Java: make more queries diff-informed with getASelectedLocation #18340
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This extension allows queries to be diff-informed even when the elements they select are different from the sources and sinks found by data flow.
This commit also adds a test case that would fail under `codeql test run --check-diff-informed` if not for the override of `getASelectedSourceLocation`. There was no existing such test since all the existing tests used anonymous classes whose location was on the same line as the source.
This and other queries would also benefit from making `RegexFlow` diff-informed. That will come later.
There was a problem hiding this comment.
Copilot reviewed 1 out of 13 changed files in this pull request and generated no comments.
Files not reviewed (12)
- java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/CommandLineQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/RandomQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll: Language not supported
- java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.expected: Language not supported
- shared/dataflow/codeql/dataflow/DataFlow.qll: Language not supported
- shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll: Language not supported
Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the uncontroversial parts of #17846, converting 9 data-flow configurations to be diff-informed either by using the concept of selected source/sink locations or by just marking them as diff-informed because I've checked that all use of the configuration is safe.
I recommend reviewing commit-by-commit.
Ideally, these changes should be tested with
codeql test run --check-diff-informed. Most queries were not in shape for potentially failing that test, and I only converted one:UnsafeHostnameVerification.ql. Other queries either had no test cases with challenging location distributions, or they had noqlref-based tests. In particular, these three old-style inline expectations tests should be converted to qlref and post-processing: