mrigankpawagi · mrigankpawagi · Jun 10, 2026
diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -14,6 +14,7 @@
 
 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ControlledString
 import semmle.code.java.security.ExternalProcess
 
 /**
@@ -22,13 +23,7 @@ import semmle.code.java.security.ExternalProcess
  * has in it.
  */
 predicate saneString(Expr expr) {
-  expr instanceof StringLiteral
-  or
-  expr instanceof NullLiteral
-  or
-  exists(Variable var | var.getAnAccess() = expr and exists(var.getAnAssignedValue()) |
-    forall(Expr other | var.getAnAssignedValue() = other | saneString(other))
-  )
+  controlledString(expr)
 }
 
 predicate builtFromUncontrolledConcat(Expr expr) {

diff --git a/java/ql/src/change-notes/2026-06-10-exec-unescaped-controlled-string.md b/java/ql/src/change-notes/2026-06-10-exec-unescaped-controlled-string.md
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `java/concatenated-command-line` query now uses the shared `controlledString` predicate to identify safe expressions in command-line concatenations, reducing false positives for expressions involving numeric types, enum constants, class names, and other programmer-controlled values.