Java: static field access of unknown class breaks dataflow (build-mode=none)
This is another issue we encountered when analysing databases created with build-mode=none.
It appears that dataflow graphs are broken when static fields are accessed on unknown classes.
Please take a look at codeql_issue2.zip for more information.
Here is the example java code:
```java
// This import is from a dependency that is not resolved
import com.foo.mycompany.UnknownClass;

public class DataFlowNotConnected {
    static class MyClass {
        public static String staticField = "static";
    }

    private int run() {
        // data source 1 should flow to sink e and f, but dataflow is broken by UnknownClass.staticField
        int a = 1;
        int b = a;
        // static class field access from known class
        String staticField1 = MyClass.staticField;
        int c = b;
        int d = c;
        // static class field access from unknown class breaks dataflow
        String staticField2 = UnknownClass.staticField;
        int e = d;
        int f = e;
        return f;
    }
}
```
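One way to see exactly where the intra-procedural flow is cut in the sample above is a small diagnostic query; this is an added example written for this page, not part of the issue or of the CodeQL project's own query suite, and it assumes the sample has been compiled into a database with the class name `DataFlowNotConnected` and method name `run` unchanged:

```ql
import java
import semmle.code.java.dataflow.DataFlow

// Added diagnostic query (hypothetical, not from the issue): for every `int` local
// in DataFlowNotConnected.run(), report whether the literal that initialises `a`
// reaches that local's initializer through CodeQL's local (intra-procedural) dataflow.
// A variable reported as "NOT reached" marks the point where the chain a -> b -> c -> d
// -> e -> f has been severed.
from
  Method run, LocalVariableDecl a, LocalVariableDecl v,
  DataFlow::Node source, DataFlow::Node sink
where
  run.hasName("run") and
  run.getDeclaringType().hasName("DataFlowNotConnected") and
  // the source is the initializer of `a` (the literal 1 in the sample)
  a.getCallable() = run and
  a.hasName("a") and
  source.asExpr() = a.getInitializer() and
  // candidate sinks: the initializers of the other int locals in the same method
  v.getCallable() = run and
  v != a and
  v.getType().hasName("int") and
  sink.asExpr() = v.getInitializer()
select v,
  if DataFlow::localFlow(source, sink)
  then "reached from the initializer of a"
  else "NOT reached from the initializer of a (local dataflow broken before this point)"
```

With the behaviour described in this issue, `b`, `c` and `d` are expected to be reported as reached and `e` and `f` as not reached; once the fix lands, all five should be reported as reached.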
Thanks for the report. Can confirm what you're seeing -- we intend to fix this so unrelated dataflow is not disrupted by the bad access; however since analysing incomplete code like this is not our priority, we cannot promise a timescale for the fix.
Thank you for the follow up. My worry though is that broken dataflow probably also breaks taint analysis, missing potentially true positives related to SQL injection, etc when using build-mode=none.
Yes, when there are missing dependencies like that, that is a risk at present. In the short term the best solution is to ensure needed dependencies are available prior to CodeQL analysis -- either as source code within the repository, or as jar files discoverable via Maven or Gradle build files. Alternatively you could switch to using autobuild or manual build so that a successful build process (very nearly) assures that all dependencies are reachable.