Crypto: To get unreferenced parameters as general sources for Java, I've included the caveat that if a function is called, all the calls appear to be in test files.

bdrodes · bdrodes · commit 9a6aac130036 · 2025-10-15T14:20:16.000-04:00
diff --git a/java/ql/lib/experimental/quantum/Language.qll b/java/ql/lib/experimental/quantum/Language.qll
@@ -55,7 +55,18 @@ final class DefaultRemoteFlowSource = RemoteFlowSource;
 
 private class GenericUnreferencedParameterSource extends Crypto::GenericUnreferencedParameterSource {
   GenericUnreferencedParameterSource() {
-    exists(Parameter p | this = p and not exists(p.getAnArgument()))
+    exists(Parameter p |
+      this = p and
+      (
+        not exists(p.getAnArgument())
+        or
+        // If all calls to a function occur in a test file, ignore those calls
+        // and consider the parameter to the function a potential source as well.
+        forall(Call testCall | testCall.getCallee() = p.getCallable() |
+          testCall.getFile().getBaseName().toUpperCase().matches("%TEST%")
+        )
+      )
+    )
   }
 
   override predicate flowsTo(Crypto::FlowAwareElement other) {
