From 041adcd63a567d28e769c1578f37991b42ff738f Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Fri, 21 Mar 2025 16:28:20 +0000 Subject: [PATCH 01/15] Java: Add initial version of string replaceAll with no regex query --- .../StringReplaceAllWithNonRegex.md | 28 +++++++++++++++++++ .../StringReplaceAllWithNonRegex.ql | 20 +++++++++++++ .../StringReplaceAllWithNonRegex.expected | 1 + .../StringReplaceAllWithNonRegex.qlref | 1 + .../StringReplaceAllWithNonRegex/Test.java | 7 +++++ 5 files changed, 57 insertions(+) create mode 100644 java/ql/src/Performance/StringReplaceAllWithNonRegex.md create mode 100644 java/ql/src/Performance/StringReplaceAllWithNonRegex.ql create mode 100644 java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected create mode 100644 java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref create mode 100644 java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md new file mode 100644 index 000000000000..b38ee002f979 --- /dev/null +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md @@ -0,0 +1,28 @@ +# J-STR-001: Use of `String.replaceAll` with a first argument of a non regular expression + +Using `String.replaceAll` is less performant than `String.replace` when the first argument is not a regular expression. + +## Overview + +The underlying implementation of `String.replaceAll` uses `Pattern.compile` and expects a regular expression as its first argument. However in cases where the argument could be represented by just a plain `String` that does not represent an interesting regular expression, a call to `String.replace` may be more performant as it does not need to compile the regular expression. + +## Recommendation + +Use `String.replace` instead where a `replaceAll` call uses a trivial string as its first argument. + +## Example + +```java +public class Test { + void f() { + String s1 = "test"; + s1 = s1.replaceAll("t", "x"); // NON_COMPLIANT + s1 = s1.replaceAll(".*", "x"); // COMPLIANT + } +} + +``` + +## References + +- [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql new file mode 100644 index 000000000000..d5d4c63cc6e5 --- /dev/null +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -0,0 +1,20 @@ +/** + * @id java/string-replace-all-with-non-regex + * @name J-STR-001: Use of `String#replaceAll` with a first argument of a non regular expression + * @description Using `String#replaceAll` is less performant than `String#replace` when the first + * argument is not a regular expression. + * @kind problem + * @precision very-high + * @problem.severity recommendation + * @tags performance + */ + +import java + +from MethodCall replaceAllCall +where + replaceAllCall.getMethod().hasQualifiedName("java.lang", "String", "replaceAll") and + //only contains characters that could be a simple string + replaceAllCall.getArgument(0).(StringLiteral).getValue().regexpMatch("^[a-zA-Z0-9]+$") +select replaceAllCall, + "Call to 'replaceAll' uses an argument comprised of plain string characters only." diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected new file mode 100644 index 000000000000..f47e86d1f0e3 --- /dev/null +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected @@ -0,0 +1 @@ +| Test.java:4:14:4:36 | replaceAll(...) | Call to 'replaceAll' uses an argument comprised of plain string characters only. | diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref new file mode 100644 index 000000000000..c82994caef5a --- /dev/null +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref @@ -0,0 +1 @@ +Performance/StringReplaceAllWithNonRegex.ql diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java new file mode 100644 index 000000000000..e2734f101350 --- /dev/null +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java @@ -0,0 +1,7 @@ +public class Test { + void f() { + String s1 = "test"; + s1 = s1.replaceAll("t", "x"); // NON_COMPLIANT + s1 = s1.replaceAll(".*", "x"); // COMPLIANT + } +} From ff2947a0e5da92daf993aa32cb8bbe71f4d861cb Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 25 Mar 2025 11:34:39 +0000 Subject: [PATCH 02/15] Adjust query name --- java/ql/src/Performance/StringReplaceAllWithNonRegex.md | 2 +- java/ql/src/Performance/StringReplaceAllWithNonRegex.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md index b38ee002f979..d9e8c722782d 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md @@ -1,4 +1,4 @@ -# J-STR-001: Use of `String.replaceAll` with a first argument of a non regular expression +# Use of `String#replaceAll` with a first argument which is not a regular expression Using `String.replaceAll` is less performant than `String.replace` when the first argument is not a regular expression. diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql index d5d4c63cc6e5..02768d6817e5 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -1,6 +1,6 @@ /** * @id java/string-replace-all-with-non-regex - * @name J-STR-001: Use of `String#replaceAll` with a first argument of a non regular expression + * @name Use of `String#replaceAll` with a first argument which is not a regular expression * @description Using `String#replaceAll` is less performant than `String#replace` when the first * argument is not a regular expression. * @kind problem From b5b252b10f7f8ae735c093a03c3ce3feadb83cee Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 25 Mar 2025 11:36:37 +0000 Subject: [PATCH 03/15] Convert test to inline expectations --- .../StringReplaceAllWithNonRegex.qlref | 3 ++- .../test/query-tests/StringReplaceAllWithNonRegex/Test.java | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref index c82994caef5a..7737507b19e9 100644 --- a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref @@ -1 +1,2 @@ -Performance/StringReplaceAllWithNonRegex.ql +query: Performance/StringReplaceAllWithNonRegex.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java index e2734f101350..e3d9dafb5312 100644 --- a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java @@ -1,7 +1,7 @@ public class Test { void f() { String s1 = "test"; - s1 = s1.replaceAll("t", "x"); // NON_COMPLIANT - s1 = s1.replaceAll(".*", "x"); // COMPLIANT + s1 = s1.replaceAll("t", "x"); // $ Alert + s1 = s1.replaceAll(".*", "x"); } } From 441c79ebdf999dfb4802dcf2a418770da72eff17 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 25 Mar 2025 11:38:07 +0000 Subject: [PATCH 04/15] Use existing class StringReplaceAllCall --- java/ql/src/Performance/StringReplaceAllWithNonRegex.ql | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql index 02768d6817e5..a5918c642ea3 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -11,9 +11,8 @@ import java -from MethodCall replaceAllCall +from StringReplaceAllCall replaceAllCall where - replaceAllCall.getMethod().hasQualifiedName("java.lang", "String", "replaceAll") and //only contains characters that could be a simple string replaceAllCall.getArgument(0).(StringLiteral).getValue().regexpMatch("^[a-zA-Z0-9]+$") select replaceAllCall, From fea3d10b97a7d8659b22ce46778f5d550786024b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 25 Mar 2025 11:41:59 +0000 Subject: [PATCH 05/15] Update qhelp --- java/ql/src/Performance/StringReplaceAllWithNonRegex.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md index d9e8c722782d..b5b35fcceff4 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md @@ -1,14 +1,14 @@ # Use of `String#replaceAll` with a first argument which is not a regular expression -Using `String.replaceAll` is less performant than `String.replace` when the first argument is not a regular expression. +Using `String#replaceAll` is less performant than `String#replace` when the first argument is not a regular expression. ## Overview -The underlying implementation of `String.replaceAll` uses `Pattern.compile` and expects a regular expression as its first argument. However in cases where the argument could be represented by just a plain `String` that does not represent an interesting regular expression, a call to `String.replace` may be more performant as it does not need to compile the regular expression. +The underlying implementation of `String#replaceAll` uses `Pattern#compile` and expects a regular expression as its first argument. However in cases where the argument could be represented by just a plain `String` that does not represent an interesting regular expression, a call to `String#replace` may be more performant as it does not need to compile the regular expression. ## Recommendation -Use `String.replace` instead where a `replaceAll` call uses a trivial string as its first argument. +Use `String#replace` instead where a `replaceAll` call uses a trivial string as its first argument. ## Example @@ -25,4 +25,4 @@ public class Test { ## References -- [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)) +- Java SE Documentation: [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)). From 042fe074944033bb6d0ce7ff2fe7ab3cb96b382b Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 25 Mar 2025 11:50:42 +0000 Subject: [PATCH 06/15] Adjust alert message --- java/ql/src/Performance/StringReplaceAllWithNonRegex.ql | 8 +++++--- .../StringReplaceAllWithNonRegex.expected | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql index a5918c642ea3..49198bc5219a 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -11,9 +11,11 @@ import java -from StringReplaceAllCall replaceAllCall +from StringReplaceAllCall replaceAllCall, StringLiteral firstArg where + firstArg = replaceAllCall.getArgument(0) and //only contains characters that could be a simple string - replaceAllCall.getArgument(0).(StringLiteral).getValue().regexpMatch("^[a-zA-Z0-9]+$") + firstArg.getValue().regexpMatch("^[a-zA-Z0-9]+$") select replaceAllCall, - "Call to 'replaceAll' uses an argument comprised of plain string characters only." + "This call to 'replaceAll' should be a call `replace` as its $@ is not a regular expression.", + firstArg, "first argument" diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected index f47e86d1f0e3..c64ee0db3343 100644 --- a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected @@ -1 +1 @@ -| Test.java:4:14:4:36 | replaceAll(...) | Call to 'replaceAll' uses an argument comprised of plain string characters only. | +| Test.java:4:14:4:36 | replaceAll(...) | This call to 'replaceAll' should be a call `replace` as its $@ is not a regular expression. | Test.java:4:28:4:30 | "t" | first argument | From c4e56b1ec8cf4911577cc72f9d6809c3e18efe3e Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 25 Mar 2025 13:44:21 +0000 Subject: [PATCH 07/15] Add quality and cwe tag to query CWE-1176: Inefficient CPU Computation --- java/ql/src/Performance/StringReplaceAllWithNonRegex.md | 1 + java/ql/src/Performance/StringReplaceAllWithNonRegex.ql | 2 ++ 2 files changed, 3 insertions(+) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md index b5b35fcceff4..4b14303bd7a2 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md @@ -26,3 +26,4 @@ public class Test { ## References - Java SE Documentation: [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)). +- Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql index 49198bc5219a..3f0fb5829dde 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -7,6 +7,8 @@ * @precision very-high * @problem.severity recommendation * @tags performance + * quality + * external/cwe/cwe-1176 */ import java From 626a7d50074befe1092981198c7ca7d8d67ac310 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 26 Mar 2025 10:19:31 +0000 Subject: [PATCH 08/15] Fix punctuation --- java/ql/src/Performance/StringReplaceAllWithNonRegex.md | 2 +- java/ql/src/Performance/StringReplaceAllWithNonRegex.ql | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md index 4b14303bd7a2..a297ad519f84 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md @@ -26,4 +26,4 @@ public class Test { ## References - Java SE Documentation: [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)). -- Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html) +- Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html). diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql index 3f0fb5829dde..d02a7ff0a08a 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -19,5 +19,5 @@ where //only contains characters that could be a simple string firstArg.getValue().regexpMatch("^[a-zA-Z0-9]+$") select replaceAllCall, - "This call to 'replaceAll' should be a call `replace` as its $@ is not a regular expression.", + "This call to 'replaceAll' should be a call to 'replace' as its $@ is not a regular expression.", firstArg, "first argument" From 04ec1d783062d709442d60fa9789977139ebff45 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 26 Mar 2025 11:01:09 +0000 Subject: [PATCH 09/15] Update test expectations --- .../StringReplaceAllWithNonRegex.expected | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected index c64ee0db3343..944dd3d23a3d 100644 --- a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected @@ -1 +1 @@ -| Test.java:4:14:4:36 | replaceAll(...) | This call to 'replaceAll' should be a call `replace` as its $@ is not a regular expression. | Test.java:4:28:4:30 | "t" | first argument | +| Test.java:4:14:4:36 | replaceAll(...) | This call to 'replaceAll' should be a call to 'replace' as its $@ is not a regular expression. | Test.java:4:28:4:30 | "t" | first argument | From e1c5517de71b8f73338c9dcd02582ddb20a03dcb Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 27 Mar 2025 11:40:53 +0000 Subject: [PATCH 10/15] Keep COMPLIANT and NON_COMPLIANT comments in test --- .../test/query-tests/StringReplaceAllWithNonRegex/Test.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java index e3d9dafb5312..1465343b8c2e 100644 --- a/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java +++ b/java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java @@ -1,7 +1,7 @@ public class Test { void f() { String s1 = "test"; - s1 = s1.replaceAll("t", "x"); // $ Alert - s1 = s1.replaceAll(".*", "x"); + s1 = s1.replaceAll("t", "x"); // $ Alert // NON_COMPLIANT + s1 = s1.replaceAll(".*", "x"); // COMPLIANT } } From 3ea5cc1b66670181d96e5cd7e28ca69933f06d13 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 27 Mar 2025 16:00:05 +0000 Subject: [PATCH 11/15] Add query to code-quality query suite --- java/ql/src/codeql-suites/java-code-quality.qls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/ql/src/codeql-suites/java-code-quality.qls b/java/ql/src/codeql-suites/java-code-quality.qls index ac1f52624c4f..0f6151a5e8d4 100644 --- a/java/ql/src/codeql-suites/java-code-quality.qls +++ b/java/ql/src/codeql-suites/java-code-quality.qls @@ -11,4 +11,5 @@ - java/unused-container - java/input-resource-leak - java/output-resource-leak - - java/type-variable-hides-type \ No newline at end of file + - java/type-variable-hides-type + - java/string-replace-all-with-non-regex From ad89e7980ef1d3eb05bd5917de0aad9db81da668 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 31 Mar 2025 22:45:02 +0100 Subject: [PATCH 12/15] Tweak documentation --- java/ql/src/Performance/StringReplaceAllWithNonRegex.md | 2 +- java/ql/src/Performance/StringReplaceAllWithNonRegex.ql | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md index a297ad519f84..6e298b4955b6 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.md +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.md @@ -4,7 +4,7 @@ Using `String#replaceAll` is less performant than `String#replace` when the firs ## Overview -The underlying implementation of `String#replaceAll` uses `Pattern#compile` and expects a regular expression as its first argument. However in cases where the argument could be represented by just a plain `String` that does not represent an interesting regular expression, a call to `String#replace` may be more performant as it does not need to compile the regular expression. +The `String#replaceAll` method is designed to work with regular expressions as its first parameter. When you use a simple string without any regex patterns (like special characters or syntax), it's more efficient to use `String#replace` instead. This is because `replaceAll` has to compile the input as a regular expression first, which adds unnecessary overhead when you are just replacing literal text. ## Recommendation diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql index d02a7ff0a08a..3f662b60cf3b 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -1,8 +1,8 @@ /** * @id java/string-replace-all-with-non-regex * @name Use of `String#replaceAll` with a first argument which is not a regular expression - * @description Using `String#replaceAll` is less performant than `String#replace` when the first - * argument is not a regular expression. + * @description Using `String#replaceAll` with a first argument which is not a regular expression + * is less efficient than using `String#replace`. * @kind problem * @precision very-high * @problem.severity recommendation From 576f4cf19f92f82960ff55283229763c432a2576 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Apr 2025 12:20:31 +0100 Subject: [PATCH 13/15] Update tags --- java/ql/src/Performance/StringReplaceAllWithNonRegex.ql | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql index 3f662b60cf3b..bc05b3bf063b 100644 --- a/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql +++ b/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql @@ -6,8 +6,9 @@ * @kind problem * @precision very-high * @problem.severity recommendation - * @tags performance - * quality + * @tags quality + * reliability + * performance * external/cwe/cwe-1176 */ From acfcc6d490b985e3726a0a29d9748a686df8368f Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Apr 2025 12:35:42 +0100 Subject: [PATCH 14/15] Sort ids in `java-code-quality.qls` --- java/ql/src/codeql-suites/java-code-quality.qls | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/java/ql/src/codeql-suites/java-code-quality.qls b/java/ql/src/codeql-suites/java-code-quality.qls index 0f6151a5e8d4..2eafe785532e 100644 --- a/java/ql/src/codeql-suites/java-code-quality.qls +++ b/java/ql/src/codeql-suites/java-code-quality.qls @@ -1,15 +1,15 @@ - queries: . - include: id: - - java/suspicious-date-format - - java/integer-multiplication-cast-to-long - - java/equals-on-unrelated-types - java/contradictory-type-checks - - java/reference-equality-of-boxed-types + - java/equals-on-unrelated-types - java/inconsistent-equals-and-hashcode - - java/unchecked-cast-in-equals - - java/unused-container - java/input-resource-leak + - java/integer-multiplication-cast-to-long - java/output-resource-leak - - java/type-variable-hides-type + - java/reference-equality-of-boxed-types - java/string-replace-all-with-non-regex + - java/suspicious-date-format + - java/type-variable-hides-type + - java/unchecked-cast-in-equals + - java/unused-container From 4f5bdbb5174dbecf06e848493185756abf866732 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 10 Apr 2025 14:37:11 +0100 Subject: [PATCH 15/15] Add new query to java-code-quality.qls.expected --- .../java/query-suite/java-code-quality.qls.expected | 1 + 1 file changed, 1 insertion(+) diff --git a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected index 6f396573aa16..2cff4a3eaa62 100644 --- a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected +++ b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected @@ -9,3 +9,4 @@ ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql ql/java/ql/src/Likely Bugs/Likely Typos/SuspiciousDateFormat.ql ql/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql ql/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql +ql/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql