Tags: java, security, jar, static-analysis, codeql

CodeQL Scanning JAR Files


I'm just getting started with CodeQL and have had plenty of success scanning Python projects. Now, I'm starting to scan Java projects, and I struggle to scan precompiled projects.

From what I gathered, it appears CodeQL CLI includes an autobuilder for Java code and will build the projects for me. I'm trying to scan projects already compiled from the Maven central repository.

Question:

  1. Is it possible to scan compiled Java source code (i.e., bytecode, class files) contained within a JAR file with CodeQL?
  2. If so, how can I invoke these properties to scan JAR files from the CLI?

Thanks for any insight!


Solution

  • From what I read, it does not seem to work on compiled classes. You will need the source code, whether that exists as a JAR (which you would then need to unzip before processing) or a GitHub project.

    Usually when running it you would provide the way to build your project, such as --language=java --command='mvn clean install -DskipTests', which requires source code.
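The practical consequence of the answer is that you first need to know whether the JAR you downloaded actually carries .java files (a "-sources.jar") or only .class files, and then unpack it and point the CodeQL CLI at the unpacked tree with a build command. The following script is an added example, not code from the question, the answer or the CodeQL project: it inspects a JAR with Python's zipfile module, unpacks it only if it contains source (rejecting entries that would escape the target directory), and assembles the codeql database create invocation using the Maven command the answer mentions. It assumes the CodeQL CLI is on PATH as codeql and that the unpacked tree contains a build file Maven can use; both are assumptions. The sample JARs in demo() are constructed in a temporary directory so the script runs offline.

```python
"""Decide whether a JAR is scannable by CodeQL (has source) and build the CLI call.

Added example, not from the original post. Assumptions: the CodeQL CLI is
installed as `codeql`, and the unpacked source tree builds with the Maven
command quoted in the answer. Sample JARs below are constructed for the demo.
"""
import shutil
import subprocess
import tempfile
import zipfile
from pathlib import Path

# Build command from the answer; assumed to work for the unpacked tree.
MAVEN_BUILD = "mvn clean install -DskipTests"


def classify_jar(jar_path):
    """Count .java and .class entries in a JAR (a JAR is just a ZIP archive)."""
    counts = {"java": 0, "class": 0}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.endswith(".java"):
                counts["java"] += 1
            elif name.endswith(".class"):
                counts["class"] += 1
    return counts


def has_source(jar_path):
    """CodeQL's Java extractor needs source, so only a JAR with .java entries is usable."""
    return classify_jar(jar_path)["java"] > 0


def unpack_sources(jar_path, dest):
    """Extract a sources JAR into dest, refusing entries that would land outside dest."""
    dest = Path(dest).resolve()
    with zipfile.ZipFile(jar_path) as zf:
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {info.filename}")
            zf.extract(info, dest)
    return dest


def codeql_create_cmd(source_root, db_dir, build_command=MAVEN_BUILD):
    """Assemble the argv for `codeql database create` on a Java source tree."""
    return [
        "codeql", "database", "create", str(db_dir),
        "--language=java",
        f"--source-root={source_root}",
        f"--command={build_command}",
    ]


def create_database(cmd):
    """Run the CodeQL CLI if it is installed; otherwise report what would run."""
    if shutil.which("codeql") is None:
        return False  # codeql not on PATH (assumption: it is installed as `codeql`)
    subprocess.run(cmd, check=True)
    return True


def _write_jar(path, entries):
    """Constructed sample JAR: entries maps archive names to file contents."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path


def demo():
    """Build a binary-only JAR and a sources JAR, classify both, unpack the latter."""
    tmp = Path(tempfile.mkdtemp())
    binary = _write_jar(tmp / "lib-1.0.jar", {
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        "com/example/Foo.class": b"\xca\xfe\xba\xbe",   # constructed, not real bytecode
    })
    sources = _write_jar(tmp / "lib-1.0-sources.jar", {
        "com/example/Foo.java": "package com.example; public class Foo {}\n",
        "pom.xml": "<project/>\n",                      # constructed placeholder
    })
    result = {
        "binary_counts": classify_jar(binary),
        "binary_has_source": has_source(binary),
        "sources_has_source": has_source(sources),
    }
    src_root = unpack_sources(sources, tmp / "src")
    result["unpacked_java_present"] = (src_root / "com/example/Foo.java").is_file()
    result["cmd"] = codeql_create_cmd(src_root, tmp / "codeql-db")
    # A zip-slip entry must be rejected before anything is written.
    evil = _write_jar(tmp / "evil.jar", {"../escape.java": "class X {}\n"})
    try:
        unpack_sources(evil, tmp / "evil-out")
        result["zip_slip_rejected"] = False
    except ValueError:
        result["zip_slip_rejected"] = True
    return result


if __name__ == "__main__":
    r = demo()
    print(r)
    print("codeql on PATH:", create_database(r["cmd"]) if r["sources_has_source"] else "n/a")
```

For a real artifact, fetch the -sources.jar for the coordinates you care about from Maven Central, run has_source() on it, unpack, and pass the argv to create_database(); if the unpacked tree has no pom.xml, substitute whatever build command fits the project in place of MAVEN_BUILD.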