How do I get a list of method calls whose implementation comes from a dependency?
For example, dependency group id: "com.google.protobuf"
Method calls are modelled by the CodeQL class MethodAccess. If you want to include constructor calls as well, then you can instead use the CodeQL superclass Call. Java method reference expressions (e.g. MyClass::doSomething) are modelled separately as MemberRefExpr, so you need to handle them separately in case you want to consider them too.

The easiest way to match the method calls would be to check the package name. For example, the Protobuf classes are in the package com.google.protobuf or in subpackages. The following query finds calls to them:
    import java

    from MethodAccess call
    where
      call.getMethod()
        .getCompilationUnit()
        .getPackage()
        // Check if name starts with "com.google.protobuf"
        .getName().matches("com.google.protobuf%")
    select call
Using the Maven group and artifact ID is a bit more complicated and possibly also not as reliable, and it probably won't work if the build is not using Maven. Maven artifacts are modelled by the CodeQL class MavenRepoJar; this class is in a separate module and requires an import:
    import java
    import semmle.code.xml.MavenPom

    from MethodAccess call, MavenRepoJar repoJar
    where
      call.getMethod()
        // Get the source declaration to prevent any issues with generic methods
        .getSourceDeclaration()
        .getCompilationUnit()
        // Match the Maven artifact which contains the class
        // Uses a transitive closure (`+`) to apply the predicate one or more times
        // see https://codeql.github.com/docs/ql-language-reference/recursion/#transitive-closures
        .getParentContainer+() = repoJar
      and repoJar.getGroupId() = "com.google.protobuf"
    select call
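The answer above notes that constructor calls (via the superclass Call) and method references (MemberRefExpr) each need their own handling. The following query is an added example, not part of the answer or of the CodeQL standard library, that covers all three in one place and matches the package exactly or as a parent package, so that a hypothetical package such as com.google.protobufx is not picked up by a bare prefix match. The predicate name targetsPackage and the package string are my own choices; the classes and member predicates used (Call.getCallee, MemberRefExpr.getReferencedCallable, Callable.getSourceDeclaration, RefType.getPackage, Package.getName) are part of the CodeQL Java library.

```ql
import java

/**
 * Holds if the callable `c` is declared (after resolving generics to the
 * source declaration) in package `pkg` or in one of its subpackages.
 * The `.` in the `matches` pattern is literal; only `%` and `_` are wildcards.
 */
predicate targetsPackage(Callable c, string pkg) {
  exists(string name |
    name = c.getSourceDeclaration().getDeclaringType().getPackage().getName()
  |
    name = pkg or name.matches(pkg + ".%")
  )
}

// `Call` covers method calls (MethodAccess), constructor calls and
// this()/super() constructor invocations; `MemberRefExpr` covers
// method references such as `Foo::bar`, which are not `Call`s.
from Expr use, Callable target
where
  (
    use.(Call).getCallee() = target
    or
    use.(MemberRefExpr).getReferencedCallable() = target
  ) and
  // Assumed dependency package, taken from the question.
  targetsPackage(target, "com.google.protobuf")
select use,
  "Uses " + target.getDeclaringType().getQualifiedName() + "." + target.getName()
```

Run it with `codeql query run` against a database of the project; to review the results as a dependency inventory, group the second column by declaring type. If the project uses the Maven-based MavenRepoJar approach from the answer instead, the same `Call`/`MemberRefExpr` disjunction can replace the `MethodAccess call` variable there unchanged.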