github · atorralba · Jun 12, 2024
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The predicate `isAndroid` from the module `semmle.code.java.security.AndroidCertificatePinningQuery` has been deprecated. Use `semmle.code.java.frameworks.android.Android::isAndroid` instead.
@@ -0,0 +1,11 @@
+/** Definitions related to `io.swagger`. */
+
+import java
+private import semmle.code.xml.AndroidManifest
+
+/** An Android Manifest automatically generated by Swagger Codegen. */
+class SwaggerCodegenAndroidManifest extends AndroidManifestXmlFile {
+  SwaggerCodegenAndroidManifest() {
+    this.getManifestElement().getAttribute("package").getValue() = "io.swagger.client"
+  }
+}
@@ -4,6 +4,12 @@
 
 import java
 private import semmle.code.xml.AndroidManifest
+private import semmle.code.java.frameworks.Swagger
+
+/** Holds if this database is of an Android application. */
+predicate isAndroid() {
+  exists(AndroidManifestXmlFile m | not m instanceof SwaggerCodegenAndroidManifest)
+}
 
 /**
  * Gets a reflexive/transitive superType

@@ -6,6 +6,7 @@ import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Networking
 import semmle.code.java.security.Encryption
 import semmle.code.java.security.HttpsUrls
+private import semmle.code.java.frameworks.android.Android as Android
 
 /** An Android Network Security Configuration XML file. */
 class AndroidNetworkSecurityConfigFile extends XmlFile {
@@ -19,8 +20,12 @@ class AndroidNetworkSecurityConfigFile extends XmlFile {
   }
 }
 
-/** Holds if this database is of an Android application. */
-predicate isAndroid() { exists(AndroidManifestXmlFile m) }
+/**
+ * DEPRECATED. Use `semmle.code.java.frameworks.android.Android::isAndroid` instead.
+ *
+ * Holds if this database is of an Android application.
+ */
+deprecated predicate isAndroid() { Android::isAndroid() }
 
 /** Holds if the given domain name is trusted by the Network Security Configuration XML file. */
 private predicate trustedDomainViaXml(string domainName) {
@@ -122,7 +127,7 @@ private module UntrustedUrlFlow = TaintTracking::Global<UntrustedUrlConfig>;
 
 /** Holds if `node` is a network communication call for which certificate pinning is not implemented. */
 predicate missingPinning(MissingPinningSink node, string domain) {
-  isAndroid() and
+  Android::isAndroid() and
   exists(DataFlow::Node src | UntrustedUrlFlow::flow(src, node) |
     if trustedDomain(_) then domain = getDomain(src.asExpr()) else domain = ""
   )

@@ -10,12 +10,12 @@
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.frameworks.android.Android
 
 private class AndroidFilesystemCleartextStorageSink extends CleartextStorageSink {
   AndroidFilesystemCleartextStorageSink() {
     filesystemInput(_, this.asExpr()) and
-    // Make sure we are in an Android application.
-    exists(AndroidManifestXmlFile manifest)
+    isAndroid()
   }
 }
 

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The heuristic to enable certain Android queries has been improved. Now it ignores Android Manifests generated by [Swagger Codegen](https://github.com/swagger-api/swagger-codegen).