Add data extensions for remote tainted sources

[5idg5]

Add relevant APIs that are modeled as remote tainted sources under javax.servlet.ServletRequest and javax.servlet.http.HttpServletRequest for jakarta.servlet.ServletRequest and jakarta.servlet.http.HttpServletRequest as well.

[Copilot]

Pull Request Overview

This PR adds data extensions for remote tainted sources by modeling Jakarta Servlet APIs that correspond to existing javax.servlet APIs. The change ensures that security analysis coverage is consistent between the legacy javax.servlet and modern jakarta.servlet APIs.

• Adds remote source models for basic ServletRequest methods in jakarta.servlet
• Adds remote source models for HTTP-specific methods in jakarta.servlet.http.HttpServletRequest
• Maintains consistency with existing javax.servlet security modeling

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
java/ql/lib/ext/jakarta.servlet.model.yml	Adds remote tainted source models for basic ServletRequest methods like getParameter, getInputStream, and getReader
java/ql/lib/ext/jakarta.servlet.http.model.yml	Adds remote tainted source models for HTTP-specific methods like getHeader, getPathInfo, getQueryString, and getRequestURI

---

_{You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.}

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    Java extensions,"``javax.*``, ``jakarta.*``",69,4159,90,10,4,2,1,1,4
+    Java extensions,"``javax.*``, ``jakarta.*``",87,4159,90,10,4,2,1,1,4
-    Totals,,312,26328,2656,404,16,128,33,1,409
+    Totals,,330,26328,2656,404,16,128,33,1,409

• Changes to framework-coverage-java.csv:

- jakarta.servlet,2,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,1,,
+ jakarta.servlet,2,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,19,,

[aschackmull]

LGTM. If you could please also add a change note in java/ql/lib/change-notes (see e.g. existing change notes and/or the change note documentation https://github.com/github/codeql/blob/main/docs/change-notes.md)

[5idg5]

@aschackmull Looks like all checks have passed now!

[aschackmull]

@aschackmull Looks like all checks have passed now!

Yep! Merging.