Java: apply query alert restrictions

java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll

@@ -18,6 +18,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks the flow of tainted Intents being used to start Android components. */

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -31,6 +31,8 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -58,6 +58,8 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CommandInjectionAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll

@@ -23,6 +23,8 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof NumericType or node.getType() instanceof BooleanType
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll

@@ -17,6 +17,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll

@@ -17,6 +17,8 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll

@@ -48,6 +48,8 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
     node.getType().(Array).getElementType() instanceof TypeIntent and
     c instanceof DataFlow::ArrayContent
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module ImplicitPendingIntentStartFlow =

java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll

@@ -49,6 +49,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from user input to the argument of a method that builds constraint error messages. */

java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll

@@ -22,6 +22,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
       succ.asExpr() = ma.getQualifier()
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;

java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll

@@ -96,6 +96,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
       n2.asExpr() = c
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll

@@ -18,6 +18,8 @@ module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
     node.getType() instanceof Array and
     c instanceof DataFlow::ArrayContent
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module InsecureTrustManagerFlow = DataFlow::Global<InsecureTrustManagerConfig>;

java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll

@@ -16,6 +16,8 @@ module KeySizeConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, KeySizeState state) {
     sink.(InsufficientKeySizeSink).hasState(state)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks key sizes used in cryptographic algorithms. */

java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll

@@ -23,6 +23,8 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll

@@ -51,6 +51,8 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll

@@ -23,6 +23,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JndiInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in JNDI lookup */

java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll

@@ -17,6 +17,8 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     any(LdapInjectionAdditionalTaintStep a).step(pred, succ)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to LDAP injection vulnerabilities. */

java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll

@@ -16,6 +16,8 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module MissingJwtSignatureCheckFlow = DataFlow::Global<MissingJwtSignatureCheckConfig>;

java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll

@@ -19,6 +19,8 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(MvelInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */

java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll

@@ -102,6 +102,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll

@@ -18,6 +18,8 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */

java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll

@@ -17,6 +17,8 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node node) {
     any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr()
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */

java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll

@@ -28,6 +28,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;

java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll

@@ -31,6 +31,8 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll

@@ -20,6 +20,8 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Flow for finding RSA ciphers initialized without using OAEP padding. */

java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll

@@ -18,6 +18,8 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */

java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll

@@ -24,6 +24,8 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in SQL queries. */

java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll

@@ -126,6 +126,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof StaticInitializationVectorSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks the flow from a static initialization vector to the initialization of a cipher */

java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll

@@ -72,6 +72,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(TaintedPathAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to the creation of a path. */

java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll

@@ -59,6 +59,8 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(PermissionsConstruction p).getInput()
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from user input to a permissions check. */

java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll

@@ -16,6 +16,8 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks server-side template injection (SST) vulnerabilities */

java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll

@@ -20,6 +20,8 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -325,6 +325,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;

java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll

@@ -65,6 +65,8 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
             "|(set)?(accept|trust|ignore|allow)(all|every|any)" +
             "|(use|do|enable)insecure|(set|do|use)?no.*(check|validation|verify|verification)|disable).*$")
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Data flow to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call. */

java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll

@@ -195,6 +195,8 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof UrlForwardBarrier }
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll

@@ -13,6 +13,8 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll

@@ -44,6 +44,8 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
     or
     node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll

@@ -12,6 +12,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll

@@ -20,6 +20,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/XssQuery.qll

@@ -20,6 +20,8 @@ module XssConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XssAdditionalTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */

java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll

@@ -18,6 +18,8 @@ module XxeConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(XxeAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll

@@ -43,6 +43,8 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
     node instanceof SimpleTypeSanitizer or
     node instanceof PathInjectionSanitizer
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from archive entries to file creation. */

java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll

@@ -47,6 +47,8 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
     node instanceof SimpleTypeSanitizer or
     node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;

java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll

@@ -14,6 +14,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**

java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql

@@ -35,6 +35,7 @@ Variable getVariable(Expr dest) {
 
 from DangerousAssignOpExpr a, Expr e, Top v
 where
+  AlertFiltering::filterByLocatable(a) and
   e = a.getSource() and
   problematicCasting(a.getDest().getType(), e) and
   (