CodeQL 2.19.1 does not work with Java 23 projects #17681

Open
danishnawab opened this issue Oct 8, 2024 · 12 comments
Labels
question Further information is requested

Comments

@danishnawab

After upgrading to CodeQL 2.19.1 to get Java 23 support (see issue #17564), the Java 23 project is still not analyzed successfully by CodeQL.

Example project here: https://github.com/danishnawab/codeql-java23/tree/master

Java 23

The master branch is set up with Java 23 -> CodeQL analysis fails

codeql --version

Output:

CodeQL command-line toolchain release 2.19.1.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in: ~/codeql
Analysis results depend critically on separately distributed query and
extractor modules. To list modules that are visible to the toolchain,
use 'codeql resolve qlpacks' and 'codeql resolve languages'.

codeql database create java-testing-repo --language=java --source-root=. --command="./gradlew clean assemble --no-build-cache" --overwrite

Output:

Initializing database at ~/codeql-java23/java-testing-repo.
Running build command: [./gradlew, clean, assemble, --no-build-cache]
Running command in ~/codeql-java23: [./gradlew, clean, assemble, --no-build-cache]
[2024-10-08 10:20:08] [build-stdout] > Task :clean UP-TO-DATE
[2024-10-08 10:20:08] [build-stdout] > Task :compileJava
[2024-10-08 10:20:08] [build-stdout] > Task :processResources
[2024-10-08 10:20:08] [build-stdout] > Task :classes
[2024-10-08 10:20:08] [build-stdout] > Task :resolveMainClassName
[2024-10-08 10:20:09] [build-stdout] > Task :bootJar
[2024-10-08 10:20:09] [build-stdout] > Task :jar
[2024-10-08 10:20:09] [build-stdout] > Task :assemble
[2024-10-08 10:20:09] [build-stdout] BUILD SUCCESSFUL in 983ms
[2024-10-08 10:20:09] [build-stdout] 6 actionable tasks: 5 executed, 1 up-to-date
Finalizing database at ~/codeql-java23/java-testing-repo.
CodeQL detected code written in Java/Kotlin but could not process any of it. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build.

Exit status: 32

Java 22

The java22 branch is set up with Java 22 -> CodeQL analysis succeeds

codeql --version

Output:

CodeQL command-line toolchain release 2.19.1.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in:~/codeql
Analysis results depend critically on separately distributed query and
extractor modules. To list modules that are visible to the toolchain,
use 'codeql resolve qlpacks' and 'codeql resolve languages'.

codeql database create java-testing-repo --language=java --source-root=. --command="./gradlew clean assemble --no-build-cache" --overwrite

Initializing database at ~/codeql-java23/java-testing-repo.
Running build command: [./gradlew, clean, assemble, --no-build-cache]
Running command in ~/codeql-java23: [./gradlew, clean, assemble, --no-build-cache]
[2024-10-08 10:26:08] [build-stdout] > Task :clean
[2024-10-08 10:26:13] [build-stdout] > Task :compileJava
[2024-10-08 10:26:13] [build-stdout] > Task :processResources
[2024-10-08 10:26:13] [build-stdout] > Task :classes
[2024-10-08 10:26:13] [build-stdout] > Task :resolveMainClassName
[2024-10-08 10:26:13] [build-stdout] > Task :bootJar
[2024-10-08 10:26:13] [build-stdout] > Task :jar
[2024-10-08 10:26:13] [build-stdout] > Task :assemble
[2024-10-08 10:26:13] [build-stdout] BUILD SUCCESSFUL in 5s
[2024-10-08 10:26:13] [build-stdout] 6 actionable tasks: 6 executed
Finalizing database at ~/codeql-java23/java-testing-repo.
Running pre-finalize script ~/codeql/java/tools/pre-finalize.sh in ~/codeql-java23.
Running command in /codeql-java23: [/codeql/java/tools/pre-finalize.sh]
[2024-10-08 10:26:14] [build-stderr] Scanning for files in ~/codeql-java23...
[2024-10-08 10:26:14] [build-stderr] ~/codeql-java23/java-testing-repo: Indexing files in in ~/codeql-java23...
[2024-10-08 10:26:14] [build-stderr] Running command in /codeql-java23: [/codeql/xml/tools/index-files.sh, ~/codeql-java23/java-testing-repo/working/files-to-index11292473239882580179.list]
[2024-10-08 10:26:15] [build-stderr] Scanning for files in ~/codeql-java23...
[2024-10-08 10:26:15] [build-stderr] ~/codeql-java23/java-testing-repo: Indexing files in in ~/codeql-java23...
[2024-10-08 10:26:15] [build-stderr] Running command in /codeql-java23: [/codeql/properties/tools/index-files.sh, ~/codeql-java23/java-testing-repo/working/files-to-index1093484879480739341.list]
Running TRAP import for CodeQL database at ~/codeql-java23/java-testing-repo...
Importing TRAP files
Merging relations
Finished writing database (relations: 2.41 MiB; string pool: 2.78 MiB).
TRAP import complete (1.2s).
Finished zipping source archive (5.37 KiB).
Successfully created database at ~/codeql-java23/java-testing-repo.

Exit status: 0


The Java version is the only difference between the 2 branches: https://github.com/danishnawab/codeql-java23/compare/master...java22

danishnawab added the "question" (Further information is requested) label Oct 8, 2024
@redsun82
Contributor

redsun82 commented Oct 8, 2024

👋 @danishnawab thanks a lot for reaching out to us! I will call in the team working on java support on this. In the meantime, it seems like https://github.com/danishnawab/codeql-java23/ is private: I'm guessing it's a small reproducer and it can be made public? That would be much appreciated!

@danishnawab
Author

Ah yes, the intention was to have it public. I have updated the visibility now to make it public.

@smowton
Contributor

smowton commented Oct 8, 2024

The cause is that the sample project there uses --release 23, indicating intention to use Java 23 language features; however all the Java 23 specific language features are previews or incubators, which we don't support in general.

What is supported at this point is use of the Java 23 toolchain building to a Java 22 or lower language version.

@danishnawab
Author

@smowton the intention is to use Java 23. The stable libraries and language features.
To use preview features one needs to additionally provide the --enable-preview flag.

In this case, I have no intention to use the preview features, but I still want to run JDK 23 as each version of Java supersedes the older one.
Can you advise what the way forward is here? When will full Java 23 (minus preview features) support arrive?

@smowton
Contributor

smowton commented Oct 8, 2024

In the short term can you just pass -source 22 -target 22 to get the result you want?

@danishnawab
Author

danishnawab commented Oct 8, 2024

No, that doesn't work because we have a large number of services in my organization - an enterprise GitHub support customer - where we want to use Java 23 library and runtime updates.
In the short term we will not be able to use CodeQL then.

@smowton
Contributor

smowton commented Oct 9, 2024

I'll have a go at getting full Java 23 support in time for CodeQL 2.19.2, but no promises -- upgrading the OpenJDK components varies quite a lot in difficulty from JDK release to release!

@danishnawab
Author

Ok, we will wait then.
The same situation might arise for future releases, so direct support of new Java source versions (even if nothing has changed) would be desired.

@smowton
Contributor

smowton commented Oct 9, 2024

Yes, this is always intended. We don't anticipate any difficulties on future JDK releases.

@smowton
Contributor

smowton commented Oct 15, 2024

The full upgrade turned out to be pretty straightforward this cycle. You should find Java 23 is fully supported (except preview / incubating features) as of CodeQL 2.19.2.

@danishnawab
Author

Thank you @smowton.
Could you also comment on what the support for future versions (minus preview/incubator features) will look like?
How soon after a new version release can full support be expected?
This will be valuable information for many organizations to plan their upgrade paths.

@smowton
Contributor

smowton commented Oct 16, 2024

In the normal course of things, there should be full support for non-preview/incubator features on JDK release day.
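
Added example, not part of the original thread or the CodeQL project: a shell function that triages a `codeql database create` log like the ones in the report, separating "compileJava did no work, so there was no compilation to observe" from the case in this issue, where compilation ran but nothing was processed. The function name, verdict names and the stale-build sample are assumptions made for illustration, and the input is assumed to be a Gradle build log; the outcome labels (UP-TO-DATE, FROM-CACHE, NO-SOURCE, SKIPPED) are standard Gradle console output.

```shell
#!/bin/sh
# Added example, not part of the issue: triage a `codeql database create` log.
# triage_codeql_log reads the log on stdin and prints one verdict:
#   ok                          the database was created
#   compile-skipped             no source seen and Gradle never ran compileJava
#   compiled-but-not-extracted  compileJava ran, yet the extractor saw nothing
#   unknown                     none of the markers were found
triage_codeql_log() (
  created=0 no_source=0 compiled=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"Successfully created database"*) created=1 ;;
      *"could not process any of it"*)   no_source=1 ;;
      *"> Task :"*"compileJava"*)
        # Gradle appends an outcome label when the task did no work.
        case "$line" in
          *UP-TO-DATE|*FROM-CACHE|*NO-SOURCE|*SKIPPED) ;;
          *) compiled=1 ;;
        esac ;;
    esac
  done
  if [ "$created" -eq 1 ]; then echo ok
  elif [ "$no_source" -eq 1 ] && [ "$compiled" -eq 1 ]; then
    echo compiled-but-not-extracted
  elif [ "$no_source" -eq 1 ]; then echo compile-skipped
  else echo unknown
  fi
)

# Excerpt of the Java 23 log quoted in this issue.
sample_java23_log() {
  cat <<'EOF'
[2024-10-08 10:20:08] [build-stdout] > Task :compileJava
[2024-10-08 10:20:09] [build-stdout] BUILD SUCCESSFUL in 983ms
CodeQL detected code written in Java/Kotlin but could not process any of it.
EOF
}

# Constructed log: same error, but compileJava was up to date and did no work.
sample_stale_build_log() {
  cat <<'EOF'
[build-stdout] > Task :compileJava UP-TO-DATE
[build-stdout] BUILD SUCCESSFUL in 1s
CodeQL detected code written in Java/Kotlin but could not process any of it.
EOF
}

for sample in sample_java23_log sample_stale_build_log; do
  printf '%s -> %s\n' "$sample" "$("$sample" | triage_codeql_log)"
done
```

A `compiled-but-not-extracted` verdict is the pattern reported here, which smowton attributed to the project's `--release 23` setting under CodeQL 2.19.1.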
