Java: resolve more -1 to this conflicts

Jami Cogswell · Jami Cogswell · commit 44c3a41194e6 · 2023-03-23T17:53:27.000-04:00
diff --git a/java/ql/lib/ext/java.awt.model.yml b/java/ql/lib/ext/java.awt.model.yml
@@ -3,4 +3,5 @@ extensions:
       pack: codeql/java-all
       extensible: summaryModel
     data:
+      - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"] # ! signature as "" instead?
       - ["java.awt", "Container", True, "add", "(Component,Object)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
diff --git a/java/ql/lib/ext/java.io.model.yml b/java/ql/lib/ext/java.io.model.yml
@@ -71,6 +71,7 @@ extensions:
       - ["java.io", "File", True, "getCanonicalFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getCanonicalPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.io", "File", False, "getPath", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! True versus False (maybe it's private/hidden?).. (and neutral instead?)
       - ["java.io", "File", True, "toPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -91,10 +92,14 @@ extensions:
       - ["java.io", "OutputStream", True, "write", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.io", "Reader", True, "read", "", "", "Argument[this]", "Argument[0]", "taint", "manual"]
       - ["java.io", "StringReader", False, "StringReader", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.io", "StringWriter", False, "toString", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! currently supported by taintPreservingQualifierToMethod?
+      - ["java.io", "UncheckedIOException", False, "UncheckedIOException", "(IOException)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
       - ["java.io", "Writer", True, "write", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
     data:
       - ["java.io", "File", "delete", "()", "manual"]
       - ["java.io", "File", "exists", "()", "manual"]
+      - ["java.io", "File", "isDirectory", "()", "manual"]
+      - ["java.io", "File", "mkdirs", "()", "manual"]
diff --git a/java/ql/lib/ext/java.lang.model.yml b/java/ql/lib/ext/java.lang.model.yml
@@ -48,10 +48,14 @@ extensions:
       - ["java.lang", "AbstractStringBuilder", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "Appendable", True, "append", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
       - ["java.lang", "Appendable", True, "append", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.lang", "AssertionError", False, "AssertionError", "(Object)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.lang", "CharSequence", True, "charAt", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "CharSequence", True, "subSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "CharSequence", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["java.lang", "Class", False, "cast", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "Exception", False, "Exception", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
+      - ["java.lang", "Exception", False, "Exception", "(String,Throwable)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
+      - ["java.lang", "Exception", False, "Exception", "(String,Throwable)", "", "Argument[1]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
       - ["java.lang", "IllegalArgumentException", False, "IllegalArgumentException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.lang", "IllegalStateException", False, "IllegalStateException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.lang", "IndexOutOfBoundsException", False, "IndexOutOfBoundsException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
@@ -104,26 +108,39 @@ extensions:
       - ["java.lang", "String", False, "valueOf", "(char)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      # ! why do below have subtype=True for constructors?
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(CharSequence)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["java.lang", "StringBuilder", True, "StringBuilder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.lang", "StringBuilder", False, "delete", "(int,int)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "System", False, "arraycopy", "", "", "Argument[0]", "Argument[2]", "taint", "manual"]
+      - ["java.lang", "System", False, "getenv", "(String)", "", "Argument[-1].MapValue", "ReturnValue", "value", "manual"] # ! neutral instead?
+      - ["java.lang", "System", False, "getenv", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]  # ! really unsure about this...; neutral instead? -- or unmodelled
+      - ["java.lang", "Thread", False, "Thread", "(Runnable)", "", "Argument[0]", "Argument[-1]", "taint", "manual"] # ! neutral instead?
       - ["java.lang", "ThreadLocal", True, "get", "()", "", "Argument[-1].SyntheticField[java.lang.ThreadLocal.value]", "ReturnValue", "value", "manual"] # ! not sure if this model is correct, and if should be neutral model instead
       - ["java.lang", "Throwable", False, "Throwable", "(Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
       - ["java.lang", "Throwable", True, "getCause", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
       - ["java.lang", "Throwable", True, "getMessage", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
+      - ["java.lang", "Throwable", True, "getLocalizedMessage", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]  # ! should the field used be different?
       - ["java.lang", "Throwable", True, "toString", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "taint", "manual"] # ! little unsure about this one...
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
     data:
       - ["java.lang", "AbstractStringBuilder", "length", "()", "manual"]
       - ["java.lang", "Boolean", "equals", "(Object)", "manual"]
+      - ["java.lang", "Boolean", "valueOf", "(boolean)", "manual"]
+      - ["java.lang", "Class", "forName", "(String)", "manual"]
       - ["java.lang", "Class", "getCanonicalName", "()", "manual"]
       - ["java.lang", "Class", "getClassLoader", "()", "manual"]
+      - ["java.lang", "Class", "getMethod", "(String,Class[])", "manual"]
       - ["java.lang", "Class", "getName", "()", "manual"]
+      - ["java.lang", "Class", "getResource", "(String)", "manual"]
+      - ["java.lang", "Class", "getResourceAsStream", "(String)", "manual"]
       - ["java.lang", "Class", "getSimpleName", "()", "manual"]
       - ["java.lang", "Class", "isAssignableFrom", "(Class)", "manual"]
+      - ["java.lang", "Class", "isInstance", "(Object)", "manual"]
+      - ["java.lang", "Class", "toString", "()", "manual"]
       - ["java.lang", "Enum", "Enum", "(String,int)", "manual"]
       - ["java.lang", "Enum", "equals", "(Object)", "manual"]
       - ["java.lang", "Enum", "hashCode", "()", "manual"]
@@ -146,24 +163,33 @@ extensions:
       - ["java.lang", "String", "indexOf", "(int)", "manual"]
       - ["java.lang", "String", "indexOf", "(String)", "manual"]
       - ["java.lang", "String", "isEmpty", "()", "manual"]
+      - ["java.lang", "String", "lastIndexOf", "(int)", "manual"]
       - ["java.lang", "String", "length", "()", "manual"]
       - ["java.lang", "String", "startsWith", "(String)", "manual"]
       - ["java.lang", "System", "currentTimeMillis", "()", "manual"]
+      - ["java.lang", "System", "exit", "(int)", "manual"]
+      - ["java.lang", "System", "identityHashCode", "(Object)", "manual"]
       - ["java.lang", "System", "lineSeparator", "()", "manual"] # ! double-check...
       - ["java.lang", "System", "nanoTime", "()", "manual"]
       - ["java.lang", "Thread", "currentThread", "()", "manual"]
+      - ["java.lang", "Thread", "interrupt", "()", "manual"]
       - ["java.lang", "Thread", "sleep", "(long)", "manual"]
       - ["java.lang", "Thread", "start", "()", "manual"]
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
       - ["java.lang", "Boolean", "booleanValue", "()", "manual"]       # taint-numeric
       - ["java.lang", "Boolean", "parseBoolean", "(String)", "manual"] # taint-numeric
+      - ["java.lang", "Double", "parseDouble", "(String)", "manual"]   # taint-numeric
       - ["java.lang", "Integer", "Integer", "(int)", "manual"]         # taint-numeric
       - ["java.lang", "Integer", "intValue", "()", "manual"]           # taint-numeric
       - ["java.lang", "Integer", "parseInt", "(String)", "manual"]     # taint-numeric
+      - ["java.lang", "Integer", "toHexString", "(int)", "manual"]     # taint-numeric
+      - ["java.lang", "Integer", "toString", "()", "manual"]           # taint-numeric
       - ["java.lang", "Integer", "toString", "(int)", "manual"]        # taint-numeric
       - ["java.lang", "Integer", "valueOf", "(int)", "manual"]         # taint-numeric
       - ["java.lang", "Integer", "valueOf", "(String)", "manual"]      # taint-numeric # ! should probably make this and others like it have a "" signature instead...
+      - ["java.lang", "Long", "Long", "(long)", "manual"]              # taint-numeric
+      - ["java.lang", "Long", "intValue", "()", "manual"]              # taint-numeric
       - ["java.lang", "Long", "longValue", "()", "manual"]             # taint-numeric
       - ["java.lang", "Long", "parseLong", "(String)", "manual"]       # taint-numeric
       - ["java.lang", "Long", "toString", "()", "manual"]              # taint-numeric
diff --git a/java/ql/lib/ext/java.lang.reflect.model.yml b/java/ql/lib/ext/java.lang.reflect.model.yml
@@ -3,6 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: summaryModel
     data:
+      - ["java.lang.reflect", "Constructor", False, "newInstance", "(Object[])", "", "Argument[0].ArrayElement", "ReturnValue.Parameter", "value", "manual"] # ! unsure about input/output
       - ["java.lang.reflect", "Method", False, "invoke", "(Object,Object[])", "", "Argument[1].ArrayElement", "Argument[-1].Parameter[0]", "value", "manual"] # ! very unsure if this model is correct...
 
   - addsTo:
diff --git a/java/ql/lib/ext/java.math.model.yml b/java/ql/lib/ext/java.math.model.yml
@@ -7,9 +7,13 @@ extensions:
 
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
-      - ["java.math", "BigDecimal", "BigDecimal", "(int)", "manual"]    # taint-numeric
-      - ["java.math", "BigDecimal", "BigDecimal", "(String)", "manual"] # taint-numeric
-      - ["java.math", "BigDecimal", "add", "(BigDecimal)", "manual"]    # taint-numeric
-      - ["java.math", "BigDecimal", "valueOf", "(double)", "manual"]    # taint-numeric
-      - ["java.math", "BigDecimal", "valueOf", "(long)", "manual"]      # taint-numeric
-      - ["java.math", "BigInteger", "valueOf", "(long)", "manual"]      # taint-numeric
+      - ["java.math", "BigDecimal", "BigDecimal", "(int)", "manual"]            # taint-numeric
+      - ["java.math", "BigDecimal", "BigDecimal", "(String)", "manual"]         # taint-numeric
+      - ["java.math", "BigDecimal", "add", "(BigDecimal)", "manual"]            # taint-numeric
+      - ["java.math", "BigDecimal", "doubleValue", "()", "manual"]              # taint-numeric
+      - ["java.math", "BigDecimal", "setScale", "(int,RoundingMode)", "manual"] # taint-numeric
+      - ["java.math", "BigDecimal", "toString", "()", "manual"]                 # taint-numeric
+      - ["java.math", "BigDecimal", "valueOf", "(double)", "manual"]            # taint-numeric
+      - ["java.math", "BigDecimal", "valueOf", "(long)", "manual"]              # taint-numeric
+      - ["java.math", "BigInteger", "or", "(BigInteger)", "manual"]             # taint-numeric
+      - ["java.math", "BigInteger", "valueOf", "(long)", "manual"]              # taint-numeric
diff --git a/java/ql/lib/ext/java.nio.file.model.yml b/java/ql/lib/ext/java.nio.file.model.yml
@@ -61,3 +61,9 @@ extensions:
       # - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]", "Argument[1].Method[preVisitDirectory(Path,BasicFileAttributes)].Parameter[0]", "taint", "ai-generated"]
       # - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]" "Argument[1].Method[visitFile(Path,BasicFileAttributes)].Parameter[0]", "taint", "ai-generated"]
       # - ["java.nio.file", "Files", True, "walkFileTree", "(Path,FileVisitor)", "", "Argument[0]", "Argument[1].Method[visitFileFailed(Path,IOException)].Parameter[0]", "taint", "ai-generated"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.nio.file", "Files", "exists", "(Path,LinkOption[])", "manual"]
diff --git a/java/ql/lib/ext/java.nio.model.yml b/java/ql/lib/ext/java.nio.model.yml
@@ -6,3 +6,10 @@ extensions:
       - ["java.nio", "ByteBuffer", False, "array", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.nio", "ByteBuffer", False, "get", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["java.nio", "ByteBuffer", False, "wrap", "(byte[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.nio", "Buffer", "remaining", "()", "manual"]
+      - ["java.nio", "ByteBuffer", "allocate", "(int)", "manual"]
diff --git a/java/ql/lib/ext/java.sql.model.yml b/java/ql/lib/ext/java.sql.model.yml
@@ -28,11 +28,14 @@ extensions:
       pack: codeql/java-all
       extensible: neutralModel
     data:
+      - ["java.sql", "PreparedStatement", "executeUpdate", "()", "manual"]
       - ["java.sql", "ResultSet", "next", "()", "manual"]
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
-      - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "manual"] # value-numeric
-      - ["java.sql", "ResultSet", "getInt", "(String)", "manual"]          # taint-numeric
-      - ["java.sql", "ResultSet", "getLong", "(String)", "manual"]         # taint-numeric
-      - ["java.sql", "ResultSet", "getString", "(int)", "manual"]          # taint-numeric
-      - ["java.sql", "Timestamp", "Timestamp", "(long)", "manual"]         # taint-numeric
+      - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "manual"]   # value-numeric
+      - ["java.sql", "PreparedStatement", "setLong", "(int,long)", "manual"] # value-numeric
+      - ["java.sql", "ResultSet", "getInt", "(String)", "manual"]            # taint-numeric
+      - ["java.sql", "ResultSet", "getLong", "(String)", "manual"]           # taint-numeric
+      - ["java.sql", "ResultSet", "getString", "(int)", "manual"]            # taint-numeric
+      - ["java.sql", "Timestamp", "Timestamp", "(long)", "manual"]           # taint-numeric
+      - ["java.sql", "Timestamp", "getTime", "()", "manual"]                 # taint-numeric
diff --git a/java/ql/lib/ext/java.text.model.yml b/java/ql/lib/ext/java.text.model.yml
@@ -4,6 +4,8 @@ extensions:
       extensible: summaryModel
     data:
       - ["java.text", "DateFormat", True, "parse", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! maybe not interesting flow and should be neutral model?
+      - ["java.text", "MessageFormat", False, "format", "(String,Object[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]              # ! not sure I did this right
+      - ["java.text", "MessageFormat", False, "format", "(String,Object[])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"] # ! not sure I did this right
 
   - addsTo:
       pack: codeql/java-all
diff --git a/java/ql/lib/ext/java.time.chrono.model.yml b/java/ql/lib/ext/java.time.chrono.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["java.time.chrono", "ChronoZonedDateTime", False, "toInstant", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"] # ! neutral?
diff --git a/java/ql/lib/ext/java.time.format.model.yml b/java/ql/lib/ext/java.time.format.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["java.time.format", "DateTimeFormatter", False, "ofPattern", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"] # ! neutral?
diff --git a/java/ql/lib/ext/java.time.model.yml b/java/ql/lib/ext/java.time.model.yml
@@ -13,7 +13,13 @@ extensions:
       - ["java.time", "LocalDate", "now", "()", "manual"]
       - ["java.time", "LocalDateTime", "now", "()", "manual"]
       - ["java.time", "ZonedDateTime", "now", "()", "manual"]
+      - ["java.time", "ZoneId", "of", "(String)", "manual"]
 
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
-      - ["java.time", "LocalDate", "of", "(int,int,int)", "manual"] # taint-numeric
+      - ["java.time", "Duration", "ofMillis", "(long)", "manual"]                   # taint-numeric
+      - ["java.time", "Duration", "ofMinutes", "(long)", "manual"]                  # taint-numeric
+      - ["java.time", "Duration", "toMillis", "()", "manual"]                       # taint-numeric
+      - ["java.time", "Instant", "toEpochMilli", "()", "manual"]                    # taint-numeric
+      - ["java.time", "LocalDate", "of", "(int,int,int)", "manual"]                 # taint-numeric
+      - ["java.time", "LocalDateTime", "of", "(int,int,int,int,int,int)", "manual"] # taint-numeric
diff --git a/java/ql/lib/ext/java.util.concurrent.atomic.model.yml b/java/ql/lib/ext/java.util.concurrent.atomic.model.yml
@@ -11,6 +11,7 @@ extensions:
       pack: codeql/java-all
       extensible: neutralModel
     data:
+      - ["java.util.concurrent.atomic", "AtomicBoolean", "AtomicBoolean", "(boolean)", "manual"]
       - ["java.util.concurrent.atomic", "AtomicBoolean", "get", "()", "manual"]
       - ["java.util.concurrent.atomic", "AtomicBoolean", "set", "(boolean)", "manual"]
 
@@ -19,4 +20,6 @@ extensions:
       - ["java.util.concurrent.atomic", "AtomicInteger", "AtomicInteger", "(int)", "manual"] # value-numeric
       - ["java.util.concurrent.atomic", "AtomicInteger", "get", "()", "manual"]              # value-numeric
       - ["java.util.concurrent.atomic", "AtomicInteger", "incrementAndGet", "()", "manual"]  # taint-numeric
+      - ["java.util.concurrent.atomic", "AtomicLong", "AtomicLong", "(long)", "manual"]      # value-numeric # ! this is supposedly already supported per the telemetry query, LOOK INTO WHY/HOW
+      - ["java.util.concurrent.atomic", "AtomicLong", "addAndGet", "(long)", "manual"]       # taint-numeric
       - ["java.util.concurrent.atomic", "AtomicLong", "get", "()", "manual"]                 # value-numeric
diff --git a/java/ql/lib/ext/java.util.concurrent.locks.model.yml b/java/ql/lib/ext/java.util.concurrent.locks.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.util.concurrent.locks", "Lock", "unlock", "()", "manual"]
diff --git a/java/ql/lib/ext/java.util.concurrent.model.yml b/java/ql/lib/ext/java.util.concurrent.model.yml
diff --git a/java/ql/lib/ext/java.util.logging.model.yml b/java/ql/lib/ext/java.util.logging.model.yml
diff --git a/java/ql/lib/ext/java.util.model.yml b/java/ql/lib/ext/java.util.model.yml
diff --git a/java/ql/lib/ext/java.util.regex.model.yml b/java/ql/lib/ext/java.util.regex.model.yml
diff --git a/java/ql/lib/ext/java.util.stream.model.yml b/java/ql/lib/ext/java.util.stream.model.yml
