| description | Guidance for developing CodeQL queries targeting Java code |
|---|---|
This prompt provides guidance for developing CodeQL queries targeting Java code. For common query development patterns and best practices, see query_development.prompt.md.
- Import `java` for Java AST nodes and predicates
- Use `semmle.code.java.dataflow.DataFlow` and `semmle.code.java.dataflow.TaintTracking`
- Import `semmle.code.java.frameworks.*` for framework-specific predicates
- Security-specific imports: `semmle.code.java.security.*`

- Compilation Units: `CompilationUnit` for file-level structure
- Classes: `Class`, `Interface` for type declarations
- Methods: `Method`, `Constructor` for method definitions
- Statements: `BlockStmt`, `ExprStmt`, `IfStmt`, `ForStmt`, `EnhancedForStmt`, `WhileStmt`, `TryStmt`, `ReturnStmt`
- Expressions: `MethodCall`, `ClassInstanceExpr`, `VarAccess`, `AssignExpr`, `BinaryExpr` (e.g., `GTExpr`, `LTExpr`, `EQExpr`)
- Declarations: `LocalVariableDeclStmt`, `FieldDeclaration`, `Parameter`
- Literals: `StringLiteral`, `IntegerLiteral`, `ArrayAccess`
- Type Access: `TypeAccess` for type references, `ArrayTypeAccess` for array types
- Control Flow: `CatchClause` for exception handling, `ThrowStmt` for exceptions

- Method calls: `call` where `call instanceof MethodCall`
- Field access: `access` where `access instanceof VarAccess`
- Object creation: `creation` where `creation instanceof ClassInstanceExpr`
- Type checking: Use `TypeAccess` for type references
- Exception handling: `TryStmt` with `CatchClause` blocks
- Loop patterns: `ForStmt`, `EnhancedForStmt` for iteration
- Lambda expressions: `LambdaExpr` for functional programming

- Use `DataFlow::Node` for nodes in the data flow graph
- Use `TaintTracking::Configuration` for taint analysis
- Handle Java-specific features: inheritance, polymorphism, generics
- Track through method calls, field access, and constructor invocations
- Consider static vs instance members in flow analysis

- SQL injection: JDBC query construction with user input
- XSS: HTML output without proper escaping
- XXE: XML parsing with external entity processing
- Deserialization: Unsafe object deserialization
- Path traversal: File operations with unsanitized paths
- LDAP injection: LDAP query construction with user input
- Command injection: Process execution with user input
- Reflection vulnerabilities: Dynamic class loading and method invocation
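The taint-tracking guidance above and the SQL injection category in this list, pulled together into one complete query. This is an added example, not part of the original prompt or the CodeQL standard library: it uses the module-based `DataFlow::ConfigSig` / `TaintTracking::Global` API of current CodeQL releases (the class-based `TaintTracking::Configuration` named above is the older form), relies on the library's `RemoteFlowSource` and `QueryInjectionSink` models, and the query `@id` and `@name` are placeholders.

```ql
/**
 * @name SQL query built from user-controlled data (added example)
 * @description Flags JDBC/JPA query strings reachable from remote
 *              input without passing through a barrier.
 * @kind path-problem
 * @problem.severity error
 * @id java/example-jdbc-sql-injection
 * @tags security
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection
import JdbcInjectionFlow::PathGraph

/** Taint configuration: remote input flowing into a SQL query sink. */
module JdbcInjectionConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    // Servlet request parameters, Spring @RequestParam, etc.,
    // as modelled by the standard library.
    source instanceof RemoteFlowSource
  }

  predicate isSink(DataFlow::Node sink) {
    // Query-string arguments of java.sql.Statement.execute*,
    // JPA createQuery and similar, as modelled by the library.
    sink instanceof QueryInjectionSink
  }

  predicate isBarrier(DataFlow::Node node) {
    // Numeric and boolean values cannot carry SQL syntax, so
    // stop tracking once taint reaches a primitive/boxed type.
    node.getType() instanceof PrimitiveType or
    node.getType() instanceof BoxedType
  }
}

// Global taint tracking (string concatenation, StringBuilder
// appends, etc. are taint steps; plain DataFlow would miss them).
module JdbcInjectionFlow = TaintTracking::Global<JdbcInjectionConfig>;

from JdbcInjectionFlow::PathNode source, JdbcInjectionFlow::PathNode sink
where JdbcInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "SQL query depends on $@.",
  source.getNode(), "user-provided value"
```

Run it with `codeql query run` against a Java database; a `PreparedStatement` built with `?` placeholders produces no result because the parameter values never reach a `QueryInjectionSink`.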

- Spring: `@Controller`, `@RequestMapping`, `@Service` annotations
- Servlets: `HttpServletRequest`, `HttpServletResponse` handling
- JSF: Managed beans and view components
- Struts: Action classes and form handling
- JAX-RS: RESTful web service endpoints
- JPA/Hibernate: Entity mapping and query construction

- Collections: `List`, `Set`, `Map` operations and iterations
- I/O operations: `FileInputStream`, `BufferedReader` usage
- Networking: `URL`, `HttpURLConnection` patterns
- Concurrency: `Thread`, `ExecutorService`, `Future` usage
- Reflection: `Class.forName()`, `Method.invoke()` patterns
- Serialization: `ObjectInputStream`, `ObjectOutputStream`
- Database: JDBC `Connection`, `PreparedStatement`, `ResultSet`

- Generics: Type parameter handling and bounds checking
- Annotations: Annotation processing and metadata
- Lambda expressions: Functional interfaces and method references
- Streams: Stream API operations and collectors
- Optional: Null-safe value handling
- Modules: Java 9+ module system
- Records: Data carrier classes (Java 14+)
- Switch expressions: Enhanced switch statements (Java 14+)
- Inheritance: Method overriding and polymorphic dispatch
- Encapsulation: Access modifiers and visibility
- Static vs instance: Different behavior for static and instance members
- Exception hierarchy: Checked vs unchecked exceptions
- Autoboxing: Primitive to wrapper type conversions
- String interning: String literal handling
- Garbage collection: Object lifecycle and memory management

- `qlt query generate new-query` - Generate scaffolding for a new CodeQL query with packs and tests
- `codeql query format`
- `codeql query compile`
- `codeql query run`
- `codeql test run`