Java: apply query alert restrictions

java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll

@@ -18,6 +18,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks the flow of tainted Intents being used to start Android components. */

java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll

@@ -23,6 +23,8 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof NumericType or node.getType() instanceof BooleanType
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -17,6 +17,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll

@@ -17,6 +17,8 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll

@@ -48,6 +48,8 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
     node.getType().(Array).getElementType() instanceof TypeIntent and
     c instanceof DataFlow::ArrayContent
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module ImplicitPendingIntentStartFlow =

java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll

@@ -49,6 +49,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from user input to the argument of a method that builds constraint error messages. */

java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll

@@ -22,6 +22,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
       succ.asExpr() = ma.getQualifier()
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;

java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll

@@ -96,6 +96,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
       n2.asExpr() = c
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll

@@ -16,6 +16,8 @@ module KeySizeConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, KeySizeState state) {
     sink.(InsufficientKeySizeSink).hasState(state)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks key sizes used in cryptographic algorithms. */

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll

@@ -23,6 +23,8 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll

@@ -51,6 +51,8 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -23,6 +23,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JndiInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in JNDI lookup */

java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll

@@ -17,6 +17,8 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     any(LdapInjectionAdditionalTaintStep a).step(pred, succ)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to LDAP injection vulnerabilities. */

java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll

@@ -16,6 +16,8 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module MissingJwtSignatureCheckFlow = DataFlow::Global<MissingJwtSignatureCheckConfig>;

java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll

@@ -19,6 +19,8 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(MvelInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */

java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll

@@ -102,6 +102,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -18,6 +18,8 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */

java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll

@@ -17,6 +17,8 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node node) {
     any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr()
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */

java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll

@@ -28,6 +28,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;

java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll

@@ -31,6 +31,8 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll

@@ -20,6 +20,8 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Flow for finding RSA ciphers initialized without using OAEP padding. */

java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll

@@ -18,6 +18,8 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */

java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll

@@ -126,6 +126,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof StaticInitializationVectorSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks the flow from a static initialization vector to the initialization of a cipher */

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -72,6 +72,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(TaintedPathAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to the creation of a path. */

java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll

@@ -16,6 +16,8 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks server-side template injection (SST) vulnerabilities */

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -20,6 +20,8 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -325,6 +325,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;

java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll

@@ -195,6 +195,8 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof UrlForwardBarrier }
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll

@@ -13,6 +13,8 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll

@@ -44,6 +44,8 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
     or
     node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll

@@ -12,6 +12,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -20,6 +20,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/XssQuery.qll

@@ -20,6 +20,8 @@ module XssConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XssAdditionalTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */

java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll

@@ -18,6 +18,8 @@ module XxeConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(XxeAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -43,6 +43,8 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
     node instanceof SimpleTypeSanitizer or
     node instanceof PathInjectionSanitizer
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from archive entries to file creation. */

java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll

@@ -14,6 +14,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql

@@ -12,6 +12,7 @@
  *       external/cwe/cwe-020
  */
 
+import java
 private import semmle.code.java.regex.RegexTreeView::RegexTreeView as TreeView
 import codeql.regex.OverlyLargeRangeQuery::Make<TreeView>
 
@@ -22,6 +23,7 @@ TreeView::RegExpCharacterClass potentialMisparsedCharClass() {
 
 from TreeView::RegExpCharacterRange range, string reason
 where
+  AlertFiltering::filterByLocation(range.getLocation()) and
   problem(range, reason) and
   not range.getParent() = potentialMisparsedCharClass()
 select range, "Suspicious character range that " + reason + "."

java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

@@ -47,6 +47,7 @@ predicate builtFromUncontrolledConcat(Expr expr) {
 
 from StringArgumentToExec argument
 where
+  AlertFiltering::filterByLocatable(argument) and
   builtFromUncontrolledConcat(argument) and
   not execIsTainted(_, _, argument)
 select argument, "Command line is built with string concatenation."

java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql

@@ -93,4 +93,5 @@ private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSp
 }
 
 from InsecureNettyObjectCreation new
+where AlertFiltering::filterByLocatable(new)
 select new, new.splittingType() + " vulnerability due to header value verification being disabled."

java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql

@@ -14,5 +14,7 @@ import java
 import semmle.code.java.security.AndroidLocalAuthQuery
 
 from AuthenticationSuccessCallback c
-where not exists(c.getAResultUse())
+where
+  AlertFiltering::filterByLocatable(c) and
+  not exists(c.getAResultUse())
 select c, "This authentication callback does not use its result for a cryptographic operation."

java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql

@@ -14,5 +14,7 @@ import java
 import semmle.code.java.security.AndroidWebViewCertificateValidationQuery
 
 from OnReceivedSslErrorMethod m
-where trustsAllCerts(m)
+where
+  AlertFiltering::filterByLocatable(m) and
+  trustsAllCerts(m)
 select m, "This handler accepts all SSL certificates."

java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql

@@ -47,5 +47,6 @@ private class VulnerableJHipsterRandomUtilMethod extends Method {
 }
 
 from VulnerableJHipsterRandomUtilMethod method
+where AlertFiltering::filterByLocatable(method)
 select method,
   "Weak random number generator used in security sensitive method (JHipster CVE-2019-16303)."

java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql

@@ -15,5 +15,7 @@ import java
 import semmle.code.java.security.SpringCsrfProtection
 
 from MethodCall call
-where disablesSpringCsrfProtection(call)
+where
+  AlertFiltering::filterByLocatable(call) and
+  disablesSpringCsrfProtection(call)
 select call, "CSRF vulnerability due to protection being disabled."

java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

@@ -17,6 +17,7 @@ import semmle.code.java.security.InsecureCookieQuery
 
 from MethodCall add
 where
+  AlertFiltering::filterByLocatable(add) and
   add.getMethod() instanceof ResponseAddCookieMethod and
   not SecureCookieFlow::flowToExpr(add.getArgument(0))
 select add, "Cookie is added to response without the 'secure' flag being set."