CodeQL 查找依赖项用法

Question

How do I get a list of method calls which the implementation is from a dependency

For example, dependency group id: "com.google.protobuf"

Answer 1

Method calls are modelled by the CodeQL class MethodAccess . If you want to include constructor calls as well, then you can instead use the CodeQL superclass Call . Java method reference expressions (eg MyClass::doSomething ) are modelled separately as MemberRefExpr , so you need to handle them separately in case you want to consider them too.

The easiest way to match the method calls would be to check the package name. For example the Protobuf classes are in the package com.google.protobuf or in subpackages. The following query finds calls to them:

import java

from MethodAccess call
where
  call.getMethod()
    .getCompilationUnit()
    .getPackage()
    // Check if name starts with "com.google.protobuf"
    .getName().matches("com.google.protobuf%")
select call

Query Console link

Using the Maven group and artifact ID is a bit more complicated and possibly also not as reliable, and it probably won't work if the build is not using Maven. Maven artifacts are modelled by the CodeQL class MavenRepoJar ; this class is in a separate module and requires an import :

import java
import semmle.code.xml.MavenPom

from MethodAccess call, MavenRepoJar repoJar
where
  call.getMethod()
    // Get the source declaration to prevent any issues with generic methods
    .getSourceDeclaration()
    .getCompilationUnit()
    // Match the Maven artifact which contains the class
    // Uses a transitive closure (`+`) to apply the predicate one or more times
    // see https://codeql.github.com/docs/ql-language-reference/recursion/#transitive-closures
    .getParentContainer+() = repoJar
  and repoJar.getGroupId() = "com.google.protobuf"
select call

Query Console link