Merge branch 'main' into redsun82/rust-config

Paolo Tranquilli · Paolo Tranquilli · commit 5abcf13973a3 · 2025-02-13T15:38:13.000+01:00
diff --git a/csharp/documentation/library-coverage/coverage.csv b/csharp/documentation/library-coverage/coverage.csv
@@ -42,5 +42,5 @@ MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,54,47,12221,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5921,6300
+System,54,47,12241,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5941,6300
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,
diff --git a/csharp/documentation/library-coverage/coverage.rst b/csharp/documentation/library-coverage/coverage.rst
@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,12221,54,5
+   System,"``System.*``, ``System``",47,12241,54,5
    Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2272,152,4
-   Totals,,107,14500,400,9
+   Totals,,107,14520,400,9
 
diff --git a/go/documentation/library-coverage/coverage.csv b/go/documentation/library-coverage/coverage.csv
@@ -16,7 +16,7 @@ container/ring,,,5,,,,,,,,,,,,,,,,,,,,,,,5,
 context,,,5,,,,,,,,,,,,,,,,,,,,,,,5,
 crypto,,,10,,,,,,,,,,,,,,,,,,,,,,,10,
 database/sql,30,18,12,,,,,,,,,,,,30,,,,,,18,,,,,12,
-encoding,,,77,,,,,,,,,,,,,,,,,,,,,,,77,
+encoding,,,81,,,,,,,,,,,,,,,,,,,,,,,81,
 errors,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
 expvar,,,6,,,,,,,,,,,,,,,,,,,,,,,6,
 fmt,3,,16,,,,3,,,,,,,,,,,,,,,,,,,16,
@@ -139,4 +139,5 @@ syscall,5,2,8,5,,,,,,,,,,,,,,,,,,2,,,,8,
 text/scanner,,,3,,,,,,,,,,,,,,,,,,,,,,,3,
 text/tabwriter,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
 text/template,,,4,,,,,,,,,,,,,,,,,,,,,,,4,
+weak,,,2,,,,,,,,,,,,,,,,,,,,,,,2,
 xorm.io/xorm,34,,,,,,,,,,,,,,34,,,,,,,,,,,,
diff --git a/go/documentation/library-coverage/coverage.rst b/go/documentation/library-coverage/coverage.rst
@@ -26,7 +26,7 @@ Go framework & library support
    `Macaron <https://gopkg.in/macaron.v1>`_,``gopkg.in/macaron*``,12,1,1
    `Revel <http://revel.github.io/>`_,"``github.com/revel/revel*``, ``github.com/robfig/revel*``",46,20,4
    `SendGrid <https://github.com/sendgrid/sendgrid-go>`_,``github.com/sendgrid/sendgrid-go*``,,1,
-   `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",52,603,104
+   `Standard library <https://pkg.go.dev/std>`_,"````, ``archive/*``, ``bufio``, ``bytes``, ``cmp``, ``compress/*``, ``container/*``, ``context``, ``crypto``, ``crypto/*``, ``database/*``, ``debug/*``, ``embed``, ``encoding``, ``encoding/*``, ``errors``, ``expvar``, ``flag``, ``fmt``, ``go/*``, ``hash``, ``hash/*``, ``html``, ``html/*``, ``image``, ``image/*``, ``index/*``, ``io``, ``io/*``, ``log``, ``log/*``, ``maps``, ``math``, ``math/*``, ``mime``, ``mime/*``, ``net``, ``net/*``, ``os``, ``os/*``, ``path``, ``path/*``, ``plugin``, ``reflect``, ``reflect/*``, ``regexp``, ``regexp/*``, ``slices``, ``sort``, ``strconv``, ``strings``, ``sync``, ``sync/*``, ``syscall``, ``syscall/*``, ``testing``, ``testing/*``, ``text/*``, ``time``, ``time/*``, ``unicode``, ``unicode/*``, ``unsafe``",52,607,104
    `XPath <https://github.com/antchfx/xpath>`_,``github.com/antchfx/xpath*``,,,4
    `appleboy/gin-jwt <https://github.com/appleboy/gin-jwt>`_,``github.com/appleboy/gin-jwt*``,,,1
    `beego <https://beego.me/>`_,"``github.com/astaxie/beego*``, ``github.com/beego/beego*``",102,63,213
@@ -60,6 +60,6 @@ Go framework & library support
    `xpathparser <https://github.com/santhosh-tekuri/xpathparser>`_,``github.com/santhosh-tekuri/xpathparser*``,,,2
    `yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
    `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
-   Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``xorm.io/xorm``",117,16,391
-   Totals,,459,941,1532
+   Others,"``github.com/Masterminds/squirrel``, ``github.com/caarlos0/env``, ``github.com/go-gorm/gorm``, ``github.com/go-xorm/xorm``, ``github.com/gobuffalo/envy``, ``github.com/gogf/gf/database/gdb``, ``github.com/hashicorp/go-envparse``, ``github.com/jinzhu/gorm``, ``github.com/jmoiron/sqlx``, ``github.com/joho/godotenv``, ``github.com/kelseyhightower/envconfig``, ``github.com/lann/squirrel``, ``github.com/raindog308/gorqlite``, ``github.com/rqlite/gorqlite``, ``github.com/uptrace/bun``, ``go.mongodb.org/mongo-driver/mongo``, ``gopkg.in/Masterminds/squirrel``, ``gorm.io/gorm``, ``weak``, ``xorm.io/xorm``",117,18,391
+   Totals,,459,947,1532
 
diff --git a/java/ql/src/Security/CWE/CWE-020/ExternalAPITaintStepExample.java b/java/ql/src/Security/CWE/CWE-020/ExternalAPITaintStepExample.java
@@ -4,6 +4,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 
 		StringBuilder sqlQueryBuilder = new StringBuilder();
 		sqlQueryBuilder.append("SELECT * FROM user WHERE user_id='");
+		// BAD: a request parameter is concatenated directly into a SQL query
 		sqlQueryBuilder.append(request.getParameter("user_id"));
 		sqlQueryBuilder.append("'");
 
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalBad.java b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalBad.java
@@ -1,5 +1,6 @@
 public class PartialPathTraversalBad {
     public void example(File dir, File parent) throws IOException {
+        // BAD: dir.getCanonicalPath() not slash-terminated
         if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {
             throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
         }
diff --git a/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java b/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java
@@ -2,6 +2,7 @@
 
 public class PartialPathTraversalGood {
     public void example(File dir, File parent) throws IOException {
+        // GOOD: Check if dir.Path() is normalised
         if (!dir.toPath().normalize().startsWith(parent.toPath())) {
             throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());
         }
diff --git a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterfaceExample.java
@@ -20,4 +20,5 @@ public String studentEmail(String studentName) {
 webview.loadData("", "text/html", null);
 
 String name = "Robert'; DROP TABLE students; --";
+// BAD: Untrusted input loaded into WebView
 webview.loadUrl("javascript:alert(exposedObject.studentEmail(\""+ name +"\"))");
diff --git a/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java b/java/ql/src/Security/CWE/CWE-079/WebSettingsDisableJavascript.java
@@ -1,2 +1,2 @@
 WebSettings settings = webview.getSettings();
-settings.setJavaScriptEnabled(false);
+settings.setJavaScriptEnabled(false); // GOOD: webview has JavaScript disabled
diff --git a/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java b/java/ql/src/Security/CWE/CWE-079/WebSettingsEnableJavascript.java
@@ -1,2 +1,2 @@
 WebSettings settings = webview.getSettings();
-settings.setJavaScriptEnabled(true);
+settings.setJavaScriptEnabled(true); // BAD: webview has JavaScript enabled
diff --git a/java/ql/src/Security/CWE/CWE-094/GroovyInjectionBad.java b/java/ql/src/Security/CWE/CWE-094/GroovyInjectionBad.java
@@ -2,26 +2,26 @@ public class GroovyInjection {
     void injectionViaClassLoader(HttpServletRequest request) {    
         String script = request.getParameter("script");
         final GroovyClassLoader classLoader = new GroovyClassLoader();
-        Class groovy = classLoader.parseClass(script);
+        Class groovy = classLoader.parseClass(script); // BAD: Groovy code injection
         GroovyObject groovyObj = (GroovyObject) groovy.newInstance();
     }
 
     void injectionViaEval(HttpServletRequest request) {
         String script = request.getParameter("script");
-        Eval.me(script);
+        Eval.me(script); // BAD: Groovy code injection
     }
 
     void injectionViaGroovyShell(HttpServletRequest request) {
         GroovyShell shell = new GroovyShell();
         String script = request.getParameter("script");
-        shell.evaluate(script);
+        shell.evaluate(script); // BAD: Groovy code injection
     }
 
     void injectionViaGroovyShellGroovyCodeSource(HttpServletRequest request) {
         GroovyShell shell = new GroovyShell();
         String script = request.getParameter("script");
         GroovyCodeSource gcs = new GroovyCodeSource(script, "test", "Test");
-        shell.evaluate(gcs);
+        shell.evaluate(gcs); // BAD: Groovy code injection
     }
 }
 
diff --git a/java/ql/src/Security/CWE/CWE-094/InstallApkWithFile.java b/java/ql/src/Security/CWE/CWE-094/InstallApkWithFile.java
@@ -9,6 +9,7 @@
 File file = new File(Environment.getExternalStorageDirectory(), "myapp.apk");
 Intent intent = new Intent(Intent.ACTION_VIEW);
 /* Set the mimetype to APK */
+// BAD: The file may be altered by another app
 intent.setDataAndType(Uri.fromFile(file), "application/vnd.android.package-archive");
 
 startActivity(intent);
diff --git a/java/ql/src/Security/CWE/CWE-094/InstallApkWithFileProvider.java b/java/ql/src/Security/CWE/CWE-094/InstallApkWithFileProvider.java
@@ -21,6 +21,7 @@
 
 /* Expose temporary file with FileProvider */
 File toInstall = new File(this.getFilesDir(), tempFilename);
+// GOOD: The file is protected by FileProvider
 Uri applicationUri = FileProvider.getUriForFile(this, "com.example.apkprovider", toInstall);
 
 /* Create Intent and set data to APK file. */
diff --git a/java/ql/src/Security/CWE/CWE-094/InstallApkWithPackageInstaller.java b/java/ql/src/Security/CWE/CWE-094/InstallApkWithPackageInstaller.java
@@ -1,3 +1,4 @@
+// GOOD: Package installed using PackageInstaller
 import android.content.Context;
 import android.content.Intent;
 import android.content.pm.PackageInstaller;
diff --git a/java/ql/src/Security/CWE/CWE-094/SSTIBad.java b/java/ql/src/Security/CWE/CWE-094/SSTIBad.java
@@ -14,6 +14,7 @@ public void bad(HttpServletRequest request) {
 
 		StringWriter w = new StringWriter();
 		// evaluate( Context context, Writer out, String logTag, String instring )
+		// BAD: code is controlled by the user
 		Velocity.evaluate(context, w, "mystring", code);
 	}
 }
diff --git a/java/ql/src/Security/CWE/CWE-094/SSTIGood.java b/java/ql/src/Security/CWE/CWE-094/SSTIGood.java
@@ -11,7 +11,7 @@ public void good(HttpServletRequest request) {
 
 		String s = "We are using $project $name to render this.";
 		StringWriter w = new StringWriter();
-		Velocity.evaluate(context, w, "mystring", s);
+		Velocity.evaluate(context, w, "mystring", s); // GOOD: s is a constant string
 		System.out.println(" string : " + w);
 	}
 }
diff --git a/java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java b/java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java
@@ -4,7 +4,7 @@ public void evaluate(Socket socket) throws IOException {
     
     JexlSandbox onlyMath = new JexlSandbox(false);
     onlyMath.white("java.lang.Math");
-    JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();
+    JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create(); // GOOD: using a sandbox
       
     String input = reader.readLine();
     JexlExpression expression = jexl.createExpression(input);
diff --git a/java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java b/java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java
@@ -6,7 +6,7 @@ public void evaluate(Socket socket) throws IOException {
     JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
       
     String input = reader.readLine();
-    JexlExpression expression = jexl.createExpression(input);
+    JexlExpression expression = jexl.createExpression(input); // GOOD: jexl uses a sandbox
     JexlContext context = new MapContext();
     expression.evaluate(context);
   }
diff --git a/java/ql/src/Security/CWE/CWE-094/SaferSpelExpressionEvaluation.java b/java/ql/src/Security/CWE/CWE-094/SaferSpelExpressionEvaluation.java
@@ -4,9 +4,11 @@ public Object evaluate(Socket socket) throws IOException {
 
     String string = reader.readLine();
     ExpressionParser parser = new SpelExpressionParser();
+    // AVOID: string is controlled by the user
     Expression expression = parser.parseExpression(string);
     SimpleEvaluationContext context 
         = SimpleEvaluationContext.forReadWriteDataBinding().build();
+    // OK: Untrusted expressions are evaluated in a restricted context
     return expression.getValue(context);
   }
 }
diff --git a/java/ql/src/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java b/java/ql/src/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java
@@ -4,6 +4,7 @@ public void evaluate(Socket socket) throws IOException {
     
     String input = reader.readLine();
     JexlEngine jexl = new JexlBuilder().create();
+    // BAD: input is controlled by the user
     JexlExpression expression = jexl.createExpression(input);
     JexlContext context = new MapContext();
     expression.evaluate(context);
diff --git a/java/ql/src/Security/CWE/CWE-094/UnsafeSpelExpressionEvaluation.java b/java/ql/src/Security/CWE/CWE-094/UnsafeSpelExpressionEvaluation.java
@@ -4,6 +4,7 @@ public Object evaluate(Socket socket) throws IOException {
 
     String string = reader.readLine();
     ExpressionParser parser = new SpelExpressionParser();
+    // BAD: string is controlled by the user
     Expression expression = parser.parseExpression(string);
     return expression.getValue();
   }
diff --git a/java/ql/src/Security/CWE/CWE-1204/BadStaticInitializationVector.java b/java/ql/src/Security/CWE/CWE-1204/BadStaticInitializationVector.java
@@ -1,4 +1,4 @@
-byte[] iv = new byte[16]; // all zeroes
+byte[] iv = new byte[16]; // BAD: all zeroes
 GCMParameterSpec params = new GCMParameterSpec(128, iv);
 Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
 cipher.init(Cipher.ENCRYPT_MODE, key, params);
diff --git a/java/ql/src/Security/CWE/CWE-1204/GoodRandomInitializationVector.java b/java/ql/src/Security/CWE/CWE-1204/GoodRandomInitializationVector.java
@@ -1,6 +1,6 @@
 byte[] iv = new byte[16];
 SecureRandom random = SecureRandom.getInstanceStrong();
-random.nextBytes(iv);
+random.nextBytes(iv); // GOOD: random initialization vector
 GCMParameterSpec params = new GCMParameterSpec(128, iv);
 Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
 cipher.init(Cipher.ENCRYPT_MODE, key, params);
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextBad.java b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextBad.java
@@ -1,2 +1,2 @@
 TextView pwView = getViewById(R.id.pw_text);
-pwView.setText("Your password is: " + password);
+pwView.setText("Your password is: " + password); // BAD: password is shown immediately
diff --git a/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextGood.java b/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextGood.java
@@ -5,6 +5,6 @@
 Button showButton = findViewById(R.id.show_pw_button);
 showButton.setOnClickListener(new View.OnClickListener() {
     public void onClick(View v) {
-      pwView.setVisibility(View.VISIBLE);
+      pwView.setVisibility(View.VISIBLE); // GOOD: password is only shown when the user clicks the button
     }
 });
diff --git a/java/ql/src/Security/CWE/CWE-200/ContentAccessDisabled.java b/java/ql/src/Security/CWE/CWE-200/ContentAccessDisabled.java
@@ -1,3 +1,4 @@
 WebSettings settings = webview.getSettings();
 
+// GOOD: WebView is configured to disallow content access
 settings.setAllowContentAccess(false);
diff --git a/java/ql/src/Security/CWE/CWE-200/ContentAccessEnabled.java b/java/ql/src/Security/CWE/CWE-200/ContentAccessEnabled.java
@@ -1,3 +1,4 @@
 WebSettings settings = webview.getSettings();
 
+// BAD: WebView is configured to allow content access
 settings.setAllowContentAccess(true);
diff --git a/java/ql/src/Security/CWE/CWE-200/WebViewFileAccessSafe.java b/java/ql/src/Security/CWE/CWE-200/WebViewFileAccessSafe.java
@@ -1,5 +1,6 @@
 WebSettings settings = view.getSettings();
 
+// GOOD: WebView is configured to disallow file access
 settings.setAllowFileAccess(false);
 settings.setAllowFileAccessFromURLs(false);
 settings.setAllowUniversalAccessFromURLs(false);
diff --git a/java/ql/src/Security/CWE/CWE-200/WebViewFileAccessUnsafe.java b/java/ql/src/Security/CWE/CWE-200/WebViewFileAccessUnsafe.java
@@ -1,5 +1,6 @@
 WebSettings settings = view.getSettings();
 
+// BAD: WebView is configured to allow file access
 settings.setAllowFileAccess(true);
 settings.setAllowFileAccessFromURLs(true);
 settings.setAllowUniversalAccessFromURLs(true);
diff --git a/java/ql/src/Security/CWE/CWE-330/examples/InsecureRandomnessCookie.java b/java/ql/src/Security/CWE/CWE-330/examples/InsecureRandomnessCookie.java
@@ -1,4 +1,4 @@
-Random r = new Random();
+Random r = new Random(); // BAD: Random is not cryptographically secure
 
 byte[] bytes = new byte[16];
 r.nextBytes(bytes);
diff --git a/java/ql/src/Security/CWE/CWE-330/examples/SecureRandomnessCookie.java b/java/ql/src/Security/CWE/CWE-330/examples/SecureRandomnessCookie.java
@@ -1,4 +1,4 @@
-SecureRandom r = new SecureRandom();
+SecureRandom r = new SecureRandom(); // GOOD: SecureRandom is cryptographically secure
 
 byte[] bytes = new byte[16];
 r.nextBytes(bytes);
diff --git a/java/ql/src/Security/CWE/CWE-367/TOCTOURace.java b/java/ql/src/Security/CWE/CWE-367/TOCTOURace.java
@@ -12,14 +12,14 @@ public synchronized void act() {
 	
 public synchronized void bad(Resource r) {
 	if (r.isReady()) {
-		// r might no longer be ready, another thread might
+		// BAD: r might no longer be ready, another thread might
 		// have called setReady(false)
 		r.act();
 	}
 }
 
 public synchronized void good(Resource r) {
-	synchronized(r) {
+	synchronized(r) { // GOOD: r is locked
 		if (r.isReady()) {
 			r.act();
 		}
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserializationBad.java b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserializationBad.java
@@ -7,6 +7,6 @@
 
 public MyObject deserialize(Socket sock) {
   try(ObjectInputStream in = new ObjectInputStream(sock.getInputStream())) {
-    return (MyObject)in.readObject(); // unsafe
+    return (MyObject)in.readObject(); // BAD: in is from untrusted source
   }
 }
diff --git a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserializationGood.java b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserializationGood.java
@@ -1,5 +1,5 @@
 public MyObject deserialize(Socket sock) {
   try(DataInputStream in = new DataInputStream(sock.getInputStream())) {
-    return new MyObject(in.readInt());
+    return new MyObject(in.readInt()); // GOOD: read only an int
   }
 }
diff --git a/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdap.java b/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdap.java
@@ -1,3 +1,4 @@
+// BAD: LDAP authentication is used
 String ldapUrl = "ldap://ad.your-server.com:389";
 Hashtable<String, String> environment = new Hashtable<String, String>();
 environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
diff --git a/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdaps.java b/java/ql/src/Security/CWE/CWE-522/LdapAuthUseLdaps.java
@@ -1,3 +1,4 @@
+// GOOD: LDAP connection using LDAPS
 String ldapUrl = "ldaps://ad.your-server.com:636";
 Hashtable<String, String> environment = new Hashtable<String, String>();
 environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
diff --git a/java/ql/src/Security/CWE/CWE-522/LdapEnableSasl.java b/java/ql/src/Security/CWE/CWE-522/LdapEnableSasl.java
@@ -1,3 +1,4 @@
+// GOOD: LDAP is used but SASL authentication is enabled
 String ldapUrl = "ldap://ad.your-server.com:389";
 Hashtable<String, String> environment = new Hashtable<String, String>();
 environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
diff --git a/java/ql/src/Security/CWE/CWE-611/XXEBad.java b/java/ql/src/Security/CWE/CWE-611/XXEBad.java
@@ -1,5 +1,5 @@
 public void parse(Socket sock) throws Exception {
   DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
   DocumentBuilder builder = factory.newDocumentBuilder();
-  builder.parse(sock.getInputStream()); //unsafe
+  builder.parse(sock.getInputStream()); // BAD: DTD parsing is enabled
 }
diff --git a/java/ql/src/Security/CWE/CWE-611/XXEGood.java b/java/ql/src/Security/CWE/CWE-611/XXEGood.java
@@ -2,5 +2,5 @@ public void disableDTDParse(Socket sock) throws Exception {
   DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
   factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
   DocumentBuilder builder = factory.newDocumentBuilder();
-  builder.parse(sock.getInputStream()); //safe
+  builder.parse(sock.getInputStream()); // GOOD: DTD parsing is disabled
 }
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedAWSCredentials.java b/java/ql/src/Security/CWE/CWE-798/HardcodedAWSCredentials.java
@@ -3,7 +3,7 @@
 
 public class HardcodedAWSCredentials {
 	public static void main(String[] args) {
-		//Hardcoded credentials for connecting to AWS services
+		// BAD: Hardcoded credentials for connecting to AWS services
 		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead 
 		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY"); //sensitive call
 	}
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.java b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.java
@@ -1,8 +1,8 @@
-private static final String p = "123456"; // hard-coded credential
+private static final String p = "123456"; // BAD: hard-coded credential
 
 public static void main(String[] args) throws SQLException {
     String url = "jdbc:mysql://localhost/test";
-    String u = "admin"; // hard-coded credential
+    String u = "admin"; // BAD: hard-coded credential
 
     getConn(url, u, p);
 }
diff --git a/java/ql/src/Security/CWE/CWE-835/InfiniteLoopBad.java b/java/ql/src/Security/CWE/CWE-835/InfiniteLoopBad.java
@@ -1,5 +1,5 @@
 for (int i=0; i<10; i++) {
-    for (int j=0; i<10; j++) {
+    for (int j=0; i<10; j++) { // BAD: Potential infinite loop: i should be j
         // do stuff
         if (shouldBreak()) break;
     }
diff --git a/java/ql/src/Security/CWE/CWE-835/InfiniteLoopGood.java b/java/ql/src/Security/CWE/CWE-835/InfiniteLoopGood.java
@@ -1,5 +1,5 @@
 for (int i=0; i<10; i++) {
-    for (int j=0; j<10; j++) {
+    for (int j=0; j<10; j++) { // GOOD: correct variable j
         // do stuff
         if (shouldBreak()) break;
     }
diff --git a/java/ql/src/Security/CWE/CWE-925/Bad.java b/java/ql/src/Security/CWE/CWE-925/Bad.java
@@ -1,6 +1,7 @@
 public class ShutdownReceiver extends BroadcastReceiver {
     @Override
     public void onReceive(final Context context, final Intent intent) {
+        // BAD: The code does not check if the intent is an ACTION_SHUTDOWN intent
         mainActivity.saveLocalData();
         mainActivity.stopActivity();
     }
diff --git a/java/ql/src/Security/CWE/CWE-925/Good.java b/java/ql/src/Security/CWE/CWE-925/Good.java
@@ -1,6 +1,7 @@
 public class ShutdownReceiver extends BroadcastReceiver {
     @Override
     public void onReceive(final Context context, final Intent intent) {
+        // GOOD: The code checks if the intent is an ACTION_SHUTDOWN intent
         if (!intent.getAction().equals(Intent.ACTION_SHUTDOWN)) {
             return;
         }
diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list
diff --git a/rust/ql/.gitattributes b/rust/ql/.gitattributes
diff --git a/rust/ql/lib/codeql/rust/elements/internal/TypeParamImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/TypeParamImpl.qll
diff --git a/rust/ql/lib/codeql/rust/frameworks/rusqlite.model.yml b/rust/ql/lib/codeql/rust/frameworks/rusqlite.model.yml
diff --git a/rust/ql/test/extractor-tests/utf8/ast.expected b/rust/ql/test/extractor-tests/utf8/ast.expected
diff --git a/rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.expected b/rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.expected
diff --git a/rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.ql b/rust/ql/test/library-tests/frameworks/rusqlite/Rusqlite.ql
diff --git a/rust/ql/test/library-tests/frameworks/rusqlite/cargo.toml.manual b/rust/ql/test/library-tests/frameworks/rusqlite/cargo.toml.manual
diff --git a/rust/ql/test/library-tests/frameworks/rusqlite/main.rs b/rust/ql/test/library-tests/frameworks/rusqlite/main.rs
diff --git a/rust/ql/test/library-tests/frameworks/rusqlite/options.yml b/rust/ql/test/library-tests/frameworks/rusqlite/options.yml
diff --git a/rust/ql/test/library-tests/path-resolution/path-resolution.expected b/rust/ql/test/library-tests/path-resolution/path-resolution.expected

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`public class PartialPathTraversalBad {`
`2`	`2`	`public void example(File dir, File parent) throws IOException {`
	`3`	`+ // BAD: dir.getCanonicalPath() not slash-terminated`
`3`	`4`	`if (!dir.getCanonicalPath().startsWith(parent.getCanonicalPath())) {`
`4`	`5`	`throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());`
`5`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`public class PartialPathTraversalGood {`
`4`	`4`	`public void example(File dir, File parent) throws IOException {`
	`5`	`+ // GOOD: Check if dir.Path() is normalised`
`5`	`6`	`if (!dir.toPath().normalize().startsWith(parent.toPath())) {`
`6`	`7`	`throw new IOException("Path traversal attempt: " + dir.getCanonicalPath());`
`7`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`WebSettings settings = webview.getSettings();`
`2`		`-settings.setJavaScriptEnabled(false);`
	`2`	`+settings.setJavaScriptEnabled(false); // GOOD: webview has JavaScript disabled`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`WebSettings settings = webview.getSettings();`
`2`		`-settings.setJavaScriptEnabled(true);`
	`2`	`+settings.setJavaScriptEnabled(true); // BAD: webview has JavaScript enabled`