
Fix/jwt source

Open. intrigus-lgtm opened this issue 1 year ago, 1 comment

Consider this code:

import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.JwtParserBuilder;
import io.jsonwebtoken.Jwts;

JwtParserBuilder parserBuilder = Jwts.parserBuilder();
parserBuilder.setSigningKey("someBase64EncodedKey"); // hard-coded key; return value discarded, the builder (qualifier) is what gets modified
JwtParser parser = parserBuilder.build();
return parser;

Previously, setSigningKey (the method access) was considered the source. However, the return value of that call does not flow anywhere; the method changes the qualifier instead. So this commit changes the source to the qualifier instead.

NOTE: I inlined all the good/bad methods, because otherwise I could not differentiate between the different sources. This is probably an artifact of the changes in https://github.com/github/codeql/commit/bc2370ae1dd3c7ce86252dc2e30551c4e1b39020 by @atorralba.

I'd guess that there is probably a way to avoid the inlining, but I'd really like to spend as little time on this PR as possible. (I just want to take this problem off my mind after knowing about it for probably more than half a year^^)

intrigus-lgtm, Apr 05 '24 21:04
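To make the modelling change concrete, here is an added CodeQL sketch (not the PR's diff and not the query's actual code) that marks the builder qualifier of a `setSigningKey` call as the dataflow source rather than the call expression itself. It assumes the current Java library's `MethodCall` class (older releases call it `MethodAccess`) and the hypothetical class names `SetSigningKeyCall` and `SigningKeyQualifierSource`.

```ql
import java
import semmle.code.java.dataflow.DataFlow

/** A call to `io.jsonwebtoken.JwtParserBuilder.setSigningKey(...)`. */
class SetSigningKeyCall extends MethodCall {
  SetSigningKeyCall() {
    this.getMethod().hasName("setSigningKey") and
    this.getMethod()
        .getDeclaringType()
        .hasQualifiedName("io.jsonwebtoken", "JwtParserBuilder")
  }
}

/**
 * The source node. The call's return value is typically discarded
 * (`parserBuilder.setSigningKey(...)` is a bare statement), so a source on
 * the call expression never reaches `build()`. The builder that receives the
 * key, i.e. the qualifier, is what later flows into `build()`, so the source
 * is placed on that expression instead (hypothetical class name).
 */
class SigningKeyQualifierSource extends DataFlow::Node {
  SigningKeyQualifierSource() {
    this.asExpr() = any(SetSigningKeyCall c).getQualifier()
  }
}
```

In the snippet from the description, `SigningKeyQualifierSource` selects the `parserBuilder` expression on the `setSigningKey` line, which is the value that later reaches `parserBuilder.build()`.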

@smowton @atorralba ping? Or were you waiting for me to solve the failing change note check?

intrigus-lgtm, Apr 16 '24 12:04