Cover missing XSS vulnerability

[jeongsoolee09]

What this PR contributes

Cover new XSS vulnerability

Cover an XSS vulnerability previously not covered, which required these changes:

• Function arguments to some UI5 functions such as sap.ui.core.routing.Target.attachDisplay should also be recognized as EventHandlers, on top of the methods of custom controllers.
  • Note that there is a new DisplayEventHandler class extending the EventHandlers class, which covers the above sap.ui.core.routing.Target.attachDisplay.
• Modeling from the second argument of sap.base.i18n.ResourceBundle.getText to its return value should be recognized.
• PropertyMetadata.getARead, and PropertyMetadata.getAWrite should be more restricted to remove spurious flows.
  • Fixed bugs induced by this change.

Add new tests

• A test to check if all event handlers are being captured: event_handlers.ql
• A test to check if all valid handlers and only them are being captured: property_getter_setter.ql

Bump versions

• Bump versions across UI5 qlpack.yml from 0.5.0 to 0.6.0.

Limitations

The two APIs, sap.ui.core.routing.Target.attachDisplay and sap.base.i18n.ResourceBundle.getText, cannot be expressed as MaD rows since the type of the object that this points to cannot be resolved using MaD. The former is obtained via access path this.getOwnerComponent().getRouter().getTarget("...").attachDisplay() and the latter via this.getOwnerComponent().getModel("...").getResourceBundle(). Here, both this points to the sap.ui.core.Component that is being imported, and the relationship between the two cannot be automatically resolved through the mechanism used in MaD.

Future Work

If possible:

• Recognize all other APIs similar to sap.base.i18n.ResourceBundle.getText and sap.ui.core.routing.Target.attachDisplay, respectively.

[mbaluda]

Looks good to me!
You could add a test for the added flow steps