Skip to content

Java: convert remaining java-code-scanning.qls query tests to .qlref #19842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 32 commits into
base: main
Choose a base branch
from
Open

Java: convert remaining java-code-scanning.qls query tests to .qlref #19842

wants to merge 32 commits into from
+8,835 −2,139

Conversation

d10c
Copy link
Contributor

@d10c d10c commented Jun 23, 2025
edited
Loading

Example prior work: #18848 #19817

  • Does a straightforward conversion of existing .ql-based inline expectations tests to .qlref/utils/test/InlineExpectationsTestQuery.ql-based ones, similar to the above PRs.
  • In the case of CleartextStorageCookie, there was no test, so I created one here.
  • Since the diff-informed consistency check (--check-diff-informed) runs on .qlref-based tests, the UnsafeDeserialization and PolynomialReDoS tests were newly failing that check.
    • In the case of UnsafeDeserialization, the fix was to add a missing getASelectedSinkLocation override.
    • In the case of PolynomialReDoS, the fix was to disable diff-informed support, as the query was failing the consistency check due to a substring of a regex being shown in the results, which does not have a corresponding Location value.

@github-actions github-actions bot added the Java label Jun 23, 2025
@d10c d10c added the no-change-note-required This PR does not need a change note label Jun 23, 2025
@d10c d10c force-pushed the d10c/convert-java-tests-to-qlref branch 2 times, most recently from 3b874a0 to 4a835f9 Compare June 24, 2025 12:43
d10c added 26 commits June 24, 2025 16:41
@d10c
Java: Convert TaintedPath test to .qlref
588efe4
@d10c
Java: convert PartialPathTraversalFromRemote test to .qlref
e1ddce8
@d10c
Java: convert JndiInjection test to .qlref
3f9e0fe
@d10c
Java: convert XsltInjection test to .qlref
199eabd 
Also, split off into separate directory from JndiInjectionTest because their $Alerts were interfering with each other.
@d10c
Java: convert XSS test to .qlref
8e53da2
@d10c
Java: convert GroovyInjection test to .qlref
1cc91e9
@d10c
Java: convert JexlInjection test to .qlref
1b61cb6
@d10c
Java: convert MvelInjection test to .qlref
2a837b2
@d10c
Java: convert SpelInjection test to .qlref
b8c7bd2
@d10c
Java: convert TemplateInjection test to .qlref
c77875d
@d10c
Java: convert IntentUriPermissionManipulation test to .qlref
b736e37
@d10c
Java: convert InsecureTrustManager test to .qlref
993b261
@d10c
Java: convert InsufficientKeySize test to .qlref
288a938
@d10c
Java: convert InsecureRandomness test to .qlref
85c2f72
@d10c
Java: convert MissingJWTSignatureCheck test to .qlref
2869427
@d10c
Java: convert UnsafeContentUriResolution test to .qlref
2b19cbc
@d10c
Java: convert FragmentInjection test to .qlref
192f45e
@d10c
Java: convert WebviewDebuggingEnabled test to .qlref
c4b0955
@d10c
Java: convert UnsafeDeserialization test to .qlref
4412335
@d10c
Java: convert CWE-522 tests to .qlref
bf1a699
@d10c
Java: convert UrlForward test to .qlref
7f33f57
@d10c
Java: convert XXE test to .qlref
162b1c5
@d10c
Java: convert XPathInjection test to .qlref
f5c7ef6
@d10c
Java: convert PolynomialReDoS and RegexInjection tests to .qlref
b7e47e2 
Leaves ReDoS.ql unmodified since it's not a dataflow query; just moves it to its own directory.
@d10c
Java: convert RsaWithoutOaep test to .qlref
cadfd0d
@d10c
Java: convert OgnlInjection test to .qlref
7f05b72
d10c added 5 commits June 24, 2025 16:42
@d10c
Java: convert RequestForgery test to .qlref
aac4f63
@d10c
Java: convert ImproperIntentVerification test to .qlref
e0311e2 
It's a non-path query, so the InlineExpectationsTest postprocessor doesn't do anything.
@d10c
Java: convert ImplicitPendingIntents test to .qlref
e213e3f
@d10c
UnsafeDeserialization: add missing getASelectedSinkLocation override
b2cb585 
This fixes the failing diff-informed consistency check.
@d10c
PolynomialReDoS: disable diff-informed support
a49999d 
This is because it was failing the diff-informed consistency check, and like other ReDoS queries (Python?) the query tries to be helpful by showing a substring of a regex, which has a `hasLocation(...)` (intensional) but no corresponding `getLocation()` (extensional). Until the location overrides get updated to support `hasLocation`-based locations, it's probably best to turn off diff-informed support.
@d10c d10c force-pushed the d10c/convert-java-tests-to-qlref branch from 4a835f9 to a49999d Compare June 24, 2025 14:47
@d10c
Java: add CleartextStorageCookie test
6904461 
Given that it's a non-path-problem dataflow query, the InlineExpectationsTest is not as useful.
@d10c d10c force-pushed the d10c/convert-java-tests-to-qlref branch from d6f8ec3 to 6904461 Compare June 24, 2025 16:12
@d10c d10c requested a review from aschackmull June 24, 2025 16:13
@d10c d10c marked this pull request as ready for review June 24, 2025 16:14
@d10c d10c requested a review from a team as a code owner June 24, 2025 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aschackmull aschackmull Awaiting requested review from aschackmull

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Java no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@d10c