-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java: make more queries diff-informed with getASelectedLocation #18340
Open
jbj
wants to merge
10
commits into
github:main
Choose a base branch
from
jbj:diff-informed-getASelectedLocation
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+167
−5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This extension allows queries to be diff-informed even when the elements they select are different from the sources and sinks found by data flow.
This commit also adds a test case that would fail under `codeql test run --check-diff-informed` if not for the override of `getASelectedSourceLocation`. There was no existing such test since all the existing tests used anonymous classes whose location was on the same line as the source.
This and other queries would also benefit from making `RegexFlow` diff-informed. That will come later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 1 out of 13 changed files in this pull request and generated no comments.
Files not reviewed (12)
- java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/CommandLineQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/RandomQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/TaintedPermissionsCheckQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/UnsafeHostnameVerificationQuery.qll: Language not supported
- java/ql/lib/semmle/code/java/security/regexp/PolynomialReDoSQuery.qll: Language not supported
- java/ql/test/query-tests/security/CWE-297/UnsafeHostnameVerification.expected: Language not supported
- shared/dataflow/codeql/dataflow/DataFlow.qll: Language not supported
- shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll: Language not supported
Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the uncontroversial parts of #17846, converting 9 data-flow configurations to be diff-informed either by using the concept of selected source/sink locations or by just marking them as diff-informed because I've checked that all use of the configuration is safe.
I recommend reviewing commit-by-commit.
Ideally, these changes should be tested with
codeql test run --check-diff-informed
. Most queries were not in shape for potentially failing that test, and I only converted one:UnsafeHostnameVerification.ql
. Other queries either had no test cases with challenging location distributions, or they had noqlref
-based tests. In particular, these three old-style inline expectations tests should be converted to qlref and post-processing: