How do I learn which versions of Java are supported by CodeQL? #22425

mattwelke · 2021-10-17T07:06:15Z

mattwelke
Oct 17, 2021

I followed the instructions in Configuring code scanning - GitHub Docs to set up code scanning for my public repo. I used CodeQL with GitHub Actions. At first it didn’t work, saying that auto build failed to detect how to build my code. I suspected this was because I was using a mono repo. I moved my code to a new repo where it was at the top level. But now CodeQL says it can’t build it with an error message that looks like it can’t build it because it’s Java 17:

Error: 0-17 06:57:28] [autobuild] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project apache-openwhisk-runtime-java-17: Fatal error compiling: error: invalid target release: 17 -> [Help 1]

…

Exit code 1 and error was: Picked up JAVA_TOOL_OPTIONS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false CommandInvocationError: Failure invoking /opt/hostedtoolcache/CodeQL/0.0.0-20211005/x64/codeql/java/tools/autobuild.sh with arguments . Exit code 1 and error was: Picked up JAVA_TOOL_OPTIONS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false at runTool (/home/runner/work/_actions/github/codeql-action/v1/lib/codeql.js:722:15) at processTicksAndRejections (internal/process/task_queues.js:93:5) at async Object.runAutobuild (/home/runner/work/_actions/github/codeql-action/v1/lib/codeql.js:460:13) at async runAutobuild (/home/runner/work/_actions/github/codeql-action/v1/lib/autobuild.js:29:5) at async run (/home/runner/work/_actions/github/codeql-action/v1/lib/autobuild-action.js:57:13) at async runWrapper (/home/runner/work/_actions/github/codeql-action/v1/lib/autobuild-action.js:70:9)

I wasn’t able to find a list of supported versions of programming languages in the documentation. Where can I find this information?

Also, I’m confused about why CodeQL needs my Java code to be compiled. I was under the impression it worked by looking for patterns in source code. Why would my source code need to be compiled? What use would it have for the compiled class files?

Answered by hmakholm

Oct 25, 2021

I’m glad your problem was resolved.

For some context, CodeQL wants to observe a build process mainly such that it can know exactly which code is part of the project and which complation flags are used with it. This is especially important in the C/C++ world where compilation flags can radically change what the code does, and where it is not uncommon to generate some source files mechanically during the build process. Even though these are less pressing considerations for Java, we use the same procedure for all compiled languages, to avoid the madness of having slightly different requirements for different languages. (And some Java projects still do create analyzable code on the fly, or co…

View full answer

Katsute · 2021-10-17T15:53:27Z

Katsute
Oct 17, 2021

I think it might compile the code so it can run it. As for the compile failure, try compiling it with mvn compile instead of using the autobuild.

0 replies

mattwelke · 2021-10-17T18:18:40Z

mattwelke
Oct 17, 2021
Author

That did the trick. I replaced the autobuild step with bringing in the setup-java action and adding a step immediately after that where I ran the mvn command to build my app. Then the CodeQL action was able to scan my Java source code.

0 replies

hmakholm · 2021-10-25T17:07:47Z

hmakholm
Oct 25, 2021

I’m glad your problem was resolved.

For some context, CodeQL wants to observe a build process mainly such that it can know exactly which code is part of the project and which complation flags are used with it. This is especially important in the C/C++ world where compilation flags can radically change what the code does, and where it is not uncommon to generate some source files mechanically during the build process. Even though these are less pressing considerations for Java, we use the same procedure for all compiled languages, to avoid the madness of having slightly different requirements for different languages. (And some Java projects still do create analyzable code on the fly, or compile different implementations of the same classes in different configurations).

We don’t actually run the code being built, though.

The autobuilder is a kind of best-effort attempt to provide a one-click setup process for maintainers who want to try out Code Scanning on their repo. Once you’ve gone to the trouble of setting up a definite build command in the scanning workflow, that generally works more robustly and predictably than the autobuilder.

0 replies

mattwelke · 2021-10-27T03:41:28Z

mattwelke
Oct 27, 2021
Author

Thanks for explaining. I can see how that would be important even for Java code. I’ve seen annotation processors and Protobuf compilers used to generate Java code as part of a build.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

How do I learn which versions of Java are supported by CodeQL? #22425

{{title}}

Replies: 4 comments

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

How do I learn which versions of Java are supported by CodeQL? #22425

mattwelke Oct 17, 2021

Replies: 4 comments

Katsute Oct 17, 2021

mattwelke Oct 17, 2021 Author

hmakholm Oct 25, 2021

mattwelke Oct 27, 2021 Author

mattwelke
Oct 17, 2021

Katsute
Oct 17, 2021

mattwelke
Oct 17, 2021
Author

hmakholm
Oct 25, 2021

mattwelke
Oct 27, 2021
Author