Add cookbook queries

csharp/ql/examples/array_access.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Array access
+ * @description Finds array access expressions with an index expression
+ *              consisting of a unary increment or decrement, e.g. 'a[i++]'.
+ * @tags array
+ *       access
+ *       index
+ *       unary
+ *       assignment
+ */
+
+import csharp
+
+from ArrayAccess a
+where a.getAnIndex() instanceof MutatorOperation
+select a

csharp/ql/examples/cast_expr.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Cast expressions
+ * @description Finds casts from a floating point type to an integer type.
+ * @tags cast
+ *       integer
+ *       float
+ *       type
+ */
+
+import csharp
+
+from CastExpr c
+where c.getExpr().getType() instanceof FloatingPointType
+  and c.getType() instanceof IntegralType
+select c

csharp/ql/examples/catch_exception.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Catch exception
+ * @description Finds places where we catch exceptions of type 'System.IO.IOException'.
+ * @tags catch
+ *       try
+ *       exception
+ */
+ 
+import csharp
+
+from CatchClause catch
+where catch.getCaughtExceptionType().hasQualifiedName("System.IO.IOException")
+select catch

csharp/ql/examples/constructor_call.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Call to constructor
+ * @description Finds places where we call 'new System.Exception(...)'.
+ * @tags call
+ *       constructor
+ *       new
+ */
+ 
+import csharp
+
+from ObjectCreation new
+where new.getObjectType().hasQualifiedName("System.Exception")
+select new

csharp/ql/examples/empty_block.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Empty blocks
+ * @description Finds empty block statements.
+ * @tags empty
+ *       block
+ *       statement
+ */
+
+import csharp
+
+from BlockStmt blk
+where blk.isEmpty()
+select blk

csharp/ql/examples/empty_then.ql

@@ -0,0 +1,16 @@
+/**
+ * @name If statements with empty then branch
+ * @description Finds 'if' statements where the 'then' branch is
+ *              an empty block statement.
+ * @tags if
+ *       then
+ *       empty
+ *       conditional
+ *       branch
+ */
+
+import csharp
+
+from IfStmt i
+where i.getThen().(BlockStmt).isEmpty()
+select i

csharp/ql/examples/eq_true.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Equality test on Boolean
+ * @description Finds tests like 'x==true', 'x==false', 'x!=true', '!=false'.
+ * @tags equals
+ *       test
+ *       boolean
+ */
+ 
+import csharp
+
+from EqualityOperation eq
+where eq.getAnOperand() instanceof BoolLiteral
+select eq

csharp/ql/examples/extend_class.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Class extends/implements
+ * @description Finds classes/interfaces that extend/implement 'System.Collections.IEnumerator'.
+ * @tags class
+ *       extends
+ *       implements
+ *       overrides
+ *       subtype
+ *       supertype
+ */
+ 
+import csharp
+
+from RefType type
+where type.getABaseType+().hasQualifiedName("System.Collections.IEnumerator")
+select type

csharp/ql/examples/extern_method.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Extern methods
+ * @description Finds methods that are 'extern'.
+ * @tags method
+ *       native
+ *       modifier
+ */
+
+import csharp
+
+from Method m
+where m.isExtern()
+select m

csharp/ql/examples/field_read.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Read of field
+ * @description Finds reads of 'VirtualAddress' (defined on 'Mono.Cecil.PE.Section').
+ * @tags field
+ *       read
+ */
+ 
+import csharp
+
+from Field f, FieldRead read
+where f.hasName("VirtualAddress")
+  and f.getDeclaringType().hasQualifiedName("Mono.Cecil.PE.Section")
+  and f = read.getTarget()
+select read

csharp/ql/examples/integer_literal.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Integer literal
+ * @description Finds places where we use the integer literal '0'.
+ * @tags integer
+ *       literal
+ */
+ 
+import csharp
+
+from IntegerLiteral literal
+where literal.getValue().toInt() = 0
+select literal

csharp/ql/examples/method_call.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Call to method
+ * @description Finds calls to method 'Company.Class.MethodName'.
+ * @tags call
+ *       method
+ */
+ 
+import csharp
+
+from MethodCall call, Method method
+where call.getTarget() = method
+  and method.hasName("MethodName")
+  and method.getDeclaringType().hasQualifiedName("Company.Class")
+select call

csharp/ql/examples/mutual_recursion.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Mutual recursion
+ * @description Finds pairs of methods that call each other.
+ * @tags method
+ *       recursion
+ */
+
+import csharp
+
+from Method m, Method n
+where m.calls(n)
+  and n.calls(m)
+  and m != n
+select m, n
+ 

csharp/ql/examples/null_argument.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Add null to collection
+ * @description Finds places where we add 'null' to a collection.
+ * @tags null
+ *       parameter
+ *       argument
+ *       collection
+ *       add
+ */
+ 
+import csharp
+
+from MethodCall call, Method add
+where call.getTarget() = add.getAnUltimateImplementor*()
+  and add.hasName("Add")
+  and add.getDeclaringType().getSourceDeclaration().hasQualifiedName("System.Collections.Generic.ICollection<>")
+  and call.getAnArgument() instanceof NullLiteral
+select call

csharp/ql/examples/override_method.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Override of method
+ * @description Finds methods that directly override 'Object.ToString'.
+ * @tags method
+ *       override
+ */
+ 
+import csharp
+
+from Method override, Method base
+where base.hasName("ToString")
+  and base.getDeclaringType().hasQualifiedName("System.Object")
+  and base.getAnOverrider() = override
+select override

csharp/ql/examples/qualifier.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Expression qualifier
+ * @description Finds qualified expressions (e.g. 'a.b()') and their qualifiers ('a').
+ * @tags qualifier
+ *       chain
+ */
+
+import csharp
+
+from QualifiableExpr qualifiedExpr, Expr qualifier
+where qualifier = qualifiedExpr.getQualifier()
+select qualifiedExpr, qualifier

csharp/ql/examples/queries.xml

@@ -0,0 +1 @@
+<queries language="csharp"/>

csharp/ql/examples/return_statement.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Return statements
+ * @description Finds return statements that return 'null'.
+ * @tags return
+ *       statement
+ *       null
+ */
+
+import csharp
+
+from ReturnStmt r
+where r.getExpr() instanceof NullLiteral
+select r

csharp/ql/examples/singleton_block.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Singleton blocks
+ * @description Finds block statements containing a single statement.
+ * @tags block
+ *       statement
+ */
+
+import csharp
+
+from BlockStmt b
+where b.getNumberOfStmts() = 1
+select b

csharp/ql/examples/switch_case.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Switch statement case missing
+ * @description Finds switch statements with a missing enum constant case and no default case.
+ * @tags switch
+ *       case
+ *       enum
+ */
+
+import csharp
+
+from SwitchStmt switch, Enum enum, EnumConstant missing
+where switch.getCondition().getType() = enum
+  and missing.getDeclaringType() = enum
+  and not switch.getAConstCase().getExpr() = missing.getAnAccess()
+  and not exists(switch.getDefaultCase())
+select switch

csharp/ql/examples/ternary_conditional.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Conditional expressions
+ * @description Finds conditional expressions of the form '... ? ... : ...'
+ *              where the types of the resulting expressions differ.
+ * @tags conditional
+ *       type
+ */
+
+import csharp
+
+from ConditionalExpr e
+where e.getThen().stripImplicitCasts() != e.getElse().stripImplicitCasts()
+  and not e.getThen().getType() instanceof NullType
+  and not e.getElse().getType() instanceof NullType
+select e

csharp/ql/examples/throw_exception.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Throw exception of given type
+ * @description Finds places where we throw 'System.IO.IOException' or one of its subtypes.
+ * @tags throw
+ *       exception
+ */
+ 
+import csharp
+
+from ThrowStmt throw
+where throw.getThrownExceptionType().getBaseClass*().hasQualifiedName("System.IO.IOException")
+select throw

csharp/ql/examples/todo_comment.ql

@@ -0,0 +1,12 @@
+/**
+ * @name TODO comments
+ * @description Finds comments containing the word "TODO".
+ * @tags comment
+ *       TODO
+ */
+
+import csharp
+
+from CommentLine c
+where c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
+select c

csharp/ql/examples/too_many_params.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Methods with many parameters
+ * @description Finds methods with more than ten parameters.
+ * @tags method
+ *       parameter
+ *       argument
+ */
+
+import csharp
+
+from Method m
+where m.getNumberOfParameters() > 10
+select m

csharp/ql/examples/try_finally.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Try-finally statements
+ * @description Finds try-finally statements without a catch clause.
+ * @tags try
+ *       finally
+ *       catch
+ *       exceptions
+ */
+
+import csharp
+
+from TryStmt t
+where exists(t.getFinally())
+  and not exists(t.getACatchClause())
+select t

csharp/ql/examples/unused_local_var.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Unused local variable
+ * @description Finds local variables that are not accessed.
+ * @tags variable
+ *       local
+ *       access
+ */
+
+import csharp
+
+from LocalVariable v
+where not exists(v.getAnAccess())
+select v

csharp/ql/examples/unused_param.ql

@@ -0,0 +1,12 @@
+/**
+ * @name Unused parameter
+ * @description Finds parameters that are not accessed.
+ * @tags parameter
+ *       access
+ */
+
+import csharp
+
+from Parameter p
+where not exists(p.getAnAccess())
+select p

csharp/ql/examples/void_return_type.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Methods without return type
+ * @description Finds methods whose return type is 'void'.
+ * @tags method
+ *       void
+ *       modifier
+ *       return
+ *       type
+ */
+
+import csharp
+
+from Method m
+where m.getReturnType() instanceof VoidType
+select m

csharp/ql/examples/volatile_field.ql

@@ -0,0 +1,13 @@
+/**
+ * @name Fields declared volatile
+ * @description Finds fields with a 'volatile' modifier.
+ * @tags field
+ *       volatile
+ *       synchronization
+ */
+
+import csharp
+
+from Field f
+where f.isVolatile()
+select f