Skip to content

Java: Added new query java/visible-for-testing-abuse #20178

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 19 commits into
base: main
Choose a base branch
from
Open

Java: Added new query java/visible-for-testing-abuse #20178

wants to merge 19 commits into from

Conversation

Napalys
Copy link
Contributor

@Napalys Napalys commented Aug 6, 2025
edited
Loading

Added new query java/visible-for-testing-abuse.
Initial MRVA 1000 run produced 5,108 results, after reducing false positives ended up with 2,611.
Autofix tends to remove @VisibleForTesting, but it may requires deeper refactoring in which case it may not be accepted as a good fix.

@Napalys Napalys added the no-change-note-required This PR does not need a change note label Aug 7, 2025
@Napalys Napalys requested a review from knewbury01 August 7, 2025 08:12
@Napalys Napalys marked this pull request as ready for review August 7, 2025 08:12
@Napalys Napalys requested a review from a team as a code owner August 7, 2025 08:12
@Copilot Copilot AI review requested due to automatic review settings August 7, 2025 08:12
Copilot
Copilot AI reviewed Aug 7, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR introduces a new CodeQL query java/visible-for-testing-abuse to detect misuse of the @VisibleForTesting annotation in production code. The query identifies cases where elements annotated with @VisibleForTesting are accessed from production code outside their intended scope, which violates the annotation's purpose of only increasing visibility for testing.

  • Added the main query implementation with logic to detect inappropriate access patterns based on visibility modifiers
  • Created comprehensive test cases covering various scenarios including cross-package access, lambda usage, and inner classes
  • Integrated the query into the Java code quality query suites

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.ql Main query implementation detecting misuse of @VisibleForTesting annotation
java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.md Documentation explaining the rule's purpose and implementation details
java/ql/test/query-tests/VisibleForTestingAbuse/*.java Comprehensive test cases covering various usage scenarios
java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.qlref Test configuration referencing the query
java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.expected Expected test results
java/ql/integration-tests/java/query-suite/*.expected Updated query suite integration test expectations

@Napalys Napalys force-pushed the java/visible-for-testing-abuse branch from b2ba0d7 to 8708130 Compare August 7, 2025 08:15
michaelnebel
michaelnebel reviewed Aug 21, 2025
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat new query.
I have added some comments, will continue the review tomorrow.

Napalys and others added 17 commits August 22, 2025 09:23
@Napalys
Java: Added new query java/visible-for-testing-abuse
0c14d93
@Napalys
Java: Added inline test expectations for `java/visible-for-testing-ab…
652e9cb 
…use`
@Napalys
Java: Promoted java/visible-for-testing-abuse to quality
ff6ddd2
@Napalys
Java: Expanded test suite of java/visible-for-testing-abuse
2a16f48
@Napalys
Java: enchanced check if it is within same package
fbf18af
@Napalys
Java: Enchanced isWithinType to also include lambdas, inner classes…
9dfb4d4 
… etc.
@Napalys
Java: Fix Predicate QLDoc style.
7e2a194
@Napalys
Java: Test @VisibleForTesting method accessing @VisibleForTesting mem…
1e2e6ec 
…bers
@Napalys
Java: Resolve spurious VisibleForTestingAbuse alerts for inner class …
e404240 
…access patterns
@Napalys
Java: Exclude @VisibleForTesting-to-@VisibleForTesting access from Vi…
225723b 
…sibleForTestingAbuse alerts
@Napalys
Java: Refactor VisibleForTestingAbuse query to reduce complexity
eb46e54
@Napalys
Java: Fix VisibleForTestingAbuse false positives in annotations
ea831a8
@Napalys
Java: updated visible-for-testing-abuse meta data and docs.
d20fd5b
@Napalys @Copilot
Update java/ql/src/Violations of Best Practice/Implementation Hiding/…
0b17208 
…VisibleForTestingAbuse.ql

Co-authored-by: Copilot <[email protected]>
@Napalys @michaelnebel
Update java/ql/src/Violations of Best Practice/Implementation Hiding/…
66f2911 
…VisibleForTestingAbuse.ql

Co-authored-by: Michael Nebel <[email protected]>
@Napalys
Java: Address comments
38b3df0
@Napalys
Java: Added extra test cases for fields
4705ad2
@Napalys Napalys force-pushed the java/visible-for-testing-abuse branch from bb37c26 to 4705ad2 Compare August 22, 2025 07:23
michaelnebel
michaelnebel reviewed Aug 22, 2025
View reviewed changes
java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.ql
// not in a test where use is appropriate
not e.getEnclosingCallable() instanceof LikelyTestMethod and
// not when the accessing method or any enclosing method is @VisibleForTesting (test-to-test communication)
not isWithinVisibleForTestingContext(e.getEnclosingCallable()) and
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe also generalise this to support lambdas (to mirror the above).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it necessary, I can't seem to figure out which case would not be covered currently? As this is responsible for exclusion of such https://github.com/Napalys/codeql/blob/38f517ecfaaa3eb1d6b18d0969900aeaddfca420/java/ql/test/query-tests/VisibleForTestingAbuse/packageone/SourcePackage1.java#L16

@Napalys Napalys requested a review from michaelnebel August 24, 2025 11:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@knewbury01 knewbury01 Awaiting requested review from knewbury01

@michaelnebel michaelnebel Awaiting requested review from michaelnebel

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Java no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Napalys @michaelnebel