About the query¶

The query we’re going to run searches for inefficient tests for empty strings. For example, Java code such as:

publicclassTestJava{voidmyJavaFun(Strings){booleanb=s.equals("");}}

or Kotlin code such as:

voidmyKotlinFun(s:String){varb=s.equals("")}

In either case, replacings.equals("") withs.isEmpty()would be more efficient.

Finding a CodeQL database to experiment with¶

Before you start writing queries for Java/Kotlin code, you need a CodeQL database to run them against. The simplest way to do this is to download a database for a repository that uses Java/Kotlin directly from GitHub.com.

1. In Visual Studio Code, click theQL icon in the left sidebar to display the CodeQL extension.

2. ClickFrom GitHub or the GitHub logo at the top of the CodeQL extension to open an entry field.

3. Copy the URL for the repository into the field and press the keyboardEnter key. For example,https://github.com/apache/activemq.

4. Optionally, if the repository has more than one CodeQL database available, selectjava to download the database created from the Java/Kotlin code.

Information about the download progress for the database is shown in the bottom right corner of Visual Studio Code. When the download is complete, the database is shown with a check mark in theDatabases section of the CodeQL extension (see screenshot below).

Running a quick query¶

The CodeQL extension for Visual Studio Code adds severalCodeQL: commands to the command palette includingQuick Query, which you can use to run a query without any set up.

1. From the command palette in Visual Studio Code, selectCodeQL: Quick Query.

2. After a moment, a new tabquick-query.ql is opened, ready for you to write a query for your currently selected CodeQL database (here ajava database). If you are prompted to reload your workspace as a multi-folder workspace to allow Quick queries, accept or create a new workspace using the starter workflow.

   

1. In the quick query tab, deleteselect"" and paste the following query beneath the import statementimportjava.

   fromMethodAccessmawherema.getMethod().hasName("equals")andma.getArgument(0).(StringLiteral).getValue()=""selectma,"This comparison to empty string is inefficient, use isEmpty() instead."

   Note that CodeQL treats Java and Kotlin as part of the same language, so even though this query starts withimportjava, it will work for both Java and Kotlin code.

4. Save the query in its default location (a temporary “Quick Queries” directory under the workspace forGitHub.vscode-codeql/quick-queries).

5. Right-click in the query tab and selectCodeQL: Run Query on Selected Database. (Alternatively, run the command from the Command Palette.)

   The query will take a few moments to return results. When the query completes, the results are displayed in a CodeQL Query Results view, next to the main editor view.

   The query results are listed in two columns, corresponding to the expressions in theselect clause of the query. The first column corresponds to the expressionma and is linked to the location in the source code of the project wherema occurs. The second column is the alert message.

If any matching code is found, click a link in thema column to view the.equals expression in the code viewer.

Note

If you want to move your experimental query somewhere more permanent, you need to move the wholeQuickQueries directory. The directory is a CodeQL pack with aqlpack.yml file that defines the content as queries for Java/Kotlin CodeQL databases. For more information about CodeQL packs, see “Managing CodeQL query packs and library packs.”

Extend the query¶

Query writing is an inherently iterative process. You write a simple query and then, when you run it, you discover examples that you had not previously considered, or opportunities for improvement.

publicclassTestJava{voidmyJavaFun(Objecto){booleanb=o.equals("");}}

Further reading¶

• CodeQL queries for Java

• Example queries for Java

• CodeQL library reference for Java

• “QL language reference”

• “CodeQL tools”