Merge pull request #873 from calumgrant/cs/format-getresource-strings

C#: Fix FP in cs/format-argument-unused

change-notes/1.20/analysis-csharp.md

@@ -17,7 +17,8 @@
 | SQL query built from user-controlled sources (cs/sql-injection), Improper control of generation of code (cs/code-injection), Uncontrolled format string (cs/uncontrolled-format-string), Clear text storage of sensitive information (cs/cleartext-storage-of-sensitive-information), Exposure of private information (cs/exposure-of-sensitive-information) | More results | Data sources have been added from user controls in `System.Windows.Forms`. |
 | Use of default ToString() (cs/call-to-object-tostring) | Fewer false positives | Results have been removed for `char` arrays passed to `StringBuilder.Append()`, which were incorrectly marked as using `ToString`. |
 | Use of default ToString() (cs/call-to-object-tostring) | Fewer results | Results have been removed when the object is an interface or an abstract class. |
-
+| Unused format argument (cs/format-argument-unused) | Fewer false positives | Results have been removed where the format string is empty. This is often used as a default value and is not an interesting result. |
+ 
 ## Changes to code extraction
 
 * Fix extraction of `for` statements where the condition declares new variables using `is`.

csharp/ql/src/API Abuse/FormatUnusedArgument.ql

@@ -15,6 +15,7 @@ import semmle.code.csharp.frameworks.Format
 from FormatCall format, int unused, ValidFormatString src
 where
   src = format.getAFormatSource() and
-  unused = format.getAnUnusedArgument(src)
+  unused = format.getAnUnusedArgument(src) and
+  not src.getValue() = ""
 select format, "The $@ ignores $@.", src, "format string", format.getSuppliedExpr(unused),
   "this supplied value"

csharp/ql/test/query-tests/API Abuse/FormatUnusedArgument/FormatUnusedArgument.cs

@@ -8,7 +8,7 @@ class C
         String.Format("{0} {1} {2}", 0, 1, 2);
 
         // BAD: Missing arg {0}
-        String.Format("", 1);
+        String.Format("X", 1);
 
         // BAD: Missing {1}
         String.Format("{0}", 1, 2);
@@ -36,6 +36,10 @@ class C
 
         // BAD: Would display "{0}"
         String.Format("{{0}}", 1);
+
+        // GOOD: Ignore the empty string as it's often used as the default value
+        // of GetResource().
+        String.Format("", 1);
     }
 
     object[] ps;

csharp/ql/test/query-tests/API Abuse/FormatUnusedArgument/FormatUnusedArgument.expected

@@ -1,4 +1,4 @@
-| FormatUnusedArgument.cs:11:9:11:28 | call to method Format | The $@ ignores $@. | FormatUnusedArgument.cs:11:23:11:24 | "" | format string | FormatUnusedArgument.cs:11:27:11:27 | (...) ... | this supplied value |
+| FormatUnusedArgument.cs:11:9:11:29 | call to method Format | The $@ ignores $@. | FormatUnusedArgument.cs:11:23:11:25 | "X" | format string | FormatUnusedArgument.cs:11:28:11:28 | (...) ... | this supplied value |
 | FormatUnusedArgument.cs:14:9:14:34 | call to method Format | The $@ ignores $@. | FormatUnusedArgument.cs:14:23:14:27 | "{0}" | format string | FormatUnusedArgument.cs:14:33:14:33 | (...) ... | this supplied value |
 | FormatUnusedArgument.cs:17:9:17:38 | call to method Format | The $@ ignores $@. | FormatUnusedArgument.cs:17:23:17:31 | "{0} {0}" | format string | FormatUnusedArgument.cs:17:37:17:37 | (...) ... | this supplied value |
 | FormatUnusedArgument.cs:20:9:20:38 | call to method Format | The $@ ignores $@. | FormatUnusedArgument.cs:20:23:20:31 | "{1} {1}" | format string | FormatUnusedArgument.cs:20:34:20:34 | (...) ... | this supplied value |