Java: Promote Insecure Spring Boot Actuator Configuration query from experimental

java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.qhelp → java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qhelp

@@ -2,28 +2,28 @@
 <qhelp>
   <overview>
     <p>Spring Boot is a popular framework that facilitates the development of stand-alone applications
-and micro services. Spring Boot Actuator helps to expose production-ready support features against 
+and micro services. Spring Boot Actuator helps to expose production-ready support features against
 Spring Boot applications.</p>
 
-    <p>Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application. 
-Exposing unprotected actuator endpoints through configuration files can lead to information disclosure 
+    <p>Endpoints of Spring Boot Actuator allow to monitor and interact with a Spring Boot application.
+Exposing unprotected actuator endpoints through configuration files can lead to information disclosure
 or even remote code execution vulnerability.</p>
 
     <p>Rather than programmatically permitting endpoint requests or enforcing access control, frequently
-developers simply leave management endpoints publicly accessible in the application configuration file 
+developers simply leave management endpoints publicly accessible in the application configuration file
 <code>application.properties</code> without enforcing access control through Spring Security.</p>
   </overview>
 
   <recommendation>
-    <p>Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce 
-security checks on management endpoints using Spring Security. Otherwise accessing management endpoints 
-on a different HTTP port other than the port that the web application is listening on also helps to 
+    <p>Declare the Spring Boot Starter Security module in XML configuration or programmatically enforce
+security checks on management endpoints using Spring Security. Otherwise accessing management endpoints
+on a different HTTP port other than the port that the web application is listening on also helps to
 improve the security.</p>
   </recommendation>
 
   <example>
-    <p>The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration, 
-no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration, 
+    <p>The following examples show both 'BAD' and 'GOOD' configurations. In the 'BAD' configuration,
+no security module is declared and sensitive management endpoints are exposed. In the 'GOOD' configuration,
 security is enforced and only endpoints requiring exposure are exposed.</p>
     <sample src="pom_good.xml" />
     <sample src="pom_bad.xml" />

java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql → java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql

@@ -111,11 +111,9 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
   )
 }
 
-deprecated query predicate problems(Dependency d, string message) {
-  exists(SpringBootPom pom |
-    hasConfidentialEndPointExposed(pom, _) and
-    d = pom.getADependency() and
-    d.getArtifact().getValue() = "spring-boot-starter-actuator"
-  ) and
-  message = "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."
-}
+from SpringBootPom pom, ApplicationProperties ap, Dependency d
+where
+  hasConfidentialEndPointExposed(pom, ap) and
+  d = pom.getADependency() and
+  d.getArtifact().getValue() = "spring-boot-starter-actuator"
+select d, "Insecure configuration of Spring Boot Actuator exposes sensitive endpoints."

java/ql/src/experimental/Security/CWE/CWE-016/application.properties → java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/application.properties

@@ -1,7 +1,7 @@
 #management.endpoints.web.base-path=/admin
 
 
-#### BAD: All management endpoints are accessible #### 
+#### BAD: All management endpoints are accessible ####
 # vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
 
 # vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
@@ -11,7 +11,7 @@ management.security.enabled=false
 management.endpoints.web.exposure.include=*
 
 
-#### GOOD: All management endpoints have access control #### 
+#### GOOD: All management endpoints have access control ####
 # safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
 management.security.enabled=true
 

java/ql/src/experimental/Security/CWE/CWE-016/pom_bad.xml → java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_bad.xml

@@ -47,4 +47,4 @@
         </dependency>
     </dependencies>
 
-</project>
+</project>

java/ql/src/experimental/Security/CWE/CWE-016/pom_good.xml → java/ql/src/Security/CWE/CWE-200/InsecureSpringActuatorConfig/pom_good.xml

@@ -47,4 +47,4 @@
         </dependency>
     </dependencies>
 
-</project>
+</project>

java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-200/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.ql

java/ql/test/experimental/query-tests/security/CWE-016/options → java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../../stubs/springframework-5.8.x