I'm trying to scan java code with codeql. In my repo I have some class files:
src/com/org/proj/Main.java
src/com/org/proj/Task.java
It's very simple and was built by Eclipse and I only exported the executable *.jar file from it before.
Now as I'm trying to scan this with CodeQL, it was trying to autobuild it without success. After investigating online I understood that only specific types of projects work with autobuild, hence I went back to Eclipse and converted my project to Maven. Now autobuild.sh (the one used by autobuild) is trying to execute a 'mvn' command, which I would assume should work and the code scan should be successful, but it seems that 'mvn' is not found on the system (I thought this is included during the initialization step or somewhere else). I tried to find a solution for how to install Maven before executing the autobuild step, but didn't find one. The error looks like this:
/opt/hostedtoolcache/CodeQL/2.12.6-20230403/x64/codeql/codeql version --format=terse
2.12.6
/opt/hostedtoolcache/CodeQL/2.12.6-20230403/x64/codeql/java/tools/autobuild.sh
Picked up JAVA_TOOL_OPTIONS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
[2023-08-23 07:27:32] Build directory is .
[2023-08-23 07:27:32] [autobuild] > mvn clean package -f "pom.xml" -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip -DskipTests -Dmaven.test.skip.exec -Dlicense.skip=true -Drat.skip=true -Dspotless.check.skip=true
Error: 8-23 07:27:32] [autobuild] [ERROR] Error executing command mvn clean package -f "pom.xml" -B -V -e -Dfindbugs.skip -Dcheckstyle.skip -Dpmd.skip=true -Dspotbugs.skip -Denforcer.skip -Dmaven.javadoc.skip -DskipTests -Dmaven.test.skip.exec -Dlicense.skip=true -Drat.skip=true -Dspotless.check.skip=true
com.semmle.util.exception.ResourceError: IOException while executing process with args: [mvn, clean, package, -f, pom.xml, -B, -V, -e, -Dfindbugs.skip, -Dcheckstyle.skip, -Dpmd.skip=true, -Dspotbugs.skip, -Denforcer.skip, -Dmaven.javadoc.skip, -DskipTests, -Dmaven.test.skip.exec, -Dlicense.skip=true, -Drat.skip=true, -Dspotless.check.skip=true]
(eventual cause: IOException "error=2, No such file or directory")
at com.semmle.util.process.AbstractProcessBuilder.execute(AbstractProcessBuilder.java:258)
at com.semmle.util.process.AbstractProcessBuilder.execute(AbstractProcessBuilder.java:198)
at com.semmle.util.data.CommandLine.run(CommandLine.java:274)
at com.semmle.autobuild.AutoBuild.deduceAndRunBuildCommands(AutoBuild.java:189)
at com.semmle.autobuild.AutoBuild.runApi(AutoBuild.java:147)
at com.semmle.util.process.CliCommand.run(CliCommand.java:62)
at com.semmle.util.process.CliCommand.safeRun(CliCommand.java:79)
at com.semmle.util.process.VerbCliTool.runImpl(VerbCliTool.java:169)
at com.semmle.util.process.VerbCliTool.run(VerbCliTool.java:68)
at com.semmle.autobuild.Main.mainApi(Main.java:80)
at com.semmle.autobuild.Main.main(Main.java:59)
Caused by: java.io.IOException: Cannot run program "mvn" (in directory "."): error=2, No such file or directory
at java.base/java.lang.ProcessBuilder.start(Unknown Source)
at java.base/java.lang.ProcessBuilder.start(Unknown Source)
at com.semmle.util.process.AbstractProcessBuilder.execute(AbstractProcessBuilder.java:231)
... 10 common frames omitted
Caused by: java.io.IOException: error=2, No such file or directory
at java.base/java.lang.ProcessImpl.forkAndExec(Native Method)
at java.base/java.lang.ProcessImpl.<init>(Unknown Source)
at java.base/java.lang.ProcessImpl.start(Unknown Source)
... 13 common frames omitted
Error: We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. Failure invoking /opt/hostedtoolcache/CodeQL/2.12.6-20230403/x64/codeql/java/tools/autobuild.sh with arguments .
Exit code 254 and error was:
Picked up JAVA_TOOL_OPTIONS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false
and my codeql.yml file looks like this (right now):
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]

jobs:
  analyze:
    name: Analyze
    runs-on: [ubuntu-latest]
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Use only 'java' to analyze code written in Java, Kotlin or both
        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    # ℹ️ Command-line programs to run using the OS shell.
    # 👉 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

    #   If the Autobuild fails above, remove it and uncomment the following three lines.
    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

    #- run: |
    #    echo "Skipping build, it is not needed..."
    #    ls -lR .
    #    sudo apt install maven
    #    mvn clean install

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        category: "/language:${{matrix.language}}"
I tried to skip the autobuild, but in that case the analyze step just fails with the following error:
/opt/hostedtoolcache/CodeQL/2.12.6-20230403/x64/codeql/codeql database finalize --finalize-dataset --threads=8 --ram=14984 /runner/_work/_temp/codeql_databases/java
CodeQL detected code written in Java but could not process any of it. Review our troubleshooting guide at https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#no-code-found-during-the-build.
Error: No code found during the build. Please see:
https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning#no-code-found-during-the-build
I tried to build it manually, but I was not able to install Maven (I guess executing install commands won't work this way).
The runners used for this repository and many more were built with minimalistic images. Java and Maven needed to be installed manually. For Java, https://github.com/actions/setup-java works, and for Maven we used sudo apt-get install -y maven.
After these steps the Autobuild step and the code scan were successful.
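A workflow that applies the answer's fix, added here as an example (it is neither the asker's file nor the answerer's exact workflow): Java is installed with actions/setup-java and Maven with apt-get before the Autobuild step, and a verification step makes a missing `mvn` fail early with a readable message instead of the `ProcessBuilder` IOException shown in the question. The `temurin` distribution, Java version 17 and the `v3` tag of setup-java are assumptions, not values taken from the question; pick the JDK your pom.xml targets.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the repo and upload results.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'java' ]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Assumed JDK choice (Temurin 17): not from the question, adjust to your pom.xml.
      - name: Set up Java
        uses: actions/setup-java@v3
        with:
          distribution: 'temurin'
          java-version: '17'

      # Minimal runner images do not ship Maven; install it before Autobuild so the
      # `mvn clean package ...` command that autobuild.sh runs can be found on PATH.
      - name: Install Maven
        run: |
          sudo apt-get update
          sudo apt-get install -y maven

      # Fail early with a clear message if the build tools are still missing.
      - name: Verify build tools
        run: |
          command -v mvn >/dev/null || { echo "mvn not found on PATH"; exit 1; }
          mvn --version
          java -version

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}

      # Autobuild now finds mvn and compiles the Maven project, so the Java
      # extractor observes compiled sources and "No code found" no longer occurs.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{matrix.language}}"
```

The only hard requirement is that `mvn` is on PATH at the moment autobuild.sh runs, so the tool setup may sit either before or after the `init` step. The "No code found during the build" error from the question is the expected outcome of skipping the build: the Java extractor only records code that is actually compiled, so with no build step there is nothing for it to capture. The `permissions` block stays read-only apart from `security-events: write`, which the analyze step needs to upload its SARIF results.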