Status: Closed
Labels: Stale, acknowledged (GitHub staff acknowledges this issue), awaiting-response (The CodeQL team is awaiting further input or clarification from the original reporter of this issue), false-positive, question (Further information is requested)
Description
[1] Problem description
I want to use CodeQL to search for possible sensitive information leaks in Java code, so I want to match all occurrences of xxxx.info() in Java code, wherever .info() occurs.
For example:
```java
log.info("attributes: {}", attributes);
logger.info("attributes: {}", attributes);
```
[2] Problems encountered
1) Successfully created the CodeQL database
Create command:
```shell
codeql database create javatest --language=java --command='mvn -gs /Users/tools/tools/apache-maven-3.9.0/settings.xml clean install -Dmaven.test.skip=true -Dmaven.repo.local=/Users/tools/tools/apache-maven-3.9.0/repository' --overwrite
```
Database creation succeeded:
```
[2023-03-30 17:53:22] [build-stdout] [INFO] Installing /Users/guess/Desktop/guess-transaction/guess-transaction-web/target/guess-transaction-web-0.0.1.jar to /Users/tools/tools/apache-maven-3.9.0/repository/com/guess/guess-transaction-web/0.0.1/guess-transaction-web-0.0.1.jar
[2023-03-30 17:53:22] [build-stdout] [INFO] ------------------------------------------------------------------------
[2023-03-30 17:53:22] [build-stdout] [INFO] Reactor Summary:
[2023-03-30 17:53:22] [build-stdout] [INFO]
[2023-03-30 17:53:22] [build-stdout] [INFO] guess-transaction 0.0.1 ........................ SUCCESS [ 0.235 s]
[2023-03-30 17:53:22] [build-stdout] [INFO] guess-transaction-apiclient 1.3.9 ........... SUCCESS [ 14.608 s]
[2023-03-30 17:53:22] [build-stdout] [INFO] guess-transaction-common 0.0.1 ................. SUCCESS [ 13.176 s]
[2023-03-30 17:53:22] [build-stdout] [INFO] guess-transaction-dao 0.0.1 .................... SUCCESS [ 13.495 s]
[2023-03-30 17:53:22] [build-stdout] [INFO] guess-transaction-service 0.0.1 ................ SUCCESS [ 42.408 s]
[2023-03-30 17:53:22] [build-stdout] [INFO] guess-transaction-apiservice 0.0.1 ............. SUCCESS [ 6.103 s]
[2023-03-30 17:53:22] [build-stdout] [INFO] guess-transaction-web 0.0.1 .................... SUCCESS [ 13.477 s]
[2023-03-30 17:53:22] [build-stdout] [INFO] ------------------------------------------------------------------------
[2023-03-30 17:53:22] [build-stdout] [INFO] BUILD SUCCESS
[2023-03-30 17:53:22] [build-stdout] [INFO] ------------------------------------------------------------------------
[2023-03-30 17:53:22] [build-stdout] [INFO] Total time: 01:43 min
[2023-03-30 17:53:22] [build-stdout] [INFO] Finished at: 2023-03-30T17:53:22+08:00
[2023-03-30 17:53:22] [build-stdout] [INFO] ------------------------------------------------------------------------
Finalizing database at /Users/guess/Desktop/guess-transaction/javatest.
[2023-03-30 17:53:28] [build-stderr] Scanning for files in /Users/guess/Desktop/guess-transaction...
[2023-03-30 17:53:32] [build-stderr] /Users/guess/Desktop/guess-transaction/javatest: Indexing files in in /Users/guess/Desktop/guess-transaction...
[2023-03-30 17:53:32] [build-stderr] Running command in /Users/guess/Desktop/guess-transaction: [/Users/tools/tools/codeql/codeql-cli-binaries/xml/tools/index-files.sh, /Users/guess/Desktop/guess-transaction/javatest/working/files-to-index13506412261297497112.list]
Successfully created database at /Users/guess/Desktop/guess-transaction/javatest.
```
2) Using the following CodeQL query, the result does not meet expectations
When I use CodeQL to retrieve .error(), there are only 25 results, but when I use Command+F to search I find 100+ results.
```ql
import java

// Every method call whose callee name ends with "error"
from MethodAccess ma
where ma.getMethod().getName().regexpMatch(".*error")
select ma, "This is a call to an error function with an empty string argument."
```
When I use CodeQL to retrieve .info(), there are 0 results, but when I use Command+F to search I find 100+ results.
```ql
import java

// Every method call whose callee name ends with "info"
from MethodAccess ma
where ma.getMethod().getName().regexpMatch(".*info")
select ma, "This is a call to an error function with an empty string argument."
```
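As an added example (it is not the reporter's query and not part of the CodeQL project), the query below matches the callee name exactly instead of with a regular expression, covers the usual logging levels in one pass, and reports the declaring type of the resolved method, so that it is easy to check in the results whether the `log`/`logger` calls were resolved to the expected logger type when the database was built. It also flags calls that pass a variable whose name suggests a secret, which is the "sensitive information leak" the reporter is looking for. The query id, the `LoggingCall` class name, the `looksSensitive` predicate and the name pattern it uses are all assumptions made for this example; the `java` library classes (`MethodAccess`, `VarAccess`, `Variable`) are the ones used by the reporter's own queries.

```ql
/**
 * @name Logging calls, with a note on arguments that look sensitive
 * @description Lists every call whose callee is a typical logging method and
 *              reports its declaring type; calls that pass a variable whose
 *              name looks like a secret get an extra note. (Added example;
 *              query id and names are assumptions.)
 * @kind problem
 * @problem.severity warning
 * @id java/example/logging-call-audit
 */

import java

/** A call to a method whose simple name is a common logging level. */
class LoggingCall extends MethodAccess {
  LoggingCall() {
    // Exact-name match, so "getInfo" or "errorCount" are not reported.
    this.getMethod().hasName(["trace", "debug", "info", "warn", "error"])
  }
}

/** Holds if `e` reads a variable whose name suggests a secret (assumed pattern). */
predicate looksSensitive(Expr e) {
  e.(VarAccess)
      .getVariable()
      .getName()
      .regexpMatch("(?i).*(password|passwd|secret|token|apikey|credential).*")
}

from LoggingCall call, string note
where
  if exists(Expr a | a = call.getAnArgument() and looksSensitive(a))
  then note = " and passes an argument whose name suggests a secret"
  else note = ""
select call,
  "Call to " + call.getMethod().getDeclaringType().getQualifiedName() + "." +
    call.getMethod().getName() + "() with " + call.getNumArgument().toString() +
    " argument(s)" + note
```

Run it against the `javatest` database created above with `codeql query run` or from the VS Code extension; if the declaring type shown for the `info` calls is not the logger class you expect, the database did not resolve those callees, which is the first thing to check before tuning the name pattern.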