From a73f142a1e967e52032ef0ccb07b8291024cf40b Mon Sep 17 00:00:00 2001 From: Mauro Baluda Date: Wed, 28 Feb 2024 01:26:46 +0100 Subject: [PATCH 1/3] Separate CAP from non-CAP alerts --- .../javascript/frameworks/cap/CDS.qll | 4 +- .../cap/src/loginjection/LogInjection.ql | 21 ++- .../cap/src/sqlinjection/SqlInjection.ql | 22 +-- .../loginjection/loginjection.expected | 118 +++++++++---- .../test/queries/loginjection/loginjection.js | 40 +++-- .../sqlinjection/sqlinjection.expected | 162 +++++++++--------- .../test/queries/sqlinjection/sqlinjection.js | 60 ++++--- 7 files changed, 253 insertions(+), 174 deletions(-) diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll index 633bf73d3..57a39c6ce 100644 --- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll +++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll @@ -106,7 +106,7 @@ module CDS { * ``` * not sure how else to know which service is registering the handler */ - class RequestSource extends EventPhaseNodeParam { + class RequestSource extends EventPhaseNodeParam, RemoteFlowSource { RequestSource() { // TODO : consider - do we need to actually ever know which service the handler is associated to? exists(UserDefinedApplicationService svc, FunctionNode init | @@ -119,6 +119,8 @@ module CDS { this.getEventPhaseNode().getEnclosingFunction() = pa.getFunction() ) } + + override string getSourceType() { result = "CAP request source" } } class ApplicationService extends API::Node { diff --git a/javascript/frameworks/cap/src/loginjection/LogInjection.ql b/javascript/frameworks/cap/src/loginjection/LogInjection.ql index 7e8b3f53a..ac8ff23ed 100644 --- a/javascript/frameworks/cap/src/loginjection/LogInjection.ql +++ b/javascript/frameworks/cap/src/loginjection/LogInjection.ql 
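Review bot: Declaring `RequestSource` a `RemoteFlowSource` marks the whole handler parameter as remote input, so every property read from `req` becomes tainted for all queries that consume `RemoteFlowSource`, not only the payload. That presumably includes values the framework fills in itself, such as `req.user` or `req.tenant`; confirm this against the CAP request API. If only the payload is meant, consider narrowing the source to the relevant property reads, or record the decision in the class QLDoc, for example `* Also a RemoteFlowSource: the entire request parameter is treated as user-controlled by the standard queries.` Part of the characteristic predicate lies between the two hunks and is not visible here.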
@@ -1,10 +1,10 @@ /** - * @name Uncontrolled data in logging call + * @name CAP Log injection * @description Building log entries from user-controlled sources is vulnerable to * insertion of forged log entries by a malicious user. * @kind path-problem * @problem.severity error - * @security-severity 7.8 + * @security-severity 6.1 * @precision medium * @id js/cap-log-injection * @tags security @@ -16,16 +16,19 @@ import semmle.javascript.security.dataflow.LogInjectionQuery import advanced_security.javascript.frameworks.cap.CDS /** - * A source of remote user controlled input. + * A taint-tracking configuration for untrusted user input used in log entries. */ -class CapRemoteSource extends Source, CDS::RequestSource { } +class CapLogIConfiguration extends TaintTracking::Configuration { + CapLogIConfiguration() { this = "CapLogInjection" } -/** - * An argument to a logging mechanism. - */ -class CapLoggingSink extends Sink, CDS::CdsLogSink { } + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof CDS::CdsLogSink } + + override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer } +} -from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink +from CapLogIConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink where config.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Log entry depends on a $@.", source.getNode(), "user-provided value" diff --git a/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql b/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql index ed3e6a0b5..bbb614fd6 100644 --- a/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql +++ b/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql 
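Review bot: Importing `LogInjectionQuery` keeps the upstream `Configuration` in scope next to the new `CapLogIConfiguration`, and through the shared `DataFlow::PathGraph` its paths appear to end up in this query's `nodes`/`edges`. The updated loginjection.expected lists `"console:" + book` path nodes although `#select` reports only the `CdsLogSink` results. That costs evaluation time and makes the expected file sensitive to upstream changes unrelated to CAP. If the library offers the `Source`/`Sanitizer` classes without the configuration, import that instead; otherwise add a comment such as `// LogInjectionQuery also instantiates the upstream Configuration; only CapLogIConfiguration is selected below`.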
@@ -1,6 +1,6 @@ /** - * @name Database query built from user-controlled sources with additional heuristic sources - * @description Building a database query from user-controlled sources is vulnerable to insertion of + * @name CQL query built from user-controlled sources + * @description Building a CQL query from user-controlled sources is vulnerable to insertion of * malicious code by the user. * @kind path-problem * @problem.severity error @@ -13,18 +13,18 @@ import javascript import DataFlow::PathGraph import semmle.javascript.security.dataflow.SqlInjectionCustomizations::SqlInjection -import advanced_security.javascript.frameworks.cap.CDS import advanced_security.javascript.frameworks.cap.CQL -class Configuration extends TaintTracking::Configuration { - Configuration() { this = "CapSqlInjection" } +class CapSqlIConfiguration extends TaintTracking::Configuration { + CapSqlIConfiguration() { this = "CapSqlInjection" } - override predicate isSource(DataFlow::Node source) { - source instanceof Source or source instanceof CDS::RequestSource - } + override predicate isSource(DataFlow::Node source) { source instanceof Source } + + override predicate isSink(DataFlow::Node sink) { sink instanceof CQL::CQLSink } - override predicate isSink(DataFlow::Node sink) { - sink instanceof Sink or sink instanceof CQL::CQLSink + override predicate isSanitizer(DataFlow::Node node) { + super.isSanitizer(node) or + node instanceof Sanitizer } override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) { @@ -42,7 +42,7 @@ class Configuration extends TaintTracking::Configuration { } } -from Configuration sql, DataFlow::PathNode source, DataFlow::PathNode sink +from CapSqlIConfiguration sql, DataFlow::PathNode source, DataFlow::PathNode sink where sql.hasFlowPath(source, sink) select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(), "user-provided value" 
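Review bot: With `isSource` reduced to `source instanceof Source` and the explicit `import advanced_security.javascript.frameworks.cap.CDS` removed, CAP handler parameters are covered only while `CDS::RequestSource` is still pulled in transitively (presumably through `CQL`, which is not visible here). If that transitive import ever goes away, the query would likely still compile and silently stop reporting flows from CAP requests. Keeping `import advanced_security.javascript.frameworks.cap.CDS` makes the dependency explicit. `CapSqlIConfiguration` also lacks the QLDoc its log-injection counterpart received, e.g. `/** A taint-tracking configuration for untrusted user input used in CQL queries. */`. The class body continues between the second and third hunk.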
diff --git a/javascript/frameworks/cap/test/queries/loginjection/loginjection.expected b/javascript/frameworks/cap/test/queries/loginjection/loginjection.expected index fe4ed52a1..bbbbfd3f0 100644 --- a/javascript/frameworks/cap/test/queries/loginjection/loginjection.expected +++ b/javascript/frameworks/cap/test/queries/loginjection/loginjection.expected 
@@ -1,37 +1,87 @@ nodes -| loginjection.js:7:33:7:35 | req | -| loginjection.js:7:33:7:35 | req | -| loginjection.js:8:11:8:25 | {book,quantity} | -| loginjection.js:8:11:8:36 | book | -| loginjection.js:8:12:8:15 | book | -| loginjection.js:8:29:8:31 | req | -| loginjection.js:8:29:8:36 | req.data | -| loginjection.js:11:14:11:26 | "test" + book | -| loginjection.js:11:14:11:26 | "test" + book | -| loginjection.js:11:23:11:26 | book | -| loginjection.js:14:22:14:24 | req | -| loginjection.js:14:22:14:24 | req | -| loginjection.js:17:11:17:22 | $ | -| loginjection.js:17:15:17:17 | req | -| loginjection.js:17:15:17:22 | req.data | -| loginjection.js:17:45:17:45 | $ | -| loginjection.js:17:45:17:45 | $ | +| loginjection.js:7:34:7:36 | req | +| loginjection.js:7:34:7:36 | req | +| loginjection.js:7:34:7:36 | req | +| loginjection.js:7:34:7:36 | req | +| loginjection.js:8:13:8:30 | { book, quantity } | +| loginjection.js:8:13:8:30 | { book, quantity } | +| loginjection.js:8:13:8:41 | book | +| loginjection.js:8:13:8:41 | book | +| loginjection.js:8:15:8:18 | book | +| loginjection.js:8:15:8:18 | book | +| loginjection.js:8:34:8:36 | req | +| loginjection.js:8:34:8:36 | req | +| loginjection.js:8:34:8:41 | req.data | +| loginjection.js:8:34:8:41 | req.data | +| loginjection.js:11:16:11:28 | "CAP:" + book | +| loginjection.js:11:16:11:28 | "CAP:" + book | +| loginjection.js:11:25:11:28 | book | +| loginjection.js:12:19:12:35 | "console:" + book | +| loginjection.js:12:19:12:35 | "console:" + book | +| loginjection.js:12:32:12:35 | book | +| loginjection.js:15:24:15:26 | req | +| loginjection.js:15:24:15:26 | req | +| loginjection.js:18:13:18:24 | $ | +| loginjection.js:18:17:18:19 | req | +| loginjection.js:18:17:18:24 | req.data | +| loginjection.js:18:47:18:47 | $ | +| loginjection.js:18:47:18:47 | $ | +| loginjection.js:23:13:23:30 | { book, quantity } | +| loginjection.js:23:13:23:30 | { book, quantity } | +| loginjection.js:23:13:23:53 | book | +| 
loginjection.js:23:13:23:53 | book | +| loginjection.js:23:15:23:18 | book | +| loginjection.js:23:15:23:18 | book | +| loginjection.js:23:34:23:53 | req2.params.category | +| loginjection.js:23:34:23:53 | req2.params.category | +| loginjection.js:23:34:23:53 | req2.params.category | +| loginjection.js:23:34:23:53 | req2.params.category | +| loginjection.js:25:16:25:28 | "CAP:" + book | +| loginjection.js:25:16:25:28 | "CAP:" + book | +| loginjection.js:25:25:25:28 | book | +| loginjection.js:26:19:26:35 | "console:" + book | +| loginjection.js:26:19:26:35 | "console:" + book | +| loginjection.js:26:32:26:35 | book | edges -| loginjection.js:7:33:7:35 | req | loginjection.js:8:29:8:31 | req | -| loginjection.js:7:33:7:35 | req | loginjection.js:8:29:8:31 | req | -| loginjection.js:8:11:8:25 | {book,quantity} | loginjection.js:8:12:8:15 | book | -| loginjection.js:8:11:8:36 | book | loginjection.js:11:23:11:26 | book | -| loginjection.js:8:12:8:15 | book | loginjection.js:8:11:8:36 | book | -| loginjection.js:8:29:8:31 | req | loginjection.js:8:29:8:36 | req.data | -| loginjection.js:8:29:8:36 | req.data | loginjection.js:8:11:8:25 | {book,quantity} | -| loginjection.js:11:23:11:26 | book | loginjection.js:11:14:11:26 | "test" + book | -| loginjection.js:11:23:11:26 | book | loginjection.js:11:14:11:26 | "test" + book | -| loginjection.js:14:22:14:24 | req | loginjection.js:17:15:17:17 | req | -| loginjection.js:14:22:14:24 | req | loginjection.js:17:15:17:17 | req | -| loginjection.js:17:11:17:22 | $ | loginjection.js:17:45:17:45 | $ | -| loginjection.js:17:11:17:22 | $ | loginjection.js:17:45:17:45 | $ | -| loginjection.js:17:15:17:17 | req | loginjection.js:17:15:17:22 | req.data | -| loginjection.js:17:15:17:22 | req.data | loginjection.js:17:11:17:22 | $ | +| loginjection.js:7:34:7:36 | req | loginjection.js:8:34:8:36 | req | +| loginjection.js:7:34:7:36 | req | loginjection.js:8:34:8:36 | req | +| loginjection.js:7:34:7:36 | req | loginjection.js:8:34:8:36 | 
req | +| loginjection.js:7:34:7:36 | req | loginjection.js:8:34:8:36 | req | +| loginjection.js:8:13:8:30 | { book, quantity } | loginjection.js:8:15:8:18 | book | +| loginjection.js:8:13:8:30 | { book, quantity } | loginjection.js:8:15:8:18 | book | +| loginjection.js:8:13:8:41 | book | loginjection.js:11:25:11:28 | book | +| loginjection.js:8:13:8:41 | book | loginjection.js:12:32:12:35 | book | +| loginjection.js:8:15:8:18 | book | loginjection.js:8:13:8:41 | book | +| loginjection.js:8:15:8:18 | book | loginjection.js:8:13:8:41 | book | +| loginjection.js:8:34:8:36 | req | loginjection.js:8:34:8:41 | req.data | +| loginjection.js:8:34:8:36 | req | loginjection.js:8:34:8:41 | req.data | +| loginjection.js:8:34:8:41 | req.data | loginjection.js:8:13:8:30 | { book, quantity } | +| loginjection.js:8:34:8:41 | req.data | loginjection.js:8:13:8:30 | { book, quantity } | +| loginjection.js:11:25:11:28 | book | loginjection.js:11:16:11:28 | "CAP:" + book | +| loginjection.js:11:25:11:28 | book | loginjection.js:11:16:11:28 | "CAP:" + book | +| loginjection.js:12:32:12:35 | book | loginjection.js:12:19:12:35 | "console:" + book | +| loginjection.js:12:32:12:35 | book | loginjection.js:12:19:12:35 | "console:" + book | +| loginjection.js:15:24:15:26 | req | loginjection.js:18:17:18:19 | req | +| loginjection.js:15:24:15:26 | req | loginjection.js:18:17:18:19 | req | +| loginjection.js:18:13:18:24 | $ | loginjection.js:18:47:18:47 | $ | +| loginjection.js:18:13:18:24 | $ | loginjection.js:18:47:18:47 | $ | +| loginjection.js:18:17:18:19 | req | loginjection.js:18:17:18:24 | req.data | +| loginjection.js:18:17:18:24 | req.data | loginjection.js:18:13:18:24 | $ | +| loginjection.js:23:13:23:30 | { book, quantity } | loginjection.js:23:15:23:18 | book | +| loginjection.js:23:13:23:30 | { book, quantity } | loginjection.js:23:15:23:18 | book | +| loginjection.js:23:13:23:53 | book | loginjection.js:25:25:25:28 | book | +| loginjection.js:23:13:23:53 | book | 
loginjection.js:26:32:26:35 | book | +| loginjection.js:23:15:23:18 | book | loginjection.js:23:13:23:53 | book | +| loginjection.js:23:15:23:18 | book | loginjection.js:23:13:23:53 | book | +| loginjection.js:23:34:23:53 | req2.params.category | loginjection.js:23:13:23:30 | { book, quantity } | +| loginjection.js:23:34:23:53 | req2.params.category | loginjection.js:23:13:23:30 | { book, quantity } | +| loginjection.js:23:34:23:53 | req2.params.category | loginjection.js:23:13:23:30 | { book, quantity } | +| loginjection.js:23:34:23:53 | req2.params.category | loginjection.js:23:13:23:30 | { book, quantity } | +| loginjection.js:25:25:25:28 | book | loginjection.js:25:16:25:28 | "CAP:" + book | +| loginjection.js:25:25:25:28 | book | loginjection.js:25:16:25:28 | "CAP:" + book | +| loginjection.js:26:32:26:35 | book | loginjection.js:26:19:26:35 | "console:" + book | +| loginjection.js:26:32:26:35 | book | loginjection.js:26:19:26:35 | "console:" + book | #select -| loginjection.js:11:14:11:26 | "test" + book | loginjection.js:7:33:7:35 | req | loginjection.js:11:14:11:26 | "test" + book | Log entry depends on a $@. | loginjection.js:7:33:7:35 | req | user-provided value | -| loginjection.js:17:45:17:45 | $ | loginjection.js:14:22:14:24 | req | loginjection.js:17:45:17:45 | $ | Log entry depends on a $@. | loginjection.js:14:22:14:24 | req | user-provided value | +| loginjection.js:11:16:11:28 | "CAP:" + book | loginjection.js:7:34:7:36 | req | loginjection.js:11:16:11:28 | "CAP:" + book | Log entry depends on a $@. | loginjection.js:7:34:7:36 | req | user-provided value | +| loginjection.js:18:47:18:47 | $ | loginjection.js:15:24:15:26 | req | loginjection.js:18:47:18:47 | $ | Log entry depends on a $@. | loginjection.js:15:24:15:26 | req | user-provided value | +| loginjection.js:25:16:25:28 | "CAP:" + book | loginjection.js:23:34:23:53 | req2.params.category | loginjection.js:25:16:25:28 | "CAP:" + book | Log entry depends on a $@. 
| loginjection.js:23:34:23:53 | req2.params.category | user-provided value | diff --git a/javascript/frameworks/cap/test/queries/loginjection/loginjection.js b/javascript/frameworks/cap/test/queries/loginjection/loginjection.js index 788741bf8..c7f83cda1 100644 --- a/javascript/frameworks/cap/test/queries/loginjection/loginjection.js +++ b/javascript/frameworks/cap/test/queries/loginjection/loginjection.js @@ -1,22 +1,32 @@ import cds from '@sap/cds' -const { Books } = cds.entities ('sap.capire.bookshop') +const { Books } = cds.entities('sap.capire.bookshop') -class SampleVulnService extends cds.ApplicationService { init(){ +class SampleVulnService extends cds.ApplicationService { + init() { + // contains a sample log injection + this.on('submitOrder', async req => { + const { book, quantity } = req.data - // contains a sample log injection - this.on ('submitOrder', async req => { - const {book,quantity} = req.data + const LOG = cds.log("nodejs"); + LOG.info("CAP:" + book); // CAP log injection alert + console.log("console:" + book); // non-CAP Log injection alert + }) - const LOG = cds.log("nodejs"); - LOG.info("test" + book); // Log injection alert - }) + this.on('format', (req) => { + const cds2 = require('@sap/cds/lib') + const LOG = cds2.log('cds.log') + const $ = req.data; LOG.info('format:', $) // CAP log injection alert + }) - this.on('format', (req) => { - const cds2 = require ('@sap/cds/lib') - const LOG = cds2.log('cds.log') - const $ = req.data; LOG.info('format:', $) // Log injection alert - }) + const app = require("express")(); + app.get("search", function handler(req2, res) { + const { book, quantity } = req2.params.category + const LOG = cds.log("nodejs"); + LOG.info("CAP:" + book); // CAP log injection alert from non-CAP source + console.log("console:" + book); // non-CAP Log injection alert from non-CAP source + }); - return super.init() -}} + return super.init() + } +} export { SampleVulnService } 
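Review bot: The new `console.log("console:" + book)` lines are commented as `non-CAP Log injection alert`, but nothing in this test asserts that the standard query fires on a CAP source. The updated loginjection.expected only records results of the CAP query, and its `#select` has no `console.log` row. The same holds for the `pool.query(...)` cases added to sqlinjection.js. Since routing these flows to the standard queries is the purpose of the `RemoteFlowSource` change, a test that runs the upstream query over this fixture would catch a regression there. Until then the comments could read `// expected from the standard js/log-injection query, not asserted here`.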
diff --git a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected index 39a9faf48..de9e6eadc 100644 --- a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected +++ b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected 
@@ -1,84 +1,84 @@ nodes -| sqlinjection.js:7:33:7:35 | req | -| sqlinjection.js:7:33:7:35 | req | -| sqlinjection.js:8:11:8:25 | {book,quantity} | -| sqlinjection.js:8:11:8:36 | book | -| sqlinjection.js:8:12:8:15 | book | -| sqlinjection.js:8:29:8:31 | req | -| sqlinjection.js:8:29:8:36 | req.data | -| sqlinjection.js:12:9:12:57 | query | -| sqlinjection.js:12:17:12:57 | SELECT. ... book}`) | -| sqlinjection.js:12:45:12:56 | `ID=${book}` | -| sqlinjection.js:12:51:12:54 | book | -| sqlinjection.js:13:35:13:39 | query | -| sqlinjection.js:13:35:13:39 | query | -| sqlinjection.js:15:25:15:65 | SELECT. ... book}`) | -| sqlinjection.js:15:25:15:65 | SELECT. ... book}`) | -| sqlinjection.js:15:53:15:64 | `ID=${book}` | -| sqlinjection.js:15:59:15:62 | book | -| sqlinjection.js:17:9:17:56 | query2 | -| sqlinjection.js:17:18:17:56 | SELECT. ... '+book) | -| sqlinjection.js:17:46:17:55 | 'ID='+book | -| sqlinjection.js:17:52:17:55 | book | -| sqlinjection.js:18:36:18:41 | query2 | -| sqlinjection.js:18:36:18:41 | query2 | -| sqlinjection.js:20:25:20:63 | SELECT. ... '+book) | -| sqlinjection.js:20:25:20:63 | SELECT. ... '+book) | -| sqlinjection.js:20:53:20:62 | 'ID='+book | -| sqlinjection.js:20:59:20:62 | book | -| sqlinjection.js:27:9:27:60 | cqn | -| sqlinjection.js:27:15:27:60 | CQL`SEL ... + book | -| sqlinjection.js:27:57:27:60 | book | -| sqlinjection.js:28:38:28:40 | cqn | -| sqlinjection.js:28:38:28:40 | cqn | -| sqlinjection.js:30:9:30:58 | cqn1 | -| sqlinjection.js:30:16:30:58 | cds.par ... + book) | -| sqlinjection.js:30:31:30:57 | `SELECT ... 
`+ book | -| sqlinjection.js:30:54:30:57 | book | -| sqlinjection.js:31:38:31:41 | cqn1 | -| sqlinjection.js:31:38:31:41 | cqn1 | +| sqlinjection.js:7:34:7:36 | req | +| sqlinjection.js:7:34:7:36 | req | +| sqlinjection.js:8:13:8:30 | { book, quantity } | +| sqlinjection.js:8:13:8:41 | book | +| sqlinjection.js:8:15:8:18 | book | +| sqlinjection.js:8:34:8:36 | req | +| sqlinjection.js:8:34:8:41 | req.data | +| sqlinjection.js:12:11:12:56 | query | +| sqlinjection.js:12:19:12:56 | SELECT. ... book}`) | +| sqlinjection.js:12:44:12:55 | `ID=${book}` | +| sqlinjection.js:12:50:12:53 | book | +| sqlinjection.js:13:36:13:40 | query | +| sqlinjection.js:13:36:13:40 | query | +| sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| sqlinjection.js:15:52:15:63 | `ID=${book}` | +| sqlinjection.js:15:58:15:61 | book | +| sqlinjection.js:17:11:17:57 | query2 | +| sqlinjection.js:17:20:17:57 | SELECT. ... + book) | +| sqlinjection.js:17:45:17:56 | 'ID=' + book | +| sqlinjection.js:17:53:17:56 | book | +| sqlinjection.js:18:37:18:42 | query2 | +| sqlinjection.js:18:37:18:42 | query2 | +| sqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| sqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| sqlinjection.js:20:52:20:63 | 'ID=' + book | +| sqlinjection.js:20:60:20:63 | book | +| sqlinjection.js:27:11:27:62 | cqn | +| sqlinjection.js:27:17:27:62 | CQL`SEL ... + book | +| sqlinjection.js:27:59:27:62 | book | +| sqlinjection.js:28:39:28:41 | cqn | +| sqlinjection.js:28:39:28:41 | cqn | +| sqlinjection.js:30:11:30:60 | cqn1 | +| sqlinjection.js:30:18:30:60 | cds.par ... + book) | +| sqlinjection.js:30:32:30:59 | `SELECT ... 
+ book | +| sqlinjection.js:30:56:30:59 | book | +| sqlinjection.js:31:39:31:42 | cqn1 | +| sqlinjection.js:31:39:31:42 | cqn1 | edges -| sqlinjection.js:7:33:7:35 | req | sqlinjection.js:8:29:8:31 | req | -| sqlinjection.js:7:33:7:35 | req | sqlinjection.js:8:29:8:31 | req | -| sqlinjection.js:8:11:8:25 | {book,quantity} | sqlinjection.js:8:12:8:15 | book | -| sqlinjection.js:8:11:8:36 | book | sqlinjection.js:12:51:12:54 | book | -| sqlinjection.js:8:11:8:36 | book | sqlinjection.js:15:59:15:62 | book | -| sqlinjection.js:8:11:8:36 | book | sqlinjection.js:17:52:17:55 | book | -| sqlinjection.js:8:11:8:36 | book | sqlinjection.js:20:59:20:62 | book | -| sqlinjection.js:8:11:8:36 | book | sqlinjection.js:27:57:27:60 | book | -| sqlinjection.js:8:11:8:36 | book | sqlinjection.js:30:54:30:57 | book | -| sqlinjection.js:8:12:8:15 | book | sqlinjection.js:8:11:8:36 | book | -| sqlinjection.js:8:29:8:31 | req | sqlinjection.js:8:29:8:36 | req.data | -| sqlinjection.js:8:29:8:36 | req.data | sqlinjection.js:8:11:8:25 | {book,quantity} | -| sqlinjection.js:12:9:12:57 | query | sqlinjection.js:13:35:13:39 | query | -| sqlinjection.js:12:9:12:57 | query | sqlinjection.js:13:35:13:39 | query | -| sqlinjection.js:12:17:12:57 | SELECT. ... book}`) | sqlinjection.js:12:9:12:57 | query | -| sqlinjection.js:12:45:12:56 | `ID=${book}` | sqlinjection.js:12:17:12:57 | SELECT. ... book}`) | -| sqlinjection.js:12:51:12:54 | book | sqlinjection.js:12:45:12:56 | `ID=${book}` | -| sqlinjection.js:15:53:15:64 | `ID=${book}` | sqlinjection.js:15:25:15:65 | SELECT. ... book}`) | -| sqlinjection.js:15:53:15:64 | `ID=${book}` | sqlinjection.js:15:25:15:65 | SELECT. ... book}`) | -| sqlinjection.js:15:59:15:62 | book | sqlinjection.js:15:53:15:64 | `ID=${book}` | -| sqlinjection.js:17:9:17:56 | query2 | sqlinjection.js:18:36:18:41 | query2 | -| sqlinjection.js:17:9:17:56 | query2 | sqlinjection.js:18:36:18:41 | query2 | -| sqlinjection.js:17:18:17:56 | SELECT. ... 
'+book) | sqlinjection.js:17:9:17:56 | query2 | -| sqlinjection.js:17:46:17:55 | 'ID='+book | sqlinjection.js:17:18:17:56 | SELECT. ... '+book) | -| sqlinjection.js:17:52:17:55 | book | sqlinjection.js:17:46:17:55 | 'ID='+book | -| sqlinjection.js:20:53:20:62 | 'ID='+book | sqlinjection.js:20:25:20:63 | SELECT. ... '+book) | -| sqlinjection.js:20:53:20:62 | 'ID='+book | sqlinjection.js:20:25:20:63 | SELECT. ... '+book) | -| sqlinjection.js:20:59:20:62 | book | sqlinjection.js:20:53:20:62 | 'ID='+book | -| sqlinjection.js:27:9:27:60 | cqn | sqlinjection.js:28:38:28:40 | cqn | -| sqlinjection.js:27:9:27:60 | cqn | sqlinjection.js:28:38:28:40 | cqn | -| sqlinjection.js:27:15:27:60 | CQL`SEL ... + book | sqlinjection.js:27:9:27:60 | cqn | -| sqlinjection.js:27:57:27:60 | book | sqlinjection.js:27:15:27:60 | CQL`SEL ... + book | -| sqlinjection.js:30:9:30:58 | cqn1 | sqlinjection.js:31:38:31:41 | cqn1 | -| sqlinjection.js:30:9:30:58 | cqn1 | sqlinjection.js:31:38:31:41 | cqn1 | -| sqlinjection.js:30:16:30:58 | cds.par ... + book) | sqlinjection.js:30:9:30:58 | cqn1 | -| sqlinjection.js:30:31:30:57 | `SELECT ... `+ book | sqlinjection.js:30:16:30:58 | cds.par ... + book) | -| sqlinjection.js:30:54:30:57 | book | sqlinjection.js:30:31:30:57 | `SELECT ... 
`+ book | +| sqlinjection.js:7:34:7:36 | req | sqlinjection.js:8:34:8:36 | req | +| sqlinjection.js:7:34:7:36 | req | sqlinjection.js:8:34:8:36 | req | +| sqlinjection.js:8:13:8:30 | { book, quantity } | sqlinjection.js:8:15:8:18 | book | +| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:12:50:12:53 | book | +| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:15:58:15:61 | book | +| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:17:53:17:56 | book | +| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:20:60:20:63 | book | +| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:27:59:27:62 | book | +| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:30:56:30:59 | book | +| sqlinjection.js:8:15:8:18 | book | sqlinjection.js:8:13:8:41 | book | +| sqlinjection.js:8:34:8:36 | req | sqlinjection.js:8:34:8:41 | req.data | +| sqlinjection.js:8:34:8:41 | req.data | sqlinjection.js:8:13:8:30 | { book, quantity } | +| sqlinjection.js:12:11:12:56 | query | sqlinjection.js:13:36:13:40 | query | +| sqlinjection.js:12:11:12:56 | query | sqlinjection.js:13:36:13:40 | query | +| sqlinjection.js:12:19:12:56 | SELECT. ... book}`) | sqlinjection.js:12:11:12:56 | query | +| sqlinjection.js:12:44:12:55 | `ID=${book}` | sqlinjection.js:12:19:12:56 | SELECT. ... book}`) | +| sqlinjection.js:12:50:12:53 | book | sqlinjection.js:12:44:12:55 | `ID=${book}` | +| sqlinjection.js:15:52:15:63 | `ID=${book}` | sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| sqlinjection.js:15:52:15:63 | `ID=${book}` | sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| sqlinjection.js:15:58:15:61 | book | sqlinjection.js:15:52:15:63 | `ID=${book}` | +| sqlinjection.js:17:11:17:57 | query2 | sqlinjection.js:18:37:18:42 | query2 | +| sqlinjection.js:17:11:17:57 | query2 | sqlinjection.js:18:37:18:42 | query2 | +| sqlinjection.js:17:20:17:57 | SELECT. ... + book) | sqlinjection.js:17:11:17:57 | query2 | +| sqlinjection.js:17:45:17:56 | 'ID=' + book | sqlinjection.js:17:20:17:57 | SELECT. ... 
+ book) | +| sqlinjection.js:17:53:17:56 | book | sqlinjection.js:17:45:17:56 | 'ID=' + book | +| sqlinjection.js:20:52:20:63 | 'ID=' + book | sqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| sqlinjection.js:20:52:20:63 | 'ID=' + book | sqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| sqlinjection.js:20:60:20:63 | book | sqlinjection.js:20:52:20:63 | 'ID=' + book | +| sqlinjection.js:27:11:27:62 | cqn | sqlinjection.js:28:39:28:41 | cqn | +| sqlinjection.js:27:11:27:62 | cqn | sqlinjection.js:28:39:28:41 | cqn | +| sqlinjection.js:27:17:27:62 | CQL`SEL ... + book | sqlinjection.js:27:11:27:62 | cqn | +| sqlinjection.js:27:59:27:62 | book | sqlinjection.js:27:17:27:62 | CQL`SEL ... + book | +| sqlinjection.js:30:11:30:60 | cqn1 | sqlinjection.js:31:39:31:42 | cqn1 | +| sqlinjection.js:30:11:30:60 | cqn1 | sqlinjection.js:31:39:31:42 | cqn1 | +| sqlinjection.js:30:18:30:60 | cds.par ... + book) | sqlinjection.js:30:11:30:60 | cqn1 | +| sqlinjection.js:30:32:30:59 | `SELECT ... + book | sqlinjection.js:30:18:30:60 | cds.par ... + book) | +| sqlinjection.js:30:56:30:59 | book | sqlinjection.js:30:32:30:59 | `SELECT ... + book | #select -| sqlinjection.js:13:35:13:39 | query | sqlinjection.js:7:33:7:35 | req | sqlinjection.js:13:35:13:39 | query | This query depends on a $@. | sqlinjection.js:7:33:7:35 | req | user-provided value | -| sqlinjection.js:15:25:15:65 | SELECT. ... book}`) | sqlinjection.js:7:33:7:35 | req | sqlinjection.js:15:25:15:65 | SELECT. ... book}`) | This query depends on a $@. | sqlinjection.js:7:33:7:35 | req | user-provided value | -| sqlinjection.js:18:36:18:41 | query2 | sqlinjection.js:7:33:7:35 | req | sqlinjection.js:18:36:18:41 | query2 | This query depends on a $@. | sqlinjection.js:7:33:7:35 | req | user-provided value | -| sqlinjection.js:20:25:20:63 | SELECT. ... '+book) | sqlinjection.js:7:33:7:35 | req | sqlinjection.js:20:25:20:63 | SELECT. ... '+book) | This query depends on a $@. 
| sqlinjection.js:7:33:7:35 | req | user-provided value | -| sqlinjection.js:28:38:28:40 | cqn | sqlinjection.js:7:33:7:35 | req | sqlinjection.js:28:38:28:40 | cqn | This query depends on a $@. | sqlinjection.js:7:33:7:35 | req | user-provided value | -| sqlinjection.js:31:38:31:41 | cqn1 | sqlinjection.js:7:33:7:35 | req | sqlinjection.js:31:38:31:41 | cqn1 | This query depends on a $@. | sqlinjection.js:7:33:7:35 | req | user-provided value | +| sqlinjection.js:13:36:13:40 | query | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:13:36:13:40 | query | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | +| sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | +| sqlinjection.js:18:37:18:42 | query2 | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:18:37:18:42 | query2 | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | +| sqlinjection.js:20:27:20:64 | SELECT. ... + book) | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:20:27:20:64 | SELECT. ... + book) | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | +| sqlinjection.js:28:39:28:41 | cqn | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:28:39:28:41 | cqn | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | +| sqlinjection.js:31:39:31:42 | cqn1 | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:31:39:31:42 | cqn1 | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | diff --git a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js index 5cc820090..e5f0a5917 100644 --- a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js 
+++ b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js 
@@ -1,36 +1,50 @@ import cds from '@sap/cds' -const { Books } = cds.entities ('sap.capire.bookshop') +const { Books } = cds.entities('sap.capire.bookshop') -class SampleVulnService extends cds.ApplicationService { init(){ +class SampleVulnService extends cds.ApplicationService { + init() { + // contains a sample CAP sql injection + this.on('submitOrder', async req => { + const { book, quantity } = req.data - // contains a sample sql injection - this.on ('submitOrder', async req => { - const {book,quantity} = req.data + let { stock } = await SELECT`stock`.from(Books, book) - let {stock} = await SELECT `stock` .from (Books,book) //alert? + let query = SELECT.from`Books`.where(`ID=${book}`) + let books = await cds.db.run(query) // CAP SQL injection alert - let query = SELECT.from `Books` .where (`ID=${book}`) - let books = await cds.db.run (query) //alert + let books11 = await SELECT.from`Books`.where(`ID=${book}`) // CAP SQL injection alert - let books11 = await SELECT.from `Books` .where (`ID=${book}`) //alert + let query2 = SELECT.from`Books`.where('ID=' + book) + let books2 = await cds.db.run(query2) // CAP SQL injection alert - let query2 = SELECT.from `Books` .where ('ID='+book) - let books2 = await cds.db.run (query2) //alert + let books22 = await SELECT.from`Books`.where('ID=' + book) // CAP SQL injection alert - let books22 = await SELECT.from `Books` .where ('ID='+book) //alert + let books3 = await SELECT.from`Books`.where`ID=${book}` //safe - let books3 = await SELECT.from `Books` .where `ID=${book}` //safe + let id = 2 + let books33 = await SELECT.from`Books`.where('ID=' + id) //safe - let id=2 - let books33 = await SELECT.from `Books` .where ('ID='+id) //safe + let cqn = CQL`SELECT col1, col2, col3 from Books` + book + let books222 = await cds.db.run(cqn) // CAP SQL injection alert - let cqn = CQL`SELECT col1, col2, col3 from Books` + book - let books222 = await cds.db.run (cqn) //alert + let cqn1 = cds.parse.cql(`SELECT * from Books` + book) + let 
books111 = await cds.db.run(cqn1) // CAP SQL injection alert - let cqn1 = cds.parse.cql (`SELECT * from Books`+ book) - let books111 = await cds.db.run (cqn1) //alert - }) + const pg = require("pg"), + pool = new pg.Pool(config); + pool.query(req.params.category, [], function (err, results) { // non-CAP SQL injection alert from CAP source + // process results + }); - return super.init() -}} -export { SampleVulnService } + const app = require("express")(); + app.get("search", function handler(req2, res) { + pool.query(req2.params.category, [], function (err, results) { // non-CAP SQL injection alert from non-CAP source + // process results + }); + }); + + return super.init() + }) + } +} +export { SampleVulnService } \ No newline at end of file From 11b258321dd310b3c96f3c4846f7deede6c3c12f Mon Sep 17 00:00:00 2001 From: Mauro Baluda Date: Wed, 28 Feb 2024 02:00:43 +0100 Subject: [PATCH 2/3] Fix expected file --- .github/workflows/javascript.sarif.expected | 3901 ++++++++--------- .../test/queries/sqlinjection/sqlinjection.js | 18 +- 2 files changed, 1841 insertions(+), 2078 deletions(-) diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected index 39d78d159..37a9f3592 100644 --- a/.github/workflows/javascript.sarif.expected +++ b/.github/workflows/javascript.sarif.expected @@ -6,7 +6,7 @@ "driver" : { "name" : "CodeQL", "organization" : "GitHub", - "semanticVersion" : "2.16.2", + "semanticVersion" : "2.16.3", "notifications" : [ { "id" : "cli/expected-extracted-files/javascript", "name" : "cli/expected-extracted-files/javascript", 
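Review bot: In the reworked sqlinjection.js fixture, `return super.init()` and the Express `app.get(...)` registration now sit inside the `submitOrder` handler callback, so `init()` itself no longer returns `super.init()` as the previous version did. The fixture still parses, but it no longer has the shape of a CAP service, and the `req2` route is nested inside a CAP handler, which blurs the "non-CAP source" case the comment describes. Declaring `pool` before the handler and moving the `app.get(...)` block and `return super.init()` after the handler's closing `})` would restore the intended structure. PATCH 2/3 also touches this file and may already address this; its hunk is not visible here. The file also ends without a trailing newline.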
@@ -43,31 +43,181 @@ "rules" : [ ] }, "extensions" : [ { + "name" : "advanced-security/javascript-sap-ui5-queries", + "semanticVersion" : "0.5.0+6519bc2c9f3d9be292ae8322aa3ea18c081bb38b", + "rules" : [ { + "id" : "js/ui5-clickjacking", + "name" : "js/ui5-clickjacking", + "shortDescription" : { + "text" : "UI5 Clickjacking" + }, + "fullDescription" : { + "text" : "The absence of frame options allows for clickjacking." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 
Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", + "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist 
Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-451" ], + "description" : "The absence of frame options allows for clickjacking.", + "id" : "js/ui5-clickjacking", + "kind" : "problem", + "name" : "UI5 Clickjacking", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/ui5-xss", + "name" : "js/ui5-xss", + "shortDescription" : { + "text" : "UI5 Client-side cross-site scripting" + }, + "fullDescription" : { + "text" : "Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. 
Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. 
If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. 
The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", + "markdown" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a 
cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. 
If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. 
The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], + "description" : "Writing user input directly to a UI5 View allows for\n a 
cross-site scripting vulnerability.", + "id" : "js/ui5-xss", + "kind" : "path-problem", + "name" : "UI5 Client-side cross-site scripting", + "precision" : "high", + "problem.severity" : "error", + "security-severity" : "6.1" + } + }, { + "id" : "js/ui5-formula-injection", + "name" : "js/ui5-formula-injection", + "shortDescription" : { + "text" : "UI5 Formula Injection" + }, + "fullDescription" : { + "text" : "Saving data from an uncontrolled remote source using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. 
For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", + "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) 
may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-1236" ], + "description" 
: "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", + "id" : "js/ui5-formula-injection", + "kind" : "path-problem", + "name" : "UI5 Formula Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-path-injection", + "name" : "js/ui5-path-injection", + "shortDescription" : { + "text" : "UI5 Path Injection" + }, + "fullDescription" : { + "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." + }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", + "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], + "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", + "id" : "js/ui5-path-injection", + "kind" : "path-problem", + "name" : "UI5 Path Injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + }, { + "id" : "js/ui5-log-injection", + "name" : "js/ui5-log-injection", + "shortDescription" : { + "text" : "UI5 Log injection" + }, + "fullDescription" : { + "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
+ }, + "defaultConfiguration" : { + "enabled" : true, + "level" : "error" + }, + "help" : { + "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", + "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" + }, + "properties" : { + "tags" : [ "security", "external/cwe/cwe-117" ], + "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", + "id" : "js/ui5-log-injection", + "kind" : "path-problem", + "name" : "UI5 Log injection", + "precision" : "medium", + "problem.severity" : "error", + "security-severity" : "7.8" + } + } ], + "locations" : [ { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", + "description" : { + "text" : "The QL pack root directory." 
+ } + }, { + "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", + "description" : { + "text" : "The QL pack definition file." + } + } ] + }, { "name" : "advanced-security/javascript-sap-cap-queries", - "semanticVersion" : "0.1.0+12c62932de295e7980c8faa1871b03303d4df3b7", + "semanticVersion" : "0.1.0+6519bc2c9f3d9be292ae8322aa3ea18c081bb38b", "rules" : [ { "id" : "js/cap-sql-injection", "name" : "js/cap-sql-injection", "shortDescription" : { - "text" : "Database query built from user-controlled sources with additional heuristic sources" + "text" : "CQL query built from user-controlled sources" }, "fullDescription" : { - "text" : "Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user." + "text" : "Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user." }, "defaultConfiguration" : { "enabled" : true, "level" : "error" }, "help" : { - "text" : "# Log Injection\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", - "markdown" : "# Log Injection\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" + "text" : "# SQL Injection\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n", + "markdown" : "# SQL Injection\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n" }, "properties" : { "tags" : [ "security" ], - "description" : "Building a database query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", + "description" : "Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.", "id" : "js/cap-sql-injection", "kind" : "path-problem", - "name" : "Database query built from user-controlled sources with additional heuristic sources", + "name" : "CQL query built from user-controlled sources", "precision" : "high", "problem.severity" : "error", "security-severity" : "8.8" @@ -76,7 +226,7 @@ "id" : "js/cap-log-injection", "name" : "js/cap-log-injection", "shortDescription" : { - "text" : "Uncontrolled data in logging call" + "text" : "CAP Log injection" }, "fullDescription" : { "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." @@ -94,10 +244,10 @@ "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", "id" : "js/cap-log-injection", "kind" : "path-problem", - "name" : "Uncontrolled data in logging call", + "name" : "CAP Log injection", "precision" : "medium", "problem.severity" : "error", - "security-severity" : "7.8" + "security-severity" : "6.1" } } ], "locations" : [ { 
@@ -113,7 +263,7 @@ } ] }, { "name" : "codeql/javascript-queries", - "semanticVersion" : "0.8.8+753d78a695a3290dbadc725fe1bd0ee759f37734", + "semanticVersion" : "0.8.9+8a00a45b32679ddced400ab256706c79c1169e38", "notifications" : [ { "id" : "js/diagnostics/extraction-errors", "name" : "js/diagnostics/extraction-errors", 
@@ -2919,194 +3069,44 @@ } } ], "locations" : [ { - "uri" : "file:///opt/hostedtoolcache/CodeQL/2.16.2/x64/codeql/qlpacks/codeql/javascript-queries/0.8.8/", + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.16.3/x64/codeql/qlpacks/codeql/javascript-queries/0.8.9/", "description" : { "text" : "The QL pack root directory." } }, { - "uri" : "file:///opt/hostedtoolcache/CodeQL/2.16.2/x64/codeql/qlpacks/codeql/javascript-queries/0.8.8/qlpack.yml", + "uri" : "file:///opt/hostedtoolcache/CodeQL/2.16.3/x64/codeql/qlpacks/codeql/javascript-queries/0.8.9/qlpack.yml", "description" : { "text" : "The QL pack definition file." } } ] }, { - "name" : "advanced-security/javascript-sap-ui5-queries", - "semanticVersion" : "0.5.0+12c62932de295e7980c8faa1871b03303d4df3b7", - "rules" : [ { - "id" : "js/ui5-clickjacking", - "name" : "js/ui5-clickjacking", - "shortDescription" : { - "text" : "UI5 Clickjacking" - }, - "fullDescription" : { - "text" : "The absence of frame options allows for clickjacking." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n", - "markdown" : "# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-451" ], - "description" : "The absence of frame options allows for clickjacking.", - "id" : "js/ui5-clickjacking", - "kind" : "problem", - "name" : "UI5 Clickjacking", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "6.1" + "name" 
: "generated/extension-pack", + "semanticVersion" : "0.0.0", + "locations" : [ { + "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/", + "description" : { + "text" : "The QL pack root directory." } }, { - "id" : "js/ui5-xss", - "name" : "js/ui5-xss", - "shortDescription" : { - "text" : "UI5 Client-side cross-site scripting" - }, - "fullDescription" : { - "text" : "Writing user input directly to a UI5 View allows for a cross-site scripting vulnerability." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n", - "markdown" : "# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. 
In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). 
Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control 
Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-079", "external/cwe/cwe-116" ], - "description" : "Writing user input directly to a UI5 View allows for\n a cross-site scripting vulnerability.", - "id" : "js/ui5-xss", - "kind" : "path-problem", - "name" : "UI5 Client-side cross-site scripting", - "precision" : "high", - "problem.severity" : "error", - "security-severity" : "6.1" + "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml", + "description" : { + "text" : "The QL pack definition file." } - }, { - "id" : "js/ui5-formula-injection", - "name" : "js/ui5-formula-injection", - "shortDescription" : { - "text" : "UI5 Formula Injection" - }, - "fullDescription" : { - "text" : "Saving data from an uncontrolled remote source using filesystem or local storage leads to disclosure of sensitive information or forgery of entry." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. 
For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n", - "markdown" : "# Formula injection\n\nUI5 applications that save local data, fetched from an uncontrolled remote source, into a CSV file format using generic APIs such as [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save) are vulnerable to formula injection, or CSV injection.\n\n## Recommendation\n\n### Escape the leading special characters\n\nCSV cells containing leading special characters such as an equal sign (`=`) 
may be interpreted as spreadsheet formulas. To prevent them from being interpreted these prefixes should be escaped by surrounding the prefixes with single quotes in order to keep them as literal strings.\n\n### Use a dedicated API function\n\nManual construction of a CSV file using string concatenation is prone to mistakes that can lead to security issues. Instead, a dedicated library function should be used. For example, if the target being exported is a [`sap.m.Table`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.m.Table) and the resulting file is to intended to be opened using a spreadsheet program anyways, then using one of the API functions provided by [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet) is the preferred method of achieving the same exporting functionality.\n\n## Example\n\nThe following controller is exporting a CSV file obtained from an event parameter by surrounding it in a pair of semicolons (`;`) as CSV separators.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/Controller\",\n \"sap/ui/core/util/File\"\n ], function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSomeEvent: function(oEvent) {\n let response = oEvent.getProperty(\"someProperty\").someField;\n let csvRow = \";\" + response + \";\";\n File.save(csvRow, \"someFile\", \"csv\", \"text/csv\", \"utf-8\");\n }\n });\n });\n```\n\n## References\n\n- OWASP: [CSV Injection](https://owasp.org/www-community/attacks/CSV_Injection).\n- Common Weakness Enumeration: [CWE-1236](https://cwe.mitre.org/data/definitions/1236.html).\n- SAP UI5 API Reference: [`sap.ui.export.Spreadsheet`](https://sapui5.hana.ondemand.com/#/entity/sap.ui.export.Spreadsheet).\n- SAP UI5 API Reference: [`sap.ui.core.util.File.save`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-1236" ], - "description" 
: "Saving data from an uncontrolled remote source using filesystem or local storage\n leads to disclosure of sensitive information or forgery of entry.", - "id" : "js/ui5-formula-injection", - "kind" : "path-problem", - "name" : "UI5 Formula Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-path-injection", - "name" : "js/ui5-path-injection", - "shortDescription" : { - "text" : "UI5 Path Injection" - }, - "fullDescription" : { - "text" : "Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem." - }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n", - "markdown" : "# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. 
Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-022", "external/cwe/cwe-035" ], - "description" : "Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.", - "id" : "js/ui5-path-injection", - "kind" : "path-problem", - "name" : "UI5 Path Injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - }, { - "id" : "js/ui5-log-injection", - "name" : "js/ui5-log-injection", - "shortDescription" : { - "text" : "UI5 Log injection" - }, - "fullDescription" : { - "text" : "Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user." 
- }, - "defaultConfiguration" : { - "enabled" : true, - "level" : "error" - }, - "help" : { - "text" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n", - "markdown" : "# Log Injection\n\nIf an untrusted input, possibly through a UI5 control, is not sanitized and passed onto a logging function, it is possible that a malicious actor submits a crafted input which might lead to forging log entries. 
If the entries are logged as plaintext, then newline characters may be inserted by the malicious actor. If the entry is interpreted as HTML, then artitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nAvoid directly logging untrusted input from a remote source and sanitize it by replaceing characters so that the input no longer contains control characters and substrings that may be interpreted as HTML.\n\n## Examples\n\nThis UI5 application directly outputs what the user submitted via the `sap.m.Input` control.\n\n``` xml\n\n \n\n```\n\n``` javascript\nsap.ui.define(\n [\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/model/json/JSONModel\",\n \"sap/base/Log/info\",\n ],\n function (Controller, JSONModel, info) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onSearchCompleted: function () {\n var oView = this.getView();\n var oSearchField = oView.byId(\"searchTodoItemsInput\");\n var searchValue = oSearchField.getValue();\n info(searchValue); // Sink\n },\n });\n },\n);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n" - }, - "properties" : { - "tags" : [ "security", "external/cwe/cwe-117" ], - "description" : "Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.", - "id" : "js/ui5-log-injection", - "kind" : "path-problem", - "name" : "UI5 Log injection", - "precision" : "medium", - "problem.severity" : "error", - "security-severity" : "7.8" - } - } ], - "locations" : [ { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/", - "description" : { - "text" : "The QL pack root directory." 
- } - }, { - "uri" : "file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ] - }, { - "name" : "generated/extension-pack", - "semanticVersion" : "0.0.0", - "locations" : [ { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/", - "description" : { - "text" : "The QL pack root directory." - } - }, { - "uri" : "file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml", - "description" : { - "text" : "The QL pack definition file." - } - } ], - "properties" : { - "isCodeQLModelPack" : true - } - } ] - }, - "invocations" : [ { - "toolExecutionNotifications" : [ { - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : ".github/actions/install-qlt/action.yml", - "uriBaseId" : "%SRCROOT%", - "index" : 3 - } + } ], + "properties" : { + "isCodeQLModelPack" : true + } + } ] + }, + "invocations" : [ { + "toolExecutionNotifications" : [ { + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : ".github/actions/install-qlt/action.yml", + "uriBaseId" : "%SRCROOT%", + "index" : 5 + } } } ], "message" : { @@ -3117,7 +3117,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3131,7 +3131,7 @@ "artifactLocation" : { "uri" : ".github/actions/install-codeql/action.yml", "uriBaseId" : "%SRCROOT%", - "index" : 4 + "index" : 6 } } } ], @@ -3143,7 +3143,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -3155,9 +3155,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/codeql-config.yaml", + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", - "index" : 5 + "index" : 7 } } } ], @@ -3169,7 +3169,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3181,9 +3181,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uri" : ".github/codeql/codeql-config.yaml", "uriBaseId" : "%SRCROOT%", - "index" : 6 + "index" : 8 } } } ], @@ -3195,7 +3195,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3207,9 +3207,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", - "index" : 7 + "index" : 9 } } } ], @@ -3221,7 +3221,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3233,9 +3233,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", - "index" : 8 + "index" : 10 } } } ], @@ -3247,7 +3247,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -3261,7 +3261,7 @@ "artifactLocation" : { "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", - "index" : 9 + "index" : 11 } } } ], @@ -3273,7 +3273,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3287,7 +3287,7 @@ "artifactLocation" : { "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", "uriBaseId" : "%SRCROOT%", - "index" : 10 + "index" : 12 } } } ], @@ -3299,7 +3299,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3313,7 +3313,7 @@ "artifactLocation" : { "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", "uriBaseId" : "%SRCROOT%", - "index" : 11 + "index" : 13 } } } ], @@ -3325,7 +3325,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3339,7 +3339,7 @@ "artifactLocation" : { "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", - "index" : 12 + "index" : 14 } } } ], @@ -3351,7 +3351,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3365,7 +3365,7 @@ "artifactLocation" : { "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", - "index" : 13 + "index" : 15 } } } ], @@ -3377,7 +3377,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3391,7 +3391,7 @@ "artifactLocation" : { "uri" : ".github/workflows/code_scanning.yml", "uriBaseId" : "%SRCROOT%", - "index" : 14 + "index" : 16 } } } ], 
@@ -3403,7 +3403,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3417,7 +3417,7 @@ "artifactLocation" : { "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", "uriBaseId" : "%SRCROOT%", - "index" : 15 + "index" : 17 } } } ], @@ -3429,7 +3429,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3443,7 +3443,7 @@ "artifactLocation" : { "uri" : "codeql-workspace.yml", "uriBaseId" : "%SRCROOT%", - "index" : 16 + "index" : 18 } } } ], @@ -3455,7 +3455,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3469,7 +3469,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", - "index" : 17 + "index" : 19 } } } ], @@ -3481,7 +3481,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3495,7 +3495,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/lib/qlpack.yml", "uriBaseId" : "%SRCROOT%", - "index" : 18 + "index" : 20 } } } ], @@ -3507,7 +3507,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3519,9 +3519,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", - "index" : 19 + "index" : 21 } } } ], @@ -3533,7 +3533,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -3545,9 +3545,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/src/qlpack.yml", "uriBaseId" : "%SRCROOT%", - "index" : 20 + "index" : 22 } } } ], @@ -3559,7 +3559,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3573,7 +3573,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", - "index" : 21 + "index" : 23 } } } ], @@ -3585,7 +3585,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3599,7 +3599,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/qlpack.yml", "uriBaseId" : "%SRCROOT%", - "index" : 22 + "index" : 24 } } } ], @@ -3611,7 +3611,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3623,9 +3623,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 2 } } } ], @@ -3637,7 +3637,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3649,9 +3649,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 0 } } } ], 
@@ -3663,7 +3663,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3689,7 +3689,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3715,7 +3715,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3741,7 +3741,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3767,7 +3767,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3793,7 +3793,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3805,7 +3805,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", "uriBaseId" : "%SRCROOT%", "index" : 30 } @@ -3819,7 +3819,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3831,7 +3831,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", "uriBaseId" : "%SRCROOT%", "index" : 31 } @@ -3845,7 +3845,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -3857,7 +3857,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", "uriBaseId" : "%SRCROOT%", "index" : 32 } @@ -3871,7 +3871,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3897,7 +3897,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3923,7 +3923,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3949,7 +3949,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3975,7 +3975,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -3987,7 +3987,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", "uriBaseId" : "%SRCROOT%", "index" : 37 } @@ -4001,7 +4001,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4013,7 +4013,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 38 } @@ -4027,7 +4027,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -4039,7 +4039,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", "uriBaseId" : "%SRCROOT%", "index" : 39 } @@ -4053,7 +4053,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4079,7 +4079,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4105,7 +4105,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4131,7 +4131,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4157,7 +4157,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4183,7 +4183,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4195,7 +4195,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 45 } @@ -4209,7 +4209,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -4221,7 +4221,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", "uriBaseId" : "%SRCROOT%", "index" : 46 } @@ -4235,7 +4235,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4261,7 +4261,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4287,7 +4287,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4313,7 +4313,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4339,7 +4339,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4365,7 +4365,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4391,7 +4391,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4417,7 +4417,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4429,7 +4429,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 54 } 
@@ -4443,7 +4443,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4455,7 +4455,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 55 } @@ -4469,7 +4469,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4495,7 +4495,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4521,7 +4521,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4547,7 +4547,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4573,7 +4573,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4585,7 +4585,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 60 } @@ -4599,7 +4599,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -4625,7 +4625,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4651,7 +4651,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4663,7 +4663,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 63 } @@ -4677,7 +4677,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4689,7 +4689,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 64 } @@ -4703,7 +4703,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4715,7 +4715,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 65 } @@ -4729,7 +4729,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -4755,7 +4755,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4781,7 +4781,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4793,7 +4793,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 68 } @@ -4807,7 +4807,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4819,7 +4819,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 69 } @@ -4833,7 +4833,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4859,7 +4859,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4871,7 +4871,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 71 } 
@@ -4885,7 +4885,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4897,7 +4897,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 72 } @@ -4911,7 +4911,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4925,7 +4925,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 } } } ], @@ -4937,7 +4937,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4949,7 +4949,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 73 } @@ -4963,7 +4963,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -4975,7 +4975,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 74 } 
@@ -4989,7 +4989,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5001,7 +5001,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 75 } @@ -5015,7 +5015,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5027,7 +5027,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 76 } @@ -5041,7 +5041,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5053,7 +5053,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 77 } @@ -5067,7 +5067,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5093,7 +5093,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -5105,7 +5105,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 79 } @@ -5119,7 +5119,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5131,7 +5131,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 80 } @@ -5145,7 +5145,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5171,7 +5171,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5183,7 +5183,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 82 } @@ -5197,7 +5197,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -5209,7 +5209,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 83 } @@ -5223,7 +5223,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5235,7 +5235,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 84 } @@ -5249,7 +5249,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5261,7 +5261,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 85 } @@ -5275,7 +5275,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5287,7 +5287,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 86 } 
@@ -5301,7 +5301,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5327,7 +5327,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5353,7 +5353,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5379,7 +5379,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5391,7 +5391,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 90 } @@ -5405,7 +5405,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5417,7 +5417,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 91 } @@ -5431,7 +5431,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -5443,7 +5443,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 92 } @@ -5457,7 +5457,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5469,7 +5469,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", "index" : 93 } @@ -5483,7 +5483,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5495,7 +5495,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 94 } @@ -5509,7 +5509,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5521,7 +5521,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 95 } @@ -5535,7 +5535,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -5547,7 +5547,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 96 } @@ -5561,7 +5561,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5587,7 +5587,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5613,7 +5613,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5639,7 +5639,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5665,7 +5665,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5691,7 +5691,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5703,7 +5703,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 102 } @@ -5717,7 +5717,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -5729,7 +5729,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 103 } @@ -5743,7 +5743,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5755,7 +5755,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 104 } @@ -5769,7 +5769,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5781,7 +5781,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 105 } @@ -5795,7 +5795,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -5807,7 +5807,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 106 } @@ -5821,7 +5821,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5847,7 +5847,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5873,7 +5873,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5885,7 +5885,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 109 } @@ -5899,7 +5899,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5911,7 +5911,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 110 } @@ -5925,7 +5925,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -5937,7 +5937,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 111 } @@ -5951,7 +5951,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5963,7 +5963,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 112 } @@ -5977,7 +5977,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -5989,7 +5989,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 113 } @@ -6003,7 +6003,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6029,7 +6029,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6055,7 +6055,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -6067,7 +6067,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 116 } @@ -6081,7 +6081,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6093,7 +6093,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 117 } @@ -6107,7 +6107,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6119,7 +6119,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 118 } @@ -6133,7 +6133,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6145,7 +6145,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", "index" : 119 } 
@@ -6159,7 +6159,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6171,7 +6171,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 120 } @@ -6185,7 +6185,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6197,7 +6197,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 121 } @@ -6211,7 +6211,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6223,7 +6223,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 122 } @@ -6237,7 +6237,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6263,7 +6263,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -6289,7 +6289,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6315,7 +6315,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6329,7 +6329,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 } } } ], @@ -6341,7 +6341,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6367,7 +6367,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6393,7 +6393,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6419,7 +6419,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6445,7 +6445,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6471,7 +6471,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6497,7 +6497,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6523,7 +6523,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6549,7 +6549,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -6575,7 +6575,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6601,7 +6601,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6627,7 +6627,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6653,7 +6653,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6679,7 +6679,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6705,7 +6705,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6731,7 +6731,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6757,7 +6757,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6783,7 +6783,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6809,7 +6809,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6835,7 +6835,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6861,7 +6861,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -6887,7 +6887,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6913,7 +6913,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6939,7 +6939,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6965,7 +6965,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -6991,7 +6991,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7017,7 +7017,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7043,7 +7043,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7069,7 +7069,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7095,7 +7095,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7121,7 +7121,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7147,7 +7147,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7173,7 +7173,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -7199,7 +7199,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7225,7 +7225,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7251,7 +7251,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7277,7 +7277,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7303,7 +7303,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7329,7 +7329,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7355,7 +7355,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7381,7 +7381,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7407,7 +7407,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7433,7 +7433,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7459,7 +7459,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7485,7 +7485,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -7511,7 +7511,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7537,7 +7537,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7563,7 +7563,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7589,7 +7589,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7615,7 +7615,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7641,7 +7641,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7667,7 +7667,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7693,7 +7693,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7719,7 +7719,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7745,7 +7745,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7771,7 +7771,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7797,7 +7797,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -7823,7 +7823,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7849,7 +7849,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7875,7 +7875,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7901,7 +7901,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7927,7 +7927,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7953,7 +7953,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -7979,7 +7979,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8005,7 +8005,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8031,7 +8031,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8057,7 +8057,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8083,7 +8083,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8109,7 +8109,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -8121,7 +8121,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 194 } @@ -8135,7 +8135,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8147,7 +8147,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 195 } @@ -8161,7 +8161,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8187,7 +8187,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8213,7 +8213,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8239,7 +8239,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8265,7 +8265,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8291,7 +8291,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8317,7 +8317,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -8329,7 +8329,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 202 } @@ -8343,7 +8343,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8355,7 +8355,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 203 } @@ -8369,7 +8369,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8381,7 +8381,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 204 } @@ -8395,7 +8395,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8407,7 +8407,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 205 } @@ -8421,7 +8421,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -8433,7 +8433,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 206 } @@ -8447,7 +8447,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8473,7 +8473,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8485,7 +8485,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 208 } @@ -8499,7 +8499,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8525,7 +8525,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8537,7 +8537,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 210 } @@ -8551,7 +8551,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -8563,7 +8563,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 211 } @@ -8577,7 +8577,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8589,7 +8589,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 212 } @@ -8603,7 +8603,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8629,7 +8629,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8655,7 +8655,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8667,7 +8667,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 215 } @@ -8681,7 +8681,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -8693,7 +8693,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 216 } @@ -8707,7 +8707,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8719,7 +8719,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 217 } @@ -8733,7 +8733,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8745,7 +8745,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 218 } @@ -8759,7 +8759,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8785,7 +8785,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8811,7 +8811,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8837,7 +8837,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -8863,7 +8863,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8889,7 +8889,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8915,7 +8915,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8941,7 +8941,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8953,7 +8953,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 226 } @@ -8967,7 +8967,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -8979,7 +8979,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 227 } @@ -8993,7 +8993,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9005,7 +9005,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 228 } 
@@ -9019,7 +9019,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9031,7 +9031,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 229 } @@ -9045,7 +9045,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9057,7 +9057,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", "uriBaseId" : "%SRCROOT%", "index" : 230 } @@ -9071,7 +9071,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9097,7 +9097,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9109,7 +9109,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 232 } @@ -9123,7 +9123,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -9135,7 +9135,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", "uriBaseId" : "%SRCROOT%", "index" : 233 } @@ -9149,7 +9149,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9161,7 +9161,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 234 } @@ -9175,7 +9175,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9201,7 +9201,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9213,7 +9213,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 236 } @@ -9227,7 +9227,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -9239,7 +9239,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 237 } @@ -9253,7 +9253,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9279,7 +9279,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9305,7 +9305,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9331,7 +9331,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9357,7 +9357,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9383,7 +9383,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9395,7 +9395,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 243 } @@ -9409,7 +9409,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -9421,7 +9421,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 244 } @@ -9435,7 +9435,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9447,7 +9447,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", "index" : 245 } @@ -9461,7 +9461,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9487,7 +9487,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9499,7 +9499,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 247 } @@ -9513,7 +9513,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9525,7 +9525,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 248 } 
@@ -9539,7 +9539,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9551,7 +9551,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 249 } @@ -9565,7 +9565,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9577,7 +9577,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", "uriBaseId" : "%SRCROOT%", "index" : 250 } @@ -9591,7 +9591,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9603,7 +9603,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", "index" : 251 } @@ -9617,7 +9617,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9643,7 +9643,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9669,7 +9669,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -9695,7 +9695,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9721,7 +9721,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9747,7 +9747,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9773,7 +9773,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9799,7 +9799,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9825,7 +9825,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9851,7 +9851,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9877,7 +9877,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9903,7 +9903,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9929,7 +9929,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9955,7 +9955,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -9981,7 +9981,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -10007,7 +10007,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10033,7 +10033,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10059,7 +10059,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10085,7 +10085,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10111,7 +10111,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10137,7 +10137,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10163,7 +10163,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10189,7 +10189,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10215,7 +10215,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10241,7 +10241,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10267,7 +10267,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10293,7 +10293,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -10319,7 +10319,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10345,7 +10345,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10371,7 +10371,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10397,7 +10397,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10423,7 +10423,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10435,7 +10435,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 283 } @@ -10449,7 +10449,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10461,7 +10461,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", "uriBaseId" : "%SRCROOT%", "index" : 284 } @@ -10475,7 +10475,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10501,7 +10501,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -10527,7 +10527,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10553,7 +10553,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10579,7 +10579,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10605,7 +10605,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10617,7 +10617,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 290 } @@ -10631,7 +10631,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10643,7 +10643,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 291 } @@ -10657,7 +10657,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -10669,7 +10669,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 292 } @@ -10683,7 +10683,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10695,7 +10695,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 293 } @@ -10709,7 +10709,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10721,7 +10721,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 294 } @@ -10735,7 +10735,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10747,7 +10747,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 295 } @@ -10761,7 +10761,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -10773,7 +10773,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 296 } @@ -10787,7 +10787,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10799,7 +10799,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 297 } @@ -10813,7 +10813,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10839,7 +10839,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10851,7 +10851,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 299 } @@ -10865,7 +10865,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10877,9 +10877,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 2 + "index" : 300 } } } ], 
@@ -10891,7 +10891,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10903,9 +10903,9 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uri" : "javascript/heuristic-models/tests/Sources/test.js", "uriBaseId" : "%SRCROOT%", - "index" : 300 + "index" : 4 } } } ], @@ -10917,7 +10917,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10929,7 +10929,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 301 } @@ -10943,7 +10943,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10955,7 +10955,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "qlt.conf.json", + "uri" : "javascript/heuristic-models/tests/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 302 } @@ -10969,7 +10969,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -10981,7 +10981,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uri" : "qlt.conf.json", "uriBaseId" : "%SRCROOT%", "index" : 303 } @@ -10995,7 +10995,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -11007,7 +11007,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "scripts/qlpack.yml", + "uri" : "scripts/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 304 } @@ -11021,7 +11021,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { @@ -11033,7 +11033,7 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "scripts/codeql-pack.lock.yml", + "uri" : "scripts/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 305 } @@ -11047,7 +11047,7 @@ "id" : "js/diagnostics/successfully-extracted-files", "index" : 1, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "properties" : { 
@@ -11060,151 +11060,151 @@ } ], "artifacts" : [ { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", "index" : 0 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", "index" : 1 } }, { "location" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", "index" : 2 } }, { "location" : { - "uri" : ".github/actions/install-qlt/action.yml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", "index" : 3 } }, { "location" : { - "uri" : ".github/actions/install-codeql/action.yml", + "uri" : "javascript/heuristic-models/tests/Sources/test.js", "uriBaseId" : "%SRCROOT%", "index" : 4 } }, { "location" : { - "uri" : ".github/codeql/codeql-config.yaml", + "uri" : ".github/actions/install-qlt/action.yml", "uriBaseId" : "%SRCROOT%", "index" : 5 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", + "uri" : ".github/actions/install-codeql/action.yml", "uriBaseId" : "%SRCROOT%", "index" : 6 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 7 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", + "uri" : ".github/codeql/codeql-config.yaml", "uriBaseId" : "%SRCROOT%", "index" : 8 } }, { "location" : { - "uri" : 
".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/cap/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 9 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 10 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 11 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", + "uri" : ".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml", "uriBaseId" : "%SRCROOT%", "index" : 12 } }, { "location" : { - "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml", "uriBaseId" : "%SRCROOT%", "index" : 13 } }, { "location" : { - "uri" : ".github/workflows/code_scanning.yml", + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 14 } }, { "location" : { - "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", + "uri" : ".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 15 } }, { "location" : { - "uri" : "codeql-workspace.yml", + "uri" : ".github/workflows/code_scanning.yml", "uriBaseId" : "%SRCROOT%", "index" : 16 } }, { "location" : { - "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", + "uri" : ".github/workflows/run-codeql-unit-tests-javascript.yml", "uriBaseId" : "%SRCROOT%", "index" : 17 } }, { "location" : { - "uri" : 
"javascript/frameworks/cap/lib/qlpack.yml", + "uri" : "codeql-workspace.yml", "uriBaseId" : "%SRCROOT%", "index" : 18 } }, { "location" : { - "uri" : "javascript/frameworks/cap/src/qlpack.yml", + "uri" : "javascript/frameworks/cap/lib/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 19 } }, { "location" : { - "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/lib/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 20 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", + "uri" : "javascript/frameworks/cap/src/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 21 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/qlpack.yml", + "uri" : "javascript/frameworks/cap/src/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 22 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", + "uri" : "javascript/frameworks/cap/test/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 23 } }, { "location" : { - "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", + "uri" : "javascript/frameworks/cap/test/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 24 } @@ -11240,19 +11240,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", "uriBaseId" : "%SRCROOT%", "index" : 30 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", + "uri" : "javascript/frameworks/ui5/test/lib/BindingStringParser/test.js", "uriBaseId" : "%SRCROOT%", "index" : 31 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.html", + "uri" : "javascript/frameworks/ui5/test/lib/Bindings/test.js", "uriBaseId" : "%SRCROOT%", "index" : 32 } 
@@ -11282,19 +11282,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", "uriBaseId" : "%SRCROOT%", "index" : 37 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", + "uri" : "javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 38 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml", + "uri" : "javascript/frameworks/ui5/test/models/sink/sink1.xml", "uriBaseId" : "%SRCROOT%", "index" : 39 } @@ -11330,13 +11330,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 45 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html", "uriBaseId" : "%SRCROOT%", "index" : 46 } @@ -11384,13 +11384,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 54 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 55 } 
@@ -11420,7 +11420,7 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 60 } @@ -11438,19 +11438,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 63 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 64 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 65 } @@ -11468,13 +11468,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 68 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 69 } 
@@ -11486,43 +11486,43 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 71 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 72 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 73 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 74 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 75 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 76 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 77 } @@ -11534,13 +11534,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 79 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 80 } 
@@ -11552,31 +11552,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 82 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 83 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 84 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 85 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 86 } 
@@ -11600,43 +11600,43 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 90 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 91 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 92 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", "index" : 93 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 94 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 95 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", 
"index" : 96 } @@ -11672,31 +11672,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 102 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 103 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 104 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 105 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 106 } 
@@ -11714,31 +11714,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", "uriBaseId" : "%SRCROOT%", "index" : 109 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 110 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 111 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 112 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 113 } 
@@ -11756,43 +11756,43 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 116 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 117 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 118 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", "uriBaseId" : "%SRCROOT%", "index" : 119 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 120 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 121 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 122 } @@ -12224,13 +12224,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 194 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 195 } 
@@ -12272,31 +12272,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 202 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 203 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 204 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 205 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 206 } @@ -12308,7 +12308,7 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 208 } 
@@ -12320,19 +12320,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 210 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 211 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 212 } @@ -12350,25 +12350,25 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 215 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 216 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 217 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 218 } 
@@ -12416,31 +12416,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 226 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 227 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 228 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 229 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json", "uriBaseId" : "%SRCROOT%", "index" : 230 } 
@@ -12452,19 +12452,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 232 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json", "uriBaseId" : "%SRCROOT%", "index" : 233 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 234 } @@ -12476,13 +12476,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 236 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 237 } 
@@ -12518,19 +12518,19 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 243 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 244 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", "index" : 245 } 
@@ -12542,31 +12542,31 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 247 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 248 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", "index" : 249 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", "uriBaseId" : "%SRCROOT%", "index" : 250 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", "index" : 251 } @@ -12758,13 +12758,13 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 283 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json", "uriBaseId" : "%SRCROOT%", "index" : 284 } 
@@ -12800,49 +12800,49 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", "uriBaseId" : "%SRCROOT%", "index" : 290 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 291 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 292 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json", "uriBaseId" : "%SRCROOT%", "index" : 293 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", "uriBaseId" : "%SRCROOT%", "index" : 294 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json", "uriBaseId" : "%SRCROOT%", "index" : 295 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", "uriBaseId" : "%SRCROOT%", "index" : 296 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html", + "uri" : 
"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", "index" : 297 } 
@@ -12854,76 +12854,76 @@ } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", "uriBaseId" : "%SRCROOT%", "index" : 299 } }, { "location" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json", + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", "index" : 300 } }, { "location" : { - "uri" : "javascript/heuristic-models/tests/qlpack.yml", + "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 301 } }, { "location" : { - "uri" : "qlt.conf.json", + "uri" : "javascript/heuristic-models/tests/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 302 } }, { "location" : { - "uri" : "javascript/heuristic-models/tests/codeql-pack.lock.yml", + "uri" : "qlt.conf.json", "uriBaseId" : "%SRCROOT%", "index" : 303 } }, { "location" : { - "uri" : "scripts/qlpack.yml", + "uri" : "scripts/codeql-pack.lock.yml", "uriBaseId" : "%SRCROOT%", "index" : 304 } }, { "location" : { - "uri" : "scripts/codeql-pack.lock.yml", + "uri" : "scripts/qlpack.yml", "uriBaseId" : "%SRCROOT%", "index" : 305 } } ], "results" : [ { - "ruleId" : "js/xss", + "ruleId" : "js/sql-injection", "rule" : { - "id" : "js/xss", - "index" : 58, + "id" : "js/sql-injection", + "index" : 34, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { - "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." + "text" : "This query string depends on a [user-provided value](1)." 
}, "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", "index" : 0 }, "region" : { - "startLine" : 4, + "startLine" : 41, "startColumn" : 20, - "endColumn" : 25 + "endColumn" : 40 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "6311a9ed7e4091a4:1", - "primaryLocationStartColumnFingerprint" : "15" + "primaryLocationLineHash" : "7d6c29be0dcace2d:1", + "primaryLocationStartColumnFingerprint" : "11" }, "codeFlows" : [ { "threadFlows" : [ { 
@@ -12931,48 +12931,187 @@ "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", "index" : 0 }, "region" : { - "startLine" : 3, - "startColumn" : 17, - "endColumn" : 51 + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 } }, "message" : { - "text" : "jQuery. ... param\")" + "text" : "req2.params.category" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", "index" : 0 }, "region" : { - "startLine" : 3, - "startColumn" : 9, - "endColumn" : 51 + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 } }, "message" : { - "text" : "value" + "text" : "req2.params.category" } } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 0 - }, - "region" : { - "startLine" : 4, + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 41, + "startColumn" : 20, + "endColumn" : 40 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/missing-rate-limiting", + "rule" : { + "id" : "js/missing-rate-limiting", + "index" : 55, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "This route handler performs [a database access](1), but is not rate-limited." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 40, + "startColumn" : 25, + "endLine" : 44, + "endColumn" : 8 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "ac6d3bdd3d52ea9b:1", + "primaryLocationStartColumnFingerprint" : "18" + }, + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 0 + }, + "region" : { + "startLine" : 41, + "startColumn" : 9, + "endLine" : 43, + "endColumn" : 11 + } + }, + "message" : { + "text" : "a database access" + } + } ] + }, { + "ruleId" : "js/xss", + "rule" : { + "id" : "js/xss", + "index" : 58, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Cross-site scripting vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 4, + "startColumn" : 20, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "6311a9ed7e4091a4:1", + "primaryLocationStartColumnFingerprint" : "15" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 3, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... 
param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 3, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 1 + }, + "region" : { + "startLine" : 4, "startColumn" : 20, "endColumn" : 25 } @@ -12991,7 +13130,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 3, @@ -13009,7 +13148,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 3, @@ -13027,7 +13166,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 4, @@ -13048,7 +13187,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 3, @@ -13066,7 +13205,7 @@ "id" : "js/xss", "index" : 58, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { @@ -13077,7 +13216,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 11, 
@@ -13098,7 +13237,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 10, @@ -13116,7 +13255,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 10, @@ -13134,7 +13273,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 11, @@ -13155,7 +13294,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 10, @@ -13173,7 +13312,7 @@ "id" : "js/xss", "index" : 58, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { @@ -13184,7 +13323,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 19, @@ -13205,7 +13344,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 17, @@ -13223,7 +13362,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 17, @@ -13241,7 +13380,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 18, 
@@ -13259,7 +13398,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 18, @@ -13277,7 +13416,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 18, @@ -13295,7 +13434,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 19, @@ -13316,7 +13455,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 17, @@ -13334,7 +13473,7 @@ "id" : "js/xss", "index" : 58, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { @@ -13345,7 +13484,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 27, @@ -13366,7 +13505,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 25, @@ -13384,7 +13523,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 25, @@ -13402,7 +13541,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 26, 
@@ -13420,7 +13559,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 26, @@ -13438,7 +13577,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 26, @@ -13456,7 +13595,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 27, @@ -13477,7 +13616,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 25, @@ -13495,7 +13634,7 @@ "id" : "js/log-injection", "index" : 90, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { @@ -13504,20 +13643,20 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 + "startLine" : 26, + "startColumn" : 19, + "endColumn" : 36 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "be9a18716e55d497:1", - "primaryLocationStartColumnFingerprint" : "13" + "primaryLocationLineHash" : "ccc6f77c65eccb45:1", + "primaryLocationStartColumnFingerprint" : "12" }, "codeFlows" : [ { "threadFlows" : [ { 
@@ -13525,84 +13664,245 @@ "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 } }, "message" : { - "text" : "jQuery. ... param\")" + "text" : "req2.params.category" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { - "startLine" : 6, - "startColumn" : 9, - "endColumn" : 51 + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "value" + "text" : "{ book, quantity }" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 39 + "startLine" : 23, + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { - "text" : "value" + "text" : "book" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 + "startLine" 
: 23, + "startColumn" : 13, + "endColumn" : 54 } }, "message" : { - "text" : "`[INFO] ... value}`" + "text" : "book" } } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 32, + "endColumn" : 36 + } + }, + "message" : { + "text" : "book" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", + "uriBaseId" : "%SRCROOT%", + "index" : 2 + }, + "region" : { + "startLine" : 26, + "startColumn" : 19, + "endColumn" : 36 + } + }, + "message" : { + "text" : "\"console:\" + book" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 + }, + "region" : { + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] + }, { + "ruleId" : "js/log-injection", + "rule" : { + "id" : "js/log-injection", + "index" : 90, + "toolComponent" : { + "index" : 2 + } + }, + "message" : { + "text" : "Log entry depends on a [user-provided value](1)." 
+ }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 18, + "endColumn" : 41 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "be9a18716e55d497:1", + "primaryLocationStartColumnFingerprint" : "13" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 17, + "endColumn" : 51 + } + }, + "message" : { + "text" : "jQuery. ... param\")" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 6, + "startColumn" : 9, + "endColumn" : 51 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 34, + "endColumn" : 39 + } + }, + "message" : { + "text" : "value" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 + }, + "region" : { + "startLine" : 7, + "startColumn" : 18, + "endColumn" : 41 + } + }, + "message" : { + "text" : "`[INFO] ... 
value}`" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uriBaseId" : "%SRCROOT%", + "index" : 3 }, "region" : { "startLine" : 6, @@ -13620,7 +13920,7 @@ "id" : "js/log-injection", "index" : 90, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { @@ -13631,7 +13931,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 15, @@ -13652,7 +13952,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, @@ -13670,7 +13970,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, @@ -13688,7 +13988,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, @@ -13706,7 +14006,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, @@ -13724,7 +14024,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, 
@@ -13742,7 +14042,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, @@ -13760,7 +14060,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, @@ -13778,7 +14078,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 15, @@ -13796,7 +14096,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 15, @@ -13817,7 +14117,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, @@ -13835,7 +14135,7 @@ "id" : "js/log-injection", "index" : 90, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { @@ -13846,7 +14146,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 24, @@ -13867,7 +14167,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, 
@@ -13885,7 +14185,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, @@ -13903,7 +14203,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, @@ -13921,7 +14221,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, @@ -13939,7 +14239,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, @@ -13957,7 +14257,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, @@ -13975,7 +14275,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, @@ -13993,7 +14293,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 23, @@ -14011,7 +14311,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 23, 
@@ -14029,7 +14329,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 23, @@ -14047,7 +14347,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 24, @@ -14065,7 +14365,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 24, @@ -14086,7 +14386,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, @@ -14104,7 +14404,7 @@ "id" : "js/log-injection", "index" : 90, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "message" : { @@ -14115,7 +14415,7 @@ "artifactLocation" : { "uri" : "javascript/heuristic-models/tests/Sources/test.js", "uriBaseId" : "%SRCROOT%", - "index" : 2 + "index" : 4 }, "region" : { "startLine" : 5, @@ -14136,7 +14436,7 @@ "artifactLocation" : { "uri" : "javascript/heuristic-models/tests/Sources/test.js", "uriBaseId" : "%SRCROOT%", - "index" : 2 + "index" : 4 }, "region" : { "startLine" : 5, @@ -14154,7 +14454,7 @@ "artifactLocation" : { "uri" : "javascript/heuristic-models/tests/Sources/test.js", "uriBaseId" : "%SRCROOT%", - "index" : 2 + "index" : 4 }, "region" : { "startLine" : 5, @@ -14175,7 +14475,7 @@ "artifactLocation" : { "uri" : "javascript/heuristic-models/tests/Sources/test.js", "uriBaseId" : "%SRCROOT%", - "index" : 2 + "index" : 4 }, "region" : { "startLine" : 5, 
@@ -14193,7 +14493,7 @@ "id" : "js/ui5-clickjacking", "index" : 0, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14223,7 +14523,7 @@ "id" : "js/ui5-clickjacking", "index" : 0, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14253,7 +14553,7 @@ "id" : "js/ui5-clickjacking", "index" : 0, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14282,7 +14582,7 @@ "id" : "js/ui5-clickjacking", "index" : 0, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14311,7 +14611,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14322,7 +14622,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 5, @@ -14343,7 +14643,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 3, @@ -14361,7 +14661,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 3, @@ -14379,7 +14679,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 5, @@ -14400,7 +14700,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 3, @@ -14418,7 +14718,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -14429,7 +14729,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 12, @@ -14450,7 +14750,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 10, @@ -14468,7 +14768,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 10, @@ -14486,7 +14786,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 12, @@ -14507,7 +14807,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 10, @@ -14525,7 +14825,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14536,7 +14836,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 20, @@ -14557,7 +14857,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 17, @@ -14575,7 +14875,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 17, 
@@ -14593,7 +14893,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 18, @@ -14611,7 +14911,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 18, @@ -14629,7 +14929,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 18, @@ -14647,7 +14947,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 20, @@ -14668,7 +14968,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 0 + "index" : 1 }, "region" : { "startLine" : 17, @@ -14686,7 +14986,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14849,7 +15149,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -14976,7 +15276,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -15103,7 +15403,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -15230,7 +15530,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -15337,7 +15637,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -15348,7 +15648,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 250 + "index" : 251 }, "region" : { "startLine" : 8, @@ -15406,7 +15706,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js", "uriBaseId" : "%SRCROOT%", - "index" : 251 + "index" : 250 }, "region" : { "startLine" : 5, @@ -15424,7 +15724,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js", "uriBaseId" : "%SRCROOT%", - "index" : 250 + "index" : 251 }, "region" : { "startLine" : 8, @@ -15464,7 +15764,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -15591,7 +15891,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -15623,7 +15923,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 291 + "index" : 292 }, "region" : { "startLine" : 5, @@ -15699,7 +15999,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 291 + "index" : 292 }, "region" : { "startLine" : 5, @@ -15718,7 +16018,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -15825,114 +16125,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 - } - }, - "message" : { - "text" : "XSS vulnerability due to [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 272 - }, - "region" : { - "startLine" : 13, - "startColumn" : 15, - "endColumn" : 25 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "c18df3aa119b40dc:1", - "primaryLocationStartColumnFingerprint" : "11" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 272 - }, - "region" : { - "startLine" : 9, - "startColumn" : 13, - "endColumn" : 23 - } - }, - "message" : { - "text" : "\"value\": \"{/input}\"" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", - "uriBaseId" : "%SRCROOT%", - "index" : 268 - }, - "region" : { - "startLine" : 9, - "startColumn" : 17, - "endColumn" : 28 - } - }, - "message" : { - "text" : "input: null" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", - "uriBaseId" : "%SRCROOT%", - "index" : 272 - }, - "region" : { - "startLine" : 13, - "startColumn" : 15, - "endColumn" : 25 - } - }, - "message" : { - "text" : "\"content\": \"{/input}\"" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", 
- "uriBaseId" : "%SRCROOT%", - "index" : 272 - }, - "region" : { - "startLine" : 9, - "startColumn" : 13, - "endColumn" : 23 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/ui5-xss", - "rule" : { - "id" : "js/ui5-xss", - "index" : 1, - "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -15943,7 +16136,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 72 + "index" : 73 }, "region" : { "startLine" : 8, @@ -15964,7 +16157,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 72 + "index" : 73 }, "region" : { "startLine" : 5, @@ -15983,7 +16176,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 69 + "index" : 68 }, "region" : { "startLine" : 10, @@ -16001,7 +16194,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 72 + "index" : 73 }, "region" : { "startLine" : 8, @@ -16022,7 +16215,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 72 + "index" : 73 }, "region" : { "startLine" : 5, @@ -16041,7 +16234,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -16052,7 +16245,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 203 + "index" : 204 }, "region" : { "startLine" : 9, @@ -16073,7 +16266,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 203 + "index" : 204 }, "region" : { "startLine" : 5, @@ -16182,7 +16375,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 203 + "index" : 204 }, "region" : { "startLine" : 9, @@ -16203,7 +16396,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 203 + "index" : 204 }, "region" : { "startLine" : 5, @@ -16222,7 +16415,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -16233,7 +16426,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 203 + "index" : 204 }, "region" : { "startLine" : 17, @@ -16326,7 +16519,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 203 + "index" : 204 }, "region" : { "startLine" : 17, @@ -16365,7 +16558,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -16376,7 +16569,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 212 + "index" : 211 }, "region" : { "startLine" : 8, 
@@ -16397,7 +16590,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 212 + "index" : 211 }, "region" : { "startLine" : 5, @@ -16434,7 +16627,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 212 + "index" : 211 }, "region" : { "startLine" : 8, @@ -16455,7 +16648,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 212 + "index" : 211 }, "region" : { "startLine" : 5, @@ -16474,7 +16667,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -16525,7 +16718,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 215 + "index" : 216 }, "region" : { "startLine" : 12, @@ -16584,7 +16777,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 215 + "index" : 216 }, "region" : { "startLine" : 9, @@ -16602,7 +16795,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 215 + "index" : 216 }, "region" : { "startLine" : 15, @@ -16620,7 +16813,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 215 + "index" : 216 }, "region" : { "startLine" : 15, 
@@ -16638,7 +16831,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 215 + "index" : 216 }, "region" : { "startLine" : 16, @@ -16656,7 +16849,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 215 + "index" : 216 }, "region" : { "startLine" : 10, @@ -16714,7 +16907,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -16725,7 +16918,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 236 + "index" : 237 }, "region" : { "startLine" : 8, @@ -16746,7 +16939,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 236 + "index" : 237 }, "region" : { "startLine" : 5, @@ -16765,7 +16958,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 234 + "index" : 232 }, "region" : { "startLine" : 8, @@ -16783,7 +16976,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 236 + "index" : 237 }, "region" : { "startLine" : 8, @@ -16804,7 +16997,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 236 + "index" : 237 }, "region" : { "startLine" : 5, @@ -16823,7 +17016,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -16834,7 +17027,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 244 + "index" : 245 }, "region" : { "startLine" : 8, @@ -16855,7 +17048,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 244 + "index" : 245 }, "region" : { "startLine" : 5, @@ -16891,7 +17084,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 244 + "index" : 245 }, "region" : { "startLine" : 8, @@ -16912,7 +17105,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html", "uriBaseId" : "%SRCROOT%", - "index" : 244 + "index" : 245 }, "region" : { "startLine" : 5, @@ -16930,7 +17123,7 @@ "id" : "js/ui5-xss", "index" : 1, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -16941,7 +17134,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 299 + "index" : 300 }, "region" : { "startLine" : 22, @@ -16962,7 +17155,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 299 + "index" : 300 }, "region" : { "startLine" : 8, @@ -16981,7 +17174,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 296 + "index" : 297 }, "region" : { "startLine" : 9, 
@@ -16999,7 +17192,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 299 + "index" : 300 }, "region" : { "startLine" : 22, @@ -17021,7 +17214,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 299 + "index" : 300 }, "region" : { "startLine" : 15, @@ -17040,7 +17233,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 296 + "index" : 297 }, "region" : { "startLine" : 9, @@ -17058,7 +17251,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 299 + "index" : 300 }, "region" : { "startLine" : 22, @@ -17079,7 +17272,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 299 + "index" : 300 }, "region" : { "startLine" : 8, @@ -17097,7 +17290,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 299 + "index" : 300 }, "region" : { "startLine" : 15, 
@@ -17110,13 +17303,120 @@ "text" : "user-provided value" } } ] + }, { + "ruleId" : "js/ui5-xss", + "rule" : { + "id" : "js/ui5-xss", + "index" : 1, + "toolComponent" : { + "index" : 0 + } + }, + "message" : { + "text" : "XSS vulnerability due to [user-provided value](1)." + }, + "locations" : [ { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + }, + "region" : { + "startLine" : 13, + "startColumn" : 15, + "endColumn" : 25 + } + } + } ], + "partialFingerprints" : { + "primaryLocationLineHash" : "c18df3aa119b40dc:1", + "primaryLocationStartColumnFingerprint" : "11" + }, + "codeFlows" : [ { + "threadFlows" : [ { + "locations" : [ { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + }, + "region" : { + "startLine" : 9, + "startColumn" : 13, + "endColumn" : 23 + } + }, + "message" : { + "text" : "\"value\": \"{/input}\"" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js", + "uriBaseId" : "%SRCROOT%", + "index" : 268 + }, + "region" : { + "startLine" : 9, + "startColumn" : 17, + "endColumn" : 28 + } + }, + "message" : { + "text" : "input: null" + } + } + }, { + "location" : { + "physicalLocation" : { + "artifactLocation" : { + "uri" : "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + }, + "region" : { + "startLine" : 13, + "startColumn" : 15, + "endColumn" : 25 + } + }, + "message" : { + "text" : "\"content\": \"{/input}\"" + } + } + } ] + } ] + } ], + "relatedLocations" : [ { + "id" : 1, + "physicalLocation" : { + "artifactLocation" : { + "uri" 
: "javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json", + "uriBaseId" : "%SRCROOT%", + "index" : 272 + }, + "region" : { + "startLine" : 9, + "startColumn" : 13, + "endColumn" : 23 + } + }, + "message" : { + "text" : "user-provided value" + } + } ] }, { "ruleId" : "js/ui5-formula-injection", "rule" : { "id" : "js/ui5-formula-injection", "index" : 2, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -17148,7 +17448,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 60 + "index" : 55 }, "region" : { "startLine" : 5, @@ -17224,7 +17524,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 60 + "index" : 55 }, "region" : { "startLine" : 5, @@ -17243,7 +17543,7 @@ "id" : "js/ui5-formula-injection", "index" : 2, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -17275,7 +17575,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 65 + "index" : 64 }, "region" : { "startLine" : 5, @@ -17459,7 +17759,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 65 + "index" : 64 }, "region" : { "startLine" : 5, @@ -17478,7 +17778,7 @@ "id" : "js/ui5-formula-injection", "index" : 2, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -17489,7 +17789,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 69 + "index" : 68 }, "region" : { "startLine" : 16, @@ -17510,7 +17810,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 72 + "index" : 73 }, "region" : { "startLine" : 5, @@ -17529,7 +17829,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 69 + "index" : 68 }, "region" : { "startLine" : 10, @@ -17547,7 +17847,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 69 + "index" : 68 }, "region" : { "startLine" : 16, @@ -17568,7 +17868,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 72 + "index" : 73 }, "region" : { "startLine" : 5, @@ -17587,7 +17887,7 @@ "id" : "js/ui5-path-injection", "index" : 3, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -17598,7 +17898,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 102 + "index" : 103 }, "region" : { "startLine" : 17, 
@@ -17638,7 +17938,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 106 + "index" : 104 }, "region" : { "startLine" : 9, @@ -17656,7 +17956,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 102 + "index" : 103 }, "region" : { "startLine" : 8, @@ -17674,7 +17974,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 102 + "index" : 103 }, "region" : { "startLine" : 17, @@ -17714,7 +18014,7 @@ "id" : "js/ui5-path-injection", "index" : 3, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -17725,7 +18025,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 23, @@ -17746,7 +18046,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 116 + "index" : 117 }, "region" : { "startLine" : 5, @@ -17765,7 +18065,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 113 + "index" : 112 }, "region" : { "startLine" : 9, 
@@ -17783,7 +18083,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 9, @@ -17801,7 +18101,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 15, @@ -17819,7 +18119,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 15, @@ -17837,7 +18137,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 17, @@ -17855,7 +18155,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 17, @@ -17873,7 +18173,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 17, @@ -17891,7 +18191,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 17, 
@@ -17909,7 +18209,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 112 + "index" : 111 }, "region" : { "startLine" : 23, @@ -17930,7 +18230,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 116 + "index" : 117 }, "region" : { "startLine" : 5, @@ -17949,7 +18249,7 @@ "id" : "js/ui5-path-injection", "index" : 3, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -17960,7 +18260,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 121 }, "region" : { "startLine" : 16, @@ -18000,7 +18300,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 121 }, "region" : { "startLine" : 10, @@ -18018,7 +18318,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 122 + "index" : 121 }, "region" : { "startLine" : 16, @@ -18058,7 +18358,7 @@ "id" : "js/ui5-log-injection", "index" : 4, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -18069,7 +18369,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 8, 
@@ -18090,7 +18390,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 6, @@ -18108,7 +18408,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 6, @@ -18126,7 +18426,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 8, @@ -18147,7 +18447,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 6, @@ -18165,7 +18465,7 @@ "id" : "js/ui5-log-injection", "index" : 4, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -18176,7 +18476,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 16, @@ -18197,7 +18497,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, @@ -18215,7 +18515,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, 
@@ -18233,7 +18533,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, @@ -18251,7 +18551,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, @@ -18269,7 +18569,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, @@ -18287,7 +18587,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, @@ -18305,7 +18605,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 14, @@ -18323,7 +18623,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 16, @@ -18344,7 +18644,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 13, @@ -18362,7 +18662,7 @@ "id" : "js/ui5-log-injection", "index" : 4, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -18373,7 +18673,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 25, @@ -18394,7 +18694,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, @@ -18412,7 +18712,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, @@ -18430,7 +18730,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, @@ -18448,7 +18748,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, @@ -18466,7 +18766,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, @@ -18484,7 +18784,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, @@ -18502,7 +18802,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 22, 
@@ -18520,7 +18820,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 23, @@ -18538,7 +18838,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 23, @@ -18556,7 +18856,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 23, @@ -18574,7 +18874,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 25, @@ -18595,7 +18895,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 3 }, "region" : { "startLine" : 21, @@ -18613,7 +18913,7 @@ "id" : "js/ui5-log-injection", "index" : 4, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -18624,7 +18924,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 76 + "index" : 77 }, "region" : { "startLine" : 13, @@ -18645,7 +18945,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 82 + "index" : 86 }, "region" : { "startLine" : 5, 
@@ -18682,7 +18982,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 76 + "index" : 77 }, "region" : { "startLine" : 7, @@ -18700,7 +19000,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 76 + "index" : 77 }, "region" : { "startLine" : 13, @@ -18721,7 +19021,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 82 + "index" : 86 }, "region" : { "startLine" : 5, @@ -18740,7 +19040,7 @@ "id" : "js/ui5-log-injection", "index" : 4, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { @@ -18751,7 +19051,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 17, @@ -18772,7 +19072,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 90 + "index" : 91 }, "region" : { "startLine" : 5, @@ -18809,7 +19109,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 8, @@ -18827,7 +19127,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 15, 
@@ -18845,7 +19145,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 15, @@ -18863,7 +19163,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 16, @@ -18881,7 +19181,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 16, @@ -18899,7 +19199,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 16, @@ -18917,7 +19217,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 16, @@ -18935,7 +19235,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js", "uriBaseId" : "%SRCROOT%", - "index" : 86 + "index" : 85 }, "region" : { "startLine" : 17, @@ -18956,7 +19256,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml", "uriBaseId" : "%SRCROOT%", - "index" : 90 + "index" : 91 }, "region" : { "startLine" : 5, @@ -18975,7 +19275,7 @@ "id" : "js/ui5-log-injection", "index" : 4, "toolComponent" : { - "index" : 2 + "index" : 0 } }, "message" : { 
@@ -18986,7 +19286,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 96 + "index" : 95 }, "region" : { "startLine" : 17, @@ -19026,7 +19326,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 96 + "index" : 95 }, "region" : { "startLine" : 9, @@ -19044,7 +19344,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 96 + "index" : 95 }, "region" : { "startLine" : 15, @@ -19062,7 +19362,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 96 + "index" : 95 }, "region" : { "startLine" : 15, @@ -19080,7 +19380,7 @@ "artifactLocation" : { "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js", "uriBaseId" : "%SRCROOT%", - "index" : 96 + "index" : 95 }, "region" : { "startLine" : 17, @@ -19120,7 +19420,7 @@ "id" : "js/cap-sql-injection", "index" : 0, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { 
@@ -19131,18 +19431,18 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 13, - "startColumn" : 35, - "endColumn" : 40 + "startColumn" : 36, + "endColumn" : 41 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "590e7435266ed375:1", - "primaryLocationStartColumnFingerprint" : "30" + "primaryLocationLineHash" : "f2a20fb013371856:1", + "primaryLocationStartColumnFingerprint" : "29" }, "codeFlows" : [ { "threadFlows" : [ { @@ -19152,12 +19452,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19170,12 +19470,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 32 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19188,12 +19488,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 37 + "startColumn" : 34, + "endColumn" : 42 } }, "message" : { @@ -19206,16 +19506,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 26 + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "{book,quantity}" + "text" : "{ book, quantity }" } } }, { 
@@ -19224,12 +19524,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 12, - "endColumn" : 16 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { @@ -19242,12 +19542,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 37 + "startColumn" : 13, + "endColumn" : 42 } }, "message" : { @@ -19260,12 +19560,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 12, - "startColumn" : 51, - "endColumn" : 55 + "startColumn" : 50, + "endColumn" : 54 } }, "message" : { @@ -19278,12 +19578,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 12, - "startColumn" : 45, - "endColumn" : 57 + "startColumn" : 44, + "endColumn" : 56 } }, "message" : { @@ -19296,12 +19596,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 12, - "startColumn" : 17, - "endColumn" : 58 + "startColumn" : 19, + "endColumn" : 57 } }, "message" : { @@ -19314,12 +19614,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 12, - "startColumn" : 9, - "endColumn" : 58 + "startColumn" : 11, + "endColumn" : 57 } }, "message" : { 
@@ -19332,12 +19632,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 13, - "startColumn" : 35, - "endColumn" : 40 + "startColumn" : 36, + "endColumn" : 41 } }, "message" : { @@ -19353,12 +19653,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19371,7 +19671,7 @@ "id" : "js/cap-sql-injection", "index" : 0, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { @@ -19382,17 +19682,17 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 15, - "startColumn" : 25, - "endColumn" : 66 + "startColumn" : 27, + "endColumn" : 65 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "d8242ce11617a0ec:1", + "primaryLocationLineHash" : "e89930467a1e0810:1", "primaryLocationStartColumnFingerprint" : "20" }, "codeFlows" : [ { @@ -19403,12 +19703,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19421,12 +19721,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 32 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { 
@@ -19439,12 +19739,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 37 + "startColumn" : 34, + "endColumn" : 42 } }, "message" : { @@ -19457,16 +19757,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 26 + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "{book,quantity}" + "text" : "{ book, quantity }" } } }, { @@ -19475,12 +19775,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 12, - "endColumn" : 16 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { @@ -19493,12 +19793,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 37 + "startColumn" : 13, + "endColumn" : 42 } }, "message" : { @@ -19511,12 +19811,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 15, - "startColumn" : 59, - "endColumn" : 63 + "startColumn" : 58, + "endColumn" : 62 } }, "message" : { @@ -19529,12 +19829,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 15, - "startColumn" : 53, - "endColumn" : 65 + "startColumn" : 52, + "endColumn" : 64 } }, "message" : { 
@@ -19547,12 +19847,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 15, - "startColumn" : 25, - "endColumn" : 66 + "startColumn" : 27, + "endColumn" : 65 } }, "message" : { @@ -19568,12 +19868,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19586,7 +19886,7 @@ "id" : "js/cap-sql-injection", "index" : 0, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { @@ -19597,18 +19897,18 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 18, - "startColumn" : 36, - "endColumn" : 42 + "startColumn" : 37, + "endColumn" : 43 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "e7b952296b7ab6cc:1", - "primaryLocationStartColumnFingerprint" : "31" + "primaryLocationLineHash" : "d00fe7de05986c6a:1", + "primaryLocationStartColumnFingerprint" : "30" }, "codeFlows" : [ { "threadFlows" : [ { @@ -19618,12 +19918,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19636,12 +19936,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 32 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { 
@@ -19654,12 +19954,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 37 + "startColumn" : 34, + "endColumn" : 42 } }, "message" : { @@ -19672,16 +19972,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 26 + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "{book,quantity}" + "text" : "{ book, quantity }" } } }, { @@ -19690,12 +19990,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 12, - "endColumn" : 16 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { @@ -19708,12 +20008,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 37 + "startColumn" : 13, + "endColumn" : 42 } }, "message" : { @@ -19726,12 +20026,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 17, - "startColumn" : 52, - "endColumn" : 56 + "startColumn" : 53, + "endColumn" : 57 } }, "message" : { 
@@ -19744,16 +20044,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 17, - "startColumn" : 46, - "endColumn" : 56 + "startColumn" : 45, + "endColumn" : 57 } }, "message" : { - "text" : "'ID='+book" + "text" : "'ID=' + book" } } }, { @@ -19762,16 +20062,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 17, - "startColumn" : 18, - "endColumn" : 57 + "startColumn" : 20, + "endColumn" : 58 } }, "message" : { - "text" : "SELECT. ... '+book)" + "text" : "SELECT. ... + book)" } } }, { @@ -19780,12 +20080,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 17, - "startColumn" : 9, - "endColumn" : 57 + "startColumn" : 11, + "endColumn" : 58 } }, "message" : { @@ -19798,12 +20098,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 18, - "startColumn" : 36, - "endColumn" : 42 + "startColumn" : 37, + "endColumn" : 43 } }, "message" : { @@ -19819,12 +20119,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19837,7 +20137,7 @@ "id" : "js/cap-sql-injection", "index" : 0, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { 
@@ -19848,17 +20148,17 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 20, - "startColumn" : 25, - "endColumn" : 64 + "startColumn" : 27, + "endColumn" : 65 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "79f0f8200a18323a:1", + "primaryLocationLineHash" : "8317b1d31382ab92:1", "primaryLocationStartColumnFingerprint" : "20" }, "codeFlows" : [ { @@ -19869,12 +20169,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19887,12 +20187,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 32 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -19905,12 +20205,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 37 + "startColumn" : 34, + "endColumn" : 42 } }, "message" : { @@ -19923,16 +20223,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 26 - } + "startColumn" : 13, + "endColumn" : 31 + } }, "message" : { - "text" : "{book,quantity}" + "text" : "{ book, quantity }" } } }, { 
@@ -19941,12 +20241,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 12, - "endColumn" : 16 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { @@ -19959,12 +20259,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 37 + "startColumn" : 13, + "endColumn" : 42 } }, "message" : { @@ -19977,12 +20277,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 20, - "startColumn" : 59, - "endColumn" : 63 + "startColumn" : 60, + "endColumn" : 64 } }, "message" : { @@ -19995,16 +20295,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 20, - "startColumn" : 53, - "endColumn" : 63 + "startColumn" : 52, + "endColumn" : 64 } }, "message" : { - "text" : "'ID='+book" + "text" : "'ID=' + book" } } }, { @@ -20013,16 +20313,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 20, - "startColumn" : 25, - "endColumn" : 64 + "startColumn" : 27, + "endColumn" : 65 } }, "message" : { - "text" : "SELECT. ... '+book)" + "text" : "SELECT. ... + book)" } } } ] 
@@ -20034,12 +20334,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20052,7 +20352,7 @@ "id" : "js/cap-sql-injection", "index" : 0, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { @@ -20063,18 +20363,18 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 28, - "startColumn" : 38, - "endColumn" : 41 + "startColumn" : 39, + "endColumn" : 42 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "e3b606bd78a285e4:1", - "primaryLocationStartColumnFingerprint" : "33" + "primaryLocationLineHash" : "75dceaab23242fe6:1", + "primaryLocationStartColumnFingerprint" : "32" }, "codeFlows" : [ { "threadFlows" : [ { @@ -20084,12 +20384,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20102,12 +20402,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 32 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20120,12 +20420,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 37 + "startColumn" : 34, + "endColumn" : 42 } }, "message" : { 
@@ -20138,16 +20438,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 26 + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "{book,quantity}" + "text" : "{ book, quantity }" } } }, { @@ -20156,12 +20456,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 12, - "endColumn" : 16 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { @@ -20174,12 +20474,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 37 + "startColumn" : 13, + "endColumn" : 42 } }, "message" : { @@ -20192,12 +20492,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 27, - "startColumn" : 57, - "endColumn" : 61 + "startColumn" : 59, + "endColumn" : 63 } }, "message" : { @@ -20210,12 +20510,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 27, - "startColumn" : 15, - "endColumn" : 61 + "startColumn" : 17, + "endColumn" : 63 } }, "message" : { @@ -20228,12 +20528,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 27, - "startColumn" : 9, - "endColumn" : 61 + "startColumn" : 11, + "endColumn" : 63 } }, "message" : { 
@@ -20246,12 +20546,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 28, - "startColumn" : 38, - "endColumn" : 41 + "startColumn" : 39, + "endColumn" : 42 } }, "message" : { @@ -20267,12 +20567,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20285,7 +20585,7 @@ "id" : "js/cap-sql-injection", "index" : 0, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { @@ -20296,18 +20596,18 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 31, - "startColumn" : 38, - "endColumn" : 42 + "startColumn" : 39, + "endColumn" : 43 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "3ac2119833f4369b:1", - "primaryLocationStartColumnFingerprint" : "33" + "primaryLocationLineHash" : "a6a36dcb3241fe8b:1", + "primaryLocationStartColumnFingerprint" : "32" }, "codeFlows" : [ { "threadFlows" : [ { @@ -20317,12 +20617,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20335,12 +20635,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 32 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { 
@@ -20353,12 +20653,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 37 + "startColumn" : 34, + "endColumn" : 42 } }, "message" : { @@ -20371,16 +20671,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 26 + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "{book,quantity}" + "text" : "{ book, quantity }" } } }, { @@ -20389,12 +20689,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 12, - "endColumn" : 16 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { @@ -20407,12 +20707,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 37 + "startColumn" : 13, + "endColumn" : 42 } }, "message" : { @@ -20425,12 +20725,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 30, - "startColumn" : 54, - "endColumn" : 58 + "startColumn" : 56, + "endColumn" : 60 } }, "message" : { 
@@ -20443,16 +20743,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 30, - "startColumn" : 31, - "endColumn" : 58 + "startColumn" : 32, + "endColumn" : 60 } }, "message" : { - "text" : "`SELECT ... `+ book" + "text" : "`SELECT ... + book" } } }, { @@ -20461,12 +20761,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 30, - "startColumn" : 16, - "endColumn" : 59 + "startColumn" : 18, + "endColumn" : 61 } }, "message" : { @@ -20479,12 +20779,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 30, - "startColumn" : 9, - "endColumn" : 59 + "startColumn" : 11, + "endColumn" : 61 } }, "message" : { @@ -20497,12 +20797,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 31, - "startColumn" : 38, - "endColumn" : 42 + "startColumn" : 39, + "endColumn" : 43 } }, "message" : { @@ -20518,12 +20818,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 23 + "index" : 0 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20536,7 +20836,7 @@ "id" : "js/cap-log-injection", "index" : 1, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { 
@@ -20547,17 +20847,17 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 11, - "startColumn" : 14, - "endColumn" : 27 + "startColumn" : 16, + "endColumn" : 29 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "6aac872e1ce30edc:1", + "primaryLocationLineHash" : "eae426bf8fad0192:1", "primaryLocationStartColumnFingerprint" : "9" }, "codeFlows" : [ { @@ -20568,12 +20868,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20586,12 +20886,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 32 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20604,12 +20904,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 8, - "startColumn" : 29, - "endColumn" : 37 + "startColumn" : 34, + "endColumn" : 42 } }, "message" : { @@ -20622,16 +20922,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 26 + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "{book,quantity}" + "text" : "{ book, quantity }" } } }, { 
@@ -20640,12 +20940,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 8, - "startColumn" : 12, - "endColumn" : 16 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { @@ -20658,12 +20958,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 8, - "startColumn" : 11, - "endColumn" : 37 + "startColumn" : 13, + "endColumn" : 42 } }, "message" : { @@ -20676,12 +20976,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 11, - "startColumn" : 23, - "endColumn" : 27 + "startColumn" : 25, + "endColumn" : 29 } }, "message" : { @@ -20694,16 +20994,16 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 11, - "startColumn" : 14, - "endColumn" : 27 + "startColumn" : 16, + "endColumn" : 29 } }, "message" : { - "text" : "\"test\" + book" + "text" : "\"CAP:\" + book" } } } ] @@ -20715,12 +21015,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { "startLine" : 7, - "startColumn" : 33, - "endColumn" : 36 + "startColumn" : 34, + "endColumn" : 37 } }, "message" : { @@ -20733,7 +21033,7 @@ "id" : "js/cap-log-injection", "index" : 1, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { 
@@ -20744,17 +21044,17 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { - "startLine" : 17, - "startColumn" : 45, - "endColumn" : 46 + "startLine" : 18, + "startColumn" : 47, + "endColumn" : 48 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "a360f9c0333d6614:1", + "primaryLocationLineHash" : "e05b39891dddd161:1", "primaryLocationStartColumnFingerprint" : "40" }, "codeFlows" : [ { @@ -20765,12 +21065,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { - "startLine" : 14, - "startColumn" : 22, - "endColumn" : 25 + "startLine" : 15, + "startColumn" : 24, + "endColumn" : 27 } }, "message" : { @@ -20783,12 +21083,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { - "startLine" : 17, - "startColumn" : 15, - "endColumn" : 18 + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 20 } }, "message" : { @@ -20801,12 +21101,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { - "startLine" : 17, - "startColumn" : 15, - "endColumn" : 23 + "startLine" : 18, + "startColumn" : 17, + "endColumn" : 25 } }, "message" : { @@ -20819,12 +21119,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { - "startLine" : 17, - "startColumn" : 11, - "endColumn" : 23 + "startLine" : 18, + "startColumn" : 13, + "endColumn" : 25 } }, "message" : { 
@@ -20837,12 +21137,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { - "startLine" : 17, - "startColumn" : 45, - "endColumn" : 46 + "startLine" : 18, + "startColumn" : 47, + "endColumn" : 48 } }, "message" : { @@ -20858,12 +21158,12 @@ "artifactLocation" : { "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 24 + "index" : 2 }, "region" : { - "startLine" : 14, - "startColumn" : 22, - "endColumn" : 25 + "startLine" : 15, + "startColumn" : 24, + "endColumn" : 27 } }, "message" : { @@ -20876,7 +21176,7 @@ "id" : "js/cap-log-injection", "index" : 1, "toolComponent" : { - "index" : 0 + "index" : 1 } }, "message" : { @@ -20885,20 +21185,20 @@ "locations" : [ { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 + "startLine" : 25, + "startColumn" : 16, + "endColumn" : 29 } } } ], "partialFingerprints" : { - "primaryLocationLineHash" : "be9a18716e55d497:1", - "primaryLocationStartColumnFingerprint" : "13" + "primaryLocationLineHash" : "4dc77ce4a9b7031e:1", + "primaryLocationStartColumnFingerprint" : "9" }, "codeFlows" : [ { "threadFlows" : [ { 
@@ -20906,645 +21206,108 @@ "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "jQuery. ... param\")" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 6, - "startColumn" : 9, - "endColumn" : 51 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 7, - "startColumn" : 18, - "endColumn" : 41 - } - }, - "message" : { - "text" : "`[INFO] ... 
value}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 6, - "startColumn" : 17, - "endColumn" : 51 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 18, - "endColumn" : 41 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "be9a18716e55d497:2", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 14, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 14, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 34, - "endColumn" : 39 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 15, - "startColumn" : 18, - "endColumn" : 41 - } - }, - "message" : { - "text" : "`[INFO] ... value}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 13, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." 
- }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 24, - "startColumn" : 18, - "endColumn" : 42 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "e197b363f9dc3962:1", - "primaryLocationStartColumnFingerprint" : "13" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "req.url" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 21, - "startColumn" : 13, - "endColumn" : 37 - } - }, - "message" : { - "text" : "url.par ... 
, true)" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 21, - "startColumn" : 9, - "endColumn" : 37 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 18 - } - }, - "message" : { - "text" : "q" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 24 - } - }, - "message" : { - "text" : "q.query" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 22, - "startColumn" : 17, - "endColumn" : 33 - } - }, - "message" : { - "text" : "q.query.username" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 22, - "startColumn" : 9, - "endColumn" : 33 - } - }, - "message" : { - "text" : "value" - } - } - }, { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { "startLine" : 23, - "startColumn" : 39, - "endColumn" : 44 + "startColumn" : 34, + "endColumn" : 54 } }, "message" : { - "text" : "value" + "text" : "req2.params.category" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { "startLine" : 23, - "startColumn" : 18, - "endColumn" : 45 + "startColumn" : 13, + "endColumn" : 31 } }, "message" : { - "text" : "jQuery. ... (value)" + "text" : "{ book, quantity }" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { "startLine" : 23, - "startColumn" : 9, - "endColumn" : 45 + "startColumn" : 15, + "endColumn" : 19 } }, "message" : { - "text" : "value1" + "text" : "book" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", - "index" : 1 + "index" : 2 }, "region" : { - "startLine" : 24, - "startColumn" : 34, - "endColumn" : 40 + "startLine" : 23, + "startColumn" : 13, + "endColumn" : 54 } }, "message" : { - "text" : "value1" + "text" : "book" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : 
"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 24, - "startColumn" : 18, - "endColumn" : 42 - } - }, - "message" : { - "text" : "`[INFO] ... alue1}`" - } - } - } ] - } ] - } ], - "relatedLocations" : [ { - "id" : 1, - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js", - "uriBaseId" : "%SRCROOT%", - "index" : 1 - }, - "region" : { - "startLine" : 21, - "startColumn" : 23, - "endColumn" : 30 - } - }, - "message" : { - "text" : "user-provided value" - } - } ] - }, { - "ruleId" : "js/cap-log-injection", - "rule" : { - "id" : "js/cap-log-injection", - "index" : 1, - "toolComponent" : { - "index" : 0 - } - }, - "message" : { - "text" : "Log entry depends on a [user-provided value](1)." - }, - "locations" : [ { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", - "uriBaseId" : "%SRCROOT%", - "index" : 2 - }, - "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 - } - } - } ], - "partialFingerprints" : { - "primaryLocationLineHash" : "45280b24f3d81287:1", - "primaryLocationStartColumnFingerprint" : "12" - }, - "codeFlows" : [ { - "threadFlows" : [ { - "locations" : [ { - "location" : { - "physicalLocation" : { - "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", "index" : 2 }, "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 + "startLine" : 25, + "startColumn" : 25, + "endColumn" : 29 } }, "message" : { - "text" : "req.responseText" + "text" : "book" } } }, { "location" : { "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uri" : 
"javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", "index" : 2 }, "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 + "startLine" : 25, + "startColumn" : 16, + "endColumn" : 29 } }, "message" : { - "text" : "req.responseText" + "text" : "\"CAP:\" + book" } } } ] @@ -21554,14 +21317,14 @@ "id" : 1, "physicalLocation" : { "artifactLocation" : { - "uri" : "javascript/heuristic-models/tests/Sources/test.js", + "uri" : "javascript/frameworks/cap/test/queries/loginjection/loginjection.js", "uriBaseId" : "%SRCROOT%", "index" : 2 }, "region" : { - "startLine" : 5, - "startColumn" : 17, - "endColumn" : 33 + "startLine" : 23, + "startColumn" : 34, + "endColumn" : 54 } }, "message" : { @@ -21590,22 +21353,22 @@ "id" : "js/summary/lines-of-user-code", "index" : 101, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "ruleId" : "js/summary/lines-of-user-code", - "value" : 2439, + "value" : 2460, "baseline" : 0 }, { "rule" : { "id" : "js/summary/lines-of-code", "index" : 102, "toolComponent" : { - "index" : 1 + "index" : 2 } }, "ruleId" : "js/summary/lines-of-code", - "value" : 2439 + "value" : 2460 } ], "semmle.formatSpecifier" : "sarif-latest" } diff --git a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js index e5f0a5917..ee16c5c9b 100644 --- a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js +++ b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js 
@@ -3,21 +3,21 @@ const { Books } = cds.entities('sap.capire.bookshop') class SampleVulnService extends cds.ApplicationService { init() { - // contains a sample CAP sql injection + // contains a sample CQL injection this.on('submitOrder', async req => { const { book, quantity } = req.data let { stock } = await SELECT`stock`.from(Books, book) let query = SELECT.from`Books`.where(`ID=${book}`) - let books = await cds.db.run(query) // CAP SQL injection alert + let books = await cds.db.run(query) // CQL injection alert - let books11 = await SELECT.from`Books`.where(`ID=${book}`) // CAP SQL injection alert + let books11 = await SELECT.from`Books`.where(`ID=${book}`) // CQL injection alert let query2 = SELECT.from`Books`.where('ID=' + book) - let books2 = await cds.db.run(query2) // CAP SQL injection alert + let books2 = await cds.db.run(query2) // CQL injection alert - let books22 = await SELECT.from`Books`.where('ID=' + book) // CAP SQL injection alert + let books22 = await SELECT.from`Books`.where('ID=' + book) // CQL injection alert let books3 = await SELECT.from`Books`.where`ID=${book}` //safe 
@@ -25,20 +25,20 @@ class SampleVulnService extends cds.ApplicationService { let books33 = await SELECT.from`Books`.where('ID=' + id) //safe let cqn = CQL`SELECT col1, col2, col3 from Books` + book - let books222 = await cds.db.run(cqn) // CAP SQL injection alert + let books222 = await cds.db.run(cqn) // CQL injection alert let cqn1 = cds.parse.cql(`SELECT * from Books` + book) - let books111 = await cds.db.run(cqn1) // CAP SQL injection alert + let books111 = await cds.db.run(cqn1) // CQL injection alert const pg = require("pg"), pool = new pg.Pool(config); - pool.query(req.params.category, [], function (err, results) { // non-CAP SQL injection alert from CAP source + pool.query(req.params.category, [], function (err, results) { // non-CQL injection alert from CAP source // process results }); const app = require("express")(); app.get("search", function handler(req2, res) { - pool.query(req2.params.category, [], function (err, results) { // non-CAP SQL injection alert from non-CAP source + pool.query(req2.params.category, [], function (err, results) { // non-CQL injection alert from non-CAP source // process results }); }); From 18673dc5e2da9d8494d3f4ec39419271f62fc20a Mon Sep 17 00:00:00 2001 
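Review bot: The two `pool.query` comments in this hunk came out of the search-and-replace as `// non-CQL injection alert from CAP source` and `// non-CQL injection alert from non-CAP source`, which can be read as "an alert that is not CQL injection" or as "no CQL injection alert here". What the lines exercise is plain SQL injection through `pg` with a tainted `req.params.category`, so the comment should name the sink and say which query is expected to report it. If these two sinks are meant to be left to the standard SQL injection query, as the commit title suggests, something like `// SQL injection via pg (not a CQL sink), CAP source: must not be reported by the CQL query` and the same with `non-CAP source` for the Express handler would make the expectation checkable against the `.expected` file. The `submitOrder` handler these lines sit in starts in the previous hunk.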
From: Mauro Baluda Date: Wed, 28 Feb 2024 19:41:54 +0100 Subject: [PATCH 3/3] Renamed query to CQL Injection --- .../CqlInjection.md} | 2 +- .../CqlInjection.ql} | 6 +- .../cap/src/loginjection/LogInjection.md | 2 +- .../cqlinjection/cqlinjection.expected | 84 +++++++++++++++++++ .../cqlinjection.js} | 0 .../queries/cqlinjection/cqlinjection.qlref | 1 + .../sqlinjection/sqlinjection.expected | 84 ------------------- .../queries/sqlinjection/sqlinjection.qlref | 1 - 8 files changed, 90 insertions(+), 90 deletions(-) rename javascript/frameworks/cap/src/{sqlinjection/SqlInjection.md => cqlinjection/CqlInjection.md} (96%) rename javascript/frameworks/cap/src/{sqlinjection/SqlInjection.ql => cqlinjection/CqlInjection.ql} (87%) create mode 100644 javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected rename javascript/frameworks/cap/test/queries/{sqlinjection/sqlinjection.js => cqlinjection/cqlinjection.js} (100%) create mode 100644 javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.qlref delete mode 100644 javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected delete mode 100644 javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.qlref diff --git a/javascript/frameworks/cap/src/sqlinjection/SqlInjection.md b/javascript/frameworks/cap/src/cqlinjection/CqlInjection.md similarity index 96% rename from javascript/frameworks/cap/src/sqlinjection/SqlInjection.md rename to javascript/frameworks/cap/src/cqlinjection/CqlInjection.md index da5c7656a..40709d883 100644 --- a/javascript/frameworks/cap/src/sqlinjection/SqlInjection.md +++ b/javascript/frameworks/cap/src/cqlinjection/CqlInjection.md @@ -1,4 +1,4 @@ -# SQL Injection +# CQL query built from user-controlled sources If a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries. 
diff --git a/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql b/javascript/frameworks/cap/src/cqlinjection/CqlInjection.ql similarity index 87% rename from javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql rename to javascript/frameworks/cap/src/cqlinjection/CqlInjection.ql index bbb614fd6..f59d6fffc 100644 --- a/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql +++ b/javascript/frameworks/cap/src/cqlinjection/CqlInjection.ql @@ -15,8 +15,8 @@ import DataFlow::PathGraph import semmle.javascript.security.dataflow.SqlInjectionCustomizations::SqlInjection import advanced_security.javascript.frameworks.cap.CQL -class CapSqlIConfiguration extends TaintTracking::Configuration { - CapSqlIConfiguration() { this = "CapSqlInjection" } +class CqlIConfiguration extends TaintTracking::Configuration { + CqlIConfiguration() { this = "CqlInjection" } override predicate isSource(DataFlow::Node source) { source instanceof Source } @@ -42,7 +42,7 @@ class CapSqlIConfiguration extends TaintTracking::Configuration { } } -from CapSqlIConfiguration sql, DataFlow::PathNode source, DataFlow::PathNode sink +from CqlIConfiguration sql, DataFlow::PathNode source, DataFlow::PathNode sink where sql.hasFlowPath(source, sink) select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(), "user-provided value" diff --git a/javascript/frameworks/cap/src/loginjection/LogInjection.md b/javascript/frameworks/cap/src/loginjection/LogInjection.md index fcacc2f0e..b0a2cc0de 100644 --- a/javascript/frameworks/cap/src/loginjection/LogInjection.md +++ b/javascript/frameworks/cap/src/loginjection/LogInjection.md @@ -1,4 +1,4 @@ -# Log Injection +# CAP Log Injection If unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries. 
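Review bot: The rename stops short in the `from` clause of the second CqlInjection.ql hunk: the configuration class is now `CqlIConfiguration`, but the variable bound to it is still `sql` (`from CqlIConfiguration sql, ...` with `where sql.hasFlowPath(source, sink)` as context). Renaming it in both places, `from CqlIConfiguration cql, DataFlow::PathNode source, DataFlow::PathNode sink` and `where cql.hasFlowPath(source, sink)`, keeps the query from reading as a SQL query after the split. The class declaration in the first hunk also carries no QLDoc; a one-line comment such as `/** A taint-tracking configuration for user-controlled data flowing into CQL queries. */` would state what the query now covers. The class body between the two hunks is not visible here.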
diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected new file mode 100644 index 000000000..76317f305 --- /dev/null +++ b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected 
@@ -0,0 +1,84 @@ +nodes +| cqlinjection.js:7:34:7:36 | req | +| cqlinjection.js:7:34:7:36 | req | +| cqlinjection.js:8:13:8:30 | { book, quantity } | +| cqlinjection.js:8:13:8:41 | book | +| cqlinjection.js:8:15:8:18 | book | +| cqlinjection.js:8:34:8:36 | req | +| cqlinjection.js:8:34:8:41 | req.data | +| cqlinjection.js:12:11:12:56 | query | +| cqlinjection.js:12:19:12:56 | SELECT. ... book}`) | +| cqlinjection.js:12:44:12:55 | `ID=${book}` | +| cqlinjection.js:12:50:12:53 | book | +| cqlinjection.js:13:36:13:40 | query | +| cqlinjection.js:13:36:13:40 | query | +| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| cqlinjection.js:15:52:15:63 | `ID=${book}` | +| cqlinjection.js:15:58:15:61 | book | +| cqlinjection.js:17:11:17:57 | query2 | +| cqlinjection.js:17:20:17:57 | SELECT. ... + book) | +| cqlinjection.js:17:45:17:56 | 'ID=' + book | +| cqlinjection.js:17:53:17:56 | book | +| cqlinjection.js:18:37:18:42 | query2 | +| cqlinjection.js:18:37:18:42 | query2 | +| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| cqlinjection.js:20:52:20:63 | 'ID=' + book | +| cqlinjection.js:20:60:20:63 | book | +| cqlinjection.js:27:11:27:62 | cqn | +| cqlinjection.js:27:17:27:62 | CQL`SEL ... + book | +| cqlinjection.js:27:59:27:62 | book | +| cqlinjection.js:28:39:28:41 | cqn | +| cqlinjection.js:28:39:28:41 | cqn | +| cqlinjection.js:30:11:30:60 | cqn1 | +| cqlinjection.js:30:18:30:60 | cds.par ... + book) | +| cqlinjection.js:30:32:30:59 | `SELECT ... 
+ book | +| cqlinjection.js:30:56:30:59 | book | +| cqlinjection.js:31:39:31:42 | cqn1 | +| cqlinjection.js:31:39:31:42 | cqn1 | +edges +| cqlinjection.js:7:34:7:36 | req | cqlinjection.js:8:34:8:36 | req | +| cqlinjection.js:7:34:7:36 | req | cqlinjection.js:8:34:8:36 | req | +| cqlinjection.js:8:13:8:30 | { book, quantity } | cqlinjection.js:8:15:8:18 | book | +| cqlinjection.js:8:13:8:41 | book | cqlinjection.js:12:50:12:53 | book | +| cqlinjection.js:8:13:8:41 | book | cqlinjection.js:15:58:15:61 | book | +| cqlinjection.js:8:13:8:41 | book | cqlinjection.js:17:53:17:56 | book | +| cqlinjection.js:8:13:8:41 | book | cqlinjection.js:20:60:20:63 | book | +| cqlinjection.js:8:13:8:41 | book | cqlinjection.js:27:59:27:62 | book | +| cqlinjection.js:8:13:8:41 | book | cqlinjection.js:30:56:30:59 | book | +| cqlinjection.js:8:15:8:18 | book | cqlinjection.js:8:13:8:41 | book | +| cqlinjection.js:8:34:8:36 | req | cqlinjection.js:8:34:8:41 | req.data | +| cqlinjection.js:8:34:8:41 | req.data | cqlinjection.js:8:13:8:30 | { book, quantity } | +| cqlinjection.js:12:11:12:56 | query | cqlinjection.js:13:36:13:40 | query | +| cqlinjection.js:12:11:12:56 | query | cqlinjection.js:13:36:13:40 | query | +| cqlinjection.js:12:19:12:56 | SELECT. ... book}`) | cqlinjection.js:12:11:12:56 | query | +| cqlinjection.js:12:44:12:55 | `ID=${book}` | cqlinjection.js:12:19:12:56 | SELECT. ... book}`) | +| cqlinjection.js:12:50:12:53 | book | cqlinjection.js:12:44:12:55 | `ID=${book}` | +| cqlinjection.js:15:52:15:63 | `ID=${book}` | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| cqlinjection.js:15:52:15:63 | `ID=${book}` | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | +| cqlinjection.js:15:58:15:61 | book | cqlinjection.js:15:52:15:63 | `ID=${book}` | +| cqlinjection.js:17:11:17:57 | query2 | cqlinjection.js:18:37:18:42 | query2 | +| cqlinjection.js:17:11:17:57 | query2 | cqlinjection.js:18:37:18:42 | query2 | +| cqlinjection.js:17:20:17:57 | SELECT. ... 
+ book) | cqlinjection.js:17:11:17:57 | query2 | +| cqlinjection.js:17:45:17:56 | 'ID=' + book | cqlinjection.js:17:20:17:57 | SELECT. ... + book) | +| cqlinjection.js:17:53:17:56 | book | cqlinjection.js:17:45:17:56 | 'ID=' + book | +| cqlinjection.js:20:52:20:63 | 'ID=' + book | cqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| cqlinjection.js:20:52:20:63 | 'ID=' + book | cqlinjection.js:20:27:20:64 | SELECT. ... + book) | +| cqlinjection.js:20:60:20:63 | book | cqlinjection.js:20:52:20:63 | 'ID=' + book | +| cqlinjection.js:27:11:27:62 | cqn | cqlinjection.js:28:39:28:41 | cqn | +| cqlinjection.js:27:11:27:62 | cqn | cqlinjection.js:28:39:28:41 | cqn | +| cqlinjection.js:27:17:27:62 | CQL`SEL ... + book | cqlinjection.js:27:11:27:62 | cqn | +| cqlinjection.js:27:59:27:62 | book | cqlinjection.js:27:17:27:62 | CQL`SEL ... + book | +| cqlinjection.js:30:11:30:60 | cqn1 | cqlinjection.js:31:39:31:42 | cqn1 | +| cqlinjection.js:30:11:30:60 | cqn1 | cqlinjection.js:31:39:31:42 | cqn1 | +| cqlinjection.js:30:18:30:60 | cds.par ... + book) | cqlinjection.js:30:11:30:60 | cqn1 | +| cqlinjection.js:30:32:30:59 | `SELECT ... + book | cqlinjection.js:30:18:30:60 | cds.par ... + book) | +| cqlinjection.js:30:56:30:59 | book | cqlinjection.js:30:32:30:59 | `SELECT ... + book | +#select +| cqlinjection.js:13:36:13:40 | query | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:13:36:13:40 | query | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value | +| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value | +| cqlinjection.js:18:37:18:42 | query2 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:18:37:18:42 | query2 | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value | +| cqlinjection.js:20:27:20:64 | SELECT. ... 
+ book) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:20:27:20:64 | SELECT. ... + book) | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value | +| cqlinjection.js:28:39:28:41 | cqn | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:28:39:28:41 | cqn | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value | +| cqlinjection.js:31:39:31:42 | cqn1 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:31:39:31:42 | cqn1 | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
diff --git a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js
similarity index 100%
rename from javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.js
rename to javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js
diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.qlref b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.qlref
new file mode 100644
index 000000000..d6231d2ad
--- /dev/null
+++ b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.qlref
@@ -0,0 +1 @@
+cqlinjection/CqlInjection.ql
\ No newline at end of file
diff --git a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected
deleted file mode 100644
index de9e6eadc..000000000
--- a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.expected
+++ /dev/null
@@ -1,84 +0,0 @@ -nodes -| sqlinjection.js:7:34:7:36 | req | -| sqlinjection.js:7:34:7:36 | req | -| sqlinjection.js:8:13:8:30 | { book, quantity } | -| sqlinjection.js:8:13:8:41 | book | -| sqlinjection.js:8:15:8:18 | book | -| sqlinjection.js:8:34:8:36 | req | -| sqlinjection.js:8:34:8:41 | req.data | -| sqlinjection.js:12:11:12:56 | query | -| sqlinjection.js:12:19:12:56 | SELECT. ... book}`) | -| sqlinjection.js:12:44:12:55 | `ID=${book}` | -| sqlinjection.js:12:50:12:53 | book | -| sqlinjection.js:13:36:13:40 | query | -| sqlinjection.js:13:36:13:40 | query | -| sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | -| sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | -| sqlinjection.js:15:52:15:63 | `ID=${book}` | -| sqlinjection.js:15:58:15:61 | book | -| sqlinjection.js:17:11:17:57 | query2 | -| sqlinjection.js:17:20:17:57 | SELECT. ... + book) | -| sqlinjection.js:17:45:17:56 | 'ID=' + book | -| sqlinjection.js:17:53:17:56 | book | -| sqlinjection.js:18:37:18:42 | query2 | -| sqlinjection.js:18:37:18:42 | query2 | -| sqlinjection.js:20:27:20:64 | SELECT. ... + book) | -| sqlinjection.js:20:27:20:64 | SELECT. ... + book) | -| sqlinjection.js:20:52:20:63 | 'ID=' + book | -| sqlinjection.js:20:60:20:63 | book | -| sqlinjection.js:27:11:27:62 | cqn | -| sqlinjection.js:27:17:27:62 | CQL`SEL ... + book | -| sqlinjection.js:27:59:27:62 | book | -| sqlinjection.js:28:39:28:41 | cqn | -| sqlinjection.js:28:39:28:41 | cqn | -| sqlinjection.js:30:11:30:60 | cqn1 | -| sqlinjection.js:30:18:30:60 | cds.par ... + book) | -| sqlinjection.js:30:32:30:59 | `SELECT ... 
+ book | -| sqlinjection.js:30:56:30:59 | book | -| sqlinjection.js:31:39:31:42 | cqn1 | -| sqlinjection.js:31:39:31:42 | cqn1 | -edges -| sqlinjection.js:7:34:7:36 | req | sqlinjection.js:8:34:8:36 | req | -| sqlinjection.js:7:34:7:36 | req | sqlinjection.js:8:34:8:36 | req | -| sqlinjection.js:8:13:8:30 | { book, quantity } | sqlinjection.js:8:15:8:18 | book | -| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:12:50:12:53 | book | -| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:15:58:15:61 | book | -| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:17:53:17:56 | book | -| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:20:60:20:63 | book | -| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:27:59:27:62 | book | -| sqlinjection.js:8:13:8:41 | book | sqlinjection.js:30:56:30:59 | book | -| sqlinjection.js:8:15:8:18 | book | sqlinjection.js:8:13:8:41 | book | -| sqlinjection.js:8:34:8:36 | req | sqlinjection.js:8:34:8:41 | req.data | -| sqlinjection.js:8:34:8:41 | req.data | sqlinjection.js:8:13:8:30 | { book, quantity } | -| sqlinjection.js:12:11:12:56 | query | sqlinjection.js:13:36:13:40 | query | -| sqlinjection.js:12:11:12:56 | query | sqlinjection.js:13:36:13:40 | query | -| sqlinjection.js:12:19:12:56 | SELECT. ... book}`) | sqlinjection.js:12:11:12:56 | query | -| sqlinjection.js:12:44:12:55 | `ID=${book}` | sqlinjection.js:12:19:12:56 | SELECT. ... book}`) | -| sqlinjection.js:12:50:12:53 | book | sqlinjection.js:12:44:12:55 | `ID=${book}` | -| sqlinjection.js:15:52:15:63 | `ID=${book}` | sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | -| sqlinjection.js:15:52:15:63 | `ID=${book}` | sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | -| sqlinjection.js:15:58:15:61 | book | sqlinjection.js:15:52:15:63 | `ID=${book}` | -| sqlinjection.js:17:11:17:57 | query2 | sqlinjection.js:18:37:18:42 | query2 | -| sqlinjection.js:17:11:17:57 | query2 | sqlinjection.js:18:37:18:42 | query2 | -| sqlinjection.js:17:20:17:57 | SELECT. ... 
+ book) | sqlinjection.js:17:11:17:57 | query2 | -| sqlinjection.js:17:45:17:56 | 'ID=' + book | sqlinjection.js:17:20:17:57 | SELECT. ... + book) | -| sqlinjection.js:17:53:17:56 | book | sqlinjection.js:17:45:17:56 | 'ID=' + book | -| sqlinjection.js:20:52:20:63 | 'ID=' + book | sqlinjection.js:20:27:20:64 | SELECT. ... + book) | -| sqlinjection.js:20:52:20:63 | 'ID=' + book | sqlinjection.js:20:27:20:64 | SELECT. ... + book) | -| sqlinjection.js:20:60:20:63 | book | sqlinjection.js:20:52:20:63 | 'ID=' + book | -| sqlinjection.js:27:11:27:62 | cqn | sqlinjection.js:28:39:28:41 | cqn | -| sqlinjection.js:27:11:27:62 | cqn | sqlinjection.js:28:39:28:41 | cqn | -| sqlinjection.js:27:17:27:62 | CQL`SEL ... + book | sqlinjection.js:27:11:27:62 | cqn | -| sqlinjection.js:27:59:27:62 | book | sqlinjection.js:27:17:27:62 | CQL`SEL ... + book | -| sqlinjection.js:30:11:30:60 | cqn1 | sqlinjection.js:31:39:31:42 | cqn1 | -| sqlinjection.js:30:11:30:60 | cqn1 | sqlinjection.js:31:39:31:42 | cqn1 | -| sqlinjection.js:30:18:30:60 | cds.par ... + book) | sqlinjection.js:30:11:30:60 | cqn1 | -| sqlinjection.js:30:32:30:59 | `SELECT ... + book | sqlinjection.js:30:18:30:60 | cds.par ... + book) | -| sqlinjection.js:30:56:30:59 | book | sqlinjection.js:30:32:30:59 | `SELECT ... + book | -#select -| sqlinjection.js:13:36:13:40 | query | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:13:36:13:40 | query | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | -| sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:15:27:15:64 | SELECT. ... book}`) | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | -| sqlinjection.js:18:37:18:42 | query2 | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:18:37:18:42 | query2 | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | -| sqlinjection.js:20:27:20:64 | SELECT. ... 
+ book) | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:20:27:20:64 | SELECT. ... + book) | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | -| sqlinjection.js:28:39:28:41 | cqn | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:28:39:28:41 | cqn | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value | -| sqlinjection.js:31:39:31:42 | cqn1 | sqlinjection.js:7:34:7:36 | req | sqlinjection.js:31:39:31:42 | cqn1 | This query depends on a $@. | sqlinjection.js:7:34:7:36 | req | user-provided value |
diff --git a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.qlref b/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.qlref
deleted file mode 100644
index 0401f5b18..000000000
--- a/javascript/frameworks/cap/test/queries/sqlinjection/sqlinjection.qlref
+++ /dev/null
@@ -1 +0,0 @@
-sqlinjection/SqlInjection.ql
\ No newline at end of file