10; // $ Alert[java/tainted-arithmetic] } { @@ -37,7 +37,7 @@ public void main(String[] args) { if (data > Integer.MIN_VALUE) { System.out.println("I'm guarded"); } - int output = data - 10; + int output = data - 10; // $ Alert[java/tainted-arithmetic] } { @@ -47,7 +47,7 @@ public void main(String[] args) { } else { System.out.println("I'm not guarded"); } - int output = data + 1; + int output = data + 1; // $ Alert[java/tainted-arithmetic] } { @@ -68,7 +68,7 @@ public void main(String[] args) { // GOOD int output_ok = ok + 1; // BAD - int output = herring + 1; + int output = herring + 1; // $ Alert[java/tainted-arithmetic] } { @@ -92,7 +92,7 @@ public void main(String[] args) { { // BAD: tainted int value is widened to type long, but subsequently // cast to narrower type int - int widenedThenNarrowed = (int) (data + 10L); + int widenedThenNarrowed = (int) (data + 10L); // $ Alert[java/tainted-arithmetic] } // The following test case has an arbitrary guard on hashcode 
@@ -126,19 +126,19 @@ public void main(String[] args) { public static void test(int data) { // BAD: may overflow if input data is very large - data++; + data++; // $ Alert[java/tainted-arithmetic] } public static void test2(int data) { // BAD: may overflow if input data is very large - ++data; + ++data; // $ Alert[java/tainted-arithmetic] } public static void test3(int data) { // BAD: may underflow if input data is very small - data--; + data--; // $ Alert[java/tainted-arithmetic] } public static void test4(int data) { // BAD: may underflow if input data is very small - --data; + --data; // $ Alert[java/tainted-arithmetic] } public static void boundsCheckGood(byte[] bs, int off, int len) { diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.qlref b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.qlref index 938a60cfc017..38ee81494e11 100644 --- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.qlref +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-190/ArithmeticTainted.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.qlref b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.qlref index c6d57c735107..e298fb9edc13 100644 --- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.qlref +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticUncontrolled.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-190/ArithmeticUncontrolled.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.qlref b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.qlref index 0eaecb369412..f01d5c0f24fa 100644 --- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.qlref +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticWithExtremeValues.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.java b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.java index 88c520307a4e..ace1fff92c1d 100644 --- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.java +++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.java @@ -1,7 +1,7 @@ public class ComparisonWithWiderType { public void testLt(long l) { // BAD: loop variable is an int, but the upper bound is a long - for (int i = 0; i < l; i++) { + for (int i = 0; i < l; i++) { // $ Alert[java/comparison-with-wider-type] System.out.println(i); } @@ -13,7 +13,7 @@ public void testLt(long l) { public void testGt(short c) { // BAD: loop variable is a byte, but the upper bound is a short - for (byte b = 0; c > b; b++) { + for (byte b = 0; c > b; b++) { // $ Alert[java/comparison-with-wider-type] System.out.println(b); } } @@ -24,4 +24,4 @@ public void testLe(int i) { System.out.println(l); } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.qlref b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.qlref index 4605189317fa..f836a00c9c4e 100644 
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.qlref
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ComparisonWithWiderType.qlref
@@ -1 +1,2 @@
-Security/CWE/CWE-190/ComparisonWithWiderType.ql
\ No newline at end of file
+query: Security/CWE/CWE-190/ComparisonWithWiderType.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.qlref b/java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.qlref
index ce7d4116a76a..c9ab00052aea 100644
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.qlref
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/InformationLoss.qlref
@@ -1 +1,2 @@
-Likely Bugs/Arithmetic/InformationLoss.ql
\ No newline at end of file
+query: Likely Bugs/Arithmetic/InformationLoss.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/IntMultToLong.qlref b/java/ql/test/query-tests/security/CWE-190/semmle/tests/IntMultToLong.qlref
index 9f172bbac420..4616a5ea9dc8 100644
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/IntMultToLong.qlref
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/IntMultToLong.qlref
@@ -1 +1,2 @@
-Likely Bugs/Arithmetic/IntMultToLong.ql
\ No newline at end of file
+query: Likely Bugs/Arithmetic/IntMultToLong.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
diff --git a/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java
index f24d16a236c0..ed1cf0bbe1f2 100644
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/Test.java
@@ -18,21 +18,21 @@ public static void main(String[] args) { // BAD: result of multiplication will be too large for // int, and will overflow before being stored in the long - long timeInNanos = timeInSeconds * 1000000000; + long timeInNanos = timeInSeconds * 1000000000; // $ Alert[java/integer-multiplication-cast-to-long] } { int timeInSeconds = 1000000; // BAD - long timeInNanos = timeInSeconds * 1000000000 + 4; + long timeInNanos = timeInSeconds * 1000000000 + 4; // $ Alert[java/integer-multiplication-cast-to-long] } { int timeInSeconds = 1000000; // BAD - long timeInNanos = true ? timeInSeconds * 1000000000 + 4 : 0; + long timeInNanos = true ? timeInSeconds * 1000000000 + 4 : 0; // $ Alert[java/integer-multiplication-cast-to-long] } { @@ -65,7 +65,7 @@ public static void main(String[] args) { while (i < 1000000) { // BAD: getLargeNumber is implicitly narrowed to an integer // which will result in overflows if it is large - i += getLargeNumber(); + i += getLargeNumber(); // $ Alert[java/implicit-cast-in-compound-assignment] } } @@ -84,16 +84,16 @@ public static void main(String[] args) { // FALSE POSITIVE: the query check purely based on the type, it // can't try to // determine whether the value may in fact always be in bounds - i += j; + i += j; // $ Alert[java/implicit-cast-in-compound-assignment] } // ArithmeticWithExtremeValues { int i = 0; - i = Integer.MAX_VALUE; + i = Integer.MAX_VALUE; // $ Source[java/extreme-value-arithmetic] int j = 0; // BAD: overflow - j = i + 1; + j = i + 1; // $ Alert[java/extreme-value-arithmetic] } { @@ -106,9 +106,9 @@ public static void main(String[] args) { } { - long i = Long.MIN_VALUE; + long i = Long.MIN_VALUE; // $ Source[java/extreme-value-arithmetic] // BAD: overflow - long j = i - 1; + long j = i - 1; // $ Alert[java/extreme-value-arithmetic] } { 
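Review bot: The `i += j;` line in the `@@ -84,16` hunk is described by its own comment as a FALSE POSITIVE, yet the new annotation records it as a plain expected `Alert[java/implicit-cast-in-compound-assignment]`, so the expectation no longer separates a wanted finding from a known-spurious one. The inline-expectations syntax has a prefix for exactly this case; I would write `i += j; // $ SPURIOUS: Alert[java/implicit-cast-in-compound-assignment]`. The same applies to `functionThatActuallyDisablesVerification` in UnsafeHostnameVerification.java, whose comment reads "GOOD [but detected as BAD]" while the added tag is a plain `Alert[java/unsafe-hostname-verification]`. Keeping these marked matters for a security query suite, because a later precision fix that removes the false positive should show up as an expected improvement rather than a test regression. The enclosing `main` starts and ends outside the hunk.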
@@ -135,16 +135,16 @@ public static void main(String[] args) { int i = Integer.MAX_VALUE; if (i < Integer.MAX_VALUE) { // BAD: reassigned after guard - i = Integer.MAX_VALUE; - long j = i + 1; + i = Integer.MAX_VALUE; // $ Source[java/extreme-value-arithmetic] + long j = i + 1; // $ Alert[java/extreme-value-arithmetic] } } { - int i = Integer.MAX_VALUE; + int i = Integer.MAX_VALUE; // $ Source[java/extreme-value-arithmetic] // BAD: guarded the wrong way if (i > Integer.MIN_VALUE) { - long j = i + 1; + long j = i + 1; // $ Alert[java/extreme-value-arithmetic] } } @@ -182,32 +182,32 @@ public static void main(String[] args) { } { - byte b = Byte.MAX_VALUE; + byte b = Byte.MAX_VALUE; // $ Source[java/extreme-value-arithmetic] // BAD: extreme byte value is widened to type int, but subsequently // cast to narrower type byte - byte widenedThenNarrowed = (byte) (b + 1); + byte widenedThenNarrowed = (byte) (b + 1); // $ Alert[java/extreme-value-arithmetic] } { - short s = Short.MAX_VALUE; + short s = Short.MAX_VALUE; // $ Source[java/extreme-value-arithmetic] // BAD: extreme short value is widened to type int, but subsequently // cast to narrower type short - short widenedThenNarrowed = (short) (s + 1); + short widenedThenNarrowed = (short) (s + 1); // $ Alert[java/extreme-value-arithmetic] } { - int i = Integer.MAX_VALUE; + int i = Integer.MAX_VALUE; // $ Source[java/extreme-value-arithmetic] // BAD: extreme int value is widened to type long, but subsequently // cast to narrower type int - int widenedThenNarrowed = (int) (i + 1L); + int widenedThenNarrowed = (int) (i + 1L); // $ Alert[java/extreme-value-arithmetic] } // ArithmeticUncontrolled - int data = (new java.security.SecureRandom()).nextInt(); + int data = (new java.security.SecureRandom()).nextInt(); // $ Source[java/uncontrolled-arithmetic] { // BAD: may overflow if data is large - int output = data + 1; + int output = data + 1; // $ Alert[java/uncontrolled-arithmetic] } { 
@@ -238,15 +238,15 @@ public static void main(String[] args) { { // BAD: uncontrolled int value is widened to type long, but // subsequently cast to narrower type int - int widenedThenNarrowed = (int) (data + 10L); + int widenedThenNarrowed = (int) (data + 10L); // $ Alert[java/uncontrolled-arithmetic] } // ArithmeticUncontrolled using Apache RandomUtils - int data2 = RandomUtils.nextInt(); + int data2 = RandomUtils.nextInt(); // $ Source[java/uncontrolled-arithmetic] { // BAD: may overflow if data is large - int output = data2 + 1; + int output = data2 + 1; // $ Alert[java/uncontrolled-arithmetic] } { @@ -277,7 +277,7 @@ public static void main(String[] args) { { // BAD: uncontrolled int value is widened to type long, but // subsequently cast to narrower type int - int widenedThenNarrowed = (int) (data2 + 10L); + int widenedThenNarrowed = (int) (data2 + 10L); // $ Alert[java/uncontrolled-arithmetic] } // InformationLoss @@ -286,11 +286,11 @@ public static void main(String[] args) { while (arr[2] < 1000000) { // BAD: getLargeNumber is implicitly narrowed to an integer // which will result in overflows if it is large - arr[2] += getLargeNumber(); + arr[2] += getLargeNumber(); // $ Alert[java/implicit-cast-in-compound-assignment] } // BAD. - getAnIntArray()[0] += getLargeNumber(); + getAnIntArray()[0] += getLargeNumber(); // $ Alert[java/implicit-cast-in-compound-assignment] } } diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Files.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Files.java index cc8c1a736adf..89875947d76c 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Files.java +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Files.java 
@@ -7,12 +7,12 @@ public class Files { private static final int TEMP_DIR_ATTEMPTS = 10000; public static File createTempDir() { - File baseDir = new File(System.getProperty("java.io.tmpdir")); + File baseDir = new File(System.getProperty("java.io.tmpdir")); // $ Alert String baseName = System.currentTimeMillis() + "-"; for (int counter = 0; counter < TEMP_DIR_ATTEMPTS; counter++) { File tempDir = new File(baseDir, baseName + counter); - if (tempDir.mkdir()) { + if (tempDir.mkdir()) { // $ Sink return tempDir; } } diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/TempDirLocalInformationDisclosure.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/TempDirLocalInformationDisclosure.qlref index b7836c96d600..5c3a603d2163 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/TempDirLocalInformationDisclosure.qlref +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/TempDirLocalInformationDisclosure.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Test.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Test.java index e1ec05ac51c7..45a455a62323 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Test.java +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/TempDirLocalInformationDisclosure/Test.java 
@@ -17,7 +17,7 @@ public class Test { void vulnerableFileCreateTempFile() throws IOException { // VULNERABLE VERSION: - File tempVuln = File.createTempFile("random", "file"); + File tempVuln = File.createTempFile("random", "file"); // $ Alert // TO MAKE SAFE REWRITE TO: File tempSafe = Files.createTempFile("random", "file").toFile(); @@ -25,7 +25,7 @@ void vulnerableFileCreateTempFile() throws IOException { void vulnerableFileCreateTempFileNull() throws IOException { // VULNERABLE VERSION: - File tempVuln = File.createTempFile("random", "file", null); + File tempVuln = File.createTempFile("random", "file", null); // $ Alert // TO MAKE SAFE REWRITE TO: File tempSafe = Files.createTempFile("random", "file").toFile(); @@ -33,10 +33,10 @@ void vulnerableFileCreateTempFileNull() throws IOException { void vulnerableFileCreateTempFileTainted() throws IOException { // GIVEN: - File tempDir = new File(System.getProperty("java.io.tmpdir")); + File tempDir = new File(System.getProperty("java.io.tmpdir")); // $ Alert // VULNERABLE VERSION: - File tempVuln = File.createTempFile("random", "file", tempDir); + File tempVuln = File.createTempFile("random", "file", tempDir); // $ Sink // TO MAKE SAFE REWRITE TO (v1): File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile(); @@ -47,10 +47,10 @@ void vulnerableFileCreateTempFileTainted() throws IOException { void vulnerableFileCreateTempFileChildTainted() throws IOException { // GIVEN: - File tempDirChild = new File(new File(System.getProperty("java.io.tmpdir")), "/child"); + File tempDirChild = new File(new File(System.getProperty("java.io.tmpdir")), "/child"); // $ Alert // VULNERABLE VERSION: - File tempVuln = File.createTempFile("random", "file", tempDirChild); + File tempVuln = File.createTempFile("random", "file", tempDirChild); // $ Sink // TO MAKE SAFE REWRITE TO: File tempSafe = Files.createTempFile(tempDirChild.toPath(), "random", "file").toFile(); 
@@ -58,10 +58,10 @@ void vulnerableFileCreateTempFileChildTainted() throws IOException { void vulnerableFileCreateTempFileCanonical() throws IOException { // GIVEN: - File tempDir = new File(System.getProperty("java.io.tmpdir")).getCanonicalFile(); + File tempDir = new File(System.getProperty("java.io.tmpdir")).getCanonicalFile(); // $ Alert // VULNERABLE VERSION: - File tempVuln = File.createTempFile("random", "file", tempDir); + File tempVuln = File.createTempFile("random", "file", tempDir); // $ Sink // TO MAKE SAFE REWRITE TO (v1): File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile(); @@ -72,10 +72,10 @@ void vulnerableFileCreateTempFileCanonical() throws IOException { void vulnerableFileCreateTempFileAbsolute() throws IOException { // GIVEN: - File tempDir = new File(System.getProperty("java.io.tmpdir")).getAbsoluteFile(); + File tempDir = new File(System.getProperty("java.io.tmpdir")).getAbsoluteFile(); // $ Alert // VULNERABLE VERSION: - File tempVuln = File.createTempFile("random", "file", tempDir); + File tempVuln = File.createTempFile("random", "file", tempDir); // $ Sink // TO MAKE SAFE REWRITE TO (v1): File tempSafe1 = Files.createTempFile(tempDir.toPath(), "random", "file").toFile(); @@ -94,7 +94,7 @@ void safeFileCreateTempFileTainted() throws IOException { void vulnerableGuavaFilesCreateTempDir() { // VULNERABLE VERSION: - File tempDir = com.google.common.io.Files.createTempDir(); + File tempDir = com.google.common.io.Files.createTempDir(); // $ Alert // TO MAKE SAFE REWRITE TO: File tempSafe; @@ -107,10 +107,10 @@ void vulnerableGuavaFilesCreateTempDir() { void vulnerableFileCreateTempFileMkdirTainted() { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child"); // $ Alert // VULNERABLE VERSION: - tempDirChild.mkdir(); + tempDirChild.mkdir(); // $ Sink // TO MAKE SAFE REWRITE TO (v1): File tempSafe1; 
@@ -131,10 +131,10 @@ void vulnerableFileCreateTempFileMkdirTainted() { void vulnerableFileCreateTempFileMkdirsTainted() { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child"); // $ Alert // VULNERABLE VERSION: - tempDirChild.mkdirs(); + tempDirChild.mkdirs(); // $ Sink // TO MAKE SAFE REWRITE TO (v1): File tempSafe1; @@ -155,8 +155,8 @@ void vulnerableFileCreateTempFileMkdirsTainted() { void vulnerableFileCreateTempFilesWrite1() throws IOException { // VULNERABLE VERSION: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt"); - Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt"); // $ Alert + Files.write(tempDirChild.toPath(), Arrays.asList("secret"), StandardCharsets.UTF_8, StandardOpenOption.CREATE); // $ Sink // TO MAKE SAFE REWRITE TO (v1): // Use this version if you care that the file has the exact path of `[java.io.tmpdir]/child.txt` @@ -184,8 +184,8 @@ void vulnerableFileCreateTempFilesWrite2() throws IOException { byte[] byteArrray = secret.getBytes(); // VULNERABLE VERSION: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt"); - Files.write(tempDirChild.toPath(), byteArrray, StandardOpenOption.CREATE); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child.txt"); // $ Alert + Files.write(tempDirChild.toPath(), byteArrray, StandardOpenOption.CREATE); // $ Sink // TO MAKE SAFE REWRITE TO (v1): // Use this version if you care that the file has the exact path of `[java.io.tmpdir]/child.txt` 
@@ -201,10 +201,10 @@ void vulnerableFileCreateTempFilesWrite2() throws IOException { void vulnerableFileCreateTempFilesNewBufferedWriter() throws IOException { // GIVEN: - Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt").toPath(); + Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-buffered-writer.txt").toPath(); // $ Alert // VULNERABLE VERSION: - Files.newBufferedWriter(tempDirChild); + Files.newBufferedWriter(tempDirChild); // $ Sink // TO MAKE SAFE REWRITE TO: Files.createFile(tempDirChild, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))); @@ -213,10 +213,10 @@ void vulnerableFileCreateTempFilesNewBufferedWriter() throws IOException { void vulnerableFileCreateTempFilesNewOutputStream() throws IOException { // GIVEN: - Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt").toPath(); + Path tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-output-stream.txt").toPath(); // $ Alert // VULNERABLE VERSION: - Files.newOutputStream(tempDirChild).close(); + Files.newOutputStream(tempDirChild).close(); // $ Sink // TO MAKE SAFE REWRITE TO: Files.createFile(tempDirChild, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))); 
@@ -225,10 +225,10 @@ void vulnerableFileCreateTempFilesNewOutputStream() throws IOException { void vulnerableFileCreateTempFilesCreateFile() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-file.txt"); // $ Alert // VULNERABLE VERSION: - Files.createFile(tempDirChild.toPath()); + Files.createFile(tempDirChild.toPath()); // $ Sink // TO MAKE SAFE REWRITE TO: Files.createFile(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))); @@ -246,10 +246,10 @@ void safeFileCreateTempFilesCreateFile() throws IOException { void vulnerableFileCreateDirectory() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); // $ Alert // VULNERABLE VERSION: - Files.createDirectory(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x' + Files.createDirectory(tempDirChild.toPath()); // $ Sink // Creates with permissions 'drwxr-xr-x' // TO MAKE SAFE REWRITE TO: Files.createDirectory(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))); 
@@ -257,10 +257,10 @@ void vulnerableFileCreateDirectory() throws IOException { void vulnerableFileCreateDirectories() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directories/child"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directories/child"); // $ Alert // VULNERABLE VERSION: - Files.createDirectories(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x' + Files.createDirectories(tempDirChild.toPath()); // $ Sink // Creates with permissions 'drwxr-xr-x' // TO MAKE SAFE REWRITE TO: Files.createDirectories(tempDirChild.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE))); @@ -291,11 +291,11 @@ void safeBecauseWindows() { void vulnerableBecauseInvertedPosixCheck() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); // $ Alert // Oops, this check should be inverted if (tempDirChild.toPath().getFileSystem().supportedFileAttributeViews().contains("posix")) { - Files.createDirectory(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x' + Files.createDirectory(tempDirChild.toPath()); // $ Sink // Creates with permissions 'drwxr-xr-x' } } 
@@ -310,20 +310,20 @@ void safeBecauseCheckingForWindowsVersion() throws IOException { void vulnerableBecauseCheckingForNotLinux() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); // $ Alert if (!SystemUtils.IS_OS_LINUX) { - Files.createDirectory(tempDirChild.toPath()); + Files.createDirectory(tempDirChild.toPath()); // $ Sink } } void vulnerableBecauseInvertedFileSeparatorCheck() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); // $ Alert // Oops, this check should be inverted if (File.separatorChar != '\\') { - Files.createDirectory(tempDirChild.toPath()); // Creates with permissions 'drwxr-xr-x' + Files.createDirectory(tempDirChild.toPath()); // $ Sink // Creates with permissions 'drwxr-xr-x' } } 
@@ -347,23 +347,23 @@ void safeBecauseInvertedFileSeperatorCheck() throws IOException { void vulnerableBecauseFileSeparatorCheckElseCase() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); // $ Alert if (File.separatorChar == '\\') { Files.createDirectory(tempDirChild.toPath()); // Safe } else { - Files.createDirectory(tempDirChild.toPath()); // Vulnerable + Files.createDirectory(tempDirChild.toPath()); // $ Sink // Vulnerable } } void vulnerableBecauseInvertedFileSeperatorCheckElseCase() throws IOException { // GIVEN: - File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); + File tempDirChild = new File(System.getProperty("java.io.tmpdir"), "/child-create-directory"); // $ Alert if (File.separatorChar != '/') { Files.createDirectory(tempDirChild.toPath()); // Safe } else { - Files.createDirectory(tempDirChild.toPath()); // Vulnerable + Files.createDirectory(tempDirChild.toPath()); // $ Sink // Vulnerable } } } diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.java index 7dd4aa893470..8901b40715b3 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.java +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.java @@ -12,7 +12,7 @@ interface WebViewGetter { public class WebViewContentAccess extends Activity { void enableContentAccess(WebView webview) { - webview.getSettings().setAllowContentAccess(true); + webview.getSettings().setAllowContentAccess(true); // $ Alert[java/android/websettings-allow-content-access] } void disableContentAccess(WebView webview) { 
@@ -35,25 +35,25 @@ void configureWebViewSafe(WebView view, WebViewGetter getter) { void configureWebViewUnsafe(WebView view1, WebViewGetter getter) { WebSettings settings; - view1.getSettings().setAllowContentAccess(true); + view1.getSettings().setAllowContentAccess(true); // $ Alert[java/android/websettings-allow-content-access] // Cast expression - WebView view2 = (WebView) findViewById(0); + WebView view2 = (WebView) findViewById(0); // $ Alert[java/android/websettings-allow-content-access] settings = view2.getSettings(); - settings.setAllowContentAccess(true); + settings.setAllowContentAccess(true); // $ Alert[java/android/websettings-allow-content-access] // Constructor - WebView view3 = new WebView(this); + WebView view3 = new WebView(this); // $ Alert[java/android/websettings-allow-content-access] settings = view3.getSettings(); - settings.setAllowContentAccess(true); + settings.setAllowContentAccess(true); // $ Alert[java/android/websettings-allow-content-access] // Method access - WebView view4 = getter.getAWebView(); + WebView view4 = getter.getAWebView(); // $ Alert[java/android/websettings-allow-content-access] settings = view4.getSettings(); - settings.setAllowContentAccess(true); + settings.setAllowContentAccess(true); // $ Alert[java/android/websettings-allow-content-access] - enableContentAccess(getter.getAWebView()); + enableContentAccess(getter.getAWebView()); // $ Alert[java/android/websettings-allow-content-access] - WebView view5 = getter.getAWebView(); + WebView view5 = getter.getAWebView(); // $ Alert[java/android/websettings-allow-content-access] } } diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.qlref index 7c9eba28b6ea..cb5fbbc26768 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.qlref 
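Review bot: In `configureWebViewUnsafe` the new expectations put an alert both on the line that obtains each WebView (`view2`, `view3`, `view4`) and on the following `setAllowContentAccess(true)` call, and `view5` expects an alert although no settings call on it is visible in the hunk, but nothing in the test explains why. Presumably the query reports any WebView whose content access is never switched off, since the Android default leaves it enabled; that should be confirmed against the query and then stated in the test. A short comment would make the intent reviewable, for example `// BAD: content access is on by default and is never disabled` above `WebView view5 = getter.getAWebView();`.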
+++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewContentAccess.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql \ No newline at end of file +query: Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.java b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.java index f42dbfaa84a1..72b054e25897 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.java +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.java @@ -5,11 +5,11 @@ class WebViewFileAccess { void configure(WebView view) { WebSettings settings = view.getSettings(); - settings.setAllowFileAccess(true); + settings.setAllowFileAccess(true); // $ Alert[java/android/websettings-file-access] - settings.setAllowFileAccessFromFileURLs(true); + settings.setAllowFileAccessFromFileURLs(true); // $ Alert[java/android/websettings-file-access] - settings.setAllowUniversalAccessFromFileURLs(true); + settings.setAllowUniversalAccessFromFileURLs(true); // $ Alert[java/android/websettings-file-access] } void configureSafe(WebView view) { diff --git a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.qlref b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.qlref index 6c3224a4a61b..af0434e7711f 100644 --- a/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.qlref +++ b/java/ql/test/query-tests/security/CWE-200/semmle/tests/WebViewAccess/WebViewFileAccess.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql +query: Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
diff --git a/java/ql/test/query-tests/security/CWE-209/semmle/tests/SensitiveDataExposureThroughErrorMessage.qlref b/java/ql/test/query-tests/security/CWE-209/semmle/tests/SensitiveDataExposureThroughErrorMessage.qlref index 25d68a7fceff..c763b46a0779 100644 --- a/java/ql/test/query-tests/security/CWE-209/semmle/tests/SensitiveDataExposureThroughErrorMessage.qlref +++ b/java/ql/test/query-tests/security/CWE-209/semmle/tests/SensitiveDataExposureThroughErrorMessage.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql +query: Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-209/semmle/tests/StackTraceExposure.qlref b/java/ql/test/query-tests/security/CWE-209/semmle/tests/StackTraceExposure.qlref index ea39c4fe8c69..1e5f0d4e2b68 100644 --- a/java/ql/test/query-tests/security/CWE-209/semmle/tests/StackTraceExposure.qlref +++ b/java/ql/test/query-tests/security/CWE-209/semmle/tests/StackTraceExposure.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-209/StackTraceExposure.ql +query: Security/CWE/CWE-209/StackTraceExposure.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-209/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-209/semmle/tests/Test.java index 54d64f05ff6b..51f48471be80 100644 --- a/java/ql/test/query-tests/security/CWE-209/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-209/semmle/tests/Test.java @@ -22,7 +22,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) doSomeWork(); } catch (NullPointerException ex) { // BAD: printing a stack trace back to the response - ex.printStackTrace(response.getWriter()); + ex.printStackTrace(response.getWriter()); // $ Alert[java/stack-trace-exposure] return; } 
@@ -32,7 +32,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // BAD: printing a stack trace back to the response response.sendError( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, - printTrace(ex)); + printTrace(ex)); // $ Alert[java/stack-trace-exposure] return; } @@ -42,7 +42,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // BAD: printing a stack trace back to the response response.sendError( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, - printTrace2(ex)); + printTrace2(ex)); // $ Alert[java/stack-trace-exposure] return; } @@ -52,7 +52,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // BAD: printing an exception message back to the response response.sendError( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, - ex.getMessage()); + ex.getMessage()); // $ Alert[java/error-message-exposure] } } diff --git a/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java b/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java index 09fdf89e0f06..77ab00cc432a 100644 --- a/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java +++ b/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.java 
@@ -11,19 +11,19 @@ public class UnsafeHostnameVerification { * Test the implementation of trusting all hostnames as an anonymous class */ public void testTrustAllHostnameOfAnonymousClass() { - HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { + HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() { // $ @Override public boolean verify(String hostname, SSLSession session) { return true; // BAD, always returns true } - }); + }); // $ Alert[java/unsafe-hostname-verification] } /** * Test the implementation of trusting all hostnames as a lambda. */ public void testTrustAllHostnameLambda() { - HttpsURLConnection.setDefaultHostnameVerifier((name, s) -> true); // BAD, always returns true + HttpsURLConnection.setDefaultHostnameVerifier((name, s) -> true); // $ Alert[java/unsafe-hostname-verification] // BAD, always returns true } /** @@ -44,7 +44,7 @@ public void testGuardedByFlagAccrossCalls() { } private void functionThatActuallyDisablesVerification() { - HttpsURLConnection.setDefaultHostnameVerifier((name, s) -> true); // GOOD [but detected as BAD], because we only + HttpsURLConnection.setDefaultHostnameVerifier((name, s) -> true); // $ Alert[java/unsafe-hostname-verification] // GOOD [but detected as BAD], because we only // check guards inside a function // and not across function calls. This is considerer GOOD because the call to // `functionThatActuallyDisablesVerification` is guarded by a feature flag in @@ -63,7 +63,7 @@ public void testTrustAllHostnameDependingOnDerivedValue() { } public void testTrustAllHostnameWithExceptions() { - HostnameVerifier verifier = new HostnameVerifier() { + HostnameVerifier verifier = new HostnameVerifier() { // $ @Override public boolean verify(String hostname, SSLSession session) { try { verify(hostname, session.getPeerCertificates()); } catch (Exception e) { throw new RuntimeException(); } 
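Review bot: The bare `// $` added after `new HostnameVerifier() {` in `testTrustAllHostnameOfAnonymousClass` carries no tag, so on its own it states no expectation, and nothing visible in the patch explains it. The same empty marker appears in the -63,7 and -77,21 hunks of this file. If it is meant to mark the first line of a multi-line alert location whose tag sits on the closing `});`, a sentence in the commit description would make that explicit. If it is a leftover from the automated first pass, it should be dropped, since a later reader may take it for an expectation that is actually checked.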
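Review bot: In `functionThatActuallyDisablesVerification` the result that the existing comment calls `GOOD [but detected as BAD]` is recorded as a plain `Alert[java/unsafe-hostname-verification]`, which turns a known false positive into a required result. The inline-expectations syntax has a `SPURIOUS:` prefix for this case, e.g. `// $ SPURIOUS: Alert[java/unsafe-hostname-verification]`, assuming the postprocess query honours it as the library tests do. With that prefix the test records that the alert is unwanted, and a later precision fix would not read as a regression. The same applies to the `FALSE POSITIVE` block in HttpsUrlsTest.java (-84,12 hunk) and the `FP:` case on `connection3` in the CWE-421 Test.java (-48,7 hunk). The function body continues outside the hunk.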
@@ -77,21 +77,21 @@ public boolean verify(String hostname, SSLSession session) { // `Exception` in the case of a mismatch. private void verify(String hostname, Certificate[] certs) { } - }; - HttpsURLConnection.setDefaultHostnameVerifier(verifier); + }; // $ Source[java/unsafe-hostname-verification] + HttpsURLConnection.setDefaultHostnameVerifier(verifier); // $ Alert[java/unsafe-hostname-verification] } /** * Test the implementation of trusting all hostnames as a variable */ public void testTrustAllHostnameOfVariable() { - HostnameVerifier verifier = new HostnameVerifier() { + HostnameVerifier verifier = new HostnameVerifier() { // $ @Override public boolean verify(String hostname, SSLSession session) { return true; // BAD, always returns true } - }; - HttpsURLConnection.setDefaultHostnameVerifier(verifier); + }; // $ Source[java/unsafe-hostname-verification] + HttpsURLConnection.setDefaultHostnameVerifier(verifier); // $ Alert[java/unsafe-hostname-verification] } public static final HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER = new HostnameVerifier() { @@ -113,7 +113,7 @@ public boolean verify(String hostname, SSLSession session) { * This is for testing the diff-informed functionality of the query. */ public void testTrustAllHostnameOfNamedClass() { - HttpsURLConnection.setDefaultHostnameVerifier(new AlwaysTrueVerifier()); + HttpsURLConnection.setDefaultHostnameVerifier(new AlwaysTrueVerifier()); // $ Alert[java/unsafe-hostname-verification] } } diff --git a/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.qlref b/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.qlref index 5c82af8f3f7c..fc028d3814e2 100644 --- a/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.qlref +++ b/java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.qlref 
@@ -1,2 +1,4 @@ query: Security/CWE/CWE-297/UnsafeHostnameVerification.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref index ee69b6e12ca9..e7d9ba08897f 100644 --- a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref +++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrls.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-319/HttpsUrls.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java index 900718904d29..362361a71717 100644 --- a/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java +++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/HttpsUrlsTest.java @@ -20,12 +20,12 @@ public static void main(String[] args) { try { // HttpsUrls { - String protocol = "http://"; + String protocol = "http://"; // $ Source[java/non-https-url] URL u = new URL(protocol + "www.secret.example.org/"); // using HttpsURLConnections to enforce SSL is desirable // BAD: this will give a ClassCastException at runtime, as the // http URL cannot be used to make an HttpsURLConnection - HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); + HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); // $ Alert[java/non-https-url] hu.setRequestMethod("PUT"); hu.connect(); OutputStream os = hu.getOutputStream(); 
@@ -33,12 +33,12 @@ public static void main(String[] args) { } { - String protocol = "http"; + String protocol = "http"; // $ Source[java/non-https-url] URL u = new URL(protocol, "www.secret.example.org", "foo"); // using HttpsURLConnections to enforce SSL is desirable // BAD: this will give a ClassCastException at runtime, as the // http URL cannot be used to make an HttpsURLConnection - HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); + HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); // $ Alert[java/non-https-url] hu.setRequestMethod("PUT"); hu.connect(); OutputStream os = hu.getOutputStream(); @@ -46,13 +46,13 @@ public static void main(String[] args) { } { - String protocol = "http://"; + String protocol = "http://"; // $ Source[java/non-https-url] // the second URL overwrites the first, as it has a protocol URL u = new URL(new URL("https://www.secret.example.org"), protocol + "www.secret.example.org"); // using HttpsURLConnections to enforce SSL is desirable // BAD: this will give a ClassCastException at runtime, as the // http URL cannot be used to make an HttpsURLConnection - HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); + HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); // $ Alert[java/non-https-url] hu.setRequestMethod("PUT"); hu.connect(); OutputStream os = hu.getOutputStream(); 
@@ -84,12 +84,12 @@ public static void main(String[] args) { } { - String protocol = "http"; + String protocol = "http"; // $ Source[java/non-https-url] URL u = new URL(protocol, "internal-url", "foo"); // FALSE POSITIVE: the query has no way of knowing whether the url will // resolve to somewhere outside the internal network, where there // are unlikely to be interception attempts - HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); + HttpsURLConnection hu = (HttpsURLConnection) u.openConnection(); // $ Alert[java/non-https-url] hu.setRequestMethod("PUT"); hu.connect(); OutputStream os = hu.getOutputStream(); @@ -116,4 +116,4 @@ public static void main(String[] args) { public String sayHello() { return "Hello"; } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref index cd19c71e3ad0..b1aaff7c3002 100644 --- a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref +++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSL.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-319/UseSSL.ql \ No newline at end of file +query: Security/CWE/CWE-319/UseSSL.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java index b6ff8b57fbf1..19e4951f249c 100644 --- a/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java +++ b/java/ql/test/query-tests/security/CWE-311/CWE-319/UseSSLTest.java @@ -8,7 +8,7 @@ public void m1(HttpURLConnection connection) throws java.io.IOException { if (connection instanceof HttpsURLConnection) { input = connection.getInputStream(); // OK } else { - input = connection.getInputStream(); // BAD + input = connection.getInputStream(); // $ Alert[java/non-ssl-connection] // BAD } } } 
diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/InsecureCookie.qlref b/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/InsecureCookie.qlref index 38042f8864c2..f286f8858ee8 100644 --- a/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/InsecureCookie.qlref +++ b/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/InsecureCookie.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-614/InsecureCookie.ql \ No newline at end of file +query: Security/CWE/CWE-614/InsecureCookie.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/Test.java index c198f522e30e..83c0038b7a01 100644 --- a/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-311/CWE-614/semmle/tests/Test.java @@ -16,7 +16,7 @@ public static void test(HttpServletRequest request, HttpServletResponse response Cookie cookie = new Cookie("secret" ,"fakesecret"); // BAD: secure flag not set - response.addCookie(cookie); + response.addCookie(cookie); // $ Alert } @@ -25,7 +25,7 @@ public static void test(HttpServletRequest request, HttpServletResponse response // BAD: secure flag set to false cookie.setSecure(false); - response.addCookie(cookie); + response.addCookie(cookie); // $ Alert } @@ -34,7 +34,7 @@ public static void test(HttpServletRequest request, HttpServletResponse response // BAD: secure flag set to something not clearly true or request.isSecure() cookie.setSecure(otherInput); - response.addCookie(cookie); + response.addCookie(cookie); // $ Alert } @@ -48,7 +48,7 @@ public static void test(HttpServletRequest request, HttpServletResponse response else secureVal = otherInput; cookie.setSecure(secureVal); - response.addCookie(cookie); + response.addCookie(cookie); // $ Alert } 
diff --git a/java/ql/test/query-tests/security/CWE-312/android/backup/AllowBackupEnabledTest.qlref b/java/ql/test/query-tests/security/CWE-312/android/backup/AllowBackupEnabledTest.qlref index 2b7a5375daba..b08b50829f89 100644 --- a/java/ql/test/query-tests/security/CWE-312/android/backup/AllowBackupEnabledTest.qlref +++ b/java/ql/test/query-tests/security/CWE-312/android/backup/AllowBackupEnabledTest.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql \ No newline at end of file +query: Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-312/android/backup/TestExplicitlyEnabled/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-312/android/backup/TestExplicitlyEnabled/AndroidManifest.xml index 4b69c52ccaed..8e33b872caaf 100644 --- a/java/ql/test/query-tests/security/CWE-312/android/backup/TestExplicitlyEnabled/AndroidManifest.xml +++ b/java/ql/test/query-tests/security/CWE-312/android/backup/TestExplicitlyEnabled/AndroidManifest.xml @@ -24,6 +24,6 @@ - + diff --git a/java/ql/test/query-tests/security/CWE-312/android/backup/TestMissing/AndroidManifest.xml b/java/ql/test/query-tests/security/CWE-312/android/backup/TestMissing/AndroidManifest.xml index 9db4c7429fe0..3a61d35c95d2 100644 --- a/java/ql/test/query-tests/security/CWE-312/android/backup/TestMissing/AndroidManifest.xml +++ b/java/ql/test/query-tests/security/CWE-312/android/backup/TestMissing/AndroidManifest.xml @@ -24,6 +24,6 @@ - + diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.qlref b/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.qlref index 32cbef3d0fbb..4a8ddcd9e7cc 100644 --- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.qlref +++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/BrokenCryptoAlgorithm.qlref 
@@ -1,2 +1,4 @@ query: Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.qlref b/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.qlref index 42fa4845cac1..4c32da91dea5 100644 --- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.qlref +++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/MaybeBrokenCryptoAlgorithm.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql \ No newline at end of file +query: Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java index 23aff65161c9..1136594a5a5e 100644 --- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java @@ -16,7 +16,7 @@ public void test() { { // BAD: DES is a weak algorithm - keyGenerator = KeyGenerator.getInstance("DES"); + keyGenerator = KeyGenerator.getInstance("DES"); // $ Alert[java/weak-cryptographic-algorithm] } // GOOD: RSA is a strong algorithm @@ -31,7 +31,7 @@ public void test() { { // BAD: foo is an unknown algorithm that may not be secure - secretKeySpec = new SecretKeySpec(byteKey, "foo"); + secretKeySpec = new SecretKeySpec(byteKey, "foo"); // $ Alert[java/potentially-weak-cryptographic-algorithm] } // GOOD: GCM is a strong algorithm @@ -39,7 +39,7 @@ public void test() { { // BAD: RC2 is a weak algorithm - cipher = Cipher.getInstance("RC2"); + cipher = Cipher.getInstance("RC2"); // $ Alert[java/weak-cryptographic-algorithm] } // GOOD: ECIES is a strong algorithm cipher = Cipher.getInstance("ECIES"); 
diff --git a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java index c79c025a41c8..5ce2e3162804 100644 --- a/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java +++ b/java/ql/test/query-tests/security/CWE-327/semmle/tests/WeakHashing.java @@ -12,13 +12,13 @@ void hashing() throws NoSuchAlgorithmException, IOException { props.load(new FileInputStream("example.properties")); // BAD: Using a weak hashing algorithm - MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); + MessageDigest bad = MessageDigest.getInstance(props.getProperty("hashAlg1")); // $ Alert[java/potentially-weak-cryptographic-algorithm] // BAD: Using a weak hashing algorithm even with a secure default - MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); + MessageDigest bad2 = MessageDigest.getInstance(props.getProperty("hashAlg1", "SHA-256")); // $ Alert[java/potentially-weak-cryptographic-algorithm] // BAD: Using a strong hashing algorithm but with a weak default - MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); + MessageDigest bad3 = MessageDigest.getInstance(props.getProperty("hashAlg2", "MD5")); // $ Alert[java/potentially-weak-cryptographic-algorithm] // GOOD: Using a strong hashing algorithm MessageDigest ok = MessageDigest.getInstance(props.getProperty("hashAlg2")); diff --git a/java/ql/test/query-tests/security/CWE-335/semmle/tests/PredictableSeed.qlref b/java/ql/test/query-tests/security/CWE-335/semmle/tests/PredictableSeed.qlref index 090a64a67ce8..053e69913e08 100644 --- a/java/ql/test/query-tests/security/CWE-335/semmle/tests/PredictableSeed.qlref +++ b/java/ql/test/query-tests/security/CWE-335/semmle/tests/PredictableSeed.qlref 
@@ -1 +1,2 @@ -Security/CWE/CWE-335/PredictableSeed.ql \ No newline at end of file +query: Security/CWE/CWE-335/PredictableSeed.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-335/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-335/semmle/tests/Test.java index 3c38f57d562c..db7e8eabfa49 100644 --- a/java/ql/test/query-tests/security/CWE-335/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-335/semmle/tests/Test.java @@ -25,16 +25,16 @@ public void test() { SecureRandom r_time1 = new SecureRandom(new BigInteger(Long.toString(time1)).toByteArray()); // BAD: SecureRandom initialized with times. SecureRandom r_time2 = new SecureRandom(new BigInteger(Long.toString(time2)).toByteArray()); - r_time1.nextInt(); r_time2.nextInt(); + r_time1.nextInt(); r_time2.nextInt(); // $ Alert // BAD: SecureRandom initialized with constant value. SecureRandom r_const = new SecureRandom(new BigInteger(Long.toString(12345L)).toByteArray()); - r_const.nextInt(); + r_const.nextInt(); // $ Alert // BAD: SecureRandom's seed set to constant with setSeed. SecureRandom r_const_set = new SecureRandom(); r_const_set.setSeed(12345L); - r_const_set.nextInt(); + r_const_set.nextInt(); // $ Alert // GOOD: SecureRandom self seeded and then seed is supplemented. SecureRandom r_selfseed = new SecureRandom(); diff --git a/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.qlref b/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.qlref index 441bcf25929b..b908d7572187 100644 --- a/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.qlref +++ b/java/ql/test/query-tests/security/CWE-338/semmle/tests/JHipsterGeneratedPRNG.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql +query: Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql 
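Review bot: The single `// $ Alert` on `r_time1.nextInt(); r_time2.nextInt();` covers two calls on two separately seeded generators. Expectations appear to be matched per line, so the test presumably cannot tell whether both uses are reported or only one. Putting the calls on separate lines, `r_time1.nextInt(); // $ Alert` and `r_time2.nextInt(); // $ Alert`, would pin each time-seeded case on its own and make a lost alert for either generator visible. `test()` starts and ends outside the hunk.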
diff --git a/java/ql/test/query-tests/security/CWE-338/semmle/tests/vulnerable/RandomUtil.java b/java/ql/test/query-tests/security/CWE-338/semmle/tests/vulnerable/RandomUtil.java index 22e0c0b91502..e6707a41649b 100644 --- a/java/ql/test/query-tests/security/CWE-338/semmle/tests/vulnerable/RandomUtil.java +++ b/java/ql/test/query-tests/security/CWE-338/semmle/tests/vulnerable/RandomUtil.java @@ -17,7 +17,7 @@ private RandomUtil() { * * @return the generated password. */ - public static String generatePassword() { + public static String generatePassword() { // $ Alert return RandomStringUtils.randomAlphanumeric(DEF_COUNT); } @@ -26,7 +26,7 @@ public static String generatePassword() { * * @return the generated activation key. */ - public static String generateActivationKey() { + public static String generateActivationKey() { // $ Alert return RandomStringUtils.randomNumeric(DEF_COUNT); } @@ -35,7 +35,7 @@ public static String generateActivationKey() { * * @return the generated reset key. */ - public static String generateResetKey() { + public static String generateResetKey() { // $ Alert return RandomStringUtils.randomNumeric(DEF_COUNT); } @@ -45,7 +45,7 @@ public static String generateResetKey() { * * @return the generated series data. */ - public static String generateSeriesData() { + public static String generateSeriesData() { // $ Alert return RandomStringUtils.randomAlphanumeric(DEF_COUNT); } @@ -54,7 +54,7 @@ public static String generateSeriesData() { * * @return the generated token data. */ - public static String generateTokenData() { + public static String generateTokenData() { // $ Alert return RandomStringUtils.randomAlphanumeric(DEF_COUNT); } } diff --git a/java/ql/test/query-tests/security/CWE-421/semmle/SocketAuthRace.qlref b/java/ql/test/query-tests/security/CWE-421/semmle/SocketAuthRace.qlref index 6ee9791ad63a..efdf86cc2515 100644 --- a/java/ql/test/query-tests/security/CWE-421/semmle/SocketAuthRace.qlref 
+++ b/java/ql/test/query-tests/security/CWE-421/semmle/SocketAuthRace.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-421/SocketAuthRace.ql \ No newline at end of file +query: Security/CWE/CWE-421/SocketAuthRace.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-421/semmle/Test.java b/java/ql/test/query-tests/security/CWE-421/semmle/Test.java index 0e2dc665a4ba..d2850f39899f 100644 --- a/java/ql/test/query-tests/security/CWE-421/semmle/Test.java +++ b/java/ql/test/query-tests/security/CWE-421/semmle/Test.java @@ -35,7 +35,7 @@ public void doConnect(int desiredPort, String username) throws Exception { ServerSocket listenSocket = new ServerSocket(desiredPort); if (isAuthenticated(username)) { - Socket connection1 = listenSocket.accept(); + Socket connection1 = listenSocket.accept(); // $ Alert // BAD: no authentication over the socket connection1.getOutputStream().write(secretData); } @@ -48,7 +48,7 @@ public void doConnect(int desiredPort, String username) throws Exception { if (isAuthenticated(username)) { // FP: we authenticate both beforehand and over the socket - Socket connection3 = listenSocket.accept(); + Socket connection3 = listenSocket.accept(); // $ Alert if (doAuthenticate(connection3, username)) { connection3.getOutputStream().write(secretData); } @@ -62,7 +62,7 @@ public void doConnectChannel(int desiredPort, String username) throws Exception listenChannel.bind(port); if (isAuthenticated(username)) { - SocketChannel connection1 = listenChannel.accept(); + SocketChannel connection1 = listenChannel.accept(); // $ Alert // BAD: no authentication over the socket connection1.write(ByteBuffer.wrap(secretData)); } diff --git a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java index 01cee2d59f23..90a08ada8a2c 100644 --- a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java 
+++ b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.java @@ -20,7 +20,7 @@ public class UrlRedirect extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: a request parameter is incorporated without validation into a URL redirect - response.sendRedirect(request.getParameter("target")); + response.sendRedirect(request.getParameter("target")); // $ Alert // GOOD: the request parameter is validated against a known fixed string if (VALID_REDIRECT.equals(request.getParameter("target"))) { @@ -29,17 +29,17 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // BAD: the user attempts to clean the string, but this will fail // if the argument is "hthttp://tp://malicious.com" - response.sendRedirect(weakCleanup(request.getParameter("target"))); + response.sendRedirect(weakCleanup(request.getParameter("target"))); // $ Alert // GOOD: the user input is not used in a position that allows it to dictate // the target of the redirect response.sendRedirect("http://example.com?username=" + request.getParameter("username")); // BAD: set the "Location" header - response.setHeader("Location", request.getParameter("target")); + response.setHeader("Location", request.getParameter("target")); // $ Alert // BAD: set the "Location" header - response.addHeader(LOCATION_HEADER_KEY, request.getParameter("target")); + response.addHeader(LOCATION_HEADER_KEY, request.getParameter("target")); // $ Alert } public String weakCleanup(String input) { diff --git a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.qlref b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.qlref index 933c3569eed8..f41f720f7251 100644 --- a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.qlref +++ b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.qlref 
@@ -1,2 +1,4 @@ query: Security/CWE/CWE-601/UrlRedirect.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect2.java b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect2.java index 9014dcae7f29..b7e8d673e3c9 100644 --- a/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect2.java +++ b/java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect2.java @@ -24,7 +24,7 @@ public class UrlRedirect2 extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: a request parameter is incorporated without validation into a URL redirect - response.sendRedirect(request.getParameter("target")); + response.sendRedirect(request.getParameter("target")); // $ Alert // GOOD: the request parameter is validated against a known list of strings String target = request.getParameter("target"); diff --git a/java/ql/test/query-tests/security/CWE-601/semmle/tests/mad/Test.java b/java/ql/test/query-tests/security/CWE-601/semmle/tests/mad/Test.java index e222c3d9fbec..baf278ab3aea 100644 --- a/java/ql/test/query-tests/security/CWE-601/semmle/tests/mad/Test.java +++ b/java/ql/test/query-tests/security/CWE-601/semmle/tests/mad/Test.java @@ -6,11 +6,11 @@ public class Test { private static HttpServletRequest request; public static Object source() { - return request.getParameter(null); + return request.getParameter(null); // $ Source } public void test(HttpResponses r) { // "org.kohsuke.stapler;HttpResponses;true;redirectTo;(String);;Argument[0];open-url;ai-generated" - r.redirectTo((String) source()); + r.redirectTo((String) source()); // $ Alert } } 
diff --git a/java/ql/test/query-tests/security/CWE-676/semmle/tests/PotentiallyDangerousFunction.qlref b/java/ql/test/query-tests/security/CWE-676/semmle/tests/PotentiallyDangerousFunction.qlref index 45388d46e2e3..8fb8f0fceafa 100644 --- a/java/ql/test/query-tests/security/CWE-676/semmle/tests/PotentiallyDangerousFunction.qlref +++ b/java/ql/test/query-tests/security/CWE-676/semmle/tests/PotentiallyDangerousFunction.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-676/PotentiallyDangerousFunction.ql +query: Security/CWE/CWE-676/PotentiallyDangerousFunction.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-676/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-676/semmle/tests/Test.java index 6d9367d20632..8e76feb13302 100644 --- a/java/ql/test/query-tests/security/CWE-676/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-676/semmle/tests/Test.java @@ -11,6 +11,6 @@ public Test(Thread worker) { public void quit() { // Stop - worker.stop(); // BAD: Thread.stop can result in corrupted data + worker.stop(); // $ Alert // BAD: Thread.stop can result in corrupted data } } diff --git a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref index f06664e19d4b..fbe1ae7ab46a 100644 --- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref +++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/NumericCastTainted.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-681/NumericCastTainted.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-681/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-681/semmle/tests/Test.java index f50652c032fe..75862e683e01 100644 
--- a/java/ql/test/query-tests/security/CWE-681/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-681/semmle/tests/Test.java @@ -8,7 +8,7 @@ public static void main(String[] args) throws IOException { long data; BufferedReader readerBuffered = new BufferedReader( - new InputStreamReader(System.in, "UTF-8")); + new InputStreamReader(System.in, "UTF-8")); // $ Source String stringNumber = readerBuffered.readLine(); if (stringNumber != null) { data = Long.parseLong(stringNumber.trim()); @@ -18,7 +18,7 @@ public static void main(String[] args) throws IOException { // AVOID: potential truncation if input data is very large, for example // 'Long.MAX_VALUE' - int scaled = (int)data; + int scaled = (int)data; // $ Alert //... @@ -30,4 +30,4 @@ public static void main(String[] args) throws IOException { throw new IllegalArgumentException("Invalid input"); } } -} \ No newline at end of file +} diff --git a/java/ql/test/query-tests/security/CWE-732/semmle/tests/ReadingFromWorldWritableFile.qlref b/java/ql/test/query-tests/security/CWE-732/semmle/tests/ReadingFromWorldWritableFile.qlref index cd90cfe2c174..d5c7df733ef1 100644 --- a/java/ql/test/query-tests/security/CWE-732/semmle/tests/ReadingFromWorldWritableFile.qlref +++ b/java/ql/test/query-tests/security/CWE-732/semmle/tests/ReadingFromWorldWritableFile.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql +query: Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java index 8717203802df..ceca3b1a3840 100644 --- a/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-732/semmle/tests/Test.java 
@@ -14,20 +14,20 @@ class Test { public static void main(String[] args) throws IOException { // Using the File API File f = new File("file"); - setWorldWritable(f); + setWorldWritable(f); // $ Alert readFile(f); // Using the Path API Path p = Paths.get("file"); Set filePermissions = EnumSet.of(PosixFilePermission.OTHERS_WRITE); - Files.setPosixFilePermissions(p, filePermissions); + Files.setPosixFilePermissions(p, filePermissions); // $ Alert Files.readAllLines(p); // Convert file to path File f2 = new File("file2"); Set file2Permissions = new LinkedHashSet<>(); file2Permissions.add(PosixFilePermission.OTHERS_WRITE); - Files.setPosixFilePermissions(Paths.get(f2.getCanonicalPath()), file2Permissions); + Files.setPosixFilePermissions(Paths.get(f2.getCanonicalPath()), file2Permissions); // $ Alert new FileInputStream(f2); } diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.qlref b/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.qlref index 8c69ea7e9942..cf5503cf706d 100644 --- a/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.qlref +++ b/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheck.qlref @@ -1,2 +1,4 @@ query: Security/CWE/CWE-807/TaintedPermissionsCheck.ql -postprocess: utils/test/PrettyPrintModels.ql +postprocess: + - utils/test/PrettyPrintModels.ql + - utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheckTest.java b/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheckTest.java index 622538b7e357..4a274c25b916 100644 --- a/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheckTest.java +++ b/java/ql/test/query-tests/security/CWE-807/semmle/tests/TaintedPermissionsCheckTest.java 
@@ -9,10 +9,10 @@ class TaintedPermissionsCheckTest { public static void main(HttpServletRequest request) throws Exception { // Apache Shiro permissions system - String action = request.getParameter("action"); + String action = request.getParameter("action"); // $ Source[java/tainted-permissions-check] Subject subject = SecurityUtils.getSubject(); // BAD: permissions decision made using tainted data - if (subject.isPermitted("domain:sublevel:" + action)) + if (subject.isPermitted("domain:sublevel:" + action)) // $ Alert[java/tainted-permissions-check] doIt(); // GOOD: use fixed checks diff --git a/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref b/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref index 84f2c1b82cd5..2e4d7f2519a4 100644 --- a/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref +++ b/java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-829/InsecureDependencyResolution.ql +query: Security/CWE/CWE-829/InsecureDependencyResolution.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml b/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml index 7f7585d9429e..9234bd68251d 100644 --- a/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml +++ b/java/ql/test/query-tests/security/CWE-829/semmle/tests/insecure-pom.xml @@ -21,19 +21,19 @@ Insecure Repository Releases http://insecure-repository.example - + insecure-snapshots Insecure Repository Snapshots http://insecure-repository.example - + insecure-snapshots Insecure Repository Snapshots http://localhost.example - + @@ -41,7 +41,7 @@ Insecure Repository http://insecure-repository.example - + @@ -49,6 +49,6 @@ Insecure Repository Releases http://insecure-repository.example - + 
diff --git a/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.qlref b/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.qlref index 74ebeec5d12d..3bd8029485df 100644 --- a/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.qlref +++ b/java/ql/test/query-tests/security/CWE-833/semmle/tests/LockOrderInconsistency.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-833/LockOrderInconsistency.ql +query: Security/CWE/CWE-833/LockOrderInconsistency.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java b/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java index e02364c05ec5..684fc55f9468 100644 --- a/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java +++ b/java/ql/test/query-tests/security/CWE-833/semmle/tests/MethodAccessLockOrder.java @@ -26,7 +26,7 @@ public synchronized int subtract(int amount) { public boolean initiateTransfer(boolean fromSavings, int amount) { // AVOID: inconsistent lock order if (fromSavings) { - return primary.transferFrom(savings, amount); + return primary.transferFrom(savings, amount); // $ Alert } else { return savings.transferFrom(primary, amount); } diff --git a/java/ql/test/query-tests/security/CWE-833/semmle/tests/ReentrantLockOrder.java b/java/ql/test/query-tests/security/CWE-833/semmle/tests/ReentrantLockOrder.java index 83d395ccad5c..65903ec0034e 100644 --- a/java/ql/test/query-tests/security/CWE-833/semmle/tests/ReentrantLockOrder.java +++ b/java/ql/test/query-tests/security/CWE-833/semmle/tests/ReentrantLockOrder.java @@ -8,7 +8,7 @@ class ReentrantLockOrder { public boolean transferToSavings(int amount) { try { - primaryLock.lock(); + primaryLock.lock(); // $ Alert savingsLock.lock(); if (amount>0 && primaryAccountBalance>=amount) { primaryAccountBalance -= amount; 
@@ -25,7 +25,7 @@ public boolean transferToPrimary(int amount) { // AVOID: lock order is different from "transferToSavings" // and may result in deadlock try { - savingsLock.lock(); + savingsLock.lock(); // $ Alert primaryLock.lock(); if (amount>0 && primaryAccountBalance>=amount) { primaryAccountBalance -= amount; diff --git a/java/ql/test/query-tests/security/CWE-833/semmle/tests/SynchronizedStmtLockOrder.java b/java/ql/test/query-tests/security/CWE-833/semmle/tests/SynchronizedStmtLockOrder.java index f4a2e626e86c..1da9afd01fe7 100644 --- a/java/ql/test/query-tests/security/CWE-833/semmle/tests/SynchronizedStmtLockOrder.java +++ b/java/ql/test/query-tests/security/CWE-833/semmle/tests/SynchronizedStmtLockOrder.java @@ -5,7 +5,7 @@ class SynchronizedStmtLockOrder { private Object savingsLock = new Object(); public boolean transferToSavings(int amount) { - synchronized(primaryLock) { + synchronized(primaryLock) { // $ Alert synchronized(savingsLock) { if (amount>0 && primaryAccountBalance>=amount) { primaryAccountBalance -= amount; @@ -19,7 +19,7 @@ public boolean transferToSavings(int amount) { public boolean transferToPrimary(int amount) { // AVOID: lock order is different from "transferToSavings" // and may result in deadlock - synchronized(savingsLock) { + synchronized(savingsLock) { // $ Alert synchronized(primaryLock) { if (amount>0 && savingsAccountBalance>=amount) { savingsAccountBalance -= amount; diff --git a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.java b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.java index 69a23502aa32..75c540162670 100644 --- a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.java +++ b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.java 
@@ -1,7 +1,7 @@ class Test { public void bad() { for (int i=0; i<10; i++) { - for (int j=0; i<10; j++) { + for (int j=0; i<10; j++) { // $ Alert // potentially infinite loop due to test on wrong variable if (shouldBreak()) break; } diff --git a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.qlref b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.qlref index caed88100e65..51b2ad7ece78 100644 --- a/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.qlref +++ b/java/ql/test/query-tests/security/CWE-835/semmle/tests/InfiniteLoop.qlref @@ -1 +1,2 @@ -Security/CWE/CWE-835/InfiniteLoop.ql +query: Security/CWE/CWE-835/InfiniteLoop.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java index 70f5a0b2beed..6bd0966ff289 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java @@ -38,7 +38,7 @@ /** * The uri to consume from */ - String value() default ""; + String value() default ""; // $ Alert[java/dead-function] /** * The uri to consume from @@ -46,12 +46,12 @@ * @deprecated use value instead */ @Deprecated - String uri() default ""; + String uri() default ""; // $ Alert[java/dead-function] /** * Use the field or getter on the bean to provide the uri to consume from */ - String property() default ""; + String property() default ""; // $ Alert[java/dead-function] /** * Optional predicate (using simple language) to only consume if the predicate matches . This can be used to filter @@ -60,5 +60,5 @@ * Notice that only the first method that matches the predicate will be used. And if no predicate matches then the * message is dropped. */ - String predicate() default ""; + String predicate() default ""; // $ Alert[java/dead-function] } 
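Review bot: The `// $ Alert[java/dead-function]` markers added to `value()`, `uri()`, `property()` and `predicate()` in the Consume.java stub put one test's expected results into a file under `java/ql/test/stubs/apache-camel-4.0.6`, which is a shared library stub rather than a test fixture. Any other test that compiles against this stub directory would presumably carry the same markers, and regenerating the stub would drop them, so these expectations are better kept in the test's `.expected` file, with that test left on the plain `.qlref` form. The same applies to the `Alert[java/dead-class]` and `Alert[java/dead-function]` comments added further down to ExpressionClause, RouteBuilder, DefaultCamelContext, FilterDefinition, OutputDefinition, ProcessorDefinition and RouteDefinition. The PATCH 2/2 diffstat lists these stub files again, so this may already be undone there; that part of the series is outside this view.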
diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java index 2dcc3ad5a7a4..e90e607e50c0 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java @@ -20,6 +20,6 @@ * Represents an expression clause within the DSL which when the expression is complete the clause continues to another * part of the DSL */ -public class ExpressionClause { +public class ExpressionClause { // $ Alert[java/dead-class] public T method(String ref) { return null; } } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java index 9c1b8c45d68a..0cb300895bcb 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java @@ -31,9 +31,9 @@ public abstract class RouteBuilder implements RoutesBuilder { * @param uri the from uri * @return the builder */ - public RouteDefinition from(String uri) { + public RouteDefinition from(String uri) { // $ Alert[java/dead-function] return null; } - public abstract void configure() throws Exception; + public abstract void configure() throws Exception; // $ Alert[java/dead-function] } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java index 2180623054ba..22140d4b2f5b 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java 
@@ -21,7 +21,7 @@ public class DefaultCamelContext implements ModelCamelContext { - public void configure() throws Exception {} + public void configure() throws Exception {} // $ Alert[java/dead-function] public void addRoutes(RoutesBuilder arg0) {} diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java index 1138c8d37839..d3bed4347b5e 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java @@ -16,4 +16,4 @@ */ package org.apache.camel.model; -public class FilterDefinition { } +public class FilterDefinition { } // $ Alert[java/dead-class] diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java index cfe55f5cc172..5c4045cdc95b 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java @@ -19,5 +19,5 @@ /** * A useful base class for output types */ -public class OutputDefinition> extends ProcessorDefinition { +public class OutputDefinition> extends ProcessorDefinition { // $ Alert[java/dead-class] } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java index 2423e907b017..37931b917961 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java 
@@ -18,7 +18,7 @@ import org.apache.camel.builder.ExpressionClause; -public abstract class ProcessorDefinition> { +public abstract class ProcessorDefinition> { // $ Alert[java/dead-class] public Type to(String uri) { return null; } public Type bean(Object bean) { return null; } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java index 2ab31d2126a0..2052e6a0cdd1 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java @@ -16,7 +16,7 @@ */ package org.apache.camel.model; -public class RouteDefinition extends OutputDefinition { +public class RouteDefinition extends OutputDefinition { // $ Alert[java/dead-class] } From 3693185b6b155caa236ed873728e1cf5968275ca Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Wed, 10 Jun 2026 09:14:47 +0200 Subject: [PATCH 2/2] Second pass --- .../DeadCode/camel/DeadClass.qlref | 3 +- .../DeadCode/camel/DeadMethod.qlref | 3 +- .../camel/com/semmle/camel/DeadTarget.java | 4 +- .../camel/javadsl/CustomRouteBuilder.java | 2 +- .../Javadoc/ImpossibleJavadocThrows.java | 4 +- .../Javadoc/ImpossibleJavadocThrows.qlref | 3 +- .../test/query-tests/MissingSpaceTypo/A.java | 14 +- .../SpuriousJavadocParam/Test.java | 34 ++-- .../SpuriousJavadocParam/test.qlref | 3 +- .../CWE-020/ExternalAPISinkExample.java | 2 +- .../CWE-022/semmle/tests/TaintedPath.java | 4 +- .../security/CWE-022/semmle/tests/Test.java | 154 +++++++++--------- .../security/CWE-079/semmle/tests/JaxXSS.java | 74 ++++----- .../security/CWE-079/semmle/tests/JsfXSS.java | 20 +-- .../CWE-079/semmle/tests/SpringXSS.java | 56 +++---- .../security/CWE-079/semmle/tests/XSS.java | 18 +- .../ApkInstallationTest/ApkInstallation.java | 12 +- .../GroovyClassLoaderTest.java | 24 +-- .../GroovyCompilationUnitTest.java | 36 ++-- .../GroovyInjection/GroovyEvalTest.java | 20 +-- .../GroovyInjection/GroovyShellTest.java | 80 ++++----- .../GroovyInjection/TemplateEngineTest.java | 10 +- .../CWE-094/InsecureBeanValidation.java | 4 +- .../CWE-094/JexlInjection/Jexl2Injection.java | 20 +-- .../CWE-094/JexlInjection/Jexl3Injection.java | 28 ++-- .../MvelInjection/MvelInjectionTest.java | 28 ++-- .../SpelInjection/SpelInjectionTest.java | 28 ++-- .../TemplateInjection/FreemarkerSSTI.java | 36 ++-- .../TemplateInjection/JinJavaSSTI.java | 12 +- .../CWE-094/TemplateInjection/PebbleSSTI.java | 8 +- .../TemplateInjection/ThymeleafSSTI.java | 20 +-- .../TemplateInjection/VelocitySSTI.java | 22 +-- .../semmle/tests/ConditionalBypassTest.java | 26 +-- .../org/apache/camel/Consume.java | 8 +- .../camel/builder/ExpressionClause.java | 2 +- .../apache/camel/builder/RouteBuilder.java | 4 +- .../camel/impl/DefaultCamelContext.java | 2 +- .../apache/camel/model/FilterDefinition.java | 2 
+- .../apache/camel/model/OutputDefinition.java | 2 +- .../camel/model/ProcessorDefinition.java | 2 +- .../apache/camel/model/RouteDefinition.java | 2 +- 41 files changed, 416 insertions(+), 420 deletions(-) diff --git a/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref b/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref index b94832ebfca9..d726e7e08496 100644 --- a/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref +++ b/java/ql/test/query-tests/DeadCode/camel/DeadClass.qlref @@ -1,2 +1 @@ -query: DeadCode/DeadClass.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +DeadCode/DeadClass.ql diff --git a/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref b/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref index 743a5f157755..76204a1df5a4 100644 --- a/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref +++ b/java/ql/test/query-tests/DeadCode/camel/DeadMethod.qlref @@ -1,2 +1 @@ -query: DeadCode/DeadMethod.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +DeadCode/DeadMethod.ql diff --git a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java index d2ccfa90e367..f4fabc7d22eb 100644 --- a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java +++ b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/DeadTarget.java @@ -1,10 +1,10 @@ package com.semmle.camel; /** Dead because it is not referenced in the {@code config.xml} file, or in the Java DSL. */ -public class DeadTarget { // $ Alert[java/dead-class] +public class DeadTarget { public Foo getFoo(Foo foo1) { return new Foo(); } - public static class Foo {} // $ Alert[java/dead-class] + public static class Foo {} } diff --git a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java index 01baa30e0a9b..437a4d7b56d7 100644 
--- a/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java +++ b/java/ql/test/query-tests/DeadCode/camel/com/semmle/camel/javadsl/CustomRouteBuilder.java @@ -5,7 +5,7 @@ public class CustomRouteBuilder extends RouteBuilder { @Override - public void configure() throws Exception { // $ Alert[java/dead-function] + public void configure() throws Exception { from("direct:test") .to("bean:dslToTarget") .bean(DSLBeanTarget.class) diff --git a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java index 9795251ce9a4..3a087f6ea923 100644 --- a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java +++ b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.java @@ -6,14 +6,14 @@ class ImpossibleJavadocThrows { /** * - * @throws InterruptedException // $ Alert + * @throws InterruptedException */ public void bad1() { } /** * - * @exception Exception // $ Alert + * @exception Exception */ public void bad2() { } diff --git a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref index dc001712b07a..51541686bfc7 100644 --- a/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref +++ b/java/ql/test/query-tests/Javadoc/ImpossibleJavadocThrows.qlref @@ -1,2 +1 @@ -query: Advisory/Documentation/ImpossibleJavadocThrows.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Advisory/Documentation/ImpossibleJavadocThrows.ql diff --git a/java/ql/test/query-tests/MissingSpaceTypo/A.java b/java/ql/test/query-tests/MissingSpaceTypo/A.java index a095d8568d89..284fd20c8634 100644 --- a/java/ql/test/query-tests/MissingSpaceTypo/A.java +++ b/java/ql/test/query-tests/MissingSpaceTypo/A.java 
@@ -1,19 +1,19 @@ public class A { public void missing() { String s; - s = "this text" + // $ + s = "this text" + "is missing a space"; // $ Alert - s = "the class java.util.ArrayList" + // $ + s = "the class java.util.ArrayList" + "without a space"; // $ Alert - s = "This isn't" + // $ + s = "This isn't" + "right."; // $ Alert - s = "There's 1" + // $ + s = "There's 1" + "thing wrong"; // $ Alert - s = "There's A/B" + // $ + s = "There's A/B" + "and no space"; // $ Alert - s = "Wait for it...." + // $ + s = "Wait for it...." + "No space!"; // $ Alert - s = "Is there a space?" + // $ + s = "Is there a space?" + "No!"; // $ Alert } diff --git a/java/ql/test/query-tests/SpuriousJavadocParam/Test.java b/java/ql/test/query-tests/SpuriousJavadocParam/Test.java index ca724cf468cf..d8891afb7564 100644 --- a/java/ql/test/query-tests/SpuriousJavadocParam/Test.java +++ b/java/ql/test/query-tests/SpuriousJavadocParam/Test.java @@ -54,83 +54,83 @@ protected void ok8(){ } protected void ok9(int...param){ } /** - * @param prameter typo // $ Alert + * @param prameter typo */ public void problem1(int parameter){ } /** - * @param Parameter capitalization // $ Alert + * @param Parameter capitalization */ public void problem2(int parameter){ } /** - * @param parameter unmatched // $ Alert + * @param parameter unmatched */ public void problem3(){ } /** * @param someOtherParameter matched - * @param parameter unmatched // $ Alert + * @param parameter unmatched */ public void problem4(int someOtherParameter){ } /** - * @param unmatched type parameter // $ Alert + * @param unmatched type parameter */ private T problem5(){ return null; } /** * @param matched type parameter - * @param

unmatched type parameter // $ Alert - * @param n unmatched normal parameter // $ Alert + * @param

unmatched type parameter + * @param n unmatched normal parameter */ private T problem6(V p){ return null; } /** * param with immediate newline - * @param // $ Alert + * @param */ protected void problem7(){ } /** * param without a value (followed by blanks) - * @param // $ Alert + * @param */ protected void problem8(){ } class SomeClass { /** * @param i exists - * @param k does not // $ Alert + * @param k does not */ SomeClass(int i, int j) {} } /** * @param exists - * @param T wrong syntax // $ Alert - * @param does not exist // $ Alert + * @param T wrong syntax + * @param does not exist */ class GenericClass {} /** * @param exists - * @param T wrong syntax // $ Alert - * @param does not exist // $ Alert + * @param T wrong syntax + * @param does not exist */ interface GenericInterface {} /** * @param i exists - * @param k does not // $ Alert + * @param k does not */ static record SomeRecord(int i, int j) {} /** * @param exists - * @param does not // $ Alert + * @param does not * @param i exists - * @param k does not // $ Alert + * @param k does not */ static record GenericRecord(int i, int j) {} } diff --git a/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref b/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref index 85c1971658c2..05f7231fe6b8 100644 --- a/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref +++ b/java/ql/test/query-tests/SpuriousJavadocParam/test.qlref @@ -1,2 +1 @@ -query: Advisory/Documentation/SpuriousJavadocParam.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql +Advisory/Documentation/SpuriousJavadocParam.ql diff --git a/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java b/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java index de76455c2019..9e30b228c48f 100644 --- a/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java +++ b/java/ql/test/query-tests/security/CWE-020/ExternalAPISinkExample.java 
@@ -9,6 +9,6 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // BAD: a request parameter is written directly to an error response page response.sendError(HttpServletResponse.SC_NOT_FOUND, - "The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert + "The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert[java/untrusted-data-to-external-api] } } diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java index fb87c6878235..fffb93c62916 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/TaintedPath.java @@ -10,10 +10,10 @@ public class TaintedPath { public void sendUserFile(Socket sock, String user) throws IOException { BufferedReader filenameReader = - new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source + new BufferedReader(new InputStreamReader(sock.getInputStream(), "UTF-8")); // $ Source[java/path-injection] String filename = filenameReader.readLine(); // BAD: read from a file without checking its path - BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert + BufferedReader fileReader = new BufferedReader(new FileReader(filename)); // $ Alert[java/path-injection] String fileLine = fileReader.readLine(); while (fileLine != null) { sock.getOutputStream().write(fileLine.getBytes()); diff --git a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java index 362c84f4b167..6ef577372261 100644 --- a/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java +++ b/java/ql/test/query-tests/security/CWE-022/semmle/tests/Test.java 
@@ -29,143 +29,143 @@ public class Test { private HttpServletRequest request; public Object source() { - return request.getParameter("source"); // $ Source + return request.getParameter("source"); // $ Source[java/path-injection] } void test() throws IOException { // "java.lang;Module;true;getResourceAsStream;(String);;Argument[0];read-file;ai-generated" - getClass().getModule().getResourceAsStream((String) source()); // $ Alert + getClass().getModule().getResourceAsStream((String) source()); // $ Alert[java/path-injection] // "java.lang;Class;false;getResource;(String);;Argument[0];read-file;ai-generated" - getClass().getResource((String) source()); // $ Alert + getClass().getResource((String) source()); // $ Alert[java/path-injection] // "java.lang;ClassLoader;true;getSystemResourceAsStream;(String);;Argument[0];read-file;ai-generated" - ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert + ClassLoader.getSystemResourceAsStream((String) source()); // $ Alert[java/path-injection] // "java.io;File;True;canExecute;();;Argument[this];path-injection;manual" - ((File) source()).canExecute(); // $ Alert + ((File) source()).canExecute(); // $ Alert[java/path-injection] // "java.io;File;True;canRead;();;Argument[this];path-injection;manual" - ((File) source()).canRead(); // $ Alert + ((File) source()).canRead(); // $ Alert[java/path-injection] // "java.io;File;True;canWrite;();;Argument[this];path-injection;manual" - ((File) source()).canWrite(); // $ Alert + ((File) source()).canWrite(); // $ Alert[java/path-injection] // "java.io;File;True;createNewFile;();;Argument[this];path-injection;ai-manual" - ((File) source()).createNewFile(); // $ Alert + ((File) source()).createNewFile(); // $ Alert[java/path-injection] // "java.io;File;true;createTempFile;(String,String,File);;Argument[2];create-file;ai-generated" - File.createTempFile(";", ";", (File) source()); // $ Alert + File.createTempFile(";", ";", (File) source()); // $ Alert[java/path-injection] // 
"java.io;File;True;delete;();;Argument[this];path-injection;manual" - ((File) source()).delete(); // $ Alert + ((File) source()).delete(); // $ Alert[java/path-injection] // "java.io;File;True;deleteOnExit;();;Argument[this];path-injection;manual" - ((File) source()).deleteOnExit(); // $ Alert + ((File) source()).deleteOnExit(); // $ Alert[java/path-injection] // "java.io;File;True;exists;();;Argument[this];path-injection;manual" - ((File) source()).exists(); // $ Alert + ((File) source()).exists(); // $ Alert[java/path-injection] // "java.io:File;True;isDirectory;();;Argument[this];path-injection;manual" - ((File) source()).isDirectory(); // $ Alert + ((File) source()).isDirectory(); // $ Alert[java/path-injection] // "java.io:File;True;isFile;();;Argument[this];path-injection;manual" - ((File) source()).isFile(); // $ Alert + ((File) source()).isFile(); // $ Alert[java/path-injection] // "java.io:File;True;isHidden;();;Argument[this];path-injection;manual" - ((File) source()).isHidden(); // $ Alert + ((File) source()).isHidden(); // $ Alert[java/path-injection] // "java.io;File;True;mkdir;();;Argument[this];path-injection;manual" - ((File) source()).mkdir(); // $ Alert + ((File) source()).mkdir(); // $ Alert[java/path-injection] // "java.io;File;True;mkdirs;();;Argument[this];path-injection;manual" - ((File) source()).mkdirs(); // $ Alert + ((File) source()).mkdirs(); // $ Alert[java/path-injection] // "java.io;File;True;renameTo;(File);;Argument[0];path-injection;ai-manual" - new File("").renameTo((File) source()); // $ Alert + new File("").renameTo((File) source()); // $ Alert[java/path-injection] // "java.io;File;True;renameTo;(File);;Argument[this];path-injection;ai-manual" - ((File) source()).renameTo(null); // $ Alert + ((File) source()).renameTo(null); // $ Alert[java/path-injection] // "java.io;File;True;setExecutable;;;Argument[this];path-injection;manual" - ((File) source()).setExecutable(true); // $ Alert + ((File) source()).setExecutable(true); // $ 
Alert[java/path-injection] // "java.io;File;True;setLastModified;;;Argument[this];path-injection;manual" - ((File) source()).setLastModified(0); // $ Alert + ((File) source()).setLastModified(0); // $ Alert[java/path-injection] // "java.io;File;True;setReadable;;;Argument[this];path-injection;manual" - ((File) source()).setReadable(true); // $ Alert + ((File) source()).setReadable(true); // $ Alert[java/path-injection] // "java.io;File;True;setReadOnly;;;Argument[this];path-injection;manual" - ((File) source()).setReadOnly(); // $ Alert + ((File) source()).setReadOnly(); // $ Alert[java/path-injection] // "java.io;File;True;setWritable;;;Argument[this];path-injection;manual" - ((File) source()).setWritable(true); // $ Alert + ((File) source()).setWritable(true); // $ Alert[java/path-injection] // "java.io;File;true;renameTo;(File);;Argument[0];create-file;ai-generated" - new File("").renameTo((File) source()); // $ Alert + new File("").renameTo((File) source()); // $ Alert[java/path-injection] // "java.io;FileInputStream;true;FileInputStream;(File);;Argument[0];read-file;ai-generated" - new FileInputStream((File) source()); // $ Alert + new FileInputStream((File) source()); // $ Alert[java/path-injection] // "java.io;FileInputStream;true;FileInputStream;(FileDescriptor);;Argument[0];read-file;manual" - new FileInputStream((FileDescriptor) source()); // $ Alert + new FileInputStream((FileDescriptor) source()); // $ Alert[java/path-injection] // "java.io;FileInputStream;true;FileInputStream;(String);;Argument[0];read-file;manual" - new FileInputStream((String) source()); // $ Alert + new FileInputStream((String) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(File);;Argument[0];read-file;ai-generated" - new FileReader((File) source()); // $ Alert + new FileReader((File) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(FileDescriptor);;Argument[0];read-file;manual" - new FileReader((FileDescriptor) 
source()); // $ Alert + new FileReader((FileDescriptor) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(File,Charset);;Argument[0];read-file;manual" - new FileReader((File) source(), null); // $ Alert + new FileReader((File) source(), null); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(String);;Argument[0];read-file;ai-generated" - new FileReader((String) source()); // $ Alert + new FileReader((String) source()); // $ Alert[java/path-injection] // "java.io;FileReader;true;FileReader;(String,Charset);;Argument[0];read-file;manual" - new FileReader((String) source(), null); // $ Alert + new FileReader((String) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;copy;;;Argument[0];read-file;manual" - Files.copy((Path) source(), (Path) null); // $ Alert - Files.copy((Path) source(), (OutputStream) null); // $ Alert + Files.copy((Path) source(), (Path) null); // $ Alert[java/path-injection] + Files.copy((Path) source(), (OutputStream) null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;copy;;;Argument[1];create-file;manual" - Files.copy((Path) null, (Path) source()); // $ Alert - Files.copy((InputStream) null, (Path) source()); // $ Alert + Files.copy((Path) null, (Path) source()); // $ Alert[java/path-injection] + Files.copy((InputStream) null, (Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createDirectories;;;Argument[0];create-file;manual" - Files.createDirectories((Path) source()); // $ Alert + Files.createDirectories((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createDirectory;;;Argument[0];create-file;manual" - Files.createDirectory((Path) source()); // $ Alert + Files.createDirectory((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createFile;;;Argument[0];create-file;manual" - Files.createFile((Path) source()); // $ Alert + Files.createFile((Path) source()); // 
$ Alert[java/path-injection] // "java.nio.file;Files;false;createLink;;;Argument[0];create-file;manual" - Files.createLink((Path) source(), null); // $ Alert + Files.createLink((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file;manual" - Files.createSymbolicLink((Path) source(), null); // $ Alert + Files.createSymbolicLink((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createTempDirectory;(Path,String,FileAttribute[]);;Argument[0];create-file;manual" - Files.createTempDirectory((Path) source(), null); // $ Alert + Files.createTempDirectory((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;createTempFile;(Path,String,String,FileAttribute[]);;Argument[0];create-file;manual" - Files.createTempFile((Path) source(), null, null); // $ Alert + Files.createTempFile((Path) source(), null, null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;delete;(Path);;Argument[0];delete-file;ai-generated" - Files.delete((Path) source()); // $ Alert + Files.delete((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;deleteIfExists;(Path);;Argument[0];delete-file;ai-generated" - Files.deleteIfExists((Path) source()); // $ Alert + Files.deleteIfExists((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;lines;(Path,Charset);;Argument[0];read-file;ai-generated" - Files.lines((Path) source(), null); // $ Alert + Files.lines((Path) source(), null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;move;;;Argument[1];create-file;manual" - Files.move(null, (Path) source()); // $ Alert + Files.move(null, (Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;newBufferedReader;(Path,Charset);;Argument[0];read-file;ai-generated" - Files.newBufferedReader((Path) source(), null); // $ Alert + Files.newBufferedReader((Path) source(), null); // 
$ Alert[java/path-injection] // "java.nio.file;Files;false;newBufferedWriter;;;Argument[0];create-file;manual" - Files.newBufferedWriter((Path) source()); // $ Alert - Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert + Files.newBufferedWriter((Path) source()); // $ Alert[java/path-injection] + Files.newBufferedWriter((Path) source(), (Charset) null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;newOutputStream;;;Argument[0];create-file;manual" - Files.newOutputStream((Path) source()); // $ Alert + Files.newOutputStream((Path) source()); // $ Alert[java/path-injection] // "java.nio.file;Files;false;write;;;Argument[0];create-file;manual" - Files.write((Path) source(), (byte[]) null); // $ Alert - Files.write((Path) source(), (Iterable) null); // $ Alert - Files.write((Path) source(), (Iterable) null, (Charset) null); // $ Alert + Files.write((Path) source(), (byte[]) null); // $ Alert[java/path-injection] + Files.write((Path) source(), (Iterable) null); // $ Alert[java/path-injection] + Files.write((Path) source(), (Iterable) null, (Charset) null); // $ Alert[java/path-injection] // "java.nio.file;Files;false;writeString;;;Argument[0];create-file;manual" - Files.writeString((Path) source(), (CharSequence) null); // $ Alert - Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert + Files.writeString((Path) source(), (CharSequence) null); // $ Alert[java/path-injection] + Files.writeString((Path) source(), (CharSequence) null, (Charset) null); // $ Alert[java/path-injection] // "javax.xml.transform.stream;StreamResult";true;"StreamResult;(File);;Argument[0];create-file;ai-generated" - new StreamResult((File) source()); // $ Alert + new StreamResult((File) source()); // $ Alert[java/path-injection] // "org.apache.commons.io;FileUtils;true;openInputStream;(File);;Argument[0];read-file;ai-generated" - FileUtils.openInputStream((File) source()); // $ Alert + FileUtils.openInputStream((File) source()); // $ 
Alert[java/path-injection] // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[1];create-file;ai-generated" - new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert + new ZipURLInstaller((URL) null, (String) source(), ""); // $ Alert[java/path-injection] // "org.codehaus.cargo.container.installer;ZipURLInstaller;true;ZipURLInstaller;(URL,String,String);;Argument[2];create-file;ai-generated" - new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert + new ZipURLInstaller((URL) null, "", (String) source()); // $ Alert[java/path-injection] // "org.springframework.util;FileCopyUtils;false;copy;(byte[],File);;Argument[1];create-file;manual" - FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert + FileCopyUtils.copy((byte[]) null, (File) source()); // $ Alert[java/path-injection] // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[0];create-file;manual" - FileCopyUtils.copy((File) source(), null); // $ Alert + FileCopyUtils.copy((File) source(), null); // $ Alert[java/path-injection] // "org.springframework.util;FileCopyUtils;false;copy;(File,File);;Argument[1];create-file;manual" - FileCopyUtils.copy((File) null, (File) source()); // $ Alert + FileCopyUtils.copy((File) null, (File) source()); // $ Alert[java/path-injection] } void test(AntClassLoader acl) { // "org.apache.tools.ant;AntClassLoader;true;addPathComponent;(File);;Argument[0];read-file;ai-generated" - acl.addPathComponent((File) source()); // $ Alert + acl.addPathComponent((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(ClassLoader,Project,Path,boolean);;Argument[2];read-file;ai-generated" - new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert + new AntClassLoader(null, null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert[java/path-injection] // 
"org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path,boolean);;Argument[1];read-file;ai-generated" - new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert + new AntClassLoader(null, (org.apache.tools.ant.types.Path) source(), false); // $ Alert[java/path-injection] // "org.apache.tools.ant;AntClassLoader;true;AntClassLoader;(Project,Path);;Argument[1];read-file;ai-generated" - new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert + new AntClassLoader(null, (org.apache.tools.ant.types.Path) source()); // $ Alert[java/path-injection] // "org.kohsuke.stapler.framework.io;LargeText;true;LargeText;(File,Charset,boolean,boolean);;Argument[0];read-file;ai-generated" - new LargeText((File) source(), null, false, false); // $ Alert + new LargeText((File) source(), null, false, false); // $ Alert[java/path-injection] } void doGet6(String root, HttpServletRequest request) throws IOException { 
@@ -178,29 +178,29 @@ void doGet6(String root, HttpServletRequest request) throws IOException { void test(DirectoryScanner ds) { // "org.apache.tools.ant;DirectoryScanner;true;setBasedir;(File);;Argument[0];read-file;ai-generated" - ds.setBasedir((File) source()); // $ Alert + ds.setBasedir((File) source()); // $ Alert[java/path-injection] } void test(Copy cp) { // "org.apache.tools.ant.taskdefs;Copy;true;addFileset;(FileSet);;Argument[0];read-file;ai-generated" - cp.addFileset((FileSet) source()); // $ Alert + cp.addFileset((FileSet) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Copy;true;setFile;(File);;Argument[0];read-file;ai-generated" - cp.setFile((File) source()); // $ Alert + cp.setFile((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Copy;true;setTodir;(File);;Argument[0];create-file;ai-generated" - cp.setTodir((File) source()); // $ Alert + cp.setTodir((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Copy;true;setTofile;(File);;Argument[0];create-file;ai-generated" - cp.setTofile((File) source()); // $ Alert + cp.setTofile((File) source()); // $ Alert[java/path-injection] } void test(Expand ex) { // "org.apache.tools.ant.taskdefs;Expand;true;setDest;(File);;Argument[0];create-file;ai-generated" - ex.setDest((File) source()); // $ Alert + ex.setDest((File) source()); // $ Alert[java/path-injection] // "org.apache.tools.ant.taskdefs;Expand;true;setSrc;(File);;Argument[0];read-file;ai-generated" - ex.setSrc((File) source()); // $ Alert + ex.setSrc((File) source()); // $ Alert[java/path-injection] } void test(ChainedOptionsBuilder cob) { // "org.openjdk.jmh.runner.options;ChainedOptionsBuilder;true;result;(String);;Argument[0];create-file;ai-generated" - cob.result((String) source()); // $ Alert + cob.result((String) source()); // $ Alert[java/path-injection] } } 
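Review bot: The model rows quoted in this hunk's comments still name the sink kinds `read-file` and `create-file`, while every expectation beside them is now tagged `java/path-injection`, so the comment and the tag no longer describe the same thing. If those kinds have since been folded into a single path-injection kind (not confirmable from the hunk), the quoted rows should be refreshed. Otherwise one line near the top of the file would settle it, e.g. `// Quoted model rows keep their original sink kind; all of them are reported by java/path-injection.` The `;groovy;manual` rows in the GroovyClassLoaderTest.java hunk sit next to `java/groovy-injection` in the same way. The enclosing class starts outside this hunk.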
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java index 0e096ab94e02..0ca5b737d86f 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JaxXSS.java @@ -12,25 +12,25 @@ public class JaxXSS { @GET - public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source + public static Response specificContentType(boolean safeContentType, boolean chainDirectly, boolean contentTypeFirst, String userControlled) { // $ Source[java/xss] Response.ResponseBuilder builder = Response.ok(); if(!safeContentType) { if(chainDirectly) { if(contentTypeFirst) - return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + return builder.type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] else - return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert + return builder.entity(userControlled).type(MediaType.TEXT_HTML).build(); // $ Alert[java/xss] } else { if(contentTypeFirst) { Response.ResponseBuilder builder2 = builder.type(MediaType.TEXT_HTML); - return builder2.entity(userControlled).build(); // $ Alert + return builder2.entity(userControlled).build(); // $ Alert[java/xss] } else { Response.ResponseBuilder builder2 = builder.entity(userControlled); - return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert + return builder2.type(MediaType.TEXT_HTML).build(); // $ Alert[java/xss] } } } 
@@ -56,7 +56,7 @@ public static Response specificContentType(boolean safeContentType, boolean chai } @GET - public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source + public static Response specificContentTypeSetterMethods(int route, boolean safeContentType, String userControlled) { // $ Source[java/xss] // Test the remarkably many routes to setting a content-type in Jax-RS, besides the ResponseBuilder.entity method used above: 
@@ -105,39 +105,39 @@ else if(route == 8) { else { if(route == 0) { // via ok, as a string literal: - return Response.ok("text/html").entity(userControlled).build(); // $ Alert + return Response.ok("text/html").entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 1) { // via ok, as a string constant: - return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + return Response.ok(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 2) { // via ok, as a MediaType constant: - return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert + return Response.ok(MediaType.TEXT_HTML_TYPE).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 3) { // via ok, as a Variant, via constructor: - return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert + return Response.ok(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 4) { // via ok, as a Variant, via static method: - return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert + return Response.ok(Variant.mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 5) { // via ok, as a Variant, via instance method: - return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert + return Response.ok(Variant.languages(Locale.UK).mediaTypes(MediaType.TEXT_HTML_TYPE).build()).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 6) { // via builder variant, before entity: - return Response.ok().variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert + return Response.ok().variant(new 
Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).entity(userControlled).build(); // $ Alert[java/xss] } else if(route == 7) { // via builder variant, after entity: - return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert + return Response.ok().entity(userControlled).variant(new Variant(MediaType.TEXT_HTML_TYPE, "language", "encoding")).build(); // $ Alert[java/xss] } else if(route == 8) { // provide entity via ok, then content-type via builder: - return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert + return Response.ok(userControlled).type(MediaType.TEXT_HTML_TYPE).build(); // $ Alert[java/xss] } } 
@@ -161,28 +161,28 @@ public static Response methodContentTypeSafeStringLiteral(String userControlled) } @GET @Produces(MediaType.TEXT_HTML) - public static Response methodContentTypeUnsafe(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeUnsafe(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @POST @Produces(MediaType.TEXT_HTML) - public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeUnsafePost(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET @Produces("text/html") - public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET @Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON}) - public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response methodContentTypeMaybeSafe(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET @Produces(MediaType.APPLICATION_JSON) - public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source - return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + public static Response methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source[java/xss] + return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] 
} @GET @Produces(MediaType.TEXT_HTML) @@ -204,13 +204,13 @@ public String testDirectReturn(String userControlled) { } @GET @Produces({"text/html"}) - public Response overridesWithUnsafe(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public Response overridesWithUnsafe(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET - public Response overridesWithUnsafe2(String userControlled) { // $ Source - return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert + public Response overridesWithUnsafe2(String userControlled) { // $ Source[java/xss] + return Response.ok().type(MediaType.TEXT_HTML).entity(userControlled).build(); // $ Alert[java/xss] } } @@ -218,13 +218,13 @@ public Response overridesWithUnsafe2(String userControlled) { // $ Source @Produces({"text/html"}) public static class ClassContentTypeUnsafe { @GET - public Response test(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public Response test(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET - public String testDirectReturn(String userControlled) { // $ Source - return userControlled; // $ Alert + public String testDirectReturn(String userControlled) { // $ Source[java/xss] + return userControlled; // $ Alert[java/xss] } @GET @Produces({"application/json"}) 
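Review bot: In the JaxXSS.java hunk at `-161,28`, `methodContentTypeMaybeSafe` is expected to raise `Alert[java/xss]`, but nothing says why a method named "MaybeSafe" is treated as unsafe. With `@Produces({MediaType.TEXT_HTML, MediaType.APPLICATION_JSON})` the response type is presumably picked by content negotiation, so a request asking for `text/html` gets the user-controlled entity served as HTML. A comment above the return, e.g. `// BAD: text/html is one of the negotiable types, so the entity can be rendered as HTML`, would record that next to the tag. The same missing reason applies to `methodContentTypeMaybeSafe` and `methodContentTypeMaybeSafeStringLiterals` in the SpringXSS.java hunks, and to `entityWithNoMediaType` and `stringWithNoMediaType` in both files, where no content type is declared at all. The hunk starts inside the class body and its trailing context opens a method that continues outside it.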
@@ -239,13 +239,13 @@ public Response overridesWithSafe2(String userControlled) { } @GET - public static Response entityWithNoMediaType(String userControlled) { // $ Source - return Response.ok(userControlled).build(); // $ Alert + public static Response entityWithNoMediaType(String userControlled) { // $ Source[java/xss] + return Response.ok(userControlled).build(); // $ Alert[java/xss] } @GET - public static String stringWithNoMediaType(String userControlled) { // $ Source - return userControlled; // $ Alert + public static String stringWithNoMediaType(String userControlled) { // $ Source[java/xss] + return userControlled; // $ Alert[java/xss] } } diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java index f3efab3ddfe3..a6f95bccfa61 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/JsfXSS.java @@ -18,7 +18,7 @@ public void encodeBegin(FacesContext facesContext, UIComponent component) throws { super.encodeBegin(facesContext, component); - Map requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source + Map requestParameters = facesContext.getExternalContext().getRequestParameterMap(); // $ Source[java/xss] String windowId = requestParameters.get("window_id"); ResponseWriter writer = facesContext.getResponseWriter(); @@ -26,7 +26,7 @@ public void encodeBegin(FacesContext facesContext, UIComponent component) throws writer.write("(function(){"); writer.write("dswh.init('" + windowId + "','" + "......" + "'," - + -1 + ",{"); // $ Alert + + -1 + ",{"); // $ Alert[java/xss] writer.write("});"); writer.write("})();"); writer.write(""); 
@@ -57,13 +57,13 @@ public void testAllSources(FacesContext facesContext) throws IOException { ExternalContext ec = facesContext.getExternalContext(); ResponseWriter writer = facesContext.getResponseWriter(); - writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert - writer.write(ec.getRequestParameterNames().next()); // $ Alert - writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert - writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert - writer.write(ec.getRequestPathInfo()); // $ Alert - writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert - writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert - writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert + writer.write(ec.getRequestParameterMap().keySet().iterator().next()); // $ Alert[java/xss] + writer.write(ec.getRequestParameterNames().next()); // $ Alert[java/xss] + writer.write(ec.getRequestParameterValuesMap().get("someKey")[0]); // $ Alert[java/xss] + writer.write(ec.getRequestParameterValuesMap().keySet().iterator().next()); // $ Alert[java/xss] + writer.write(ec.getRequestPathInfo()); // $ Alert[java/xss] + writer.write(((Cookie)ec.getRequestCookieMap().get("someKey")).getName()); // $ Alert[java/xss] + writer.write(ec.getRequestHeaderMap().get("someKey")); // $ Alert[java/xss] + writer.write(ec.getRequestHeaderValuesMap().get("someKey")[0]); // $ Alert[java/xss] } } diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java index fd3a26bcf105..53b45c678af9 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/SpringXSS.java 
@@ -13,17 +13,17 @@ public class SpringXSS { @GetMapping - public static ResponseEntity specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source + public static ResponseEntity specificContentType(boolean safeContentType, boolean chainDirectly, String userControlled) { // $ Source[java/xss] ResponseEntity.BodyBuilder builder = ResponseEntity.ok(); if(!safeContentType) { if(chainDirectly) { - return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert + return builder.contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss] } else { ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.TEXT_HTML); - return builder2.body(userControlled); // $ Alert + return builder2.body(userControlled); // $ Alert[java/xss] } } else { 
@@ -59,23 +59,23 @@ public static ResponseEntity methodContentTypeSafeStringLiteral(String u } @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE) - public static ResponseEntity methodContentTypeUnsafe(String userControlled) { // $ Source - return ResponseEntity.ok(userControlled); // $ Alert + public static ResponseEntity methodContentTypeUnsafe(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok(userControlled); // $ Alert[java/xss] } @GetMapping(value = "/xyz", produces = "text/html") - public static ResponseEntity methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source - return ResponseEntity.ok(userControlled); // $ Alert + public static ResponseEntity methodContentTypeUnsafeStringLiteral(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok(userControlled); // $ Alert[java/xss] } @GetMapping(value = "/xyz", produces = {MediaType.TEXT_HTML_VALUE, MediaType.APPLICATION_JSON_VALUE}) - public static ResponseEntity methodContentTypeMaybeSafe(String userControlled) { // $ Source - return ResponseEntity.ok(userControlled); // $ Alert + public static ResponseEntity methodContentTypeMaybeSafe(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok(userControlled); // $ Alert[java/xss] } @GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE) - public static ResponseEntity methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source - return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert + public static ResponseEntity methodContentTypeSafeOverriddenWithUnsafe(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss] } @GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE) 
@@ -84,17 +84,17 @@ public static ResponseEntity methodContentTypeUnsafeOverriddenWithSafe(S } @GetMapping(value = "/xyz", produces = {"text/html", "application/json"}) - public static ResponseEntity methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source + public static ResponseEntity methodContentTypeMaybeSafeStringLiterals(String userControlled, int constructionMethod) { // $ Source[java/xss] // Also try out some alternative constructors for the ResponseEntity: switch(constructionMethod) { case 0: - return ResponseEntity.ok(userControlled); // $ Alert + return ResponseEntity.ok(userControlled); // $ Alert[java/xss] case 1: - return ResponseEntity.of(Optional.of(userControlled)); // $ Alert + return ResponseEntity.of(Optional.of(userControlled)); // $ Alert[java/xss] case 2: - return ResponseEntity.ok().body(userControlled); // $ Alert + return ResponseEntity.ok().body(userControlled); // $ Alert[java/xss] case 3: - return new ResponseEntity(userControlled, HttpStatus.OK); // $ Alert + return new ResponseEntity(userControlled, HttpStatus.OK); // $ Alert[java/xss] default: return null; } @@ -114,13 +114,13 @@ public String testDirectReturn(String userControlled) { } @GetMapping(value = "/xyz", produces = {"text/html"}) - public ResponseEntity overridesWithUnsafe(String userControlled) { // $ Source - return ResponseEntity.ok(userControlled); // $ Alert + public ResponseEntity overridesWithUnsafe(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok(userControlled); // $ Alert[java/xss] } @GetMapping(value = "/abc") - public ResponseEntity overridesWithUnsafe2(String userControlled) { // $ Source - return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert + public ResponseEntity overridesWithUnsafe2(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $ Alert[java/xss] } } 
@@ -128,13 +128,13 @@ public ResponseEntity overridesWithUnsafe2(String userControlled) { // $ @RequestMapping(produces = {"text/html"}) private static class ClassContentTypeUnsafe { @GetMapping(value = "/abc") - public ResponseEntity test(String userControlled) { // $ Source - return ResponseEntity.ok(userControlled); // $ Alert + public ResponseEntity test(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok(userControlled); // $ Alert[java/xss] } @GetMapping(value = "/abc") - public String testDirectReturn(String userControlled) { // $ Source - return userControlled; // $ Alert + public String testDirectReturn(String userControlled) { // $ Source[java/xss] + return userControlled; // $ Alert[java/xss] } @GetMapping(value = "/xyz", produces = {"application/json"}) @@ -149,13 +149,13 @@ public ResponseEntity overridesWithSafe2(String userControlled) { } @GetMapping(value = "/abc") - public static ResponseEntity entityWithNoMediaType(String userControlled) { // $ Source - return ResponseEntity.ok(userControlled); // $ Alert + public static ResponseEntity entityWithNoMediaType(String userControlled) { // $ Source[java/xss] + return ResponseEntity.ok(userControlled); // $ Alert[java/xss] } @GetMapping(value = "/abc") - public static String stringWithNoMediaType(String userControlled) { // $ Source - return userControlled; // $ Alert + public static String stringWithNoMediaType(String userControlled) { // $ Source[java/xss] + return userControlled; // $ Alert[java/xss] } @GetMapping(value = "/abc") diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java index 13ae6b62e10c..b12099673b8e 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.java 
@@ -16,7 +16,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response, b throws ServletException, IOException { // BAD: a request parameter is written directly to the Servlet response stream response.getWriter() - .print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert + .print("The page \"" + request.getParameter("page") + "\" was not found."); // $ Alert[java/xss] // GOOD: servlet API encodes the error message HTML for the HTML context response.sendError(HttpServletResponse.SC_NOT_FOUND, @@ -31,10 +31,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response, b "The page \"" + capitalizeName(request.getParameter("page")) + "\" was not found."); // BAD: outputting the path of the resource - response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert + response.getWriter().print("The path section of the URL was " + request.getPathInfo()); // $ Alert[java/xss] // BAD: typical XSS, this time written to an OutputStream instead of a Writer - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss] // GOOD: sanitizer response.getOutputStream().write(hudson.Util.escape(request.getPathInfo()).getBytes()); // safe 
@@ -80,34 +80,34 @@ else if(setContentMethod == 1) { if(setContentMethod == 0) { // BAD: set content-type to something that is not safe response.setContentType("text/html"); - response.getWriter().print(request.getPathInfo()); // $ Alert + response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss] } else if(setContentMethod == 1) { // BAD: set content-type to something that is not safe response.setHeader("Content-Type", "text/html"); - response.getWriter().print(request.getPathInfo()); // $ Alert + response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss] } else { // BAD: set content-type to something that is not safe response.addHeader("Content-Type", "text/html"); - response.getWriter().print(request.getPathInfo()); // $ Alert + response.getWriter().print(request.getPathInfo()); // $ Alert[java/xss] } } else { if(setContentMethod == 0) { // BAD: set content-type to something that is not safe response.setContentType("text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss] } else if(setContentMethod == 1) { // BAD: set content-type to something that is not safe response.setHeader("Content-Type", "text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss] } else { // BAD: set content-type to something that is not safe response.addHeader("Content-Type", "text/html"); - response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert + response.getOutputStream().write(request.getPathInfo().getBytes()); // $ Alert[java/xss] } } } diff --git a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java index ee6a0c56b709..5f13a16d6900 100644 
--- a/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java +++ b/java/ql/test/query-tests/security/CWE-094/ApkInstallationTest/ApkInstallation.java @@ -11,7 +11,7 @@ public class ApkInstallation extends Activity { public void installAPK(String path) { // BAD: the path is not checked Intent intent = new Intent(Intent.ACTION_VIEW); - intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ Alert + intent.setDataAndType(Uri.fromFile(new File(path)), "application/vnd.android.package-archive"); // $ Alert[java/android/arbitrary-apk-installation] startActivity(intent); } @@ -19,7 +19,7 @@ public void installAPK3(String path) { Intent intent = new Intent(Intent.ACTION_VIEW); intent.setType(APK_MIMETYPE); // BAD: the path is not checked - intent.setData(Uri.fromFile(new File(path))); // $ Alert + intent.setData(Uri.fromFile(new File(path))); // $ Alert[java/android/arbitrary-apk-installation] startActivity(intent); } @@ -27,7 +27,7 @@ public void installAPKFromExternalStorage(String path) { // BAD: file is from external storage File file = new File(Environment.getExternalStorageDirectory(), path); Intent intent = new Intent(Intent.ACTION_VIEW); - intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ Alert + intent.setDataAndType(Uri.fromFile(file), APK_MIMETYPE); // $ Alert[java/android/arbitrary-apk-installation] startActivity(intent); } 
@@ -35,14 +35,14 @@ public void installAPKFromExternalStorageWithActionInstallPackage(String path) { // BAD: file is from external storage File file = new File(Environment.getExternalStorageDirectory(), path); Intent intent = new Intent(Intent.ACTION_INSTALL_PACKAGE); - intent.setData(Uri.fromFile(file)); // $ Alert + intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation] startActivity(intent); } public void installAPKInstallPackageLiteral(String path) { File file = new File(Environment.getExternalStorageDirectory(), path); Intent intent = new Intent("android.intent.action.INSTALL_PACKAGE"); - intent.setData(Uri.fromFile(file)); // $ Alert + intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation] startActivity(intent); } @@ -50,7 +50,7 @@ public void otherIntent(File file) { Intent intent = new Intent(this, OtherActivity.class); intent.setAction(Intent.ACTION_VIEW); // BAD: the file is from unknown source - intent.setData(Uri.fromFile(file)); // $ Alert + intent.setData(Uri.fromFile(file)); // $ Alert[java/android/arbitrary-apk-installation] } } diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java index ff7d73f16bd9..9fd078b1ba94 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyClassLoaderTest.java 
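Review bot: In the ApkInstallation.java hunk at `-35,14`, `installAPKInstallPackageLiteral` is the only method without a `// BAD:` comment, although its `setData` line carries the same `Alert[java/android/arbitrary-apk-installation]` expectation as its neighbours. Adding `// BAD: file is from external storage` above its `File file = ...` line, as `installAPKFromExternalStorageWithActionInstallPackage` already has, would keep the reason for the alert beside the tag. It would also help to note that this case passes the action as the string literal `"android.intent.action.INSTALL_PACKAGE"` instead of the `Intent` constant, since that appears to be what the test adds. The first method in the hunk begins outside it.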
@@ -14,41 +14,41 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] final GroovyClassLoader classLoader = new GroovyClassLoader(); GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - classLoader.parseClass(gcs); // $ Alert + classLoader.parseClass(gcs); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyClassLoader;false;parseClass;(GroovyCodeSource,boolean);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] final GroovyClassLoader classLoader = new GroovyClassLoader(); GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - classLoader.parseClass(gcs, true); // $ Alert + classLoader.parseClass(gcs, true); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyClassLoader;false;parseClass;(InputStream,String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert + classLoader.parseClass(new ByteArrayInputStream(script.getBytes()), "test"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyClassLoader;false;parseClass;(Reader,String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(new 
StringReader(script), "test"); // $ Alert + classLoader.parseClass(new StringReader(script), "test"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyClassLoader;false;parseClass;(String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(script); // $ Alert + classLoader.parseClass(script); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyClassLoader;false;parseClass;(String,String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] final GroovyClassLoader classLoader = new GroovyClassLoader(); - classLoader.parseClass(script, "test"); // $ Alert + classLoader.parseClass(script, "test"); // $ Alert[java/groovy-injection] } } } diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java index a906d9fdc968..e5088d873af0 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyCompilationUnitTest.java @@ -18,8 +18,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) // "org.codehaus.groovy.control;CompilationUnit;false;compile;;;Argument[this];groovy;manual" { CompilationUnit cu = new CompilationUnit(); - cu.addSource("test", request.getParameter("source")); // $ Source - cu.compile(); // $ Alert + cu.addSource("test", request.getParameter("source")); // $ Source[java/groovy-injection] + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); 
@@ -29,20 +29,20 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) { CompilationUnit cu = new CompilationUnit(); cu.addSource("test", - new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source - cu.compile(); // $ Alert + new ByteArrayInputStream(request.getParameter("source").getBytes())); // $ Source[java/groovy-injection] + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); - cu.addSource(new URL(request.getParameter("source"))); // $ Source - cu.compile(); // $ Alert + cu.addSource(new URL(request.getParameter("source"))); // $ Source[java/groovy-injection] + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); SourceUnit su = - new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source + new SourceUnit("test", request.getParameter("source"), null, null, null); // $ Source[java/groovy-injection] cu.addSource(su); - cu.compile(); // $ Alert + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); 
@@ -53,29 +53,29 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) } { CompilationUnit cu = new CompilationUnit(); - StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source + StringReaderSource rs = new StringReaderSource(request.getParameter("source"), null); // $ Source[java/groovy-injection] SourceUnit su = new SourceUnit("test", rs, null, null, null); cu.addSource(su); - cu.compile(); // $ Alert + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); SourceUnit su = - new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source + new SourceUnit(new URL(request.getParameter("source")), null, null, null); // $ Source[java/groovy-injection] cu.addSource(su); - cu.compile(); // $ Alert + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); - SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source + SourceUnit su = SourceUnit.create("test", request.getParameter("source")); // $ Source[java/groovy-injection] cu.addSource(su); - cu.compile(); // $ Alert + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); - SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source + SourceUnit su = SourceUnit.create("test", request.getParameter("source"), 0); // $ Source[java/groovy-injection] cu.addSource(su); - cu.compile(); // $ Alert + cu.compile(); // $ Alert[java/groovy-injection] } { CompilationUnit cu = new CompilationUnit(); 
@@ -85,8 +85,8 @@ public void doGet(HttpServletRequest request, HttpServletResponse response) } { JavaAwareCompilationUnit cu = new JavaAwareCompilationUnit(); - cu.addSource("test", request.getParameter("source")); // $ Source - cu.compile(); // $ Alert + cu.addSource("test", request.getParameter("source")); // $ Source[java/groovy-injection] + cu.compile(); // $ Alert[java/groovy-injection] } { JavaStubCompilationUnit cu = new JavaStubCompilationUnit(null, null); diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java index 3756cd10bfa2..704a225c6708 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyEvalTest.java 
@@ -11,29 +11,29 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // "groovy.util;Eval;false;me;(String);;Argument[0];groovy;manual", { - String script = request.getParameter("script"); // $ Source - Eval.me(script); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + Eval.me(script); // $ Alert[java/groovy-injection] } // "groovy.util;Eval;false;me;(String,Object,String);;Argument[2];groovy;manual", { - String script = request.getParameter("script"); // $ Source - Eval.me("test", "result", script); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + Eval.me("test", "result", script); // $ Alert[java/groovy-injection] } // "groovy.util;Eval;false;x;(Object,String);;Argument[1];groovy;manual", { - String script = request.getParameter("script"); // $ Source - Eval.x("result2", script); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + Eval.x("result2", script); // $ Alert[java/groovy-injection] } // "groovy.util;Eval;false;xy;(Object,Object,String);;Argument[2];groovy;manual", { - String script = request.getParameter("script"); // $ Source - Eval.xy("result3", "result4", script); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + Eval.xy("result3", "result4", script); // $ Alert[java/groovy-injection] } // "groovy.util;Eval;false;xyz;(Object,Object,Object,String);;Argument[3];groovy;manual", { - String script = request.getParameter("script"); // $ Source - Eval.xyz("result3", "result4", "aaa", script); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + Eval.xyz("result3", "result4", "aaa", script); // $ Alert[java/groovy-injection] } } } 
diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java index 6e2e773b03c1..aa26691c0197 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/GroovyShellTest.java 
@@ -19,134 +19,134 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) // "groovy.lang;GroovyShell;false;evaluate;(GroovyCodeSource);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.evaluate(gcs); // $ Alert + shell.evaluate(gcs); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(Reader);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.evaluate(reader); // $ Alert + shell.evaluate(reader); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(Reader,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.evaluate(reader, "_"); // $ Alert + shell.evaluate(reader, "_"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.evaluate(script); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.evaluate(script); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.evaluate(script, "test"); // $ Alert + String script 
= request.getParameter("script"); // $ Source[java/groovy-injection] + shell.evaluate(script, "test"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(String,String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.evaluate(script, "test", "test2"); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.evaluate(script, "test", "test2"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(new URI(script)); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(new URI(script)); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;parse;(Reader);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.parse(reader); // $ Alert + shell.parse(reader); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(Reader,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.parse(reader, "_"); // $ Alert + shell.parse(reader, "_"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(script); // $ 
Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(script); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(String,String);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(script, "_"); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(script, "_"); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;parse;(URI);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.parse(new URI(script)); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.parse(new URI(script)); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.run(gcs, new String[] {}); // $ Alert + shell.run(gcs, new String[] {}); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(GroovyCodeSource,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test"); - shell.run(gcs, new ArrayList()); // $ Alert + shell.run(gcs, new ArrayList()); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(Reader,String,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new 
GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.run(reader, "test", new String[] {}); // $ Alert + shell.run(reader, "test", new String[] {}); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(Reader,String,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source + String script = request.getParameter("script"); // $ Source[java/groovy-injection] Reader reader = new StringReader(script); - shell.run(reader, "test", new ArrayList()); // $ Alert + shell.run(reader, "test", new ArrayList()); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(String,String,String[]);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(script, "_", new String[] {}); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(script, "_", new String[] {}); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(String,String,List);;Argument[0];groovy;manual", { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(script, "_", new ArrayList()); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(script, "_", new ArrayList()); // $ Alert[java/groovy-injection] } // "groovy.lang;GroovyShell;false;run;(URI,String[]);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(new URI(script), new String[] {}); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(new URI(script), new String[] 
{}); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } // "groovy.lang;GroovyShell;false;run;(URI,List);;Argument[0];groovy;manual", try { GroovyShell shell = new GroovyShell(); - String script = request.getParameter("script"); // $ Source - shell.run(new URI(script), new ArrayList()); // $ Alert + String script = request.getParameter("script"); // $ Source[java/groovy-injection] + shell.run(new URI(script), new ArrayList()); // $ Alert[java/groovy-injection] } catch (URISyntaxException e) { } } diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java index a046b9cd332a..77519656614e 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjection/TemplateEngineTest.java @@ -11,7 +11,7 @@ public class TemplateEngineTest extends HttpServlet { private Object source(HttpServletRequest request) { - return request.getParameter("script"); // $ Source + return request.getParameter("script"); // $ Source[java/groovy-injection] } protected void doGet(HttpServletRequest request, HttpServletResponse response) @@ -19,10 +19,10 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response) try { Object script = source(request); TemplateEngine engine = null; - engine.createTemplate(request.getParameter("script")); // $ Alert - engine.createTemplate((File) script); // $ Alert - engine.createTemplate((Reader) script); // $ Alert - engine.createTemplate((URL) script); // $ Alert + engine.createTemplate(request.getParameter("script")); // $ Alert[java/groovy-injection] + engine.createTemplate((File) script); // $ Alert[java/groovy-injection] + engine.createTemplate((Reader) script); // $ Alert[java/groovy-injection] + engine.createTemplate((URL) script); // $ Alert[java/groovy-injection] } catch (Exception e) { } 
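Review bot: In GroovyShellTest.java the block under the comment `"groovy.lang;GroovyShell;false;evaluate;(URI);;Argument[0];groovy;manual"` calls `shell.parse(new URI(script))`, which is the same call as the later `parse;(URI)` block. The `evaluate(URI)` sink model is therefore never exercised in this file, although both lines now carry `Alert[java/groovy-injection]`. The expectation passes either way, so a regression in that one sink model would go unnoticed. Changing the line to `shell.evaluate(new URI(script)); // $ Alert[java/groovy-injection]` would make the test match its comment. `doGet` begins outside the hunk, so its `throws` clause should be checked for the exceptions `evaluate(URI)` declares.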
diff --git a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java index bfa94bbe3a80..fb840759b623 100644 --- a/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java +++ b/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java @@ -4,11 +4,11 @@ public class InsecureBeanValidation implements ConstraintValidator { @Override - public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source + public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source[java/insecure-bean-validation] String value = object + " is invalid"; // Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate` - constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert + constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert[java/insecure-bean-validation] // Good: Using message parameters constraintContext.buildConstraintViolationWithTemplate("literal {message_parameter}").addConstraintViolation().disableDefaultConstraintViolation(); diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java index b306cf4e535a..ab5a6b179a56 100644 --- a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl2Injection.java 
@@ -11,21 +11,21 @@ private static void runJexlExpression(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Expression e = jexl.createExpression(jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionWithJexlInfo(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Expression e = jexl.createExpression(jexlExpr, new DebugInfo("unknown", 0, 0)); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScript(String jexlExpr) { JexlEngine jexl = new JexlEngine(); Script script = jexl.createScript(jexlExpr); JexlContext jc = new MapContext(); - script.execute(jc); // $ Alert + script.execute(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScriptViaCallable(String jexlExpr) { @@ -34,7 +34,7 @@ private static void runJexlScriptViaCallable(String jexlExpr) { JexlContext jc = new MapContext(); try { - script.callable(jc).call(); // $ Alert + script.callable(jc).call(); // $ Alert[java/jexl-expression-injection] } catch (Exception e) { throw new RuntimeException(e); } 
@@ -42,37 +42,37 @@ private static void runJexlScriptViaCallable(String jexlExpr) { private static void runJexlExpressionViaGetProperty(String jexlExpr) { JexlEngine jexl = new JexlEngine(); - jexl.getProperty(new Object(), jexlExpr); // $ Alert + jexl.getProperty(new Object(), jexlExpr); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaSetProperty(String jexlExpr) { JexlEngine jexl = new JexlEngine(); - jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert + jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaUnifiedJEXLParseAndEvaluate(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert + unifiedJEXL.parse(jexlExpr).evaluate(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaUnifiedJEXLParseAndPrepare(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert + unifiedJEXL.parse(jexlExpr).prepare(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaUnifiedJEXLTemplateEvaluate(String jexlExpr) { JexlEngine jexl = new JexlEngine(); UnifiedJEXL unifiedJEXL = new UnifiedJEXL(jexl); - unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert + unifiedJEXL.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert[java/jexl-expression-injection] } private static void testWithSocket(Consumer action) throws Exception { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); // $ Source + int n = 
socket.getInputStream().read(bytes); // $ Source[java/jexl-expression-injection] String jexlExpr = new String(bytes, 0, n); action.accept(jexlExpr); } diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java index c047bb5b3158..04e0f9a5e53e 100644 --- a/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjection/Jexl3Injection.java @@ -18,21 +18,21 @@ private static void runJexlExpression(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlExpression e = jexl.createExpression(jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionWithJexlInfo(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlExpression e = jexl.createExpression(new JexlInfo("unknown", 0, 0), jexlExpr); JexlContext jc = new MapContext(); - e.evaluate(jc); // $ Alert + e.evaluate(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScript(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JexlScript script = jexl.createScript(jexlExpr); JexlContext jc = new MapContext(); - script.execute(jc); // $ Alert + script.execute(jc); // $ Alert[java/jexl-expression-injection] } private static void runJexlScriptViaCallable(String jexlExpr) { @@ -41,7 +41,7 @@ private static void runJexlScriptViaCallable(String jexlExpr) { JexlContext jc = new MapContext(); try { - script.callable(jc).call(); // $ Alert + script.callable(jc).call(); // $ Alert[java/jexl-expression-injection] } catch (Exception e) { throw new RuntimeException(e); } 
@@ -49,30 +49,30 @@ private static void runJexlScriptViaCallable(String jexlExpr) { private static void runJexlExpressionViaGetProperty(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); - jexl.getProperty(new Object(), jexlExpr); // $ Alert + jexl.getProperty(new Object(), jexlExpr); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaSetProperty(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); - jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert + jexl.setProperty(new Object(), jexlExpr, new Object()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaJxltEngineExpressionEvaluate(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert + jxlt.createExpression(jexlExpr).evaluate(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaJxltEngineExpressionPrepare(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert + jxlt.createExpression(jexlExpr).prepare(new MapContext()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaJxltEngineTemplateEvaluate(String jexlExpr) { JexlEngine jexl = new JexlBuilder().create(); JxltEngine jxlt = jexl.createJxltEngine(); - jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert + jxlt.createTemplate(jexlExpr).evaluate(new MapContext(), new StringWriter()); // $ Alert[java/jexl-expression-injection] } private static void runJexlExpressionViaCallable(String jexlExpr) { 
@@ -81,7 +81,7 @@ private static void runJexlExpressionViaCallable(String jexlExpr) { JexlContext jc = new MapContext(); try { - e.callable(jc).call(); // $ Alert + e.callable(jc).call(); // $ Alert[java/jexl-expression-injection] } catch (Exception ex) { throw new RuntimeException(ex); } @@ -91,7 +91,7 @@ private static void testWithSocket(Consumer action) throws Exception { try (ServerSocket serverSocket = new ServerSocket(0)) { try (Socket socket = serverSocket.accept()) { byte[] bytes = new byte[1024]; - int n = socket.getInputStream().read(bytes); // $ Source + int n = socket.getInputStream().read(bytes); // $ Source[java/jexl-expression-injection] String jexlExpr = new String(bytes, 0, n); action.accept(jexlExpr); } @@ -141,14 +141,14 @@ public static void testWithJexlExpressionCallable() throws Exception { } @PostMapping("/request") - public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source + public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromPathVariable(@PathVariable String expr) { // $ Source[java/jexl-expression-injection] runJexlExpression(expr); return ResponseEntity.ok(HttpStatus.OK); } @PostMapping("/request") - public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source + public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@RequestBody Data data) { // $ Source[java/jexl-expression-injection] String expr = data.getExpr(); runJexlExpression(expr); @@ -158,7 +158,7 @@ public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBody(@ @PostMapping("/request") public ResponseEntity testWithSpringControllerThatEvaluatesJexlFromRequestBodyWithNestedObjects( - @RequestBody CustomRequest customRequest) { // $ Source + @RequestBody CustomRequest customRequest) { // $ Source[java/jexl-expression-injection] String expr = customRequest.getData().getExpr(); runJexlExpression(expr); 
diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java index 4e6738dbfd9a..b661732cc37b 100644 --- a/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-094/MvelInjection/MvelInjectionTest.java 
@@ -21,31 +21,31 @@ public class MvelInjectionTest { public static void testWithMvelEval(Socket socket) throws IOException { - MVEL.eval(read(socket)); // $ Alert + MVEL.eval(read(socket)); // $ Alert[java/mvel-expression-injection] } public static void testWithMvelCompileAndExecute(Socket socket) throws IOException { Serializable expression = MVEL.compileExpression(read(socket)); - MVEL.executeExpression(expression); // $ Alert + MVEL.executeExpression(expression); // $ Alert[java/mvel-expression-injection] } public static void testWithExpressionCompiler(Socket socket) throws IOException { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); ExecutableStatement statement = compiler.compile(); - statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert - statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert + statement.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] + statement.getValue(new Object(), new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } public static void testWithCompiledExpressionGetDirectValue(Socket socket) throws IOException { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); CompiledExpression expression = compiler.compile(); - expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert + expression.getDirectValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } public static void testCompiledAccExpressionGetValue(Socket socket) throws IOException { CompiledAccExpression expression = new CompiledAccExpression(read(socket).toCharArray(), Object.class, new ParserContext()); - expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert + expression.getValue(new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } public static void 
testMvelScriptEngineCompileAndEvaluate(Socket socket) throws Exception { @@ -53,10 +53,10 @@ public static void testMvelScriptEngineCompileAndEvaluate(Socket socket) throws MvelScriptEngine engine = new MvelScriptEngine(); CompiledScript compiledScript = engine.compile(input); - compiledScript.eval(); // $ Alert + compiledScript.eval(); // $ Alert[java/mvel-expression-injection] Serializable script = engine.compiledScript(input); - engine.evaluate(script, new SimpleScriptContext()); // $ Alert + engine.evaluate(script, new SimpleScriptContext()); // $ Alert[java/mvel-expression-injection] } public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throws Exception { 
@@ -64,30 +64,30 @@ public static void testMvelCompiledScriptCompileAndEvaluate(Socket socket) throw ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); ExecutableStatement statement = compiler.compile(); MvelCompiledScript script = new MvelCompiledScript(engine, statement); - script.eval(new SimpleScriptContext()); // $ Alert + script.eval(new SimpleScriptContext()); // $ Alert[java/mvel-expression-injection] } public static void testTemplateRuntimeEval(Socket socket) throws Exception { - TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert + TemplateRuntime.eval(read(socket), new HashMap()); // $ Alert[java/mvel-expression-injection] } public static void testTemplateRuntimeCompileTemplateAndExecute(Socket socket) throws Exception { - TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert + TemplateRuntime.execute(TemplateCompiler.compileTemplate(read(socket)), new HashMap()); // $ Alert[java/mvel-expression-injection] } public static void testTemplateRuntimeCompileAndExecute(Socket socket) throws Exception { TemplateCompiler compiler = new TemplateCompiler(read(socket)); - TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert + TemplateRuntime.execute(compiler.compile(), new HashMap()); // $ Alert[java/mvel-expression-injection] } public static void testMvelRuntimeExecute(Socket socket) throws Exception { ExpressionCompiler compiler = new ExpressionCompiler(read(socket)); CompiledExpression expression = compiler.compile(); - MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert + MVELRuntime.execute(false, expression, new Object(), new ImmutableDefaultFactory()); // $ Alert[java/mvel-expression-injection] } public static String read(Socket socket) throws IOException { - try (InputStream is = socket.getInputStream()) { // $ Source + try (InputStream is = socket.getInputStream()) { // $ Source[java/mvel-expression-injection] byte[] bytes = 
new byte[1024]; int n = is.read(bytes); return new String(bytes, 0, n); diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java index 88c4e913d493..17bf732d547c 100644 --- a/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java +++ b/java/ql/test/query-tests/security/CWE-094/SpelInjection/SpelInjectionTest.java @@ -13,7 +13,7 @@ public class SpelInjectionTest { private static final ExpressionParser PARSER = new SpelExpressionParser(); public void testGetValue(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); 
@@ -21,33 +21,33 @@ public void testGetValue(Socket socket) throws IOException { ExpressionParser parser = new SpelExpressionParser(); Expression expression = parser.parseExpression(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testGetValueWithParseRaw(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); SpelExpressionParser parser = new SpelExpressionParser(); SpelExpression expression = parser.parseRaw(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testGetValueWithChainedCalls(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = new SpelExpressionParser().parseExpression(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testSetValueWithRootObject(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); 
@@ -57,33 +57,33 @@ public void testSetValueWithRootObject(Socket socket) throws IOException { Object root = new Object(); Object value = new Object(); - expression.setValue(root, value); // $ Alert + expression.setValue(root, value); // $ Alert[java/spel-expression-injection] } public void testGetValueWithStaticParser(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = PARSER.parseExpression(input); - expression.getValue(); // $ Alert + expression.getValue(); // $ Alert[java/spel-expression-injection] } public void testGetValueType(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); String input = new String(bytes, 0, n); Expression expression = PARSER.parseExpression(input); - expression.getValueType(); // $ Alert + expression.getValueType(); // $ Alert[java/spel-expression-injection] } public void testWithStandardEvaluationContext(Socket socket) throws IOException { - InputStream in = socket.getInputStream(); // $ Source + InputStream in = socket.getInputStream(); // $ Source[java/spel-expression-injection] byte[] bytes = new byte[1024]; int n = in.read(bytes); @@ -92,7 +92,7 @@ public void testWithStandardEvaluationContext(Socket socket) throws IOException Expression expression = PARSER.parseExpression(input); StandardEvaluationContext context = new StandardEvaluationContext(); - expression.getValue(context); // $ Alert + expression.getValue(context); // $ Alert[java/spel-expression-injection] } public void testWithSimpleEvaluationContext(Socket socket) throws IOException { 
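Review bot: In the `@@ -92,7` hunk of SpelInjectionTest.java, the tag on `expression.getValue(context)` records that evaluation under a `StandardEvaluationContext` must alert, but nothing tells a reader why the next method, `testWithSimpleEvaluationContext`, is the contrasting case. A one-line comment on each would help, e.g. `// BAD: StandardEvaluationContext allows type references and method calls in attacker-supplied SpEL` and `// GOOD: SimpleEvaluationContext restricts the expression language`. That would match the BAD/GOOD comments ConditionalBypassTest.java already carries in this patch. Only the signature of `testWithSimpleEvaluationContext` is inside the hunk, so I am assuming it is the negative case; please confirm before adding the second comment.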
diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
index a39ed8c5a4e5..e1b87b3d2e5c 100644
--- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
+++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/FreemarkerSSTI.java
@@ -20,88 +20,88 @@ public class FreemarkerSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Reader reader = new StringReader(code); - Template t = new Template(name, reader); // $ Alert + Template t = new Template(name, reader); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Reader reader = new StringReader(code); Configuration cfg = new Configuration(); - Template t = new Template(name, reader, cfg); // $ Alert + Template t = new Template(name, reader, cfg); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Reader reader = new StringReader(code); Configuration cfg = new Configuration(); - Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert + Template t = new Template(name, reader, cfg, "UTF-8"); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad4") public void bad4(HttpServletRequest request) { String name = "ttemplate"; - String sourceCode = request.getParameter("sourceCode"); // $ Source + String sourceCode = request.getParameter("sourceCode"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); - Template t = new Template(name, sourceCode, cfg); // $ Alert + Template t = new Template(name, sourceCode, cfg); // $ Alert[java/server-side-template-injection] } @GetMapping(value 
= "bad5") public void bad5(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); Reader reader = new StringReader(code); - Template t = new Template(name, sourceName, reader, cfg); // $ Alert + Template t = new Template(name, sourceName, reader, cfg); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad6") public void bad6(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); ParserConfiguration customParserConfiguration = new Configuration(); Reader reader = new StringReader(code); Template t = - new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert + new Template(name, sourceName, reader, cfg, customParserConfiguration, "UTF-8"); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad7") public void bad7(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] Configuration cfg = new Configuration(); ParserConfiguration customParserConfiguration = new Configuration(); Reader reader = new StringReader(code); - Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert + Template t = new Template(name, sourceName, reader, cfg, "UTF-8"); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad8") public void bad8(HttpServletRequest request) { - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] StringTemplateLoader 
stringLoader = new StringTemplateLoader(); - stringLoader.putTemplate("myTemplate", code); // $ Alert + stringLoader.putTemplate("myTemplate", code); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad9") public void bad9(HttpServletRequest request) { - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] StringTemplateLoader stringLoader = new StringTemplateLoader(); - stringLoader.putTemplate("myTemplate", code, 0); // $ Alert + stringLoader.putTemplate("myTemplate", code, 0); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "good1") diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java index 9bd9bad4ca8f..ef931de15379 100644 --- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/JinJavaSSTI.java 
@@ -18,27 +18,27 @@ public class JinJavaSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String template = request.getParameter("template"); // $ Source + String template = request.getParameter("template"); // $ Source[java/server-side-template-injection] Jinjava jinjava = new Jinjava(); Map context = new HashMap<>(); - String renderedTemplate = jinjava.render(template, context); // $ Alert + String renderedTemplate = jinjava.render(template, context); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { - String template = request.getParameter("template"); // $ Source + String template = request.getParameter("template"); // $ Source[java/server-side-template-injection] Jinjava jinjava = new Jinjava(); Map bindings = new HashMap<>(); - RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert + RenderResult renderResult = jinjava.renderForResult(template, bindings); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { - String template = request.getParameter("template"); // $ Source + String template = request.getParameter("template"); // $ Source[java/server-side-template-injection] Jinjava jinjava = new Jinjava(); Map bindings = new HashMap<>(); JinjavaConfig renderConfig = new JinjavaConfig(); - RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert + RenderResult renderResult = jinjava.renderForResult(template, bindings, renderConfig); // $ Alert[java/server-side-template-injection] } } diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java index 45beaf46fa19..c2404a83172d 100644 --- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java 
+++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/PebbleSSTI.java @@ -15,15 +15,15 @@ public class PebbleSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String templateName = request.getParameter("templateName"); // $ Source + String templateName = request.getParameter("templateName"); // $ Source[java/server-side-template-injection] PebbleEngine engine = new PebbleEngine.Builder().build(); - PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert + PebbleTemplate compiledTemplate = engine.getTemplate(templateName); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { - String templateName = request.getParameter("templateName"); // $ Source + String templateName = request.getParameter("templateName"); // $ Source[java/server-side-template-injection] PebbleEngine engine = new PebbleEngine.Builder().build(); - PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert + PebbleTemplate compiledTemplate = engine.getLiteralTemplate(templateName); // $ Alert[java/server-side-template-injection] } } diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java index 669b287ea797..ce8813ab902b 100644 --- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/ThymeleafSSTI.java 
@@ -18,20 +18,20 @@ public class ThymeleafSSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] try { TemplateEngine templateEngine = new TemplateEngine(); - templateEngine.process(code, (Set) null, (Context) null); // $ Alert - templateEngine.process(code, (Set) null, (Context) null, (Writer) null); // $ Alert - templateEngine.process(code, (Context) null); // $ Alert - templateEngine.process(code, (Context) null, (Writer) null); // $ Alert - templateEngine.processThrottled(code, (Set) null, (Context) null); // $ Alert - templateEngine.processThrottled(code, (Context) null); // $ Alert + templateEngine.process(code, (Set) null, (Context) null); // $ Alert[java/server-side-template-injection] + templateEngine.process(code, (Set) null, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection] + templateEngine.process(code, (Context) null); // $ Alert[java/server-side-template-injection] + templateEngine.process(code, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection] + templateEngine.processThrottled(code, (Set) null, (Context) null); // $ Alert[java/server-side-template-injection] + templateEngine.processThrottled(code, (Context) null); // $ Alert[java/server-side-template-injection] TemplateSpec spec = new TemplateSpec(code, ""); - templateEngine.process(spec, (Context) null); // $ Alert - templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert - templateEngine.processThrottled(spec, (Context) null); // $ Alert + templateEngine.process(spec, (Context) null); // $ Alert[java/server-side-template-injection] + templateEngine.process(spec, (Context) null, (Writer) null); // $ Alert[java/server-side-template-injection] + templateEngine.processThrottled(spec, (Context) null); // $ Alert[java/server-side-template-injection] } 
catch (Exception e) { } } diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java index 463a653525e5..f175cae98e41 100644 --- a/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjection/VelocitySSTI.java @@ -28,19 +28,19 @@ public class VelocitySSTI { @GetMapping(value = "bad1") public void bad1(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] VelocityContext context = null; String s = "We are using $project $name to render this."; StringWriter w = new StringWriter(); - Velocity.evaluate(context, w, "mystring", code); // $ Alert + Velocity.evaluate(context, w, "mystring", code); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad2") public void bad2(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] VelocityContext context = null; 
@@ -48,17 +48,17 @@ public void bad2(HttpServletRequest request) { StringWriter w = new StringWriter(); StringReader reader = new StringReader(code); - Velocity.evaluate(context, w, "mystring", reader); // $ Alert + Velocity.evaluate(context, w, "mystring", reader); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "bad3") public void bad3(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] RuntimeServices runtimeServices = null; StringReader reader = new StringReader(code); - runtimeServices.parse(reader, new Template()); // $ Alert + runtimeServices.parse(reader, new Template()); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "good1") @@ -78,7 +78,7 @@ public void good1(HttpServletRequest request) { @GetMapping(value = "bad5") public void bad5(HttpServletRequest request) { String name = "ttemplate"; - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] VelocityContext context = new VelocityContext(); context.put("code", code); @@ -90,8 +90,8 @@ public void bad5(HttpServletRequest request) { ctx.put("key", code); engine.evaluate(ctx, null, null, (String) null); // Safe engine.evaluate(ctx, null, null, (Reader) null); // Safe - engine.evaluate(null, null, null, code); // $ Alert - engine.evaluate(null, null, null, new StringReader(code)); // $ Alert + engine.evaluate(null, null, null, code); // $ Alert[java/server-side-template-injection] + engine.evaluate(null, null, null, new StringReader(code)); // $ Alert[java/server-side-template-injection] } @GetMapping(value = "good2") 
@@ -111,10 +111,10 @@ public void good2(HttpServletRequest request) { @GetMapping(value = "bad6") public void bad6(HttpServletRequest request) { - String code = request.getParameter("code"); // $ Source + String code = request.getParameter("code"); // $ Source[java/server-side-template-injection] StringResourceRepository repo = new StringResourceRepositoryImpl(); - repo.putStringResource("woogie2", code); // $ Alert + repo.putStringResource("woogie2", code); // $ Alert[java/server-side-template-injection] } } diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java index 0085ce516cc7..0de066c98721 100644 --- a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java +++ b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java 
@@ -16,18 +16,18 @@ public static void main(HttpServletRequest request) throws Exception { String user = request.getParameter("user"); String password = request.getParameter("password"); - String isAdmin = request.getParameter("isAdmin"); // $ Source + String isAdmin = request.getParameter("isAdmin"); // $ Source[java/user-controlled-bypass] // BAD: login is only executed if isAdmin is false, but isAdmin // is controlled by the user - if (isAdmin == "false") // $ Sink - login(user, password); // $ Alert + if (isAdmin == "false") // $ Sink[java/user-controlled-bypass] + login(user, password); // $ Alert[java/user-controlled-bypass] Cookie adminCookie = getCookies()[0]; // BAD: login is only executed if the cookie value is false, but the cookie // is controlled by the user - if (adminCookie.getValue().equals("false")) // $ Source Sink - login(user, password); // $ Alert + if (adminCookie.getValue().equals("false")) // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass] + login(user, password); // $ Alert[java/user-controlled-bypass] // GOOD: both methods are conditionally executed, but they probably // both perform the security-critical action @@ -73,8 +73,8 @@ public static void test(String user, String password) { public static void test2(String user, String password) { Cookie adminCookie = getCookies()[0]; // BAD: login may happen once or twice - if (adminCookie.getValue() == "false") // $ Source Sink - login(user, password); // $ Alert + if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass] + login(user, password); // $ Alert[java/user-controlled-bypass] else { // do something else doIt(); 
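Review bot: Several of the conditions now tagged `Sink[java/user-controlled-bypass]` compare strings by reference: `isAdmin == "false"` in `main`, and `adminCookie.getValue() == "false"` in `test2`, `test3`, `test7` and `test8`. For a value read from a request such a comparison is effectively always false, so these branches would not behave the way the neighbouring `// BAD:` comments describe. The expectation itself only needs the user-controlled value to reach the condition guarding `login`/`authorize`, and the cookie case in `main` already uses `.equals("false")`. If the `==` form is intentional, a short comment at the first occurrence would keep readers from treating it as a working check, e.g. `// == is a reference comparison; the query flags the tainted condition regardless of its result`. The bodies of `main` and `test2`–`test8` extend outside their hunks.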
@@ -85,8 +85,8 @@ public static void test2(String user, String password) { public static void test3(String user, String password) { Cookie adminCookie = getCookies()[0]; // BAD: login may not happen - if (adminCookie.getValue() == "false") // $ Source Sink - login(user, password); // $ Alert + if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass] + login(user, password); // $ Alert[java/user-controlled-bypass] else { // do something else doIt(); @@ -130,8 +130,8 @@ public static void test6(String user, String password) { public static void test7(String user, String password) { Cookie adminCookie = getCookies()[0]; // BAD: login is bypasseable - if (adminCookie.getValue() == "false") { // $ Source Sink - login(user, password); // $ Alert + if (adminCookie.getValue() == "false") { // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass] + login(user, password); // $ Alert[java/user-controlled-bypass] return; } else { doIt(); @@ -142,8 +142,8 @@ public static void test8(String user, String password) { Cookie adminCookie = getCookies()[0]; { // BAD: login may not happen - if (adminCookie.getValue() == "false") // $ Source Sink - authorize(user, password); // $ Alert + if (adminCookie.getValue() == "false") // $ Source[java/user-controlled-bypass] Sink[java/user-controlled-bypass] + authorize(user, password); // $ Alert[java/user-controlled-bypass] else { // do something else doIt(); diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java index 6bd0966ff289..70f5a0b2beed 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/Consume.java @@ -38,7 +38,7 @@ /** * The uri to consume from */ - String value() default ""; // $ Alert[java/dead-function] + String value() default ""; /** * The uri to consume from 
@@ -46,12 +46,12 @@ * @deprecated use value instead */ @Deprecated - String uri() default ""; // $ Alert[java/dead-function] + String uri() default ""; /** * Use the field or getter on the bean to provide the uri to consume from */ - String property() default ""; // $ Alert[java/dead-function] + String property() default ""; /** * Optional predicate (using simple language) to only consume if the predicate matches . This can be used to filter @@ -60,5 +60,5 @@ * Notice that only the first method that matches the predicate will be used. And if no predicate matches then the * message is dropped. */ - String predicate() default ""; // $ Alert[java/dead-function] + String predicate() default ""; } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java index e90e607e50c0..2dcc3ad5a7a4 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/ExpressionClause.java @@ -20,6 +20,6 @@ * Represents an expression clause within the DSL which when the expression is complete the clause continues to another * part of the DSL */ -public class ExpressionClause { // $ Alert[java/dead-class] +public class ExpressionClause { public T method(String ref) { return null; } } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java index 0cb300895bcb..9c1b8c45d68a 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/builder/RouteBuilder.java 
@@ -31,9 +31,9 @@ public abstract class RouteBuilder implements RoutesBuilder { * @param uri the from uri * @return the builder */ - public RouteDefinition from(String uri) { // $ Alert[java/dead-function] + public RouteDefinition from(String uri) { return null; } - public abstract void configure() throws Exception; // $ Alert[java/dead-function] + public abstract void configure() throws Exception; } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java index 22140d4b2f5b..2180623054ba 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/impl/DefaultCamelContext.java @@ -21,7 +21,7 @@ public class DefaultCamelContext implements ModelCamelContext { - public void configure() throws Exception {} // $ Alert[java/dead-function] + public void configure() throws Exception {} public void addRoutes(RoutesBuilder arg0) {} diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java index d3bed4347b5e..1138c8d37839 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/FilterDefinition.java @@ -16,4 +16,4 @@ */ package org.apache.camel.model; -public class FilterDefinition { } // $ Alert[java/dead-class] +public class FilterDefinition { } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java index 5c4045cdc95b..cfe55f5cc172 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java 
+++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/OutputDefinition.java @@ -19,5 +19,5 @@ /** * A useful base class for output types */ -public class OutputDefinition> extends ProcessorDefinition { // $ Alert[java/dead-class] +public class OutputDefinition> extends ProcessorDefinition { } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java index 37931b917961..2423e907b017 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/ProcessorDefinition.java @@ -18,7 +18,7 @@ import org.apache.camel.builder.ExpressionClause; -public abstract class ProcessorDefinition> { // $ Alert[java/dead-class] +public abstract class ProcessorDefinition> { public Type to(String uri) { return null; } public Type bean(Object bean) { return null; } diff --git a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java index 2052e6a0cdd1..2ab31d2126a0 100644 --- a/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java +++ b/java/ql/test/stubs/apache-camel-4.0.6/org/apache/camel/model/RouteDefinition.java @@ -16,7 +16,7 @@ */ package org.apache.camel.model; -public class RouteDefinition extends OutputDefinition { // $ Alert[java/dead-class] +public class RouteDefinition extends OutputDefinition { }