mirror of
https://github.com/github/codeql.git
synced 2026-05-05 13:45:19 +02:00
Merge branch 'main' into codescanning_fixes_cpp
This commit is contained in:
Nicolas Will
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/missing-override-annotation
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
* @precision high
|
||||
* @id java/deprecated-call
|
||||
* @tags maintainability
|
||||
* readability
|
||||
* non-attributable
|
||||
* external/cwe/cwe-477
|
||||
*/
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/inconsistent-javadoc-throws
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision very-high
|
||||
* @id java/unknown-javadoc-parameter
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -1,3 +1,24 @@
|
||||
## 1.6.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The tag `quality` has been added to multiple Java quality queries for consistency. They have all been given a tag for one of the two top-level categories `reliability` or `maintainability`, and a tag for a sub-category. See [Query file metadata and alert message style guide](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags) for more information about these categories.
|
||||
* The tag `external/cwe/cwe-571` has been added to `java/equals-on-unrelated-types`.
|
||||
* The tag `readability` has been added to `java/missing-override-annotation`, `java/deprecated-call`, `java/inconsistent-javadoc-throws`, `java/unknown-javadoc-parameter`, `java/jdk-internal-api-access`, `java/underscore-identifier`, `java/misleading-indentation`, `java/inefficient-empty-string-test`, `java/non-static-nested-class`, `inefficient-string-constructor`, and `java/constants-only-interface`.
|
||||
* The tag `useless-code` has been added to `java/useless-type-test`, and `java/useless-tostring-call`.
|
||||
* The tag `complexity` has been added to `java/chained-type-tests`, and `java/abstract-to-concrete-cast`.
|
||||
* The tag `error-handling` has been added to `java/ignored-error-status-of-call`, and `java/uncaught-number-format-exception`.
|
||||
* The tag `correctness` has been added to `java/evaluation-to-constant`, `java/whitespace-contradicts-precedence`, `java/empty-container`, `java/string-buffer-char-init`, `java/call-to-object-tostring`, `java/print-array` and `java/internal-representation-exposure`.
|
||||
* The tag `performance` has been added to `java/input-resource-leak`, `java/database-resource-leak`, `java/output-resource-leak`, `java/inefficient-key-set-iterator`, `java/inefficient-output-stream`, and `java/inefficient-boxed-constructor`.
|
||||
* The tag `correctness` has been removed from `java/call-to-thread-run`, `java/unsafe-double-checked-locking`, `java/unsafe-double-checked-locking-init-order`, `java/non-sync-override`, `java/sync-on-boxed-types`, `java/unsynchronized-getter`, `java/input-resource-leak`, `java/output-resource-leak`, `java/database-resource-leak`, and `java/ignored-error-status-of-call`.
|
||||
* The tags `maintainability` has been removed from `java/string-buffer-char-init`, `java/inefficient-key-set-iterator`, `java/inefficient-boxed-constructor`, and `java/internal-representation-exposure`.
|
||||
* The tags `reliability` has been removed from `java/subtle-inherited-call`, `java/print-array`, and `java/call-to-object-tostring`.
|
||||
* The tags `maintainability` and `useless-code` have been removed from `java/evaluation-to-constant`.
|
||||
* The tags `maintainability` and `readability` have been removed from `java/whitespace-contradicts-precedence`.
|
||||
* The tags `maintainability` and `useless-code` have been removed from `java/empty-container`.
|
||||
* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded.
|
||||
* Adjusts the `@security-severity` from 9.3 to 7.3 for `java/tainted-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
|
||||
|
||||
## 1.5.2
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/jdk-internal-api-access
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/underscore-identifier
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -5,7 +5,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/unused-parameter
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
* @precision high
|
||||
* @id java/chained-type-tests
|
||||
* @tags maintainability
|
||||
* complexity
|
||||
* language-features
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,8 +7,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/iterator-implements-iterable
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/useless-null-check
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
@@ -17,10 +18,10 @@ import semmle.code.java.controlflow.Guards
|
||||
|
||||
from Expr guard, Expr e, Expr reason, string msg
|
||||
where
|
||||
guard = basicNullGuard(e, _, true) and
|
||||
guardSuggestsExprMaybeNull(guard, e) and
|
||||
e = clearlyNotNullExpr(reason) and
|
||||
(
|
||||
if reason instanceof Guard
|
||||
if reason = directNullGuard(_, _, _)
|
||||
then msg = "This check is useless. $@ cannot be null at this check, since it is guarded by $@."
|
||||
else
|
||||
if reason != e
|
||||
|
||||
@@ -5,7 +5,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/useless-type-test
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* language-features
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/iterable-wraps-iterator
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -5,8 +5,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/evaluation-to-constant
|
||||
* @tags maintainability
|
||||
* useless-code
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,10 +6,10 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/integer-multiplication-cast-to-long
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* types
|
||||
* quality
|
||||
* external/cwe/cwe-190
|
||||
* external/cwe/cwe-192
|
||||
* external/cwe/cwe-197
|
||||
|
||||
@@ -5,7 +5,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/lshift-larger-than-type-width
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/whitespace-contradicts-precedence
|
||||
* @tags maintainability
|
||||
* readability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* external/cwe/cwe-783
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/index-out-of-bounds
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* exceptions
|
||||
* external/cwe/cwe-193
|
||||
|
||||
@@ -7,7 +7,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/type-mismatch-access
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
*/
|
||||
|
||||
@@ -5,9 +5,9 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/empty-container
|
||||
* @tags reliability
|
||||
* maintainability
|
||||
* useless-code
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,7 +7,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/type-mismatch-modification
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
*/
|
||||
|
||||
@@ -5,9 +5,9 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/unused-container
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* quality
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/comparison-of-identical-expressions
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
*/
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/equals-on-arrays
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/hashing-without-hashcode
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,9 +6,10 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/equals-on-unrelated-types
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* quality
|
||||
* external/cwe/cwe-571
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,9 +6,9 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/inconsistent-equals-and-hashcode
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* quality
|
||||
* external/cwe/cwe-581
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,9 +6,9 @@
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/unchecked-cast-in-equals
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* quality
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,9 +6,9 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/reference-equality-of-boxed-types
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* quality
|
||||
* external/cwe/cwe-595
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,7 +7,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/constant-comparison
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
* external/cwe/cwe-570
|
||||
* external/cwe/cwe-571
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/comparison-with-nan
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,8 +6,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/call-to-thread-run
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* concurrency
|
||||
* external/cwe/cwe-572
|
||||
*/
|
||||
|
||||
@@ -6,8 +6,8 @@
|
||||
* @problem.severity error
|
||||
* @precision high
|
||||
* @id java/unsafe-double-checked-locking
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* concurrency
|
||||
* external/cwe/cwe-609
|
||||
*/
|
||||
|
||||
@@ -8,8 +8,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/unsafe-double-checked-locking-init-order
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* concurrency
|
||||
* external/cwe/cwe-609
|
||||
*/
|
||||
|
||||
@@ -6,8 +6,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/non-sync-override
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* concurrency
|
||||
* language-features
|
||||
* external/cwe/cwe-820
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
## Overview
|
||||
|
||||
According to the Java documentation on `ScheduledThreadPoolExecutor`, it is not a good idea to set `corePoolSize` to zero, since doing so indicates the executor to keep 0 threads in its pool and the executor will serve no purpose.
|
||||
|
||||
## Recommendation
|
||||
|
||||
Set the `ScheduledThreadPoolExecutor` to have 1 or more threads in its thread pool and use the class's other methods to create a thread execution schedule.
|
||||
|
||||
## Example
|
||||
|
||||
```java
|
||||
public class Test {
|
||||
void f() {
|
||||
int i = 0;
|
||||
ScheduledThreadPoolExecutor s = new ScheduledThreadPoolExecutor(1); // COMPLIANT
|
||||
ScheduledThreadPoolExecutor s1 = new ScheduledThreadPoolExecutor(0); // NON_COMPLIANT
|
||||
s.setCorePoolSize(0); // NON_COMPLIANT
|
||||
s.setCorePoolSize(i); // NON_COMPLIANT
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
## References
|
||||
- [ScheduledThreadPoolExecutor](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/util/concurrent/ScheduledThreadPoolExecutor.html)
|
||||
@@ -0,0 +1,36 @@
|
||||
/**
|
||||
* @id java/java-util-concurrent-scheduledthreadpoolexecutor
|
||||
* @name Zero threads set for `java.util.concurrent.ScheduledThreadPoolExecutor`
|
||||
* @description Setting `java.util.concurrent.ScheduledThreadPoolExecutor` to have 0 threads serves
|
||||
* no purpose and may indicate programmer error.
|
||||
* @kind problem
|
||||
* @precision very-high
|
||||
* @problem.severity recommendation
|
||||
* @previous-id java/javautilconcurrentscheduledthreadpoolexecutor
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* concurrency
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
/**
|
||||
* A `Call` that has the ability to set or modify the `corePoolSize` of the `java.util.concurrent.ScheduledThreadPoolExecutor` type.
|
||||
*/
|
||||
class Sink extends Call {
|
||||
Sink() {
|
||||
this.getCallee()
|
||||
.hasQualifiedName("java.util.concurrent", "ThreadPoolExecutor", "setCorePoolSize") or
|
||||
this.getCallee()
|
||||
.hasQualifiedName("java.util.concurrent", "ScheduledThreadPoolExecutor",
|
||||
"ScheduledThreadPoolExecutor")
|
||||
}
|
||||
}
|
||||
|
||||
from IntegerLiteral zero, Sink set
|
||||
where
|
||||
DataFlow::localFlow(DataFlow::exprNode(zero), DataFlow::exprNode(set.getArgument(0))) and
|
||||
zero.getIntValue() = 0
|
||||
select set, "ScheduledThreadPoolExecutor.corePoolSize is set to have 0 threads."
|
||||
@@ -7,8 +7,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/sync-on-boxed-types
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* concurrency
|
||||
* language-features
|
||||
* external/cwe/cwe-662
|
||||
|
||||
@@ -7,8 +7,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/unsynchronized-getter
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* concurrency
|
||||
* language-features
|
||||
* external/cwe/cwe-413
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/non-final-call-in-constructor
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
*/
|
||||
|
||||
@@ -5,7 +5,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/test-for-negative-container-size
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
*/
|
||||
|
||||
@@ -7,9 +7,10 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/contradictory-type-checks
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
* quality
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/missing-format-argument
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* external/cwe/cwe-685
|
||||
*/
|
||||
|
||||
|
||||
@@ -7,7 +7,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision very-high
|
||||
* @id java/missing-space-in-concatenation
|
||||
* @tags readability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -5,7 +5,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/redundant-assignment
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* logic
|
||||
*/
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/string-buffer-char-init
|
||||
* @tags reliability
|
||||
* maintainability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -5,8 +5,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/suspicious-date-format
|
||||
* @tags correctness
|
||||
* quality
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -7,7 +7,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/unused-format-argument
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* external/cwe/cwe-685
|
||||
*/
|
||||
|
||||
@@ -5,7 +5,8 @@
|
||||
* @problem.severity error
|
||||
* @precision very-high
|
||||
* @id java/dereferenced-value-is-always-null
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* exceptions
|
||||
* external/cwe/cwe-476
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/dereferenced-expr-may-be-null
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* exceptions
|
||||
* external/cwe/cwe-476
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/dereferenced-value-may-be-null
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* exceptions
|
||||
* external/cwe/cwe-476
|
||||
|
||||
@@ -6,10 +6,11 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/input-resource-leak
|
||||
* @tags efficiency
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* performance
|
||||
* efficiency
|
||||
* resources
|
||||
* quality
|
||||
* external/cwe/cwe-404
|
||||
* external/cwe/cwe-772
|
||||
*/
|
||||
|
||||
@@ -5,7 +5,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/database-resource-leak
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* performance
|
||||
* resources
|
||||
* external/cwe/cwe-404
|
||||
* external/cwe/cwe-772
|
||||
|
||||
@@ -6,10 +6,11 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/output-resource-leak
|
||||
* @tags efficiency
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* performance
|
||||
* efficiency
|
||||
* resources
|
||||
* quality
|
||||
* external/cwe/cwe-404
|
||||
* external/cwe/cwe-772
|
||||
*/
|
||||
|
||||
@@ -8,7 +8,9 @@
|
||||
* @id java/continue-in-false-loop
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision high
|
||||
* @id java/unreachable-catch-clause
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* exceptions
|
||||
* external/cwe/cwe-561
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/misleading-indentation
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
* correctness
|
||||
* logic
|
||||
*/
|
||||
|
||||
@@ -7,7 +7,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/constant-loop-condition
|
||||
* @tags correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* external/cwe/cwe-835
|
||||
*/
|
||||
|
||||
|
||||
@@ -5,8 +5,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/inefficient-empty-string-test
|
||||
* @tags efficiency
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -5,8 +5,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/inefficient-key-set-iterator
|
||||
* @tags efficiency
|
||||
* maintainability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* performance
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,10 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/inefficient-output-stream
|
||||
* @tags efficiency
|
||||
* @tags quality
|
||||
* reliability
|
||||
* performance
|
||||
* efficiency
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -5,8 +5,10 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/inefficient-boxed-constructor
|
||||
* @tags efficiency
|
||||
* maintainability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* performance
|
||||
* efficiency
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/non-static-nested-class
|
||||
* @tags efficiency
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/inefficient-string-constructor
|
||||
* @tags efficiency
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/non-null-boxed-variable
|
||||
* @tags readability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
* types
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/unused-reference-type
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/unimplementable-interface
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
*/
|
||||
|
||||
|
||||
@@ -5,7 +5,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/local-variable-is-never-read
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/unused-label
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
* external/cwe/cwe-561
|
||||
*/
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/constants-only-interface
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
* modularity
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/ignored-error-status-of-call
|
||||
* @tags reliability
|
||||
* correctness
|
||||
* @tags quality
|
||||
* reliability
|
||||
* error-handling
|
||||
* external/cwe/cwe-391
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/uncaught-number-format-exception
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* error-handling
|
||||
* external/cwe/cwe-248
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/abstract-to-concrete-cast
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* complexity
|
||||
* modularity
|
||||
* external/cwe/cwe-485
|
||||
*/
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/internal-representation-exposure
|
||||
* @tags reliability
|
||||
* maintainability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
* modularity
|
||||
* external/cwe/cwe-485
|
||||
*/
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity warning
|
||||
* @precision very-high
|
||||
* @id java/subtle-inherited-call
|
||||
* @tags reliability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/confusing-method-name
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
* naming
|
||||
*/
|
||||
|
||||
@@ -7,7 +7,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/confusing-method-signature
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
* naming
|
||||
*/
|
||||
|
||||
@@ -6,7 +6,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/local-shadows-field
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
*/
|
||||
|
||||
|
||||
@@ -5,7 +5,8 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/class-name-matches-super-class
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* readability
|
||||
* naming
|
||||
*/
|
||||
|
||||
@@ -5,7 +5,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/useless-tostring-call
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* maintainability
|
||||
* useless-code
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,8 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision high
|
||||
* @id java/call-to-object-tostring
|
||||
* @tags reliability
|
||||
* maintainability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -6,7 +6,9 @@
|
||||
* @problem.severity recommendation
|
||||
* @precision very-high
|
||||
* @id java/print-array
|
||||
* @tags maintainability
|
||||
* @tags quality
|
||||
* reliability
|
||||
* correctness
|
||||
*/
|
||||
|
||||
import java
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* Adjusts the `@security-severity` from 9.3 to 7.3 for `java/tainted-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
|
||||
@@ -1,4 +0,0 @@
|
||||
---
|
||||
category: queryMetadata
|
||||
---
|
||||
* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded.
|
||||
4
java/ql/src/change-notes/2025-06-17-improved-guards.md
Normal file
4
java/ql/src/change-notes/2025-06-17-improved-guards.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Java analysis of guards has been switched to use the new and improved shared guards library. This improves precision of a number of queries, in particular `java/dereferenced-value-may-be-null`, which now has fewer false positives, and `java/useless-null-check` and `java/constant-comparison`, which gain additional true positives.
|
||||
20
java/ql/src/change-notes/released/1.6.0.md
Normal file
20
java/ql/src/change-notes/released/1.6.0.md
Normal file
@@ -0,0 +1,20 @@
|
||||
## 1.6.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
* The tag `quality` has been added to multiple Java quality queries for consistency. They have all been given a tag for one of the two top-level categories `reliability` or `maintainability`, and a tag for a sub-category. See [Query file metadata and alert message style guide](https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#quality-query-sub-category-tags) for more information about these categories.
|
||||
* The tag `external/cwe/cwe-571` has been added to `java/equals-on-unrelated-types`.
|
||||
* The tag `readability` has been added to `java/missing-override-annotation`, `java/deprecated-call`, `java/inconsistent-javadoc-throws`, `java/unknown-javadoc-parameter`, `java/jdk-internal-api-access`, `java/underscore-identifier`, `java/misleading-indentation`, `java/inefficient-empty-string-test`, `java/non-static-nested-class`, `inefficient-string-constructor`, and `java/constants-only-interface`.
|
||||
* The tag `useless-code` has been added to `java/useless-type-test`, and `java/useless-tostring-call`.
|
||||
* The tag `complexity` has been added to `java/chained-type-tests`, and `java/abstract-to-concrete-cast`.
|
||||
* The tag `error-handling` has been added to `java/ignored-error-status-of-call`, and `java/uncaught-number-format-exception`.
|
||||
* The tag `correctness` has been added to `java/evaluation-to-constant`, `java/whitespace-contradicts-precedence`, `java/empty-container`, `java/string-buffer-char-init`, `java/call-to-object-tostring`, `java/print-array` and `java/internal-representation-exposure`.
|
||||
* The tag `performance` has been added to `java/input-resource-leak`, `java/database-resource-leak`, `java/output-resource-leak`, `java/inefficient-key-set-iterator`, `java/inefficient-output-stream`, and `java/inefficient-boxed-constructor`.
|
||||
* The tag `correctness` has been removed from `java/call-to-thread-run`, `java/unsafe-double-checked-locking`, `java/unsafe-double-checked-locking-init-order`, `java/non-sync-override`, `java/sync-on-boxed-types`, `java/unsynchronized-getter`, `java/input-resource-leak`, `java/output-resource-leak`, `java/database-resource-leak`, and `java/ignored-error-status-of-call`.
|
||||
* The tags `maintainability` has been removed from `java/string-buffer-char-init`, `java/inefficient-key-set-iterator`, `java/inefficient-boxed-constructor`, and `java/internal-representation-exposure`.
|
||||
* The tags `reliability` has been removed from `java/subtle-inherited-call`, `java/print-array`, and `java/call-to-object-tostring`.
|
||||
* The tags `maintainability` and `useless-code` have been removed from `java/evaluation-to-constant`.
|
||||
* The tags `maintainability` and `readability` have been removed from `java/whitespace-contradicts-precedence`.
|
||||
* The tags `maintainability` and `useless-code` have been removed from `java/empty-container`.
|
||||
* Adjusts the `@precision` from high to medium for `java/concatenated-command-line` because it is producing false positive alerts when the concatenated strings are hard-coded.
|
||||
* Adjusts the `@security-severity` from 9.3 to 7.3 for `java/tainted-format-string` to align `CWE-134` severity for memory safe languages to better reflect their impact.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.5.2
|
||||
lastReleaseVersion: 1.6.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 1.5.3-dev
|
||||
version: 1.6.1-dev
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
Reference in New Issue
Block a user