This PR adds models Java client APIs for CouchBase and adds tests for 2 queries

java/ql/lib/ext/com.couchbase.client.core.env.model.yml

@@ -0,0 +1,12 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[0]", "credentials-key", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKey", "(PrivateKey,String,List)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(Path,String,Optional<String>)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "CertificateAuthenticator", true, "fromKeyStore", "(KeyStore,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "username", "(Supplier<String>)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.core.env", "PasswordAuthenticator$Builder", true, "password", "(String)", "", "Argument[0]", "credentials-password", "manual"]

java/ql/lib/ext/com.couchbase.client.java.model.yml

@@ -0,0 +1,44 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[0]", "credentials-username", "manual"]
+      - ["com.couchbase.client.java", "ClusterOptions", true, "clusterOptions", "(String,String)", "", "Argument[1]", "credentials-password", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[1]", "credentials-username", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "connect", "(String,String,String)", "", "Argument[2]", "credentials-password", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "query", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "query", "(String,QueryOptions)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "analysticsQuery", "(String,AnalyticsOptions)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,Consumer<QueryRow>)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "queryStreaming", "(String,QueryOptions,Consumer<QueryRow>)", "", "Argument[0]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery)", "", "Argument[1]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Cluster", true, "searchQuery", "(String,SearchQuery,SearchOptions)", "", "Argument[1]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object)", "", "Argument[1]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Collection", true, "upsert", "(String,Object,UpsertOptions)", "", "Argument[1]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object)", "", "Argument[1]", "sql-injection", "manual"]
+      - ["com.couchbase.client.java", "Collection", true, "replace", "(String,Object,ReplaceOptions)", "", "Argument[1]", "sql-injection", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Object)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,long)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,number)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,double)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonObject)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,Map)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,JsonArray)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "put", "(String,List)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["com.couchbase.client.java.json", "JsonObject", true, "putNull", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

java/ql/src/change-notes/2025-12-24-couchbase-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added sink models for `com.couchbase` supporting SQL Injection and Hardcoded Cretentials queries.

java/ql/test/query-tests/security/CWE-089/semmle/examples/CouchBase.java

@@ -0,0 +1,18 @@
+package com.example;
+
+import com.couchbase.client.java.Bucket;
+import com.couchbase.client.java.Cluster;
+import com.couchbase.client.java.Collection;
+import com.couchbase.client.java.json.JsonObject;
+
+public class CouchBase {
+  public static void main(String[] args) {
+    Cluster cluster = Cluster.connect("192.168.0.158", "Administrator", "Administrator");
+    Bucket bucket = cluster.bucket("travel-sample");
+    cluster.query(args[1]);
+
+    Collection collection = bucket.defaultCollection();
+    collection.replace("airbnb_1", JsonObject.create().putNull(System.getenv("ITEM_CATEGORY")));
+    collection.upsert("airbnb_1", JsonObject.create().put("country", args[1]));
+  }
+}