Merge pull request #19723 from apsscolari/update-precision-java-concatenated-command-line

owen-mc · web-flow · commit 23cbc6abc407 · 2025-06-12T09:23:00.000+01:00
Update precision java concatenated command line
diff --git a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected
@@ -12,7 +12,6 @@ ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
 ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
 ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
 ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
-ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
 ql/java/ql/src/Security/CWE/CWE-079/XSS.ql
 ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
 ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity error
  * @security-severity 9.8
- * @precision high
+ * @precision medium
  * @id java/concatenated-command-line
  * @tags security
  *       external/cwe/cwe-078
diff --git a/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md b/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: queryMetadata
 +---
 +* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded.