Convert tests to inline expectations and fix one bug revealed doing so

Specifically Apache sshd defines its sensitive api calls on an inherited interface, and they need to be described that way for us to pick them up.

Author: smowton

java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCall.qll renamed to java/ql/lib/semmle/code/java/security/HardcodedCredentialsSourceCallQuery.qll

@@ -442,8 +442,8 @@ private predicate otherApiCallableCredentialParam(string s) {
       "com.jcraft.jsch.JSch;getSession(String, String, int);0",
       "com.jcraft.jsch.JSch;getSession(String, String);0",
       "ch.ethz.ssh2.Connection;authenticateWithPassword(String, String);0",
-      "org.apache.sshd.client.SshClient;connect(String, String, int);0",
-      "org.apache.sshd.client.SshClient;connect(String, SocketAddress);0",
+      "org.apache.sshd.client.session.ClientSessionCreator;connect(String, String, int);0",
+      "org.apache.sshd.client.session.ClientSessionCreator;connect(String, SocketAddress);0",
       "net.schmizz.sshj.SSHClient;authPassword(String, char[]);0",
       "net.schmizz.sshj.SSHClient;authPassword(String, String);0",
       "com.sshtools.j2ssh.authentication.SshAuthenticationClient;setUsername(String);0",

java/ql/lib/semmle/code/java/security/SensitiveApi.qll

@@ -11,7 +11,7 @@
  */
 
 import java
-import semmle.code.java.security.HardcodedCredentialsSourceCall
+import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
 import DataFlow::PathGraph
 
 from

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql

@@ -10,11 +10,11 @@ public static void main(String[] args) throws SQLException {
 		String url = "jdbc:mysql://localhost/test";
 		String u = "admin"; // hard-coded credential (flow source)
 
-		DriverManager.getConnection(url, u, p); // sensitive call (flow target)
+		DriverManager.getConnection(url, u, p); // $ HardcodedCredentialsApiCall
 		test(url, u, p);
 	}
 
 	public static void test(String url, String v, String q) throws SQLException {
-		DriverManager.getConnection(url, v, q); // sensitive call (flow target)
+		DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
 	}
 }

java/ql/test/query-tests/security/CWE-798/semmle/tests/CredentialsTest.java

@@ -15,12 +15,12 @@ public static void main(String[] args) throws SQLException, IOException {
 
 		String p = readText(new File(file));
 
-		DriverManager.getConnection("", "admin", p); // sensitive call (flow target)
+		DriverManager.getConnection("", "admin", p); // $ HardcodedCredentialsApiCall
 		test(url, u, p);
 	}
 
 	public static void test(String url, String v, String q) throws SQLException {
-		DriverManager.getConnection(url, v, q); // sensitive call (flow target)
+		DriverManager.getConnection(url, v, q); // $ HardcodedCredentialsApiCall
 	}
 
 	public static String readText(File f) throws IOException

java/ql/test/query-tests/security/CWE-798/semmle/tests/FileCredentialTest.java

@@ -4,7 +4,7 @@
 public class HardcodedAWSCredentials {
 	public static void main(String[] args) {
 		//BAD: Hardcoded credentials for connecting to AWS services
-		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead 
-		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY");
+		//To fix the problem, use other approaches including AWS credentials file, environment variables, or instance/container credentials instead
+		AWSCredentials creds = new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY"); // $ HardcodedCredentialsApiCall
 	}
 }

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedAWSCredentials.java

@@ -6,8 +6,8 @@ public class HardcodedApacheFtpCredentials {
 	public static void main(FTPClient client) {
     // BAD: Hardcoded credentials used for the session username and/or password.
     try {
-      client.login("username", "password");
-      client.login("username", "password", "blah");
+      client.login("username", "password"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+      client.login("username", "password", "blah"); // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
     } catch(IOException e) { }
 	}
 }

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheFtpCredentials.java

@@ -5,8 +5,8 @@
 public class HardcodedApacheSshdCredentials {
 	public static void main(SshClient client, AbstractClientSession session) {
     // BAD: Hardcoded credentials used for the session username and/or password.
-    client.connect("Username", "hostname", 22);
-    client.connect("Username", null);
-    session.addPasswordIdentity("password");
+    client.connect("Username", "hostname", 22); // $ HardcodedCredentialsApiCall
+    client.connect("Username", null); // $ HardcodedCredentialsApiCall
+    session.addPasswordIdentity("password"); // $ HardcodedCredentialsApiCall
 	}
 }

java/ql/test/query-tests/security/CWE-798/semmle/tests/HardcodedApacheSshdCredentials.java

@@ -15,8 +15,8 @@ public class HardcodedAzureCredentials {
 	public void testHardcodedUsernamePassword(String input) {
 		UsernamePasswordCredential usernamePasswordCredential = new UsernamePasswordCredentialBuilder()
 		.clientId(clientId)
-		.username(username)
-		.password(clientSecret)
+		.username(username) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
+		.password(clientSecret) // $ HardcodedCredentialsApiCall $ HardcodedCredentialsSourceCall
 		.build();
 
 		SecretClient client = new SecretClientBuilder()
@@ -43,7 +43,7 @@ public void testEnvironmentUsernamePassword(String input) {
 	public void testHardcodedClientSecret(String input) {
 		ClientSecretCredential defaultCredential = new ClientSecretCredentialBuilder()
 		.clientId(clientId)
-		.clientSecret(clientSecret)
+		.clientSecret(clientSecret) // $ HardcodedCredentialsApiCall
 		.tenantId(tenantId)
 		.build();
 	}