java: sharpen java/maven/non-https-url to allow localhost URLs

Author: esbena

java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql

@@ -25,8 +25,7 @@ private class DeclaredRepository extends PomElement {
   string getUrl() { result = getAChild("url").(PomElement).getValue() }
 
   predicate isInsecureRepositoryUsage() {
-    getUrl().matches("http://%") or
-    getUrl().matches("ftp://%")
+    getUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
   }
 }
 

java/ql/test/query-tests/security/CWE-829/semmle/tests/InsecureDependencyResolution.expected

@@ -3,6 +3,3 @@
 | insecure-pom.xml:31:9:36:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://localhost.example |
 | insecure-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
 | insecure-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://insecure-repository.example |
-| secure-pom.xml:31:9:36:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://localhost/snaphots |
-| secure-pom.xml:37:9:42:30 | snapshotRepository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://localhost:82 |
-| secure-pom.xml:51:9:55:22 | repository | Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository http://localhost:${deploy.webserver.port}/repo |