Java: Promote Unsafe certificate trust query from experimental

[atorralba]

PR to promote the Unsafe certificate trust query created in #3550

Changes

• Existing files were moved out of experimental
• The UnsafeCertTrust.qll file was created to contain most of the classes and predicates used by the query.
• Some classes that will probably be reusable by other queries were added to the Networking.qll and Encryption.qll libraries.
• The piece of logic that was handling flawed hostname verifications because of a missing (or wrong) SSL endpoint identification algorithm was refactored - now, a taint tracking configuration is used to properly detect established connections without a safe SSL configuration (see SslEndpointIdentificationFlowConfig).
• Changed tests to use InlineExpectationsTest and added some RabbitMQ stubs.

Evaluation

➕ The following CVEs are now detected by the query:

• CVE-2020-11050 TooTallNate/Java-WebSocket@2dbe2d3

✅ The following CVEs are still detected by the query:

• CVE-2018-17187 apache/qpid-proton-j@0cb8ca0
• CVE-2018-11087 spring-projects/spring-amqp@444b74e
• CVE-2018-11775 apache/activemq@69fad2a

➡️ The following CVEs are now detected by the Insecure TrustManager query (#4879):

• CVE-2020-1929 apache/beam@a7dd23d

⚠️ The following CVEs are still not detected by the query:

• CVE-2018-10936 pgjdbc/pgjdbc@cdeeaca

❌ The following CVEs are no longer detected by the query:

• CVE-2018-8034 apache/tomcat@2835bb4. This is due to taint tracking now being used, and the flow being lost because of it crossing through a class field used in a nested class.

To Consider

• The sources of SafeSslParametersFlowConfig are PostUpdateNodes because what characterizes them is the update done by setEndpointIdentificationAlgorithm.
• The predicate isSslSocket is an heuristic and could (probably) be improved.
• SslConnectionWithSafeSslParameters uses localFlow to add subsequent uses of the sanitizer. This is to correctly identify sanitizers that are added with the following pattern:

SSLSocket socket = (SSLSocket) socketFactory.createSocket();
if (safe) {
    SSLParameters sslParameters = socket.getSSLParameters();
    sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
    socket.setSSLParameters(sslParameters);
}
socket.getOutputStream();

where safe is a boolean that is (almost) always true (e.g. a configuration value that defaults to true, or something like socket instanceof SSLSocket). This is needed because the fix applied to several CVEs follows this pattern, e.g. a configuration value is added in order to give the user the option to revert to the old behavior (no forced hostname verification).

[intrigus-lgtm]

This kind-of collides with #4879, which removes everything related to TrustManagers from the UnsafeCertTrust query:
https://github.com/github/codeql/pull/6171/files#diff-d5c7a86618d97f18cf413d2e72f87196fbba850816852aa6d58ba7896d721c3bR9-R57

[atorralba]

This kind-of collides with #4879, which removes everything related to TrustManagers from the UnsafeCertTrust query:
https://github.com/github/codeql/pull/6171/files#diff-d5c7a86618d97f18cf413d2e72f87196fbba850816852aa6d58ba7896d721c3bR9-R57

Yes, just noticed a bunch of conflicts :-P

Rebased to resolve them - let me know if you spot any lingering code that shouldn't be in this query.

Thanks for pointing this out @intrigus-lgtm

[atorralba]

@github/docs-content-codeql please review the qhelp file. Even though changes aren't introduced in this PR, it wasn't reviewed when this query was merged to experimental.

[docs-bot]

📚 Thanks for the docs ping! 🛎️ This was added to our docs first-responder project board. A team member will be along shortly to respond. To request changes to the docs you can also open a CodeQL docs issue.

[mchammer01]

@atorralba - this LGTM ✨
A few minor nits (see inline comments for more info)

[atorralba]

Thanks @mchammer01, your reviews are really helpful! All comments applied.