Java: Deprecate experimental queries.

java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql

@@ -111,9 +111,11 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
   )
 }
 
-from SpringBootPom pom, ApplicationProperties ap, Dependency d
-where
-  hasConfidentialEndPointExposed(pom, ap) and
-  d = pom.getADependency() and
-  d.getArtifact().getValue() = "spring-boot-starter-actuator"
-select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+deprecated query predicate problems(Dependency d, string message) {
+  exists(SpringBootPom pom, ApplicationProperties ap |
+    hasConfidentialEndPointExposed(pom, ap) and
+    d = pom.getADependency() and
+    d.getArtifact().getValue() = "spring-boot-starter-actuator"
+  ) and
+  message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+}

java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.ql

@@ -12,8 +12,9 @@
  */
 
 import java
-import SpringBootActuators
+deprecated import SpringBootActuators
 
-from PermitAllCall permitAllCall
-where permitAllCall.permitsSpringBootActuators()
-select permitAllCall, "Unauthenticated access to Spring Boot actuator is allowed."
+deprecated query predicate problems(PermitAllCall permitAllCall, string message) {
+  permitAllCall.permitsSpringBootActuators() and
+  message = "Unauthenticated access to Spring Boot actuator is allowed."
+}

java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 
 /** The class `org.springframework.security.config.annotation.web.builders.HttpSecurity`. */

java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

@@ -52,7 +52,13 @@ module Log4jInjectionConfig implements DataFlow::ConfigSig {
  */
 module Log4jInjectionFlow = TaintTracking::Global<Log4jInjectionConfig>;
 
-from Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink
-where Log4jInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Log4j log entry depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, Log4jInjectionFlow::PathNode source, Log4jInjectionFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  Log4jInjectionFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "Log4j log entry depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

@@ -53,11 +53,11 @@ module RemoteUrlToOpenStreamFlowConfig implements DataFlow::ConfigSig {
 
 module RemoteUrlToOpenStreamFlow = TaintTracking::Global<RemoteUrlToOpenStreamFlowConfig>;
 
-from
-  RemoteUrlToOpenStreamFlow::PathNode source, RemoteUrlToOpenStreamFlow::PathNode sink,
-  MethodCall call
-where
+deprecated query predicate problems(
+  MethodCall call, RemoteUrlToOpenStreamFlow::PathNode source,
+  RemoteUrlToOpenStreamFlow::PathNode sink, string message
+) {
   sink.getNode().asExpr() = call.getQualifier() and
-  RemoteUrlToOpenStreamFlow::flowPath(source, sink)
-select call, source, sink,
-  "URL on which openStream is called may have been constructed from remote source."
+  RemoteUrlToOpenStreamFlow::flowPath(source, sink) and
+  message = "URL on which openStream is called may have been constructed from remote source."
+}

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -66,7 +66,13 @@ module InjectFilePathConfig implements DataFlow::ConfigSig {
 
 module InjectFilePathFlow = TaintTracking::Global<InjectFilePathConfig>;
 
-from InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink
-where InjectFilePathFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "External control of file name or path due to $@.",
-  source.getNode(), "user-provided value"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, InjectFilePathFlow::PathNode source, InjectFilePathFlow::PathNode sink,
+  string message1, DataFlow::Node sourceNode, string message2
+) {
+  InjectFilePathFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "External control of file name or path due to $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

java/ql/src/experimental/Security/CWE/CWE-073/JFinalController.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 private import semmle.code.java.dataflow.FlowSources
 

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql

@@ -11,15 +11,24 @@
  *       external/cwe/cwe-078
  */
 
-import CommandInjectionRuntimeExec
-import ExecUserFlow::PathGraph
+import semmle.code.java.dataflow.DataFlow
+deprecated import CommandInjectionRuntimeExec
+deprecated import ExecUserFlow::PathGraph
 
-class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
+deprecated class ThreatModelSource extends Source instanceof ActiveThreatModelSource { }
 
-from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
-  DataFlow::Node sinkCmd
-where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
-select sink, source, sink,
-  "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+deprecated query predicate problems(
+  ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
+  string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
+  string message3
+) {
+  exists(DataFlow::Node sinkCmd |
+    callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd) and
+    sink0 = sink and
+    message1 =
+      "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
+    message2 = sourceCmd.toString() and
+    sourceNode = source.getNode() and
+    message3 = source.toString()
+  )
+}

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions
 import semmle.code.java.dataflow.DataFlow

java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql

@@ -12,15 +12,23 @@
  *       external/cwe/cwe-078
  */
 
-import CommandInjectionRuntimeExec
-import ExecUserFlow::PathGraph
+deprecated import CommandInjectionRuntimeExec
+deprecated import ExecUserFlow::PathGraph
 
-class LocalSource extends Source instanceof LocalUserInput { }
+deprecated class LocalSource extends Source instanceof LocalUserInput { }
 
-from
-  ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink, DataFlow::Node sourceCmd,
-  DataFlow::Node sinkCmd
-where callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd)
-select sink, source, sink,
-  "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'",
-  sourceCmd, sourceCmd.toString(), source.getNode(), source.toString()
+deprecated query predicate problems(
+  ExecUserFlow::PathNode sink, ExecUserFlow::PathNode source, ExecUserFlow::PathNode sink0,
+  string message1, DataFlow::Node sourceCmd, string message2, DataFlow::Node sourceNode,
+  string message3
+) {
+  exists(DataFlow::Node sinkCmd |
+    callIsTaintedByUserInputAndDangerousCommand(source, sink, sourceCmd, sinkCmd) and
+    sink0 = sink and
+    message1 =
+      "Call to dangerous java.lang.Runtime.exec() with command '$@' with arg from untrusted input '$@'" and
+    message2 = sourceCmd.toString() and
+    sourceNode = source.getNode() and
+    message3 = source.toString()
+  )
+}

java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql

@@ -22,8 +22,13 @@ private class ActivateModels extends ActiveExperimentalModels {
 }
 
 // This is a clone of query `java/command-line-injection` that also includes experimental sinks.
-from
-  InputToArgumentToExecFlow::PathNode source, InputToArgumentToExecFlow::PathNode sink, Expr execArg
-where execIsTainted(source, sink, execArg)
-select execArg, source, sink, "This command line depends on a $@.", source.getNode(),
-  "user-provided value"
+deprecated query predicate problems(
+  Expr execArg, InputToArgumentToExecFlow::PathNode source,
+  InputToArgumentToExecFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
+  string message2
+) {
+  execIsTainted(source, sink, execArg) and
+  message1 = "This command line depends on a $@." and
+  sourceNode = source.getNode() and
+  message2 = "user-provided value"
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

@@ -13,14 +13,14 @@
  */
 
 import java
-import MyBatisCommonLib
-import MyBatisAnnotationSqlInjectionLib
+deprecated import MyBatisCommonLib
+deprecated import MyBatisAnnotationSqlInjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.security.Sanitizers
 import MyBatisAnnotationSqlInjectionFlow::PathGraph
 
-private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
+deprecated private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisAnnotatedMethodCallArgument }
@@ -37,22 +37,27 @@ private module MyBatisAnnotationSqlInjectionConfig implements DataFlow::ConfigSi
   }
 }
 
-private module MyBatisAnnotationSqlInjectionFlow =
+deprecated private module MyBatisAnnotationSqlInjectionFlow =
   TaintTracking::Global<MyBatisAnnotationSqlInjectionConfig>;
 
-from
-  MyBatisAnnotationSqlInjectionFlow::PathNode source,
-  MyBatisAnnotationSqlInjectionFlow::PathNode sink, IbatisSqlOperationAnnotation isoa,
-  MethodCall ma, string unsafeExpression
-where
-  MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
-  ma.getAnArgument() = sink.getNode().asExpr() and
-  myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
-  unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
-  (
-    isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression) or
-    isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression)
-  )
-select sink.getNode(), source, sink,
-  "MyBatis annotation SQL injection might include code from $@ to $@.", source.getNode(),
-  "this user input", isoa, "this SQL operation"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, MyBatisAnnotationSqlInjectionFlow::PathNode source,
+  MyBatisAnnotationSqlInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
+  string message2, IbatisSqlOperationAnnotation isoa, string message3
+) {
+  exists(MethodCall ma, string unsafeExpression |
+    MyBatisAnnotationSqlInjectionFlow::flowPath(source, sink) and
+    ma.getAnArgument() = sinkNode.asExpr() and
+    myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
+    unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
+    (
+      isMybatisXmlOrAnnotationSqlInjection(sinkNode, ma, unsafeExpression) or
+      isMybatisCollectionTypeSqlInjection(sinkNode, ma, unsafeExpression)
+    )
+  ) and
+  sinkNode = sink.getNode() and
+  message1 = "MyBatis annotation SQL injection might include code from $@ to $@." and
+  sourceNode = source.getNode() and
+  message2 = "this user input" and
+  message3 = "this SQL operation"
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll

@@ -1,6 +1,7 @@
 /**
  * Provides classes for SQL injection detection regarding MyBatis annotated methods.
  */
+deprecated module;
 
 import java
 import MyBatisCommonLib

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll

@@ -1,6 +1,7 @@
 /**
  * Provides public classes for MyBatis SQL injection detection.
  */
+deprecated module;
 
 import java
 import semmle.code.xml.MyBatisMapperXML

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql

@@ -13,14 +13,14 @@
  */
 
 import java
-import MyBatisCommonLib
-import MyBatisMapperXmlSqlInjectionLib
+deprecated import MyBatisCommonLib
+deprecated import MyBatisMapperXmlSqlInjectionLib
 import semmle.code.xml.MyBatisMapperXML
 import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.security.Sanitizers
-import MyBatisMapperXmlSqlInjectionFlow::PathGraph
+deprecated import MyBatisMapperXmlSqlInjectionFlow::PathGraph
 
-private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
+deprecated private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperMethodCallAnArgument }
@@ -37,24 +37,29 @@ private module MyBatisMapperXmlSqlInjectionConfig implements DataFlow::ConfigSig
   }
 }
 
-private module MyBatisMapperXmlSqlInjectionFlow =
+deprecated private module MyBatisMapperXmlSqlInjectionFlow =
   TaintTracking::Global<MyBatisMapperXmlSqlInjectionConfig>;
 
-from
-  MyBatisMapperXmlSqlInjectionFlow::PathNode source,
-  MyBatisMapperXmlSqlInjectionFlow::PathNode sink, MyBatisMapperXmlElement mmxe, MethodCall ma,
-  string unsafeExpression
-where
-  MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and
-  ma.getAnArgument() = sink.getNode().asExpr() and
-  myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and
-  unsafeExpression = getAMybatisXmlSetValue(mmxe) and
-  (
-    isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression)
-    or
-    mmxe instanceof MyBatisMapperForeach and
-    isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression)
-  )
-select sink.getNode(), source, sink,
-  "MyBatis Mapper XML SQL injection might include code from $@ to $@.", source.getNode(),
-  "this user input", mmxe, "this SQL operation"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, MyBatisMapperXmlSqlInjectionFlow::PathNode source,
+  MyBatisMapperXmlSqlInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode,
+  string message2, MyBatisMapperXmlElement mmxe, string message3
+) {
+  exists(MethodCall ma, string unsafeExpression |
+    MyBatisMapperXmlSqlInjectionFlow::flowPath(source, sink) and
+    ma.getAnArgument() = sinkNode.asExpr() and
+    myBatisMapperXmlElementFromMethod(ma.getMethod(), mmxe) and
+    unsafeExpression = getAMybatisXmlSetValue(mmxe) and
+    (
+      isMybatisXmlOrAnnotationSqlInjection(sinkNode, ma, unsafeExpression)
+      or
+      mmxe instanceof MyBatisMapperForeach and
+      isMybatisCollectionTypeSqlInjection(sinkNode, ma, unsafeExpression)
+    )
+  ) and
+  sinkNode = sink.getNode() and
+  message1 = "MyBatis Mapper XML SQL injection might include code from $@ to $@." and
+  sourceNode = source.getNode() and
+  message2 = "this user input" and
+  message3 = "this SQL operation"
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll

@@ -1,6 +1,7 @@
 /**
  * Provide classes for SQL injection detection in MyBatis Mapper XML.
  */
+deprecated module;
 
 import java
 import semmle.code.xml.MyBatisMapperXML

java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql

@@ -12,12 +12,12 @@
  */
 
 import java
-import BeanShellInjection
+deprecated import BeanShellInjection
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-import BeanShellInjectionFlow::PathGraph
+deprecated import BeanShellInjectionFlow::PathGraph
 
-module BeanShellInjectionConfig implements DataFlow::ConfigSig {
+deprecated module BeanShellInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof BeanShellInjectionSink }
@@ -41,9 +41,15 @@ module BeanShellInjectionConfig implements DataFlow::ConfigSig {
   }
 }
 
-module BeanShellInjectionFlow = TaintTracking::Global<BeanShellInjectionConfig>;
+deprecated module BeanShellInjectionFlow = TaintTracking::Global<BeanShellInjectionConfig>;
 
-from BeanShellInjectionFlow::PathNode source, BeanShellInjectionFlow::PathNode sink
-where BeanShellInjectionFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "BeanShell injection from $@.", source.getNode(),
-  "this user input"
+deprecated query predicate problems(
+  DataFlow::Node sinkNode, BeanShellInjectionFlow::PathNode source,
+  BeanShellInjectionFlow::PathNode sink, string message1, DataFlow::Node sourceNode, string message2
+) {
+  BeanShellInjectionFlow::flowPath(source, sink) and
+  sinkNode = sink.getNode() and
+  message1 = "BeanShell injection from $@." and
+  sourceNode = source.getNode() and
+  message2 = "this user input"
+}

java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 import semmle.code.java.dataflow.FlowSources
 

java/ql/src/experimental/Security/CWE/CWE-094/FlowUtils.qll

@@ -1,3 +1,5 @@
+deprecated module;
+
 import java
 import semmle.code.java.dataflow.FlowSources