Has the listed issue opencast/opencast@4225bf9 already been detected by the query codeql/java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.ql? Will the queries be merged?

      public boolean verify(String host, SSLSession ssl) {
        logger.trace("Skipping SSL session host name check on {}", host);
        return true;
      }
    };

Has the listed issue opencast/opencast@4225bf9 already been detected by the query codeql/java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.ql? Will the queries be merged?

      public boolean verify(String host, SSLSession ssl) {
        logger.trace("Skipping SSL session host name check on {}", host);
        return true;
      }
    };

I don't know whether UnsafeCertTrust.ql would have detected it, but I don't think it would have detected it.
https://github.com/github/codeql/blob/8d4f7e2db7ec3b7559a3e358fd1b8a7203ce7474/java/ql/src/experimental/Security/CWE/CWE-273/UnsafeCertTrust.ql#L22 requires the checkServerTrusted method to have 0 statements and the checkServerTrusted method of opencast has more than 0 statements, because it includes a logging call.

I tried building an database of opencast but building failed.
If you or someone else has a database that still has the vulnerability, I could have a look whether it would have been detected.

I found it easier for me to create a new query and then remove the overlapping code from UnsafeCertTrust.ql, because it contains/contained three sub-queries and separating them nicely was hard...

You can download a database at https://lgtm.com/projects/g/opencast/opencast/ci/#ql

I know that I can download databases from lgtm.com, but the issue has already been fixed.
As far as I know, only the latest database is available or isn't it?

Ah, yes I think that is the case, sorry.

@intrigus-lgtm Would you be able to share the build log with us so that we can check what went wrong with the build and then perhaps can help you to build the database? Thanks.

@m-y-mo sure, but the problem seems to be related to a maven package that is missing.
I'm currently trying different opencast versions to see if I can find one that compiles...

I was able to compile it.
(Are you interested in the database?)
Here are the results:

UnsafeCertTrust.ql:

InsecureTrustManager.ql:

Your submission is now in status SecLab review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@intrigus-lgtm Thanks. I'm mostly interested to see if there the UnsafeCertTrust.ql query catches the result and whether the build failure is a problem of the codeql extract so we can take a look at it. As the result is not flagged by UnsafeCertTrust.ql, we are happy to move it to the next stage and review the security impact, scope and FP rate of the query. We'll get back to you once it is done. Thanks.

@m-y-mo the build failure was not related to codeql :)
Note that I still plan to do same improvements.
Running the query on lgtm.com showed that there are quite some FPs that should be quite easily fixable.
So the FP rate of the query is subject to change :)

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed

Created Hackerone report 1250306 for bounty 314830 : [222] [Java]: CWE 295 - Insecure TrustManager - MiTM

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
SecLab review > Generate Query Results > FP Check > CodeQL review > SecLab finalize > Pay > Closed