JS: downgrade other alerts to js/useless-defensive-code

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 358e6188d98e · 2018-11-13T08:19:38.000+01:00
diff --git a/javascript/ql/src/Expressions/HeterogeneousComparison.ql b/javascript/ql/src/Expressions/HeterogeneousComparison.ql
@@ -15,6 +15,7 @@
 
 import javascript
 private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.DefensiveProgramming
 
 /**
  * Holds if `left` and `right` are the left and right operands, respectively, of `nd`, which is
@@ -198,6 +199,7 @@ from ASTNode cmp,
      int leftTypeCount, int rightTypeCount ,
      string leftTypeDescription, string rightTypeDescription
 where isHeterogeneousComparison(cmp, left, right, leftTypes, rightTypes) and
+      not exists (cmp.(Expr).flow().(DefensiveExpression).getTheTestResult()) and
       not whitelist(left.asExpr()) and
       not whitelist(right.asExpr()) and
       leftExprDescription = capitalize(getDescription(left.asExpr(), "this expression")) and
diff --git a/javascript/ql/src/Statements/UselessConditional.ql b/javascript/ql/src/Statements/UselessConditional.ql
@@ -87,7 +87,7 @@ predicate isConstantBooleanReturnValue(Expr e) {
 predicate whitelist(Expr e) {
   isConstant(e) or
   isConstant(e.(LogNotExpr).getOperand()) or
-  e.flow() instanceof Internal::DefensiveInit or
+  exists (e.flow().(DefensiveExpression).getTheTestResult()) or
   isInitialParameterUse(e) or
   isConstantBooleanReturnValue(e)
 }
diff --git a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.expected b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.expected
@@ -0,0 +1,3 @@
+| tst.js:162:9:162:16 | typeof x | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:162:22:162:30 | undefined | 'undefined' |
+| tst.js:163:9:163:21 | typeof window | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:163:27:163:35 | undefined | 'undefined' |
+| tst.js:165:9:165:16 | typeof x | This expression is of type string, but it is compared to $@ of type undefined. | tst.js:165:22:165:22 | u | variable 'u' |
diff --git a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.qlref b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/HeterogeneousComparison.qlref
@@ -0,0 +1 @@
+Expressions/HeterogeneousComparison.ql
diff --git a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.expected b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.expected
diff --git a/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.qlref b/javascript/ql/test/query-tests/Expressions/UselessDefensiveProgramming/UselessConditional.qlref
@@ -0,0 +1 @@
+Statements/UselessConditional.ql

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ predicate isConstantBooleanReturnValue(Expr e) {`
`87`	`87`	`predicate whitelist(Expr e) {`
`88`	`88`	`isConstant(e) or`
`89`	`89`	`isConstant(e.(LogNotExpr).getOperand()) or`
`90`		`- e.flow() instanceof Internal::DefensiveInit or`
	`90`	`+ exists (e.flow().(DefensiveExpression).getTheTestResult()) or`
`91`	`91`	`isInitialParameterUse(e) or`
`92`	`92`	`isConstantBooleanReturnValue(e)`
`93`	`93`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| tst.js:162:9:162:16 \| typeof x \| This expression is of type string, but it is compared to $@ of type undefined. \| tst.js:162:22:162:30 \| undefined \| 'undefined' \|`
	`2`	`+\| tst.js:163:9:163:21 \| typeof window \| This expression is of type string, but it is compared to $@ of type undefined. \| tst.js:163:27:163:35 \| undefined \| 'undefined' \|`
	`3`	`+\| tst.js:165:9:165:16 \| typeof x \| This expression is of type string, but it is compared to $@ of type undefined. \| tst.js:165:22:165:22 \| u \| variable 'u' \|`