Description

Adds a new quality query to detect finalize calls. This query is migrated from the advance security team's quality queries.

Consideration

Changes from original query. Let me know if you disagree with any of these changes:

• The query only alerts on finalize calls now. Alerts for runFinalizersOnExit and gc will continue to be reported on the pre-existing queries java/run-finalizers-on-exit and java/garbage-collection, respectively. I will make follow-up PRs updating these pre-existing queries if needed.
• Added an exclusion for super.finalize calls that occur within a callable that overrides finalize since the Java doc for finalize states: "If a subclass overrides finalize it must invoke the superclass finalizer explicitly", and alerting on these calls would contradict our pre-existing java/missing-super-finalize query. This exclusion reduces the number of alerts on the MRVA top-100 from 66 to 24 and on the MRVA top-1000 from 954 to 115.
• Added an exclusion for calls to overloads of finalize. My understanding is that the JVM will not call overloads of finalize when handling garbage collection, but will only call finalize() and overrides of finalize(). So I don't think overloads are relevant for alerts. Let me know if you disagree. This exclusion further reduces the number of alerts on the MRVA top-100 from 24 to 5 and on the MRVA top-1000 from 115 to 40.

Other Notes:

• Autofixes look okay. Successfully removes the finalize call then attempts to use AutoCloseable as suggested in the QHelp.
• DCA looks good