Waiting for #4771 before reviewing this

Hi @intrigus-lgtm. It looks like #4771 has been merged. Are you able to rebase this now?

@kevinbackhouse sure! But I don't have time right now, probably later this day.

@kevinbackhouse @smowton this has been rebased :)

How about instead of implementing custom logic for barrier guards to pick out the various "if(acceptAllCertificates) ..." cases, we treat context.getSocketFactory as the sink and init(...) as a taint propagator? That way we'll pick out cases where the if(acceptAll) ... logic happens in a parent function, while the flow from instantiating a bad trust manager to calling context.init happens entirely within a child function. By lengthening the passage of code we consider as the source -> sink path, we should be able to use Configuraton.isBarrierGuard/isSanitizerGuard instead of implementing our own guard.controls logic.

How strong do you feel about this?
If you want this changed, I guess this should change as well?
https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql#L109-L152

@smowton I applied most of your suggestions besides to suggestions in the .qhelp file.
Let me know your thoughts as this section is very similar to the InsecureHostnameVerification.qhelp file.

Suggestions on the barrier stuff are also unresolved, as it is not yet clear how we want to proceed.

OK, if you don't want to pursue that you don't have to; I'll start a benchmark run with the query as-is

There are also various unaddressed comments here. They don't all have to be applied, but please do respond to them

Will do, but I'm currently lacking a continuous chunk of time needed for evaluating the barrier guard stuff which could make some comments outdated.

👋🏻 I've removed myself as a reviewer so that I don't get nagged about reviewing this PR every morning 😄

@github/codeql-java When this is ready for a docs team review, please ping the new @github/docs-content-codeql team and a member of the team will be in touch.

Sorry for the long wait.

I've experimented a bit with the query.

1. A query without any filtering, run only on projects that were previously identified when run on all of lgtm.com.
   557 of 557 hits.
2. A query with all filtering applied, that is, filtering based on source/sink enclosing callable name and filtering based on flag guards.
   473 of 551 hits.
3. A query with partial filtering, that is, only filtering based on flag guards.
   528 of 551 hits.
4. A query based on this idea with no filtering.
   400 of 551 hits.
5. A query based on this idea with partial filtering, that is, only filtering based on flag guards.
   387 of 551 hits.

With filtering on flag guards I mean code like this:

Re:

1. Nothing unexpected here.
2. It would be possible to further reduce the number of hits, by improving the filtering based on source/sink names.
3. This shows a small reduction of hits. It has the big advantage that I don't have to guess the intention of the developer.
   In the case of source/sink filtering, if a method is named disableSSLSecurity, why is it named this way?
   a) This method may be for external (=user controlled) consumption only. This should not be detected.
   b) The dev wanted to create a re-usable method (for their code only) and always calls it. This should be detected.
   But I'm pretty sure that it's not possible to differentiate between a) and b), because how would one determine whether something is for external consumption?
4. This shows a reduction, although there are probably sinks where the sink is not sslContext.getSocketFactory() but a call to another API that only receives the sslContext.
5. A small further reduction.

Links for the query runs have been privately shared with @smowton.

Which version do you want to submit for consideration for a bounty?

Which version do you want to submit for consideration for a bounty?

The best one :D

But I don't know what you would consider best.
Approach 2 can likely be tuned to filter most results that are likely FPs, but the downside would be that it may also filter TPs.
3 has more FPs by design but will likely not loose TPs.
4 & 5 don't really show a reduction of FPs. Just an overall reduction of results, I think.

I don't have the time to assess 5 variants to decide which is best -- you should pick one. To assess which is doing a better job you could use the LGTM API to determine which projects differ between the different versions and take a closer look at those ones. Then you'll know whether version 4 or 5 is actually useful or whether your guess that they're just producing less results is correct.

Rebased.