Java: split tests by versions

splitting is required to properly test each scenario
github · jcogs33 · Aug 26, 2025 · Jul 9, 2025 · Jul 9, 2025 · Jul 10, 2025
commit 3823186dc6dc53c87fdd143fbf6d7d95dbbe4e8e
diff --git a/...y/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected b/...y/CWE-200/semmle/tests/InsecureSpringActuatorConfig/InsecureSpringActuatorConfig.expected
@@ -1 +1,6 @@
-| pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
+#select
+| Version1.4-/bad/false/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
+| Version1.5/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
+| Version2+/bad/pom.xml:29:9:32:22 | dependency | Insecure configuration of Spring Boot Actuator exposes sensitive endpoints. |
+testFailures
+| Version1.4-/bad/default/pom.xml:32:23:32:39 |  $ Alert  | Missing result: Alert |
diff --git a/.../semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties b/.../semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/default/application.properties
@@ -0,0 +1 @@
+# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
diff --git a/...ests/InsecureSpringActuatorConfig/pom.xml → ...torConfig/Version1.4-/bad/default/pom.xml b/...ests/InsecureSpringActuatorConfig/pom.xml → ...torConfig/Version1.4-/bad/default/pom.xml
@@ -17,7 +17,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.3.8.RELEASE</version>
+        <version>1.2.6.RELEASE</version>
         <relativePath/>
     </parent>
 

diff --git a/...00/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties b/...00/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/application.properties
@@ -0,0 +1,2 @@
+# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
+management.security.enabled=false
diff --git a/.../security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml b/.../security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/bad/false/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.2.6.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency> <!-- $ Alert -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <!-- dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/...CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties b/...CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/application.properties
@@ -0,0 +1,2 @@
+# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
+management.security.enabled=true
diff --git a/...tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml b/...tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.4-/good/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.2.6.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/...y/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties b/...y/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/application.properties
@@ -0,0 +1,2 @@
+# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
+management.security.enabled=false
diff --git a/...y-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml b/...y-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/bad/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.6.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency> <!-- $ Alert -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <!-- dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/.../CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties b/.../CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/application.properties
@@ -0,0 +1,2 @@
+# vulnerable configuration (spring boot 1.5+): requires value false to expose sensitive actuators
+management.security.enabled=true
diff --git a/...-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml b/...-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version1.5/good/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.5.6.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/...ringActuatorConfig/application.properties → ...orConfig/Version2+/application.properties b/...ringActuatorConfig/application.properties → ...orConfig/Version2+/application.properties
diff --git a/...ty/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties b/...ty/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/application.properties
@@ -0,0 +1,7 @@
+# vulnerable configuration (spring boot 2+): exposes health and info only by default, here overridden to expose everything
+management.endpoints.web.exposure.include=*
+management.endpoints.web.exposure.exclude=beans
+
+management.endpoint.shutdown.enabled=true
+
+management.endpoint.health.show-details=when_authorized
diff --git a/...ry-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml b/...ry-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/bad/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.2.6.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency> <!-- $ Alert -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <!-- dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/...y/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties b/...y/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/application.properties
@@ -0,0 +1,2 @@
+# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
+management.endpoints.web.exposure.include=beans,info,health
diff --git a/...y-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml b/...y-tests/security/CWE-200/semmle/tests/InsecureSpringActuatorConfig/Version2+/good/pom.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>spring-boot-actuator-app</groupId>
+    <artifactId>spring-boot-actuator-app</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <maven.compiler.source>1.8</maven.compiler.source>
+        <maven.compiler.target>1.8</maven.compiler.target>
+    </properties>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.2.6.RELEASE</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-actuator</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-test</artifactId>
+        </dependency>
+    </dependencies>
+
+</project>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# vulnerable configuration (spring boot 1.0 - 1.4): exposes actuators by default
		management.security.enabled=false
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# safe configuration (spring boot 1.0 - 1.4): exposes actuators by default
		management.security.enabled=true
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# safe configuration (spring boot 1.5+): requires value false to expose sensitive actuators
		management.security.enabled=false
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# safe configuration (spring boot 2+): exposes health and info only by default, here overridden to expose one additional endpoint which we assume is intentional and safe.
		management.endpoints.web.exposure.include=beans,info,health