Java: apply query alert restrictions

Author: cklin

java/ql/lib/semmle/code/java/security/CleartextStorageQuery.qll

@@ -36,7 +36,8 @@ abstract class Storable extends Call {
   abstract Expr getAStore();
 }
 
-private module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
+/** Flow configuration for sensitive data flowing into cleartext storage. */
+module SensitiveSourceFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SensitiveExpr }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof CleartextStorageSink }

java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll

@@ -7,7 +7,7 @@ private import semmle.code.java.security.InformationLeak
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
  */
-private class PrintStackTraceMethod extends Method {
+class PrintStackTraceMethod extends Method {
   PrintStackTraceMethod() {
     this.getDeclaringType()
         .getSourceDeclaration()
@@ -17,7 +17,11 @@ private class PrintStackTraceMethod extends Method {
   }
 }
 
-private module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig {
+/**
+ * Flow configuration for xss vulnerable writer source flowing to `Throwable.printStackTrace()` on
+ * a stream that is connected to external output.
+ */
+module ServletWriterSourceToPrintStackTraceMethodFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src instanceof XssVulnerableWriterSourceNode }
 
   predicate isSink(DataFlow::Node sink) {
@@ -55,7 +59,10 @@ private predicate printWriterOnStringWriter(Expr printWriter, Variable stringWri
   )
 }
 
-private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
+/**
+ * Holds if `stackTraceString` writes the stack trace from `exception` to a string.
+ */
+predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
   exists(Expr printWriter, Variable stringWriterVar, MethodCall printStackCall |
     printWriterOnStringWriter(printWriter, stringWriterVar) and
     printStackCall.getMethod() instanceof PrintStackTraceMethod and
@@ -66,7 +73,8 @@ private predicate stackTraceExpr(Expr exception, MethodCall stackTraceString) {
   )
 }
 
-private module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
+/** Flow configuration for stack trace flowing to http response. */
+module StackTraceStringToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -334,7 +334,7 @@ deprecated class UnsafeDeserializationConfig extends TaintTracking::Configuratio
 }
 
 /** Tracks flows from remote user input to a deserialization sink. */
-private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
+module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }

java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql

@@ -35,6 +35,7 @@ Variable getVariable(Expr dest) {
 
 from DangerousAssignOpExpr a, Expr e, Top v
 where
+  AlertFiltering::filterByLocatable(a) and
   e = a.getSource() and
   problematicCasting(a.getDest().getType(), e) and
   (

java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql

@@ -12,6 +12,7 @@
  *       external/cwe/cwe-020
  */
 
+private import semmle.code.java.AlertFiltering
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.OverlyLargeRangeQuery::Make<TreeView>
 
@@ -22,6 +23,7 @@ TreeView::RegExpCharacterClass potentialMisparsedCharClass() {
 
 from TreeView::RegExpCharacterRange range, string reason
 where
+  AlertFiltering::filterByLocation(range.getLocation()) and
   problem(range, reason) and
   not range.getParent() = potentialMisparsedCharClass()
 select range, "Suspicious character range that " + reason + "."

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -16,6 +16,9 @@
 import java
 import semmle.code.java.security.PathCreation
 import semmle.code.java.security.TaintedPathQuery
+
+module TaintedPathFlow = TaintTracking::Global<DataFlow::FilteredConfig<TaintedPathConfig>>;
+
 import TaintedPathFlow::PathGraph
 
 from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink

java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

@@ -14,6 +14,9 @@
 
 import java
 import semmle.code.java.security.ZipSlipQuery
+
+module ZipSlipFlow = TaintTracking::Global<DataFlow::FilteredConfig<ZipSlipConfig>>;
+
 import ZipSlipFlow::PathGraph
 
 from ZipSlipFlow::PathNode source, ZipSlipFlow::PathNode sink

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql

@@ -11,6 +11,10 @@
  */
 
 import semmle.code.java.security.PartialPathTraversalQuery
+
+module PartialPathTraversalFromRemoteFlow =
+  TaintTracking::Global<DataFlow::FilteredConfig<PartialPathTraversalFromRemoteConfig>>;
+
 import PartialPathTraversalFromRemoteFlow::PathGraph
 
 from

java/ql/src/Security/CWE/CWE-074/JndiInjection.ql

@@ -13,6 +13,9 @@
 
 import java
 import semmle.code.java.security.JndiInjectionQuery
+
+module JndiInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<JndiInjectionFlowConfig>>;
+
 import JndiInjectionFlow::PathGraph
 
 from JndiInjectionFlow::PathNode source, JndiInjectionFlow::PathNode sink

java/ql/src/Security/CWE/CWE-074/XsltInjection.ql

@@ -13,6 +13,9 @@
 
 import java
 import semmle.code.java.security.XsltInjectionQuery
+
+module XsltInjectionFlow = TaintTracking::Global<DataFlow::FilteredConfig<XsltInjectionFlowConfig>>;
+
 import XsltInjectionFlow::PathGraph
 
 from XsltInjectionFlow::PathNode source, XsltInjectionFlow::PathNode sink