Skip to content

Add CodeQL support and tests for Micronaut framework#21387

Open
nicolaswill wants to merge 4 commits intomainfrom
nicolaswill/micronaut
Open

Add CodeQL support and tests for Micronaut framework#21387
nicolaswill wants to merge 4 commits intomainfrom
nicolaswill/micronaut

Conversation

@nicolaswill
Copy link
Contributor

@nicolaswill nicolaswill commented Feb 27, 2026

This pull request adds CodeQL modeling for the Micronaut Java framework, covering HTTP controllers, WebSocket endpoints, configuration injection, security annotations, and relevant sources and sinks. The changes integrate Micronaut-specific classes and methods into the CodeQL dataflow architecture, enabling taint tracking and threat modeling for user input, configuration, and HTTP/WebSocket requests. Test cases are included to verify the new models.

Micronaut framework modeling:

  • Added overlays for Micronaut HTTP controllers, request mapping methods, input parameters, error handlers, and request beans in MicronautController.qll, enabling detection and classification of user-controlled input sources.
  • Introduced overlays for Micronaut WebSocket endpoints, message handlers, and user input parameters in MicronautWebSocket.qll.
  • Added overlays for Micronaut configuration injection via @Value and @Property annotations, modeling fields and parameters as local user input in MicronautConfig.qll.
  • Added overlays for Micronaut Data repositories and query annotations in MicronautData.qll.
  • Added overlays for Micronaut Security, modeling @Secured annotations for classes and methods in MicronautSecurity.qll.

Dataflow source and sink integration:

  • Extended FlowSources.qll to include Micronaut HTTP input parameters, WebSocket parameters, configuration fields/parameters, and error handler parameters as sources, using the new overlays. [1] [2]
  • Added source, summary, and sink models for Micronaut HTTP, multipart, and client APIs in .model.yml files, covering taint propagation and SSRF, response splitting, and URL redirection sinks. [1] [2] [3]

Test coverage:

  • Added test cases for Micronaut controller input sources and error handlers in MicronautControllerTest.java.
  • Added test cases for Micronaut configuration injection sources in MicronautConfigTest.java.

@nicolaswill
Add Micronaut framework support for Java QL
cf31af7 
Add CodeQL support for Micronaut: add MaD models for HTTP, HTTP client and multipart (sources, sinks and summary propagation), new framework QLL modules (Controller, WebSocket, Config, Data, Security). Add library tests and query tests exercising request inputs, file uploads, HttpClient sinks (SSRF), header sinks (response-splitting) and redirect sinks (open-redirect), plus expected results and extractor options. Include Micronaut 4.x stubs used by the tests.
Copilot AI review requested due to automatic review settings February 27, 2026 16:18
@nicolaswill nicolaswill requested a review from a team as a code owner February 27, 2026 16:18
@github-actions github-actions bot added the Java label Feb 27, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Feb 27, 2026
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Feb 27, 2026

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``hudson``, ``io.jsonwebtoken``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.codehaus.cargo.container.installer``, ``org.dom4j``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",108,6034,757,131,6,14,18,,185
+    Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``hudson``, ``io.jsonwebtoken``, ``io.micronaut.http``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.codehaus.cargo.container.installer``, ``org.dom4j``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",122,6064,763,131,6,14,18,,189
-    Totals,,363,26381,2681,404,16,134,33,1,409
+    Totals,,377,26411,2687,404,16,134,33,1,413
  • Changes to framework-coverage-java.csv:
+ io.micronaut.http,6,14,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,1,,,,,,1,,,,,,,,14,30,

Copilot AI reviewed Feb 27, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Micronaut framework modeling to the Java CodeQL libraries and integrates it into the existing dataflow source/sink architecture, with accompanying stubs and tests to validate taint tracking for common Micronaut HTTP/WebSocket/config patterns.

Changes:

  • Add Micronaut-specific CodeQL libraries (controller/websocket/config/data/security overlays) and wire them into FlowSources.
  • Add Micronaut MaD .model.yml entries for key HTTP/multipart/client APIs (sources, summaries, and sinks such as SSRF, redirect, and header splitting).
  • Add Micronaut stubs and new/updated tests/options for security and library test suites.

Reviewed changes

Copilot reviewed 72 out of 74 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
java/ql/lib/semmle/code/java/dataflow/FlowSources.qll Imports Micronaut framework libraries and adds Micronaut source definitions.
java/ql/lib/semmle/code/java/frameworks/micronaut/MicronautController.qll New Micronaut HTTP controller/request mapping identification library.
java/ql/lib/semmle/code/java/frameworks/micronaut/MicronautWebSocket.qll New Micronaut WebSocket endpoint/handler identification library.
java/ql/lib/semmle/code/java/frameworks/micronaut/MicronautConfig.qll New Micronaut configuration injection identification library.
java/ql/lib/semmle/code/java/frameworks/micronaut/MicronautData.qll New Micronaut Data repository/query identification library.
java/ql/lib/semmle/code/java/frameworks/micronaut/MicronautSecurity.qll New Micronaut Security annotation identification library.
java/ql/lib/ext/io.micronaut.http.model.yml Adds Micronaut HTTP request sources + summaries, plus redirect/header sinks.
java/ql/lib/ext/io.micronaut.http.multipart.model.yml Adds Micronaut multipart upload sources (file upload getters).
java/ql/lib/ext/io.micronaut.http.client.model.yml Adds Micronaut HTTP client SSRF sink models + URI/UriBuilder propagation.
java/ql/test/library-tests/frameworks/micronaut/options Adds extractor options for Micronaut library tests (classpath stubs).
java/ql/test/library-tests/frameworks/micronaut/flow.ql New inline taint-flow test driver for Micronaut modeling.
java/ql/test/library-tests/frameworks/micronaut/flow.expected Empty expected output for inline flow test (no mismatches).
java/ql/test/library-tests/frameworks/micronaut/MicronautControllerTest.java Library test cases for Micronaut controller parameter sources and error handler.
java/ql/test/library-tests/frameworks/micronaut/MicronautWebSocketTest.java Library test cases for WebSocket handler parameters as sources.
java/ql/test/library-tests/frameworks/micronaut/MicronautHttpRequestTest.java Library test cases for taint from HttpRequest accessors (headers/params/etc).
java/ql/test/library-tests/frameworks/micronaut/MicronautHttpClientTest.java Library test cases for client sinks and URI/UriBuilder taint propagation.
java/ql/test/library-tests/frameworks/micronaut/MicronautFileUploadTest.java Library test cases for multipart upload taint sources.
java/ql/test/library-tests/frameworks/micronaut/MicronautConfigTest.java Library test cases intended for config injection sources.
java/ql/test/query-tests/security/CWE-918/options Adds Micronaut stubs to classpath for SSRF query tests.
java/ql/test/query-tests/security/CWE-918/MicronautSSRF.java New SSRF query test exercising Micronaut client sinks and controller source.
java/ql/test/query-tests/security/CWE-601/semmle/tests/options Adds Micronaut stubs to classpath for URL redirect query tests.
java/ql/test/query-tests/security/CWE-601/semmle/tests/MicronautUrlRedirect.java New URL redirect query test for HttpResponse.redirect(URI.create(...)).
java/ql/test/query-tests/security/CWE-601/semmle/tests/UrlRedirect.expected Updated expected output for URL redirect query tests (generated).
java/ql/test/query-tests/security/CWE-113/semmle/tests/options Adds Micronaut stubs to classpath for response splitting query tests.
java/ql/test/query-tests/security/CWE-113/semmle/tests/MicronautResponseSplitting.java New response splitting query test for MutableHttpResponse.header(...).
java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected Updated expected output for response splitting query tests (generated).
java/ql/test/stubs/micronaut-4.x/LICENSE.txt Adds Micronaut stub licensing file.
java/ql/test/stubs/micronaut-4.x/io/micronaut/context/annotation/Property.java Stub for @Property.
java/ql/test/stubs/micronaut-4.x/io/micronaut/context/annotation/Value.java Stub for @Value.
java/ql/test/stubs/micronaut-4.x/io/micronaut/data/annotation/Query.java Stub for @Query.
java/ql/test/stubs/micronaut-4.x/io/micronaut/data/annotation/Repository.java Stub for @Repository.
java/ql/test/stubs/micronaut-4.x/io/micronaut/data/repository/CrudRepository.java Stub for CrudRepository.
java/ql/test/stubs/micronaut-4.x/io/micronaut/data/repository/GenericRepository.java Stub for GenericRepository.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/HttpHeaders.java Stub for HttpHeaders.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/HttpMethod.java Stub for HttpMethod.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/HttpParameters.java Stub for HttpParameters.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/HttpRequest.java Stub for HttpRequest (incl. static factories).
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/HttpResponse.java Stub for HttpResponse (incl. redirect).
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/HttpStatus.java Stub for HttpStatus.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/MediaType.java Stub for MediaType.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/MutableHttpResponse.java Stub for MutableHttpResponse (incl. header).
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Body.java Stub for @Body.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Controller.java Stub for @Controller.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/CookieValue.java Stub for @CookieValue.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/CustomHttpMethod.java Stub for @CustomHttpMethod.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Delete.java Stub for @Delete.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Error.java Stub for @Error.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Get.java Stub for @Get.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Head.java Stub for @Head.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Header.java Stub for @Header.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Options.java Stub for @Options.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Part.java Stub for @Part.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Patch.java Stub for @Patch.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/PathVariable.java Stub for @PathVariable.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Post.java Stub for @Post.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Put.java Stub for @Put.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/QueryValue.java Stub for @QueryValue.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/RequestAttribute.java Stub for @RequestAttribute.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/RequestBean.java Stub for @RequestBean.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/annotation/Trace.java Stub for @Trace.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/client/BlockingHttpClient.java Stub for BlockingHttpClient.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/client/HttpClient.java Stub for HttpClient.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/cookie/Cookie.java Stub for Cookie.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/cookie/Cookies.java Stub for Cookies.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/multipart/CompletedFileUpload.java Stub for CompletedFileUpload.
java/ql/test/stubs/micronaut-4.x/io/micronaut/http/uri/UriBuilder.java Stub for UriBuilder.
java/ql/test/stubs/micronaut-4.x/io/micronaut/security/annotation/Secured.java Stub for @Secured.
java/ql/test/stubs/micronaut-4.x/io/micronaut/websocket/WebSocketSession.java Stub for WebSocketSession.
java/ql/test/stubs/micronaut-4.x/io/micronaut/websocket/annotation/OnClose.java Stub for @OnClose.
java/ql/test/stubs/micronaut-4.x/io/micronaut/websocket/annotation/OnMessage.java Stub for @OnMessage.
java/ql/test/stubs/micronaut-4.x/io/micronaut/websocket/annotation/OnOpen.java Stub for @OnOpen.
java/ql/test/stubs/micronaut-4.x/io/micronaut/websocket/annotation/ServerWebSocket.java Stub for @ServerWebSocket.

java/ql/test/library-tests/frameworks/micronaut/MicronautConfigTest.java
Comment on lines +18 to +28
sink(secretValue);
}

@Get("/key")
void testPropertyField() {
sink(apiKey);
}

@Get("/param")
void testValueParam(@Value("${app.name}") String appName) {
sink(appName);
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MicronautConfigTest doesn’t currently assert any taint-flow expectations: the sink(...) calls are missing the // $hasTaintFlow markers used by InlineFlowTest. As a result, the Micronaut config injection models aren’t actually being tested here. Add the appropriate inline expectation comments to the relevant sink calls (field injection and parameter injection).

Suggested change
sink(secretValue);
}
@Get("/key")
void testPropertyField() {
sink(apiKey);
}
@Get("/param")
void testValueParam(@Value("${app.name}") String appName) {
sink(appName);
sink(secretValue); // $hasTaintFlow
}
@Get("/key")
void testPropertyField() {
sink(apiKey); // $hasTaintFlow
}
@Get("/param")
void testValueParam(@Value("${app.name}") String appName) {
sink(appName); // $hasTaintFlow

Copilot uses AI. Check for mistakes.
java/ql/lib/semmle/code/java/frameworks/micronaut/MicronautController.qll Outdated
}

private predicate isExplicitlyTaintedInput() {
// The MicronautHttpInputAnnotations allow access to the URI path,
Copy link

Copilot AI Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment refers to MicronautHttpInputAnnotations, but the defined type is MicronautHttpInputAnnotation (singular). Consider aligning the comment with the actual identifier to avoid confusion when navigating the library.

Suggested change
// The MicronautHttpInputAnnotations allow access to the URI path,
// The MicronautHttpInputAnnotation allows access to the URI path,

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

documentation Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nicolaswill