Merge pull request #21082 from mbaluda/couchdb

This PR adds models Java client APIs for CouchBase and adds tests for 2 queries

Author: owen-mc

java/ql/lib/ext/com.couchbase.client.core.env.model.yml

@@ -0,0 +1,28 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      # 'credentials-password' sinks
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0].ReturnValue", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(Supplier)", "", "Argument[0].ReturnValue", "credentials-password", "manual"]
+      # 'credentials-username' sinks
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "create", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "ldapCompatible", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator", true, "builder", "(Supplier)", "", "Argument[0].ReturnValue", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier)", "", "Argument[0].ReturnValue", "credentials-username", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.couchbase.client.core.env", "UsernameAndPassword", true, "UsernameAndPassword", "(String,String)", "", "Argument[0..1]", "Argument[this]", "taint", "manual"]

java/ql/lib/ext/com.couchbase.client.java.model.yml

@@ -0,0 +1,18 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      # 'credentials-username' sinks
+      - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[1]", "credentials-username", "manual"]
+      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      # 'credentials-password' sinks
+      - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      # 'sql-injection' sinks
+      - ["com.couchbase.client.java", "Cluster", true, "analyticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "analyticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer)", "", "Argument[0]", "sql-injection", "manual"]

java/ql/src/change-notes/2025-12-24-couchbase-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.

java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java

@@ -0,0 +1,17 @@
+package com.example;
+
+import com.couchbase.client.java.Bucket;
+import com.couchbase.client.java.Cluster;
+
+public class CouchBase {
+  public static void main(String[] args) {
+    Cluster cluster = Cluster.connect("192.168.0.158", "Administrator", "Administrator");
+    Bucket bucket = cluster.bucket("travel-sample");
+    cluster.analyticsQuery(args[1]);
+    cluster.analyticsQuery(args[1], null);
+    cluster.query(args[1]);
+    cluster.query(args[1], null);
+    cluster.queryStreaming(args[1], null);
+    cluster.queryStreaming(args[1], null, null);
+  }
+}