Java: add extra sink for java/unsafe-deserialization

[owen-mc]

The qualifiers of a calls to readObject on any classes that implement java.io.ObjectInput are now recognised as sinks for java/unsafe-deserialization. Previously this was only the case for classes which extend java.io.ObjectInputStream.

[Copilot]

Pull Request Overview

This PR enhances the java/unsafe-deserialization query by expanding the recognition of deserialization sinks to include calls to readObject on any classes implementing java.io.ObjectInput, not just subclasses of java.io.ObjectInputStream. This provides broader coverage for detecting unsafe deserialization patterns.

• Added support for detecting unsafe deserialization through ObjectInput interface implementations
• Refactored the code to separate readObject and readUnshared method handling
• Added comprehensive test coverage for the new functionality

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
java/ql/lib/semmle/code/java/JDK.qll	Added TypeObjectInput class for java.io.ObjectInput interface
java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll	Refactored to detect readObject calls on ObjectInput implementations and separated readUnshared handling
java/ql/test/query-tests/security/CWE-502/com/example/MyObjectInput.java	Test class implementing ObjectInput interface for validation
java/ql/test/query-tests/security/CWE-502/A.java	Updated test cases to include new deserialization scenarios
java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.ext.yml	Added source models for test data flow
java/ql/test/query-tests/security/CWE-502/UnsafeDeserialization.expected	Updated expected results reflecting new detections
java/ql/lib/change-notes/2025-07-11-unsafe-deserialization-extra-sink.md	Documentation of the enhancement

[jcogs33]

Looks reasonable.