Java: add alert-suppression query for @SuppressWarnings("lgtm[...]")

2025-12-18 01:33:15 +01:00 · 2019-10-12 18:02:37 -04:00
parent 176d7672a1
commit b2bc8382b0
5 changed files with 103 additions and 0 deletions
--- a/java/ql/src/AlertSuppressionAnnotations.ql
+++ b/java/ql/src/AlertSuppressionAnnotations.ql
@@ -0,0 +1,75 @@
+/**
+ * @name Alert suppression using annotations
+ * @description Generates information about alert suppressions
+ *              using 'SuppressWarnings' annotations.
+ * @kind alert-suppression
+ * @id java/alert-suppression-annotations
+ */
+
+import java
+import Metrics.Internal.Extents
+
+/**
+ * An alert suppression annotation.
+ */
+class SuppressionAnnotation extends SuppressWarningsAnnotation {
+  string annotation;
+
+  SuppressionAnnotation() {
+    exists(string text | text = this.getASuppressedWarningLiteral().getValue() |
+      // match `lgtm[...]` anywhere in the comment
+      annotation = text.regexpFind("(?i)\\blgtm\\s*\\[[^\\]]*\\]", _, _)
+    )
+  }
+
+  /**
+   * Gets the text of this suppression annotation.
+   */
+  string getText() { result = getASuppressedWarningLiteral().getValue() }
+
+  /** Gets the LGTM suppression annotation in this Java annotation. */
+  string getAnnotation() { result = annotation }
+
+  /**
+   * Holds if this annotation applies to the range from column `startcolumn` of line `startline`
+   * to column `endcolumn` of line `endline` in file `filepath`.
+   */
+  predicate covers(string filepath, int startline, int startcolumn, int endline, int endcolumn) {
+    getAnnotatedElement().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets the scope of this suppression. */
+  SuppressionScope getScope() { this = result.getSuppressionAnnotation() }
+}
+
+/**
+ * The scope of an alert suppression annotation.
+ */
+class SuppressionScope extends @annotation {
+  SuppressionScope() { this instanceof SuppressionAnnotation }
+
+  /** Gets a suppression annotation with this scope. */
+  SuppressionAnnotation getSuppressionAnnotation() { result = this }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.(SuppressionAnnotation).covers(filepath, startline, startcolumn, endline, endcolumn)
+  }
+
+  /** Gets a textual representation of this element. */
+  string toString() { result = "suppression range" }
+}
+
+from SuppressionAnnotation c
+select c, // suppression comment
+  c.getText(), // text of suppression comment (excluding delimiters)
+  c.getAnnotation(), // text of suppression annotation
+  c.getScope() // scope of suppression
--- a/java/ql/src/semmle/code/java/JDKAnnotations.qll
+++ b/java/ql/src/semmle/code/java/JDKAnnotations.qll
@@ -18,6 +18,12 @@ class OverrideAnnotation extends Annotation {
 class SuppressWarningsAnnotation extends Annotation {
  SuppressWarningsAnnotation() { this.getType().hasQualifiedName("java.lang", "SuppressWarnings") }

+  /** Gets the `StringLiteral` of a warning suppressed by this annotation. */
+  StringLiteral getASuppressedWarningLiteral() {
+    result = this.getAValue() or
+    result = this.getAValue().(ArrayInit).getAnInit()
+  }
+
  /** Gets the name of a warning suppressed by this annotation. */
  string getASuppressedWarning() {
    result = this.getAValue().(StringLiteral).getLiteral() or