Java: Refactor path injection sinks

[atorralba]

Now we consider path creation methods as summaries instead of sinks, and actual sinks are now proper file read/write operations. This is because, many times, path-like objects (File or Path) are created as part of user input validation/sanitization logic, so raising an alert that early led to many FPs. Now we follow the flow path until the actual filesystem IO operation happens, which should help with precision significantly.

Significant alert changes in the affected queries are expected after these changes.

[jcogs33]

LGTM assuming DCA is good.

[jcogs33]

LGTM assuming that the CI check failures are unrelated to any changes in the PR. I don't recall seeing those failures yesterday.

[atorralba]

I don't recall seeing those failures yesterday.

They were caused by missing an import during a conflict resolution after the rebase. It's been fixed in 5bcf687.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    Java Standard Library,``java.*``,10,733,237,79,,9,,,24
+    Java Standard Library,``java.*``,10,734,232,74,,9,,,24
-    Totals,,308,18947,2551,331,16,128,33,1,407
+    Totals,,308,18948,2546,326,16,128,33,1,407

• Changes to framework-coverage-java.csv:

- java.nio,49,,36,,,,,,,,,5,,,,,,,,,,,,,,,43,,,,,,,,,1,,,,,,,,,,,,,,36,
+ java.nio,44,,37,,,,,,,,,5,,,,,,,,,,,,,,,38,,,,,,,,,1,,,,,,,,,,,,,,37,

[atorralba]

I added the models-as-data migration part to a new PR #13225. I'll repurpose this PR to be only about the sink refactor part (converting path creation sinks into summaries). For the time being, I'm going to leave this as a draft.

[egregius313]

LGTM