github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

False positive - cs/unused-reftype - C# #15278

Open paoloverdini97 opened 6 months ago

paoloverdini97 commented 6 months ago

Hello! Here is an explanation of the false positive found in our C# projects.

Description of the false positive

The false positives involve cs/unused-reftype, specifically the query DeadRefTypes.ql. This query should search for NON-public and NON-used reference types (classes or interfaces). Looking at the query, we can see that the filter is well formed (https://github.com/github/codeql/blob/main/csharp/ql/src/Dead%20Code/DeadRefTypes.ql) with the line `not (t.isPublic() or t.isProtected())`.

The fact is that CodeQL creates a lot of issues with this query that are absolutely not compliant with this specification (they are public or internal classes/interfaces, and they are also used).

Another strange thing is that some reference types are written as arrays ("[]"). For example, there is a public class Foo that is used, and the report says "Unused reference type Foo[].", which is completely wrong.

Code samples

```csharp
public class SomeClass
```

Report: "Unused reference type SomeClass[]."

Also:

```csharp
public class AnotherClass
```

Report: "Unused reference type AnotherClass"
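A minimal reproduction file for the behaviour the report describes, added here as an example and not taken from the original issue or from the CodeQL repository. It encodes the expectations stated above: a public type that is used (directly and through an array field) should not be reported, an internal type that is used should not be reported, and only an internal type that nothing references should be. The type names (Widget, WidgetRegistry, Counter, CounterUser, Orphan) are assumed for illustration; whether the query actually reports them is what the issue is about, so the comments state the expected result, not an observed one.

```csharp
// Added example, not from the original issue: a self-contained C# file that
// encodes the expectations stated in the report for cs/unused-reftype.
// All type names here are assumed for illustration.
namespace DeadRefTypeRepro
{
    // Public and used (by WidgetRegistry below): must not be reported, neither
    // as "Widget" nor as the array type "Widget[]".
    public class Widget
    {
        public string Name { get; set; } = string.Empty;
    }

    // Public and used (by Program.Main): holds an array of Widget, which is the
    // only place an array type "Widget[]" appears in this file.
    public class WidgetRegistry
    {
        private readonly Widget[] _widgets = new Widget[4];

        public Widget Get(int index) => _widgets[index];
    }

    // Internal and used (by CounterUser): the query's filter keeps internal
    // types, so usage is what should keep this one out of the results.
    internal class Counter
    {
        public int Value;
    }

    // Internal and used (by Program.Main).
    internal static class CounterUser
    {
        public static int Bump(Counter counter) => ++counter.Value;
    }

    // Internal and never referenced anywhere: the one type the query is
    // expected to report.
    internal class Orphan
    {
    }

    public static class Program
    {
        public static void Main()
        {
            var registry = new WidgetRegistry();
            System.Console.WriteLine(registry.Get(0) is null);
            System.Console.WriteLine(CounterUser.Bump(new Counter()));
        }
    }
}
```

Putting this file in an otherwise empty project and running the C# code scanning queries gives a single-file check: any result other than one on Orphan is a false positive of the kind described above, and a result on Widget[] would pin down the array-type reporting specifically.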

MathiasVP commented 6 months ago

Indeed, this looks like a false positive. Thank you for reporting it!

Our current focus is on improving our security analysis. Because your report does not relate to a security query, we will put this on our backlog and prioritize it if we get enough reports of the same underlying issue in other projects. If you think that your report is related to our security analysis, please clarify that in a comment. Either way, we'll let you know here as soon as it's fixed!