github
diff --git a/‎java/ql/lib/ext/java.awt.model.yml‎
Lines changed: 2 additions & 1 deletion b/‎java/ql/lib/ext/java.awt.model.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎java/ql/lib/ext/java.io.model.yml‎
Lines changed: 6 additions & 5 deletions b/‎java/ql/lib/ext/java.io.model.yml‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎java/ql/lib/ext/java.lang.model.yml‎
Lines changed: 22 additions & 26 deletions b/‎java/ql/lib/ext/java.lang.model.yml‎
Lines changed: 22 additions & 26 deletions
diff --git a/‎java/ql/lib/ext/java.lang.reflect.model.yml‎
Lines changed: 4 additions & 9 deletions b/‎java/ql/lib/ext/java.lang.reflect.model.yml‎
Lines changed: 4 additions & 9 deletions
diff --git a/‎java/ql/lib/ext/java.math.model.yml‎
Lines changed: 2 additions & 4 deletions b/‎java/ql/lib/ext/java.math.model.yml‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎java/ql/lib/ext/java.nio.charset.model.yml‎
Lines changed: 2 additions & 2 deletions b/‎java/ql/lib/ext/java.nio.charset.model.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎java/ql/lib/ext/java.nio.file.model.yml‎
Lines changed: 1 addition & 2 deletions b/‎java/ql/lib/ext/java.nio.file.model.yml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎java/ql/lib/ext/java.nio.model.yml‎
Lines changed: 1 addition & 1 deletion b/‎java/ql/lib/ext/java.nio.model.yml‎
Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,8 @@ extensions:
       pack: codeql/java-all
       extensible: summaryModel
     data:
-      - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"] # ! signature as "" instead?
+      - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
+      - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "ReturnValue", "value", "manual"]
       - ["java.awt", "Container", True, "add", "(Component,Object)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
 
   - addsTo:
 
@@ -69,7 +69,9 @@ extensions:
       - ["java.io", "File", True, "getCanonicalFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getCanonicalPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["java.io", "File", False, "getPath", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! True versus False (maybe it's private/hidden?).. (and neutral instead?)
+      - ["java.io", "File", True, "getParentFile", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["java.io", "File", True, "getPath", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["java.io", "File", True, "listFiles", "()", "", "Argument[-1]", "ReturnValue.ArrayElement", "taint", "manual"]
       - ["java.io", "File", True, "toPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -90,24 +92,23 @@ extensions:
       - ["java.io", "OutputStream", True, "write", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.io", "Reader", True, "read", "", "", "Argument[this]", "Argument[0]", "taint", "manual"]
       - ["java.io", "StringReader", False, "StringReader", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
-      - ["java.io", "StringWriter", False, "toString", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! currently supported by taintPreservingQualifierToMethod?
+      - ["java.io", "StringWriter", False, "toString", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! keep an eye on this one for FP flow, already modeled in `taintPreservingQualifierToMethod` predicate?
       - ["java.io", "UncheckedIOException", False, "UncheckedIOException", "(IOException)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
       - ["java.io", "Writer", True, "write", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
     data:
       - ["java.io", "Closeable", "close", "()", "manual"]
+      - ["java.io", "DataOutput", "writeBoolean", "(boolean)", "manual"]
       - ["java.io", "File", "delete", "()", "manual"]
       - ["java.io", "File", "exists", "()", "manual"]
-      - ["java.io", "File", "getParentFile", "()", "manual"] # ! little unsure about this as a neutral
       - ["java.io", "File", "isFile", "()", "manual"]
       - ["java.io", "File", "length", "()", "manual"]
-      - ["java.io", "File", "listFiles", "()", "manual"] # ! little unsure about this as a neutral
       - ["java.io", "File", "isDirectory", "()", "manual"]
       - ["java.io", "File", "mkdirs", "()", "manual"]
       - ["java.io", "InputStream", "close", "()", "manual"]
-      - ["java.io", "OutputStream", "flush", "()", "manual"] # ! little unsure about this as a neutral, but not sure how to represent output if summary model...
+      - ["java.io", "OutputStream", "flush", "()", "manual"]
 
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
 
@@ -108,30 +108,33 @@ extensions:
       - ["java.lang", "String", False, "valueOf", "(char)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      # ! why do below have subtype=True for constructors?
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(CharSequence)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.lang", "StringBuilder", True, "StringBuilder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.lang", "StringBuilder", False, "delete", "(int,int)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "System", False, "arraycopy", "", "", "Argument[0]", "Argument[2]", "taint", "manual"]
-      - ["java.lang", "System", False, "getenv", "(String)", "", "Argument[-1].MapValue", "ReturnValue", "value", "manual"] # ! neutral instead?
-      - ["java.lang", "System", False, "getenv", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]  # ! really unsure about this...; neutral instead? -- or unmodelled
-      - ["java.lang", "Thread", False, "Thread", "(Runnable)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] # ! neutral instead?
+      - ["java.lang", "Thread", False, "Thread", "(Runnable)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["java.lang", "Thread", False, "Thread", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Thread.name]", "value", "manual"]
       - ["java.lang", "Thread", True, "getName", "()", "", "Argument[-1].SyntheticField[java.lang.Thread.name]", "ReturnValue", "value", "manual"]
-      - ["java.lang", "ThreadLocal", True, "get", "()", "", "Argument[-1].SyntheticField[java.lang.ThreadLocal.value]", "ReturnValue", "value", "manual"] # ! not sure if this model is correct, and if should be neutral model instead
+      - ["java.lang", "ThreadLocal", True, "get", "()", "", "Argument[-1].SyntheticField[java.lang.ThreadLocal.value]", "ReturnValue", "value", "manual"]
+      - ["java.lang", "ThreadLocal", True, "set", "(Object)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.ThreadLocal.value]", "value", "manual"]
       - ["java.lang", "Throwable", False, "Throwable", "(Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
+      - ["java.lang", "Throwable", False, "Throwable", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.lang", "Throwable", True, "getCause", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
       - ["java.lang", "Throwable", True, "getMessage", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
-      - ["java.lang", "Throwable", True, "getLocalizedMessage", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]  # ! should the field used be different?
-      - ["java.lang", "Throwable", True, "toString", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "taint", "manual"] # ! little unsure about this one...
+      - ["java.lang", "Throwable", True, "getLocalizedMessage", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
+      - ["java.lang", "Throwable", True, "toString", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "taint", "manual"] # ! watch for FPs
+
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
     data:
       - ["java.lang", "AbstractStringBuilder", "length", "()", "manual"]
-      - ["java.lang", "AbstractStringBuilder", "setCharAt", "(int,char)", "manual"] # ! char manipulation not interesting? (or interesting since could set many chars... prbly switch to summary model)
-      - ["java.lang", "AbstractStringBuilder", "setLength", "(int)", "manual"] # ! summary?
+      - ["java.lang", "AbstractStringBuilder", "setCharAt", "(int,char)", "manual"]
+      - ["java.lang", "AbstractStringBuilder", "setLength", "(int)", "manual"]
+      - ["java.lang", "Boolean", "booleanValue", "()", "manual"]
       - ["java.lang", "Boolean", "equals", "(Object)", "manual"]
+      - ["java.lang", "Boolean", "parseBoolean", "(String)", "manual"]
       - ["java.lang", "Boolean", "valueOf", "(boolean)", "manual"]
       - ["java.lang", "CharSequence", "length", "()", "manual"]
       - ["java.lang", "Class", "forName", "(String)", "manual"]
@@ -179,42 +182,35 @@ extensions:
       - ["java.lang", "String", "valueOf", "(boolean)", "manual"]
       - ["java.lang", "System", "currentTimeMillis", "()", "manual"]
       - ["java.lang", "System", "exit", "(int)", "manual"]
+      - ["java.lang", "System", "getenv", "(String)", "manual"]
       - ["java.lang", "System", "identityHashCode", "(Object)", "manual"]
-      - ["java.lang", "System", "lineSeparator", "()", "manual"] # ! double-check...
+      - ["java.lang", "System", "lineSeparator", "()", "manual"]
       - ["java.lang", "System", "nanoTime", "()", "manual"]
       - ["java.lang", "Thread", "currentThread", "()", "manual"]
-      - ["java.lang", "Thread", "getContextClassLoader", "()", "manual"] # ! summary instead?
+      - ["java.lang", "Thread", "getContextClassLoader", "()", "manual"]
       - ["java.lang", "Thread", "interrupt", "()", "manual"]
       - ["java.lang", "Thread", "sleep", "(long)", "manual"]
       - ["java.lang", "Thread", "start", "()", "manual"]
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
-      - ["java.lang", "Boolean", "booleanValue", "()", "manual"]          # taint-numeric
-      - ["java.lang", "Boolean", "parseBoolean", "(String)", "manual"]    # taint-numeric
       - ["java.lang", "Double", "doubleToLongBits", "(double)", "manual"] # taint-numeric
       - ["java.lang", "Double", "parseDouble", "(String)", "manual"]      # taint-numeric
       - ["java.lang", "Double", "valueOf", "(double)", "manual"]          # taint-numeric
       - ["java.lang", "Integer", "Integer", "(int)", "manual"]            # taint-numeric
       - ["java.lang", "Integer", "intValue", "()", "manual"]              # taint-numeric
       - ["java.lang", "Integer", "parseInt", "(String)", "manual"]        # taint-numeric
       - ["java.lang", "Integer", "toHexString", "(int)", "manual"]        # taint-numeric
-      - ["java.lang", "Integer", "toString", "()", "manual"]              # taint-numeric
-      - ["java.lang", "Integer", "toString", "(int)", "manual"]           # taint-numeric
-      - ["java.lang", "Integer", "valueOf", "(int)", "manual"]            # taint-numeric
-      - ["java.lang", "Integer", "valueOf", "(String)", "manual"]         # taint-numeric # ! should probably make this and others like it have a "" signature instead...
+      - ["java.lang", "Integer", "toString", "", "manual"]                # taint-numeric
+      - ["java.lang", "Integer", "valueOf", "", "manual"]                 # taint-numeric
       - ["java.lang", "Long", "Long", "(long)", "manual"]                 # taint-numeric
       - ["java.lang", "Long", "intValue", "()", "manual"]                 # taint-numeric
       - ["java.lang", "Long", "longValue", "()", "manual"]                # taint-numeric
       - ["java.lang", "Long", "parseLong", "(String)", "manual"]          # taint-numeric
-      - ["java.lang", "Long", "toString", "()", "manual"]                 # taint-numeric
-      - ["java.lang", "Long", "toString", "(long)", "manual"]             # taint-numeric
-      - ["java.lang", "Long", "valueOf", "(long)", "manual"]              # taint-numeric
-      - ["java.lang", "Long", "valueOf", "(String)", "manual"]            # taint-numeric
-      - ["java.lang", "Math", "max", "(int,int)", "manual"]               # value-numeric
-      - ["java.lang", "Math", "max", "(long,long)", "manual"]             # value-numeric
-      - ["java.lang", "Math", "min", "(int,int)", "manual"]               # value-numeric
-      - ["java.lang", "Math", "min", "(long,long)", "manual"]             # value-numeric
-      - ["java.lang", "Number", "doubleValue", "()", "manual"]            # taint-numeric # ! remove others that could rely on subtyping through Number instead? (e.g. Double, Integer, etc.)
+      - ["java.lang", "Long", "toString", "", "manual"]                   # taint-numeric
+      - ["java.lang", "Long", "valueOf", "", "manual"]                    # taint-numeric
+      - ["java.lang", "Math", "max", "", "manual"]                        # value-numeric
+      - ["java.lang", "Math", "min", "", "manual"]                        # value-numeric
+      - ["java.lang", "Number", "doubleValue", "()", "manual"]            # taint-numeric
       - ["java.lang", "Number", "intValue", "()", "manual"]               # taint-numeric
       - ["java.lang", "Number", "longValue", "()", "manual"]              # taint-numeric
       - ["java.lang", "String", "valueOf", "(int)", "manual"]             # taint-numeric
 
@@ -1,14 +1,9 @@
 extensions:
-  - addsTo:
-      pack: codeql/java-all
-      extensible: summaryModel
-    data:
-      - ["java.lang.reflect", "Constructor", False, "newInstance", "(Object[])", "", "Argument[0].ArrayElement", "ReturnValue.Parameter", "value", "manual"] # ! unsure about input/output
-      - ["java.lang.reflect", "Field", False, "get", "(Object)", "", "Argument[0].Field", "ReturnValue", "value", "manual"] # ! very unsure about
-      - ["java.lang.reflect", "Method", False, "invoke", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[-1].Parameter[0]", "value", "manual"] # ! very unsure if this model is correct...
-
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
     data:
-      - ["java.lang.reflect", "Method", "getName", "()", "manual"] # ! seems uninteresting flow to me, but maybe double-check
+      - ["java.lang.reflect", "Constructor", "newInstance", "(Object[])", "manual"]
+      - ["java.lang.reflect", "Field", "get", "(Object)", "manual"]
+      - ["java.lang.reflect", "Method", "getName", "()", "manual"]
+      - ["java.lang.reflect", "Method", "invoke", "(Object,Object[])", "manual"]
@@ -7,8 +7,7 @@ extensions:
 
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
-      - ["java.math", "BigDecimal", "BigDecimal", "(int)", "manual"]            # taint-numeric
-      - ["java.math", "BigDecimal", "BigDecimal", "(String)", "manual"]         # taint-numeric
+      - ["java.math", "BigDecimal", "BigDecimal", "", "manual"]                 # taint-numeric
       - ["java.math", "BigDecimal", "add", "(BigDecimal)", "manual"]            # taint-numeric
       - ["java.math", "BigDecimal", "doubleValue", "()", "manual"]              # taint-numeric
       - ["java.math", "BigDecimal", "intValue", "()", "manual"]                 # taint-numeric
@@ -17,8 +16,7 @@ extensions:
       - ["java.math", "BigDecimal", "subtract", "(BigDecimal)", "manual"]       # taint-numeric
       - ["java.math", "BigDecimal", "toBigInteger", "()", "manual"]             # taint-numeric
       - ["java.math", "BigDecimal", "toString", "()", "manual"]                 # taint-numeric
-      - ["java.math", "BigDecimal", "valueOf", "(double)", "manual"]            # taint-numeric
-      - ["java.math", "BigDecimal", "valueOf", "(long)", "manual"]              # taint-numeric
+      - ["java.math", "BigDecimal", "valueOf", "", "manual"]                    # taint-numeric
       - ["java.math", "BigInteger", "BigInteger", "(String)", "manual"]         # taint-numeric
       - ["java.math", "BigInteger", "or", "(BigInteger)", "manual"]             # taint-numeric
       - ["java.math", "BigInteger", "valueOf", "(long)", "manual"]              # taint-numeric
@@ -1,6 +1,6 @@
 extensions:
   - addsTo:
       pack: codeql/java-all
-      extensible: summaryModel
+      extensible: neutralModel
     data:
-      - ["java.nio.charset", "Charset", False, "name", "()", "", "Argument[-1].SyntheticField[java.nio.charset.Charset.canonicalName]", "ReturnValue", "value", "manual"]
+      - ["java.nio.charset", "Charset", "name", "()", "manual"]
@@ -44,9 +44,8 @@ extensions:
       - ["java.nio.file", "FileSystem", True, "getPathMatcher", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
       - ["java.nio.file", "FileSystem", True, "getRootDirectories", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", True, "getParent", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      # ! should Path have subtyping of False for all methods instead? Why is `toFile` different?
       - ["java.nio.file", "Path", True, "normalize", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["java.nio.file", "Path", False, "getFileName", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! maybe need more field flow?
+      - ["java.nio.file", "Path", True, "getFileName", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", True, "of", "(String,String[])", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
       - ["java.nio.file", "Path", True, "of", "(String,String[])", "", "Argument[1]", "ReturnValue", "taint", "ai-generated"]
       - ["java.nio.file", "Path", True, "of", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-generated"]
 
@@ -11,6 +11,6 @@ extensions:
       pack: codeql/java-all
       extensible: neutralModel
     data:
-      - ["java.nio", "Buffer", "position", "()", "manual"] # ! maybe should be summary?
+      - ["java.nio", "Buffer", "position", "()", "manual"]
       - ["java.nio", "Buffer", "remaining", "()", "manual"]
       - ["java.nio", "ByteBuffer", "allocate", "(int)", "manual"]