Java: Remove the hardcoded path filter that excluded CodeQL's own unit tests from the java/visible-for-testing-abuse query.

Napalys · Napalys · commit 4149968f33f8 · 2025-08-24T09:58:35.000Z
diff --git a/java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.ql b/java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.ql
@@ -93,11 +93,6 @@ where
   // not when the accessing method or any enclosing method is @VisibleForTesting (test-to-test communication)
   not isWithinVisibleForTestingContext(e.getEnclosingCallable()) and
   // not when used in annotation contexts
-  not e.getParent*() instanceof Annotation and
-  // also omit our own ql unit test where it is acceptable
-  not e.getEnclosingCallable()
-      .getFile()
-      .getAbsolutePath()
-      .matches("%java/ql/test/query-tests/%Test.java")
+  not e.getParent*() instanceof Annotation
 select e, "Access of $@ annotated with VisibleForTesting found in production code.", annotated,
   "element"
diff --git a/java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.expected b/java/ql/test/query-tests/VisibleForTestingAbuse/VisibleForTestingAbuse.expected
@@ -15,3 +15,5 @@
 | packagetwo/Source.java:20:28:20:47 | new AnnotatedClass(...) | Access of $@ annotated with VisibleForTesting found in production code. | packageone/AnnotatedClass.java:4:14:4:27 | AnnotatedClass | element |
 | packagetwo/Source.java:24:30:24:40 | Annotated.m | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:7:19:7:19 | m | element |
 | packagetwo/Source.java:28:27:28:39 | f(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:16:16:16:16 | f | element |
+| packagetwo/Test.java:24:30:24:40 | Annotated.m | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:7:19:7:19 | m | element |
+| packagetwo/Test.java:28:27:28:39 | f(...) | Access of $@ annotated with VisibleForTesting found in production code. | packagetwo/Annotated.java:16:16:16:16 | f | element |
diff --git a/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Test.java b/java/ql/test/query-tests/VisibleForTestingAbuse/packagetwo/Test.java
@@ -21,11 +21,11 @@ void f() {
         
         // Lambda usage
         Runnable lambda = () -> {
-            String lambdaS = Annotated.m; // COMPLIANT
+            String lambdaS = Annotated.m; // $ SPURIOUS: Alert
             String lambdaS1 = Annotated.m1; // COMPLIANT
             String lambdaS2 = Annotated.m2; // COMPLIANT
             
-            int lambdaI = Annotated.f(); // COMPLIANT
+            int lambdaI = Annotated.f(); // $ SPURIOUS: Alert
             int lambdaI2 = Annotated.fPublic(); // COMPLIANT
             int lambdaI3 = Annotated.fProtected(); // COMPLIANT
         };
