https://codeql.github.com/docs/codeql-language-guides/navigating-the-call-graph/

两个重要的类

Callable
A Callable is something that can be invoked.
Call
A Call is something that invokes a Callable.

点击查看【processon】
代码示例

  1. class Super {
  2.     int x;
  4.     // callable
  5.     public Super() {
  6.         this(23);       // call
  7.     }
  9.     // callable
  10.     public Super(int x) {
  11.         this.x = x;
  12.     }
  14.     // callable
  15.     public int getX() {
  16.         return x;
  17.     }
  18. }
  20.     class Sub extends Super {
  21.     // callable
  22.     public Sub(int x) {
  23.         super(x+19);    // call
  24.     }
  26.     // callable
  27.     public int getX() {
  28.         return x-19;
  29.     }
  30. }
  32. class Client {
  33.     // callable
  34.     public static void main(String[] args) {
  35.         Super s = new Sub(42);  // call
  36.         s.getX();               // call
  37.     }
  38. }

成员谓词

Call类

getCallee谓词,Gets the target callable of this call.

  1. Callable Call::getCallee()

getCaller谓词,Gets the callable invoking this call.

  1. Callable Call::getCaller()

代码示例

  1. import java
  3. from Call sink
  4. select sink,sink.getCallee(),sink.getCaller()

结果匹配示例

sink sink.getCallee() sink.getCaller()
request.getHeader(“x-requested-with”) getHeader commence

image.png
在如上代码中sink是MethodAccess类型,commence是Method类型

Callable类

calls谓词,Holds if this callable calls target,如果这个Callable调用了target则返回True

  1. predicate Callable::calls(Callable target)

polyCalls谓词,如果这个Callable直接调用了m,或者间接调用(Callable调用的某个方法覆盖了m)了m则返回True

  1. predicate Callable::polyCalls(Callable m)

代码示例

  1. import java
  3. from Callable caller, Callable callee
  4. where caller.calls(callee)
  5. select caller, callee

匹配结果示例

image.png

查找未被调用的方法

寻找已经被定义,但是从未被调用过的方法