Merge pull request github#3401 from erik-krogh/jsonLike

Approved by esbena

Author: semmle-qlci

change-notes/1.25/analysis-javascript.md

@@ -20,6 +20,7 @@
 | Misspelled variable name (`js/misspelled-variable-name`) | Message changed | The message for this query now correctly identifies the misspelled variable in additional cases. |
 | Uncontrolled data used in path expression (`js/path-injection`) | More results | This query now recognizes additional file system calls. |
 | Uncontrolled command line (`js/command-line-injection`) | More results | This query now recognizes additional command execution calls. |
+| Expression has no effect (`js/useless-expression`) | Less results | This query no longer flags an expression when that expression is the only content of the containing file. |
 
 ## Changes to libraries
 

javascript/ql/src/Expressions/ExprHasNoEffect.qll

@@ -158,5 +158,11 @@ predicate hasNoEffect(Expr e) {
   // exclude block-level flow type annotations. For example: `(name: empty)`.
   not e.(ParExpr).getExpression().getLastToken().getNextToken().getValue() = ":" and
   // exclude the first statement of a try block
-  not e = any(TryStmt stmt).getBody().getStmt(0).(ExprStmt).getExpr()
+  not e = any(TryStmt stmt).getBody().getStmt(0).(ExprStmt).getExpr() and
+  // exclude expressions that are alone in a file, and file doesn't contain a function.
+  not exists(TopLevel top |
+    top = e.getParent().(ExprStmt).getParent() and
+    top.getNumChild() = 1 and
+    not exists(Function fun | fun.getEnclosingContainer() = top)
+  )
 }

javascript/ql/test/query-tests/Expressions/ExprHasNoEffect/jsonlike.js

@@ -0,0 +1 @@
+["foo", "bar", 123]