github
diff --git a/‎java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll
Lines changed: 2 additions & 2 deletions b/‎java/ql/lib/semmle/code/java/security/SpringBootActuatorsConfigQuery.qll
Lines changed: 2 additions & 2 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected
Lines changed: 5 additions & 4 deletions b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected
Lines changed: 5 additions & 4 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/application.properties
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/default/pom.xml
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/application.properties
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/bad/false/pom.xml
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/application.properties
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.0.x-1.4.x/good/pom.xml
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/application.properties
diff --git a/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml b/‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml renamed to ‎java/ql/test/query-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5.x/bad/pom.xml
@@ -110,7 +110,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
         me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome()
       )
       or
-      springBootVersion.matches("2.%") and //version 2.x
+      springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x
       exists(ManagementEndPointInclude mi |
         mi.getFile() = apFile and
         mi = apOption.asSome() and
@@ -121,7 +121,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie
               .matches([
                   "%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%",
                   "%env%", "%beans%", "%sessions%"
-                ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring
+                ]) // confidential endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring
         )
       )
     )
 
@@ -1,4 +1,5 @@
-| Version1.4-/bad/default/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration |
-| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.2.6.RELEASE). | Version1.4-/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
-| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
-| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure $@ of Spring Boot Actuator exposes sensitive endpoints (2.2.6.RELEASE). | Version2+/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
+| Version1.0.x-1.4.x/bad/default/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | file://:0:0:0:0 | (none) | configuration |
+| Version1.0.x-1.4.x/bad/false/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.2.6.RELEASE). | Version1.0.x-1.4.x/bad/false/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
+| Version1.5.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (1.5.6.RELEASE). | Version1.5.x/bad/application.properties:2:1:2:33 | management.security.enabled=false | configuration |
+| Version2.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (2.2.6.RELEASE). | Version2.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
+| Version3.x/bad/pom.xml:29:9:32:22 | dependency | Insecure Spring Boot actuator $@ exposes sensitive endpoints (3.3.5). | Version3.x/bad/application.properties:2:1:2:43 | management.endpoints.web.exposure.include=* | configuration |
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie`
`110`	`110`	`me.hasSecurityDisabled() and me.getFile() = apFile and me = apOption.asSome()`
`111`	`111`	`)`
`112`	`112`	`or`
`113`		`- springBootVersion.matches("2.%") and //version 2.x`
	`113`	`+ springBootVersion.matches(["2.%", "3.%"]) and //version 2.x and 3.x`
`114`	`114`	`exists(ManagementEndPointInclude mi \|`
`115`	`115`	`mi.getFile() = apFile and`
`116`	`116`	`mi = apOption.asSome() and`
`@@ -121,7 +121,7 @@ predicate hasConfidentialEndPointExposed(SpringBootPom pom, ApplicationPropertie`
`121`	`121`	`.matches([`
`122`	`122`	`"%dump%", "%trace%", "%logfile%", "%shutdown%", "%startup%", "%mappings%",`
`123`	`123`	`"%env%", "%beans%", "%sessions%"`
`124`		`- ]) // confidential endpoints to check although all endpoints apart from '/health' and '/info' are considered sensitive by Spring`
	`124`	`+ ]) // confidential endpoints to check although all endpoints apart from '/health' are considered sensitive by Spring`
`125`	`125`	`)`
`126`	`126`	`)`
`127`	`127`	`)`