
Java - Adding support for com.microsoft.sqlserver.jdbc.SQLServerDataSource to CWE-798 #12178


Merged
merged 5 commits into from
Feb 16, 2023

Conversation

felickz
Contributor

@felickz felickz commented Feb 14, 2023

Adds missing sinks for the java/hardcoded-credential-api-call query for the SQLServerDataSource class

  • Group: com.microsoft.sqlserver
  • Artifact: mssql-jdbc

Maps ApiCallableCredentialParams for User and Password

Local testing - All 4 tests passed (none expected)
>codeql test run "java/ql/test/query-tests/security/CWE-798/semmle/tests/"
Executing 4 tests in 1 directories.
Extracting test database in /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests.
Compiling queries in /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests.
Compiled /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.ql (512ms).
Compiled /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql (17.2s).
Compiled /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.ql (3.9s).
Compiled /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql (286ms).
Executing tests in /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests.
[1/4 comp 512ms eval 854ms] PASSED /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedPasswordField.ql
[2/4 comp 17.2s eval 3.3s] PASSED /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsSourceCall.ql
[3/4 comp 3.9s eval 31ms] PASSED /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsComparison.ql
[4/4 comp 286ms eval 482ms] PASSED /Users/felickz/Repos/vscode-codeql-starter/ql/java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedCredentialsApiCall.ql
All 4 tests passed.

Tasks

  • Update SensitiveApi.qll to add additional sinks
  • Generate stubs via python3 ./java/ql/src/utils/stub-generator/makeStubs.py "java/ql/test/query-tests/security/CWE-798/semmle/tests/" "java/ql/test/stubs" "...pom.xml" and organize under java/ql/test/stubs/mssql-jdbc-12.2.0
  • Add mssql-jdbc-12.2.0 test stubs to dir java/ql/test/query-tests/security/CWE-798/semmle/tests/options
  • Add change notes
  • Reviewed tests via @atorralba
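To make concrete what the new sinks cover, here is an added Java example (not the PR's own test case, and not code from the CodeQL or mssql-jdbc projects) showing the pattern the extended java/hardcoded-credential-api-call query is meant to flag next to the form it should leave alone. The host and database names are constructed sample values, and the DB_USER / DB_PASSWORD environment variable names are assumptions.

```java
import com.microsoft.sqlserver.jdbc.SQLServerDataSource;
import java.sql.Connection;
import java.sql.SQLException;

public class SqlServerCredentials {

    // BAD: string literals flow straight into setUser/setPassword, the
    // SQLServerDataSource sinks this PR models. With the new mapping the
    // query should report both calls as hard-coded credentials (CWE-798).
    static Connection connectWithHardcodedCredentials() throws SQLException {
        SQLServerDataSource ds = new SQLServerDataSource();
        ds.setServerName("db.example.internal"); // constructed sample host
        ds.setDatabaseName("inventory");         // constructed sample database
        ds.setUser("app_user");                  // flagged: literal user name
        ds.setPassword("S3cretPassw0rd!");       // flagged: literal password
        return ds.getConnection();
    }

    // GOOD: the credentials are injected at runtime (environment here; a
    // secrets manager works the same way from the query's point of view).
    // No literal reaches the sink, so the query stays silent.
    static Connection connectWithExternalCredentials() throws SQLException {
        String user = System.getenv("DB_USER");         // assumed variable name
        String password = System.getenv("DB_PASSWORD"); // assumed variable name
        if (user == null || password == null) {
            throw new IllegalStateException("DB_USER and DB_PASSWORD must be set");
        }
        SQLServerDataSource ds = new SQLServerDataSource();
        ds.setServerName("db.example.internal"); // constructed sample host
        ds.setDatabaseName("inventory");         // constructed sample database
        ds.setUser(user);
        ds.setPassword(password);
        return ds.getConnection();
    }
}
```

When a file like this sits in the CWE-798 test directory, the mssql-jdbc-12.2.0 stubs listed in the tasks above let the extractor resolve SQLServerDataSource without the real driver on the classpath, so the two flagged calls in the first method can be recorded in the query's expected-output file while the second method serves as the negative case.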

@github-actions github-actions bot added the Java label Feb 14, 2023
@felickz felickz changed the title Java - Adding support for com.microsoft.sqlserver:mssql-jdbc SQLServerDataSource to CWE-798 Java - Adding support for com.microsoft.sqlserver.jdbc.SQLServerDataSource to CWE-798 Feb 14, 2023
@felickz felickz marked this pull request as ready for review February 14, 2023 01:21
@felickz felickz requested a review from a team as a code owner February 14, 2023 01:21
Contributor

@atorralba atorralba left a comment


Thanks for the contribution! I added a small suggestion regarding a test case, but otherwise this looks reasonable to me.

Also we'll need a change note. You can follow these guidelines, but this most probably categorizes as minorAnalysis. Remember to add the note under lib, not src.

felickz and others added 2 commits February 15, 2023 18:26
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
@felickz felickz requested a review from atorralba February 15, 2023 23:46
@atorralba atorralba merged commit 87b54e6 into github:main Feb 16, 2023