From 857b51be5895bf437ea25b5ce2581527d5af69fb Mon Sep 17 00:00:00 2001 From: Ana Scolari <127357173+apsscolari@users.noreply.github.com> Date: Tue, 10 Jun 2025 16:06:22 -0700 Subject: [PATCH 1/5] Update ExecUnescaped.ql - causing FPs with hard coded strings This query is generating False positives with hard coded strings declared within the function - issue reported by customer. We had a discussion on code_scanning channel on 6/5/25 and the team agreed upon reducing its precision to Medium. --- java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql index d50f583bbfe3..afa675c7f7b2 100644 --- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql +++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql @@ -5,7 +5,7 @@ * @kind problem * @problem.severity error * @security-severity 9.8 - * @precision high + * @precision medium * @id java/concatenated-command-line * @tags security * external/cwe/cwe-078 From 510bbac0e48d4b647688cdf8cd86895b6e0ad5e2 Mon Sep 17 00:00:00 2001 From: Ana Scolari <127357173+apsscolari@users.noreply.github.com> Date: Tue, 10 Jun 2025 16:17:32 -0700 Subject: [PATCH 2/5] Create 2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md --- ...precision-for-building-cmdline-with-string-concatenation.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md diff --git a/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md b/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md new file mode 100644 index 000000000000..fe79304526d6 --- /dev/null +++ b/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md @@ -0,0 +1,3 @@ +category: queryMetadata +--- +* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are harded coded. From f915984b016ddfe880450a1d903ac7b7b7d5082a Mon Sep 17 00:00:00 2001 From: Ana Scolari <127357173+apsscolari@users.noreply.github.com> Date: Wed, 11 Jun 2025 08:55:34 -0700 Subject: [PATCH 3/5] Update java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- ...-precision-for-building-cmdline-with-string-concatenation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md b/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md index fe79304526d6..a96a648e8ecd 100644 --- a/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md +++ b/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md @@ -1,3 +1,3 @@ category: queryMetadata --- -* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are harded coded. +* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded. From b84f9d6c3c9755725d72907f7a80d67a1528d854 Mon Sep 17 00:00:00 2001 From: Ana Scolari <127357173+apsscolari@users.noreply.github.com> Date: Wed, 11 Jun 2025 08:55:45 -0700 Subject: [PATCH 4/5] Update java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> --- ...e-precision-for-building-cmdline-with-string-concatenation.md | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md b/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md index a96a648e8ecd..392e1965defa 100644 --- a/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md +++ b/java/ql/src/change-notes/2025-06-10-reduce-precision-for-building-cmdline-with-string-concatenation.md @@ -1,3 +1,4 @@ +--- category: queryMetadata --- * Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded. From a07ce30d30ee1b45c589a02afbaf7ce266643783 Mon Sep 17 00:00:00 2001 From: Ana Scolari <127357173+apsscolari@users.noreply.github.com> Date: Wed, 11 Jun 2025 15:27:20 -0700 Subject: [PATCH 5/5] Update java-code-scanning.qls.expected removing line once this query precision is changed to Medium --- .../java/query-suite/java-code-scanning.qls.expected | 1 - 1 file changed, 1 deletion(-) diff --git a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected index a8ce00aca6c5..3290e0d84b0e 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected @@ -12,7 +12,6 @@ ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql -ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql ql/java/ql/src/Security/CWE/CWE-079/XSS.ql ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql