From e059930d593c30223afcc5791c49e6e3ea89da0d Mon Sep 17 00:00:00 2001
From: nevenas-mit
Date: Wed, 12 Nov 2025 09:08:49 -0700
Subject: [PATCH 1/2] Add Source Sinks + README

---
 README.md | 2 +
 data/fix_info_source_sink.csv | 54 ++++++++++++++++++
 data/source_sink_detect.csv | 100 ++++++++++++++++++++++++++++++++++
 3 files changed, 156 insertions(+)
 create mode 100644 data/fix_info_source_sink.csv
 create mode 100644 data/source_sink_detect.csv

diff --git a/README.md b/README.md
index 04c8f29..b267d4b 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,8 @@ The table below summarizes the number of CVEs in our dataset grouped by CWE cate
 | CWE-400 | 5 |
 | Other CWEs (36 total) | 51 |
 
+Additionally, for 50 CVEs we manually extracted source and sinks for the vulnerabilities and marked them in the CodeQL format. We also provide results for LLMs ability to detect those source/sink pairs.
+
 ## 🚀 Set Up
 ### Using Docker (Recommended)
 ```bash
diff --git a/data/fix_info_source_sink.csv b/data/fix_info_source_sink.csv
new file mode 100644
index 0000000..13605d0
--- /dev/null
+++ b/data/fix_info_source_sink.csv
@@ -0,0 +1,54 @@
+project_slug,cve_id,github_username,github_repository_name,commit,file,class,class_start,class_end,method,method_start,method_end,signature,Done,Link,Source,Source Line,Sink,Sink Line,Source CodeQl Format,Sink CodeQl Format,Check
+keycloak_CVE-2025-7365_26.0.12,CVE-2025-7365,keycloak,keycloak,86f0a7864f2bdd991d5e24e6844ddabfce0aa6de,keycloak/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java,IdpReviewProfileAuthenticator,55,255,actionImpl,112,248,"void actionImpl(AuthenticationFlowContext context, SerializedBrokeredIdentityContext userCtx, BrokeredIdentityContext brokerContext)",1,https://github.com/keycloak/keycloak/blob/86f0a7864f2bdd991d5e24e6844ddabfce0aa6de/services/src/main/java/org/keycloak/authentication/authenticators/broker/IdpReviewProfileAuthenticator.java,userCtx,112,"context.getAuthenticationSession().setAuthNote(AbstractIdentityProvider.UPDATE_PROFILE_USERNAME_CHANGED, ""true"");",207,org.keycloak.authentication.authenticators.broker.util; SerializedBrokeredIdentityContext; false; getUsername; (); ; ReturnValue; source; userCtx (brokered IdP user) at L112,"org.keycloak.sessions; AuthenticationSessionModel; true; setAuthNote; (java.lang.String,java.lang.String); ; Argument[1]; sink; context.getAuthenticationSession().setAuthNote(...) 
at L207",True
+opencast_CVE-2025-54380_17.5,CVE-2025-54380,opencast,opencast,2d3219113e2b9fadfb06443f5468b1c2157827a6,opencast/modules/kernel/src/main/java/org/opencastproject/kernel/security/TrustedHttpClientImpl.java,TrustedHttpClientImpl,96,761,execute,386,480,"HttpResponse execute(HttpUriRequest httpUriRequest, int connectionTimeout, int socketTimeout)",1,https://github.com/opencast/opencast/blob/2d3219113e2b9fadfb06443f5468b1c2157827a6/modules/kernel/src/main/java/org/opencastproject/kernel/security/TrustedHttpClientImpl.java,HttpUriRequest httpUriRequest,386,"httpUriRequest.setHeader(SecurityConstants.USER_HEADER, currentUser.getUsername());",406,"org.opencastproject.kernel.security; TrustedHttpClientImpl; false; execute; (org.apache.http.client.methods.HttpUriRequest,int,int); ; Argument[0]; source; httpUriRequest parameter at L386","org.apache.http; HttpMessage; true; setHeader; (java.lang.String,java.lang.String); ; Argument[1]; sink; value passed to httpUriRequest.setHeader(..) 
for USER_HEADER at L406",True
+jena_CVE-2025-49656_jena-5.4.0,CVE-2025-49656,apache,jena,03c5265910aa3a27907bf54f6b4aaae3409afa4f,jena/jena-fuseki2/jena-fuseki-webapp/src/main/java/org/apache/jena/fuseki/webapp/FusekiWebapp.java,FusekiWebapp,59,453,allowConfigFiles,130,135,boolean allowConfigFiles(),1,https://github.com/apache/jena/blob/03c5265910aa3a27907bf54f6b4aaae3409afa4f/jena-fuseki2/jena-fuseki-webapp/src/main/java/org/apache/jena/fuseki/webapp/FusekiWebapp.java,System.getProperty(allowConfigFileProperty);,136,"return ""true"".equals(value);",138,"java.lang; System; false; getProperty; (java.lang.String); ; ReturnValue; source; value from System.getProperty(""fuseki:allowAddByConfigFile"") at L136","org.apache.jena.fuseki.webapp; FusekiWebapp; false; allowConfigFiles; (); ; ReturnValue; sink; method return depends on property comparison (""true"".equals(value)) at L138",True
+reactor-netty_CVE-2025-22227_v1.2.8,CVE-2025-22227,reactor,reactor-netty,522892307ea89bf24fe634e8bfea35728c9bf411,reactor-netty/reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientOperations.java,HttpClientOperations,103,1113,copyState,954,966,void copyState(HttpClientOperations streamOps),1,https://github.com/reactor/reactor-netty/blob/522892307ea89bf24fe634e8bfea35728c9bf411/reactor-netty-http/src/main/java/reactor/netty/http/client/HttpClientOperations.java,HttpClientOperations streamOps,954,streamOps.markSentHeaderAndBody();,959,reactor.netty.http.client; HttpClientOperations; false; copyState; (reactor.netty.http.client.HttpClientOperations); ; Argument[0]; source; streamOps parameter at L954,reactor.netty.http; HttpOperations; true; markSentHeaderAndBody; (); ; Argument[this]; sink; streamOps.markSentHeaderAndBody() call at L959,True
+DSpace_CVE-2025-53622_dspace-7.6.3,CVE-2025-53622,DSpace,DSpace,3163ff8b1ea0abe09683a1a94fb5f5bb039983b3,DSpace/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java,ItemImportServiceImpl,139,2496,validateFilePath,1021,1040,"void validateFilePath(String parentDir, String fileName)",1,https://github.com/DSpace/DSpace/blob/3163ff8b1ea0abe09683a1a94fb5f5bb039983b3/dspace-api/src/main/java/org/dspace/app/itemimport/ItemImportServiceImpl.java,"String path, String fileName",1448,BufferedInputStream bis = new BufferedInputStream(new FileInputStream(fullpath));,1459,"org.dspace.app.itemimport; ItemImportServiceImpl; false; processContentFileEntry; (org.dspace.core.Context,org.dspace.content.Item,java.lang.String,java.lang.String,java.lang.String,boolean); ; Argument[2..3]; source; method params path & fileName at L1448",java.io; FileInputStream; false; ; (java.lang.String); ; Argument[0]; sink; new FileInputStream(fullpath) at L1459,True
+DSpace_CVE-2025-53621_dspace-7.6.3,CVE-2025-53621,DSpace,DSpace,28b5f3810fa2b819516e706849a99a9bf5f3de87,DSpace/dspace-api/src/main/java/org/dspace/administer/RegistryImporter.java,RegistryImporter,34,140,loadXML,50,59,Document loadXML(String filename),1,https://github.com/DSpace/DSpace/blob/28b5f3810fa2b819516e706849a99a9bf5f3de87/dspace-api/src/main/java/org/dspace/administer/RegistryImporter.java,String filename,50,Document document = builder.parse(new File(filename));,56,org.dspace.administer; RegistryImporter; false; loadXML; (java.lang.String); ; Argument[0]; source; method param filename at L50,javax.xml.parsers; DocumentBuilder; true; parse; (java.io.File); ; Argument[0]; sink; builder.parse(new File(filename)) at L56,True
+cxf_CVE-2025-48795_cxf-3.5.10,CVE-2025-48795,apache,cxf,1c1d687f8e295f433a3592a3bc0b0a63c432bfde,cxf/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java,DelayedCachedOutputStreamCleaner,41,256,clean,116,130,void clean(Collection 
closeables),1,https://github.com/apache/cxf/blob/1c1d687f8e295f433a3592a3bc0b0a63c432bfde/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java,Collection closeables,116,"LOG.warning(""Unclosed (leaked?) stream detected: "" + next.closeable.hashCode());",122,org.apache.cxf.io; DelayedCachedOutputStreamCleaner$DelayedCleanerImpl; false; clean; (java.util.Collection); ; Element; source; closeables at L116,java.util.logging; Logger; false; warning; (java.lang.String); ; Argument[0]; sink; uses next.closeable.hashCode() in log msg at L122,True
+jackrabbit_CVE-2025-53689_jackrabbit-2.23.1-beta,CVE-2025-53689,apache,jackrabbit,02786c0a01838580252bdab79bfa54026c30294e,jackrabbit/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java,DOMWalker,41,259,createFactory,46,73,DocumentBuilderFactory createFactory(),1,https://github.com/apache/jackrabbit/blob/02786c0a01838580252bdab79bfa54026c30294e/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java,InputStream xml,89,document = builder.parse(xml);,96,org.apache.jackrabbit.core.util; DOMWalker; false; ; (java.io.InputStream); ; Argument[0]; source; xml parameter at L89,javax.xml.parsers; DocumentBuilder; false; parse; (java.io.InputStream); ; Argument[0]; sink; builder.parse(xml) at L96,True
+tomcat_CVE-2025-53506_11.0.8,CVE-2025-53506,apache,tomcat,2aa6261276ebe50b99276953591e3a2be7898bdb,tomcat/java/org/apache/coyote/http2/ConnectionSettingsLocal.java,ConnectionSettingsLocal,30,108,set,43,54,"void set(Setting setting, Long value, boolean force)",1,https://github.com/apache/tomcat/blob/2aa6261276ebe50b99276953591e3a2be7898bdb/java/org/apache/coyote/http2/ConnectionSettingsLocal.java,"Setting setting, Long value",43,"current.put(setting, value);",50,"org.apache.coyote.http2; ConnectionSettingsLocal; false; set; (org.apache.coyote.http2.Setting, java.lang.Long, boolean); ; Argument[0]; source; parameter "setting" at L43","java.util; Map; true; put; 
(java.lang.Object, java.lang.Object); ; Argument[0]; sink; call current.put(setting, É) at L50",True
+tomcat_CVE-2025-52520_11.0.8,CVE-2025-52520,apache,tomcat,927d66fbc294cb65242102b817a45fd80834e040,tomcat/java/org/apache/catalina/connector/Request.java,Request,132,3431,parseParts,2598,2779,void parseParts(boolean explicit),1,https://github.com/apache/tomcat/blob/927d66fbc294cb65242102b817a45fd80834e040/java/org/apache/catalina/connector/Request.java,List items = upload.parseRequest(new ServletRequestContext(this));,2716,if (postSize > maxPostSize),2735,org.apache.tomcat.util.http.fileupload; FileUpload; false; parseRequest; (org.apache.tomcat.util.http.fileupload.RequestContext); ; ReturnValue; source; assigned to items at L2716,org.apache.catalina.connector; Request; false; parseParts; (); ; Argument[this]; sink; branch if (postSize > maxPostSize) at L2735,True
+junit-framework_CVE-2025-53103_r5.13.1,CVE-2025-53103,junit-team,junit-framework,d4fc834c8c1c0b3168cd030c13551d1d041f51bc,junit-framework/junit-platform-reporting/src/main/java/org/junit/platform/reporting/open/xml/OpenTestReportGeneratingListener.java,OpenTestReportGeneratingListener,100,335,addGitInfo,172,182,"void addGitInfo(Infrastructure infrastructure, GitInfoCollector git)",1,https://github.com/junit-team/junit-framework/blob/d4fc834c8c1c0b3168cd030c13551d1d041f51bc/junit-platform-reporting/src/main/java/org/junit/platform/reporting/open/xml/OpenTestReportGeneratingListener.java,git.getOriginUrl(),173,"infrastructure.append(repository(), repository -> repository.withOriginUrl(gitUrl)));",175,org.junit.platform.reporting.open.xml; GitInfoCollector; false; getOriginUrl; (); ; ReturnValue; source; origin URL Optional at L173,org.opentest4j.reporting.events.git; Repository; false; withOriginUrl; (java.lang.String); ; Argument[0]; sink; call repository.withOriginUrl(gitUrl) at L175,True
+graylog2-server_CVE-2025-53106_6.2.3,CVE-2025-53106,Graylog2,graylog2-server,6936bd16a783c2944a3d2f1e83902062520f90e3,graylog2-server/graylog2-server/src/main/java/org/graylog2/rest/resources/users/UsersResource.java,UsersResource,139,905,generateNewToken,724,740,"Token generateNewToken( @ApiParam(name = ""userId"", required = true) @PathParam(""userId"") String userId, @ApiParam(name = ""name"", value = ""Descriptive name for this token (e.g. 'cronjob') "", required = true) @PathParam(""name"") String name, @ApiParam(name = ""JSON Body"", value = ""Can optionally contain the token's TTL."", defaultValue = ""{\""token_ttl\"":null}"") GenerateTokenTTL body)",1,https://github.com/Graylog2/graylog2-server/blob/6936bd16a783c2944a3d2f1e83902062520f90e3/graylog2-server/src/main/java/org/graylog2/rest/resources/users/UsersResource.java,"@PathParam(""userId"") String userId",725,"final AccessToken accessToken = accessTokenService.create(futureOwner.getName(), name, body.getTTL(() -> clusterConfigService.getOrDefault(UserConfiguration.class, UserConfiguration.DEFAULT_VALUES).defaultTTLForNewTokens()));",737,"org.graylog2.rest.resources.users; UsersResource; false; generateNewToken; (java.lang.String, java.lang.String, org.graylog2.rest.resources.users.UsersResource.GenerateTokenTTL); ; Argument[0]; source; @PathParam(""userId"") parameter at L725","org.graylog2.security; AccessTokenService; false; create; (java.lang.String, java.lang.String, org.threeten.extra.PeriodDuration); ; Argument[0]; sink; call accessTokenService.create(futureOwner.getName(), É) at L737",True
+conductor_CVE-2025-26074_v3.21.12,CVE-2025-26074,conductor-oss,conductor,e9816501df1e364a3d39d7fe37d6e167c40eaa1b,conductor/core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java,ScriptEvaluator,21,92,initEngine,61,75,void initEngine(boolean 
reInit),1,https://github.com/conductor-oss/conductor/blob/e9816501df1e364a3d39d7fe37d6e167c40eaa1b/core/src/main/java/com/netflix/conductor/core/events/ScriptEvaluator.java,"getEnv(""CONDUCTOR_NASHORN_ES6_ENABLED"")",64,"engine = factory.getScriptEngine(""--language=es6"", ""--no-java"");",65,"com.netflix.conductor.core.events; ScriptEvaluator; false; getEnv; (java.lang.String); ; ReturnValue; source; env var ""CONDUCTOR_NASHORN_ES6_ENABLED"" at L64","org.openjdk.nashorn.api.scripting; NashornScriptEngineFactory; false; getScriptEngine; (java.lang.String, java.lang.String); ; Argument[0..1]; sink; call getScriptEngine(""--language=es6"",""--no-java"") at L65",True
+jans_CVE-2025-53003_v1.7.0,CVE-2025-53003,JanssenProject,jans,92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1,jans/jans-config-api/server/src/main/java/io/jans/configapi/security/service/OpenIdAuthorizationService.java,OpenIdAuthorizationService,40,269,validateScope,121,206,"String validateScope(String accessToken, List tokenScopes, ResourceInfo resourceInfo, String issuer)",1,https://github.com/JanssenProject/jans/blob/92eea4d4637f1cae16ad2f07b2c16378ff3fc5f1/jans-config-api/server/src/main/java/io/jans/configapi/security/service/OpenIdAuthorizationService.java,List tokenScopes,121,"accessToken = openIdService.requestAccessToken(authUtil.getClientId(), resourceScopes);",179,"io.jans.configapi.util; JwtUtil; false; validateToken; (java.lang.String); ; ReturnValue; source; assigned to variable ""tokenScopes"" at L121","io.jans.configapi.security.service; OpenIdService; false; requestAccessToken; (java.lang.String, java.util.List); ; Argument[1]; sink; call openIdService.requestAccessToken(authUtil.getClientId(), resourceScopes) at L179",True
+incubator-seata_CVE-2025-32897_v2.2.0,CVE-2025-32897,apache,incubator-seata,7eda23e948312ed52c3336de70a11f4d2ab06a48,incubator-seata/server/src/main/java/org/apache/seata/server/cluster/raft/serializer/CustomDeserializer.java,CustomDeserializer,26,52,deserialize,35,52,"Class deserialize(JsonParser jsonParser, DeserializationContext deserializationContext)",1,https://github.com/apache/incubator-seata/blob/7eda23e948312ed52c3336de70a11f4d2ab06a48/server/src/main/java/org/apache/seata/server/cluster/raft/serializer/CustomDeserializer.java,String className = jsonParser.getValueAsString();,37,return Class.forName(className);,43,"org.apache.seata.server.cluster.raft.serializer; CustomDeserializer; false; deserialize; (com.fasterxml.jackson.core.JsonParser, com.fasterxml.jackson.databind.DeserializationContext); ; ReturnValue; source; variable className = jsonParser.getValueAsString() at L37",java.lang; Class; false; forName; (java.lang.String); ; Argument[0]; sink; call Class.forName(className) at L43,True
+allure2_CVE-2025-52888_2.34.0,CVE-2025-52888,allure-framework,allure2,cbcb33719851ff70adce85d38e15d20fc58d4eb7,allure2/plugins/junit-xml-plugin/src/main/java/io/qameta/allure/junitxml/JunitXmlPlugin.java,JunitXmlPlugin,73,361,parseRootElement,132,158,"void parseRootElement(final Path resultsDirectory, final Path parsedFile, final RandomUidContext context, final ResultsVisitor visitor)",1,https://github.com/allure-framework/allure2/blob/cbcb33719851ff70adce85d38e15d20fc58d4eb7/plugins/junit-xml-plugin/src/main/java/io/qameta/allure/junitxml/JunitXmlPlugin.java,final Path parsedFile,132,builder.parse(parsedFile.toFile()),141,"io.qameta.allure.junitxml; JunitXmlPlugin; false; parseRootElement; (java.nio.file.Path, java.nio.file.Path, io.qameta.allure.context.RandomUidContext, io.qameta.allure.core.ResultsVisitor); ; Argument[1]; source; parameter ""parsedFile"" at L132",javax.xml.parsers; DocumentBuilder; false; parse; (java.io.File); ; Argument[0]; sink; call 
builder.parse(parsedFile.toFile()) at L141,True
+quarkus_CVE-2025-49574_3.23.4,CVE-2025-49574,quarkusio,quarkus,2b58f59f4bf0bae7d35b1abb585b65f2a66787d1,quarkus/extensions/smallrye-reactive-messaging/runtime/src/main/java/io/quarkus/smallrye/reactivemessaging/runtime/ContextualEmitterImpl.java,ContextualEmitterImpl,26,123,sendMessage,63,100,> Uni sendMessage(M msg),1,https://github.com/quarkusio/quarkus/blob/2b58f59f4bf0bae7d35b1abb585b65f2a66787d1/extensions/smallrye-reactive-messaging/runtime/src/main/java/io/quarkus/smallrye/reactivemessaging/runtime/ContextualEmitterImpl.java,M msg,63,msgUni = msgUni.emitOn(r -> context.runOnContext(x -> r.run()));,74,"io.quarkus.smallrye.reactivemessaging.runtime; ContextualEmitterImpl; false; sendMessage; (org.eclipse.microprofile.reactive.messaging.Message); ; Argument[0]; source; parameter ""msg"" at L63",io.smallrye.mutiny; Uni; false; emitOn; (java.util.concurrent.Executor); ; Argument[this]; sink; call msgUni.emitOn(r -> context.runOnContext(x -> r.run())) at L74,True
+studio_CVE-2025-6384_v4.2.2,CVE-2025-6384,craftercms,studio,471bbad07cf1f3b420529a020c1409ad57d48a4e,studio/src/main/resources/crafter/studio/groovy/blacklist,Blacklist,1,124,,52,61,,1,https://github.com/craftercms/studio/blob/471bbad07cf1f3b420529a020c1409ad57d48a4e/src/main/resources/crafter/studio/groovy/blacklist,User-supplied Groovy script code,N/A,staticMethod groovy.util.Eval xyz java.lang.Object java.lang.Object java.lang.Object java.lang.String,61,N/A; UserScript; false;