hohn/codeql-info
1
0
Fork 0
mirror of https://github.com/hohn/codeql-info.git synced 2025-12-16 20:53:04 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
codeql-info/ql/docs/language/learn-ql/build.html-5f4acb8/codeql-language-guides/codeql-library-for-java.html
Michael Hohn e52393de06 Build class-based dataflow documentation
2023-11-20 11:57:03 -08:00

531 lines
52 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
<title>CodeQL library for Java &#8212; CodeQL</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/alabaster.css?v=93459777" />
<script src="../_static/documentation_options.js?v=5929fcd5"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="icon" href="../_static/favicon.ico"/>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Analyzing data flow in Java" href="analyzing-data-flow-in-java.html" />
<link rel="prev" title="Basic query for Java code" href="basic-query-for-java-code.html" />
<title>CodeQL docs</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<link rel="stylesheet" href="../_static/custom.css" type="text/css" />
<link rel="stylesheet" href="../_static/primer.css" type="text/css" />
</head><body>
<header class="Header">
<div class="Header-item--full">
<a href="https://codeql.github.com/docs" class="Header-link f2 d-flex flex-items-center">
<!-- <%= octicon "mark-github", class: "mr-2", height: 32 %> -->
<svg height="32" class="octicon octicon-mark-github mr-2" viewBox="0 0 16 16" version="1.1" width="32"
aria-hidden="true">
<path fill-rule="evenodd"
d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0 0 16 8c0-4.42-3.58-8-8-8z">
</path>
</svg>
<span class="hide-sm">CodeQL documentation</span>
</a>
</div>
<div class="Header-item hide-sm hide-md">
<script src="https://addsearch.com/js/?key=93b4d287e2fc079a4089412b669785d5&categories=!0xhelp.semmle.com,0xcodeql.github.com,1xdocs,1xcodeql-standard-libraries,1xcodeql-query-help"></script>
</div>
<div class="Header-item">
<details class="dropdown details-reset details-overlay d-inline-block">
<summary class="btn bg-gray-dark text-white border" aria-haspopup="true">
CodeQL resources
<div class="dropdown-caret"></div>
</summary>
<ul class="dropdown-menu dropdown-menu-se dropdown-menu-dark">
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-overview">CodeQL overview</a></li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL tools
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-for-visual-studio-code">CodeQL for VS Code</a>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-cli">CodeQL CLI</a>
</li>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
CodeQL guides
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/writing-codeql-queries">Writing CodeQL queries</a></li>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/codeql-language-guides">CodeQL language guides</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Reference docs
</div>
<li><a class="dropdown-item" href="https://codeql.github.com/docs/ql-language-reference/">QL language
reference</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-standard-libraries">CodeQL
standard-libraries</a>
<li><a class="dropdown-item" href="https://codeql.github.com/codeql-query-help">CodeQL
query help</a>
<li class="dropdown-divider" role="separator"></li>
<div class="dropdown-header">
Source files
</div>
<li><a class="dropdown-item" href="https://github.com/github/codeql">CodeQL repository</a>
</ul>
</details>
</div>
</header>
<main class="bg-gray-light clearfix">
<nav class="SideNav position-sticky top-0 col-lg-3 col-md-3 float-left p-4 hide-sm hide-md overflow-y-auto">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../codeql-overview/index.html">CodeQL overview</a></li>
<li class="toctree-l1"><a class="reference internal" href="../codeql-for-visual-studio-code/index.html">CodeQL for Visual Studio Code</a></li>
<li class="toctree-l1"><a class="reference internal" href="../codeql-cli/index.html">CodeQL CLI</a></li>
<li class="toctree-l1"><a class="reference internal" href="../writing-codeql-queries/index.html">Writing CodeQL queries</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">CodeQL language guides</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="codeql-for-cpp.html">CodeQL for C and C++</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-csharp.html">CodeQL for C#</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-go.html">CodeQL for Go</a></li>
<li class="toctree-l2 current"><a class="reference internal" href="codeql-for-java.html">CodeQL for Java</a><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="basic-query-for-java-code.html">Basic query for Java code</a></li>
<li class="toctree-l3 current"><a class="current reference internal" href="#">CodeQL library for Java</a></li>
<li class="toctree-l3"><a class="reference internal" href="analyzing-data-flow-in-java.html">Analyzing data flow in Java</a></li>
<li class="toctree-l3"><a class="reference internal" href="types-in-java.html">Types in Java</a></li>
<li class="toctree-l3"><a class="reference internal" href="overflow-prone-comparisons-in-java.html">Overflow-prone comparisons in Java</a></li>
<li class="toctree-l3"><a class="reference internal" href="navigating-the-call-graph.html">Navigating the call graph</a></li>
<li class="toctree-l3"><a class="reference internal" href="annotations-in-java.html">Annotations in Java</a></li>
<li class="toctree-l3"><a class="reference internal" href="javadoc.html">Javadoc</a></li>
<li class="toctree-l3"><a class="reference internal" href="working-with-source-locations.html">Working with source locations</a></li>
<li class="toctree-l3"><a class="reference internal" href="abstract-syntax-tree-classes-for-working-with-java-programs.html">Abstract syntax tree classes for working with Java programs</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-javascript.html">CodeQL for JavaScript</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-python.html">CodeQL for Python</a></li>
<li class="toctree-l2"><a class="reference internal" href="codeql-for-ruby.html">CodeQL for Ruby</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../ql-language-reference/index.html">QL language reference</a></li>
</ul>
</nav>
<div class="body col-sm-12 col-md-9 col-lg-9 float-left border-left">
<div class="hide-lg hide-xl px-4 pt-4">
<div class="related" role="navigation" aria-label="related navigation">
<ul>
<li class="nav-item nav-item-0"><a href="../contents.html">CodeQL</a> &#187;</li>
<li class="nav-item nav-item-1"><a href="index.html"
>CodeQL language guides</a> &#187;</li>
<li class="nav-item nav-item-2"><a href="codeql-for-java.html"
accesskey="U">CodeQL for Java</a> &#187;</li>
</ul>
</div>
</div>
<article class="p-4 col-lg-10 col-md-10 col-sm-12">
<section id="codeql-library-for-java">
<span id="id1"></span><h1>CodeQL library for Java<a class="headerlink" href="#codeql-library-for-java" title="Link to this heading"></a></h1>
<p>When youre analyzing a Java program, you can make use of the large collection of classes in the CodeQL library for Java.</p>
<section id="about-the-codeql-library-for-java">
<h2>About the CodeQL library for Java<a class="headerlink" href="#about-the-codeql-library-for-java" title="Link to this heading"></a></h2>
<p>There is an extensive library for analyzing CodeQL databases extracted from Java projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks.</p>
<p>The library is implemented as a set of QL modules, that is, files with the extension <code class="docutils literal notranslate"><span class="pre">.qll</span></code>. The module <code class="docutils literal notranslate"><span class="pre">java.qll</span></code> imports all the core Java library modules, so you can include the complete library by beginning your query with:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
</pre></div>
</div>
<p>The rest of this article briefly summarizes the most important classes and predicates provided by this library.</p>
<blockquote class="pull-quote">
<div><p>Note</p>
<p>The example queries in this article illustrate the types of results returned by different library classes. The results themselves are not interesting but can be used as the basis for developing a more complex query. The other articles in this section of the help show how you can take a simple query and fine-tune it to find precisely the results youre interested in.</p>
</div></blockquote>
</section>
<section id="summary-of-the-library-classes">
<h2>Summary of the library classes<a class="headerlink" href="#summary-of-the-library-classes" title="Link to this heading"></a></h2>
<p>The most important classes in the standard Java library can be grouped into five main categories:</p>
<ol class="arabic simple">
<li><p>Classes for representing program elements (such as classes and methods)</p></li>
<li><p>Classes for representing AST nodes (such as statements and expressions)</p></li>
<li><p>Classes for representing metadata (such as annotations and comments)</p></li>
<li><p>Classes for computing metrics (such as cyclomatic complexity and coupling)</p></li>
<li><p>Classes for navigating the programs call graph</p></li>
</ol>
<p>We will discuss each of these in turn, briefly describing the most important classes for each category.</p>
</section>
<section id="program-elements">
<h2>Program elements<a class="headerlink" href="#program-elements" title="Link to this heading"></a></h2>
<p>These classes represent named program elements: packages (<code class="docutils literal notranslate"><span class="pre">Package</span></code>), compilation units (<code class="docutils literal notranslate"><span class="pre">CompilationUnit</span></code>), types (<code class="docutils literal notranslate"><span class="pre">Type</span></code>), methods (<code class="docutils literal notranslate"><span class="pre">Method</span></code>), constructors (<code class="docutils literal notranslate"><span class="pre">Constructor</span></code>), and variables (<code class="docutils literal notranslate"><span class="pre">Variable</span></code>).</p>
<p>Their common superclass is <code class="docutils literal notranslate"><span class="pre">Element</span></code>, which provides general member predicates for determining the name of a program element and checking whether two elements are nested inside each other.</p>
<p>Its often convenient to refer to an element that might either be a method or a constructor; the class <code class="docutils literal notranslate"><span class="pre">Callable</span></code>, which is a common superclass of <code class="docutils literal notranslate"><span class="pre">Method</span></code> and <code class="docutils literal notranslate"><span class="pre">Constructor</span></code>, can be used for this purpose.</p>
<section id="types">
<h3>Types<a class="headerlink" href="#types" title="Link to this heading"></a></h3>
<p>Class <code class="docutils literal notranslate"><span class="pre">Type</span></code> has a number of subclasses for representing different kinds of types:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">PrimitiveType</span></code> represents a <a class="reference external" href="https://docs.oracle.com/javase/tutorial/java/nutsandbolts/datatypes.html">primitive type</a>, that is, one of <code class="docutils literal notranslate"><span class="pre">boolean</span></code>, <code class="docutils literal notranslate"><span class="pre">byte</span></code>, <code class="docutils literal notranslate"><span class="pre">char</span></code>, <code class="docutils literal notranslate"><span class="pre">double</span></code>, <code class="docutils literal notranslate"><span class="pre">float</span></code>, <code class="docutils literal notranslate"><span class="pre">int</span></code>, <code class="docutils literal notranslate"><span class="pre">long</span></code>, <code class="docutils literal notranslate"><span class="pre">short</span></code>; QL also classifies <code class="docutils literal notranslate"><span class="pre">void</span></code> and <code class="docutils literal notranslate"><span class="pre">&lt;nulltype&gt;</span></code> (the type of the <code class="docutils literal notranslate"><span class="pre">null</span></code> literal) as primitive types.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">RefType</span></code> represents a reference (that is, non-primitive) type; it in turn has several subclasses:</p>
<ul>
<li><p><code class="docutils literal notranslate"><span class="pre">Class</span></code> represents a Java class.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Interface</span></code> represents a Java interface.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">EnumType</span></code> represents a Java <code class="docutils literal notranslate"><span class="pre">enum</span></code> type.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Array</span></code> represents a Java array type.</p></li>
</ul>
</li>
</ul>
<p>For example, the following query finds all variables of type <code class="docutils literal notranslate"><span class="pre">int</span></code> in the program:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Variable v, PrimitiveType pt
where pt = v.getType() and
pt.hasName(&quot;int&quot;)
select v
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/860076406167044435/">See this in the query console on LGTM.com</a>. Youre likely to get many results when you run this query because most projects contain many variables of type <code class="docutils literal notranslate"><span class="pre">int</span></code>.</p>
<p>Reference types are also categorized according to their declaration scope:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">TopLevelType</span></code> represents a reference type declared at the top-level of a compilation unit.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">NestedType</span></code> is a type declared inside another type.</p></li>
</ul>
<p>For instance, this query finds all top-level types whose name is not the same as that of their compilation unit:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from TopLevelType tl
where tl.getName() != tl.getCompilationUnit().getName()
select tl
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/4340983612585284460/">See this in the query console on LGTM.com</a>. This pattern is seen in many projects. When we ran it on the LGTM.com demo projects, most of the projects had at least one instance of this problem in the source code. There were many more instances in the files referenced by the source code.</p>
<p>Several more specialized classes are available as well:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">TopLevelClass</span></code> represents a class declared at the top-level of a compilation unit.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">NestedClass</span></code> represents <a class="reference external" href="https://docs.oracle.com/javase/tutorial/java/javaOO/nested.html">a class declared inside another type</a>, such as:</p>
<ul>
<li><p>A <code class="docutils literal notranslate"><span class="pre">LocalClass</span></code>, which is <a class="reference external" href="https://docs.oracle.com/javase/tutorial/java/javaOO/localclasses.html">a class declared inside a method or constructor</a>.</p></li>
<li><p>An <code class="docutils literal notranslate"><span class="pre">AnonymousClass</span></code>, which is an <a class="reference external" href="https://docs.oracle.com/javase/tutorial/java/javaOO/anonymousclasses.html">anonymous class</a>.</p></li>
</ul>
</li>
</ul>
<p>Finally, the library also has a number of singleton classes that wrap frequently used Java standard library classes: <code class="docutils literal notranslate"><span class="pre">TypeObject</span></code>, <code class="docutils literal notranslate"><span class="pre">TypeCloneable</span></code>, <code class="docutils literal notranslate"><span class="pre">TypeRuntime</span></code>, <code class="docutils literal notranslate"><span class="pre">TypeSerializable</span></code>, <code class="docutils literal notranslate"><span class="pre">TypeString</span></code>, <code class="docutils literal notranslate"><span class="pre">TypeSystem</span></code> and <code class="docutils literal notranslate"><span class="pre">TypeClass</span></code>. Each CodeQL class represents the standard Java class suggested by its name.</p>
<p>As an example, we can write a query that finds all nested classes that directly extend <code class="docutils literal notranslate"><span class="pre">Object</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from NestedClass nc
where nc.getASupertype() instanceof TypeObject
select nc
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/8482509736206423238/">See this in the query console on LGTM.com</a>. Youre likely to get many results when you run this query because many projects include nested classes that extend <code class="docutils literal notranslate"><span class="pre">Object</span></code> directly.</p>
</section>
<section id="generics">
<h3>Generics<a class="headerlink" href="#generics" title="Link to this heading"></a></h3>
<p>There are also several subclasses of <code class="docutils literal notranslate"><span class="pre">Type</span></code> for dealing with generic types.</p>
<p>A <code class="docutils literal notranslate"><span class="pre">GenericType</span></code> is either a <code class="docutils literal notranslate"><span class="pre">GenericInterface</span></code> or a <code class="docutils literal notranslate"><span class="pre">GenericClass</span></code>. It represents a generic type declaration such as interface <code class="docutils literal notranslate"><span class="pre">java.util.Map</span></code> from the Java standard library:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="kn">package</span><span class="w"> </span><span class="nn">java.util.</span><span class="p">;</span>
<span class="kd">public</span><span class="w"> </span><span class="kd">interface</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="n">K</span><span class="p">,</span><span class="w"> </span><span class="n">V</span><span class="o">&gt;</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="nf">size</span><span class="p">();</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Type parameters, such as <code class="docutils literal notranslate"><span class="pre">K</span></code> and <code class="docutils literal notranslate"><span class="pre">V</span></code> in this example, are represented by class <code class="docutils literal notranslate"><span class="pre">TypeVariable</span></code>.</p>
<p>A parameterized instance of a generic type provides a concrete type to instantiate the type parameter with, as in <code class="docutils literal notranslate"><span class="pre">Map&lt;String,</span> <span class="pre">File&gt;</span></code>. Such a type is represented by a <code class="docutils literal notranslate"><span class="pre">ParameterizedType</span></code>, which is distinct from the <code class="docutils literal notranslate"><span class="pre">GenericType</span></code> representing the generic type it was instantiated from. To go from a <code class="docutils literal notranslate"><span class="pre">ParameterizedType</span></code> to its corresponding <code class="docutils literal notranslate"><span class="pre">GenericType</span></code>, you can use predicate <code class="docutils literal notranslate"><span class="pre">getSourceDeclaration</span></code>.</p>
<p>For instance, we could use the following query to find all parameterized instances of <code class="docutils literal notranslate"><span class="pre">java.util.Map</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from GenericInterface map, ParameterizedType pt
where map.hasQualifiedName(&quot;java.util&quot;, &quot;Map&quot;) and
pt.getSourceDeclaration() = map
select pt
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/7863873821043873550/">See this in the query console on LGTM.com</a>. None of the LGTM.com demo projects contain parameterized instances of <code class="docutils literal notranslate"><span class="pre">java.util.Map</span></code> in their source code, but they all have results in reference files.</p>
<p>In general, generic types may restrict which types a type parameter can be bound to. For instance, a type of maps from strings to numbers could be declared as follows:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="kd">class</span> <span class="nc">StringToNumMap</span><span class="o">&lt;</span><span class="n">N</span><span class="w"> </span><span class="kd">extends</span><span class="w"> </span><span class="n">Number</span><span class="o">&gt;</span><span class="w"> </span><span class="kd">implements</span><span class="w"> </span><span class="n">Map</span><span class="o">&lt;</span><span class="n">String</span><span class="p">,</span><span class="w"> </span><span class="n">N</span><span class="o">&gt;</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="c1">// ...</span>
<span class="p">}</span>
</pre></div>
</div>
<p>This means that a parameterized instance of <code class="docutils literal notranslate"><span class="pre">StringToNumberMap</span></code> can only instantiate type parameter <code class="docutils literal notranslate"><span class="pre">N</span></code> with type <code class="docutils literal notranslate"><span class="pre">Number</span></code> or one of its subtypes but not, for example, with <code class="docutils literal notranslate"><span class="pre">File</span></code>. We say that N is a bounded type parameter, with <code class="docutils literal notranslate"><span class="pre">Number</span></code> as its upper bound. In QL, a type variable can be queried for its type bound using predicate <code class="docutils literal notranslate"><span class="pre">getATypeBound</span></code>. The type bounds themselves are represented by class <code class="docutils literal notranslate"><span class="pre">TypeBound</span></code>, which has a member predicate <code class="docutils literal notranslate"><span class="pre">getType</span></code> to retrieve the type the variable is bounded by.</p>
<p>As an example, the following query finds all type variables with type bound <code class="docutils literal notranslate"><span class="pre">Number</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from TypeVariable tv, TypeBound tb
where tb = tv.getATypeBound() and
tb.getType().hasQualifiedName(&quot;java.lang&quot;, &quot;Number&quot;)
select tv
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/6740696080876162817/">See this in the query console on LGTM.com</a>. When we ran it on the LGTM.com demo projects, the <em>neo4j/neo4j</em>, <em>hibernate/hibernate-orm</em> and <em>apache/hadoop</em> projects all contained examples of this pattern.</p>
<p>For dealing with legacy code that is unaware of generics, every generic type has a “raw” version without any type parameters. In the CodeQL libraries, raw types are represented using class <code class="docutils literal notranslate"><span class="pre">RawType</span></code>, which has the expected subclasses <code class="docutils literal notranslate"><span class="pre">RawClass</span></code> and <code class="docutils literal notranslate"><span class="pre">RawInterface</span></code>. Again, there is a predicate <code class="docutils literal notranslate"><span class="pre">getSourceDeclaration</span></code> for obtaining the corresponding generic type. As an example, we can find variables of (raw) type <code class="docutils literal notranslate"><span class="pre">Map</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Variable v, RawType rt
where rt = v.getType() and
rt.getSourceDeclaration().hasQualifiedName(&quot;java.util&quot;, &quot;Map&quot;)
select v
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/4032913402499547882/">See this in the query console on LGTM.com</a>. Many projects have variables of raw type <code class="docutils literal notranslate"><span class="pre">Map</span></code>.</p>
<p>For example, in the following code snippet this query would find <code class="docutils literal notranslate"><span class="pre">m1</span></code>, but not <code class="docutils literal notranslate"><span class="pre">m2</span></code>:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">Map</span><span class="w"> </span><span class="n">m1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">HashMap</span><span class="p">();</span>
<span class="n">Map</span><span class="o">&lt;</span><span class="n">String</span><span class="p">,</span><span class="w"> </span><span class="n">String</span><span class="o">&gt;</span><span class="w"> </span><span class="n">m2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">new</span><span class="w"> </span><span class="n">HashMap</span><span class="o">&lt;</span><span class="n">String</span><span class="p">,</span><span class="w"> </span><span class="n">String</span><span class="o">&gt;</span><span class="p">();</span>
</pre></div>
</div>
<p>Finally, variables can be declared to be of a <a class="reference external" href="https://docs.oracle.com/javase/tutorial/java/generics/wildcards.html">wildcard type</a>:</p>
<div class="highlight-java notranslate"><div class="highlight"><pre><span></span><span class="n">Map</span><span class="o">&lt;?</span><span class="w"> </span><span class="kd">extends</span><span class="w"> </span><span class="n">Number</span><span class="p">,</span><span class="w"> </span><span class="o">?</span><span class="w"> </span><span class="kd">super</span><span class="w"> </span><span class="n">Float</span><span class="o">&gt;</span><span class="w"> </span><span class="n">m</span><span class="p">;</span>
</pre></div>
</div>
<p>The wildcards <code class="docutils literal notranslate"><span class="pre">?</span> <span class="pre">extends</span> <span class="pre">Number</span></code> and <code class="docutils literal notranslate"><span class="pre">?</span> <span class="pre">super</span> <span class="pre">Float</span></code> are represented by class <code class="docutils literal notranslate"><span class="pre">WildcardTypeAccess</span></code>. Like type parameters, wildcards may have type bounds. Unlike type parameters, wildcards can have upper bounds (as in <code class="docutils literal notranslate"><span class="pre">?</span> <span class="pre">extends</span> <span class="pre">Number</span></code>), and also lower bounds (as in <code class="docutils literal notranslate"><span class="pre">?</span> <span class="pre">super</span> <span class="pre">Float</span></code>). Class <code class="docutils literal notranslate"><span class="pre">WildcardTypeAccess</span></code> provides member predicates <code class="docutils literal notranslate"><span class="pre">getUpperBound</span></code> and <code class="docutils literal notranslate"><span class="pre">getLowerBound</span></code> to retrieve the upper and lower bounds, respectively.</p>
<p>For dealing with generic methods, there are classes <code class="docutils literal notranslate"><span class="pre">GenericMethod</span></code>, <code class="docutils literal notranslate"><span class="pre">ParameterizedMethod</span></code> and <code class="docutils literal notranslate"><span class="pre">RawMethod</span></code>, which are entirely analogous to the like-named classes for representing generic types.</p>
<p>For more information on working with types, see the <a class="reference internal" href="types-in-java.html"><span class="doc">Types in Java</span></a>.</p>
</section>
<section id="variables">
<h3>Variables<a class="headerlink" href="#variables" title="Link to this heading"></a></h3>
<p>Class <code class="docutils literal notranslate"><span class="pre">Variable</span></code> represents a variable <a class="reference external" href="https://docs.oracle.com/javase/tutorial/java/nutsandbolts/variables.html">in the Java sense</a>, which is either a member field of a class (whether static or not), or a local variable, or a parameter. Consequently, there are three subclasses catering to these special cases:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">Field</span></code> represents a Java field.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">LocalVariableDecl</span></code> represents a local variable.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Parameter</span></code> represents a parameter of a method or constructor.</p></li>
</ul>
</section>
</section>
<section id="abstract-syntax-tree">
<h2>Abstract syntax tree<a class="headerlink" href="#abstract-syntax-tree" title="Link to this heading"></a></h2>
<p>Classes in this category represent abstract syntax tree (AST) nodes, that is, statements (class <code class="docutils literal notranslate"><span class="pre">Stmt</span></code>) and expressions (class <code class="docutils literal notranslate"><span class="pre">Expr</span></code>). For a full list of expression and statement types available in the standard QL library, see “<a class="reference internal" href="abstract-syntax-tree-classes-for-working-with-java-programs.html"><span class="doc">Abstract syntax tree classes for working with Java programs</span></a>.”</p>
<p>Both <code class="docutils literal notranslate"><span class="pre">Expr</span></code> and <code class="docutils literal notranslate"><span class="pre">Stmt</span></code> provide member predicates for exploring the abstract syntax tree of a program:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">Expr.getAChildExpr</span></code> returns a sub-expression of a given expression.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Stmt.getAChild</span></code> returns a statement or expression that is nested directly inside a given statement.</p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">Expr.getParent</span></code> and <code class="docutils literal notranslate"><span class="pre">Stmt.getParent</span></code> return the parent node of an AST node.</p></li>
</ul>
<p>For example, the following query finds all expressions whose parents are <code class="docutils literal notranslate"><span class="pre">return</span></code> statements:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Expr e
where e.getParent() instanceof ReturnStmt
select e
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/1947757851560375919/">See this in the query console on LGTM.com</a>. Many projects have examples of <code class="docutils literal notranslate"><span class="pre">return</span></code> statements with child expressions.</p>
<p>Therefore, if the program contains a return statement <code class="docutils literal notranslate"><span class="pre">return</span> <span class="pre">x</span> <span class="pre">+</span> <span class="pre">y;</span></code>, this query will return <code class="docutils literal notranslate"><span class="pre">x</span> <span class="pre">+</span> <span class="pre">y</span></code>.</p>
<p>As another example, the following query finds statements whose parent is an <code class="docutils literal notranslate"><span class="pre">if</span></code> statement:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Stmt s
where s.getParent() instanceof IfStmt
select s
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/1989464153689219612/">See this in the query console on LGTM.com</a>. Many projects have examples of <code class="docutils literal notranslate"><span class="pre">if</span></code> statements with child statements.</p>
<p>This query will find both <code class="docutils literal notranslate"><span class="pre">then</span></code> branches and <code class="docutils literal notranslate"><span class="pre">else</span></code> branches of all <code class="docutils literal notranslate"><span class="pre">if</span></code> statements in the program.</p>
<p>Finally, here is a query that finds method bodies:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Stmt s
where s.getParent() instanceof Method
select s
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/1016821702972128245/">See this in the query console on LGTM.com</a>. Most projects have many method bodies.</p>
<p>As these examples show, the parent node of an expression is not always an expression: it may also be a statement, for example, an <code class="docutils literal notranslate"><span class="pre">IfStmt</span></code>. Similarly, the parent node of a statement is not always a statement: it may also be a method or a constructor. To capture this, the QL Java library provides two abstract class <code class="docutils literal notranslate"><span class="pre">ExprParent</span></code> and <code class="docutils literal notranslate"><span class="pre">StmtParent</span></code>, the former representing any node that may be the parent node of an expression, and the latter any node that may be the parent node of a statement.</p>
<p>For more information on working with AST classes, see the <a class="reference internal" href="overflow-prone-comparisons-in-java.html"><span class="doc">article on overflow-prone comparisons in Java</span></a>.</p>
</section>
<section id="metadata">
<h2>Metadata<a class="headerlink" href="#metadata" title="Link to this heading"></a></h2>
<p>Java programs have several kinds of metadata, in addition to the program code proper. In particular, there are <a class="reference external" href="https://docs.oracle.com/javase/tutorial/java/annotations/">annotations</a> and <a class="reference external" href="https://en.wikipedia.org/wiki/Javadoc">Javadoc</a> comments. Since this metadata is interesting both for enhancing code analysis and as an analysis subject in its own right, the QL library defines classes for accessing it.</p>
<p>For annotations, class <code class="docutils literal notranslate"><span class="pre">Annotatable</span></code> is a superclass of all program elements that can be annotated. This includes packages, reference types, fields, methods, constructors, and local variable declarations. For every such element, its predicate <code class="docutils literal notranslate"><span class="pre">getAnAnnotation</span></code> allows you to retrieve any annotations the element may have. For example, the following query finds all annotations on constructors:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Constructor c
select c.getAnAnnotation()
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/3206112561297137365/">See this in the query console on LGTM.com</a>. The LGTM.com demo projects all use annotations, you can see examples where they are used to suppress warnings and mark code as deprecated.</p>
<p>These annotations are represented by class <code class="docutils literal notranslate"><span class="pre">Annotation</span></code>. An annotation is simply an expression whose type is an <code class="docutils literal notranslate"><span class="pre">AnnotationType</span></code>. For example, you can amend this query so that it only reports deprecated constructors:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Constructor c, Annotation ann, AnnotationType anntp
where ann = c.getAnAnnotation() and
anntp = ann.getType() and
anntp.hasQualifiedName(&quot;java.lang&quot;, &quot;Deprecated&quot;)
select ann
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/5393027107459215059/">See this in the query console on LGTM.com</a>. Only constructors with the <code class="docutils literal notranslate"><span class="pre">&#64;Deprecated</span></code> annotation are reported this time.</p>
<p>For more information on working with annotations, see the <a class="reference internal" href="annotations-in-java.html"><span class="doc">article on annotations</span></a>.</p>
<p>For Javadoc, class <code class="docutils literal notranslate"><span class="pre">Element</span></code> has a member predicate <code class="docutils literal notranslate"><span class="pre">getDoc</span></code> that returns a delegate <code class="docutils literal notranslate"><span class="pre">Documentable</span></code> object, which can then be queried for its attached Javadoc comments. For example, the following query finds Javadoc comments on private fields:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Field f, Javadoc jdoc
where f.isPrivate() and
jdoc = f.getDoc().getJavadoc()
select jdoc
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/6022769142134600659/">See this in the query console on LGTM.com</a>. You can see this pattern in many projects.</p>
<p>Class <code class="docutils literal notranslate"><span class="pre">Javadoc</span></code> represents an entire Javadoc comment as a tree of <code class="docutils literal notranslate"><span class="pre">JavadocElement</span></code> nodes, which can be traversed using member predicates <code class="docutils literal notranslate"><span class="pre">getAChild</span></code> and <code class="docutils literal notranslate"><span class="pre">getParent</span></code>. For instance, you could edit the query so that it finds all <code class="docutils literal notranslate"><span class="pre">&#64;author</span></code> tags in Javadoc comments on private fields:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Field f, Javadoc jdoc, AuthorTag at
where f.isPrivate() and
jdoc = f.getDoc().getJavadoc() and
at.getParent+() = jdoc
select at
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/2510220694395289111/">See this in the query console on LGTM.com</a>. None of the LGTM.com demo projects uses the <code class="docutils literal notranslate"><span class="pre">&#64;author</span></code> tag on private fields.</p>
<blockquote class="pull-quote">
<div><p>Note</p>
<p>On line 5 we used <code class="docutils literal notranslate"><span class="pre">getParent+</span></code> to capture tags that are nested at any depth within the Javadoc comment.</p>
</div></blockquote>
<p>For more information on working with Javadoc, see the <a class="reference internal" href="javadoc.html"><span class="doc">article on Javadoc</span></a>.</p>
</section>
<section id="metrics">
<h2>Metrics<a class="headerlink" href="#metrics" title="Link to this heading"></a></h2>
<p>The standard QL Java library provides extensive support for computing metrics on Java program elements. To avoid overburdening the classes representing those elements with too many member predicates related to metric computations, these predicates are made available on delegate classes instead.</p>
<p>Altogether, there are six such classes: <code class="docutils literal notranslate"><span class="pre">MetricElement</span></code>, <code class="docutils literal notranslate"><span class="pre">MetricPackage</span></code>, <code class="docutils literal notranslate"><span class="pre">MetricRefType</span></code>, <code class="docutils literal notranslate"><span class="pre">MetricField</span></code>, <code class="docutils literal notranslate"><span class="pre">MetricCallable</span></code>, and <code class="docutils literal notranslate"><span class="pre">MetricStmt</span></code>. The corresponding element classes each provide a member predicate <code class="docutils literal notranslate"><span class="pre">getMetrics</span></code> that can be used to obtain an instance of the delegate class, on which metric computations can then be performed.</p>
<p>For example, the following query finds methods with a <a class="reference external" href="https://en.wikipedia.org/wiki/Cyclomatic_complexity">cyclomatic complexity</a> greater than 40:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Method m, MetricCallable mc
where mc = m.getMetrics() and
mc.getCyclomaticComplexity() &gt; 40
select m
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/6566950741051181919/">See this in the query console on LGTM.com</a>. Most large projects include some methods with a very high cyclomatic complexity. These methods are likely to be difficult to understand and test.</p>
</section>
<section id="call-graph">
<h2>Call graph<a class="headerlink" href="#call-graph" title="Link to this heading"></a></h2>
<p>CodeQL databases generated from Java code bases include precomputed information about the programs call graph, that is, which methods or constructors a given call may dispatch to at runtime.</p>
<p>The class <code class="docutils literal notranslate"><span class="pre">Callable</span></code>, introduced above, includes both methods and constructors. Call expressions are abstracted using class <code class="docutils literal notranslate"><span class="pre">Call</span></code>, which includes method calls, <code class="docutils literal notranslate"><span class="pre">new</span></code> expressions, and explicit constructor calls using <code class="docutils literal notranslate"><span class="pre">this</span></code> or <code class="docutils literal notranslate"><span class="pre">super</span></code>.</p>
<p>We can use predicate <code class="docutils literal notranslate"><span class="pre">Call.getCallee</span></code> to find out which method or constructor a specific call expression refers to. For example, the following query finds all calls to methods called <code class="docutils literal notranslate"><span class="pre">println</span></code>:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Call c, Method m
where m = c.getCallee() and
m.hasName(&quot;println&quot;)
select c
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/5861255162551917595/">See this in the query console on LGTM.com</a>. The LGTM.com demo projects all include many calls to methods of this name.</p>
<p>Conversely, <code class="docutils literal notranslate"><span class="pre">Callable.getAReference</span></code> returns a <code class="docutils literal notranslate"><span class="pre">Call</span></code> that refers to it. So we can find methods and constructors that are never called using this query:</p>
<div class="highlight-ql notranslate"><div class="highlight"><pre><span></span>import java
from Callable c
where not exists(c.getAReference())
select c
</pre></div>
</div>
<p><a class="reference external" href="https://lgtm.com/query/7261739919657747703/">See this in the query console on LGTM.com</a>. The LGTM.com demo projects all appear to have many methods that are not called directly, but this is unlikely to be the whole story. To explore this area further, see “<a class="reference internal" href="navigating-the-call-graph.html"><span class="doc">Navigating the call graph</span></a>.”</p>
<p>For more information about callables and calls, see the <a class="reference internal" href="navigating-the-call-graph.html"><span class="doc">article on the call graph</span></a>.</p>
</section>
<section id="further-reading">
<h2>Further reading<a class="headerlink" href="#further-reading" title="Link to this heading"></a></h2>
<ul class="simple">
<li><p><a class="reference external" href="https://github.com/github/codeql/tree/main/java/ql/src">CodeQL queries for Java</a></p></li>
<li><p><a class="reference external" href="https://github.com/github/codeql/tree/main/java/ql/examples">Example queries for Java</a></p></li>
<li><p><a class="reference external" href="https://codeql.github.com/codeql-standard-libraries/java/">CodeQL library reference for Java</a></p></li>
</ul>
<ul class="simple">
<li><p><a class="reference internal" href="../ql-language-reference/index.html#ql-language-reference"><span class="std std-ref">QL language reference</span></a></p></li>
<li><p><a class="reference internal" href="../codeql-overview/codeql-tools.html#codeql-tools"><span class="std std-ref">CodeQL tools</span></a></p></li>
</ul>
</section>
</section>
</article>
<!-- GitHub footer, with links to terms and privacy statement -->
<div class="px-3 px-md-6 f6 py-4 d-sm-flex flex-justify-between flex-row-reverse flex-items-center border-top">
<ul class="list-style-none d-flex flex-items-center mb-3 mb-sm-0 lh-condensed-ultra">
<li class="mr-3">
<a href="https://twitter.com/github" title="GitHub on Twitter" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 273.5 222.3" class="d-block" height="18">
<path
d="M273.5 26.3a109.77 109.77 0 0 1-32.2 8.8 56.07 56.07 0 0 0 24.7-31 113.39 113.39 0 0 1-35.7 13.6 56.1 56.1 0 0 0-97 38.4 54 54 0 0 0 1.5 12.8A159.68 159.68 0 0 1 19.1 10.3a56.12 56.12 0 0 0 17.4 74.9 56.06 56.06 0 0 1-25.4-7v.7a56.11 56.11 0 0 0 45 55 55.65 55.65 0 0 1-14.8 2 62.39 62.39 0 0 1-10.6-1 56.24 56.24 0 0 0 52.4 39 112.87 112.87 0 0 1-69.7 24 119 119 0 0 1-13.4-.8 158.83 158.83 0 0 0 86 25.2c103.2 0 159.6-85.5 159.6-159.6 0-2.4-.1-4.9-.2-7.3a114.25 114.25 0 0 0 28.1-29.1"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3">
<a href="https://www.facebook.com/GitHub" title="GitHub on Facebook" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 15.3 15.4" class="d-block" height="18">
<path
d="M14.5 0H.8a.88.88 0 0 0-.8.9v13.6a.88.88 0 0 0 .8.9h7.3v-6h-2V7.1h2V5.4a2.87 2.87 0 0 1 2.5-3.1h.5a10.87 10.87 0 0 1 1.8.1v2.1h-1.3c-1 0-1.1.5-1.1 1.1v1.5h2.3l-.3 2.3h-2v5.9h3.9a.88.88 0 0 0 .9-.8V.8a.86.86 0 0 0-.8-.8z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3">
<a href="https://www.youtube.com/github" title="GitHub on YouTube" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.17 13.6" class="d-block" height="16">
<path
d="M18.77 2.13A2.4 2.4 0 0 0 17.09.42C15.59 0 9.58 0 9.58 0a57.55 57.55 0 0 0-7.5.4A2.49 2.49 0 0 0 .39 2.13 26.27 26.27 0 0 0 0 6.8a26.15 26.15 0 0 0 .39 4.67 2.43 2.43 0 0 0 1.69 1.71c1.52.42 7.5.42 7.5.42a57.69 57.69 0 0 0 7.51-.4 2.4 2.4 0 0 0 1.68-1.71 25.63 25.63 0 0 0 .4-4.67 24 24 0 0 0-.4-4.69zM7.67 9.71V3.89l5 2.91z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li class="mr-3 flex-self-start">
<a href="https://www.linkedin.com/company/github" title="GitHub on Linkedin" style="color: #959da5;">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19 18" class="d-block" height="18">
<path
d="M3.94 2A2 2 0 1 1 2 0a2 2 0 0 1 1.94 2zM4 5.48H0V18h4zm6.32 0H6.34V18h3.94v-6.57c0-3.66 4.77-4 4.77 0V18H19v-7.93c0-6.17-7.06-5.94-8.72-2.91z"
fill="currentColor"></path>
</svg>
</a>
</li>
<li>
<a href="https://github.com/github" title="GitHub's organization" style="color: #959da5;">
<svg version="1.1" width="20" height="20" viewBox="0 0 16 16" class="octicon octicon-mark-github"
aria-hidden="true">
<path fill-rule="evenodd"
d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.013 8.013 0 0016 8c0-4.42-3.58-8-8-8z">
</path>
</svg>
</a>
</li>
</ul>
<ul class="list-style-none d-flex text-gray">
<li class="mr-3">&copy;
<script type="text/javascript">document.write(new Date().getFullYear());</script> GitHub, Inc.</li>
<li class="mr-3"><a
href="https://docs.github.com/github/site-policy/github-terms-of-service"
class="link-gray">Terms </a></li>
<li><a href="https://docs.github.com/github/site-policy/github-privacy-statement"
class="link-gray">Privacy </a></li>
</ul>
</div>
</div>
</main>
<script type="text/javascript">
$(document).ready(function () {
$(".toggle > *").hide();
$(".toggle .name").show();
$(".toggle .name").click(function () {
$(this).parent().children().not(".name").toggle(400);
$(this).parent().children(".name").toggleClass("open");
})
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink