
Java: Added new query java/visible-for-testing-abuse #20178


Open
wants to merge 14 commits into base: main

Conversation

Napalys (Contributor) commented Aug 6, 2025

Added new query java/visible-for-testing-abuse.
Initial MRVA 1000 run produced 5,108 results; after reducing false positives it ended up with 2,611.
DCA run: https://github.com/github/codeql-dca-main/tree/data/Napalys/visible-for-tes__nightly-buildle__CustomSuite__1/reports
Autofix tends to remove @VisibleForTesting, but it may require deeper refactoring, in which case it may not be accepted as a good fix.

@Napalys Napalys added the no-change-note-required This PR does not need a change note label Aug 7, 2025
@Napalys Napalys requested a review from knewbury01 August 7, 2025 08:12
@Napalys Napalys marked this pull request as ready for review August 7, 2025 08:12
@Napalys Napalys requested a review from a team as a code owner August 7, 2025 08:12
@Copilot Copilot AI review requested due to automatic review settings August 7, 2025 08:12
Copilot AI (Contributor) left a comment


Pull Request Overview

This PR introduces a new CodeQL query java/visible-for-testing-abuse to detect misuse of the @VisibleForTesting annotation in production code. The query identifies cases where elements annotated with @VisibleForTesting are accessed from production code outside their intended scope, which violates the annotation's purpose of only increasing visibility for testing.

  • Added the main query implementation with logic to detect inappropriate access patterns based on visibility modifiers
  • Created comprehensive test cases covering various scenarios including cross-package access, lambda usage, and inner classes
  • Integrated the query into the Java code quality query suites

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Summary per file:

  • java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.ql: main query implementation detecting misuse of the @VisibleForTesting annotation
  • java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.md: documentation explaining the rule's purpose and implementation details
  • java/ql/test/query-tests/VisibleForTestingAbuse/*.java: comprehensive test cases covering various usage scenarios
  • java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.qlref: test configuration referencing the query
  • java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.expected: expected test results
  • java/ql/integration-tests/java/query-suite/*.expected: updated query suite integration test expectations

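The pattern the query targets, as an added illustration that is not code from this PR or from CodeQL's own test files. It assumes the usual reading of the annotation's contract (a member widened from private only so that a same-package test can reach it) and that "production code" means any non-test caller relying on that widened visibility; the exact scope rules live in the .ql file, which this page does not show. `TokenValidator`, `LoginHandler` and the `example` package are hypothetical names, and the annotation is declared locally as a stand-in for Guava's `com.google.common.annotations.VisibleForTesting` so the file compiles without the dependency.

```java
package example; // assumption: one package, so package-private members are reachable

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.nio.charset.StandardCharsets;

// Local stand-in for com.google.common.annotations.VisibleForTesting (Guava).
// Real code imports the library annotation; the name is what the query keys on.
@Retention(RetentionPolicy.CLASS)
@Target({ElementType.METHOD, ElementType.FIELD, ElementType.CONSTRUCTOR, ElementType.TYPE})
@interface VisibleForTesting {}

class TokenValidator {
    private final byte[] expected;

    TokenValidator(String expectedToken) {
        this.expected = expectedToken.getBytes(StandardCharsets.UTF_8);
    }

    /** The intended production API. */
    public boolean isValid(String presented) {
        return constantTimeEquals(presented.getBytes(StandardCharsets.UTF_8), expected);
    }

    /**
     * Would be private; it is package-private only so a TokenValidatorTest in the
     * same package under src/test can exercise the comparison directly.
     */
    @VisibleForTesting
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        int n = Math.min(a.length, b.length);
        for (int i = 0; i < n; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}

// Production class in the same package. Calling the @VisibleForTesting member
// from here is the misuse the query reports: the call compiles only because the
// visibility was widened for tests, so production now depends on an internal
// helper that may change or disappear without notice.
class LoginHandler {
    boolean matches(byte[] a, byte[] b) {
        return TokenValidator.constantTimeEquals(a, b); // flagged by java/visible-for-testing-abuse
    }
}

// The refactoring the PR description says an autofix may not get right: route
// production callers through the public API and leave the helper an
// implementation detail. Merely deleting the annotation would silently promote
// the helper to package-private API instead of fixing the dependency.
class LoginHandlerFixed {
    private final TokenValidator validator;

    LoginHandlerFixed(TokenValidator validator) {
        this.validator = validator;
    }

    boolean accepts(String presentedToken) {
        return validator.isValid(presentedToken); // uses the intended API only
    }
}

class Demo {
    public static void main(String[] args) {
        TokenValidator v = new TokenValidator("s3cret");
        System.out.println(new LoginHandlerFixed(v).accepts("s3cret")); // true
        System.out.println(new LoginHandlerFixed(v).accepts("wrong"));  // false
    }
}
```

A test class in the same package (for example `TokenValidatorTest`) calling `TokenValidator.constantTimeEquals` directly is the use the annotation exists for and is not what the query is after; only the `LoginHandler` call is the finding.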
@Napalys Napalys force-pushed the java/visible-for-testing-abuse branch from b2ba0d7 to 8708130 Compare August 7, 2025 08:15
Labels
documentation Java no-change-note-required This PR does not need a change note