[java] Merged with 3665 （https://github.com/github/codeql/pull/3665）

[haby0]

[java] Merged with 3665 （#3665)

[p-]

@haby0 This query as it stands now does not actually detect potential Fastjson RCE vulnerabilities. Besides parsing JSON, Autotyping needs to be enabled (either globally or locally).

[haby0]

@p- When writing codeql rules, it is considered to add local detection of autoType, but autoType may be bypassed.
fastjson <=1.2.68 RCE vulnerability, official announcement: https://github.com/alibaba/fastjson/wiki/security_update_20200601

[haby0]

@p- I think I can increase the detection of autoType in the codeql rules, but there will be some underreporting, because autoType has the risk of being bypassed. And I began to try to detect the set and get methods of dependent packages.

[p-]

@haby0 Oh wow, that's interesting... Makes it harder to write a good query for this.

[aschackmull]

The additions here related to Spring are by now supported out-of-the-box - comprehensive Spring support was added in #3653.
The addition of the FastJson deserialization sink looks good, but is missing a check for safe mode. I've cherry-picked the FastJson contribution and cleaned everything up along with the added safe mode check in a new PR: #4427