From 7b897add220733ae86c7abc0770fee5ee25b7afc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 09:50:34 +0000
Subject: [PATCH 1/4] Initial plan

From 081ad03b4bb72685b2897c333d85bf08c0d762fc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 10:04:52 +0000
Subject: [PATCH 2/4] Add Hibernate SQL injection sink tests

Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
---
 .../CWE-089/semmle/examples/Hibernate.java | 21 +++++++++++++++++++
 .../security/CWE-089/semmle/examples/options | 2 +-
 .../hibernate-5.x/org/hibernate/Session.java | 10 +++++++++
 .../org/hibernate/SharedSessionContract.java | 11 ++++++++++
 .../org/hibernate/query/Query.java | 4 ++++
 .../org/hibernate/query/QueryProducer.java | 10 +++++++++
 6 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
 create mode 100644 java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java
 create mode 100644 java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java
 create mode 100644 java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java
 create mode 100644 java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java

diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
new file mode 100644
index 000000000000..c681b17d9878
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
@@ -0,0 +1,21 @@
+import org.hibernate.Session;
+import org.hibernate.SharedSessionContract;
+import org.hibernate.query.QueryProducer;
+
+public class Hibernate {
+
+ public static String source() { return null; }
+
+ public static void test(
+ Session session, SharedSessionContract sharedSessionContract, QueryProducer queryProducer) {
+ session.createQuery(source()); // $ sqlInjection
+ session.createSQLQuery(source()); // $ sqlInjection
+
+ sharedSessionContract.createQuery(source()); // $ sqlInjection
+ sharedSessionContract.createSQLQuery(source()); // $ sqlInjection
+
+ queryProducer.createNativeQuery(source()); // $ sqlInjection
+ queryProducer.createQuery(source()); // $ sqlInjection
+ queryProducer.createSQLQuery(source()); // $ sqlInjection
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/options b/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
index 8f5ee4913cc8..223a083bc767
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0 --release 21
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0:${testdir}/../../../../../stubs/hibernate-5.x --release 21
diff --git a/java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java b/java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java
new file mode 100644
index 000000000000..80b3553e70bf
--- /dev/null
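Review bot: The test pins only positive cases, so nothing here guards against the models over-reporting: every call passes `source()` straight into the query-string argument, and no line shows that a constant HQL string or a bound parameter stays unflagged. I would add `queryProducer.createQuery("from Foo"); // constant HQL, not flagged` and, after giving the `Query` stub a `Query setParameter(String name, Object value);`, `session.createQuery("from Foo where id = :id").setParameter("id", source()); // bound parameter, not a sink`, so a later model change that widens the sink beyond `Argument[0]` fails this test. This assumes `source()` is the taint-source hook the sibling files in this directory use; the hunk does not show how it is wired.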
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java
@@ -0,0 +1,10 @@
+package org.hibernate;
+
+import org.hibernate.query.Query;
+
+public interface Session extends SharedSessionContract {
+
+ Query createQuery(String queryString);
+
+ Query createSQLQuery(String queryString);
+}
diff --git a/java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java b/java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java
new file mode 100644
index 000000000000..dbc196749716
--- /dev/null
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java
@@ -0,0 +1,11 @@
+package org.hibernate;
+
+import org.hibernate.query.Query;
+import org.hibernate.query.QueryProducer;
+
+public interface SharedSessionContract extends QueryProducer {
+
+ Query createQuery(String queryString);
+
+ Query createSQLQuery(String queryString);
+}
diff --git a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java
new file mode 100644
index 000000000000..8aa3f169bf2b
--- /dev/null
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface Query {
+}
diff --git a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
new file mode 100644
index 000000000000..cfb3879422ae
--- /dev/null
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
@@ -0,0 +1,10 @@
+package org.hibernate.query;
+
+public interface QueryProducer {
+
+ Query createNativeQuery(String sqlString);
+
+ Query createQuery(String queryString);
+
+ Query createSQLQuery(String queryString);
+}

From 25d232b81523036f25089a7a4c9923590e5180c8 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 13:41:03 +0000
Subject: [PATCH 3/4] Model additional Hibernate query sinks

Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
---
 java/ql/lib/ext/org.hibernate.query.model.yml | 3 +++
 .../security/CWE-089/semmle/examples/Hibernate.java | 4 ++++
 .../hibernate-5.x/org/hibernate/query/MutationQuery.java | 4 ++++
 .../hibernate-5.x/org/hibernate/query/QueryProducer.java | 8 ++++++++
 .../hibernate-5.x/org/hibernate/query/SelectionQuery.java | 4 ++++
 5 files changed, 23 insertions(+)
 create mode 100644 java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
 create mode 100644 java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java

diff --git a/java/ql/lib/ext/org.hibernate.query.model.yml b/java/ql/lib/ext/org.hibernate.query.model.yml
index bb6232c1fcdd..5eccefd0dfa0
--- a/java/ql/lib/ext/org.hibernate.query.model.yml
+++ b/java/ql/lib/ext/org.hibernate.query.model.yml
@@ -4,5 +4,8 @@ extensions:
 extensible: sinkModel
 data:
 - ["org.hibernate.query", "QueryProducer", True, "createNativeQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.hibernate.query", "QueryProducer", True, "createNativeMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
 - ["org.hibernate.query", "QueryProducer", True, "createQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.hibernate.query", "QueryProducer", True, "createMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.hibernate.query", "QueryProducer", True, "createSelectionQuery", "", "", "Argument[0]", "sql-injection", "manual"]
 - ["org.hibernate.query", "QueryProducer", True, "createSQLQuery", "", "", "Argument[0]", "sql-injection", "manual"]
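Review bot: The new rows use an empty signature, so they apply to every overload of `createMutationQuery`, `createSelectionQuery` and `createNativeMutationQuery`, not only the `String`-taking ones; if the real `QueryProducer` also offers overloads whose first parameter is a criteria object (`CriteriaQuery`, `CriteriaUpdate`, `CriteriaDelete`), as I recall Hibernate 6 does, `Argument[0]` of those is marked as a SQL-injection sink as well. That is consistent with the existing `createQuery` row and unlikely to produce findings on its own, since a criteria object is not a string, but it is a deliberate choice the file does not record. Either narrow the new rows to `"(String)"` and `"(String,Class)"`, or keep them consistent with the older rows and put `# Empty signatures match every overload; only the query-string parameter (Argument[0]) is a sink.` above the `data:` list.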
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
index c681b17d9878..ae61f60e0d06
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
@@ -15,7 +15,11 @@ public static void test(
 sharedSessionContract.createSQLQuery(source()); // $ sqlInjection
 
 queryProducer.createNativeQuery(source()); // $ sqlInjection
+ queryProducer.createNativeMutationQuery(source()); // $ sqlInjection
 queryProducer.createQuery(source()); // $ sqlInjection
+ queryProducer.createMutationQuery(source()); // $ sqlInjection
+ queryProducer.createSelectionQuery(source()); // $ sqlInjection
+ queryProducer.createSelectionQuery(source(), Object.class); // $ sqlInjection
 queryProducer.createSQLQuery(source()); // $ sqlInjection
 }
 }
diff --git a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
new file mode 100644
index 000000000000..cb7004932e03
--- /dev/null
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface MutationQuery {
+}
diff --git a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
index cfb3879422ae..364dc30dd634
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
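Review bot: The three new methods are exercised only through the `queryProducer` receiver, while the older `createQuery`/`createSQLQuery` cases also go through `session` and `sharedSessionContract`; since the model rows depend on `subtypes: True` to reach code that holds a `Session`, which is how Hibernate is normally used, the new sinks should be tested on that path too. `session.createMutationQuery(source()); // $ sqlInjection` and `session.createSelectionQuery(source(), Object.class); // $ sqlInjection` compile against the stubs as they stand, because `SharedSessionContract` extends `QueryProducer`. The two-argument `createQuery`/`createNativeQuery` forms that the empty signature also matches could get a line each as well, though that needs the overloads added to the stub. The `test` method starts outside this hunk.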
@@ -4,7 +4,15 @@ public interface QueryProducer {
 
 Query createNativeQuery(String sqlString);
 
+ MutationQuery createNativeMutationQuery(String sqlString);
+
 Query createQuery(String queryString);
 
+ MutationQuery createMutationQuery(String hqlString);
+
+ SelectionQuery createSelectionQuery(String hqlString);
+
+ SelectionQuery createSelectionQuery(String hqlString, Class resultType);
+
 Query createSQLQuery(String queryString);
 }
diff --git a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
new file mode 100644
index 000000000000..9eb9fddf5968
--- /dev/null
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface SelectionQuery {
+}

From 083909ee3bba9063db1120f63f6cf0acfc63ec7f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 14:10:29 +0000
Subject: [PATCH 4/4] Add Java change note for Hibernate sinks

Agent-Logs-Url: https://github.com/github/codeql/sessions/41769e74-a435-4aaf-b5f7-92060f6cd84e
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
---
 .../change-notes/2026-04-23-hibernate-queryproducer-sinks.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md

diff --git a/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md b/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
new file mode 100644
index 000000000000..018ce8d348e7
--- /dev/null
+++ b/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
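Review bot: The stub tree is named `hibernate-5.x`, yet `createNativeMutationQuery`, `createMutationQuery`, `createSelectionQuery` and the `MutationQuery`/`SelectionQuery` types are, as far as I recall, Hibernate 6 API, while `createSQLQuery` a few lines below was removed in 6; the resulting `QueryProducer` matches no released version, which is acceptable for a test fixture but will mislead whoever copies it next. A header comment on the interface would settle that, e.g. `// Test stub only: merges the 5.x (createSQLQuery) and 6.x (createSelectionQuery/createMutationQuery) QueryProducer surface.`, or the 6.x additions could live in a separate `hibernate-6.x` stub directory. The raw `Class resultType` parameter also differs from the real generic signature, but since the model rows use an empty signature that does not affect matching.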