Java: Renamed query java/mocking-all-non-private-methods-means-unit-test-is-too-big to java/excessive-public-method-mocking and changed wording from non-private to public

Author: Napalys

java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected

@@ -37,7 +37,7 @@ ql/java/ql/src/Likely Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchOnBoxedType.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchSetUnsynchGet.ql
 ql/java/ql/src/Likely Bugs/Frameworks/JUnit/JUnit5MissingNestedAnnotation.ql
-ql/java/ql/src/Likely Bugs/Frameworks/JUnit/MockingAllNonPrivateMethodsMeansUnitTestIsTooBig.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/ExcessivePublicMethodMocking.ql
 ql/java/ql/src/Likely Bugs/Inheritance/NoNonFinalInConstructor.ql
 ql/java/ql/src/Likely Bugs/Likely Typos/ContainerSizeCmpZero.ql
 ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql

java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected

@@ -35,7 +35,7 @@ ql/java/ql/src/Likely Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchOnBoxedType.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchSetUnsynchGet.ql
 ql/java/ql/src/Likely Bugs/Frameworks/JUnit/JUnit5MissingNestedAnnotation.ql
-ql/java/ql/src/Likely Bugs/Frameworks/JUnit/MockingAllNonPrivateMethodsMeansUnitTestIsTooBig.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/ExcessivePublicMethodMocking.ql
 ql/java/ql/src/Likely Bugs/Inheritance/NoNonFinalInConstructor.ql
 ql/java/ql/src/Likely Bugs/Likely Typos/ContainerSizeCmpZero.ql
 ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql

java/ql/src/Likely Bugs/Frameworks/JUnit/MockingAllNonPrivateMethodsMeansUnitTestIsTooBig.md renamed to java/ql/src/Likely Bugs/Frameworks/JUnit/ExcessivePublicMethodMocking.md

@@ -1,6 +1,6 @@
 ## Overview
 
-Mocking methods of a class is necessary for unit tests to run without overhead caused by expensive I/O operations. However, when a unit test ends up mocking all non-private methods of a class, it may indicate that the test is too complicated, possibly because it is trying to test multiple things at once. Such extensive mocking is likely a signal that the scope of the unit test is reaching beyond a single unit of functionality.
+Mocking methods of a class is necessary for unit tests to run without overhead caused by expensive I/O operations. However, when a unit test ends up mocking all public methods of a class, it may indicate that the test is too complicated, possibly because it is trying to test multiple things at once. Such extensive mocking is likely a signal that the scope of the unit test is reaching beyond a single unit of functionality.
 
 ## Recommendation
 

java/ql/src/Likely Bugs/Frameworks/JUnit/MockingAllNonPrivateMethodsMeansUnitTestIsTooBig.ql renamed to java/ql/src/Likely Bugs/Frameworks/JUnit/ExcessivePublicMethodMocking.ql

@@ -1,7 +1,8 @@
 /**
- * @id java/mocking-all-non-private-methods-means-unit-test-is-too-big
- * @name Mocking all non-private methods of a class may indicate the unit test is testing too much
- * @description Mocking all non-private methods provided by a class might indicate the unit test
+ * @id java/excessive-public-method-mocking
+ * @previous-id java/mocking-all-non-private-methods-means-unit-test-is-too-big
+ * @name Mocking all public methods of a class may indicate the unit test is testing too much
+ * @description Mocking all public methods provided by a class might indicate the unit test
  *              aims to test too many things.
  * @kind problem
  * @precision high

java/ql/src/Violations of Best Practice/Implementation Hiding/VisibleForTestingAbuse.ql

@@ -0,0 +1,98 @@
+/**
+ * @id java/visible-for-testing-abuse
+ * @name Use of VisibleForTesting in production code
+ * @description Accessing methods, fields or classes annotated with `@VisibleForTesting` from
+ *              production code goes against the intention of the annotation and may indicate
+ *              programmer error.
+ * @kind problem
+ * @precision high
+ * @problem.severity warning
+ * @tags quality
+ *       maintainability
+ *       readability
+ */
+
+import java
+
+/**
+ * Holds if a `Callable` is within the same type hierarchy as `RefType`
+ * (including through lambdas, inner classes, and outer classes)
+ */
+predicate isWithinType(Callable c, RefType t) {
+  // Either the callable is in the target type, or they share a common enclosing type
+  c.getDeclaringType().getEnclosingType*() = t.getEnclosingType*()
+}
+
+/**
+ * Holds if `e` is within the same package as `t`
+ */
+predicate isWithinPackage(Expr e, RefType t) {
+  e.getCompilationUnit().getPackage() = t.getPackage()
+}
+
+/**
+ * Holds if a callable or any of its enclosing callables is annotated with @VisibleForTesting
+ */
+predicate isWithinVisibleForTestingContext(Callable c) {
+  c.getAnAnnotation().getType().hasName("VisibleForTesting")
+  or
+  isWithinVisibleForTestingContext(c.getEnclosingCallable())
+}
+
+from Annotatable annotated, Expr e
+where
+  annotated.getAnAnnotation().getType().hasName("VisibleForTesting") and
+  (
+    // field access
+    e =
+      any(FieldAccess v |
+        v.getField() = annotated and
+        // depending on the visibility of the field, using the annotation to abuse the visibility may/may not be occurring
+        (
+          // if its package protected report when its used outside its class because it should have been private (class only permitted)
+          v.getField().isPackageProtected() and
+          not isWithinType(v.getEnclosingCallable(), v.getField().getDeclaringType())
+          or
+          // if public or protected report when its used outside its package because package protected should have been enough (package only permitted)
+          (v.getField().isPublic() or v.getField().isProtected()) and
+          not isWithinPackage(v, v.getField().getDeclaringType())
+        )
+      )
+    or
+    // method access
+    e =
+      any(MethodCall c |
+        c.getMethod() = annotated and
+        // depending on the visibility of the method, using the annotation to abuse the visibility may/may not be occurring
+        (
+          // if its package protected report when its used outside its class because it should have been private (class only permitted)
+          c.getMethod().isPackageProtected() and
+          not isWithinType(c.getEnclosingCallable(), c.getMethod().getDeclaringType())
+          or
+          // if public or protected report when its used outside its package because package protected should have been enough (package only permitted)
+          (c.getMethod().isPublic() or c.getMethod().isProtected()) and
+          not isWithinPackage(c, c.getMethod().getDeclaringType())
+        )
+      )
+    or
+    // Class instantiation - report if used outside appropriate scope
+    e =
+      any(ClassInstanceExpr c |
+        c.getConstructedType() = annotated and
+        (
+          c.getConstructedType().isPublic() and not isWithinPackage(c, c.getConstructedType())
+          or
+          c.getConstructedType().hasNoModifier() and
+          c.getConstructedType() instanceof NestedClass and
+          not isWithinType(c.getEnclosingCallable(), c.getConstructedType())
+        )
+      )
+  ) and
+  // not in a test where use is appropriate
+  not e.getEnclosingCallable() instanceof LikelyTestMethod and
+  // not when the accessing method or any enclosing method is @VisibleForTesting (test-to-test communication)
+  not isWithinVisibleForTestingContext(e.getEnclosingCallable()) and
+  // not when used in annotation contexts
+  not e.getParent*() instanceof Annotation
+select e, "Access of $@ annotated with VisibleForTesting found in production code.", annotated,
+  "element"

java/ql/test/query-tests/MockingAllNonPrivateMethodsMeansUnitTestIsTooBig/Employee.java renamed to java/ql/test/query-tests/ExcessivePublicMethodMocking/Employee.java

@@ -0,0 +1,2 @@
+query: Likely Bugs/Frameworks/JUnit/ExcessivePublicMethodMocking.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql