Password models

egregius313 · egregius313 · commit 66486b08dcfd · 2023-10-25T14:31:53.000-04:00
diff --git a/java/ql/lib/ext/com.sun.crypto.provider.model.yml b/java/ql/lib/ext/com.sun.crypto.provider.model.yml
@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.crypto.provider", "JceKeyStore", False, "engineGetKey", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["com.sun.crypto.provider", "JceKeyStore", False, "engineLoad", "(InputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["com.sun.crypto.provider", "JceKeyStore", False, "engineSetKeyEntry", "(String, Key, char[], Certificate[])", "credential-password", "Argument[2]", "manual"]
+      - ["com.sun.crypto.provider", "JceKeyStore", False, "engineStore", "(OutputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["com.sun.crypto.provider", "JceKeyStore", False, "getPreKeyedHash", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["com.sun.crypto.provider", "KeyProtector", False, "KeyProtector", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["com.sun.crypto.provider", "PBKDF2KeyImpl", False, "deriveKey", "(Mac, byte[], byte[], int, int)", "credential-password", "Argument[1]", "manual"]
+      - ["com.sun.crypto.provider", "PBKDF2KeyImpl", False, "getPasswordBytes", "(char[])", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.istack.internal.tools.model.yml b/java/ql/lib/ext/com.sun.istack.internal.tools.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.istack.internal.tools", "DefaultAuthenticator$AuthInfo", False, "AuthInfo", "(URL, String, String)", "credential-password", "Argument[2]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.net.httpserver.model.yml b/java/ql/lib/ext/com.sun.net.httpserver.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.net.httpserver", "BasicAuthenticator", False, "checkCredentials", "(String, String)", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.net.ssl.model.yml b/java/ql/lib/ext/com.sun.net.ssl.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.net.ssl", "KeyManagerFactory", False, "init", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["com.sun.net.ssl", "KeyManagerFactorySpi", False, "engineInit", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["com.sun.net.ssl", "KeyManagerFactorySpiWrapper", False, "engineInit", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.model.yml b/java/ql/lib/ext/com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations", "PrivateKeyResolver", False, "PrivateKeyResolver", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations", "SecretKeyResolver", False, "SecretKeyResolver", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.rowset.model.yml b/java/ql/lib/ext/com.sun.rowset.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.rowset", "JdbcRowSetImpl", False, "JdbcRowSetImpl", "(String, String, String)", "credential-password", "Argument[2]", "manual"]
+      - ["com.sun.rowset", "JdbcRowSetImpl", False, "setPassword", "(String)", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.security.auth.module.model.yml b/java/ql/lib/ext/com.sun.security.auth.module.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.security.auth.module", "JndiLoginModule", False, "verifyPassword", "(String, String)", "credential-password", "Argument[0]", "manual"]
+      - ["com.sun.security.auth.module", "JndiLoginModule", False, "verifyPassword", "(String, String)", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.security.ntlm.model.yml b/java/ql/lib/ext/com.sun.security.ntlm.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.security.ntlm", "Client", False, "Client", "(String, String, String, String, char[])", "credential-password", "Argument[4]", "manual"]
+      - ["com.sun.security.ntlm", "NTLM", False, "getP1", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["com.sun.security.ntlm", "NTLM", False, "getP2", "(char[])", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.security.sasl.digest.model.yml b/java/ql/lib/ext/com.sun.security.sasl.digest.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.security.sasl.digest", "DigestMD5Base", False, "generateResponseValue", "(String, String, String, String, String, char[], byte[], byte[], int, byte[])", "credential-password", "Argument[5]", "manual"]
+      - ["com.sun.security.sasl.digest", "DigestMD5Server", False, "generateResponseAuth", "(String, char[], byte[], int, byte[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/com.sun.tools.internal.ws.wscompile.model.yml b/java/ql/lib/ext/com.sun.tools.internal.ws.wscompile.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.sun.tools.internal.ws.wscompile", "AuthInfo", False, "AuthInfo", "(URL, String, String)", "credential-password", "Argument[2]", "manual"]
diff --git a/java/ql/lib/ext/java.net.model.yml b/java/ql/lib/ext/java.net.model.yml
@@ -10,6 +10,7 @@ extensions:
       extensible: sinkModel
     data:
       - ["java.net", "DatagramSocket", True, "connect", "(SocketAddress)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String, char[])", "credential-password", "Argument[1]", "manual"]
       - ["java.net", "Socket", True, "Socket", "(String,int)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["java.net", "URL", False, "openConnection", "", "", "Argument[this]", "request-forgery", "manual"]
       - ["java.net", "URL", False, "openConnection", "(Proxy)", "", "Argument[0]", "request-forgery", "ai-manual"]
diff --git a/java/ql/lib/ext/java.security.model.yml b/java/ql/lib/ext/java.security.model.yml
@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.security", "KeyStore", False, "getKey", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["java.security", "KeyStore", False, "load", "(InputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["java.security", "KeyStore", False, "setKeyEntry", "(String, Key, char[], Certificate[])", "credential-password", "Argument[2]", "manual"]
+      - ["java.security", "KeyStore", False, "store", "(OutputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["java.security", "KeyStore$PasswordProtection", False, "PasswordProtection", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["java.security", "KeyStore$PasswordProtection", False, "PasswordProtection", "(char[], String, AlgorithmParameterSpec)", "credential-password", "Argument[0]", "manual"]
+      - ["java.security", "KeyStoreSpi", False, "engineGetKey", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["java.security", "KeyStoreSpi", False, "engineLoad", "(InputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["java.security", "KeyStoreSpi", False, "engineSetKeyEntry", "(String, Key, char[], Certificate[])", "credential-password", "Argument[2]", "manual"]
+      - ["java.security", "KeyStoreSpi", False, "engineStore", "(OutputStream, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/java.sql.model.yml b/java/ql/lib/ext/java.sql.model.yml
@@ -11,6 +11,7 @@ extensions:
       - ["java.sql", "DriverManager", False, "getConnection", "(String)", "", "Argument[0]", "request-forgery", "manual"]
       - ["java.sql", "DriverManager", False, "getConnection", "(String,Properties)", "", "Argument[0]", "request-forgery", "manual"]
       - ["java.sql", "DriverManager", False, "getConnection", "(String,String,String)", "", "Argument[0]", "request-forgery", "manual"]
+      - ["java.sql", "DriverManager", False, "getConnection", "(String, String, String)", "credential-password", "Argument[2]", "manual"]
       - ["java.sql", "Statement", True, "addBatch", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["java.sql", "Statement", True, "execute", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["java.sql", "Statement", True, "executeLargeUpdate", "", "", "Argument[0]", "sql-injection", "manual"]
diff --git a/java/ql/lib/ext/javax.crypto.spec.model.yml b/java/ql/lib/ext/javax.crypto.spec.model.yml
@@ -6,4 +6,11 @@ extensions:
       - ["javax.crypto.spec", "IvParameterSpec", True, "IvParameterSpec", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["javax.crypto.spec", "GCMParameterSpec", True, "GCMParameterSpec", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
       - ["javax.crypto.spec", "RC2ParameterSpec", True, "RC2ParameterSpec", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
-      - ["javax.crypto.spec", "RC5ParameterSpec", True, "RC5ParameterSpec", "", "", "Argument[3]", "Argument[this]", "taint", "manual"]
+      - ["javax.crypto.spec", "RC5ParameterSpec", True, "RC5ParameterSpec", "", "", "Argument[3]", "Argument[this]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[], byte[], int)", "credential-password", "Argument[0]", "manual"]
+      - ["javax.crypto.spec", "PBEKeySpec", False, "PBEKeySpec", "(char[], byte[], int, int)", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/javax.net.ssl.model.yml b/java/ql/lib/ext/javax.net.ssl.model.yml
@@ -5,3 +5,5 @@ extensions:
     data:
       - ["javax.net.ssl", "HttpsURLConnection", True, "setDefaultHostnameVerifier", "", "", "Argument[0]", "hostname-verification", "manual"]
       - ["javax.net.ssl", "HttpsURLConnection", True, "setHostnameVerifier", "", "", "Argument[0]", "hostname-verification", "manual"]
+      - ["javax.net.ssl", "KeyManagerFactory", False, "init", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["javax.net.ssl", "KeyManagerFactorySpi", False, "engineInit", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/javax.security.auth.callback.model.yml b/java/ql/lib/ext/javax.security.auth.callback.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["javax.security.auth.callback", "PasswordCallback", False, "setPassword", "(char[])", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/javax.security.auth.kerberos.model.yml b/java/ql/lib/ext/javax.security.auth.kerberos.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["javax.security.auth.kerberos", "KerberosKey", False, "KerberosKey", "(KerberosPrincipal, char[], String)", "credential-password", "Argument[1]", "manual"]
+      - ["javax.security.auth.kerberos", "KeyImpl", False, "KeyImpl", "(KerberosPrincipal, char[], String)", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/javax.sql.model.yml b/java/ql/lib/ext/javax.sql.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["javax.sql", "ConnectionPoolDataSource", False, "getPooledConnection", "(String, String)", "credential-password", "Argument[1]", "manual"]
+      - ["javax.sql", "DataSource", False, "getConnection", "(String, String)", "credential-password", "Argument[1]", "manual"]
+      - ["javax.sql", "RowSet", False, "setPassword", "(String)", "credential-password", "Argument[0]", "manual"]
+      - ["javax.sql", "XADataSource", False, "getXAConnection", "(String, String)", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.net.ftp.impl.model.yml b/java/ql/lib/ext/sun.net.ftp.impl.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.net.ftp.impl", "FtpClient", False, "login", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.net.ftp.impl", "FtpClient", False, "login", "(String, char[], String)", "credential-password", "Argument[1]", "manual"]
+      - ["sun.net.ftp.impl", "FtpClient", False, "tryLogin", "(String, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.net.ftp.model.yml b/java/ql/lib/ext/sun.net.ftp.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.net.ftp", "FtpClient", False, "login", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.net.ftp", "FtpClient", False, "login", "(String, char[], String)", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.net.www.protocol.http.model.yml b/java/ql/lib/ext/sun.net.www.protocol.http.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.net.www.protocol.http", "DigestAuthentication", False, "computeDigest", "(boolean, String, char[], String, String, String, String, String, String)", "credential-password", "Argument[2]", "manual"]
+      - ["sun.net.www.protocol.http", "DigestAuthentication", False, "encode", "(String, char[], MessageDigest)", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.krb5.internal.crypto.dk.model.yml b/java/ql/lib/ext/sun.security.krb5.internal.crypto.dk.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.krb5.internal.crypto.dk", "AesDkCrypto", False, "stringToKey", "(char[], String, byte[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5.internal.crypto.dk", "ArcFourCrypto", False, "stringToKey", "(char[])", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.krb5.internal.crypto.model.yml b/java/ql/lib/ext/sun.security.krb5.internal.crypto.model.yml
@@ -0,0 +1,10 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.krb5.internal.crypto", "Aes128", False, "stringToKey", "(char[], String, byte[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5.internal.crypto", "Aes256", False, "stringToKey", "(char[], String, byte[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5.internal.crypto", "ArcFourHmac", False, "stringToKey", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5.internal.crypto", "Des", False, "char_to_key", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5.internal.crypto", "Des", False, "string_to_key_bytes", "(char[])", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.krb5.model.yml b/java/ql/lib/ext/sun.security.krb5.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.krb5", "EncryptionKey", False, "EncryptionKey", "(char[], String, String)", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5", "EncryptionKey", False, "acquireSecretKey", "(PrincipalName, char[], int, SaltAndParams)", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.krb5", "EncryptionKey", False, "acquireSecretKey", "(char[], String, int, byte[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5", "EncryptionKey", False, "acquireSecretKeys", "(char[], String)", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5", "EncryptionKey", False, "stringToKey", "(char[], String, byte[], int)", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.krb5", "KrbAsRep", False, "decryptUsingPassword", "(char[], KrbAsReq, PrincipalName)", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.pkcs11.model.yml b/java/ql/lib/ext/sun.security.pkcs11.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.pkcs11", "P11KeyStore", False, "engineGetKey", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.pkcs11", "P11KeyStore", False, "engineLoad", "(InputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.pkcs11", "P11KeyStore", False, "engineSetKeyEntry", "(String, Key, char[], Certificate[])", "credential-password", "Argument[2]", "manual"]
+      - ["sun.security.pkcs11", "P11KeyStore", False, "engineStore", "(OutputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.pkcs11", "P11KeyStore$PasswordCallbackHandler", False, "PasswordCallbackHandler", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.pkcs11", "Secmod$KeyStoreLoadParameter", False, "KeyStoreLoadParameter", "(TrustType, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.pkcs12.model.yml b/java/ql/lib/ext/sun.security.pkcs12.model.yml
@@ -0,0 +1,14 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "calculateMac", "(char[], byte[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "createEncryptedData", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "encryptContent", "(byte[], char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "engineGetKey", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "engineLoad", "(InputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "engineSetKeyEntry", "(String, Key, char[], Certificate[])", "credential-password", "Argument[2]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "engineStore", "(OutputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "getPBEKey", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.pkcs12", "PKCS12KeyStore", False, "loadSafeContents", "(DerInputStream, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.provider.model.yml b/java/ql/lib/ext/sun.security.provider.model.yml
@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.provider", "DomainKeyStore", False, "engineGetKey", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.provider", "DomainKeyStore", False, "engineLoad", "(InputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.provider", "DomainKeyStore", False, "engineSetKeyEntry", "(String, Key, char[], Certificate[])", "credential-password", "Argument[2]", "manual"]
+      - ["sun.security.provider", "DomainKeyStore", False, "engineStore", "(OutputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.provider", "JavaKeyStore", False, "engineGetKey", "(String, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.provider", "JavaKeyStore", False, "engineLoad", "(InputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.provider", "JavaKeyStore", False, "engineSetKeyEntry", "(String, Key, char[], Certificate[])", "credential-password", "Argument[2]", "manual"]
+      - ["sun.security.provider", "JavaKeyStore", False, "engineStore", "(OutputStream, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.provider", "JavaKeyStore", False, "getPreKeyedHash", "(char[])", "credential-password", "Argument[0]", "manual"]
+      - ["sun.security.provider", "KeyProtector", False, "KeyProtector", "(char[])", "credential-password", "Argument[0]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.ssl.model.yml b/java/ql/lib/ext/sun.security.ssl.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.ssl", "KeyManagerFactoryImpl$SunX509", False, "engineInit", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.ssl", "KeyManagerFactoryImpl$X509", False, "engineInit", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
+      - ["sun.security.ssl", "SunX509KeyManagerImpl", False, "SunX509KeyManagerImpl", "(KeyStore, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.security.tools.keytool.model.yml b/java/ql/lib/ext/sun.security.tools.keytool.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["sun.security.tools.keytool", "Main", False, "getNewPasswd", "(String, char[])", "credential-password", "Argument[1]", "manual"]
diff --git a/java/ql/lib/ext/sun.tools.jconsole.model.yml b/java/ql/lib/ext/sun.tools.jconsole.model.yml
