github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Java: `Nullness.unboxed` does not use `ConversionSite` #5763

Open Marcono1234 opened 3 years ago

Marcono1234 commented 3 years ago

The private predicate `unboxed` of `semmle.code.java.dataflow.Nullness` seems to match locations where an implicit conversion from boxed to primitive type occurs: https://github.com/github/codeql/blob/a7030c7fed4811f63c70d8fe67941f67b045b3aa/java/ql/src/semmle/code/java/dataflow/Nullness.qll#L54

Would it maybe be better to use `ConversionSite` of `semmle.code.java.Conversions` for this to avoid code duplication, or was this done intentionally (for performance reasons)?
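For readers unfamiliar with what "locations where an implicit conversion from boxed to primitive type occurs" means in practice, the following is an added example (not code from the CodeQL repository or from the issue author) that enumerates the Java expression positions where such an unboxing happens, and therefore where a `null` boxed value turns into a `NullPointerException`. Each marked line is one site a nullness predicate has to cover; the class, map and method names are hypothetical and the map contents are constructed so that lookups of missing keys return `null`.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not part of the CodeQL project: each marked line is an
// implicit boxed-to-primitive conversion site. If the boxed value is null,
// the hidden intValue()/booleanValue() call throws NullPointerException.
public class UnboxingSites {
    // Constructed sample: Map.get returns null for keys that were never put.
    private static final Map<String, Integer> LIMITS = new HashMap<>();

    static int assignment(String key) {
        int limit = LIMITS.get(key);             // unboxing on assignment to a primitive
        return limit;
    }

    static int arithmetic(String key) {
        return LIMITS.get(key) + 1;              // unboxing as an arithmetic operand
    }

    static int comparison(String key) {
        return LIMITS.get(key) > 0 ? 1 : -1;     // unboxing for a relational operator
    }

    static boolean condition(Boolean flag) {
        if (flag) {                              // unboxing in an if condition
            return true;
        }
        return false;
    }

    static void takesPrimitive(int n) {
    }

    static void argument(String key) {
        takesPrimitive(LIMITS.get(key));         // unboxing at a method-call argument
    }

    static int ternary(String key, boolean useDefault) {
        // int and Integer operands make the result type int, so the Integer branch
        // is unboxed whenever it is the one selected.
        return useDefault ? 0 : LIMITS.get(key);
    }

    static void switchOn(Integer code) {
        switch (code) {                          // unboxing of the switch selector
            default:
                break;
        }
    }

    // Safe counterpart: keep the value boxed and guard the only unboxing with a null check.
    static int safe(String key) {
        Integer limit = LIMITS.get(key);         // Integer to Integer: no conversion here
        return limit == null ? 0 : limit;        // unboxed only on the non-null branch
    }

    public static void main(String[] args) {
        try {
            assignment("missing");
        } catch (NullPointerException e) {
            System.out.println("assignment: NPE from implicit unboxing of null");
        }
        System.out.println("safe: " + safe("missing"));
    }
}
```

Running `main` shows the first call failing with a `NullPointerException` raised at the assignment line, not at the `Map.get` call, which is exactly why a query needs the conversion site rather than the dereference to report a useful location.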

RasmusWL commented 3 years ago

I'll leave this for the Java team to look at whether such a refactoring would make sense :blush: