Add some JUnit queries

Author: Marcono1234

codeql-custom-queries-java/queries/unit-tests/CsvSource-instead-of-ValueSource.ql

@@ -0,0 +1,46 @@
+/**
+ * Finds usage of JUnit 5's `@CsvSource` where the values are not actually real CSV rows.
+ * If none of the rows contains a delimiter character (`,` by default), then each 'row' is
+ * passed as separate value to the test method. The `@ValueSource(strings = {...})`
+ * annotation is exactly intended for that use case and should be preferred, because it
+ * makes the intention clearer and is less error-prone in case a value happens to contain
+ * a `,` (in which case it will not be split, unlike for `@CsvSource`).
+ *
+ * For example:
+ * ```java
+ * @CsvSource({"first", "second"})
+ * // should be replaced with
+ * @ValueSource(strings = {"first", "second"})
+ * ```
+ *
+ * @id todo
+ * @kind problem
+ */
+
+import java
+
+string getDelimiter(Annotation csvSource) {
+  exists(string delimiterString, string delimiterChar |
+    delimiterString = csvSource.getStringValue("delimiterString") and
+    delimiterChar = csvSource.getValue("delimiter").(CharacterLiteral).getValue()
+  |
+    // Check default values of annotation elements
+    if delimiterString != ""
+    then result = delimiterString
+    else
+      if delimiterChar != 0.toUnicode()
+      then result = delimiterChar
+      else result = ","
+  )
+}
+
+from Annotation csvSource, string delimiter
+where
+  csvSource.getType().hasQualifiedName("org.junit.jupiter.params.provider", "CsvSource") and
+  delimiter = getDelimiter(csvSource) and
+  // And none of the values contains the delimiter
+  not (
+    exists(csvSource.getAStringArrayValue("value").indexOf(delimiter)) or
+    exists(csvSource.getStringValue("textBlock").indexOf(delimiter))
+  )
+select csvSource, "Should use `@ValueSource(strings = {...})` instead"

codeql-custom-queries-java/queries/unit-tests/assertThrows-expected-message.ql

@@ -0,0 +1,48 @@
+/**
+ * Finds calls to `assertThrows` and `assertThrowsExactly` where a 'message' argument is provided which
+ * seems to be intended as 'expected message'. The 'message' is actually what will be used in case the
+ * assertion fails, it is _not_ the expected message for the thrown exception.
+ *
+ * For example this assertion will pass even though the exception has a different message:
+ * ```java
+ * assertThrows(
+ *     IllegalArgumentException.class,
+ *     () -> {
+ *         throw new IllegalArgumentException("argument 'actual' is invalid");
+ *     },
+ *     "argument 'expected' is invalid"
+ * );
+ * ```
+ *
+ * @id todo
+ * @kind problem
+ */
+
+import java
+
+from
+  MethodAccess assertThrowsCall, Method assertThrowsMethod, Class expectedException,
+  CompileTimeConstantExpr messageArg
+where
+  assertThrowsCall.getMethod() = assertThrowsMethod and
+  // TODO: Use own assertion lib CodeQL classes?
+  (
+    // JUnit 4
+    assertThrowsMethod.getDeclaringType().hasQualifiedName("org.junit", "Assert") and
+    assertThrowsMethod.hasName("assertThrows") and
+    expectedException = assertThrowsCall.getArgument(1).(TypeLiteral).getReferencedType() and
+    messageArg = assertThrowsCall.getArgument(0)
+    or
+    // JUnit 5
+    assertThrowsMethod.getDeclaringType().hasQualifiedName("org.junit.jupiter.api", "Assertions") and
+    assertThrowsMethod.hasName(["assertThrows", "assertThrowsExactly"]) and
+    expectedException = assertThrowsCall.getArgument(0).(TypeLiteral).getReferencedType() and
+    messageArg = assertThrowsCall.getArgument(2)
+  ) and
+  // Check if anywhere in the code an exception with the exact same message is created
+  exists(ConstructorCall newExceptionCall |
+    newExceptionCall.getConstructedType().getASourceSupertype*() = expectedException and
+    newExceptionCall.getAnArgument().(CompileTimeConstantExpr).getStringValue() =
+      messageArg.getStringValue()
+  )
+select messageArg, "Message argument of `assertThrows` misunderstood as 'expected message'"