From 567d2df995c2d6306b772a8d978551ded9910b84 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Wed, 27 Aug 2025 09:24:57 +0200
Subject: [PATCH 1/2] Java: Remove the query githubsecuritylab/java/insecure-spring-actuator-config.
---
.../InsecureSpringActuatorConfig.qhelp | 47 -------
.../CWE-016/InsecureSpringActuatorConfig.ql | 118 ------------------
.../security/CWE-016/application.properties | 22 ----
java/src/security/CWE-016/pom_bad.xml | 50 --------
java/src/security/CWE-016/pom_good.xml | 50 --------
.../InsecureSpringActuatorConfig.expected | 1 -
.../InsecureSpringActuatorConfig.qlref | 1 -
java/test/security/CWE-016/SensitiveInfo.java | 13 --
.../security/CWE-016/application.properties | 14 ---
java/test/security/CWE-016/options | 1 -
java/test/security/CWE-016/pom.xml | 47 -------
11 files changed, 364 deletions(-)
delete mode 100644 java/src/security/CWE-016/InsecureSpringActuatorConfig.qhelp
delete mode 100644 java/src/security/CWE-016/InsecureSpringActuatorConfig.ql
delete mode 100644 java/src/security/CWE-016/application.properties
delete mode 100644 java/src/security/CWE-016/pom_bad.xml
delete mode 100644 java/src/security/CWE-016/pom_good.xml
delete mode 100644 java/test/security/CWE-016/InsecureSpringActuatorConfig.expected
delete mode 100644 java/test/security/CWE-016/InsecureSpringActuatorConfig.qlref
delete mode 100644 java/test/security/CWE-016/SensitiveInfo.java
delete mode 100644 java/test/security/CWE-016/application.properties
delete mode 100644 java/test/security/CWE-016/options
delete mode 100644 java/test/security/CWE-016/pom.xml
diff --git a/java/src/security/CWE-016/InsecureSpringActuatorConfig.qhelp b/java/src/security/CWE-016/InsecureSpringActuatorConfig.qhelp
deleted file mode 100644
index e2011567..00000000
--- a/java/src/security/CWE-016/InsecureSpringActuatorConfig.qhelp
+++ /dev/null
@@ -1,47 +0,0 @@ - - - -

Spring Boot is a popular framework that facilitates the development of stand-alone applications -and micro services. Spring Boot Actuator helps to expose production-ready support features against -Spring Boot applications.

- -

Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. -Exposing unprotected actuator endpoints through configuration files can lead to information disclosure -or even remote code execution vulnerability.

- -

Rather than programmatically permitting endpoint requests or enforcing access control, frequently -developers simply leave management endpoints publicly accessible in the application configuration file -application.properties without enforcing access control through Spring Security.

-
- - -

Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce -security checks on management endpoints using Spring Security. Otherwise accessing management endpoints -on a different HTTP port other than the port that the web application is listening on also helps to -improve the security.

-
- - -

The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, -no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, -security is enforced and only endpoints requiring exposure are exposed.

- - - -
- - -
  • - Spring Boot documentation: - Spring Boot Actuator: Production-ready Features -
  • -
  • - VERACODE Blog: - Exploiting Spring Boot Actuators -
  • -
  • - HackerOne Report: - Spring Actuator endpoints publicly available, leading to account takeover -
  • -
    -
    diff --git a/java/src/security/CWE-016/InsecureSpringActuatorConfig.ql b/java/src/security/CWE-016/InsecureSpringActuatorConfig.ql deleted file mode 100644 index 393e3006..00000000 --- a/java/src/security/CWE-016/InsecureSpringActuatorConfig.ql +++ /dev/null 
@@ -1,118 +0,0 @@
-/**
- * @name Insecure Spring Boot Actuator Configuration
- * @description Exposed Spring Boot Actuator through configuration files without declarative or procedural
- * security enforcement leads to information leak or even remote code execution.
- * @kind problem
- * @problem.severity error
- * @precision high
- * @id githubsecuritylab/java/insecure-spring-actuator-config
- * @tags security
- * external/cwe/cwe-016
- */
-
-/*
- * Note this query requires properties files to be indexed before it can produce results.
- * If creating your own database with the CodeQL CLI, you should run
- * `codeql database index-files --language=properties ...`
- * If using lgtm.com, you should add `properties_files: true` to the index block of your
- * lgtm.yml file (see https://lgtm.com/help/lgtm/java-extraction)
- */
-
-import java
-import semmle.code.configfiles.ConfigFiles
-import semmle.code.xml.MavenPom
-
-/** The parent node of the `org.springframework.boot` group. */
-class SpringBootParent extends Parent {
- SpringBootParent() { this.getGroup().getValue() = "org.springframework.boot" }
-}
-
-/** Class of Spring Boot dependencies. */
-class SpringBootPom extends Pom {
- SpringBootPom() { this.getParentElement() instanceof SpringBootParent }
-
- /** Holds if the Spring Boot Actuator module `spring-boot-starter-actuator` is used in the project. */
- predicate isSpringBootActuatorUsed() {
- this.getADependency().getArtifact().getValue() = "spring-boot-starter-actuator"
- }
-
- /**
- * Holds if the Spring Boot Security module is used in the project, which brings in other security
- * related libraries.
- */
- predicate isSpringBootSecurityUsed() {
- this.getADependency().getArtifact().getValue() = "spring-boot-starter-security"
- }
-}
-
-/** The properties file `application.properties`. 
 */
-class ApplicationProperties extends ConfigPair {
- ApplicationProperties() { this.getFile().getBaseName() = "application.properties" }
-}
-
-/** The configuration property `management.security.enabled`. */
-class ManagementSecurityConfig extends ApplicationProperties {
- ManagementSecurityConfig() { this.getNameElement().getName() = "management.security.enabled" }
-
- /** Gets the whitespace-trimmed value of this property. */
- string getValue() { result = this.getValueElement().getValue().trim() }
-
- /** Holds if `management.security.enabled` is set to `false`. */
- predicate hasSecurityDisabled() { this.getValue() = "false" }
-
- /** Holds if `management.security.enabled` is set to `true`. */
- predicate hasSecurityEnabled() { this.getValue() = "true" }
-}
-
-/** The configuration property `management.endpoints.web.exposure.include`. */
-class ManagementEndPointInclude extends ApplicationProperties {
- ManagementEndPointInclude() {
- this.getNameElement().getName() = "management.endpoints.web.exposure.include"
- }
-
- /** Gets the whitespace-trimmed value of this property. */
- string getValue() { result = this.getValueElement().getValue().trim() }
-}
-
-/**
- * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom
- * has a vulnerable configuration of Spring Boot Actuator management endpoints. 
 */
-predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationProperties ap) {
- pom.isSpringBootActuatorUsed() and
- not pom.isSpringBootSecurityUsed() and
- ap.getFile()
- .getParentContainer()
- .getAbsolutePath()
- .matches(pom.getFile().getParentContainer().getAbsolutePath() + "%") and // in the same sub-directory
- exists(string springBootVersion | springBootVersion = pom.getParentElement().getVersionString() |
- springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
- not exists(ManagementSecurityConfig me |
- me.hasSecurityEnabled() and me.getFile() = ap.getFile()
- )
- or
- springBootVersion.matches("1.5%") and // version 1.5
- exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = ap.getFile())
- or
- springBootVersion.matches("2.%") and //version 2.x
- exists(ManagementEndPointInclude mi |
- mi.getFile() = ap.getFile() and
- (
- mi.getValue() = "*" // all endpoints are enabled
- or
- mi.getValue()
- .matches([
- "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%", "%env%",
- "%beans%", "%sessions%"
- ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
- )
- )
- )
-}
-
-from SpringBootPom pom, ApplicationProperties ap, Dependency d
-where
- hasConfidentialEndPointExposed(pom, ap) and
- d = pom.getADependency() and
- d.getArtifact().getValue() = "spring-boot-starter-actuator"
-select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
diff --git a/java/src/security/CWE-016/application.properties b/java/src/security/CWE-016/application.properties
deleted file mode 100644
index 4f5defdd..00000000
--- a/java/src/security/CWE-016/application.properties
+++ /dev/null
@@ -1,22 +0,0 @@
-#management.endpoints.web.base-path=/admin
-
-
-#### BAD: All management endpoints are accessible ####
-# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
-
-# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
-management.security.enabled=false
-
-# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
-management.endpoints.web.exposure.include=*
-
-
-#### GOOD: All management endpoints have access control ####
-# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
-management.security.enabled=true
-
-# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
-management.security.enabled=true
-
-# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
-management.endpoints.web.exposure.include=beans,info,health
diff --git a/java/src/security/CWE-016/pom_bad.xml b/java/src/security/CWE-016/pom_bad.xml
deleted file mode 100644
index 9dd5c9c1..00000000
--- a/java/src/security/CWE-016/pom_bad.xml
+++ /dev/null
@@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - - - org.springframework.boot - spring-boot-test - - - -
\ No newline at end of file
diff --git a/java/src/security/CWE-016/pom_good.xml b/java/src/security/CWE-016/pom_good.xml
deleted file mode 100644
index 89f577f2..00000000
--- a/java/src/security/CWE-016/pom_good.xml
+++ /dev/null
@@ -1,50 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - - org.springframework.boot - spring-boot-starter-security - - - - org.springframework.boot - spring-boot-test - - - -
\ No newline at end of file
diff --git a/java/test/security/CWE-016/InsecureSpringActuatorConfig.expected b/java/test/security/CWE-016/InsecureSpringActuatorConfig.expected
deleted file mode 100644
index 48630293..00000000
--- a/java/test/security/CWE-016/InsecureSpringActuatorConfig.expected
+++ /dev/null
@@ -1 +0,0 @@
-| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
diff --git a/java/test/security/CWE-016/InsecureSpringActuatorConfig.qlref b/java/test/security/CWE-016/InsecureSpringActuatorConfig.qlref
deleted file mode 100644
index a0974149..00000000
--- a/java/test/security/CWE-016/InsecureSpringActuatorConfig.qlref
+++ /dev/null
@@ -1 +0,0 @@
-security/CWE-016/InsecureSpringActuatorConfig.ql
\ No newline at end of file
diff --git a/java/test/security/CWE-016/SensitiveInfo.java b/java/test/security/CWE-016/SensitiveInfo.java
deleted file mode 100644
index a3ff69c1..00000000
--- a/java/test/security/CWE-016/SensitiveInfo.java
+++ /dev/null
@@ -1,13 +0,0 @@
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RequestMapping;
-
-@Controller
-public class SensitiveInfo {
- @RequestMapping
- public void handleLogin(@RequestParam String username, @RequestParam String password) throws Exception {
- if (!username.equals("") && password.equals("")) {
- //Blank processing
- }
- }
-}
\ No newline at end of file
diff --git a/java/test/security/CWE-016/application.properties b/java/test/security/CWE-016/application.properties
deleted file mode 100644
index 797906a3..00000000
--- a/java/test/security/CWE-016/application.properties
+++ /dev/null
@@ -1,14 +0,0 @@
-#management.endpoints.web.base-path=/admin
-
-# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
-
-# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
-management.security.enabled=false
-
-# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
-management.endpoints.web.exposure.include=*
-management.endpoints.web.exposure.exclude=beans
-
-management.endpoint.shutdown.enabled=true
-
-management.endpoint.health.show-details=when_authorized
\ No newline at end of file
diff --git a/java/test/security/CWE-016/options b/java/test/security/CWE-016/options
deleted file mode 100644
index a7b10cd2..00000000
--- a/java/test/security/CWE-016/options
+++ /dev/null
@@ -1 +0,0 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../codeql/java/ql/test/stubs/springframework-5.8.x
diff --git a/java/test/security/CWE-016/pom.xml b/java/test/security/CWE-016/pom.xml
deleted file mode 100644
index a9d5fa92..00000000
--- a/java/test/security/CWE-016/pom.xml
+++ /dev/null
@@ -1,47 +0,0 @@ - - - 4.0.0 - - spring-boot-actuator-app - spring-boot-actuator-app - 1.0-SNAPSHOT - - - UTF-8 - 1.8 - 1.8 - - - - org.springframework.boot - spring-boot-starter-parent - 2.3.8.RELEASE - - - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-devtools - - - - org.springframework.boot - spring-boot-test - - - -
\ No newline at end of file
From 19e0024632cd42c61debaba555937be2360a9c68 Mon Sep 17 00:00:00 2001
From: Michael Nebel
Date: Wed, 27 Aug 2025 09:40:40 +0200
Subject: [PATCH 2/2] Bump Java pack version number (to trigger publish).
---
java/src/qlpack.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/src/qlpack.yml b/java/src/qlpack.yml
index e78130b9..da9a10f8 100644
--- a/java/src/qlpack.yml
+++ b/java/src/qlpack.yml
@@ -1,6 +1,6 @@
 library: false
 name: githubsecuritylab/codeql-java-queries
-version: 0.2.1
+version: 0.2.2
 suites: suites
 defaultSuiteFile: suites/java.qls
 dependencies: