From 292a9481e6f609e9af9cbac9cd5904e54e7f4e83 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Wed, 20 Sep 2023 22:02:14 +0000 Subject: [PATCH 01/14] Pending changes exported from your codespace --- ...classes-for-working-with-java-programs.rst | 2 +- .../analyzing-data-flow-in-java.rst | 6 +++--- .../basic-query-for-cpp-code.rst | 2 +- .../basic-query-for-java-code.rst | 4 ++-- .../basic-query-for-javascript-code.rst | 6 +++--- .../codeql-for-java.rst | 10 +++++----- .../codeql-for-javascript.rst | 4 ++-- .../codeql-library-for-java.rst | 20 +++++++++---------- docs/codeql/query-help/javascript-cwe.md | 4 ++-- docs/codeql/reusables/extractors.rst | 6 +++--- .../about-codeql-queries.rst | 2 +- .../about-data-flow-analysis.rst | 2 +- .../creating-path-queries.rst | 4 ++-- .../query-help-files.rst | 2 +- docs/query-metadata-style-guide.md | 2 +- 15 files changed, 38 insertions(+), 38 deletions(-) diff --git a/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst b/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst index 7d41785ea89..40af6084c19 100644 --- a/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst +++ b/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst @@ -3,7 +3,7 @@ Abstract syntax tree classes for working with Java programs =========================================================== -CodeQL has a large selection of classes for representing the abstract syntax tree of Java programs. +CodeQL has a large selection of classes for representing the abstract syntax tree of Java and Kotlin programs. .. include:: ../reusables/abstract-syntax-tree.rst diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 06ca7fe413f..2db91cae2dc 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -1,9 +1,9 @@ .. _analyzing-data-flow-in-java: -Analyzing data flow in Java +Analyzing data flow in Java and Kotlin =========================== -You can use CodeQL to track the flow of data through a Java program to its use. +You can use CodeQL to track the flow of data through a Java/Kotlin program to its use. .. include:: ../reusables/kotlin-beta-note.rst @@ -12,7 +12,7 @@ You can use CodeQL to track the flow of data through a Java program to its use. About this article ------------------ -This article describes how data flow analysis is implemented in the CodeQL libraries for Java and includes examples to help you write your own data flow queries. +This article describes how data flow analysis is implemented in the CodeQL libraries for Java/Kotlin and includes examples to help you write your own data flow queries. The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking. For a more general introduction to modeling data flow, see ":ref:`About data flow analysis `." diff --git a/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst index 47a762b4d3e..6b5675c8514 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst @@ -52,7 +52,7 @@ After the initial ``import`` statement, this simple query comprises three parts +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | Query part | Purpose | Details | +===============================================================+===================================================================================================================+========================================================================================================================+ -| ``import cpp`` | Imports the standard CodeQL libraries for C/C++. | Every query begins with one or more ``import`` statements. | +| ``import c-cpp`` | Imports the standard CodeQL libraries for C/C++. | Every query begins with one or more ``import`` statements. | +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | ``from IfStmt ifstmt, BlockStmt block`` | Defines the variables for the query. | We use: | | | Declarations are of the form: | | diff --git a/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst index a7d783804b9..3f3fd36affb 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst @@ -70,7 +70,7 @@ After the initial ``import`` statement, this simple query comprises three parts +--------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------+ | Query part | Purpose | Details | +==================================================================================================+===================================================================================================================+===================================================================================================+ -| ``import java`` | Imports the standard CodeQL libraries for Java and Kotlin. | Every query begins with one or more ``import`` statements. | +| ``import java-kotlin`` | Imports the standard CodeQL libraries for Java and Kotlin. | Every query begins with one or more ``import`` statements. | +--------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------+ | ``from MethodAccess ma`` | Defines the variables for the query. | We use: | | | Declarations are of the form: | | @@ -133,7 +133,7 @@ Further reading .. Article-specific substitutions for the reusables used in docs/codeql/reusables/vs-code-basic-instructions -.. |language-text| replace:: Java +.. |language-text| replace:: Java/Kotlin .. |language-code| replace:: ``java`` diff --git a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst index 90cb3f77cfd..c810de4eaf1 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst @@ -1,6 +1,6 @@ .. _basic-query-for-javascript-code: -Basic query for JavaScript code +Basic query for JavaScript and TypeScript code =============================== Learn to write and run a simple CodeQL query using Visual Studio Code with the CodeQL extension. @@ -10,7 +10,7 @@ Learn to write and run a simple CodeQL query using Visual Studio Code with the C About the query --------------- -In JavaScript, any expression can be turned into an expression statement. While this is sometimes convenient, it can be dangerous. For example, imagine a programmer wants to assign a new value to a variable ``x`` by means of an assignment ``x = 42``. However, they accidentally type two equals signs, producing the comparison statement ``x == 42``. This is valid JavaScript, so no error is generated. The statement simply compares ``x`` to ``42``, and then discards the result of the comparison. +In JavaScript and TypeScript, any expression can be turned into an expression statement. While this is sometimes convenient, it can be dangerous. For example, imagine a programmer wants to assign a new value to a variable ``x`` by means of an assignment ``x = 42``. However, they accidentally type two equals signs, producing the comparison statement ``x == 42``. This is valid JavaScript, so no error is generated. The statement simply compares ``x`` to ``42``, and then discards the result of the comparison. The query you will run finds instances of this problem. The query searches for expressions ``e`` that are pure—that is, their evaluation does not lead to any side effects—but appear as an expression statement. @@ -50,7 +50,7 @@ After the initial ``import`` statement, this simple query comprises three parts +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | Query part | Purpose | Details | +===============================================================+===================================================================================================================+========================================================================================================================+ -| ``import javascript`` | Imports the standard CodeQL libraries for JavaScript. | Every query begins with one or more ``import`` statements. | +| ``import javascript-typescript`` | Imports the standard CodeQL libraries for JavaScript and TypeScript. | Every query begins with one or more ``import`` statements. | +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | ``from Expr e`` | Defines the variables for the query. | ``e`` is declared as a variable that ranges over expressions. | | | Declarations are of the form: | | diff --git a/docs/codeql/codeql-language-guides/codeql-for-java.rst b/docs/codeql/codeql-language-guides/codeql-for-java.rst index dc486b828a9..4c63faea1d9 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-java.rst @@ -10,7 +10,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat .. pull-quote:: Enabling Kotlin support - CodeQL treats Java and Kotlin as parts of the same language, so to enable Kotlin support you should enable ``java`` as a language. + CodeQL treats Java and Kotlin as parts of the same language, so to enable Kotlin support you should enable ``java-kotlin`` as a language. .. toctree:: :hidden: @@ -26,11 +26,11 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat working-with-source-locations abstract-syntax-tree-classes-for-working-with-java-programs -- :doc:`Basic query for Java code `: Learn to write and run a simple CodeQL query. +- :doc:`Basic query for Java and Kotlin code `: Learn to write and run a simple CodeQL query. -- :doc:`CodeQL library for Java `: When analyzing Java code, you can use the large collection of classes in the CodeQL library for Java. +- :doc:`CodeQL library for Java and Kotlin `: When analyzing Java/Kotlin code, you can use the large collection of classes in the CodeQL library for Java/Kotlin. -- :doc:`Analyzing data flow in Java `: You can use CodeQL to track the flow of data through a Java program to its use. +- :doc:`Analyzing data flow in Java and Kotlin `: You can use CodeQL to track the flow of data through a Java/Kotlin program to its use. - :doc:`Java types `: You can use CodeQL to find out information about data types used in Java code. This allows you to write queries to identify specific type-related issues. @@ -44,4 +44,4 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat - :doc:`Working with source locations `: You can use the location of entities within Java code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem. -- :doc:`Abstract syntax tree classes for working with Java programs `: CodeQL has a large selection of classes for representing the abstract syntax tree of Java programs. +- :doc:`Abstract syntax tree classes for working with Java and Kotlin programs `: CodeQL has a large selection of classes for representing the abstract syntax tree of Java/Kotlin programs. diff --git a/docs/codeql/codeql-language-guides/codeql-for-javascript.rst b/docs/codeql/codeql-language-guides/codeql-for-javascript.rst index be3950c53ec..c7d8b640b21 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-javascript.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-javascript.rst @@ -3,7 +3,7 @@ CodeQL for JavaScript ===================== -Experiment and learn how to write effective and efficient queries for CodeQL databases generated from JavaScript codebases. +Experiment and learn how to write effective and efficient queries for CodeQL databases generated from JavaScript and TypeScript codebases. .. toctree:: :hidden: @@ -18,7 +18,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat abstract-syntax-tree-classes-for-working-with-javascript-and-typescript-programs data-flow-cheat-sheet-for-javascript -- :doc:`Basic query for JavaScript code `: Learn to write and run a simple CodeQL query. +- :doc:`Basic query for JavaScript and TypeScript code `: Learn to write and run a simple CodeQL query. - :doc:`CodeQL library for JavaScript `: When you're analyzing a JavaScript program, you can make use of the large collection of classes in the CodeQL library for JavaScript. diff --git a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst index 319afdf29c0..4359d382591 100644 --- a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst @@ -1,14 +1,14 @@ .. _codeql-library-for-java: -CodeQL library for Java +CodeQL library for Java and Kotlin ======================= -When you're analyzing a Java program, you can make use of the large collection of classes in the CodeQL library for Java. +When you're analyzing a Java/Kotlin program, you can make use of the large collection of classes in the CodeQL library for Java/Kotlin. -About the CodeQL library for Java +About the CodeQL library for Java and Kotlin --------------------------------- -There is an extensive library for analyzing CodeQL databases extracted from Java projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. +There is an extensive library for analyzing CodeQL databases extracted from Java/Kotlin projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of QL modules, that is, files with the extension ``.qll``. The module ``java.qll`` imports all the core Java library modules, so you can include the complete library by beginning your query with: @@ -27,7 +27,7 @@ The rest of this article briefly summarizes the most important classes and predi Summary of the library classes ------------------------------ -The most important classes in the standard Java library can be grouped into five main categories: +The most important classes in the standard Java/Kotlin library can be grouped into five main categories: #. Classes for representing program elements (such as classes and methods) #. Classes for representing AST nodes (such as statements and expressions) @@ -192,7 +192,7 @@ The wildcards ``? extends Number`` and ``? super Float`` are represented by clas For dealing with generic methods, there are classes ``GenericMethod``, ``ParameterizedMethod`` and ``RawMethod``, which are entirely analogous to the like-named classes for representing generic types. -For more information on working with types, see the :doc:`Types in Java `. +For more information on working with types, see the :doc:`Types in Java and Kotlin `. Variables ~~~~~~~~~ @@ -206,7 +206,7 @@ Class ``Variable`` represents a variable `in the Java sense `." +Classes in this category represent abstract syntax tree (AST) nodes, that is, statements (class ``Stmt``) and expressions (class ``Expr``). For a full list of expression and statement types available in the standard QL library, see ":doc:`Abstract syntax tree classes for working with Java and Kotlin programs `." Both ``Expr`` and ``Stmt`` provide member predicates for exploring the abstract syntax tree of a program: @@ -254,12 +254,12 @@ Finally, here is a query that finds method bodies: As these examples show, the parent node of an expression is not always an expression: it may also be a statement, for example, an ``IfStmt``. Similarly, the parent node of a statement is not always a statement: it may also be a method or a constructor. To capture this, the QL Java library provides two abstract class ``ExprParent`` and ``StmtParent``, the former representing any node that may be the parent node of an expression, and the latter any node that may be the parent node of a statement. -For more information on working with AST classes, see the :doc:`article on overflow-prone comparisons in Java `. +For more information on working with AST classes, see the :doc:`article on overflow-prone comparisons in Java and Kotlin `. Metadata -------- -Java programs have several kinds of metadata, in addition to the program code proper. In particular, there are `annotations `__ and `Javadoc `__ comments. Since this metadata is interesting both for enhancing code analysis and as an analysis subject in its own right, the QL library defines classes for accessing it. +Java/Kotlin programs have several kinds of metadata, in addition to the program code proper. In particular, there are `annotations `__ and `Javadoc `__ comments. Since this metadata is interesting both for enhancing code analysis and as an analysis subject in its own right, the QL library defines classes for accessing it. For annotations, class ``Annotatable`` is a superclass of all program elements that can be annotated. This includes packages, reference types, fields, methods, constructors, and local variable declarations. For every such element, its predicate ``getAnAnnotation`` allows you to retrieve any annotations the element may have. For example, the following query finds all annotations on constructors: @@ -344,7 +344,7 @@ Most large projects include some methods with a very high cyclomatic complexity. Call graph ---------- -CodeQL databases generated from Java code bases include precomputed information about the program's call graph, that is, which methods or constructors a given call may dispatch to at runtime. +CodeQL databases generated from Java and Kotlin code bases include precomputed information about the program's call graph, that is, which methods or constructors a given call may dispatch to at runtime. The class ``Callable``, introduced above, includes both methods and constructors. Call expressions are abstracted using class ``Call``, which includes method calls, ``new`` expressions, and explicit constructor calls using ``this`` or ``super``. diff --git a/docs/codeql/query-help/javascript-cwe.md b/docs/codeql/query-help/javascript-cwe.md index 628d07a38bf..8d05f243c72 100644 --- a/docs/codeql/query-help/javascript-cwe.md +++ b/docs/codeql/query-help/javascript-cwe.md @@ -1,6 +1,6 @@ -# CWE coverage for JavaScript +# CWE coverage for JavaScript and TypeScript -An overview of CWE coverage for JavaScript in the latest release of CodeQL. +An overview of CWE coverage for JavaScript and TypeScript in the latest release of CodeQL. ## Overview diff --git a/docs/codeql/reusables/extractors.rst b/docs/codeql/reusables/extractors.rst index bfcd7571cb7..e1976ab0e6a 100644 --- a/docs/codeql/reusables/extractors.rst +++ b/docs/codeql/reusables/extractors.rst @@ -5,15 +5,15 @@ * - Language - Identifier * - C/C++ - - ``cpp`` + - ``c-cpp`` * - C# - ``csharp`` * - Go - ``go`` * - Java/Kotlin - - ``java`` + - ``java-kotlin`` * - JavaScript/TypeScript - - ``javascript`` + - ``javascript-typescript`` * - Python - ``python`` * - Ruby diff --git a/docs/codeql/writing-codeql-queries/about-codeql-queries.rst b/docs/codeql/writing-codeql-queries/about-codeql-queries.rst index 9a3957ac6a1..0405c047483 100644 --- a/docs/codeql/writing-codeql-queries/about-codeql-queries.rst +++ b/docs/codeql/writing-codeql-queries/about-codeql-queries.rst @@ -74,7 +74,7 @@ When writing your own alert queries, you would typically import the standard lib - :ref:`CodeQL library guide for C and C++ ` - :ref:`CodeQL library guide for C# ` - :ref:`CodeQL library guide for Go ` -- :ref:`CodeQL library guide for Java ` +- :ref:`CodeQL library guide for Java and Kotlin ` - :ref:`CodeQL library guide for JavaScript ` - :ref:`CodeQL library guide for Python ` - :ref:`CodeQL library guide for Ruby ` diff --git a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst index 52a1e7b91b5..1fde2e7ac2f 100644 --- a/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst +++ b/docs/codeql/writing-codeql-queries/about-data-flow-analysis.rst @@ -18,7 +18,7 @@ See the following tutorials for more information about analyzing data flow in sp - ":ref:`Analyzing data flow in C/C++ `" - ":ref:`Analyzing data flow in C# `" -- ":ref:`Analyzing data flow in Java `" +- ":ref:`Analyzing data flow in Java/Kotlin `" - ":ref:`Analyzing data flow in JavaScript/TypeScript `" - ":ref:`Analyzing data flow in Python `" - ":ref:`Analyzing data flow in Ruby `" diff --git a/docs/codeql/writing-codeql-queries/creating-path-queries.rst b/docs/codeql/writing-codeql-queries/creating-path-queries.rst index 9d2e5eee687..1e1b8d1f7a6 100644 --- a/docs/codeql/writing-codeql-queries/creating-path-queries.rst +++ b/docs/codeql/writing-codeql-queries/creating-path-queries.rst @@ -28,7 +28,7 @@ For more language-specific information on analyzing data flow, see: - ":ref:`Analyzing data flow in C/C++ `" - ":ref:`Analyzing data flow in C# `" -- ":ref:`Analyzing data flow in Java `" +- ":ref:`Analyzing data flow in Java/Kotlin `" - ":ref:`Analyzing data flow in JavaScript/TypeScript `" - ":ref:`Analyzing data flow in Python `" - ":ref:`Analyzing data flow in Ruby `" @@ -123,7 +123,7 @@ Declaring sources and sinks You must provide information about the ``source`` and ``sink`` in your path query. These are objects that correspond to the nodes of the paths that you are exploring. The name and the type of the ``source`` and the ``sink`` must be declared in the ``from`` statement of the query, and the types must be compatible with the nodes of the graph computed by the ``edges`` predicate. -If you are querying C/C++, C#, Go, Java, JavaScript, Python, or Ruby code (and you have used ``import MyFlow::PathGraph`` in your query), the definitions of the ``source`` and ``sink`` are accessed via the module resulting from the application of the ``Global<..>`` module in the data flow library. You should declare both of these objects in the ``from`` statement. +If you are querying C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, or Ruby code (and you have used ``import MyFlow::PathGraph`` in your query), the definitions of the ``source`` and ``sink`` are accessed via the module resulting from the application of the ``Global<..>`` module in the data flow library. You should declare both of these objects in the ``from`` statement. For example: .. code-block:: ql diff --git a/docs/codeql/writing-codeql-queries/query-help-files.rst b/docs/codeql/writing-codeql-queries/query-help-files.rst index 480fb7d846c..e4464514f7a 100644 --- a/docs/codeql/writing-codeql-queries/query-help-files.rst +++ b/docs/codeql/writing-codeql-queries/query-help-files.rst @@ -15,7 +15,7 @@ For more information about how to write useful query help in a style that is con You can access the query help for CodeQL queries by visiting `CodeQL query help `__. You can also access the raw query help files in the `GitHub repository `__. - For example, see the `JavaScript security queries `__ and `C/C++ critical queries `__. + For example, see the `JavaScript/TypeScript security queries `__ and `C/C++ critical queries `__. Overview ======== diff --git a/docs/query-metadata-style-guide.md b/docs/query-metadata-style-guide.md index 61ca21b8aa8..0f658fe8409 100644 --- a/docs/query-metadata-style-guide.md +++ b/docs/query-metadata-style-guide.md @@ -70,7 +70,7 @@ You must specify an `@id` property for your query. It must be unique and should * C and C++: `cpp` * C#: `cs` * Go: `go` -* Java: `java` +* Java and Kotlin: `java` * JavaScript and TypeScript: `js` * Python: `py` From 36950d9d5ccb1752a3a2a1136b043debd9226748 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 21 Sep 2023 07:50:12 -0400 Subject: [PATCH 02/14] additional changes --- docs/codeql/query-help/java.rst | 2 +- docs/codeql/query-help/javascript.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/query-help/java.rst b/docs/codeql/query-help/java.rst index 4876546d2dc..2348dbb2423 100644 --- a/docs/codeql/query-help/java.rst +++ b/docs/codeql/query-help/java.rst @@ -1,4 +1,4 @@ -CodeQL query help for Java +CodeQL query help for Java and Kotlin ========================== .. include:: ../reusables/query-help-overview.rst diff --git a/docs/codeql/query-help/javascript.rst b/docs/codeql/query-help/javascript.rst index 58fe97eb3b0..5ca017050cd 100644 --- a/docs/codeql/query-help/javascript.rst +++ b/docs/codeql/query-help/javascript.rst @@ -1,4 +1,4 @@ -CodeQL query help for JavaScript +CodeQL query help for JavaScript and TypeScript ================================ .. include:: ../reusables/query-help-overview.rst From f04a1a534a77cffe143e64edaf529e70b78dcdad Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 21 Sep 2023 08:08:34 -0400 Subject: [PATCH 03/14] one more fix --- docs/codeql/query-help/java-cwe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/query-help/java-cwe.md b/docs/codeql/query-help/java-cwe.md index bbcc061b754..58734459fe1 100644 --- a/docs/codeql/query-help/java-cwe.md +++ b/docs/codeql/query-help/java-cwe.md @@ -1,4 +1,4 @@ -# CWE coverage for Java +# CWE coverage for Java and Kotlin An overview of CWE coverage for Java in the latest release of CodeQL. From 4d9d748d514f0aa4fdefcb0b42f7f3da66fc9df0 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 21 Sep 2023 10:08:41 -0400 Subject: [PATCH 04/14] fix underlines --- .../codeql-language-guides/analyzing-data-flow-in-java.rst | 2 +- .../codeql-language-guides/basic-query-for-javascript-code.rst | 2 +- docs/codeql/codeql-language-guides/codeql-library-for-java.rst | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst index 2db91cae2dc..028e1317814 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-java.rst @@ -1,7 +1,7 @@ .. _analyzing-data-flow-in-java: Analyzing data flow in Java and Kotlin -=========================== +====================================== You can use CodeQL to track the flow of data through a Java/Kotlin program to its use. diff --git a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst index c810de4eaf1..4aab0d4c7cf 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst @@ -1,7 +1,7 @@ .. _basic-query-for-javascript-code: Basic query for JavaScript and TypeScript code -=============================== +=============================================== Learn to write and run a simple CodeQL query using Visual Studio Code with the CodeQL extension. diff --git a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst index 4359d382591..25485fc7fd1 100644 --- a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst @@ -1,7 +1,7 @@ .. _codeql-library-for-java: CodeQL library for Java and Kotlin -======================= +================================== When you're analyzing a Java/Kotlin program, you can make use of the large collection of classes in the CodeQL library for Java/Kotlin. From 9b2b40004c50579936e82be13c78f6f9883449b7 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 21 Sep 2023 10:57:33 -0400 Subject: [PATCH 05/14] remove import changes --- .../codeql-language-guides/basic-query-for-cpp-code.rst | 2 +- .../codeql-language-guides/basic-query-for-java-code.rst | 2 +- .../basic-query-for-javascript-code.rst | 2 +- docs/codeql/reusables/extractors.rst | 6 +++--- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst index 6b5675c8514..47a762b4d3e 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-cpp-code.rst @@ -52,7 +52,7 @@ After the initial ``import`` statement, this simple query comprises three parts +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | Query part | Purpose | Details | +===============================================================+===================================================================================================================+========================================================================================================================+ -| ``import c-cpp`` | Imports the standard CodeQL libraries for C/C++. | Every query begins with one or more ``import`` statements. | +| ``import cpp`` | Imports the standard CodeQL libraries for C/C++. | Every query begins with one or more ``import`` statements. | +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | ``from IfStmt ifstmt, BlockStmt block`` | Defines the variables for the query. | We use: | | | Declarations are of the form: | | diff --git a/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst index 3f3fd36affb..63944d25d43 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-java-code.rst @@ -70,7 +70,7 @@ After the initial ``import`` statement, this simple query comprises three parts +--------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------+ | Query part | Purpose | Details | +==================================================================================================+===================================================================================================================+===================================================================================================+ -| ``import java-kotlin`` | Imports the standard CodeQL libraries for Java and Kotlin. | Every query begins with one or more ``import`` statements. | +| ``import java`` | Imports the standard CodeQL libraries for Java and Kotlin. | Every query begins with one or more ``import`` statements. | +--------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------+ | ``from MethodAccess ma`` | Defines the variables for the query. | We use: | | | Declarations are of the form: | | diff --git a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst index 4aab0d4c7cf..911d9401f6f 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst @@ -50,7 +50,7 @@ After the initial ``import`` statement, this simple query comprises three parts +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | Query part | Purpose | Details | +===============================================================+===================================================================================================================+========================================================================================================================+ -| ``import javascript-typescript`` | Imports the standard CodeQL libraries for JavaScript and TypeScript. | Every query begins with one or more ``import`` statements. | +| ``import javascript`` | Imports the standard CodeQL libraries for JavaScript and TypeScript. | Every query begins with one or more ``import`` statements. | +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | ``from Expr e`` | Defines the variables for the query. | ``e`` is declared as a variable that ranges over expressions. | | | Declarations are of the form: | | diff --git a/docs/codeql/reusables/extractors.rst b/docs/codeql/reusables/extractors.rst index e1976ab0e6a..bfcd7571cb7 100644 --- a/docs/codeql/reusables/extractors.rst +++ b/docs/codeql/reusables/extractors.rst @@ -5,15 +5,15 @@ * - Language - Identifier * - C/C++ - - ``c-cpp`` + - ``cpp`` * - C# - ``csharp`` * - Go - ``go`` * - Java/Kotlin - - ``java-kotlin`` + - ``java`` * - JavaScript/TypeScript - - ``javascript-typescript`` + - ``javascript`` * - Python - ``python`` * - Ruby From 1899a6048dcb4bbb8e1a2e1b028464346f7ad237 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 21 Sep 2023 11:25:52 -0400 Subject: [PATCH 06/14] fix table --- .../codeql-language-guides/basic-query-for-javascript-code.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst index 911d9401f6f..e318235a5bb 100644 --- a/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst +++ b/docs/codeql/codeql-language-guides/basic-query-for-javascript-code.rst @@ -50,7 +50,7 @@ After the initial ``import`` statement, this simple query comprises three parts +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | Query part | Purpose | Details | +===============================================================+===================================================================================================================+========================================================================================================================+ -| ``import javascript`` | Imports the standard CodeQL libraries for JavaScript and TypeScript. | Every query begins with one or more ``import`` statements. | +| ``import javascript`` | Imports the standard CodeQL libraries for JavaScript and TypeScript. | Every query begins with one or more ``import`` statements. | +---------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------+ | ``from Expr e`` | Defines the variables for the query. | ``e`` is declared as a variable that ranges over expressions. | | | Declarations are of the form: | | From 27817ea9f0d0ab15ab552882845d863fef7b028f Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Thu, 21 Sep 2023 12:07:07 -0400 Subject: [PATCH 07/14] fix --- docs/codeql/codeql-language-guides/codeql-for-javascript.rst | 4 ++-- .../codeql/codeql-language-guides/codeql-library-for-java.rst | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/codeql/codeql-language-guides/codeql-for-javascript.rst b/docs/codeql/codeql-language-guides/codeql-for-javascript.rst index c7d8b640b21..40ecb76ee0a 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-javascript.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-javascript.rst @@ -1,7 +1,7 @@ .. _codeql-for-javascript: -CodeQL for JavaScript -===================== +CodeQL for JavaScript and TypeScript +==================================== Experiment and learn how to write effective and efficient queries for CodeQL databases generated from JavaScript and TypeScript codebases. diff --git a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst index 25485fc7fd1..1dd1c99b012 100644 --- a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst @@ -6,7 +6,7 @@ CodeQL library for Java and Kotlin When you're analyzing a Java/Kotlin program, you can make use of the large collection of classes in the CodeQL library for Java/Kotlin. About the CodeQL library for Java and Kotlin ---------------------------------- +-------------------------------------------- There is an extensive library for analyzing CodeQL databases extracted from Java/Kotlin projects. The classes in this library present the data from a database in an object-oriented form and provide abstractions and predicates to help you with common analysis tasks. From ee9873fdce687a93ddcac8d21f333a3f1482980a Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Wed, 27 Sep 2023 13:16:58 -0400 Subject: [PATCH 08/14] add kotlin to Java language guides --- ...-classes-for-working-with-java-programs.rst | 2 +- .../annotations-in-java.rst | 12 +++++++----- .../codeql-language-guides/codeql-for-java.rst | 10 +++++----- .../codeql-library-for-java.rst | 2 ++ .../customizing-library-models-for-java.rst | 18 ++++++++++-------- docs/codeql/codeql-language-guides/javadoc.rst | 4 +++- .../navigating-the-call-graph.rst | 4 ++-- .../overflow-prone-comparisons-in-java.rst | 6 ++++-- .../codeql-language-guides/types-in-java.rst | 6 ++++-- .../working-with-source-locations.rst | 6 ++++-- 10 files changed, 42 insertions(+), 28 deletions(-) diff --git a/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst b/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst index 40af6084c19..286d6bc6a7a 100644 --- a/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst +++ b/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst @@ -1,6 +1,6 @@ .. _abstract-syntax-tree-classes-for-working-with-java-programs: -Abstract syntax tree classes for working with Java programs +Abstract syntax tree classes for working with Java and Kotlin programs =========================================================== CodeQL has a large selection of classes for representing the abstract syntax tree of Java and Kotlin programs. diff --git a/docs/codeql/codeql-language-guides/annotations-in-java.rst b/docs/codeql/codeql-language-guides/annotations-in-java.rst index 423f6c708fc..d0cd7e6bd8d 100644 --- a/docs/codeql/codeql-language-guides/annotations-in-java.rst +++ b/docs/codeql/codeql-language-guides/annotations-in-java.rst @@ -1,9 +1,11 @@ .. _annotations-in-java: -Annotations in Java +Annotations in Java and Kotlin =================== -CodeQL databases of Java projects contain information about all annotations attached to program elements. +CodeQL databases of Java/Kotlin projects contain information about all annotations attached to program elements. + +.. include:: ../reusables/kotlin-beta-note.rst About working with annotations ------------------------------ @@ -15,7 +17,7 @@ Annotations are represented by these CodeQL classes: - The class ``AnnotationElement`` represents an annotation element, that is, a member of an annotation type. - The class ``Annotation`` represents an annotation such as ``@Override``; annotation values can be accessed through member predicate ``getValue``. -For example, the Java standard library defines an annotation ``SuppressWarnings`` that instructs the compiler not to emit certain kinds of warnings: +For example, the Java/Kotlin standard library defines an annotation ``SuppressWarnings`` that instructs the compiler not to emit certain kinds of warnings: .. code-block:: java @@ -101,7 +103,7 @@ As a first step, let's write a query that finds all ``@Override`` annotations. A where ann.getType().hasQualifiedName("java.lang", "Override") select ann -As always, it is a good idea to try this query on a CodeQL database for a Java project to make sure it actually produces some results. On the earlier example, it should find the annotation on ``Sub1.m``. Next, we encapsulate the concept of an ``@Override`` annotation as a CodeQL class: +As always, it is a good idea to try this query on a CodeQL database for a Java/Kotlin project to make sure it actually produces some results. On the earlier example, it should find the annotation on ``Sub1.m``. Next, we encapsulate the concept of an ``@Override`` annotation as a CodeQL class: :: @@ -185,7 +187,7 @@ For more information about the class ``Call``, see ":doc:`Navigating the call gr Improvements ~~~~~~~~~~~~ -The Java standard library provides another annotation type ``java.lang.SupressWarnings`` that can be used to suppress certain categories of warnings. In particular, it can be used to turn off warnings about calls to deprecated methods. Therefore, it makes sense to improve our query to ignore calls to deprecated methods from inside methods that are marked with ``@SuppressWarnings("deprecation")``. +The Java/Kotlin standard library provides another annotation type ``java.lang.SupressWarnings`` that can be used to suppress certain categories of warnings. In particular, it can be used to turn off warnings about calls to deprecated methods. Therefore, it makes sense to improve our query to ignore calls to deprecated methods from inside methods that are marked with ``@SuppressWarnings("deprecation")``. For instance, consider this slightly updated example: diff --git a/docs/codeql/codeql-language-guides/codeql-for-java.rst b/docs/codeql/codeql-language-guides/codeql-for-java.rst index 4c63faea1d9..13fa4c92625 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-java.rst @@ -32,16 +32,16 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat - :doc:`Analyzing data flow in Java and Kotlin `: You can use CodeQL to track the flow of data through a Java/Kotlin program to its use. -- :doc:`Java types `: You can use CodeQL to find out information about data types used in Java code. This allows you to write queries to identify specific type-related issues. +- :doc:`Java and Kotlin types `: You can use CodeQL to find out information about data types used in Java/Kotlin code. This allows you to write queries to identify specific type-related issues. -- :doc:`Overflow-prone comparisons in Java `: You can use CodeQL to check for comparisons in Java code where one side of the comparison is prone to overflow. +- :doc:`Overflow-prone comparisons in Java and Kotlin `: You can use CodeQL to check for comparisons in Java/Kotlin code where one side of the comparison is prone to overflow. - :doc:`Navigating the call graph `: CodeQL has classes for identifying code that calls other code, and code that can be called from elsewhere. This allows you to find, for example, methods that are never used. -- :doc:`Annotations in Java `: CodeQL databases of Java projects contain information about all annotations attached to program elements. +- :doc:`Annotations in Java and Kotlin `: CodeQL databases of Java/Kotlin projects contain information about all annotations attached to program elements. -- :doc:`Javadoc `: You can use CodeQL to find errors in Javadoc comments in Java code. +- :doc:`Javadoc `: You can use CodeQL to find errors in Javadoc comments in Java/Kotlin code. -- :doc:`Working with source locations `: You can use the location of entities within Java code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem. +- :doc:`Working with source locations `: You can use the location of entities within Java/Kotlin code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem. - :doc:`Abstract syntax tree classes for working with Java and Kotlin programs `: CodeQL has a large selection of classes for representing the abstract syntax tree of Java/Kotlin programs. diff --git a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst index 1dd1c99b012..c122ab5f7e3 100644 --- a/docs/codeql/codeql-language-guides/codeql-library-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-library-for-java.rst @@ -5,6 +5,8 @@ CodeQL library for Java and Kotlin When you're analyzing a Java/Kotlin program, you can make use of the large collection of classes in the CodeQL library for Java/Kotlin. +.. include:: ../reusables/kotlin-beta-note.rst + About the CodeQL library for Java and Kotlin -------------------------------------------- diff --git a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst b/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst index 707ae531fc1..1bc0149e3dd 100644 --- a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst +++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst @@ -3,12 +3,14 @@ :orphan: :nosearch: -Customizing Library Models for Java +Customizing Library Models for Java and Kotlin =================================== .. include:: ../reusables/beta-note-customizing-library-models.rst -The Java analysis can be customized by adding library models (summaries, sinks and sources) in data extension files. +.. include:: ../reusables/kotlin-beta-note.rst + +The Java/Kotlin analysis can be customized by adding library models (summaries, sinks and sources) in data extension files. A model is a definition of a behavior of a library element, such as a method, that is used to improve the data flow analysis precision by identifying more results. Most of the security related queries are taint tracking queries that try to find paths from a source of untrusted input to a sink that represents a vulnerability. Sources are the starting points of a taint tracking data flow analysis, and sinks are the end points of a taint tracking data flow analysis. @@ -30,7 +32,7 @@ A data extension file for Java is a YAML file in the form: Data extensions contribute to the extensible predicates defined in the CodeQL library. For more information on how to define data extensions and extensible predicates as well as how to wire them up, see the :ref:`data-extensions` documentation. -The CodeQL library for Java exposes the following extensible predicates: +The CodeQL library for Java/Kotlin exposes the following extensible predicates: - **sourceModel**\(package, type, subtypes, name, signature, ext, output, kind, provenance). This is used for **source** models. - **sinkModel**\(package, type, subtypes, name, signature, ext, input, kind, provenance). This is used for **sink** models. @@ -48,7 +50,7 @@ Example: Taint sink in the **java.sql** package In this example we will show how to model the argument of the **execute** method as a SQL injection sink. This is the **execute** method in the **Statement** class, which is located in the **java.sql** package. -Note that this sink is already added to the CodeQL Java analysis. +Note that this sink is already added to the CodeQL Java/Kotlin analysis. .. code-block:: java @@ -89,7 +91,7 @@ Example: Taint source from the **java.net** package ---------------------------------------------------- In this example we show how to model the return value from the **getInputStream** method as a **remote** source. This is the **getInputStream** method in the **Socket** class, which is located in the **java.net** package. -Note that this source is already added to the CodeQL Java analysis. +Note that this source is already added to the CodeQL Java/Kotlin analysis. .. code-block:: java @@ -130,7 +132,7 @@ Example: Add flow through the **concat** method ------------------------------------------------ In this example we show how to model flow through a method for a simple case. This pattern covers many of the cases where we need to define flow through a method. -Note that the flow through the **concat** method is already added to the CodeQL Java analysis. +Note that the flow through the **concat** method is already added to the CodeQL Java/Kotlin analysis. .. code-block:: java @@ -178,7 +180,7 @@ Example: Add flow through the **map** method --------------------------------------------- In this example, we will see a more complex example of modeling flow through a method. This pattern shows how to model flow through higher order methods and collection types. -Note that the flow through the **map** method is already added to the CodeQL Java analysis. +Note that the flow through the **map** method is already added to the CodeQL Java/Kotlin analysis. .. code-block:: java @@ -238,7 +240,7 @@ Example: Add a **neutral** method ---------------------------------- In this example we will show how to model the **now** method as being neutral with respect to flow. A neutral model is used to define that there is no flow through a method. -Note that the neutral model for the **now** method is already added to the CodeQL Java analysis. +Note that the neutral model for the **now** method is already added to the CodeQL Java/Kotlin analysis. .. code-block:: java diff --git a/docs/codeql/codeql-language-guides/javadoc.rst b/docs/codeql/codeql-language-guides/javadoc.rst index c1bce79a0a2..0b18e97373e 100644 --- a/docs/codeql/codeql-language-guides/javadoc.rst +++ b/docs/codeql/codeql-language-guides/javadoc.rst @@ -3,7 +3,9 @@ Javadoc ======= -You can use CodeQL to find errors in Javadoc comments in Java code. +You can use CodeQL to find errors in Javadoc comments in Java/Kotlin code. + +.. include:: ../reusables/kotlin-beta-note.rst About analyzing Javadoc ----------------------- diff --git a/docs/codeql/codeql-language-guides/navigating-the-call-graph.rst b/docs/codeql/codeql-language-guides/navigating-the-call-graph.rst index 6db902ea4b8..6e1b443f96b 100644 --- a/docs/codeql/codeql-language-guides/navigating-the-call-graph.rst +++ b/docs/codeql/codeql-language-guides/navigating-the-call-graph.rst @@ -8,7 +8,7 @@ CodeQL has classes for identifying code that calls other code, and code that can Call graph classes ------------------ -The CodeQL library for Java provides two abstract classes for representing a program's call graph: ``Callable`` and ``Call``. The former is simply the common superclass of ``Method`` and ``Constructor``, the latter is a common superclass of ``MethodAccess``, ``ClassInstanceExpression``, ``ThisConstructorInvocationStmt`` and ``SuperConstructorInvocationStmt``. Simply put, a ``Callable`` is something that can be invoked, and a ``Call`` is something that invokes a ``Callable``. +The CodeQL library for Java/Kotlin provides two abstract classes for representing a program's call graph: ``Callable`` and ``Call``. The former is simply the common superclass of ``Method`` and ``Constructor``, the latter is a common superclass of ``MethodAccess``, ``ClassInstanceExpression``, ``ThisConstructorInvocationStmt`` and ``SuperConstructorInvocationStmt``. Simply put, a ``Callable`` is something that can be invoked, and a ``Call`` is something that invokes a ``Callable``. For example, in the following program all callables and calls have been annotated with comments: @@ -88,7 +88,7 @@ This simple query typically returns a large number of results. We have to use ``polyCalls`` instead of ``calls`` here: we want to be reasonably sure that ``callee`` is not called, either directly or via overriding. -Running this query on a typical Java project results in lots of hits in the Java standard library. This makes sense, since no single client program uses every method of the standard library. More generally, we may want to exclude methods and constructors from compiled libraries. We can use the predicate ``fromSource`` to check whether a compilation unit is a source file, and refine our query: +Running this query on a typical Java/Kotlin project results in lots of hits in the Java/Kotlin standard library. This makes sense, since no single client program uses every method of the standard library. More generally, we may want to exclude methods and constructors from compiled libraries. We can use the predicate ``fromSource`` to check whether a compilation unit is a source file, and refine our query: .. code-block:: ql diff --git a/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst b/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst index 53c36c7f786..44072c5fbf2 100644 --- a/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst +++ b/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst @@ -1,9 +1,11 @@ .. _overflow-prone-comparisons-in-java: -Overflow-prone comparisons in Java +Overflow-prone comparisons in Java and Kotlin ================================== -You can use CodeQL to check for comparisons in Java code where one side of the comparison is prone to overflow. +You can use CodeQL to check for comparisons in Java/Kotlin code where one side of the comparison is prone to overflow. + +.. include:: ../reusables/kotlin-beta-note.rst About this article ------------------ diff --git a/docs/codeql/codeql-language-guides/types-in-java.rst b/docs/codeql/codeql-language-guides/types-in-java.rst index 3bb1c59fed7..0756460909f 100644 --- a/docs/codeql/codeql-language-guides/types-in-java.rst +++ b/docs/codeql/codeql-language-guides/types-in-java.rst @@ -1,9 +1,11 @@ .. _types-in-java: -Types in Java +Types in Java and Kotlin ============= -You can use CodeQL to find out information about data types used in Java code. This allows you to write queries to identify specific type-related issues. +You can use CodeQL to find out information about data types used in Java/Kotlin code. This allows you to write queries to identify specific type-related issues. + +.. include:: ../reusables/kotlin-beta-note.rst About working with Java types ----------------------------- diff --git a/docs/codeql/codeql-language-guides/working-with-source-locations.rst b/docs/codeql/codeql-language-guides/working-with-source-locations.rst index 90cc5f17849..350e38097ab 100644 --- a/docs/codeql/codeql-language-guides/working-with-source-locations.rst +++ b/docs/codeql/codeql-language-guides/working-with-source-locations.rst @@ -3,7 +3,9 @@ Working with source locations ============================= -You can use the location of entities within Java code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem. +You can use the location of entities within Java/Kotlin code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem. + +.. include:: ../reusables/kotlin-beta-note.rst About source locations ---------------------- @@ -175,7 +177,7 @@ Now we can extend our query to discard results where the outer and the inner exp wsinner > wsouter select outer, "Whitespace around nested operators contradicts precedence." -Notice that we again use ``getOp``, this time to determine whether two binary expressions have the same operator. Running our improved query now finds the Java standard library bug described in the Overview. It also flags up the following suspicious code in `Hadoop HBase `__: +Notice that we again use ``getOp``, this time to determine whether two binary expressions have the same operator. Running our improved query now finds the Java/Kotlin standard library bug described in the Overview. It also flags up the following suspicious code in `Hadoop HBase `__: .. code-block:: java From deb47e34b8e5c840fdf4c31a0b975f06cdbb18ea Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Wed, 27 Sep 2023 15:01:42 -0400 Subject: [PATCH 09/14] fix underlines --- ...tract-syntax-tree-classes-for-working-with-java-programs.rst | 2 +- .../customizing-library-models-for-java.rst | 2 +- .../overflow-prone-comparisons-in-java.rst | 2 +- docs/codeql/codeql-language-guides/types-in-java.rst | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst b/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst index 286d6bc6a7a..f903b538926 100644 --- a/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst +++ b/docs/codeql/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs.rst @@ -1,7 +1,7 @@ .. _abstract-syntax-tree-classes-for-working-with-java-programs: Abstract syntax tree classes for working with Java and Kotlin programs -=========================================================== +====================================================================== CodeQL has a large selection of classes for representing the abstract syntax tree of Java and Kotlin programs. diff --git a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst b/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst index 1bc0149e3dd..87304d779c8 100644 --- a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst +++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst @@ -4,7 +4,7 @@ :nosearch: Customizing Library Models for Java and Kotlin -=================================== +============================================== .. include:: ../reusables/beta-note-customizing-library-models.rst diff --git a/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst b/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst index 44072c5fbf2..a667c670fbe 100644 --- a/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst +++ b/docs/codeql/codeql-language-guides/overflow-prone-comparisons-in-java.rst @@ -1,7 +1,7 @@ .. _overflow-prone-comparisons-in-java: Overflow-prone comparisons in Java and Kotlin -================================== +============================================= You can use CodeQL to check for comparisons in Java/Kotlin code where one side of the comparison is prone to overflow. diff --git a/docs/codeql/codeql-language-guides/types-in-java.rst b/docs/codeql/codeql-language-guides/types-in-java.rst index 0756460909f..733a177c65b 100644 --- a/docs/codeql/codeql-language-guides/types-in-java.rst +++ b/docs/codeql/codeql-language-guides/types-in-java.rst @@ -1,7 +1,7 @@ .. _types-in-java: Types in Java and Kotlin -============= +======================== You can use CodeQL to find out information about data types used in Java/Kotlin code. This allows you to write queries to identify specific type-related issues. From 9609cafab41ee4459a439c37d275da6e788b14f0 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Wed, 27 Sep 2023 16:27:32 -0400 Subject: [PATCH 10/14] Update annotations-in-java.rst --- docs/codeql/codeql-language-guides/annotations-in-java.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-language-guides/annotations-in-java.rst b/docs/codeql/codeql-language-guides/annotations-in-java.rst index d0cd7e6bd8d..083cf471ef8 100644 --- a/docs/codeql/codeql-language-guides/annotations-in-java.rst +++ b/docs/codeql/codeql-language-guides/annotations-in-java.rst @@ -1,7 +1,7 @@ .. _annotations-in-java: Annotations in Java and Kotlin -=================== +============================== CodeQL databases of Java/Kotlin projects contain information about all annotations attached to program elements. From 925d8e21cece93420df9513c6f054d5a8709dd4c Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Fri, 29 Sep 2023 09:45:34 -0400 Subject: [PATCH 11/14] Apply suggestions from code review Co-authored-by: Felicity Chapman --- docs/codeql/query-help/java.rst | 2 +- docs/codeql/query-help/javascript.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/codeql/query-help/java.rst b/docs/codeql/query-help/java.rst index 2348dbb2423..7a6a4b73f6e 100644 --- a/docs/codeql/query-help/java.rst +++ b/docs/codeql/query-help/java.rst @@ -1,5 +1,5 @@ CodeQL query help for Java and Kotlin -========================== +===================================== .. include:: ../reusables/query-help-overview.rst diff --git a/docs/codeql/query-help/javascript.rst b/docs/codeql/query-help/javascript.rst index 5ca017050cd..88c45788dd1 100644 --- a/docs/codeql/query-help/javascript.rst +++ b/docs/codeql/query-help/javascript.rst @@ -1,5 +1,5 @@ CodeQL query help for JavaScript and TypeScript -================================ +=============================================== .. include:: ../reusables/query-help-overview.rst From c0653adc85573640a2d118f27b26e45fe95c7a70 Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Fri, 29 Sep 2023 09:57:48 -0400 Subject: [PATCH 12/14] remove trailing space --- .../customizing-library-models-for-java.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst b/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst index 87304d779c8..cbd8d6c1fad 100644 --- a/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst +++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst @@ -3,7 +3,7 @@ :orphan: :nosearch: -Customizing Library Models for Java and Kotlin +Customizing Library Models for Java and Kotlin ============================================== .. include:: ../reusables/beta-note-customizing-library-models.rst From b6b554f384edd25bdd47e22b2c30920a391917ad Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Fri, 29 Sep 2023 10:07:22 -0400 Subject: [PATCH 13/14] Apply suggestions from code review Co-authored-by: Henry Mercer --- docs/codeql/codeql-language-guides/javadoc.rst | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/codeql/codeql-language-guides/javadoc.rst b/docs/codeql/codeql-language-guides/javadoc.rst index 0b18e97373e..c1bce79a0a2 100644 --- a/docs/codeql/codeql-language-guides/javadoc.rst +++ b/docs/codeql/codeql-language-guides/javadoc.rst @@ -3,9 +3,7 @@ Javadoc ======= -You can use CodeQL to find errors in Javadoc comments in Java/Kotlin code. - -.. include:: ../reusables/kotlin-beta-note.rst +You can use CodeQL to find errors in Javadoc comments in Java code. About analyzing Javadoc ----------------------- From f29063bca37874c8fcdee4aa9e96e5872218439f Mon Sep 17 00:00:00 2001 From: Sarita Iyer <66540150+saritai@users.noreply.github.com> Date: Fri, 29 Sep 2023 10:44:27 -0400 Subject: [PATCH 14/14] Update codeql-for-java.rst --- docs/codeql/codeql-language-guides/codeql-for-java.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/codeql/codeql-language-guides/codeql-for-java.rst b/docs/codeql/codeql-language-guides/codeql-for-java.rst index 13fa4c92625..97f212ac64b 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-java.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-java.rst @@ -40,7 +40,7 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat - :doc:`Annotations in Java and Kotlin `: CodeQL databases of Java/Kotlin projects contain information about all annotations attached to program elements. -- :doc:`Javadoc `: You can use CodeQL to find errors in Javadoc comments in Java/Kotlin code. +- :doc:`Javadoc `: You can use CodeQL to find errors in Javadoc comments in Java code. - :doc:`Working with source locations `: You can use the location of entities within Java/Kotlin code to look for potential errors. Locations allow you to deduce the presence, or absence, of white space which, in some cases, may indicate a problem.