QL: ql/unqueryable-code query

erik-krogh · erik-krogh · commit 7ac467d3be90 · 2022-03-15T21:06:35.000+01:00
diff --git a/ql/ql/src/codeql_ql/style/DeadCodeQuery.qll b/ql/ql/src/codeql_ql/style/DeadCodeQuery.qll
@@ -30,7 +30,9 @@ private AstNode publicApi() {
  */
 private AstNode queryPredicate() {
   // result = query relation that is "transitively" imported by a .ql file.
-  PathProblemQuery::importsQueryRelation(result).asFile().getExtension() = "ql"
+  // PathProblemQuery::importsQueryRelation(result).asFile().getExtension() = "ql"
+  // any query predicate. Query predicates are usually meant to be used.
+  result.(Predicate).hasAnnotation("query")
   or
   // the from-where-select
   result instanceof Select
@@ -200,7 +202,8 @@ private AstNode benign() {
   result instanceof BlockComment or
   not exists(result.toString()) or // <- invalid code
   // cached-stages pattern
-  result.(Module).getAMember().(ClasslessPredicate).getName() = "forceStage" or
+  result.(Module).getAMember().(ClasslessPredicate).getName() =
+    ["forceStage", "forceCachingInSameStage"] or
   result.(ClasslessPredicate).getName() = "forceStage" or
   result.getLocation().getFile().getBaseName() = "Caching.qll" or
   // sometimes contains dead code - ignore
@@ -239,16 +242,39 @@ private AstNode queryable() {
   result = aliveStep(queryable())
 }
 
+// The benign cases are mostly
+private AstNode benignUnqueryable() {
+  result = benign() or
+  // cached-stages pattern
+  // sometimes contains dead code - ignore
+  result.(Module).getName() = "Debugging" or
+  result.getLocation().getFile() = benignUnqueryableFile()
+}
+
+pragma[noinline]
+private File benignUnqueryableFile() {
+  result.getAbsolutePath().matches("%/explore/%") or
+  result.getRelativePath().matches("%/tutorials/%") or
+  result.getBaseName() =
+    [
+      "Expr.qll", "TypeScript.qll", "YAML.qll", "Tokens.qll", "Instruction.qll", "Persistence.qll",
+      "ES2015Modules.qll"
+    ] or // lots of classes that exist for completeness
+  result.getBaseName() = ["CachedStages.qll", "Caching.qll", "tutorial.qll"] or
+  result.getBaseName().matches("DataFlowImpl%") or // DataFlow has 1578 unqueryable things.
+  result.getBaseName().matches("SsaImplCommon%") or
+  result.getBaseName().matches("FlowSummary%") or // Lots of unused FlowSummary stuff in ruby.
+  not result.getExtension() = ["ql", "qll"] // ignore dbscheme files
+}
+
 /**
  * Gets an AstNode that does not affect any query result.
  * Is interresting as an quick-eval target to investigate dead code.
  * (It is intentional that this predicate is a result of this predicate).
  */
-AstNode unQueryable(string msg) {
+AstNode unQueryable() {
   not result = queryable() and
   not result = deprecated() and
-  not result = benign() and
-  not result.getParent() = any(AstNode node | not node = queryable()) and
-  msg = result.getLocation().getFile().getBaseName() and
-  result.getLocation().getFile().getAbsolutePath().matches("%/javascript/%")
+  not result = benignUnqueryable() and
+  not result.getParent() = any(AstNode node | not node = queryable())
 }
diff --git a/ql/ql/src/queries/style/UnqueryableCode.ql b/ql/ql/src/queries/style/UnqueryableCode.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Unqueryable code
+ * @description Code that cannot affect the outcome of any query is suspicous.
+ * @kind problem
+ * @problem.severity recommendation
+ * @id ql/unqueryable-code
+ * @precision high
+ */
+
+import ql
+import codeql_ql.style.DeadCodeQuery
+
+from AstNode node
+where
+  node = unQueryable() and
+  // the static languages have way too much noise from code that is only queried from internal stuff
+  node.getLocation()
+      .getFile()
+      .getAbsolutePath()
+      .matches("%/" + ["javascript", "python", "ruby"] + "/%")
+select node, "Code cannot affect the outcome of any query."
