Java: restrict test to source methods

smowton · smowton · commit 0510b0c82552 · 2023-10-13T20:30:28.000+01:00
Otherwise it finds standard library methods that depend on stdlib internals as to what happens to get extracted. In particular the extractor bump to JDK21 led to MethodHandles being in scope and a new method being found; seems better to avoid considering the standard library at all.
diff --git a/java/ql/test/library-tests/sensitive-actions/test.expected b/java/ql/test/library-tests/sensitive-actions/test.expected
@@ -67,5 +67,3 @@ sensitiveDataMethod
 | Test.java:37:18:37:31 | aaCryptAccntaa |
 | Test.java:39:18:39:33 | aaCryptTrustedaa |
 | Test.java:41:18:41:40 | aaCryptRefreshaaTokenaa |
-| file:///modules/java.base/java/lang/invoke/MemberName.class:0:0:0:0 | isTrustedFinalField |
-| file:///modules/java.base/java/lang/reflect/Field.class:0:0:0:0 | isTrustedFinal |
diff --git a/java/ql/test/library-tests/sensitive-actions/test.ql b/java/ql/test/library-tests/sensitive-actions/test.ql
@@ -9,4 +9,4 @@ query predicate sensitiveVariable(Variable v) {
   v.getName().regexpMatch(getCommonSensitiveInfoRegex())
 }
 
-query predicate sensitiveDataMethod(SensitiveDataMethod m) { any() }
+query predicate sensitiveDataMethod(SensitiveDataMethod m) { m.fromSource() }

Original file line number	Diff line number	Diff line change
`@@ -9,4 +9,4 @@ query predicate sensitiveVariable(Variable v) {`
`9`	`9`	`v.getName().regexpMatch(getCommonSensitiveInfoRegex())`
`10`	`10`	`}`
`11`	`11`
`12`		`-query predicate sensitiveDataMethod(SensitiveDataMethod m) { any() }`
	`12`	`+query predicate sensitiveDataMethod(SensitiveDataMethod m) { m.fromSource() }`