/* goodG2B2() - use goodsource and badsink by reversing statements in if */
  private void goodG2B2() throws Throwable {
    String data;
    if (IO.static_returns_t()) {
      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");
      /* FIX: Use a hardcoded string */
      data = "foo";
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      Logger log_bad = Logger.getLogger("local-logger");

      data = ""; /* init data */

      File f = new File("C:\\data.txt");
      BufferedReader buffread = null;
      FileReader fread = null;
      try {
        /* read string from file into data */
        fread = new FileReader(f);
        buffread = new BufferedReader(fread);

        data = buffread.readLine(); // This will be reading the first "line" of the file, which
        // could be very long if there are little or no newlines in the file\
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } catch (NumberFormatException nfe) {
        log_bad.warning("Error with number parsing");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (fread != null) {
              fread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing fread");
          }
        }
      }
    }

    String osCommand;
    if (System.getProperty("os.name").toLowerCase().indexOf("win") >= 0) {
      /* running on Windows */
      osCommand = "c:\\WINDOWS\\SYSTEM32\\cmd.exe /c dir ";
    } else {
      /* running on non-Windows */
      osCommand = "/bin/ls ";
    }

    /* POTENTIAL FLAW: command injection */
    Process p = Runtime.getRuntime().exec(osCommand + data);
    p.waitFor();
  }
  /* good2() reverses the bodies in the if statement */
  private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    if (IO.static_returns_t()) {
      Logger tcLog = Logger.getLogger("cwe_testcases_logger");
      if (request.getParameter("username") == null) {
        return;
      }
      String username = request.getParameter("username");
      if (username.matches("[a-zA-Z0-9]*")) {
        HttpSession session = request.getSession(true);
        /* FIX: logged message does not contain session id */
        tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
      } else {
        response.getWriter().println("Invalid characters");
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      Logger tcLog = Logger.getLogger("cwe_testcases_logger");
      if (request.getParameter("username") == null) {
        return;
      }

      String username = request.getParameter("username");

      if (username.matches("[a-zA-Z0-9]*")) {
        HttpSession session = request.getSession(true);
        /* FLAW: leak session ID to debug log */
        tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
      } else {
        response.getWriter().println("Invalid characters");
      }
    }
  }
  /* good2() reverses the bodies in the if statement */
  private void good2() throws Throwable {
    if (IO.static_returns_t()) {
      /* FIX: use SecureRandom to be cryptographically secure */
      SecureRandom rand = new SecureRandom();
      IO.writeLine("Random int: " + rand.nextInt(100));
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      Random rand = new Random();
      /* FLAW: seed is static, making the numbers always occur in the same sequence */
      rand.setSeed(123456);
      IO.writeLine("Random int: " + rand.nextInt(100));
    }
  }
  /* goodB2G2() - use badsource and goodsink by reversing statements in second if  */
  private void goodB2G2() throws Throwable {
    String data;
    if (IO.static_returns_t()) {
      Logger log_bad = Logger.getLogger("local-logger");
      data = ""; /* init data */
      /* Read data using a listening tcp connection */
      ServerSocket listener = null;
      Socket sock = null;
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        /* read input from socket */
        listener = new ServerSocket(39543);
        sock = listener.accept();
        instrread = new InputStreamReader(sock.getInputStream());
        buffread = new BufferedReader(instrread);
        data = buffread.readLine();
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }

        /* clean up socket objects */
        try {
          if (sock != null) {
            sock.close();
          }
        } catch (IOException e) {
          log_bad.warning("Error closing sock");
        } finally {
          try {
            if (listener != null) {
              listener.close();
            }
          } catch (IOException e) {
            log_bad.warning("Error closing listener");
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";
    }
    if (IO.static_returns_t()) {
      Logger log2 = Logger.getLogger("local-logger");
      Connection conn_tmp2 = null;
      PreparedStatement sqlstatement = null;
      try {
        /* FIX: use prepared sqlstatements */
        conn_tmp2 = IO.getDBConnection();
        sqlstatement =
            conn_tmp2.prepareStatement(
                "insert into users (status) values ('updated') where name=?");
        sqlstatement.setString(1, data);
        Boolean bResult = sqlstatement.execute();
        if (bResult) {
          IO.writeString("Name, " + data + ", updated successfully");
        } else {
          IO.writeString("Unable to update records for user: "******"Error getting database connection");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      Logger log2 = Logger.getLogger("local-logger");

      Connection conn_tmp2 = null;
      Statement sqlstatement = null;

      try {
        conn_tmp2 = IO.getDBConnection();
        sqlstatement = conn_tmp2.createStatement();

        /* POTENTIAL FLAW: value of "name" taken directly from an untrusted source and inserted into a command string executed against a SQL interpreter */
        Boolean bResult =
            sqlstatement.execute(
                "insert into users (status) values ('updated') where name='" + data + "'");

        if (bResult) {
          IO.writeString("Name, " + data + ", updated successfully");
        } else {
          IO.writeString("Unable to update records for user: "******"Error getting database connection");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    }
  }
  /* goodB2G2() - use badsource and goodsink by reversing statements in second if  */
  private void goodB2G2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    String data;
    if (IO.static_returns_t()) {
      Logger log_bad = Logger.getLogger("local-logger");
      data = ""; /* init data */
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        /* setup the connection */
        conn = IO.getDBConnection();
        /* prepare the query */
        statement = conn.prepareStatement("select name from users where id=?");
        /* get user input for the userid */
        IO.writeLine("Enter a userid to login as (number): ");
        instrread = new InputStreamReader(System.in);
        buffread = new BufferedReader(instrread);
        int num = Integer.parseInt(buffread.readLine());
        statement.setInt(1, num);
        rs = statement.executeQuery();
        data = rs.getString(1);
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }

        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";
    }
    if (IO.static_returns_t()) {
      /* FIX: use URLEncoder.encode to hex-encode non-alphanumerics */
      data = URLEncoder.encode(data, "UTF-16");
      response.sendRedirect("/author.jsp?lang=" + data);
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      /* POTENTIAL FLAW: Input not verified before inclusion in redirect */
      response.sendRedirect("/author.jsp?lang=" + data);
    }
  }
  /* goodB2G2() - use badsource and goodsink by reversing statements in second if  */
  private void goodB2G2() throws Throwable {
    int data;
    if (IO.static_returns_t()) {
      Logger log_bad = Logger.getLogger("local-logger");
      /* init data */
      data = -1;
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        /* setup the connection */
        conn = IO.getDBConnection();
        /* prepare the query */
        statement = conn.prepareStatement("select name from users where id=?");
        /* get user input for the userid */
        IO.writeLine("Enter a userid to login as (number): ");
        instrread = new InputStreamReader(System.in);
        buffread = new BufferedReader(instrread);
        int num = Integer.parseInt(buffread.readLine());
        statement.setInt(1, num);
        rs = statement.executeQuery();
        String s_data = rs.getString(1);
        data = Integer.parseInt(s_data.trim());
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } catch (NumberFormatException nfe) {
        log_bad.warning("Error with number parsing");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }

        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded number that won't cause underflow, overflow,
      divide by zero, or loss-of-precision issues */
      data = 2;
    }
    if (IO.static_returns_t()) {
      /* FIX: test for a zero denominator */
      if (data != 0) {
        IO.writeLine("100/" + String.valueOf(data) + " = " + (100 / data) + "\n");
      } else {
        IO.writeLine("This would result in a divide by zero");
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      /* POTENTIAL FLAW: Zero denominator will cause an issue.  An integer division will
      result in an exception. */
      IO.writeLine("bad: 100/" + String.valueOf(data) + " = " + (100 / data) + "\n");
    }
  }
  /* goodB2G2() - use badsource and goodsink by reversing statements in second if  */
  private void goodB2G2() throws Throwable {
    String data;
    if (IO.static_returns_t()) {
      Logger log_bad = Logger.getLogger("local-logger");
      data = ""; /* init data */
      URLConnection conn = (new URL("http://www.example.org/")).openConnection();
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        /* read input from URLConnection */
        instrread = new InputStreamReader(conn.getInputStream());
        buffread = new BufferedReader(instrread);
        data = buffread.readLine(); // This will be reading the first "line" of the response body,
        // which could be very long if there are no newlines in the HTML
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";
    }
    if (IO.static_returns_t()) {
      String names[] = data.split("-");
      int iSuccess = 0;
      Logger log2 = Logger.getLogger("local-logger");
      Connection conn_tmp2 = null;
      PreparedStatement sqlstatement = null;
      try {
        /* FIX: use prepared sqlstatement */
        conn_tmp2 = IO.getDBConnection();
        sqlstatement =
            conn_tmp2.prepareStatement("update users set hitcount=hitcount+1 where name=?");
        for (int i = 0; i < names.length; ++i) {
          sqlstatement.setString(1, names[i]);
          sqlstatement.addBatch();
        }
        int dbResults[] = sqlstatement.executeBatch();
        for (int i = 0; i < names.length; ++i) {
          if (dbResults[i] > 0) {
            iSuccess++;
          }
        }
        IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
      } catch (SQLException se) {
        log2.warning("Error getting database connection");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      String names[] = data.split("-");
      int iSuccess = 0;

      Logger log2 = Logger.getLogger("local-logger");

      Connection conn_tmp2 = null;
      Statement sqlstatement = null;

      try {
        conn_tmp2 = IO.getDBConnection();
        sqlstatement = conn_tmp2.createStatement();

        for (int i = 0; i < names.length; ++i) {
          /* POTENTIAL FLAW: take user input and place into dynamic sql query */
          sqlstatement.addBatch(
              "update users set hitcount=hitcount+1 where name='" + names[i] + "'");
        }

        int dbResults[] = sqlstatement.executeBatch();

        for (int i = 0; i < names.length; ++i) {
          if (dbResults[i] > 0) {
            iSuccess++;
          }
        }

        IO.writeString("Succeeded in " + iSuccess + " out of " + names.length + " queries.");
      } catch (SQLException se) {
        log2.warning("Error getting database connection");
      } finally {
        try {
          if (sqlstatement != null) {
            sqlstatement.close();
          }
        } catch (SQLException e) {
          log2.warning("Error closing sqlstatement");
        } finally {
          try {
            if (conn_tmp2 != null) {
              conn_tmp2.close();
            }
          } catch (SQLException e) {
            log2.warning("Error closing conn_tmp2");
          }
        }
      }
    }
  }
  /* goodB2G2() - use badsource and goodsink by reversing statements in second if  */
  private void goodB2G2() throws Throwable {
    String data;
    if (IO.static_returns_t()) {
      Logger log_bad = Logger.getLogger("local-logger");
      data = ""; /* init data */
      Connection conn = null;
      PreparedStatement statement = null;
      ResultSet rs = null;
      BufferedReader buffread = null;
      InputStreamReader instrread = null;
      try {
        /* setup the connection */
        conn = IO.getDBConnection();
        /* prepare the query */
        statement = conn.prepareStatement("select name from users where id=?");
        /* get user input for the userid */
        IO.writeLine("Enter a userid to login as (number): ");
        instrread = new InputStreamReader(System.in);
        buffread = new BufferedReader(instrread);
        int num = Integer.parseInt(buffread.readLine());
        statement.setInt(1, num);
        rs = statement.executeQuery();
        data = rs.getString(1);
      } catch (IOException ioe) {
        log_bad.warning("Error with stream reading");
      } finally {
        /* clean up stream reading objects */
        try {
          if (buffread != null) {
            buffread.close();
          }
        } catch (IOException ioe) {
          log_bad.warning("Error closing buffread");
        } finally {
          try {
            if (instrread != null) {
              instrread.close();
            }
          } catch (IOException ioe) {
            log_bad.warning("Error closing instrread");
          }
        }

        /* clean up database objects */
        try {
          if (rs != null) {
            rs.close();
          }
        } catch (SQLException se) {
          log_bad.warning("Error closing rs");
        } finally {
          try {
            if (statement != null) {
              statement.close();
            }
          } catch (SQLException se) {
            log_bad.warning("Error closing statement");
          } finally {
            try {
              if (conn != null) {
                conn.close();
              }
            } catch (SQLException se) {
              log_bad.warning("Error closing conn");
            }
          }
        }
      }
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      java.util.logging.Logger log_good = java.util.logging.Logger.getLogger("local-logger");

      /* FIX: Use a hardcoded string */
      data = "foo";
    }
    if (IO.static_returns_t()) {
      final String xmldoc =
          "\\src\\testcases\\CWE643_Unsafe_Treatment_of_XPath_Input\\console_to_evaluate\\CWE643_Unsafe_Treatment_of_XPath_Input__helper.xml";
      /* assume username||password as source */
      String[] tokens = data.split("||");
      if (tokens.length < 2) {
        return;
      }
      /* FIX: validate input using StringEscapeUtils */
      String uname = StringEscapeUtils.escapeXml(tokens[0]);
      String pword = StringEscapeUtils.escapeXml(tokens[1]);
      /* build xpath */
      XPath xp = XPathFactory.newInstance().newXPath();
      InputSource inxml = new InputSource(xmldoc);
      String query =
          "//users/user[name/text()='"
              + uname
              + "' and pass/text()='"
              + pword
              + "']"
              + "/secret/text()";
      String secret = (String) xp.evaluate(query, inxml, XPathConstants.STRING);
    } else {
      /* INCIDENTAL: CWE 561 Dead Code, the code below will never run */

      final String xmldoc =
          "\\src\\testcases\\CWE643_Unsafe_Treatment_of_XPath_Input\\console_to_evaluate\\CWE643_Unsafe_Treatment_of_XPath_Input__helper.xml";

      /* assume username||password as source */
      String[] tokens = data.split("||");
      if (tokens.length < 2) {
        return;
      }
      String uname = tokens[0];
      String pword = tokens[1];

      /* build xpath */
      XPath xp = XPathFactory.newInstance().newXPath();
      InputSource inxml = new InputSource(xmldoc);
      /* INCIDENTAL: CWE180 Incorrect Behavior Order: Validate Before Canonicalize
       * 	The user input should be canonicalized before validation.
       */
      /* FLAW: user input is used without validate */
      String query =
          "//users/user[name/text()='"
              + uname
              + "' and pass/text()='"
              + pword
              + "']"
              + "/secret/text()";
      String secret = (String) xp.evaluate(query, inxml, XPathConstants.STRING);
    }
  }