Java: apply query alert restrictions

cklin · cklin · commit 93ba79aa0fe3 · 2024-09-11T12:32:18.000-07:00
diff --git a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirectionQuery.qll
@@ -18,6 +18,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks the flow of tainted Intents being used to start Android components. */
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -31,6 +31,8 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c | n.asExpr() = c.getAlgoSpec()) }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -58,6 +58,8 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(CommandInjectionAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll b/java/ql/lib/semmle/code/java/security/ExternallyControlledFormatStringQuery.qll
@@ -23,6 +23,8 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) {
     node.getType() instanceof NumericType or node.getType() instanceof BooleanType
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -17,6 +17,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/GroovyInjectionQuery.qll
@@ -17,6 +17,8 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -48,6 +48,8 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {
     node.getType().(Array).getElementType() instanceof TypeIntent and
     c instanceof DataFlow::ArrayContent
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module ImplicitPendingIntentStartFlow =
diff --git a/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureBeanValidationQuery.qll
@@ -49,6 +49,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from user input to the argument of a method that builds constraint error messages. */
diff --git a/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureLdapAuthQuery.qll
@@ -22,6 +22,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {
       succ.asExpr() = ma.getQualifier()
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureRandomnessQuery.qll
@@ -96,6 +96,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {
       n2.asExpr() = c
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
@@ -18,6 +18,8 @@ module InsecureTrustManagerConfig implements DataFlow::ConfigSig {
     node.getType() instanceof Array and
     c instanceof DataFlow::ArrayContent
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module InsecureTrustManagerFlow = DataFlow::Global<InsecureTrustManagerConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll
@@ -16,6 +16,8 @@ module KeySizeConfig implements DataFlow::StateConfigSig {
   predicate isSink(DataFlow::Node sink, KeySizeState state) {
     sink.(InsufficientKeySizeSink).hasState(state)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks key sizes used in cryptographic algorithms. */
diff --git a/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll b/java/ql/lib/semmle/code/java/security/IntentUriPermissionManipulationQuery.qll
@@ -23,6 +23,8 @@ module IntentUriPermissionManipulationConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(IntentUriPermissionManipulationAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JexlInjectionQuery.qll
@@ -51,6 +51,8 @@ module JexlInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
@@ -23,6 +23,8 @@ module JndiInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JndiInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in JNDI lookup */
diff --git a/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/LdapInjectionQuery.qll
@@ -17,6 +17,8 @@ module LdapInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     any(LdapInjectionAdditionalTaintStep a).step(pred, succ)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to LDAP injection vulnerabilities. */
diff --git a/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll b/java/ql/lib/semmle/code/java/security/MissingJWTSignatureCheckQuery.qll
@@ -16,6 +16,8 @@ module MissingJwtSignatureCheckConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(JwtParserWithInsecureParseAdditionalFlowStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module MissingJwtSignatureCheckFlow = DataFlow::Global<MissingJwtSignatureCheckConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/MvelInjectionQuery.qll
@@ -19,6 +19,8 @@ module MvelInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(MvelInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a MVEL expression. */
diff --git a/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/NumericCastTaintedQuery.qll
@@ -102,6 +102,8 @@ module NumericCastFlowConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
@@ -18,6 +18,8 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in OGNL EL evaluation. */
diff --git a/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll b/java/ql/lib/semmle/code/java/security/PartialPathTraversalQuery.qll
@@ -17,6 +17,8 @@ module PartialPathTraversalFromRemoteConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node node) {
     any(PartialPathTraversalMethodCall ma).getQualifier() = node.asExpr()
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to validate against path traversal, but is insufficient and remains vulnerable to Partial Path Traversal. */
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -28,6 +28,8 @@ module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll b/java/ql/lib/semmle/code/java/security/ResponseSplittingQuery.qll
@@ -31,6 +31,8 @@ module ResponseSplittingConfig implements DataFlow::ConfigSig {
       )
     )
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -20,6 +20,8 @@ module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Flow for finding RSA ciphers initialized without using OAEP padding. */
diff --git a/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SpelInjectionQuery.qll
@@ -18,6 +18,8 @@ module SpelInjectionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(SpelExpressionInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a SpEL expression. */
diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -24,6 +24,8 @@ module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow of unvalidated user input that is used in SQL queries. */
diff --git a/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll b/java/ql/lib/semmle/code/java/security/StaticInitializationVectorQuery.qll
@@ -126,6 +126,8 @@ module StaticInitializationVectorConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof StaticInitializationVectorSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof EncryptionInitializationSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks the flow from a static initialization vector to the initialization of a cipher */
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -72,6 +72,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(TaintedPathAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to the creation of a path. */
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll
@@ -59,6 +59,8 @@ module TaintedPermissionsCheckFlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(PermissionsConstruction p).getInput()
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from user input to a permissions check. */
diff --git a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
@@ -16,6 +16,8 @@ module TemplateInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(TemplateInjectionAdditionalTaintStep a).isAdditionalTaintStep(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks server-side template injection (SST) vulnerabilities */
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeContentUriResolutionQuery.qll
@@ -20,6 +20,8 @@ module UnsafeContentResolutionConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(ContentUriResolutionAdditionalTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Taint-tracking flow to find paths from remote sources to content URI resolutions. */
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -325,6 +325,8 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) { isUnsafeDeserializationSanitizer(node) }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module UnsafeDeserializationFlow = TaintTracking::Global<UnsafeDeserializationConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll
@@ -65,6 +65,8 @@ module TrustAllHostnameVerifierConfig implements DataFlow::ConfigSig {
             "|(set)?(accept|trust|ignore|allow)(all|every|any)" +
             "|(use|do|enable)insecure|(set|do|use)?no.*(check|validation|verify|verification)|disable).*$")
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Data flow to model the flow of a `TrustAllHostnameVerifier` to a `set(Default)HostnameVerifier` call. */
diff --git a/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll b/java/ql/lib/semmle/code/java/security/UrlForwardQuery.qll
@@ -195,6 +195,8 @@ module UrlForwardFlowConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node node) { node instanceof UrlForwardBarrier }
 
   DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll b/java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
@@ -13,6 +13,8 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll b/java/ql/lib/semmle/code/java/security/WebviewDebuggingEnabledQuery.qll
@@ -44,6 +44,8 @@ module WebviewDebugEnabledConfig implements DataFlow::ConfigSig {
     or
     node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
@@ -12,6 +12,8 @@ module XPathInjectionConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/XsltInjectionQuery.qll
@@ -20,6 +20,8 @@ module XsltInjectionFlowConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/XssQuery.qll b/java/ql/lib/semmle/code/java/security/XssQuery.qll
@@ -20,6 +20,8 @@ module XssConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     any(XssAdditionalTaintStep s).step(node1, node2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from remote sources to cross site scripting vulnerabilities. */
diff --git a/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll b/java/ql/lib/semmle/code/java/security/XxeRemoteQuery.qll
@@ -18,6 +18,8 @@ module XxeConfig implements DataFlow::ConfigSig {
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
     any(XxeAdditionalTaintStep s).step(n1, n2)
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -43,6 +43,8 @@ module ZipSlipConfig implements DataFlow::ConfigSig {
     node instanceof SimpleTypeSanitizer or
     node instanceof PathInjectionSanitizer
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /** Tracks flow from archive entries to file creation. */
diff --git a/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll
@@ -47,6 +47,8 @@ module PolynomialRedosConfig implements DataFlow::ConfigSig {
     node instanceof SimpleTypeSanitizer or
     node.asExpr().(MethodCall).getMethod() instanceof LengthRestrictedMethod
   }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 module PolynomialRedosFlow = TaintTracking::Global<PolynomialRedosConfig>;
diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjectionQuery.qll
@@ -14,6 +14,8 @@ module RegexInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof RegexInjectionSanitizer }
+
+  predicate filterForSourceOrSinkAlerts() { any() }
 }
 
 /**
diff --git a/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql b/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
@@ -35,6 +35,7 @@ Variable getVariable(Expr dest) {
 
 from DangerousAssignOpExpr a, Expr e, Top v
 where
+  AlertFiltering::filterByLocatable(a) and
   e = a.getSource() and
   problematicCasting(a.getDest().getType(), e) and
   (
diff --git a/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql b/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
diff --git a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
diff --git a/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql b/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
diff --git a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
diff --git a/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql b/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
diff --git a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
diff --git a/java/ql/src/Security/CWE/CWE-730/ReDoS.ql b/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
diff --git a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
diff --git a/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql b/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ module IntentRedirectionConfig implements DataFlow::ConfigSig {`
`18`	`18`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`19`	`19`	`any(IntentRedirectionAdditionalTaintStep c).step(node1, node2)`
`20`	`20`	`}`
	`21`	`+`
	`22`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`21`	`23`	`}`
`22`	`24`
`23`	`25`	`/** Tracks the flow of tainted Intents being used to start Android components. */`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,8 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {`
`31`	`31`	`predicate isSink(DataFlow::Node n) { exists(CryptoAlgoSpec c \| n.asExpr() = c.getAlgoSpec()) }`
`32`	`32`
`33`	`33`	`predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }`
	`34`	`+`
	`35`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`34`	`36`	`}`
`35`	`37`
`36`	`38`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,8 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {`
`58`	`58`	`predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`
`59`	`59`	`any(CommandInjectionAdditionalTaintStep s).step(n1, n2)`
`60`	`60`	`}`
	`61`	`+`
	`62`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`61`	`63`	`}`
`62`	`64`
`63`	`65`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,8 @@ module ExternallyControlledFormatStringConfig implements DataFlow::ConfigSig {`
`23`	`23`	`predicate isBarrier(DataFlow::Node node) {`
`24`	`24`	`node.getType() instanceof NumericType or node.getType() instanceof BooleanType`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`26`	`28`	`}`
`27`	`29`
`28`	`30`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {`
`17`	`17`	`predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`
`18`	`18`	`any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)`
`19`	`19`	`}`
	`20`	`+`
	`21`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`20`	`22`	`}`
`21`	`23`
`22`	`24`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@ module GroovyInjectionConfig implements DataFlow::ConfigSig {`
`17`	`17`	`predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {`
`18`	`18`	`any(GroovyInjectionAdditionalTaintStep c).step(fromNode, toNode)`
`19`	`19`	`}`
	`20`	`+`
	`21`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`20`	`22`	`}`
`21`	`23`
`22`	`24`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,8 @@ module ImplicitPendingIntentStartConfig implements DataFlow::StateConfigSig {`
`48`	`48`	`node.getType().(Array).getElementType() instanceof TypeIntent and`
`49`	`49`	`c instanceof DataFlow::ArrayContent`
`50`	`50`	`}`
	`51`	`+`
	`52`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`51`	`53`	`}`
`52`	`54`
`53`	`55`	`module ImplicitPendingIntentStartFlow =`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,8 @@ module BeanValidationConfig implements DataFlow::ConfigSig {`
`49`	`49`	`predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }`
`50`	`50`
`51`	`51`	`predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }`
	`52`	`+`
	`53`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`52`	`54`	`}`
`53`	`55`
`54`	`56`	`/** Tracks flow from user input to the argument of a method that builds constraint error messages. */`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@ module InsecureLdapUrlConfig implements DataFlow::ConfigSig {`
`22`	`22`	`succ.asExpr() = ma.getQualifier()`
`23`	`23`	`)`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`25`	`27`	`}`
`26`	`28`
`27`	`29`	`module InsecureLdapUrlFlow = TaintTracking::Global<InsecureLdapUrlConfig>;`
Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,8 @@ module InsecureRandomnessConfig implements DataFlow::ConfigSig {`
`96`	`96`	`n2.asExpr() = c`
`97`	`97`	`)`
`98`	`98`	`}`
	`99`	`+`
	`100`	`+ predicate filterForSourceOrSinkAlerts() { any() }`
`99`	`101`	`}`
`100`	`102`
`101`	`103`	`/**`