#14 : Implement a CodeQL query that checks for invocations of Vertx.vertx()

* Implemented CodeQL query.
* Implemented test case.
* Added a query help file.

Author: carlspring

src/main/java/org/carlspring/security/vertx/http/InvocationOfVertxVertx.java

@@ -0,0 +1,16 @@
+package org.carlspring.security.vertx.http;
+
+import io.vertx.core.Vertx;
+
+/**
+ * @author carlspring
+ */
+public class InvocationOfVertxVertx
+{
+
+    public void start()
+    {
+        Vertx.vertx();
+    }
+
+}

src/main/ql/InvocationOfVertxVertx.qhelp

@@ -0,0 +1,46 @@
+x<!DOCTYPE qhelp PUBLIC
+        "-//Semmle//qhelp//EN"
+        "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            An HTTP server which does not use SSL/TLS is vulnerable to man-in-the-middle attacks.
+        </p>
+        <p>
+            Please, note that it may be safe to ignore this, only if you intend your application to be placed
+            behind a loadbalancer, which is itself securing the connections with the appropriate certificates.
+        </p>
+    </overview>
+
+    <recommendation>
+        <p>Use SSL/TLS to encrypt the communication between the client and the server.</p>
+    </recommendation>
+
+    <example>
+        <p>Instead of setting up a plain HTTP server that doesn't use SSL, such as this one:</p>
+
+        <sample src="InsecureHttpServer.java" />
+
+        <p>
+            when creating an HTTP server, the <code>setSsl</code> method should be called on the
+            <code>HttpServerOptions</code>
+            object, and the <code>setKeyStoreOptions</code> method should be called on the
+            <code>HttpServerOptions</code>
+            object with a <code>KeyStoreOptions</code>
+            object as an argument.
+
+            For example, code such as the one illustrated below should be used to create an HTTP server and secure
+            it with SSL:
+        </p>
+
+        <sample src="SecureHttpServer.java" />
+    </example>
+
+    <references>
+        <li>
+            <a href="https://vertx.io/docs/vertx-core/java/#_writing_http_servers_and_clients">
+                Vert.x documentation
+            </a>
+        </li>
+    </references>
+</qhelp>

src/main/ql/InvocationOfVertxVertx.ql

@@ -0,0 +1,35 @@
+/**
+ * @name Invocation of VertX.vertx()
+ * @description The VertX.vertx() method should not be invoked directly.
+ * @kind problem
+ * @problem.severity high
+ * @id java/vertx/invocation-of-vertx-vertx
+ * @tags security java/vertx
+ */
+
+import java
+
+class Vertx extends RefType {
+  Vertx() {
+    this.getASourceSupertype*().hasQualifiedName("io.vertx.core", "Vertx")
+  }
+}
+
+class VertxCreateHttpServerMethodAccess extends MethodAccess {
+  VertxCreateHttpServerMethodAccess() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getName().matches("vertx") and
+      m.getDeclaringType() instanceof Vertx
+    )
+  }
+}
+
+from VertxCreateHttpServerMethodAccess call
+where
+  not call.getEnclosingCallable().getDeclaringType() instanceof Vertx and
+  not call.getLocation().getFile().getRelativePath().matches("%src/test/%") and
+  call.getNumArgument() = 0
+select
+  call,
+  "Invocation of VertX.vertx()"

src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.expected

@@ -0,0 +1 @@
+| InvocationOfVertxVertx.java:13:9:13:21 | vertx(...) | Invocation of VertX.vertx() |

src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.java

@@ -0,0 +1,16 @@
+package org.carlspring.security.vertx.http;
+
+import io.vertx.core.Vertx;
+
+/**
+ * @author carlspring
+ */
+public class InvocationOfVertxVertx
+{
+
+    public void start()
+    {
+        Vertx.vertx();
+    }
+
+}

src/test/ql/test/query-tests/InvocationOfVertxVertx/InvocationOfVertxVertx.qlref

@@ -0,0 +1 @@
+InvocationOfVertxVertx.ql

src/test/ql/test/query-tests/InvocationOfVertxVertx/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../stubs/ -source 17

src/test/ql/test/query-tests/InvocationOfVertxVertx/pom.xml

@@ -0,0 +1,83 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.carlspring.security</groupId>
+    <artifactId>vertx-vulns-test-invocation-of-vertx-vertx</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+
+    <properties>
+        <version.vertx>4.4.4</version.vertx>
+    </properties>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-clean-plugin</artifactId>
+                <version>3.3.1</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.11.0</version>
+                <configuration>
+                    <source>17</source>
+                    <target>17</target>
+                    <debug>true</debug>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-install-plugin</artifactId>
+                <version>3.1.1</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-resources-plugin</artifactId>
+                <version>3.3.1</version>
+                <configuration>
+                    <includeEmptyDirs>true</includeEmptyDirs>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <dependencies>
+        <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-core</artifactId>
+            <version>${version.vertx}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-web</artifactId>
+            <version>${version.vertx}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-web-client</artifactId>
+            <version>${version.vertx}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-jdbc-client</artifactId>
+            <version>${version.vertx}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-rx-java2</artifactId>
+            <version>${version.vertx}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>io.vertx</groupId>
+            <artifactId>vertx-sql-client</artifactId>
+            <version>${version.vertx}</version>
+        </dependency>
+
+    </dependencies>
+
+</project>