Migrate Java code to separate QL repo.

Author: pavgust

java/ql/src/.project

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>semmlecode-queries</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+	</buildSpec>
+	<natures>
+		<nature>com.semmle.plugin.qdt.core.qlnature</nature>
+	</natures>
+</projectDescription>

java/ql/src/.qlpath

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<ns:qlpath xmlns:ns="https://semmle.com/schemas/qlpath">
+    <dbscheme>/semmlecode-queries/config/semmlecode.dbscheme</dbscheme>
+    <defaultImports><defaultImport>java</defaultImport></defaultImports>
+</ns:qlpath>

java/ql/src/.settings/org.eclipse.jdt.core.prefs

@@ -0,0 +1,7 @@
+#Tue Nov 04 11:42:37 GMT 2008
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5
+org.eclipse.jdt.core.compiler.compliance=1.5
+org.eclipse.jdt.core.compiler.problem.assertIdentifier=error
+org.eclipse.jdt.core.compiler.problem.enumIdentifier=error
+org.eclipse.jdt.core.compiler.source=1.5

java/ql/src/.vs/VSWorkspaceSettings.json

@@ -0,0 +1,8 @@
+{
+    "ql.projects" : {
+        "." : {
+            "dbScheme" : "config/semmlecode.dbscheme",
+            "libraryPath" : []
+        }
+    }
+}

java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.java

@@ -0,0 +1,15 @@
+class Rectangle
+{
+    private int w = 10, h = 10;
+    public int getArea() { 
+        return w * h; 
+    }
+}
+ 
+class Triangle extends Rectangle
+{
+    @Override  // Annotation of an overriding method 
+    public int getArea() { 
+        return super.getArea() / 2; 
+    }
+}

java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.qhelp

@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>
+Java enables you to annotate methods that are intended to override a method in a superclass. 
+Compilers are required to generate an error if such an annotated method does not override a method
+in a superclass, which provides increased protection from potential defects. An annotated method also
+improves code readability.
+</p>
+
+</overview>
+<recommendation>
+
+<p>
+Add an <code>@Override</code> annotation to a method that is intended to override a method in a
+superclass.
+</p>
+
+</recommendation>
+<example>
+
+<p>In the following example, <code>Triangle.getArea</code> overrides <code>Rectangle.getArea</code>,
+so it is annotated with <code>@Override</code>.</p>
+
+<sample src="MissingOverrideAnnotation.java" />
+
+</example>
+<references>
+
+
+<li>
+  J. Bloch, <em>Effective Java (second edition)</em>, Item 36.
+  Addison-Wesley, 2008.
+</li>
+<li>
+Help - Eclipse Platform:
+<a href="http://help.eclipse.org/indigo/index.jsp?topic=%2Forg.eclipse.jdt.doc.user%2Freference%2Fpreferences%2Fjava%2Fcompiler%2Fref-preferences-errors-warnings.htm">Java Compiler Errors/Warnings Preferences</a>.
+</li>
+<li>
+  Java Platform, Standard Edition 6, API Specification:
+  <a href="http://docs.oracle.com/javase/6/docs/api/java/lang/Override.html">Annotation Type Override</a>.
+</li>
+<li>
+  The Java Tutorials:
+  <a href="http://docs.oracle.com/javase/tutorial/java/annotations/predefined.html">Predefined Annotation Types</a>.
+</li>
+
+
+</references>
+</qhelp>

java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Missing Override annotation
+ * @description A method that overrides a method in a superclass but does not have an 'Override'
+ *              annotation cannot take advantage of compiler checks, and makes code less readable.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id java/missing-override-annotation
+ * @tags maintainability
+ */
+import java
+
+class OverridingMethod extends Method {
+  OverridingMethod() {
+    exists(Method m | this.overrides(m))
+  }
+
+  predicate isOverrideAnnotated() {
+    this.getAnAnnotation() instanceof OverrideAnnotation
+  }
+}
+
+from OverridingMethod m, Method overridden
+where
+  m.fromSource() and
+  m.overrides(overridden) and
+  not m.isOverrideAnnotated() and
+  not exists(FunctionalExpr mref | mref.asMethod() = m)
+select m, "This method overrides $@; it is advisable to add an Override annotation.",
+  overridden, overridden.getDeclaringType() + "." + overridden.getName()

java/ql/src/Advisory/Declarations/NonFinalImmutableField.qhelp

@@ -0,0 +1,35 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>A field of immutable type that is not declared <code>final</code>, but is assigned to only in a 
+constructor or static initializer of its declaring type, may lead to defects and makes code less
+readable. This is because other parts of the code may be based on the assumption that the field has 
+a constant value, and a later modification, which includes an assignment to the field, may 
+invalidate this assumption.
+</p>
+
+</overview>
+<recommendation>
+
+<p>If a field of immutable type is assigned to only during class or instance initialization,
+you should usually declare it <code>final</code>. This forces the compiler to verify that the field 
+value cannot be changed subsequently, which can help to avoid defects and increase code readability.
+</p>
+
+</recommendation>
+<references>
+
+
+<li>
+  Java Language Specification:
+  <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-4.html#jls-4.12.4">4.12.4 final Variables</a>,
+  <a href="http://docs.oracle.com/javase/specs/jls/se7/html/jls-8.html#jls-8.3.1.2">8.3.1.2 final Fields</a>.
+</li>
+
+
+</references>
+</qhelp>

java/ql/src/Advisory/Declarations/NonFinalImmutableField.ql

@@ -0,0 +1,52 @@
+/**
+ * @name Non-final immutable field
+ * @description A field of immutable type that is assigned to only in a constructor or static
+ *              initializer of its declaring type, but is not declared 'final', may lead to defects
+ *              and makes code less readable.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision medium
+ * @id java/non-final-immutable-field
+ * @tags reliability
+ */
+import java
+
+class Initialization extends Callable {
+  Initialization() {
+    this instanceof Constructor or
+    this instanceof InitializerMethod
+  }
+}
+
+/** A binary or unary assignment. */
+class AnyAssignment extends Expr {
+  AnyAssignment() {
+    this instanceof Assignment or
+    this instanceof UnaryAssignExpr
+  }
+
+  /** The expression modified by this assignment. */
+  Expr getDest() {
+    this.(Assignment).getDest() = result or
+    this.(UnaryAssignExpr).getExpr() = result
+  }
+}
+
+class ImmutableField extends Field {
+  ImmutableField() {
+    this.fromSource() and
+    not this instanceof EnumConstant and
+    this.getType() instanceof ImmutableType and
+    // The field is only assigned to in a constructor or static initializer of the type it is declared in.
+    forall(FieldAccess fw, AnyAssignment ae |
+      fw.getField().getSourceDeclaration() = this and
+      fw = ae.getDest()
+    | ae.getEnclosingCallable().getDeclaringType() = this.getDeclaringType() and
+      ae.getEnclosingCallable() instanceof Initialization
+    )
+  }
+}
+
+from ImmutableField f
+where not f.isFinal()
+select f, "This immutable field is not declared final but is only assigned to during initialization."

java/ql/src/Advisory/Declarations/NonPrivateField.qhelp

@@ -0,0 +1,38 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>A non-final or non-static field that is not declared <code>private</code>,
+but is not accessed outside of its declaring type, may decrease code maintainability. This is because
+a field that is accessible from outside the class that it is declared in tends to restrict the class 
+to a particular implementation.
+</p>
+
+</overview>
+<recommendation>
+
+<p>In the spirit of encapsulation, it is generally advisable to choose the
+most restrictive access modifier (<code>private</code>) for a field, unless
+there is a good reason to increase its visibility.
+</p>
+
+</recommendation>
+<references>
+
+
+<li>
+  J. Bloch, <em>Effective Java (second edition)</em>, 
+  Item 13.
+  Addison-Wesley, 2008.
+</li>
+<li>
+  The Java Tutorials:
+  <a href="http://docs.oracle.com/javase/tutorial/java/javaOO/accesscontrol.html">Controlling Access to Members of a Class</a>.
+</li>
+
+
+</references>
+</qhelp>

java/ql/src/Advisory/Declarations/NonPrivateField.ql

@@ -0,0 +1,28 @@
+/**
+ * @name Non-private field
+ * @description A non-constant field that is not declared 'private',
+ *              but is not accessed outside of its declaring type, may decrease code maintainability.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision medium
+ * @id java/non-private-field
+ * @tags maintainability
+ */
+import java
+import semmle.code.java.JDKAnnotations
+
+class NonConstantSourceField extends Field {
+  NonConstantSourceField() {
+    this.fromSource() and
+    not (this.isFinal() and this.isStatic())
+  }
+}
+
+from NonConstantSourceField f
+where
+  not f.isPrivate() and
+  not exists(VarAccess va | va.getVariable() = f |
+    va.getEnclosingCallable().getDeclaringType() != f.getDeclaringType()
+  ) and
+  not f.getAnAnnotation() instanceof ReflectiveAccessAnnotation
+select f, "This non-private field is not accessed outside of its declaring type."

java/ql/src/Advisory/Deprecated Code/AvoidDeprecatedCallableAccess.qhelp

@@ -0,0 +1,47 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>
+A method (or constructor) can be marked as deprecated using either the <code>@Deprecated</code> 
+annotation or the <code>@deprecated</code> Javadoc tag. Using a method that has been 
+marked as deprecated is bad practice, typically for one or more of the following reasons:</p>
+
+<ul>
+<li>The method is dangerous.</li>
+<li>There is a better alternative method.</li>
+<li>Methods that are marked as deprecated are often removed from future versions of an API. So using 
+a deprecated method may cause extra maintenance effort when the API is upgraded.</li>
+</ul>
+
+</overview>
+<recommendation>
+
+<p>Avoid using a method that has been marked as deprecated. Follow any guidance that
+is provided with the <code>@deprecated</code> Javadoc tag, which should explain how to replace the 
+call to the deprecated method.
+</p>
+
+</recommendation>
+<references>
+
+
+<li>
+Help - Eclipse Platform:
+<a href="http://help.eclipse.org/indigo/index.jsp?topic=%2Forg.eclipse.jdt.doc.user%2Freference%2Fpreferences%2Fjava%2Fcompiler%2Fref-preferences-errors-warnings.htm">Java Compiler Errors/Warnings Preferences</a>.
+</li>
+<li>
+  Java Platform, Standard Edition 6, API Specification:
+  <a href="http://docs.oracle.com/javase/6/docs/api/java/lang/Deprecated.html">Annotation Type Deprecated</a>.
+</li>
+<li>
+  Java SE Documentation:
+  <a href="http://docs.oracle.com/javase/6/docs/technotes/guides/javadoc/deprecation/deprecation.html">How and When To Deprecate APIs</a>.
+</li>
+
+
+</references>
+</qhelp>

java/ql/src/Advisory/Deprecated Code/AvoidDeprecatedCallableAccess.ql

@@ -0,0 +1,28 @@
+/**
+ * @name Deprecated method or constructor invocation
+ * @description Using a method or constructor that has been marked as deprecated may be dangerous or
+ *              fail to take advantage of a better method or constructor.
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id java/deprecated-call
+ * @tags maintainability
+ *       non-attributable
+ *       external/cwe/cwe-477
+ */
+import java
+
+private
+predicate isDeprecatedCallable(Callable c) {
+  c.getAnAnnotation() instanceof DeprecatedAnnotation or
+  exists(c.getDoc().getJavadoc().getATag("@deprecated"))
+}
+
+from Call ca, Callable c
+where
+  ca.getCallee() = c and
+  isDeprecatedCallable(c) and
+  // Exclude deprecated calls from within deprecated code.
+  not isDeprecatedCallable(ca.getCaller())
+select ca, "Invoking $@ should be avoided because it has been deprecated.",
+  c, c.getDeclaringType() + "." + c.getName()

java/ql/src/Advisory/Documentation/ImpossibleJavadocThrows.java

@@ -0,0 +1,8 @@
+/**
+ * Javadoc for method.
+ *
+ * @throws Exception if a problem occurs.
+ */
+public void noThrow() {
+	System.out.println("This method does not throw.");
+}