Java: Add manual overlay annotations

Author: kaspersv

java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll

@@ -36,6 +36,7 @@ Callable exactCallable(Call c) {
 private predicate implCount(MethodCall m, int c) { strictcount(viableImpl(m)) = c }
 
 /** Gets a viable implementation of the target of the given `Call`. */
+overlay[local]
 Callable viableCallable(Call c) {
   result = viableImpl(c)
   or

java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql

@@ -22,6 +22,7 @@ import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.security.Sanitizers
 import Log4jInjectionFlow::PathGraph
 
+overlay[local?]
 deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "log4j-injection" }
 }

java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql

@@ -17,6 +17,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.ExternalFlow
 import RemoteUrlToOpenStreamFlow::PathGraph
 
+overlay[local?]
 deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "openstream-called-on-tainted-url" }
 }

java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql

@@ -22,6 +22,7 @@ import semmle.code.java.security.PathSanitizer
 private import semmle.code.java.security.Sanitizers
 import InjectFilePathFlow::PathGraph
 
+overlay[local?]
 deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "file-path-injection" }
 }

java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql

@@ -18,6 +18,7 @@ import semmle.code.java.security.CommandLineQuery
 import InputToArgumentToExecFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow
 
+overlay[local?]
 deprecated private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "jsch-os-injection" }
 }

java/ql/src/experimental/Security/CWE/CWE-200/AndroidWebResourceResponse.qll

@@ -7,6 +7,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.frameworks.android.WebView
 
+overlay[local?]
 private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "android-web-resource-response" }
 }

java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qll

@@ -8,6 +8,7 @@ import semmle.code.java.arithmetic.Overflow
 import semmle.code.java.dataflow.FlowSteps
 import semmle.code.java.controlflow.Guards
 
+overlay[local?]
 private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "thread-resource-abuse" }
 }

java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll

@@ -9,6 +9,7 @@ import semmle.code.java.controlflow.Guards
 import semmle.code.java.security.UrlRedirect
 import Regex
 
+overlay[local?]
 private class ActivateModels extends ActiveExperimentalModels {
   ActivateModels() { this = "permissive-dot-regex-query" }
 }

shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll

@@ -291,6 +291,7 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
      * to `lambdaCall`, if any. That is, `lastCall` is able to target the enclosing
      * callable of `lambdaCall`.
      */
+    overlay[global]
     pragma[nomagic]
     predicate revLambdaFlow(
       Call lambdaCall, LambdaCallKind kind, Node node, Type t, boolean toReturn, boolean toJump,