github
diff --git a/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheck.expected‎
Lines changed: 0 additions & 8 deletions b/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheck.expected‎
Lines changed: 0 additions & 8 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheck.qlref‎
Lines changed: 0 additions & 1 deletion b/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheck.qlref‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected‎ b/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.expected‎
diff --git a/‎…ty/CWE-347/MissingJWTSignatureCheck.java‎ ‎…WE-347/MissingJWTSignatureCheckTest.java‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheck.java renamed to java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java
Lines changed: 34 additions & 61 deletions b/‎…ty/CWE-347/MissingJWTSignatureCheck.java‎ ‎…WE-347/MissingJWTSignatureCheckTest.java‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheck.java renamed to java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.java
Lines changed: 34 additions & 61 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql‎
Lines changed: 19 additions & 0 deletions b/‎java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-347/options‎
Lines changed: 1 addition & 0 deletions b/‎java/ql/test/query-tests/security/CWE-347/options‎
Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,3 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2
-
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.JwtParser;
 import io.jsonwebtoken.Jwt;
@@ -9,10 +7,7 @@
 import io.jsonwebtoken.JwtHandlerAdapter;
 import io.jsonwebtoken.impl.DefaultJwtParser;
 
-public class MissingJWTSignatureCheck {
-
-
-    // SIGNED
+public class MissingJWTSignatureCheckTest {
 
     private JwtParser getASignedParser() {
         return Jwts.parser().setSigningKey("someBase64EncodedKey");
@@ -46,10 +41,6 @@ private void callSignedParsers() {
         goodJwtHandler(parser3, "");
     }
 
-    // SIGNED END
-
-    // UNSIGNED
-
     private JwtParser getAnUnsignedParser() {
         return Jwts.parser();
     }
@@ -84,81 +75,63 @@ private void callUnsignedParsers() {
 
     private void signParserAfterParseCall() {
         JwtParser parser = getAnUnsignedParser();
-        parser.parse(""); // Should not be detected
+        parser.parse(""); // Safe
         parser.setSigningKey("someBase64EncodedKey");
     }
 
-    // UNSIGNED END
-
-    // INDIRECT
-
     private void badJwtOnParserBuilder(JwtParser parser, String token) {
-        parser.parse(token); // BAD: Does not verify the signature
+        parser.parse(token); // $hasMissingJwtSignatureCheck
     }
 
     private void badJwtHandlerOnParserBuilder(JwtParser parser, String token) {
-        parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // BAD: The handler is called on an unverified JWT
-                        @Override
-                        public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
-                            return jwt;
-                        }
-                    });
+        parser.parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() { // $hasMissingJwtSignatureCheck
+            @Override
+            public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
+                return jwt;
+            }
+        });
     }
 
     private void goodJwtOnParserBuilder(JwtParser parser, String token) {
-        parser.parseClaimsJws(token) // GOOD: Verify the signature
-                    .getBody();
+        parser.parseClaimsJws(token) // Safe
+                .getBody();
     }
 
     private void goodJwtHandler(JwtParser parser, String token) {
-        parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
-                        @Override
-                        public Jws<String> onPlaintextJws(Jws<String> jws) {
-                            return jws;
-                        }
-                    });
+        parser.parse(token, new JwtHandlerAdapter<Jws<String>>() { // Safe
+            @Override
+            public Jws<String> onPlaintextJws(Jws<String> jws) {
+                return jws;
+            }
+        });
     }
 
-    // INDIRECT END
-
-    // DIRECT
-
     private void badJwtOnParserBuilder(String token) {
-        Jwts.parserBuilder()
-                    .setSigningKey("someBase64EncodedKey").build()
-                    .parse(token); // BAD: Does not verify the signature
+        Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token); // $hasMissingJwtSignatureCheck
     }
 
     private void badJwtHandlerOnParser(String token) {
-        Jwts.parser()
-                    .setSigningKey("someBase64EncodedKey")
-                    .parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() {  // BAD: The handler is called on an unverified JWT
-                        @Override
-                        public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
-                            return jwt;
-                        }
-                    });
+        Jwts.parser().setSigningKey("someBase64EncodedKey").parse(token, // $hasMissingJwtSignatureCheck
+                new JwtHandlerAdapter<Jwt<Header, String>>() {
+                    @Override
+                    public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
+                        return jwt;
+                    }
+                });
     }
 
     private void goodJwtOnParser(String token) {
-        Jwts.parser()
-                    .setSigningKey("someBase64EncodedKey")
-                    .parseClaimsJws(token) // GOOD: Verify the signature
-                    .getBody();
+        Jwts.parser().setSigningKey("someBase64EncodedKey").parseClaimsJws(token) // Safe
+                .getBody();
     }
 
     private void goodJwtHandlerOnParserBuilder(String token) {
-        Jwts.parserBuilder()
-                    .setSigningKey("someBase64EncodedKey").build()
-                    .parse(token, new JwtHandlerAdapter<Jws<String>>() { // GOOD: The handler is called on a verified JWS
-                        @Override
-                        public Jws<String> onPlaintextJws(Jws<String> jws) {
-                            return jws;
-                        }
-                    });
+        Jwts.parserBuilder().setSigningKey("someBase64EncodedKey").build().parse(token, // Safe
+                new JwtHandlerAdapter<Jws<String>>() {
+                    @Override
+                    public Jws<String> onPlaintextJws(Jws<String> jws) {
+                        return jws;
+                    }
+                });
     }
-
-    // DIRECT END
-
-
 }
@@ -0,0 +1,19 @@
+import java
+import semmle.code.java.security.JWT
+import TestUtilities.InlineExpectationsTest
+
+class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest {
+  HasMissingJwtSignatureCheckTest() { this = "HasMissingJwtSignatureCheckTest" }
+
+  override string getARelevantTag() { result = "hasMissingJwtSignatureCheck" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasMissingJwtSignatureCheck" and
+    exists(JwtParserWithInsecureParseSink sink, JwtParserWithSigningKeyExpr parserExpr |
+      sink.asExpr() = parserExpr and
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
@@ -0,0 +1 @@
+semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jwtk-jjwt-0.11.2`