DS: Add support for Java reflection patterns in SRA

Overview

Add support for detecting Java reflection patterns in Semgrep rules to improve SRA coverage in the Dependency Scanning Analyzer

Context

Java can load classes dynamically by name using reflection. For example:

Class.forName("com.example.MyClass");

ClassLoader.getSystemClassLoader().loadClass("com.example.MyClass")

Note that the examples above might have variants, like:

Class.forName("com.example.MyClass").getConstructor(...)

We should add those patterns to Java's Semgrep rules to catch hardcoded class names.

An example of a pattern:

- pattern: Class.forName("$LIB")

Note

Semgrep does allow for some constant folding capabilities, so cases like this will still be caught:

	public void x() {
		var aa = "com.mysql.cj.jdbc.Driver";
		var z = Class.forName(aa);
	}

Limitations

If the class name is dynamically loaded (not a constant), it will not be detected.

Related

• Epic: Java Static Reachability Improvements (&19692) • Orin Naaman
• Similar to Add Java reachability rule and test file (gitlab-org/security-products/analyzers/dependency-scanning!260 - merged) • Michael Henriksen