Java: add related location to alert message

Author: Jami Cogswell

java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll

@@ -67,7 +67,9 @@ class ManagementEndPointInclude extends ApplicationPropertiesConfigPair {
  * Holds if `ApplicationProperties` ap of a repository managed by `SpringBootPom` pom
  * has a vulnerable configuration of Spring Boot Actuator management endpoints.
  */
-predicate hasConfidentialEndPointExposed(SpringBootPom pom) {
+predicate hasConfidentialEndPointExposed(
+  SpringBootPom pom, ApplicationPropertiesConfigPair ap, string configStr
+) {
   pom.isSpringBootActuatorUsed() and
   not pom.isSpringBootSecurityUsed() and
   exists(ApplicationPropertiesFile apFile |
@@ -79,14 +81,28 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom) {
       springBootVersion = pom.getParentElement().getVersionString()
     |
       springBootVersion.regexpMatch("1\\.[0-4].*") and // version 1.0, 1.1, ..., 1.4
-      not exists(ManagementSecurityConfig me | me.hasSecurityEnabled() and me.getFile() = apFile)
+      (
+        not exists(ManagementSecurityConfig me | me.getFile() = apFile) and
+        // No `ManagementSecurityConfig` in the file, so nowhere to link to
+        // in select message for this case.
+        configStr = "configuration"
+        or
+        exists(ManagementSecurityConfig me |
+          me.hasSecurityDisabled() and me.getFile() = apFile and me = ap
+        ) and
+        configStr = "$@"
+      )
       or
       springBootVersion.matches("1.5%") and // version 1.5
-      exists(ManagementSecurityConfig me | me.hasSecurityDisabled() and me.getFile() = apFile)
+      exists(ManagementSecurityConfig me |
+        me.hasSecurityDisabled() and me.getFile() = apFile and me = ap
+      ) and
+      configStr = "$@"
       or
       springBootVersion.matches("2.%") and //version 2.x
       exists(ManagementEndPointInclude mi |
         mi.getFile() = apFile and
+        mi = ap and
         (
           mi.getValue() = "*" // all endpoints are enabled
           or
@@ -96,7 +112,8 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom) {
                   "%env%", "%beans%", "%sessions%"
                 ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
         )
-      )
+      ) and
+      configStr = "$@"
     )
   )
 }

java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql

@@ -15,9 +15,11 @@ import java
 import semmle.code.xml.MavenPom
 import semmle.code.java.security.SpringBootActuatorsConfigQuery
 
-from SpringBootPom pom, Dependency d
+from SpringBootPom pom, Dependency d, ApplicationPropertiesConfigPair ap, string configStr
 where
-  hasConfidentialEndPointExposed(pom) and
+  hasConfidentialEndPointExposed(pom, ap, configStr) and
   d = pom.getADependency() and
   d.getArtifact().getValue() = "spring-boot-starter-actuator"
-select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
+select d,
+  "Insecure " + configStr + " of Spring Boot Actuator exposes sensitive endpoints. (" +
+    pom.getParentElement().getVersionString() + ")", ap, "configuration"

java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected

@@ -1,4 +1,17 @@
-| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
-| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
-| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
-| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version1.4-/good/application.properties:2:1:2:32 | management.security.enabled=true | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version1.5/good/application.properties:2:1:2:32 | management.security.enabled=true | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/application.properties:6:1:6:33 | management.security.enabled=false | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/application.properties:9:1:9:43 | management.endpoints.web.exposure.include=* | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/application.properties:10:1:10:47 | management.endpoints.web.exposure.exclude=beans | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/application.properties:12:1:12:41 | management.endpoint.shutdown.enabled=true | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/application.properties:14:1:14:55 | management.endpoint.health.show-details=when_authorized | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/bad/application.properties:3:1:3:47 | management.endpoints.web.exposure.exclude=beans | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/bad/application.properties:5:1:5:41 | management.endpoint.shutdown.enabled=true | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/bad/application.properties:7:1:7:55 | management.endpoint.health.show-details=when_authorized | configuration |
+| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version2+/good/application.properties:2:1:2:59 | management.endpoints.web.exposure.include=beans,info,health | configuration |
+| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints. (1.2.6.RELEASE) | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
+| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints. (1.5.6.RELEASE) | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
+| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints. (2.2.6.RELEASE) | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |