False positive: Unread local variable used in Java assert - Githubissues

github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security

https://codeql.github.com

MIT License

7.53k stars 1.5k forks source link

False positive: Unread local variable used in Java assert #17531

Open simonhir opened 2 hours ago

simonhir commented 2 hours ago

Description of the false positive

Variables that are only used in junit assert statements like assertEquals are marked as Unread local variable.

Code samples or links to source code

I.e. https://github.com/it-at-m/refarch/blob/e18859331d0f55b43aae3170f947b840df1fde9c/refarch-integrations/refarch-dms-integration/refarch-dms-integration-core/src/test/java/de/muenchen/refarch/integration/dms/adapter/out/fabasoft/FabasoftAdapterTest.java#L84-L86 where procedureResponse is marked as Unread local variable. This makes also no difference if Lombok val is used or the direct type.

Above code extracted for reference:

val procedureResponse = fabasoftAdapter.createFile(file, "user");
assertEquals(procedureResponse, "1234567890");

URL to the alert on GitHub code scanning (optional)

https://github.com/it-at-m/refarch/security/code-scanning/36 https://github.com/it-at-m/refarch/security/code-scanning/55 (same line but with direct type String)

simonhir commented 2 hours ago

Could be a duplicate of https://github.com/github/codeql/issues/11989 but not really sure.