
Add Hibernate SQL injection sink models and coverage#21749

Open
Copilot wants to merge 4 commits into main from copilot/add-hibernate-sql-injection-tests

Conversation

Contributor

Copilot AI commented Apr 23, 2026

The Java sql-injection query already modeled some Hibernate sinks in SqlTainted.ql, but the CWE-089 regression tests did not exercise those APIs. This PR adds focused regression coverage for the existing Hibernate sinks in java/ql/test/query-tests/security/CWE-089/semmle/examples and also extends the Hibernate sink modeling for additional QueryProducer methods that should be treated as SQL-injection sinks.

  • Hibernate sink model updates

    • Adds sql-injection sink models in java/ql/lib/ext/org.hibernate.query.model.yml for:
      • QueryProducer.createNativeMutationQuery
      • QueryProducer.createMutationQuery
      • QueryProducer.createSelectionQuery
    • These methods all construct executable SQL or HQL from their first String argument, so they should be treated as SQL-injection sinks.
  • New Hibernate regression example

    • Adds Hibernate.java under the existing CWE-089 examples directory.
    • Covers all modeled sink entry points:
      • Session.createQuery
      • Session.createSQLQuery
      • SharedSessionContract.createQuery
      • SharedSessionContract.createSQLQuery
      • QueryProducer.createNativeQuery
      • QueryProducer.createNativeMutationQuery
      • QueryProducer.createQuery
      • QueryProducer.createMutationQuery
      • QueryProducer.createSelectionQuery
      • QueryProducer.createSelectionQuery(String, Class)
      • QueryProducer.createSQLQuery
  • Minimal test stubs

    • Adds a small Hibernate stub surface under java/ql/test/stubs/hibernate-5.x for:
      • org.hibernate.Session
      • org.hibernate.SharedSessionContract
      • org.hibernate.query.QueryProducer
      • org.hibernate.query.Query
      • org.hibernate.query.MutationQuery
      • org.hibernate.query.SelectionQuery
    • Keeps the stub scope limited to the APIs needed for extraction and sink coverage.
  • Examples classpath update

    • Extends the CWE-089 examples options file to include the new Hibernate stub path so the new test source compiles with the existing example set.

Example added to the regression suite:

public static void test(
    Session session, SharedSessionContract sharedSessionContract, QueryProducer queryProducer) {
  session.createQuery(source()); // $ sqlInjection
  session.createSQLQuery(source()); // $ sqlInjection

  sharedSessionContract.createQuery(source()); // $ sqlInjection
  sharedSessionContract.createSQLQuery(source()); // $ sqlInjection

  queryProducer.createNativeQuery(source()); // $ sqlInjection
  queryProducer.createNativeMutationQuery(source()); // $ sqlInjection
  queryProducer.createQuery(source()); // $ sqlInjection
  queryProducer.createMutationQuery(source()); // $ sqlInjection
  queryProducer.createSelectionQuery(source()); // $ sqlInjection
  queryProducer.createSelectionQuery(source(), Object.class); // $ sqlInjection
  queryProducer.createSQLQuery(source()); // $ sqlInjection
}
Original prompt

The java sql-injection query (java/ql/src/Security/CWE/CWE-089/SqlTainted.ql) has sink models for hibernate (java/ql/lib/ext/org.hibernate.model.yml and java/ql/lib/ext/org.hibernate.query.model.yml) but no tests for them. The tests are in java/ql/test/query-tests/security/CWE-089/semmle/examples/ . Please make a new .java file in that folder with tests for all the hibernate sql injection sinks that we have models for. See the other .java files in that folder for examples to follow. You will have to create stubs and add the path to the stubs to the classpath in java/ql/test/query-tests/security/CWE-089/semmle/examples/options . Make a PR with the result for me to review.

Created from VS Code.

Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
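The pattern the new sink models are meant to surface, shown as an added example that is not part of this PR or of the CodeQL test suite. It assumes Hibernate 6.x's QueryProducer API (Session inherits createSelectionQuery and createNativeMutationQuery through SharedSessionContract) and a hypothetical User entity; the vulnerable methods build the first String argument from untrusted input, the safe ones keep that argument constant and bind the value as a parameter:

```java
import java.util.List;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.MutationQuery;
import org.hibernate.query.SelectionQuery;

// Hypothetical entity used by the queries below (not from the PR).
@Entity
class User {
  @Id public Long id;
  public String username;
  public boolean active;
}

public class HibernateSinkExample {

  // Tainted input concatenated into the first argument of createSelectionQuery:
  // this is the argument position the new sink model flags. A username such as
  //   x' or '1'='1
  // turns the lookup into "every user". HQL is as injectable as native SQL.
  static List<User> vulnerableLookup(Session session, String username) {
    String hql = "from User where username = '" + username + "'";
    return session.createSelectionQuery(hql, User.class).getResultList();
  }

  // Same lookup with a constant query string and a bound parameter. Nothing
  // tainted reaches the query text, so the sql-injection query stays quiet.
  static List<User> safeLookup(Session session, String username) {
    SelectionQuery<User> q = session.createSelectionQuery(
        "from User where username = :name", User.class);
    q.setParameter("name", username);
    return q.getResultList();
  }

  // Native SQL mutation assembled from user input: the sink case for
  // createNativeMutationQuery. The driver executes whatever string is passed.
  static int vulnerableDeactivate(Session session, String username) {
    String sql = "update users set active = 0 where username = '" + username + "'";
    return session.createNativeMutationQuery(sql).executeUpdate();
  }

  // Parameterised form of the same native update.
  static int safeDeactivate(Session session, String username) {
    MutationQuery q = session.createNativeMutationQuery(
        "update users set active = 0 where username = :name");
    q.setParameter("name", username);
    return q.executeUpdate();
  }
}
```

Two points worth checking against the models in this PR: in createSelectionQuery(String, Class) the second argument is only the result type, so the query string is still the first argument and that is the only position that needs to be a sink; and the fix is parameter binding, not escaping, since the safe variants pass a compile-time constant as the query text and never let the tainted value reach it.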
Copilot AI changed the title [WIP] Add tests for hibernate SQL injection sinks Add Hibernate sink coverage for Java SQL injection tests Apr 23, 2026
Copilot AI requested a review from owen-mc April 23, 2026 10:07
@github-actions github-actions Bot added the Java label Apr 23, 2026
@owen-mc
Contributor

owen-mc commented Apr 23, 2026

@copilot That's great. Now please do the following task in new commits.

I have noticed that there are no models for sql-injection sinks for these methods (and overloaded variants if any):

https://docs.hibernate.org/orm/6.0/javadocs/org/hibernate/query/QueryProducer.html#createNativeMutationQuery(java.lang.String)
https://docs.hibernate.org/orm/6.0/javadocs/org/hibernate/query/QueryProducer.html#createMutationQuery(java.lang.String)
https://docs.hibernate.org/orm/6.0/javadocs/org/hibernate/query/QueryProducer.html#createSelectionQuery(java.lang.String)

For each such method, consider whether it should be an sql-injection sink. If so, add a model for it in java/ql/lib/ext/org.hibernate.query.model.yml and add a test exercising it (you may have to update the stubs). If not, explain why it shouldn't be a sql-injection sink.

Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 23, 2026

@copilot That's great. Now please do the following task in new commits.

I have noticed that there are no models for sql-injection sinks for these methods (and overloaded variants if any):
...

Addressed in 25d232b. I added sql-injection sink models for QueryProducer.createNativeMutationQuery, createMutationQuery, and createSelectionQuery, and extended the Hibernate regression example plus stubs to exercise them, including createSelectionQuery(String, Class).

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.hibernate.org
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Add Hibernate sink coverage for Java SQL injection tests Add Hibernate SQL injection sink models and coverage Apr 23, 2026
@owen-mc
Contributor

owen-mc commented Apr 23, 2026

@copilot Add a library change note. There is guidance in docs/change-notes.md. You can see an example here: java/ql/lib/change-notes/2026-04-04-sensitive-log-fp-reduction.md.

Agent-Logs-Url: https://github.com/github/codeql/sessions/41769e74-a435-4aaf-b5f7-92060f6cd84e

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 23, 2026

@copilot Add a library change note. There is guidance in docs/change-notes.md. You can see an example here: java/ql/lib/change-notes/2026-04-04-sensitive-log-fp-reduction.md.

Added in 083909e.

@owen-mc owen-mc marked this pull request as ready for review April 23, 2026 15:54
@owen-mc owen-mc requested a review from a team as a code owner April 23, 2026 15:54
Copilot AI review requested due to automatic review settings April 23, 2026 15:54
Contributor

@owen-mc owen-mc left a comment


I manually checked that the tests are actually doing something by removing the inline expectation comments and rerunning the tests in that folder. One of the tests failed.

Contributor

Copilot AI left a comment


Pull request overview

Adds regression coverage for Hibernate SQL/HQL injection sinks in the Java CWE-089 test suite, and extends the Hibernate QueryProducer sink models so the sql-injection query flags additional executable query construction APIs.

Changes:

  • Extended Hibernate sink modeling to treat additional QueryProducer methods as sql-injection sinks.
  • Added a focused CWE-089 example (Hibernate.java) that exercises all modeled Hibernate sink entry points with inline expectations.
  • Introduced minimal Hibernate stubs and updated the CWE-089 examples classpath to compile the new example.
Summary per file:

  • java/ql/lib/ext/org.hibernate.query.model.yml: Adds sink models for additional QueryProducer methods (createNativeMutationQuery, createMutationQuery, createSelectionQuery).
  • java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md: Documents the new sink models in change notes.
  • java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java: Adds a new regression example exercising Hibernate sinks with // $ sqlInjection markers.
  • java/ql/test/query-tests/security/CWE-089/semmle/examples/options: Extends the examples classpath to include the new Hibernate stubs.
  • java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java: Minimal stub for Session with sink-relevant methods.
  • java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java: Minimal stub for SharedSessionContract with sink-relevant methods and the QueryProducer relationship.
  • java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java: Minimal stub covering the QueryProducer methods exercised by the regression test.
  • java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java: Minimal stub type needed for compilation.
  • java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java: Minimal stub type needed for compilation.
  • java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java: Minimal stub type needed for compilation.

Copilot's findings

  • Files reviewed: 10/10 changed files
  • Comments generated: 0
