Skip to content

basic-query-for-rust-code.rst

Latest commit

 

History

History
131 lines (85 loc) · 9.39 KB

basic-query-for-rust-code.rst

File metadata and controls

131 lines (85 loc) · 9.39 KB

Basic query for Rust code

Learn to write and run a simple CodeQL query using Visual Studio Code with the CodeQL extension.

About the query

The query we're going to run performs a basic search of the code for if expressions that are redundant, in the sense that they have an empty then branch. For example, code such as:

if error {
  // we should handle the error
}

Running a quick query

  1. In the quick query tab, delete the content and paste in the following query.

    import rust

from IfExpr ifExpr
where ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0
select ifExpr, "This 'if' expression is redundant."

../images/codeql-for-visual-studio-code/basic-rust-query-results-1.png

If any matching code is found, click a link in the ifExpr column to open the file and highlight the matching if expression.

../images/codeql-for-visual-studio-code/basic-rust-query-results-2.png

About the query structure

After the initial import statement, this simple query comprises three parts that serve similar purposes to the FROM, WHERE, and SELECT parts of an SQL query.

Query part Purpose Details
import rust Imports the standard CodeQL AST libraries for Rust. Every query begins with one or more import statements.
from IfExpr ifExpr Defines the variables for the query. Declarations are of the form: <type> <variable name> We use: an IfExpr variable for if expressions.
where ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0 Defines a condition on the variables. ifExpr.getThen(): gets the then branch of the if expression. .(BlockExpr): requires that the then branch is a block expression ({ }). .getStmtList(): gets the list of things in the block. .getNumberOfStmtOrExpr() = 0: requires that there are no statements or expressions in the block.
select ifExpr, "This 'if' expression is redundant."

Defines what to report for each match.

select statements for queries that are used to find instances of poor coding practice are always in the form: select <program element>, "<alert message>"

 Reports the resulting if expression with a string that explains the problem.

Extend the query

Query writing is an inherently iterative process. You write a simple query and then, when you run it, you discover examples that you had not previously considered, or opportunities for improvement.

Remove false positive results

Browsing the results of our basic query shows that it could be improved. Among the results you are likely to find examples of if expressions with an else branch, where an empty then branch does serve a purpose. For example:

if (option == "-verbose") {
  // nothing to do - handled earlier
} else {
  handleError("unrecognized option")
}

In this case, identifying the if expression with the empty then branch as redundant is a false positive. One solution to this is to modify the query to select if expressions where both the then and else branches are missing.

To exclude if expressions that have an else branch:

  1. Add the following to the where clause:

    and not exists(ifExpr.getElse())

    The where clause is now:

    where
  ifExpr.getThen().(BlockExpr).getStmtList().getNumberOfStmtOrExpr() = 0 and
  not exists(ifExpr.getElse())

  2. Re-run the query.

    There are now fewer results because if expressions with an else branch are no longer included.

Further reading