Open smith-co opened 1 year ago
We do have local def-use pairs at https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/dataflow/DefUse.qll#L34 (though normally one would query single-step local flow using DataFlow::localFlowStep), and our dataflow analysis can track flow interprocedurally. Whether this is suitable for program slicing though depends on whether you need a conservative slice (i.e., one that is guaranteed to preserve program behaviour for control flow that does not leave the slice). In particular CodeQL does not use a conservative alias analysis, which means our data-flow analysis produces false negatives in some situations involving aliasing, which would lead to slicing away too much code. Whether this is tolerable depends on your use case.
CodeQL doesn't work on incomplete code: to create a CodeQL database you need to supply a working build command, such as codeql database create -c "mvn package". You may be able to work around incomplete scenarios by generating stubs so that it is possible to compile partial code.
Finally for output, CodeQL databases don't contain the full Java code of a function, so if you used a CodeQL query to determine what functions / classes needed to be kept or discarded from a slice, you would need to use a separate tool to actually generate a sliced .java file.
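A sketch of the local, data-flow-only backward slice the reply above describes, added here as an example and not taken from the CodeQL repository or from either poster. The method name `process` and variable name `result` are hypothetical slicing criteria; the query reports file and line positions only, since the database does not hold the source text needed to emit a sliced .java file.

```ql
import java
import semmle.code.java.dataflow.DataFlow

/**
 * Slicing criterion (hypothetical names): every read or write access to a
 * variable called `result` inside a method or constructor called `process`.
 */
predicate criterion(DataFlow::Node n) {
  exists(VarAccess va |
    va = n.asExpr() and
    va.getVariable().hasName("result") and
    va.getEnclosingCallable().hasName("process")
  )
}

from DataFlow::Node src, DataFlow::Node sink
where
  criterion(sink) and
  // localFlow is zero or more DataFlow::localFlowStep steps, so this is the
  // intraprocedural backward closure from the criterion. It follows data
  // dependencies only: control dependencies are not included, and flows that
  // exist only through heap aliasing may be missing (false negatives).
  DataFlow::localFlow(src, sink)
select src.getLocation().getFile().getRelativePath(),
  src.getLocation().getStartLine(), src
```

The reported positions are the input a separate source-rewriting tool would need to keep the corresponding statements; anything the query misses because of aliasing would be sliced away.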
Came across CodeQL and this library looks promising!
I have to extract:
I want to feed the following depending on the need:
Will CodeQL work on incomplete code? I don't want three address code as output and I just want the actual sliced code as the output.
Is there a working example in this regard? I would really appreciate your response.