github · owen-mc · Jun 10, 2026 · Jun 10, 2026
@@ -1,2 +1,4 @@
 query: experimental/quantum/Examples/ReusedNonce.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
@@ -16,7 +16,7 @@ public static SecretKey generateAESKey() throws Exception {
 
     private static byte[] getRandomWrapper1() throws Exception {
         byte[] val = new byte[16];
-        new SecureRandom().nextBytes(val);
+        new SecureRandom().nextBytes(val); // $ Source
         return val;
     }
 
@@ -37,7 +37,7 @@ private static void funcA1(byte[] iv) throws Exception {
         IvParameterSpec ivSpec = new IvParameterSpec(iv);
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key = generateAESKey();
-        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcB1
+        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcB1
         byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
     }
 
@@ -46,7 +46,7 @@ private static void funcB1() throws Exception {
         IvParameterSpec ivSpec = new IvParameterSpec(iv);
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key = generateAESKey();
-        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // BAD: Reuse of `iv` in funcA1
+        cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // $ Alert // BAD: Reuse of `iv` in funcA1
         byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
     }
 
@@ -73,13 +73,13 @@ private static void funcA3() throws Exception {
         IvParameterSpec ivSpec1 = new IvParameterSpec(iv);
         Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key1 = generateAESKey();
-        cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // BAD: reuse of `iv` below
+        cipher.init(Cipher.ENCRYPT_MODE, key1, ivSpec1); // $ Alert // BAD: reuse of `iv` below
         byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
 
         IvParameterSpec ivSpec2 = new IvParameterSpec(iv);
         Cipher cipher2 = Cipher.getInstance("AES/CBC/PKCS5Padding");
         SecretKey key2 = generateAESKey();
-        cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // BAD: Reuse of `iv` above
+        cipher2.init(Cipher.ENCRYPT_MODE, key2, ivSpec2); // $ Alert // BAD: Reuse of `iv` above
         byte[] ciphertext2 = cipher2.doFinal("Simple Test Data".getBytes());
     }
 

@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
@@ -18,12 +18,12 @@ public class FilePathInjection extends Controller {
 
 	// BAD: Upload file to user specified path without validation
 	public void uploadFile() throws IOException {
-		String savePath = getPara("dir");
+		String savePath = getPara("dir"); // $ Source
 		File file = getFile("fileParam").getFile();
 		String finalFilePath = BASE_PATH + savePath;
 
 		FileInputStream fis = new FileInputStream(file);
-		FileOutputStream fos = new FileOutputStream(finalFilePath);
+		FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
 		int i = 0;
 
 		do {
@@ -61,15 +61,15 @@ public void uploadFile2() throws IOException {
 
 	// BAD: Upload file to user specified path without validation through session attribute
 	public void uploadFile3() throws IOException {
-		String savePath = getPara("dir");
+		String savePath = getPara("dir"); // $ Source
 		setSessionAttr("uploadDir", savePath);
 		String sessionUploadDir = getSessionAttr("uploadDir");
 
 		File file = getFile("fileParam").getFile();
 		String finalFilePath = BASE_PATH + sessionUploadDir;
 
 		FileInputStream fis = new FileInputStream(file);
-		FileOutputStream fos = new FileOutputStream(finalFilePath);
+		FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
 		int i = 0;
 
 		do {
@@ -84,15 +84,15 @@ public void uploadFile3() throws IOException {
 
 	// BAD: Upload file to user specified path without validation through request attribute
 	public void uploadFile4() throws IOException {
-		String savePath = getPara("dir");
+		String savePath = getPara("dir"); // $ Source
 		setAttr("uploadDir2", savePath);
 		String requestUploadDir = getAttr("uploadDir2");
 
 		File file = getFile("fileParam").getFile();
 		String finalFilePath = BASE_PATH + requestUploadDir;
 
 		FileInputStream fis = new FileInputStream(file);
-		FileOutputStream fos = new FileOutputStream(finalFilePath);
+		FileOutputStream fos = new FileOutputStream(finalFilePath); // $ Alert
 		int i = 0;
 
 		do {
@@ -179,7 +179,7 @@ private void readFile(HttpServletResponse resp, File file) {
 		FileInputStream fis = null;
 		try {
 			os = resp.getOutputStream();
-			fis = new FileInputStream(file);
+			fis = new FileInputStream(file); // $ Alert
 			byte fileContent[] = new byte[(int) file.length()];
 			fis.read(fileContent);
 			os.write(fileContent);
@@ -202,12 +202,12 @@ private void readFile(HttpServletResponse resp, File file) {
 	// BAD: Download file to user specified path without validation
 	public void downloadFile() throws FileNotFoundException, IOException {
 		HttpServletRequest request = getRequest();
-		String path = request.getParameter("path");
+		String path = request.getParameter("path"); // $ Source
 		String filePath = BASE_PATH + path;
 
 		HttpServletResponse resp = getResponse();
 		File file = new File(filePath);
-		if (path != null && file.exists()) {
+		if (path != null && file.exists()) { // $ Alert
 			resp.setHeader("Content-type", "application/force-download");
 			resp.setHeader("Content-Disposition", "inline;filename=\"" + filePath + "\"");
 			resp.setHeader("Content-Transfer-Encoding", "Binary");

@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-073/FilePathInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-078/ExecTainted.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
@@ -11,7 +11,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
             String host = "sshHost";
             String user = "user";
             String password = "password";
-            String command = request.getParameter("command");
+            String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
 
             java.util.Properties config = new java.util.Properties();
             config.put("StrictHostKeyChecking", "no");
@@ -24,7 +24,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 session.connect();
 
                 Channel channel = session.openChannel("exec");
-                ((ChannelExec) channel).setCommand("ping " + command);
+                ((ChannelExec) channel).setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
                 channel.setInputStream(null);
                 ((ChannelExec) channel).setErrStream(System.err);
 
@@ -37,7 +37,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             String host = "sshHost";
             String user = "user";
             String password = "password";
-            String command = request.getParameter("command");
+            String command = request.getParameter("command"); // $ Source[java/command-line-injection-experimental]
 
             java.util.Properties config = new java.util.Properties();
             config.put("StrictHostKeyChecking", "no");
@@ -50,7 +50,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
                 session.connect();
 
                 ChannelExec channel = (ChannelExec)session.openChannel("exec");
-                channel.setCommand("ping " + command);
+                channel.setCommand("ping " + command); // $ Alert[java/command-line-injection-experimental]
                 channel.setInputStream(null);
                 channel.setErrStream(System.err);
 

@@ -14,29 +14,29 @@ public class RuntimeExecTest {
     public static void test() {
         System.out.println("Command injection test");
 
-        String script = System.getenv("SCRIPTNAME");
+        String script = System.getenv("SCRIPTNAME"); // $ Source[java/command-line-injection-extra-local]
 
         if (script != null) {
             try {
                 // 1. array literal in the args
-                Runtime.getRuntime().exec(new String[]{"/bin/sh", script});
+                Runtime.getRuntime().exec(new String[]{"/bin/sh", script}); // $ Alert[java/command-line-injection-extra-local]
 
                 // 2. array literal with dataflow
                 String[] commandArray1 = new String[]{"/bin/sh", script};
-                Runtime.getRuntime().exec(commandArray1);
+                Runtime.getRuntime().exec(commandArray1); // $ Alert[java/command-line-injection-extra-local]
 
                 // 3. array assignment after it is created
                 String[] commandArray2 = new String[4];
                 commandArray2[0] = "/bin/sh";
                 commandArray2[1] = script;
-                Runtime.getRuntime().exec(commandArray2);
+                Runtime.getRuntime().exec(commandArray2); // $ Alert[java/command-line-injection-extra-local]
 
                 // 4. Stream concatenation
                 Runtime.getRuntime().exec(
-                    Stream.concat(
+                    Stream.concat( // $
                         Arrays.stream(new String[]{"/bin/sh"}),
                         Arrays.stream(new String[]{script})
-                    ).toArray(String[]::new)
+                    ).toArray(String[]::new) // $ Alert[java/command-line-injection-extra-local]
                 );
 
             } catch (Exception e) {

@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
@@ -16,55 +16,55 @@ public class MybatisSqlInjection {
 	private MybatisSqlInjectionService mybatisSqlInjectionService;
 
 	@GetMapping(value = "msi1")
-	public List<Test> bad1(@RequestParam String name) {
+	public List<Test> bad1(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
 		List<Test> result = mybatisSqlInjectionService.bad1(name);
 		return result;
 	}
 
 	@GetMapping(value = "msi2")
-	public List<Test> bad2(@RequestParam String name) {
+	public List<Test> bad2(@RequestParam String name) { // $ Source[java/mybatis-xml-sql-injection]
 		List<Test> result = mybatisSqlInjectionService.bad2(name);
 		return result;
 	}
 
 	@GetMapping(value = "msi3")
-	public List<Test> bad3(@ModelAttribute Test test) {
+	public List<Test> bad3(@ModelAttribute Test test) { // $ Source[java/mybatis-xml-sql-injection]
 		List<Test> result = mybatisSqlInjectionService.bad3(test);
 		return result;
 	}
 
 	@RequestMapping(value = "msi4", method = RequestMethod.POST, produces = "application/json")
-	public void bad4(@RequestBody Test test) {
+	public void bad4(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
 		mybatisSqlInjectionService.bad4(test);
 	}
 
 	@RequestMapping(value = "msi5", method = RequestMethod.PUT, produces = "application/json")
-	public void bad5(@RequestBody Test test) {
+	public void bad5(@RequestBody Test test) { // $ Source[java/mybatis-xml-sql-injection]
 		mybatisSqlInjectionService.bad5(test);
 	}
 
 	@RequestMapping(value = "msi6", method = RequestMethod.POST, produces = "application/json")
-	public void bad6(@RequestBody Map<String, String> params) {
+	public void bad6(@RequestBody Map<String, String> params) { // $ Source[java/mybatis-xml-sql-injection]
 		mybatisSqlInjectionService.bad6(params);
 	}
 
 	@RequestMapping(value = "msi7", method = RequestMethod.POST, produces = "application/json")
-	public void bad7(@RequestBody List<String> params) {
+	public void bad7(@RequestBody List<String> params) { // $ Source[java/mybatis-xml-sql-injection]
 		mybatisSqlInjectionService.bad7(params);
 	}
 
 	@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")
-	public void bad8(@RequestBody String[] params) {
+	public void bad8(@RequestBody String[] params) { // $ Source[java/mybatis-xml-sql-injection]
 		mybatisSqlInjectionService.bad8(params);
 	}
 
 	@GetMapping(value = "msi9")
-	public void bad9(@RequestParam String name) {
+	public void bad9(@RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
 		mybatisSqlInjectionService.bad9(name);
 	}
 
 	@GetMapping(value = "msi10")
-	public void bad10(@RequestParam Integer id, @RequestParam String name) {
+	public void bad10(@RequestParam Integer id, @RequestParam String name) { // $ Source[java/mybatis-annotation-sql-injection]
 		mybatisSqlInjectionService.bad10(id, name);
 	}
 

@@ -11,48 +11,48 @@ public class MybatisSqlInjectionService {
 	private SqlInjectionMapper sqlInjectionMapper;
 
 	public List<Test> bad1(String name) {
-		List<Test> result = sqlInjectionMapper.bad1(name);
+		List<Test> result = sqlInjectionMapper.bad1(name); // $ Alert[java/mybatis-xml-sql-injection]
 		return result;
 	}
 
 	public List<Test> bad2(String name) {
-		List<Test> result = sqlInjectionMapper.bad2(name);
+		List<Test> result = sqlInjectionMapper.bad2(name); // $ Alert[java/mybatis-xml-sql-injection]
 		return result;
 	}
 
 	public List<Test> bad3(Test test) {
-		List<Test> result = sqlInjectionMapper.bad3(test);
+		List<Test> result = sqlInjectionMapper.bad3(test); // $ Alert[java/mybatis-xml-sql-injection]
 		return result;
 	}
 
 	public void bad4(Test test) {
-		sqlInjectionMapper.bad4(test);
+		sqlInjectionMapper.bad4(test); // $ Alert[java/mybatis-xml-sql-injection]
 	}
 
 	public void bad5(Test test) {
-		sqlInjectionMapper.bad5(test);
+		sqlInjectionMapper.bad5(test); // $ Alert[java/mybatis-xml-sql-injection]
 	}
 
 	public void bad6(Map<String, String> params) {
-		sqlInjectionMapper.bad6(params);
+		sqlInjectionMapper.bad6(params); // $ Alert[java/mybatis-xml-sql-injection]
 	}
 
 	public void bad7(List<String> params) {
-		sqlInjectionMapper.bad7(params);
+		sqlInjectionMapper.bad7(params); // $ Alert[java/mybatis-xml-sql-injection]
 	}
 
 	public void bad8(String[] params) {
-		sqlInjectionMapper.bad8(params);
+		sqlInjectionMapper.bad8(params); // $ Alert[java/mybatis-xml-sql-injection]
 	}
 
 	public void bad9(String name) {
 		HashMap hashMap = new HashMap();
 		hashMap.put("name", name);
-		sqlInjectionMapper.bad9(hashMap);
+		sqlInjectionMapper.bad9(hashMap); // $ Alert[java/mybatis-annotation-sql-injection]
 	}
 
 	public void bad10(Integer id, String name) {
-		sqlInjectionMapper.bad10(id, name);
+		sqlInjectionMapper.bad10(id, name); // $ Alert[java/mybatis-annotation-sql-injection]
 	}
 
 	public List<Test> good1(Integer id) {

@@ -10,24 +10,24 @@ public class BeanShellInjection {
 
 	@GetMapping(value = "bad1")
 	public void bad1(HttpServletRequest request) {
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
 		BshScriptEvaluator evaluator = new BshScriptEvaluator();
-		evaluator.evaluate(new StaticScriptSource(code)); //bad
+		evaluator.evaluate(new StaticScriptSource(code)); // $ Alert[java/beanshell-injection] //bad
 	}
 
 	@GetMapping(value = "bad2")
 	public void bad2(HttpServletRequest request) throws Exception {
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
 		Interpreter interpreter = new Interpreter();
-		interpreter.eval(code);  //bad
+		interpreter.eval(code);  // $ Alert[java/beanshell-injection] //bad
 	}
 
 	@GetMapping(value = "bad3")
 	public void bad3(HttpServletRequest request) {
-		String code = request.getParameter("code");
+		String code = request.getParameter("code"); // $ Source[java/beanshell-injection]
 		StaticScriptSource staticScriptSource = new StaticScriptSource("test");
 		staticScriptSource.setScript(code);
 		BshScriptEvaluator evaluator = new BshScriptEvaluator();
-		evaluator.evaluate(staticScriptSource);  //bad
+		evaluator.evaluate(staticScriptSource);  // $ Alert[java/beanshell-injection] //bad
 	}
 }
@@ -1,2 +1,4 @@
 query: experimental/Security/CWE/CWE-094/BeanShellInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql