Add CodeQL GitHub code scanning workflow (#2076)

* Add CodeQL GitHub code scanning workflow

* Only compile main sources for code scanning

* Move test .proto  files to test sources

`annotations.proto` also seems to be only relevant for tests because the test
explicitly registers them as extensions. By default the Proto adapter does not
consider them.

* Address some code scanning findings

* Fix some more findings

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,46 @@
+# Based on default config generated by GitHub, see also https://github.com/github/codeql-action
+
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+  schedule:
+    # Run every Monday at 16:10
+    - cron: '10 16 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # Run all security queries and maintainability and reliability queries
+        queries: +security-and-quality
+
+    # Only compile main sources, but ignore test sources because findings for them might not
+    # be that relevant (though GitHub security view also allows filtering by source type)
+    # Can replace this with github/codeql-action/autobuild action to run complete build
+    - name: Compile sources
+      run: |
+        mvn compile
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

extras/src/main/java/com/google/gson/interceptors/InterceptorFactory.java

@@ -12,7 +12,7 @@
  * A type adapter factory that implements {@code @Intercept}.
  */
 public final class InterceptorFactory implements TypeAdapterFactory {
-  public <T> TypeAdapter<T> create(Gson gson, TypeToken<T> type) {
+  @Override public <T> TypeAdapter<T> create(Gson gson, TypeToken<T> type) {
     Intercept intercept = type.getRawType().getAnnotation(Intercept.class);
     if (intercept == null) {
       return null;

extras/src/test/java/com/google/gson/interceptors/InterceptorTest.java

@@ -141,7 +141,7 @@ public User(String name, String password) {
   }
 
   public static final class UserValidator implements JsonPostDeserializer<User> {
-    public void postDeserialize(User user) {
+    @Override public void postDeserialize(User user) {
       if (user.name == null || user.password == null) {
         throw new JsonSyntaxException("name and password are required fields.");
       }
@@ -161,7 +161,7 @@ private static final class Address {
   }
 
   public static final class AddressValidator implements JsonPostDeserializer<Address> {
-    public void postDeserialize(Address address) {
+    @Override public void postDeserialize(Address address) {
       if (address.city == null || address.state == null || address.zip == null) {
         throw new JsonSyntaxException("Address city, state and zip are required fields.");
       }

extras/src/test/java/com/google/gson/typeadapters/PostConstructAdapterFactoryTest.java

@@ -70,6 +70,7 @@ public Sandwich(String bread, String cheese) {
             }
         }
 
+        @Override
         public boolean equals(Object o) {
             if (o == this) {
                 return true;
@@ -95,6 +96,7 @@ public MultipleSandwiches(List<Sandwich> sandwiches) {
             this.sandwiches = sandwiches;
         }
 
+        @Override
         public boolean equals(Object o) {
             if (o == this) {
                 return true;

extras/src/test/java/com/google/gson/typeadapters/UtcDateTypeAdapterTest.java

@@ -16,18 +16,16 @@
 
 package com.google.gson.typeadapters;
 
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonParseException;
 import java.text.SimpleDateFormat;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
 import java.util.TimeZone;
-
-import com.google.gson.JsonParseException;
 import junit.framework.TestCase;
 
-import com.google.gson.Gson;
-import com.google.gson.GsonBuilder;
-
 public final class UtcDateTypeAdapterTest extends TestCase {
   private final Gson gson = new GsonBuilder()
     .registerTypeAdapter(Date.class, new UtcDateTypeAdapter())
@@ -83,7 +81,7 @@ public void testWellFormedParseException() {
       gson.fromJson("2017-06-20T14:32:30", Date.class);
       fail("No exception");
     } catch (JsonParseException exe) {
-      assertEquals(exe.getMessage(), "java.text.ParseException: Failed to parse date ['2017-06-20T14']: 2017-06-20T14");
+      assertEquals("java.text.ParseException: Failed to parse date ['2017-06-20T14']: 2017-06-20T14", exe.getMessage());
     }
   }
 }

gson/src/main/java/com/google/gson/JsonArray.java

@@ -187,6 +187,7 @@ public boolean isEmpty() {
    *
    * @return an iterator to navigate the elements of the array.
    */
+  @Override
   public Iterator<JsonElement> iterator() {
     return elements.iterator();
   }
@@ -341,13 +342,12 @@ public byte getAsByte() {
     throw new IllegalStateException();
   }
 
+  @Deprecated
   @Override
   public char getAsCharacter() {
     if (elements.size() == 1) {
       JsonElement element = elements.get(0);
-      @SuppressWarnings("deprecation")
-      char result = element.getAsCharacter();
-      return result;
+      return element.getAsCharacter();
     }
     throw new IllegalStateException();
   }

gson/src/main/java/com/google/gson/JsonStreamParser.java

@@ -59,7 +59,7 @@ public final class JsonStreamParser implements Iterator<JsonElement> {
    * @since 1.4
    */
   public JsonStreamParser(String json) {
-    this(new StringReader(json));      
+    this(new StringReader(json));
   }
 
   /**
@@ -81,6 +81,7 @@ public JsonStreamParser(Reader reader) {
    * @throws NoSuchElementException if no {@code JsonElement} is available.
    * @since 1.4
    */
+  @Override
   public JsonElement next() throws JsonParseException {
     if (!hasNext()) {
       throw new NoSuchElementException();
@@ -103,6 +104,7 @@ public JsonElement next() throws JsonParseException {
    * @throws JsonSyntaxException if the incoming stream is malformed JSON.
    * @since 1.4
    */
+  @Override
   public boolean hasNext() {
     synchronized (lock) {
       try {
@@ -120,6 +122,7 @@ public boolean hasNext() {
    * implemented.
    * @since 1.4
    */
+  @Override
   public void remove() {
     throw new UnsupportedOperationException();
   }

gson/src/main/java/com/google/gson/internal/$Gson$Types.java

@@ -505,15 +505,15 @@ public ParameterizedTypeImpl(Type ownerType, Type rawType, Type... typeArguments
       }
     }
 
-    public Type[] getActualTypeArguments() {
+    @Override public Type[] getActualTypeArguments() {
       return typeArguments.clone();
     }
 
-    public Type getRawType() {
+    @Override public Type getRawType() {
       return rawType;
     }
 
-    public Type getOwnerType() {
+    @Override public Type getOwnerType() {
       return ownerType;
     }
 
@@ -552,7 +552,7 @@ public GenericArrayTypeImpl(Type componentType) {
       this.componentType = canonicalize(componentType);
     }
 
-    public Type getGenericComponentType() {
+    @Override public Type getGenericComponentType() {
       return componentType;
     }
 
@@ -601,11 +601,11 @@ public WildcardTypeImpl(Type[] upperBounds, Type[] lowerBounds) {
       }
     }
 
-    public Type[] getUpperBounds() {
+    @Override public Type[] getUpperBounds() {
       return new Type[] { upperBound };
     }
 
-    public Type[] getLowerBounds() {
+    @Override public Type[] getLowerBounds() {
       return lowerBound != null ? new Type[] { lowerBound } : EMPTY_TYPE_ARRAY;
     }
 

gson/src/main/java/com/google/gson/internal/Excluder.java

@@ -108,7 +108,7 @@ public Excluder withExclusionStrategy(ExclusionStrategy exclusionStrategy,
     return result;
   }
 
-  public <T> TypeAdapter<T> create(final Gson gson, final TypeToken<T> type) {
+  @Override public <T> TypeAdapter<T> create(final Gson gson, final TypeToken<T> type) {
     Class<?> rawType = type.getRawType();
     boolean excludeClass = excludeClassChecks(rawType);
 

gson/src/main/java/com/google/gson/internal/LinkedTreeMap.java

@@ -41,7 +41,7 @@
 public final class LinkedTreeMap<K, V> extends AbstractMap<K, V> implements Serializable {
   @SuppressWarnings({ "unchecked", "rawtypes" }) // to avoid Comparable<Comparable<Comparable<...>>>
   private static final Comparator<Comparable> NATURAL_ORDER = new Comparator<Comparable>() {
-    public int compare(Comparable a, Comparable b) {
+    @Override public int compare(Comparable a, Comparable b) {
       return a.compareTo(b);
     }
   };
@@ -466,15 +466,15 @@ static final class Node<K, V> implements Entry<K, V> {
       next.prev = this;
     }
 
-    public K getKey() {
+    @Override public K getKey() {
       return key;
     }
 
-    public V getValue() {
+    @Override public V getValue() {
       return value;
     }
 
-    public V setValue(V value) {
+    @Override public V setValue(V value) {
       V oldValue = this.value;
       this.value = value;
       return oldValue;
@@ -534,7 +534,7 @@ private abstract class LinkedTreeMapIterator<T> implements Iterator<T> {
     LinkedTreeMapIterator() {
     }
 
-    public final boolean hasNext() {
+    @Override public final boolean hasNext() {
       return next != header;
     }
 
@@ -550,7 +550,7 @@ final Node<K, V> nextNode() {
       return lastReturned = e;
     }
 
-    public final void remove() {
+    @Override public final void remove() {
       if (lastReturned == null) {
         throw new IllegalStateException();
       }
@@ -567,7 +567,7 @@ class EntrySet extends AbstractSet<Entry<K, V>> {
 
     @Override public Iterator<Entry<K, V>> iterator() {
       return new LinkedTreeMapIterator<Entry<K, V>>() {
-        public Entry<K, V> next() {
+        @Override public Entry<K, V> next() {
           return nextNode();
         }
       };
@@ -602,7 +602,7 @@ final class KeySet extends AbstractSet<K> {
 
     @Override public Iterator<K> iterator() {
       return new LinkedTreeMapIterator<K>() {
-        public K next() {
+        @Override public K next() {
           return nextNode().key;
         }
       };

gson/src/main/java/com/google/gson/internal/Streams.java

@@ -105,13 +105,13 @@ private static final class AppendableWriter extends Writer {
      */
     static class CurrentWrite implements CharSequence {
       char[] chars;
-      public int length() {
+      @Override public int length() {
         return chars.length;
       }
-      public char charAt(int i) {
+      @Override public char charAt(int i) {
         return chars[i];
       }
-      public CharSequence subSequence(int start, int end) {
+      @Override public CharSequence subSequence(int start, int end) {
         return new String(chars, start, end - start);
       }
     }

gson/src/main/java/com/google/gson/stream/JsonReader.java

@@ -1212,7 +1212,7 @@ public int nextInt() throws IOException {
   /**
    * Closes this JSON reader and the underlying {@link java.io.Reader}.
    */
-  public void close() throws IOException {
+  @Override public void close() throws IOException {
     peeked = PEEKED_NONE;
     stack[0] = JsonScope.CLOSED;
     stackSize = 1;

gson/src/main/java/com/google/gson/stream/JsonWriter.java

@@ -571,7 +571,7 @@ public JsonWriter value(Number value) throws IOException {
    * Ensures all buffered data is written to the underlying {@link Writer}
    * and flushes that writer.
    */
-  public void flush() throws IOException {
+  @Override public void flush() throws IOException {
     if (stackSize == 0) {
       throw new IllegalStateException("JsonWriter is closed.");
     }
@@ -583,7 +583,7 @@ public void flush() throws IOException {
    *
    * @throws IOException if the JSON document is incomplete.
    */
-  public void close() throws IOException {
+  @Override public void close() throws IOException {
     out.close();
 
     int size = stackSize;

gson/src/test/java/com/google/gson/GsonTypeAdapterTest.java

@@ -130,7 +130,7 @@ public void testDeserializerForAbstractClass() {
   private void assertSerialized(String expected, Class<?> instanceType, boolean registerAbstractDeserializer,
       boolean registerAbstractHierarchyDeserializer, Object instance) {
     JsonDeserializer<Abstract> deserializer = new JsonDeserializer<Abstract>() {
-      public Abstract deserialize(JsonElement json, Type typeOfT,
+      @Override public Abstract deserialize(JsonElement json, Type typeOfT,
           JsonDeserializationContext context) throws JsonParseException {
         throw new AssertionError();
       }

gson/src/test/java/com/google/gson/functional/CircularReferenceTest.java

@@ -79,7 +79,7 @@ public void testSelfReferenceCustomHandlerSerialization() throws Exception {
     ClassWithSelfReference obj = new ClassWithSelfReference();
     obj.child = obj;
     Gson gson = new GsonBuilder().registerTypeAdapter(ClassWithSelfReference.class, new JsonSerializer<ClassWithSelfReference>() {
-      public JsonElement serialize(ClassWithSelfReference src, Type typeOfSrc,
+      @Override public JsonElement serialize(ClassWithSelfReference src, Type typeOfSrc,
           JsonSerializationContext context) {
         JsonObject obj = new JsonObject();
         obj.addProperty("property", "value");

gson/src/test/java/com/google/gson/functional/CollectionTest.java

@@ -328,7 +328,7 @@ public void testFieldIsArrayList() {
   public void testUserCollectionTypeAdapter() {
     Type listOfString = new TypeToken<List<String>>() {}.getType();
     Object stringListSerializer = new JsonSerializer<List<String>>() {
-      public JsonElement serialize(List<String> src, Type typeOfSrc,
+      @Override public JsonElement serialize(List<String> src, Type typeOfSrc,
           JsonSerializationContext context) {
         return new JsonPrimitive(src.get(0) + ";" + src.get(1));
       }

gson/src/test/java/com/google/gson/functional/ConcurrencyTest.java

@@ -71,7 +71,7 @@ public void testMultiThreadSerialization() throws InterruptedException {
     ExecutorService executor = Executors.newFixedThreadPool(10);
     for (int taskCount = 0; taskCount < 10; taskCount++) {
       executor.execute(new Runnable() {
-        public void run() {
+        @Override public void run() {
           MyObject myObj = new MyObject();
           try {
             startLatch.await();
@@ -102,7 +102,7 @@ public void testMultiThreadDeserialization() throws InterruptedException {
     ExecutorService executor = Executors.newFixedThreadPool(10);
     for (int taskCount = 0; taskCount < 10; taskCount++) {
       executor.execute(new Runnable() {
-        public void run() {
+        @Override public void run() {
           try {
             startLatch.await();
             for (int i = 0; i < 10; i++) {

gson/src/test/java/com/google/gson/functional/CustomSerializerTest.java

@@ -91,7 +91,7 @@ public void testBaseClassSerializerInvokedForBaseClassFieldsHoldingSubClassInsta
    public void testSerializerReturnsNull() {
      Gson gson = new GsonBuilder()
        .registerTypeAdapter(Base.class, new JsonSerializer<Base>() {
-         public JsonElement serialize(Base src, Type typeOfSrc, JsonSerializationContext context) {
+         @Override public JsonElement serialize(Base src, Type typeOfSrc, JsonSerializationContext context) {
            return null;
          }
        })

gson/src/test/java/com/google/gson/functional/DefaultTypeAdaptersTest.java

@@ -470,7 +470,7 @@ public void testDateSerializationWithPatternNotOverridenByTypeAdapter() throws E
     Gson gson = new GsonBuilder()
         .setDateFormat(pattern)
         .registerTypeAdapter(Date.class, new JsonDeserializer<Date>() {
-          public Date deserialize(JsonElement json, Type typeOfT,
+          @Override public Date deserialize(JsonElement json, Type typeOfT,
               JsonDeserializationContext context)
               throws JsonParseException {
             return new Date(1315806903103L);